Two of the most important ISAs in any audit are ISA 315 on risk assessment and ISA 540 on the audit of estimates. Exposure Draft (ED) ISA 315 on risk assessment was approved at the September IAASB meeting, as was the final version of ISA 540 on estimates.
In this blog, Katharine Bagshaw FCA takes an in-depth look at ISA 315. Look out for her exploration of ISA 540 in a later blog.
You can learn more about both issues in Katharine’s recent Croner-i eCPD® webinars.
ISA 315: Risk Assessment
Risk assessment and work on controls have been causing trouble for auditors and audit regulators for a long time. ACCA, ICAEW, FRC and other audit regulators all over the world complain that auditors assess risks appropriately but don’t address them, assess risks but don’t document them, and sometimes simply don’t see the risks staring them in the face, because they don’t make the right connections. But what they rarely say is that auditors missed the risk altogether. And they often concede that auditors arrive at the right conclusions anyway.
Simply getting to the right answer isn’t enough, unfortunately.
The proposals on the table seem unlikely to banish these complaints forever, but there are some interesting long-term trends in work on controls which might reduce the significance of that particular problem over time – more on that later.
If the risk assessment is right, there is some chance that the response and the conclusions will be right. Miss a significant risk, and it seems unlikely that any amount of work in other areas will compensate, except perhaps by stumbling over one by accident when looking for something else.
But is it really that straightforward?
Risk analysis – as the new proposals make clear – is an iterative process and the definition of a ‘significant’ risk is important: shift it slightly and the whole workload moves. Under the extant requirements, a significant risk is something requiring ‘special audit consideration’. It’s a circular definition, and not helpful because auditors may spend a lot of time and effort on routine low-risk issues, but less overall on the truly significant issues – despite the fact that they require more judgement and more partner-level involvement.
The new definition of a ‘significant’ risk is one toward the upper end of a ‘spectrum’ of likelihood and magnitude. Which sounds quite sensible, but really only codifies existing best practice, and still leaves auditors a bit mystified about where to draw the line in the very wide grey area in the middle of the spectrum. The proposals aren’t crystal clear either about whether something that isn’t very likely, but potentially has big impact, qualifies as significant. The Explanatory Memorandum just says they haven’t been excluded.
ISA 315 was last revised back in 2003. Among the other significant proposed changes is the introduction of five ‘inherent risk factors’: ‘subjectivity’, ‘complexity’, ‘change’, ‘uncertainty’ and ‘susceptibility to misstatement as a result of fraud or error’. Some of these correspond to those in ISA 540, and there will be more references to them as other ISAs are revised.
ISA 315 and controls on IT
The current revision also has a lot more on IT, some of it a challenging read. But it does respond to concerns among audit regulators about auditors of larger entities doing too little work on IT general controls, despite relying heavily on the operation of those controls. It also addresses the problem of auditors ignoring controls altogether in smaller audits, despite performing all of the substantive work on reports whose integrity – in the absence of controls testing – can only be evidenced by a great deal more substantive work than is actually performed.
No one wants auditors of SMEs to worry about the adequacy of deeply-embedded controls that can’t be changed in widely-used and reputable accounting packages. The proposals try to accommodate that while recognising that packages still need some controls around them, to make sure that management is at least aware of the changes that are in fact made to them, and that they are appropriate.
While the Explanatory Memorandum does have a helpful table covering scalability points such as these, readers could be forgiven for missing some points at first glance.
Controls around IT are just part of a much bigger issue about controls ‘relevant to the audit’. These are the controls auditors need to do some ‘design and implementation’ work on regardless of whether they intend to test them. The proposals are much clearer than the extant standard about what these controls are, and what needs to be done with them, but what they don’t address are more fundamental objections to having to do any work on controls at all when a fully substantive approach is taken.
The firms’ response
Attempts to explain the rationale for this over the years have had limited success. In one corner, there are smaller firms, and sometimes auditors in larger firms conducting smaller audits, complaining that the required work in this area is largely wasted and that they don’t believe it is necessary to the risk assessment.
In the other are standard-setters, regulators, and staff working on methodologies, all of whom are equally adamant that this work is needed. This issue is one among many that have given rise to a new IAASB project on the audit of less complex entities.
Interestingly, in this context, there seems to be a trend away from controls testing, towards more extensive tests of detail. In some smaller firms this seems to be because it’s just easier. Regulators can be picky about work on controls and sometimes they’re simply best avoided.
In larger firms, there are important questions about the extent to which the use of data analytics – currently focussed on the risk assessment – can be used to provide substantive audit evidence. Firms’ investment in these tools is substantial and the way in which auditing standards keep up with this remains to be seen, but there may well be some surprise expressed at the fact that while the proposals do refer to these tools and techniques, they only really do so in passing.
What seems likely to take readers aback most about these proposals is their sheer length and complexity. Navigating them without the flowcharts provided might be quite a challenge and the prospect of reading, understanding and translating these proposals into a workable methodology for a smaller audit will be daunting for some.
The proposals and all of the responses are now available on the IAASB website. Responses seem unlikely to pull any punches and it remains to be seen whether IAASB can achieve its objective of finalisation in June next year. One can only wish IAASB well in that task.
Katharine Bagshaw FCA has dealt with technical audit issues for nearly 25 years as a practitioner, trainer and writer. She is a regular contributor to Croner-i eCPD®, a former deputy chair of IFAC’s Small and Medium Practices (SMP) Committee, and was a member of IAASB’s Task Force that developed ED-ISA 315.