Relevant to ACCA Qualification Papers F8 and P7
To enhance the application of auditing standards in exam questions, candidates must familiarise themselves with the clarity auditing standards. The International Auditing and Assurance Standards Board (IAASB) has completed its comprehensive project to enhance the clarity of all of its International Standards on Auditing (ISAs) in 2009 for improving understandability of auditing standards, and all the new clarity auditing standards are now examinable.
The full set of clarity auditing standards features 39 documents, which include:
- a new International Standard on Auditing on communicating deficiencies in internal control – ISA 265 (Clarified), Communicating Deficiencies in Internal Control to those Charged with Governance and Management
- 35 clarity ISAs
- a clarified international standard on quality control – ISQC 1, Quality Controls for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements
- a revised glossary of terms
- a revised preface to the International Standards on Quality Control, Auditing, Review, Other Assurance and Related Services.
ISA 265 (Clarified), Communicating Deficiencies in Internal Control to those Charged with Governance and Management
Among the clarified auditing standards, ISA 265 (Clarified) is a completely new standard.
It deals with the auditor’s responsibility to communicate appropriately to those charged with governance and management deficiencies in internal control that the auditor has identified in an audit of financial statements.
When auditors plan for an audit, they are required to perform risk assessment through understanding internal controls, and also test for the appropriateness of design of internal controls and whether they are implemented. When control reliance strategy is adopted, auditors are required to perform tests of controls to gather audit evidence on the operating effectiveness of controls.
During both processes, auditors might identify deficiencies in internal controls. In accordance with ISA 265 (Clarified), ‘deficiency’ exists when ‘a control is designed, implemented or operated in such a way that it is unable to prevent, or detect and correct, misstatements in financial statements on a timely basis; or a control necessary to prevent, or detect and correct misstatements in the financial statements on a timely basis is missing’. It is equivalent to a deviation from an internal control.
It is common in practice and in exam questions to identify and explain deficiencies in internal control systems. An example is Question 3(b) of Paper F8 in the June 2010 exam session. Candidates were required to identify and explain deficiencies in the cash cycle of a window cleaning company, suggest controls to address each of these deficiencies, and list tests of controls the auditor would perform to assess if the controls were operating effectively.
If the deficiency is significant, it is known as ‘significant deficiency’. It is ‘a deficiency or combination of deficiencies in internal control that, in the auditor’s professional judgment, is of sufficient importance to merit the attention of those charged with governance’. It depends not only on whether a misstatement has actually occurred, but also on the likelihood that a misstatement could occur and the potential magnitude of the misstatement. Significant deficiencies may therefore exist even though the auditor has not identified misstatements during the audit.
Consideration points should include:
- the likelihood of the deficiencies leading to material misstatements in the financial statements in the future
- the susceptibility to loss or fraud of the related asset or liability
- the subjectivity and complexity of determining estimated amounts, such as fair value accounting estimates
- the financial statement amounts exposed to the deficiencies
- the volume of activity that has occurred or could occur in the account balance or class of transactions exposed to the deficiency or deficiencies
- the importance of the controls to the financial reporting process
- the cause and frequency of the exceptions detected as a result of the deficiencies in the controls
- the interaction of the deficiency with other deficiencies in internal control.
When you found the following indicators in real practice or exam questions, this would indicate significant deficiencies. These include:
- evidence of ineffective aspects of the control environment , such as management fraud not mitigated by internal controls, not sufficient oversight of significant management interests by those charged with governance, and no implementation of remedial actions against significant deficiencies communicated
- absence or inefficiency of a risk assessment process
- evidence of ineffective responses to identified significant risks
- misstatements detected by the auditor’s procedures, which were not prevented, detected and corrected by the internal controls
- restatement of previously issued financial statements to reflect the correction of a material misstatement due to error or fraud
- evidence of management’s inability to oversee the preparation of the financial statements.
In response to significant deficiencies in internal control identified during the audit, the auditor will communicate in writing the significant deficiencies to those charged with governance on a timely basis. For the communication, this would include a description of the deficiencies, an explanation of their potential effects, and sufficient information to enable those charged with governance and management to understand the context of the communication.
In terms of the sufficiency of the details of communication, the consideration factors include:
- the nature of the entity – more details for public interest entities than non-public interest entities
- the size and complexity of the entity – more details for larger and more complex entities
- the nature of significant deficiencies that the auditor has identified – more details for those involving integrity of management and fraud
- the entity’s governance composition – more details for inexperienced governance members
- legal or regulatory requirements regarding the communication of specific types of deficiency in internal control
Evaluation of misstatements
As well as deficiencies in internal controls, misstatements may also be detected during an audit. ISA 450 (Clarified), Evaluation of Misstatements Identified During the Audit is actually a new separate standard as well. This highlights the importance of focusing on the deficiencies/misstatements during the audit, which is a common consideration for a risk-based approach.
ISA 450 (Clarified) deals with the auditor’s responsibility to evaluate the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements. ‘Misstatement’ is defined as ‘a difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. Misstatement can arise from error or fraud.’ This also relates to those that require adjustments for issuing a true and fair view on the financial statements.
For these kind of identified misstatements, the auditor should determine whether the nature and the circumstances of their occurrence indicate the existence of other misstatements, which could be material individually or in aggregate. These misstatements should be communicated to the appropriate level of management on a timely basis.
The auditor should also consider whether there is a need to revise the audit strategy and audit plan – especially when those areas are confirmed to have appropriate design, implementation and effective operation of controls, now there are identified misstatements. Does the initial conclusion need to be reconsidered? This would definitely affect the risk assessment, audit strategy and audit plan.
‘Uncorrected misstatements’ are the ‘misstatements that the auditor has accumulated during the audit that have not been corrected’. Before evaluating the effect of the uncorrected misstatements, the auditor should confirm whether the materiality still remains appropriate. Afterwards, the auditor will determine the uncorrected misstatements are material individually or in aggregate. The auditor will consider:
- the size and nature of the misstatements, and the particular circumstances of the occurrence
- the effect of uncorrected misstatements related to the prior periods.
The auditor will communicate the uncorrected misstatements and their implication on the auditor’s report to those charged with governance. The auditor will also request a written representation (including a summary of uncorrected misstatements) from management and – where appropriate – those charged with governance as to whether they believe the effects of uncorrected misstatements are immaterial, individually and in aggregate to the financial statements as a whole.
To summarise, candidates need to update their auditing knowledge, understand them and apply them in the exam questions.
As stated by the Paper P7 examiner: ‘A significant proportion of candidates continue to produce answers that are simply too vague or too brief, do not actually answer the question requirements, and display inadequate technical knowledge of the clarified ISAs. These candidates are encouraged to improve their exam technique, as well as knowledge of the syllabus, by practising as many past exam questions as possible, using up-to-date study materials, and by taking on board the comments made in examiner’s articles and reports.’