International Auditing and Assurance Standards Board s1

– 10 – March 31, 2003

March 31, 2003


Mr. Jim Sylph

Technical Director

International Auditing and Assurance Standards Board

535 Fifth Avenue, 26th Floor

New York, New York 10017

Dear Mr. Sylph:

We appreciate the opportunity to comment on the following proposed International Standards on Auditing (ISA) approved for exposure by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC):

·  Amendment to ISA 200, “Objective and General Principles Governing an Audit of Financial Statements”

·  ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”

·  ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”

·  ISA XX, “Audit Evidence.”

We support the IAASB’s issuance of the proposed standards, which (a) require a more comprehensive understanding of the entity and its environment, including its internal control, (b) present a more rigorous approach to risk assessment based on that understanding, and (c) require improved linkage between such risk assessments and the audit procedures performed.

We also support the joint efforts of the IAASB and those of national institutes [such as the American Institute of Certified Public Accountants (AICPA)], and we commend those efforts on the issuance of proposed standards that aim for “convergence and acceptance of an international set of auditing standards.”

We have a number of comments that we believe will improve the quality and the effectiveness of the proposal and ultimately, audit quality. Our comments, which are intended to eliminate potential confusion and inconsistencies in interpretation, are as follows.


Understanding the Entity and Its Environment and Assessing Risks

Applicability of Business Risks

An auditor performs risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control, to assess the risks of material misstatement at the financial statement and assertion level. An understanding of the entity’s business risks allows the auditor to obtain a more in-depth understanding of the risks of material financial statement misstatement. For audit purposes, the auditor is ultimately concerned about business risks that may result in material misstatement of the financial statements. Paragraphs 36 through 44 of the proposed standard are lengthy, confusing, and in some respects, not operational. For example, paragraphs 38 and 39 discuss business risks in the future tense, where an audit is concerned about existing processes and historical results. The discussion of the entity’s risk assessment process also diverts the auditor from his or her responsibilities with regards to business risks. We recommend the following to streamline and clarify the auditor’s responsibilities with respect to such risks.

·  Deleting the first sentence in paragraph 39 and revising the second sentence (which may now be added to paragraph 36) to state that not all business risks have an effect on the financial statements and therefore, may not be risks of material misstatement.

·  Deleting paragraph 38, or deleting the first sentence in paragraph 38 and revising the examples pertaining to change and complexity to illustrate how such business risks may result in a material financial statement misstatement in the period under audit.

·  Moving the discussion relating to the entity’s risk assessment process (paragraphs 41 through 44), which is a component of internal control, to the section entitled “Internal Control.” A reference to this discussion may be added to paragraph 40.

Identifying and Testing Significant Risks

The proposed ISA introduces the notion of significant risks. It is our understanding that for significant risks, the auditor should (a) evaluate the design and implementation of the entity’s controls and relevant control procedures, (b) where planning on relying on the operating effectiveness of such controls, perform tests of controls in the current period, and (c) perform substantive procedures specifically responsive to the risk. However, the point of identification of “significant” risks is not made clear in the proposed standard, and we question whether the resulting complication of the standards is justified.

The logic with regard to the auditor’s approach to significant risks is perplexing. For example, when assessing risks (per paragraph 95 of the proposed standard), the auditor considers the entity and its environment, including relevant controls that relate to the risks. However, the proposed determination (per paragraph 105) of whether an identified risk constitutes a significant risk is said to exclude the auditor’s consideration of controls. In addition, the standard infers (per paragraph 104) that significant risks are a subset of all of the risks identified (per paragraph 95). However, the guidance and examples (per paragraphs 105 through 109) encompass items that by their nature may not fall within the routine financial statement assertion process and thus, require special audit consideration.

Further, for significant risks, an auditor is required to evaluate the design and determine the implementation of the entity’s controls and relevant control procedures, but is not required to test those controls. Only when planning to rely on the effectiveness of such controls is the auditor required to perform tests of controls, and such control tests should be performed in the current period. Hence, requiring tests of controls in the current period may be inconsequential when the auditor may default control risk to high; and thereby not test controls at all. In other words, the proposed standards require the auditor to evaluate the design and determine the implementation of controls, but do not explicitly require tests of controls where the design is deemed effective and controls have been implemented. In such circumstances, even if the design is deemed effective and controls have been implemented, the auditor may determine that substantive procedures are more efficient and tests of controls would not be performed.

Therefore, we recommend the following:

·  Deleting the notion (in paragraph 95) that the auditor identifies risks by considering relevant controls that relate to such risks.

·  Deleting the label “significant risks” and simply categorizing such risks as “risks that require special audit consideration.” Significant risks imply that such risks are of more importance than other identified risks.

·  Providing a clearer definition of such risks, and clearly stating the effect on the audit of identifying a risk as a “risk that requires special audit consideration” versus a risk that does not.

·  Identifying the purpose of evaluating the design and implementation of controls, including the intended result of such evaluation and (in “The Auditor’s Procedures in Response to Assessed Risks”) the impact on the auditor’s tests of controls and substantive procedures.

·  Expanding the proposed ISA to include instances where tests of controls should ordinarily be performed and instances where substantive procedures alone may provide sufficient appropriate audit evidence. Examples to illustrate this would be appropriate.

·  Enhancing the discussion, in paragraph 40 of “The Auditor’s Procedures in Response to Assessed Risks,” relating to performing tests of controls in the current period by referring to paragraphs 31 through 35, which discuss tests of controls throughout the period and tests of controls at a point in time (i.e., do not indirectly mandate the performance of tests of controls throughout the period). In addition, the IAASB should consider adding guidance to illustrate the relevance of tests of controls in the current period for “risks that require special audit consideration.”

