Where next with assurance: a review of ICAEW’s consultation paper

Your reading for the weekend is Where next with assurance?, a consultation paper from ICAEW which aims to take their series on assurance, “The Journey” to the next stage. It draws on feedback from ICAEW members who are developing assurance engagements in practice, and brings together strands from the corporate reporting and assurance debate around the world.

I have mixed feelings about this paper, so I hope that many of you will read it and respond to the consultation questions it asks.  It is a valuable contribution to the assurance debate, but I can’t give my unqualified assent to the five key views expressed.

Addressing each of those “We think that…” statements in turn:

“Rather than focusing on the annual report – or any other single report of an organisation – we should think about the right way to use assurance to meet the needs of the organisation itself”

I don’t believe that the needs of the organisation which is the subject of the assurance are the only, or even the principal, driver of the need for assurance.  In my view, assurance – and the role of the chartered accountant – are relevant to the public interest, to better business and to a better society; the first question we should ask about assurance is whether it is meeting those needs.

Moreover, if we were trying only, or mainly, to address the needs of organisations themselves, many of the issues assurance providers face with determining whether engagements are appropriate for users’ needs, who should be permitted to use and rely on reports and what consequences this has for the assurance provider’s liability would disappear.   So to position assurance as focussed primarily on addressing the needs of an organisation, not its stakeholders, skirts around some of the biggest practical obstacles to the development of an assurance market in the UK.

“The role of the board in determining the need for assurance, internally and externally, is vital to understanding the future of assurance”

No-one could disagree with this statement.  But I’m concerned that this view risks polarising the relationship between executive directors and the other parties who might be interested in assurance.  ICAEW skirts close to painting a picture of a world where directors know best and the very valid concerns of other stakeholders, including the public and those who feel excluded from the debate on trust in business, are automatically accorded lower value.

I believe that one of the most valuable roles of a chartered accountant is to facilitate engagement, and so build relationships, between executive directors and other stakeholders, so that we can achieve a consensus on where better, more useable information – and more assurance – is needed.

The paper correctly observes that the modern assurance market is undeveloped “…apart from in a few specific and regulated areas.”  It fails, though, to explore the reasons why a thriving assurance market has developed only where assurance is required by regulation.  This question is of fundamental, structural importance to the market and we will not get very far if we ignore it.

The challenge facing assurance providers is determining whether there is a market, and for what, in the absence of regulation.

“Getting the right assurance in the right place is essential. This means asking the right questions about risks and information flows, and in a complex organisation it means keeping track of the situation with an assurance map”

Again, I’m sure no-one could argue with this.  However I don’t agree that “…the first step is working out where there are risks associated with information flows.”   Recent corporate scandals have demonstrated that where boards do not start from the perspective of strategy (and the risks that threaten achievement of strategy), they do not accord an appropriate level of importance to strategic non-financial information flows, and therefore these don’t make it onto the assurance map to start with.

I’d say that VW would be one example of this – their business model had an inherent tension between the need to comply with environmental regulation and the preference of their customers for the high performance that can be achieved unconstrained by regulation.  Unless that strategic tension is acknowledged, the related information flows are unlikely to be regarded as high risk.  Tesco is another such example where the challenge for the Board was recognising the extent to which the company’s profitability depended on pushing compliance with regulation to the absolute limits.

Essentially, once a company has fallen into the trap of not making meaningful disclosure of the most strategic information, then any assurance map that starts by asking what risks relate to the information which is gathered and disclosed will already have some significant omissions.

“Assurance can be provided over risk disclosures or forward-looking information, even if the question asked is different from ‘is this true and fair?’”

The paper sets out the four characteristics of “useful” forward-looking information – it is: understandable, relevant, reliable, and comparable.   The paper then proposes that “An assurance provider can carry out an engagement to provide an opinion on whether information that cannot be assessed yet for accuracy has the four characteristics for usefulness.”  I would agree that those are characteristics of a good basis of preparation of forecast information, but in my view, any assurance opinion on that forecast information would be expressed as “properly prepared” in accordance with the basis of preparation, rather than “very useful”.

Of course a good basis of preparation does result in useful information, but not necessarily for every user – indeed existing assurance practice, including case law relevant to the financial statement audit, recognises that the needs of a homogeneous population of users may differ even from those of any individual user who is a member of that population.  If we imply that it is simple to determine what is “useful” to a potentially very large range of users, we again skirt round one of the most difficult issues in the development of an assurance market.

