icas regulatory monitoring lesley byrne,...

© Copyright ICAS 2011

ICAS Regulatory Monitoring

Lesley Byrne, Director

Worldbank Centre for Financial Reporting

Reform

REPARIS programme


Contents of Presentation

• ICAS Audit Monitoring Visit Process

Standard visits

Sanctions

Interaction with FRC

Listed (Public Interest Entity (PIE)) audit visits

• Common themes

• Setting up a quality assurance programme


UK regime: quick recap

• Every audit firm must be registered with a

Recognised Supervisory Body (e.g. ICAS)

• Only Responsible Individuals (audit engagement

partners) approved by ICAS can sign audit

reports

• Each audit firm pays an annual audit fee (based

on no. partners, offices, PIE audits)

• Required to comply with Audit Regulations

• Originally 1000+ ICAS audit firms – with audit

exemption now at 225


Visit Process – Visit Selection

• Visit selection:

• EU Directive requirements:

Firms auditing PIEs – at least once every 3 years

Firms auditing other audits – at least once every 6 years

• Time until next visit (poor performance -shortened

cycle)

• Firms Annual Return:

Form (Handout 1)

Risk database/risk report (Handout 2)

Desk top monitoring

• Follow up (paid)

• Requested (eg investigations, market intelligence)


ICAS Audit Monitoring

• Audit Monitoring team - ICAS Chartered

Accountants and experienced auditors

• Significant training programme, independent and

fit and proper

• We report to Audit Registration Committee (ARC)

(public interest members and auditors)


Visit Process – Notification

• Resource scheduling (3 months in advance)

• Budget times

• 6-8 weeks notice

• Notification letter, documents and records list

(Handout 3), visit booklet

• Audit client listed one month before visit

• Planning information to Reviewer one month

before


Visit Process – Pre Visit Planning

• Review pre visit information to obtain

understanding of (a) firm (b) risks

• This includes:

Review client list – possible internet search

Companies search by auditor (Bureau van Dijk

www.bvdep.com) FAME

Firms Annual Return/risk report

Previous visit report and correspondence from then to

now (e.g. changes in firm, submissions since last visit)

• Pre visit call

http://www.bvdep.com/


Visit Process – On site initial meeting

Opening Meeting:

•Standard opening meeting agenda (Handout 4)

tailored after pre visit planning

•Meet with Audit Compliance Partner/others to:

Understand firm’s audit practice; audit clients, policies

and procedures;

Identify risks

Ethics discussion:

•Discuss ethical compliance with firm

•Includes discussion on key risks (Handout 5)

•Reflects Ethical Standards (based on IFAC code)


Visit Process – Post Meeting Planning

• Template (Handout 6)

• Update risk analysis after opening meeting

• Risk based approach to file selection e.g. Cover all RIs - cover off concerns (eg competence,

portfolio size)

Specialist/regulated audits

Large/complex audits

Audit report qualifications etc.

• Minimum of 2 files per visit

• Some full and some restricted reviews


Visit Process – File reviews

• Credibility review of accounts – identifies

significant audit areas, accounting treatment

issues (Handout 7)

• File review (Handout 8):

Looking for documented audit evidence in support of

audit opinion – key assertions being audited

Looking for compliance with International Standards on

Auditing, Audit Regulations, Ethical Standards etc.

Looking for accounts disclosure compliance

Review documentation of significant auditor judgement


Visit Process – File reviews

• Raise review points (Handout 9)

• Firm given time to respond & discuss

• Re-visit credibility review

• Consider what areas are not compliant (breach)

and what are ‘needs improvement’

• Underlying causes (e.g. procedures,

competence, RI review etc)

• *NEW* grade each file


Grade Description Guidance

1 Satisfactory No concerns regarding the sufficiency and quality of audit evidence or the appropriateness of significant audit judgments in the areas reviewed.

Only limited weaknesses in documentation of audit work. AND

Any concerns in other areas are limited in nature (both individually and collectively).

2A Generally acceptable but a small number of improvements required

Only limited concerns regarding the sufficiency or quality of audit evidence or the appropriateness of significant audit judgments in the areas reviewed. AND/OR

Weaknesses in documentation of audit work are restricted to a small number of areas AND/OR

Some concerns, assessed as less than significant (individually and collectively), in other areas.

2B Some improvement required

Some concerns, assessed as less than significant, regarding the sufficiency or quality of audit evidence or the appropriateness of significant audit judgments in the areas reviewed. AND/OR

More widespread weaknesses in documentation of audit work. AND/OR

Significant concerns in other areas (individually or collectively).

3 Significant improvements required

Significant concerns regarding the sufficiency or quality of audit evidence or the appropriateness of significant audit judgments in the areas reviewed (not limited to the documentation of the underlying thought processes). AND/OR

Very significant concerns in other areas (individually or collectively).


