The Clarity ISAs – a quiet revolution in the world of auditing
The March 2006 Accountancy SA magazine published an interesting article entitled “Auditors under pressure as ISAs start to bite”. The article stated that auditors will take over 40% longer to carry out an audit. The good news however, is that in March 2009 the International Auditing and Assurance Standards Board (IAASB) has completed its ‘Clarity Project’, with the objective of making International Standards on Auditing (ISA) more precise, clear and understandable. The clarified ISAs have raised the audit quality bar for all auditors.
Background of the clarity project
On 31 October 2005 the IAASB announced that it intended to improve the clarity of its ISAs by:
- Setting an overall objective for each ISA;
- Clarifying the obligations imposed on the auditor by the requirements of the ISAs, and by using the word “shall” instead of the current “should” to emphasise the expectation that these requirements are applicable in virtually all engagements to which the ISA is relevant;
- Eliminating any ambiguity about the status of the existing ISAs by modifying the language of current present tense statements, either by elevating them to “shall” statements or by eliminating the present tense to make it clear that there is no intention to create a requirement; and
- Improving the overall readability and understandability of the ISAs through structural and drafting improvements.
IAASB’s announcement was accompanied by an Explanatory Memorandum, an Exposure Draft of its Preface to International Standards and Exposure Drafts of four ISAs redrafted in the new “clarified” format. The new “clarified” style makes the standards easier to understand, translate, and implement. These standards will also significantly advance the process of global convergence and enhance the quality and uniformity of practice in audits worldwide.
Results of the project
The project was completed in March 2009 and the clarified ISA’s are effective for audits of financial statements for periods beginning on or after December 15, 2009. The project resulted in sixteen (16) ISA’s and the International Standard on Quality Control 1 (ISQC1) being revised and redrafted, nineteen (19) ISA’s being redrafted and one new ISA being introduced. The redrafted ISAs should be treated carefully as they have in fact been amended slightly and therefore to assume they did not change may be misleading. In particular, some content from the extant ISAs that was not in bold text may in fact have been elevated to requirements in the redrafted ISA.
Significant changes in the clarified ISA’s
The following details the significant changes which have been made. This is not intended to be an exhaustive list of all the changes but provides a birds-eye view of the significant changes.
Every clarified ISA now includes an overall objective as one of the aims of the clarified ISAs is to further encourage thinking. This objective should be under consideration throughout the audit, but there are specific requirements to consider the individual circumstances both at the planning stage and the finalization stage.
The existing ISA 540 (Audit of accounting estimates) has four (4) bold text requirements whereas the clarified ISA 540 (Auditing accounting estimates, including fair value accounting estimates, and related disclosures) has sixteen (16). Like some of the other clarity ISAs the change is to make the audit approach more risk focused. Some of the new requirements indicate that it will be necessary for auditors to review the judgments and decisions made by management to identify whether there are indicators of possible management bias and for accounting estimates that give rise to significant risks, evaluate whether the assumptions are reasonable and how management has considered alternative assumptions or outcomes and why it has rejected them.
The scope of ISA 540 has been extended to cover fair values, and the old ISA 545 on this subject has been withdrawn. It is not surprising that this standard has been significantly tightened given the ongoing debate about the use of fair values in accounting frameworks.
In particular, the standard is more prescriptive of the procedures expected when auditors consider management estimates.
The revised related party standard, ISA 550, recognises that risks of misstatement are higher when related parties are involved. Some of the new requirements are stated below:
- The audit team discussion will need to include a discussion regarding the susceptibility to fraud or error that could result from related party relationships and transactions. The guidance notes issued with the revised ISA suggest that this discussion should include reference to existing/ updated documentation of relationships and transactions, professional skepticism regarding the potential for material misstatement, the conditions or circumstances that could indicate the failure to identify or disclose related parties, the records and documents that may need to be examined, and the importance that management gives to the subject.
- The auditor will be required to obtain an understanding of the controls, if any, that management have established to identify and account for related party relationships and to authorise transactions both with related parties and also those outside the normal course of business.
- When significant transactions outside the normal course of business are identified it will be necessary to enquire about the nature of the transactions and whether related parties could be involved. The guidance notes include examples of transactions outside the normal course of business.
- It will be necessary to design and perform further audit procedures to obtain evidence about assessed risks associated with related party relationships and transactions. The guidance notes includes examples of a range of substantive audit procedures that might be appropriate.
