Internal quality control system
Ernst & Young Accountants LLP’s reputation for providing high-quality professional audit services independently, objectively and ethically is fundamental to our success as independent auditors. We continue to invest in initiatives to promote enhanced objectivity, independence and professional skepticism. These are fundamental attributes of a high-quality audit.
At Ernst & Young Accountants LLP, our role as auditors is to provide assurance on the fair presentation of the financial statements of the companies we audit. We bring together qualified teams to provide our services, drawing on our proven experience across industry sectors and services. We continually strive to improve our quality and risk management processes so that the quality of our service is at a consistently high level.
We recognize that in today’s environment — characterized by continuing globalization, geo-political developments, changing public opinion within Dutch society and the importance of trust to protect the financial markets, and the rapid movement of capital — the quality of our audit services has never been more important. As part of Vision 2020, EY continues to invest heavily in developing and maintaining our audit methodology, tools and other resources needed to support quality service delivery.
While the market and stakeholders continue to demand high-quality audits, they also demand increasingly efficient and effective delivery of audit services. In addition to the investment mentioned, EY continues to seek ways to improve the effectiveness and the efficiency of its audit methodology and processes, while maintaining audit quality.
We work to understand where our audit quality may not be up to our own expectations and those of stakeholders, including external audit firm regulators. We seek to learn from external and internal inspection activities and to identify root causes of adverse quality occurrences to enable us to continually improve audit quality, and we believe that an important part of the audit inspections process is to take effective and appropriate actions to improve quality.
Effectiveness of the quality control system
EY has designed and implemented a comprehensive set of global audit quality control policies and practices. These policies and practices meet the requirements of the International Standards on Quality Control issued by the International Auditing and Assurance Standards Board (IAASB). Ernst & Young Accountants LLP has adopted these global policies and procedures and has supplemented them as necessary to comply with local laws and professional guidelines, and to address specific business needs.
We also execute the EY Audit Quality Review (AQR) program in order to evaluate whether our system of audit quality control has operated effectively so as to provide reasonable assurance that Ernst & Young Accountants LLP and our people comply with applicable professional and internal standards, and regulatory requirements.
The results of the AQR program and external inspections are evaluated and communicated within our firm to provide the basis for continual improvement in audit quality, consistent with the highest standards in the profession.
The GE is responsible for implementing quality improvement and protection programs. As such, it reviews the results of our internal AQR program and external regulatory reviews, as well as any key actions designed to address areas for improvement.
The recent results of such monitoring, together with the recent feedback from independent regulatory inspection visits and internal reports by CO, Risk Management Assurance and QARA, provide us with a basis to conclude that the internal quality control systems are operating effectively. In the course of this evaluation we have identified actions which we believe will further strengthen controls to mitigate material risks. In fiscal year 2015/2016 a more comprehensive insight was gained into internal control effectiveness by means of a phased implementation of a risk management and internal control framework based on the COSO 2013 model.
During fiscal year 2015/2016, we continued to insist on strict compliance with our Global Code of Conduct by our partners and other professionals. We expect them to live up to high standards of integrity and professionalism and we take action when they fail to do so. Monitoring is a key element of this pursuit of compliance and of our Internal Quality Control System. Risk mitigating controls regarding audit quality and compliance are tested throughout the year. Our monitoring controls, Panels, Consultation and AQR procedures generate valuable information and insights. Their results and the policymakers’ statement are included in this Transparency Report.
Nevertheless, we continue to note some deficiencies, in both controls and audit files that we review internally. We believe each deficiency is one too many, as it can potentially harm trust in our audits or auditors. Deficiencies identified are classified as infringements and/or incidents.
An infringement (schending) is recorded in the event of a breach of certain formal internal or external rules and regulations. We keep a detailed register of all infringements by our partners and employees. These infringements vary widely as to their nature, seriousness and impact. Infringements are reported to our firm’s policymakers, and an evaluation takes place as to whether procedures within the organization must be adapted and/or what measures should be taken against the infringing partner or employee.