Needless to say, the answer to the question “what would be useful here?” may well be one of the unknown unknowns as I think we could argue it was in the financial crisis. Is it “useful” for any set of forecasts to anticipate the zombie apocalypse? I suspect all will argue that it is not, until afterwards, when they’ll ask where the auditors were.

“Assurance can add value to narrative information using current principles and techniques, and the skilled judgement of preparers and assurance providers”

The previous section of the paper concludes with the words: “An assurance engagement on these subjects might consider whether the information is useful, or whether the process has been implemented as described, rather than asking ‘is this true and fair?’”  This is, I think, a misleading question, since it suggests that the financial statement auditor is consciously considering whether the financial statements are “true” and “fair”, as if those were separable, testable characteristics.  In reality, in my view, the phrase “true and fair” has passed into regulatory rhetoric, as having an understood meaning as a whole (compliance with GAAP) that cannot be analysed down to its constituent parts.

The relevant question when exploring the assurance market is how long it might take for non-financial assurance phraseology to pass into the equivalent assurance rhetoric.  I would argue that, in the context of ISAE 3402 “fairly presents”, “suitably designed” and “operating effectively” have crossed the rhetorical Rubicon.  But I think it may be a long time before “fair, balanced and understandable” has acquired a similar standing as a phrase, the meaning of which is understood and shared, without reference to its constituent parts.

In conclusion

I think it needs to be clearer up-front that this paper is intended to be a provocation, a thought piece, rather than a technical analysis.  I find the idea of a continuum of assurance that embraces internal and external assurance helpful but I think the paper could be clearer about the fact that its references to assurance address the role of the chartered accountant in not only providing independent external assurance, but also in developing innovative interfaces which allow the value of internal assurance to be unlocked for stakeholders.

Stark choices for Tony

I have two excuses for this blog post. The first is that any parent of an eight year old is obliged to be able to name a favourite superhero.  The second is that once I’d thought of this title, the only way to get it out of my head was to write the post.  For those who don’t have a favourite superhero, Tony Stark is the billionaire engineer and industrialist who, in the Marvel comic book series created by Stan Lee, and in the recent re-imagined films, becomes Iron Man.

Stark’s wealth comes from his ownership interest in an arms manufacturing company.  However, when captured by terrorists who try to force him to build a weapon of mass destruction, he instead builds a powered suit of armour, which he uses first to escape the terrorists and then, following multiple improvements, in his new guise as Iron Man, to save the world.

While being held hostage, Stark discovers that Stark Industries’ products are making their way into the hands of terrorists, and being used on civilians.  When he arrives home, the first thing he does is announce that Stark Industries will no longer manufacture weaponry, and he diverts its resources to developing clean fusion energy.  But is that his only choice as a responsible businessman or is it possible to be a responsible arms manufacturer?

I believe it’s possible to develop a code for ethical behaviour in any industry.  While an ideal world would be one without armed conflict, there is an ethical role for weaponry in the world we have created – to protect freedom and defend human rights.  But an ethical arms manufacturer will not want to supply those whose aims are the opposite.  It will, therefore, need a code of behaviour which, if adhered to, will prevent its products and intellectual property from ending up in the wrong hands.

In common with other codes of trading behaviour (for example, anti-bribery and corruption), an effective code for ethical supply would need to cover the tone at the top of the organisation, risk assessment and management, policies and procedures, communication to and training of employees, relationships with third parties, internal controls and monitoring, review and discipline.  Within each of those areas, the organisation would identify its objectives, for example setting the limits as to what types of customer behaviour might lead to black-listing, identify the threats to those objectives, and the resulting controls that could be put in place.

Evaluating the effectiveness of the code would require a top to bottom look at how it has been implemented across the organisation including, for example, the effects on corporate governance, recruitment, internal audit, contract due diligence, physical controls over inventory and cyber-security.  Scepticism might demand that the organisation makes an external statement about its principles and how they are applied in practice, and that that statement comes under scrutiny from an independent organisation.

An added complexity for an arms manufacturer is the question of how much of the decision-making around ethical supply can be sub-contracted to the government of the day.  Some would argue that if a particular territory is considered by a democratically elected government to be a suitable customer for weaponry, the manufacturer should not have to think further about this.  I don’t think it’s so clear cut; adding a layer of agency to the decision-making, introducing other agendas, can muddy the decision-making waters.

In fairness to Tony Stark, he wouldn’t have had any luck implementing this approach anyway, as his chief executive officer is a wrong ‘un for whom ethical supply is the bottom of the agenda – without buy-in from the board, any plan to change behaviour would surely be doomed to failure.  And Stark Industries doesn’t seem to have internal or external auditors; or at least, if it has they don’t feature in the story, sadly – auditors could have been Tony’s best ally in implementing and monitoring the effect of a programme to change behaviour.

