Comments from ACCA to the International Auditing and Assurance Standards Board (IAASB), November 2010. Proposed International Standards on Auditing issued for comment by the International Auditing and Assurance Standards Board of the International Federation of Accountants.
ACCA welcomes the opportunity to comment on the proposed International Standards on Auditing 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment and 610 (Revised)Using the Work of Internal Auditors issued by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants.
The revisions stem from a perceived need to update ISA 610 for developments in internal auditing and external auditing practice since 1994. We agree that updating is appropriate. We also agree that the scope of the revision should now include the case where internal auditors provide direct assistance to the external auditor.
We are particularly pleased that the proposed revision has been done in a way that does not add unnecessary costs to audits where the audited entity does not have an internal audit function, or where the auditor chooses not to place reliance on an internal audit function.
Our remaining comments are presented as answers to the specific questions asked in the explanatory memorandum forming part of the exposure draft.
Matters on which specific questions are asked
In this section of our response we answer the questions posed in the explanatory memorandum forming part of the exposure draft.
Question 1
Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315?
For the reasons set out below, we do not agree that this should be a requirement. Instead, it would be preferable to use the application material to achieve an appropriate emphasis on those other than management of whom enquiries ought to be made.
Paragraph 6 of proposed ISA 315 contains the following bullet point:
6. The risk assessment procedures shall include the following:
a. Inquiries of management, of appropriate individuals within the internal audit function (if the function exists), and of others within the entity who in the auditor's judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or error.
The construction of the paragraph is intended to give recognition to the position that management and appropriate individuals within the internal audit function will always be classed as 'may have information that is likely to assist in identifying risks of material misstatement due to fraud or error'. This is contrasted with others within the entity, as inquiries of such individuals are only required as a matter of auditor judgement.
The question of who is an 'appropriate individual' within the internal audit function is answered in the application material - the answer depends on their 'knowledge, experience and authority', not on any propensity to posses information 'that is likely to assist in identifying risks of material misstatement due to fraud or error.'
This placing of emphasis on the internal audit function has two detrimental effects. It mandates inquiries even where the auditor judges that those within the internal audit function will not 'have information that is likely to assist in identifying risks of material misstatement due to fraud or error.' This introduces inefficiency. More importantly, it de-emphasises inquiries of 'others', including those responsible for financial reporting, which may damage the quality of the audit, especially where a 'tick box' approach to demonstrating compliance with ISAs is prevalent.
We do not agree with the introduction of the term 'appropriate individuals [within the internal audit function]' into proposed ISA 315. It is an unnecessary complication that has rightly been avoided in the case of 'management' and 'others'. It would be better to refer to inquiries of the internal audit function (as is done in paragraph A6) and leave it at that. Proposed ISA 610 does not make use of the term 'appropriate individuals' and so its removal from proposed ISA 315 would also improve consistency between the two ISAs.
Question 2
Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining?
a. Whether the work of the internal audit function can be used for purposes of the audit engagement; and
b. The planned use of the work of the internal audit function?
ISA 315 and ISA 610 deal with three ways in which the internal audit function can increase the effectiveness or efficiency of the external auditor:
1. The auditor may be able to determine a lower assessment of risk (and reduce substantive testing as a consequence) (ISA 315)
2. The auditor uses of the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed (ISA 610)
3. Internal auditors provide direct assistance under the direction and supervision of the external auditor (ISA 610)
The factors proposed to be evaluated in connection with 2 and 3 above are dealt with in ISA 610 and we find them generally appropriate. The detailed application material is helpful in determining how, in practice, objectivity and competence may be assessed. We discuss the interaction between 'independence' and 'objectivity' in our answer to question 4 below.
Question 3
Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor?
The language used in the requirement in paragraph 18 of proposed ISA 610 is imprecise. A report 'relating to' the work of the function that the external auditor intends to use could be peripheral to such work, or could amount to a record to the nature, timing and extent of audit procedures performed and the findings thereof. As such it is left to the judgement of the auditor to determine whether any report falls into the category of 'relevant'. The requirement is too imprecise and should be removed.
Paragraph 19 of proposed ISA 610 contains the more concrete requirement and we see no need to also have a requirement as set out in paragraph 18. As paragraph 19 itself states, the auditor necessarily evaluates whether 'any reports prepared by the internal audit function are consistent with the results of the work performed'; thus, reading is implicit.
Paragraph A16 adds nothing to the requirement in paragraph 18 and can also be deleted. Reference to reports could be made instead at the end of the first bullet point in paragraph A18 as follows:
The procedures the external auditor may perform to appraise the quality of the work performed and the conclusions reached by the internal audit function include the following:
Question 4
Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to?
a. Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and
b. Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity
We support the extension of scope of proposed ISA 610 to include direct assistance of internal auditors to the external auditor.
We generally agree with the need to evaluate objectivity and competence and the other factors addressed in proposed ISA 610 as set out in parts (a) and (b) of question 2.
We are concerned, however, by the statement in paragraph 24 that 'The level of direction, supervision and review shall recognize that internal auditors are not independent of the entity.'
We do not think it sensible to introduce the complication of 'independence' when: 'The extent of direction, supervision or review of the audit procedures performed by the internal auditors is also dependent on the external auditor's evaluation of the degree of objectivity' (as set out in paragraph A28).
