Academic literature suggests that matters that affect an auditor's ability to achieve their fundamental objective—that is, to obtain reasonable assurance that the financial report as a whole is free from material misstatement—comprises two characteristics; auditor competence and auditor independence. In other words, the quality of an audit is a function of these key attributes.
As summarised by Emeritus Professor Keith Houghton and Professor Christine Jubb:
These two characteristics cannot be substituted for each other; that is you cannot have more of one to make up for less of another. They are both necessary conditions for the existence of the value of an audit. These two characteristics are: (1) that the audit must be 'competent' and (2) that the audit be 'independent'. These two characteristics must both be present for an audit to be of value in the market for information.
On this point, Professor Ken Trotman drew attention to the trade-off between auditor competence and auditor independence that threats to audit quality provide:
For example, long-term tenure threatens independence but increases client and industry knowledge. Also, some audit non-services broaden the audit evidence base with a positive effect on confidence.
Professor Stephen Taylor also discussed the above model of audit quality, explaining that competence refers to an auditor's ability to appropriately identify problems, while independence is the auditor's determination to take the most appropriate action in dealing with such problems. Professor Taylor contended that 'defining audit quality in this way has the advantage of requiring that criticisms of audit quality must reflect deficiencies in one or both of the two components'.
Much of the public commentary and debate around audit quality in recent years has centred on conflicts of interest—either actual or perceived—that poses a threat to auditor independence, the second key component of audit quality. In particular, conflicts of interest which have been persistently raised as potentially compromising auditor independence, and which may thereby negatively impact audit quality, include the:
provision of non-audit services to the audited entity; and
perceived closeness of the auditor with the audited entity, particularly that arising through long association.
Australia's audit independence requirements, as detailed in Chapter 2, are set out in the Corporations Act 2001 (Corporations Act), Australian Auditing Standards, and the APES 110 Code of Ethics for Professional Accountants (including Independence Standards) (Code of Ethics), all of which have the force of law. This comprehensive legislative and regulatory framework recognises that auditor independence is fundamental to achieving a high-quality audit as it enables the auditor to be impartial in making professional judgements.
Auditors are legally required to be independent from the entities they audit. They must ensure that they are independent of mind and of appearance, both acting and being seen to act with integrity, objectivity and professional scepticism. In other words, auditors must be mindful, not only of actual conflicts of interest, but also of the perception of conflicts of interest.
In its submission to the inquiry, the Accounting Professional and Ethical Standards Board (APESB) noted that it is not aware of any empirical evidence to suggest that there are significant weaknesses with its pronouncements, and expressed the firm view that the existing professional and ethical standards that apply in Australia represent global best practice.
Indeed, the APESB argued that its suite of professional and ethical standards applicable across various audit and non-audit services is replicated in very few jurisdictions worldwide. Elaborating on this point, the APESB submitted:
APESB has, at times, implemented reforms that may not have suited the commercial interests of accounting firms. For example, in 2010, APESB prohibited the provision of bookkeeping services and some tax services to audit clients that are Public Interest Entities (PIEs). Australia led the way with this prohibition, which has now been recognised as global best practice and included in the International Code of Ethics.
Further comparing current Australian regulation to that in other jurisdictions, the APESB contended that the Australian professional standards framework, which is applicable at the audit firm level and in respect of various professional services, 'is a global leader and is only replicated in a handful of jurisdictions which does not include the UK'. On this point, the APESB took the view that:
…the existing standards framework in Australia on specific professional services is more comprehensive than the UK, where the professional and ethical standards focus mainly on the provision of audit services. Therefore, some of the proposals [put forward in recent UK reviews] may not be relevant or cannot be directly implemented without due consideration of the existing co-regulatory framework in Australia.
The remainder of this chapter will examine in turn the two main issues persistently identified as threats to auditor independence; that is, the provision of non-audit services and perceived closeness of the auditor with the audited entity. Potential solutions considered internationally or proposed by stakeholders to each of these threats will also be discussed.
Provision of non-audit services to audited entities
As noted in Chapter 1, the increasing complexity of the business environment has not only resulted in a more complex audit environment, but has also driven corporate demand for a range of other assurance and non-assurance services. Audit firms, particularly those that comprise the 'Big Four', have expanded their service offering to meet this demand. A substantial part of large audit firms' business is now dedicated to the provision of services, such as advisory or consulting services, to entities they audit and other entities. Non-audit services performed by an external auditor can also include certain reviews required under the Australian Prudential Regulation Authority (APRA) prudential framework.
There are broadly two types of non-audit services that can be provided by an auditor to an entity they audit; namely, those that are related to and complementary to the audit (known as audit-related services), and those not related or complementary to the audit. As explained by the Australian Auditing and Assurance Standards Board (AUASB), services that are not related or complementary to the audit do not rely on any synergies in knowledge between the auditor and audited entity, whereas audit-related services require a deep understanding of the business and its systems of internal control.
Since the corporate collapses and accounting scandals associated with Enron and WorldCom in the early 2000s, ongoing concern has been expressed regarding the provision of non-audit services and whether such services impair an auditor's independence. Such concern has largely been caused by perceptions that financial incentives associated with delivering both audit and non-audit services to the same client may impact on an auditor's application of sufficient and appropriate professional scepticism.
Reflecting on this issue, the Australian Shareholders' Association submitted:
The Enron/Arthur Anderson story highlighted the dangers of 'moral seduction' and 'capture' of audit firms by poor corporate culture. The ensuing collapse of Arthur Anderson and Big Four divestment of consulting practices underlined the market's need to trust audit firms' output. That the Big Four have subsequently developed new consulting practices and added more service lines such as legal and media advisory on top leaves ongoing doubt as to independence…
Professor Allan Fels AO succinctly defined the conflict of interest that the provision of non-audit services is perceived to pose to an auditor's independence:
It's a simple conflict of interest. Someone is tasked with providing an independent, error-free audit of a big business; it's a very important role. If that auditor is also performing services for the person they're auditing, there may be a conflict of interest—they may be compromised—because they want to continue providing those profitable services, and that could be threatened with unfavourable audits.
Professor Sandra van der Laan and Dr Steven Townsend described the apparent financial incentive resulting from the provision of both audit and
non-audit services to a corporate entity as 'economic bonding':
In the case of NAS [non-audit services], economic bonding is argued to result if an auditor becomes financially dependent on both audit fees and NAS provided to the same client. This may act as an inducement for an auditor to concede to management demands.
Representatives of the Big Four also noted that recent public commentary has suggested the largest audit firms use audit work as a loss leader in order to win more profitable non-audit consultancy and advisory work and, moreover, that this is done at the expense of focusing on the provision of high quality audits (discussed in subsequent section on 'assertions that audit is a loss leader').
Indeed, reflecting on such commentary in his submission, Professor James Guthrie contended:
…the Big 4 auditors have incentives to overlook risks in a financial statement audit because it may limit their ability to sell, usually higher-margin, non-audit work to audit clients. This is a cultural issue within these partnerships.
Restrictions and requirements
The restrictions set out in the Corporations Act as well as regulatory and professional standards collectively seek to help identify and minimise potential risks posed to auditor independence through circumstances where a firm provides both audit and non-audit services to the same client. In particular, the legislative and standards framework aims to protect against threats to independence that involve an auditor acting in a management capacity or engaging in work that has a material effect on the financial statements of the audited entity.
Importantly, the restrictions in place limit the threat of an auditor being in a position whereby they audit their own work (commonly referred to as a
self-review threat). For example, an auditor must not provide professional advice on the valuation of a company's assets where such valuations are used in the company's financial statements.
