NEUTRALISING THREATS Demonstrating your independence from audit clients

by user

on 15 сентября 2016

Category: Documents

>> Downloads: 2

views

Report

Comments

Description

Download NEUTRALISING THREATS Demonstrating your independence from audit clients

Transcript

NEUTRALISING THREATS Demonstrating your independence from audit clients

ISSUE 193
OCTOBER 2014
ICAEW.COM/AAF
NEUTRALISING THREATS
Demonstrating your independence
from audit clients
SALON STYLE
AUDITFUTURES TAKES
THE PROFESSION INTO
THE ART WORLD
JOHN SELWOOD
FACING GOODWILL
AND OTHER
INTANGIBLE ASSETS
AFTER AUDIT
USING ASSURANCE
TO MEET CHANGING
BUSINESS NEEDS
THE MAGAZINE FOR AUDIT & ASSURANCE FACULTY MEMBERS
DISCOVER THE
REWARDS
OF YOUR HARD WORK
PROFESSIONAL MORTGAGES PROVIDED
BY SCOTTISH WIDOWS BANK
Having worked so hard for your career, isn’t it good to know that you could be rewarded
with a Professional Mortgage, exclusively for experts like you?
We have a range of Professional Mortgages with a choice of fixed and variable rates. As a member of ICAEW you can
apply for a three year fixed rate Professional Mortgage, exclusively available to our affinity partners. And the option to
offset means you could use your savings to pay off your mortgage sooner or reduce your monthly mortgage payments.
With a Professional Mortgage you can borrow up to 90% of the value of the property you’d like to buy.
A booking or arrangement fee is payable and Early Repayment Charges apply.
Applicants for a Professional Mortgage must be 21 or over and a fully qualified and registered accountant, actuary,
barrister, dentist, engineer, medical doctor, optometrist, pharmacist, solicitor, teacher or vet. We will also consider
trainee accountants, actuaries and solicitors. Professionals (including trainee accountants, actuaries and solicitors)
employed in a role outside their qualification will be considered on an individual basis.
YOUR HOME MAY BE REPOSSESSED IF YOU DO NOT KEEP UP REPAYMENTS ON YOUR MORTGAGE.
Call Scottish Widows Bank on 0845 845 0222 or visit www.icaew.com
LIFE FEELS BETTER WHEN YOU HAVE A PLAN
MEMBER
REWARDS
PARTNER
Scottish Widows Bank plc. Registered Office: PO Box 12757, 67 Morrison Street, Edinburgh EH3 8YJ. Registered in Scotland no. 154554.
Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 201601. 2088 08/14.
Past, present, perhaps
ISSUE 193
OCTOBER 2014
ICAEW.COM/AAF
NEUTRALISING THREATS
Demonstrating your independence
from audit clients
SALON STYLE
AUDITFUTURES TAKES
THE PROFESSION INTO
THE ART WORLD
JOHN SELWOOD
FACING GOODWILL
AND OTHER
INTANGIBLE ASSETS
AFTER AUDIT
USING ASSURANCE
TO MEET CHANGING
BUSINESS NEEDS
THE MAGAZINE FOR AUDIT & ASSURANCE FACULTY MEMBERS
Audit has a long and illustrious history, but if it is
to have a future it needs to change. Evolution
doesn’t smile kindly on species that fail to adapt.
A long time has passed since double-entry bookkeeping was
invented to keep track of business and financial transactions,
financial reports were developed to give people a true account of
the health of organisations, and audit was invented to provide
assurance on them. Gradually, the focus of the profession has
shifted: from a past where it enabled people to build trust and
engage in economic activity, to a present where it enables people
to comply with regulations and standards.
Audit has always served the public interest, but it can no longer
do this simply by maintaining the status quo. “Technological and social changes bring
new challenges for the profession and we need to learn how to respond,” observed
Robert Hodgkinson, the ICAEW executive director for technical strategy, at the recent
AuditFutures Accountancy Salon on design and trust (see pages 6-7), at the Royal
College of Art (RCA), where auditors and other professionals explored these challenges
using philosophical questions and design principles.
This issue of Audit & Beyond reflects where the profession is starting its journey from
and hints at the direction of travel. As the QAD article Beyond reproach highlights (on
pages 12-14), it is no longer enough for members of the profession to say: “Trust me,
I’m an auditor.” Why bother with assurance? on pages 8-9, acknowledges the ongoing
debate about increased audit exemptions and their impact, and outlines some of the
other assurance-based services clients will need in place of statutory audits.
Anything that increases the confidence of users can constitute assurance, which
brings me back to the need for the profession to meet the changing needs of business
and society.
Auditors are not encouraged to think creatively, but securing the future of audit will
demand new services and social change – so we will need all the help we can get.
Henry Irving
Head of faculty
and
04 News
events
Audit and assurance
news from the faculty
on audit
06 Salon
and trust
AuditFutures brings
various professions and
students together to
discuss whether design
can reshape perceptions
of audit
do we
08 Why
need assurance?
John Ward explains the
value of non-audit
assurance in the face of
increased audit
exemption
10 Q&As
John Selwood tackles the
sticky issue of the useful
economic life of goodwill
for
12 Struggle
independence
QAD reviewers Nick
Reynolds and Henrietta
Thompson outline areas
where auditors struggle
to safeguard their
independence
15 Technical
updates
Legal and regulatory
changes affecting the
profession
the
18 From
faculties
A selection of articles
from across other faculty
magazines
© ICAEW 2014. All rights reserved. The views expressed in this publication are those of the contributors; ICAEW
does not necessarily share their views. ICAEW and the author(s) will not be liable for any reliance you place on
information in this publication. If you want to reproduce or redistribute any of the material in this publication, you
should ﬁrst get ICAEW’s permission in writing. No responsibility for loss occasioned to any person acting or
refraining from action as a result of any material in this publication can be accepted by ICAEW, the publishers or the
author(s). Whilst every care is taken to ensure accuracy, ICAEW, the publishers and author(s) cannot accept liability
for errors or omissions. Details correct at time of going to press.
To comment on your magazine, please email [email protected]
AUDIT & BEYOND OCTOBER 2014
3
News and events
FACULTY STAFF
Henry Irving
Head of Audit & Assurance
Faculty
+44 (0)20 7920 8450
[email protected]
GLOBAL SPOTLIGHT ON FACULTY’S
AUDITFUTURES INITIATIVE
Chris Cantwell
Technical manager,
Practice Regulation
“AuditFutures has
created a space
where the profession
can explore difficult
questions about how
the needs of society
can shape audit”
+44 (0)20 7920 8742
[email protected]
Kate Bond
Services executive,
Sevices & Operations
+44 (0)20 7920 8483
[email protected]
Louise Sharp
Technical manager,
Audit Practice Issues
+44 (0)20 7920 8552
[email protected]
Ruth Ward
Technical manager, Assurance
+44 (0)20 7920 8639
[email protected]
Angela Edwards
SME programme manager
+44 (0) 20 7920 8894
[email protected]
Lesley Meall
Editor
+44 (0)20 7920 8493
[email protected]
Contact details
Audit & Assurance Faculty
Chartered Accountants’ Hall
Moorgate Place, London EC2R 6EA
+44 (0)20 7920 8493
+44 (0)20 7920 8754
[email protected]
icaew.com/aaf
Audit & Beyond is produced by
Progressive Customer Publishing
John Carpenter House
John Carpenter Street
London EC4Y OAN
Advertising enquiries to
[email protected]
ISSN 1748-5789 TECPLM12634
Printed in the UK by
Sterling Solutions
4
When the Consiglio Nazionale dei
Dottori Commercialisti e degli
Esperti Contabili hosts the World
Congress of Accountants on 10-13
November in Rome one of the
starring roles will be played by the
faculty’s groundbreaking
AuditFutures initiatives, exploring
new horizons and perspectives for
the 21st century profession.
