The Work of the International Forum of Independent Audit Regulators and the Role of Auditor Oversight in Financial Institution Risk Disclosure
I. The Role of IFIAR
The International Forum of Independent Audit Regulators was established in 2006. Membership is open to regulatory agencies that are independent of the auditing profession and that are engaged in auditor regulatory functions in the public interest. In particular, IFIAR members are responsible for the system of recurring inspection of audit firms in their jurisdictions. IFIAR currently has 41 members.
IFIAR members share the common goal of improving audit quality globally. IFIAR's activities include —
- Sharing knowledge of the audit market environment and practical experiences, with a focus on inspections of auditors and audit firms.
- Promoting collaboration and consistency in regulatory activity, including the exchange of specific information between audit regulators.
- Providing a platform for dialogue with other organizations that have an interest in audit quality.
IFIAR accomplishes these objectives through six working groups, semi-annual plenary meetings, annual inspections workshops, and external communications.
While IFIAR members have regulatory authority within their own jurisdictions, IFIAR is not itself a regulator. IFIAR is also not a standard-setting body. The disclosure requirements, accounting principles, and auditing standards governing financial reporting and auditing are established by the laws of each jurisdiction. Auditors in many, but not all, IFIAR member jurisdictions apply the International Standards on Auditing (ISAs), which are promulgated by the International Auditing and Assurance Standards Board (IAASB). IFIAR is a member of the Monitoring Group, a group of regulatory and international public interest organizations that monitors activities of the Public Interest Oversight Board, which, in turn, oversees the public interest activities of the IAASB.
II. The Role of the Auditor in Reviewing Risk-Related Disclosures
The responsibilities of auditor oversight bodies for risk disclosures are linked to the responsibilities of the auditors they oversee. In broad terms, the role of the auditor is to perform audit procedures sufficient, under the applicable auditing standards, to permit the auditor to express an opinion on whether the financial statements of the reporting company are presented fairly in accordance with the applicable accounting framework, such as International Financial Reporting Standards (IFRS) or U.S. Generally Accepted Accounting Principles (U.S. GAAP). Disclosure requirements originate in the accounting framework and in any applicable legal requirements, such as the securities laws. Preparation of the financial statements, including compliance with disclosure requirements, is initially the responsibility of the reporting company's management.
If the applicable accounting framework requires disclosure in the financial statements of information relating to risk, the auditor must audit that disclosure, like any other aspect of the financial statements. Both IFRS and U.S. GAAP require certain disclosures related to financial instruments. The auditor must perform procedures to test such disclosures. If the auditor determines that such disclosures are materially incomplete or inaccurate, he or she cannot issue a clean opinion.
Financial institutions and other reporting companies may also disclose information relating to risk exposure outside of audited financial statements, such as in reports that include the financial statements, in interim reports and press releases, or in other documents. For example, the management's discussion and analysis (MD&A) required in U.S. securities filings must include discussion of liquidity, capital resources, results of operations, off-balance sheet arrangements and contractual obligations. With respect to other information included in documents containing the financial statements, both the ISAs and PCAOB standards impose a limited obligation on the auditor: The auditor should read the other information and consider whether the information, or the manner of its presentation, is materially inconsistent with information appearing in the financial statements.
The Appendix to this paper summarizes information prepared by IFIAR members in eight jurisdictions describing the responsibilities of auditors for reviewing risk-related financial institution disclosures and steps taken to enhance auditor compliance with these requirements since 2007.
III. Initiatives to Expand Auditor Disclosure Responsibilities
Several key regulatory and standard-setting bodies are considering ways of expanding the scope of the auditor's reporting responsibilities. These initiatives arise from dissatisfaction expressed by users of financial statements concerning the lack of information that auditors were required to provide about the risks and uncertainties faced by major financial institutions in the run-up to the 2008 economic crisis. While the various auditor reporting proposals and alternatives under discussion extend beyond financial institution risk disclosure, below is a high-level overview of how the three major reporting model projects might affect risk disclosures.[*]
A. IAASB Consultation Paper
On May 16, 2011, the IAASB issued a consultation paper entitled "Enhancing the Value of Auditor Reporting: Exploring Options for Change." The paper lays out options to close a perceived "information gap" and states that some investors and analysts believe that the auditor could report on "key business, operational and audit risks the auditor believes exist" as well as on the "quality and effectiveness of the governance structure and risk management." The paper seeks views about types of additional information that could be included in the auditor's report and on the prospect of the auditor providing insight about the quality of entity financial reporting.
