Consideration of the wider financial reporting framework and the roles that key stakeholders within that framework play with regard to audit quality highlights the existence of a disconnect between the regulatory requirements of an audit and auditors, and the general public's expectations regarding the functions of an audit and auditors. This apparent disconnect, widely referred to as the 'expectation gap', has been recognised within the audit profession for many years.
Indeed, in August 2002, the Joint Standing Committee on Public Accounts and Audit commented on the expectation gap in its Review of Independent Auditing by Registered Company Auditors. That report stated:
…there is a strong sense that much of the disquiet regarding apparent audit failures in cases of corporate collapses stems from an 'audit expectation gap'.
The expectations gap might be described as the misalignment between what auditors understand should, or can be delivered and what stakeholders, including the general public, expect auditors to deliver.
Mazars reflected on how the expectation gap has influenced, and undeniably continues to influence, debate and public commentary regarding the role and quality of audit:
The expectation gap creates significant friction when considering the role and quality of audit, especially as these matters are considered and debated in the press and public forums. The audit profession has significantly increased the scope of the work required in an audit through continuing development of professional standards. Unfortunately, there remains a public understanding of the role of the auditor that is at odds with the actual role of the auditor under legislation and contractual provisions of appointment.
This chapter examines the expectation gap as it relates to perceived responsibilities to detect and prevent fraud and misconduct, and the assessment of a company's ongoing economic viability. Proposals to expand the scope of audit in order to help address the expectation gap are then explored, including a discussion of digital financial reporting as an enabler for technology-driven changes in analysis and auditing.
Expectations regarding fraud, misconduct and economic viability
As raised by numerous submitters and witnesses, the expectation gap is most evident with regard to financial report users' understanding of the auditor's role in preventing and detecting fraud and misconduct, and in assessing a company's economic viability. The relative responsibilities of directors and management versus those of auditors in these areas are often misconstrued, and the outcomes achievable by an audit overestimated.
BDO Australia summarised in layman's terms what some users expect from an audit:
Auditors have a number of responsibilities, but the main thrust of audit is currently aimed at the financial statements. Although our responsibilities are clear in law and regulation, it is also clear that this is not readily understood by users and indeed falls short of the extent to which many of them want the auditors to be involved.
Put simply in lay terms, we believe users want auditors to be involved in: 'checking the financials are right' [currently the fundamental objective of an audit], 'checking that the control environment is sound', 'checking for management fraud', and 'giving some confidence that the company is going to continue in existence'.
This apparent distinction between auditors' duties and public expectations was clearly demonstrated in evidence from Mr Chris George, Professional Practice Director, Oceania, EY, pertaining to the audit of payroll transactions:
Ms HAMMOND: I have one final question, in relation to a number of organisations or companies—and I'm not going to name any—who have recently been found to have been systematically underpaying employees. To what extent, under our current audit frameworks and processes—and this gets, I think, to the sampling question—could auditors have picked up on this?
Mr George: It's a good question. I think it also relates to one of the recommendations we have made in our submission, around, 'Are audits meeting public expectations and the needs of users in areas broader than the financial statements?' In a typical financial statement audit, when any auditor is auditing payroll, we are making sure the transaction that has been entered into with a third party—an employee, a customer, a supplier—is recorded in the financials at the value it was transacted at. As I mentioned earlier, we have requirements around compliance with laws and regulations. They are to satisfy ourselves that the company understands what its laws and regulations are and has processes in place to deal with them. We're not required to audit those processes. When it comes to payroll we would typically make sure there is an approval of an amount of payroll being made. We're looking to see that the dollars that have been paid to the employees have been approved appropriately. Our audit would not necessarily go to the extent of looking at awards for individual employees. We would ask questions of the company around whether they were aware of the audits they needed to comply with and that they had processes in place to do so.
Auditors' duties in relation to the detection of fraud and misconduct are limited to that which would have a material impact on the audited entity's financial statements. Australian Auditing Standards explicitly recognise that there are inherent difficulties in an auditor's ability to detect fraud and misconduct, and that the primary responsibility for the prevention and detection of fraud and non-compliance with laws and regulations rests with those charged with governance and management of an entity (see paragraphs 2.22–2.25).