ICAEW head of technical strategy
Robert Hodgkinson will chair a panel.
Experts and thinkers from a range of
disciplines and backgrounds will
explore how innovation inside the
profession can be helped by
perspectives from outside it.
The discussion will be informed
by collaboration between
AuditFutures, the Royal Society of
Arts and the Royal College of Art
(see pages 6-7).
The innovative work of
AuditFutures was also showcased at
the 2014 conference of the American
Accounting Association in a panel
session on innovating and
transforming the profession by
embracing design-thinking. ICAEW
was also invited to host conference
sessions on the evolving role of
education in professional ethics,
and on reconsidering critical
thinking and moral reasoning in
accounting education.
“Trust in big business is being
eroded. Auditors are associated with
big business and suffer by
association,” says James Roberts,
faculty chair and BDO partner. “But
over the past couple of years,
AuditFutures has succeeded in
creating a space where the profession
can explore difficult questions about
how the needs of society can shape
the future of audit and assurance.”
Now the conversation is going global.
You can join it at AuditFutures.org
INFORMATION YOU NEED TO SUCCEED
ICAEW’s new Faculties Online service provides access to the online
resources of all seven faculties plus their three online communities for a
single fee.
Subscribers benefit from regular e-bulletins, practical advice and good
practice guides, access to Excel online training, plus technical updates on
key developments and legislation.
Visit icaew.com/facultiesonline for more information.
Faculties Online subscribers are not eligible for faculty member rates and
discounts to events and webinars and will not receive paper mailings, nor
do they gain access to the eIFRS service of the IASB.
OCTOBER 2014 AUDIT & BEYOND
NEWS & EVENTS
EVENTS
UPDATE
AUTUMN ROADSHOW
FIGHTING BRIBERY
AND CORRUPTION
ICAEW has released a briefing paper
The UK Bribery Act 2010: its
implications outside the UK. “It
highlights the ‘adequate procedures’
approved by the Ministry of Justice
(MOJ) that you can put in place in
your company to protect yourself
from conviction,” says Michael Izza,
ICAEW chief executive.
The MOJ suggests that six principles
inform a common sense risk-based
approach to anti-bribery procedures.
These principles are: carrying out
risk assessments; developing a
proportional anti-bribery and
corruption policy; communicating
this to employees; carrying out due
diligence reviews on business
partners and associates; monitoring
and regularly reviewing all of this;
and getting top-level commitment.
“The ICAEW board and I are
committed to ensuring that our staff
don’t fall into the bribery trap. It’s a
culture that we’ve spent time
developing and the commitment from
our senior management team has
been crucial to its success,” says Izza.
The briefing paper is at bit.ly/1u2RYG3
“The board and I
are committed to
ensuring ICAEW
staff don’t fall into
the bribery trap”
AUDIT & BEYOND OCTOBER 2014
It is not too late to register for some of the remaining dates in the Autumn
Roadshow, which will focus on the implications for auditors of the adoption of FRS
102 The Financial Reporting Standard applicable in the UK and Republic of Ireland.
The transition to the new UK GAAP will create many new challenges.
Considerations for auditors will include: movement towards accounting at fair
value, the audit of financial instruments, new approaches to many accounting
estimates and new disclosures, and threats to independence.
The transition process promises to be complex. So the roadshow will provide
practical help and guidance on some of the challenges ahead, such as client
assessments of the available options, deciding how to approach areas involving
management’s judgements, and harvesting the necessary transitional information.
Technical Release 13/14AAF Issues for auditors arising from the implementation
of FRS 102 The Financial Reporting Standard applicable in the UK and Republic
of Ireland will be distributed at the roadshow, along with a two-page overview
call to action document. Both of these will subsequently be available on the
faculty website.
During October and November the roadshow will visit venues in Derby, Preston,
and Wakefield, before heading south to visit Birmingham, Milton Keynes, London,
Exeter and Southampton, then nipping back up north again to Durham. For more
information and to register visit icaew.com/aafautumnroadshow2014
LEARNING FROM QAD
Many auditors have mixed feelings about visits from the ICAEW Quality Assurance
Department (QAD). However, at a recent faculty lecture, presentations from a QAD
reviewer and an auditor (who has recently been visited) emphasised what a
constructive process this can be for practices: from preparing for the big day, to
using lessons learned to improve audit quality.
The lecture also touched on many of the issues which were covered in the QAD
Audit Monitoring Report 2013. Although QAD often identifies weaknesses in
documentation, the audits that need most significant improvement generally
lack audit evidence in one or more key areas. Members can learn more about these
areas in the 2013 report at bit.ly/1lJoOuk, and read about some of the ethical
implications in the article on pages 12-14.
Faculty members who didn’t make it to the lecture event at Chartered
Accountants’ Hall on 22 September will be able to read about the different
perspectives of the QAD reviewer and auditor in a future issue of Audit & Beyond.
Parts of the September lecture will also be reprised in a faculty webinar on 26
November, which will be recorded and will eventually join the library at
icaew.com/aafwebinars
NEW WEBINARS AVAILABLE
If you have neglected the faculty webinar library over the summer months it is
time to pay a visit. Seasonal additions cover: the opportunities and threats of
increasing audit exemption limits, interaction with management on smaller entity
audits, and the challenges of providing mortgage references to clients.
Members can access the faculty library of webinar recordings when, where and
as often as they choose, at no charge. A device with an internet connection, faculty
membership number and password are required. If you have forgotten yours, you
can request a new one at icaew.com/password
5
DESIGNING
TRUST
When AuditFutures held its first
Accountancy Salon on design and
trust at the Royal College of Art,
Lesley Meall arrived ready to play
the cynic – and left seriously inspired
f you have never wondered what
21st century auditors can learn
from 17th century artists, or
explored the philosophy of audit, or
considered whether good design could
reshape perceptions of the audit
profession, then you may be wondering
why anyone would bother – and why
you are reading about it in Audit & Beyond.
But when ICAEW’s AuditFutures
programme and the Finance Innovation
Lab recently held the first in a series of
Accountancy Salons, it made
contemplations such as these seem
essential for everyone who is involved
in or even affected by audit.
Reaching the critical masses will not be
easy. However, the discourse between the
attendees at the Accountancy Salon on
‘design and trust’ hinted at what might be
achieved by connecting disciplines as
disparate as audit, design and
philosophy. “It was challenging to work
with creative people. We started from a
vague, abstract place. But this
collaboration between AuditFutures and
the Royal College of Art (RCA) can bring
fresh perspectives to questions about
building trust in the future of audit,” said
Martin Martinoff, the AuditFutures
programme manager.
Just making your way to the salon
encouraged creative thinking, as it
involved meandering around some RCA
annual graduate shows. The creative
I
Faculty head Henry Irving (left) was among
those who took the trip to the RCA for the
session. He took to the floor to discuss audit
and trust at the Accountancy Salon
6
theme continued at the salon, helped by
the work a group of design students had
produced in response to some questions
and propositions on audit and trust (see
below). Then the panel, made up of
philosopher Brennan Jacoby, designer
Nick de Leon and ICAEW technical
strategy lead Robert Hodgkinson, kicked
off the salon discussion by sharing their
thought-provoking perspectives on the
question: ‘Is trust on life support?’
As you might expect of a philosopher,
there was some talk of the need to define
what we mean by trust and what it means
to be trustworthy, particularly in the
context of audit. “Trustworthiness is
often described as predictability and
reliability,” said Jacoby, “but trustworthy
people also include those we trust to do
the right thing in all kinds of situations.”
This led to more big questions such as:
should we ask audit to cultivate good
character and to encourage and empower
individuals and organisations to do the
right thing, rather than constraining it
within a scaffold of regulations? Is the
scaffolding causing our moral minds
to atrophy?
