When the United States was beset by the Enron and other accounting scandals at the beginning of the twenty-first century, the resulting Sarbanes-Oxley legislation a year later went a long way to address the shortcomings in the country’s financial accountability controls. The collapse of Carillion a couple years ago, the United Kingdom’s version of Enron, has led to extensive investigations and analysis. The latest to be completed, the Brydon Review, calls for the actual rending apart of the audit and accounting profession, as our first article describes.
Keeping pace with changes in accounting system complexities is an increasingly challenging and never ending task. For the past three decades, COSO, the Committee of Sponsoring Organizations of the Treadway Commission, has developed and updated internal control frameworks for businesses of all sizes. The most recent addition, Managing Cyber Risk in a Digital Age, extends the guidance into the further reaches of technology with specific tools and approaches that help to “manage” the risk that is never fully eliminated. See our second article for more.
Finally, our Worldwide Update covers news from organizations across the globe.
Gerald Herter - Editor
Brydon Review Calls for Major Disruption in the Audit Profession
Following on prior year Kingman Review, new report expands on proposed reforms
Last May, the Audit & Accounting Alert reported on the regulatory responses centering on auditor failures to detect problems leading to horrific collapses of companies like Carillion plc. One of the responses still in process at that time, the Brydon Independent Review into the Quality and Effectiveness of the UK Audit Market, led by Sir Donald Brydon, British businessman and recent Chair of the London Stock Exchange Group, was finalized with results published on December 18, 2019.
The Brydon Review had been commissioned by the UK’s Secretary of State for Business, Energy and Industrial Strategy to address the audit expectation gap between what users of financial reports expected and what auditors delivered, along with their related responsibilities. The Review considered input from 120 businesses, individuals, accounting firms and professional organizations. Additionally, over one hundred meetings and roundtables were conducted.
Appallingly, the Review noted that the 1992 MacFarlane Report, almost three decades ago, found a similar expectation gap, as well as perceived gaps in audit scope, especially with regards to internal controls, fraud, future risk and director responsibility. That report also sought a more forward looking audit approach and accountability to the broader public beyond just the shareholders.
Not surprisingly, the Brydon Review’s fourteen specific areas of recommendations include calls for profound transformation of the audit profession itself, as well as the audit process. Most earthshaking is the proposal for a complete new audit profession, separate from all other activities of the accounting profession. This audit profession would be established by the new Audit, Reporting and Governance Authority (ARGA), itself a recommendation of the recent Kingman Review as a replacement for the troubled Financial Reporting Council (FRC).
Starting with the basics, the Brydon Review states that the very Audit Purpose needs to be recast. The proposed new definition is: “The purpose of an audit is to help establish and maintain deserved confidence in a company, in its directors and in the information for which they have responsibility to report, including the financial statements.”
The roles and responsibilities of a company’s directors are expanded through creation of new reporting on the audit and assurance policy, assessment of risks and uncertainties, the company’s resilience in the near and long term, and obligations to the public interest. Specific opportunities are also proposed for engagement by other parties, such as shareholders, employees, and the public at large.
With regards to fraud detection, auditors would be held to a higher standard, along with the directors, who would be required to report on fraud prevention and detection measures taken. The auditor report would address assurance on the director’s statement as well as other work performed by the auditor.
The Brydon Review would delve deeply into auditor operations like never before for the sake of transparency. Recommendations include:
- Having different personnel perform the audit from those that negotiate the fee,
- Publishing audit profitability, and compensation of the engagement partner along with criteria for setting the compensation,
- Disclosure of audit hours spent by each level of auditor,
- Disclosure of reasons for resignation, dismissal or decision not to rebid on an audit,
- Answering questions at annual meetings.
Other recommendations cover technology, key performance indicators, extending skepticism to suspicion, changes to the auditor report language, and extending audit beyond the financial statements.
