Technical Articles AAA - 1


The syllabus for P7 (INT), Advanced Audit and Assurance contains the following learning
outcome:

Outline and explain the need for the legal and professional framework including:
i) public oversight of audit and assurance practice
ii) the role of audit committees and impact on audit and assurance practice.

Note: the syllabus and study guide for the UK adapted paper are worded slightly differently in
that they refer to jurisdiction specific Corporate Governance Code. For both INT and UK and
IRL adapted papers, the UK Corporate Governance Code is included in the list of examinable
documents, as is the UK Financial Reporting Council Guidance on Audit Committees (Revised
September 2012) as examples of guidance on best practice in relation to corporate
governance principles and specific guidance in relation to audit committees. For the SGP
adapted exam, The Singapore Code of Corporate Governance is the relevant code of best
practice.

Candidates attempting P7 are expected therefore to be conversant with corporate
governance principles, many of which they will have seen in previous exams F8, Audit and
Assurance and P1, Governance, Risk and Ethics. The focus in P7 is on the impact that
corporate governance principles and practice can have on the audit process, and this article
explores some of these issues.

Basic principles of corporate governance – a reminder

Corporate governance is the system by which organisations are directed and controlled. It
encompasses the relationship between the board of directors, shareholders and other
stakeholders, and the effects on corporate strategy and performance. Corporate
governance is important because it looks at how these decision makers act, how they can or
should be monitored, and how they can be held to account for their decisions and actions.

The published audited financial statements and related information are therefore of key
importance. They will usually be the main information set to which shareholders and other
stakeholders have access and this is why having credible financial statements supported by
the auditor’s opinion is crucial.

Many regulatory authorities, including those in the UK, use a code of best practice, often termed a
‘comply or explain’ approach to corporate governance. Under this approach the regulatory
authority issues a set of principles with which company directors of listed companies are
expected to comply. In many jurisdictions disclosures are required in the financial
statements to demonstrate compliance. Non-compliance is not expected, but in its event,
the facts of the non-compliance must be clearly disclosed and explained.

In some jurisdictions, such as the US, a more prescriptive approach is used, whereby
corporate governance requirements are set by legislation. Both the principles and the
legislative approaches are broadly similar in the matters they address. They both deal with
the importance of the board of directors having a balanced structure, emphasising the need
for non-executive directors, and for robust procedures in relation to the appointment of
board members, and their remuneration. They both describe the merits of audit committees
and the need to monitor the effectiveness of internal controls. They both demand disclosure
about these and other matters in the annual report.

The main principles of the UK Corporate Governance Code

The contents of the UK and Singapore Corporate Governance Codes are very similar and for
the purpose of this article the principles and provisions of the UK Code will be used to
highlight some of the key areas that the board should consider when assessing their system
of corporate governance.

The Code comprises five sections, each containing main principles:

Leadership

Every company should be headed by an effective board which is collectively responsible for
the long-term success of the company, and should lead and control the company’s
operations.

There should be a clear division of responsibilities at the head of the company, which will
ensure a balance of power and authority, such that no one individual has unfettered powers
of decision.

Non-executive directors should constructively challenge and help develop proposals on
strategy. The board should include a balance of executive and non-executive directors such
that no individual or small group of individuals can dominate the board’s decision taking.

Effectiveness

The board and its committees should have the appropriate balance of skills, experience,
independence and knowledge of the company to enable them to discharge their respective
duties and responsibilities effectively.

There should be a formal, rigorous and transparent procedure for the appointment of new
directors to the board. All directors should receive induction on joining the board and
should regularly update and refresh their skills and knowledge.

All directors should be submitted for re-election at regular intervals, subject to continued
satisfactory performance.

Accountability

The board should present a balanced and understandable assessment of the company’s
position and prospects. For UK companies, this is also required by the Companies Act 2006,
which requires that the directors disclose a business review as part of the directors’ report
to be included in the financial statements.

The board should maintain sound risk management and internal control systems. The board
should establish formal and transparent arrangements for considering how they should
apply the corporate reporting and risk management and internal control principles and for
maintaining an appropriate relationship with the company’s auditor.

Remuneration

Levels of remuneration should be sufficient to attract, retain and motivate directors of the
quality required to run the company successfully, but a company should avoid paying more
than is necessary for this purpose. A significant proportion of executive directors’
remuneration should be structured so as to link rewards to corporate and individual
performance.

Relations with shareholders

There should be a dialogue with shareholders based on the mutual understanding of
objectives. The board as a whole has responsibility for ensuring that a satisfactory dialogue
with shareholders takes place. The board should use the Annual General Meeting to
communicate with investors and to encourage their participation.

The role of audit committees

The audit committee is such an important part of corporate governance that it is the subject
of its own guidance document in the UK, the Financial Reporting Council’s Guidance on
Audit Committees. The audit committee should be made up of at least three independent
non-executive directors, one of whom should have recent and relevant financial experience.
The committee has many roles, including several that are specifically related to the external
auditor, which are discussed below.

Review of published financial information

The audit committee should monitor the integrity of the company’s financial statements
and any formal announcements relating to the company’s performance. Significant financial
reporting judgements should be specifically reviewed. This means that committee members
should scrutinise all published financial information, and question and be ready to challenge
the finance director and external auditors on any contentious matters arising.

Systems and controls

The audit committee members have responsibility to review the company’s internal
financial controls and systems, and the risk management systems, unless there is a separate
risk committee.

Most large companies have an internal audit function, in which case the audit committee
should extend its monitoring role to include that function, including the evaluation of the
effectiveness of that function.