Visit Process – Firm Wide (ISQC1)

• Independence, fit and proper, confidentiality

procedures (e.g. declarations safeguards)

• Training/CPD;

• Firm’s manuals/templates

• Professional indemnity insurance

• Money laundering procedures

• Review of appraisal/HR process

• Review of consultation process/differences of

opinion

(Handout 10)


Visit Process – Audit Compliance

Review

• Called ‘Monitoring’ in ISQC1

• We place emphasis on this – self diagnosis

• Will review this year and previous year reviews

• Whole firm review – consistent with our findings?

• Cold file reviews – consistent with file findings?

• Timely follow up action?

• Report on effectiveness


Visit Process – Closing Meeting

• Handout 11

• Pull together all findings of visit into a report –

done on-site on last day of visit

• Conclude on compliance with ISAs/Audit

Regulations

• Balanced, includes positive points

• Identify underlying causes of problems

• Discuss with firm

• Firm given 14 days for formal responses


Visit Process – Visit Report

• Grading of outcome based on:

Extent of findings

Firm’s responses

Assessment of ability/commitment

• Format of report depends on grading:

A-C: short summary of proposed grading/action

(Handout 12)- internal document

D: long form report to firm for comment (Handout 13)

• Time to next visit determined


Grade Suitable when ARC action Examples of follow up action

A No breaches • Cleared by Chair • For noting only –

letter sent to confirm end of visit

No follow up action

B Some breaches but firm’s action plan appropriate

• Cleared by Chair • For noting only –

letter sent to confirm end of visit

No follow up action

C Breaches more serious – confirmation needed of improvement (C1: systemic C2: non systemic)

• Nominated to committee member

• Decide whether agree with proposed action

• Request submission of follow up action.

• Assess when submitted

• CPD records to evidence training

• Cold file reviews • Procedures

purchased • Procedures

implemented


Grade Suitable when

ARC action Examples of follow up action

D The most serious issues e.g. repeat serious breaches; integrity or ethics issues; lack of commitment D1/D2: minded to withdraw D3: continue with stringent conditions/ restrictions

• Full report to firm for formal response and consider any further actions

• Full review by Committee

• Decide whether to withdraw or continue

Example conditions: •ACR •Cold file reviews •Hot file reviews •CPD •Procedures Example restrictions: •No new audits •No specialist audits •If continue – restrictions and conditions •Financial penalties/referral to Investigations •If withdraw – inform firm. Default publicity. Most firms request hearing.


Audit Registration Committee (ARC)

• ARC meet every two months.

• Powers include:

Accept/reject audit licence RI applications

Withdraw/suspend audit registration

Consider monitoring reports

Require information

Impose sanctions: conditions and restrictions

Impose regulatory penalties (eg repeat issues, ethics)

Refer for disciplinary action

• Independent appeal process


Sanctions

• ICAS prefers ‘educational’ approach to prevent

repeat offences

• However this approach still costs the firm:

• Cost of cold file review approx. £300-£400 approx. (to

ICAS, training provider or another firm);

• Cost of full Audit Compliance Review £1,000 approx.

(whole firm review and 2 cold file reviews – as above);

• Hot file review: £500 approx. (as above)

• CPD training (cost per course £100-£200 – any training

provider)

• Follow up visit by ICAS (£1,000 a day)

• Procedures eg £300 per annum

• Withdrawal (with publicity)/restriction – hurts

financially/reputation


Financial Sanctions

• In more serious cases - ethics, integrity, serious

repeat issues, failure to comply with committee

decisions, audit opinions without audit work,

failing to cooperate etc

• Based on (a) seriousness of findings (b) extent of

mitigating/aggravating circumstances

• Small number of penalty decisions made by ARC

– only starting to raise penalties now after series

of visits

• Withdrawal – default publicity


Recent ARC sanctions

Reason for Regulatory Penalty Action Failure to submit cold file reviews of audits as directed by ARC

Consent Order issued with £750 fine

Failure to submit 2 hot file reviews, an audit compliance review, accounts disclosure procedures and training to ARC.

Consent Order issued with £250 fine

An audit opinion was signed by the Audit Compliance Partner without having undertaken the appropriate acceptance procedure and without performing audit work to support the opinion given

Consent Order issued with £1,000 fine

The Firm had a principal who is not a member and has not applied for Affiliate status- firm ineligible

Consent Order issued with £1,000 fine


Recent Investigations Sanctions

• 2: order of reprimand with financial

Offence Sanction

Audit reports when not a ‘Responsible Individual’:

Order for severe reprimand (with financial penalties around £5-10k) and exclusion of membership

Failing to take proper account of audit independence issues

Order of severe reprimand and financial penalty £5-10k.

Failing to advise a client that an audit was required:

Warning/admonishment with a low-level fine (around £1-2k).

Failing to conduct sufficient work to justify audit conclusions:

This led to an exclusion from Membership (although there were aggravating factors).


Investigations considerations

• Findings are more serious where there is

misconduct, rather than simple incompetence.

• If it is a technical error in audit work then if

unintentional and no financial benefit:

reprimand, with

a low-ish financial penalty.

• The Committee/Tribunals take a dim view of

anything that casts doubt on integrity: e.g. ethical,

Member has unduly profited:

• High end penalty;

• Possible exclusion from membership.


