Financial Reporting - Auditing - Taking risk seriously

Risk assessment already lies at the heart of every audit, but new auditing standards deepen and broaden the requirements, says David Chopping.

By now, most auditors should be aware that the standards under which they operate are about to change. For accounting periods beginning on or after 15 December 2004, a whole new suite of auditing standards, based on International Standards on Auditing, will replace the existing Statements of Auditing Standards.

In many areas there are no differences of substance between the old and the new standards. Different words, similar requirements. The Auditing Practices Board's approach, with existing UK requirements being added to the underlying ISAs where they reflect better or more contemporary practice, serves to minimise the change that auditors will face.

But three of the new standards stand out as likely to have a considerable impact:

•   ISA 240, The Auditor's Responsibility to Consider Fraud in an Audit of Financial Statements;

•   ISA 315, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement; and

•   ISA 330, The Auditor's Procedures in Response to Assessed Risks.

It is not just that these standards differ significantly from those they replace; it is that they are pervasive, providing the marbling running through the auditor's approach. Assessment of risk, including the risk of fraud, is already at the heart of every audit. The new standards move the position on, both deepening and broadening the requirements. The ISAs contain new procedural and documentation requirements, but to focus on those requirements is to miss the point. Fundamentally, they require thought, and that the audit file provides evidence of that thought.

Assessing risk

If there is one question that every auditor should be asking, it is, 'What could go wrong?' ISA 315 formalises that question.

ISA 315 requires the auditor, in all cases, to undertake risk assessment procedures, including procedures to enable the auditor to understand the design and implementation of internal controls. The ISA also requires the auditor to obtain or update an understanding of the entity. This understanding needs to cover the business and its environment, both internally and externally.

It includes, but is not limited to, the business risks the entity faces.

Everything comes back to the financial statements, and where things could go wrong. The auditor needs to develop sufficient understanding to be able to undertake a reasoned assessment of where the risks of material misstatement in the financial statements lie.

The ISA also requires discussion: discussion with management, and others, as part of gaining an understanding; discussion within the audit team to ensure that all its members realise the potential for fraud and error in the areas assigned to them, and understand how their work may affect other aspects of the audit. While the ISA provides a broad agenda for the team discussion, and most auditors will develop their own approaches, at its heart the agenda is simple; again, 'What could go wrong?'

More formally, the ISA requires the auditor to adopt a four-level approach to risk assessment:

•   identification of risks arising from the entity and its environment, including relevant controls, by considering these factors by reference to classes of transactions, account balances and disclosures in the financial statements;

•   relating the risks that have been identified to what can go wrong at the assertion level;

•   considering whether the risks are of magnitude that could result in a material misstatement of the financial statements; and

•   considering the likelihood that the risks could result in a material misstatement of the financial statements.

Auditors also need to decide if there are any risks that require special audit consideration. It is assumed within the ISA that such key risks will exist for most audits. In making this assessment, controls are initially ignored. However, once such risks have been identified, the auditor is required to consider, specifically, the design and implementation of any controls that might mitigate those risks.

Reacting to risk

If ISA 315 asks 'What could go wrong?', ISA 330 asks '… and what are we going to do about it?'

The auditor is required to respond to the assessed risk in two basic ways: at the overall level, by considering matters such as the make-up of the audit team and when the audit fieldwork will take place; and at the assertion level, by designing and performing specific procedures responsive to the risks that have been assessed. The risks that have been assessed should have a direct and demonstrable impact on the programme of work, affecting the nature, the timing and the extent of the audit procedures to be performed.

ISA 330 does not make tests of control mandatory in all cases. While auditors are, as noted above, required to test the design and implementation of controls, they are not always required to test their operational effectiveness.

Tests of control must be performed where:

•   the auditor's assessment of risk includes an expectation of the operational effectiveness of controls; or

•   substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.

In the first case, it is hardly unreasonable to say that an auditor cannot reduce substantive testing on the basis of controls without obtaining audit evidence that those controls are actually operating effectively in practice. The second, and less common, case will apply to certain businesses where sufficient substantive testing is impossible. This is most likely to apply in a highly automated environment, particularly where the documentation supporting transactions is itself created automatically.

