International Auditing and Assurance Standards Board s1
Total Page:16
File Type:pdf, Size:1020Kb
Grant Thornton International
Barry Barber Worldwide Director of Audit and Risk Management 399 Thornall Street Edison, New Jersey 08837 732-516-5500 732-516-5550 Direct 732-516-5502 Fax email [email protected]
March 31, 2003
Mr. Jim Sylph Technical Director International Auditing and Assurance Standards Board 535 Fifth Avenue, 26th Floor New York, New York 10017
Dear Mr. Sylph:
We appreciate the opportunity to comment on the following proposed International Standards on Auditing (ISA) approved for exposure by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC):
Amendment to ISA 200, “Objective and General Principles Governing an Audit of Financial Statements”
ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”
ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”
ISA XX, “Audit Evidence.”
We support the IAASB’s issuance of the proposed standards, which (a) require a more comprehensive understanding of the entity and its environment, including its internal control, (b) present a more rigorous approach to risk assessment based on that understanding, and (c) require improved linkage between such risk assessments and the audit procedures performed.
We also support the joint efforts of the IAASB and those of national institutes [such as the American Institute of Certified Public Accountants (AICPA)], and we commend those efforts on the issuance of proposed standards that aim for “convergence and acceptance of an international set of auditing standards.”
We have a number of comments that we believe will improve the quality and the effectiveness of the proposal and ultimately, audit quality. Our comments, which are intended to eliminate potential confusion and inconsistencies in interpretation, are as follows. – 2 – March 31, 2003
Understanding the Entity and Its Environment and Assessing Risks
Applicability of Business Risks
An auditor performs risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control, to assess the risks of material misstatement at the financial statement and assertion level. An understanding of the entity’s business risks allows the auditor to obtain a more in-depth understanding of the risks of material financial statement misstatement. For audit purposes, the auditor is ultimately concerned about business risks that may result in material misstatement of the financial statements. Paragraphs 36 through 44 of the proposed standard are lengthy, confusing, and in some respects, not operational. For example, paragraphs 38 and 39 discuss business risks in the future tense, where an audit is concerned about existing processes and historical results. The discussion of the entity’s risk assessment process also diverts the auditor from his or her responsibilities with regards to business risks. We recommend the following to streamline and clarify the auditor’s responsibilities with respect to such risks.
Deleting the first sentence in paragraph 39 and revising the second sentence (which may now be added to paragraph 36) to state that not all business risks have an effect on the financial statements and therefore, may not be risks of material misstatement.
Deleting paragraph 38, or deleting the first sentence in paragraph 38 and revising the examples pertaining to change and complexity to illustrate how such business risks may result in a material financial statement misstatement in the period under audit.
Moving the discussion relating to the entity’s risk assessment process (paragraphs 41 through 44), which is a component of internal control, to the section entitled “Internal Control.” A reference to this discussion may be added to paragraph 40.
Identifying and Testing Significant Risks
The proposed ISA introduces the notion of significant risks. It is our understanding that for significant risks, the auditor should (a) evaluate the design and implementation of the entity’s controls and relevant control procedures, (b) where planning on relying on the operating effectiveness of such controls, perform tests of controls in the current period, and (c) perform substantive procedures specifically responsive to the risk. However, the point of identification of “significant” risks is not made clear in the proposed standard, and we question whether the resulting complication of the standards is justified.
The logic with regard to the auditor’s approach to significant risks is perplexing. For example, when assessing risks (per paragraph 95 of the proposed standard), the auditor considers the entity and its environment, including relevant controls that relate to the risks. However, the proposed determination (per paragraph 105) of whether an identified risk constitutes a significant risk is said to exclude the auditor’s consideration of controls. In addition, the standard infers (per paragraph 104) that significant risks are a subset of all of the risks identified (per paragraph 95). However, the guidance and examples (per paragraphs 105 through 109) encompass items that by their nature may not fall within the routine financial statement assertion process and thus, require special audit consideration.
Further, for significant risks, an auditor is required to evaluate the design and determine the implementation of the entity’s controls and relevant control procedures, but is not required to test those controls. Only when planning to rely on the effectiveness of such controls is the auditor required to perform tests of controls, and such control tests should be performed in the current period. Hence, requiring tests of controls in the current period may be inconsequential when the auditor may default control risk to high; and thereby not test controls at all. In other words, the proposed standards require the auditor to evaluate the design and determine the implementation of controls, but do not explicitly require tests of controls where the design is deemed effective and controls have been implemented. In such circumstances, even if the design is deemed effective and controls have been implemented, – 3 – March 31, 2003 the auditor may determine that substantive procedures are more efficient and tests of controls would not be performed.
