Abstract
Purpose
This rich descriptive study examines auditors' client risk assessment (i.e. “key audit matters”/critical audit matters) disclosures in expanded audit reports of 328 Financial Times Stock Exchange (FTSE) 350 companies. The study compares auditor-identified client risks with corporate risk disclosures identified in audit committee reports, in terms of number and type of risks. The research also compares variation in auditor-identified client risks between individual Big 4 audit firms. In addition, the study examines auditor ranking of their client risks disclosed.
Design/methodology/approach
The study manually content analyses disclosures in audit reports and audit committee reports of a sample of 328 FTSE-350 companies with 2015 year-ends.
Findings
Audit committees identify more risks than auditors (23% more risks). However, auditor-identified client risks and audit-committee-identified risks are similar (80% similar), as are auditor-identified client risks between the individual Big 4 audit firms. Only ten (3%) audit reports rank the importance of auditor-identified client risks.
Research limitations/implications
Sample is restricted to one year, one jurisdiction, large-listed companies and companies audited by Big 4 auditors.
Practical implications
The study provides important insights for regulators, auditors and users of financial statements by identifying influences on disclosure of auditor-identified client risks.
Originality/value
The paper mobilises institutional theory to interpret the findings. The findings suggest that auditor-identified client risks in expanded audit reports may demonstrate mimetic behaviour in terms of similarity with audit-committee-identified risks and similarity between individual Big 4 audit firms. The study provides important insights for regulators, auditors and users of financial statements by identifying influences on disclosure of auditor-identified client risks.
Keywords
Citation
Dwyer, K.-A.M., Brennan, N.M. and Kirwan, C.E. (2024), "Disclosure of auditor risk assessments in expanded audit reports", Journal of Applied Accounting Research, Vol. 25 No. 1, pp. 1-23. https://doi.org/10.1108/JAAR-07-2022-0181
Publisher
:Emerald Publishing Limited
Copyright © 2023, Karen-Ann M. Dwyer, Niamh M. Brennan and Collette E. Kirwan
License
Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) licence. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this licence may be seen at http://creativecommons.org/licences/by/4.0/legalcode
1. Introduction
Following the 2009 banking crisis, the United Kingdom (UK) Financial Reporting Council (FRC) considerably expanded auditor disclosures in audit reports to explain auditor planning judgements to investors/users. The FRC's objective was to improve the usefulness of audit reports by requiring auditors to include more meaningful information in expanded audit reports (FRC, 2015). The UK FRC was the first standard-setting body to require auditor risk assessment disclosures as follows:
the auditor’s report shall … Describe those assessed risks of material misstatement that were identified by the auditor and which had the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team (Paragraph 19A, FRC, 2013, p. 6).
The International Auditing and Assurance Standards Board (IAASB, 2015) and the United States (US) Public Company Accounting Oversight Board (PCAOB, 2017) followed, requiring similar auditor-identified client risk disclosures (which they term “key audit matters” (KAMs) (IAASB)/“critical audit matters” (CAMs) (PCAOB)) effective 2016 and 2020, respectively. Therefore, our UK auditor risk disclosure study provides evidence that may have a wider relevance internationally.
The UK Corporate Governance Code (FRC, 2012, C3.8) introduced a requirement that audit committees describe the significant issues that audit committees considered in relation to the financial statements. The requirement to disclose audit-committee-identified risks in the UK came into effect at the same time as expanded audit report requirements (i.e. October 2012).
A separate section of the annual report should describe the work of the committee in discharging its responsibilities. The report should include:
The significant issues that the committee considered in relation to the financial statements, and how these issues were addressed (FRC, 2012, p. 20).
We adopt the term “audit-committee-identified risks” to explain risks identified by audit committees in relation to the financial statements. We compare auditor-identified client risk disclosures and audit-committee-identified risk disclosures. We also compare variation in auditor-identified client risk disclosures between the individual Big 4 audit firms.
After the period of our study, the FRC (2016b, 2020) introduced a recommendation that:
The order of presentation of individual matters within the Key Audit Matters section is a matter of professional judgment. For example, such information may be organized in order of relative importance, based on the auditor’s judgment, or may correspond to the manner in which matters are disclosed in the financial statements (Paragraph A32, FRC, 2020, p. 15).
We assess whether, on a voluntary basis, auditors rank their auditor-identified client risk disclosures in terms of importance.
We hand collect auditor-identified client risk disclosures from expanded audit reports of 328 FTSE-350 companies with 2015 year-ends. We hand collect audit-committee-identified risk disclosures from audit committee reports for the same sample. To assess whether the picture changed, we examine ranking of risks for a more-up-to-date 2020 year-end sample and we find similar practices in 2015 and 2020 samples.
We find that auditor risk disclosures are similar to audit-committee risk disclosures suggesting that auditors may engage in mimetic behaviour (DiMaggio and Powell, 1983). This finding is important because too much disclosure alignment between client and auditor may undermine disclosure. We also find high levels of similarity between individual Big 4 auditor-identified client risks. We identify that few auditors rank their identified risks in their expanded audit reports. Without such ranking, the disclosure of auditor-identified client risks in expanded audit reports becomes less meaningful and the FRC's objective of improving usefulness to users may not be met (FRC, 2015).
We make three contributions to the prior literature. First, we conduct a more extensive descriptive analysis of auditor-identified risk disclosures than practitioner studies (Association of Chartered Certified Accountants (ACCA), 2018; FRC, 2015, 2016a). Our analysis is more in-depth than prior studies such as Kitiwong and Sarapaivanich (2020) (who study KAMs' number and type) and Liao et al. (2022) (who study KAMs' number, length and type). We believe our in-depth descriptive study contributes to the prior literature by highlighting details and nuances in auditor disclosures not considered heretofore. Second, Minutti-Mezza (2021, p. 571) calls for researchers to determine “the overlap and discrepancies between the expanded report and other company disclosures to pinpoint the new information provided by the auditor.” We examine how type of auditor-identified client risks compare with type of audit-committee-identified risks by company. Finally, Suttipun (2021) finds that KAM reporting (i.e. measured by word count) is positively associated with audit quality. We are therefore motivated to understand influences on KAM disclosures (e.g. audit committee reporting and individual Big 4 audit firms) which may indirectly influence audit quality.
1.1 Study context
In a US context, Burke et al. (2022, p. 1–2) acknowledge that differences in regulatory, capital markets and legal environments could lead to differences in implementing expanded audit report requirements. It is therefore important to consider the context of expanded audit report requirements. In the UK, the expanded audit report requirements were introduced under considerable political pressure on auditors and on the regulator, the FRC. This followed parliamentary enquiries into auditors' role in the banking crisis, multiple audit failures and pressure on the FRC for being weak and too close to the auditing profession. That pressure forced the regulator to appear proactive and strong by quickly introducing new regulations. The context was risky for auditors, as the regulations broke new ground with these disclosure requirements. There was not a lot of time for auditors to spend developing their approach to the new disclosure regulations. Burke et al. (2022, p. 9) comment that as the US was a late adopter, US auditors were aware of their affiliates' experiences in countries where the expanded audit report had been adopted and could prepare for CAM implementation. In the UK, auditors did not have a lot of time to prepare for the new regulations. Under such circumstances, we argue that the safest course of action for auditors was to normalise the disclosures by falling back on boilerplate disclosures. Kend and Nguyen (2022b) report that expanded audit reports were introduced in Australia and New Zealand on a voluntary basis. This voluntary disclosure context may explain why Kend and Nguyen (2022b) found PwC breaking ranks with the other three Big 4 firms. We contend that the risky context of early introduction of expanded audit reports, together with their mandatory nature, forced the Big 4 into adopting similar disclosures, a less risky position than any one of them breaking ranks.
We structure the remainder of our paper as follows. First, we outline our theoretical perspective in Section 2, drawing on institutional theory to explain disclosure. In Section 3 we discuss prior research on auditor-identified client risks. Then, in Section 4 we outline the research questions (RQs) and method. We discuss the findings in Section 5, and we offer conclusions and policy implications in Section 6.
