The European Union (EU) audit legislation, enacted in 2014, and effective starting in June 2016, will usher in far-reaching changes for companies that are public interest entities (PIEs) in the EU.
, as we explain below. Yet many audit committees may not be aware of the challenges that lie ahead.
Definition of a PIE
The first question for audit committees to consider is whether their company is an EU PIE or has an EU PIE in its group.
PIEs are broadly defined in the legislation as “companies that are governed by the law of a Member State that have shares or securities admitted to trading on a regulated market in the EU.”
Yet, significantly, all credit institutions and insurance undertakings are also defined as PIEs, whether they are listed or not. Therefore, banking and insurance groups will find the new legislation particularly challenging because every subsidiary that they have in the EU is likely to be a PIE.
It is important to note that Member States can expand the definition of what constitutes a PIE, and many will do so.
For more information on what currently constitutes a PIE, see EY’s paper, EU audit legislation: understanding the legislation and how it will affect you. ×
Under the law, EU competent authorities must, among other things:
- Evaluate PIE audit committee performance as part of audit market monitoring reports that they are required to publish every three years
- Establish a sanctions regime that is applicable to individual PIE audit committee members, other directors and the PIEs themselves (as well as their external auditors) in the event of non-compliance with the law
Under the law, audit committees of PIEs must:
- Rotate audit firms in accordance with local laws
- Meet specific requirements for monitoring auditor independence, including preapproving expenditure on permissible non-audit services (preapproving expenditure could be difficult where a large entity has subsidiaries in multiple jurisdictions, because different Member States will apply different prohibitions with regard to non-audit services)
While much of what has been legislated relating to PIE audit committees is already leading practice in many EU Member States, there are some jurisdictions where the framework will require audit committees to make substantial changes to how they currently operate.
The general requirement in the legislation is that every PIE should establish an audit committee. Although Member States can decide to exempt certain PIEs from that requirement, it is possible that some groups of companies might find themselves legally obliged to establish more than one audit committee. This will require a degree of coordination between those audit committees in order to avoid unnecessary duplication of effort while affording full compliance with the law.
As the implementation date for the legislation is close, it is essential that audit committees understand the new requirements and start preparing for them now.
Changes impacting audit committees
The changes described below apply to audit committees of PIEs, unless otherwise noted.
For the first time, the legislation requires the European Competition Network and the audit oversight authorities in each Member State to prepare an audit market monitoring report on a three-year basis. The report will focus on topics including concentration levels in the PIE audit market, audit quality and the performance of audit committees, with the first report due to be published in June 2016 and the second in June 2019.
At this stage, it is not clear how the performance of an audit committee will be assessed, although a better indication will be afforded once the first audit market monitoring report is published in June 2016. The way in which the audit committee conducts the audit tendering process will almost certainly form a major part of the assessment.
Regardless of the jurisdiction in which they are based, audit committees will have to be able to “demonstrate, upon request, to the competent authority that the selection procedure was conducted in a fair manner.” It is also possible that the review may include the audit committee’s role in the assessment of auditor independence, monitoring the provision of non-audit services and supporting overall audit quality.
It could also include a judgment on whether the audit committee is sufficiently independent and comprises individuals who provide the right breadth of sector and accounting or auditing skills. Should there be any breaches of the law, penalties could be imposed on individual audit committee members as well as on the PIE itself.
There is some flexibility for Member States, however. For example, they have the option to adopt a shorter time frame for rotation. They also may choose to let PIEs put their audit out for public tender after 10 years and allow them to keep their current auditor for a maximum of 10 additional years.
The audit committee is responsible for conducting a tender consistent with certain legal requirements. It must conduct an audit tender in accordance with the requirements that are specific to the PIE’s own jurisdiction. It needs to follow a fair and transparent process when selecting a new auditor.
Furthermore, it must be able to demonstrate that the organization of the tender process contains non-discriminatory selection criteria and has not precluded the participation of smaller audit firms (e.g., those outside the Big Four).
Following the tender, the audit committee must recommend the names of at least two potential auditors to the board. One name will be the preferred choice. The choice and preference will then be presented to the shareholders by the board. If the recommendation of the audit committee has been rejected, the board will need to explain why.