Therefore, we recommend the following:
Deleting the notion (in paragraph 95) that the auditor identifies risks by considering relevant controls that relate to such risks.
Deleting the label “significant risks” and simply categorizing such risks as “risks that require special audit consideration.” Significant risks imply that such risks are of more importance than other identified risks.
Providing a clearer definition of such risks, and clearly stating the effect on the audit of identifying a risk as a “risk that requires special audit consideration” versus a risk that does not.
Identifying the purpose of evaluating the design and implementation of controls, including the intended result of such evaluation and (in “The Auditor’s Procedures in Response to Assessed Risks”) the impact on the auditor’s tests of controls and substantive procedures.
Expanding the proposed ISA to include instances where tests of controls should ordinarily be performed and instances where substantive procedures alone may provide sufficient appropriate audit evidence. Examples to illustrate this would be appropriate.
Enhancing the discussion, in paragraph 40 of “The Auditor’s Procedures in Response to Assessed Risks,” relating to performing tests of controls in the current period by referring to paragraphs 31 through 35, which discuss tests of controls throughout the period and tests of controls at a point in time (i.e., do not indirectly mandate the performance of tests of controls throughout the period). In addition, the IAASB should consider adding guidance to illustrate the relevance of tests of controls in the current period for “risks that require special audit consideration.”
Procedures in Response to Assessed Risks
We are particularly concerned that the proposed ISA has not adequately addressed the fundamental questions surrounding tests of controls; which controls should be tested and at what level of detail, and what constitutes sufficient appropriate audit evidence. For example:
Paragraph 38 fails to adequately identify the controls that qualify for testing every three years. For instance, tests of controls relating to significant risks are required to be performed in the current period, and it is implied that tests of controls relating to risks for which substantive procedures alone do not provide sufficient appropriate audit evidence should be performed in the current period. Additionally, this paragraph indirectly implies that relying on controls is possible when the control environment is weak. Hence, which controls and in what circumstances would controls qualify for testing every three years?
Paragraph 39 states that “Where there are a number of controls for which the auditor determines that it is appropriate to use audit evidence obtained in prior audits, the auditor should test the operating effectiveness of some controls each audit.” What is meant by “some controls?”
Paragraph 22 states that “Tests of the operating effectiveness of controls may be performed on controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion.” May the auditor perform or would the auditor perform tests of operating effectiveness on controls that are suitably designed? On what other controls may (or would) tests be performed? Based on this statement, could testing management’s documented monitoring controls constitute a sufficient test of controls? – 4 – March 31, 2003
We recommend the addition of explicit guidance that clearly identifies the controls that should be tested in each period, as opposed to less frequently, and at what level of detail they should be tested, including providing examples that illustrate what constitutes sufficient appropriate audit evidence.
Audit Evidence
Impact on Documentation and Record Retention
The proposed ISA discusses the cumulative nature of audit evidence, which includes audit evidence obtained from audit procedures performed during the course of the audit and may include audit evidence obtained from other sources, such as previous audits and procedures for acceptance and retention of clients. We agree with this concept. However, the issuance of the proposed ISA raises questions with respect to documentation and prescribed retention of audit evidence obtained from prior audits.
We believe that the final ISAs should address the need to carry-forward relevant audit documentation of evidence obtained from previous audits to the period currently under audit, particularly with regards to audit evidence about the operating effectiveness of controls. We recommend that the final standards clarify that documentation for the period under audit might include the documentation (for example, in the form of a copy of a written or electronic document) of the relevant audit evidence obtained from previous audits that was used to draw reasonable conclusions on which the current audit opinion is based. The standards should provide guidance and allow auditor judgment with respect to the form and extent of the documentation to be carried forward. Consequently, any prescribed record retention period need not extend to records from previous audits that are relevant to the current audit.
Effectiveness of Assertions
Management makes certain representations that are embodied in the financial statement components, otherwise known as assertions. The auditor uses these assertions to assess risk and design audit procedures. We believe that there are only selected assertions (which we describe below) that are relevant to the financial statement components and do not agree with the complicated re-categorization of the assertions by classes of transactions, account balances, and presentation and disclosure.