Only time will tell whether and how extensively the recommendations of the Brydon Review are implemented. With over a year having passed since release of the Kingman Review, little has been done on that review’s comprehensive recommendations. Legislation to create the ARGA has not been instituted, nor the call to separate the audit and consulting arms of accounting firms.
The Annual Review released by the Financial Reporting Council in January 2020 indicated no change in overall quality of reporting from the prior year, though compliance with the UK Corporate Code was still considered high, with 73% of companies reviewed in full compliance and 95% reporting compliance with all but one or two of the Code’s 54 provisions.
With other pressing matters facing the UK, mainly the implications of Brexit, garnering substantive attention to the Brydon and Kingman Reviews will provide a significant challenge. Considering the potentially transformative nature of the recommendations, serious actions, even if moved forward, will take a substantial transitional period. In America, when similar drastic measures were called for, subsequent to the Enron and other scandals, the resulting Sarbanes-Oxley legislation served to bring considerable improvement with tough but not draconian reforms. Hopefully the UK will have similar success.
Adding to the conversation, recent proposals by the International Ethics Standards Board for Accountants (IESBA) would place stronger restrictions on non-assurance services provided by auditors to their audit clients, as well as to the relationship between the audit and non-audit fees charged to those clients. Moving in the opposite direction, the United States Securities and Exchange Commission is proposing to provide more latitude to auditors in resolving independence questions with regard to audit clients. While these specific loosenings are based on the years of experience since Sarbanes-Oxley, they are relatively minor changes that do not affect the basic underpinnings of independence.
Further details can be found at Brydon review calls for ‘urgent reform’ (https://www.accountancyage.com/2019/12/18/brydon-review-calls-for-urgent-reform/).
Managing Cyber Risk in a Digital Age
COSO offers structured guidance for cyber defense
In response to United States Congressional mandates in the 1970’s, arising out of prevalent corrupt financial practices, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) was formed by professional accounting associations in 1985, to forge a path forward toward improvement of financial reporting integrity.
For the past three decades, COSO has provided substantive guidance in the form of comprehensive frameworks and guides, beginning with the groundbreaking Internal Control — Integrated Framework, released in 1992. Subsequent documents dealt with enterprise risk management, governance and operational performance, fraud risk management, guidance for smaller company controls, and monitoring internal controls. Over time the frameworks have been updated and expanded.
With the ascendance of far-reaching internet connected systems in recent years, further sophistication in the guidance was called for. The World Economic Forum’s annual Global Risk Report has followed the rise of cyberattacks and data fraud onto the lists of the top global risks in terms of likelihood and impact.
COSO in the Cyber Age, issued in January, 2015, was the first step, applying the guidelines of the 2013 update of Internal Control — Integrated Framework to accounting technology. Specifics were delineated as to perpetrators of cyberattacks and tools for addressing the new risks. Even so, as pointed out in the March, 2015 article in the Audit & Accounting Alert, the report candidly stated “The reality is that cyber risk is not something that can be avoided; instead, it must be managed.”
Future trends singled out in the June, 2017 COSO update, Enterprise Risk Management - Integrating with Strategy and Performance (ERM), included the anticipated use of advanced analytics and data visualization tools to help deal with the risks from the proliferation of data, as well as the leveraging of artificial intelligence. Then, COSO’s October, 2018, release, Enterprise Risk Management – Applying enterprise risk management to environmental, social and governance-related risks, referred to the role of rapidly changing technological developments, both from a standpoint as threats to sustainability as well as tools for use in managing the related risks.
For more definitive guidance, COSO in December, 2019, released Managing Cyber Risk in a Digital Age for use in applying the principles of the 2017 update. Produced in conjunction with Deloitte Risk & Advisory, the guide is directed at boards of directors, audit committee members, executives and cyber practitioners.
The 2017 ERM update delineated the 20 principles of risk management, organized into the following five categories:
- Governance and Culture
- Strategy and Objective-Setting
- Performance
- Review and Revision
- Information, Communication, and Reporting
The new guide describes ways to tackle cyber risk within the context of each category.