As previously noted, the Code of Ethics issued by the APESB prohibits the provision of certain non-audit services by auditors of Public Interest Entities (PIEs) to their audit clients (see paragraph 2.47), and certain material
non-audit services for all audited entities. The Corporations Act also requires that an auditor provide a written declaration that their work is compatible with the independence requirements under the Act. This declaration, which is included in the Director's Report, includes a statement that the auditor is satisfied that any non-audit work undertaken is compatible with the auditor independence requirements.
In addition to the above non-audit services related requirements, Australian Accounting Standard AASB 1054 Australian Additional Disclosures (AASB 1054) mandates that entities required to prepare financial reports under the Corporations Act disclose separately in their financial statements total fees paid to the auditor for audit and all other services performed during the reporting period. AASB 1054 also requires disclosure of the nature of all other services provided. These fee disclosures are additional to those required by international accounting standards.
Are non-audit services an issue?
From a regulatory perspective, the Australian Securities and Investments Commission (ASIC) noted that, as part of its audit inspection and financial reporting surveillance programs, it had identified some concerns, albeit a small number, relating to the provision of non-audit services. Specifically, in regard to the 18 months to 30 June 2018, ASIC submitted that it had:
identified three cases where it considered the provision of non-audit services was not consistent with auditor independence requirements, including where a firm's experts were treated as both the auditor's and the company management's experts; and
sought an explanation from six audit committees as to how they were satisfied that the auditor's independence was not compromised by the size and nature of non-audit fees.
While cognisant of the increased focus on ensuring the provision of non-audit services does not compromise independence, submitters and witnesses were of the broad view that the existing legislative and regulatory framework is effectively managing threats to auditor independence posed in this regard.
For example, KPMG contended that the regulatory rules and systems relating to the provision of non-audit services to an audited entity are extensive and, in its view, effective in safeguarding auditor independence.
Likewise, Mr Tony Johnson, Chief Executive Officer and Regional Managing Partner, Oceania, EY, described Australia's current regulatory framework as 'rigorous', and stated that 'EY is confident that Australia's strong independence legislation is effectively managing conflicts of interest, including the provision of non-audit services to audit clients'.
The Group of 100 (G100) noted that the reputation and integrity of audit firms is fundamental to their ongoing success. Therefore, individual staff and partners of firms are highly aware of their responsibilities with regard to auditor independence. The G100 continued:
It is our contention that these reputations and future incomes (across all aspects of a firm's business), which would be severely damaged or destroyed by proven conflicts‐of‐interest leading to malign outcomes or to work being deliberately performed not in accordance with regulatory standards, would not be put at risk because of any conflict of interest between auditing and consulting (or other) services.
In support of that view, Mr Gary Lennon, Group Chief Financial Officer at National Australia Bank (NAB), reflected on his professional experience of dealing with EY, who has been the external auditor for the NAB Group since 31 January 2005:
But it's certainly my experience with EY—and I've had near-on 30 years dealing with auditors—is that they're highly professional. They work in global organisations. In my experience, they are independent, because they realise how critical that is. Every time they form a view and write a report, in the end it is their view and their report and they stand 100 per cent behind it. That's been my experience.
Industry stakeholders also drew attention to the fact that audit firms, as well as the companies they provide services to, typically have their own internal policies and systems in place to manage conflicts of interest and threats auditor to independence, including the provision of non-audit services. Further, some stakeholders stressed that such policies and systems meet and, in many cases, exceed regulatory and professional requirements.
For example, Mrs Jody Burton, Chief Risk Officer at Deloitte, told the committee that all engagement opportunities for the firm, whether it is to provide audit or non-audit services, must go through a comprehensive engagement assessment process. Mrs Burton further explained:
As it relates to an audit, the audit engagement partner has ownership of that process. They also have full visibility of any opportunity that moves on that account. So, if a client that we audit requests a particular service from another part of our business, the audit engagement partner has full visibility and is empowered to ensure that they can approve that service only in conjunction with the directors of that entity. So we go to great lengths to ensure that that requirement within the regulations is executed very strictly.
Mr Andrew Yates, National Managing Partner, Audit, Assurance and Risk Consulting, KPMG, described for the committee the global online system 'Sentinel', which is used by KPMG to manage and ensure the firm's independence:
Sentinel was what I was referring to a little bit earlier when I talked about the global online system which manages independence. Whenever a piece of work is potentially going to be performed for any company, it has to be entered into Sentinel. That's consistent all around the world. If there is any part of that piece of work that would be commercially confidential or maybe a conflict, then it will be sent directly to our risk management team and not to the partner who runs the account. Any area where there might be a conflict, it has a different approval route.
Several inquiry participants also pointed to past empirical research examining whether audit quality is in fact undermined by the provision of non-audit services. Such research has produced mixed results, with some earlier studies finding a negative association between the provision of non-audit services and audit quality. However, submitters and witnesses noted that more recent studies, which used alternative quality measures, have found no association.
For instance, Professor Peter Wells cited the 2006 study by Ruddock and colleagues which found no evidence of the provision of non-audit services reducing accounting conservatism, a commonly used measure of accounting quality and audit effectiveness.
Similarly, Professor Stephen Taylor pointed to the 2019 literature review carried out by Dr Jan Bouwens, a Professor of Accounting at Cambridge Judge Business School and Managing Director of the Foundation for Auditing Research. Professor Taylor summarised:
After carefully summarising this literature, Bouwens (2019, p. 3) concludes that 'almost without exception, they point in a different direction than that assumed in politics and debate. That is, evidence suggests that non-audit services do not adversely affect the quality of the work of the auditor'.
Benefits of multidisciplinary expertise
Research has found that non-audit services do not compromise auditor independence or impair audit quality. Indeed, research suggests an increase in audit quality which is often explained via learning. As clarified by the
IPA-Deakin SME Research Centre:
…that is, the provision of non-audit services increases auditor learning, thus establishing a synergistic relationship between the auditor and client or that there is a knowledge spill over from consulting which enhances the auditor's understanding of the client and thus audit quality.
Numerous inquiry participants highlighted this knowledge transfer between firms' audit and other service lines as a key benefit of a multidisciplinary business model, with some going so far as to suggest that for more complex audits, a multidisciplinary approach is actually necessary to enhance audit quality. Further, some inquiry participants contended that, as a result of this knowledge transfer, there are certain non-audit services that the auditor of an entity is in fact best placed to perform, and that this can be done without any loss of the auditor's independence.
The AUASB submitted that knowledge gained from undertaking complementary non-audit services can improve audit quality by contributing to an auditor's understanding of the entity:
The performance of the services complementary to the audit requires a deep understanding of the business and its systems of internal control, to enable appropriate risk assessment and design of appropriate procedures. For example, the complementary services can include assurance procedures over many regulatory returns that benefit from an auditor's knowledge of the client and industry. Having the auditor providing these complementary services can improve audit quality as knowledge gained from undertaking these services contributes to the auditor's understanding of the entity. Engaging another service provider to perform these complementary services would likely result in increased costs to the audited entity as the other provider would need to build the necessary knowledge and experience, which potentially could result in lower quality for these engagements.
Hence, the transfer of knowledge between audit and non-audit services can apply both ways. The G100, for example, noted that an auditor's knowledge of a company's business, systems and process enables them to provide valuable advice in non-audit service areas without impacting on the financial statements. Additionally, the G100 pointed out that, due to the auditor's experience, such advice can often be provided in less time and thus less expense.