- If related parties or significant related party transactions are identified which had not been previously identified or disclosed by management, it will be necessary to:
- Request management to identify all transactions with the newly identified related party;
- Enquire why management failed to identify or disclose the relationship or transactions;
- Perform substantive audit procedures relating to newly identified parties or transactions;
- Reconsider the risk that other related parties or significant related party transactions might exist: and
- If the non- disclosure by management appears intentional, evaluate the impact for the audit.
- If significant related party transactions are identified outside the normal course of business, it will be necessary to:
- Inspect the underlying contracts or agreements, if any and evaluate whether the business rationale suggests fraudulent reporting or concealment of assets, whether the terms are consistent with management’s explanation, and whether the transactions have been appropriately accounted for and disclosed;
- Obtain evidence that the transactions have been appropriately authorized and approved.
- If management asserts that a related party transaction was conducted on an arm’s length basis, the audit work will necessitate obtaining sufficient appropriate evidence. The guidance notes include some assertions that management might give and how these might be evaluated.
- It will be necessary to communicate significant matters identified in connection with related parties to those charged with governance, unless they are all involved in managing the business.
- The revised ISA has a requirement to include in the audit documentation the names of identified related parties and the nature of related party relationships; this is already best practice.
It can be seen from the above that knowledge of both the requirements of the revised ISA 550 and of the guidance notes (described as application notes and other explanatory material in the Clarity ISAs) will be necessary to ensure that the audit procedures cover this particular clarified ISA.
The previous ISA 240 required specific procedures to address the risk of management override of controls in the areas of journal entries, estimates and unusual transactions.
The requirements still remain in the new standard, however, now specifically there is mention in the standard that the auditor shall treat those assessed risks of material misstatement due to fraud as significant risks and accordingly, to the extent not already done so, the auditor shall obtain an understanding of the entity’s related controls, including control activities, relevant to such risks.
The auditor is also required to document certain matters in the audit documentation of the auditor’s understanding of the entity and its environment and the assessment of the risks of material misstatement:
- The significant decisions reached during the discussion among the engagement team regarding the susceptibility of the entity’s financial statements to material misstatement due to fraud; and
- The identified and assessed risks of material misstatement due to fraud at the financial statement level and at the assertion level.
The clarity standards separate the consideration of materiality in planning and performing the audit (ISA 320), and in the evaluation of misstatements (ISA 450).
ISA 320 deals with the auditor’s responsibility to apply the concept of materiality in planning and performing an audit of financial statements. ISA 450 explains how materiality is applied in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements. Both standards require auditors to reconsider their determination of materiality if they become aware of information that would have changed that determination had they known it at the planning stage. The standard states that the auditor shall revise materiality for the financial statements as a whole (and, if applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures) in the event of becoming aware of information during the audit that would have caused the auditor to have determined a different amount (or amounts) initially.
The auditor shall include in the audit documentation the following amounts and the factors considered in their determination:
- Materiality for the financial statements as a whole;
- If applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures;
- Performance materiality; and
- Any revision of the above levels as the audit progressed
Wider use of confirmations
ISA 505 on external confirmations has been significantly revised and conforming changes have been made to ISAs 240, 330 and 500 to include considerations as to whether external confirmations are to be performed as substantive procedures.
If the auditor concludes that management’s refusal to allow the auditor to send a confirmation request is unreasonable, or the auditor is unable to obtain relevant and reliable audit evidence from alternative audit procedures, the auditor shall communicate with those charged with governance in accordance with ISA 260. The auditor also shall determine the implications for the audit and the auditor’s opinion in accordance with ISA 705.
In future, auditors may be challenged on whether they have obtained sufficient appropriate audit evidence if they have relied on a weaker form of evidence on a matter that could have been the subject of direct confirmation.
Gaining more evidence when an error is considered an anomaly
The clarified ISAs provide a foundation for risk-based auditing. The auditors plan their procedures based on a risk assessment, which is in turn built on an understanding of the entity and its environment, including internal controls. ISA 530 on audit sampling has been revised and the clarified standard states that in the extremely rare circumstances the auditor considers a misstatement or deviation discovered in a sample to be an anomaly, and when an anomaly is considered the auditor shall obtain a high degree of certainty and appropriate audit evidence that such misstatement or deviation is not representative of the population.