We believe that increasing the number of assertions and repeating assertions within categories may create confusion and lack of understandability rather than enhance management’s and the auditor’s understanding of the relevant assertions embodied in the financial statement components. For instance, we do not agree with the following classifications and terms:
Not assigning “classification” as an assertion that is relevant to account balances at period end.
Assigning “valuation” only to balances at period end even though “valuation” is primarily the direct result of a transaction or event.
Utilizing the term “accuracy” where we believe the term “measurement” is more appropriate.
In addition, certain of the assertions provided by the proposed ISA are not logical, and in practice, these assertions are ordinarily combined. Further, the audit procedures performed to respond to risks of material misstatement at the assertion level are ordinarily designed to respond to the particular assertion, regardless of whether the risk relates to account balances, transactions and events, or presentation and disclosure. For example, confirmations may be used by the auditor to respond to the risk of material misstatement related to the rights and obligations assertion, regardless of whether the confirmations confirm an account balance or a specific transaction.
We believe that the proposed assertions and their related definitions will not effect a favorable change in auditor performance, but audit effectiveness will improve if we (a) properly identify the relevant assertions embodied in the – 5 – March 31, 2003 financial statement components, (b) clearly define those assertions, and (c) provide enhanced examples with respect to their applicability. Accordingly, we propose limiting the number of assertions to the following, which include the concepts embedded in the proposed ISA as enhanced definitions, rather than separate assertions.
Existence or occurrence – Assets, liabilities, and equity interests exist at a given date. Recorded and disclosed transactions pertain to the entity and have taken place.
Completeness – All assets, liabilities, equity interests, transactions and events that should have been recorded have been recorded in the accounting period, and all disclosures that should have been included in the financial statements have been included.
Rights and obligations – At a given date, the entity holds or controls the rights to reported assets, and the reported liabilities are obligations to the entity. Disclosed events pertain to the entity.
Valuation or measurement – Assets, liabilities, and equity interests are recorded at appropriate carrying values. A transaction or event is recorded at the proper amount and allocated to the proper accounting period, and valuation adjustments are appropriately recorded.
Presentation and disclosure – Components of the financial statements are appropriately presented, disclosed, classified, and described in accordance with generally accepted accounting principles, and the disclosures are clear, concise, and understandable.
We also recommend that the final ISA supplement these assertions with detailed and comprehensive examples that cover the applicability of each assertion to balance sheet items, transactions and events, and financial statement presentation and disclosures.
Other Comments
We noted that the proposed standards use several terms to describe controls and risks (such as relevant controls, specific controls, specific control procedures, and controls the auditor has determined to be suitably designed to prevent, or detect and correct, a material misstatement in an assertion; and identified risks, significant risks, significant business risks, and assessed risks). Therefore, to ensure consistency throughout the document, eliminate duplication, enhance clarity and understanding, and eliminate the potential for widespread interpretation, we recommend that the IAASB (a) perform a thorough read-through and, where appropriate, revise the proposed standards, and (b) consider a lexicon with key definitions.
*****
In addition to the recommendations herein, we offer other general and editorial comments for your consideration in Appendix A. Our responses to the IAASB’s request for comments in Appendix 3, Commentators Guide to Issues, of the Explanatory Memorandum to Audit Risk Exposure Drafts are contained in Appendix B.
We would be pleased to discuss this letter with you or another member of the IAASB staff. Please contact me at (732) 516-5550, if you have any questions.
Very truly yours,
Grant Thornton International Barry Barber Worldwide Director of Audit and Risk Management – 6 – March 31, 2003
Appendix A
The following offers general and editorial comments for your consideration. Suggested new language is shown in boldface italics; suggested deleted language is shown by strikethrough.
Amendment to ISA 200, “Objective and General Principles Governing an Audit of Financial Statements”
Paragraph 12 – We recommend the following revision to stress the auditor’s ultimate responsibility, especially with respect to the notion of business risks.
“The auditor is concerned ultimately only with risks that may affect the financial statements.”
Paragraph 17 – An auditor’s consideration of engagement staffing and supervision and the involvement of experts are overall responses to address the risks of material misstatement at the financial statement level (in other words, these items do not represent risks of material misstatement at the overall financial statement level that the auditor would consider). As such, we recommend the following revision.