Becoming Iron Man might be Tony Stark’s only choice, but it isn’t the only choice for an arms manufacturer.  We might wish weapons didn’t exist, but we all rely on their existence. The challenge for a responsible business is how to control their supply in a way that maximises their deterrent power and minimises the devastation they can cause.

On auditors’ independence, self-review and twisted knickers

In July 2009, Rentokil Initial Plc walked into the middle of a storm when they announced:

“The Company invited its existing auditors PricewaterhouseCoopers LLP as well as KPMG Audit Plc to submit proposals for a more integrated financial assurance process extending external audit coverage to some work undertaken by internal audit. The board has decided to proceed with KPMG, who will be appointed to undertake the 2009 audit. Combined internal and external audit costs will reduce by approximately 30%.”

Within a week, under the headline Cut-price Rentokil-KPMG deal raises ethical questions for auditors Accountancy Age reported that:

“The arrangement has led some to re-examine audit’s ethical code which highlights two main risks when external auditors also provide internal audit services.  The first threat, known as the self-review threat, warns against the external auditor relying heavily on its own internal audit work. The second threat, known as the management threat, warns against the internal auditors assuming the role of management.”

Two years later, the Financial Reporting Council’s Audit Inspection Unit (“the AIU”) (now the Audit Quality Review Team) reported:

“In the light of the prior year publicity surrounding the provision of “extended assurance” services, we reviewed the audit of two entities where such services had been provided. We did not identify any relevant requirements of the Ethical Standards applicable at the time that had not been met or any adverse impact on audit quality.”

Confused yet?  Had KPMG been engaged to be both external and internal auditors at Rentokil?  If they had, why wasn’t this an ethical problem for them and their regulator?

In 2009, when KPMG proposed for the Rentokil audit, they were working within the boundaries set by the Auditing Practices Board (“the APB”) Ethical Standard 5 (“ES 5”) 2008 Non-audit services provided to audited entities.  This included a prohibition on an audit firm providing internal audit services to an audit client “where it is reasonably foreseeable that:

a)      for the purposes of the audit of the financial statements, the auditor would place significant reliance on the internal audit work performed by the audit firm; or

b)     for the purposes of the internal audit services, the audit firm would undertake part of the role of management” (APB ES5: 44)

APB ES5 (2008) went on to give an example of a scenario where the self-review threat would be considered “unacceptably high” noting that the auditor of a large bank should conclude that it is unacceptable to provide internal audit services, too, to that bank since the external audit team is likely to place significant reliance on the work performed by the internal audit team in relation to the bank’s internal financial controls (APB ES5 (2008): 44-45).

Wait! Run that by me again please: does it say that the auditor may not test the internal financial controls of its audit client? No – the external auditor is not only permitted but expected to test internal financial controls.  But what if the internal auditors have already tested them? Where that is the case, the external auditor has a decision to make: can the testing carried out by internal audit be relied upon or should the external auditor retest the controls?

APB International Standard on Auditing (United Kingdom and Ireland) 610 reminds the external auditor that he “has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work of the internal auditors” (APB ISA (UK&I) 610: 4)  Inevitably, therefore, the external auditor will reperform some testing; the question is how much?

Provided the external auditor can establish to his satisfaction that the work of internal auditors is reliable, he may reduce considerably his own controls testing.  This remains an option if the internal audit services are contracted out to a professional services provider, but, according to APB ES5 (2008), not if that professional services provider is the same firm as the external auditor. Why? Because then the external auditor would be reviewing his own firm’s work, which constitutes self-review, creating exactly the scenario identified in the 2008 standard as constituting an “unacceptably high” threat to the external auditor’s independence.

The flaw in this reasoning can be exposed thus.  Suppose the external audit team does not plan to use the work of internal audit, but rather re-performs all of the controls testing itself.  This could conceivably result in a scenario where each sampled instance of any one control is tested twice: once by the internal auditors, to provide comfort to those charged with governance, acting as a proxy for the shareholders, and once by the external auditors, to provide comfort to exactly the same ultimate party.  This actually seems a dangerous outcome because those charged with governance may wrongly conclude that they are getting twice as much comfort, whereas in fact they are being supplied with the same result twice by different teams.