Donning the metaphorical hat of a
lapsed auditor, Hodgkinson explained to
salon attendees that audit is about much
more than regulation. “The current
paradigm of auditing, as primarily about
financial reports, prevents us from
thinking about why audit exists and what
its purpose is. We have become distracted
by the technicalities of how we do things
– how we accumulate evidence and how
we check things. However, in reality, audit
is a service that has allowed people to
OCTOBER 2014 AUDIT & BEYOND
AUDITFUTURES
build trust, and this has enabled
international trade and activity. It is
designed to allow people to reap the
benefits of economic development.”
Like design, audit is rooted in real,
practical needs: audit evolved to meet
those of the past and it must evolve to
meet those of the future. “We cannot
stay attached to the conventional and
traditional ways of doing things –
technological and social changes will
bring new challenges for the profession
and we need to learn how to respond to
these,” suggested Hodgkinson. By
working with the RCA to explore
questions such as why audit is necessary
and how it can be redesigned to best
serve the public interest, AuditFutures
is looking beyond the monetary
transactions that audit tends to focus on,
to consider the other interactions that
matter to people.
Design is about discovering what people
need and what works for them. Designer
and panellist de Leon said: “You can get
out-of-the-box thinking from a business
school, but design adds human and
cultural dimensions to questions about
trust. Design can help us get to the roots
of what the audit profession is about, and
help it to see what it does through a
different pair of eyes.” Design can
remind auditors not to cling to existing
approaches to delivering services,
highlight the benefits of explaining their
purpose rather than framing them within
regulations and standards, and it can
help the profession to identify
opportunities to reinvent its services.
“In looking at the future of audit, we
went back to basics. Now let’s see what
happens when we let creative people
explore this in more detail,” said
Martinoff. The five service design
students then explained their projects,
and how they had each explored one of
the following questions:
Can audit create a better society?
How can the audit profession help
to build a high-trust culture in
organisations?
How can audit improve the prospects of
business?
How can audit balance public interest
and shareholder interest?
AUDIT & BEYOND OCTOBER 2014
Robert Hodgkinson (top), Brennan Jacoby
(centre) and Nick de Leon chat about trust
How can you trust in something you
can’t see or don’t participate in?
“In looking at the future of
audit, we went back to
basics. Now let’s see what
happens when we let
creative people explore”
All of the students’ responses proved
thought provoking (and you can learn
more about them at bit.ly/1vU6fnA). Some
were more practical than others; but
when the Audit & Assurance Faculty
considered their work, the most creative
approach emerged as the winner. “We
liked the way Harry Trimble approached
the problem,” said Henry Irving, faculty
head. “It makes you think, challenges
your preconceptions and alters your
perceptions – like all great art.”
When Trimble began his exploration of
trust in audit by asking members of the
public “Do you trust auditors?”, the most
common answer was not “Yes” or “No”,
but “What is an auditor?” So his question
evolved into: “How can you trust in
something you can’t see or don’t
participate in?” This led to the concept of
‘The Human Exchange Museum’, which
aims to develop public understanding of
audit and trust in this, through a series of
co-created stories, exhibitions and events.
“It started us thinking in a different
direction, questioning how good auditors
are at communicating what we do, and
asking how we can use stories to better
engage the public,” said Irving. As well
as offering a fresh approach to
demonstrating the value that audit
aspires to create in society, the ‘exchange
museum’ concept can go further, by
helping people to better understand
other professions and organisations and
the invisible structures in society – which
should inspire all of us.
“The AuditFutures initiative between
ICAEW and the Finance Innovation Lab is
all about inspiring different conversations,
such as this,” said Irving. Its thought
leadership is already changing the way
that audit is seen around the world. In the
future, it may help the audit profession to
evolve in a way that takes the trust and
understanding of the public along with it.
So why not join us on the journey at
auditfutures.org.
7
WHY BOTHER
WITH ASSURANCE?
Even when a statutory audit is no longer required, the underlying
business needs remain. Auditors can meet these needs by providing
focused third-party assurance, as John Ward explains
he profession is engaged in an
active and important debate
about the impact of existing and
expected audit exemptions. There is
limited air space to debate assurance as
well. However, assurance provides a route
to other services that clients will need in
place of statutory audits. So why not make
the time?
As a profession, we argue that the audit
is necessary as a means of ensuring the
reliability of financial information; it
supports the world’s financial
infrastructure. Who wouldn’t place more
reliance on an audited (versus unaudited)
set of financial statements? So why do I
advocate assurance?
If I’m running a small company, that
does not mean I don’t need assurance in
any form once the statutory audit has
gone. The audit is a multi-purpose tool
that has evolved over time to include a
lot of elements and addresses the needs
of many. But once it is gone the
underlying business needs do not go
away. There remain many topics that
either give cause for concern among
management or warrant some form of
assurance because that is needed by a
third party. For example, in no
particular order:
T
NEW SYSTEMS
A company is implementing a new suite of
accounting systems. It’s important that
they should work well. Rather than
operating them without review, it may be
helpful for a full evaluation of the internal
control systems to be performed soon after
implementation to ensure they can be
relied on.
JUSTINE BECKETT/IKON
FRAUD RISK
A business has suffered a fraud. That
may have been investigated and resolved
but are there any significant fraud risks
to which the business is still exposed? If
so, what are they and are there sensible
preventative and detective controls
that can be adopted to minimise the
actual risk?
8
OCTOBER 2014 AUDIT & BEYOND
NON-AUDIT ASSURANCE
MANAGEMENT ACCOUNTS
Key business decisions are made based on
the monthly figures; but how accurate are
they? Is the way we assemble them
practical and sensible, as well as being
sufficiently close to the actuals, to prevent
inappropriate business investment
decisions from being made? Are they
systemically robust?
FINANCIAL STATEMENTS
Compilation – they may have been
assembled by the senior finance person.
But would it be helpful to know that
someone who has at least as much
financial knowledge has checked certain
key aspects of their compilation?;
Agreed-upon procedures – There may be
specific areas of uncertainty in the results
that warrant a more detailed examination,
such as stock valuation or provisioning.
The business might benefit from the
results of a defined set of tests to allow
them to draw their own conclusions on
the accuracy;
Bank covenants – Does the bank require
compliance with a banking covenant and
the asset cover for its lending? Does this
require a full audit to establish the real
value of the company’s assets? Or would
a limited assurance opinion based on
audit-type work in certain specified
areas suffice?
Rather than focusing on
the loss of a statutory
audit, time may be better
spent talking to clients
and offering solutions
SELF-REPORTED ROYALTIES
The company may be due royalties from
third parties that are self-reported by those
bodies. If there is no mechanism to allow
assurance, then advice may be required to
help establish a simple but effective
mechanism to ensure that they are receiving
complete and accurate royalty payments.
TAX RETURNS/HMRC
HMRC may accept tax and process returns
based on the financial statements. However,
management may not have the degree of
knowledge and expertise to complete
them accurately. They may want a greater
degree of validation of certain key figures
before using them or an accountant to
compile the returns. Perhaps management
wants a greater level of assurance that
there is a sound underlying system in
place for compiling the raw data that is
used to complete returns to HMRC, given
the risks associated with an error.
These are just some of the reasons why a
business might find it helpful or necessary
to obtain some focused assurance. There
are plenty more.
So rather than focusing time and attention
regretting the loss of a statutory audit, a
practitioner’s time may be better spent
talking to their clients and understanding
more about the nature of their business
and management concerns, while offering
solutions. Such a dialogue is necessary in
assurance work because, in my experience,
clients are often simply not aware of the
scenarios to which there may be an assurance
response. As a practitioner you can only
help if you get to grips with the business,
the nature of the management concerns
and the nature of the subjects involved.