Where there is no internal audit function, the audit committee should consider annually
whether there is a need for internal audit and make a recommendation to the board, and
the reasons for the absence of such a function should be explained in the relevant section of
the annual report.

Fraud prevention and detection

Finally, the audit committee plays a part in fraud prevention and detection in that
whistleblowing arrangements should be made so that staff of the company may raise
concerns about possible improprieties in respect of financial reporting matters.

External auditors – general principles

The audit committee has specific responsibilities in respect of the external auditors,
including recommending the appointment, reappointment and removal of the external
auditor, approving fees paid for audit and non-audit services, and agreeing on the terms of
engagement with the external auditor. A point specific to the UK adapted paper is that
following a revision to the UK Corporate Governance Code in 2012, there is now a
requirement for FTSE 350 companies to put the external audit out to tender every 10 years.

One of the key issues is that the audit committee should annually assess the independence,
objectivity and effectiveness of the external audit process, considering the ethical
framework applicable in the jurisdiction in which the organisation is operating. The audit
committee should report annually to the board on their assessment with a recommendation
on whether to propose to the shareholders that the external auditor be reappointed. The
audit committee section of the annual report should also discuss the annual assessment of
the external audit process by the audit committee and also include information on the
length of tenure of the current audit firm, when a tender was last conducted, and any
contractual obligations that acted to restrict the audit committee’s choice of external
auditors.

In relation to potential threats to objectivity, the audit committee should seek reassurance
that the auditors and their staff have no financial, business, employment or family and other
personal relationship with the company which could adversely affect the auditor’s
independence and objectivity. The audit committee should seek from the audit firm, on an
annual basis, information about policies and processes for maintaining independence and
monitoring compliance with relevant requirements, including current requirements
regarding the rotation of audit partners and staff.

External auditors – the annual audit cycle

The audit committee should be involved at all stages of the audit, to obtain comfort that a
quality audit will be performed. The Guidance on Audit Committees specifically requires the
following to take place:

At the start of each annual audit cycle, the audit committee should ensure that appropriate
plans are in place for the audit. This includes consideration of planned levels of materiality,
and the proposed resources to execute the plan, having regard also to the seniority,
expertise and experience of the audit team. In practice this means that before any audit
fieldwork takes place, the audit firm should meet with the audit committee to discuss the
audit strategy and audit plan, demonstrating that auditing standards and quality control
principles have been adhered to in their development.

The audit committee should review, with the external auditors, the findings of their work. In
the course of its review, the audit committee should discuss with the external auditor major
issues that arose during the course of the audit and have subsequently been resolved and
those issues that have been left unresolved; review key accounting and audit judgements;
and review levels of errors identified during the audit, obtaining explanations from
management and, where necessary, the external auditors as to why certain errors might
remain unadjusted. The audit committee should review and monitor management’s
responsiveness to the external auditor’s findings and recommendations. Thus, all key audit
findings should be shared with the audit committee and discussed with them as the audit
progresses.

At the end of the annual audit cycle, the audit committee should assess the effectiveness of
the audit process, by:

• reviewing whether the auditor has met the agreed audit plan and understanding the reasons
for any changes, including changes in perceived audit risks and the work undertaken by the
external auditors to address those risks
• considering the robustness and perceptiveness of the auditors in their handling of the key
accounting and audit judgements identified and in responding to questions from the audit
committee
• obtaining feedback about the conduct of the audit from key people involved, for example
the finance director and the head of internal audit
• reviewing and monitoring the content of the external auditor’s management letter (report
to those charged with governance), in order to assess whether it is based on a good
understanding of the company’s business and establish whether recommendations have
been acted upon and, if not, the reasons why they have not been acted upon, and
• reporting to the board on the effectiveness of the external audit process.

In summary, the audit committee carefully monitors the conduct of the audit, and plays an
important part in ensuring the quality and rigour of the external audit of the financial
statements.

External auditors – provision of non-audit services

Specifically, the audit committee should develop and implement a policy on the
engagement of the external auditor to supply non-audit services, taking into account the
relevant ethical principles and requirements. The audit committee’s objective should be to
ensure that the provision of such services does not impair the external auditor’s
independence or objectivity. The audit committee should consider:

• whether the skills and experience of the audit firm make it the most suitable supplier of the
non-audit service
• whether there are safeguards in place to eliminate or reduce to an acceptable level any
threat to objectivity and independence in the conduct of the audit resulting from the
provision of such services by the external auditor
• the nature of the non-audit services
• the fees incurred, or to be incurred, for non-audit services both for individual services and in
aggregate, relative to the audit fee, and
• the criteria which govern the compensation of the individuals performing the audit.

The audit committee should set and apply a formal policy specifying the types of non-audit
service:

• for which the use of the external auditor is pre-approved (i.e. approval has been given in
advance as a matter of policy, rather than the specific approval of an engagement being
sought before it is contracted)
• for which specific approval from the audit committee is required before they are
contracted, and
• from which the external auditor is excluded.

One of the non-audit services specifically referred to in the Guidance on Audit Committees is
the provision of internal audit by the external auditor. If the external auditor is being
considered to undertake aspects of the internal audit function, the audit committee should
consider the effect this may have on the effectiveness of the company’s overall
arrangements for internal control and investor perceptions in this regard.

Conclusion

Candidates preparing to attempt P7 should be familiar with the corporate governance
principles outlined in this article, and they are encouraged to read the source
documentation to obtain a full understanding of general corporate governance principles
and the role of audit committees in particular. It is the impact of these matters on the audit
process that is particularly important to understand, and candidates should be ready to
include points relating to corporate governance in their answers where appropriate.