Where the effective operation of a control is an objective binary outcome – it either operated effectively or it failed – no matter how many times any one historical instance of that control is tested, assuming no negligence on the part of the testers, the result of the test will be the same.  The same is true for a substantive test with an objective, binary outcome.  Does it matter whether such tests are performed once, by one team, who then report the result directly to those charged with governance (previously the role of the internal auditor) but then go on to use that result as evidence in forming the external audit opinion? 

It affects the cost to the shareholders of the overall level of assurance achieved, with it clearly being preferable to pay for each test only once.  And it affects the effectiveness of assurance activities, because the elimination of duplicate testing provides resource for other controls (generally operational controls) to be brought into the scope of testing for the first time.  Moreover, as noted above, the very existence of separate internal and external audit teams can create a false sense of security for stakeholders, if, in reality, both teams largely duplicate each other’s work.

The APB recognised the rationale behind the extended audit model and, following an open consultation with interested parties, revised APB ES5 accordingly.  This now recognises that some extended audit work is effectively a part of the external audit and, subject to some conditions, presumed not to be a threat to the auditor’s independence.

The conditions imposed by the APB on allowing such extended audit work to be considered part of the audit are that it relates to financial information and/or financial controls, is authorised by those charged with governance, is integrated with the work performed in the audit and is on the same principal terms and conditions as the audit. (APB ES5: 68-69).

So are auditors and those charged with governance of cash-strapped audited entities now living happily ever after?  Not quite, for it is relatively easy for some testing which the audited entity wishes to commission to fall outside the four conditions set out above, for example, testing of operational rather than financial controls.

Where this is the case, the additional testing is not prohibited, but the auditor is forced to consider the threats to independence, principally management and self-review!  However, as explained above, where the outcome of any testing is an objective, binary result, it cannot make any difference to the finding whether the test is performed once, twice or many times.  Duplicate testing to avoid self-review is an expensive, redundant safeguard.  So we are left asking why APB ES5, in this specific regard, positively requires the auditor to consider a threat to independence – self-review – that cannot, in fact, have any effect on the auditor’s independence. 

The investigation into the extended audit model signally failed to justify the historical concern over the external auditor doing too much testing.  The resulting amendment to APB ES5, by leaving in place the requirement to consider the self-review threat in a broad range of circumstances where the four extended audit criteria will not be met, has created a lasting legacy of concern that for the external auditor to go beyond the bare minimum of testing needed to form the audit opinion is, somehow, unethical.  As a result, there has been a relatively low take-up of the opportunity to extend the scope of the external audit, and reduce any duplication of internal audit test work.  This should be a matter of concern to all stakeholders.

Even if we attribute the hysterical response of the financial press on the occasion of the Rentokil announcement to their concern for institutional investors, who are said to regard the independence threats of the external auditor performing internal audit work as some of the most significant of any non-audit service, we get no nearer to understanding why those investors are so vexed. 

An outsider may conclude that one of the greatest threats to the quality of the external audit is for there to be any co-ordination or even combination of internal and external audit in the interests of efficiency and cost savings.  But if that is the case, why haven’t we seen the FRC mandate a minimum level of internal audit testing to be carried out by listed companies?  Indeed, a number of listed companies have no internal audit function at all.

It remains necessary, critical even, that for internal audit services which do not meet the four conditions to be considered an extension of the external audit work, the effect of the management threat to independence be fully assessed by the auditor and either safeguards put in place, or, where no safeguards are adequate, the opportunity declined.  And it is right that the auditor must consider the self-review threat to independence where the non-audit service being offered is one in which the professional forms subjective opinions, such as valuation services.  Here, the auditor’s objectivity must be safeguarded from the inevitable bias that arises when a colleague from the same firm has already formed a view.

But it is high time that the auditing profession and its regulators re-opened the discussion about self-review.  If the auditor can’t be trusted to review anything he or a colleague has done without bias creeping in, where is the value in the many review processes mandated by auditing standards as an essential part of the external audit?  And how can the auditor ever be satisfied with his own work on the previous year’s figures, a genuine instance of self-review that is far more likely to require objective professional judgment than just evaluating the results of internal audit work over financial or non-financial controls? 

In the current environment, the onus is on auditors to deliver to stakeholders the maximum breadth and depth of independent assurance for the fee. This commitment to delivering value is, in itself, an ethical purpose, one that must follow naturally from compliance with applicable ethical standards, if those standards are to achieve their intended result.  It’s vital, therefore, that the auditing profession investigates and addresses the residual concern that extending the scope of the external audit and eliminating duplication from the work performed by internal and external auditors is – somehow, for some reason we can’t quite explain – unethical.