Like it or not, the clarified International Standards on Auditing (ISAs) have raised the audit quality bar for all practitioners. The 36 clarified auditing standards come into effect for audits of accounting periods commencing on or after 15 December 2009. Some standards are significantly revised but all have been rewritten in the new clarity format and contain a number of key changes that auditors will need to consider if they want their work to comply with the new auditing rules.
The 12 areas set out here are not an exhaustive list of the changes between the old and new ISAs - far from it. But they offer a good starting point to assess whether your audit work reflects the spirit of the new standards.
The ultimate scale of the challenge will vary from audit to audit and practitioner to practitioner, depending on the complexity of the engagement and the quality of their work under the old standards. The significance of the matters noted will also vary from jurisdiction to jurisdiction where the old ISAs may have been supplemented by local requirements.
1: Assessing ISA objectives have been met both in planning and finalising an audit
One of the aims of the new ISAs is to further encourage thinking. To drive this, every ISA now includes an overall objective. The auditor is now required to consider the particular circumstances of the audit and what procedures they need to complete if they are to achieve the audit.
This objective should be under consideration throughout the audit, but there are specific requirements to consider the individual circumstances both at the planning stage and the finalisation stage.
In most cases it is expected that an auditor will meet the objective of the standard by complying with its requirements, but this doesn't remove the requirement to consider whether special circumstances and procedures are necessary to meet the specific objectives and express an audit opinion.
2: Management override is a significant risk
The previous ISA 240 required specific procedures to address the risk of management override of controls in the areas of journal entries, estimates and unusual transactions.
The requirement for procedures in these areas remains in the new standard but it is clear that management override should now be treated as a significant risk. The classification of management override as a significant risk has consequences throughout the audit including the evaluation of the design and determining the implementation of relevant controls. As a result, engagement teams may need to give more time to these areas in their internal fraud discussion.
3: Introducing related parties as a fraud consideration
The revised related party standard, ISA 550, recognises that risks of misstatement are higher when related parties are involved. The updated standard requires related party relationships and transactions to be considered explicitly in the engagement team's fraud discussion and an understanding of controls relevant to related parties to be obtained. It follows from this that if those controls are missing, the auditor may be required to report the fact to those charged with governance. The updated standard requires the auditor to challenge any management assertion that transactions with related parties are on an arm's length basis.
4: Revising materiality if circumstances change and at finalisation
The clarity standards separate the consideration of materiality in planning and performing the audit (ISA 320) and in the evaluation of misstatements (ISA 450). Both standards require auditors to reconsider their determination of materiality if they become aware of information that would have changed that determination had they known it at the planning stage. So if your materiality is based on a financial benchmark which changes during the audit, it is crucial to document your consideration of the impact of that change on the determination of materiality.
5: Wider use of confirmations
The updated standards encourage auditors to obtain evidence from independent third parties. In particular, they suggest the wider use of positive confirmations and extended use of direct confirmations by seeking to confirm more detailed information, such as contractual terms, in areas where confirmations are more routinely applied. ISA 505 on external confirmations has been significantly revised and conforming changes have been made to ISAs 240, 330 and 500 to include considerations as to whether external confirmations are to be performed as substantive procedures. In future, auditors may be challenged on whether they have obtained sufficient appropriate audit evidence if they have relied on a weaker form of evidence on a matter that could have been the subject of direct confirmation.
6: Specific procedures required for estimates and fair values
The scope of ISA 540 has been extended to cover fair values, and the old ISA 545 on the subject has been withdrawn. It is not surprising that this standard has been significantly tightened given the ongoing debate about the use of fair values in accounting frameworks. In particular, the standard is more prescriptive of the procedures expected when auditors consider management estimates.
7: Gaining more evidence when an error discovered by sampling is considered an anomaly
The ISAs provide a foundation for risk-based auditing. The auditors plan their procedures based on a risk assessment, which is in turn built on an understanding of the entity and its environment, including internal controls. ISA 530 on audit sampling has been revised to emphasise that it will be extremely rare for any deviation or misstatement identified in a sample to be considered an anomaly and not representative of the whole population.
If auditors wish to make a decision that an anomaly exists, they are required to obtain sufficient appropriate evidence to support their position. This concept is important because the existence of anomalies suggests a weakness in both the auditor's understanding of the entity and the resulting risk assessment.
8: Communicating deficiencies in internal controls, including missing controls ISA 265 is a new standard that governs the communication of deficiencies in internal control to those charged with governance and management.
The standard emphasises the importance of the communication of such matters. It explicitly defines a deficiency in internal control as including the absence of necessary controls.
It is important that auditors' risk assessments include consideration of the types of control they would expect to find at an audited entity given its size, its nature and its complexity. If such controls are missing, their absence should be communicated to the appropriate level of management or to those charged with governance even if they do not directly impact on the planned audit procedures.
9: Communication of significant difficulties encountered during the audit to those charged with governance
The theme of the revised ISA 260 is to emphasise the importance of effective two-way communication between the auditor and those who are charged with the governance of the audited entity.
The revised standard provides more guidance on what matters are likely to be of governance interest. In particular, it requires that any significant difficulties encountered during the audit - for example, the unavailability of expected information - be communicated. It also requires the auditor to evaluate whether the two-way communication between the auditor and those charged with governance is adequate for the purposes of the audit. Auditors will need to consider their ability to accept reappointment if they conclude that the level of two-way communication is inadequate for their purposes.
10: Going concern considerations
One by-product of the clarification process is the elevation to requirements of matters that were previously included in guidance.
ISA 570 is an example of a standard that has not been revised but where the redrafting has given rise to a significant number of elevations. In particular, elevations include the requirement for specific procedures when events or conditions have been identified that may cast doubt on the ability of the entity to continue as a going concern (ISA 570.16). These include evaluating management's plans for future actions and considering whether those plans are feasible.
11: Format of auditor's report
ISAs 700, 705 and 706 deal with reporting matters. Although the final formats of reports are likely to be specific to different jurisdictions, it is probable that the changes will affect the audit report in some way. In particular, auditors should take care over the form of their report where they are considering a modification or inclusion of an emphasis of matter paragraph in their report. These areas are covered in ISA 705, Modifications to the Opinion in the Independent Auditor's Report, and ISA 706, Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor's Report.
12: The audit of groups including working with component auditors
One of the most complex changes is for auditors performing the audits of group financial statements. The new ISA 600 is likely to have the biggest impact on their day-to-day work. It is the first time that a comprehensive international standard has been issued in this area.
Although the standard seeks to crystallise commonly used best practices, the following areas are likely to require additional thought and documentation:
- considering whether an engagement is a group audit within the scope of the standard;
- scoping the group audit, including determining significant components in the group;
- obtaining an understanding of, and completing procedures on, group-wide controls and the consolidation process;
- determining materiality and performance materiality for the group and components; and
- obtaining an understanding of component auditors and being involved in their work.
Where an entity uses third-party service organisations or where auditors use their own experts, the changes should also be evaulated in the revised ISAs 402 and 620 respectively.
It is important to remember that the changes to the ISAs are, in part, responses to issues arising from past corporate failures. The purpose of the changes is to stimulate better auditing and not to encourage more extensive checklists. With this in mind, auditors should use the clarity standards to improve the quality of their audits by challenging what they have done in the past. Improvements in audit quality can be achieved by thinking how these changes will impact on what is done, when it is done and how it is communicated to the client.
What the new ISAs are not about is more box-ticking.
Robert Stenhouse FCCA is director of national accounting and audit at Deloitte in the UK, and specialises in auditing technical matters. He is an ACCA Council member and vice chairman of ACCA's Auditing Technical Committee