Last Christmas gave the audit profession a report by Sir John Kingman which recommended the creation of a new regulatory body, the Audit, Reporting and Governance Authority ("ARGA"). This year, the Christmas season has been marked by the publication on 18 December of Sir Donald Brydon's report, a month or so earlier than expected and, significantly, a day ahead of the Queen's Speech at the opening of Parliament. The Queen's Speech contained reference to Government intentions to introduce legislation to “develop proposals on company audit and corporate reporting, including a stronger regulator with all the powers necessary to reform the sector”.
These proposals are likely to be informed not only by the Brydon and Kingman reports, but also the CMA's report on the Statutory Audit Market and the House of Commons BEIS Committee report on the Future of Audit, both of which were published in April 2019.
Sir Donald Brydon, who is a former chair of the London Stock Exchange, made 64 recommendations in his report, which is titled “Assess, Assure and Inform: Improving Audit Quality and Effectiveness”.
The report begins by stating that “audit is not broken but it has lost its way and all the actors in the audit process bear some measure of responsibility”. The report seeks to bring about changes in mindset, and lead to the establishment of structures and principles that would improve the quality and effectiveness of audit, and restore public trust in the profession. However, in order to achieve this, Sir Donald Brydon considers that there needs to be a “fundamental shift in definition and approach to ensure that all appropriate opportunities are taken for the auditor to inform as well as to confirm and verify.”
A key starting point for Sir Donald Brydon's remit was to address the "expectation gap" that is said to exist between the users of audit reports and the realities of audit. Brushing aside the "expectations gap" as a "distraction", the report states that it "deals with all the various gaps by endeavouring to make audit a more informative process and product". This reflects the heavier emphasis in the report on additional work that auditors should be asked to perform. In places the report does note that some of the expectations expressed by investor respondents in this regard are unrealistic.
Audit firms may consider that the report has grappled less well with addressing the expectation gap in terms of the degree of assurance that it is appropriate to expect from an audit, and that the report has not demonstrated a sufficient understanding of the causes of audit failing and the difficulties faced by auditors in identifying fraud and forming judgments about management estimates and forecasts. The report recognises in various passages that an audit is not designed to provide absolute assurance, but in many respects, the recommendations made in respect of improving audit quality (in the sense of the reliability of audit work within the current audit scope) involve accentuation, formalisation or reinvigoration of existing principles and practices (such as training) and have a familiar feel. For example, the faint glow of previous "new dawns" might be recognised in the statement that "moving away from the perspective of a process-led and rules-minded approach should enable a shift from one-size fits-all to something much more informative and useful"; this repeats the traditional attack on audit quality but does not properly examine whether the criticism is justified or whether it is the main cause of audit failures. There is reason to doubt, therefore, that the report's recommendations will deliver significant enhancements to audit quality over and above existing initiatives.
The report addresses a large number of different topics in the course of just over one hundred pages, with the consequence that many of its comments are made at a relatively high level. In some passages, expansion and clarification of the report would have been helpful and there is likely to be some debate as to the meaning and implications of parts of the report. Although the report proposes various new definitions to clarify existing concepts, it is apparent that a number of the suggested definitions require more detailed consideration in the context of future consultations by BEIS.
In this note we shall summarise our initial reactions and draw attention to some of the more significant recommendations, from the perspective of auditors' liability.
A new profession: purpose, principles and definitions
A number of key recommendations in the report involve giving greater definition to the audit profession itself, redefining some key concepts in order that they are more clearly understood, and giving greater prominence to core principles. Although these changes might improve understanding of an auditor's role by the users of financial statements, in isolation they are unlikely to deliver "a fundamental shift" in audit quality and effectiveness.
Some recommendations propose significant changes in form:-
- The creation of a new profession of Corporate Auditing, separate from the accountancy profession, with its own professional body, to be regulated by ARGA as the supervisory body.
- The work performed by this new profession would be subject to new Principles of Corporate Auditing (set out at section 6.4 of the report) which “seek to integrate and give more prominence to auditor behaviours set out in existing standards and codes, while adding additional principles around openness, independence, challenge and the public interest.” Auditors may question whether all of these would be new additions to the principles that currently apply to their work. That said, the report requires auditors to attach more significance to consideration of the public interest than under existing standards (see further below).