Likewise, the primary responsibility for the economic viability of an entity also rests with its management and directors. An auditor's role in this respect is limited to evaluating and concluding on the appropriateness of management’s assessment of the entity’s ability to continue as a going concern (see
In relation to this, the Group of 100 (G100) drew attention to the obligations of directors and management under the continuous disclosure regime applicable to Australian-listed entities, the requirements of which are not a feature of most other jurisdictions. The G100 submitted:
It is important to note that auditors are not responsible for opining on continuous disclosure matters—this remains the responsibility of the Board which reinforces the very salient point that ultimately it is the Board who are responsible to the shareholders for the operation of a company, for its internal controls and for its financial statements.
Link between corporate collapse and audit
As mentioned previously, concerns about audit quality, particularly internationally, have stemmed primarily from high-profile collapses of corporate entities in recent years. These corporate collapses have led to perceptions of audit failure, or at the very least, a loss of trust in corporate reporting and audit.
Some inquiry participants sought to clarify such perceptions. For example, Professor Peter Wells submitted:
Concerns about audit quality are frequently expressed, and there are instances of perceived 'failure'. However, corporate failure should not be attributed to auditors, this is the responsibility of managers and directors. The concern here should be limited to 'financial reporting' failures and this is jointly attributable to managers, directors and auditors.
Chartered Accountants Australia and New Zealand (CA ANZ) made the point that an auditor makes an assessment of a company's financial viability at a particular point in time and cannot predict future events. Circumstances in a company or economy can change quickly and therefore, company failure does not necessarily mean there has been an audit failure.
Deloitte expressed the opinion that 'even the best audit cannot prevent all forms of corporate collapse', further contending that 'companies fail for many reasons, and there is no systemic, causal link between corporate failure and audit quality in Australia'.
Mrs Jody Burton, Chief Risk Officer at Deloitte Australia, reiterated this point in later evidence, also underlining that the opinion expressed in an auditor's report is based on the particular circumstances that existed at the point in time the report was signed:
Senator O'NEILL: Deloitte was the auditor of the failed Hastie Group. When a company fails, and an auditor has signed off on the accounts, to what extent can we question the role and responsibility of the auditor?
Mrs Burton: You're quite correct. Deloitte were the auditors of Hastie. But, I think, as you've noted in relation to corporate collapse, companies fail for many reasons. Those reasons can be internal factors as well as the external environment. It can be in relation to economic conditions. It can be a disruption to the industry or the business model. It can be the strategic choices or the financial decisions made by an entity's management. We're unable to advise on those choices.
The definition of 'going concern' is essentially whether a company can pay off its debts as and when they fall due within a 12-month period. That opinion is struck at the date of signing the audit opinion by the directors of the company and by the auditor. Essentially, circumstances can change after that event, so it's based on the set of circumstances that exist at the point in time.
Professor Allan Fels AO also acknowledged there are key factors other than audit quality that may ultimately lead to corporate collapse:
Oh, yes. The main cause of corporate collapses is not typically a failure in auditing, but it can be a contributing factor. It looks bad, and the better the auditing the fewer the collapses.
Expanding the scope of audit
Generally, efforts to address the expectation gap have focused on better educating the business community, media and other stakeholders about the role and scope of audit. However, the success of this approach has been limited at best, and some argue that the expectation gap is in fact widening with the increasing complexity of the business environment in which the audit profession operates.
On this point, Deloitte submitted:
What society expects of business is fundamentally changing, and the kind of assurance that is needed is evolving with it. It is no longer only about what is required by standards and laws. This has driven an increasing 'expectations gap' between the role audit is intended and required to play versus the role that some expect audit to play. To that end, there is a gap between the audit product dictated by current audit and accounting standards and the expectation by some that audit provide more—from additional assurance across a business' functions to enhanced perspectives on fraud and misconduct, to judgments of long-term financial viability.
Stakeholders now look to auditors for deeper insights that focus on risk, operations and financial performance to better understand an organisation's future viability, as well as insights that contribute to a forward-looking agenda.
