Changes to the Audit Regulations

Changes to the Eligibility Requirements

When do the changes below take effect?

While the revised Audit Regulations are effective from 1 October 2024, given the potential impact on firm eligibility, the FRC has agreed that changes discussed here will be subject to a six-month transition period with the new eligibility requirements coming in to effect from 1 April 2025.

Summary of change

This is a change to the eligibility requirements to make it clear that where a firm’s constitution, however comprised, includes certain decisions that need more than a simple majority-vote for approval, that audit-qualified persons must be able to control any such ‘super-majorities’. Firms will have until 1 April 2025 to comply.

The eligibility change explained in more detail

Audit firms will be aware that the previous Audit Regulation 2.03 required individuals who have an appropriate qualification (which in practice equates to the Audit Qualification in the majority of cases), and Registered Auditors (e.g. another registered audit firm) to hold:

2.03b - at least a majority of the voting rights (or hold such rights under the firm’s constitution) as enable them to direct its overall policy or alter its constitution;
2.03c - at least a majority of the voting rights in the management board (or hold such rights under the firm’s constitution) as enable them to direct its overall policy or alter its constitution.

While the above elements of the regulations have not changed, the most recent revisions to the supporting guidance notes and definitions used in the Regulations have brought renewed focus on what constitutes authority/control, and in particular seeks to address situations where a firm’s constitution requires a ‘supermajority’ for some decision making. The updates included:

clarifications to the guidance given on what constitutes a ‘majority’, to more clearly reflect that the ‘majority’ of rights required to be held by individuals with the Audit Qualification will be whatever ‘majority’/’supermajority’ a firm’s constitution requires to amend the firm’s overall policy / allow alterations to the constitution; and
clarifications to the guidance given on ‘voting rights’ to more clearly apply to all matters that direct the firm’s overall policy / allow alterations to the constitution.

What is a ‘majority’?

A new definition of ‘majority’ has been added to the Regulations:

“In the context of regulation 2.03 ’majority' of the voting rights means more than 50% unless the firm's constitution specifies a higher percentage of these rights is required for decision making, in which case, ’majority’ shall be taken to mean that specified percentage or more.”

This clarifies that where a supermajority is required to affect changes to the firm’s overall policy / allow alterations to the constitution then rights sufficient to meet whatever that supermajority is must be held by individuals with the Audit Qualification (and/or Registered Auditors).

What are ‘voting rights’?

The definition of Voting Rights used in the Regulations has been changed:

FROM: “The rights to vote on all or substantially all matters at meetings of principals or shareholders of the body in question…”

TO: “The rights to vote at meetings of principals or shareholders of a firm on all matters that direct the firm’s overall policy or alter its constitution…”

This change removes the ‘substantially all’ terminology and focusses more clearly on the relevant areas for decision making. The guidance notes to Regulation 2.03 go on to clarify that while a ‘majority’ normally means greater than 50%, where a firm’s constitution requires a higher percentage of voting rights for decision-making, “majority” shall mean the specified higher percentage. It also clarifies that in this context ‘decision-making’ relates to all management or ownership decisions which direct the firm’s overall policy or alter its constitution.

When considering this matter, firms should be aware that a positive authority to affect change is required. In that context, a fallback power of veto over some decisions would not be expected to constitute sufficient ‘authority’, and the Audit Qualified individuals (and/or Registered Auditors) must hold the authority to pass a vote if one were ever to arise.

Impact on ICAS audit firms

Firms will need to ensure that enough voting rights are held by qualified persons to meet any approval percentages stipulated in the firms’ governance documents. It is not enough that qualified persons can veto a decision; the qualified persons must be capable of passing the vote on all matters that direct the firm’s overall policy or alter its constitution.

It is not expected that these clarifications and amendments will have an impact on many ICAS audit firms, given the majority of our firm are small firms, or firms with simple governance structures. The changes are likely to impact larger firms and those which have more complex governance arrangements (e.g. where there are different voting arrangements for different policies/areas).
However, for the small number of firms that are affected these changes could impact those firms in a fundamental way with regards their audit registration and eligibility.

All firms must carefully consider their own specific circumstances to ensure the eligibility requirements are, and continue to be, met. Given the fundamental nature of Audit Regulation 2.03 with regards a firm’s eligibility for audit registration, any instances of non-compliance would be considered significant matters. Cases of non-compliance would be expected to result in reporting to the ICAS Authorisation Committee and consideration of regulatory action (such as a regulatory penalty accompanied by public notice).

Firms should be aware that considerations may well become more complex where there are multiple legal entries / registered firms within a group structure, and/or where legal entities (rather than natural persons) are principals in a firm (e.g. where corporate entities hold a director / LLP member role). If firms are in any doubt of whether principals and/or those with voting authority hold the Audit Qualification, they should look in to this as a matter of urgency – which may require contacting individuals’ membership bodies. Careful consideration should also take place when succession planning to ensure that individuals with the Audit Qualification, or Registered Auditors, always hold such rights under the firm’s constitution as enable them to direct its overall policy or alter its constitution.