Deloitte contended that multidisciplinary firms are able to consistently deliver a large population of qualified and skilled audit professionals as well as a breadth and depth of specialist capabilities that can be readily drawn on. Expanding on this point, Deloitte commented:
These specialists, as employees, are already compliant with required independence obligations. To that end, our audit practice benefits from access to a broad range of technical and industry specialists, with over 380 specialists in Australia providing audit support roles. At the same time, our advisory businesses benefit from the regulatory experience, deep accounting skills and leadership capability that our audit practice brings to our broader firm.
Representing the views of audited companies' Chief Financial Officers,
Mr Andrew Porter, Chair of the G100, told the committee that 'we want efficient, timely, accurate and expert advice from our external service providers—both our auditors and the consultants that we use from other firms who are not our auditors'. Mr Porter further commented:
It is important, in our opinion, that companies continue to have access to
full-service firms and that these firms are able to attract the best people with a varied career that enables them to build on and develop their expertise.
Some submitters and witnesses suggested that, as the business and audit environment becomes more complex, the specialist expertise obtained through a multidisciplinary approach will be a key component in ensuring the delivery of high-quality audits.
For example, Deloitte noted that, as organisations change to become more technology-focused and operate in new and more global markets, audits now often require professionals with specialist knowledge in areas such as valuations, financial and economics modelling, financial instruments, tax, technology systems, data, and internal controls. As such, Deloitte contended, 'the range of expertise required to deliver quality audits has expanded and become a more critical driver of audit quality'.
EY shared a similar view, noting how specialist expertise from its other service lines has been utilised to assist in audits:
Expertise in artificial intelligence, cyber, analytics, robotics, block chain and other emerging disciplines are increasingly required and there is a continuing trend for increased involvement of specialist resources. These new skills reside in and are being developed in our non-assurance service lines.
In the financial year ended 30 June 2019, 8.7 per cent of time spent on the Australian Securities Exchange (ASX) 300 audits conducted by EY Australia, was incurred by specialists from other service lines as their expertise was required in the execution of the audit. When specialists from the other service lines assist in audits, they become subject to the heightened independence rules applicable to audit team members.
Assertions that audit is a loss leader
As noted by ASIC, whether the provision of non-audit services to an audited entity compromises the auditor's independence, and thereby impacts audit quality, may depend on the size of the fees payable and the nature of the
non-audit services. Some assessments of audit quality have therefore taken into account the fees paid to auditors for financial statement audits or for other work.
The Australian Accounting Standards Board (AASB) explained how comparisons of audit fees across entities can be regarded in assessments of financial reporting and audit quality:
Comparatively higher audit fees could indicate financial reporting problems or issues with the audit process. Comparatively lower audit fees may indicate that a lower quality audit has been performed.
Figure 4.1 details the fee revenue from engagements at ASX 300 entities as reported in financial reports for the years ended 12 months to 31 March 2018 and 31 March 2019. Fees for consulting services are included as part of
Figure 4.1: Fee revenue from engagements at ASX 300 entities—12 months to
31 March 2018 and 31 March 2019
Source: ASIC, Submission 16, p. 10.
Industry stakeholders disputed assertions that the increasing range of others services delivered by the largest firms can be used as a loss leader in order to sell higher margin non-audit services.
PricewaterhouseCoopers (PwC) acknowledged that operating a multidisciplinary business model can create the perception that focus is being directed toward priorities such as firm-wide growth opportunities rather than on the provision of high-quality, independent audits. However, PwC stated that 'audit is not used as a loss leader for growth in other parts of the firm', continuing that:
The level of profitability across our Assurance, Consulting and Financial Advisory businesses is broadly equal, demonstrating balance and strength right across the portfolio. Our level of investment in audit is such that we intend for this to remain the case.
Likewise, Deloitte were firmly of the view that 'audit is a valuable and profitable business for our firm', further asserting that 'other services are not required to "subsidise" our audit business line, nor do we use audit services as a "loss leader" to generate revenue from other services to the entities we audit'.
Mr Imbesi, Chairman, Deloitte Australia, reiterated this point in response to questions from the committee regarding Deloitte's service margins:
…ASIC has asked us for more information regarding our audit business, the margins that it makes relative to the average of the rest of our business. So there is more and more information we're being asked for to get more insight into how we operate our audit business. What I can say to you is that our audit business is profitable, its margin is slightly higher than the average of the firm, it's not a loss leader and it's a contributor to the firm's overall components.
EY noted that fees from its ASX 300 audit clients for non-audit services, not including audit-related or other assurance services, comprised 14 per cent of the firm's Australian revenue in the 2019 financial year. EY further submitted:
We operate our business with the expectation that our audit engagements be profitable, hold partners accountable for this, and do not price our audit engagements with the expectation or consideration of non-audit-related services we may be asked to provide. The suggestion that the audit of financial statements is a “loss leader” for the sale of non-audit services is not correct.
KPMG also provided a breakdown of revenue figures from audit and
non-audit services provided to its largest clients:
Over the past five years, 69 per cent of revenue for KPMG’s six audit clients in the ASX20 was earned from the financial statement audit, 22 per cent from other assurance and audit-related services and 9 per cent from non-audit services. In FY2019, 5 per cent of the revenue earned from our ASX 300 audit clients was from other assurance and audit-related services and 18 per cent from non-audit services.
Further rejecting suggestions that audit services are used as a loss leader by the auditing profession, the Big Four firms sought to highlight that their partner remuneration processes are structured in such a way that audit partners are not incentivised on the basis of selling non-audit services to audit clients.
For instance, KPMG noted that it has a 'clear policy of not remunerating any audit partners for selling non-audit services to any audit clients of the firm', further stating that 'there is zero financial incentive for audit partners to put revenue ahead of audit quality'.
Similarly, Deloitte submitted that its auditors are evaluated solely on the basis of their audit work and pointed out that, in fact, 'metrics related to the sale of non-audit services are prohibited by Deloitte policies when evaluating or compensating audit partners'.
Mr Jamie Gatt, Managing Partner, Audit and Assurance, Deloitte, also noted in evidence to the committee that ASIC's findings in relation to the firm's audit quality are taken into account in determining an audit partner's remuneration:
Yes. Findings on audit quality are all taken into account. Audit quality would be the most significant metric that we look at in relation to any audit partner. If there are findings from ASIC reviews, they are taken into account through their quality rating, and that will ultimately have an impact on their remuneration.
CPS 220 Review
The committee examined the issue of whether non-audit services pose a risk to auditor independence during public hearings for the inquiry. In particular, the committee questioned representatives from NAB and EY regarding the engagement of EY in 2018 to conduct a review of NAB's risk management framework, as required under APRA's prudential and reporting standards. As previously noted, EY has been the external auditor for the NAB Group since 31 January 2005.
APRA's Prudential Standard CPS 220 Risk Management (CPS 220) outlines the risk management requirements applicable to APRA-regulated authorised deposit-taking institutions. Paragraphs 44 and 45 of CPS 220 set out annual and triennial review obligations:
An APRA-regulated institution must ensure that compliance with, and the effectiveness of, the risk management framework of the institution is subject to review by internal and/or external audit at least annually. The results of this review must be reported to the institution's Board Audit Committee, the senior officer outside of Australia or Compliance Committee, as relevant.
An APRA-regulated institution must, in addition to paragraph 44, ensure that the appropriateness, effectiveness and adequacy of the institution's risk management framework are subject to a comprehensive review by operationally independent, appropriately trained and competent persons (this may include external consultants) at least every three years. The results of this review must be reported to the institution’s Board Risk Committee, the senior officer outside Australia or Compliance Committee, as relevant.