Written by a member of the P7 examining team

An important part of an external audit is the consideration by the auditor as to whether the
client has complied with laws and regulations.

It is important that candidates preparing for Audit and Assurance (AA) and Advanced Audit
and Assurance (AAA) have an understanding of how laws and regulations affect an audit, not
only in terms of the work the auditor is required to do, but also to appreciate the
responsibilities of both management and the auditor where laws and regulations are
concerned.

The auditing standard that is relevant to this article is ISA 250 (Revised), Consideration of
Laws and Regulations in an Audit of Financial Statements, and the objectives of the auditor
according to paragraph 11 in ISA 250 are:

• to obtain sufficient appropriate audit evidence regarding compliance with the provisions of
those laws and regulations generally recognised to have a direct effect on the determination
of material amounts and disclosures in the financial statements
• to perform specified audit procedures to help identify instances of non-compliance with
other laws and regulations that may have a material effect on the financial statements
• to respond appropriately to identified or suspected non-compliance with laws and
regulations identified during the audit.

The standard defines an act of ‘non-compliance’ as follows:

‘Acts of omission or commission intentional or unintentional, committed by the entity, or by
those charged with governance, by management or by other individuals working for or under
the direction of the entity which are contrary to the prevailing laws or regulations.
Non-compliance does not include personal misconduct unrelated to the business activities of the
entity.’

Respective responsibilities of management and auditors

Candidates need to go into the exam with an understanding as to who is responsible for
compliance with laws and regulations and who is responsible for the detection of non-
compliance with laws and regulations.

It is the responsibility of management to ensure that an entity complies with relevant laws
and regulations. It is not the responsibility of the auditor to either prevent or detect non-
compliance.

Question 1(c) of the December 2011 F8 exam (now AA) for four marks required candidates
to:

‘Explain the responsibilities of management and auditors of Chuck Industries Co in relation
to compliance with laws and regulations under ISA 250, Consideration of Laws and
Regulations in an Audit of Financial Statements.’

The question itself was linked to a brief scenario where Chuck Industries Co had received a
visit from the tax authority who had discovered incorrect levels of tax had been deducted
from the payroll as tax rates had not been updated in the previous year and the finance
director was questioning the audit firm as to why they had not identified this non-
compliance with tax legislation.

To secure a pass in this part of the question, candidates would have had to:

• understand that it is the role of the management of Chuck Industries Co to ensure the
operations of the entity are conducted in accordance with laws and regulations (this applies
to tax legislation also)
• appreciate that an auditor is not responsible for prevention of non-compliance with laws
and regulations and is not expected to detect instances of non-compliance
• acknowledge in the answer that it is the auditor’s responsibility to obtain reasonable
assurance that the financial statements are free from material misstatement. To that end
the auditor will take into account the legal and regulatory framework within which the
entity operates
• make reference to the auditor’s responsibility to consider those laws and regulations that
have both a direct and an indirect effect on the determination of material amounts and
disclosures in the financial statements.

Direct and indirect laws and regulations

There are many laws and regulations that a reporting entity may have to comply with in
order to continue in business. For example, many entities will have to comply with strict
health and safety legislation; a food manufacturer may have strict food hygiene legislation
to comply with, and an accountancy firm will have a code of ethics to follow from its
professional body. Such laws and regulations will have both a direct effect on the financial
statements and an indirect effect.

For those laws and regulations that have a direct effect on the financial statements, the
auditor will be concerned about gathering sufficient and appropriate audit evidence that the
entity has complied with such laws and regulations. For example, when auditing the payroll
the auditor will be concerned with gathering sufficient and appropriate audit evidence to
ensure that tax legislation has been correctly applied by the entity because if it has not (as in
Question 1(c) in the December 2011 F8 exam), there is risk that the entity could be fined for
non-compliance and the fines could be material, either in isolation or when aggregated with
other misstatements. In addition, amounts within the financial statements may also be
misstated as a result of the non-compliance with laws and regulations.

For those laws and regulations that have an indirect effect on the financial statements, the
auditor will undertake procedures with the objective of identifying non-compliance with
such laws and regulations. ISA 250 gives examples in paragraph 6(b) of:

• compliance with the terms of an operating license
• compliance with regulatory solvency requirements, or
• compliance with environmental regulations.

When designing procedures to help to identify non-compliance with laws and regulations,
ISA 315, Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment requires an auditor to obtain a general
understanding of:

• the applicable legal and regulatory framework, and
• how the entity complies with that framework.

Identifying non-compliance with laws and regulations can be tricky for auditors, particularly
where fraud and/or money laundering is concerned (see later in the article). It is for this
reason that the auditor must maintain a degree of professional scepticism and remain alert
to the possibility that other audit procedures applied may bring instances of non-
compliance or suspected non-compliance with laws and regulations to the auditor’s
attention, and such procedures could include:

• reading minutes of board meetings
• enquiring of management and/or legal advisers concerning litigation or claims brought
against the entity, and
• undertaking substantive tests on classes of transactions, account balances or disclosures.

Reporting identified or suspected non-compliance with laws and regulations

Where the auditor discovers non-compliance with laws and regulations, the auditor must
notify those charged with governance. However, care must be taken by the auditor because
if the auditor suspects that those charged with governance are involved, the auditor must
then communicate with the next highest level of authority, which may include the audit
committee. If a higher level of authority does not exist, the auditor will then consider the
need to obtain legal advice.

The auditor must also consider whether the non-compliance has a material effect on the
financial statements and, in turn, the impact the non-compliance will have on their report.