Communicating deficiencies in internal controls, including missing controls and significant difficulties encountered during the audit
ISA 265 is a new standard that governs the communication of deficiencies in internal control to those charged with governance and management. The standard emphasises the importance of the communication of such matters. It explicitly defines a deficiency in internal control as including the absence of necessary controls.
It is important that auditors’ risk assessments include consideration of the types of control they would expect to find at an audited entity given its size, its nature and its complexity. If such controls are missing, their absence should be communicated to the appropriate level of management or to those charged with governance even if they do not directly impact on the planned audit procedures.
The theme of the revised ISA 260 is to emphasise the importance of effective two-way communication between the auditor and those who are charged with the governance of the audited entity.
The revised standard provides more guidance on what matters are likely to be of governance interest. In particular, it requires that any significant difficulties encountered during the audit – for example, the unavailability of expected information – be communicated. It also requires the auditor to evaluate whether the two-way communication between the auditor and those charged with governance is adequate for the purposes of the audit. Auditors will need to consider their ability to accept reappointment if they conclude that the level of two-way communication is inadequate for their purposes.
Going concern considerations
One of the changes in clarified ISA is the elevation to requirements of matters that were previously included in guidance.
ISA 570 is an example of a standard that has not been revised but where the redrafting has given rise to a significant number of elevations. In particular, elevations include considering the events or conditions which may have been identified that may cast significant doubt on the entity’s ability to continue as a going concern, the auditor shall obtain sufficient appropriate audit evidence to determine whether or not a material uncertainty exists through performing additional audit procedures, including consideration of mitigating factors. The procedures include evaluating management’s plans for future actions and considering whether those plans are feasible.
Format of auditor’s report
ISAs 700, 705 and 706 deal with reporting matters. Although the final formats of reports are likely to be specific to different jurisdictions, it is probable that the changes will affect the audit report in some way. In particular, auditors should take care over the form of their report where they are considering a modification or inclusion of an emphasis of matter paragraph in their report. These areas are covered in ISA 705, Modifications to the Opinion in the Independent Auditor’s Report, and ISA 706, Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report.
The existing ISA 600 has nine (9) bold text requirements. The new clarified ISA 600 has forty-one (41); these include an even greater involvement in assessing risk where part of the group is not audited by the parent company auditor.
The revised ISA introduces a number of new requirements that the group auditor needs to undertake, particularly when other auditors audit components of the group. These requirements strengthen the direction of the audit by the group auditor and the group auditor’s involvement in the work of component auditors. Many of the new requirements were in effect there in the old standard’s guidance; others are things that many group auditors would always have done anyway. The key in applying the new standard is to identify the differences in practice for a specific audit and focus on those. Some may even result in a more efficient approach as well as a more effective one – for example, looking at group wide controls might reduce the work needed by component auditors.
The new ISA 600 is still likely to have the biggest impact on many audits. It is the first time that a comprehensive international standard has been issued in this area. Although the standard seeks to crystallize commonly used best practices, the following areas are likely to require additional thought and documentation:
- considering whether an engagement is a group audit within the scope of the standard;
- scoping the group audit, including determining significant components in the group;
- obtaining an understanding of, and completing procedures on, group-wide controls and the consolidation process;
- determining materiality and performance materiality for the group and components; and
- obtaining an understanding of component auditors and being involved in their work.
Auditors who aim to deliver a ‘no surprises’ audit will want to discuss the implications with clients long before the new requirements take effect. No doubt many will be asking about the effect on time and fees, but the implications are wider than just that. There is the prospect of changes in the ways that auditors and clients communicate, and auditors may be asking clients for information in a format they have not asked for before.
Auditors should not underestimate the change or the challenge. It’s important to make sure that training is planned at the right level and at the right time. There really is no substitute for actually reading the new standards. It’s important to make sure that methodologies are updated so that they will be ready to run when needed. But it’s even more important for individual auditors to know what the standards actually say and how they can undertake an audit that complies with them. After all, that is what every audit report will say they have done.
It is important to remember that the changes to the ISAs are, in part, responses to issues arising from past corporate failures. The purpose of the changes is to stimulate better auditing and not to encourage more extensive checklists. With this in mind, auditors should use the clarity standards to improve the quality of their audits. What the new ISAs are not about is more box-ticking.
(This article has been contributed by Mr. Vinod M. Joshi, Associate Director, Dubai).