To print the Settlement, click here.
IRISH AUDITING AND ACCOUNTING SUPERVISORY AUTHORITY
IN THE MATTER OF MICHAEL TUOHY
1. Following an investigation by the Irish Auditing and Accounting Supervisory Authority (‘the Authority’) a Settlement Agreement has been agreed and the Authority has decided to impose a Reprimand and the respondent is further fined €10,500 by way of sanction.
2. The contraventions were admitted by the respondent.
3. This matter concerned the audit of the financial statements of National Asset Management DAC for the year ended 31 December 2016. The company is a NAMA Group Entity and is responsible for issuing the government guaranteed debt instruments and subordinated debt, which were used as consideration in acquiring loan assets.
4.Michael Tuohy was the statutory auditor for the statutory audit of the financial statements of National Asset Management DAC for the year ended 31 December 2016. As Engagement Partner, Michael Tuohy was required to take responsibility for the overall quality of each audit engagement, for the supervision and performance of the audit engagement and for the auditor’s report being appropriate in the circumstances. He was also required, through a review of the audit documentation and discussion with the engagement team, to be satisfied that sufficient appropriate audit evidence had been obtained.
5. In 2016, the revenue earned was €371m, with a profit of €7m and assets of €7.4bn, including €3.9bn of loans and receivables. Planning materiality for the audit was set by the engagement team at €18m. National Asset Management DAC ’s 2016 financial statements were audited by Mazars. This was the first time that Mazars audited the financial statements of National Asset Management DAC. The firm was appointed as Statutory Auditors on 1 June 2017 and it issued the audit opinion on 27 September 2017.
6. In this audit, loans and receivables was a significant balance in the company being 217 times the materiality for the entity. It was a complex valuation, not based on observable inputs. The concerns identified form the basis of the allegations in this case and raised concerns as to whether sufficient appropriate audit evidence was obtained as at the date of issuing the audit opinion.
The Relevant Standards of Conduct
7. The standards of conduct reasonably to be expected of the Respondent were set out in the Fundamental Principles contained in the Code of Ethics (“the Code”) applicable at the relevant time, issued by the Institute of Chartered Accountants in Ireland (ICAI). The Fundamental Principles contained in the Code are made in the public interest and are designed to maintain a high standard of professional conduct by all members of ICAI.
8. In complying with the Code, to conduct an audit in accordance with applicable technical and professional standards, the relevant auditing standards, were the International Standards on Auditing (UK and Ireland) (“ISAs”). The purpose of ISAs is to establish standards and general principles with which auditors are required to comply. Together they form a body of standards that should be applied before an auditor can express an opinion that financial statements give a ‘true and fair view’ within the meaning of the Companies Act 2014.
9. Aspects of the following ISAs are referred to in this document:
ISA (UK and Ireland) 200 – Overall objectives of the independent auditor and the conduct of an audit in accordance with International Standards on Auditing
ISA (UK and Ireland) 230 – Audit documentation
ISA (UK and Ireland) 330 – The auditor’s responses to the assessed risks
ISA (UK and Ireland) 500 – Audit evidence
ISA (UK and Ireland) 530 – Audit sampling
ISA (UK and Ireland) 540 – Auditing accounting estimates, including fair value accounting estimates, and related disclosures
ISA (UK and Ireland) 620 – Using the work of an auditor’s expert
10. The relevant contraventions identified in this case demonstrated that insufficient professional scepticism was applied in this audit engagement and the respondent’s performance of the audit fell below the standards reasonably expected of a statutory auditor. Auditing standards require the auditor to plan and perform an audit with professional scepticism. ISA (UK & Ireland) 200 (Overall objectives of the independent auditor and the conduct of an audit in accordance with International Standards on Auditing) para 15 states:
The Auditor shall plan and perform an audit with professional skepticism recognising that circumstances may exist that cause the financial statement to be materially misstated.
11. In respect of the particulars below ISA (UK & Ireland) 200 paragraph 15 relates to Particulars (a) (b) and (c).
(a)There was insufficient challenging of assumptions used in the valuation of the loans and receivables balance. There was insufficient work on reasonableness of management assumptions. Appropriate procedures were not performed in relation to the scoping, review and consideration of the work of the valuation expert utilised by the audit team.
12. Auditing standards, particularly ISA (UK & Ireland) 540 (Auditing Accounting Estimates and Related Disclosures), set out specific requirements where there is a judgement and/or estimate involved in a particular balance, to ensure that the auditor considers obtaining an understanding of whether and, if so, how management has assessed the effect of estimation uncertainty. The auditor also needs to assess how management has considered alternative assumptions or outcomes by, for example, performing a sensitivity analysis to determine the effect of changes on an accounting estimate.
