This article tries to illustrate how a risk-based approach can be adopted for an audit performed under clarified ISAs and what impact some of the new requirements introduced can have on current audit practice.
The Clarified International Standards on Auditing (ISAs) issued by the International Auditing and Assurance Standards Board are effective for audits of accounting periods starting on or after 15 December 2009 (for the UK, periods ending on or after 15 December 2010). For many auditors the performance of their first engagements under the new ISAs is therefore imminent and that would be supported by relevant training and changes to the audit methodology adopted.
Although the implementation of the clarified ISAs may cause some concern for practitioners, in view of the increased length of the new standards compared to the current ones, the introduction of two new standards (ISA 265 on communication of deficiencies in internal control and ISA 450 on the evaluation of misstatements), the revision of 12 other ISAs and the elevation to requirements of guidance material in the current standards, the actual impact of the new standards on current audit practice is not as extensive as the changes brought about by the adoption of the current ISAs.
In fact the clarified ISAs confirm that the main focus of the performance of an audit engagement should be the adoption of a risk-based approach that requires the auditor to exercise professional judgment and maintain professional scepticism throughout the audit. For that purpose now each standard identifies specific objectives, requirements and separate application and explanatory material that guide the auditor in identifying and assessing risks of material misstatement, in obtaining sufficient appropriate audit evidence by designing appropriate responses to the assessed risks and in forming an opinion on the basis of the evidence obtained.
A case in point is ISA 550 on related parties that has been modified to turn from a mainly procedural standard to a risk based one that requires particular application of professional scepticism in identifying and assessing risk associated with related parties and that requires appropriate procedures to be performed if risk factors have been identified.
Planning is paramount in the performance of a risk-based audit and the most relevant ISAs for such purpose, namely:
ISA 300 ‘Planning an Audit of Financial Statements’,
ISA 315 ‘Identifying and assessing the risks of material misstatement through understanding the entity and the environment’, and
ISA 330 ‘The auditor’s responses to assessed risks’,
have not been materially changed so that an auditor already adopting an effective approach under the current ISAs should not be required to make relevant changes to his methodology and practice.
ISA 315 in particular requires the auditor to identify risks throughout the process of obtaining an understanding of the entity and its environment and to assess the potential impact of such risks on the accounts as a whole and on specific assertions.
It is important to point out that the risk identification process should start from developing knowledge of the nature, characteristics and dynamics of the entity and of the environment in which it operates and then move to the assessment of the potential effect in terms of misstatement that such risks could have on the financial statements, rather than following the contrary route of starting to assess risk by reading the financial statements, which could result in missing relevant and pervasive risks relating to industry or entity specific circumstances.
To achieve the objective above the auditor should obtain, among other things, an understanding of the following:
a) The factors at play in the industry sector in which the entity operates, like market size, level of competition, supplier and customer relationships;
b) Regulatory factors such as significant laws and regulations, which could be general or industry specific, like environmental requirements specific to an industry, general employment legislation, health and safety regulations and the applicable financial reporting framework;
c) Relevant external factors affecting the entity like the general economic conditions, interest rates and the availability of finance;
d) The nature and history of the entity, including its operations, revenue sources, products, services, markets served, key personnel, locations, ownership structure, business investments underway or planned, key customers, key suppliers and its financing structure;
e) The selection, application and appropriateness of the accounting policies used by the entity and reasons for any changes;
f) Objectives and strategies of the entity and related business risks; and
g) Review of the entity’s financial performance.
Another important element of the entity that the auditor needs to obtain an understanding of, in order to identify possible sources of risk, is internal control, or the system of controls put in place by the entity to ensure reliability of financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations. Internal control is classified by ISA 315 into five components:
a) The control environment;
b) The entity’s risk assessment process;
c) The information system, including business processes, relevant to financial reporting;
d) Control activities relevant to the audit, and
e) Monitoring of controls.
Although all components of internal control can be relevant to the audit; the control environment, intended as the culture created and fostered by management in respect of integrity, ethics, attitude towards control, commitment to employee competence, communication of values, risk management, assignment of authority and responsibility, can be seen as the foundation that determines the strength of other components of internal control.
The nature of the control environment is pervasive to the whole entity and it affects positively or negatively the effectiveness of other controls that are applied to the entity’s transactions. In fact, deficiencies in the control environment undermine other controls, even if properly designed, as override can happen more easily, while a positive control environment is conducive to a stronger internal control.
It is therefore important to obtain an understanding of the control environment in most or all engagements, especially in respect of smaller entities where controls tend to be informal`, (by conducting inquiries of management and employees and inspecting documents like statement of internal policies to observe their application).
As the requirements of ISA 315 are virtually unchanged, most auditors will be familiar with the procedures and documentation necessary for risk assessment and identification and will be able to evaluate the potential impact of the identified risks on the financial statements and to design procedures that would reduce such risks as required by ISA 330.
Risks and responses will be embodied in a consistent audit strategy and a detailed audit plan that will be duly documented. Auditors that are not familiar with the above process should be reminded of the importance of planning and of its direction that should go from the consideration of the entity, its internal control and its environment to the accounts.
An auditor that starts his planning from the financial statements may easily end up on the wrong track.
Let us consider one that looks at the accounts of an entity that is reporting profits in the face of unfavourable economic conditions and therefore focuses on auditing sales and expenses. Without considering sufficiently wider circumstances the auditor may for example be missing the potential impact that the economic conditions, a possible deterioration of trading terms within the entity’s industry and the availability of finance at general and entity’s level can have at the financial statements level, in terms of the going concern assumption, and at assertions level, for instance in respect of the recoverability of debtors, the accuracy of income recognition in terms of cut off and manipulation of accounting policies, the pressure on management to report results that are not in breach loan covenants.
