Christopher J Arnull.
One global effect of the credit crunch is that auditors are likely to adopt a more critical approach to their scrutiny of accounts and to information that is provided to them.
Auditors communicate all over the world to each other and to millions of shareholders each year. During the 'busy season' auditors everywhere manage lots of information. In group audits, much of this will be exchanged between auditors. But there is a gap in clarity over who can rely on what when auditors make statements to each other.
This gap gives rise to uncertainty over legal responsibilities and it could be clarified by transparency in auditing standards or legislation. It is surely not unreasonable to have a clear and transparent framework so that auditors and markets know where legal responsibilities lie when auditors talk to each other.Who's responsible?
When auditors communicate to each other, normally in the subsidiary-parent environment, the question of legal risk gets clouded. The subsidiary auditors are responsible for their audit of the subsidiary. The parent auditors are responsible for their audit of the parent and the group audit. But when the parent auditors ask the subsidiary auditors for help with the group audit, by providing information about their subsidiary audit, can the parent auditors rely - legally - on what they report to them?
International standards on auditing state clearly that the parent's auditor must alone determine how the other auditor's work will affect the parent auditor's audit work. So the parent auditor must consider the professional competence of the other auditor. The parent auditor must perform procedures to obtain enough audit evidence that the other auditor's work is adequate and can be used for the parent auditor's purposes. Auditors are told to cooperate with each other, knowing the context in which one will use another's work.
It is, therefore, clear that the standardsetters regard the responsibility for the parent and group audit as falling squarely on the parent auditor. But what is not so clear is how to balance the need to discharge parent audit responsibilities with reliance on information provided by subsidiary auditors. The standards themselves do not state that the parent auditor cannot rely on the subsidiary auditor's work other than at own risk. The area between the auditors is grey.
The parent auditors might decide not to re-perform audit work on the subsidiary, using instead information communicated to them by the subsidiary auditors. Use of that information might seem pointless if the parent auditors cannot rely on it. But ultimately they cannot divest themselves of responsibility for their own audit work, and for determining the adequacy as audit evidence of information communicated to them.Adequacy of evidence
This applies more widely - not just as between parent and subsidiary auditors. It is a theme consistent in relation to audit evidence generally. The auditor is responsible for determining the adequacy of evidence gathered for his audit. International standards on auditing require external auditors to consider the work of internal auditors. And they may use work performed by an expert. But as with parent and subsidiary auditors, external auditors have to evaluate the internal audit work or an expert's work to confirm its adequacy as audit evidence for the external auditor's purposes. It seems clear in this context also that the external auditor cannot rely on internal audit or on an expert's work as a way of discharging ultimate responsibility for the external audit. But the standards do not address this openly.
This uncertainty arises globally. The credit crunch just brings it more into focus. Auditors in a territory not particularly affected by the credit crunch have to take a more active interest in the environment in which other group members trade and what other auditors have to say.
It would help auditors everywhere if international standards went one more step and clarified the position. The standards could state that parent or external auditors' use of information provided by subsidiary or internal auditors or experts as audit evidence is acceptable and sensible, but does not remove the parent or external auditor's ultimate responsibilities. Or the standards could indicate how the balance between responsibility for the parent audit and responsibility for information communicated by subsidiary auditors should be struck.
At least then auditors would know where they stand when communicating with each other. Currently the position is clouded with uncertainty, which is surely unacceptable. A simple clarification could achieve so much.
Christopher J Arnull is a solicitor and associate general counsel at KPMG LLP. The views expressed in this article are the author's own and do not necessarily represent the views of KPMG LLP
ISA (UK&I) 600, Using the work of another auditor, provides as follows:
2. '… the principal auditor should determine how the work of the other auditor will affect the (principal auditor's) audit.'
7. '… the principal auditor should consider the professional competence of the other auditor … '
8. 'The principal auditor should perform procedures to obtain sufficient appropriate audit evidence that the work of the other auditor is adequate for the principal auditor's purposes … '
18-1. '… the principal auditor has sole responsibility for the principal auditor's audit opinion … '
ISA (UK&I) 610, Considering the work of internal audit, states this:
9. 'The external auditor should obtain a sufficient understanding of internal audit activities to identify and assess the risks of material misstatement … '
16. 'When the external auditor intends to use specific work of internal auditing, the external auditor should evaluate and perform audit procedures on that work to confirm its adequacy for the external auditor's purposes.'
18-1. 'In the event that the external auditor concludes that the work of internal auditing is not adequate for the external auditor's purposes, the external auditor extends the audit procedures beyond those originally planned to ensure that sufficient appropriate audit evidence is obtained to support the conclusions reached.'
ISA (UK&I) 620, Using the work of an expert, includes these provisions:
2. 'When using the work performed by an expert, the auditor should obtain sufficient appropriate audit evidence that such work is adequate for the purposes of the audit.'
5-2. 'Although the auditor may use the work of an expert, the auditor has sole responsibility for the audit opinion.'
11. 'The auditor should obtain sufficient appropriate audit evidence that the scope of the expert's work is adequate for the purposes of the audit.'