THE VALUE AND FUTURE OF AUDIT

LIM JU MAY and WANG ZHUMEI

STAKEHOLDERS SHARE THEIR PERSPECTIVES

Recent high-profile corporate failures in the UK, such as Carillion, BHS and Patisserie Valerie, have raised concerns about the audit industry, its role and quality, and whether it needs to evolve to meet the needs of stakeholders. The UK Business, Energy and Industrial Strategy Committee (BEIS) published a report, “The Future of Audit”, on its inquiries into these corporate failures, which had raised questions on competition, resilience, conflicts of interest, regulatory weakness and the nature of audit itself, all of which have contributed to a crisis of trust in the UK audit industry.

On 10 April 2019, the UK government called for views on the quality and effectiveness of audit (Brydon Review) alongside two ongoing reviews: one of the UK regulator, the Financial Reporting Council (FRC) (Kingman Review), and one by the Competition and Markets Authority (CMA) of the supply of statutory audit services in the UK. The Brydon Review is intended to take a fresh look at the existing purpose, scope and quality of audit, and at how far it can and should evolve to meet the needs of users and to serve the wider public interest.

The developments in the UK will have influence around the world where capital markets depend on robust and high-quality independent audits. Singapore, being a global financial centre, requires an effective audit industry to underpin confidence in the financial reporting by companies.

To obtain views from Singapore stakeholders, ISCA hosted a roundtable co-chaired by ISCA President Kon Yin Tong, and a Global Public Policy Committee¹ (GPPC) representative Julia Tay of EY. Similar roundtables were also held in other key markets. The Singapore roundtable, which took place on 28 May 2019, was attended by a diverse range of stakeholders including management, directors and audit committee members, auditors, investors, regulators and academics. The roundtable generated robust discussions, of which the key points are summarised here.

THERE IS STILL VALUE IN THE CURRENT AUDIT PRODUCT

Participants affirmed that the current audit product is valued. Audit reports are referred to as a starting point to draw high-level conclusions about companies, including any material misstatements in the financial statements. Investors also see the added value from Key Audit Matters (KAMs) that draw their attention to certain risk areas in the company.

However, participants commented that auditors are not communicating their value beyond the audit report. While audit committees are appreciative of the effort and rigour of audit work performed before a true and fair opinion can be rendered, investors are unable to perceive further value beyond the audit opinion.

Hence, participants suggested that even without any expansion in audit scope, audit reports could increase their communicative value by including an assessment of the effectiveness of internal controls, risks, early warning signs on going concern, compliance with the Corporate Governance Code (CG Code), and assessment of corporate culture, etc.

Investors also added that the communicative value of the audit report will be enhanced if it were accompanied by greater interaction between auditors and investors. If a company has issues, investors would want to hear from the auditors through platforms such as the annual general meetings.

Recognising the spectrum of stakeholders’ needs from an audit, there may inadvertently be a gap between what is expected from an audit, and what an audit actually does. Corporate failures tend to widen this gap when there is undue focus on what the auditors failed to do, vis-à-vis the role of other stakeholders in the corporate reporting ecosystem. Therefore, it is necessary to educate the market on what an audit is and is not, whether through better clarity in the audit report or through other means.

THE QUALITY OF FINANCIAL REPORTS IS A SHARED RESPONSIBILITY OF ALL ECOSYSTEM STAKEHOLDERS

High quality and transparent financial reports are fundamental to building trust in capital markets and in making investment decisions. Participants agreed that auditors are not the sole guardians of public interest and that a robust corporate reporting ecosystem is the shared responsibility of all stakeholders.

Although participants recognised this shared responsibility, they agreed that the accountability framework in the ecosystem is unbalanced and light on other stakeholders vis-à-vis auditors. In Singapore, if the CEO and CFO are not directors of the company, they are essentially unregulated under the Companies Act. Additionally, there are no regulations governing the minimum criteria and responsibilities of the CFO and preparers of financial statements, unlike in some jurisdictions where they are regulated by law and have personal liability.

The participants emphasised that the quality of financial reports is, first and foremost, the responsibility of management. Directors who are entrusted with the stewardship of the company are required to exercise their knowledge of the business and challenge management’s assumptions on judgemental accounting estimates and valuations. Auditors can provide observations and recommendations on the control environment through management letters. But, ultimately, the strength of internal controls stems from within the company and cannot be derived from an external audit, that is, quality and controls cannot be “audited into” the company.

The individual roles and responsibilities of stakeholders in the ecosystem may not have been sufficiently understood by the market. This may have resulted in auditors often being pushed into the spotlight and blamed when things go wrong. Therefore, participants agreed that greater communication to the market is needed to clarify individual roles, specifically the role of auditors in relation to management and other ecosystem stakeholders. The developments in the UK also served as a reminder that where there are gaps in the accountability of any stakeholder, self-reform to strengthen the corporate reporting ecosystem would be more desirable than regulatory intervention.

CONSIDERATIONS ON EXPANDING THE SCOPE AND PURPOSE OF AUDIT

Fraud

While auditors are not expected to purposefully sniff out all types of fraud, participants unanimously agreed that detecting material fraud in financial reporting is the responsibility of auditors. However, there still exists a misconception that auditors are responsible for detecting and reporting all fraud.

The baseline expectation of the market is that auditors exercise professional scepticism in the audit and report fraud or red flags within the confines of limitations inherent in the nature and complexities of fraud today. The sophistication of well-orchestrated fraud raised the question of auditors’ competence and their ability to detect such fraud without the involvement of forensic auditors, which would lead to additional costs.