REGULATORY COMPLIANCE
A business may be required to submit
regulatory returns. If these are complex,
or the downside risks associated with
errors are significant, then management
may want an independent third party
to challenge and check the compilation
before they are submitted to manage
the risk of error.
John Ward is an
independent consultant
and sits on the ICAEW
Assurance Panel and its
Narrative Assurance
Working Group
GUIDANCE AND TECHNICAL REFERENCES
The range of assurance options
available to us as practitioners
is considerable. The Assurance
Sourcebook (icaew.com/
assurancesourcebook) provides
some helpful material describing
the breadth of services including
the use of assurance, agreedupon-procedures, compilation,
consulting and advisory services,
due diligence and other
services. It may seem strange to
include some of these services
as assurance, but anything that
AUDIT & BEYOND OCTOBER 2014
helps to increase the confidence
of a user in a subject might
constitute assurance.
The faculty provides some
examples of assurance
engagements (at bit.ly/1tf2RmD)
and assurance-related Technical
Releases (see bit.ly/1ojfF6I and
bit.ly/SBeil8). ISAE 3000
(Revised) Assurance
Engagements Other than
Audits or Reviews of Historical
Financial Information (at
bit.ly/1tfzKi0) provides a technical
reference. I also recommend
reading the IFAC International
Framework for Assurance
Engagements (bit.ly/1fmUBbo)
because it gives a good analysis
– in the first 20 paragraphs – of
assurance in the broad sense, as
well as the technical definition.
As a profession, we have the
breadth of skills and experience
to offer our clients a wide range
of support to help them run
their businesses. We will be best
placed to do that if we:
get to know our clients
better;
understand their business
needs; and
shape the services we
suggest in response to those
needs to focus on their
business needs.
Now would be a good time to
be better business advisers
and strengthen our clients’
perceptions that we can help
them.
9
John Selwood’s Q&As
This month John tackles an issue many auditors
will not want to face but will probably come across
during the transition to FRS 102: the useful economic
life of goodwill and other intangible assets
Q
A company currently uses 20
years as the useful economic life
(UEL) for goodwill. Management has
considered the impact of FRS 102
The Financial Reporting Standard
applicable in the UK and Republic of
Ireland on this estimate and they have
concluded that a five-year life is more
appropriate. This is a huge change so
what audit evidence do I need to
obtain to support this new UEL?
If you were to choose not to think
about this too much, it could be
very straightforward. As auditors, you
could just focus on obtaining audit
evidence to support the new UEL of five
years. When preparing accounts using
FRS 102, a five-year life will not be
uncommon, because this is the
maximum life where the UEL cannot
be reliably estimated.
It is worth noting that five years is the
maximum rather than a default, and the
absence of reliable evidence regarding the
UEL does not absolve management from
considering whether a life shorter than
five years might be appropriate. Equally,
the existence of a five-year maximum in
the absence of reliable evidence does not
absolve management from seeking out
evidence that might support a longer life
were they to bother looking for it.
The auditors’ determination of how
A
10
much audit evidence is required will start,
like the auditing of any other accounting
estimate, by ensuring that they
understand both how the estimate is
made and the requirements of the
relevant accounting framework (in this
instance FRS 102, section 19). Of course,
it is management who are responsible for
determining the UEL of goodwill. The
auditors will look at how management
has determined the UEL and the
evidence management used to reach
their conclusions.
Also, auditors have to assess the degree
of estimation uncertainty as part of their
risk assessment. The risk of fraud should
not be forgotten, as it is possible that
management might be trying to
manipulate the financial statements by
using a UEL which is excessively long or
short. Where the amortisation of goodwill
is not subject to tax relief, it is not
uncommon for management to err on the
side of a longer life in order to maintain a
strong balance sheet.
SAFEGUARDS AND NON-AUDIT
SERVICES
If the auditor is asked to assist with the
determination of an appropriate UEL then
this is the provision of a non-audit service
and management threats arise. If there is
informed management, then most of the
time auditors will be permitted to assist,
provided appropriate safeguards are
applied. If the entity is listed or no
safeguards are sufficient to address the
management threat then the auditor
should not provide this service.
So far, so good with this question –
however, an auditor who thinks about
this more deeply might wonder how
management originally justified a UEL
of 20 years if there was no reliable
An auditor who thinks about this more deeply
might wonder how management justified a UEL
of 20 years if there was no reliable evidence
OCTOBER 2014 AUDIT & BEYOND
Q&A
supporting evidence. If there was
justification, then FRS 102 permits a
longer life; so why are management
making this change? Has there been a
change of circumstances to justify it? Is
FRS 102 sufficiently different to FRS 10 in
its approach to justify this change?
If this 20-year UEL was wrong, shouldn’t the
auditors have identified the issue before? Not doing
so could leave them in an embarrassing situation
A CENTRAL ISSUE?
I could continue along these lines for
some time but instead I will address what
is sometimes a central issue in these
cases: when applying FRS 10 Goodwill and
intangible assets, some entities used the
20-year maximum UEL of goodwill as a
default rather than a maximum. It is
possible that FRS 102 will be applied in
a similarly thoughtless manner, with a
five-year life being the new default.
If there is insufficient audit evidence
to support the 20-year life, then the
reduction in UEL may be the correction
of an error rather than a transitional
adjustment. This means it will be
separately presented and disclosed in
the first financial statements that are
produced applying FRS 102.
It is possible that management might
not agree with this approach; they
might resist the treatment of this as
the correction of an error and the
auditors will have to address this
disagreement. If management cannot be
persuaded to present this properly then
AUDIT & BEYOND OCTOBER 2014
the auditors would need to consider
qualifying their opinion.
What troubles me about this situation is
that the firm of auditors might have never
raised the issue of the 20-year UEL in any
of its previous audits. If this 20-year UEL
was wrong, shouldn’t the auditors have
identified the issue before? Not doing so
could leave the auditors in a
professionally embarrassing situation.
Because of the potential for issues such as
these, a second partner review might be
useful, to safeguard against any threats to
independence arising.
about reviewing UELs in an accounting
period prior to FRS 102 transition.
Having said all of this, it is perfectly
reasonable that a longer UEL, justified
under FRS 10, might reduce to five years
or fewer when applying FRS 102 for the
first time. FRS 10 para 22 says that
uncertainty over UELs should not lead to
unrealistically short lives. This is a slightly
different approach to FRS 102. This
illustrates that, on transition, auditors
need to not only understand FRS 102, but
also understand previous UK GAAP.
A WAKE-UP CALL
This question and the issues it raises are
a wake-up call for auditors to encourage
management to consider changes of
circumstance that affect the UELs of
goodwill more regularly. Where
possible, management might think
John Selwood is a member of the faculty’s
Practitioner Services Committee
11
BEYOND REPROACH
Although Ethical Standards for Auditors have been around
for some years, there are still areas where auditors
commonly struggle to consider and safeguard threats to
their independence, as QAD reviewers Nick Reynolds
and Henrietta Thompson outline
ike all ICAEW members,
auditors are expected to
demonstrate the highest
standards of professional conduct. It is
not enough to believe you are behaving
ethically, or even to behave ethically
– you must also demonstrate this at
every stage of the audit process.
Usually, most auditors are comfortable
with the concepts outlined in Ethical
Standard (ES) 1 Integrity, objectivity and
independence, and the need for threats
DAN MURRELL
L
12
to be considered and for safeguards to be
applied. However, during QAD monitoring
visits reviewers find some areas where
financial, business, employment and other
relationships raise problems repeatedly.