The related application material explains that independence is being judged against the required degree of independence for an external auditor. An external auditor's independence would be compromised by being an employee of the company, but the implication is that this defect can be safeguarded by appropriate direction, supervision or review if the individual is an internal auditor. This is clearly not the case; no amount of extra direction, supervision and review can repair such compromised independence.
Independence is more than a simple surrogate for objectivity and, if reference to it is retained, the application material ought to explain much more about it. Independence is a state of mind considered to be necessary to allow an individual to act with integrity and exercise objectivity and professional scepticism. (Paragraph 290.6 of the IESBA Code of Ethics for Professional Accountants). The exercise of professional scepticism is of particular relevance to auditing as paragraph 15 of ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing requires that 'The auditor shall plan and perform an audit with professional scepticism recognizing that circumstances may exist that cause the financial statements to be materially misstated.' Thus the auditor's direction, supervision and review of internal audit staff would have to recognise that the exercise of professional scepticism may be affected by the relative lack of independence.
Rather than suggest that ISA 610 needs to include greater coverage of the possible ramifications of the lack of independence of the internal audit staff we would prefer the reference to be dropped. Instead we suggest that the requirement and application material in paragraphs 24 and A28 (paragraph A27 is deleted) should be revised to:
24. The external auditor shall direct, supervise and review the work performed by internal auditors on the engagement in accordance with ISA 220. Such direction, supervision and review shall be more extensive than if members of the engagement team perform the work.
A28. The extent of direction, supervision or review of the audit procedures performed by the internal auditors is dependent on the external auditor's evaluation of the degree of objectivity and level of competence of, and the nature and extent of audit procedures to be performed by, the internal auditors. Reviewing the work performed by internal auditors includes consideration of whether professional scepticism has been exercised and the evidence obtained is sufficient and appropriate in the circumstances, and that it supports the conclusions reached.
In our answer to question 5 we suggest changes to the reference to independence in paragraph 6 of proposed ISA 315.
Question 5
Public interest concerns - Respondents are asked to address whether there are any public interest concerns that have not been addressed.
The explanatory memorandum forming part of the exposure draft refers to the concerns of some stakeholders about threats to the independence of the external audit team (in fact or perceived) when internal auditors provide direct assistance.
We suggest that it would be helpful for the resulting standards, or indeed a future revision of the IESBA Code of Ethics for Professional Accountants, to clarify how such threats may be safeguarded (in addition to the clear position that internal audit staff are not part of the engagement team).
As a minimum paragraph 6 of proposed ISA 315 could be expanded as follows:
6. External auditors may be able to use such work rather than perform that work themselves in obtaining sufficient appropriate audit evidence on which to base the auditor's opinion. Internal auditors may also provide direct assistance on the engagement by performing audit procedures under the direction and supervision of the external auditor. Neither the internal audit function nor the internal auditors are independent of the entity as is required of the external auditor in an audit of financial statements in accordance with ISA 200. Accordingly, the external auditor follows the relevant requirements of this ISA and ISA 610 in order to make use of the work of internal auditors without compromising external auditor independence.
Question 6
Special Considerations in the Audit of Smaller Entities - Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations.
We are pleased to note that the requirements relating to the internal audit function in proposed ISA 315 and the scope of ISA 610 are such that for most SMEs it will be a simple matter to judge that no requirements are relevant. Accordingly, there is little need to provide guidance addressing special considerations in the audit of smaller entities.
Nevertheless, paragraph 10 of proposed ISA 610 deals with the circumstances of individuals within an entity that perform ad hoc procedures similar to those performed by an internal audit function. The paragraph clarifies the meaning of 'internal audit function' in these circumstances, which may be more common in some SMEs. It would be helpful if paragraph A103a of proposed ISA 315 were also to refer to such arrangements. Alternatively, the definition of 'internal audit function' could be extended to make it clear that it did not include individuals performing ad hoc procedures.
Question 7
Special Considerations in the Audit of Public Sector Entities - have been dealt with appropriately in the proposed revised ISAs?
It is clear from the text (for example paragraph A102 of proposed ISA 315) that the revised ISAs are applicable in the audit of public sector entities and we do not feel the need to expand the text further to include any specific material dealing with special considerations in the audit of public sector entities.
Question 8
Developing Nations - any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment?
We have no specific concerns about the application of the revised ISAs in a developing nation environment.
Question 9
Translations - potential translation issues?
We identify no potential translation issues.
Question 10
Effective Date - appropriate?
The proposal is that the revision be effective for audits of financial statements for periods ending on or after December 15, 2013. We agree with the date suggested.
Question 11
Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB's proposals?
We find the impact analysis helpful.
Question 12
Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB?
In general we agree with the impact analysis as presented, acknowledging that the magnitude of an impact is difficult to judge as it is dependent on whether and if so, the extent to which the external auditor uses the work of internal auditors.
Question 13
Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents?
The tabular approach is generally understandable but we suggest that users will wish to compare claimed increases in audit effectiveness with expected changes in costs. The direction and magnitude of the impact column combines considerations of effectiveness, work effort, and other impacts and it is not easy, therefore, to see what the balance is between improved quality and increased costs. For example, a decrease in external auditor work effort is identified as a 'decrease' in the second column, which could be interpreted as a decrease in audit effectiveness.
Question 14
Would respondents find such an approach useful at the national level?
So long as an analysis is available at an international level, we see little point in a further analysis at a national level. While that might highlight aspects of particular relevance to a jurisdiction, (for example one where there were few large companies) the international analysis should contain sufficient detail to inform national stakeholders.