If the auditor identifies or suspects non-compliance, the auditor will need to consider
whether law, regulation and ethical requirements either require the auditor to report to an
appropriate authority outside the entity, or establish responsibilities under which this may
be appropriate.

There may be occasions when the auditor’s duty of confidentiality may be overridden by law
or statute. This can be the case when the auditor discovers non-compliance with legislation
such as drug trafficking or money laundering.

Money laundering

The Study Guide to AAA covers the issue of money laundering separately to that of laws and
regulations in A2(a) to (g). ACCA’s Code of Ethics and Conduct defines ‘money
laundering’ as:

‘...the process by which criminals attempt to conceal the true origin and ownership of the
proceeds of their criminal activity, allowing them to maintain control over the proceeds and,
ultimately, providing a legitimate cover for their sources of income.’

Auditors need to be particularly careful where money laundering issues are concerned –
especially for a business that is predominantly cash-based because the scope for money
laundering in such businesses is wide. There are usually three stages in money laundering:

• Placement – which is the introduction or ‘placement’ of illegal funds into a financial system.
• Layering – which is where the money is passed through a large number of transactions. This
is done so that it makes it difficult to trace the money to its original source.
• Integration – which is where the ‘dirty’ money becomes ‘clean’ as it passes back into a
legitimate economy.

Money laundering offences can include:

• concealing criminal property
• acquiring, using or possessing criminal property
• becoming involved in an arrangement which is known, or suspected, to facilitate the
acquisition of criminal property.

There are many countries in which money laundering is a criminal offence and, where an
accountant or an auditor discovers a situation which may give rise to money laundering, the
accountant or auditor must report such suspicions to a ‘money laundering reporting officer’
(MLRO) whose responsibility it is to report such suspicions to an enforcement agency (in the
UK, this enforcement agency is the National Crime Agency (NCA)).

It is an offence to fail to report suspicions of money laundering to the NCA or the MLRO as soon
as practicable, and it is also an offence if the MLRO fails to pass on a report to the NCA.
Where the entity is actively involved in money laundering, the signs are likely to be similar
to those where there is a risk of fraud, and can include:

• complex corporate structure where complexity does not seem to be warranted
• transactions not in the ordinary course of business
• many large cash transactions when not expected
• transactions where there is a lack of information or explanations, or where explanations are
unsatisfactory, or
• transactions with little commercial logic taking place in the normal course of business.

Question 3(b) in the March/June 2016 P7 (Int) Sample Questions (now AAA) gave candidates
a scenario where they were placed in the position of audit manager. The audit senior had
noted as part of their review of the cash book, a receipt of $350,000 for which the source
was unclear followed by a transfer of the same amount to a bank account held in another
country. When questioned, the financial controller had referred the audit senior to the
business owner. Documentary evidence had been requested but had not yet been received.

This particular question did not make reference to the term ‘money laundering’ in the scenario or in the question
requirement; the question required the candidate to evaluate the implications for the completion of the audit,
recommending any further actions which should be taken by the firm.

The fact that no mention of money laundering was made either in the scenario or in the
question requirements is reflective of the fact that in real life those committing money
laundering will not openly admit to committing such offences. Money laundering is
therefore very similar (if not identical in many ways) to fraud and, therefore, auditors should
set aside any beliefs concerning the integrity and honesty of the audit client and keep a
sceptical mindset where such issues are concerned.

Tipping off

The term ‘tipping off’ means that the MLRO discloses something that will prejudice an
investigation. It is an offence to make the perpetrators of money laundering aware that the
auditor has suspicions or knowledge regarding their money laundering activities or that
these suspicions or knowledge have been reported. It is unnecessary for the auditor to gain
all the facts, or to ascertain without a doubt, that an offence has occurred. The auditor only
needs to satisfy themselves that their suspicions are reasonable, and obtain sufficient
evidence to show the allegations are made in good faith.

Conclusion

Candidates attempting AA and AAA are advised to gain a sound understanding of laws and
regulations, not only in the context of the Syllabus and Study Guide but also in the context
of real-life situations to allow for greater application of knowledge.

Keep in mind the fact that questions in AAA will not always flag up that candidates need to
consider laws and regulations; the challenging nature of AAA will mean that candidates will
have to conclude for themselves that questions are testing a specific subject area of the
syllabus.

Ethical standards and their application form a significant part of the Advanced Audit and
Assurance (AAA) syllabus and are examined regularly.

Approaching AAA

It is vital that candidates have a solid and thorough understanding of the ethical standards
examined previously in Audit and Assurance. At AAA, it is the application of the content of
those standards that is important. These include the IESBA International Code of Ethics for
Professional Accountants (the Code) and the ACCA Code of Ethics and Conduct (refer to the
examinable documents link in the Related Links box for full details).

UK/IRL/SGP exams: UK exam candidates will be examined on the Financial Reporting
Council’s Ethical Standard. IRL exam candidates will be tested on the IAASA’s Ethical
Standard for Auditors (Ireland). SGP candidates should also refer to the ISCA Code of
Professional Conduct and Ethics.

Candidates will be familiar with ACCA’s Code of Ethics from the Audit and Assurance (AA)
exam. This mirrors the IESBA’s Code with the five basic principles of integrity, objectivity,
professional competence and due care, confidentiality, and professional behaviour.

These fundamental principles may be subject to areas of threat of self-review, self-interest,
advocacy, familiarity, and intimidation.

UK/IRL exams: The FRC (Financial Reporting Council) Ethical Standard for the UK and the
IAASA Ethical Standard for Auditors (Ireland) have an additional threat: Management
threat to the overarching principles of integrity, objectivity and independence.

