Deloitte Touche Tohmatsu
Page 13
March 31, 2003
Mr. Jim Sylph
Technical Director
International Auditing and Assurance Standards Board
535 Fifth Avenue, 26th floor
New York, New York 10017
Dear Mr. Sylph,
Proposed Audit Risk Standards
We welcome the opportunity to comment on the audit risk exposure drafts issued by the International Auditing and Assurance Standards Board (“IAASB”). The development of new International Standards on Auditing (“ISAs”) to replace the various existing standards which relate to assessment of and responses to risk is timely given the need to restore public confidence in auditing. Improving the guidance on internal control and risk assessments is vital to the process of obtaining IOSCO and EU endorsement of the ISAs. We believe the exposure drafts accomplish this goal, and the comments that follow should be considered in light of our overall support of these standards.
We note that the IAASB believes that the proposed audit risk standards will increase audit quality as a result of better risk assessment and improved design and performance of audit procedures to respond to risks. Our view is that there is much useful material contained in these proposed standards, but that clarification is required in some areas to ensure that auditors (and others) understand what is required of them. Such areas include risk assessment procedures, the difference between ‘tests of control’ and ‘understanding design and implementation’, analytical procedures, the discussion among the audit team, the use of prior years’ knowledge and the financial reporting closing process.
Also there are aspects of the proposed standard on “Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement” (“Understanding the Entity”) that need to be improved. These include putting much more emphasis on the need for a powerful upfront accounting critique, which is then sustained throughout the audit, pulling together more the material on “out of normal process” transactions and on control override, and on reducing the length of the Appendices, which also need to become less prescriptive.
We are also concerned that there are aspects of governance that are described in ways which are rather outdated or which are underplayed. This is probably due to the fact that, since the development of the COSO model, there have been other governance developments, notably the increased importance of the audit committee, other control models which place more emphasis on the overall responsibility for internal control being assumed by management or the board, the ongoing identification, prioritisation and management of significant risk, review of the effectiveness of the system of control by the audit committee or the board, more focus on the importance of whistle blowing procedures and on codes of conduct, and the issue of the statements including assertions on internal control.
More needs to be said about the role of those charged with governance in reviewing the process for which management is responsible for identifying and managing the business and financial reporting risks. This involves the need for proper briefing by management on business developments and for financial literacy.
There is also a sense when reading the proposed standard on “Understanding the Entity” that it implies that it should be the auditor, rather than management, who should own the process for identifying significant risk and for documenting systems of control. This is contrary to recent governance developments. It also ignores the increased amount of work that is needed towards developing the basis for proper reporting by management to the audit committee and to the public. Unless more attention is paid to this, the audit process becomes a substitute for processes which management should conduct themselves. In such circumstances these processes do not develop as much as they should and ultimately there is more potential exposure to control failures and audit litigation than there should be.
We are also concerned that the proposed standard on “Understanding the Entity” is too long. The effect of including so much material on the understanding of the entity and its environment is that it seems to downplay the importance of the assessment of risk. There is perhaps scope to move more material to the Appendices. We also consider that Appendix 1 may inadvertently encourage a return to the era when lengthy permanent files were produced which partners stopped reading because they contained too much which was irrelevant. Alternatively Appendix 1 may result in a form filling exercise that distracts auditors from the key place where they now need to start the audit – the powerful upfront accounting critique. Another feature of Appendix 1 is that its prescriptive style adds a considerable cost burden to the audit of smaller entities. It should be made clearer that it is intended for training purposes.
The concept of what is sufficient audit evidence, as described in paragraph 26 of the draft standard “Auditor’s Procedures in Response to Assessed Risk” (“Auditor’s Procedures”) needs to be defined with greater clarity and the concept of “inquiry alone not providing sufficient evidence” needs to be put in bold text or given greater prominence.
Issues relating to audits of groups of companies, for example, control over subsidiary entities, and the aggregation of accounting information and group level risk issues, need to be addressed within the ISAs. We understand that the IAASB has established a Group Audits Task Force, and we recommend that this task force work with the Audit Risk Task Force to ensure that, as a whole, the ISAs adequately take these issues into account.
The proposed audit risk standards do not do much to clarify the expectation gap between what the public expects and what an audit actually delivers. It is difficult to say whether this can ever be achieved in auditing standards, but perhaps ISA 200 requires additional guidance to supplement the existing material around reasonable assurance. It also needs to state categorically that an audit is not a guarantee that the financial statements are free of material misstatement and that there is no such thing as absolute assurance. (Because a doctor conducts an annual physical examination with a clean bill of health does not guarantee that the patient will not drop dead the next day.) Standards may never eliminate the expectation gap, particularly without an ongoing major public relations educational campaign.
We are supportive of the new assertions and the distinction between those relating respectively to the balance sheet and to the income statement.
Our responses to the specific issues raised by IAASB:
1. Small entities
We note the inclusion of some guidance on small entities. This is welcome, but a key principle that should be incorporated (and one that is particularly applicable to small entities) is the need to keep the understanding of the entity and its environment and the assessment of risk simple. Otherwise there is a danger that, unless the auditor focuses on the key business issues and the significant risks, the auditor will not see the “woods for the trees”.
