EY were given sanctions as follows:
- a financial penalty of £3,500,000 (discounted to £2,205,000);
- a severe reprimand;
- a declaration that the audit report did not satisfy the audit reporting requirements; and
- a non-financial sanction requiring EY to report to the FRC for one year in respect of audit work performed in relation to onerous contract provisions.
Further sanctions were applied to the key audit partner.
What went wrong?
The 2017 reporting period was EY’s first as Stagecoach’s statutory auditor. The failings relate to three specific audit areas, all of which were material and had been identified as significant risks requiring a heightened audit response:
(1) defined benefit pension scheme obligations;
(2) provisions for insurance claims relating to accidents; and
(3) an onerous contract provision relating to the East Coast Mainline railway franchise.
The main failings were as follows:
- Poor use of experts
The most serious identified deficiencies in EY’s audit work were due to insufficient evaluation and challenge of the work of management’s and EY’s respective experts, and a lack of proper challenge of management about material assumptions about Stagecoach’s defined benefit pension schemes.
Stagecoach’s management engaged an external actuarial firm in respect of pensions, split into two teams. EY engaged their in-house pension actuarial specialists as auditors’ experts. EY failed to evaluate how management had made the pensions estimates and the audit file did not document the assessment of the work of one of the external actuarial teams. In addition, there were no substantive procedures in relation to assumptions input into the models. The fact that Stagecoach had used a management expert in making the accounting estimates is no substitute for undertaking adequate audit work.
The auditors failed to evaluate the adequacy of their own expert’s work on pensions and assess its consistency with other audit evidence. This included the challenge of assumptions used and a lack of consideration of potential management bias. In short, there was a lack of professional scepticism applied.
The auditor’s expert identified significant deficiencies in the methodologies used by management / their experts in order to derive assumptions for the pension schemes. These had the potential to result in a material misstatement in future accounting periods these findings and should have been reported to the Audit Committee.
A large percentage of the valuation of the insurance provision was provided to management by a third party (another management’s expert) with the remainder of the valuation compromising ‘volatility adjustments’ and ‘judgemental overlays’. Although EY engaged their own team of experts to assess management’s expert in this area, the audit team failed to:
- document whether management’s expert had sufficient competency; and
- identify that there was a familiarity threat arising from the length of service (13 years) that the expert had been engaged.
The FRC also found that the audit team had not appropriately considered significant risks and controls for certain aspects of both the pension scheme obligations and insurance claim provisions.
- Evidence and audit testing
Testing of source data
The FRC concluded that EY’s audit plan did not appropriately address whether the necessary audit confidence over whether pension schemes source data was complete and valid. It was noted that there was no attempt to design procedures to deal with the fact that source data was not maintained by Stagecoach for certain material pension schemes or to consider the possibility of a limitation of audit scope. The audit partner only became aware of these significant breaches through the FRC’s review.
The FRC found no evidence that provisions for insurance claims were tested to ensure the completeness of data included in relevant databases. Only a selection of ‘Large claims’ were examined and thus EY failed to test a representative sample. In short, EY failed to obtain sufficient appropriate audit evidence and to apply sufficient professional scepticism in their conduct of the audit although it is not alleged that the financial statements are materially misstated.
Audit evidence relating to the onerous contract
The FRC found that EY failed to obtain sufficient appropriate audit evidence to support assertions that a new management contract would be forthcoming by the Secretary of State and there was no review / evaluation of evidence regarding potential claims. These areas showcased a lack of professional scepticism to management’s assertions and lack of any third-party validation.
The FRC noted that the content and extent of the audit documentation was of low quality for these three specific areas of the audit. The documentation did not record the full extent of the procedures and judgements made.
Claudia Mortimore, Deputy Executive Counsel to the FRC commented that:
“The audit failings in this case were extensive and related to a number of fundamental auditing standards including the requirement to obtain sufficient appropriate audit evidence, adequately evaluate expert evidence, apply sufficient professional scepticism and challenge management, and prepare proper audit documentation. The sanctions imposed reflect the seriousness of the breaches and are intended to improve the quality of future audits.”
Implications for other auditors
The case highlights how, in a first-year audit, areas of judgement and challenge and sufficient documentation of key issues are often missed as auditors get to grips with accepting a new client and understanding them and their environment.
It’s not unusual to see a lack of professional scepticism applied to balances where a management expert has been involved in determining the figures. Care must be taken to ensure that sufficient appropriate audit evidence is obtained in these cases, in particular consideration of completeness of source data is often overlooked. Scepticism must also be applied where auditor’s experts are used, and if issues are found then they must be appropriately followed up by the audit team.
Where significant risks are identified, it is often the case that firms do not consider the design and implementation of controls relevant to the significant risk. This must be considered and documented.
At the heart of many of the points above is a lack of professional scepticism – a common finding in Mercia’s own experience of reviewing audit files. This is a clear area that regulators focus on, and audit firms must ensure that their audit files demonstrate rigorous application of scepticism.
If you are interested in Mercia providing audit quality reviews for your firm in order to help identify weaknesses, then please contact us for further details.
The Final Decision Notice is available here.