Stepping up from AA to AAA

Ensure a solid foundation of knowledge of the fundamental principles, threats to the
principles and potential safeguards to these threats. Candidates at AAA will be expected to
develop their understanding more than they did at AA, demonstrating their ability to apply
their knowledge to the scenario and provide a depth of answer which addresses the
fundamental principles, the threats, the implication of these threats and considering any
possible safeguards or further actions to be taken.

Answering ethics questions at AAA

Read the scenario carefully; credit is awarded for appropriate application of the knowledge
(referencing the scenario or specific issues from it, not just stating knowledge).

1. Identify the ethical threat
2. Evaluate and understand how it arises and the implication of the threat
3. Apply the knowledge to the specific scenario to determine the safeguards or course of
action required. When the professional accountant determines that appropriate
safeguards are not available or cannot be applied to eliminate the threats or reduce
them to an acceptable level, the professional accountant should consider whether to
accept or continue with the engagement.

Worked example
There are further points in each case that could be developed and additional outcomes
available within the ethical codes; however, they do represent a well-developed answer a
candidate could use to attain the full marks available.

Example 1
The audit committee of Mumbai Co has asked the partner to consider whether it would
be possible for the audit team to perform a review of the company’s internal control
system. A number of recent incidents have raised concerns amongst the management
team that controls have deteriorated and that this has increased the risk of fraud, as well
as inefficient commercial practices. The auditor’s report for the audit of the financial
statements of Mumbai Co for the year ended 31 March 20X5 was signed a few weeks
ago. Mumbai Co is a listed company.

Required:
Evaluate the ethical issues raised and any actions your firm should take in response to
the client’s request.

(6 marks)

This is going to give rise to a self-review threat and may possibly lead to assuming a
management responsibility.

This identification is the first step to answering the question, but these points alone will
score minimal credit in the exam. Candidates should be aiming to demonstrate they
understand how the issue has arisen and what the implication of that threat may be:

Providing a review of the company’s system and controls gives rise to a self-review threat
as these controls will then be reviewed by the firm when determining our audit
strategy. The firm may be reluctant to highlight errors or adopt a substantive approach
during the audit as this may highlight deficiencies in the firm’s work on the additional
service. (1 mark)

The design of systems and controls is a management responsibility so a review of such
may give rise to a situation where the auditor is assuming a management responsibility
by taking on the role of management. (1 mark)

Candidates should then apply the guidance to the scenario – evaluate the significance and
suggest safeguards:

The code states that the threat to independence of undertaking management
responsibilities for an audit client is so significant that there are no safeguards which
could reduce the threat to an acceptable level. (1 mark)

From an exam technique point of view, candidates should be looking for depth of their
answer. At this stage, it is not recommended to start speculating about relative fee size;
focus on the information the examiner has provided in the scenario. Here, the company is
flagged as being a listed company, so there will be further development available on this
area. Candidates could consider how potential management responsibility issues may be
overcome, using experience from their studies for AAA and past question practice. It is these
points that may be used to attract further marks.

Management responsibility can be avoided if the client takes responsibility for
monitoring the reports made and taking the decisions on recommendations.
(1 mark)

However, as this client is listed, we are prohibited from undertaking internal audit
services which relate to a significant part of the controls over financial reporting. (1
mark)

An evaluation will require a conclusion demonstrating that the candidate can recommend a
potential solution (a safeguard or declining the engagement).

As such we must decline the additional work. (1 mark)

In other circumstances, the safeguard of using separate teams to overcome self-review
threats or considering the competence of the firm to provide this service would attain
credit; however, in this case, the client is listed so these points are irrelevant here.

Note that, in the exam, minimal marks are awarded for simply listing self-review or
management responsibility as they will need to be explained in the context of the
scenario. As such, candidates should take the time to explain the
threats rather than simply writing terms.

Conclusion

Candidates should ensure they have a solid understanding of the relevant ethical codes. The
Examining Team wants to see how candidates demonstrate their application of
knowledge to a scenario. This means that when preparing for this exam, a good grasp of the
knowledge underpinning the syllabus is important, but practising questions and developing
the skills of applying that knowledge is key to passing.

Written by a member of the AAA examining team

Auditor liability: ‘fair and reasonable’ punishment?

The issue of auditor’s liability is included in the syllabus for Advanced Audit and Assurance
(AAA). Candidates need to understand and apply the principles of establishing liability in a
particular situation, as well as being able to discuss the ways in which liability may be
limited. The specific learning outcomes can be found in the Syllabus and study guide for the
AAA examination.

This article focuses on the issue of auditor’s liability in the UK, and therefore contains
references to the UK Companies Act 2006, as well as UK-specific legal cases. Candidates
other than those attempting the UK adapted paper are not expected to have UK-specific
knowledge. The concepts discussed in this article, however, are broadly relevant and will
help candidates to understand why this is an important issue within the auditing profession.

Over the past two decades the bill for fines issued by audit regulators of Big Four audit firms
alone has run into millions of pounds. Examples include KPMG’s 2023 settlement of
£21million regarding its audit of the collapsed outsourcer, Carillion. The FRC found the audit
work had not been completed ‘with an adequate degree of professional scepticism’. PwC’s
fines on the inadequate scrutiny of long-term contracts at the construction companies Kier
and Galliford Try totalling £5million were issued in 2022. These fines are increasingly
concerning, both in terms of audit quality and the reputation of the profession but also in
terms of the cost to the industry and the barriers this creates to competition within the
audit market.

This article considers the current legal position of auditors in the UK. It also discusses the
impact on the competitiveness of the audit market and some of the methods available to
limit exposure to expensive litigation.

