New rules are being introduced which will provide for access to audit working papers for successor auditors. Mark Sutton considers the implications.
Firms have always worked on the assumption that their internal audit working papers belong to the auditor, rather than the client, and do not need to be disclosed to a third party. As such, auditors have proceeded on the basis that they cannot be compelled to disclose their papers, except in exceptional circumstances (such as pursuant to a court order), and normally only after a satisfactory hold harmless letter has been obtained from the recipient. However, following a European Commission Directive, which will be implemented in the UK from 6 April 2008, there will be a requirement on auditors to provide access to “all relevant information” where a successor auditor makes a request for access.
This new obligation is not established in existing UK law, neither is it covered by the Auditing Practices Board’s ethical standards, or Audit Regulations. It is likely to have significant risk implications for auditors, because for the first time the duty of disclosure includes access to working papers.
The Directive and Companies Act 2006
The new disclosure obligations arise from the EC’s Directive on Statutory Audits of Annual and Consolidated Accounts, 2006/43 (the Directive). Article 23(3) of the Directive provides that:
“Where a statutory auditor or audit firm is replaced by another statutory auditor or audit firm, the former statutory auditor or audit firm shall provide the incoming statutory auditor or audit firm with access to all relevant information concerning the audited entity.”
The Directive is to be implemented in the UK by way of the Statutory Auditors and Third Country Auditors Regulations 20071. The UK regulations come into force on 6 April 2008, and will substitute paragraph 9(3)(c) of Schedule 10 to the Companies Act 2006 (the Act), to require that:
“A person ceasing to hold office as a statutory auditor makes available to his successor in their office all relevant information which he holds in relation to that office.”
To coincide with the Act, the Joint Audit Committee has issued revised audit regulations (the Regulations) for implementation in April 2008. The Regulations provide that a predecessor auditor must provide access to documents, when requested by a successor. The scope of “relevant information” that can be requested is wide, and will for the first time include information contained in auditors’ working papers. It will also encompass both company audits and noncompany statutory audits. However, access will be limited to the last audit carried out by the outgoing firm, and only the last year’s worth of papers.
Why is the new law necessary?
The Directive’s primary driver is to raise the quality and transparency of audits so as to ensure that investors, and other interested parties, can rely fully on the accuracy of audited accounts. It also aims to enhance the EC’s objective for the protection against crime, and against the backdrop of the recent scandals involving Parmalat and Ahold. To this end, on announcing the Directive in 2004, Internal Market Commissioner Frits Bolkestein said: “Auditors are our major line of defence against crooks who want to cook the books. Parmalat was a reminder of what happens when that defence fails. Faith in financial reporting and in the markets is destroyed. Unless it is specifically restored, investment, jobs and growth will be lost.”
The Directive also dovetails with the findings of the Financial Reporting Council’s (FRC) recent investigation into audit choice. With the assistance of various market participants, the FRC published 15 recommendations for improvements. One of these suggested that mechanisms should be put in place to improve access by an incoming auditor, to information relevant to the audit held by the outgoing one. The participant’s group found that:
- audit committees perceived changing auditors to be costly and risky
- the costs and risks associated with change, acted as a strong disincentive to instruct new auditors.
In particular, the participant’s group was conscious that it takes time for a new audit team to develop an understanding of the client’s business, and this can cause disruption, and hence is a barrier to change.
However, the Directive and Act do pose new risks for firms. Some of these concerns have already been raised by the ICAEW during consultation on the draft Act. These concerns include:
- Additional liabilities The ICAEW is concerned that the new disclosure obligations could create additional liabilities for auditors, which was not the intention of the legislation.
- Duties relating to confidentiality, data protection and money laundering The ICAEW considered that whilst these duties did not apply to new auditors reviewing a predecessor’s working papers, the position should be specifically clarified in the Act.
- Hold harmless agreements Historically, where firms have provided others with access to working papers, there is typically a hold harmless agreement in place, limiting a firm’s liability. However, under the Act, an outgoing auditor must provide access to their papers, regardless of whether there is a hold harmless agreement in place, or not.
Following the consultation period, the Department for Business Enterprise and Regulatory Reform confirmed that the Act does not intend to alter the existing duties owed by auditors. However, the Act does not require a hold harmless agreement, as a condition of audit working papers being disclosed. Therefore there is a risk that new auditors may use the Act as a tool by which to amass information to support or encourage a client’s claim or complaint against a predecessor auditor. Whilst the Act does not alter auditors’ liabilities, it will make it easier for claimants to build a case. Equally, whilst the Act was intended to make it easier for an auditor to get up to speed on a new appointment, there is a risk firms will instinctively rely upon the working papers of their predecessor, without fully testing the findings. As such both the incoming and outgoing auditors may face enhanced risk.
The Audit and Assurance Faculty is due to publish (in March 2008) guidance on how the industry can manage its duty of care when providing access to working papers. Whilst it is only guidance, and not a requirement, i envisages putting in place a hold harmless framework, including proforma letters for requesting documentation, and authorisation from clients. This offers some comfort should it be adopted as industry practice.
S389A Companies Act 1985
The requirement to disclose auditing material, is not entirely unprecedented. Under s389A Companies Act 19852 an auditor of a parent company can require the auditor of a subsidiary to “provide him with such information or explanations as he thinks necessary for the performance of his duties as auditor” (emphasis added).
The requirement to provide disclosure under s389 overrides any confidentiality obligations, and similarly can be used as a mechanism by which to gather evidence to mount a claim or complaint. However, the test for disclosure under s389 is limited to that of “necessity”, to allow the auditor of the parent company to complete its audit. The test for disclosure under the Act is much wider, namely “all relevant information”.
The Act’s new disclosure requirements will present firms with fresh challenges from April. Whilst firms should clearly request hold harmless agreements whenever faced with a disclosure request by a successor auditor, an agreement cannot be insisted upon. As such, firms will need to pay even closer attention to the quality of their working papers, than they do already, alive to the fact that disclosure requests could be used by former clients as document “fishing expeditions” searching for material to help support future claims.