How will the new audit rules affect your firm?by
The Financial Reporting Council has updated the ethical standard for auditors. Julia Penny looks at what impact this will have on firms and the quality of audit.
The expected update to the ethical standard (ES) for auditors was issued by the Financial Reporting Council (FRC) on 15 January. The updated standard does three main things:
- simplifies the standard and adds clarity to areas that were causing issues for auditors and assurance providers
- incorporates the updates made to the International Ethics Standards Board for Accountants (IESBA) code
- adds a targeted restriction on fees from entities related by a single controlling party.
At the same time the FRC has issued guidance for auditors on the application of the objective, reasonable and informed third-party test (ORITP test), which many of the requirements in the ES are predicated on. The guidance is not prescriptive but highlights ways in which firms can ensure they take account of the ORITP, such as using panels of such individuals to give prospective or retrospective views on ethical decisions.
The consultation draft for the ES was issued in August 2023. The resulting feedback statement issued in January with the new standard, sets out the original objectives and a summary of the views of respondents. Let’s look at some of the key changes and their implications.
OEPIs and PIEs
One of the most noticeable points from the feedback statements is the universal desire of those responding to remove the other entity of public interest (OEPI) category. Many also wanted the new definition of a public interest entity (PIE) to be simpler and aligned between the various definitions within statute, the FRC ES and the IESBA code. The FRC commented that it cannot change the PIE definition, only government can do that, but it stated that it was highly likely that the FRC would amend or withdraw the OEPI category, once details of any new statutory definition for PIEs is known.
We can only hope for a future PIE definition that is understandable and workable. At present, working out if you are providing services to a PIE can often be tortuous and potentially lead to inadvertent, but significant, breaches of regulations and standards if you incorrectly conclude an entity is not a PIE. It is forever a source of frustration that regulations can be so opaque, and that following them becomes a minefield.
The standard has also been revised concerning the requirement for reporting breaches to the FRC. The ES now specifically requires the engagement and ethics partners to consider the perspective of an ORITP in making judgments on whether it is necessary to resign from an engagement or what safeguards are required. In the additional guidance issued on the ORITP test there is a discussion of the possible use of panels of relevant individuals to help test whether the conclusions of the audit and ethics partners properly meet the test. It is clear that firms will need to be careful to show how they have considered the ORITP test, rather than just treat it as something that could be considered in a court or during enforcement procedures.
Much to everyone’s relief, the original proposals to, in effect, treat all breaches not picked up by the firm’s systems as “not inadvertent” have been dropped. Instead, the previous requirement to use professional judgment to determine if a breach is inadvertent is retained. This seems only fair given that the definition of inadvertent is usually taken to be “not resulting from, or achieved through, deliberate planning”. It would have seemed unduly harsh to then say that a system not picking up on a breach is therefore deliberate action to breach the standard.
While the focus on the detailed description of what is inadvertent might seem pedantic, it is vitally important. An inadvertent breach is stated to not necessarily call into question the firm’s ability to give an audit or other public interest assurance opinion (see 1.25 of the ES). Conversely, it would seem therefore that a breach not classified as inadvertent would be almost certain to indicate the firm would be unable (from an ethics viewpoint) to provide the relevant audit or public interest assurance opinions.
Clarifications to additional requirements
A new paragraph (1.46) has been added that summarises where additional requirements relating to certain types of entity exist. Respondents to the consultation indicated that this was helpful, given the current minefield of requirements. The new paragraph sets out which additional requirements apply to the following entities:
- PIEs as defined in UK law
- listed entities only (including such entities that are PIEs, both as defined in UK law and in the definition of a PIE in the IESBA code)
- listed entities and PIEs, both as defined in UK law, and in the definition of a PIE in the IESBA code.
While the paragraph is helpful, it does highlight, given that there are between five and seven extra requirements for each of the above categories, how complex the underlying legal situation has become. It is easy to see that firms might breach the standards despite best efforts to comply, given the complexity. It is even easier to see the increased costs of compliance that such complexities give rise to. The FRC has been directed by government to include a focus on improving the competitiveness of UK plc and, while the FRC can do nothing about the PIE definition, surely the government should follow its own advice and ensure that definitions are simple (or as simple as possible) and aligned. This would reduce costs and help to prevent slight differences in requirements creating gaps down which the unwary can fall.
