The ASIC Act provides that the FRC's functions are to monitor the effectiveness of auditor independence requirements in Australia and to give the Minister reports and advice about this matter.
Australia has comprehensive legislative and professional requirements concerning the independence of auditors. The principal requirements are:
- Divisions 3 and 5 of Part 2M.4 of the Corporations Act, which set out the requirements that have to be satisfied by the auditors of those entities that are subject to the audit requirements of the Act;
- Auditing Standard ASA 220 Quality control for audits of historical financial information, which was issued by the AUASB in April 2006;
- Section 290 of the Code of Ethics for Professional Accountants (APES 110), which was issued by the APESB in June 2006 and amended in December 20074 and February 20085; and
APES 320 Quality control for firms, which was issued by the APESB in May 2006.6
Under the Corporations Act, all disclosing entities, public companies, large proprietary companies and registered schemes are required to prepare financial reports and have them audited. These audits must be conducted by auditors or audit companies registered by ASIC for that purpose.
To complement the legislative and professional requirements on independence of auditors, appropriate institutional arrangements have been put in place to monitor compliance with those requirements and, where necessary, take appropriate follow-up action. The principal organisations making up these institutional arrangements are ASIC, the ASX, the professional accounting bodies (the ICAA, CPA Australia and the NIA), APESB, the Companies Auditors and Liquidators Disciplinary Board (CALDB) and the FRC.
During the three-year period from 2006 to 2008, a body known as the AQRB also monitored the processes by which the four largest accounting firms seek to ensure their compliance with applicable professional standards and legal obligations in relation to independence and audit quality with respect to financial statement audits of publicly listed entities. In February 2009, the AQRB completed its three-year charter and submitted its final report. The key independence-related findings of the reviews conducted by the AQRB during 2008 are reported later in this section.
The ASIC Act requires the FRC to monitor and assess the nature and overall adequacy of the systems and processes used by audit firms to ensure compliance with auditor independence requirements.
In 2008-09, the FRC performed this function by gathering information from ASIC under the terms of its MOU with that body, by reviewing reports published by the AQRB and the ICAA and by requesting information from the professional accounting bodies under the terms of its MOUs with those bodies.
As a result of this work, the FRC formed the view that the systems and processes used by audit firms to ensure compliance with independence requirements are working effectively. However, the FRC notes that the inspections by ASIC reveal that some firms inspected for the first time need to make improvements in their systems to ensure that their systems are robust and comply with all the legislative requirements.
Report from ASIC
The MOU that the FRC has entered into with ASIC provides for periodic consultations and information sharing between the two bodies to assist in undertaking their respective responsibilities under the law.
ASIC's 2008-09 report to the FRC summarises ASIC's observations and findings in relation to the independence systems and processes of selected firms where inspections commenced or were in progress after 1 July 2008 and were substantially completed by 30 June 2009. The report by ASIC has constituted a key source of information for the FRC with respect to its responsibilities in this area during 2008-09.
During the year ended 30 June 2009, ASIC completed inspections of 15 selected firms. Of these firms:
- four were inspected for the first time7 (Group A);
- one was inspected for the second time (Group B); and
- four were inspected for the fourth time (Group C).
Three of the inspections were conducted jointly with the PCAOB. These were undertaken under an agreement entered into by ASIC to assist the PCAOB to ascertain compliance by Australian auditors with the Sarbanes Oxley Act of 2002.
In 2008 ASIC introduced an inspection program for smaller audit firms auditing entities listed on the ASX. ASIC inspected six firms under this program, with the primary focus of the inspections being on audit quality. This is primarily assessed through audit engagement file reviews rather than a detailed review of the systems of quality control at these firms. The different scope of these inspections reflects the size and client profile of these small audit practices.
Collectively, the 15 firms inspected by ASIC audit approximately 96 per cent by composition and 99 per cent by market capitalisation of the 300 largest entities listed on ASX (S&P/ASX 300). The firms in Group C represent the larger proportion, with responsibility for the audit of 89 per cent by composition and 97 per cent by market capitalisation of the S&P/ASX 300.
Inspections of firms in Groups A to C
ASIC's observations and findings for its inspections of the firms in Groups A to C varied amongst the firms inspected. Between the different groups of firms common themes were identified. In ASIC's view, the differences are due to their nature, size and, to an extent, attributable to the number of times the firms have been inspected. Overall, the firms have shown commitment towards meeting their independence obligations and addressing the observations and findings ASIC raised in its individual inspection reports.