There is also a need to recognise that the entity’s objectives and strategies and related business risks are rarely articulated well within small entities. Similarly such entities may not have much measurement and review of financial performance.
2. Understanding the internal control
Paragraphs 50 through 94 of “Understanding the Entity” seem to be based largely on previous material. However internal control expectations have moved on during the past decade and again more recently in various countries in response to significant scandals. In particular the section on internal control needs to reflect the following developments:
Control environment
· Legal or regulatory requirements that expect management or the directors of listed (and some other entities) to make public statements on internal control.
· The need for periodic review of the arrangements for whistle blowing.
· Legal or regulatory requirements relating to disclosures by management to the audit committee and on the nature of the process for reviewing the effectiveness of the system of control.
Information and communication
· Increased focus on disclosure controls rather than merely financial controls.
Control procedures
· Increasing expectations that management have proper documentation themselves of their systems of control and of the apportionment of key functions relating to risk management and control.
· Greater recognition of the need for proper procedures to deal with deviations from codes of conduct.
Monitoring and corrective action
· Increased focus (and possibly public disclosure) of the process taken to rectify significant problems arising from control weaknesses disclosed in the annual report.
· Legal or regulatory requirements relating to disclosures by management to the audit committee and on the nature of the process for reviewing the effectiveness of the system of control.
More emphasis is needed on the types of questions which modern audit committees are likely to ask of external auditors. These may include:
· What are you views about the tone at the top?
· What is the quality of management’s documentation of the systems of internal control (which should be owned by management rather than by the auditors)?
· What the key issues relating to risk and lack of control about which the audit committee should be aware?
· What are your views about our whistle blowing procedures?
· What are the key things we need to know about the closedown of the books and in relation to control (or lack of control) of parts of the business that are material to the group?
A significant topic, which is dealt with in a manner that is too fragmented, is the possibility of management override of key controls, particularly over out of normal process transactions. Currently guidance on this vital topic (which seems to account for more than its fair share of major scandals) is scattered within paragraphs 67, 79, 80 (3rd and 4th Bullets) and 107 to 109 of “Understanding the Entity”. This material needs to be gathered together more and given even greater emphasis.
Another issue that needs to be given more attention is that some modern business process related technology driven systems are not strong on key issues such as bank reconciliations or control over personal accounts. The section on IT controls can perhaps focus more on the importance of auditors being consulted before IT systems are introduced. Auditors also need to be ready to deal with the question from audit committee members, “Are there controls issues relating to our IT systems which could give rise to accounting break downs?”
3. The auditor’s procedures in response to assessed risk
We concur with the requirement that the auditor should test the operating effectiveness of controls on which the audit plans to rely at least every third year.
4. Documentation
We have some concern that paragraph 117(b) of “Understanding the Entity” could recreate the spectre of thick permanent files which are then ignored but which among the detail contain key points that are easy to overlook. We therefore recommend that the documentation in this area should be confined to an understanding of the matters identified in paragraph 26 which the auditor considers to be of importance. Perhaps the focus should be on what has changed, what appears to the auditor to be dysfunctional and what might contribute to material misstatement arising from fraud.
The documentation of the discussion among the audit team referred to in paragraph 117(a) would more usefully follow the understanding referred to in paragraph 117(b), and therefore these paragraphs could be reversed. There is also a need to limit the documentation of the discussion to the key points that arose. Otherwise the documentation of the discussion could be rambling, contain matters whose likelihood are regarded as too remote and increase unfairly the litigation risk against the auditor. We suggest including some grey-lettered guidance that states that the documentation of the discussion is intended to be a brief overview of the topics discussed and key points, not a verbatim documentation of the discussion.
Detailed comments on the specific documents:
(a) Amendment to ISA 200 ‘Objective and Principles governing an audit of financial statements’
It would be useful if this document could refer more to the concept of professional skepticism.
(b) Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement.
The applicable financial reporting framework is far too important a topic to be part of a section on Industry, Regulatory and Other External Factors and then dispersed within paragraphs 5, 26(b), 30, 34 and 35. We recommend an upfront financial reporting critique, as the scandals over recent years have frequently involved the selection of inappropriate accounting policies and practices which affect not just year-end financial reporting but also interim reporting. Unless there is a robust challenge early on, management may become more entrenched in any bad accounting practices that have been the basis for interim reporting. Also, with the acceleration of the timetable for financial reporting in various parts of the world, this is not an area that should be left until the end of the audit. Furthermore, it is arguable that until an upfront accounting critique is performed, the understanding of the business and of its misstatement risks cannot be put in its proper context.
Issues that may need to be considered during an upfront financial reporting critique include:
§ What are the critical accounting policies?
§ How do those policies compare with industry norms?
§ What do analysts, the media and financial management say about the accounting?
§ Could the accounting be subject to regulatory criticism?
§ What are the key accounting judgments?
§ To what extent is the financial position dependent on accounting judgments?
§ What is the history of accounting issues in recent years?
§ Are there items in the balance sheet or off balance sheet that are questionable?
§ Are there indications that prior year accounting judgments have been revised or need revision?
§ What terms of trade with customers or suppliers could have accounting implications?
§ Are there signs that management could be taking an excessively aggressive approach in the areas of earnings and revenue recognition and treatment of costs or promotional discounts?