icas regulatory monitoring lesley byrne,...
TRANSCRIPT
© Copyright ICAS 2011
ICAS Regulatory Monitoring
Lesley Byrne, Director
Worldbank Centre for Financial Reporting
Reform
REPARIS programme
© Copyright ICAS 2011
Contents of Presentation
• ICAS Audit Monitoring Visit Process
Standard visits
Sanctions
Interaction with FRC
Listed (Public Interest Entity (PIE)) audit visits
• Common themes
• Setting up a quality assurance programme
© Copyright ICAS 2011
UK regime: quick recap
• Every audit firm must be registered with a
Recognised Supervisory Body (e.g. ICAS)
• Only Responsible Individuals (audit engagement
partners) approved by ICAS can sign audit
reports
• Each audit firm pays an annual audit fee (based
on no. partners, offices, PIE audits)
• Required to comply with Audit Regulations
• Originally 1000+ ICAS audit firms – with audit
exemption now at 225
© Copyright ICAS 2011
Visit Process – Visit Selection
• Visit selection:
• EU Directive requirements:
Firms auditing PIEs – at least once every 3 years
Firms auditing other audits – at least once every 6 years
• Time until next visit (poor performance -shortened
cycle)
• Firms Annual Return:
Form (Handout 1)
Risk database/risk report (Handout 2)
Desk top monitoring
• Follow up (paid)
• Requested (eg investigations, market intelligence)
© Copyright ICAS 2011
ICAS Audit Monitoring
• Audit Monitoring team - ICAS Chartered
Accountants and experienced auditors
• Significant training programme, independent and
fit and proper
• We report to Audit Registration Committee (ARC)
(public interest members and auditors)
© Copyright ICAS 2011
Visit Process – Notification
• Resource scheduling (3 months in advance)
• Budget times
• 6-8 weeks notice
• Notification letter, documents and records list
(Handout 3), visit booklet
• Audit client listed one month before visit
• Planning information to Reviewer one month
before
© Copyright ICAS 2011
Visit Process – Pre Visit Planning
• Review pre visit information to obtain
understanding of (a) firm (b) risks
• This includes:
Review client list – possible internet search
Companies search by auditor (Bureau van Dijk
www.bvdep.com) FAME
Firms Annual Return/risk report
Previous visit report and correspondence from then to
now (e.g. changes in firm, submissions since last visit)
• Pre visit call
© Copyright ICAS 2011
Visit Process – On site initial meeting
Opening Meeting:
•Standard opening meeting agenda (Handout 4)
tailored after pre visit planning
•Meet with Audit Compliance Partner/others to:
Understand firm’s audit practice; audit clients, policies
and procedures;
Identify risks
Ethics discussion:
•Discuss ethical compliance with firm
•Includes discussion on key risks (Handout 5)
•Reflects Ethical Standards (based on IFAC code)
© Copyright ICAS 2011
Visit Process – Post Meeting Planning
• Template (Handout 6)
• Update risk analysis after opening meeting
• Risk based approach to file selection e.g. Cover all RIs - cover off concerns (eg competence,
portfolio size)
Specialist/regulated audits
Large/complex audits
Audit report qualifications etc.
• Minimum of 2 files per visit
• Some full and some restricted reviews
© Copyright ICAS 2011
Visit Process – File reviews
• Credibility review of accounts – identifies
significant audit areas, accounting treatment
issues (Handout 7)
• File review (Handout 8):
Looking for documented audit evidence in support of
audit opinion – key assertions being audited
Looking for compliance with International Standards on
Auditing, Audit Regulations, Ethical Standards etc.
Looking for accounts disclosure compliance
Review documentation of significant auditor judgement
© Copyright ICAS 2011
Visit Process – File reviews
• Raise review points (Handout 9)
• Firm given time to respond & discuss
• Re-visit credibility review
• Consider what areas are not compliant (breach)
and what are ‘needs improvement’
• Underlying causes (e.g. procedures,
competence, RI review etc)
• *NEW* grade each file
© Copyright ICAS 2011
Grade Description Guidance
1 Satisfactory No concerns regarding the sufficiency and quality of audit evidence or the appropriateness of significant audit judgments in the areas reviewed.
