SAICA recently hosted representatives from the International Auditing and Assurance Standards Board (IAASB) where the complexities and challenges relating to extant ISA 315 (Revised) were heard ‘straight from the horse’s mouth’ in the context of the IAASB’s current standard-setting projects
The IAASB is an international standard-setting body tasked with issuing standards that promote high-quality auditing, assurance and other related-service engagements that are performed consistently throughout the world, and in the public interest. Subsequent to the issue of the clarified International Standards on Auditing (ISAs) in 2009, the IAASB commenced with a comprehensive post-implementation review project aimed at assessing whether the clarified ISAs were being understood and implemented in the way that the IAASB intended.
THE CURRENT COMPLEXITIES
The results of the post-implementation review of the clarified ISAs identified ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, as one of the standards with the biggest challenges and in-practice issues.
The issues that were raised included the following:
- Clarify the purpose of obtaining an understanding of the entity and its environment, including the entity’s internal controls:
- Why does the auditor have to obtain an understanding of the entity’s internal controls in those instances where a substantive approach is going to be followed with no reliance being placed on the internal controls? It is necessary to clarify that the auditor’s understanding of internal control relates more broadly to the identification and assessment of risks of material misstatement, even where controls will not be tested.
- What is the extent of the understanding required?
- In the existing standard, there are five components of internal control. What is the auditor required to do for each of the five components? These components are all different and the work effort required in relation to each component is unique.
- ISA 315 (Revised) requires the auditor to obtain an understanding of the internal controls relevant to the audit.1 What does ‘relevant to the audit’ actually mean?
- ISA 315 (Revised) indicates that with respect to some risks, the auditor may judge that it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures.2 In the current technological environment in which businesses operate (taking cognisance of the evolution of information technology), the performance of substantive procedures in obtaining audit evidence may no longer be practical, possible or effective. When this situation arises and the auditor is required to obtain an understanding of the internal controls that have been implemented in response to risks relating to inaccurate or incomplete recording of routine and significant classes of transactions or account balances,3 what is required at the risk assessment stage and how does this translate into the work that is subsequently performed in terms of testing the operating effectiveness of the controls and the total mix of evidence required to reduce audit risk to an acceptable low level at the assertion level for the classes of transactions and account balances concerned?
ADDRESSING THE COMPLEXITIES
The IAASB has recognised the importance of the auditor’s understanding of the entity and its environment, including the entity’s internal controls because of the role that this understanding plays in relation to the identification and assessment of risks of material misstatement. To this end, each audit will have a varying amount of internal controls that will ultimately impact on the auditor’s response to the assessed risk, as required by ISA 330.
In relation to small and medium practices (SMPs) where the client base consists of smaller entities; or, more generally in performing audits of smaller entities, the internal control environment may be less prevalent and sophisticated. It has been acknowledged that even in these circumstances the auditor is still required to have a basic understanding of the entity’s internal control relevant to the audit. The IAASB is still deliberating what is meant by a basic understanding; what is the extent of the work that needs to be performed; and what is the auditor required to include on the audit file to demonstrate that this understanding has been appropriately obtained.
Other areas that the IAASB is considering in revising the extant ISA 315 (Revised) include the following:
- The IAASB is looking at modernising the standard for developments in information technology (IT). The environment in which audits are conducted has evolved and, although the current standard can still be used; there are areas where it is not helpful or useful. The IAASB is therefore thinking through how they can incorporate technology into the standard or show how technology is actually being used. This is no easy task because of the rapid pace at which technology changes. The IAASB is trying to draft standards that are as future proof as possible, by keeping them principles-based so that the standards can still be applied in different circumstances, and be scalable.
- With the advancements made in the IT arena, IT controls – including general controls – have become more important in the auditing environment of today and the current standard is seen to be ‘light’ on some of these IT-related matters. Initial discussions have commenced, which include the relationship between IT general controls and application controls. This is a difficult area because of the complexity of IT systems, including the use of terminology that not all auditors may be familiar with. The aim here is to keep the standard at a level that auditors will understand, while still addressing the relevant matters relating to IT.
- ISA 315 (Revised) needs to be enhanced in the area of data analytics. The IAASB needs to think about how auditors use data analytics and ensure that the standards are enabling the auditor to appropriately incorporate the use of data analytics into the auditing process.
- The ISAs need to be scalable in that they can be applied to small or large audits (or to simpler or more complex audits). The scalability of the standards is not specific to SMPs. However, as these standards get more complex, it becomes more difficult to use these effectively in the audits of smaller entities. The IAASB is therefore considering how the concept of scalability can be incorporated into the revised standard. Here, the IAASB is using the term ‘think simple first’ and then scale up to allow for higher order application as the environment becomes more complex. It would be important to incorporate this concept into ISA 315 (Revised) since this is the standard that ultimately drives the auditor’s work effort.
- The IAASB is revisiting the continued relevance of the components of ‘risks of material misstatement’, namely inherent risks and control risks, and how the auditor’s understanding and application of these concepts could be enhanced through the requirements and application material in ISA 315 (Revised). Furthermore, they are considering the appropriate use of the concept of significant risk; including the approach to the identification of significant risks and the sufficiency of identifying and responding to risks other than significant risks. The IAASB is deliberating the notion of a ‘spectrum of risk’ as opposed to a primarily distinguishing only between significant risks and risks that are not significant.
- The documentation requirements contained in ISA 315 (Revised) need to be expanded on. There are instances where audit work may have been performed, in that the auditor may have considered the matter but this is not demonstrated or documented on the audit file. If key or significant matters are not documented, it tends to give rise to issues with regulatory bodies when inspections are performed. The audit file therefore needs to be very clearly documented and the documentation requirements contained in ISA 315 (Revised) need to be expanded on to cater for this.
- There are areas where definitions, language and structure are inconsistent. The intention of the IAASB may be that, although certain terms are defined differently, some terms do carry the same meaning but the market sometimes sees these as having different meanings. Therefore, there is a need to ensure that all definitions, terms and language are consistent and clear.
- With all of the projects that are currently under way, there is a conscious consideration of professional scepticism. It is not sufficient for the standard to merely require that the auditor be sceptical – it also has to address what this actually means. The standard therefore needs to be expanded on, to include specific requirements that will ultimately drive behaviour that is characterised by professional scepticism, that is, a sceptical mindset. The IAASB needs to identify the areas where professional scepticism plays a role and build on this in the standard.
The underlying principle of a risk-based audit upon which the ISAs is based focuses on the identification and assessment of the risks of material misstatement of the financial statements and designing and performing further auditing procedures in response to the assessed risks. ISA 315 (Revised) is foundational to the audit in that it drives the work effort of the auditor; yet it seems that there is either a link missing or an unclear link between obtaining an understanding of the entity and its environment, including internal controls, the identification and assessment of the risks of material misstatement and the further audit procedures that are ultimately performed.
The IAASB has recognised the important function that ISA 315 (Revised) fulfils as a foundational standard, including the ensuring that a clear link is made between ISA 315 (Revised) and the other standards and that the principle-based requirements contained throughout the ISAs are consistent as the revised standards are drafted as part of the IAASB’s current projects.
1 ISA 315 (Revised), 12.
2 ISA 315 (Revised), 30.
3 ISA 315 (Revised), 30.