The Brydon Review
This is the second of our series of articles on audit reform. SAICA encourages all those affected to be proactive in any discussions on audit reform. This will allow the profession to avoid a scenario where lawmakers make changes that will have undesired and unintended consequences, all in the name of being seen to do something to bring forth change. There is a lot that auditors are doing right, and we need to ensure that those good practices are brought to light and are built on.
The impact of failed audits may be far-reaching to the economy, not just impacting shareholders but also pensioners, employees and suppliers who have an interest in the viability of the company being audited. Due to the public interest nature of the role of auditors, the public has every right to question their trust in the quality of work performed by auditors when corporate failures happen. Criticism against the audit profession should not be taken lightly as it goes to show that the public understands the unique and influential role that auditors play. The auditor, through the legislation, has been granted access to the systems, financial records, information and personnel in the organisation and is thus able to form an independent opinion about the financial position of a company. Therefore, it is crucial that when there is a perception that the audit profession is not living up to its mandated role in society, action should be taken to restore trust.
This is the reason that SAICA is advocating for discussions on audit reform to commence urgently, even in the midst of the COVID-19 global pandemic. Any underlying problems that the profession was grappling with prior to the outbreak in South Africa will be exacerbated in the current environment. Stakeholders may fear that audits are no longer taking place, or that audit quality will decrease. This is however not the case. Audits are still continuing. Audit requirements remain exactly the same – the same standards (the International Standards on Auditing – the ISAs) apply pre-COVID, during COVID and post-COVID. Auditors have adjusted the way they are performing audits, for example alternative procedures, receiving and verifying documents remotely, video technology, etc. A heightened application of professional scepticism and professional judgement by auditors, while remaining objective, is anticipated.
Several regulators have extended reporting deadlines, for example the JSE, the Financial Sector Conduct Authority and the Legal Practice Council. This allows the auditors, for example in the case of listed entities, two extra months to complete their audits. There may be more modified audit opinions. This is not a definite expectation. However, in some cases the auditors may need to modify their opinions due to scope limitations (could not access certain records, could not perform an inventory count, for example) or as a result of going-concern matters. But again, this is not going to happen, and even if it does, it means the auditor is complying with the standards. It is not a reflection on the quality of the audit. Auditors are committed to high audit quality.
Nevertheless, failure to prioritise audit reform could result in South Africa lagging behind its international counterparts in this regard. As discussed in the first article in this series, a number of studies have been performed in the United Kingdom (UK) to look into audit reform. The first article had its focus on the recommendations emanating from the Competition and Markets Authority (CMA) Statutory audit services market study. The focus of this article will be on some of the recommendations from Sir Donald Brydon’s report Report of the Independent Review into the Quality and Effectiveness of Audit (the Brydon Review), which was commissioned by the UK government. The report contains recommendations which should be taken together to stimulate improved audit quality and effectiveness of audit in the UK. The recommendations are collectively aimed at improving audit and assurance in relation to public interest entities (PIEs). The aim is not to analyse all 64 recommendations of the Brydon Review in this article but to highlight some of the key proposals that may need to be considered in the South African environment. For this article, we focus on the recommendations relating to the definition and purpose of an audit as well as recommendations relating to the role of other assurance providers and how these could be considered in South Africa.
The needs and expectations of users of financial and non-financial corporate reporting
The purpose of audit
There seems to be a gap between what audit is in terms of legislation and the ISAs, and what members of the public perceive it to be. For instance, there is a perception that an unqualified audit opinion means that the financial statements are free from misstatements; another perception is that an audit will detect fraud and is designed to detect fraud in a company. The ISAs, on the other hand, place a responsibility on the auditor to obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error. This is usually referred to as the ‘audit expectation’ gap. While some members of the audit profession may argue that a lot needs to be done to educate the public about what an audit is meant and not meant to do, the decades-long outcry from the public which has resulted from corporate failures cannot be ignored. This should be seen as both a challenge and an opportunity to improve the quality of the existing audit product and to redefine the scope of audit to align it more with the public interest.
To address this problem the Brydon Review has put forward this recommendation: ‘The purpose of an audit is to help establish and maintain deserved confidence in a company, in its directors and in the information for which they have responsibility to report, including the financial statements.’ This definition suggests that the focus of an audit should extend beyond financial statements. This is further supported by this statement in the report, ‘auditing should provide information that is useful to present and potential investors, lenders, creditors and other users in making rational investment, credit and other decisions and assessments about the company’. This suggests that auditors should not only be concerned with providing assurance but also to make it an informative process about the audited company to the users of the corporate reports. To satisfy the purpose of serving a wider public interest, the following recommendation has been included in the report: ‘I recommend that auditors should be free to include original information, materially useful to a wide range of users, in their audit report and at the AGM, and not be confined to commenting on that which has already been stated by directors.’ This is a fundamental change in principle as to what is required of auditors.