While the drivers of the expectation gap are arguably a matter of perception for the most part, addressing the gap is an important factor in the debate about audit quality, as audit quality is ultimately assessed by the market through the investment decisions made. Several inquiry participants supported moving away from the usual education-based approach to addressing the expectation gap and suggested that, alternatively, expanding the scope of audit to better meet users' needs be considered.
RSM Australia, for instance, expressed the view that previous attempts to narrow the expectation gap have failed and consequently:
…the audit profession should consider the alternative that there may indeed be a 'delivery gap' between what an audit delivers and what the public have a right to expect. We therefore support an approach, after appropriate research, of changing the scope of an audit to better match public needs and expectations.
Similarly, Deloitte stated that 'it is time to move beyond the effort to continue to explain to investors and broader stakeholders what they should expect', and that 'it is time to take action to address the causes driving this gap'.
In accordance with that view, Mr Matt Graham, Managing Partner, Assurance at PricewaterhouseCoopers (PwC), commented that 'there is an opportunity there for us to, instead of talking about how wide that gap is, start to work as to how we might be able to close it'.
KPMG also argued that there are opportunities to expand the scope of audit, noting advancements in technologies as well as auditor and specialist skill sets:
With the market rapidly changing, and expectations along with it, we believe there are opportunities to evolve the function and scope of audit. Given the rapid rise of technology and the increasing sophistication of auditor and specialist skills, there are a range of possibilities to constructively expand the role of audit and auditors where there is market demand and it is beneficial to the operation of capital markets.
CPA Australia suggested that to address users' needs and expectations with respect to audited information, it is necessary to first identify the key users of corporate reporting, then determine users' needs and identify which are reasonable to meet, and finally identify services which could address those needs. While CPA Australia recommended a cost-benefit analysis to best determine ways in which users' needs could be met, it noted that primary needs are likely to include minimisation of unexpected corporate collapse, and prevention or early detection of fraud.
The Financial Reporting Council (FRC) supported key stakeholders exploring how the expectation gap can be addressed. However, it noted the importance of any changes to the scope of audit being considered in light of sufficient and appropriate evidence. In particular, the FRC advised that any expansion of auditors' responsibilities to specifically consider fraud or misconduct needs to consider the cost and benefits of doing so.
Professor Wells also highlighted the increased cost associated with extending the scope of audit to include endorsement of a company's ongoing economic viability and the detection of non-material fraud or misconduct, asserting that there is no economic rationale for extending audit to include these matters. Professor Wells noted that doing so 'would impact large firms and small firms, including those where this is less problematic', and contended that 'this is more appropriately considered a function of management and directors'.
Similarly, the G100 stressed that in considering any changes to auditors' responsibilities in relation to a company's economic viability:
Directors should not abrogate their responsibilities either in the financial statements or in continuous disclosure for informing the market and shareholders about any issues arising out of going concern. Equally, however, auditors need to be able to satisfy themselves that the going concern basis is appropriate. There may be scope for further explanation to stakeholders as to what work has been done to provide this assurance.
Strengthened reporting on fraud and assessment of going concern
Some submitters proposed that audit and financial reporting requirements relating to the detection of fraud and management's assessment of going concern could be strengthened, thereby helping to address public expectations through greater transparency.
For example, on the issue of detecting and preventing fraud, KPMG submitted:
We would support additional content being included in audit reports which communicates the auditor's obligations to detect or prevent fraud, and which further specifies the audit procedures undertaken to address the risk of material fraud as part of the audit.
The content should be tailored to the client based on specific knowledge of the relevant industry and avoid the use of 'boilerplate' language. Disclosures should enable a user to understand how fraud might occur, and the specific audit tests designed to enable the auditor to obtain reasonable assurance that the financial statements are free of material misstatement.
PwC suggested that consideration be given to requiring more deliberate analysis and company reporting on going concern, as well as whether such information should be subject to audit. PwC continued:
We also see merit in exploring whether auditors should be required to always include a key audit matter on going concern in their audit reports to provide context about the auditor's views.
Likewise, KPMG noted its support for implementing a new reporting requirement whereby the auditor of a listed entity provides a clear statement on whether management's assessment of going concern satisfies reporting requirements and, additionally, that the auditor sets out work done in this respect. Expanding on this point, KPMG argued:
We consider the need to address public expectations through greater transparency outweighs the additional costs that would be associated with these proposals, including those arising from the need for further regulation of both companies and auditors.