“Such risks may be especially relevant to the auditor’s consideration of the risk of material misstatement arising from fraud or whether there are events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern. The auditor’s response to consideration of the risk of material misstatement at the overall financial statement level includes consideration of the knowledge, skill, and ability of personnel assigned significant engagement responsibilities, including whether to involve experts; the appropriate levels of supervision; and general changes to the nature, timing or extent of audit procedureswhether there are events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern.”
Paragraph 22 – We recommend the following revision to clarify the relationship between detection risk and the risk assessment.
“ The acceptable level of dDetection risk bears an inverse relationship to the assessment of the risk of material misstatement at the assertion level.”
ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”
Paragraph 9 – We recommend incorporating the notion of inquiries of the predecessor auditor to obtain information about the entity and its environment (and review of their working papers for Paragraphs 23 & 25).
Paragraph 14 – We recommend including “reading analysts’ reports and reviewing websites about the company” as examples of other audit procedures.
Paragraph 33 – We recommend including a reference to ISA 550, Related Parties.
Paragraph 60 – We recommend striking the word “generally” in the second sentence.
Paragraph 117 & 118 – We recommend the following revision to streamline and clarify the required documentation.
“a. The discussion among the audit team regarding the susceptibility of the entity’s financial statements to material misstatement due to error or fraud, including how and when the discussion occurred, the audit team members who participated, and the subject matter discussed, and the decisions relevant to the audit procedures;” – 7 – March 31, 2003
“d. The results of the risk assessment of the risks of material misstatement both at the financial statement level and at the assertion level.”
Then delete paragraph 118.
ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”
Paragraph 5 – We recommend providing an example of what is meant by “elements of unpredictability.”
Paragraph 8 or 18 – We recommend providing an explanation as to why the nature of audit procedures is ordinarily of most importance in responding to assessed risks. We recommend also providing an example where the nature may not be the most important consideration (e.g., only sending one confirmation to confirm accounts receivable that is made up of many small balances, where extent and timing should also be considered).
Paragraph 12 – We recommend the following revision to clarify the guidance with respect to the nature, timing, and extent of further audit procedures.
“In determining the audit procedures to be performed, the auditor considers the assessed risk of material misstatement at the financial statement level and at the assertion level for classes of transactions, account balances, and disclosuresreasons for each risk assessment. For example, if the auditor considers that there is a lower assessed the inherent risk as low because of the particular characteristics of the class of transactions (that is, inherent risks), the auditor may determine that substantive analytical procedures alone may provide sufficient appropriate audit evidence. On the other hand, if the auditor assessed the control expects that there is a lower risk that a material misstatement may arise as low because an entity has effective controls and the auditor intends to perform tests of controls to obtain audit evidence about their operating effectiveness, the auditor should design the nature, timing, and extent of planned substantive procedures based on the effective operation of those controls, then the auditor performs tests of controls to obtain audit evidence about their operating effectiveness. For example, the The risk of misstatement may be considered low for a class of transactions of reasonably uniform, noncomplex characteristics that are routinely processed and controlled by the entity’s information system.
Paragraph 25 – This paragraph discusses how the auditor may have made inquiries about management’s use of budgets, observed management’s comparison of monthly budgeted and actual expenses, and inspected reports pertaining to the investigation of variances between budgeted and actual amounts. It further discusses how the performance of such tests may provide sufficient appropriate audit evidence. We believe that the example that has been provided (i.e., a “high-level” management monitoring control related to the review of budget versus actual) would ordinarily not provide sufficient appropriate audit evidence to reduce risk to an appropriately low level. As such, we recommend that another example be provided.
Paragraph 30 - When performing substantive procedures, the auditor may not detect any misstatements in an account balance, class of transactions, or disclosure. Paragraph 30 discusses how the absence of misstatements does not necessarily imply that controls related to the assertion being tested are effective. We believe that the proposed ISA should be enhanced to discuss the circumstances in which the absence of misstatements may provide evidence of the effective operation of controls, depending on the nature, timing, and extent of the substantive procedures performed. For example, when the auditor does not detect any misstatements after substantively testing a sample of the population of a database with computer assisted auditing techniques, the auditor may conclude that he or she has obtained indirect evidence that controls are operating effectively. While the evidence is likely not conclusive, it may be persuasive in combination with the substantive test.
Paragraph 36 – This paragraph discusses how the inspection of logs may indicate whether controls have been changed. We doubt the practicality of this example and question whether inspecting logs would be efficient and effective in obtaining sufficient appropriate audit evidence. – 8 – March 31, 2003
Paragraph 39 – We recommend the following revision to clarify that if controls being relied on are tested at least every third audit, they may not be tested in the subsequent period (versus the subsequent two periods).
