ICAEW.com works better with JavaScript enabled.
Exclusive

Tackling new and revised auditing standards

Author:

Published: 12 Dec 2022

Exclusive content
Access to our exclusive resources is for specific groups of students, subscribers, users and members.
Log in Find out more
Peter Herbert highlights the hottest topics for audit in 2023, including ISQM1, ISA 315 revised and ISA (UK) 240 revised, and gives feedback from QAD on audit quality.

With a raft of new and revised auditing standards and the ongoing challenge of a difficult economic climate, there’s much to focus on for audits conducted during 2023. My recent faculty webinar covered some of the key considerations and also provided an opportunity to share some important messages from ICAEW’s Quality Assurance Department (QAD), following my discussions with it in advance of the webinar.

A recording of my November 2022 faculty webinar is available. This article shares some highlights from the event and some timely tips from QAD.

ISQM 1

Much has been said (and written) about the steps firms need to take to get to grips with the new quality management standard, ISQM 1, in advance of its implementation. QAD expects that firms will have had a good stab at their risk assessment in advance of the 15 December 2022 deadline, but it also recognises that not all firms will, by then, have in place a system of quality management that is the finished article.

My experience is that some firms have produced detailed papers explaining how what they already do adequately addresses all quality risks (an approach that might reasonably be described as a ‘retrofit’). During the webinar I encouraged firms (that may have taken this approach) to be open to the idea that some further actions will be necessary – especially if cold file reviews and ICAEW inspection visits identify weaknesses. Risks in relation to governance and strategy will be challenging for some firms, as solutions might take a while to formulate and implement. In the current climate it’s not unusual to see mergers between firms and it’s important for such firms to consider whether the related structural and cultural challenges have been adequately thought through and a consistent approach to audit achieved – and to not shy away from difficult questions.

A domineering managing partner or chief executive in a smaller independent firm can definitely be a force for the good, but is audit quality a priority for them and, if not, how can the firm balance commercial considerations and good audit outcomes? Do certain responsible individuals ‘dabble’ in audits or in particular types of audits? If so, should they be doing audits at all? These might be very challenging questions for some, but not ones to duck.

My discussions with QAD in advance of November’s webinar also highlighted the need for audit firms to focus on risks relating to resources. As the climate for accountancy recruitment is difficult and not helped by audit becoming an increasingly specialist area, what steps can firms take to ensure they recruit and retain the right people? Also, do they give appropriate consideration to training requirements?

Comments on root cause analysis in ICAEW’s Audit Monitoring Report 2020-21 (tinyurl.com/AB-Audit-Monitor) highlighted a lack of knowledge of auditing and financial reporting standards as a recurring problem. ISQM 1 gives firms a chance to think afresh about how partners and staff gain the crucial continuing professional development they really need.

ISA 315 revised

Implementation of the revised International Standard on Auditing (ISA) 315 Identifying and assessing the risks of material misstatement for accounting periods commencing on or after 15 December 2021 means substantial changes to proprietary audits systems, so many see its introduction as a burden. The revision of the standard will, however, give some an impetus to refresh their approach to risk assessment to get better quality and more efficient audit outcomes. This is crucial in an environment in which a drift towards the removal of sample size caps makes ‘smart’ auditing very much the order of the day.

For many auditors, the following will be the most significant changes:

  • A need to think about how a client’s use of information technology (IT) creates misstatement risks in the financial statements and how IT controls, and in particular general IT controls, This might not have been given much thought previously. Consideration of the entity and its environment (paragraph 19), its information systems (paragraph 25) and its control activities (paragraph 26) will all help flush out the relevant issues. address such risks. Appendix 5 of the revised standard provides a useful summary of the features of different IT applications – and which ones are and are not likely to give rise to significant risks. This makes clear that standalone applications with non-complex functionality are often unlikely to give rise to significant risks.
  • A need to give more careful thought to misstatement risks considering a range of inherent risk factors (not unlike those in the revised ISA 540, on accounting estimates) and to consider likelihood and magnitude to determine where risks sit on the ‘inherent risk spectrum’.

During courses, some questions are currently cropping up repeatedly. For example, what should a typical risk schedule look like? Does audit documentation need to consider every assertion for every account balance, class of transaction and disclosure?
The short answer to the latter question is “No”.

Auditors will, however, need to develop a thoughtful list of significant misstatement risks, of which there might be few for straightforward audits. Where risks sit at the higher end of the spectrum, audit testing and documentation will need to be on point, with appropriate and timely review by the engagement partner clearly evident on file.

Many firms are questioning whether additional time invested in planning audits in the light of the changes will result in increased fees. Possibly, and possibly not. Either way, a more thoughtful, focused approach to audit strategy might be a beneficial outcome.

ISA (UK) 240 revised

Many feel that the revision of the fraud standard, ISA (UK) 240, is more about mindset than procedures. The Financial Reporting Council has used the revised UK standard to remind auditors of some crucial steps to take when identifying and assessing the risk of material misstatement due to fraud.