Investigations considerations

• The most common aggravating factor is a failure

to respond to ICAS correspondence in

connection with an investigation.

• All decisions – publicity default

• Common sanctions guidance – considering

• However ICAS has only small no. of audit

complaints/small population


Visit process - Internal Quality Control

• All visit files and reports reviewed before sent to

ARC

• Review points raised and reviewers must clear

and amend reports

• Reviewers given targets to ensure:

Quick turnaround of reports

Balanced reports and appropriate gradings given

This is monitored and part of ongoing training

• Stats kept on Audit Visit Summary (Handout 14)


Financial Reporting Council UK:

Oversight Function • Annual stats to FRC every year (March)

• Annual inspection visit – targeted review of

aspects of RSB function

• Reviews ICAS procedures/policies

• Review completed monitoring visits &

accompanied visits

• Discuss findings and agree recommendations

• Issue report

• Power to sanction


Interaction with FRC on PIE firm visits

Big four/mid teir firms:

•FRC: lead, review firm wide, Audit Compliance

Review (monitoring) and PIE audits

•ICAS: review residual audit client population/ RIs

•Start of visit: ICAS send FRC visit planning memo

•End of visit: ICAS will issue draft report to FRC

•FRC and ICAS will liaise throughout visit on issues

•FRC report goes to ICAS ARC in conjunction with

ICAS report


Interaction with FRC on PIE firm visits

Other firms:

• Previously: ICAS led visit, FRC conducted review

of at least one PIE audit

• Now:

for all firms with 10 or less PIE audits, ICAS solely will

conduct the visit including a review of PIE audits

FRC will review ICAS work on firm wide procedures, all

PIE audit file reviews, and the draft report


Visit Process - PIE firm visits

• Liaise with the FRC

• Hold a planning meeting in advance of visit

(Handout 4A)

• Prepare an Audit Visit Planning Memorandum

(Handout 6A)

• More detailed firm wide checklist

• Developing and testing a more detailed file

review checklist

• Work reviewed by FRC

• Full report to Committee (similar style to D report)


Key Themes

Annual Report (Handout 15) key underlying causes:

• Professional scepticism: challenging

management assertions

• Fee pressures: cutting corners (insufficient time

for planning misdirected audit work)

• Specialist audits: cutting corners – lack of

specialist procedures

• Over-reliance on accounts preparation

• Lack of awareness of clarified ISA requirements –

due to lack of training

• Ineffective cold file reviews


Key Themes

• Under-declaring audits

• Less face to face training

• Inconsistent standards: Firms operating as sole practitioners – no cohesion

Ineffective ACP

RI issues (too many audits/age/too few

audits/competence)

Small clients not given same attention/procedures

Very busy audit times

Satellite/rogue offices


Common issues

• Planning:

Engagement terms – not issued/out of date

Revenue recognition not identified as significant fraud

risks or not rebutted

Management override not identified as significant fraud

risk and no procedures designed to address

Client/team fraud discussions not taking place/recorded

No assessment of design/implementation of controls

Performance materiality not set


Common issues

• Fieldwork:

Documentation (90% of files)

Management expert – independence/objectivity &

assessment of evidence

Evidence issues: accounting treatment;

ownership/existence of TFA; bank confirmations;

recoverability of debtors; profit and loss

Laws and regulations – lack of sufficient audit work

• Completion:

2 way communication with those charged with

governance: significant findings; key areas of

judgement; unadjusted errors


Key Themes

• Completion: • Subsequent events: lack of documented consideration

and lack of evidence up to point of signing audit report

• Going Concern - : not considering and recording key factors material in the

going concern assessment;

that assessments cover 12 months from the date of the

audit report; and

not challenging assumptions made by management in

forecasts and projections.


How we support our firms

FRC have required audit quality initiatives

Audit Monitoring:

•Mandatory audit course

•Quarterly Audit News

•Helpsheets

Practice Support (commercial):

•Procedures/manual

•Cold file reviews

More information available on our website


Setting up a Quality Assurance

Programme

Initial need:

•Application process (Firms, RIs, affiliates??)

•Fee setting

•Need Regulations/Rules and Committee/decision

making process. ICAS:

http://icas.org.uk/home/regulation-and-ethics/audit-

regulation/audit-registration/

•Support for firms by body or externally:

• Commercial procedures readily available

• Training courses available

• Information on what to expect

http://icas.org.uk/home/regulation-and-ethics/audit-regulation/audit-registration/










Setting up Quality Assurance

Programme

• Set up monitoring methodology

• Recruitment/training

• Cyclical approach

• Focus: audit procedures/CPD/cold file review

reperformance

• Poorer performance – follow up action?

Longer Term:

• Annual Returns

• Risk based visit selection

• Support and audit quality initiatives


And finally…..

• Any Questions?

• ICAS Audit Monitoring section of website:

http://icas.org.uk/Audit_Monitoring.aspx

THANK YOU

http://icas.org.uk/Audit_Monitoring.aspx

icas regulatory monitoring lesley byrne,...

Documents