When an auditor has been the engagement partner for an audit client for 10 or more years, the Ethical Standard for Auditors (Ireland) (ES) suggests that there is a risk to the auditors’ independence and objectivity arising from this long association.
It’s a common misconception that the only options are audit firm rotation or an external audit file review
In the case of unlisted clients, the ES requires that the auditor considers its position and applies safeguards to reduce the threats from long association to a level where independence would not be compromised. (There are different rules for listed clients.)
Standard wording
There is a common misconception that in the case of a sole practice, the only available options for long association risk are audit firm rotation or to have an external audit file review performed by another auditor.
The 10-year anniversary of an unquoted company audit is a reflection point
However, this is not correct. Paragraph 3.4 in the ES lists four possible safeguards, but it is important to note the use of the word ‘may’ rather than ‘must’ or ‘should’, and to recognise that this is not a throwaway use of these words.
The ES does not use ‘must’ or ‘should’ and therefore the list of four possible safeguards in paragraph 3.4 is an example list and not exhaustive – other options are available. The Irish Auditing and Accounting Supervisory Authority (IAASA) uses the words ‘must’, ‘should’ and ‘may’ very carefully, and auditors should not read more into a word’s meaning than was intended by the standard’s author.
The 10-year anniversary of an unquoted company audit is a reflection point, requiring the auditor to reflect on their long association risk and to document both the reflection and the approach that the auditor plans to apply to manage this risk
Managing risk
The risk can be addressed by the rotation of the engagement partner or responsible individual (an employee holding statutory audit status), rotation to a different audit firm or external file reviews as per paragraph 3.4, but it can also be a consultation and review or may require no action/safeguard.
The ES also requires that the firm discusses and agrees the safeguards with the audit client and documents this discussion and agreement.
In many cases there will be no threat to independence or objectivity arising from long association
A consultation and review is a discussion with another auditor on the possibility that an independent third party might question an auditor’s independence and objectivity because of the long association risk.
In many cases there will be no threat to independence or objectivity arising from long association and, therefore, no safeguards are required.
In some cases, perhaps where there may also be fee dependence issues or there are particularly complex judgements to be made where there are threats, the only appropriate safeguards might be audit engagement partner rotation, rotation to another audit firm or hot file reviews.
Documentation is key
The key, as with all audit requirements, is to document the potential risks, to document the reason why a particular safeguard is appropriate and to document the discussion and agreement of the client to the proposed controls.
When drafting the firm’s International Standard on Quality Management manual, a practice needs to ensure that the manual allows the firm to consider safeguards other than just external file reviews or audit partner rotation. Some proprietary audit quality manuals automatically default to external file reviews only.
The manual also needs to allow the firm to consider a consultation and review or the option of not applying any controls in appropriate circumstances. Any long association safeguards would need to be set in the context of the existing safeguards over matters such as the provision of non-audit services and to include, for example, cycle reviews of completed audit engagements.