For Governance and Culture, about half of organizations place cybersecurity on the board’s agenda at least quarterly, and increasingly, public companies are appointing technology-focused board members. Within the organization a broadly represented team led by senior management should concentrate on cyber threats and foster an aware environment among the staff.
For Strategy and Objective Setting, companies need to assess the relative risks of each sector of operations, in order to tailor the approach. Nine cyber security models are illustrated for possible employment, including five general frameworks, including those from the National Institute of Standards and Technology (NIST), International Organization for Standardization (ISO), AICPA, HITRUST Alliance, Center for Internet Security, and ISACA. Industry-specific standards are provided from The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), Payment Card Industry (PCI) Security Standards Council, and Cloud Security Alliance (CSA). Also, the Open Group’s FAIR (Factor Analysis of Information Risk) is mentioned as a tool that can be used “to quantify risk and derive values for risk tolerance evaluation.”
In the area of performance, the guide describes the various types of attackers and related techniques for dealing with them. The threats are characterized as:
- Nation-states and spies
- Organized criminals
Once an assessment is made of the nature and methods employed by attackers, risk exposure can be evaluated. Then resources can be more efficiently allocated to defend both against internal and external threats, as well as for coping with and recovering from successful attacks that need to be anticipated.
Since technology and systems are continually changing, the area of Review & Revision must be sufficiently robust to keep up and ahead of emerging cyber threats. Internal or external audit can be tasked with giving assurance to the ongoing adequacy of controls in place. CPA firms are positioned to assist clients by applying the AICPA guidance, System and Organization Controls (“SOC”) for Cybersecurity.
Finally, in the area of Information, Communication & Reporting, an organization’s various forms of technology that produce mission critical data can support the intelligence needs of ERM, but are also at risk of compromise. Threats to reliability, availability and speed of data can shut down the ability to communicate and report. Ransomware is a prime example in this regard. Software tools and third parties are available to provide cyber security and reporting. Also, compliance with reporting and regulatory requirements surrounding cyber events needs to be considered. Resources, such as the AICPA’s Cybersecurity Risk Management Reporting Framework, may serve this purpose.
Increasingly, awareness, training, and positioning of effective tools are essential for mitigating the potential for disastrous outcomes from the evermore sophisticated cyber techniques threatening organizations of all sizes and at all levels. Skimping on budgetary funding for cyber security can be fatal. COSO’s Managing Cyber Risk in a Digital Age provides a structured framework for organizing the defense.
Further details can be found at the COSO website, https://www.coso.org, and at COSO Issues Guidance on Managing Cyber Risk in a Digital
Periodic roundup of recent and upcoming actions and activities by audit and accounting organizations throughout the world.
International Accounting Standards Board (www.ifrs.org)
- Request for Information - Comprehensive Review of the IFRS for SMEs Standard published January 28, 2020. “The objective of the consultation is to seek views on whether and how to align the IFRS for SMEs Standard with full IFRS Standards…The Request for Information asks for views on different approaches to updating the IFRS for SMEs Standard, as well as views on how the Standard could be aligned with newer IFRS Standards, such as IFRS 9 Financial Instruments, IFRS 15 Revenue from Contracts with Customers and IFRS 16 Leases.” The comment period ends on July 27, 2020.
International Federation of Accountants (www.ifac.org)
- International Audit and Assurance Standards Board (IAASB) - International Standard on Auditing (ISA) 315 (Revised 2019), issued December 19, 2019, “made enhancements and clarifications to encourage a more consistent and robust risk assessment, which forms the foundation of the auditor’s efforts to gather sufficient appropriate audit evidence. The revisions also modernize the standard to keep up with the evolving environment in which businesses operate, in particular in relation to technology, as well as a focus on why procedures are required.” Effective generally in 2022.