“The purpose of this requirement is to avoid the possibility that the auditor might apply the approach of paragraph 38 to all controls on which the auditor proposes to rely, but test all those controls in a single audit period with no testing of controls in the subsequent two periods.”
ISA XX, “Audit Evidence”
Paragraph 14 – An auditor does not examine all the information available in an audit for several reasons, including the performance of risk assessment procedures and audit procedures designed to respond to the risks of material misstatement. However, paragraph 14 is limited to sampling procedures. As such, we recommend the following revision.
“The auditor uses professional judgment in determining the quantity and quality of audit evidence, and thus its sufficiency and appropriateness, to support the audit opinion. Both the individual assertions in financial statements and the overall proposition that the financial statements as a whole give a true and fair view (or are presented fairly, in all material respects) are of such a nature that the auditor is seldom convinced beyond all doubt with respect to the financial statements being audited. In forming the opinion, the auditor does not ordinarily examine all the information available because conclusions can be reached by performing risk assessment procedures and audit procedures responsive to risks of material misstatement. The auditor may also use using sampling approaches to draw reasonable conclusions. Ordinarily, the auditor finds it necessary to rely on audit evidence that is persuasive rather than conclusive; however, in order to obtain reasonable assurance, the auditor is not satisfied with audit evidence that is less than persuasive.”
Paragraph 16 – We agree with the notion that sufficient appropriate audit evidence on which the audit opinion is based cannot be obtained by performing only risk assessment procedures. However, risk assessment procedures can provide sufficient appropriate audit evidence at the financial statement and assertion level. In order to clarify these separate and distinct points, we recommend deleting the first sentence of Paragraph 16 and adding the last sentence to Paragraph 15.
Paragraph 17 – We recommend the following revision to clarify the auditor’s responsibilities with respect to tests of controls. In addition, a reference to direct auditors to the related discussions in “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement” and “The Auditor’s Procedures in Response to Assessed Risks” would also be appropriate.
“Tests of controls are requiredWwhere the auditor’s risk assessment assumes the operating effectiveness of controls, the auditor identifies and tests those controls. In additionparticular, where substantive procedures alone do not provide sufficient appropriate audit evidence, the auditor performs tests of controls to obtain audit evidence about their operating effectiveness of controls where substantive procedures alone do not provide sufficient appropriate audit evidence. See the proposed ISA, The Auditor’s Procedures in Response to Assessed Risks.”
Paragraph 19 – We recommend the following revision, as audit procedures are not necessarily exclusive.
“ These audit procedures, or combinations thereof, may be used as risk assessment procedures, tests of controls, or and substantive procedures, depending on the context in which they are applied by the auditor.”
Paragraph 24 – To clarify the last sentence of paragraph 24, we recommend replacing it with the following (or with an example similar to the following).
“Inspection of individual inventory items ordinarily accompanies the observation of inventory counting. For example, when observing an inventory count, the auditor ordinarily inspects individual inventory – 9 – March 31, 2003
items (such as opening containers included in the inventory count to ensure that they are not empty) to, among other things, verify their existence.
Paragraph 33 – Consider amending ISA 505, “External Confirmations” to include the notion of side agreements as included herein. – 10 – March 31, 2003
Appendix B
The following is in response to the IAASB’s request for comments in Appendix 3, Commentators Guide to Issues, of the Explanatory Memorandum to Audit Risk Exposure Drafts.
1. ISAs are drafted to contain basic principles and essential procedures together with related guidance that apply to the audits of financial statements of any entity, irrespective of its size. However, the IAASB recognizes that the audit of small entities may give rise to certain special audit considerations.
Are there such special audit considerations in applying the standards and guidance contained in proposed ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” and proposed ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”? If so, include details of such considerations.
The objective of an audit of financial statements is the same for all entities, regardless of size. We believe that the risk-based approach described in the proposed standards can be applied equally well to entities of all sizes. Therefore, we would not support the establishment of separate auditing standards specific to smaller entities. That said, we do recognize that auditors cannot necessarily apply the principles set out in the proposed standards to smaller entities in the same way as for larger entities.