2. Theoretical perspectives
While there are several theories explaining corporate disclosure, few theories explain auditor disclosures. Abraham and Shrives (2014) review two theories in prior research on corporate risk disclosure: proprietary costs theory and institutional theory. They consider the mimetic aspects of institutional theory to be relevant to risk reporting. Gray et al. (2011) highlight the relevance of institutional theory for researching audit reporting, especially the interactions between different parties (i.e. various stakeholders). They note the boilerplate nature of audit reports and comment that institutional theory designates such practice as coercive isomorphism. They recommend the application of institutional theory to offer new insights into audit reports. Several researchers have adopted institutional theory to explain auditor risk assessments/KAMs/CAMs, including Kend and Nguyen (2022b), Nguyen and Kend (2021), Pelzer (2021), Rahaman et al. (2022) and Rousseau and Zehms (2022).
Institutional theory (DiMaggio and Powell, 1983) posits that to gain legitimacy, organisations engage in homogenous behaviour arising from coercive isomorphism, mimetic isomorphism and normative isomorphism. Institutional theory, with its focus on conformity which is associated with survival, tends to suggest coercive and mimetic isomorphism. First, DiMaggio and Powell (1983, p. 156) state that “abrupt increases in uncertainty and ambiguity [such as when new regulations are introduced] should, after brief periods of … experimentation lead to rapid isomorphic change”. Regulatory reforms can act as coercive mechanisms thereby creating homogeneity in organisational field practices and processes (Cohen et al., 2008). Big 4 audit firms may feel coerced into copying their clients' risk disclosures. Second, Big 4 audit firms may copy each other's disclosures (termed mimetic behaviour by DiMaggio and Powell, 1983). Third, Big 4 audit firms may be tempted to mimic or copy others' risk disclosures especially where they are unsure how best to craft the disclosure. As DiMaggio and Powell (1983, p.151) state “Uncertainty is … a powerful force that encourages imitation”. If there are questions about legitimacy regarding risk disclosures, Big 4 audit firms may copy what might be seen as acceptable practices of respected or bellwether organisations to “maintain legitimacy and increase survival prospects” (Dillard et al., 2004, p. 510). For example, Dunne et al. (2021) find similar responses of eight Big 4 audit partners appearing at a public enquiry.
In interview-based research, Nguyen and Kend (2021) adapt institutional theory and institutional logics to new institutional sociology to explain how auditors have responded to audit report reforms requiring disclosure of KAMs. They argue that under new institutional sociology organisations are assumed to become isomorphic as they adapt to new institutional rules and regulations, to which they are expected to blindly conform to ensure legitimacy and survival. Kend and Nguyen (2022b) adopt institutional theory to explain difference in audit materiality disclosure practices between external auditors in Australia and New Zealand. They argue that the interplay between competing institutional logics explain differences in auditor disclosure practices, specifically stakeholder versus legalistic logics. Rahaman et al. (2022) adopt institutional theory to explain their findings that KAMs disclosures are industry related, concluding that in reporting KAMs, audit firms mimic their counterparts, causing them to sustain similar strategies and policies in an institutional context. Pelzer (2021) contrasts auditor public comments prior to the introduction of CAMs in the US with private comments made in 16 interviews. She finds that Big 4 auditors expressed support for the introduction of CAMs in public but in private they were critical of the proposed new auditing standard. She concludes that this divergence in Big 4 auditor views in public versus in private is explained by institutional theory's coercive isomorphism. She argues that audit reporting homogenisation reflects coercive isomorphism, arising from pressure from the regulator to comply with auditing standards. Such compliance provides organisational legitimacy. Rousseau and Zehms (2022) draw on institutional theory to understand how KAM reporting standards relate to legitimate audit-reporting practices. They observe that the KAMs' auditing standard represents the first significant change in audit reporting in over 70 years. They focus on individual audit partner style influences versus audit firm style influences on disclosure. They draw on literature which suggests that KAM reporting will be homogenous at the audit firm level. They outline that institutional theory suggests that organisations adopt practices that involve symbolic meaning and at the same time conformance with societal values to achieve legitimacy (Rousseau and Zehms, 2022, p. 10). However, they find that audit partners make unique KAM reporting judgements which counters concerns that audit firms yield boilerplate KAMs.
As our research: (1) compares auditor-identified client risks to audit-committee-identified risks and (2) examines variation between individual Big 4 audit firms, institutional theory, isomorphism and mimetic behaviour seems relevant to our study. Drawing from Gray et al. (2011), we apply institutional theory to auditor-identified client risks in expanded audit reports to recommend improvements for expanded audit reports in the hope that audit reports do not become boilerplate again.
3. Prior research
In this section, we examine the literature on auditor-identified client risks (the number and the type of auditor-identified client risks disclosed). We discuss literature comparing auditor-identified client risks and audit-committee-identified risks. We examine prior studies examining the variation in auditor-identified client risks by individual Big 4 audit firms. We then consider a paucity of literature on ranking risks.
Most studies of auditor disclosures, are limited to quantification of those disclosures in terms of number of disclosed risks (Bédard et al., 2019; Gutierrez et al., 2018; Lennox et al., 2022; Liao et al., 2022; Sierra-García et al., 2019; Zhang and Shailer, 2021). Other studies examine the readability of KAMs (Velte, 2019; Smith, 2021), the impact of KAMs on audit quality (Suttipun, 2021) and KAMs and auditor liability (Pratoomsuwan et al., 2020). We extend expanded-audit-report research by examining type (and not just quantity) of audit report disclosures. While Kitiwong and Sarapaivanich (2020) and Liao et al. (2022) study types of auditor-identified client risks, these studies do not conduct an in-depth analysis of the type of auditor-identified client risks disclosed.
Pinto and Morais (2019) and Sierra-García et al. (2019) examine the determinants (i.e. auditor and client characteristics) of the number of auditor-identified client risks (i.e. KAMs). Pinto and Morais (2019) find a positive association between disclosure of KAMs and disclosure of business segments, audit fees, precision of accounting standards and firm size; and a negative association between banks and the number of disclosed KAMs. They conclude that culture and institutional factors may influence auditors' judgements and decisions in disclosing KAMs. This leads us to question whether other factors, specifically audit committee disclosures and individual Big 4 audit firms, influence disclosure.
Few academic studies examine the type of auditor-identified client risks. Based on a sample of 1,019 audit reports of non-financial Hong Kong companies, Liao et al. (2022) examine whether 11 classes of auditor-identified client risks influence audit fees, audit quality or investors' reaction. They compare before-and-after companies' first issuance of the expanded audit report. Kitiwong and Sarapaivanich (2020) investigate whether type of KAMs impacts audit quality. They find weak evidence that such disclosures improve audit quality. In an Australian context, Kend and Nguyen (2020) compare whether the same KAMs are disclosed in 2017 and 2021. Kend and Nguyen (2022a) explore the disclosure of audit procedures relating to COVID-19 key audit risks [1]. Three practitioner studies analyse the type of auditor-identified client risks (ACCA, 2018; FRC, 2015, 2016a). ACCA's (2018) findings are drawn from an analysis of approximately 560 audit reports from nine jurisdictions. FRC (2015, 2016a) analyse the number, types of risks, generic/specificity/granularity of risk descriptions in the expanded audit reports of 153 and 278 UK listed companies, respectively.
3.1 Auditor-identified client risks versus audit-committee-identified risks
Managers may describe company risks as part of the strategic report (within the annual report). Directors describe company risks in the governance section of annual reports. Several studies examine managers' and directors' risk disclosures (Abraham and Shrives, 2014; Elshandidy and Shrives, 2016; Linsley and Shrives, 2005; Woods and Marginson, 2004). A common theme is that risk reporting is too generic. As discussed in Section 1, audit-committee-identified risks are the significant issues that the audit committees considered in relation to the financial statements (FRC, 2012, p. 20).
