We often hear that accountants are boring and a significant minority of accountants quite happily agree! And what could be more boring than auditing? An auditing standard on non-compliance with laws and regulations (NOCLAR) perhaps? 

Probably. Except, of course, when the non-compliance relates to the flammability of building materials, or the reporting of emissions by a large car manufacturer, for example, at which point everyone starts to take an interest.

Only very occasionally does ICAEW’s Audit and Assurance Faculty take proposals relating to auditing standards to an audience of non-auditors. One example is the Financial Reporting Council’s (FRC) consultation on Proposed International Standard on Auditing (ISA) (UK) 250 (Revised), Consideration of Laws and Regulations in an Audit of Financial Statements. Its two parts consist of a revision of extant ISA (UK) 250(A), and a new standard, ISA 2X0, replacing extant ISA (UK) 250(B), covering auditor reporting to regulators in the public interest.

ISA 250(A)

The story starts about six months ago, on the other side of the Atlantic. In June 2023, the US Public Company Accounting Oversight Board (PCAOB) proposed controversial amendments on the same subject. The proposed revisions would require auditors to consider laws and regulations globally, without reference to the risk assessment performed by management. The proposals were met by an unusually high level of resistance. Two PCAOB board members voted against the amendments and the Centre for Audit Quality (CAQ) organised a response campaign among audit committee chairs, based on the questionable benefits to audit quality and significant potential costs. ICAEW also responded expressing similar concerns. 

The FRC has attempted to distance itself from the PCAOB’s proposals by permitting auditors to start with management’s assessment, believing this to be a more proportionate and risk-based approach. However, the FRC’s proposals apply to all audits, including the smallest, whereas the PCAOB’s only apply to SEC registrants. While the largest of US companies might be expected to have some framework for assessing the risks of non-compliance globally, that may not be the case for smaller UK companies, some of which will inevitably look to their auditors for guidance on which laws and regulations need to be considered.

The FRC is also proposing to abolish the distinction between laws and regulations that have a ‘direct’ effect on the financial statements, such as those governing format and disclosures, and those having an ‘indirect’ effect through the potential for fines or other penalties, such as health and safety legislation. 

This matters because, at present, auditors are only required to investigate the latter if matters come to their attention to suggest that there may be an issue. The proposals mean that both auditors and companies need to have a reasonably complete understanding of all relevant laws and regulations as a starting point; an understanding that will often be hard to achieve, and may involve extensive and expensive legal input.

ICAEW’s outreach suggests that preparers are worried that auditors will need to ask them for information that they do not have, may not be able to provide at a reasonable cost and may well not need to manage the business. The FRC’s invitation to comment clearly acknowledges that that auditor’s commitment cannot be open-ended, but many are interpreting the proposals differently, and believe that audit inspectors will do the same.

The timing is not great, given the plethora of laws and regulations governing environmental, social and governance reporting being developed globally. Reporting requirements in some such areas are highly judgemental, such as Scope 3 emissions reporting. And, as with fraud, non-compliance will often not be clear in the absence of a regulatory or legal judgement being handed down. 

ISA 250(B) 

Extant ISA (UK) 250(B) The Auditor’s Statutory Right and Duty to Report to Regulators of Public Interest Entities and Regulators of Other Entities in the Financial Sector does what it says on the tin. The FRC is proposing to replace it with a new ISA (UK) 2X0, Special Considerations for Audits of Public Interest Entities – Communicate and Reporting to an Appropriate Authority Outside the Entity. 

The proposed new standard has a different focus to the extant standard – dealing with PIE auditors only – and the key change lies in proposed paragraph 18. This would require auditors to report a ‘reportable matter’ to an ‘appropriate authority’, in the public interest, even when laws, regulations or ethics do not require it. A ‘reportable matter’ is one that arises during the course of the audit which the auditor has determined is of ‘such significance’ that it is in the public interest to report even where law, regulation or relevant ethical requirements do not require it.

This – like the revision of 250A – was envisaged by Sir Donald Brydon. But crucially, it was buttressed by statutory protections for auditors – who would otherwise be in breach of their duty of confidentiality – which were to form part of the audit reform legislation which has, for now at least, been abandoned. 

Absent these ‘good faith’ protections, the proposals appear to be fatally flawed. For the new requirement to be workable, the protections must somehow be facilitated.

Why?

For all stakeholders, there is a significant question mark over the wider purpose of both sets of proposals. To our knowledge, no recent Audit Quality Review by the FRC or report following a visit by ICAEW’s Quality Assurance Department has highlighted either non-compliance with laws and regulations, or reporting to regulators in the public interest, as areas of focus. And while non-compliance with laws and regulations was cited in one recent high-profile FRC enforcement action (see 2021 Rolls-Royce audit), there seems to be no evidence of systemic failures by auditors either to identify non-compliance with laws and regulations that might have a material effect, or to report to regulators in the public interest where appropriate. 

Standard-setters want to raise standards and it is hard to disagree with that. But answers are needed to questions about how much more the FRC expects of auditors in terms of work effort. If the FRC is unable or unwilling to provide clarity, there is a risk of overkill, plus the potential to further disincentivise smaller audit firms from entering the PIE audit market. No one wants either of those things.

A very small minority of those we engaged with suggested that auditors simply needed to ‘roll up their sleeves and get on with it’, but this exception proves the rule; it is very unusual for auditors and preparers to speak with one voice on such matters. Both auditors and preparers suggested that if the real mischief here is the failure of companies to adequately assess the risk of non-compliance, further thought needs to be given to how to improve corporate standards. Perhaps a better option would be through the soon-to-be revised Corporate Governance Code rather than the ‘back door’ of auditing standards. Audit tails shouldn’t wag corporate dogs…

ICAEW makes strenuous efforts to provide constructive criticism in all of its responses to standard-setters, whether UK or global, to help achieve the common goal of enhanced audit quality. But we are finding it more difficult than usual to make constructive suggestions in this case, not least because of the absence of examples of laws and regulations that auditors are not addressing properly, or of reports that are not being made in the public interest. 

ICAEW will continue to engage with stakeholders on this issue to try and find a constructive way forward. The consultation closes on 12 January 2024.

Katharine Bagshaw, Senior Technical Manager, Audit and Assurance Faculty, ICAEW