The auditing of financial institutions has changed little over many decades, but the combined forces of post-financial crisis regulatory reform and digitisation are transforming the audit world, writes Heather McKenzie.

Isabelle Santanec

One of the questions asked in the immediate aftermath of the financial crisis was whether auditors were 'the dogs that didn’t bark', signing off on financial statements of institutions that later collapsed. To address these concerns, the European Commission (EC) has introduced new rules on statutory audit, which became applicable throughout the EU on June 17, 2016.

The reform aims to improve audit quality and restore investor confidence in financial information, an essential ingredient for future investment and economic growth, says the EC.

The main objectives of the reform are to:

• Ensure further transparency on the financial information of companies;

• Provide statutory auditors with a strong mandate to be independent and exert professional scepticism;

• Contribute to a more dynamic audit market in the EU; and

• Improve the supervision of statutory auditors and the coordination of audit supervision by competent authorities in the EU.

The power of knowledge

Key measures include increasing the informational value of the audit report. For example, differentiation has been made between public interest entities (PIEs) and non-PIEs. PIEs are defined as all companies listed on an EU-regulated market and unlisted banking and insurance companies and groups, unless they are small.

The audits of PIEs will be required to report on key areas of risk of material misstatement of the annual or consolidated financial statements. In addition, statutory auditors must explain the extent to which the statutory audit was considered capable of detecting irregularities, including fraud.

The audit committee has been strengthened, with requirements for members to be independent and to have competence in the relevant sector. The committee will appoint the statutory auditor, or the audit firm, and will monitor the statutory audit, as well as the performance and independence of the auditor.

Some financial institutions have used the same auditor for 50 years or more, and it is suspected that such a long-standing professional relationship could undermine an auditor’s independence. The EC believes mandatory audit firm rotation will help reduce “excessive familiarity” between the statutory auditor and its clients, limit the risks of carrying over repeated inaccuracies and encourage “fresh thinking”, thus strengthening the conditions for genuine “professional scepticism”. PIEs will be required to change their statutory auditors at least every 10 years. 

Level playing field

The amended directive also encourages the development of a level playing field for audit firms at EU level to foster “more dynamic and open audit markets”. It established a ‘European passport’ for audit firms to facilitate cross-border mobility within the EU and strengthen the single market for audit.

“We expect the EU’s reform to create a more robust audit process that enhances the quality of statutory audits in Europe,” says one EC official. “Several of the key elements of the reform should enhance audit quality, including stronger public oversight of auditors, a stronger role for audit committees, more stringent requirements to promote the independence and professional scepticism of auditors and extended reporting by auditors.”

Vincent Roty, EY partner and audit innovation leader for Europe, the Middle East, India and Africa (EMEIA) financial services, says: “The financial crisis and the regulatory response to it, such as the EU audit reforms and the changing public expectations of financial services, indicate that the time is right to reconsider the purpose of an audit. Audit is becoming less likely to be viewed as a compliance activity. Today, the expectation is that audits should provide a level of comfort to all stakeholders, which include shareholders, regulators and the public.”

This change in perception is important, he adds, because it will enlarge the scope of the audit to provide assurance not only on the financial statements, but also on other areas such as risk and valuation techniques. 

As increased responsibility is placed on audit committee members and non-executive directors, they will ask how they can better challenge management of financial institutions, says Mr Roty. “This opens an opportunity for trusted third parties to add value to the audit process. Such third parties can provide insights into best practice in the industry and provide benchmarks, while maintaining client confidentiality.”

Melanie McLaren, executive director for audit and actuarial regulation at the UK’s Financial Reporting Council (FRC), agrees that corporates are no longer viewing audits as solely compliance exercises. “There is now a focus on assurance and its value. Companies want to make sure they have quality assurance, therefore boards and audit committees realise they have to pay more attention to the quality of the auditor they have; it is not just a utility,” she says.

Digitisation impact

As the regulatory reforms to the audit process begin to influence long-established practices, the digitisation of financial services is further changing the audit landscape. 

With the implementation of digital technology and big data systems, analysis can be undertaken on entire portfolios and data sets, rather than just a selection as is the case with sample-based audits, says Mr Roty. For example, the time saved in being able to automate parts of the audit will enable more value-added tasks to be undertaken, such as analysis, insights and Basel III model benchmarking.

“Greater assurance can be provided about what a bank’s management says about its risk appetite and conduct throughout the group,” he adds.

There is also growing demand for forward-looking audits and for discussions with management and the board of directors about emerging risks such as cyber and data security and quality. “The expectation is that auditors will provide a view on that, comparing the institution with others and assessing whether the risks are properly addressed in the statements,” says Mr Roty.

Blockchain breakdown

Innovative technologies, such as blockchain, have strengthened the argument for ‘continuous audits’. A continuous audit enables independent auditors to provide written assurance on a subject matter, for which an entity’s management is responsible, using a series of auditors’ reports issued virtually simultaneously with, or a short time after, the occurrence of events underlying the subject matter. 

Professor Dr Leen Paape, dean of Nyenrode Business Universiteit in the Netherlands, believes blockchain will reduce the need for traditional auditors and open the way for other skills to be included in an audit team.

“This won’t happen overnight, but technology will help audits and lead to continuous monitoring. Data scientists will be required in an audit team to assure that the data is correct,” he says. He believes the annual report will be obsolete in the next five to 10 years, replaced by continuous monitoring. 

Hugh Harper, strategy and operations leader for EMEIA financial services at EY, says at present continuous audit validation, particularly with blockchain, is conceptual. Like Mr Paape, he believes any change will be “an evolution, not revolution”.