The two most important categories of infringements are those of independence rules and those of rules and regulations regarding audits of financial statements. We provide information on independence-related infringements during fiscal year 2015/2016 in the “Independence practices” section of this Transparency Report.
The table below shows the number of infringements related to the quality or quality control of audits of financial statements during fiscal year 2015/2016. The breakdown by type of client is based on their qualifications under Dutch law: they are either Public Interest Entities according to Dutch Law (Organisaties van Openbaar Belang, including listed clients), statutory audits (wettelijke controles or WeCos, i.e. financial statements audits required by law) or other audits of statutory financial statements (indicated below as non-WeCo). In total, we have performed about 8,400 audits (FY15 7,100), of which about 2,800 (FY15 3,750) are WeCos.
|Type of infringement at financial statement audits 2015/2016||WeCo/OOB||WeCo/non-OOB||non-WeCo||Total|
|1. Engagement Quality Review incorrectly applied, or not applied||1||1|
|2. EQR concurrence notice sent to CO after release of auditor’s opinion||1||1|
|3. Infringements resulting from Audit Quality Review 2014/2015 test cycle||1||2||3|
|4. Insufficient audit evidence in specific areas||2||2|
|5. Infringements of duty to secrecy||1 (1)||5 (4)||1 (1)||7|
|6. Mandatory consultation not applied / Concurrence with PPG after release of auditor’s opinion||7||1||8|
|Type of infringement at financial statement audits 2014/2015||WeCo/OOB||WeCo/non-OOB||non-WeCo||Total|
|1. Engagement Quality Review incorrectly applied, or not applied||2||2|
|2. EQR concurrence notice sent to CO after release of auditor’s opinion||1||1||2|
|3. Infringements resulting from Audit Quality Review 2013/2014 test cycle||2||2|
|4. Insufficient audit evidence in specific areas||1||18||2||21|
|5. Infringements of duty to observe secrecy||2||2|
|6. Mandatory consultation not applied / Concurrence with PPG after release of auditor’s opinion||2||2||4|
As we are a learning organization, we take a critical look at the number of infringements and their year-on-year development.
|The infringements mentioned in the table above can be classified as follows:||Our follow-up has been:|
|1||Engagement Quality Review incorrectly applied, or not applied||The EQRs for the years 2012, 2013 and 2014 were not performed since the client was mistakenly not identified as a Public Interest Entity according to Dutch Law (Organisatie van Openbaar Belang, OOB). After noticing this infringement, an EQR took place on the 2015 file. Furthermore, PPG will offer additional guidance on the definition of Public Interest Entities according to Dutch Law.|
|2||EQR concurrence notice sent to the CO after release of auditor’s opinion||After questioning the team the concurrence notice was sent to the CO.|
|3||Infringements resulting from the Audit Quality Review 2015/2016 test cycle||Each of the partners and executive directors involved prepared a mandatory Remedial Action Plan, whose implementation was reviewed during the 2015/2016 test cycle. We refer to the AQR section of this Transparency Report, where improvement procedures are discussed.|
|4||Insufficient audit evidence in specific areas||One file relates to a review report regarding prospective financial information. Since the auditor no longer works for EY no further actions were taken. The second file related to an audit in a specific sector. The planned follow-up for this infringement consists of investigations of files in the related sector (including a number of files of the auditor concerned).|
|5||Infringements of duty to observe secrecy||The consequences for clients have been mitigated. The employees involved have engaged in extra training on secrecy.|
|6||Mandatory consultation not applied / Concurrence with PPG after release of auditor’s opinion||PPG will consider if additional guidance is needed regarding mandatory consultation.|
|7||Other||In disciplinary consultation between the auditor and the policymakers, the infringements were discussed and the importance of timely and direct communication with the regulator was emphasized.|
The firm as a whole benefits from our annual summary of “lessons learned from infringements”. A summary of the infringements and the lessons learned is distributed to all Assurance personnel.