Four breaches of the auditor rotation requirements of section 324DB of the Corporations Act by Group C firms were discovered during the year. Three of the breaches related to one firm and were disclosed to ASIC on a voluntary basis. In all three cases, an ineligible partner played a significant role either as an engagement partner or engagement quality control review partner in the audit of a listed client for more than five out of seven successive financial years. In the fourth case, another firm's monitoring processes identified a breach that resulted from an engagement quality control review partner playing a significant role in the audit of a listed client for six out of seven successive financial years.
ASIC has informed the FRC that both firms' leadership thoroughly investigated these breaches and took appropriate action, including financial sanctions against the partners involved. Both firms also enhanced their rotation monitoring processes to reduce the possibility of further breaches occurring. The FRC notes that ASIC will continue to monitor the effectiveness of the partner rotation systems during its next scheduled inspection at these firms.
Other observations contained in ASIC's inspection report about firms in Groups A to C include:
- Auditor rotation: All of the firms have considered their rotation obligations under the requirements of the Act. Group C firms, reflecting the size and nature of their listed audit client portfolios, had more sophisticated rotation arrangements in place to facilitate and monitor compliance. It was noted that this was not always the case with Group A firms, with one such firm not formally documenting its plan for rotation whilst another had not updated its rotation plan to reflect recent partner movements.
- Network firms: The Group A firms inspected in the current year were predominantly in a transitionary phase in modifying their systems, policies and processes to ensure compliance as a network firm. As a result, ASIC was unable to assess the operating effectiveness of certain policies and procedures over a period of time. ASIC will continue to monitor the effectiveness of these policies and procedures during its next scheduled inspection at these firms.
- Independence policies and processes: All of the firms have policies and processes in place to facilitate compliance with the independence requirements of the Act. However, the completeness and adequacy of independence policies varied, particularly among Group A firms.
- Testing of independence systems: With one exception, firms within Group A had not commenced testing the systems and processes used to ensure compliance with their legal and professional independence requirements. For the one Group A firm that is testing its independence systems, the program is not comprehensive and the firm did not deal with identified breaches arising from its testing process in a timely manner. ASIC has informed the FRC that all firms conducting testing of their independence policies and procedures include a review of the approval process for non-audit services provided to audit clients. The FRC notes that while firms are not compelled to test their systems and processes, such testing is considered to be best practice.
- Results from firms' monitoring programs: With the exception of the auditor rotation breaches referred to above, the firms with independence monitoring programs (primarily those in Group C) did not identify any breaches of the Corporations Act. However, ASIC found that the majority of firms were still reporting high incidences of non-compliance with personal independence policies. To put this observation in context, it is important to note that in some areas the policies of the firms in Group C include requirements that go further than those of the Corporations Act.
- Evaluation of independence threats: The majority of the firms have established policies and processes to assess threats to independence and consider safeguards, including those relating to the provision of non-audit services. However, ASIC found deficiencies in the quality and existence of documentation to evidence the application of firm policies by some of the Group A firms.
- Human resources and tone at the top: Last year ASIC noted that a number of firms needed to improve their processes to ensure a clear and transparent link exists between independence testing results and partner performance evaluations. This observation is again noted for the Group A firms inspected for the first time in 2008-09. However, ASIC has noted improvements in the processes adopted by Group C firms to enhance the transparency of independence considerations in the partner evaluation process, including imposing financial penalties for significant non-compliance identified.
Small firm inspections
As noted above, ASIC inspected six small firms under its new inspection program for smaller audit firms auditing entities listed on the ASX. The process is designed to ascertain the quality of audit conduct at small firms and to gain an overview of selected systems and processes relating to audit quality and audit independence. ASIC's consideration of small firms' compliance with the independence requirements of the Corporations Act is limited to high-level enquiries with the firms' leadership and independence-related matters documented on the audit engagement file selected for review.
ASIC has advised the FRC that in conducting these inspections and in determining its observations and findings, it is conscious of the size and nature of the firms. ASIC's inspection of the small firms did not identify any independence breaches of the Corporations Act; however, its findings showed that the small firms need to review their professional, ethical and statutory requirements in relation to independence to ensure they comply with their obligations, including the auditor rotation obligations under section 324DA of the Corporations Act.
Other observations made by ASIC on the basis of its inspections of the small firms included that:
- half of the small firms did not have an annual independence confirmation process for assurance personnel to confirm their compliance with independence policies and procedures, as required by paragraph 23 of APES 320;
- two of the small firms did not have established policies and processes in place for the approval of non-audit services to audit clients prior to the service being provided, as required by paragraph 290.158 of APES 110; and
- two of the small firms were at a greater risk of breaching the auditor rotation requirements under the Corporations Act due to the limited number of audit partners within their respective audit practices. ASIC observed that these firms need to focus on future partner admissions and succession planning to ensure they are able to continue to comply with the auditor rotation requirements of the Act.