Other relevant regulations: notification of changes in eligibility

The transition period to 1 April 2025 should allow firms time to make any governance changes required.

Firms should also be aware that Audit Regulation 2.11 requires audit registered firms to inform ICAS in writing, as soon as practicable, of any changes which might affect a firm's eligibility. Notification of such changes should be timely and not later than ten business days after the event.

It is recognised that some unforeseen or unavoidable circumstances may result in a firm ceasing to meet the eligibility requirements. Under Audit Regulation 2.17 a firm must notify the Authorisation Committee if it ceases to meet one or more of the eligibility requirements. Notification must take place in writing within ten business days of the situation arising and should set out the circumstances and what action the Registered Auditor proposes to take. On considering such a notification, the Authorisation Committee has the power to grant dispensation from the eligibility requirements in cases where continued registration would not adversely affect an audit client or any other person. Dispensation would be temporary, to enable the firm to address any eligibility issues, and would not last for more than 90 days.

Audit monitoring visits

While breaches of eligibility are relatively rare (in 2023 this was identified in only 8% of visits), they are among the most significant issues identified on audit monitoring visits.

From the monitoring team’s experience, issues with eligibility most often arise where there have been changes in the structure of a firm, or where principals have changed, without sufficient notification being made to ICAS and / or consideration of the potential impact of the changes with regards to compliance with the Audit Regulations.

Firms should be aware that not all CAs have the Audit Qualification, so care should be taken to keep track of changes in Audit Qualified principals and voting rights. Partnerships are reminded that all members / partners of such practices will be considered to have equal voting rights unless there is a formal agreement setting out otherwise.

There have also been a small number of other issues relating to eligibility noted in recent years, which are shared here again for reference:

• Non-qualified principals in an audit firm not completing the required Audit Affiliate application. Firms are reminded that under Audit Regulation 2.03a, any principal that is not a member of ICAS, ICAEW, ICAI, or ACCA will likely require an Audit Affiliate application to be submitted.
• Audit firms constituted as a corporate practice (i.e. a limited company), which have not sufficiently tailored their Articles of Association. Audit Regulation 2.03d sets out various requirements that must be met in such a firm’s articles of association. These include a requirement for shareholders to notify the firm of any changes in shareholding, and a requirement that the firm’s directors must approve any transfer of shares resulting in a shareholder holding more than 3% of the firm’s share capital.
• A case where an Audit Compliance Principal (ACP) was not a principal in the firm. In such cases, the regulations require the ACP to be a member of a management board which administers or manages the firm, but this was not the case.

Changes to the regulations relating to maintaining competence

Audit Regulation 3.17 – Maintaining Competence (which is seen to relate to a firm’s overall processes for training and ongoing development) has been expanded to set out to more clearly cross refer to Audit Regulation 3.17A (which relates more directly to the requirement for each RI to maintain competence), and to clarify the importance of retaining evidence of training / CPD undertaken.

Maintaining competence

The additional references now included are shown in bold below

3.17 – “A Registered Auditor must make arrangements so that all principals and employees doing audit work are, and continue to be, competent to carry out the audits for which they are responsible or employed. The Registered Auditor’s arrangements in this regard facilitate compliance with regulation 3.17A by the responsible individuals. A Registered Auditor must make arrangements for the retention of the records of continuing professional development (‘CPD’) undertaken by principals and employees engaged in audit work including the CPD undertaken by responsible individuals to comply with regulation 3.17A. A Registered Auditor must ensure that CPD records are made available to the registering Institute for inspection and review when requested.”

Audit Regulation 3.17A has also been amended and expanded to clarify requirements on an RI level, and to more clearly refer to the learning outcomes in Table A of International Education Standard 8 (IES8), which sets out the core competencies that all RIs are required to develop and maintain.

FROM: 3.17A – “A responsible individual must take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values, including, in particular, in relation to auditing, with content that is relevant to their role and responsibilities.”

TO: 3.17A  “A Responsible individual is required to:

(a)take part in appropriate programmes of continuing education in order to maintain their theoretical knowledge, professional skills and values, in relation to auditing, at a sufficiently high level. A responsible individual must undertake CPD to:

• achieve the learning outcomes in Table A of IES 8; and
• maintain professional knowledge in (i) the UK auditing framework and (ii) financial reporting standards in use in the UK relevant to the preparation of financial statements and to statutory audit;

(b)  ensure that appropriate records are retained to demonstrate compliance with the responsible individual’s CPD obligations.”

While the underlying requirements are nothing new, ICAS Audit Monitoring regularly finds that firms (in considering a firm-wide approach to CPD) and RIs (in considering their own approach) have not explicitly considered IES8 as part of the CPD process. There is also a correlation between non-compliance with Audit Regulation 3.17 & 3.17A and poor audit quality. Firms should ensure that sufficient appropriate CPD is conducted by all auditors, and that RIs are explicitly considering the requirements of IES 8 when planning, conducting and recording CPD. To aid in the latter, worked examples of a CPD record for an experienced RI are available on ICAS.com for reference.