Types of liability

Auditors are potentially liable for both criminal and civil offences. The former occur when
individuals or organisations breach a government imposed law; in other words criminal law
governs relationships between entities and the state. Civil law, in contrast, deals with
disputes between individuals and/or organisations.

Criminal offences
Like any individual or organisation auditors are bound by the laws in the countries in which
they operate. So under current criminal law auditors could be prosecuted for acts such as
fraud and insider trading.

Audit is also subject to legislation prescribed by the Companies Act 2006. This includes many
sections governing who can be an auditor, how auditors are appointed and removed and
the functions of auditors.

One noteworthy offence from the Companies Act is that of ‘knowingly, or recklessly causing
a report under s.495 (auditor’s report on company’s annual accounts) to include any matter
that is misleading, false or deceptive in a material particular’ (s.507).

This means that auditors could be prosecuted in a criminal court for either knowingly or
recklessly issuing an inappropriate audit opinion.

Civil offences
There are two pieces of civil law of particular significance to the audit profession; contract
law and the law of tort. These establish the principles for auditor liability to clients and to
third parties, respectively.

Under contract law parties can seek remedy for a breach of contractual obligations.
Therefore shareholders can seek remedy from an auditor if they fail to comply with the
terms of an engagement letter. For example, an auditor could be sued by the shareholders,
which was the case in the PwC settlement to Tyco shareholders referred to above.

Under the law of tort auditors can be sued for negligence if they breach a duty of care
towards a third party who consequently suffers some form of loss.

Case history

The application of the law of tort in the auditing profession, and the way in which auditors
seek to limit their exposure to the ensuing liabilities, has been shaped by a number of recent
landmark cases. The most notable of these are Caparo Industries Plc (Caparo) v
Dickman (1990) and Royal Bank of Scotland (RBS) vs Bannerman Johnstone
MacLay (Bannerman) (2002).

In the first case Caparo pursued the firm Touche Ross (who later merged to form Deloitte &
Touche) following a series of share purchases of a company called Fidelity plc. Caparo
alleged that the purchase decisions were based upon inaccurate accounts that overvalued
the company. They also claimed that, as auditors of Fidelity, Touche Ross owed potential
investors a duty of care. The claim was unsuccessful; the House of Lords concluded that the
accounts were prepared for the existing shareholders as a class for the purposes of
exercising their class rights and that the auditor had no reasonable knowledge of the
purpose that the accounts would be put to by Caparo.

It was this case that provided the current guidance for when duty of care between an
auditor and a third party exists. Under the ruling this occurs when:

• the loss suffered is a reasonably foreseeable consequence of the defendant’s conduct
• there is sufficient ‘proximity’ of relationship between the defendant and the pursuer, and
• it is 'fair, just and reasonable' to impose a liability on the defendant.

In the second case RBS alleged that it had lost over £13m in unpaid overdraft facilities to
insolvent client APC Ltd. They claimed that Bannerman had been negligent in failing to
detect a fraudulent and material misstatement in the accounts of APC. The banking facility
was provided on the basis of receiving audited financial statements each year.

In contrast to Touche Ross, who had no knowledge of Caparo’s intention to rely upon the
audited financial statements, Bannerman, through their audit of the banking facility letter of
APC, would have been aware of RBS’s intention to use the audited accounts as a basis for
lending decisions. For this reason it was upheld that they owed RBS a duty of care. The
judge in the Bannerman case also, and crucially, concluded that the absence of any
disclaimer of liability to third parties was a significant contributing factor to the duty of care
owed to them.

Joint and several liability

The guidance for when an auditor may be liable, either under criminal or civil law, appears
to be clear and largely uncontroversial. The same cannot be said of the nature of the fines
and settlements, which remains a hotly debated issue.

Before discussing this, it is worth making the point that auditors are only found liable in
cases where they have breached their responsibilities to perform work with professional
competence and due care and to act independently of their clients. There is therefore little
argument that they should face the penalties of their own failures and that parties that have
suffered as a result should be able to seek adequate compensation.

The main criticism of the current system is that the penalties incurred by the audit
profession are unfairly high. This arises from the civil law principle of ‘joint and several
liability’ enforced in the UK (as well as the US). This means that even if there are multiple
culpable parties in a negligence case the plaintiff may pursue any one of those parties
individually for the entire damages sought.

So for example, if a director fraudulently misstates the financial statements, the company’s
management fail to detect this because of poor controls and the auditor performs an
inadequate audit leading to the wrong audit opinion, it would be fair to say all three parties
are at fault. Shareholders seeking compensation for any consequent losses, however, could
try and recover the full loss from only one of those three parties.

Given that many of the cases arise when companies are facing financial difficulties, as with
the examples cited above, and that any individuals involved are unlikely to possess sufficient
assets to settle the liabilities, the audit firm, who may be asset rich and possess professional
indemnity insurance, is often the sole target for financial compensation.

Regardless of the perceived fairness, this situation does create a number of challenges for
the profession, namely:

1. The increasing cost to the industry, firstly from defending and settling claims but also from
spiralling insurance premiums.
2. The potential for consequent increases in audit fees to cover these rising costs.
3. The overall lack of sufficient insurance cover in the sector in comparison to the size of some
of the claims (Reference 1).
4. The lack of competition in the audit market for large (listed) entities.

With regard to the final point, auditor liability is not the sole reason for the lack of
competition in the audit of listed entities but it is a significant barrier to entering that
market. In the UK, there are continuing proposals to encourage more ‘mid tier’ audit firms
to audit FTSE 350 companies. However, the size of the teams and the resources and
experience required have traditionally been barriers to new entrants.

