The content on this page has been converted from PDF to HTML format using an artificial intelligence (AI) tool as part of our ongoing efforts to improve accessibility and usability of our publications. Note:
- No human verification has been conducted of the converted content.
- While we strive for accuracy errors or omissions may exist.
- This content is provided for informational purposes only and should not be relied upon as a definitive or authoritative source.
- For the official and verified version of the publication, refer to the original PDF document.
If you identify any inaccuracies or have concerns about the content, please contact us at [email protected].
FRC response to Basel Committee on Banking Supervision’s ‘Consultative Document - External Audits of
Secretariat of the Basel Committee on Banking Supervision Bank for International Settlements, CH-4002 Basel Switzerland
4 July 2013
Dear Sirs
Consultative Document - External Audits of Banks
The Financial Reporting Council (FRC) welcomes the opportunity to comment on the proposed guidance set out in the above Consultative Document. The document addresses expectations of external auditors, audit committees and audit oversight bodies which are all regulatory areas within the FRC's remit.
We welcome the Committee's commitment to help improve audit quality at banks and, although we have questions about some of the detailed guidance as explained below, we are broadly supportive of the proposed material. However, we believe it will be important in finalising the document to address:
- The lack of clarity as to the status of the proposed guidance and the manner in which the recommendations are implemented; and
- The overlap and interaction with extant auditing standards and guidance.
The Committee indicates that the proposed guidance enhances and replaces other documents, including 'The relationship between banking supervisors and banks' external auditors' (January 2002). That document was developed in association with the International Auditing Practices Committee (IAPC) and was also issued as an International Auditing Practice Statement (IAPS 1004) which has since been withdrawn. In its strategy and work plan for 2012-14 the IAPC's successor, the International Auditing and Assurance Standards Board (IAASB), identified that it would "Based on consultation with the Basel Committee and other stakeholders, and relevant financial reporting, regulatory and other developments, determine actions to be taken regarding the topic of the relationship between external auditors and supervisors / regulators (Guidance on Auditor / Banking Supervisor Relationship)".
We recommend that when finalising this guidance the Committee seeks to work jointly with the IAASB to develop the guidance for auditors and ensure that it fits with and supports the International Standards on Auditing (ISAs). Ideally the document could be developed as joint guidance as was the case for IAPS 1004. Doing so could help address some of the issues we have described in more detail below and provide more clarity as to the expectations of auditors performing ISA based audits of banks.
Status and implementation of the guidance
The Committee acknowledges that significant differences exist in national institutional, legislative and regulatory frameworks amongst jurisdictions, including accounting and auditing standards, supervisory techniques and institutional corporate guidance structures. The Committee recognises that it is not an auditing standard setting body and refers to the principles and explanatory guidance as “recommendations” (paragraph 12) and says (paragraph 31) that they “provide a framework for the supervisor's interactions with the external auditor, the audit committee and the relevant audit oversight body" and that "the outcome of these interactions will inform the supervisor's views as to the quality of the external audit and contribute to the supervisory process”.
Notwithstanding that the recommendations are not intended to establish mandatory requirements, they are worded in a way that, given the language conventions for the ISAs, may well give the impression of requirements, for example often stating that the auditor “should”, “must” or “needs to” do something. This is a particular risk in relation to the 'explanatory guidance' which is very granular and detailed. Further, the Committee states that "Supervisors should clearly communicate the recommendations contained herein to the banks they supervise and their respective external auditors, and articulate the measures the banks and external auditors should undertake to meet these best practices, where possible.” The Committee's open letter to Arnold Schilder recommending improvements to the ISAs, published at the same time as the proposed guidance, includes the statement that “while the Committee's external audit guidance has authority amongst banking regulators, audit oversight bodies are not compelled to look at the guidance when assessing external audits of banks".
In light of the above, supervisors and external auditors could view these recommendations for practical purposes as establishing requirements, whilst audit oversight bodies might not. In our view it would not be helpful for guidance for bank audits to be promulgated with inconsistent expectations among different regulatory bodies as to its status.
