During a recent monitoring visit, my firm was criticised for entertaining our audit clients. I thought that the Ethical Standard only addressed the situation where the auditor received the hospitality. I have been in the profession for many years and in my experience my audit clients expect my firm to entertain them at nice restaurants.
During the pandemic, independence issues arising from hospitality dropped off the agenda for many audit firms, for obvious reasons. I have noticed that some people are now making up for lost time.
It seems that you have fallen into a common pitfall in not appreciating that the Financial Reporting Council’s (FRC’s) Revised Ethical Standard 2019 refers to hospitality accepted and received. The standard is now very clear that hospitality is a two-way street, for independence purposes, as you will see from the emphasis I have added in the extract below.
Policies adopted by audit firms on hospitality vary enormously. Some firms adopt financial thresholds that are positively puritanical. Even a cheeky Nando’s would be borderline. Other firms are more permissive.
Deciding what hospitality is and isn’t acceptable is very much down to a matter of professional judgement in applying the standard, which states (para 4.40): “A firm, its partners and any covered person, and persons closely associated with them, shall not offer or accept* pecuniary and non-pecuniary gifts or favours, including hospitality, from an entity relevant to the engagement, or any other entity related to that entity, unless an objective, reasonable and informed third party* would consider the value thereof as trivial or inconsequential.” (* Emphasis added for the purposes of this article.)
The ‘third party’ test is key here. I don’t think that a third party would solely consider the financial value of the hospitality. Context would also be relevant. I think that they are more likely to consider a working lunch to be trivial than an evening event that is purely social.
Having said that, in my personal opinion, a third party is not likely to consider a swanky restaurant to be trivial. I recommend that you revise your hospitality policy to take this into account.
You may also want to refresh your memory by watching a recent faculty webinar on the FRC Ethical Standard.
It shares some lessons learned and offers some useful reminders for firms. Among other things, the webinar includes a section on application of the ‘Objective, Reasonable and Informed Third Party test’.
You will find the Revised Ethical Standard 2019 on the FRC website along with the latest glossary of terms and other related documents.
Can you clarify what sole practitioners should do when they have been auditing an entity for 10 years or more? Must I have an external review every year now?
What you are referring to here is commonly known as the ‘10-year rule’, which applies for audits of entities that are not listed and are not public interest entities (PIEs). For PIEs and listed entities, the rules are different.
The Revised FRC Ethical Standard 2019 has a fair amount to say on all of this in Section 3, Long Association with Engagements and with Entities Relevant to Engagements. I’ll briefly paraphrase.
Where an engagement partner has been in that role for 10 years, the familiarity threat has to be considered. This has to be communicated to management and safeguards must be applied.
The obvious issue here for sole practitioners is that second partner review is the most commonly used safeguard, under the so-called ‘10-year rule’, and that option is, of course, not easily available for sole practitioners.
While an external file review would be an appropriate safeguard (and a properly robust one), it is not the only safeguard that could be applied. You might have sufficiently experienced senior managers in the firm that could perform a review. Also, you might decide to give up the audit, although many would consider this an extreme choice.
However, I accept that more often than not, there is nobody sufficiently senior and experienced in the firm to do this and an external review is the only option.
There will be circumstances in which the threats to independence are such that the external review must be performed every year, but equally, sometimes it might be sufficient for this review to be performed on a rotational basis, every two or three years. As always, professional judgement is needed.
To inform this judgement, you may want to give the relevant sections of the Revised Ethical Standard 2019 a read through. As I suggested in my response to the previous question, also watching the recent faculty webinar on the standard may prove to be a good use of your time.
Faculty webinar on Revised Ethical Standard 2019
The FRC’s Revised Ethical Standard 2019 came into effect on 15 March 2020 and aimed to strengthen auditor independence, prevent conflicts of interest and improve audit quality.
The audit profession has had more than two years to digest, understand and apply the standard and there have been plenty of opportunities to learn lessons. This July 2022 faculty webinar draws on one firm’s experience with applying the key changes introduced in the revisions, explores some of the requirements in more detail and highlights some of the more recent emerging issues for firms to consider.
The webinar covers:
- what we have learned, two years on, including application of the Objective, Reasonable and Informed Third Party test;
- horizon scanning – anticipated changes down the road;
- role and mindset;
- ethical issues around remote working; and
- non-financial conduct – professional behaviour in and out of work.
The webinar is available on demand.
When auditing investments managed by investment managers, I have always used the annual report, from the managers, as a third-party confirmation. I am now being told that this is not good enough. I always thought that third-party confirmations were high-quality evidence. What am I missing?
For audit purposes, investment managers are often not third parties, they are service organisations. Thinking that investment manager reports are always third-party evidence is, unfortunately, a rather common mistake.
The audited entity often uses the investment manager as a service organisation, in that the investment manager maintains the only record of the assets held, income received, profits and losses on sale and revaluation gains and losses. Therefore, the entity has outsourced an element of its internal controls.
This means that the annual report provided to management by the investment managers is part of the audited entity’s internal controls and cannot be relied upon as audit evidence. When the investment managers are treated as a service organisation, the auditors should:
- consider obtaining a ‘Type 2’ report, if there is one;
- obtain audit evidence to support the valuation of the investments; and
- obtain audit evidence to support the ownership and existence of investments.
If you aren’t too sure what I mean by a ‘Type 2’ report, I can understand why – there are a number of contenders. Fortunately, I can point you at some ICAEW resources that will be helpful.
In 2020 the faculty published a Technical Release TECH 01/20 Assurance reports on internal controls of service organisations made available to third parties.
It includes information on Type 1 and Type 2 reports, with explanations, examples and templates. This offers information you may find useful on comparable guidance and standards including ISAE 3402 and SSAE 18 SOC 1 and SSAE 18 SOC 2.
TECH 01/20 was published as a replacement for the Technical release AAF 01/06. TECH 01/20 features updated terminology that aligns with the terminology in ISAE 3402 and in SOC 1 and SOC 2.
You will find an Audit & Beyond article introducing TECH 01/20.
About the author
John Selwood, freelance lecturer and writer
Audit & Beyond
This article was first featured in the September 2022 edition of Audit & Beyond.