There were strong views in favour of more timely reporting on financial reporting fraud by auditors. However, participants recognised that unlike management who are involved in the daily operations of the company, auditors are less likely to be able to detect fraud due to the frequency of the audit. This led to suggestions that with the advent of technology, continuous or real-time audits will increase the chance of detecting fraud and enable more timely reporting. Once again, this translates to additional costs.

Participants also pointed out that the auditing standards state that management and those charged with governance are primarily responsible for fraud prevention and detection. The participants viewed that management’s priorities and attitude towards fraud will, to a large extent, shape the organisation’s culture and emphasis placed on having effective internal controls in respect of fraud. Investment in well-defined systems will lead to costs, which should not be a deterrent as the costs of not detecting fraud would be higher for the company.

In general, there were no strong objections to an expanded role for auditors regarding fraud outside the financial statements. However, to prevent a widening expectation gap, participants expressed the need for the market to be educated should this be the direction of change. In particular, the market needs to understand that the auditors’ role will be to assess the effectiveness of the company’s fraud prevention and detection system, against an industry framework, rather than be the primary party responsible for detecting and preventing fraud.

While participants want more to be done, it was also recognised that any expanded scope, more timely reporting and involvement of forensic auditors will lead to higher audit fees and the need for liability caps. Hence, the call for change must go back to the basics of stakeholder needs and match the risk levels of the specific company.

Internal controls

Participants suggested that expanding the scope on internal controls may be a catalyst for companies to strengthen their internal controls. However, this may lead to high compliance costs, as was the case when US companies implemented requirements under the Sarbanes-Oxley Act (US SOX).

Participants generally felt that the auditor’s existing scope regarding internal controls over financial reporting (ICFR) was sufficient but lacked articulation to the market. The public may not be aware that a true and fair opinion can still be given when there are ICFR weaknesses due to mitigating factors and alternative procedures performed.

Instead of expanding the auditor’s scope, one of the suggestions was to improve communication by embedding in KAMs what the auditor has performed as part of the audit, the auditor’s assessment of the control environment, controls which the auditor had relied upon and those that the auditor could not rely on due to weaknesses or other reasons. Such transparency in the auditor’s reporting will also provide the market with insights into the companies’ tone at the top and company culture in respect of internal controls.

As companies increasingly go digital and use big data, there may be a need to expand the scope of internal controls beyond financial reporting to include assurance over IT-related matters. This comes with increased expectation of auditors’ competencies on IT systems and cybersecurity.

Going concern and forward-looking audits

The auditing standards require auditors to assess the appropriateness of management’s going concern basis of accounting and to highlight any material uncertainty about the company’s ability to continue as a going concern. An audit typically looks at historical information and highlights to the market any red flags about the ability of the company to continue operations in the next 12 months.

Stakeholders would like audits to provide early warning signs to avoid surprise corporate failures. However, as an audit takes time to complete, participants commented that by the time going concern issues are reported in the year-end audit report, it is already a foregone conclusion. Similarly, there were suggestions that future technology-enabled continuous or real-time audits could help to improve the timeliness of going concern red flags.

Participants indicated that there is a demand for forward-looking information but concluded that providing assurance over such information would be difficult. They questioned the ability of auditors to provide forward-looking assurance when such information is often “unauditable” and assurance would be difficult to provide without reliance on specialists or experts. The alternative to providing assurance would be to perform agreed-upon procedures, which then raised the question of whether such procedures would be valuable or useful to stakeholders.

The aforesaid should not cloud management’s role in the forecast process that forms the basis of going concern and forward-looking audits. Ultimately, it is management’s responsibility to provide reliable and accurate forecasts. Therefore, participants were of the view that management would be in a better position to disclose the inputs to the forecasts and the process involved, and for auditors to opine on the controls over the forecast process.

THE FUTURE OF AUDIT

In summary, participants affirmed that the current audit product is not broken. The communicative value of the audit product can be further enhanced with additional reporting, better understanding of the audit scope and increased interaction between auditors and stakeholders.

While there were no strong calls to expand the audit product beyond what it currently does, auditors need to be vigilant to the changing needs of users of financial statements, and innovatively evolve the audit product, its scope and the assurance levels required, to meet users’ needs.

Although it is easy to demand that auditors do more, participants concluded that any expansion of the audit product must be preceded by clear industry frameworks which set out the professional standards that auditors must meet, and the roles and responsibilities of all stakeholders in the corporate reporting ecosystem. Any scope expansion must also be accompanied by new competencies on the part of the auditor, and balanced accountability frameworks that bind all stakeholders of the corporate reporting ecosystem.

CONCLUDING THOUGHTS

The Brydon Review has been a positive challenge and will likely catalyse an improved audit product. However, this silver lining stands against a backdrop of heavy regulatory intervention that will not only impact the audit profession but also companies, audit committees and the UK regulator. In Singapore, we can take a more proactive approach of self-reform to strengthen the corporate reporting ecosystem and restore trust without costly regulatory intervention. Auditors and all stakeholders should step up and effectively discharge their roles and responsibilities to make Singapore a trusted capital market.


Lim Ju May is Deputy Director, and Wang Zhumei is Manager, Technical, ISCA.


1 The Global Public Policy Committee (GPPC) of the six largest international accounting networks comprises representatives of BDO, Deloitte, EY, Grant Thornton, KPMG and PwC, and focuses on public policy issues for the profession.