ISA 315 Revised
The FRC has recently issued a brief consultation document regarding the revised international version of ISA 315 Identifying and Assessing the Risk of Material Misstatement through Understanding of the Entity and its Environment, which they wish to implement in the UK for accounting periods beginning on or after 15 December 2021. A significant number of changes have been made in the new version, recognising the vital impact of risk assessment to the audit process and the problems which we have seen in applying the current requirements in a robust enough manner. As always, the approach of the standard setter seems to be that they should spell out in more detail what they mean by the overarching requirement to identify and assess risks, including specific procedures or considerations along the way.
The new standard and application guidance, at 202 pages, will take some reading however, and I wonder whether many of those who actually perform audits, as opposed to those who write the audit programmes and provide training or technical support, will read it. On the plus side, the actual standard, as opposed to the application guidance, is only 17 pages long, so reading the essentials shouldn’t be much of an issue and users can then dip into the application material as required.
Objective of ISA 315
The objective of the auditor is still to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion level, thereby providing a basis for responding to those risks. Note that some of those appearing in Select Committee hearings have said that the auditor’s job is not to detect fraud; this is not the case, even under the current ISA. Where that fraud is material, the auditor does have a duty to carry out work designed to detect such misstatements.
Clarifications and additional definitions have been made, for example to highlight what is meant by General Information Technology Controls (GITC). The FRC has recently been concerned that insufficient understanding of, or attention to, GITCs has caused poor audit work. GITCs are the controls over the entity’s IT processes that support the continued proper operation of the IT environment, including the continued effective functioning of information processing controls and the integrity of information (i.e. completeness, accuracy and validity of transactions and information). They will include controls such as passwords, 2-stage verification and documentation of changes to systems.
One other change in definitions worth mentioning is that for significant risk. Previously this was defined as a risk that required extra audit attention. The new definition explains that a significant risk is towards the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of likelihood of misstatement and the magnitude of potential misstatement, or that it is to be treated as a significant risk in accordance with the requirements of other ISAs. This may not change the way a significant risk is considered by much, but it does perhaps give a better idea of how to categorise such risks if in doubt as to whether something is significant.
Obtaining an understanding of the entity and its environment
The revisions here start with a recognition of the risk that confirmation bias poses to the auditors’ scepticism. This is a natural human instinct where we tend to look for, and sometimes only notice, information which confirms what we are being told, rather than being open to information which contradicts what we are being told. The standard now says, at the end of paragraph 13, that “The auditor shall design and perform risk assessment procedures in a manner that is not biased towards obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory.” This is potentially easier said than done, and firms will need to think hard about how to train staff and partners to achieve this neutral attitude to evidence. The application guidance points auditors to gathering information from multiple sources outside of the entity to help achieve this neutrality.
The risk assessment process includes, as it does in the current version of the standard:
- Inquiries of management and others within the organisation, including internal audit
- Analytical procedures
- Observation and inspection
Quite a bit more detail is added to what the auditor should understand in assessing risks, including a specific mention of the business model that the entity uses and the extent to which this integrates the use of IT. Whilst training programmes have been reminding auditors to ensure they understand the business model, this specific mention of it in the ISA should be useful in reinforcing the point and linking it to the risks inherent or otherwise in the IT the entity uses.
Understanding the components of the entity’s system of internal control
In this section the new ISA splits into two columns the requirement to understand the controls, processes and structures which address issues such as the entity’s culture, governance and preparation of financial statements etc and the evaluation of those processes. There is much more detail than in the current ISA and more specific mention of the IT environment and general IT controls, as well as those more specific to the applications used.
There is also a clarification that when the auditor intends to test the operating effectiveness of controls, they should assess control risk. However, if the auditor does not plan to test the controls (i.e. plans to carry out a purely substantive audit) the auditor’s assessment of control risk is such that the risk of material misstatement is the same as the assessment of inherent risk. This is logical, as it is saying if you don’t test the controls, essentially you cannot assume there is any mitigation of the inherent risk, so if there is a high inherent risk, the auditor works on the basis there is still a high risk after any controls.
The auditor evaluates whether the audit evidence from the risk assessment procedures provides an adequate basis for the identification and assessment of the risks of material misstatement, and if it doesn’t then further procedures must be undertaken. Additionally, any new information which is inconsistent with the audit evidence originally used to assess risks must lead to a revision of the original conclusions. This, again, is an attempt to remind auditors not to ignore information which doesn’t just confirm what they have already found, and is an important point for all members of the team to fully absorb and act upon.
The documentation requirements, at first glance, do not look that different, but nonetheless there is an expansion of them. What is now required to be included in the documentation is:
- The discussion among the engagement team and significant decisions reached (no change)
- Key elements of the auditor’s understanding in accordance with paragraphs 19, 21, 22, and 24, the sources of information from which the auditor’s understanding was obtained and the risk assessment procedures performed (some expansion as more paragraphs are now included in the underlying requirements)
- Evaluation of the design of identified controls and determination of whether such controls have been implemented in accordance with the requirements in paragraph 26 (new requirements)
- The identified and assessed risks of material misstatement at the financial statement and assertion level, including significant risks and risks for which substantive procedures alone cannot provide sufficient evidence and the rationale for the significant judgements made (much more detailed requirements, including judgements and information about significant risks which wasn’t previously required).
The application material (in particular paragraph A238) adds further guidance with examples of documentation which may provide evidence of the application of scepticism by the auditor. For example, when audit evidence obtained from risk assessment includes evidence that both corroborates and contradicts management’s assertion, the documentation may include how the auditor evaluated the evidence, including the professional judgements made and whether the evidence provides an appropriate basis for the auditor’s identification and assessment of risks of material misstatement. It can be very difficult to evidence the application of scepticism, and this guidance should be welcome in pointing out areas which should lend themselves to such documentation.
It will also be necessary, I suspect, for audit teams to change their mindsets to ensure that they don’t just dismiss information which doesn’t support the information or figures they are trying to audit, but that it is documented and a judgement made about its validity or otherwise.
This article is designed to give an overview of the changes already made to the international version of ISA 315 with an effective date of accounting periods beginning on or after 15 December 2021 and planned to be made in the ISA (UK) 315 at the same time. If you are responsible for amending audit programmes, internal guidance or training audit teams you will no doubt want to start on that work now. Even if you have no such responsibilities, many of the changes in the ISA will enhance existing practice and not conflict with current requirements. It is worth understanding the changes early and starting to embed new attitudes, especially those around avoiding confirmation bias, as soon as possible.