Earlier this year the Financial Reporting Council (FRC) published the findings of its thematic review into whether audit practices are ensuring their quality control procedures are up to scratch. Its conclusions were blunt. Although firms are devoting substantial resources to audit quality control, says the FRC, it thinks they are not doing enough to monitor the controls that ensure quality audits are performed consistently across the firm.
The FRC identified more audits that needed significant improvement than the firms did. That’s not good enough for the regulator, which expects firms’ monitoring to be as robust as its own.
The FRC regulates public interest entity audits so it might seem that this finding matters only to the largest firms. However, changes in UK law to bring in the EU Audit Regulation and Directive later this year mean that an additional number of firms – current estimates are 50 – will come into the FRC’s sights.
ICAEW’s regulatory arm, responsible for regulation outside the FRC’s remit, believes all firms should be interested in the thematic review’s findings. “The subject matter of this review might be the biggest firms but the findings should resonate with any practice,” says Trevor Smith, regional director in the Quality Assurance Department (QAD). “Any firm should use the findings to take stock and ask: does this highlight issues we should be challenging ourselves about?”
Large firms can afford to have separate teams dedicated to reviewing their quality assurance. For instance, Smith & Williamson has a senior quality monitoring committee which is independent of the people who do the quality assurance reviews. This committee considers the results of the reviews and identifies common themes, ensuring the results are fed through to the learning and development, technical and quality assurance groups.
The key point is making sure someone suitable is given responsibility to take this overall view and for ensuring the actions needed are taken, says Matt Howells, head of the firm’s national assurance technical group. “It’s all very well identifying weaknesses. But if you identify issues on a particular file you might want to look at that file the following year to make sure these issues are being addressed. Or if you find something that has a wider thematic implication across the sector or the firm, you might make changes to your methodology or training. Then you need to ask: has that change been effective? We would need to do a cold file review and some specific reviews in the area to make sure the improvements are being followed through.”
Under audit regulations firms need to review the work of each audit partner at least once every three years. The FRCs comments on the frequency and extent of firms monitoring (firms should consider whether [this is] appropriate to meet regulatory requirements) suggests the regulator would like to see more regular reviews, possibly a more prescriptive approach to the audit regulations.
This goes against the general direction of regulatory rule reduction, relying more on judgement and less on tick-box adherence. Todays approach encourages accountants to concentrate on outcomes and use their judgement against a set of principles, says Peter James, head of ICAEW regulatory policy.
It would appear that firms have variable views of how in-house monitoring should be conducted, he says. Their judgement, however, would be influenced by compensating controls: by other factors which add to or reduce the risk of poor quality in the performance of audits.
Leadership is crucial. “If the tone at the top isn’t right, you’re not going to get people further down buying into the idea that the quality of what they’re doing is important. Whoever is in charge of your quality monitoring process must be sufficiently senior to be able to go to any partner and say, you need to address these areas. Otherwise they won’t have the clout.”
The pressure is on for firms to concentrate on root cause analysis: to find out about the issues underlying problems and to do something about them. The FCA review refers to this, commending the firms reviewed for their good practice in digging down to find the reasons for problems found.
Root cause analysis is an important part of the monitoring process says Gill Spaul, technical director at Moore Stephens Europe. “It means stop thinking only about what happened: you’re only going to fix it if you work out why it happened. Otherwise you will carry on year after year doing the same old thing.”
But firms shouldn’t expect any kind of quick fix. “Building root cause analysis into systems is not going to change things overnight as these root causes are likely to be complex, and possibly outside firms’ control. Focusing on ‘why’ will instead bear fruit in the long run.”
RSM conducts its root cause analysis on two levels. On a macro level quarterly meetings between the quality assurance department, senior audit management, and technical and training teams consider how the different parties can address any issues identified that impact audit quality. At a micro level the review of audit files drills down to explore underlying causes, for example, for non-compliance with the ISA’s or firm’s procedures.
The reviewers produce written notes on the file and ask the audit teams to respond, says James Farmbrough, head of QAD. “Their responses fall into two columns: in the first they need to explain mitigating factors while in the second they set out how they will do things differently in the future. This second column flows into a personal action plan for all audit partners and managers in which they commit to future actions.”
Farmbrough’s team considers controls and bounces issues found back to those charged with operating these controls. “We look at controls such as attendance at training courses, internal authorisation so certain categories of audits can only be done by certain people, second partner review, and so on,” he says. “But don’t forget there is a control in the first partner review. Audit partners are responsible for forming an audit opinion but also carry out a quality control function as they review the work carried out by the audit team. We try to emphasise this responsibility, asking them why they didn’t spot things we have picked up in their review, holding them accountable for that control.”
Help for smaller firms
ICAEW is working on developing practical guidance for smaller firms to help them identify root causes of audit and control deficiencies. “Where something has been going wrong, the guidance will help firms explore the reason for the problem and what to do about it,” explains Chris Cantwell, technical manager of practice regulation in the Audit & Assurance Faculty. “It’s not just about having the right manuals and processes in place but could include other factors, such as people issues.”
A number of smaller firms use training organisations to review their audit quality control and cold file reviews. “Don’t underestimate the value of an external review,” says Trevor Smith, regional director in the QAD. “These firms can give you objective feedback and bespoke training to address issues identified.”
Communication is a vital factor in this, says Spaul: a reviewer needs to be able to articulate issues when they find them and to know who to connect with. “It’s all about communication. You could have the best monitoring system in the world but if you can’t communicate information about the system and get people to understand how to work within it, then you might as well not have it.”
The FRC review carries a message for audit committees, pointing out the essential role they can play in reviewing and monitoring the effectiveness of the audit process, building investor confidence in the quality of the audit and, ultimately, the credibility of the financial statements. While Chris Cantwell, technical manager of practice regulation in ICAEW’s Audit & Assurance Faculty, sees pressure currently coming more from the regulators, he thinks that audit committees can play a greater part. “They are interested in the firm’s culture, and audit quality control monitoring relates to this.”
Howells echoes the observations from other firms that audit committees of existing clients do not currently appear too interested in audit quality control. However, he is starting to notice more questions in tender documents about how the firm assesses the quality of its work. “We don’t have individual public reports in the same way the bigger firms do, so the tenders now ask what procedures we have in place. This is something that has increased recently and is an area of interest that I think is only going to grow.”