Audit quality in the spotlight
Audit quality is emerging as a priority issue across global markets. In the UK, the collapses of previously substantial firms (Carillion as the main example, but most recently, Thomas Cook) have called the quality of audit oversight into question, with reforms now under review.
In Australia, this issue is about to come under the spotlight of the Commonwealth Parliamentary Joint Committee on Corporations and Financial Services, which has launched a new inquiry. The terms of reference are broad and include potential conflicts of interest with non-audit fees, audit quality, valuation of intangible assets and effectiveness of enforcement.
Why is audit quality in the spotlight? Firstly, because the regulator has raised issues. The Australian Securities and Investments Commission (ASIC) found that almost a quarter of the key audit areas the regulator reviews do not contain a “reasonable assurance” that the financial report as a whole is free of material misstatement. While this isn’t a significant change from past reviews, ASIC says it will be “intensifying” its focus on audit quality in the year ahead.
Questions have also been raised about the impact that non-audit fees earned from audit clients have on independence. This has been a particular focus of the UK debate. The British government is currently consulting on reforms including bans on non-audit consulting and requirements for big companies to have “joint auditors”, among others.
In the US, the Securities and Exchange Commission rules prohibit an auditor from providing a range of non-audit services to an audit client.
Audit quality is of critical importance to directors. Our feedback to date tells us that directors have a high degree of confidence in the quality of audit in Australia, and do not see the need for more prescriptive regulation. We are seeking views from across our membership to help inform our engagement with the review. Please contact our policy team here with your views.
ASIC taskforce: questions for boards
In October, ASIC released the first outcomes from its new Corporate Governance Taskforce, setting out its findings on the oversight of non-financial risk in seven large listed financial services entities.
The ASIC report can be downloaded here.
Consistent with the Australian Prudential Regulation Authority (APRA) prudential review into the Commonwealth Bank, and Commissioner Hayne’s final report of the banking Royal Commission, ASIC found that the financial services entities it reviewed are struggling to grapple with non-financial risk.
See the separate article “Risk Radar” here for a more detailed overview of the ASIC review and comments.
The ASIC report has some interesting findings — for example, in the sample it reviewed, ASIC found the number of pages in a risk committee pack varied from more than 700 pages to 130.
ASIC also questioned what it perceived to be “modest” meeting hours for risk committees at the institutions it reviewed (ranging from 40 hours a year to 16 across its sample).
ASIC has encouraged directors with multiple board roles and risk committee positions to “ensure they have capacity” for business as usual (BAU) as well as periods of intense work.
ASIC has listed questions that it recommends boards of large listed entities ask themselves under themes of risk appetite statements, information flows and risk committees.
Directors of all organisations looking to improve non-financial risk oversight may find ASIC’s questions helpful (see breakout below).
For financial services entities the findings are no surprise — the self-assessments of APRA-regulated entities against the APRA CBA Report acknowledged that non-financial risk oversight is less mature and needs improvement, including metrics and information flows to the board.
While the ASIC report offers some useful general insights, it is based on a small sample of seven large, listed financial services companies. It is also, necessarily, backward-looking, while governance practice is adapting.
ASIC noted that practice is changing and observed some directors and officers starting to think “laterally and innovatively”. ASIC also acknowledged there is no one-size-fits-all approach to governance — just as there are no simple solutions to the challenges that come with governing large and complex financial institutions.
The second taskforce report, on executive remuneration, is expected before year’s end.
Behavioural experts analyse the influence of board mindsets
ASIC’s use of an organisational psychologist as part of the taskforce’s work proved both attention-grabbing and intriguing in media and director discussions.
The taskforce report includes as an attachment the behavioural expert report, with observations on board mindsets and behaviours through the engagement. The expert identifies mindsets and behaviours that they consider to be helpful to the oversight of risk (such as board leadership on integrity and ethics, and conscious challenge of management) and unhelpful (such as limited self-reflection, unconscious bias and limited deep industry experience).
Four “archetypes” are presented of different board styles with the strengths and risks of each style noted.
ASIC stressed that the expert input was beneficial and hopes that boards will find it a helpful resource. In launching the taskforce report, ASIC chair James Shipton also sought to “debunk the myth” that ASIC is seeking to put organisational psychologists in every boardroom.
While the behavioural expert’s report has interesting commentary and opportunities for director reflection, it also has limitations, drawing broad conclusions from a relatively small data set. Accordingly, there are limits on how widely the report’s findings could or should be extrapolated.
ASIC questions for boards – non-financial risk oversight
On risk appetite statements
- Does our stated compliance risk appetite reflect our actual appetite?
- When we fall outside appetite, are we requiring management to act [with urgency]?
- Do our metrics allow us to measure performance against our articulated appetite?
On information flows
- Is the information from management calibrated to help us perform our oversight function?
- Are significant non-financial risk issues receiving sufficient prominence in reports?
- Do our minutes adequately capture key discussion points, reasons for decisions and significant issues raised with management?
On board risk committees
- Are we dedicating sufficient time to risk issues, including non-financial risk, at committees?
- Does the risk committee meet often enough to oversee material risks in a timely manner?
- Do we have transparent and effective processes for escalation of urgent material to the board?
See the complete ASIC questions in Appendix 1 of the taskforce report here.