The objective of auditor-identified client risks (i.e. risks that require special audit consideration) and the objective of audit-committee-identified risks (i.e. significant issues that the audit committees consider in relation to the financial statements) (FRC, 2018) is different. Auditor-identified-client risks have “the greatest effect on: the overall audit strategy; the allocation of resources in the audit; and directing the efforts of the engagement team” (FRC, 2013, p. 6). We expect audit-committee-identified risks to be broader and more focused on the preparation of financial statements. However, overlap of auditor-identified client risks and audit-committee-identified risks is inevitable (FRC, 2016a: Gutierrez et al., 2018). Except for Gutierrez et al. (2018), few academic studies compare disclosure of auditor-identified client risks to audit-committee-identified risks. Gutierrez et al. (2018, p. 1557) compare number of auditor-identified client risks to audit-committee-identified risks. They do not compare type of auditor-identified client risks to type of audit-committee-identified risks. The FRC (2015, 2016a) compares the number of auditor-identified client risks and audit-committee-identified risks and performs some “subjective analysis” (FRC, 2015, p. 51). However, the FRC does not show how the type (i.e. topic) of risks compare. Hosseinniakani et al. (2022) compare auditors' disclosure of KAMs and managers' disclosure of significant accounting policies estimates for a sample of Swedish companies. They find a positive relationship between the number of items and risk-related words in auditor and management disclosures, which relationship is strengthened in firms with audit committees. Burke et al. (2022) study the changes in financial statement footnote disclosures following auditors referencing footnote disclosures in their CAMs. They conclude that heightened auditor interest in the footnote disclosures prompts management changes to those disclosures.
3.2 Variation in auditor-identified client risks by individual Big 4 audit firms
The FRC (2015, 2016a) records the number, the nature (i.e. generic/specificity/granularity) of risk descriptions and the average word count of audit-report risk sections by Big 4 audit firms but does not extend the analysis to a comparison of this data. Prior research has found variations in KAMs disclosures between Big 4 audit firms. In a study of UK FTSE-100 companies, Sierra-García et al. (2019) find that Deloitte, EY and KPMG report fewer entity-level-risk KAMs than PwC, while KPMG reports fewer account-level-risk KAMs than PwC. They conclude that the differences in findings could reflect different Big 4 audit practices or different client characteristics in terms of complexity and level of regulation/regulated industry. In an Australian study, Kend and Nguyen (2020) find PwC reports more KAMs per audit client than any other firm, with only EY close. They find that both firms are well above the Australian average, whereas KPMG and Deloitte are close to the Australian average. In terms of topics, both KPMG and PwC similarly report KAMs mainly on the “valuation of inventories,” “investment properties” and the “impairment of goodwill,” while Deloitte and EY report more on the “impairment of goodwill, other intangibles and non-current assets.” In an Australian study of COVID-19 KAMs, Kend and Nguyen (2022a) find a variation in KAMs reported between the Big 4. PwC reports the most KAMs, followed by EY and KPMG, with Deloitte an outlier reporting the least KAMs of the Big 4. They explain the variation in terms of difference in client characteristics such as industries impacted/not impacted by the COVID-19 pandemic. Rahaman et al. (2022) compare the number of KAMs disclosed by Big 4 auditor and the number of words in those disclosures. They find a divergent number of KAMs disclosed across the four firms. However, they find a similar number of words in KAMs disclosures within each individual Big 4 firm. They invoke institutional theory, specifically mimetic isomorphism, to explain their findings. Honkamäki et al. (2022) focus on Big 4 disclosure of KAMs relating to fair value in the real estate sector, finding significant differences between the Big 4 audit firms. They conclude that Big 4 audit firms are not homogenous in terms of their audit reports, suggesting that Big 4 auditors adopt varied audit practices in assessing real estate KAMs. As their sample comes from the European Union, Switzerland and Norway, they find variations depending on common-law versus civil-law countries. For an Australian sample, Bepari et al. (2022) find KPMG and Deloitte disclose significantly fewer KAMs, while PwC discloses significantly more KAMs compared with EY.
To conclude, the findings in the prior literature are ambiguous and contradictory in terms of whether Big 4 firms use unique audit procedures or whether they engage in mimetic behaviour in copying each others’ audit report disclosures. We would argue that audit inspections by regulators such as the UK FRC and the US PCAOB coerce the Big 4 to standardise their audit procedures to meet regulatory checks and oversight (i.e. the opposite of having unique audit procedures). Similarly, we argue that regulators coerce the Big 4 into boilerplate disclosures of each other and of audit committees.
3.3 Ranking risk
Research is limited on ranking risks. Some studies examine managers' (rather than auditors') risk disclosures. Jordan et al. (2013) consider ranking risks renders them more easily communicable and useful for agenda setting. Jordan et al. (2018) highlight the importance of ranking risk for decision-making. Brivot et al. (2017) question the methods used to rank risks, which would help in understanding risk management techniques and how firms adopt different rankings and value risks differently. Trussel and Patrick (2018) describe a risk-ranking system based on financial risk.
Turning to the ranking of auditor-identified client risks, we first consider general observations from independent reviews of auditing. There have been five independent reviews of the UK audit market since 2018, following a series of high-profile corporate failures. A common theme emerging from the independent reviews is that stakeholders do not understand the audit.
A number of witnesses said that the role and work of auditors are not sufficiently transparent and understood (House of Commons, 2019, p. 17).
At the heart of the [Brydon] Report lies the objective of making audit more informative to its users (Brydon, 2019, p. 6).
The ACCA (2018) examines auditor-identified risks in 560 audit reports for companies listed on the following stock exchanges: Brazil, Cyprus, Kenya, Nigeria, Oman, Romania, South Africa, the United Arab Emirates (UAE) and Zimbabwe. ACCA outlines that:
Roundtable participants could see that audit reports now contained much more information that was useful to readers. Nonetheless, there was some scepticism as to whether this information was presented in a useful way. (ACCA, 2018).
The FRC (2015) conducted a review of audit reports and describes the outcome of the Investment Management Association's (IMA) Auditor Reporting Awards. The judges commended ITV's audit report because they included their risks in order of magnitude:
ITV plc (KPMG) (Commended)
A very engaging read, with the use of tables, the risks are outlined in order of magnitude and discussed using simple language (FRC, 2015, p. 54).
As discussed in Section 1, the FRC's objective was to improve the usefulness of audit reports by requiring auditors to include more meaningful information in expanded audit reports (FRC, 2015). Ranking risks could improve risk communication. We examine whether auditors voluntarily rank their risks in their audit reports because ranking risks may improve their usefulness in audit reports (FRC, 2015).
4. Research questions and method
This section outlines the research questions (RQs), describes the sample and data and outlines the method for analysing the data.
4.1 Research questions
We develop three RQs from prior research (Section 3) and institutional theory (Section 2). As discussed in Section 3.1, the objective of auditor-identified client risk disclosures and audit-committee-identified risk disclosures differs. However, overlap is inevitable (FRC, 2016a). Drawing from Minutti-Meza's (2021, p. 550) argument that the same auditor-identified client risks and audit-committee-identified risks “can follow a somewhat generic process that is unlikely to reveal new information”, our first RQ is:
How do auditor-identified-client risks disclosed compare with audit-committee-identified risks disclosed?
As discussed in Section 3.2, the findings in the prior literature are mixed in terms of whether Big 4 firms use unique disclosures or whether they engage in mimetic behaviour in copying each others’ audit-report disclosures. Our second RQ addresses how individual Big 4 audit firms influence auditor-identified client risks disclosed:
How do auditor-identified-client risks vary between Big 4 audit firms?
Drawing from: (1) prior research on manager risk disclosures (Jordan et al., 2013, 2018); (2) general observations from independent audit market reviews (House of Commons, 2019; Brydon, 2019); and (3) practitioner reviews (ACCA, 2018; FRC, 2015), we analyse whether auditors rank their risks in expanded audit reports.
Do auditors rank the importance of risks in their audit reports?
4.2 Sample and data
The population comprises all financial and non-financial companies listed on the London Stock Exchange included in the FTSE-350 Index. Table 1 summarises the population and sample of 328 companies. We exclude 22 companies from the population of 350 companies for the reasons Table 1 identifies.
