The Financial Reporting Council (FRC) has updated eight audit standards to reflect ISA (UK) 540 (Revised) – Auditing Accounting Estimates and Related Disclosures, focusing on auditor liability, fraud, going concern, joint audit and management challenge
The overhaul of ISA 540 has resulted in significant changes, which impact a number of individual audit standards introducing a stronger focus on auditor liability and responsibility, identification of fraud, reporting on going concern and risk factors, and an emphasis on auditor scepticism and management challenge, particularly when auditors feel that the board is not being fully informed about potential issues.
All the amendments to the International Standards on Auditing (UK) (ISAs (UK)) have an effective date of 15 December 2019.
The revised ISAs (UK) are 200, 230, 240, 260, 500, 580, 700 and 701.
The revision to ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing (UK) clarifies management responsibility for the corporate governance, stressing that ‘those charged with governance include the directors (executive and non-executive) of a company and the members of an audit committee where one exists. For other types of entity it usually includes equivalent persons such as the partners, proprietors, committee of management or trustees’. However, in terms of audit responsibility, in the UK, management will not normally include non-executive directors.
The revised standard also includes more emphasis on the role of audit scepticism, stating ‘the auditor shall maintain professional scepticism throughout the audit, recognising the possibility of a material misstatement due to facts or behaviour indicating irregularities, including fraud, or error, notwithstanding the auditor's past experience of the honesty and integrity of the entity's management and of those charged with governance’.
ISA (UK) 230 Audit Documentation has been revised to stress that audit documentation should include all documents, information, records and other data required by ISQC (UK) 1 (revised November 2019), ISAs (UK) and applicable legal and regulatory requirements.
At the same time, any additional data and documents that are important in supporting the auditor’s report as part of the audit documentations should be retained.
There is also a new time constraint to produce the final audit file within 60 days from the date of the auditor’s report.
For the first time, going concern is written into the standard as a factor which must be taken into account when judging the significance of a particular risk, particularly in the context of the entity’s ability to continue as a going concern.
ISA (UK) 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements now features guidance on how auditors should behave when or if they suspect fraud, and the extent of intervention with clients.
The revised standard states in para 41-1 that ‘for audits of financial statements of public interest entities, when an auditor suspects or has reasonable grounds to suspect that irregularities, including fraud with regard to the financial statements of the entity, may occur or has occurred, the auditor shall, unless prohibited by law or regulation, inform the entity and invite it to investigate the matter and take appropriate measures to deal with such irregularities and to prevent any recurrence of such irregularities in the future’. (Ref: para. A63-1–A63-2)
In the case of audits of financial statements of public interest entities, if the company refuses to investigate the potential fraud, the auditor has a duty to inform the authorities responsible for investigating such irregularities. There is also a duty to report any actual or suspected non-compliance with laws and regulations to the audit committee. Auditors should also be aware that tipping off the entity about potential breaches of money laundering rules due to non-compliance may be prohibited under UK law.
It also states that auditors should use professional judgment when considering whether to report irregularities to authorities if they decide that a public interest entity has not taken appropriate action to deal with the actual or potential risks of fraud identified or have failed to prevent future occurrences of fraud.
ISA (UK) 260 Communication with those Charged with Governance clarifies reporting requirements where an audit committee is not in place. This update stresses the importance of reporting and identifying significant risks of material misstatement, whether or not they due to fraud, and particularly their impact on the overall audit strategy, allocation of resources and directing the efforts of the engagement team.
There is also two pages of guidance for auditors of companies that are required to conform with the UK Corporate Governance Code, particularly in the context of business risks relevant to financial reporting objectives. Interestingly, there is also some information about the reporting requirements when more than one audit firm is involved in an audit, with a requirement to describe the distribution of tasks among the auditors, and to ensure that the second auditor is independent.
The standard states: ‘Where the auditor has made arrangements for any of the auditor’s activities to be conducted by another firm that is not a member of the same network, or has used the work of external experts, the report shall indicate that fact and shall confirm that the auditor received a confirmation from the other firm and/or the external expert regarding their independence.’
There is also some detail on how to deal with differences of opinion between different audit firms, and the requirement to report this to the audit committee.
‘Where more than one auditor has been engaged simultaneously, and any disagreement has arisen between them on auditing procedures, accounting rules or any other issue regarding the conduct of the audit, the reasons for such disagreement shall be explained in the additional report to the audit committee,’ the amendment reads.
There is also a requirement for the individual audit engagement partner to sign and date the additional report to the audit committee.
Building on general concerns about the lack of challenge to senior management the updated standard states that the auditor is required to consider whether there are certain issues which have been communicated with the audit committee but should actually be escalated to board level.
The recommendation to auditors is that they should ‘where judged appropriate, attend the relevant part of a board meeting where the audit committee reports to the board, hold discussions with individual board members, or review any written reports from the audit committee to the board’. There is also a reminder about reviewing engagement letters on a regular basis.
There have also been amendments to ISA (UK) 500 Audit Evidence, ISA (UK) 580 Written Presentations, ISA (UK) 700 Forming an Opinion and Reporting on Financial Statements and ISA (UK) 701 Communicating Key Audit Matters in the Independent Auditor’s Report.
The changes were included as an annexe to ISA (UK) 540 when it was released last November, but have now been added to the individual text of each standard.
By Sara White