In clarifying the status of the material, we suggest that it could be helpful to separate it into two parts (perhaps even separate documents); one setting out the Committee's expectations (with material at a relatively high level) that could guide banking regulators and standard setters in establishing principles/requirements for auditors, audit committees and banking supervisors; and the other providing more detailed guidance for auditors of banks. As explained above, we believe the guidance for auditors should be finalised by the Committee working jointly with the IAASB so that fits more effectively with and supports the ISAs.
If the guidance is finalised on a stand-alone basis by the Committee, rather than working with the IAASB, we recommend that the Committee sets out more clearly how it expects the guidance to be implemented in the context of national regulatory environments. For example, does the Committee expect it to be enshrined in local regulations applicable to bank audits and/or is the guidance expected to be promulgated as “authoritative” for the purpose of audit oversight. We also recommend that the Committee consider how it might reword the guidance to avoid it appearing to establish requirements. In this regard it could be helpful to adopt the IAASB's drafting conventions that were developed for the IAASB's Clarity Project under which the ISAs were rewritten to make clearer the distinction between requirements and guidance.
Overlap and interaction with auditing standards
Although the Committee's proposed principles and explanatory guidance are broadly consistent with the ISAs, the ISAs avoid stating in guidance that the auditor “should” do something. However, in a number of areas, some of which are addressed in the letter to Arnold Schilder, the proposed principles and guidance appear to go beyond what is required by the ISAs because they indicate that the auditor 'should' do certain things that are not specifically required by the ISAs.
Additional guidance that addresses specific considerations relevant to bank audits is helpful to supplement the ISAs, which are designed to be of general application to all audits, and we are supportive of such guidance. However, where the proposed intent is to extend the procedural requirements for auditors, in order to avoid confusion we believe it is vital that any necessary action should be taken through modifications to the auditing standards or related application material or in an IAASB Practice Note after dialogue with the IAASB and that this should be a matter for the IAASB to take forward within its normal due process.
The Committee's letter to Arnold Schilder sets out recommendations as to how the ISAs could be improved. The letter indicates that the Committee believes that "the application material [in the ISAs] should be expanded to address specific industry and regulatory factors relevant to financial institutions about which auditors of banks should have appropriate knowledge." We do not support expanding the application material within ISAs in this way – there are other industry sectors where specific guidance could also be beneficial and the potential for very significant expansion of the volume of application material within the ISAs would be considerable and not helpful for auditors of entities to which the incremental guidance is not applicable. In our view industry specific guidance should be published separately and we support the Committee's recommendation to the IAASB that the IAASB develop a dedicated Practice Note for audits of banks. However, we believe it would be preferable for that Practice Note to be complete in itself and not need to be "used in conjunction with the Committee's guidance on external audits". Furthermore, we believe that such a Practice Note should have authority equivalent to application material in an ISA.
Comments on points of detail in the proposed guidance
Ethical Requirements
We agree that it is appropriate for banks to be regarded as 'public interest entities' and be subject to the applicable jurisdictional ethical requirements on that basis. However, paragraph 42 states that “the external auditor must comply with the applicable jurisdictional and internationally accepted ethical standards" (emphasis added). This appears to require the auditor to comply with the ethical requirements established by the national regulatory bodies and also the IESBA Code, and possibly other ethical requirements, if different. Ethical Codes/standards are ordinarily designed to be considered and applied as a whole. If they are applied on a piecemeal basis, with different aspects pulled from different Codes or standards, this could be confusing and may give rise to uncertainty as to what are the specific applicable requirements. We believe the applicable ethical requirements are a matter for national regulators to determine. If the Committee is concerned that requirements in particular jurisdictions are not sufficiently rigorous we recommend that it sets out its expectations for bank regulators and standard setters and then seeks to work with the relevant regulators to address the improvements that it considers are necessary to the particular relevant ethical codes or standards that apply to auditors – rather than establishing alternative or incremental requirements for auditors.
Extent of controls testing
Paragraph 60 states that, given the nature of bank activities, including those involving a high volume of transactions, “... the external auditor should perform extensive tests of controls over financial reporting ...". We agree that, for audits of banks, testing of controls is ordinarily important. However, there is wide variation between different banks in terms of size, activity and organisation and the auditor should assess and test controls having regard to the specific circumstances of each entity. There may be other techniques auditors can employ when testing high volumes of transactions, including those based on the use of IT.