As well as getting their noses into the revised standard, auditors are well advised to take a look at ICAEW’s excellent recent publication Sharpening the Focus on Corporate Fraud (see overleaf). This provides some invaluable insights on tackling fraud risk from experienced auditors within the profession.

Many firms will find that the changes to ISA (UK) 240 are relatively subtle. Key changes that all firms should focus on are:

  • specific considerations in relation to fraud for the team meeting (paragraph 16). The implementation of the revised ISA (UK) 240 and revised ISA 315 totally put to bed the myth that the engagement team meeting is a tick box exercise;
  • a requirement for auditors to be alert for conditions indicating that a document may not be authentic. Guidance in paragraph A9.1 provides a useful complement to this requirement; and
  • enhanced requirements for communicating with management (paragraph 18) and those charged with governance (paragraph 21). The focus in the revised standard is about not just talking about fraud risk to client management – especially as they will often be considered the most likely perpetrators of fraud.

Some firms will also need to understand the differences between the revised ISA (UK) 240 and ISA 240, the International Auditing and Assurance Standards Board (IAASB) version of the fraud standard on which it is based, and plans for its revision (see ‘Further reading and resources’, below).

QAD top tips

As mentioned earlier, my recent webinar was used to gather feedback from QAD about the issues it most commonly encounters regarding audit quality. What it highlighted was interesting, although not totally unexpected:

  • A lack of challenge and scepticism, in particular regarding going concern and asset valuations. Appraising a client’s assessment of going concern can be challenging where budgets and forecasts are not produced, but a documented discussion about business performance, plans and pinch points will often suffice.
  • A weak risk assessment, often culminating in a scattergun list of risks with no real attempt to develop tailored tests in response. We can but hope the revision to ISA 315 addresses the failings in this area.
  • Weak testing of revenue, with firms begrudgingly accepting there is a risk of fraud in revenue recognition without giving thought to how this manifests itself and what an appropriate audit response should look like. Firms may need to give more thought to this – and demonstrate they have done so. ISA (UK) 240 offers examples of revenue recognition fraud and auditor responses to assist with these considerations.

Onwards and upwards

So there’s lots of food for thought as we start 2023. In difficult economic times, with a range of regulatory changes about to come into force, auditors need to be on top of their game. However, as many of the changes are more akin to evolution than revolution, firms that already perform and document good quality audits will be well on their way to full compliance.

Further reading and resources

A recording of Peter Herbert’s faculty webinar on Hot topics and tips for 2023 audits.

An Audit & Beyond Q&A on ISQM 1, ISA 315 and ISA (UK) 240 (from the October 2022 edition)

International standards on quality management

There have been a number of recent Audit & Beyond articles to assist smaller firms with ISQM 1 preparations and compliance and to help them understand QAD expectations. These can be found, along with other resources to help audit firms implement the new quality management standards ISQM 1, ISQM 2 and ISA 220 (Revised), through the faculty’s ‘Quality management in audit firms’ hub.

The International Auditing and Assurance Standards Board (IAASB) makes these quality management standards and associated support materials available.

The Financial Reporting Council (FRC) makes the UK versions available

ISA 315 (Revised)

The revised risk assessment standard, ISA 315, provides more material to support auditors in assessing risks relating to IT. It also includes prescriptive requirements for auditors.

A recent Audit & Beyond article on Understanding the entity’s IT systems and related risks highlights changes in the revised ISA 315, its enhanced scalability and points to additional support material the standard offers to assist auditors.

A brief overview of the main revisions in ISA 315 is available from the faculty along with links to other material related to the standard.

A first-time implementation guide for the revised ISA 315 was published in July 2022 by the IAASB.

The IAASB makes ISA 315 (Revised 2019) available.

The FRC makes ISA (UK) 315 (Revised 2020) available.

ISA (UK) 240 (Revised)

During 2022, the faculty has provided a range of resources to assist firms with the preparations for and implementation of ISA (UK) 240.

Audit & Beyond articles include:

‘Fraud risk factors in a financial statement audit’, a faculty webinar recording, offering practical tips on implementing the revised ISA (UK) 240.

Sharpening the Focus on Corporate Fraud: an Audit Firm Perspective, a recent ICAEW report was the subject of a live panel discussion, available now as a recording.

The IAASB is planning to revise ISA 240 and during 2022 published some related resources that firms may find useful. Information on the project and its timeline.

IAASB guidance The fraud lens – interactions between ISA 240 and other ISAs illustrates relationships and linkages between ISA 240 and other ISAs when planning, performing and reporting on an audit engagement, and shows this in a diagram that many auditors may find useful .

About the author
Peter Herbert, Director, Insight Training

Audit & Beyond

This article was first featured in the December 2022/January 2023 edition of Audit & Beyond.

Audit & Beyond Dec/Jan 2022/23