In today’s complex audit landscape, ethical compliance isn’t just a box to tick - it’s a business-critical safeguard. A recent FRC ruling against a Big 4 firm highlights how even indirect breaches by component auditors can result in substantial penalties.
If your audit teams rely on third-party auditors, this article is a must-read. It breaks down the case, the missed red flags, and what you can do to protect your firm from similar risks.
The FRC's recent fining of a Big 4 firm ('the Firm') relating to its statutory audit of a PLC and its wider corporate group illustrates the importance of adherence to ethical standards. The FRC did not call into question the quality of the audit work conducted, but both the Firm and its audit engagement partner received significant fines for not spotting that an entirely separate component auditor firm, auditing an associate entity within the corporate group, had not complied with the 2019 Ethical Standards.
Background
The Firm performed the statutory audit for the parent company ('PC') of a corporate group operating in the agriculture and engineering sectors, for the 2021 financial year (FY21). PC was a FTSE listed company and a Public Interest Entity ("PIE"). The FY21 financial statements were prepared as group financial statements and incorporated the financial results of subsidiaries, joint ventures and associates of PC. These included an associate company ('AC'), which was audited by a separate firm, known as Firm X.
There were some 30 components in the group audit, nine of which were assessed as being significant. AC was a financially significant component in the group because it contributed more than 5% of Profit before Tax from Continuing Operations (“PBTCO”). In FY21, AC was audited by Firm X and therefore it was the “component auditor” on whom the Firm were to rely. The other significant components of the group were audited by the Firm.
AC was a “material subsidiary” and this meant Firm X's audit partner was a "key audit partner" for the purposes of applying the 2019 Ethical Standard ("the standard").
Paragraph 1.47 of the standard provides:
"1.47 In order to use the work of another firm (including network firms) for the purpose of an engagement, the lead firm for the engagement has to obtain sufficient appropriate evidence and be satisfied that such another firm is independent of each entity relevant to the engagement in accordance with supporting ethical provision 2.4 of this Ethical Standard."
This in turn cross-refers to paragraph A2.4 of the standard which provides:
"A2.4 For each engagement, the firm and the engagement partner (in the case of the engagement partner insofar as they are able to do so) shall ensure that the firm’s independence is not compromised as a result of conditions or relationships that would compromise the independence of a network firm (whether or not its work is used in the conduct of the engagement) or another firm whose work is used in the conduct of the engagement, having regard to the ethical requirements in this Ethical Standard that are relevant to the engagement."
In practice, this meant that every component auditor relied upon by the Firm had to meet the independence requirements of the ethical standards for a PIE audit, even though the smaller component entity (AC) was not itself a PIE.
Firm X did not meet the standard in three important respects:-
- Firstly, the audit partner at Firm X had audited AC for more than five years
- Secondly, Firm X also "prepare[d] current or deferred tax calculations that are or may reasonably be expected to be used by the relevant entity when preparing accounting entries"
- Thirdly, in FY21 Firm X provided services to AC that included the preparation of its statutory accounts. These amounted to “accounting services” under the standard
All of these activities meant that Firm X was not in compliance with the standards for a PIE or listed entity, and so the Firm should not have relied upon Firm X's audit work.
Group Audit Instruction ("GAI") – opportunities missed?
In preparation for the audit, the Firm sent a GAI to Firm X but this wrongly referred to the old ethical standard, prior to 2019, and so did not refer to the five year key audit partner limitation or the prohibited non-audit services.
The Firm also considered the component auditor's independence and also raised questions from a "Second line of defence" reviewer, but missed the issues later identified. The Firm knew that Firm X was providing non-audit services to AC, and that it had also provided non-audit services to AC in the two preceding years, but the Firm did not inquire further as to their nature, or query whether that prevented compliance with the Standard.
The issues were identified by the successor auditor, Firm Y, when it took over from the Firm and began its audit work.
Sanctions
The Firm was fined £1.25m and its engagement partner was fined £70,000. The fines were significantly reduced to £690,625 and £38,675 respectively to reflect their exceptional co-operation by self-reporting the breaches of the standard, their admissions of non-compliance and their prompt and early settlement. The Firm also received a non-financial sanction requiring it to review representative samples in relation to PIE audits involving component auditors and report to the FRC on compliance with the independence requirements of the standard.
Caused by a change in the ethical standards?
The FRC noted that FY21 was the first year requiring compliance with the 2019 Ethical Standard when conducting a statutory audit. It is very possible that the new standard, and specifically the enhanced independence requirements, may have caused confusion and may have caught the auditors out in this instance.
Standing back, it perhaps seems harsh that the Firm was significantly sanctioned by the FRC for an apparent failing by the component auditor to spot that it did not itself meet with the recently revised standards. The FRC was careful to make clear that it did not, other than the ethical breaches identified, identify any issues with the audits. But rules are rules.
A new FRC Ethical Standard came into force from 15 December 2024 and it is likely this will throw up further issues for firms conducting PIE audits, especially with component auditors. It seems clear that the burden on PIE/listed auditors to check not only their own compliance with ethical requirements, but also those of all the component auditors in a group, can be a complicated one. Auditors need to be extra vigilant whenever working alongside and relying on any third party contributing to group audits, and follow procedures to verify their independence and ensure ethical standards have been complied with.