Only limited weaknesses in documentation of audit work. AND
Any concerns in other areas are limited in nature (both individually and collectively).
2A Generally acceptable but a small number of improvements required
Only limited concerns regarding the sufficiency or quality of audit evidence or the appropriateness of significant audit judgments in the areas reviewed. AND/OR
Weaknesses in documentation of audit work are restricted to a small number of areas AND/OR
Some concerns, assessed as less than significant (individually and collectively), in other areas.
2B Some improvement required
Some concerns, assessed as less than significant, regarding the sufficiency or quality of audit evidence or the appropriateness of significant audit judgments in the areas reviewed. AND/OR
More widespread weaknesses in documentation of audit work. AND/OR
Significant concerns in other areas (individually or collectively).
3 Significant improvements required
Significant concerns regarding the sufficiency or quality of audit evidence or the appropriateness of significant audit judgments in the areas reviewed (not limited to the documentation of the underlying thought processes). AND/OR
Very significant concerns in other areas (individually or collectively).
© Copyright ICAS 2011
Visit Process – Firm Wide (ISQC1)
• Independence, fit and proper, confidentiality
procedures (e.g. declarations safeguards)
• Training/CPD;
• Firm’s manuals/templates
• Professional indemnity insurance
• Money laundering procedures
• Review of appraisal/HR process
• Review of consultation process/differences of
opinion
(Handout 10)
© Copyright ICAS 2011
Visit Process – Audit Compliance
Review
• Called ‘Monitoring’ in ISQC1
• We place emphasis on this – self diagnosis
• Will review this year and previous year reviews
• Whole firm review – consistent with our findings?
• Cold file reviews – consistent with file findings?
• Timely follow up action?
• Report on effectiveness
© Copyright ICAS 2011
Visit Process – Closing Meeting
• Handout 11
• Pull together all findings of visit into a report –
done on-site on last day of visit
• Conclude on compliance with ISAs/Audit
Regulations
• Balanced, includes positive points
• Identify underlying causes of problems
• Discuss with firm
• Firm given 14 days for formal responses
© Copyright ICAS 2011
Visit Process – Visit Report
• Grading of outcome based on:
Extent of findings
Firm’s responses
Assessment of ability/commitment
• Format of report depends on grading:
A-C: short summary of proposed grading/action
(Handout 12)- internal document
D: long form report to firm for comment (Handout 13)
• Time to next visit determined
© Copyright ICAS 2011
Grade Suitable when ARC action Examples of follow up action
A No breaches • Cleared by Chair • For noting only –
letter sent to confirm end of visit
No follow up action
B Some breaches but firm’s action plan appropriate
• Cleared by Chair • For noting only –
letter sent to confirm end of visit
No follow up action
C Breaches more serious – confirmation needed of improvement (C1: systemic C2: non systemic)
• Nominated to committee member
• Decide whether agree with proposed action
• Request submission of follow up action.
• Assess when submitted
• CPD records to evidence training
• Cold file reviews • Procedures
purchased • Procedures
implemented
© Copyright ICAS 2011
Grade Suitable when
ARC action Examples of follow up action
D The most serious issues e.g. repeat serious breaches; integrity or ethics issues; lack of commitment D1/D2: minded to withdraw D3: continue with stringent conditions/ restrictions
• Full report to firm for formal response and consider any further actions
• Full review by Committee
• Decide whether to withdraw or continue
Example conditions: •ACR •Cold file reviews •Hot file reviews •CPD •Procedures Example restrictions: •No new audits •No specialist audits •If continue – restrictions and conditions •Financial penalties/referral to Investigations •If withdraw – inform firm. Default publicity. Most firms request hearing.
© Copyright ICAS 2011
Audit Registration Committee (ARC)
• ARC meet every two months.