ASIC has advised the FRC that it is continuing to monitor the types of non-audit services being provided by firms and the potential independence threats that may arise from the provision of such services. ASIC has noted that one firm recently re-entered the consultancy market following the acquisition of a consultancy firm. Whilst the provision of such services does not contravene the requirements of the Corporations Act, all firms need to ensure that they have effective systems and processes for the approval of non-audit services to audit clients. The need for firms to assess threats to independence and implement safeguards when providing non-audit services remains a focus for ASIC.
ASIC's 2007-08 inspection report
Last year ASIC reported that its consultations with firms on rotation requirements had identified two possible areas of ambiguity within the Corporations Act. The FRC indicated in its 2007-08 Report on Auditor Independence that it would liaise further with ASIC on the issue of auditor rotation and this has now occurred.
One matter related to the interpretation of 'significant role', as defined in section 9 of the Corporations Act, and whether it applies to partners that provide assistance on audits outside of the lead auditor or review auditor roles. On further examination, ASIC considers that the definition does not extend beyond those that act as lead or review auditors. The FRC concurs with ASIC's view.
The other matter concerned whether the rotation period commences when a company or registered scheme lists on a prescribed financial market within Australia or is counted from the time that the lead or review partner commenced on the engagement, which could be earlier than the listing date. ASIC has informed the FRC that it believes best practice should be applied in this area. Accordingly, it will expect firms to apply the provision using the time that the lead or review partner commenced on the engagement. This approach has regard to the current users of a listed entity's financial report, any possible familiarity threat relating to the current duration of an auditor's relevant involvement with the audit engagement, and the benefits of a fresh perspective being applied to an audit engagement.
Reviews by the AQRB8
The AQRB reviewed each of the four largest accounting firms during 2008, although two firms decided, for reasons of conflict with the timing of other review programs, that they wished the AQRB to reduce the scope of the 2008 review.
The significant difference between the reduced and normal scope reviews was that for the former the review was limited to observing practices on matters raised by the AQRB in the past. For normal scope reviews, a representative sample of audit files were selected and inspected in accordance with the AQRB's established program. The AQRB's normal reviews encompassed public interest entities, defined by the AQRB as listed entities, unlisted disclosing entities, APRA-regulated bodies and large proprietary companies (as defined in the Corporations Act).
The AQRB concluded that all four participating firms have established sound policies and procedures in Australia that are designed to enable them to complete effective audits within the framework of current Australian legal and professional requirements.
The key independence-related findings from the AQRB's 2008 review were as follows:
- The firms take a proactive approach towards independence. All firms require independence confirmations at the start of employment, and then at least annually, for all professional staff and partners. Partners and senior professional staff must also, on an ongoing basis, disclose their investments on an interactive database. These monitoring processes, which typically also include the audit of a random selection of independence declarations, on occasions detect that there have been independence breaches and these are dealt with by the firm according to their seriousness.
- The AQRB observed that although some firms continue to have a high number of breaches, these were generally minor in nature, only entailed a breach of the firm's own (more stringent) policies rather than legislative requirements and were appropriately responded to by the firm. Compliance with independence rules is taken into account in performance assessments for senior levels and serious breaches can attract financial penalties.
- Three of the four firms require that all staff on a particular audit engagement make a comprehensive independence declaration in respect of that client, normally at the commencement of each engagement. The fourth firm relies on its systems, continual staff independence reporting requirements and annual independence declarations to provide it with assurance on the required independence of staff on each engagement.
- All firms maintain comprehensive, normally global, client databases so as to enable monitoring processes in respect of both permissible investments and provision of non-audit services. The AQRB views these as very active, reasonably resourced monitoring schemes.
In those firms where the AQRB performed a full scope review, it paid attention to the quantum of non-audit fees compared to the audit fee. The AQRB observed a single instance in each of two of the firms of non-audit fees which exceeded the audit fee and had the potential to create an impression of impairment of audit independence. Enquiries of the audit teams and the firms' independence monitoring teams by the AQRB showed that they were fully aware of these situations and had satisfied themselves that audit independence was not impaired.