We include financial sector companies omitted in prior expanded-audit-report studies (Gutierrez et al., 2018; Reid et al., 2019; Smith, 2021). We hand-collect the data from 2015 annual reports for each company. Consistent with Quick et al. (2022), we choose 2015 year ends because the timing is approximately two years post implementation of expanded audit reports (FRC, 2013). We expect auditor risk assessment disclosures to be more consistent after the first year of implementation because the first year may have implementation issues (FRC, 2015). The timing also allows us to examine mimetic behaviour (Section 2) which may be more prevalent after the first year of disclosure. We collect auditor-identified client risk data (i.e. number and type of auditor-identified client risks) from expanded audit reports of each company.
4.3 Content analysis
We apply manual content analysis to auditor-identified client risks in expanded audit reports and audit-committee-identified risks in annual reports. Such deep analytical approaches, accompanied by rich description, serve to complement more statistical approaches in the prior literature. Our content analysis adheres to coding instructions for each RQ (available from the authors on request). To address RQ1, we compare the number and type of auditor-identified client risks (see illustration in Appendix 1, Example 1) with audit-committee-identified risks (see illustration in Appendix 2). We also identify whether auditors cross-reference (within their audit reports) their client risks identified to audit-committee-identified risks in annual reports (see illustration in Appendix 1, Example 1). To address RQ2, we analyse the variation in the number and type of auditor-identified client risks by each of the individual Big 4 audit firms by comparing individual Big 4 auditor-identified client risks. We also analyse the variation in auditor-identified and audit-committee-identified risks by each of the Big 4 audit firms and we compare reconciliations of the risks auditors identify to audit-committee-identified risks in their audit reports by Big 4 audit firm. Finally for RQ3, we identify whether auditors rank the importance of risks in their audit reports (see illustration in Appendix 1, Example 2).
5. Findings and discussion
We present and discuss the findings in this section by reference to our three RQs.
5.1 Auditor-identified client risks versus audit-committee-identified risks (RQ1)
Table 2 presents the number and frequency of auditor-identified client risks versus audit-committee-identified risks. Audit committees identify 1,423 risks (and auditors identify 1,161 risks) for the sample of 328 companies. Therefore, audit committees report 23% more risks and a wider range of risks than auditors. The difference is mainly attributable to the number of entity-level risks. In total, 107 audit committees report at least one entity-level risk for each company (33% of 328 companies) compared with only 42 auditors (13% of 328 companies). Similar to auditors, most audit committees (73%: 241 companies) report two, three, four or five risks. On average, audit committees report 4.33 risks (un-tabulated), which is higher than the average number of risks that auditors report (3.54 risks) (un-tabulated). Our findings are consistent with the FRC (2016a) which finds that audit committee reports tend to highlight more issues (i.e. audit-committee-identified risks) than auditors.
We find that auditor-identified client risk disclosures and audit-committee-identified risk disclosures are similar (80% similar) (Table 3 Panel A). Auditors identify the same risks as audit committees (for the same company) for 80% of auditor-identified client risks (934 auditor-identified client risks). These findings are consistent with the FRC (2015, 2016a) which finds that “in year one c.74% of the issues included in audit committee reports for all companies in our sample were also included in auditor's reports, which increased to 85% in year two” (FRC, 2016a, p. 55). We analyse the matching of auditor-identified client risks and audit-committee-identified risks by company (Table 3 Panel B). We find that auditors of 111 companies (34%) identify the exact same number and type of auditor-identified client risks as audit-committee-identified risks. We find that auditors of 96 companies (29%) identify the same type of auditor-identified client risks as audit-committee-identified risks, with audit committees identifying additional risks. Table 3 Panel C presents the types of auditor-identified client risks versus the types of audit-committee-identified risks by company. We find that auditors identify a similar number of risks as audit committees (i.e. within 10% range) for the following risk types: impairment of intangibles, impairment of other assets, financial assets and pensions. Audit committees identify 168 entity-level risks which is substantially higher than the number of entity-level risks identified by auditors (47). Audit committees identify 147 other account-level risks, which is substantially higher than other account-level risks identified by auditors (63). These two types of risks (i.e. entity-level risks and other account-level risks) primarily drive the increase in the number of risks identified by audit committees. Audit committees identify more acquisitions (33% more), taxation (11% more), other assets (34% more) and other liability (19% more) risks than auditors. Audit committees identify some risks that auditors do not identify. For example, within entity-level risks, Thomas Cook Group plc's audit committee identifies audit regulation (auditor rotation) as a significant issue. We find that most auditors (87%) cross-reference the risks they identify to audit-committee-identified risks, with most auditors reconciling their risks to both audit committees' reports and notes in annual reports (Table 3 Panel D). This indicates that cross-referencing of auditor-identified client risks and audit-committee-identified risks is high. The FRC (2016a) highlights that investors value effective cross-referencing of audit reports to relevant parts of the annual reports and financial statements.
5.1.1 Isomorphism and mimetic behaviour: auditor versus audit-committee risks
On the one hand, when we compare the number of client risks identified by auditors to the number of risks identified by audit committees, we find differences. For example, audit committees identify more risks than auditors (23% more). Audit committees identify up to 11 risks whereas auditors identify up to nine risks. Therefore, our findings suggest that auditors do not mimic audit committees for the number of risks they disclose in their expanded audit reports. On the other hand, when we compare the type of auditor-identified client risk disclosures to the type of audit-committee-identified risk disclosures we find similarities. As discussed, we find that auditor-identified client risks and audit-committee-identified risks are similar (80% similar). Arguably, such similarity may contribute to a sense of reliability for users. [2] Conversely, our findings suggest that auditor-identified client risks in expanded audit reports may demonstrate mimetic behaviour in terms of similarity with audit-committee-identified risks. While some overlap is to be expected, is there too much overlap? As discussed in Section 2, regulatory reforms can act as coercive mechanisms thereby creating homogeneity in organisational field practices and processes (Cohen et al., 2008). The FRC introduced expanded audit reports to close the information gap between users of financial statements and auditors. However, this regulatory reform may have led to coercive and mimetic isomorphism. While the UK regulations are mandatory, we position them as coercive because of the risk of litigation relating to the extra disclosures. We consider the regulations forced the Big 4 to protect themselves through falling back on boilerplate disclosures. Big 4 audit firms may feel coerced into copying their clients' risk disclosures. We suggest (similar to FRC, 2016a) that there is a danger of too much alignment between auditor-identified client risks and audit-committee-identified risks, which may undermine disclosures.
One risk which may arise from this close alignment is the repetition of information between the auditor’s report and the audit committee report – particularly where ‘significant issues’ in the audit committee report are essentially the same, and the descriptions of outcomes largely identical (FRC, 2016a, p. 55).
We acknowledge that overlap of auditor-identified client risks and audit-committee-identified risk is inevitable (FRC, 2016a) (in particular, for companies in the same industry). However, the duplication may suggest to readers that auditors copy audit-committee-identified risks or that the disclosure of auditor-identified client risks is generic.
Even if auditors commit to using ‘company-specific’ or ‘non-boilerplate’ language, the identification of KAMs and CAMs among the matters communicated to the audit committee can follow a somewhat generic process that is unlikely to reveal new information (Minutti-Meza, 2021, p. 560).
5.2 Variations by Big 4 audit firm (RQ2)
To analyse how Big 4 audit firms may influence auditor-identified client risks in expanded audit reports, we first compare the number of auditor-identified client risks disclosed by individual Big 4 audit firms. Consistent with prior studies (FRC, 2015; Sierra-García et al., 2019), we find that PwC reports on average the highest number of risks (4.15 risks) and KPMG reports on average the lowest number of risks (2.81 risks) (Table 4). Therefore, there is only a slight variation in the number of auditor-identified client risks disclose by each individual audit firm.