- The meaning of "audit" should be clarified and redefined by ARGA so that it is clear that corporate audits are not confined to the audit of financial statements. The proposed definition is: “The purpose of an audit is to help establish and maintain deserved confidence in a company, in its directors and in the information for which they have responsibility to report, including the financial statements.” This definition in our view requires further thought, to ensure that an amendment to the Companies Act to reflect any such new definition does not create a bias against reporting views that might harm a company.
- The report envisages that its definition of audit allows flexibility in the subject matter of material that may be subject to audit, with similar flexibility in the scope of audit that companies may require above and beyond the existing audit services. The report recommends that audit committees prepare and publish a three-year Audit and Assurance Policy which, among other things, would identify and explain the types of audit and assurance to be obtained (for example, on cyber risk). Some of these services would be outside the scope of statutory audit, despite calls from some investors for the scope to be expanded to encompass these areas, and may be provided by other firms. For example, the report suggests that full-scope assurance on management's abilities, corporate culture or the company business model should lie outside of financial statements audit. Other examples are provided by engagements to validate data relating to directors' reports on Environmental, Social and Governance measures.
- In a related proposal, the report envisages that the different forms of assurance that may be covered by corporate auditing could become the subject of separate, tailored qualifications.
- The form of statutory audit opinion required by the Companies Act should be altered, changing the language from an opinion on whether the financial statements present a “true and fair view”, to an opinion on whether the financial statements "present fairly, in all material respects". Sir Donald Brydon disagrees with the conclusion derived by UK standard-setters from previous legal opinions that "true and fair view" is a necessary over-ride to prevent distortions that might otherwise occasionally arise from the correct application of accounting standards. He considers that there is adequate over-ride in the fact that international auditing standard IAS1 recognises that in rare circumstances it may be necessary for a company to depart from accounting standards to achieve a fair presentation of results.
Liability limitation and responsibilities towards shareholders, other stakeholders and the wider public interest
- Auditors will be relieved to find that Sir Donald Brydon has concluded that there should be no alteration in the law resulting from the ruling of the House of Lords in Caparo v Dickman which established that an auditor's duty for its statutory audit report was confined to the shareholders as a body. His report nevertheless emphasises (and his proposed "Principles of Corporate Auditing" state) that auditors must act in the public interest and have regard in their work to the interests of all users of their reports, other than just the body of shareholders. Accordingly, the report proposes that audit should provide information that is useful to individual shareholders, potential investors, lenders, suppliers, consumers and employees in their decision making. The key statement on this topic appears at paragraph 5.1.7 of the report:
"There needs to be a disconnection between risk of liability and acceptance that users other than shareholders may and will also make decisions based on the audit report. Here decisions to take action or not to take action are equally important. Society has demanded a publicly available report and, in consequence, non-shareholders will also make use of it. Auditors should have regard to this reality without any extension of legal liability beyond that owed to the shareholders as a body. I will argue later for the adoption of overarching principles to govern audit as a profession and therein would lie the guidance as to how auditors may recognise that their report will be legitimately used by others."
- Elsewhere in the report, Sir Donald Brydon has expressed some scepticism that the scale of auditors' potential liabilities is as severe as the profession has claimed. His report attempts, with little sense of conviction, to resuscitate the auditor liability limitation provisions introduced by ss.534-536 of the Companies Act 2006, by recommending that the law is clarified to state that directors will not breach their duties by supporting a proposal to limit an auditor's liability.
- Looking at the other side of the "disconnection", a recurrent theme in the report is that of establishing and improving the flow of communications between companies, their auditors and stakeholders. For example:-
− Where the audit committee is presented with different views by management and auditors, the audit committee should describe the debate and its outcome in its report. For example, on issues of valuation, the audit committee should report on the range of the initial views and where in that range the agreed valuation lies.
− The report recommends that companies create mechanisms to enable their workforces to raise issues about risks and assurance, and to respond to those issues.
- A number of innovations are suggested in the report to facilitate shareholder input in the field of risk, audit and assurance, including:
− Earlier publication of the Directors' Risk Report, to take place before the audit committee meeting which determines the scope of the next audit, with an invitation to shareholders to request "the areas of emphasis they wish the auditor to incorporate in the audit plan". Related to this, the report proposes that the audit committee "at a high policy level would "own" the audit plan", as part of the company's Audit and Assurance Policy which is the subject of separate recommendations in the report. In our view these proposals need to be considered more carefully in the context of audit independence and challenge, and the duty that is owed to the shareholders as a whole (given the risk of individual shareholders seeking to influence audit plans to suit their own interests and undisclosed investment strategies that may diverge from the interests of the company as a whole).