Under the ASIC Act, the FRC is required to monitor and assess the nature, overall adequacy and effectiveness of: the systems and processes used by the professional accounting bodies for planning and performing quality assurance reviews of audit work undertaken by Australian auditors to the extent that those reviews relate to auditor independence requirements; the responsive action taken by auditors who have been subject to such reviews; and the action taken by the professional accounting bodies to ensure that auditors are responding appropriately. In addition, the FRC is required to monitor and assess the nature and overall adequacy of the investigation and disciplinary procedures of the professional accounting bodies as those procedures apply to Australian auditors.
During 2008-09, the FRC met these requirements by requesting relevant information from the professional accounting bodies and reviewing publicly available material issued by those bodies.
Quality review programs
ICAA members who hold a Certificate of Public Practice (CPP) are required to undergo the Quality Review Program in accordance with the policies and procedures governing the operation of the Program. All practices that sign off on audits requiring registered company auditor (RCA) registration are reviewed at least once every three years, while all other practices (including those with an RCA but not conducting RCA audits) are reviewed once every five years. Information provided by the ICAA indicates that during the year ended 30 June 2009, it reviewed 468 practices with 79 per cent of the review reports recording either no departures from professional standards or departures from professional standards that are not classified as serious.
The ICAA divides the group of practices that conduct audits into two key types: those that conduct audits under the requirements of the Corporations Act; and those that conduct other types of audits. The reviews conducted during 2008-09 found that all of these practices had departures from professional standards. However, these departures were not classified as serious for 72 per cent of the practices that conduct Corporations Act audits and 80 per cent of the practices that undertake other types of audits.
The ICAA has informed the FRC that the majority of non-compliance identified in the quality reviews completed during the year related to insufficient audit documentation. The ICAA also indicated that these areas of non-compliance were not considered to require referral to its disciplinary processes. An interesting observation by the ICAA is that there has been an increase in the number of practices that resigned from all their audit engagements as a result of matters noted during their quality reviews: from 1 per cent in 2007-08 to 5 per cent in 2008-09.
In the area of auditor independence, the following areas of non-compliance with the requirements of APES 110 Code of Ethics for Professional Accountants were noted:
- no documentation or inadequate documentation when considering threats to independence (12 per cent of the 468 practices reviewed);
- appropriate safeguards were not adequately applied when carrying out auditing and accounting functions for a client (13 per cent of practices reviewed); and
- auditing the self-managed superannuation fund of a partner in their practice (6 per cent of practices reviewed).
Practices that failed to comply with these requirements were required to confirm in writing to the ICAA that the issues had been addressed.
CPA Australia has advised that as at 30 June 2009, 5,459 of its members held a CPA Public Practice Certificate (PPC). All members holding a PPC are subject to CPA Australia's quality review process. There are 751 members holding a PPC who are registered company auditors.
CPA Australia's Quality Assurance (QA) program continues to adopt a cyclical, risk assessment approach to review, selection and completion. The program aims to review members in public practice every four years with the exception of those members whose review identified departures from professional standards or a breach of an auditing standard. Members whose reviews have identified minor departures are reviewed again three years later. Registered company auditors are also reviewed every three years regardless of the review outcome. Members whose review outcomes identified significant non-compliance issues are reviewed in the subsequent year. All public accounting services offered by a member are reviewed using a tailored program based on their individual practice profile.
In 2008, the reviews conducted by CPA Australia's QA program found that 78 per cent of those reviewed were either fully compliant or had only minor departures from professional standards.
Forty-five breaches of the standard requiring audit independence were identified during the 2008 QA program. For the first six months of 2009, 42 breaches of the same standard had been identified. In the majority of cases these breaches relate to audits of self-managed superannuation funds (SMSFs) and not Corporations Act entities.
Compliance with professional, ethical, auditing and accounting standards is assessed by public practice quality assurance reviewers on behalf of the NIA to ensure that practitioners are complying with their ethical obligations. In the NIA's view, this ensures that members follow the audit and financial reporting frameworks where applicable.
The professional accounting bodies have provided the FRC with the following information concerning disciplinary matters during the year ended 30 June 2009:
- The ICAA reported one disciplinary case involving a breach of its auditor independence requirements. The case was referred by a regulatory body and was in relation to a member who audited their own self-managed superannuation fund. The member was severely reprimanded by the Professional Conduct Tribunal.
- CPA Australia advised that its Professional Conduct Business Unit received 16 referrals from a regulatory body relating to auditor independence issues associated with audits of SMSFs. Nine of the referrals have been heard by a disciplinary tribunal and the outcomes have been published on the CPA Australia website. The other seven referrals are still in the investigation process.
