Brydon Review: Call for deeper, wider audits
UK review reveals stakeholders would like more information on company prospects and risks
- Findings from high-profile UK review of audit quality and effectiveness are due at the end of 2019
- Less than half of investors see company audits as meeting the needs of investors
- ‘Big four’ audit firm PwC recommends more disclosures on risk
Less than half of the investment community believe company audits meet the needs of investors, according to a survey by accountancy firm PWC. Nearly three-quarters seek more information about a company’s future prospects and risks, and only a third say audit is effectively meeting the needs of the general public, employees, customers and suppliers.
The company was responding to a high-profile review of the quality and effectiveness of audit commissioned by the UK government and conducted by Sir Donald Brydon, former chair of the London Stock Exchange Group. The failure of businesses such as facilities management and construction giant Carillion in 2018, as well as concerns about lack of competition between the ‘big four’ UK audit firms, prompted the launch of the review last year.
As it published the paper in July, the company conceded there was a case for change in a number of areas, including company reporting. “A more fundamental review of the entire corporate reporting system is required to ensure stakeholders can have confidence in the information they need,” said Hemione Hudson, head of audit at PwC UK.
Of course, the review will consider the bigger picture such as the interplay between the limitations to auditor liability, the requirements of accounts users and the legal responsibilities of company directors. Within this relationship, whose frontiers could be redrawn, there are grey areas that can be exploited.
But among its considerations is also an increase in the scope of the audit itself and its content – not all of which the audit needs to be liable for. Critics of the current system contend that restrictions to information audited – rather than the quality of the audit of information published – are a key cause of stakeholder ignorance before companies collapse. Disclosures on management judgements of materiality are a case in point.
“The opinion expressed by the auditor only relates to material issues. Directors can quantify materiality in minimum monetary terms that can be discussed with the auditor, who may disagree. However, such negotiations and decisions are not disclosed,” says Collins Ntim, professor of accounting at Southampton University. Hence, a series of individual transactions below the minimum can escape audit inquiry. “This provides the auditor with a route for avoiding penalties,” he says.
Judgements on operational and financial risk are similarly unverified, although they may be mentioned in the annual report’s commentary. “Risk reporting is outside the scope of the financial audit,” explains John Boulton, technical strategy manager at the Institute of Chartered Accountants of England and Wales (ICAEW).
While external auditors check whether risk management processes exist, internal auditors verify the areas of risk defined by directors. It is not obligatory to publish information about these considerations, nor about concerns about risk controls, which may also be influenced by conflicts of interest between the two different auditing firms “A significant issue to consider in terms of material risk is the responsibility of the internal auditor, who ensures that the company is properly managed,” says Ntim.
Large businesses, especially in the financial services sector, have a well-developed internal audit function playing a key role in providing assurance on the design and operation of the organisation’s internal controls over financial reporting to boards and management. These controls often relate to issues such as information security, operational and financial risks such as company loans that could default.
According to Natasha Landell-Mills, head of stewardship at specialist asset manager Sarasin & Partners, inadequate explanations on risk are a key area of ambiguity, leading to a disconnect between the risk disclosures and accounts. This discrepancy may be exacerbated by current restrictions to the scope of the external audit. Decarbonisation risks experienced by oil and gas companies are an example of risk not usually reflected in the financial statements.
“We often see decarbonisation identified as a key risk. However, there is often very limited commentary on how this risk has been taken into account in drawing up the financial statement. The most obvious way in which it could impact companies’ balance sheets is through their valuation of key assets,” Landell-Mills says.
Equally, she urges for the publication of risk related to potential litigation or regulatory issues within the financial accounts in monetised form under the provisions section, for example.
But, as Boulton explains, the requirement to convert risk assessments into financial data is still not mandatory. “Understanding risk is at the heart of the audit, and all the numbers in the financial statements are affected by the current risk the company is exposed to. But the management reporting on that risk is outside the scope of the audit,” he says.
In response to some of these concerns, which have all been raised in the Brydon consultation, PWC suggested further information on internal controls be published and audited. More insight was needed about the material uncertainties facing a company, it said.
“A significant issue to consider in terms of material risk is the responsibility of the internal auditor, who ensures that the company is properly managed” - Collins Ntim
“We could enhance the reporting and auditing of a company’s internal controls by requiring an attestation from directors of the design and effectiveness of a company’s internal controls, and a corresponding attestation on internal control from the auditor for larger companies,” says Hudson.
The audit firm also proposes the publication of an assurance map to help build confidence in the company’s management. This would ensure that all sources of assurance over a company’s main risks, whether financial or not, are considered. Auditors would be responsible for determining the level and type of assurance needed by their company’s stakeholders, and to present it to them and discuss it at the beginning of the reporting cycle. This would stimulate a discussion among the senior management of the business about the needs of the company’s stakeholders.
Although the review will examine audit, it will not consider another concern to many accounts users – the mould set by the financial standards. Since these seek to provide a neutral view of the business’s economic position at a point in time, they are unlikely to contain a future-looking view of risk but contain data concerned with historic transactions.
The review is likely to take into account alleged conflicts of interest within the auditing profession, however. Mutual self-interest between external and internal auditors, and the provision of a diverse range of services for the same company (such as tax advice and consultancy as well as auditing) have all been raised as warning signs indicating a lack of competition.
Questions have been raised also as to whether auditor liability should be increased. Hence, the reaction from the audit firms shows a readiness to give up more professional confidentiality and devise more innovative narrative. “It is possible to develop reporting that helps the investor to see market trends and react to them more quickly,” says Boulton.