Procedures in Response to Assessed Risks

We are particularly concerned that the proposed ISA has not adequately addressed the fundamental questions surrounding tests of controls; which controls should be tested and at what level of detail, and what constitutes sufficient appropriate audit evidence. For example:

·  Paragraph 38 fails to adequately identify the controls that qualify for testing every three years. For instance, tests of controls relating to significant risks are required to be performed in the current period, and it is implied that tests of controls relating to risks for which substantive procedures alone do not provide sufficient appropriate audit evidence should be performed in the current period. Additionally, this paragraph indirectly implies that relying on controls is possible when the control environment is weak. Hence, which controls and in what circumstances would controls qualify for testing every three years?

·  Paragraph 39 states that “Where there are a number of controls for which the auditor determines that it is appropriate to use audit evidence obtained in prior audits, the auditor should test the operating effectiveness of some controls each audit.” What is meant by “some controls?”

·  Paragraph 22 states that “Tests of the operating effectiveness of controls may be performed on controls that the auditor has determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion.” May the auditor perform or would the auditor perform tests of operating effectiveness on controls that are suitably designed? On what other controls may (or would) tests be performed? Based on this statement, could testing management’s documented monitoring controls constitute a sufficient test of controls?

We recommend the addition of explicit guidance that clearly identifies the controls that should be tested in each period, as opposed to less frequently, and at what level of detail they should be tested, including providing examples that illustrate what constitutes sufficient appropriate audit evidence.

Audit Evidence

Impact on Documentation and Record Retention

The proposed ISA discusses the cumulative nature of audit evidence, which includes audit evidence obtained from audit procedures performed during the course of the audit and may include audit evidence obtained from other sources, such as previous audits and procedures for acceptance and retention of clients. We agree with this concept. However, the issuance of the proposed ISA raises questions with respect to documentation and prescribed retention of audit evidence obtained from prior audits.

We believe that the final ISAs should address the need to carry-forward relevant audit documentation of evidence obtained from previous audits to the period currently under audit, particularly with regards to audit evidence about the operating effectiveness of controls. We recommend that the final standards clarify that documentation for the period under audit might include the documentation (for example, in the form of a copy of a written or electronic document) of the relevant audit evidence obtained from previous audits that was used to draw reasonable conclusions on which the current audit opinion is based. The standards should provide guidance and allow auditor judgment with respect to the form and extent of the documentation to be carried forward. Consequently, any prescribed record retention period need not extend to records from previous audits that are relevant to the current audit.

Effectiveness of Assertions

Management makes certain representations that are embodied in the financial statement components, otherwise known as assertions. The auditor uses these assertions to assess risk and design audit procedures. We believe that there are only selected assertions (which we describe below) that are relevant to the financial statement components and do not agree with the complicated re-categorization of the assertions by classes of transactions, account balances, and presentation and disclosure.

We believe that increasing the number of assertions and repeating assertions within categories may create confusion and lack of understandability rather than enhance management’s and the auditor’s understanding of the relevant assertions embodied in the financial statement components. For instance, we do not agree with the following classifications and terms:

·  Not assigning “classification” as an assertion that is relevant to account balances at period end.

·  Assigning “valuation” only to balances at period end even though “valuation” is primarily the direct result of a transaction or event.

·  Utilizing the term “accuracy” where we believe the term “measurement” is more appropriate.

In addition, certain of the assertions provided by the proposed ISA are not logical, and in practice, these assertions are ordinarily combined. Further, the audit procedures performed to respond to risks of material misstatement at the assertion level are ordinarily designed to respond to the particular assertion, regardless of whether the risk relates to account balances, transactions and events, or presentation and disclosure. For example, confirmations may be used by the auditor to respond to the risk of material misstatement related to the rights and obligations assertion, regardless of whether the confirmations confirm an account balance or a specific transaction.

We believe that the proposed assertions and their related definitions will not effect a favorable change in auditor performance, but audit effectiveness will improve if we (a) properly identify the relevant assertions embodied in the financial statement components, (b) clearly define those assertions, and (c) provide enhanced examples with respect to their applicability. Accordingly, we propose limiting the number of assertions to the following, which include the concepts embedded in the proposed ISA as enhanced definitions, rather than separate assertions.

·  Existence or occurrence – Assets, liabilities, and equity interests exist at a given date. Recorded and disclosed transactions pertain to the entity and have taken place.

·  Completeness – All assets, liabilities, equity interests, transactions and events that should have been recorded have been recorded in the accounting period, and all disclosures that should have been included in the financial statements have been included.

·  Rights and obligations – At a given date, the entity holds or controls the rights to reported assets, and the reported liabilities are obligations to the entity. Disclosed events pertain to the entity.

·  Valuation or measurement – Assets, liabilities, and equity interests are recorded at appropriate carrying values. A transaction or event is recorded at the proper amount and allocated to the proper accounting period, and valuation adjustments are appropriately recorded.

·  Presentation and disclosure – Components of the financial statements are appropriately presented, disclosed, classified, and described in accordance with generally accepted accounting principles, and the disclosures are clear, concise, and understandable.

We also recommend that the final ISA supplement these assertions with detailed and comprehensive examples that cover the applicability of each assertion to balance sheet items, transactions and events, and financial statement presentation and disclosures.

Other Comments

We noted that the proposed standards use several terms to describe controls and risks (such as relevant controls, specific controls, specific control procedures, and controls the auditor has determined to be suitably designed to prevent, or detect and correct, a material misstatement in an assertion; and identified risks, significant risks, significant business risks, and assessed risks). Therefore, to ensure consistency throughout the document, eliminate duplication, enhance clarity and understanding, and eliminate the potential for widespread interpretation, we recommend that the IAASB (a) perform a thorough read-through and, where appropriate, revise the proposed standards, and (b) consider a lexicon with key definitions.