• Powers include:
Accept/reject audit licence RI applications
Withdraw/suspend audit registration
Consider monitoring reports
Require information
Impose sanctions: conditions and restrictions
Impose regulatory penalties (eg repeat issues, ethics)
Refer for disciplinary action
• Independent appeal process
© Copyright ICAS 2011
Sanctions
• ICAS prefers ‘educational’ approach to prevent
repeat offences
• However this approach still costs the firm:
• Cost of cold file review approx. £300-£400 approx. (to
ICAS, training provider or another firm);
• Cost of full Audit Compliance Review £1,000 approx.
(whole firm review and 2 cold file reviews – as above);
• Hot file review: £500 approx. (as above)
• CPD training (cost per course £100-£200 – any training
provider)
• Follow up visit by ICAS (£1,000 a day)
• Procedures eg £300 per annum
• Withdrawal (with publicity)/restriction – hurts
financially/reputation
© Copyright ICAS 2011
Financial Sanctions
• In more serious cases - ethics, integrity, serious
repeat issues, failure to comply with committee
decisions, audit opinions without audit work,
failing to cooperate etc
• Based on (a) seriousness of findings (b) extent of
mitigating/aggravating circumstances
• Small number of penalty decisions made by ARC
– only starting to raise penalties now after series
of visits
• Withdrawal – default publicity
© Copyright ICAS 2011
Recent ARC sanctions
Reason for Regulatory Penalty Action Failure to submit cold file reviews of audits as directed by ARC
Consent Order issued with £750 fine
Failure to submit 2 hot file reviews, an audit compliance review, accounts disclosure procedures and training to ARC.
Consent Order issued with £250 fine
An audit opinion was signed by the Audit Compliance Partner without having undertaken the appropriate acceptance procedure and without performing audit work to support the opinion given
Consent Order issued with £1,000 fine
The Firm had a principal who is not a member and has not applied for Affiliate status- firm ineligible
Consent Order issued with £1,000 fine
© Copyright ICAS 2011
Recent Investigations Sanctions
• 2: order of reprimand with financial
Offence Sanction
Audit reports when not a ‘Responsible Individual’:
Order for severe reprimand (with financial penalties around £5-10k) and exclusion of membership
Failing to take proper account of audit independence issues
Order of severe reprimand and financial penalty £5-10k.
Failing to advise a client that an audit was required:
Warning/admonishment with a low-level fine (around £1-2k).
Failing to conduct sufficient work to justify audit conclusions:
This led to an exclusion from Membership (although there were aggravating factors).
© Copyright ICAS 2011
Investigations considerations
• Findings are more serious where there is
misconduct, rather than simple incompetence.
• If it is a technical error in audit work then if
unintentional and no financial benefit:
reprimand, with
a low-ish financial penalty.
• The Committee/Tribunals take a dim view of
anything that casts doubt on integrity: e.g. ethical,
Member has unduly profited:
• High end penalty;
• Possible exclusion from membership.
© Copyright ICAS 2011
Investigations considerations
• The most common aggravating factor is a failure
to respond to ICAS correspondence in
connection with an investigation.