Enhanced corporate financial reporting
High-quality financial reporting and, by extension, high-quality audit, is reliant on strong internal controls over the information included in financial reports. Evidence arising from international jurisdictions suggests that measures which enhance corporate financial reporting in respect of companies' internal controls, particularly in relation to identifying and addressing fraud risk, can have a positive impact on audit quality. Such measures effectively minimise the expectation gap by promoting a strong framework of responsibilities within the wider financial reporting ecosystem.
In the United States (US), the Sarbanes-Oxley Act of 2002 (SOX)—introduced following the high-profile collapses of the Enron and WorldCom corporations—significantly expanded focus on the responsibilities of management and directors for internal control over financial reporting. Under SOX, management of issuers of securities are required to sign off and annually report on internal controls. Specifically, as outlined by the Australian Securities and Investments Commission (ASIC), section 302 of SOX requires company management to certify that they:
are responsible for establishing and maintaining internal controls;
have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;
have evaluated the effectiveness of the issuer’s internal controls within 90 days prior to the report; and
have presented in the report their conclusions about the effectiveness of their internal controls.
In addition to mandating these internal control procedures, section 404 of SOX requires the external auditor to report on the accuracy of company management's assertion that the internal controls in place on financial reporting are operational and effective.
In discussing the effectiveness and appropriateness of Australia's current legislation and regulation in supporting audit quality, submitters and witnesses broadly supported an internal control framework similar to that implemented in the US being considered in the Australian context.
Such an approach has also been considered in recent reviews relevant to audit quality in the United Kingdom (UK). Indeed, Sir Donald Brydon's final report of the Independent Review into the Quality and Effectiveness of Audit recommended:
That the Government gives serious consideration to mandating a UK Internal Controls Statement consisting of a signed attestation by the CEO and CFO to the Board that an evaluation of the effectiveness of the company’s internal controls over financial reporting has been completed and whether or not they were effective, as in SOX 302(c) and (d). This attestation should be received by the Board no later than 28 days before the accounts of the company for the relevant financial period are signed. The Board should then report to shareholders that it has received such an attestation.
While of the view that there is no single 'quick-fix' solution to holistically improve audit quality, ASIC submitted that 'good corporate financial reporting controls will assist with audit quality'. ASIC highlighted the following points in support of possible policy reforms similar to those effected in the US under SOX:
Evidence in the United States suggests the annual reports by management and auditors on internal controls have led to improved internal controls for processes supporting financial reporting, and to improved financial reporting and audit.
The reports and underlying processes are likely to result in increased confidence in audited financial reports and assist companies in accessing capital.
Grant Thornton supported measures to reinforce the role of directors and other stakeholders in the maintenance of an appropriate control environment and the preparation of high-quality financial statements. Grant Thornton elaborated:
We see the role of audit as part of a wider ecosystem where other stakeholders also have responsibilities. We note that quality has improved in the United States market with the introduction of greater responsibility and promotion of the role of directors in respect of their duties and the requirements of the auditor to report on the control environment.
EY pointed to evidence from the US (Figure 5.1) which indicates that the level of financial statement restatements from accelerated filers has significantly reduced since the SOX reforms were introduced.
Figure 5.1: Financial statement restatements from accelerated filers in the US
Source: Audit Analytics (2017 Financial Restatements), as cited in EY, Submission 29, p. 12.
Mr Gatt from Deloitte also explained this US evidence base to the committee:
Because of that focus on internal controls, we've seen that in the US the evidence base is that the quality of financial reporting has improved significantly. SOX came in in 2002 or 2003. We were talking before about ASIC's level of restatement. Here it's four to five per cent. In the US, the level of restatements of material issues peaked in 2005, as companies became used to SOX, at around 900 restatements of the listed companies. Basically, from there to 2018, that has dropped by around 85 per cent to where it's currently sitting now—about 120. By our calculations, that equates to about a 1½ per cent restatement rate. SOX has been a key part of that. Essentially management are personally accountable for the internal control system. We're not coming away from our responsibilities, but, essentially, all elements are covered.