Auditors of PIEs will be subject to a maximum cap on non-audit fees. The cap equals 70% of audit fees based on a three-year rolling average. Outside a specific list of prohibited services, auditors can provide a range of permissible non-audit services to their audit clients. Prohibited services includes providing accounts preparation, structuring, valuation, legal and payroll services. A list of tax services are also prohibited, although Member States may permit them in certain circumstances.
Since audit committees of PIEs will have to preapprove expenditure on permissible non-audit services, they will need to understand the structure of their groups and the different audit arrangements that are in place. The audit committee will need to know which services the PIE requires and which professional services firms will be eligible to provide them.
Moreover, if an audit firm from another network (i.e., a network other than the one performing the group audit) is appointed to audit an entity within the group, the audit committee of the PIE will have to consider carefully whether that entity is, itself, a PIE or if it has parents or subsidiaries in the EU that are PIEs. If so, and to the extent that the incoming auditor has been providing other services elsewhere in the group, those arrangements may need to be terminated.
Where there are multiple PIEs in a group, that requirement can become increasingly complex to monitor, particularly since PIEs in different jurisdictions may have to rotate their auditors at different times.
For example, if a London-based bank has a small subsidiary in Italy that awards its audit to a particular firm, the prohibitions on which services can be provided by that firm apply to the Italian subsidiary as well as to that subsidiary’s own subsidiaries and its parent companies within the EU. They also apply to the audit firm’s entire global network. If the firm had been providing non-audit services to the bank in London, it would no longer be considered independent once it won the Italian audit and would have to stop providing those non-audit services.
Nevertheless, although the prohibitions apply to the audit network globally, they would not prevent the US firm within a network from providing non-audit services to a US parent company. That said, if the US entity were a subsidiary of an EU PIE, while most non-audit services are permissible subject to a “threats and safeguards” assessment, some services are explicitly banned (e.g., bookkeeping and payroll services and the preparation of accounting records and financial statements).
Under the new framework, the majority of audit committee members must now be independent, and one member must be competent in accounting or auditing. Additionally, the legislation states that “committee members as a whole shall have competence relevant to the sector in which the audited entity is operating.”
This is viewed as a significant change from the 2006 directive, which only required one member of the audit committee to be independent and to have competence in accounting or auditing.
The law requires the auditor to submit an additional, more detailed, report to the audit committee on the results of the statutory audit. Under the legislation, Member States may impose additional requirements for such reports, including requiring the audit committee to pass this on to the board, along with an explanation of how the audit of the financial statements contributed to the integrity of the PIE’s financial reporting and the audit committee’s role during the process.
Audit committees of companies that are based outside the EU, but that have EU PIEs somewhere in their group structure, will also be affected by the legislation. For example, any PIEs in the EU will have to abide by the new auditor rotation requirements, and the independence of their auditors will still need to be monitored. The audit committee of a non-EU parent would not, however, be subject to sanctions on individual audit committee members enforced by the EU supervisory authorities.
How audit committees can prepare
An initial priority will be for an audit committee to ascertain to what extent there are PIEs anywhere in their group structure, a determination that could be informed by discussions with their auditor.
If any PIEs are identified, their
by following the steps below:
- The applicable rotation and tendering requirements for the PIE’s audit should be determined, both in terms of length and timing. These will differ according to jurisdiction and the length of the existing audit relationship.
- Relationships beyond the company’s current auditor should be managed. Audit committees of PIEs need to examine whether audit firms other than the current auditor provide non-audit services to other group companies, determine the nature of any such services, and ascertain whether those firms would be considered sufficiently independent if they were to tender for the audit in the future.
- The audit committee should obtain regular updates from its current auditor on its independence.
- The audit committee should decide how to provide proof that it has carried out the audit tendering process in a fair, transparent and non-discriminatory manner.
- The composition of the audit committee should be reviewed to ensure that it complies with the new regulation. Is it sufficiently independent and is it composed of individuals who provide the right breadth of sector and accounting or auditing skills? It may be necessary for the audit committee to consider performing its own skills analysis in order to get an accurate picture.
The far-reaching changes from the 2014 EU audit legislation warrant attention from audit committees of companies that are, or include, a PIE under the EU legislation or EU Member State definitions. EY encourages timely consideration of these matters to facilitate fulfillment of related obligations.