Where the auditor decides that tests of control are appropriate, it is not necessary to test every control every year. The ISA allows evidence on controls obtained in prior audits to be used as part of the audit evidence for the current year, so long as:

•   the auditor obtains evidence that the controls have not changed in the year;

•   controls on which reliance is placed are tested at least once every third audit;

•   some controls are tested each audit; and

•   controls for significant risks are tested each period.

There is no choice with substantive tests: they need to be performed for each material class of transactions, account balance or disclosure.

While most substantive procedures are left to the auditor's judgement, the ISA specifically requires:

•   agreeing the financial statements to the underlying accounting records; and

•   examining material journal entries and other adjustments made in the course of preparing the financial statements.

At the end of the process, the auditor needs to consider whether the work undertaken provides enough evidence that the risk the financial statements are materially misstated is low.

Thinking like a fraudster

It might be going a little bit far to gloss ISA 240 as requiring the auditor to think like a fraudster. But not much.

The standard runs in parallel with the basic risk standards, dealing with the specific risks associated with fraud. It identifies two relevant types of fraud:

•   misstatements resulting from misappropriation of assets; and

•   misstatements resulting from fraudulent misrepresentation.

It does not change the auditor's basic responsibilities, acknowledging that the primary responsibility for preventing and detecting fraud must lie with those charged with governance and management of the entity. The standard also continues to recognise the inherent limitations of an audit for detecting fraud.

What it does do is to place the assessment of, and reaction to, fraud risk at the centre of the audit process. The audit team, and the audit partner in particular, need to consider fraud risks at every stage. They are relevant in assessing the risks, in deciding on the testing to be performed, and in assessing the quality and sufficiency of the audit evidence that has been obtained.

ISA 240 probably cannot be resolved into a single question, but it can be summarised in a couple. 'If I were to commit a fraud what would it be?' followed by '… and how do we know that didn't happen?' The ISA leaves open the question of who is asking the first question, allowing for third parties, staff, management and those charged with governance.

The first requirement of the standard is that of scepticism, recognising that there could be a material error due to fraud. Scepticism about management and those charged with governance is stressed, even where the auditor has past experience, and no reason to question their honesty and integrity.

Like ISA 315, the fraud standard also requires discussions. These discussions can be combined with the risk discussions.

The auditor should discuss fraud risks with relevant people from the entity subject to audit. The main discussion is likely to be with management, and should cover the perceived risks, the way those risks are controlled and any identified cases of fraud. For larger entities in particular, discussions may also need to be held with those charged with governance and others, such as internal audit.

Fraud risks also need to be covered by discussion within the audit team.

This discussion needs to cover many things including the basic risks, the pressures that the entity and its management may face and any factors that may be considered an indication that a fraud may have occurred. During the discussion it is also important that the need to be alert to indications of fraud is stressed. After the discussion, the partner needs to consider the information that needs to be passed on to any members of the audit team who were not present.

Following from the discussion, the programme of work needs to reflect the fraud risks. Among the factors that need to be incorporated are:

•   introducing some unpredictability into the nature, timing and extent of audit procedures to be undertaken;

•   testing the appropriateness of journal entries, and other adjustments made in the preparation of the financial statements;

•   reviewing accounting estimates for bias that could result in material misstatement due to fraud; and

•   obtaining an understanding of the business rationale of significant transactions outside the normal course of business or that are otherwise considered unusual.

On the first point, there has to be considerable merit in any auditing standard that specifically prohibits simply following last year's audit file.

For the latter stages of the audit, the ISA requires the auditor to consider whether analytical procedures, and any identified misstatements, provide any indication of fraud. Where such an indication exists, the auditor needs to consider the implications in relation to other aspects of the audit.

Recording the risks

Proper consideration of risks is necessary, but not sufficient. The audit file needs to demonstrate that this has been done. Each of the key ISAs contains documentation requirements. Basically, these require the audit file to show that the risks have been assessed, and how. This would include, for example, a record of the various discussions held. They also require the audit file to demonstrate the linkage between the risk assessments and the audit work that has been performed.

•   David Chopping is a partner at Moore Stephens, vice chair of the Institute's ISA Implementation sub-group and chair of the Smaller Audits ISA Group. He is also general editor of CCH's Accounting Standards


Two articles in last month's Accountancy look at ISAs. They are on p48 and p94.

A website on ISAs can be found at