Relationships between audit clients,
partners, staff and their immediate and
close family members can create
significant ethical challenges. Although
QAD doesn’t often find auditors whose
partners or staff are themselves directors
or shareholders in audit clients, this is not
unheard of. More commonly, QAD
encounters circumstances where
relationships are not prohibited, but
the threats need to be considered and
safeguarded: for example, if partners or
staff may have brothers or sisters who
are audit clients. This is permitted,
provided you can demonstrate that you
have considered the threats and
implemented safeguards, where
necessary, to ensure that you are
independent.
OCTOBER 2014 AUDIT & BEYOND
COVER STORY
THE INFLUENCE OF TRUSTEES
Trustee shareholdings are a particular
problem area, and came up a number of
times during the 2013 and 2012 monitoring
visits. Typically, an individual in a firm is
asked to be the trustee of a family trust
which holds shares in an audit client. In
many cases, these holdings will be material
to the trust, and this creates a conflict for
the firm, similar to when an individual in
a firm holds shares in the audit client
directly. The trustee should not be the
responsible individual (RI) on that audit
or in a position to influence it. This
includes those in the firm’s chain of
command who are in a position to exert
influence over the audit partner, so you
need to think quite broadly.
In a small firm, a senior partner is very
likely to be in the chain of command over
a junior partner who acts as RI – unless
you can clearly show otherwise. As
trusteeships tend to go to the firm’s
senior partners, with many years of
client relationships, it can be difficult to
meet the requirements of the Ethical
Standards (ES) if the firm wants to
continue as auditor and as trustee. See
the full set at bit.ly/1oX7qNc
As not all cases are so clear cut, there
can be significant judgement involved. It is
important to consider how a reasonable
person would see your relationship with
an audit client. In the given circumstances,
would they understand why you consider
yourself to be an independent auditor?
Guidance on trustee shareholdings is
available in Audit news 52 (bit.ly/1yVSIMi)
and in the ethics section of the ICAEW
website (bit.ly/Xy3q0c).
The first priority is to have a thorough
process to gather relevant information
from all of your partners and staff, so that
you can identify threats. Annual
declarations of independence from all staff
AUDIT & BEYOND OCTOBER 2014
are essential. If you have quite a few
audits, make staff aware of all of them, so
that they know who they need to be
independent of. Once you have identified
a threat, consult as necessary, and
remember to document your safeguards,
and the reasons for your conclusions.
LONG ASSOCIATION AND FEES
Independence challenges can also arise for
auditors and audit firms because long
associations between the audited entity
and partners and staff can lead to
self-interest, self-review and familiarity
threats to their objectivity. Fee
dependency can also create threats.
ES 3 Long Association with the Audit
Engagement is clear on the rules for listed
entities, with five-year rotation of RIs,
except in the rare cases where the client
feels there are exceptional circumstances
that justify an extension to seven years
(whether these years have been accrued
continuously or in aggregate). In practice,
this impacts on relatively few audit firms.
Relationships
between audit
clients, partners,
staff and their
immediate and close
family members can
create significant
ethical challenges
The rules are also clear on the need for all
audit firms to assess the threats that long
association pose to the auditor’s objectivity
and independence and the need to apply
safeguards to reduce any threats to an
acceptable level – and the 10-year rule
affects a great many audit firms.
ES 3 paragraph 9 states that: “Once an
audit engagement partner has held this
role for a continuous period of ten years,
careful consideration is given as to
whether a reasonable and informed third
party would consider the audit firm’s
objectivity and independence to be
impaired.” It goes on to suggest various
appropriate safeguards, such as those
listed in paragraph 8 of ES 3, which are:
rotation of the RI, involvement of an
additional partner, and applying
independent quality control reviews to the
engagement in question. There are fewer
options for firms with just one RI, where
rotation is impossible.
The examples of the safeguards given in
paragraph 8 of ES 3 should always be
considered. In practice, QAD finds that
rather than apply safeguards such as these,
many firms take the other option outlined
in ES 3, paragraph 9 (b): documenting why
the RI continues to participate in the audit
engagement without any safeguards and
communicating this reasoning to those
charged with governance of the audit
client. The second element is particularly
important and should not be ignored,
even if the firm is concerned that this
could be an invitation for the client to
re-tender for the audit. You will need to
judge the possible consequences – and the
paragraph 8 safeguards will be a better
route in some circumstances.
FINANCIAL INDEPENDENCE
The financial nature of the firm’s
relationship with clients must also be
13
COVER STORY
considered: fee dependency is a threat.
Remember that if you expect ongoing fees
for audit and non-audit services from a
client or a statutory group of audit clients
to regularly exceed 15% of your practice
income, you cannot remain as auditor. It is
acceptable to have the occasional year
when special work arises and you exceed
the 15% threshold. But if you continue with
this work, year-on-year, then it must be
considered as part of the ongoing fee. (If
you have a listed audit client, this
percentage reduces to 10%.)
For an unlisted client, you may also need
additional safeguards where the total fees
are regularly between 10% and 15% of total
practice income. In these cases, unless the
client qualifies as a small company, you need
an external independent quality control
review before the audit report is finalised.
This is what many term an external hot
file review, so it is quite a big deal if it
applies – and it will add to the cost.
(Similar rules apply for listed audit clients,
with the threshold of between 5% and 10%
of fees.)
If the client qualifies as a small company,
no hot review is needed, as you can take
the exemption available in the ES
Provisions Available for Smaller Entities
(PASE) at bit.ly/1qmMz7k
Clearly, smaller audit practices are more
likely to have difficulties with fee
dependency. However, there are a few
factors which can help, especially if you are
a sole practitioner. Other earned income
can count towards the total income figure,
for example, and if you have connected
practices it is possible that these may meet
the definition of a network firm and can
also count towards the total income.
On the ICAEW website you will find an
ethics FAQ relating to this (at bit.ly/1te4uBV),
and the definition of a network is also
given in detail (at bit.ly/1vdhY0j).
14
NON-AUDIT SERVICES
Most auditors provide some non-audit
services to their audit clients, and within
the parameters of the Ethical Standards
there is nothing wrong with this; but the
associated threats must be considered.
The types of non-audit services that you
can provide are significantly curtailed if
you audit a listed client, as you cannot
provide any accounting assistance, except
in an emergency. Some smaller listed
companies can struggle with financial
reporting, and in these cases you will need
to encourage them to include another
accountancy firm to assist.
For many audit clients, preparation of
the accounts and tax disclosures are all
part of the annual audit. Yet however
good an accountant you are, mistakes
can happen, and you need to identify
and safeguard threats; though here, as
with fee dependency, you can use PASE
where applicable.
If you are preparing the accounts, you
need to consider whether there is a risk
If adjustments are
material, who is
going to check that
you have not made
an error in the heat
of the moment?
that you are making decisions about the
accounting for particular items without
knowing the full facts. Make sure you
discuss these points fully with
management so, for example, you can
establish that a particular liability meets
the definition of a provision rather than a
contingent liability, or it is correct to
account for turnover as principal rather
than agent.
One of the riskiest times in an audit is
when last-minute adjustments are made,
and QAD does see cases where they do not
get enough scrutiny. If the adjustments are
material, who is going to check that you
have not inadvertently got your debits and
credits the wrong way around or made
some other error in the heat of the
moment? If threats such as this are not
identified and addressed, a situation may
arise where somebody has made an error,
but both you and the client have happily
signed materially misstated accounts.
The strongest safeguards are where
the audit team or the senior members
of the team reviewing work are
independent from the non-audit
services provided by the firm; no one
looks as critically at their own work as
they do at someone else’s. So if you have
processed a change, get someone else
– including the client – to check it. Better
still, ask the client to process the change
and then you can check it.