Managing exposure to liability

Audit quality
There are a number of ways in which audit firms can manage their exposure to claims of
negligence. Perhaps the most obvious is not being negligent in the first place. In practical
terms this means rigorously applying International Standards on Auditing and the
IESBA’s International Code of Ethics for Professional Accountants and paying close attention
to the terms and conditions agreed upon in the engagement letter.

Of course, improvements in quality management have been strengthened by the issue of
the revised suite of International Standards on Quality Management and an upgraded ISA
220 (UK) (Revised) Quality Management for an Audit of Financial Statements. These have
stressed a change in mindset, moving from an individual engagement risk and quality
assessment, to one which is looking at the culture of quality at a firmwide level. The aim of
this is to incorporate the management of quality throughout the whole firm, embedding it
within the work, the employees and, most significantly, at a leadership and management
level. However, there is still significant pressure to reduce audit fees, and many companies
who are audited by the large firms are facing a more challenging economic forecast.
Stakeholders, such as corporate and individual investors are seeking more certainty and
increasingly wanting assurance over non-financial issues, such as those relating to
sustainability and corporate responsibility. With the introduction of the sustainability
disclosure standards and the need for further upskilling by auditors, there are likely to be
more challenges on the horizon.

Disclaimers of liability
One of the outcomes of the Bannerman case was the potential exposure of auditors to
litigation from third parties to whom they have not disclaimed liability. As a result it became
common to include a disclaimer of liability to third parties in the wording of the audit
report.

Disclaimers may not entirely eliminate liability to third parties but they do reduce the scope
for courts to assume liability to them. It should be noted that whilst this should reduce the
threat of litigation in the UK, this protection may not extend overseas because the
disclaimer is based on a ruling from a UK court case. It also provides no protection from the
threat of litigation from clients under contract law.

There are also critics of the ‘Bannerman Paragraph,’ who believe that its presence devalues
the audit report. They argue that the disclaimer acts as a barrier to litigation, which reduces
the pressure to perform good quality audits in the first place. It is plausible that this reduces
the credibility of the audit report in the eyes of the reader.

Liability Limitation Agreements


Since 2008 auditors have been permitted, under the terms of the Companies Act, to use
Liability Limitation Agreements (LLAs) to reduce the threat of litigation from clients. LLAs are
clauses built into the terms of an engagement that impose a cap on the amount of
compensation that can be sought from the auditor. These must be approved by
shareholders annually and be upheld by judges as ‘fair and reasonable’ when cases arise.

Whilst this may sound straightforward it has created problems, including how to define the
cap (ie as a fixed monetary amount, a multiple of the fee, proportionate liability on a case by
case basis). It is also difficult to decide what is fair and reasonable when setting the terms of
the engagement because this is done before any potential litigation, or the scale of potential
litigation, is known to the auditor and the client. This is therefore open to the interpretation
of the courts, at which point the level of compensation may as well lie at the discretion of
the courts in the first place.

Another problem lies with the shareholders; what motivation do they have for agreeing to
terms that could potentially reduce their ability to recover any losses they incur due to the
negligence of other parties? Once again this may be perceived as a barrier to litigation that
audit firms can hide behind, reducing the pressure to perform good quality audits. Indeed, if
the company and the audit firm enter into an auditor liability limitation agreement, the
company must disclose within the financial statements the extent to which it is limited
(Companies (Disclosure of Auditor Remuneration and Liability Limitation Agreement)
Regulations 2008). The directors themselves may also be exposed to a breach of their
fiduciary duty to act in the interests of the shareholders if they recommend the limitation
agreement.

Proportional liability
Under this proposal the audit firm would accept their proportion of the blame in a
negligence case and would pay that proportion of the compensation. This system, as
introduced in Australia in 2004, would ensure a fair outcome for the plaintiff without placing
the entire financial burden upon the audit profession.

This is still being debated in the UK, but its advocates say that it would help to reduce the
financial barriers for entry into the FTSE 350 audit market by reducing insurance premiums.

Current status

There is an increasing trend of litigation that is costing the audit profession millions of
pounds. The potential costs and risks of auditing large, listed businesses may now be
prohibitive for any firm of willing auditors outside of the top ten audit firms. In more recent
years, an increasing number of non-Big Four firms, namely Grant Thornton, BDO
and Mazars, have become statutory auditors of public interest companies in the UK.

The UK government is increasingly seeking to reform audit by undertaking a number of
significant reviews, such as the Kingman Report. This gave the FRC stronger powers, which
will eventually lead to the establishment of a strong regulatory body, the Audit, Reporting and
Governance Authority (ARGA). Further recommendations have been put to the government
in its white paper published by the Department for Business, Energy and Industrial Strategy
(BEIS). Currently no further developments have occurred due to delays in legislation
following the 2020 impact of the COVID-19 pandemic. The FRC are issuing heavier fines and
challenging poor quality audits with greater capacity than in previous years.

Auditors can reduce their exposure to litigation by adopting the revised quality
management standards established by the IAASB, ensuring training of all staff on key risk
assessment areas and employing a firmwide culture of quality and best practice.

Reference
1. Auditing: Commission Issues Recommendation on Limiting Audit Firms’ Liability, European
Commission, 6 June 2008

Updated by a member of the AAA Examining Team (Oct 2023)

A survey of audit committee members attending the 4th Annual Audit Committee Issues
Conference, published by KPMG in 2008(1), identified the increased risk of earnings
management as a top concern. For auditors, it is certainly the case that there is an
increased risk of earnings management or even fraudulent financial reporting in the
financial statements of those companies affected by the global economic downturn.

What is ‘earnings management’?

