April 14, 2003

Mr. James M. Sylph, FCA

Technical Director

International Auditing and Assurance Standards Board (IAASB)

International Federation of Accountants

535 Fifth Avenue, 26th Floor

New York, New York 10017

USA

Dear Mr. Sylph:

Exposure Draft of Proposed International Standards on Auditing (ISAs) on Audit Risk

We are pleased to have the opportunity to provide our comments on the above exposure draft (ED). We apologize for responding late, but our comments are the result of the Assurance Standards Board’s (ASB) process for obtaining views of its diverse stakeholders on IAASB EDs. This project is of particular interest to the ASB, as we plan to converge with the final standards once they are issued.

Overall, we are very supportive of the proposed standards. We also support the process the IAASB has followed in developing the proposed standards jointly with the US Auditing Standards Board.

Our comments relate to the following significant issues:

  • A clear definition of and more guidance around what constitutes a “significant risk”
  • Disagreement with the “three-year testing” principle, and the need for more guidance for cycle testing
  • Additional guidance for implementing the standards in the audits of small entities
  • Additional guidance on the impact of information technology (IT)

Our suggestions for clarifying and improving the proposed standards in respect of these issues are set out below.

We have also identified two further issues that require clarification. They are described in the appendix to this letter.

1. Significant risk

The concept of “significant risk” is not clearly described in paragraph 104 of Understanding the Entity and its Environment and Assessing the Risk of Material Misstatement and consequently, conflicting and confusing messages are provided about what it is intended to mean and when it is assessed. For example, many of our respondents thought that significant risk is the same as high inherent risk of material misstatement. In addition, it is not clear whether it is intended to mean “significant in nature” or “significant in size”. The confusion may arise partly because of the logic flow of paragraphs 95-104, and their relation to the earlier discussion of business risk.

Paragraph 36 requires the auditor to obtain an understanding of the business risks that may result in material misstatement of the financial statements. In the “Assessing Risks of Material Misstatement” section, paragraph 95 requires the auditor to assess the risk of material misstatement by identifying risks and considering relevant controls; however, paragraph 105 subsequently indicates that significant risks are to be determined before controls are identified. Then, paragraph 106 describes significant risks in relation to business risk that may result in material misstatement. Similarly, paragraphs 108 and 109 indicate that significant risks often involve a greater risk of misstatement of the financial statements. In those instances where the term “risk” is used in conjunction with “material misstatement of the financial statements,” it appears that risk is determined after taking into account the impact of internal control.

Because of these apparent inconsistencies in the discussion of significant risks, we believe it is important to clarify the meaning of this key concept and its impact on the auditor’s work effort and documentation.

Based on our understanding of the intent of the “Assessing the Risks of Material Misstatement” section, it would be more logical for the auditor to first consider whether risks identified are significant risks before identifying relevant controls and finally assessing the risk of material misstatement. This may require placing the discussion of significant risk earlier in the section so the guidance clarifies that in relation to significant risks the auditor would:

  • First, identify risks based on his or her understanding of the entity and its environment and the business risks identified by management as part of its risk assessment process.
  • Then, determine which of those risks identified are significant risks (i.e., before considering relevant controls that relate to these risks).
  • For both significant risks and those relevant risks that are not determined to be significant, assess the risk of material misstatement taking into account factors such as relevant controls and the magnitude and likelihood of the material misstatement.

If this interpretation is correct, we are concerned about what the documentation requirements for the first step will be (i.e., documentation of all risks, whether or not they are significant and whether or not they could result in material misstatement).

In any case, we believe the final standard needs to better explain the meaning of the term “significant risks” in relation to other references to risk, in particular, “business risk” and “risks of material misstatement”.