Mr Harper believes that with new technology, some form of continuous monitoring and verification will occur alongside the core business system controls of the audit. However, when making longer term audit appointments today, the medium-term evolution in audit scope, practice and disciplines and an audit team’s ability to lead and adapt in this environment are new considerations for audit committees.

The audit of the future

In seeking to make financial institutions more transparent, financial regulators have created a paradox as audits become much more complex, says Mr Paape. “In demanding that financial institutions become more transparent, we may create all types of systems that will make it very complex so that people at large don’t understand what is in the audit report,” he says. 

He cites the International Financial Reporting Standard 9 (IFRS 9) regulation that was recently endorsed by the EC. The reporting standard is mandatory from January 1, 2018 and comprises classification and measurement, impairment and hedge accounting. Unlike hedge accounting under IAS 39, the new standard enables companies to better reflect their risk management activities in their financial statements. 

“Auditors should not just ensure the annual report is more helpful for stakeholders, I would like to see them also ensure the information is more relevant; they should look at the company as a whole,” says Mr Paape. An alternative is to audit ‘in control’ statements that describe the risk management and control systems of organisations. This, however, would involve a lot more work on the part of the auditor, he says.

A question of value

Isabelle Santenac, assurance services leader for EMEIA financial services at EY, says there is a big difference between the market value and book value of financial services firms, which suggests the markets are pricing risk or intangibles that are not at present part of financial statements and therefore not audited. “We believe there is a need to deliver broader assurance on elements that are not reflected in financial statements, but are important for stakeholders, in particular in financial institutions,” she says.

For example, the regulatory capital ratios set out in the Capital Adequacy Directive are important measures but are not part of an audit review. “The capital, liquidity and leverage ratios are more important for investors and regulators than the pure financial statements,” says Ms Santenac. 

Regulators focused on these ratios following the financial crisis as they sought to strengthen the capital and liquidity of banks. In turn, banks have had to significantly change the way they manage their capital and liquidity. For auditors to remain relevant, says Ms Santenac, they must assess and provide assurance on matters that are important to stakeholders, which includes investors, regulators and the general public. 

The EC official says the regulator is aware there is a debate about an “expectations gap” in audits. “Certainly, auditors must thoroughly understand the audited entity’s business model, risk appetite and so on. This is particularly important for audits of financial institutions. However, the audit remains focused on the financial statements," the official adds.

“Having said that, the extended audit report and the additional report to the audit committee required for PIEs require that auditors address a broad range of relevant matters, including significant risks of material misstatements, an assessment of valuation methods applied to items in the financial statements and a report on any deficiencies in the audited entity’s internal financial control system.”

Forward looking

Accounting standards such as IFRS 9 are encouraging auditors to take a more forward looking view of credit risks, for example, which will require auditors to include more credit risk specialists in their teams. “The trend in audit is to broaden assurance, going beyond the financial statements,” says Ms Santenac.

Ms McLaren also cites the more forward-looking element of audits as important. “Audits are not done in a vacuum and the issue to be addressed is whether an auditor is looking at the right things, particularly non-financial aspects. The concept of strategic reporting has emerged as stakeholders not only need historical information in the financial statements, but also on a company’s prospects,” she says.

The FRC, through its UK Corporate Governance Code, has introduced a requirement for directors to provide a viability statement that sets out how long they reasonably expect the business to be able to set its liabilities as they fall due. For banks there are special considerations and so the FRC has developed supplemental guidance. There have also been other reporting developments to promote more transparency between audited financial statements and the reporting tied to capital adequacy.

“The regulatory Pillar Three information is in the public domain but there is no obligation for it to be audited. However, an auditor must make sure that information is consistent with the understanding it has gained through auditing the financial statements,” says Ms McLaren.

Transforming the audit market

Until a few years ago, there was not really an audit market – the level of rotation of audit firms was low and usually stimulated by a merger and acquisition event or for some independence issue. Regulatory reforms, digitisation of the financial services business model and greater social interest in financial services firms are beginning to reshape the nature of the assurance sector.

Mr Harper says “almost overnight”, stakeholders and clients have placed a greater focus on the audit selection and design. Efficiency and transparency are being improved and there has been a “maturing of understanding” of what firms want in an auditor and how to “buy” an auditor.

He adds: “In 10 years, an audit will look very different to what it does today because business systems are changing, as is the nature of risk that is being evaluated in an audit. This will require a new set of disciplines in audit teams, covering areas such as cyber risk and data science. Audits will become even more multi-disciplinary, expertly architected to combine broad skills and expertise. The days of the generic audit and general auditor are truly becoming a thing of the past.”

The EC official says the retendering and rotation has forced auditors to rethink how they deliver value and quality to their clients, adding: “Audit committees bear an important responsibility to ensure that the new audit legislation works as intended. They need to act as the guardians of the auditor’s independence and ensure that auditors can effectively perform their duties. Many large financial institutions have long-standing and professionally run audit committees but this is not yet the case for all financial institutions.”


All fields are mandatory

The Banker is a service from the Financial Times. The Financial Times Ltd takes your privacy seriously.

Choose how you want us to contact you.

Invites and Offers from The Banker

Receive exclusive personalised event invitations, carefully curated offers and promotions from The Banker

For more information about how we use your data, please refer to our privacy and cookie policies.

Terms and conditions

Top 1000 2023

Request a demonstration to The Banker Database

Join our community

The Banker on Twitter