• All decisions – publicity default
• Common sanctions guidance – considering
• However ICAS has only small no. of audit
complaints/small population
© Copyright ICAS 2011
Visit process - Internal Quality Control
• All visit files and reports reviewed before sent to
ARC
• Review points raised and reviewers must clear
and amend reports
• Reviewers given targets to ensure:
Quick turnaround of reports
Balanced reports and appropriate gradings given
This is monitored and part of ongoing training
• Stats kept on Audit Visit Summary (Handout 14)
© Copyright ICAS 2011
Financial Reporting Council UK:
Oversight Function • Annual stats to FRC every year (March)
• Annual inspection visit – targeted review of
aspects of RSB function
• Reviews ICAS procedures/policies
• Review completed monitoring visits &
accompanied visits
• Discuss findings and agree recommendations
• Issue report
• Power to sanction
© Copyright ICAS 2011
Interaction with FRC on PIE firm visits
Big four/mid teir firms:
•FRC: lead, review firm wide, Audit Compliance
Review (monitoring) and PIE audits
•ICAS: review residual audit client population/ RIs
•Start of visit: ICAS send FRC visit planning memo
•End of visit: ICAS will issue draft report to FRC
•FRC and ICAS will liaise throughout visit on issues
•FRC report goes to ICAS ARC in conjunction with
ICAS report
© Copyright ICAS 2011
Interaction with FRC on PIE firm visits
Other firms:
• Previously: ICAS led visit, FRC conducted review
of at least one PIE audit
• Now:
for all firms with 10 or less PIE audits, ICAS solely will
conduct the visit including a review of PIE audits
FRC will review ICAS work on firm wide procedures, all
PIE audit file reviews, and the draft report
© Copyright ICAS 2011
Visit Process - PIE firm visits
• Liaise with the FRC
• Hold a planning meeting in advance of visit
(Handout 4A)
• Prepare an Audit Visit Planning Memorandum
(Handout 6A)
• More detailed firm wide checklist
• Developing and testing a more detailed file
review checklist
• Work reviewed by FRC
• Full report to Committee (similar style to D report)
© Copyright ICAS 2011
Key Themes
Annual Report (Handout 15) key underlying causes:
• Professional scepticism: challenging
management assertions
• Fee pressures: cutting corners (insufficient time
for planning misdirected audit work)
• Specialist audits: cutting corners – lack of
specialist procedures
• Over-reliance on accounts preparation
• Lack of awareness of clarified ISA requirements –
due to lack of training
• Ineffective cold file reviews
© Copyright ICAS 2011
Key Themes
• Under-declaring audits
• Less face to face training
• Inconsistent standards: Firms operating as sole practitioners – no cohesion
Ineffective ACP
RI issues (too many audits/age/too few
audits/competence)
Small clients not given same attention/procedures
Very busy audit times
Satellite/rogue offices
© Copyright ICAS 2011
Common issues
• Planning:
Engagement terms – not issued/out of date
Revenue recognition not identified as significant fraud
risks or not rebutted
Management override not identified as significant fraud
risk and no procedures designed to address
Client/team fraud discussions not taking place/recorded
No assessment of design/implementation of controls
Performance materiality not set
© Copyright ICAS 2011
Common issues
• Fieldwork:
Documentation (90% of files)
Management expert – independence/objectivity &
assessment of evidence
Evidence issues: accounting treatment;
ownership/existence of TFA; bank confirmations;
recoverability of debtors; profit and loss
Laws and regulations – lack of sufficient audit work
• Completion:
2 way communication with those charged with
governance: significant findings; key areas of
judgement; unadjusted errors
© Copyright ICAS 2011
Key Themes
• Completion: • Subsequent events: lack of documented consideration
and lack of evidence up to point of signing audit report
• Going Concern - : not considering and recording key factors material in the
going concern assessment;
that assessments cover 12 months from the date of the
audit report; and
not challenging assumptions made by management in
forecasts and projections.
© Copyright ICAS 2011
How we support our firms
FRC have required audit quality initiatives
Audit Monitoring:
•Mandatory audit course
•Quarterly Audit News
•Helpsheets
Practice Support (commercial):
•Procedures/manual
•Cold file reviews
More information available on our website
© Copyright ICAS 2011
Setting up a Quality Assurance
Programme
Initial need:
•Application process (Firms, RIs, affiliates??)
•Fee setting
•Need Regulations/Rules and Committee/decision
making process. ICAS:
http://icas.org.uk/home/regulation-and-ethics/audit-
regulation/audit-registration/
•Support for firms by body or externally:
• Commercial procedures readily available
• Training courses available
• Information on what to expect
© Copyright ICAS 2011
Setting up Quality Assurance
Programme
• Set up monitoring methodology
• Recruitment/training
• Cyclical approach
• Focus: audit procedures/CPD/cold file review
reperformance
• Poorer performance – follow up action?
Longer Term:
• Annual Returns
• Risk based visit selection
• Support and audit quality initiatives
© Copyright ICAS 2011
And finally…..
• Any Questions?
• ICAS Audit Monitoring section of website:
http://icas.org.uk/Audit_Monitoring.aspx
THANK YOU