|DATE||Dec. 9, 2011|
|Daniel L. Goelzer, Board Member|
|EVENT:||IFIAR Roundtable on Financial Institution Risk Disclosure|
I. The Role of IFIAR
The International Forum of Independent Audit Regulators was established in 2006. Membership is open to regulatory agencies that are independent of the auditing profession and that are engaged in auditor regulatory functions in the public interest. In particular, IFIAR members are responsible for the system of recurring inspection of audit firms in their jurisdictions. IFIAR currently has 41 members.
IFIAR members share the common goal of improving audit quality globally. IFIAR's activities include —
IFIAR accomplishes these objectives through six working groups, semi-annual plenary meetings, annual inspections workshops, and external communications.
While IFIAR members have regulatory authority within their own jurisdictions, IFIAR is not itself a regulator. IFIAR is also not a standard-setting body. The disclosure requirements, accounting principles, and auditing standards governing financial reporting and auditing are established by the laws of each jurisdiction. Auditors in many, but not all, IFIAR member jurisdictions apply the International Standards on Auditing (ISAs), which are promulgated by the International Auditing and Assurance Standards Board (IAASB). IFIAR is a member of the Monitoring Group, a group of regulatory and international public interest organizations that monitors activities of the Public Interest Oversight Board, which, in turn, oversees the public interest activities of the IAASB.
II. The Role of the Auditor in Reviewing Risk-Related Disclosures
The responsibilities of auditor oversight bodies for risk disclosures are linked to the responsibilities of the auditors they oversee. In broad terms, the role of the auditor is to perform audit procedures sufficient, under the applicable auditing standards, to permit the auditor to express an opinion on whether the financial statements of the reporting company are presented fairly in accordance with the applicable accounting framework, such as International Financial Reporting Standards (IFRS) or U.S. Generally Accepted Accounting Principles (U.S. GAAP). Disclosure requirements originate in the accounting framework and in any applicable legal requirements, such as the securities laws. Preparation of the financial statements, including compliance with disclosure requirements, is initially the responsibility of the reporting company's management.
If the applicable accounting framework requires disclosure in the financial statements of information relating to risk, the auditor must audit that disclosure, like any other aspect of the financial statements. Both IFRS and U.S. GAAP require certain disclosures related to financial instruments. The auditor must perform procedures to test such disclosures. If the auditor determines that such disclosures are materially incomplete or inaccurate, he or she cannot issue a clean opinion.
Financial institutions and other reporting companies may also disclose information relating to risk exposure outside of audited financial statements, such as in reports that include the financial statements, in interim reports and press releases, or in other documents. For example, the management's discussion and analysis (MD&A) required in U.S. securities filings must include discussion of liquidity, capital resources, results of operations, off-balance sheet arrangements and contractual obligations. With respect to other information included in documents containing the financial statements, both the ISAs and PCAOB standards impose a limited obligation on the auditor: The auditor should read the other information and consider whether the information, or the manner of its presentation, is materially inconsistent with information appearing in the financial statements.
The Appendix to this paper summarizes information prepared by IFIAR members in eight jurisdictions describing the responsibilities of auditors for reviewing risk-related financial institution disclosures and steps taken to enhance auditor compliance with these requirements since 2007.
III. Initiatives to Expand Auditor Disclosure Responsibilities
Several key regulatory and standard-setting bodies are considering ways of expanding the scope of the auditor's reporting responsibilities. These initiatives arise from dissatisfaction expressed by users of financial statements concerning the lack of information that auditors were required to provide about the risks and uncertainties faced by major financial institutions in the run-up to the 2008 economic crisis. While the various auditor reporting proposals and alternatives under discussion extend beyond financial institution risk disclosure, below is a high level overview of how the three major reporting model projects might affect risk disclosures.[*]
A. IAASB Consultation Paper
On May 16, 2011, the IAASB issued a consultation paper entitled "Enhancing the Value of Auditor Reporting: Exploring Options for Change." The paper lays out options to close a perceived "information gap" and states that some investors and analysts believe that the auditor could report on "key business, operational and audit risks the auditor believes exist" as well as on the "quality and effectiveness of the governance structure and risk management." The paper seeks views about types of additional information that could be included in the auditor's report and on the prospect of the auditor providing insight about the quality of entity financial reporting.
B. PCAOB Concept Release
On June 21, 2011, the PCAOB issued a concept release which discusses alternative ways of expanding the auditor's reporting model. Three of those alternatives could result in expanded information or assurance regarding risk.
C. EC Proposal
On November 30, 2011, the European Commission proposed a series of new requirements regarding statutory audits of public interest entities. Under the proposal, the content of the audit report disclosed to the public would be expanded to include an explanation of key areas of risk of material misstatements in the financial statements, a going concern assessment, and whether the audit was designed to detect fraud. In addition, the auditor would be required to prepare a more detailed report for the audit committee. This report would explain judgments about material uncertainty that may cast doubt about the entity's ability to continue as a going concern and on the findings of the audit with the necessary explanations. The expanded audit report could not be longer than four pages or 10,000 characters.
IV. The Role of Auditor Oversight in Risk Disclosure
IFIAR members have a strong interest in the responsibilities of auditors with respect to financial institution risk disclosures and in any changes in those responsibilities.
Appendix — Summary of Selected Responses From IFIAR Members Related To Auditor Responsibility For Risk Disclosure
Note: The Appendix is non-public and is not included with the version of this paper posted on the PCAOB's website.
[*] Several countries already require auditor's reports to include additional information. For example, in Germany, auditors of public companies are generally required to issue a long-form auditor's report, discussing matters such as the company's economic position and trend of business operations and the nature and scope of the auditor's procedures. Additionally, French law requires the auditor's report to contain a "justification of the auditor's assessments." The auditor is required, in an explanatory paragraph, to explain the procedures the auditor performed with respect to relevant areas of the audit, such as accounting policies, accounting estimates, and overall presentation of the financial statements. Each justification of the auditor's assessment must reference a specific disclosure contained in the audited financial statements.