− Consistent with his comments when calling for evidence, Sir Donald Brydon recommends that questions for the audit committee chair and auditor become standing items on the agendas of all AGMs.
− The report recommends delayed publication of minutes of audit committee meetings, with minimal redaction, to facilitate transparency of the meetings for the benefit of stakeholders. This recommendation may do more harm than good if it leads to audit presentations becoming less forceful or challenging, and more circumspect.
− The creation of a new body, the Audit Users Review Board (AURB), to represent the views of users of audit reports in dialogues with ARGA on proposals for the evolution of audit. The report suggests that auditors consider creating their own body to enter into dialogue with ARGA on improvements to audit, in place of the existing Audit Quality Forum ("AQF"). In making this recommendation, Sir Donald Brydon has questioned the value of a body intended to foster consensus, co-operation and mutual understanding, and has instead endorsed a framework where different interests simply put their views to ARGA from their own perspectives.
- The principle that auditors should act in the public interest may require auditors to identify and assess the respects in which the audit client engages aspects of the public interest, such as operating in an industry that has national or regional significance (e.g. infrastructure, defence, importance to regional economy), number of employees, and links to national or local government (e.g. public service contracts). The report's recommendation might result in more exacting standards or additional resources being applied in practice to certain aspects of the audit of companies that have significant engagement with public interest considerations (for example, in the assessment of resilience), because of the risk of facing disciplinary sanction for failure to act in the public interest.
The responsibilities of directors in relation to internal controls
Significantly, and somewhat as expected in light of views previously expressed by Sir John Kingman, the report recommends a form of certification regime for CEOs and CFOs akin to the US model introduced in the Sarbanes-Oxley Act in 2002 after Enron's collapse. The proposal would require the CEO and CFO to attest to the Board in respect of the effectiveness of internal controls over financial reporting, based on an evaluation performed for that purpose, at least 28 days before financial statements are signed. Failures or weaknesses in such controls would trigger a requirement for the Board to obtain an audit of the effectiveness of the controls.
Expanded audit responsibilities
The report comments that some observers have stated that audit "has not kept pace" with the many changes affecting the business environment, and recommends additional areas of work that auditors should perform.
The report proposes various additional responsibilities to those already encompassed by the audit of financial statements, including in particular:
- The auditors should report any material information not included in the Annual Report of which they become aware in the course of their work if they believe it would be useful to those using their audit report, and should not be confined to identifying material errors in the Annual Report.
- The auditors should consider the directors' annual statement under section 172, which confirms the directors' performance of their obligations under that statutory provision to consider the interests of stakeholders such as employees, customers and suppliers, and to act fairly as between members. The auditors should report whether the directors' statement is "based on observed reality, on the basis of the auditor's knowledge of the company and its processes".
- Auditors should report on the extent to which their work has been influenced and informed (or not) by any external "signals" which might imply enhanced risk, such as sustained negative commentary on the audit client, the extent of short positions, and widening swaps spreads.
- The directors should set out in a Public Interest Statement how they view the company’s legal, financial, social and environmental responsibilities to the public interest. The auditor’s opinion should then state whether, based on the evidence reviewed, the directors’ Public Interest Statement is presented fairly in all material respects.
- Alternative Performance Measures (being measures of financial performance other than those defined or specified in the applicable reporting framework), and any Key Performance Indicators (KPIs) used for the purpose of calculating executive remuneration, are to be audited.
Other forms of audit reporting would fall within the more general scope of audit to be covered in a company's Audit and Assurance Policy:
- When a dividend is proposed that is "similar" to the level of distributable reserves, the distributable reserves should be subject to audit.
- Directors should report on policies and performance in respect of payments to suppliers, to be subjected to "some level of audit" to be described in the company's Audit and Assurance Policy.
- The Brydon report asserts that the auditor's responsibility to detect fraud is poorly understood by users of audited accounts, partly as a result of auditing standard ISA 240, which states that it is more difficult to identify fraud in circumstances of collusion on the part of members of management. The report recommends that ARGA amend ISA 240 "to make clear that it is the obligation of an auditor to endeavour to detect material fraud in all reasonable ways"; this language seems to go farther than intended if it requires the auditor to do more than obtain reasonable assurance.
