05 February 2020 by Peter Swabey
The independent review by Sir Donald Brydon makes recommendations and proposals to improve the quality and effectiveness of audit
Sir Donald Brydon’s independent review into the quality and effectiveness of audit (the Brydon Review) was published on 18 December – all 135 pages of it. It is an excellent piece of work covering a variety of issues and making 64 recommendations, a number of other proposals and suggestions, intended “together to stimulate improved quality and effectiveness of audit in the UK. They relate not only to the work undertaken by the auditor but to the part played by others in relation to the audit”.
A number of the recommendations relate primarily to audit and the work of the auditor and so will not be considered in detail here, but others will, if adopted, make significant changes to a number of aspects of the work of the audit committee and of the company secretary or governance professional who supports it. Although in many cases they are applicable only to the FTSE 350, it is likely that many of the proposals will be adopted more widely across the market and across sectors.
Regular readers of previous articles in Governance and Compliance magazine, or of our technical briefings, will know that the Chartered Governance Institute’s consistent position on all the various consultations relating to the audit profession has been that there are three principal issues that fall to be resolved:
• clarification of the role of audit in order to reduce the huge perception gap that exists between the political, press and public expectation of the role of audit and that which an auditor would perceive it to be
• fostering a greater spirit of professional scepticism among auditors to remove, or at least reduce, the ‘delivery gap’ that the Financial Reporting Council and others have identified between auditor performance and existing audit requirements
• increasing confidence on the part of companies, investors and some regulators in the ability of smaller auditors to perform to the same standard as members of ‘the Big Four’ - the ‘competition gap’.
I was therefore delighted to see two of these three issues addressed by Sir Donald’s recommendations. On the first point, he recommends that “the Audit, Reporting and Governance Authority (ARGA) together with auditors and the Plain English Campaign produce an appropriately concise guide to audit, explaining clearly what the different elements of an audit report mean as redefined in this Report, and what, just as importantly, they do not mean”. Sir Donald also recommends a statement of the purpose of audit to be adopted by ARGA and the Government: “The purpose of an audit is to help establish and maintain deserved confidence in a company, in its directors and in the information for which they have responsibility to report, including the financial statements”. It seems to me that this constitutes a move away from the relatively tight definition of the role of audit in the typical engagement letter and towards the public expectation of the role. This is reinforced by some of the other audit-related recommendations, for example “that auditing should provide information that is useful to present and potential investors, lenders, creditors and other users in making rational investment, credit and other decisions and assessments about the company”; “that auditors should be free to include original information, materially useful to a wide range of users, in their audit report and at the AGM, and not be confined to commenting on that which has already been stated by directors”; and “that the [existing auditor] obligation [to read and consider other information in the Annual Report and to report if they consider it to be materially misstated] should be extended to material outside the Annual Report that is used in investor presentations and RNS announcements”.
On the second point, he recommends that ARGA “acts as the midwife to create a new profession of corporate auditing, establishing the necessary professional body, to encompass today’s auditors and others with appropriate education and authorisation. ARGA would be the statutory supervisory body for that profession”. This will be a significant change for the role, particularly given further recommendations “that an auditor’s authorisation to carry out audits in particular areas of activity should flow from tailored qualifications which they have achieved” with ARGA tasked with ensuring “that education, training and, if necessary, retraining, should take place consistently across this new profession” and “that the development of a specific auditor qualification, including education and training, should become a high priority for ARGA over the coming years” together with the development of an “agreed definition of professional judgment which builds on ISA (UK) 200.” “Training in both forensic accounting and fraud awareness [should] be part of the formal qualification and continuous learning process to practise as a financial statements auditor. In developing qualifications for auditors of other areas of activity, parallel training should be established”.
ARGA is also charged “that the Principles of Corporate Auditing should be established to form an overarching framework governing the behaviour of corporate auditors, and that standards and rules should sit within this framework” and “that each audit report contains a statement to the effect that in conducting the audit the auditor has acted faithfully in accordance with the Principles of Corporate Auditing”.
Put together these recommendations will, if adopted, have a significant impact on the perception gap around the role of audit and the delivery gap between auditor performance and audit requirements.
Sir Donald recommends the introduction of a new Public Interest Statement, which will form part of the Strategic Report, in which the directors “should set out … how they view the company’s legal, financial, social and environmental responsibilities to the public interest. This Statement should explain how the company has discharged its self-declared public interest obligations and responsibilities, what actions it has taken to mitigate any externalities it has caused during the period, and how effective these actions have been … the audit report should state the extent to which the audit has yielded sufficient evidence of consistency between the content of the Public Interest Statement and the Annual Report and Accounts as a whole. The auditor’s opinion should state whether, based on the evidence reviewed, the directors’ Public Interest Statement is presented fairly in all material respects” and “if the auditor considers there are other risks of similar or greater significance to those reported by the directors, based on its knowledge of the company, the auditor should report this fact”.
This Public Interest Statement will be supported by “a Resilience Statement that incorporates, enhances and builds on the [current] Going Concern and Viability Statements”.
It is hard, at first sight, to see how the Public Interest Statement will differ from the s172 reporting now required in the strategic report but we will know more when the more detailed requirements are published.
The review also makes a number of recommendations around the responsibilities of the audit committee and its chair, the way in which the committee must operate and the disclosures that it must make in the annual report.