- International Ethics Standards Board for Accountants (IESBA) - Revisions to Part 4B of the Code to Reflect Terms and Concepts Used in ISAE 3000 (Revised), issued January 3, 2020, to “change Part 4B of the Code to make the part’s provisions consistent with the revised assurance terms and concepts in the International Auditing and Assurance Standards Board’s (IAASB’s) International Standard on Assurance Engagements (ISAE) 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information.”
- International Ethics Standards Board for Accountants (IESBA) - Exposure Draft - Proposed Revisions to the Non-Assurance Services (NAS) Provisions of the Code, issued January 21, 2020, proposes “a prohibition on providing NAS to an audit client that is a public interest entity (PIE) if a self-review threat to independence will be created; further tightening of the circumstances in which materiality may be considered in determining the permissibility of a NAS; strengthened provisions regarding auditor communication with those charged with governance (TCWG), including, for PIEs, a requirement for NAS pre-approval by TCWG; and stricter requirements regarding the provision of some NAS, including certain tax and corporate finance advice.” The comment period ends on May 4, 2020.
- International Ethics Standards Board for Accountants (IESBA) - Exposure Draft - Proposed Revisions to the Fee-Related Provisions of the Code, issued January 21, 2020, proposes “a prohibition on firms allowing the audit fee to be influenced by the provision of services other than audit to the audit client; in the case of PIEs, a requirement to cease to act as auditor if fee dependency on the audit client continues beyond a specified period; and communication of fee-related information to TCWG and to the public to assist their judgments about auditor independence.” The comment period ends on May 4, 2020.
- International Ethics Standards Board for Accountants (IESBA) - Exposure Draft - Proposed Revision to the Code Addressing the Objectivity of Engagement Quality Reviewers, issued January 30, 2020, “explains the different types of threat to compliance with the fundamental principle of objectivity that might be created in circumstances where an individual is being considered for appointment as an engagement quality reviewer for a given engagement; sets out factors to consider in evaluating the level of the identified threats; and suggests actions that might be safeguards to address the threats.” The comment period ends on March 16, 2020.
- International Public Sector Accounting Standards Board (IPSASB) – Improvements to IPSAS, 2019, issued January 30, 2020, “comprises of minor improvements to IPSAS in order to address issues raised by stakeholders.”
Association of Chartered Certified Accountants (www.accaglobal.com)
- Sustainable Development Goals Disclosure (SDGD) Recommendations, report issued January 17, 2020, in conjunction with Chartered Accountants ANZ, the Institute of Chartered Accountants of Scotland (ICAS), the International Federation of Accountants (IFAC), the International Integrated Reporting Council (IIRC) and the World Benchmarking Alliance (WBA), “to help reporting organisations: • develop their SDG Disclosures aligned with the other reporting frameworks that they use; • enhance the credibility of their SDG Disclosures; and • embed SDG considerations into their strategic business decisions to make sure we leave a better planet for future generations.”
- Explainable AI: Putting the user at the core, professional insight report issued February 12, 2020, “highlights one of the key issues with artificial intelligence: the fact that most of us don't know how it works, and how the algorithms reach the conclusions that drive their outputs.”
Chartered Institute of Management Accountants (www.cimaglobal.com)
- No new developments
International Integrated Reporting Council
- Integrated Thinking & Strategy - State of play report, published January 21, 2020, “presents a new model for integrated thinking that encourages long term, sustainable decision-making, enabling businesses to play their roles as stakeholders of a sustainable world… Integrated thinking is a multi-capital management approach that enables organizations to deliver their purpose to the benefit of their key stakeholders over time. It is about creating and preserving value and enabling better decision-making based on interconnected, multi-capital information.” The six capitals of integrated reporting are financial, manufactured, intellectual, social & relational, human, and natural.