Whether these recommendations would work in South Africa would require extensive consultation. Furthermore, the interaction between updated definitions and the revised scope of an audit as well as the existing auditing standards and regulations would need to be considered. The Auditing Profession Act 26 of 2005 (the Act) would need to be amended. The Independent Regulatory Board of Auditors (IRBA) is the national standard-setter and the auditing standards it prescribes in South Africa are those of the International Auditing and Assurance Standards Board (IAASB). Either the IAASB would need to reconsider the entire base on which the ISAs are premised (that is, what an audit means), or a local definition and scope of an audit, which is fundamentally different to the one recognised by the IAASB, would need to be determined. This requires a separate set of auditing standards to be developed for South Africa. This could be a very time-consuming process and may require significant investment in capacitating the IRBA. This would also not be desirable as there should be global convergence regarding auditing standards. A further concern would be the fact that auditors have no limitation of liability in South Africa in terms of section 46 of the Act.
Users of the audit product
The starting point of any change in the purpose and scope of an audit would require the identification of the users of the audit product. Traditionally, the users of audit have been shareholders, given that they provide financial capital and require accountability on how that capital has been put to use by those charged with governance.
SAICA recommends that any discussions on reform in this area should focus on determining whether there is a need to expand the reporting responsibilities of the auditor to beyond shareholders and if so, can this be done without significantly exposing the auditors to increased risk of liability.
In order to recognise legitimate interests of all users, the Brydon Review recommends that: ‘The directors present an annual Public Interest Statement (as part of the Strategic Report) on how they view the company’s legal, financial, social and environmental responsibilities to the public interest. This Statement should explain how the company has discharged its self-declared public interest obligations and responsibilities, what actions it has taken to mitigate any externalities it has caused during the period, and how effective these actions have been.’
Non-financial corporate reporting
The recommended definition of an audit by Sir Donald Brydon suggests that financial reporting is only a component of corporate reporting. In other words, users want assurance on other aspects of corporate reporting as well. In South Africa, JSE-listed companies are required to apply the principles in the King IV Code of Corporate Governance. The King Code includes the recommendation that companies should prepare integrated reports. ‘The primary purpose of an integrated report is to explain to providers of capital how an organisation creates value over time. It therefore contains relevant information, financial and other. An integrated report benefits all stakeholders interested in an organisation’s ability to create value over time, including employees, customers, suppliers, business partners, local communities, legislators, regulators and policy-makers.’
As a result of companies already applying this King IV principle, South Africa is quite advanced in the integrated reporting space and some auditors are already providing assurance over these reports. International Standard on Assurance Engagements (ISAE) 3000, Assurance Engagements other than Audits or Reviews of Historical Financial Information, is one of the key auditing standards used by auditors to perform these engagements.
However, there is no requirement that only registered auditors should perform these engagements, resulting in different professionals from various industries performing these assurance engagements based on varying reporting frameworks. As South Africa is already advanced in this area, there is no need to reinvent the wheel. Any reforms introduced should be to enhance how assurance engagements are performed on extended external reporting, to identify the need to recognise reporting frameworks and deciding on whether there is a need to regulate all assurance providers operating in this space.
In the UK, the Brydon Review recommends the following: ‘that the Audit Reporting and Governance Authority (ARGA) determines a framework for all corporate auditing, whether of financial statements or of other information’. Contextualised to the South African environment, considerations would need to be made on a suitable regulator who will then be tasked with the responsibility of recognising appropriate frameworks. The suitability of the International Framework for Assurance Engagements may also be considered as a foundation to assess whether a reporting framework could be assured and therefore be considered in South Africa.
In order to drive improvements in audit quality, it is not just auditors who need to transform their thinking. The Brydon Review includes recommendations placing responsibility on the directors and audit committees to explain the actions they have taken to prevent material fraud and to report on internal controls. These two functions already perform a lot of work in this area, yet the work they perform remains largely unknown to the stakeholders, hence the drive for further disclosure and transparency on their activities. The recommendations further empower shareholders by allowing them to question both the audit committee chairperson and the auditor at annual general meetings.
In South Africa, King IV recommends that affected businesses adopt a combined assurance model. A combined assurance model incorporates and optimises all assurance services and functions so that, taken as a whole, these enable an effective control environment; support the integrity of information used for internal decision-making by management, the governing body and its committees; and support the integrity of the organisation’s external reports. Under combined assurance, assurance is provided by the following role players:
- The organisation’s line functions that own and manage risks
- The organisation’s specialist functions that facilitate and oversee risk management and compliance
- Internal auditors, internal forensic fraud examiners and auditors, safety and process assessors, and statutory actuaries
- Independent external assurance service providers such as external auditors
- Other external assurance providers such as sustainability and environmental auditors, external actuaries, and external forensic fraud examiners and auditors, and
- Regulatory inspectors
This list incorporates internal and external assurance providers. All these assurance providers would be required to assist in providing assurance on the extended external reporting that the Brydon Review recommends. The corporate failures experienced in South Africa have, however, shown that the implementation of the combined assurance model needs improvement. For example, the organisation’s line functions that own and manage risk appear to not have performed their duties properly in several cases – internal controls have failed in many cases. Any reforms to improve assurance should build upon any progress made in terms of applying the combined assurance model.
