IT IS A RARE feat to introduce regulation that keeps investors, companies and account preparers happy but it seems the FRC’s extended audit committee and auditor reporting policy may have managed it.
Many FTSE 350 companies and their auditors are yet to report using the new standards, which came into effect on 1 October and require committees and auditors to say more about company risks and how they became comfortable with key judgments made by management. Nevertheless, investors have hailed the first wave as taking steps towards an open dialogue.
Investors are encouraged by the progress made since last year. Iain Richards, head of governance and responsible investment at Threadneedle, says he has been “pleasantly surprised by the usefulness of some of the disclosures”, while KPMG head of audit Tony Cates has applauds the watchdog “for its bold decision to set us off down that path” of greater transparency.
A recent KPMG survey into 134 listed companies’ auditor and audit committee reports found a diversity of approaches, particularly when it comes to the identification and description of risk – an issue also flagged by FRC research. Despite this, KPMG technical accounting partner Mike Metcalf says he is impressed by the quality of work produced since the standard was issued in June 2013.
“There is a certain amount of variability in terms of what one gets out of an audit committee statement or an auditor’s report, but I think we’ve come an enormously long way in a short time,” he said. “That variety is only to be expected when we’ve done something that is frankly an overnight revolution.”
In a foreword to KPMG’s study, which assesses the reports and statements made in relation to FTSE 350 companies published since the standards came into effect, Threadneedle’s Richards stresses auditor reports are more than just due diligence; they also build trust and credibility in the shareholder/business relationship “in a world that is rarely black and white”.
Auditors are now required to provide a description of key audit risks and how they were addressed in their statements that accompany annual reports, while also providing an explanation of materiality in planning and performing the audit and how materiality influenced the scope of the audit.
The report finds auditors report an average of 3.5 risks, excluding management override of controls and fraud in revenue recognition. The spread of risks in auditor reports ranged from one to eight; however, the report notes the number of risks documented do not necessarily correlate with companies’ FTSE ranking, which KPMG says shows auditors are responding to specific circumstances, rather than applying a pattern of smaller company, fewer risks.
The most common risks remain impairment, taxation, provisions and revenue recognition – areas that can be subjective and that can apply across a wide range of types of business. The largest single category, after impairment risks, is “other”. A significant proportion of these 38 occur only once. They often relate to accounting judgments, for example the appropriate accounting for aircraft maintenance arrangements, broadcasting royalties or particular powers over an investee.
It is not only a case of the numbers of risks being disclosed, but how they are explained that really sets the reports apart.
KPMG’s findings echo analysis carried out by the FRC, which found “a variety of approaches with audit reports varying in terms of the depth of the auditor’s description of the risks and their approach”, the watchdog’s director of audit policy Marek Grabowski says. A Citi Research review published in March also drew similar conclusions, noting “very significant variations in quality”.
“Some people thought of things others hadn’t, there were different depths to which auditors described their thoughts on risk and how they’d responded to that in their audit work – I wasn’t surprised to see that,” says Metcalf.
“The standard is written at a fairly high level and the challenge was for audit firms in a short space of time to work out how to respond to that. It seemed inevitable there would be some variety.”
In a way, this variability is a positive, Metcalf argues, as “if they’d all looked the same, it probably means they wouldn’t have been very good”. However, he noted the differences in description of risks as “an area where there’s most that can be done”.
BDO partner James Roberts agrees variability is not necessarily a bad thing. For audit firms, it may actually be an opportunity, as firms “are trying to differentiate themselves from each other”.
“The more guidance you get, the more people go on producing dry repetitions of the rules,” he says. “If you say to people, ‘put in what you want to put in,’ you end up with much more variability and interest. I think that’s what’s happened here, and it’s giving people the opportunity to differentiate.”
Variability extends to audit committee reports, while there were also a number of cases with differences between the risks in the auditor report versus the issues identified by the audit committee report. “If the auditor includes a risk in the audit report, we would expect that the same issue would have been communicated by them to the audit committee,” KPMG says in its findings.
Some audit committees produced detailed narrative, outlining what the key risks were, why they were an issue for the company, the evidence they considered and how the committees reached their conclusions – in particular showing that they were pro-active, for example in seeking information from management and not just reacting to what was provided to them.
In contrast, a number of audit committees were less forthcoming in these more judgmental areas – stating their reliance on management’s views but not providing further explanation.
“The risk is that these different approaches will give the impression of different styles of audit committee, ranging from those that are more active and engaged to those with a more passive style. That passive style of reporting could give the impression of a passive style of audit committee,” the report finds.
Keep it fresh
A win straight out of the blocks is to be commended, but the test going forward will be to keep reports fresh. The risks of a business are unlikely to change dramatically in years two and three, Metcalf says, which could lead to repetition.
“How do we keep it fresh when the risks next year are potentially pretty much the same? We don’t want it to appear to be boilerplate or standardised simply because that is what was said last year. That is a challenge,” he says.
Investor feedback will be crucial to ensure the reports remain insightful. “One way to do this is to make sure that they communicate entity and circumstance-specific information that draws out important insights from the current audit,” says the FRC’s Grabowski.
Indeed, investors have said they would engage more with audit committee reports if they provided “hooks” to form a discussion around, the UK’s reporting watchdog has been told. A report by the FRC’s Financial Reporting Lab issued last year found that investors want audit committee reporting to be bespoke and company specific and for significant financial statement issues to be tailored to the company each year.
KPMG’s Cates says investors’ interest in reports is “the most encouraging thing” to take from recent developments. From the firm’s perspective, the most interesting element for shareholders has been the small number of reports that included its findings in addition to the key risks and the auditor’s response to them. Further debate is needed as to “whether findings reports should become the norm”, Cates said.
While debate continues over the direction of future years, it’s important to acknowledge the positives, BDO’s Roberts says.
“Broadly it’s a good thing and people are approaching it with a degree of enthusiasm, and what I’ve seen from investors is that they like it,” he said. “For once, people seem to be doing something that everyone approves of.”
Steve Butler of Punter Southall Aspire highlights the importance of pension governance meetings to protect against mistakes and safeguard company reputation
Simon Wright of CareersinAudit.com discusses how an effective cyber defence force is critical to businesses worldwide and how internal auditors can make the transition to a new career in cyber security
The FRC has said that the investigation will 'consider, but not be restricted to, issues regarding misstated accounting balances'
Craig Maxwell joins the audit and assurance team in Scotland