WORLD ECONOMIC FORUM
Africa, Europe, India and the Middle East (AEIME)
- Inclusive Deployment of Blockchain: Case Studies and Learnings from the United Arab Emirates, White Paper published January 15, 2020. “By bringing together public- and private-sector entities to share their lessons and insights on blockchain deployment, this project aims to reduce missteps and anchor effective methodologies within the technology.”
- Toward Common Metrics and Consistent Reporting of Sustainable Value Creation, White Paper published January 22, 2019, “proposes a common, core set of metrics and recommended disclosures that International Business Council members could use to align their mainstream reporting and, in so doing, reduce fragmentation and encourage faster progress towards a systemic solution, perhaps to include a generally accepted international accounting standard.”
FRC – Financial Reporting Council of the UK (www.frc.org.uk)
- Accounting, Reporting, and Auditing during transition period following exit from the EU. Letters were issued February 14, 2020, to accountants and auditors with guidance during this period. Generally, there is no change in accounting, reporting and auditing frameworks during the transition. Assessments of equivalency and adequacy with the EU are expected by June 20, 2020.
- Consultation on proposed revision of auditing standard for identifying and assessing risks of material misstatement, issued January 28, 2020. The proposed “changes reflect revisions made by the International Auditing and Assurance Standards Board (IAASB) and are designed to establish a more robust and consistent risk identification and assessment. A more robust risk assessment process enhances the basis upon which auditors design and perform audit procedures that are responsive to the risks of material misstatement and, thereby, obtain sufficient appropriate audit evidence to provide a basis for the audit opinion.” The comment period ends April 4, 2020.
- Conforming Amendments to Standards Arising From ISA (UK) 540 (Revised), issued January 14, 2020. Eight International Standards on Auditing, including ISAs (UK) 200, 230, 240, 260, 500, 580, 700 and 701, were amended to conform with ISA (UK) 540 (Revised) – Auditing Accounting Estimates and Related Disclosures. Effective generally in 2020.
ICAEW – Institute of Chartered Accountants in England and Wales (https://www.icaew.com/)
- No New Developments
EFRAG – European Financial Reporting Advisory Group (www.efrag.org)
- How to improve climate-related reporting – A summary of good practices from Europe and beyond, published February 6, 2020, by EFRAG’s Project Task Force of Climate-related Reporting (PTF-CRR) of the European Lab. “The primary focus of the PTF-CRR was on identifying good reporting practices and assessing the level of maturity in the implementation of the TCFD recommendations, while also taking into consideration the climate-related reporting elements of the EU Non-financial Reporting Directive and the related European Commission non-binding guidelines.”
Americas, Asia, Australia and New Zealand (AAANZ)
AICPA – American Institute of Certified Public Accountants (www.aicpa.org)
- Accounting and Review Services Committee (ARSC) - Statement on Standards for Accounting and Review Services No. 25 – Materiality in a Review of Financial Statements and Adverse Conclusions, issued February 11, 2020, “amends AR-C sections 60, 70, 80, and 90 in AICPA Professional Standards. This SSARS further converges AR-C section 90, Review of Financial Statements, with International Standard for Review Engagements 2400 (Revised), Engagements to Review Historical Financial Statements… SSARS No. 25 also aligns certain concepts with the auditing standards.” Effective generally in 2021.
FASB – Financial Accounting Standards Board (www.fasb.org)
- Financial Instruments—Credit Losses (Topic 326) and Leases (Topic 842) Amendments to SEC Paragraphs Pursuant to SEC Staff Accounting Bulletin No. 119 and Update to SEC Section on Effective Date Related to Accounting Standards Update No. 2016-02, Leases (Topic 842), ASU No. 2020-02, issued February 12, 2020, to add and amend SEC paragraphs in the Accounting Standards Codification to reflect the issuance of SEC Staff Accounting Bulletin No. 119 related to the new credit losses standard and comments by the SEC staff related to the revised effective date of the new leases standard.