Some clarified ISAs changes relevant to planning have been introduced in a number of revised and new ISAs.
ISA 320 on materiality has in fact introduced the requirement to determine ‘performance materiality’ at a level below that determined for the financial statements as a whole. Although the concept of performance materiality was not expressly formulated in the previous ISAs, it was widely adopted in practice by the use of such benchmarks as working materiality and tolerable error.
ISA 320 formally defines it as ‘the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole’ and the concept would also apply to the materiality level set for particular classes of transactions, account balances or disclosures.
Hence performance materiality will be a figure which is less than the overall materiality of the job and will take in to consideration the general risk associated with the client and also the specific risks, for example by taking into account past uncorrected errors and the probability that undetected errors exist. There is no guidance as to how lower performance materiality should be compared to overall materiality as that would be a matter of judgement for the auditor based on assessed risks.
ISA 402 on the entity’s use of service organisations recognises the increased use of such organisations and the increasing complexity of the ensuing relationships. The revised standard aligns its requirements with the risk assessment standards especially in terms of obtaining an understanding of internal control and the assessment of identified risks.
Many entities outsource to agencies services that are part of their information system, such as payroll, maintenance of accounting records, credit control and management of assets. As such it would be necessary for the auditor to obtain an understanding of the way services organisations are used, the processes affected, the materiality of the areas outsourced, the entity’s and the agency’s controls in place over transactions processed externally and the contractual terms involved and to assess the impact of such services on internal control, the potential risks for the financial statements and the impact on the audit approach.
Other changes relevant to planning are included in the revised ISA 540 on auditing accounting estimates and in ISA 550 on related parties and are highlighted below.
As mentioned above the clarified ISA 550 ‘Related Parties’ has been modified to place emphasis on the performance of procedures that help identifying and assessing the risk of misstatement of the financial statements arising from related party relations and transactions, and on producing appropriate responses to such risk.
In general related party relationships and transactions may present a higher risk of misstatement as they are difficult to identify especially as management may not understand the relevant related parties reporting requirements, or the entity’s information systems may not identify and record related party relationships and transactions or because management may use related parties for manipulation or concealment purposes.
The revised ISA suggests procedures to support the auditor’s task of identifying related parties that have not been disclosed or identified by the entity’s management.
The main requirements, most of which are new, of ISA 550 in terms of assessment and identification of risk procedures include:
The main responses mandated by ISA 550 to the risks arising from related party relationships and transactions include the following:
Performing specified procedures if the auditor identifies related parties or transactions that management has not previously identified or disclosed to the auditor, such as:
a) Communicate promptly the information to the other members of the team,
b) Request management to identify all transactions with the newly identified related parties,
c) Perform substantive procedures on the parties and transactions just identified,
d) Reconsider the risk that other unidentified or undisclosed related parties may exist, and if non-disclosure was intentional, evaluate the implications for the audit especially in terms of fraud.
Performing procedures for identified related party transactions outside the entity’s normal course of business:
a) Inspect the underlying contracts or agreements, if any, to evaluate whether the business rationale, or rather lack of it, suggests that they may disguise fraudulent accounting or misappropriation of assets and the transactions have been appropriately accounted for and disclosed in accordance with relevant standards and legislation
b) Obtain evidence that the transactions have been appropriately authorised and approved.
ISA 540 on the auditing of accounting estimates, including fair value, and related disclosures, acknowledges that financial statements contain more estimated amounts than was envisaged when the ISAs were originally issued. The revised ISA 540 therefore aims at improving the rigor of the auditing of estimates and conforms the approach to the audit of estimates to the risk-based approach applicable under the risk assessment and fraud standards.
ISA 540 requires the application of greater rigor and scepticism into the audit of accounting estimates, including the auditor’s consideration of possible management bias. In addition it provides standards and guidance on the auditor’s determination and documentation of misstatements and indicators of possible management bias relating to individual estimates.
New specific requirements relevant at planning stage include:
Other new requirements relevant at performance stage include:
ISA 580 includes amongst its objectives the requirement to obtain written representations. Where it was previously sufficient for management to acknowledge their responsibilities the auditor will now have to obtain representations that management have fulfilled their responsibility for the preparation of the accounts and for the completeness of information provided to the auditor. This is contained in ISA 580.6.
The redrafting of ISA 580 also makes it very clear that written representation support audit evidence and that they do not in isolation provide sufficient audit evidence. The ISA states the representation is:
It is clear that written representations by management is required for all audits, if it is not forthcoming what action should the auditor take?
If management fails to provide written representations the auditor is required to:
If there is sufficient doubt surrounding the representation acknowledging management responsibility for the preparation of the accounts, the information provided on the completeness of the representations by management or the reliability of the information then the auditor will need to disclaim their opinion.
ISA 600 on group audits codifies more specific procedures to achieve consistency where a group auditor takes sole responsibility and other auditors perform the audit of components. Effectively the group auditor is required to get more involved in the work of component auditors.
In particular the group auditor is required to obtain an understanding of component auditors, including their professional competence and whether they understand, and will comply with, the ethical requirements that are relevant to the group audit.
Auditing under Clarified ISAs will not require a revolution in current practice and methodology as the standards have been streamlined to adhere to the risk-based approach to auditing introduced by the original ISAs and have been improved by clearly identifying overall objectives, requirements and guidance.
As stressed above, planning remains paramount to the performance of an effective audit, especially in terms of identifying risk from appropriate knowledge of the entity and its environment and of designing procedures to reduce it. The new requirements that are likely to have the wider impact on current audit practice are those relating to ISA 550 on related parties and those included in ISA 540 on accounting estimates.