Digital Financial Reports
The use of Digital Financial Reports (DFRs) is likely to be a significant enabler for technology-driven changes in analysis and auditing. DFRs can be read like a PDF document but also allow users, auditors and regulators to readily extract information electronically for analysis, comparison and risk assessment. However, DFRs are not widely used in Australia, hindering potential advances in analysis and auditing. The limitations on DFRs in Australia and options for resolving them are discussed below.
Current status of digital financial reporting
The current format of financial reports presents substantial challenges for users, including regulators, standard-setters and professional bodies, in terms of being able to access information. Financial information is often provided as text with variable formats, and extraction of data is time-consuming, expensive and subject to error. This impacts the transparency of information and the ease with which it is analysed.
Some digital information can be obtained from data aggregators, who digitise the contents of financial reports once they have purchased the reports from ASIC. While many users presently send financial statements overseas to have the data extracted, the accuracy is poor. Further, the Australian Accounting Standards Board (AASB) indicated that even after the data has been extracted, additional work and expense is required to get the data into a suitable form for analysis.
The relevant standards for DFRs appear to be in place. For example, the International Accounting Standards Board (IASB) has developed a taxonomy for tagging information in financial statements that enables the computerised extraction of financial information, referred to as 'eXtensible Business Reporting Language'.
Further, the committee received evidence that companies already produce DFRs for other jurisdictions. DFRs have been used in the US since 2009. In 2018, the US Securities and Exchange Commission (SEC) issued a rule that requires registrants to use a digital format in their submissions of operating company financial statement and fund risk/return information. Additionally, from January 2020, the European Union (EU) will require DFRs for all companies listed on European exchanges.
Some Australian companies are already required to use DFRs in other contexts. A number of Australian companies with securities listed in the US are now required to lodge DFRs with the US SEC. In Australia, the Australian Prudential Regulation Authority currently requires digital reports from banks. However, that requirement has not been extended to other companies traded on the stock exchange.
A range of stakeholders including ASIC, the AASB, CPA Australia, and Professor Wells noted that while companies have been able to voluntarily lodge DFRs with ASIC since 2010, no DFRs have been lodged to date. Both ASIC and Professor Wells suggested that companies do not lodge DFRs because analysts have not updated their systems to use DFRs, and analysts are not updating their systems because no entities produce the DFRs.
Given that voluntary use of DFRs has been available for a decade, Professor Wells suggested it would be better to legislate to require DFRs than for ASIC to make a policy or the AASB to make a standard.
Benefits of digital financial reporting
A number of submitters and witnesses, including PwC, Deloitte, CA ANZ, and Professor Wells, supported the use of DFRs.
Professor Wells referred to research from the US which indicates that DFRs:
increase transparency and lead to improvements in financial statement quality;
lower information processing costs for users of financial statements;
increase analyst forecast accuracy; and
improve the information efficiency of capital markets.
Professor Wells also suggested that if Australia was to mandate DFRs, that would provide opportunities for the financial services and technology industries to develop technology and products using DFRs.
Similarly, CA ANZ submitted that DFRs would enable more meaningful and customised reporting for stakeholders, better-informed investors, and better decision making.
Evidence to the committee indicated that regulators and standard setters would benefit substantially from the widespread adoption of digital financial reporting. For example, the ability to electronically extract risk assessment data would allow ASIC to more effectively target areas of risk. This would apply to audit inspections as well as other areas of ASIC's work.
The AASB noted that DFRs assist standard-setters to research and assess the scope and potential impact of proposed changes to standards. For example, the national accounting standard-setters in the US, UK and Europe have access to digital financial report information, enabling them to analyse the costs and benefits of proposed changes to standards.
Importantly, Professor Wells suggested there could be a substantial cost saving for regulators arising from the use of DFRs:
The cost savings for ASIC would be enormous, in terms of the supervision regime. Cost savings for users would be enormous because every major financial institution re-formats the financial statements to their own. So, instead of having to do it with 10 financial institutions, you would have just the one piece of software that they generate and does it every time. So, there would be enormous benefits to that.
The FRC, Australian Auditing and Assurance Standards Board and AASB suggested that DFRs lodged with ASIC on the public record should be freely available to standard-setters and regulators, as it would enable them to better perform their functions.