In November 2019, the JSE amended certain of its listing requirements. One of the listing requirements amended was listing requirement 3.84 relating to corporate governance. A new paragraph (k) was added to the requirement that reads as follows:
- ‘The directors, whose names are stated below, hereby confirm that −
the annual financial statements set out on pages […] to […], fairly present in all material respects the financial position, financial performance and cash flows of the issuer in terms of IFRS;
no facts have been omitted or untrue statements made that would make the annual financial statements false or misleading;
- internal financial controls have been put in place to ensure that material information relating to the issuer and its consolidated subsidiaries have been provided to effectively prepare the financial statements of the issuer; and
- the internal financial controls are adequate and effective and can be relied upon in compiling the annual financial statements, having fulfilled our role and function within the combined assurance model pursuant to principle 15 of the King Code. Where we are not satisfied, we have disclosed to the audit committee and the auditors the deficiencies in design and operational effectiveness of the internal financial controls and any fraud that involves directors, and have taken the necessary remedial action.’
- Although the implementation of this requirement has been postponed due to COVID-19, the principle indicates that there is a recognition that assurance is to be provided by more than just the external auditors. Others involved in the financial reporting chain are also effectively providing assurance.
Reforms for improvements should not just be targeted at auditors only but to every component in the corporate reporting ecosystem such as audit committees. Audit committees have a significant role to play in ensuring that a company’s combined assurance model is effective. As noted by Sir Donald Brydon, ‘It is the audit committee’s collective job to give the auditor courage.’ The role of the audit committee is also important in that it determines the scope of assurance work that the company undertakes and also controls the budget of the assurance activities. If audit committees view the audit as a commodity whose fee should be kept to the bare minimum instead of an opportunity to improve transparency in corporate reporting, no progress will be made in improving audit quality.
Auditors will forever be chasing tight audit deadlines in order to complete audits that only comply with the statutory requirements, resulting in audit being a compliance exercise. Fee models should be reconsidered, audit quality indicators (AQIs) should be considered, and audit fees should possibly (and likely) be increased to ensure that auditors have the necessary resources to perform the types of audits required for large and complex companies.
The audit committee function needs to be strengthened as it has the ability to limit or enhance audit. The Brydon Review has made the following recommendations regarding audit committees:
‘It would help strengthen confidence in the role of the audit committee if shareholders and other interested parties could gain some insight into how the committee has reached a successful conclusion regarding the company’s handling of financial reporting and risk. In particular, there would be value in understanding how the committee has, where necessary, challenged the company’s executives, its senior management, its internal audit function or its external auditor, in order to drive changes in behaviour or reporting for the benefit of the company as a whole.’
‘I recommend that audit committee minutes be published with a time-lag of 12-18 months and with approved redactions.’ This recommendation could enhance the transparency of the audit committee in how they have executed their functions.
‘I recommend that the audit committee publish a three-year rolling Audit and Assurance Policy which would be put to an annual advisory vote by shareholders for approval at the Annual General Meeting.’ Such policy is expected to:
- Explain the process of appointing auditors
- Explain the work demanded of the auditors and any conditions attached
- Explain the fees basis for audit work
- Provide a framework for decisions about materiality
- Explain how seeking assurance relates to the Risk Report [this report – not applicable in South Africa – includes a description of the principal risks, the procedures put in place to identify emerging risks and an explanation of how these are being mitigated] of the directors, and
- Explain the approach taken to obtaining and reporting on assurance around internal controls, both in relation to the financial reporting and operational controls
Such interaction between stakeholders and the audit committee could be part of the solution in addressing the ‘expectation gap’ as it will give transparency about the assurance activities of the company.
Most importantly, what the required reforms point to is that there should be greater collaboration between stakeholders and assurance providers. None of the audit reforms will be meaningful unless a platform for such collaboration is created and as SAICA we will continue to advocate for such dialogue among all affected parties.
1 Although the term ‘company’ has been used in this article, the same considerations may apply to any form of entity being audited.
2 ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements, paragraph 5.
3 The International Integrated Reporting Council, The International Integrated Reporting Framework, page 4.
4 Refer to volume III of the 2018 Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements available at https://www.irba.co.za/handbooks-of-international-standards/2018-handbook-of-international-standards.
5 The Institute of Directors in Southern Africa, King IV Report on Corporate Governance, page 68.
6 Available at https://www.jse.co.za/content/JSEAnnouncementItems/051119Amendment%20Schedule%20Primary%20Listings.pdf.
AUTHOR | Thandokuhle Myoli CA(SA) is Project Director: Audit and Assurance at SAICA.