Introducing independent regulation helped restore public confidence in the audit profession after the major corporate scandals of a decade ago. As business reels from the recent financial crisis, regulation is in the spotlight again, with questions being asked whether the level of oversight is appropriate – or whether audit firms are struggling with too strict a regulatory regime.
Audit regulation in the UK now works under a two-tier system. Until seven years ago, ICAEW was responsible for monitoring audits its members performed under the Companies Act. In 2005, as part of the post-Enron reforms, the Audit Inspection Unit (AIU) took over the monitoring of audit work on public interest entities. ICAEW continued to be the frontline regulator for all audits of private companies and other non-public-interest entities carried out by its members. This is done through the Quality Assurance Department (QAD). Feedback from firms reviewed is that QAD’s approach is tough but fair.
Pauline Wallace, PwC’s head of public policy and regulatory affairs, says her fellow partners feel QAD is an effective process and the monitoring is the right level for non-public-interest entities. "This area can be dealt with more efficiently by ICAEW," she says.
It’s no longer acceptable for professional bodies to be completely self-regulating for audit
Vernon Soare, ICAEW executive director of professional standards
On the other hand AIU reviews are highly demanding on the reviewed firm’s time and resources. In some cases the regulator has an almost permanent presence at the audit firms, raising the intriguing possibility that the regulator spends more time regulating an audit firm than the firm does doing its clients’ audits.
Some practitioners have privately commented that the process is too much (while several firms subject to detailed AIU reviews declined to comment for this article). One of the firms that did agree to an interview was Mazars, which has recently completed its first AIU inspection. This involved the AIU team working at the firm’s offices for six months during which it carried out a review of four Mazars’ audits and more than 600 documents dealing with practice-related matters. "The process was very time intensive," says David Herbinet, head of Mazars’s corporate and public interest markets. "Providing the information, discussing findings, then the AIU report tied up significant resources."
While Herbinet says that Mazars did not see much duplication between QAD and AIU monitoring, he reports that other firms say they have. "It would make sense for the different regulators to look at how the system as a whole is functioning, to see if the scope can be improved and any duplications minimised," he says.
If the AIU is so deeply embedded in the work of the auditors it is monitoring, why didn’t it pick up on the problems with the banks? This point was raised in last year’s House of Lords’ review of the audit profession and its regulation.
ICAEW executive director of professional standards Vernon Soare says this point brings up some important issues both about the accountability of the AIU and its parent body, the Financial Reporting Council (FRC). "The proposed changes to the FRC’s structure and governance will have the FRC reporting annually to the BIS Select Committee," he says. "It’s a question of who monitors those who audit the auditors; of accountability and where this eventually rests."
Wallace says the thinking to come out of the financial crisis is that the whole system – not just audit – should have warned of what was to come. "The whole corporate reporting system probably needs to change. Audit will inevitably play a part in the redesigned system but you can’t just tweak one component, you have to look at the entire framework."
The legal side of the audit framework, including audit monitoring, is enshrined in the EU Statutory Audit Directive. This specifies the need for an independent regulator to be responsible for ensuring that audit work on public interest entities is done to a proper standard. While the UK has a clear split between the work of the AIU and that of ICAEW and other recognised supervisory bodies, other EU countries have a different interpretation of the directive: in several countries professional bodies review all types of audit work while independent regulators review all work of the professional bodies.
While the approach differs, the basic move towards independent regulation has been happening not only in the EU but elsewhere in the world. "It’s no longer acceptable for professional bodies to be completely self-regulating for audit," says Soare. "There’s an increasing tendency for independent oversight, particularly of the public interest sector audits."
Wallace is happy with the way the audit regulation system works in the UK, but is concerned about current proposals from Brussels, which would insist on all audit regulation coming under the remit of the independent regulator. "A professional body ought to have some regulatory obligations – that’s what makes the difference between it and a trade body," she says. "It’s right that the AIU as a completely independent body should continue to review the audits that matter to the capital markets. But the rest can be dealt with more efficiently by ICAEW."
Shining a light on audits
The AIU’s independence should give investors confidence in audits of public interest entities, as should the transparency over its findings. In 2010 the regulator started issuing individual reports on the outcomes and conclusions of its work at the larger individual firms. The AIU has what have been described by several practitioners as, "very lively" discussions on the reports with the firms involved before the content is made public. The latest set of reports displayed what ICAEW president Mark Spofforth describes as "clear improvements on 2010", despite some less favourable coverage in the media.
"We’re encouraged by the transparency of the results," says Phil Crooks, head of audit at Grant Thornton. "The advantage of results being made public is that we can say: look, the regulators say our audit quality is as good as anyone else’s." Herbinet agrees. "When you look at the reports you see there aren’t really significant differences between the very large firms and firms like Mazars."
Transparency has a flipside though: although they get to see the reports before they are issued, the firms cannot control what’s reported. Crooks says some audit committees at client companies have been keen to find out more about the comments that the AIU has made on their audits. "It’s quite legitimate that they want to know what the comments really mean. We then need to put these into context. As the AIU reports make clear, the team doesn’t review all of an assignment but looks at what they perceive to be the high-risk areas. It’s not surprising their findings can be, well, challenging."
Crooks believes more work is needed to understand the way stakeholders read the reports and their interpretation of them. "The FRC has done much to engage audit committee chairs but further work could be done to make sure the reports issued meet stakeholders’ requirements," he says. "If you want to engage with readers, you have to ask how they’re interpreting the material."
Another issue for Crooks is the tricky matter of consistency. "You need to strike a balance between the inspector having the freedom to highlight and report issues or giving inspectors a lead on what they should focus on. You run the risk of reporting what you think should be there as opposed to reporting what you find."
The AIU states that its monitoring approach includes critical assessment of key audit judgments made in reaching the audit opinion. However, in practice Herbinet says there is a strong focus on compliance with standards. "There is a certain degree of judgment – as there should be – in international standards on auditing. The AIU has to form a view based on what it sees in the audit files."
He feels the system would benefit from dialogue between the regulator and the firms about building continuous improvements in audit. "There needs to be a balance between doing a good job from a compliance point of view and from the adding-value point of view. Some of the expectations gap arises from this, with the client expecting one thing and the audit firms and regulator delivering something else. This is an ongoing issue that firms have to get a grip on."
Overall, Wallace thinks the AIU reports make clear that audit quality is "really good". She says: "There are times when things don’t go according to plan. You wouldn’t have confidence in a regulatory process that never found anything wrong."
She says the UK should be trumpeting the fact that its audits are of such a high quality. "The positives to come out of the AIU process are that the systems are good, the right messages are coming from the top down, firms are focused on audit quality and this pervades everything they do."