Quality Assurance and Public Oversight in Latin America and Workshop on enhancing audit quality in FRTAP countries, 9 10 December 2013, Vienna Héctor J. Alfonso
Quality assurance and the need of public oversight Quality control internal activities have existed as from the moment the partners of audit firms realized they had to depend on other individuals to carry out the majority of audit procedures. QC (executed before the issue of audit reports) eventually became mandatory (e.g. CVM rules in Brazil, ISA 220). In addition, corporate legislation in most LA countries requires the implementation of supervisory boards to look after the shareholders interests and audit committees. The work of these groups represent a contribution to QC activities 2
Quality assurance and the need of public oversight (2) The need to make sure that quality standards were met evolved into a systemic concept (policies and procedures) that includes post-issue reviews of engagements. All this was subsequently incorporated as QAS into the professional standards (e.g. ISQC 1.48 and ISA 220) and into securities legislation in certain countries (e.g. Brazilian CVM rules). Local, regional or international QA programs, are common practice in LA in network or large regional firms. Non public oversight conducted by third parties, the so called peer reviews, is present in Brazil (inspired by US practice) and became a sort of bridge towards POS. 3
Quality assurance and the need of public oversight (3) Peer reviews have been conducted under professional rules in Brazil since 2003 but they have been criticized (high cost for second and third tier firms, possible cases of independence impairment and inadequate execution in certain cases). Professional self-regulation and all the above mechanisms were not enough to impede certain voluminous and many smaller audit failures that led IOSCO to recommend and lawmakers and regulators of various countries to create independent, powerful oversight bodies. (2003) and Brazil (2009) followed this trend. 4
Why quality assurance and public oversight? Who does what? How do they work together? Brazil Peer reviews conducted under the supervision of CRE (an arm of the CFC the professional regulatory body) since 2002. Apply to all audit firms and individual practitioners. Based on previous experience but covering all firms and practitioners over periods of 4 to 6 years. The POS applies to auditors of listed companies and CVM may include detailed engagement reviews as considered necessary. CRE reports the results of peer reviews to CVM and its parent entity, the CFC. The involvement of non-cpa professionals in POS is limited. 5
Why quality assurance and public oversight? Who does what? How do they work together?(2) QAS reviews are internal. No peer reviews are customarily conducted. However, CPAB inspections normally include detailed reviews of individual engagements documentation tantamount to what peer reviews would cover. The creation of CPAB in 2003 provided the nucleus of POS and was prompted by the high interaction of with the US markets. It incorporated the model of POS governance by non- CPA practitioners. 6
Legal framework of public oversight in Brazil and The Canadian Public Accountability Board - CPAB Not-for profit corporation established under the Corporations Act to promote high quality audits reporting issuers (listed companies) Independent from selfregulatory arrangements of the accounting industry Brazil Securities Commission (CVM) Autarchic agency created to supervise the stock markets with authority on accounting and audit matters related to listed companies Independent from selfregulatory arrangements of the accounting industry 7
Other Latin American countries Argentina: Some efforts are being made to start working on a POS model. Chile: Certain major deficiencies in audits of listed companies have led the SVS to initiate a review program. Still in early stages. Colombia: The Central Bank reviews the compliance with information requirements and has significant enforcement power. However, limited to the financial environment. México: Process of QA still highly dependant on profession self-regulation. 8
Oversight governance structure Council of Governors. 4 members of the securities commissions and 1 professional accountant with POS experience. Board of Directors. 11 members. 4 or 5 must be professional accountants and another 2 must have oversight professional experience. Staff composed of 20-25 inspection personnel and 1-2 registration individuals Superintendency of External Oversight. One superintendent. Supervisory staff. Human resources with experience in supervision of specific aspects of listed companies and risk management. Number determined according to circumstances. Experience is built up through formal and on-thejob training. 9
Scope of activities Registration of auditors of listed companies Inspection Reporting Enforcement and sanctions Registration of auditors of listed companies Inspection Enforcement and sanctions 10