Earnings management occurs when companies deliberately manipulate their revenues
and/or expenses in order to inflate (or deflate) figures relating to profits and earnings per
share. In other words, it is when companies use ‘creative accounting’ to construct reported
figures that show the position and performance that management want to show.
Unfortunately, earnings management is not uncommon. Preparers of financial information
(the finance director or financial controller, for example) are often under pressure from
other members of the senior management team to present a certain level of profitability.
This is especially the case in today’s economic climate, when a company’s revenue may have
reduced significantly due to market factors, or if profit is being eroded by significant
expenses arising from asset impairments or other exceptional losses.

Earnings management does not always mean that the applicable financial reporting
framework has not been followed. Earnings management is often described as ‘bending the
rules’. It may be that the manipulation of published figures is the result of selecting an
accounting policy which is allowed under the financial reporting framework, but which does
not reflect economic reality. For example, changing the estimated life of a non-current asset
is allowed under financial reporting standards, but if it is done purely to manipulate the
depreciation charge (and therefore earnings), then it becomes an example of earnings
management.

The problem for the auditor is that financial reporting standards allow a degree of flexibility
in application, and all financial statements will include balances and disclosures that are
subject to judgment and estimations. This means that it is sometimes difficult to decide if an
accounting treatment is within accepted accounting principles, or whether the treatment is
in breach of the rules – in which case it represents fraudulent financial reporting.

When does earnings management become fraud?

Fraudulent financial reporting is a deliberate misstatement in the financial statements. It
can include the deliberate falsification of underlying accounting records, intentionally
breaching an accounting standard, or knowingly omitting transactions or required
disclosures in the financial statements. For example, deliberately not disclosing a contingent
liability, or significant going concern problems, in the notes to the financial statements
means that the disclosures required (under IAS 37 and IAS 1 respectively) have intentionally
not been made. According to ISA 240 (Redrafted), The Auditor’s Responsibilities Relating to
Fraud in an Audit of Financial Statements, this is an example of fraudulent financial
reporting.

ISA 240 (Redrafted) states that ‘incentive or pressure to commit fraudulent financial
reporting may exist when management is under pressure, from sources outside or inside the
entity, to achieve an expected (and perhaps unrealistic) earnings target or financial outcome
– particularly since the consequences to management for failing to reach financial goals can
be significant’. It can therefore be seen that in times of financial difficulty, such as the
current economic downturn, management may feel pressurised into the non-disclosure of
items that may detract from the company’s performance during the year, or into the use of
accounting policies which produce deliberately misstated results for the year.

Earnings management and fraudulent financial reporting are discussed more fully in an
article in Student Accountant(2), which can be found on the ACCA website.

What are the implications to the auditor?

Professional scepticism
ISA 240 (Redrafted) stresses the importance of approaching the audit with a degree of
professional scepticism, an attitude which should be heightened if there is a suspicion of
fraudulent financial reporting.

Discussion among the audit team


In accordance with ISA 315 (Redrafted), Identifying and Assessing the Risks of Material
Misstatement Through Understanding the Entity and its Environment, ISA 240 (Redrafted)
re-emphasises the fact that the audit team should have a discussion about those factors
that indicate that the financial statements may be susceptible to misstatement due to fraud.

Evaluation of accounting policies
When assessing the risk of fraudulent financial reporting, particular attention should be paid
to the selection and application of accounting policies. Particular attention should focus on
those policies relating to complex transactions, and to subjective matters. All accounting
policies and estimates should be carefully reviewed for potential bias. The circumstances
resulting in any bias may represent a risk of misstatement due to fraudulent financial
reporting.

Completeness of disclosures
In difficult economic times, management may be tempted to hide information which may
raise concerns about the company’s performance. The auditor must therefore consider
whether all relevant information has been disclosed in the financial statements in
compliance with accounting standards.

Audit report
In cases where financial statements appear to have been misstated due to earnings
management or fraudulent financial reporting, the auditor should carefully consider the
implications for the audit report. The problem for the auditor will be to decide whether any
earnings management is within generally accepted accounting principles (and so, therefore,
the financial statements are fairly presented), or whether it is so aggressive that it is in
breach of accepted accounting practice and therefore fraudulent. A breach of financial
reporting principles resulting from the misapplication of accounting standards will result in a
disagreement and thus a potential qualification of the audit opinion.

Reporting to those charged with governance


Instances of fraudulent financial reporting should be communicated to those charged with
governance on a timely basis. The relevant audit procedures necessary to complete the
audit should also be discussed.

Other reporting responsibilities


ISA 240 (Redrafted) indicates that where fraud has occurred, the auditor should consider
other reporting responsibilities, such as communications with regulatory and enforcement
authorities. In many jurisdictions, it would also be appropriate to communicate with
shareholders, for example at a general meeting of members.

Conclusion

Current global economic circumstances mean that auditors face increased audit risk.
Preparers of financial statements have the motive to make the published accounts appear
as good as possible, and the means to do this is earnings management or fraudulent
financial reporting. Auditors therefore need to conduct risk assessment and audit
procedures carefully, in order to fully identify indicators of manipulation, and to gather
sufficient evidence to decide whether any manipulation is the result of bending or breaking
financial reporting rules, for which the ultimate consequence may be a qualified audit
opinion. Auditors, as well as shareholders, may need to approach all companies’ financial
statements with an increased degree of scepticism in the current climate.

Written by a member of the P7 examining team

References

1. Recession-Related Risks, a Top Concern for Audit Committees, KPMG Audit Committee
Institute Survey, 2008.
2. Namasiku L, Earnings Management, Student Accountant, April 2004.
