Audit reviews: the process, pitfalls and published themes
Although the majority of the files reviewed were acceptable, it is a concerning time for the firms whose files fell into the most serious category of requiring “significant improvements”. Although the proportion of those across the board is still relatively low (8%), there has been an upward trend in files failing the review to this degree. In 2015/16 the proportion was 1.8%; in 2016/2017, 7.5%; in 2017/2018, 3.6%; and in 2018/2019, 5.9%.
Admittedly, the number of files reviewed this year was lower than in previous years, and the scope of the reviews was widened to include more aspects of the audit, so the upward trend doesn’t represent a true picture due to the variable underlying factors. However, the firms responsible for the audits falling into the 8% will undoubtedly face increasing intervention by the FRC. As the FRC reports state: “Nonetheless, any inspection cycle with audits requiring more than limited improvements is a cause for concern and indicates the need for a firm to take action to achieve the necessary improvements”.
In this blog, we provide some background on what happens prior to and during an AQR, how the FRC may deal with failing files and what steps a firm can take to deal with any criticisms, to receive the best possible outcome.
In the first blog in our series, we provided some background on the audit quality reviews carried out by the ICAEW and ACCA. Those bodies are both a Recognised Supervisory Body (RSB) under the Companies Act 2006 (“the Act”): they review audits which do not fall under the FRC’s jurisdiction.
The FRC was designated the Competent Authority for audit regulation in the UK on 17 June 2016 by the Statutory Audit and Third Country Auditor Regulations 2016 (SATCAR). Under SATCAR, the FRC monitors the quality of the audit work of statutory auditors and audit firms in the UK that audit Public Interest Entities (PIEs), but also includes the audits of large AIM companies, Lloyd’s Syndicates and listed non-EEA audits within its scope. The FRC is responsible for conducting AQRs for firms which audit at least one PIE. Although the principles of FRC and ICAEW/ACCA reviews are similar, the stakes involved in FRC reviews are much higher. With fines for failing files running into the millions, one can understand why firms falling into the FRC’s jurisdiction approach an AQR with some trepidation.
The frequency of reviews varies depending upon the size of the firm. Reviews are routinely carried out every three years, unless the FRC considers the firm to be high risk, in which case the visits may be more frequent. Larger firms are subject to annual inspections, with the results of those inspections being published, as described earlier.
A “PIE” is a fully listed company, bank or an insurance provider.
The FRC publishes a number of individual firm and thematic inspection reports annually which can help firms to understand the types of issues it looks into, and how the firms subject to the reviews have responded to the criticisms raised. Audit Firm Specific Reports can be found here. Thematic Inspection Reports can be found here. If your firm is about to experience its first AQR visit, it would be helpful to review those documents to obtain some background about the likely focus of the FRC’s visit. This will allow you to identify whether any of the failings may be identified in your firm’s audits or procedures, and put in place steps to rectify any perceived deficiencies before the review takes place.
At the visit, you should anticipate that the AQR team will look at the firm’s overall quality control procedures for the audit of PIEs. The team will recognise, however, that not all firms will follow the same procedures, as these will be dependent upon the size of the firm and the nature of the work it undertakes. The team will focus on understanding how the procedures achieve the quality control standards which are appropriate for the firm. Clearly, if your firm carries out one PIE audit of a listed debt company, its procedures may differ from those of the ‘Big 4’.
The firm’s culture will also feed into the AQR’s assessment. The AQR team may regard a firm which has an open and collegiate culture, where audit teams work well together, as a lower risk than firms where the culture departs from this ideal.
In selecting which audits to inspect (if your firm has a portfolio of PIE audits), the AQR team will take into account a number of factors including the assessed risk of the audited entity. It may also focus on audits in particular priority sectors. For example, given the effect of COVID on particular businesses, one might expect the FRC to focus on retail, and perhaps hospitality, in reviews in the immediate future.
The AQR team will carefully review each file selected and will focus on the sufficiency of audit evidence obtained, and the appropriateness of key judgements, when determining audit quality. This includes examining the firm’s compliance with the “Relevant Requirements” defined in SATCAR, including auditing standards, ethical standards and quality control standards issued by the FRC, alongside the audit regulations issued by the ICAEW and ACCA.