This article reprises the first half of an
hour-long QAD webinar that took place
earlier in 2014 – a full recording is available
at bit.ly/1nup2Re
Nick Reynolds and Henrietta Thompson are
reviewers in the ICAEW Quality Assurance
Department
OCTOBER 2014 AUDIT & BEYOND
UPDATES
Technical
updates
Our round-up of legal
and regulatory changes
AUDITING AND
ASSURANCE:
UK & IRELAND
FRC CONSULTS ON REGULATIONS AND
GUIDANCE FOR LOCAL PUBLIC AUDIT
(JULY 2014)
The Financial Reporting Council (FRC) has
issued a consultation on FRC Regulations
and Statutory Guidance under the Local
Audit and Accountability Act 2014.
The Act provides for the abolition of the
Audit Commission and establishes a new
framework for the regulation of auditors
of local public bodies. The government
has asked the FRC to take on specific
responsibilities, which include:
inspecting the quality of audits of the
largest local public bodies and health
bodies other than foundation trusts;
overseeing the regulation of auditors of
local public bodies by professional
bodies recognised for this purpose; and
setting specific statutory requirements
on auditors.
The consultation document seeks views
on statutory requirements:
for transparency reports, which
auditors of major local bodies are
required by the Act to publish each year;
for keeping the Register of Local Public
Auditors; and
giving statutory guidance to a recognised
supervisory body on the approval of
individuals as Engagement Leads for
local public audit.
Comments are invited by 17 October 2014.
bit.ly/1zlF0o7
FRC ANNUAL REPORT FOR 2013/14
(JULY 2014)
The FRC outlines its achievements and
challenges over the year in its Annual
Report for 2013/14, the first to be based
on the new framework for the Strategic
Report. It includes its first financial
statements prepared under new UK GAAP.
bit.ly/1rqMOBq
AUDIT & BEYOND OCTOBER 2014
AUDITING AND
ASSURANCE:
INTERNATIONAL
IESBA PROPOSES STRENGTHENED
AUDITOR INDEPENDENCE STANDARD
ADDRESSING LONG ASSOCIATION IN
ETHICS CODE
(AUGUST 2014)
The International Ethics Standards Board
for Accountants (IESBA) has published an
exposure draft Proposed Changes to
Certain Provisions of the Code Addressing
the Long Association of Personnel with an
Audit or Assurance Client.
Among the proposed changes are:
strengthened general provisions
applicable to all audit engagements
regarding the threats created by long
association;
with respect to partner rotation, an
increase in the mandatory “cooling-off ”
period, from two to five years, for the
engagement partner on the audit of a
public interest entity;
strengthened restrictions on the type of
activities that can be undertaken with
respect to the audit client and audit
engagement by any former key audit
partner in the cooling-off period; and
a requirement to obtain the
concurrence of those charged with
governance regarding the application
of certain exceptions to the rotation
requirements.
The Ethics Board is also proposing
strengthened provisions in Section 291
of the Code dealing with assurance
engagements. These proposals were
informed by wide-ranging research,
including a benchmarking exercise of
jurisdictional requirements, stakeholder
outreach, and a survey that received
more than 400 responses from standard
setters, audit committees, regulators
and firms. Comments are invited by
12 November 2014.
bit.ly/1nIvPXA
FINANCIAL
REPORTING:
UK & IRELAND
FRC PROPOSES AMENDMENTS TO
FRS 102 RELATING TO PENSION
OBLIGATIONS
(AUGUST 2014)
The FRC has issued exposure draft FRED
55 Draft Amendments to FRS 102 – Pension
obligations, in order to clarify issues
relating to accounting for defined benefit
pension plans in advance of new UK and
Irish GAAP becoming mandatory from 1
January 2015.
These proposed amendments would
clarify that:
(a) UK and Irish GAAP does not include all
the complexities of International
Financial Reporting Standards (IFRS);
no additional liabilities need be
recognised in respect of a ‘schedule of
contributions’ that has been agreed in
order to address a deficit in the plan; and
(b) consistent with current practice, the
effect of restricting the recognition of
a surplus in a defined benefit plan,
where the surplus is not recoverable,
is recognised in other comprehensive
income, rather than profit or loss.
Comments are invited by 21 November
2014. The FRC expects to issue the final
amendments to FRS 102 early in 2015.
They will apply to accounting periods
beginning on or after 1 January 2015.
bit.ly/1kUkbNx
FINANCIAL REPORTING LAB
INSIGHT REPORT ON CLEAR AND
CONCISE REPORTING
(AUGUST 2014)
The FRC Financial Reporting Lab (the
Lab) has published Towards Clear &
Concise Reporting. This insight report
examines progress made by companies
towards producing relevant and
succinct annual reports and accounts
and includes ideas on how companies
15
FINANCIAL
REPORTING:
INTERNATIONAL
can make further progress.
Having reviewed the most recent round
of annual reports published by FTSE 350
companies, the Lab encourages
companies to think about:
the communication channels used
and how to match information to
users’ needs;
how to focus content on what is most
important to investors;
removing immaterial disclosures;
using cross-referencing and layout to
improve clarity; and
planning ahead.
The report includes practical insight on
the process of change and how BP and
Prudential have managed this.
bit.ly/1sM9agq
FRC LAB REPORT ON ACCOUNTING
POLICIES AND INTEGRATION OF
RELATED FINANCIAL INFORMATION
(JULY 2014)
The FRC Financial Reporting Lab has
published Accounting policies and integration
of related financial information, which
provides insights on what investors want
from accounting policy disclosures and where
they should appear in financial statements.
Some 16 companies, 19 institutional
investor and analyst organisations and
more than 200 retail shareholders
participated in the Lab project. This
report contributes to the FRC’s
programme of work to promote clear and
concise reporting from which investors
can, with justifiable confidence, draw
conclusions about a company’s
performance, position and prospects.
The Lab report includes examples of
current good practice and highlights how
disclosure could be modified to provide
the most value to investors in the future.
bit.ly/1sIhdu8
16
FRC ISSUES AMENDMENTS TO FRS 101
AND FRS 102
(JULY 2014)
The FRC has issued amendments to new UK
GAAP aimed at improving the accounting
for certain financial transactions, the ease of
use of the standards and reducing the cost
of compliance. The amendments to FRS 102
relate to:
financial instruments:
(i) updating the requirements on hedge
accounting, making hedge accounting
more readily available to entities where
it is consistent with their risk
management processes;
(ii) relaxing the conditions for regarding
financial instruments as ‘basic’, with
the effect that more financial
instruments will be measured by
reference to cost rather than fair
value; and
making the transition to FRS 102
less costly.
They are effective from the same date as
FRS 102, which is 1 January 2015.
FRS 101 allows entities to apply IFRS
with exemptions from some disclosures.
The amendments to FRS 101 reflect its first
annual review to ensure those disclosure
exemptions are updated on a timely basis
as IFRS develops.
bit.ly/1tzbiZw
IASB PUBLISHES NARROW-SCOPE
AMENDMENTS TO IAS 27 SEPARATE
FINANCIAL STATEMENTS
(AUGUST 2014)
The International Accounting Standards
Board (IASB) has issued Equity Method in
Separate Financial Statements
(Amendments to IAS 27). The amendments
will allow entities to use the equity
method to account for investments in
subsidiaries, joint ventures and associates
in their separate financial statements.
The amendments will help some
jurisdictions move to IFRS for separate
financial statements, reducing compliance
costs without reducing the information
available to investors. The amendments
are in response to requests that the IASB
had received during its inaugural public
agenda consultation.
bit.ly/1yqDqPq
IASB COMPLETES REFORM OF
FINANCIAL INSTRUMENTS ACCOUNTING
(JULY 2014)
The IASB has issued IFRS 9 Financial
Instruments. The improvements IFRS 9
introduces include a logical model for
classification and measurement, a single,
forward-looking ‘expected loss’
impairment model and a substantially
reformed approach to hedge accounting.
The new Standard will come into effect
on 1 January 2018 and early application
is permitted.