For example, the breadth and depth of controls do not always exist in smaller entities, and the auditor’s understanding of the entity, including its internal control, is therefore affected. Therefore, we are pleased that the proposed standards allow the auditor to exercise judgment and flexibility in identifying and responding to risks and in the form and extent of the related documentation. More specifically, they do not require the performance of tests of controls and do not prohibit the performance of substantive procedures alone (provided the auditor has performed the risk assessment procedures and obtained an understanding of the entity’s controls). For example, where the auditor obtained an understanding of the entity’s internal control and has determined that the entity has not established effective controls, the auditor may assess control risk as high and perform a fully substantive audit.
2. Paragraphs 50 through 94 [of ISA XX, “Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement”] deals with internal control including the requirement to obtain an understanding of the components of internal control and guidance on obtaining the understanding. Appendix 2 contains further guidance to assist the auditor in understanding the components of internal control, including their application to small entities.
Is this additional guidance helpful, or is there sufficient material within the ISA itself?
The proposed standards have considerably revised the requirements and guidance related to the auditor’s consideration of an entity’s internal control. This includes the introduction of the internal control components that were, for the most part, not defined in ISA 400, Risk Assessments and Internal Control. Accordingly, Appendix 2 is not only essential and valuable for an auditor’s understanding of the internal control components that are now relevant to a financial statement audit performed in accordance with ISAs, but also necessary to develop more robust auditing standards.
The additional guidance pertaining to small entities is also helpful for an auditor’s understanding of the relevancy and application of the internal control components to such entities. We believe that this specific guidance provides auditors with a means of applying one set of auditing standards to all financial statement audits. – 11 – March 31, 2003
3. Where the auditor plans to rely on controls that have not changed since they were last tested, paragraph 38 [of ISA XX, “The Auditor’s Procedures In Response To Assessed Risks”] requires the auditor to test the operating effectiveness of such controls at least every third audit. The IAASB discussed whether it was appropriate to impose such a limit on the ability of the auditor to use audit evidence obtained in a prior audit. The alternative view is that the period for such reliance should be left to the auditor’s judgment.
Is it appropriate for the ISA to specify a time period, and if so, is every third audit an appropriate limit? If not, please indicate what time period, if any, is considered more appropriate.
We support the IAASB’s decision to ease the requirement to perform tests of controls each period and to allow the auditor to use audit evidence about the operating effectiveness of controls obtained in prior audits. In such circumstances, we believe that the requirement to test the operating effectiveness of controls at least every third audit, as proposed, allows adequate auditor judgment to rely on controls that have not changed since they were last tested, but yet imposes a reasonable boundary on the performance of such tests of controls.
We also believe that it is appropriate for the ISA to impose a limit on the ability of the auditor to use audit evidence about the operating effectiveness of controls obtained in a prior audit and believe that every third audit is an appropriate limit. Without such a boundary, we presume that ultimately the execution of such tests may deteriorate and therefore, the quality of audits could suffer.
4. Proposed ISAs XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement,” and ISA XX, “The Auditor’s Procedures in Response to Assessed Risks,” include detailed documentation requirements. The IAASB considers that documentation requirements are important as a means of ensuring that auditors comply with significant requirements of the standards. The requirements are more extensive than previously.
Do commentators agree that it is appropriate for the IAASB to establish detailed documentation requirements? Are the proposals practical? If not, what suggestions do you have for documentation that achieves the objective of improving compliance with standards?
The objectives of audit documentation relate primarily to (a) providing evidence to support the audit opinion, (b) providing evidence that the audit was carried out in accordance with ISAs, and (c) aiding in the conduct and supervision of the work. Accordingly, we agree with the areas for which documentation is required by the proposed standards and note that the required documentation would be appropriate in consideration of ISA 230, Documentation. However, we are concerned that the IAASB believes that audit quality will be enhanced by significant documentation requirements.
We do not necessarily believe that significant documentation requirements improve audit quality. Additionally, we believe that extensive documentation requirements may in fact create substantial opportunities for second- guessing the auditor’s judgment and may be burdensome to implement in certain circumstances. So, while we believe that the areas requiring documentation, as discussed in the proposed standard, are appropriate, we believe it is as important to allow auditor judgment in determining the form and extent of any such documentation. Documentation will differ between engagements depending on the particular entity under audit, its environment and its internal controls. With respect to the proposed documentation requirements, we recommend adding a reference to ISA 230, which provides additional guidance on the auditor’s professional judgment with respect to the extent of the working papers to be prepared and retained.