Next, we compare the type of auditor-identified client risk disclosures by individual Big 4 audit firms. We find that individual Big 4 audit firms identify similar risks (Table 5). We also find that the alignment of the type of auditor-identified client risks and audit-committee-identified risks varies only slightly by individual Big 4 audit firms (Table 6). Finally, we find that the propensity to include a reconciliation of the client risks auditors identify to audit-committee-identified risks in their audit reports is similar by individual Big 4 audit firms (un-tabulated).
5.2.1 Isomorphism and mimetic behaviour: Big 4 audit firm disclosure
On the one hand, when we compare the number of risks identified by individual Big 4 audit firms, we find only a slight variation suggesting that individual Big 4 audit firms may mimic each other when disclosing the number of auditor-identified client risks. On the other hand, when we analyse the type of risks identified by individual Big 4 audit firms, we find very little variation. Individual Big 4 audit firms identify similar risks (Table 5) and they also identify similar proportions of each type of risk compared to the total risks identified by each Big 4 audit firm. For example, PwC identify impairment of other assets for 11% of their total risks, Deloitte identify impairment of other assets for 14% of their total risks and KPMG and EY both identify impairment of other assets for 12% of their total risks. Our findings in Table 6 Panel A and Panel B (similarity of type of auditor-identified and audit-committee-identified risks by Big 4 audit firm) and reconciliations by individual Big 4 audit firms (Table 6 Panel C) reinforce our findings which indicate that auditor and audit-committee risk disclosures are similar. As discussed in Section 2, individual Big 4 audit firms may copy what might be seen as acceptable practices of respected or bellwether organisations. Our findings show that individual Big 4 auditor-identified client risks in expanded audit reports are very similar (Table 5) which indicates mimetic behaviour. We acknowledge that it is reasonable that individual Big 4 auditor-identified client risks may be similar risks (in particular, for companies in the same industry). Subsequent to our study, in 2016, the FRC (2016c) introduced guidance for audit committees. Paragraph 79 of this guidance requires audit committees to review auditor changes in perceived audit risks and the work undertaken by the external auditors to address those risks. Such conversations are likely to lead to greater similarity between auditor and audit-committee risk disclosures.
5.3 Ranking of auditor-identified client risks (RQ3)
To address whether auditors rank the importance of their risks, we analyse a sub-sample of 310 companies disclosing more than one auditor-identified client risk. FRC (2020) suggests an order-of-presentation choice of relative importance or the manner in which matters are disclosed in the financial statements. We find that few auditors rank the importance of risks disclosed in their audit reports (3%: ten companies) (un-tabulated). These ten company auditors report between two and eight risks. We find that most of the ten auditors report their auditor-identified client risks in an order-of-importance format (see Illustrative extract 1 – Intertek's auditors disclosed four risks [we only show the first disclosure in Illustrative extract 1]).
Illustrative extract 1: Auditors rank the importance of their risks
In arriving at our audit opinion above on the financial statements the risks of material misstatement that had the greatest effect on our audit, in decreasing order of audit significance, were as follows:
Impairment of goodwill £481.4m (2014: £nil), etc.
(Intertek Group plc annual report 2015, p. 138).
Most auditors (97%) list their risks (Appendix 1, Example 1) but do not rank the risks in order of importance. Two company auditors (Rolls-Royce Holdings plc and Computacenter plc) include a risk map which maps the risks auditors identify in a quadrant depending on the likelihood of occurrence and the magnitude of potential impact (Appendix1, Example 2 Rolls-Royce Holdings plc). Our findings are similar to manager risk reporting studies which conclude that manager risk reporting is too generic (i.e. too general to be useful) (Linsley and Shrives, 2005; Woods and Marginson, 2004). We suggest that auditors should rank their risks in expanded audit reports to improve the usefulness of audit reports (FRC, 2015) (Section 3.3).
5.3.1 Additional analysis of auditor risk assessments for companies with 2020 year-ends
As ranking of auditor-identified client risks was not recommended (as a matter of professional judgement) until 2016 (FRC, 2016b) (after the period of our research), to assess whether the picture has changed substantially five years on from 2015, we examine whether auditors rank their auditor-identified client risks for a representative sample of 25 companies with 2020 year-ends. The 25 companies range in size and industry, and all have Big 4 auditors. For comparative purposes, we select companies audited by the same audit firm in 2015 and 2020. We find that most auditors (88%) continue to list rather than rank their auditor-identified client risks. We find that the three out of 25 auditors (12%) ranking their auditor-identified client risks report them in an order-of-importance format.
6. Conclusion
Our research set out to examine auditor risk assessment (KAMs/CAMs) disclosures. We compare auditor-identified client risk disclosures and audit-committee-identified risk disclosures. We also compare auditor-identified client risk disclosures between the four Big 4 audit firms. We assess whether auditors rank auditor-identified client risks. Our findings provide new insights into how auditors disclose their auditor-identified client risks in expanded audit reports. We identify two possible influences on disclosure of auditor-identified client risks: (1) influence of audit-committee risk disclosures; and (2) influence of individual Big 4 audit firms. This finding is important because too much disclosure alignment between client and auditor may undermine disclosure. We also find that few auditors rank their identified risks in their expanded audit reports. Without such ranking, the disclosure of auditor-identified client risks in expanded audit reports becomes less meaningful and the regulator's objective of improving the usefulness of expanded audit reports may not be met (FRC, 2015).
Under political pressure following the banking crisis, the FRC was the first standard-setting body to require auditor risk assessment disclosures. As such, the FRC did not have evidence to justify its new proposals. Following institutional theory, we wonder did the FRC consider the interaction between the UK Corporate Governance Code (FRC, 2018) requirements for audit committees to disclose risks when requiring auditors to disclose client audit risks. Did the FRC inadvertently coerce auditors to follow audit committee disclosures? Following institutional theory, we question whether auditors copy audit commitee and each others' disclosures to protect themselves. Paragraph 17.5.7 of the UK Brydon Report (Brydon, 2019) considers an increase in “freer form” audit reports is likely to lead to informing users’ better and less likelihood that auditors will retreat behind a new form of boilerplate reporting. Power (2003) argues that the front stage of auditing projects a neat, standardised, clean, clinical impression. Backstage is messy. Boilerplate strips away context, the messiness of auditing. Auditors have no option but to portray auditing in this manner, which is facilitated by boilerplate disclosures.
We suggest that regulators require auditors to distinguish between their audit focus and the audit-committee's focus when they disclose their auditor-identified client risks in expanded audit reports. We find that auditors may mimic audit-committee-identified risk disclosures or each other (individual Big 4 audit firm). We urge regulators to exercise caution and consider these influences (audit-committee-identified risks and Big 4 audit firm) on auditor risk disclosures in expanded audit reports. Furthermore, we recommend that auditing standard setters (FRC, IAASB, PCAOB) require auditors to rank the importance of auditor-identified client risks in their audit reports so users of financial statements can understand the level of importance of each risk. This would, in turn, help meet the regulator's objective of improving usefulness to users by requiring auditors to include more meaningful information in their expanded audit reports (FRC, 2015).
We believe the regulatory quest for transparency is bound to fail. Regulations try to make a practice that is inherently messy appear neat and tidy (Power, 2003). It is not possible to discuss risks in a meaningful way. Therefore, not much extra is learned from audit committee versus expanded audit report risk disclosures. While regulators try and make audit more transparent, audit firms consider their own risks, and client disclosures, and perform a display/performativity of transparency by doing similar to what others (their clients and other Big 4 firms) are doing. “Auditors' judgment” (FRC, 2020, p. 15–16) does not come through in the disclosures.