13. There was insufficient evidence of the engagement team’s review of the sensitivity analysis presented in the notes of the financial statements.
14. There was limited evidence on the audit file of procedures regarding sensitivity analysis for the impairment charges over loans and receivables. It was unclear from the audit file as to why a sensitivity analysis was not performed given the materiality of the balance and the fact that there had been no such analysis previously. Further, this was the first year of the audit for the firm and insufficient procedures were performed to respond to estimation uncertainty and the effect such uncertainty can have on the appropriateness of estimates in the financial statements. There was insufficient evidence of the engagement team’s assessment of how management had assessed the effect of estimation uncertainty.
15. Auditing standards require assessment of whether the methods used in making accounting estimates and the assumptions underlying accounting estimates are appropriate. For accounting estimates that give rise to significant risks, auditors are required to evaluate whether the significant assumptions used by management are reasonable and to identify transactions, events, conditions and changes in circumstances that may give rise to new estimates, or the need to revise existing estimates. The Effective Interest Rate (EIR) methodology adopted by the entity was implemented in 2010. Insufficient procedures were performed to assess the reasonableness of the key assumptions or the appropriateness of the methodology applied. Although the methodology was developed in 2010, there was no evidence of how the engagement team challenged whether the EIR methodology used continued to be appropriate. The engagement team relied on an external review of the EIR methodology which took place in 2010. The review itself makes reference to ‘logical integrity’ and did not indicate if it made a qualitative assessment of the assumptions. The quantitative finance expert did not investigate whether any alternative assumptions could have been applied. It was the responsibility of the respondent as the statutory auditor to direct and evaluate the adequacy of the work of the quantitative finance expert.
16. The audit file noted that the methodology was developed in 2010 as mentioned above and there was no reference on the audit file to a periodic assessment being carried out by National Asset Management DAC in respect of the model regarding its continued appropriateness. The engagement team had not challenged management as to why this was not performed. Further, the respondent did not perform his own independent analysis.
17. It was the responsibility of the auditor to assess the assumptions and methods applied in accordance with the requirements of auditing standards. Further, it is the responsibility of the auditor to adequately document consideration of alternative/additional assumptions and why they were not relevant to National Asset Management DAC’s portfolio of loans.
18. Auditing standards require that, where an expert is used, the auditor shall evaluate the adequacy of the auditor’s expert’s work.
19. In order to assess the accuracy and appropriateness of management judgement applied in the impairment process, the quantitative finance expert reviewed the back testing received from the entity. ISA (UK & Ireland) 540 requires auditors to review the outcome of previous estimates, known as back testing. The auditor’s expert was unable to independently verify the results of the back testing undertaken in the first half of 2017 by management because of a lack of benchmark data.
20. There was limited evidence in the auditor’s expert’s report about the methodology used by the entity and limited narrative on the procedures performed by the auditor’s expert in their review. The audit file did contain a workpaper documenting how the auditor had concluded on the work of the auditor’s experts.
21. It was unclear how the Respondent was sufficiently satisfied with the procedures performed by the quantitative finance expert.
22. There was insufficient evidence on the audit file that the engagement team evaluated the adequacy of the testing approach adopted by the auditor’s expert for example the appropriateness of the EIR model, or the accuracy of the rate used.
23. The was insufficient evidence on file to demonstrate that procedures were performed to assess the relevance and reasonableness of the expert’s conclusions, and their consistency with other audit evidence. For example, there was a €40 million surplus income management adjustment which was not investigated further by the engagement team as it was deemed to lead to a ‘conservative estimation’. There was insufficient evidence of challenge of this material management adjustment and the assumptions used in the calculation. There was insufficient evidence that procedures were performed to assess whether the expert adequately reviewed the appropriateness of assumptions applied.
24. It was the responsibility of the auditor to ensure sufficient procedures were performed to assess whether the expert adequately reviewed the appropriateness of methodology applied.
25. There was inadequate evidence on how the engagement team assessed the recommendations from their expert and how this was communicated to those charged with governance.
26. As part of the audit, a loan file review specialist was engaged to perform work on loan file reviews and matters concerning loan valuation, loan file review and management overlays. However, the planning audit memorandum identified the loan file review specialist as an expert.
27. On examination of the audit file, it was difficult to determine whether the individual was a specialist or an expert. A specialist would be expected to include all workpapers on the audit file in accordance with ISA (UK & Ireland) 230. However, in this case only memos summarising the work were included.
(b)There was insufficient appropriate audit evidence over the completeness and accuracy of the data underlying the loans and receivables balance because of insufficient IT testing performed and failure to sufficiently consider the impact of multiple IT deficiencies and multiple audit adjustments on the planned procedures.