Not included in the tables above are infringements regarding the archiving of audit files, as these concern the timeliness of archiving of the audit file after sign-off only. Archiving means that an electronic copy of the audit file is stored in our archive system, after which it is no longer editable. For OOBs and other WeCos, external regulations set the maximum period for archiving audit files (60 days or 2 months; 45 days for PCAOB audit files) after signing the auditor’s opinion. For quality and efficiency reasons, we set an internal filing deadline of ten business days after signing the auditor’s opinion for all financial statements audits. When justified and subject to approval by the PPG, a longer period (up to 60 days) may apply.
We met the external rule of 60 days for 99.7% of all archived files. We failed to meet the deadline for 22 files (2014/2015: 14 files). Twelve of these were WeCo files; 10 were non-WeCo files.
Data breach notification
Effective 1 January 2016, the Dutch Data Protection Act (Wet bescherming persoonsgegevens) was amended and a mandatory data breach notification obligation came into force. This obligation means that organizations must notify the Dutch Data Protection Authority as soon as they experience a serious data breach. A data breach must be reported to the Dutch Data Protection Authority if it leads to a considerable likelihood of serious adverse effects on the protection of personal data, or if it has serious adverse effects on the protection of personal data.
Data breaches relate to those instances in which an actual security breach has occurred. Examples of security breaches are the loss of a USB-key, the theft of a laptop or intrusion by a hacker. Not every security breach, however, qualifies as a data breach. A security breach is only considered to be a data breach if it involves the loss of personal data, or if unlawful processing of personal data cannot reasonably be excluded.
We keep a register of all security breaches to assess whether a breach needs to be reported to the Dutch Data Protection Authority as a data breach. This register includes incidents like lost or stolen laptops, smart devices, secure ID cards, hard copy files, emails sent to the wrong person etc. Ernst & Young Accountants LLP reported one data breach to the Dutch Data Protection Authority. This breach related to an errant email containing financial data of a client’s employees.
Some security breaches also qualify as an infringement of certain formal internal or external rules and regulations (such as the duty to keep audit information confidential). We registered six breaches as infringements (which include the data breach that was reported to the Dutch Data Protection Authority).
Under Dutch law, we are obliged to inform the AFM immediately of any incident that might have serious consequences for the integrity of our operations. We apply AFM’s guidance on the interpretation of an “incident”. This interpretation is broad in scope and includes examples of risks that are not necessarily related to infringements nor to deficiencies in the quality of auditors’ work. For example, potential reputational damage to the firm can also qualify as an “incident”, even when it is linked to non-audit partners of, or non-audit services provided by, the Dutch EY network.
During fiscal year 2015/2016 we reported 9 (2014/2015: 14) incidents to the AFM.
|(Potential) criminal offence and violations of the law at client||2||2||4||1||1|
|Correction of error(s) in financial statements||1||3||1|
|Threat to independence||1|
|Improper use of opinion issued by EY||1||6||3|
- Two cases concerned potential fraud at one of our clients.
- One case concerned potential wrongdoing by a former employee of Ernst & Young Accountants LLP that impacted the relationship with a client.
- One case concerned the bankruptcy of a large audit client within one year after we issued its audit opinion.
- Two cases concerned media reporting on our clients that (also) referred to Ernst & Young Accountants LLP or to services we provided.
- One case concerned the correction of errors in the financial statements of the client in combination with media reporting on those errors, referring to our audit during fiscal year 2015/2016.
- One case concerned the early termination of an audit engagement as a result of a client not meeting our requirements based on our continuous client due diligence monitoring obligations pursuant to the Dutch Money Laundering and Terrorist Financing Prevention Act (Wwft), introducing possible improper business conduct leading to reputational risk for us.
- One case concerned the publication of financial statements with our auditors’ report where the published financial statements were not identical to those audited by our firm.
We keep the AFM informed about our follow-up of incidents and, if applicable, report to the AFM on measures we have taken and their results.