We recognise some limitations in our study. First, we acknowledge that our results cannot be generalised because the sample is restricted to one year, one jurisdiction, large-listed companies and companies audited by Big 4 auditors. As the UK was one of the first jurisdictions to introduce disclosure of audit risks and the UK Corporate Governance Code (FRC, 2012, 2018) is unique in requiring audit committees to disclose significant issues arising in relation to financial statements, our findings may reflect and be limited to this regulatory context. To assess whether the picture has changed substantially five years on from 2015, we examine KAM guidance in 2020 and find that the guidance in the updated auditing standard (FRC, 2020) for disclosure of KAMs in expanded audit reports is similar to the guidance outlined in our introduction (FRC, 2013). We also assess whether auditors rank their auditor-identified client risks for a representative sample of companies with 2020 year-ends and our findings indicate that the picture has not changed substantially. We believe our findings are as applicable in 2020 as in 2015 when we hand-collected the data. Second, we acknowledge that content analysis may expose researchers to judgement and bias. We attempt to overcome this limitation by following a systematic coding approach.
In light of our results, we offer some suggestions for future research. Researchers could extend our analysis and examine how non-Big 4 auditors disclose their auditor-identified client risks. Researchers could compare Big 4 auditor disclosures and non-Big 4 auditor disclosures to provide more insight. Future researchers could interview auditors to explore: (1) the overlap of auditor-identified client risks and audit-committee-identified risks, and (2) the similarity of auditor-identified client risks amongst Big 4 audit firms. Moreover, future research could perform a longitudinal analysis to identify whether auditor-identified client risk disclosures change over time. Despite the limitations, the richness of data in this study allows deep insight into how auditors disclose their auditor-identified client risks in expanded audit reports. We provide important insights for standard-setters, auditors and users of financial statements by identifying influences on the disclosure of auditor-identified client risks which may undermine disclosure and indirectly influence audit quality.
Figures
Population and sample size
| No. of companies | |
|---|---|
| Population: FTSE-350 companies | 350 |
| Companies audited by non-Big 4 auditorsNote1 | (9) |
| Companies audited by non-UK auditors not applying ISA (UK and Ireland) | (10) |
| Companies listed for the first time in November 2015 | (3) |
| Overall sample of companies | 328 |
Note(s):
Note 1: We exclude non-Big 4 auditors because they may not have the same characteristics as Big 4 audit firms (e.g. size and structure) and they are a small proportion of the population (3%)
Number of auditor-identified client risks versus audit-committee-identified risks
| Panel A: Number of auditor-identified client risks versus audit-committee-identified | ||||
|---|---|---|---|---|
| Auditor-identified client risks | Audit-committee-identified risks | |||
| No. of companies | No. of risks | No. of companies | No. of risks | |
| Number of entity-level risks | 42 | 47 | 107 | 168 |
| Number of account-level risks | 328 | 1,114 | 328 | 1,255 |
| Total | 1,161 | 1,423 | ||
| Panel B: Frequency of auditor-identified versus audit-committee-identified risks | |||||
|---|---|---|---|---|---|
| Frequency of risks | No. of auditor-identified client risks per company | No. of auditor-identified client risks | No. of audit-committee-identified risks per company | No. of audit-committee-identified risks | Note 1% difference |
| One risk | 18 | 18 | 11 | 11 | −39% |
| Two risks | 75 | 150 | 46 | 92 | −39% |
| Three risks | 77 | 231 | 54 | 162 | −30% |
| Four risks | 78 | 312 | 91 | 364 | 17% |
| Five risks | 46 | 230 | 50 | 250 | 9% |
| Six risks | 23 | 138 | 29 | 174 | 26% |
| Seven risks | 7 | 49 | 24 | 168 | 243% |
| Eight risks | 3 | 24 | 12 | 96 | 300% |
| Nine risks | 1 | 9 | 6 | 54 | 500% |
| Ten risks | 0 | 0 | 3 | 30 | Note 2n/a |
| 11 risks | 0 | 0 | 2 | 22 | n/a |
| 328 | 1,161 | 328 | 1,423 | 23% | |
Note(s):
Note 1: % difference is the percentage difference between the no. of audit-committee-identified risks and the no. of auditor-identified client risks (e.g. 11 audit-committee-identified risks versus 18 auditor-identified client risks = −39%)
Note 2: Auditors do not identify ten or 11 risks therefore there is no percentage difference
Type of auditor-identified client risks versus audit-committee-identified risks
| Panel A: Auditor-identified client risks match/do not match audit-committee-identified risks (for same company) | ||
|---|---|---|
| No. of auditor-identified client risks | % of auditor-identified client risks | |
| Auditor-identified client risks match audit-committee-identified risks | 934 | 80% |
| Auditor-identified client risks do not match audit-committee-identified risks | 227 | 20% |
| Total number of auditor-identified client risks | 1,161 | 100% |
| Panel B: Analysis of matching by company | ||
|---|---|---|
| No. of companies | % of companies | |
| Auditor-identified client risks match audit-committee-identified risks | 111 | 34% |
| Auditor-identified client risks match audit-committee-identified risks and auditor identifies additional risks | 14 | 4% |
| Auditor-identified client risks match audit-committee-identified risks and audit committee identifies additional risks | 96 | 29% |
| Auditor-identified client risks do not match audit-committee-identified risks | 5 | 2% |
| Some auditor-identified client risks match audit-committee-identified risks and vice versa Note 1 | 102 | 31% |
| Overall sample of companies | 328 | 100% |
| Panel C: Type of auditor-identified client risks versus audit-committee-identified risks | |||||
|---|---|---|---|---|---|
| Auditor-identified client risks | Audit-committee-identified risks | Note 2% difference | |||
| ➊ Entity-level risksNote 3 | 47 | 168 | 257% | ||
| ➋ Account-level risks | |||||
| ① Revenue | 202 | 163 | −19% | ||
| ② Asset | |||||
| Ⓐ Impairment of intangibles | 143 | 141 | −1% | ||
| Ⓑ Impairment of other assets | 140 | 129 | −8% | ||
| Ⓒ Acquisitions | 85 | 114 | 34% | ||
| Ⓓ Financial assets | 82 | 84 | 2% | ||
| Ⓔ Other assets | 80 | 105 | 31% | ||
| Total asset risks | 530 | 573 | 8% | ||
| ③ Liability/expense | |||||
| Ⓕ Taxation | 113 | 126 | 11% | ||
| Ⓖ Pensions | 63 | 76 | 2% | ||
| Ⓗ Other liabilities | 143 | 170 | 19% | ||
| Total liability/expense risks | 319 | 372 | 17% | ||
| ④ Other account-level risks | |||||
| Ⓘ Disclosure | 2 | 13 | 85% | ||
| Ⓙ Exceptional item | 37 | 61 | 39% | ||
| Ⓚ Other | 24 | 73 | 70% | ||
| Total other account-level risks | 63 | 147 | 133% | ||
| Total sample of risks/% difference | 1,161 | 1,423 | 23% | ||
| Panel D: Auditors' referencing of their risks to risks in audit committee report or notes in annual report | ||
|---|---|---|
| No. of companies | % of companies | |
| Auditor cross-references risks to audit committee report and notesNote 4 | 279 | 85% |
| Auditor cross-references risks to audit committee report only | 7 | 2% |
| Auditor cross-references risks to notes Note 4 only | 36 | 11% |
| Auditor does not cross-reference risks to audit committee report or notes Note 4 | 6 | 2% |
Key:
➊➋: Categories of auditor-identified client risks
①②③④: Sub-categories of auditor-identified client risks
ⒶⒷⒸⒹⒺⒻⒼⒽⒾⒿⓀ: Sub-sets of account-level risks
