We are coming to the end of the traditional audit busy season. Company announcements are being made, accounts are being signed off, where required preparations for filing with regulators or exchanges are under way. In any year, this is a busy time for directors and, in particular, for audit committees.
2021 is, of course, a unique year for financial reporting. Financial statements will reflect a year which for many businesses has seen their profits obliterated, for many more reduced, and for the lucky few growth beyond their wildest expectations. It has also seen remote working move from a suggestion to a full-time reality for many sectors of the economy.
The Virtual Audit
This has presented a unique challenge to the auditing sector. An activity that is habitually if not universally undertaken on-site in the premises of the client has moved into a virtual space, with all the challenges that distance and lack of real time access to people brings. To give one example, auditors have had to innovate as regards how they oversee stocktakes, which is pretty difficult if you’re not allowed in the warehouse. And, at the same time, the demands of audit have not changed. The law remains the same, the standards remain the same, and the regulation of auditors, by their professional body or for public interest entity (‘PIE’) auditors by the Irish Auditing and Accounting Supervisory Authority (IAASA), is equally unchanged.
As this goes to print, IAASA will be publishing the results of its latest round of inspections of PIE auditors. These reports cover seven firms: BDO, Deloitte, EY, Grant Thornton, KPMG, Mazars, and PWC. The reports provide information on how the firms as a whole structure and run themselves to ensure audit quality. And they also take a sample of audits and review them to ensure that those structures translate into a high quality audit. If there are significant issues, IAASA can launch investigations into a firm, and/or an audit partner, and sanction them where warranted. One firm has already been subject to sanction in this way.
But what is a high quality audit? Surely an audit is an audit? And why should directors care about whether one firm or another signs their name to the audit report?
Put simply, an audit is required to be performed to a set of international standards, and as such the same minimum standard of quality should apply. However, in practice our reports show that this is not always the case. Firms differ. And this stretches well beyond those firms which IAASA reports on. The vast majority of audit firms are regulated by their professional bodies, who inspect them to see if their audits are being undertaken to the required standard. While they do not publish reports, each body rates the audit firms and, where necessary, demands improvements.
A poor quality audit means that, while the audit report may say the financial statements give a true and fair view, the audit work may not back this up. Furthermore, this is where directors need to take note. It is not the responsibility of the auditors to make sure the financial statements give a true and fair view, it is the directors. It is not the responsibility of the auditors to ensure the company keeps proper accounting books and records. That again is the directors, and failure to ensure this is a Category 2 offence under company law. That means up to five years in jail and a €50,000 fine. Per offence.
This is the law that applies to all companies. For larger companies, there can be even more onerous requirements for directors. For example, in the US under the Sarbanes Oxley Act directors need to sign off on the internal financial controls of the company. Again, penalties in this scenario for directors include fines and imprisonment. Recent reports indicate that the UK is considering introducing similar measures for company directors as part of a range of responses to high profile corporate failures.
While there are no indications currently that such measures will be introduced in Ireland, at EU level there has been a demand for a legislative and regulatory response to the collapse of Wirecard, and the revelation of a €1.9billion hole in its cash reserves. Fraud has been and remains a criminal offence, but the focus of legislators has turned to the failure of systems, both internal and external, to identify the issues in Wirecard before its catastrophic demise. Amongst the responses under consideration is an extension of Sarbanes Oxley type requirements to certain categories of EU entities. Of course, any such amendments to EU law would take some time, but what is clear is that increasingly directors will be held to account where companies fail.
The Importance of a Quality Audit
Which brings us back to those high quality audits. Again, to put it simply, the auditors’ report is a key mechanism in allowing the company directors to have some level of trust in the financial reporting of the company, for which they are legally responsible. It is, of course, just one mechanism. Under the standard three lines of defence model, a company should have robust systems, controls and internal oversight processes to also give comfort to directors. This model should ensure that a company is properly recording and reporting its results. But the external audit, undertaken in accordance with international standards, issued in Ireland by IAASA, and carried out rigorously and to a high standard, plays a critical part in the oversight process. An audit, properly undertaken, will identify the key risk areas, and will set out how the audit team will have addressed these issues.
There are also mandatory requirements for communicating with audit committees (or whomever is charged with governance of the company), where all of the issues and how they have been addressed are communicated, without having to go through management or the finance team. For listed entities, audit reports are now full of much more useful information about the audit including, for example, what were the key risks, and what was the materiality level the auditors applied in reviewing transactions.
Company directors, knowing what their legal responsibilities are, should be motivated to get the highest quality audit they possibly can and not, for example, the lowest cost. In assessing their auditors, and potential auditors, directors should be asking questions about audit quality. When was the last time the auditor was inspected? What were the results of that inspection? If an auditor is reticent about sharing these then directors can draw their own conclusions. And, of course, for the firms that IAASA regulates directly, it’s all there in the public domain.
These reports are not the only measure of quality, of course. Directors need to satisfy themselves that the audit firm has, or can, obtain a good understanding of their business, that they have the available resources to carry out the audit, and that the individuals doing the work are high calibre. These are all individual judgements, which can be supported by the external reviews on the firms as a whole.
Ultimately, while the audit report is addressed to the shareholders of the company, the persons who can derive some measure of security from it are the company directors. It is directors, therefore, who need to think very carefully about how they measure that security. Do you want the cheapest, or the best? If you find yourself in the nightmare scenario of a potential financial hole in your company, do you want your auditors to spot it and inform you in good time, or do you want to read about it in the morning? The choice is yours.