CPA Australia suggested that removing ASIC registry fees for access to corporate information would enable greater transparency and facilitate analysis on a timely basis.
Costs of implementing digital financial reporting
Professor Wells argued that the costs of implementing digital financial reporting are exaggerated:
The costs, I think, are largely overstated. A lot of accounting firms use software to generate general purpose financial reports. An example would be CaseWare. If you used that software then it would be very easy for the software provider to modify the software to include tags or labels. That would automatically populate the files which are issued. That would be a relatively low-cost option because it's one software provider updating it and everyone just using it. I think the costs which have been claimed in the past are overstated these days.
The following factors would limit the costs to business of adopting DFRs:
the IASB has developed and propagated appropriate standards;
experience has already been gained in the US and will soon be gained in Europe; and
software solutions already exist, and additions could be made to existing software.
Expectation gap and increasing complexity
Addressing the gap between what users of financial reports expect an auditor to provide and what auditors are required to provide under statutory obligations is no simple task. However, the committee considers it should be explored to further strengthen trust in the system and better meet users' needs.
Numerous submitters and witnesses stated that the expectation gap is most evident with regard to the auditor's role in preventing and detecting fraud and misconduct, and in assessing a company's economic viability. Further, the relative responsibilities of directors and management versus those of auditors in these areas are often misconstrued, and the outcomes achievable by an audit overestimated.
Nevertheless, any consideration of regulatory change with respect to these expectation gaps that would potentially expand the scope of audit needs to take into account the whole ecosystem of corporate governance and financial reporting, as well as who would bear the cost of any proposed policy changes.
The committee considers that the Financial Reporting Council is well-placed to oversee a formal review into these matters.
The committee recommends that the Financial Reporting Council oversee a formal review, to report by the end of the 2020–21 financial year, of the sufficiency and effectiveness of reporting requirements under the Australian standards in relation to:
the prevention and detection of fraud; and
management's assessment of going concern.
Reporting on internal control frameworks
Evidence from several submitters and witnesses broadly supported an internal control framework, similar to that implemented in the US, being considered in the Australian context. Section 404 of the US Sarbanes-Oxley Act 2002 requires the external auditor to report on the accuracy of company management's assertion that the internal controls in place on financial reporting are operational and effective.
The committee considers that reporting on internal control frameworks should be strengthened.
The committee recommends that the Corporations Act 2001 be amended such that entities required to have their financial reports audited under the Act must establish and maintain an internal controls framework for financial reporting. In addition, such amendments should require that:
management evaluate and annually report on the effectiveness of the entity's internal control framework; and
the external auditor report on management's assessment of the entity's internal control framework.
Digital Financial Reporting
Evidence to the committee indicated considerable enthusiasm for the use of digital financial reporting. The committee considers the benefits of DFRs are likely to substantially outweigh the costs. Evidence to the committee indicated that the widespread adoption of digital financial reporting would likely:
increase transparency and lead to improvements in financial statement quality;
lower the information processing costs for users of financial statements;
increase analyst forecast accuracy; and
improve the information efficiency of capital markets.
Evidence also indicated that the costs of implementing digital financial reporting may have been exaggerated. Further, in terms of the practical steps needed to implement digital financial reporting, the committee notes that the relevant standards appear to have been developed. Moreover, the US already requires the use of digital financial reporting, with the EU poised to follow suit. This suggests there may be no practical barriers to implementing digital financial reporting in Australia.
The voluntary approach to digital financial reporting taken in Australia for the past decade has not led to any significant use of DFRs. This suggests that government may need to take proactive steps requiring the implementation of DFRs. However, the committee notes that it has not heard from a wide cross-section of entities required to produce financial reports. The committee considers that, therefore, it may be appropriate for the government to undertake a review to identify and resolve any remaining barriers to the use of DFRs, with a view to making digital financial reporting standard practice in Australia.
The committee recommends that the Australian Government take appropriate action to make digital financial reporting standard practice in Australia.
The committee notes suggestions to remove ASIC charges for access to financial reports. The committee considers that this question may be appropriate to explore once DFRs are in use. Therefore, the committee suggests that the government consider changes to access fees as part of a post-implementation review of DFRs.
Senator James Paterson