Note(s): Note 1: Example: The auditor identifies four risks, and the audit committee identifies four risks. Two of the four audit-committee-identified risks match the auditor-identified client risks
Note 2: % difference is the increase or decrease of each type of audit-committee-identified risk versus auditor-identified client risks
Note 3: We do not analyse entity-level risks by sub-category because of the small number of entity-level risks (47 of 1,161 auditor-identified client risks) (4%)
Note 4: Notes = notes in the financial statements
Number of auditor-identified client risks by Big 4 audit firm
| Audit firm | No. of companies | Audit firm % sample of companies | Average no. of risks identified by audit firm |
|---|---|---|---|
| PwC | 100 | 30% | 4.15 |
| Deloitte | 85 | 26% | 3.68 |
| KPMG | 90 | 28% | 2.81 |
| EY | 53 | 16% | 3.40 |
| Total | 328 | 100% | 3.54 |
Types of auditor-identified client risks by Big 4 audit firm
| Type of auditor-identified client risk | PwC No. and % Note 1 | Deloitte No. and % | KPMG No. and % | EY No. and % | No. of risks | ||||
|---|---|---|---|---|---|---|---|---|---|
| ➊ Entity-level risks | 22 | 5% | 8 | 3% | 7 | 3% | 10 | 5% | 47 |
| ➋ Account-level risks | |||||||||
| ① Revenue | 55 | 13% | 66 | 20% | 38 | 15% | 43 | 23% | 202 |
| ② Asset | |||||||||
| Ⓐ Impairment of intangibles | 51 | 12% | 37 | 12% | 39 | 15% | 16 | 9% | 143 |
| Ⓑ Impairment of other assets | 43 | 11% | 46 | 14% | 30 | 12% | 21 | 12% | 140 |
| Ⓒ Acquisitions | 29 | 7% | 29 | 9% | 13 | 5% | 14 | 8% | 85 |
| Ⓓ Financial assets | 26 | 6% | 20 | 6% | 18 | 7% | 18 | 10% | 82 |
| Ⓔ Other assets | 21 | 8% | 26 | 8% | 21 | 8% | 12 | 7% | 80 |
| Total asset risks | 170 | 158 | 121 | 81 | 530 | ||||
| ③ Liability/expense | |||||||||
| Ⓕ Taxation | 48 | 12% | 18 | 6% | 38 | 15% | 9 | 5% | 113 |
| Ⓖ Pensions | 30 | 7% | 16 | 5% | 8 | 3% | 9 | 5% | 63 |
| Ⓗ Other liabilities | 55 | 13% | 37 | 12% | 30 | 12% | 21 | 12% | 143 |
| Total liability risk | 133 | 71 | 76 | 39 | 319 | ||||
| ④ Other account-level risks | 28 | 6% | 16 | 5% | 10 | 5% | 9 | 4% | 63 |
| Total auditor-identified client risks | 408 | 100% | 319 | 100% | 252 | 100% | 182 | 100% | 1,161 |
Note(s):
➊➋: Categories of auditor-identified client risks
①②③④: Sub-categories of auditor-identified client risks
ⒶⒷⒸⒹⒺⒻⒼⒽ: Sub-sets of account-level risks
Note 1: %: The percentage weighting is the number of risk types (e.g. revenue) identified by a Big 4 audit firm divided by the total number of risks identified by the same Big 4 audit firm *100 (e.g. 55 revenue risks represent 13% of the total auditor-identified client risks: 408 risks)
Auditor-identified client risks versus audit-committee-identified risks by Big 4 audit firm
| Panel A: Auditor-identified client risks match/do not match audit-committee-identified risks (for same company) (by Big 4 audit firm) | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Deloitte No. and % | EY No. and % | KPMG No. and % | PwC No. and % | Total | ||||||
| Auditor-identified client risks match audit-committee-identified risks | 259 | 81% | 127 | 70% | 225 | 89% | 323 | 79% | 934 | 80% |
| Auditor-identified client risks do not match audit-committee-identified risks | 60 | 19% | 55 | 30% | 27 | 11% | 85 | 21% | 227 | 20% |
| Total number of auditor-identified client risks | 319 | 100% | 182 | 100% | 252 | 100% | 408 | 100% | 1,161 | 100% |
| Panel B: Analysis of matching by company | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Auditor-identified client risks match audit-committee-identified risks | 29 | 34% | 12 | 23% | 42 | 47% | 28 | 28% | 111 | 34% |
| Auditor-identified client risks match audit-committee-identified risks and auditor identifies additional risks | 4 | 5% | 5 | 9% | 1 | 1% | 4 | 4% | 14 | 4% |
| Auditor-identified client risks match audit-committee-identified risks and audit committee identifies additional risks | 26 | 31% | 11 | 21% | 34 | 38% | 25 | 25% | 96 | 29% |
| Auditor-identified client risks do not match audit-committee-identified risks | 2 | 2% | 1 | 2% | 1 | 1% | 2 | 2% | 5 | 2% |
| Some auditor-identified client risks match audit-committee-identified risks and vice versa Note1 | 24 | 28% | 24 | 45% | 12 | 13% | 41 | 41% | 102 | 31% |
| Overall sample of companies | 85 | 100% | 53 | 100% | 90 | 100% | 100 | 100% | 328 | 100% |
Note(s):
Note 1: Example: The auditor identifies four risks, and the audit committee identifies four risks. Two of the four audit-committee-identified risks match the auditor-identified client risks
Note 2: Notes = notes in the financial statements
Notes
The acronym COVID-19 stands for Corona Virus Disease-2019. Following an outbreak in Wuhan China in December 2019, COVID-19 led to the first worldwide pandemic in over 100 years.
We thank one of the reviewers for suggesting this point.
References
Abraham, S. and Shrives, P.J. (2014), “Improving the relevance of risk factor disclosure in corporate annual reports”, The British Accounting Review, Vol. 46 No. 1, pp. 91-107.
Association of Chartered Certified Accountants (ACCA) (2018), “Key audit matters: unlocking the secrets of the audit”, available at: https://www.accaglobal.com/vn/en/professional-insights/global-profession/key-audit-matters.html (accessed 13 July 2022).
Bédard, J., Gonthier-Besacier, N. and Schatt, A. (2019), “Consequences of expanded audit reports: evidence from the justifications of assessments in France”, Auditing: A Journal of Practice and Theory, Vol. 38 No. 3, pp. 23-45.
Bepari, M.K., Mollik, A.T., Nahar, S. and Islam, M.N. (2022), “Determinants of accounts level and entity level key audit matters: further evidence”, Accounting in Europe, Vol. 19 No. 3, pp. 397-422.
Brivot, M., Himick, D. and Martinez, D. (2017), “Constructing, contesting, and overloading: a study of risk management framing”, European Accounting Review, Vol. 26 No. 2, pp. 703-728.
Brydon, D. (2019), Assess, assure and inform: improving audit quality and effectiveness: report of the independent review into the quality and effectiveness of audit. London.
Burke, J., Hoitash, R., Hoitash, U. and Xiao, S.X. (2022 in press), “The disclosure and consequences of US critical audit matters”, The Accounting Review.
Cohen, J.R., Krishnamoorthy, G. and Wright, A.M. (2008), “Form versus substance: the implications for auditing practice and research of alternative perspectives on corporate governance”, Auditing: A Journal of Practice and Theory, Vol. 27 No. 2, pp. 181-198.
Dillard, J.F., Rigsby, J.T. and Goodman, C. (2004), “The making and remaking of organization context”, Accounting, Auditing and Accountability Journal, Vol. 17 No. 4, pp. 506-542.
DiMaggio, P. and Powell, W. (1983), “The iron cage revisited: institutional isomorphism and collective rationality in organizational fields”, American Sociological Review, Vol. 48 No. 2, pp. 147-160.
Dunne, N.J., Brennan, N.M. and Kirwan, C.E. (2021), “Impression management and Big Four auditors: scrutiny at a public inquiry”, Accounting, Organizations and Society, Vol. 88, 101170.
Elshandidy, T. and Shrives, P.J. (2016), “Environmental incentives for and usefulness of textual risk reporting: evidence from Germany”, The International Journal of Accounting, Vol. 51 No. 4, pp. 464-486.
Financial Reporting Council (FRC) (2012), The UK Corporate Governance Code, Financial Reporting Council, London.
Financial Reporting Council (FRC) (2013), The Independent Auditor’s Report on Financial Statements. International Standard on Auditing (UK and Ireland) 700, Financial Reporting Council, London.
Financial Reporting Council (FRC) (2015), Extended Auditor's Reports. A Review of Experience in the First Year, Financial Reporting Council, London.
Financial Reporting Council (FRC) (2016a), Extended Auditor's Reports: A Further Review of Experience, Financial Reporting Council, London.