For example, Sir Donald recommends “that the directors’ Risk Report should be published prior to the audit committee meeting at which the scope of the next audit is determined and endorsed, leaving sufficient time for shareholders to comment … [with] … a formal invitation to shareholders to express any requests they have regarding the areas of emphasis they wish the auditor to incorporate in the audit plan. The audit committee should state the auditor’s proposed materiality levels for the forthcoming audit with this invitation” and “the audit committee and the auditor [should] be required to publish the reasons why they accepted or rejected any such requests in their Reports”. Past experience suggests that there will be little appetite from shareholders to comment on the risk report, particularly at a busy time of the year, and that this recommendation may not have the effect intended.
Sir Donald recommends “that the audit committee should describe the content of the debate [regarding differences of view between management and auditors] and its outcome, including the justification for the agreed treatment. For example, where the differences of view would have led to material changes in valuation, even when these differences have been resolved, the audit committee should report on the range of the initial views and where in that range the agreed valuation lies”.
Sir Donald recommends “that the Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302(c) and (d). This attestation should be received by the Board no later than 28 days before the accounts of the company for the relevant financial period are signed. The Board should then report to shareholders that it has received such an attestation.”
The idea of a UK version of Sarbanes Oxley legislation is one that has been suggested from a number of quarters and is one to which we shall return in a future edition of Governance and Compliance.
Sir Donald recommends a formal role for ARGA in receiving reports from those concerned about audit issues. He recommends “that ARGA requires auditors to report to the Board of Directors if they have encountered any information in the course of their audit which leads to an anxiety about the resilience of the business not reflected in the Resilience Statement. If they consider the Board does not pay sufficient attention to their anxieties, they should have an obligation to report to ARGA, or an alternative regulator depending on the circumstances” and it should “establish a formal confidential mechanism to interact with shareholders or other stakeholders to respond to concerns regarding particular audits.”
It should be noted that, as in other places in the report, this raises the question of to whom does the auditor owe its primary duty. There is an increasing focus on a public interest role rather than duty being owed solely to the company and its shareholders.
Some of the other recommendations relating to governance issues include:
• “That the audit report should include a new section in which the auditor states whether the company’s section 172 statement is based on observed reality, on the basis of the auditor’s knowledge of the company and its processes”
• “That a standing item be added to AGM agendas: questions to the chair of the audit committee and to the auditor.” Many companies would, no doubt, argue that this will already be covered in questions on the accounts
• “That a simple mechanism to enable the workforce to raise issues around risks and assurance should be developed in each company, so that the designated director (or other mechanism) be the recipient of those inputs. The company should then have an obligation to respond to the workforce as to the way in which it has reacted to their requests”
• “That any Key Performance Indicators used for the purpose of calculating executive remuneration should be subject to audit”
• “That amendments are made to the Companies Act to clarify and strengthen the process by which auditors and companies inform shareholders and other stakeholders of an auditor’s resignation, dismissal or decision not to participate in a retender”.
Generally, Sir Donald’s recommendations make excellent sense and, if adopted, will improve the standard of audit of UK companies. There are, however, just a few that seem unnecessary. For example, he recommends “that the audit committee publish a three-year rolling Audit and Assurance Policy which would be put to an annual advisory vote by shareholders for approval at the Annual General Meeting”. It seems to me that yet another advisory vote at the AGM is not especially helpful.
Sir Donald also recommends “that audit committee minutes be published with a time-lag of 12-18 months and with approved [by the auditor and by ARGA] redactions”. The justification for this proposal is that it “would help strengthen confidence in the role of the audit committee if shareholders and other interested parties could gain some insight into how the committee has reached a successful conclusion regarding the company’s handling of financial reporting and risk. In particular, there would be value in understanding how the committee has, where necessary, challenged the company’s executives, its senior management, its internal audit function or its external auditor, in order to drive changes in behaviour or reporting for the benefit of the company as a whole.” Sir Donald accepts that “faced with future publication, minutes will become more bland and less informative” but believes that “the remedy lies with shareholders who should not permit this behaviour”. It seems to me that, at such a distance after the event, publication of the minutes will serve no purpose and, more importantly, will not be as useful in determining what went wrong in future cases of corporate failure if they are prepared with a view to future publication. If shareholders do not have confidence in the directors that they have appointed, they should use their voting power to remove them and replace them with directors in whom they do have confidence.
Finally, he recommends “That a new body - the Audit Users Review Board - be established, comprising solely users of audit reports, to review proposals from and give advice to ARGA as to the evolution of audit”. I have some doubts as to the benefit of a body comprised ‘solely’ of users of audit reports as experience has shown that users do not always bear practicality or materiality in mind when proposing new corporate reporting.
All in all, this is a comprehensive review of the role of audit, which makes a number of important recommendations – the only gap in my view being that there is nothing to increase confidence on the part of companies, investors and some regulators in the ability of smaller auditors to perform to the same standard as members of ‘the Big Four’ - and we must now wait to see how Government carries it forward, together with Sir John Kingman’s review of the role of the Financial Reporting Council as regulator and the Competition and Markets Authority’s review of the audit market. The changes proposed are sufficiently far-reaching that they are likely to need revisions to the Companies Act and so there is likely to be a further period of consultation.
There are two other issues that will need to be carefully considered as part of this process. Firstly, the impact on competition as a number of the audit-related recommendations are such that whilst ‘the Big Four‘ firms will be able to implement them, there may be a more significant impact on those smaller firms that the CMA report is encouraging companies to use. Secondly, many of our larger companies have listings in multiple jurisdictions with their own legal and regulatory requirements. While UK companies must comply with UK law and regulation, those with, for example, a US listing will have to manage the concerns of their US lawyers around some of the disclosures that Sir Donald recommends.
The full text of the Brydon Review can be found here: icsa.org.uk/brydon-review.