Noting the committee's interest in CPS 220, Ms Heidi Richards, Executive Director, Policy and Advice at APRA, outlined the intended purpose of the reports arising from CPS 220 reviews:
And I wanted to stress that these reports are for the institution's board; they're not required in our standard to be provided to APRA, but in practice APRA supervisors generally request them and review them. The CPS 220 risk management review requirement is designed to support the institution's own processes for ongoing improvement of its risk management framework. APRA also conducts its own reviews of the risk management framework as part of our broader supervision program.
Recent public commentary has raised concerns regarding the appropriateness of EY's engagement by NAB to perform the bank's CPS 220 review—a service which NAB categorised as 'audit-related' in its accounts—given the longstanding appointment of EY as NAB's external auditor.
In particular, an article by Adele Ferguson published in The Age and Sydney Morning Herald on 2 August 2019 suggested that a leak of internal documents from NAB raised questions about the role of EY in its assessment of NAB for the review and the management of conflicts of interest. The article alleged that some information found by EY during its review was not included in EY's draft report, or in its final report as provided to the NAB Board Audit Committee. The August 2019 article also outlined EY's apparent proposal to NAB in response to NAB's tender to accounting firms to conduct the CPS 220 review:
EY's proposal outlined the rules of engagement, including that both NAB and EY would agree who would be interviewed and discuss interim findings. EY would also prepare a draft report with recommendations and send it to NAB for review.
EY also offered to provide 'proactive end-to-end stakeholder management and early communication of findings based on a no-surprises approach'.
Once NAB had reviewed the draft report, the proposal said, EY would 'socialise with key management'. A draft report would then be presented (along with the final report) to NAB's board risk committee and/or the board audit committee.
Seeking to allay concerns regarding any perceived conflicts of interest,
Mr Gary Lennon, Group Chief Financial Officer at NAB, outlined the bank's independence policy as it applies to its external auditor, noting that it sets strict limitations on the work that EY can provide. Specifically, as the external auditor, EY is prohibited from undertaking work for NAB that does not meet the bank's definition of audit-related. Mr Lennon continued that this consequently 'excludes EY from most project and advisory services, which are typically undertaken by other major accounting firms for NAB'.
Elaborating on this point, Mr Lennon asserted that the independence requirements applicable to EY under its independence policy are more stringent than those applied to other accounting firms that provide services to NAB. In particular, in line with the extensive legislative and regulatory requirements relating to auditor independence, EY is expressly prohibited from providing services to NAB that would risk EY auditing its own work:
The auditor, by definition—and we apply these standards to our auditor more tightly than other accounting firms—is more independent than anyone else. On some of the restrictions that we put on our auditor—we've already gone through some of them—the services that they can provide are far more restrictive than the services other firms can provide. Other firms can provide services including doing the actual work—so you open up the exposure that you may be doing a review of work that you've done. The financial arrangements between ourselves and our auditor are severely restricted; we can't have banking relationships, and partners in EY can't hold NAB stock. In terms of NAB staff working for EY or vice versa, there are very strict restrictions. Our auditor has more additional restrictions than any other accounting firm because of this importance of independence.
Similarly, representatives of EY sought to assure the committee that its independence as NAB's external auditor was in no way impaired through its engagement by NAB to conduct the CPS 220 review. For instance, Mr Tony Johnson told the committee:
The nature of our work means that every day we're accustomed to robust challenge of our findings on points of fact, context, presentation and language by relevant stakeholders. We listen to the commentary and then form and state our uncompromised position. In respect of the NAB
CPS 220 work, the partners responsible have confirmed that they were not pressured to—and nor did they—dilute or compromise any of their recommendations as a result of challenge from stakeholders, as you will have seen in the final NAB CPS 220 report.
In respect of our CPS 220 work, EY partners and staff held themselves to the highest professional standards. In addition, our audit role was not conflicted, either legally or ethically, and auditor independence was not impaired.
Mrs Leigh Walker, Regional Independence Leader at EY, underlined that the provision of the CPS 220 triennial review is fully compliant with Australia's extensive regulations around auditor independence. Mrs Walker further commented:
We went through the usual rigorous process that we do when we're evaluating any service. That applies to any service. Whether it's an audit related service or a non-audit service, we require all our teams to apply that rigorous standard. We would look at things like: is there a risk of self-review? With the CPS 220 work there was no risk of self-review because the results of the CPS 220 triennial review do not form part of the financial statements. They do not form part of the internal controls over financial reporting, so there was no self-review threat with the CPS 220 work.
Mr Johnson strongly reiterated this point in later evidence, stating that 'to be absolutely clear: there is not an ounce of doubt that this is a permitted service under the laws and rules of independence in Australia'.
ASIC affirmed that the auditor independence requirements under the Corporations Act were not compromised by EY performing the CPS 220 review for NAB, commenting in an answer to question on notice:
While there is no requirement for the auditor to provide the CPS 220 risk management opinion, there is no necessary incompatibility in the auditor providing such an opinion under the Corporations Act 2001.
Importantly, ASIC also pointed out that, in considering whether the independence requirements of the Corporations Act and Code of Ethics have been complied with in relation to the provision of non-audit services, such as EY's CPS 220 review for NAB, all the relevant facts and circumstances need to be taken into account. ASIC advised that 'this may include consideration of fee dependency questions or concerns if the risk management work was found to be deficient in the external audit'. ASIC continued that any CPS 220 assurance services should be small compared to the fees for statutory audit services provided to an entity, which in this circumstance, the figures suggest to be the case. EY's fee for undertaking the CPS 220 review for NAB was $450,000, as compared to $10.4 million for the provision of statutory audit services for the bank to the end of September 2018.
In addition, ASIC commented that the extent to which the provider of work relating to CPS 220 should be independent of a bank is ultimately a matter for the directors of that bank and APRA. ASIC further noted that CPS 220 permits the use of internal auditors who may be employees of the bank to conduct the required triennial review.
On this point, Mrs Walker from EY reminded the committee that there is a distinction between statutory auditor independence as required by the Corporations Act, and the operational independence APRA requires of persons engaged to conduct a CPS 220 review:
APRA defines operational independence as being where someone has not been involved in 'the development or implementation of the framework, or the activities under review'. We have extensive regulations around statutory auditor independence that cover…everything from financial interests, loans and guarantees, business relationships, family and personal relationships, recent service with an audit client, serving as a director or officer, employment with an audit client, and temporary personnel arrangements as well as non-audit services. These are extensively regulated. It means that EY and Sarah would not have provided any services involving the development or implementation of that framework, so EY met the operationally independent standards set by APRA as well as being independent as per the statutory audit requirements in the Corporations Act in the auditing standards and in APES 110.
The committee questioned representatives of NAB and EY as to how the iterative drafting and 'no-surprises' approach reportedly put forward in EY's proposal to undertake the CPS 220 review is reflective of an appropriate independent relationship between the bank and its auditor. Mr Chris George, Professional Practice Director at EY, clarified:
No surprises is a very common request that we and all audit firms would get from all of their clients. It doesn't mean a cosy relationship. It means: tell us things upfront so that we can deal with them and make sure they've been appropriately treated in the financial statements. It just forms the basis of good professional service.
If you're characterising a no-surprises approach as a cosy relationship, that is not how we see it characterised. It's about communication and dealing with matters upfront so that they can be appropriately dealt with and treated in financial statements.
Mr Johnson repeated this view, underlining that 'no surprises does not mean no disagreement', but rather it means 'timely communication on the identification of issues'. Mr Johnson continued:
Whether this be in the audit context, CPS 220 or any major review, these are large exercises that are complex and require detailed project management, milestones to be met and matters to be resolved. Fundamental to completing an effective and efficient quality audit and an effective and efficient CPS 220 is that there is an understanding between all the stakeholders—in the case of an audit, that is the board members, management and auditors—that issues, as soon as they are identified, will be resolved so that each of those stakeholders can work through and be comfortable at the end of the day in signing off on a report—in the case of an audit, that it's true and fair; in the case of a CPS 220, that it meets the appropriate guidelines set out by APRA.