Neither the ICAA nor CPA Australia is aware of the referral of any members to the CALDB during the year ended 30 June 2009 for a breach of auditor independence requirements.
The NIA has informed the FRC that its complaint, investigation and disciplinary process continues to ensure that members against whom a case is found are brought before a disciplinary tribunal for sanction. The NIA has also advised the FRC that it monitors regulatory agencies such as the CALDB and ASIC to ensure that any action of those bodies against NIA members is recorded by the NIA and acted upon in accordance with the disciplinary due process of the NIA.
The ASIC Act requires the FRC to promote, and monitor the adequacy of, the teaching of professional and business ethics by, or on behalf of, the professional accounting bodies to the extent to which the teaching of those subjects relates to auditor independence.
In 2008-09, the FRC continued to monitor the adequacy of the teaching of ethics by obtaining relevant information from the professional accounting bodies. On the basis of the information supplied by the bodies, the FRC is satisfied that the teaching of ethics by each of the bodies continues to be adequate.
In light of the GFC creating significant pressures for both the business community and the wider Australian economy during 2008-09, the FRC concluded that, in the lead-up to the preparation and audit of the 30 June financial statements, it would be appropriate for the professional accounting bodies to remind their members who are involved in the preparation and audit of such statements about the importance of the profession's ethical standards and the need for compliance with them. The FRC notes that each of the professional accounting bodies has undertaken a range of actions to remind their members about the need for compliance with the ethical requirements. The FRC thanks the bodies for their support in respect of this matter.
The FRC is required by the ASIC Act to monitor the overall compliance by companies, registered managed investment schemes and disclosing entities with audit-related disclosure requirements of the Corporations Act and the accounting standards. A summary of these requirements is provided at Appendix D.
The MOU that the FRC has entered into with ASIC provides for ASIC to give the FRC regular reports identifying matters arising from its financial reporting or auditor surveillance activities in relation to compliance by auditors and companies with the independence disclosure requirements in Part 2M.3 of the Corporations Act. The MOU with the ASX also provides for that body and the FRC to exchange information.
During 2008-09, the FRC received no information indicating that there had been substantive non-compliance with the audit-related disclosure requirements of the Corporations Act and the accounting standards.
ASIC has informed the FRC that its financial reporting surveillance program for the year ended 30 June 2008 included examination of independence declarations under section 307C of the Corporations Act for about 100 listed entities. None of the declarations reviewed contained any exceptions. Section 307C independence declarations were also examined as part of ASIC's 2008-09 audit inspection program. Other than the auditor rotation breaches noted elsewhere in this section of the report, no further exceptions were identified from this process.
In addition, ASX informed the FRC that its technical review of financial reports lodged with it included an examination of the form and location in the financial reports of the auditor independence declarations required under section 307C of the Corporations Act and disclosed by directors under subsections 298(1) and 306(2) of the Act. The ASX's June 2008 and December 2008 analyses found that, as in previous years, the preferred format was for the declaration to be presented as a separate attachment to the directors' report.
Paragraph 225(2B)(e) of the ASIC Act provides that the FRC is to monitor international developments in auditor independence, assess the adequacy of the Australian auditor independence requirements provided for in the Corporations Act and the codes of professional conduct in the light of those developments and give the Minister, and the professional accounting bodies, reports and advice on any additional measures needed to enhance the independence of Australian auditors.
The FRC undertakes this function through the monitoring and consideration of general media reports about audit independence issues as well as material placed on the internet websites of key overseas oversight and standard setting bodies and other regulatory agencies.
In addition, overseas visits by the FRC Chairman during the year also provided an opportunity to obtain information of relevance to the FRC's auditor independence functions.
The FRC did not become aware of any international developments during the year that suggest Australia's auditor independence requirements are in need of revision or further enhancement.
4 Amendment to Network Firms in section 290 was issued in December 2007 and applied to assurance engagements commencing on or after 1 July 2008.
5 Amendment to Auditor Independence Requirements in section 290 was issued in February 2008 and was effective from 15 February 2008.
6 APES 320 was reissued in May 2009. The reissued standard is effective from 1 January 2010, although early adoption is permitted.
7 First time inspections include three firms inspected as networks under the revised definition of a network firm. One of these networks had previously had an inspection of one office in 2007.
8 The information in this section of the report has been prepared having regard to the comments and observations in the Third Report on the Quality of Audits Performed by Participating Auditors of Public Interest Entities, published by the Audit Quality Review Board, Sydney, December 2008. As noted earlier in this section of the report, the AQRB completed its three-year charter in February 2009.