B. PCAOB Concept Release
On June 21, 2011, the PCAOB issued a concept release which discusses alternative ways of expanding the auditor's reporting model. Three of those alternatives could result in expanded information or assurance regarding risk.
- Require the auditor to provide an auditor's discussion and analysis (AD&A), similar to MD&A. An AD&A would be a supplemental narrative report in which the auditor would discuss his or her views regarding significant matters, such as audit risks. The AD&A might also include a discussion of the auditor's views regarding the company's financial statements, such as management's judgments and estimates, accounting policies and practices, and difficult reporting issues.
- Require one or more emphasis paragraphs in all audit reports. Emphasis paragraphs could be used to highlight the most significant matters in the financial statements and identify where these matters are disclosed. The auditor might also be required to comment on key audit procedures performed pertaining to such matters.
- Require auditors to provide assurance on information outside the financial statements, such as MD&A or earnings releases. Such a requirement could have the effect of requiring that risk discussion in MD&A be audited.
C. EC Proposal
On November 30, 2011, the European Commission proposed a series of new requirements regarding statutory audits of public interest entities. Under the proposal, the content of the audit report disclosed to the public would be expanded to include an explanation of key areas of risk of material misstatements in the financial statements, a going concern assessment, and whether the audit was designed to detect fraud. In addition, the auditor would be required to prepare a more detailed report for the audit committee. This report would explain judgments about material uncertainty that may cast doubt about the entity's ability to continue as a going concern and on the findings of the audit with the necessary explanations. The expanded audit report could not be longer than four pages or 10,000 characters.
IV. The Role of Auditor Oversight in Risk Disclosure
IFIAR members have a strong interest in the responsibilities of auditors with respect to financial institution risk disclosures and in any changes in those responsibilities.
- Auditor responsibilities for the completeness and accuracy of financial institution risk disclosures affect IFIAR members' inspection programs. Through inspection workshop and plenary meeting discussions, IFIAR members share inspection insights and identify challenges. This process could be a vehicle for gathering information about how auditors are performing in this area.
- IFIAR plans to hold a membership discussion of proposals for expanding auditor reporting responsibilities at its plenary meeting next Spring. In addition, through IFIAR's Standards Working Group, members discuss and may comment on the implications of IAASB proposals, including any that address risk disclosure.
- IFIAR engages in dialogue with the major multi-national firms, both at the plenary meeting and working group level. In particular, IFIAR's Global Public Policy Committee Working Group provides a central forum for regular dialogue between audit regulators and the six largest audit firms regarding audit challenges and quality control system improvements. To the extent specific issues emerge regarding risk disclosure auditing, these mechanisms could be used to discuss those issues with the large firms.
Appendix — Summary of Selected Responses From IFIAR Members Related To Auditor Responsibility For Risk Disclosure
Note: The Appendix is non-public and is not included with the version of this paper posted on the PCAOB's website.
[*] Several countries already require auditor's reports to include additional information. For example, in Germany, auditors of public companies are generally required to issue a long-form auditor's report, discussing matters such as the company's economic position and trend of business operations and the nature and scope of the auditor's procedures. Additionally, French law requires the auditor's report to contain a "justification of the auditor's assessments." The auditor is required, in an explanatory paragraph, to explain the procedures the auditor performed with respect to relevant areas of the audit, such as accounting policies, accounting estimates, and overall presentation of the financial statements. Each justification of the auditor's assessment must reference a specific disclosure contained in the audited financial statements.