Audit Monitoring findings

Looking back at 2023, the monitoring team found breaches against Audit Regulation 3.17 and/or 3.17A on 16% of visits, resulting from weaknesses in a firm or RIs arrangements for training and continuing professional development (CPD). While this was in a relatively small proportion of visits, it should be recognised that breaches of these regulations are often closely linked to other significant, or widespread, issues with audit quality or compliance:

Half of these visits related to cases where insufficient or ineffective CPD was considered to have been an underlying factor in poor audit quality (where the RIs files were found to require significant improvement).
The other half of the cases related to instances where RI’s CPD records were poor, and did not demonstrate sufficient consideration of the requirements of IES8.

Changes to the regulations relating to the audit compliance review process

The guidance notes to Audit Regulation 3.20 have been expanded and updated to more clearly cross refer to the requirements brought in by the International Standard on Quality Management (UK) 1 (ISQM1).

Audit Compliance Review (including Cold File Review)

Given the guidance and commentary available elsewhere on ISQM1, and the monitoring and evaluation processes it requires, this update will not go into detail on those changes. However, we do want to signpost an amendment to the commentary on cold file review processes.

Firms should already be aware that the regulations require a process of cold file review(s) to be conducted annually. Previously the de minimis required by the Audit Regulations was for at least one cold file review to be conducted per year. The updates to the regulations give additional guidance:

“ISQM1 requires firms to select at least one completed engagement for each responsible individual on a cyclical basis determined by the firm. It also prohibits and engagement team members or the engagement quality reviewer from performing any inspection of that engagement.

However, to comply with these regulations the firm’s procedures for review of completed engagements must also meet the following two criteria:

1. The cycle of inspection of completed engagements for each responsible individual must not exceed three years.
2. Monitoring must include at least one inspection of a completed engagement, each year.

Where the additional reviews required by ‘2’ above exceed those that would be required for the firm to comply with ISQM1, the firm may relax the requirement for the inspection to be conducted by an individual independent from the engagement team providing it considers that the selected individual is able to conduct the review with a sufficiently independent and objective mindset.

A firm that does not have a suitable internal reviewer meeting the criteria set out in ISQM1 should engage an external reviewer at least once every three years.”

The latter two paragraphs here recognise that a small, sole RI firm may well have challenges in conducting an independent cold file review process. As in the previous Audit Regulations, a sole RI can conduct a cold file review of one of their own files (so long as they are able to conduct the review with a sufficiently independent and objective mindset) on the proviso that an externa cold file review process is engaged at least once every three years.

Firm Quality Management processes in the year of a monitoring visit

One other minor amendment flagged in the revised regulations, is that:

“A firm should conduct monitoring each year, even when the firm has had a quality inspection from the Institute during the year.”

While this has always been the case, as ICAS Audit Monitoring do not form part of a firm’s quality management (or control, as was) processes, this is a welcome opportunity to remind firms that they must continue to conduct their own quality management reviews, including ‘whole firm’ monitoring and cold file reviews, even in years when a monitoring visit is expected, planned, or has taken place.

ICAS Audit Monitoring findings

Looking back at the 2023 ICAS Audit Monitoring visits, 32% of visits identified a breach of AR 3.20. The most common underlying issue being the lack of an effective cold file review process. In most cases, this resulted from a complete lack of a cold file review process in the year of the monitoring visit, and that preceding it.

Our 2023 Monitoring Report noted that an effective cold file review process is an essential component of a firm’s SOQM, and firms with good quality audit files tend to have an effective cold file review process in place more often than not. Most cases where a cold file review process had not been conducted at all involved smaller firms, and it is acknowledged that sole RI practices can find it especially challenging. As above, it is recognised that a sole RI can still conduct their own cold file review so long as an external reviewer is engaged at least once every three years. Smaller firms may also want to consider whether there is any another individual in the firm who, although not a responsible individual, is very experienced in current auditing requirements and might be able to undertake an effective review. If so, assuming that the individual did not take part in the audit, the firm may decide this individual would be a suitable person to conduct the required cold file review.

In 2023, reviewers also came across some instances where a cold file review had been conducted as required, but where the findings of the process were inconsistent with the findings of ICAS Audit Monitoring. This is most often the case where an internal review did not raise many queries, or did not identify significant issues that were identified in the monitoring visit. Firms should ensure that any cold file review process is robust and conducted by individuals with sufficient capability and experience.

More latterly, the monitoring team has anecdotally considered there to be a correlation between firms (including even larger firms) that choose to engage an external cold file review process and better levels of audit quality, even when such reviews are only engaged on a periodic basis (e.g. every second or third year). This may not be unexpected where internal reviews tend towards considering compliance with firm procedures and ‘the way we do things’, while external reviews give a different perspective. While external reviews are not certainly required under the regulations (other than as previously stated) firm’s may want to consider what options are available to them to ensure their monitoring procedures are as affective and robust as possible.