- Exposure Draft – Not-for-Profit Entities (Topic 958) - Presentation and Disclosures by Not-for-Profit Entities for Contributed Nonfinancial Assets, issued February 10, 2020, “intended to improve transparency around how not-for-profit organizations present and disclose contributed nonfinancial assets, also known as gifts-in-kind…The proposed ASU would require a not-for-profit organization to present contributed nonfinancial assets as a separate line item in the statement of activities, apart from contributions of cash or other financial assets.” Also, certain disclosures are required. The comment period ends April 10, 2020.
- Investments—Equity Securities (Topic 321), Investments—Equity Method and Joint Ventures (Topic 323), and Derivatives and Hedging (Topic 815)—Clarifying the Interactions between Topic 321, Topic 323, and Topic 815 (a consensus of the FASB Emerging Issues Task Force), ASU No. 2020-01, issued January 16, 2020, clarifies the interaction between accounting standards related to equity securities, equity method investments, and certain derivatives. Effective generally for years beginning in 2021 for public companies and 2022 for other entities. Early adoption is generally permitted.
GASB – Governmental Accounting Standards Board (www.gasb.org)
- GASB Statement No. 92, Omnibus 2020, issued February 5, 2020, “addressing various accounting and financial reporting issues identified during the implementation and application of certain GASB pronouncements.” Effective at various dates.
COSO – The Committee of Sponsoring Organizations of the Treadway Commission (www.coso.org)
- Creating and Protecting Value: Understanding and Implementing Enterprise Risk Management, guidance issued February 4, 2020, “offering succinct, tangible steps to implement an effective ERM program.”
- Managing Cyber Risk in a Digital Age, guidance issued December 17, 2019. See article in this issue for details.
PCAOB – Public Company Accounting Oversight Board (www.pcaob.org)
- Potential Approach to Revisions to PCAOB Quality Control Standards, Concept Release issued December 17, 2019, intended to “inform the Board on the approach and what changes it might propose in the future to strengthen the PCAOB's requirements for audit firms' quality control systems.” The comment period ends March 16, 2020.
SASB – Sustainability Accounting Standards Board (www.sasb.org)
- SASB Implementation Primer, launched on February 4, 2020, as “an online resource for companies seeking to incorporate SASB standards into their core communications with investors.”
SEC – Securities and Exchange Commission (www.sec.gov)
- Proposed Simplification and Modernization of Regulation S-K Items 301, 302, and 303 and MD&A Metrics Guidance, issued January 30, 2020, proposes “amendments to modernize, simplify, and enhance certain financial disclosure requirements in Regulation S-K. The proposed amendments would eliminate duplicative disclosures and modernize and enhance Management's Discussion and Analysis disclosures for the benefit of investors, while simplifying compliance efforts for companies. The Commission also announced that it is providing guidance on key performance indicators and metrics in Management's Discussion and Analysis.” The comment period ends 60 days after publication date in the Federal Register.
- Proposed Amendments to Rule 2-01, Qualification of Accountants, issued December 30, 2019, “to codify certain staff consultations and modernize certain aspects of its auditor independence framework. The proposed amendments would update select aspects of the nearly two-decade-old auditor independence rule set to more effectively structure the independence rules and analysis so that relationships and services that would not pose threats to an auditor’s objectivity and impartiality do not trigger non-substantive rule breaches or potentially time consuming audit committee review of non-substantive matters.” The comment period ends 60 days after publication date in the Federal Register.
Audit & Accounting Alert is a publication of Integra International intended to highlight emerging issues in the profession. The goal is to give Integra members an awareness of developments impacting the practice of Audit & Accounting enabling them to stay on the forefront of industry trends. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
Editor Gerald E. Herter ~ HMWC CPAs & Business Advisors, 17501 E. 17th Street, Suite 100, Tustin CA
Integra International is registered in London at 1st Floor Sackville House, 143-149 Fenchurch Street, London, EC3M 6BN, United Kingdom