The reviewers will identify where there are areas of improvement required relating to audit quality or to compliance with regulatory requirements. It is rare that an AQR visit results in an entirely clean bill of health; on most occasions some, at least minor, improvements will be required, which will form the content of an action plan, which is agreed with the firm. The AQR team will assess periodically whether progress has been made on the deficiencies identified in the action plan, and whether those improvements are sufficient to address the problematic areas which were identified. It is axiomatic that firms must focus on the action plan and ensure that improvements are made; a failure to address the concerns sufficiently will at best lead to more regular visits, and, at worst, could lead to enforcement action. This is not a ‘tick box’ exercise where the firm can simply indicate that it will improve. Detailed and measurable steps should be put in place, and implemented, to satisfy the FRC that the risk of the firm carrying out future audits is low.
At the conclusion of the AQR, the team will issue confidential reports on the audits which have been reviewed. The reports will be provided to the responsible audit firm, but also to the Audit Committee Chair of the audited entity. The reports grade the quality of the audits in the following categories:
Where an audit has been graded as “improvements required”, or “significant improvements required”, the FRC will consider whether enforcement action is appropriate. This could result in a significant sanction being imposed against the audit firm and audit partner. You should take steps to avoid this at all costs, by engaging constructively and openly with the FRC, and by putting in place a robust and measurable action plan. However, where the FRC is not satisfied that engagement is sufficient to address its concerns, there are a number of steps you can take to try to secure the best possible outcome.
If the FRC does decide to take enforcement action, the procedure will be governed by the FRC’s Audit Enforcement Procedure (AEP). The AEP describes all of the steps of the procedure, including deadlines, and the FRC keeps as rigidly as it can to the rules contained within it.
The first aim when a failing file has been referred down the enforcement route is to try to persuade the FRC’s Case Examiner to proceed with “constructive engagement”. This is appropriate when the issues are fairly narrowly focussed and the audit firm has been proactive in demonstrating that the perceived deficiencies have been rectified.
However, it is common for the Case Examiner to decide instead that the information he/she has received amounts to an ‘allegation’, in which case the matter is referred to the Conduct Committee. The Conduct Committee can then refer the allegation for investigation by the Executive Counsel, leading to a full investigation.
An explanation of key parts of the process under the AEP can be found in our FAQs. The process can be lengthy and time intensive. The FRC is likely to ask for the full audit file, then follow up with a number of information requests, which are to be answered in a timely manner. An interview with the audit partner is likely to be sought, at which he or she will be led through many key decisions and asked to explain or justify them. The FRC will use its in-house legal and forensic accountancy teams, but will also seek external guidance from experts and Counsel, which can lead to significant costs being incurred. If there is ultimately a settlement or a finding of misconduct, the FRC will seek to recoup some or all of its costs from the audit firm or partner.
The most important initial step you should take is to obtain expert advice. Even simple requests from the FRC for information need to be considered carefully. For example, it might seem logical and routine to provide the audit file. In doing so, however, you need to consider whether it contains privileged or otherwise confidential information, which may need to be removed or redacted.
It can seem easier to simply respond to information requests as they arise, and wait for the outcome of the investigation. You should consider, however, whether this is the best approach to take. Costs are accumulating throughout. Are there areas which are capable of being agreed with the FRC? Is it possible to cut down the FRC’s investigatory focus? Can you prepare a full in-house root cause analysis to allow you to understand what went wrong, and propose ways to ensure that the same mistakes will not happen in the future?
The FRC offers significant discounts for early settlement, and a further discount for exceptional cooperation. There will of course be cases where you fundamentally disagree with some of the FRC’s findings, and will want to ultimately defend your position at a tribunal. Sometimes, it is more tactically sound, and more effective in preserving the firm’s reputation, to consider the alleged failings and make concessions or admissions where the evidence supports doing so. There is no ‘one approach fits all’ solution. Seeking advice at the earliest possible stage will allow you to avoid falling into any legal traps, such as inadvertently waiving privilege, and will assist you in preserving your audit licence, or avoiding an excessive fine and costs award.
Julie Matheson is a Partner in the Regulatory team, specialising in defending professionals in the financial and legal fields. She has particular expertise in defending accountants and accountancy firms in regulatory proceedings brought by the FRC, ICAEW and ACCA.
Sarah Harris is a Partner in the Regulatory team. Sarah has significant experience in the prosecution and defence of regulatory matters across a number of sectors. She is an experienced advocate who presents cases of all levels of complexity, ranging from allegations of sexual misconduct to lengthy and complex competency cases.