28. ISA (UK & Ireland) 500 explains what constitutes audit evidence in an audit of financial statements, and deals with the auditor’s responsibility to design and perform audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion.
29. In this case the IT audit team undertook the following work:
- Testing of ITGCs (IT General Controls)
- Testing of ITACs (IT Application Controls)
- IT interface testing –
- IT testing of key spreadsheets
- Mapping of key account balances to underlying systems for source information.
30. There were a number of IT audit control deficiencies identified by the IT specialists and highlighted in the IT audit document on the audit file.
31. There was limited evidence to support work done by the engagement team in assessing the identified control deficiencies and how they impacted the audit. There was no evidence of review by the core audit team of work performed. There was no evidence of communication between the IT audit team and the core audit team other than attendance of the core audit team at the IT audit team planning meeting. Of the documentation produced by the IT specialists, there was no explanation of the significance of the findings and what, if any, actions were required by the engagement team.
32. In respect of the IT deficiencies that were identified, there was insufficient evidence of review performed on the assessment and grading of these findings by the engagement team. There was insufficient evidence of consideration of the severity of audit findings and why certain findings were included in the management letter and others omitted.
33. There was insufficient evidence of the evaluation of the individual and cumulative IT control weaknesses. IT weaknesses were communicated to the audit committee in the management letter. However, no control findings were communicated in writing at the time of the audit summary presentation to the Audit Committee.
34. ISA (UK & Ireland) 500 (Audit Evidence) expects the auditor to evaluate the appropriateness of that specialist’s work as audit evidence for the relevant assertion and when using information produced by the entity, the auditor shall evaluate whether the information is sufficiently reliable for the auditor’s purposes.
(c)The audit team did not perform sufficient procedures to test the existence of loans/underlying securities.
35. The engagement team performed procedures to address the existence assertion in relation to loans sold. However, sufficient testing was not performed on loans/underlying securities at year end, valued at €3.9bn. There were insufficient procedures performed by the engagement team to address the risk of material misstatement at the “existence” assertion level on the current balance of loans and receivables to reduce audit risk to an acceptably low level. ISA (UK & Ireland) 330 (The Auditor’s Responses to Assessed Risks) requires that the auditor obtains sufficient appropriate audit evidence regarding the assessed risks of material misstatement at the assertion level, through designing and implementing appropriate responses to those risks.
Identification of Sanction
36. The sanction imposed must be proportionate balancing the need to protect the public with the Respondents’ own interests.
37. The purpose of sanction is to declare and uphold proper standards of conduct amongst statutory auditors and statutory audit firms and to maintain public and market confidence in statutory auditors and statutory audit firms and their regulators. In addition, the purpose of sanction is to protect the public from statutory auditors and statutory audit firms whose standard of work falls short of the high-quality audit expected of statutory auditors and statutory audit firms.
38. In coming to the appropriate and proportionate sanction the Authority took into account the Authorities sanctions guidance (effective from 8 March 2021) : The Authority also had regard to its published policy on settlement agreements. The Authority had regard to:
(a)The gravity and duration of the relevant contravention;
(b)The degree of responsibility of the specified person;
(c) The financial strength of the specified person;
(d)The amount of profits gained or losses avoided by the specified person in consequence of the contravention;
(e)The level of cooperation of the specified person with the Supervisory Authority;
(f) Previous relevant contraventions committed by the specified person.
The Authority considers that the conduct in question was a serious departure from the standards expected of a statutory auditor. The contraventions in respect of the loans and receivables in this case went to the core of the work of National Asset Management DAC.
39. In mitigation the respondent has engaged fully with the Authority. The issues identified in this case have not been repeated. The respondent has no previous disciplinary or regulatory findings against him. Subsequent inspections by IAASA of Mr Tuohy’s audit work have not raised any further concerns. The respondent’s timely admissions demonstrate his insight into the contraventions that were identified. Further the period over which the contraventions related concerned one audit and there was an early admission and a genuine acceptance of the contraventions.
40. In considering the level of engagement of the respondent with the Authority, an early settlement discount was also applied.
41. The Authority took into account the timing of the admissions of the respondent. The applicable available sanctions in this case are those that could have been imposed by ICAI as this case concerns the financial statement for the year end audit 2016. The Authority considered the appropriateness of a Caution in this case and it concluded that such a sanction would be insufficient given the seriousness of the contraventions identified.
42. The Authority took into account the timing of the admissions and it considered that it was appropriate to apply an early settlement discount of 30% to the level of the fine imposed.
43. The Authority concluded that the appropriate sanction in this case is a Reprimand and, that the respondent is further fined €10,500 (the early settlement discount having been applied).
Dated: 3 November 2021