Classification and measurement
In terms of classifying financial assets,
IFRS 9 introduces an approach driven by
cashflow characteristics and the business
model in which an asset is held. This
single, principle-based approach replaces
existing rule-based requirements that are
considered overly complex and difficult to
apply. The new model also results in a
OCTOBER 2014 AUDIT & BEYOND
UPDATES
single impairment model being applied to
all financial instruments, which removes a
source of complexity associated with
previous accounting requirements.
Impairment
The delayed recognition of credit losses
on loans (and other financial instruments)
was identified as a weakness in existing
accounting standards during the financial
crisis. As part of IFRS 9, the IASB includes
a new expected-loss impairment model
that will require more timely recognition
of expected credit losses.
Hedge accounting
IFRS 9 introduces a substantially
reformed model for hedge accounting,
with enhanced disclosures about risk
management activity.
Own credit
IFRS 9 also removes the volatility in profit
or loss that was caused by changes in the
credit risk of liabilities elected to be
measured at fair value. This change in
accounting means that gains caused by
the deterioration of an entity’s own credit
risk on such liabilities are no longer
recognised in profit or loss. Early
application of this improvement to
financial reporting is permitted by IFRS 9.
bit.ly/1peJvwe
THE IAESB ADOPTS 2014-2016
STRATEGY TO SUPPORT REVISED
INTERNATIONAL EDUCATION
STANDARDS
(AUGUST 2014)
The International Accounting Education
Standards Board has issued its 2014-2016
Strategy and Work Plan, which focuses
on supporting the adoption and
implementation of International
Education Standards (IESs).
AUDIT & BEYOND OCTOBER 2014
In upholding its public interest
mandate, the IAESB is pursuing the
following strategic initiatives:
promulgating a series of high-quality
standards and other publications
reflecting good practice in the
education, development, and
assessment of professional accountants;
promoting the adoption and
implementation of the IESs;
developing education benchmarks
for measuring the implementation
of the IESs; and
periodically reviewing the need for
further revisions to any of the IESs,
or for developing additional standards.
The IAESB has identified the following
work priorities:
setting and maintaining the IESs and
considering the need for additional
IESs;
supporting adoption and
implementation of the revised IESs; and
assessing the impact of the IESs by
conducting a baseline study and a
post-implementation review.
bit.ly/1teK6SM
IAESB PROPOSES FRAMEWORK TO
ENHANCE CLARITY OF STANDARDS
(JULY 2014)
The IAESB is proposing a revised
Framework for International Education
Standards (the Framework), which sets
out the concepts that guide its IES. From
an educational perspective, the Education
Board is also proposing new definitions
for the terms ‘professional accountant’
and ‘general education’.
The proposed Framework consists of
four parts:
Part one identifies the purpose and
scope of the Framework;
Part two explains the educational
concepts of professional competence,
learning outcomes, general education,
initial professional development,
continuing professional development,
and assessment and measurement used
in the process of determining the
effectiveness of learning and
development, which will be used by
the IAESB when developing the IESs;
Part three describes the nature of the
IESs and related IAESB publications; and
Part four outlines IFAC member body
obligations relating to the IESs.
The Framework is targeted primarily at
IFAC member bodies that have direct or
indirect responsibility for the learning
and development of their members and
students. The Framework is relevant to
a wide range of other stakeholders,
including accounting faculties at
universities, employers of professional
accountants, professional accountants,
prospective professional accountants, and
others interested in the work of the IAESB.
As part of its initiative to improve the
clarity of its standards, the IAESB is
redrafting all eight of its IESs in
accordance with its new drafting
conventions. The IAESB has completed
the revision of IESs 1 to 6 and the
redrafting of IES 7. Under the current
timetable, the IAESB anticipates that the
revision of its final standard, IES 8, will
be completed by Q4 2014.
The IAESB invites comments by 27
October 2014.
bit.ly/1tZYD1M
Louise Sharp
produces Technical
Updates. She is a
technical manager
at the Audit &
Assurance Faculty
17
PORTFOLIO
From the faculties
Keep in touch with
our selection from
ICAEW’s other
faculty magazines
COVER STORY
AN ESSENTIAL
GUIDE TO
SECURITY
STANDARDS
CYBER ESSENTIALS SCHEME
This is a key objective of the National
Cyber Security Strategy and is being
delivered as part of the government’s
National Cyber Security Programme.
From 1 October 2014, the UK
government will require all suppliers
bidding for certain personal and
sensitive information handling
contracts to be Cyber Essentials
fines and reputational damage.
“The threat from IT security breaches
is too significant for accountants with
IT roles to overlook the information
security frameworks, schemes and
standards that can help to identify,
assess and address the key risks and
threats,” says Omer Tariq, manager
for risk and advisory at BDO. Marc
Vael, international vice president at
the Information Systems Audit and
Control Association (ISACA), a
professional association focused on
IT governance adds: “Understanding
them can help you to save valuable
time building proper information
security in your organisation and
when validating and confirming
where you are with this.”
Figuring out how much you need
to understand in order to do this is
almost as complex as some of the
standards. Among the many potential
influences are:
where your responsibilities for IT
security begin and end;
the size, type and structure of your
department or organisation;
14
ownership and use of IT assets,
products and services;
IT management and governance
frameworks in use;
existing IT security policies and
procedures;
compliance with statutory, sector
and supplier requirements; and
access to technical expertise and
financial resources.
So your need to know (as an individual,
department or organisation) will sit
somewhere on a very broad spectrum –
not unlike the information security
responsibilities and technical expertise
of the members of the IT Faculty. But
everyone has to start somewhere, and
if you don’t already know your COBIT
from your PCI DSS, or your ISO 27001
from your BS7799-2, a basic grasp of some
of the most widely used frameworks,
schemes and standards relating to IT
security is an important step on the
road to enlightenment – or certification.
Let’s begin with the latest and
greatest UK government initiatives in
this area, and see where this leads.
GALLERYSTOCK
A
cyberstreetwise.com/ and
cyberessentials/#downloads
The CE scheme focuses on the
most common internet-based cyber
security threats. However, its
requirements reflect longerestablished and more extensive
IT security standards, such as the
ISO/IEC 27000 series.
ISO/IEC 27000 SERIES
Navigating the expanding landscape of
information security standards can be a
challenge. So if you don’t know your PCI
DSS from your ISO 27001, Lesley Meall’s
at-a-glance guide can help
s computing and
communication devices,
software, data and networks
have become more accessible and
prolific, their security has become
more complex. So has the landscape
of information security frameworks,
schemes and standards. The occupants
now include (but are not restricted
to) COBIT, Cyber Essentials, PCI DSS
and the ISO/ICE 27000 series. It’s
almost enough to make you hanker for
the mainframe or desktop computing
eras, when you could draw a bright line
around your IT assets and their security.
Well, almost. A more connected
and ubiquitous computing ecosystem
is not without benefits. But
technologies and trends such as cloud
computing, growing (personal and
professional) use of mobile devices
and social media, and the emergence
of ‘big data’ have created new and
significant security challenges. Very
few organisations are now immune to
vulnerabilities, such as leaky employee
endpoints, as well as threats and
risks, such as disruption to business,
(CE) certified. Any other business
can choose to be certified.
You can learn about CE
requirements, the assurance framework
that underpins assessment, approved
accreditation bodies that certify
companies to provide CE services, the
two available levels of CE certification
and how to obtain them at
SEPTEMBER/OCTOBER 2014 CHARTECH
This started life as a 1980s government
initiative by the Commercial Computer
Security Centre of the now defunct
Department of Trade and Industry;
then, after a long and circuitous
international journey, the 27000
series of information standards was
launched in 2005 (learn more at
27000.org/thepast.htm), to help
organisations improve their information
security management.
The members of this fledgling family
of standards you are most likely to
encounter are 27001 and 27002.