Evidence from representatives of NAB concurred with this view. For example, Mr Shaun Dooley, Group Chief Risk Officer at NAB, suggested that the drafting approach used by EY—whereby relevant management at the bank had the opportunity to correct any facts, seek clarification on recommendations, and start necessary work to address findings—ultimately led to a more useful CPS 220 report. Mr Dooley elaborated:
We had conversations in terms of seeking clarification, providing fact checking, seeking examples—in fact, the final report was longer. It was about four pages longer than the first report. It was much more actionable, therefore—because it was more actionable—it was more useful to me as a risk manager to address the issues that were highlighted in the report. So we could establish a program of work. We've stood up a lot of resources since the CPS 220 report was finalised, since our self-assessment report was published, to ensure that we are addressing the issues that were highlighted.
Separation of audit and non-audit services
In the United Kingdom (UK), in April 2019, the Competition and Markets Authority (CMA) recommended an operational split between the audit and non-audit practices of the Big Four to address the perceived conflicts between audit and the other service lines of the largest firms. As outlined in the CMA's final report of its statutory audit services market study:
This remedy would require the Big Four to put in place a strong strategic and operational split between their audit and non-audit services practices, including separate governance and strategy, separate accounts and remuneration policies, and no profit-sharing between audit and non-audit.
The aim of this is to ensure auditors' full focus is on conducting high quality audits, without their incentives being affected by the much greater revenue and profits from the non-audit side of the firm.
The CMA recommended that the UK Government put in place the operational split initially at the Big Four firms, but that the regulator be able to add other firms in later years should they grow closer to the Big Four's size. While the CMA outlined the likely elements of the operational split, it specified that the regulator should be given the powers to design the specific details of the proposed remedy and refine it over time.
Professor Fels supported implementation of an enforced separation of functions between audit and other services offered by firms in Australia, contending that such a measure should take the form of a law which stipulates that no auditing firm should provide consulting services to any business.
However, unlike the recommendation of the CMA in the UK, Professor Fels argued there be a more substantial, full structural separation between audit and non-audit services, contending that 'separation of the two functions would be a much cleaner, simpler and less costly way to deal with the problem'.
Professor Fels put forward numerous reasons as to why he believed there should be a total structural separation, including that:
there is an actual and perceived conflict of interest when an audit firm is also seeking to undertake consulting work, for an audited entity or others;
inherent conflicts of interest already exist in the same firms providing external auditing services to entities on a yearly basis; and
it would be prudent to adopt total structural separation from the start, rather than incur costs of an alternative 'compromise solution'.
Commenting on the operational separation proposed in the UK, Professor Fels expressed the opinion that such a measure could have possible impacts on competition between audit firms:
It seems to me that a measure of that sort has its own problems. Let me give you one example. Supposing a business is auditing business A. It can't do consulting for business A but it does consulting for business B, who is a competitor. There's already a looming problem. Knowledge acquired about either A or B may be used in relation to its competitor. There would need to be numerous safeguards for that, and they would be messy. That's one reason that I am concerned about halfway house resolution of this.
Mr Porter from the G100 disagreed with Professor Fels' view:
I noted the comments from Professor Fels, but consulting firms themselves will consult to a large number of businesses in the same industry. That is why they're valued by corporates, because of their breadth of industry expertise and the insights that they can bring.
Mr Amir Ghandar, Leader, Reporting and Assurance, Chartered Accountants Australia and New Zealand (CA ANZ), also sought to highlight that the CMA, in carrying out its market study, chose not to pursue proposals for full structural separation of audit and non-audit services. The CMA made this decision on the basis that such a measure could have significant negative consequences, including a detrimental effect on audit efficiency and quality. Additionally, Mr Ghandar noted that the CMA found structural separation could have considerable competition implications, particularly for smaller firms, by making them less resilient, more dependent on audit clients, and less able to invest in technology and retain/recruit qualified staff.
Adjunct Professor Stuart Kells drew the committee's attention to the practical implications of structurally separating the Big Four firms, commenting that the 'practicalities of doing that, we think, are probably prohibitive'. Adjunct Professor Kells elaborated:
I think it's really important to think about how it would play out in a practical sense. Say you said, for example, to PwC in Australia—because these are international franchises obviously—'From now on in Australia you can only do auditing. You're going to do a narrow conception of external financial auditing.' They are a big multiservice firm. How are you going to implement that? Does it mean that on day two all of the consulting people leave, or that they are in different organisations that have different brands? All of those partners bought into that firm based on the multiservice thing that was PwC. On day two when it's called 'Jim's Consulting' it is a very different thing. Do we need to compensate them for that? Do we need to think about any kind of practical implementation issues? So that's what we are getting at when we say there are all sorts of curly issues.
Submitters and witnesses from the Big Four and other industry stakeholders opposed any form of separation, either structural or operational, being introduced in Australia, with most arguing that such a course of action would be detrimental to audit quality.
PwC were concerned that operational separation would negatively impact audit quality by limiting firms' access to multidisciplinary capabilities, both through impaired ability to attract highly skilled staff and to effectively meet evolving client needs:
In today's world, the best talent seeks out jobs that have optionality in career paths, and joining a multidisciplinary firm with a global footprint is a significant enabler for us to attract the best and brightest minds. We also believe the future scope of audit is likely to broaden considerably, with the skills that reside outside the traditional audit business becoming increasingly important to meet stakeholder expectations.
Likewise, Mr Johnson from EY asserted that access to the specialist expertise provided by a multidisciplinary business model is integral to audit quality:
Audit quality being paramount, then, in my view, the access to subject matter experts is paramount. We touched on valuation today. These are very complex areas. Taxation is a very complex area. Technology is a very complex area. I see that structural separation would reduce audit quality because the access to those necessary skills would be reduced or limited.
RSM Australia (RSM) agreed that multidisciplinary firms are necessary to ensure auditors have access to sufficient in-house expertise to effectively complete their audits. RSM was, therefore, not in favour of any enforced separation between firms' audit and other services. RSM continued:
However, in our view, it is possible to have an effective, thriving
multi-disciplinary practice, with deep expertise in areas that may support audit quality, such as taxation and valuation, by providing consulting and associated services to the remainder of the market, without the need to provide such services directly to audit clients.
The G100 submitted that separation into 'stand alone' audit firms would be attempting to address a conflict of interest situation which, in its opinion, does not exist, while in reality increasing costs and reducing audit quality and effectiveness.
The IPA-Deakin SME Research Centre suggested that, on balance, any benefits gained from restricting non-audit services with a view to enhancing audit independence are likely to be outweighed by the costs associated with firms not benefiting from the deeper understanding of clients attained through a multidisciplinary business model. The Centre continued:
In our opinion, there is a range of alternative and far more influential measures that, if implemented correctly, would be far more effective at enhancing audit quality rather than banning an auditor from providing NAS.
ASIC also pointed to the potential negative impact of an operational split on audit quality as a result of not having ready access to expertise and possibly limiting the ability of audit firms to attract and retain staff.
Recognising the need to support efforts to improve audit quality and maintain stakeholders' trust and confidence, inquiry participants presented some alternative solutions to enhance existing auditor independence safeguards in relation to non-audit services. Mainly, inquiry participants suggested the adoption of industry-wide definitions of non-audit services categories, as well as reflective changes to the current fee disclosure framework (as required under AASB 1054).