Funding Fees paid by participating firms (163 Canadian and 133 foreign) Initial participation fees of $1,000 Investment income (not significant) Total income (fully applied to cover costs) $ 16 million Part of CVM budget is allocated to the relevant superintendency, as necessary (and possible) Total income and costs not disclosed 11
Overview of the inspection system Participants (audit firms) auditing 100+ reporting issuers - every year. These are the Big 4 which audit 98% of issuers Those issuing 50-99 reports at least every 2 years. Less than 50 every three years A risk-based approach is used to identify firms to be inspected on a non annual basis Inspections are made on the basis of a risk-based supervision model SBR adopted in 2012 104 firms segmented in connection with 4 risk events identified as the most recurrent in past reviews: continuing education, audit deficiencies, inadequate reports, peer review results 12
Scope of inspection Review of policies and procedures related to: Leadership responsibilities for quality in the firm Independence and ethics Client acceptance and continuance HR/professional development Engagement performance and documentation Quality monitoring Similar but with emphasis on detected risk areas: Continuing education Audit performance deficiencies Inadequate reports Results of peer reviews 13
Scope of inspection (2) CPAB tests compliance with the above policies and with standards established by professional bodies. Action taken similar but related to the areas of emphasis mentioned above. Also reviews the files which support the opinions given of the F/S of the issuers 14
Enforcement/discipline Findings, observations and recommendations or requirements are communicated to firms inspected which have 180 days for implementation of remedial action. If violations are detected and not remedied within the timeframe indicated by the CVM, sanctions such as fines (the most common), suspension of professional privileges or termination thereof. In case of failure to take remedial action or if any other violation event is discovered restrictions or sanctions may be applicable 15
Enforcement/discipline (2) Requirements include steps such as additional professional education, enhancement of or implementation of policies in line with standards. Restrictions normally involve prohibitions to accept new engagements or to assign certain designated professionals to a particular engagement. Sanctions can take the form of public censure, fines or the termination of the firm s status as a participant. 16
Reporting the results of inspections CPAB issues two types of reports: Private reports sent to each firm reviewed including findings, recommendations and/or requirements. Firms are supposed to notify security regulators about eventual restrictions or sanctions. Annual public reports to disseminate the results in a general way. No names of specific firms are mentioned No general or individual reports are made. Specific departures from rules, violations, if any, are communicated to the relevant firms together with remedy requirements or sanctions. SBR biennial plans are made public in the CVM site. 17
Cooperation with international regulatory and oversight bodies The European Commission approved CPAB s equivalence in 2010 and it works closely with PCAOB performing some joint inspections. CVM has informed that it has recently obtained recognition (equivalence) from the European Commission. 18
Implementation success, criticisms Canadian QAS/POS activities, have been regarded as generally successful. Reasons may be linked to a disciplined environment, a good quality profession, the existence of high caliber staff to carry out the Board s tasks and adequate funding. Some further refinements are considered necessary: Evolution of compliance to regulator mindset More focus on root-cause analysis Further stakeholder engagement More timely reporting to stakeholders Judicious transparency rather than confidential disclosure Opacity rather than transparency in reporting. Tendency to punishment rather than education PIE s audits may be left out of the program (if they are not listed companies certain large companies, banks or other financial institutions, NGO s are not reached) The concept of knowledge management is confined only to continuing education aspects 19
Differences Target Item CPAB CVM PCAOB SAD Audits of listed companies Audits of listed companies Audits of listed companies Statutory audits Framework Law Law Law Country law Governance Majority of non-cpa s Largely CPA s Majority of non-cpa s Non-practitioners Responsibility Registration, inspection, investigation reporting and enforcement Registration, inspection investigation and enforcement Registration, establishment or adoption of standards, inspection, investigation and enforcement In each country, oversight of registration of statutory auditors, adoption of standards and disciplinary systems QAS reviews Yes Yes Yes Separate system Funding Fees paid by firms Budget allocated Amounts levied on issuers Expected to be adequate and free from any influence Frequency >100 - annual 50-99 2 years <50 3 years Risk based >100 annual <100-3 years QA reviews at least every 6 years (3 for PIE s) PIE s No Included in peer reviews Included in peer reviews Yes 20