Partner and staff rotation
The wording and presentation have sought to combine the rules and the separately published FRC guidance, to make it easier to understand. There is also now a helpful table in paragraph 3.22 summarising the requirements as they apply to individual partners in various roles, for the different entity types.
One of the more substantive changes is the consideration of independence based on fees received by the firm. Previously the requirement stated that where the total fees for services from a public interest entity or other listed entity and its subsidiaries relevant to a recurring engagement by the firm exceeded 10%, the firm resigns or does not stand for reappointment. The new wording strengthens this by adding to the group concept, that if the fees are from a collection of entities with the same beneficial owner or controlling party (which is not a corporate entity) this also counts towards the 10%.
Arguably, given that the 2019 ES states that the overriding objective to ensure independence applies, as well as the specific rules, firms may already have taken such situations into account when deciding on their independence. Presumably the FRC found that this didn’t always happen and so have made the change to the requirements. This highlights the fact that a list of detailed rules, even where principles are supposed to be followed in addition to the rules, can often lead to an overly rules-based approach, leading to the need for more rules!
The change is perfectly logical though, as the fee limit is designed to protect the independence of the firm. If you are getting 10% or more from a particular client group, and issuing a qualified opinion could risk you losing such a large amount of fees, you might be more reluctant to do so. But if you have a collection of companies, all ultimately owned by the same individual, the risk is the same. If you issue a qualified opinion on one entity, you risk losing all of those related entities, even though they aren’t in the same corporate group.
The IESBA code is in some cases more stringent now, so amendments have been made to match the requirements and to address some findings in FRC inspections in relation to non-audit services. In summary, changes have been made to prohibit more IT services, tax services, recruitment and remuneration services and corporate finance services.
Financial interests of individuals
There is also a tightening up of what happens if there is a breach to the requirement not to have a financial interest (except as specified) in an entity relevant to an engagement. As well as disposing of (or part disposing of) the interest, and not being a covered person for that engagement, if the breach arose from a material prohibited financial interest or a prohibited transaction in a financial instrument, the individual is also excluded from any role that means they would be operating in the same office or business unit as the engagement partner if they themselves are not the engagement partner (see 2.9 and 2.10 for further information). This could mean that someone would need to change office or department, so it is even more important to ensure the requirements are not breached.
Audit cap and ESG assurance
While not addressed in the standard there are concerns about the 70% cap on non-audit fees for a PIE audit, particularly for existing or future ESG assurance work as it is currently not statutorily required from the auditor. The FRC has no power to change the definitions used in the cap, but it will report the concerns back to the Department for Business and Trade.
The new standard becomes effective on 15 December 2024, though firms may complete engagements relating to periods commencing before 15 December 2024, according to existing ethical standards.
Independence of firms
So what impact is this new standard going to have on firms and on the actual independence of firms?
Most significantly, there may be firms impacted by the new restriction concerning clients that have the same controlling party, even though they are not part of the same group of entities. The fee limits might be exceeded, meaning that the firm must resign, or they might be at a level below the need to resign, but requiring additional safeguards. This may genuinely improve independence in terms of fee reliance in some cases.
In addition to this change, there are some more minor changes in prohibited non-audit services and all firms will need to carefully reassess whether any of the changed requirements impact their ability to act. But the changes are not huge.
Firms will need to spend time carefully considering the changes, just in case they impact them and of course, policies, procedures and systems will all need changing. But will there be a big impact on the quality of audit? I suspect not. Being independent isn’t just about following rules and principles. It’s about truly understanding the nature of audit, noticing when something is going to impact independence or quality and doing something about that. Even if the something is resigning. It is about ethics, in its broadest sense, not just about a big list of (nonetheless vitally important) rules.
You might also be interested in
Julia Penny is the principal of JS Penny Ltd which provides technical and training consulting on anti-money laundering procedures, auditing and financial reporting. Julia is a member of ICAEW Board and Council, chair of the ICAEW Ethics Advisory Committee and past chair of the ICAEW...