Industry-wide definitions and associated fee disclosure
Presently, there are no industry-wide definitions of the non-audit services an auditor may perform, and indeed, current practice is that reporting entities develop their own criteria as to what constitutes the different categories of services (for example, audit-related or other assurance services) as reported in entities' financial statements.
Demonstrating this point, Mr Lennon explained that NAB:
…have devised a policy for us on the classifications which we think is appropriate and sensible. But, when you look around other banks and how they have classified, you can see that there are some inconsistencies with how different banks or different firms have taken a different approach. I think everyone has addressed it in an appropriate manner, but, just by the fact that there aren't overriding guidelines, it does lead to the possibility of inconsistencies. I think that would be helpful, actually.
Mr Bernie Szentirmay, National Head of Audit Quality at KPMG, noted that, generally, reporting entities have disclosed fees relating to statutory audit and other services provided by their auditor under three 'buckets'. However, there are inconsistencies in the marketplace as to which services are categorised under each bucket:
There are generally three buckets. There are financial statement audits, which I think are relatively clear; there's an understanding in the marketplace of what they mean. Then there are audits of regulatory matters, which are required under law. And then there's, kind of, a third bucket, which is other assurance services. They're not necessarily required by law, but the auditor is applying assurance standards. I think that's where the lines blur a little bit and there is some inconsistency in the marketplace.
Industry stakeholders were of the broad view that the market would benefit from clearly and consistently defined categories and associated fee disclosure of non-audit services, noting that this would provide increased transparency and clarity around the appropriate nature and value of such services.
The Australian Institute of Company Directors (AICD) noted that, currently, non-audit services are essentially defined as services other than services related to the conduct of an audit. The AICD characterised this all-purpose definition as 'unhelpful', and later noted:
The current definitions of what is audit work, audit-related work and
non-audit work are unclear. Limited assistance is provided by the statutory definition in the Corporations Act. These definitions are of critical importance to directors who are under a statutory obligation to disclose expenditure of those amounts, as already discussed.
The AICD believes that this is an area where further regulatory guidance to assist companies and audit firms classify their work, including other types of assurance work, would be beneficial. This will assist in better reporting of how payments are made from companies to audit firms and for what kind of services.
Welcoming discussion of measures to mitigate perceived conflicts associated with non-audit services, Deloitte also highlighted the benefit of better defined categories of services and associated fee transparency in listed entity reports:
This would mean the market could consider audit-related and other assurance services and fees separately from other non-audit services and fees. This would allow investors, shareholders and regulators to better evaluate the independence of the auditor.
Similarly, EY asserted that 'a lack of guidance as to how to categorise
non-audit services has led to inconsistencies in how companies disclose these fees in annual financial statements'. EY further submitted that disclosure of fees for services provided by a firm should be made according to the framework illustrated in Figure 4.2 below.
Figure 4.2: EY's proposed audit and non-audit services disclosure framework
Source: EY, Submission 29, p. 5.
The AUASB has observed inconsistencies in the disclosures of fees paid to auditors, including how the nature of other services provided are described. While not specific with regard to proposed categories of non-audit services, the AUASB recommended:
…a clearer framework is adopted in the reporting of fees to the auditor in the financial report, which discloses fees that are related to and complementary to the audit separately from those that are not related to or complementary to the audit. This would improve the information of the nature of non-audit fees paid to the audit and allow users to make informed judgements in this area.
CPA Australia noted that in the United States (US), the Securities and Exchange Commission requires companies to disclose fees paid to external auditors for the two most recent years according to four categories—'audit', 'audit-related' (being fees reasonably related to the performance of the audit or review of the company's financial statements), 'tax', and 'all other' fees. Companies are also required to provide a narrative description in relation to other fees. CPA Australia recommended the required disclosure of fees paid to auditors in 'useful' categories, such as those applied in the US. CPA Australia further added:
To assist in fulfilling these requirements, issue guidance to clarify which fees fall within each category. This would enable better differentiation between NAS which need to be conducted by the auditor of the entity and NAS which could give rise to a conflict of interest and consequently a threat to independence that needs to be mitigated.
The G100 drew attention to fact that, although audit and other service fees paid to the auditor are currently required to be disclosed by Australian listed entities, there is no such obligation for those entities to disclose fees paid to firms that do not conduct the audit of their financial reports. Consequently, the G100 explained, 'there is no public information on an entity-by-entity basis disclosing how much in consulting or other fees are paid to accounting firms that are not the company's auditor'.
Also noting this apparent gap in disclosure, the APESB suggested that, in addition to the different categories of fees received by auditors as suggested above, implementing more prescriptive disclosures whereby fees paid to firms other than an entity's auditor may enhance the transparency of an entity's use of the services provided by firms.
Greater clarity on prohibited services
In the US, the Sarbanes-Oxley Act of 2002 (SOX) prohibits auditors from providing specified non-audit services to audited entities. Additionally, SOX prohibits any other service deemed through regulation as impermissible by the Public Company Accounting Oversight Board (PCAOB). Some submitters advocated a similar approach be adopted in Australia, with more prescriptive regulatory guidance on what constitutes prohibited non-audit services.
The Australian Shareholders' Association, for instance, stated that it 'would like a clear definition of acceptable audit, audit-related services and non-audit services that a firm may provide to a company'.
CPA Australia submitted that changing perceptions and expectations with regard to which non-audit services are acceptable to perform in conjunction with an audit have created uncertainty amongst auditors. CPA Australia continued that greater clarity regarding acceptable and unacceptable non-audit services would provide auditors with certainty regarding requirements and expectations.
Mr Andrew Rigele, National Managing Partner, Audit and Assurance, Grant Thornton, contended that regulatory requirements regarding what an auditor or firm can or cannot do with respect to non-audit services need to be clearly defined such that there is no ambiguity in marketplace understanding:
Mr Rigele: There have, to date, been strong ethical rules around what an auditor or audit firm can do and can't do in terms of non-assurance services and other assurance services to date. To us, it's a pretty clear market expectation or that expectation gap that everyone talks about around that sentiment. I think the audit profession needs to act to that and perhaps look at something where it's clearly defined what we can and cannot do—
Senator O'NEILL: Which is the US system, as revealed to this committee clearly in the evidence from ASIC.
Mr Rigele: Yes, that's right. I think we need no ambiguity around it. We need to get to a stage where everyone understands the platform. One person's perception is reality and I think we just need to react to that.
Senator O'NEILL: Clean it up and make it clear?
Mr Rigele: Make it clear…
BDO Australia (BDO) also argued that there is a need to clarify and strengthen the independence rules relating to non-audit services, and suggested:
…the way to do this is to better define the list of non-audit services that are prohibited. Using the guidance set out in APES 110 we suggest that a detailed list of prohibited services be developed. This should result in a clear differentiate between assurance services that can be provided by the auditor and non-audit services that are prohibited.
Mr Timothy Kendall, Partner at BDO, expanded on this point in evidence to the committee:
Senator WHISH-WILSON: …Do you think this [the APES 110 standards] is too subjective? Does it need to be more prescriptive than what's already here?
Mr Kendall: That would be our view.
Senator WHISH-WILSON: Really?
Mr Kendall: That is generally a principles based standard. There are some specific prohibitions in there, but we believe that you'd get greater outcomes if you were more definitive on what those prohibited services were so that there was absolute clarity that these particular things could not be done by the auditor. It may be—
Senator O'NEILL: Because it takes away the self-assessment determination—
Mr Kendall: That's right—
EY also supported the development of a list of prohibited non-audit services in order to provide increased assurance that potential conflicts of interest arising from the provision of such services are being appropriately managed. EY elaborated that incorporating:
…this list of prohibited non-audit services in the Australian Auditing Standards would formalise the existing Corporations Act requirements and the APES 110 framework to inspire greater public confidence in the management of non-audit services provided to audit clients by auditors.
