This article was first published in the March 2011 Malaysia edition of Accounting and Business magazine.
Boon or bane? That is the question in the minds of many audit practitioners in relation to the impact of the clarified International Standards on Auditing (ISAs). From a professional viewpoint, these revised standards enhance the understandability of the ISAs to promote consistent application and lead towards improvement in audit quality worldwide – a boon most definitely.
However, the enhanced requirements (despite smaller audit considerations provided throughout the standards), will certainly increase the cost of performing an audit. A bane for sure. Good or bad; bonus or burden, practitioners in Malaysia will have to implement the clarified ISAs for audits of financial statements beginning on or after 1 January 2010. For many, this will be for the annual audits with financial year end 31 December 2010.
Holistic risk-based audit
The clarified standards amplify the already-existing emphasis of a holistic risk-based audit, right from the planning stage up to completing the audit and rendering the audit opinion. Risk assessment is a prerequisite for an audit, usually to be carried out in the planning stage, whereby risk identification, its impact on the audit and the audit approach to deal with those risks at assertion levels (including any specific audit procedures) are required to be carried out and documented. This means that the auditor needs invest more time cost for planning than usual, ranging between 15% to 30%, depending on circumstances.
ISA 330 states that the auditor shall obtain more persuasive evidence (usually by increasing the quantity of evidence, emphasising third-party evidence or evidence from multiple independent sources), for higher risk areas of the audit (ie financial statement area). Clearly, the audit procedures designed and the amount/nature of ‘work done’ will be driven by the risk level. Be it control testing or substantive testing, the approach must cater for different risk levels. This also means that for many small and medium-sized businesses, where audits are primarily based on substantive tests, the sampling approach/size has to be one that is earmarked for risks.
The auditing standards also remind auditors to be alert to higher risk factors throughout the audit, with emphasis on related parties and transactions (especially transactions outside the normal course of business), fraud enablers/motivators and areas relating to estimates and judgment. When such indicators or events come to the attention of auditors, they must respond. The clarified standards (for example, ISA 240 on fraud and ISA 550 on related parties) now require a more proactive approach from auditors in risk matters. A notable key ingredient for a successful risk-based audit is understanding the client and their environment, which is emphasised not only in ISA 315, but across many of the other standards.
The ISAs also introduce elements to improve auditor-client communication. ISA 260 for example, requires an auditor to promote communication with management/those charged with governance (TCWG), especially in areas such as the scope and timing of the audit, significant audit findings and difficulties and matters that relate to financial reporting process. The lack or absence of feedback from the client should be viewed as an audit risk and the auditor may consider modifying the audit opinion or even withdrawing from the audit all together (as it may result in a limitation of scope).
ISA 705 and 706 on audit opinions also require an auditor to communicate with TCWG on modifications that are to be made to the audit report, including the proposed wordings/phrases. The new standard, ISA 265, which deals with significant deficiencies in internal controls, also mandates the auditor to communicate to management and/or TCWG. Though these communications are not required in writing (except for communication related to significant deficiencies in internal controls and independence matters for plc audits), an auditor should carefully consider whether oral communication is sufficient in each circumstance.
ISA 600 underwent substantial changes. Various best practices have now been formalised into the standard – such as communicating matters relating to group planning and scope/timing of work (usually in a group audit planning memorandum), downstream instructions from group auditor (usually in a group audit instruction), review of component auditor’s work, etc. A notable emphasis is that the group audit engagement partner’s risk will likely increase because he or she is now ultimately ‘steering’ the group audit.
He or she can no longer rely on the work or representations given by component auditors without making his or her own assessment at the group level (including performing a risk assessment for the whole group), and a review of the adequacy and appropriateness of the work performed and evidence obtained.
The group auditor can, and has to become, more involved in the audit of the group, even to the extent of performing audit procedures at component level (or even directing component auditors to perform them).
Most, if not all of the clarified standards, provide guidance to auditors on how to apply the requirements proportionately in audits of smaller entities (which is defined in ISA 200). The considerations do not actually give leeway to any non-compliance with, or modification to, the requirements, but relate more to simplifying the approach and documentation required. However, where a standard is not relevant in a particular small entity audit (for example where a company does not use any service organisation, ISA 402 is not applicable) or where requirements are conditional and those conditions are not prevalent in the audit, then those requirements need not be applied.
Performing the audit
Two key changes to the audit approach are in relation to materiality and dealing with misstatements discovered during the audit. Auditors now have to set at least two levels of materiality – overall materiality (to consider effects, findings and misstatements on the overall financial statements) and performance materiality (primarily used in dealing with misstatements while performing the audit at the various financial statement areas). The overall materiality has to be higher than performance materiality. No values or indicative thresholds are prescribed, meaning that it has to be determined using professional judgment. ISA 450 also requires an amount/threshold that is trivial to the audit to be determined and documented.
ISA 530 also now explicitly requires an auditor to project or extrapolate misstatements discovered from sampling over the entire population, for their next course of action. ISA 450 in addition, requires uncorrected misstatements (discovered at the assertion/financial statement level) to be aggregated and compared against materiality, to ascertain whether collectively these misstatements result in material misstatements, thus warranting adjustment/correction. TCWG will also need to know about uncorrected misstatements.
Undeniably, the clarified standards mean more work than before. However, the spirit behind them is a noble one, and will hopefully restore public faith in the audit profession, which has suffered in recent years due to high-profile corporate financial scandals.
Ramesh Ruben Louis is a professional trainer and consultant