Financial Reporting Council (FRC) (2016b), Communicating Key Audit Matters in the Independent Auditor's Report, International Standard on Auditing (UK) 701, Financial Reporting Council, London.
Financial Reporting Council (FRC) (2016c), Guidance on Audit Committees, Financial Reporting Council, London.
Financial Reporting Council (FRC) (2018), The UK Corporate Governance Code, Financial Reporting Council, London.
Financial Reporting Council (FRC) (2020), Communicating Key Audit Matters in the Independent Auditor's Report, International Standard on Auditing (UK) 701, Financial Reporting Council, London.
Gray, G.L., Turner, J.L., Coram, P.J. and Mock, T.J. (2011), “Perceptions and misperceptions regarding the unqualified auditor's report by financial statement preparers, users, and auditors”, Accounting Horizons, Vol. 25 No. 4, pp. 659-684.
Gutierrez, E., Minutti-Mezza, M., Tatum, K.W. and Vulcheva, M. (2018), “Consequences of adopting an expanded auditor's report in the United Kingdom”, Review of Accounting Studies, Vol. 23 No. 4, pp. 1543-1587.
Honkamäki, T., Mättö, M. and Teittinen, H. (2022), “The homogeneity of BIG4 audit reports after the implementation of key audit matters in the context of fair value accounting”, International Journal of Auditing, Vol. 26 No. 3, pp. 354-370.
Hosseinniakani, M., Overland, C. and Samani, N. (2022), “Do key audit matters matter? The correspondence between auditor and management disclosures, and the role of audit committees”, available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3903173 (accessed 13 July 2022).
House of Commons (2019), “The future of audit. Nineteenth report of session 2017-19”, (March), available at: https://publications.parliament.uk/pa/cm201719/cmselect/cmbeis/1718/1718.pdf
International Auditing and Assurance Standards Board (IAASB) (2015), International Standard on Auditing (ISA) 701, Communicating Key Audit Matters in the Independent Auditor's Report, International Federation of Accountants, New York.
Jordan, S., Jørgensen, L. and Mitterhofer, H. (2013), “Performing risk and the project: risk maps as mediating instruments”, Management Accounting Research, Vol. 24 No. 2, pp. 156-174.
Jordan, S., Mitterhofer, H. and Jørgensen, L. (2018), “The interdiscursive appeal of risk matrices: collective symbols, flexibility normalism and the interplay of ‘risk’ and ‘uncertainty’”, Accounting, Organizations and Society, Vol. 67, pp. 34-55.
Kend, M. and Nguyen, L.A. (2020), “Investigating recent audit reform in the Australian context: an analysis of the KAM disclosures in audit reports 2017-2018”, International Journal of Auditing, Vol. 24 No. 3, pp. 412-430.
Kend, M. and Nguyen, L.A. (2022a), “Key audit risks and audit procedures during the initial year of the COVID-19 pandemic: an analysis of audit reports 2019-2020”, Managerial Auditing Journal, Vol. 37 No. 7, pp. 798-818.
Kend, M. and Nguyen, L.A. (2022b in press), “Translating audit materiality in disclosure: competing logics and different outcomes in Australia and New Zealand”, Critical Perspectives on Accounting, 102502.
Kitiwong, W. and Sarapaivanich, N. (2020), “Consequences of the implementation of expanded audit reports with key audit matters (KAMs) on audit quality”, Managerial Auditing Journal, Vol. 35 No. 8, pp. 1095-1119.
Lennox, C.S., Schmidt, J.J. and Thompson, A.M. (2022 in press), “Why are expanded audit reports not informative to investors? Evidence from the United Kingdom”, Review of Accounting Studies.
Liao, L., Minutti-Meza, M., Zhang, Y. and Zou, Y. (2022), “Consequences of the adoption of the expanded auditor's report: evidence from Hong Kong”, available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3392449 (accessed 13 July 2022).
Linsley, P.M. and Shrives, P.J. (2005), “Examining risk reporting in UK public companies”, The Journal of Risk Finance, Vol. 6 No. 4, pp. 292-305.
Minutti-Meza, M. (2021), “The art of conversation: the expanded audit report”, Accounting and Business Research, Vol. 51 No. 5, pp. 548-581.
Nguyen, L.A. and Kend, M. (2021), “The perceived impact of the KAM reforms on audit reports, audit quality and auditor work practices: stakeholders' perspectives”, Managerial Auditing Journal, Vol. 36 No. 3, pp. 437-462.
Pelzer, J.R.E. (2021), “Processing change: a qualitative study examining the frontstage and backstage of audit firms contemplating the implementation of critical audit matters”, International Journal of Auditing, Vol. 25 No. 3, pp. 769-796.
Pinto, I. and Morais, A.I. (2019), “What matters in disclosures of key audit matters: evidence from Europe”, Journal of International Financial Management and Accounting, Vol. 30 No. 2, pp. 145-162.
Power, M.K. (2003), “Auditing and the production of legitimacy”, Accounting, Organizations and Society, Vol. 28 No. 4, pp. 379-394.
Pratoomsuwan, T. and Yolrabil, O. (2020), “Key audit matter and auditor liability: evidence from auditor evaluators in Thailand”, Journal of Applied Accounting Research, Vol. 21 No. 4, pp. 741-762.
Public Company Accounting Oversight Board (PCAOB) (2017), The Auditor’s Report on an Audit of Financial Statements when the Auditor Expresses an Unqualified Opinion; and Related Amendments to PCAOB Standards, PCAOB, Washington, DC.
Quick, R., Zaman, M. and Mandalawattha, G. (2022 in press), “Auditors' application of materiality: insight from the UK”, Accounting Forum.
Rahaman, M.M., Hossain, M.M. and Bhuiyan, M.B.U. (2022 in press), “Disclosure of key audit matters (KAMs) in financial reporting: evidence from an emerging economy”, Journal of Accounting in Emerging Economies.
Reid, L.C., Carcello, J.V., Li, C. and Neal, T.L. (2019), “Impact of auditor report changes on financial reporting quality and audit costs: evidence from the United Kingdom”, Contemporary Accounting Research, Vol. 36 No. 3, pp. 1501-1539.
Rousseau, L.M. and Zehms, K.M. (2022), “It's a matter of style: the role of audit firms and audit partners in key audit matter reporting”, available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3625651 (accessed 13 July 2022).
Sierra-García, L., Gambetta, N., García-Benau, M.A. and Orta-Perez, M. (2019), “Understanding the determinants of the magnitude of entity-level risk and account-level risk key audit matters: the case of the United Kingdom”, The British Accounting Review, Vol. 51 No. 3, pp. 227-240.
Smith, K.W. (2021), “Tell Me More: a content analysis of expanded auditor reporting in the United Kingdom”, available at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2821399 (accessed 13 July 2022).
Suttipun, M. (2021), “Impact of key audit matters (KAMs) reporting on audit quality: evidence from Thailand”, Journal of Applied Accounting Research, Vol. 22 No. 5, pp. 869-882.
Trussel, J.M. and Patrick, P.A. (2018), “Assessing and ranking the financial risk of municipal governments: the case of Pennsylvania”, Journal of Applied Accounting Research, Vol. 19 No. 1, pp. 81-101.
Velte, P. (2019), “Associations between the financial and industry expertise of audit committee members and key audit matters within related audit reports”, Journal of Applied Accounting Research, Vol. 21 No. 1, pp. 185-200.
Woods, M. and Marginson, D.E.W. (2004), “Accounting for derivatives: an evaluation of reporting practices by UK banks”, European Accounting Review, Vol. 13 No. 2, pp. 373-391.
Zhang, P.F. and Shailer, G. (2021), “Changes in audit effort and changes in auditors' disclosures of risks of material misstatement”, The British Accounting Review, Vol. 53 No. 3, 100970.
Acknowledgements
The authors appreciate comments from participants at the 34th Annual Irish Accounting & Finance Conference 2022 and the European Accounting Association Congress 2022. The authors gratefully acknowledge helpful comments from the Editor, the Associate Editor and the two anonymous reviewers.