EY further suggested that an auditor's independence declaration, as required under the Corporations Act (see paragraph 2.39), could then also be extended to require that the auditor explicitly attest that no prohibited non-audit services were provided to the audited entity.
Other proposed enhancements
In addition to the above, some submitters and witnesses suggested other possible changes to the current regulatory and professional standards framework in order to further enhance auditor independence.
Mandatory partner remuneration safeguard
While noting its own policy of not remunerating audit partners for selling
non-audit services to audit clients, KPMG took the view that this approach should be extended across the audit profession. Specifically, KPMG submitted:
We support revising the Code of Ethics standard, APES 110, to include the concept that no audit partner can be remunerated for selling non-audit services to any audit clients of a firm, as a mandatory safeguard that all firms need to apply to mitigate risks of potential conflicts of interest.
The IPA–Deakin SME Research Centre shared a similar view, stating that 'regulators should ensure that audit firms build remuneration incentives around audit effectiveness rather than on an excessive focus on efficiency and profitability'.
Indeed, some firms noted that they have already adopted an approach whereby audit quality is a key determinant of a partner's remuneration. For example, representatives of EY noted that audit partners of the firm are assigned a 'quality rating' which ultimately affects the remuneration they receive. Mr Johnson explained:
When it comes to an audit partner, I've noted that audit quality is the No. 1 determinant. So it will play out in a number of ways. Assuming there have been issues, one would expect that would be a 'did not meet expectations'. That means there is actually a cap on the overall rating that that partner can get. There are a number. Audit quality is No. 1, but there are other dimensions that we have to measure partners as well. So there is a cap on that partner's overall rating that they cannot be above—I'll call it a 3 rating out of a 5 scale. That rating then feeds into their remuneration. So their remuneration has been reduced as a result of the rating…
Cap on non-audit services
Despite being of the view that the framework of legislation, regulators and companies' internal governance is working effectively with regard to the provision of non-audit services, KPMG suggested that, to provide further clarity and certainty, consideration could be given to capping non-audit services (excluding other assurance and audit-related services) for ASX 300 listed companies. KPMG continued that 'capping would involve allowing permitted non-audit services to be provided by the statutory auditor up to a set percentage of the fee paid for the statutory audit'.
When questioned by the committee as to what such a percentage should be, Mr Szentirmay from KPMG pointed to caps imposed under similar measures internationally:
It does vary. I think the UK has gone with a 70 per cent model over an average of three financial years. That's seen that as fit for purpose in that marketplace. We see a matter of practice here in Australia that some companies have already adopted this effectively as a matter of their own internal policy. But the percentages do significantly differ. It's probably where you get towards that kind of one-to-one ratio, of the cap being
100 per cent. There tends to be a broader view that perhaps some sort of natural limit is approaching that cap.
Auditor familiarity with audited entities
Another potential threat to auditor independence frequently raised in debate over recent years, internationally and domestically, is auditor tenure with corporate clients. While perhaps not as contentious as matters relating to the provision of non-audit services, questions have been asked about whether longer individual auditor or audit firm tenure could lead to an over-familiarity and, in turn, an erosion of professional scepticism necessary to perform
As summarised in Chapter 2, the Corporations Act and professional and ethical requirements in the APES 110 Code of Ethics set out auditor rotation and 'cooling-off' period requirements. For audits of listed entities, the Corporations Act prohibits audit partners from leading the audit of a company for more than five consecutive, or more than five out of seven successive, financial years. Former partners of an audit firm are also required to wait two years before taking up certain positions with the audited entity. The Code of Ethics largely reflects these Corporations Act requirements. However, to ensure alignment with international standards, the cooling-off period for engagement partners of listed or APRA-regulated entities has recently increased to three years, and will increase to five years from 31 December 2023.
Inquiry participants were generally of the view that Australia's existing audit partner rotation and cooling-off requirements are adequate and effectively reduce the threat posed to auditor independence through over-familiarity with the entities they audit.
The G100, for example, submitted that audit partner rotation has reduced the possibility of an auditor becoming too embedded with a client and being unable to maintain professional scepticism and independence. Mr Andrew Porter, Chair of the G100, reiterated this view in later evidence to the committee, stating that 'partner rotation has been successful and we would like to see that continue'.
Deloitte commented that existing requirements:
…strike the right balance between addressing the threats to independence created by long term relationships and the need to maintain relevant knowledge and experience to support audit quality.
Likewise, EY considered legislation in this area adequate, noting that academic research has generally found that longer tenure is associated with higher audit quality. EY further asserted that 'it should not be assumed that reductions in audit tenure will increase audit quality'.
Mandatory firm rotation
In overseas jurisdictions, mandatory firm rotation (MFR) has been proposed and, in some cases, implemented as a measure to avoid the familiarity risk posed by longstanding relationships between an auditor and client. For example, European Union (EU) audit legislation requires a maximum 10-year MFR for PIEs, extending to a maximum of 20 years if a public tender is conducted. However, as noted by several inquiry participants, some jurisdictions have subsequently reversed their policies on MFR, including South Korea, Brazil, Argentina, Singapore, Spain and Canada. Further, in the US, the statutory oversight body, PCAOB, has been explicitly prohibited from requiring MFR for public companies.
Noting responses to MFR internationally, most inquiry participants were opposed to such a measure being introduced in Australia. Several submitters and witnesses highlighted empirical research which does not support mandating the rotation of audit firms and, indeed, suggests that MFR could be detrimental to audit quality.
KPMG observed that, over the years, the majority of academic studies relating to audit firm tenure and audit quality have not supported MFR. In particular, KPMG noted the April 2019 the study on the EU Statutory Audit Reform requested by the European Parliament's Committee on Economic and Monetary Affairs, which concluded:
When we focus on firm rotation and auditor tenure in the auditor independence literature, the evidence generally shows that a longer tenure is not associated with lower quality audits and that mandatory rotation does not necessarily lead to enhanced audit quality.
Professor Michael Bradbury and Associate Professor Bryan Howieson pointed to a 2017 study which found mixed evidence on the impact of audit partner rotation on audit quality. That study also found:
There are offsetting costs and benefits of audit partner rotation.
Rotation from an industry specialist to a non-specialist audit firm reduces audit quality.
Rotation from a non-specialist to a specialist auditor results in no change in audit quality, unless the audit firm is also an industry specialist.
The AUASB submitted that audit firm rotation can result in increased costs, for instance through organisational disruptions, start-up costs associated with building required client knowledge, and a loss of the outgoing auditor's
client-specific knowledge. The AUASB further noted that this loss of knowledge could impact on the quality of audit services delivered, and cautioned that:
It is important that any enforced requirements relating to the rotation or audit partners and/or firms does not have any unintended consequences and negatively impact audit quality. Any legislative consideration should be based on evidence relevant to the circumstances of the Australian market.
Similarly, CPA Australia commented that while audit firm rotation may improve stakeholders' perception of auditor independence, much of the academic research on the issue has found that 'longer tenure is associated with quality and the early years of tenure with relatively lower audit quality'. CPA Australia also reflected on the possible application of MFR to the Australian market:
In Australia, being a relatively small capital market with companies geographically widely spread, mandatory firm rotation could result in difficulties in some companies finding a suitable auditor with the appropriate specialisations in required locations.
While not advocating the introduction of MFR in Australia, submitters and witnesses presented other suggestions to improve transparency and clarity relating to audit firm tenure and tendering. In particular, inquiry participants proposed additional disclosure with regard to audit firm tenure, as well as consideration of a mandated tendering regime.