Auditor's expected understanding of prudential regulations
Paragraph 85 states that “In the course of the audit, the external auditor should remain alert to actual or suspected breaches of prudential regulations, particularly those that are likely to be of material significance to the functions of the supervisor. ... if the external auditor identifies any such breaches of material significance, the auditor should notify the supervisor immediately." ISA 250 requires the auditor to remain alert to the possibility that audit procedures may bring instances of non-compliance with regulations to the auditor's attention. However, it is not clear from the Committee's guidance the extent of understanding of the prudential regulation that the supervisor expects the auditor to have, and it could be read as being more than is needed to audit the financial statements – ISA 250 requires the auditor to have a general understanding of the legal and regulatory framework applicable to the entity and there may be many prudential regulations that are not directly relevant to the audit of the financial statements. We recommend that the Committee's expectations in this respect be further discussed with the IAASB. The sheer volume of prudential regulations is likely to make it impracticable for the auditor to obtain an in-depth understanding of all those that are not relevant to the audit of the financial statements.
Matters relevant to audit committees
Paragraph 108 identifies matters the audit committee should maintain an understanding and knowledge of, including "the current nature of the audit environment ...". It is not clear what this means.
Paragraph 113 identifies that "Where the audit firm has been the external auditor of the bank for many years, there may be a perception that there is a familiarity or self-interest threat to the external auditor's objectivity and independence in its audit of the bank." It then states “However, when the bank changes its external auditor, there is a risk that the depth of understanding of the bank and its activities and systems will be lost. This may affect the new external auditor's ability to identify risks of material financial statement misstatements and respond to them appropriately, and hence may detract from the quality of the audit.” This could give the impression that the Committee sees greater risk in tendering/rotation than in not doing so – there is only a "perception” of problems with keeping the same firm for many years, while there is a clearly identified “risk” with changing them. We believe that a more helpful message would be that there are risks in each respect and that they need to be managed effectively in either case.
Paragraph 114 states that "Audit committees should have a policy in place that stipulates the frequency with which there should be a tender for the external audit contract. ..." We do not believe it is necessary to stipulate a specific frequency, but rather consider it appropriate to identify a maximum period for which the audit is not put out to tender. The UK Corporate Governance Code states that FTSE 350 companies should put the external audit contract out to tender at least every ten years.
Communications between supervisors and auditors
Section 6 includes a significant amount of guidance on communications between supervisors and auditors and makes clear that good communication channels can be beneficial to both. However, there is much more focus on direct communication from the auditor to the supervisor and relatively little to encourage direct communication from the supervisor to the auditor. Paragraph 162 states “If appropriate confidentiality rules are in place, the supervisor may decide to communicate bank-specific information to the external auditor ...". We appreciate that there are typically regulatory duties and rights for auditors regarding communication to supervisors and that, in part, the guidance reflects this. However, subject to the need to comply with confidentiality and other applicable rules/regulations, we believe it would be beneficial for supervisors to be encouraged to directly communicate matters they believe may assist the external auditor in conducting a quality external audit in the same way that auditors are encouraged to directly communicate to supervisors. Using the word “may” in the guidance for supervisors, compared to using the word “should” in the guidance for auditors, could give the impression that less rigorous expectations of supervisors are being promoted.
Yours faithfully
Nick Land Director of the FRC and Chairman of the FRC's Audit & Assurance Council
Enquiries in relation to this letter should be directed to Marek Grabowski, Director of Audit Policy. DDI: 020 7492 2325 Email: [email protected]
About the FRC
The Financial Reporting Council is the UK's independent regulator responsible for promoting high quality corporate governance and reporting to foster investment. We promote high standards of corporate governance through the UK Corporate Governance Code. We set standards for corporate reporting and actuarial practice and monitor and enforce accounting and auditing standards. We also oversee the regulatory activities of the actuarial profession and the professional accountancy bodies and operate independent disciplinary arrangements for public interest cases involving accountants and actuaries.
Aldwych House, 71-91 Aldwych, London WC2B 4HN Tel: +44 (0)20 7492 2300 Fax: +44 (0)20 7492 2399 www.frc.org.uk The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered office: as above.