- The report proposes a new reporting duty for directors to set out the actions they have taken each year to prevent and detect material fraud. The report also recommends a corresponding duty for audit reports to state (i) the work performed by the auditor to conclude that the directors' statement on material fraud is appropriate and (ii) what additional steps the auditor has taken to assess the effectiveness of relevant controls and to detect such fraud.
- The Brydon report recommends the establishment by ARGA of an independent Auditor Fraud Panel to which ARGA would refer "the results of any investigations into auditor failure to detect material frauds", with powers to impose sanctions on auditors. This proposal is not developed much further in the Brydon report, no doubt because the framework for ARGA investigations and proceedings is yet to be set out. It is unclear, therefore, whether and how proceedings in the Auditor Fraud Panel would run alongside issues arising out of the same audits that did not involve failure to detect fraud. Responding to concerns that regulatory decisions on failure to identify fraud are beset by hindsight and "scalp-hunting", the report suggests that the panel membership is modelled on the Panel on Takeovers and Mergers, so that it will include an eminent lawyer, alongside practitioners and investors. In fact, of course, these features of panel membership are already possessed by FRC Disciplinary Tribunal panels.
Resilience Statements: Going concern, viability and long-term considerations
- The report recommends that going concern statements and viability statements are replaced by a new resilience statement from the company’s directors which would address the short-term (up to 2 years), medium-term (thereafter, up to 5 years) and long-term future of the company. Only the statement as to the short-term future would be subject to a financial statements audit. The company could decide to seek further assurance on its medium- and long-term statements, and would reflect this in its Audit and Assurance Policy.
- In addition, auditors should report any anxieties about the resilience of the business to the board. If these anxieties are not sufficiently addressed by the directors, the report recommends that auditors should also be under an obligation to report to ARGA.
Some other key recommendations
- Audit Fees: Sir Donald Brydon raises concerns as to the independence of the audit engagement partner who has proposed and negotiated a fee, and the risk of auditors being put under pressure to reduce work by CFOs whose departmental budgets may bear the burden of the fees. The report recommends that fees are negotiated and agreed by audit firms other than through the engagement team, and that the law is changed so that audit fees are shown next to dividend in the profit and loss account in order not to impact on measures of results that are relevant to incentives.
- Estimates and ranges: The audit report should include some substantive discussion of the key areas of measurement uncertainty and provide information on the ranges and sensitivities associated with the point estimates for those measurements. Somewhat surprisingly, the Brydon report concludes that the evolution of forms of graduated findings should be "left to the marketplace" rather than made the subject of standardisation laid down by the regulator.
- Whistleblowing: In order to encourage protected disclosures to auditors, the report recommends that statutory auditors are added to the list of Prescribed Persons under the Public Interest Disclosure Act, and that the protections available to employees should be extended to other stakeholders with a direct economic relationship in the audited entity.
- Technological developments and sampling: The report proposes that "given the developments towards considering 100% of transaction data", audit reports should explain the reasons for the necessity and basis of any sampling techniques used in conducting the audit.
- Resignation of auditors: The report expresses concerns that there remains insufficient transparency around reasons for the resignation or dismissal of auditors, or decisions not to re-tender. The report recommends that amendments are made to the Companies Act to strengthen the provision of related information to shareholders and other stakeholders, by requiring auditors to address standard written questions and (in cases of resignation or dismissal) attend a general meeting to answer questions there.
- Books and records: Further guidance should be provided by ARGA on the auditors' responsibilities towards the assessment of the adequacy of books and records.
- ARGA: ARGA should publish details of audits it commends, not just those it sanctions for failings. The report observes that it is as important for ARGA to back its judgments publicly as it is for auditors; the risk that something might subsequently go wrong "is one of the normal risks of professional life". ARGA should also create a formal confidential mechanism to enable investors and other stakeholders to raise concerns with it about particular audits.
- Joint audits: The report makes no recommendation but defers to the outcome of BEIS's consultation on the CMA proposals for joint audit. Sir Donald Brydon comments that "it is far from clear what the impact of such audits would be on quality".
Sir Donald Brydon's report will next be considered by BEIS, with a view to the preparation of a BEIS consultation paper on implementation of recommendations. Having said in his report that auditing has "lost its way", it remains to be seen whether Sir Donald Brydon's recommendations will light a path towards a future in which the profession will have surmounted the challenges it currently faces, or whether his report will serve only to entangle the auditor in a denser thicket of obligations.