27001 provides the requirements for
establishing, implementing, maintaining
and continuously improving an
information security management
system (ISMS); it replaced the
BS7799-2 standard.
27002 outlines the hundreds of
potential controls and control
mechanisms, which may be
implemented subject to the guidance
in 27001. 27002 superseded ISO 17799
standard (a code of practice for
information security).
You can learn more about the
development of other standards in the
27000 series at 27000.org/contact.
htm and other ISO standards related
to the 27000 series at 27000.org/
other.htm
Numbers in the ISO 27000 series
(also known as the ISMS family of
standards) are allocated by the
International Organisation for
Standardisation (ISO, iso.org) which
has developed and published more
than 19,500 voluntary ‘best practice’
standards. ISO is a membership
network of national standard setters,
such as the UK British Standards
CHARTECH SEPTEMBER/OCTOBER 2014
Institution (BSI) – a private company
incorporated by Royal Charter.
No law that says you have to comply
with 27001 or gain certification for this,
and some organisations choose to
implement the standard (or part of
it) for the intrinsic benefits. But as
compliance with 27001 is required
of product and service providers to
an increasing number of businesses
and government bodies (across the
globe), some organisations need to
implement it and to demonstrate
this – which is possible only with the
help of an independent accredited
certification provider. ISO advice
on selecting a certification body/
provider is at iso.org/iso/home/
standards/certification.htm , and
a flowchart showing the ISO 27001
certification process is at 27000.org/
ismsprocess.htm
Finding organisations that can
No law says you have
to comply with 27001,
but compliance with
27001 is required of
product and service
providers to an
increasing number
of businesses
provide ‘independent’ ISO 27001
certification is as simple as
Googling ‘iso 27001 accredited
certification providers’, which brings
up possibilities ranging from the Big
Four accounting firms to specialists
such as BSI (and yes, that is the same
BSI that acts as the UK’s national
standard setter).
IASME STANDARD
The IASME Consortium created
the Information Assurance
Management Standard for SMEs in
2013. It offers small businesses an
option that is less challenging to
achieve and maintain than ISO
270001; a high-level comparison of
the two standards is available at
iasme.co.uk/index.php/iso
The IASME Consortium Ltd is one
of two bodies currently accredited to
appoint Cyber Essentials certification
providers (the other is CREST, a
non-profit organisation). IASME
evolved from another government
initiative, and took forward a
project of the Technology Strategy
Board, a non-departmental public
body, established by the government
in 2004, and funded by the
Department for Business, Innovation
& Skills.
You can learn about approaches
to certification, including companies
that are licensed to deliver IASME
assessments and routes to becoming
an assessor, at iasme.co.uk/index.php/
companiesdeliver
15
SELF PRESERVATION
SOCIETY
ESSENTIAL GUIDE TO GREAT EXPECTATIONS
SECURITY STANDARDS FS FOCUS
In 2010 the takeover of confectioner
Cadbury by US food giant Kraft prompted
public outcry. In 2014, the prospect of
losing pharma giant AstraZeneca to its US
rival Pfizer provoked a similar reaction.
This month’s cover story looks closely at
the debate around takeovers, asking the
experts’ views on both sides of the fence.
Janet Williamson, senior policy officer at
the TUC, proposes a commission: “Mergers
and takeovers should be assessed by a
commission to ensure transactions operate
in the long-term interests of the target
company, and which would operate at
arms’ length from government.”
British law only allows the government
to intervene to protect national security,
preserve accuracy and freedom of
expression in the media, or safeguard
financial stability. European regulators can
block deals on competition grounds. The
Pfizer case is not covered by any of these.
The question, then, is if the postCadbury Takeover Code enhancements
mean the UK now has sufficiently robust
legislation to protect the public interest.
“My natural inclination is for less
intervention,” says Selina Sagayam, partner
at law firm Gibson Dunn. “Where you start
getting into trouble is when there is too
much discretion on what the grounds for
intervention might be. Introducing
uncertainty would not be in our interests.”
Technologies and trends such as cloud
computing, growing use of mobile
devices and social media, and the
emergence of ‘big data’, have created new
and significant security challenges. Few
organisations are now immune to leaky
employee endpoints or threats including
disruption to business, fines and
reputational damage.
Figuring out how much you need to
understand for your business is almost as
complex as some of the security
standards you can follow. But everyone
has to start somewhere, and if you don’t
already know your Control Objectives for
Information and Related Technology
(COBIT) framework from your Payment
Card Industry Data Security Standards
(PCI DSS), or your ISO 27001 from your
BS7799-2, a basic grasp of some of the
most widely-used frameworks, schemes
and standards relating to IT security is an
important step on the road to
enlightenment – or certification.
This autumn’s Chartech cover story will
guide you through the various compliance
options available. But as Marc Vael,
international vice-president at the
Information Systems Audit and Control
Association, says: “All of the frameworks,
schemes and standards should be
considered as good inspiration. But all of
them require intelligent interpretation.”
In an attempt to improve banks’ approach
to reporting losses, a new standard, IFRS
9 Financial Instruments, has been published
by the International Accounting Standards
Board (IASB). In 2018 an ‘expected loss’
model will replace the ‘incurred loss’
model used so far.
Unable to reach agreement with US
standard-setters, the IASB has pursued a
path that differs from the American model.
The new standard introduces a
three-stage approach to loan-loss
provisioning. It is not perfect, as Eddy
James from the Financial Reporting
Faculty points out in this article, but
supporters argue that it provides a
workable solution and a pragmatic
reflection of the economics of lending.
On the flipside, the new standard is
more complex than the one it replaces
and may be less intuitive to understand.
It does include operational simplifications
that will make it easier to apply – for
example the standard removes the need
to recognise lifetime losses if a financial
instrument continues to be classified as
low risk even if the credit risk has increased.
Users should expect to spend money on
implementing IFRS 9; some may need to
develop new systems, processes and
internal control to comply. Ageing IT
systems in banks could make
implementation difficult.
For more from the Corporate Finance Faculty,
visit icaew.com/cff
For more from the IT Faculty, visit
icaew.com/itfac
For more from the Financial Reporting
Faculty, visit icaew.com/frfac
CORPORATE FINANCIER
18
CHARTECH
OCTOBER 2014 AUDIT & BEYOND
Access the information
you need to succeed
New online service
Get the latest technical updates, information and resources through our new online
service – Faculties Online. Subscription to Faculties Online gives you access to the
online content and resources of our seven specialist faculties and three communities.
Stay up-to-date with practical advice from industry experts, and view the latest
thinking and developments in accountancy, ﬁnance and business.
Subscribe* today at icaew.com/facultiesonline or call +44 (0)1908 248 250.
*Subscription excludes access to eIFRS and discounts to events, seminars and webinars.
BUSINESS WITH CONFIDENCE
icaew.com/facultiesonline
The ICAEW has
driven a great deal.
So you can drive a great Volvo XC60.
The Volvo XC60’s new engine gives you six-cylinder performance with four-cylinder
economy of 62.8mpg combined. And all from a premium Sports Utility Vehicle which
combines comfort and style.
Today, a partnership between the ICAEW and Volvo means you can benefit from a hugely
valuable offer – as well as servicing, finance and accessory deals – at your local Volvo
dealership Get the inside story on offers across the full Volvo range now.
Find out how much you could save at
icaew.com/memberrewards/volvo or call the
Volvo Car Business Centre on 08444 905 203
MEMBER
REWARDS
PARTNER
Fuel consumption for the Volvo Range in MPG (l/100 km): Urban 18.6 (15.2) – 74.3
(3.8), Extra Urban 34.9 (8.1) – 91.1 (3.1), Combined 26.4 (10.7) – 155.2 (1.8).
CO2 emissions 249 – 48g/km. MPG figures are obtained from laboratory testing and
intended for comparisons between vehicles and may not reflect real driving results.