Disclosure of audit tenure
The Australian Shareholders' Association argued that there should be clear disclosure in companies annual reports around the appointment and engagement of the external auditor, further asserting that 'at a bare minimum, the date of the audit firm appointment, current audit partner’s commencement and most recent tender date should be clearly stated in the annual report'.
PwC also supported additional disclosure whereby companies include the length of tenure of their audit firm as well as lead partner tenure in their annual report.
KPMG echoed this view, stating that mandating explicit disclosure of auditor tenure should be considered for the Australian market. KPMG also noted that such disclosure is mandated in the US, where PCAOB auditing standards require specific disclosure of auditor tenure in the auditor's report.
Similarly, EY submitted:
Legislation and regulatory guidance should be developed to require a report to shareholders, as part of an annual report, by directors or the audit committee addressing auditor appointment and tenure…The ASX Corporate Governance Council might consider providing guidance on this in the absence of legislation.
Grant Thornton also suggested the ASX's disclosure requirements as a potential avenue for increased disclosure relating to audit tenure:
…we would support amendments to the ASX Corporate Governance Disclosure requirements in relation to an explicit statement by Those Charged with Governance in cases where they have retained the same audit firm for 10 or more years in order to provide transparency on the perception of audit firm rotation.
Mandated tendering regime
Noting a lack of evidence to support any improvements to audit quality gained through MFR, and that there are already audit partner rotation requirements in place, CPA Australia submitted that consideration:
…might be given to adopting as best practice, audit tendering at reasonable intervals. This could be done through ASX listing rules or Corporate Governance Principles and Recommendations. For example, suggesting tenders every 10 years may be worth exploring to avoid very long tenures which create a lack of independence of appearance.
KPMG also supported consideration of a mandatory tendering regime, noting that this may increase transparency and better safeguard audit quality than MFR. However, KPMG suggested that mandatory tendering, if implemented, could take the form of a 'comply or explain' regime, where companies are required to put audits out for tender based on a certain timeline or must otherwise explain to shareholders why this has not occurred.
The Australian Shareholders' Association also noted its support for such a regime:
[The Australian Shareholders' Association] believes that good corporate governance mandates that audit firms should be reviewed periodically and there should be a competitive tender for the external audit every 10 years (or sooner where audited accounts have been shown to be deficient, inaccurate and in breach of the accounting standards)…Beyond 10 years with the one auditor, the audit committee should disclose in the Annual Report the rationale and intentions for maintaining independence of the external auditor.
Mr Ghandar from CA ANZ described a similar mandated tendering approach, although he suggested a longer tenure review period of 15 to 20 years:
…we would like to see that tackled through an 'if not, why not?' governance approach where boards would be tasked with reviewing their auditor's tenure at least every 15 to 20 years and, if they don't put the audit out to tender and change auditors, with explaining why that is.
Many of the issues raised during the inquiry appear to stem from incomplete information or presumptions. In this regard, the committee stresses the importance of distinguishing between issues that impact on audit quality 'in fact', versus those that are a matter of perception. For example, it may be that the provision of non-audit services has no actual discernible impact on audit quality. And yet, the provision of non-audit services may impact the perception of independence which, as a consequence would impact the perception of audit quality. The committee acknowledges that perceptions are important even though they are not the same thing as an actual variation in audit quality outcomes.
The committee agrees with the majority of stakeholders that there is scope to tighten rules regarding auditor independence, particularly as it relates to the provision of non-audit services. Even if they do not materially improve audit quality, measures which enhance transparency of auditors' independence are likely to improve stakeholders' perceptions of audit quality and thereby improve confidence and trust in capital markets.
With this in mind, the committee considers that conflicts of interest and auditor independence need to be an ongoing focus area. Regulatory approaches regarding auditor independence need to keep pace with changing community expectations. Indeed, extensive legislation, standards, and professional and ethical safeguards surrounding the provision of non-audit services notwithstanding, the committee is acutely aware of the concerns and expectations expressed by some stakeholders regarding auditor independence when an audit firm also provides other services to an audited entity.
The committee therefore considers it timely that further measures are undertaken with respect to the provision by an audit firm of non-audit services and auditor independence declarations. In developing and consulting on such measures, appropriate consideration should be given to the merits of reforms implemented in international jurisdictions, such as the US Sarbanes-Oxley Act of 2002.
In making the following recommendations, the committee is mindful of the need to balance concerns regarding the provision of non-audit services against the level of expertise and resources that are required to conduct the audits of large, increasingly complex entities. The committee is of the view that multidisciplinary firms with specific expertise in specialised areas are best placed to deliver high-quality audits that address the needs of modern businesses.
Further, the committee is aware that these changes have both costs and benefits. The committee has taken a prudent approach of addressing the threats to auditor independence (real and perceived), noting that there is a risk that more radical measures to enhance auditor independence could result in a trade-off in other equally important factors, such as auditor competence.
The committee recommends that the Financial Reporting Council, in partnership with ASIC, by the end of the 2020–21 financial year, oversee consultation, development and introduction under Australian standards of:
defined categories and associated fee disclosure requirements in relation to audit and non-audit services; and
a list of non-audit services that audit firms are explicitly prohibited from providing to an audited entity.
The committee recommends that the Corporations Act 2001 be amended so that an auditor's independence declaration is expanded to require the auditor to specifically confirm that no prohibited non-audit services have been provided.
The committee recommends that the Accounting Professional and Ethical Standards Board consider revising the APES 110 Code of Ethics to include a safeguard that no audit partner can be incentivised, through remuneration advancement or any other means or practice, for selling non-audit services to an audited entity.
Evidence to the committee noted that the implementation of mandatory firm rotation in other jurisdictions to date has been largely unsuccessful. Indeed, a number of countries have chosen to repeal their mandatory firm rotation policies or, in the case of the US, explicitly prohibit their introduction. Further, any potential repercussions of the 10-year mandatory firm rotation regime in place for PIEs in the EU are yet to be seen. On this basis, and noting the inherent costs that would be incurred through organisational disruption and losses in client knowledge, the committee considers that it would be unwise to propose such a measure be introduced in Australia.
The committee is confident that the current and proposed legislative and professional requirements on audit partner rotation and cooling-off periods are operating effectively to manage threats to auditor independence posed through longstanding auditor tenure. However, in the interests of supporting stakeholders trust and confidence in audit and, by extension, corporate governance relationships, the committee believes that transparency around auditor tenure can be improved.
The committee is of the view that introducing a requirement for disclosure of auditor tenure by corporate entities is a relatively simple and low-cost regulatory change that would have considerable benefits for stakeholder perceptions of Australia's audit market. Likewise, the committee considers that a 10-year mandatory tendering regime, under which corporate entities may elect not to undertake a public tender process as long as the reasons for not doing so are disclosed to shareholders, would strike the right balance between providing stakeholders with improved visibility of auditor-client relationships, without imposing significant regulatory burden or enforcing losses in client knowledge.
The committee recommends that the Financial Reporting Council, by the end of the 2020–21 financial year, oversee the revision and implementation of Australian standards to require audited entities to disclose auditor tenure in annual financial reports. Such disclosure should include both the length of tenure of the entity's external auditor, and of the lead audit partner.
The committee recommends that the Corporations Act 2001 be amended to implement a mandatory tendering regime such that entities required to have their financial reports audited under the Act must:
undertake a public tender process every ten years; or
if an entity elects not to undertake a public tender process, the entity must provide an explanation to shareholders in its annual report as to why this has not occurred.
The committee further recommends that such a tender process be implemented by 2022 for any entity that has had the same auditor for a continuous period of ten years since 2012.