In addition, paragraph 104 states that for “significant risks that require special audit consideration”, the auditor must evaluate the design and implementation of control procedures. It is not clear how this requirement for “significant risks that require special audit consideration” is any different from what is already required of the auditor in obtaining an understanding of internal control. Our interpretation of paragraph 53 in Understanding the Entity and its Environment and Assessing the Risk of Material Misstatement regarding obtaining an understanding of the elements of internal control is that the auditor would enquire about and document the design and implementation of controls in general. Thus it is not clear how the requirements in paragraphs 104-109 are intended to be different.

2. Three-year testing

We disagree with the proposal in paragraph 38 of The Auditor’s Procedures in Response to Assessed Risks that “the auditor should test the operating effectiveness of such controls at least every third audit.” Specifying a particular time period is arbitrary. Rather, judgment should be applied to the specific circumstances each year. Additional guidance (discussed later) is needed to ensure appropriate and consistent application of such judgment in practice.

If it is felt necessary to include a minimum testing period, we believe such a period should not be in black letter text. For example, paragraph 38 could be restated as follows:

The auditor should determine the appropriateness of reliance in the current audit on controls that have not changed and that were tested in prior audits. In such situations, the auditor should test the operating effectiveness of such controls on a periodic basis. (black letter) In considering the length of time period that may elapse before retesting a control, the auditor considers the control environment, the entity’s monitoring of controls, general IT controls and the effectiveness of the control and its application by the entity. However, the period elapsed since the auditor last tested a control would not normally exceed three years, because the longer the time elapsed…

In addition, we believe there are two underlying issues that need to be clearly explained in the accompanying guidance, regardless of whether the changes proposed above regarding a fixed time period are adopted:

  1. When reliance is to be placed on a control, this reliance should not be supported by audit procedures performed in prior audits unless there is reliable evidence (e.g., an automated change control process or a software package that cannot be changed by the user) that the control has not changed. This typically only applies to automated controls, not manual ones.
  2. When the auditor’s understanding of the entity and its environment reveals that controls should have changed to respond to an increased level of risk, but did not change, the auditor should not rely on periodic testing.

For the first issue, the guidance should provide more specific direction on when it is appropriate to carry out cycle testing and how the auditor would implement the requirement to test the operating effectiveness of some controls in each audit. Paragraph 38 should, for example, emphasize the importance of a strong risk assessment process, strong IT controls and strong monitoring controls to any cycle testing decision making by the auditor. It should be clear as to whether the requirement to test some controls in each audit applies at the overall audit level, at the class of transactions/account balance level or at the assertion level.

Further, the guidance should point out that in most cases (i.e. except for the fully automated controls example described in paragraph 36) the auditor should be required to test the operating effectiveness of the control each year in which he or she intends to rely on that control. In particular, paragraph 38 should be amended to remove any unintended reference to manual controls.

In addition, guidance should be added in paragraph 38 or in a new paragraph to indicate that in the case of fully automated controls, the auditor would perform procedures to ensure no changes had been made to the control since it was last tested directly.

For the second issue, guidance should be added in paragraph 38 or in a new paragraph to recognize that in some cases, due to changes in circumstances in the entity or its environment (e.g., an increased level of risk because of an acquisition, or a significant new competitor), the entity’s controls should have changed in response to the increased risk. The guidance should note that if the controls did not change in such circumstances, the auditor should not rely on periodic testing. Guidance should also be provided to link this situation to the auditor’s procedures in response to the assessed risks.

The additional guidance suggested above is consistent with the intent of paragraph 19 of Audit Evidence, which states, “Audit evidence obtained from previous audits may provide audit evidence where the auditor performs audit procedures to establish its continuing relevance.” We suggest a reference be added to this statement to reinforce the idea that there are clear boundaries around the nature and extent of the auditor’s continued reliance on controls in the current audit, even fully automated controls with strong change management processes.

3. Small entities

We believe it is vital that the IAASB provide sufficient implementation guidance to assist practitioners in implementing the standards in audits of small entities. We recognize that it is not the role of standard setters to explain the detailed application of principles. However, in this case it is likely to be an important element of achieving “general acceptance” among practitioners whose primary clientele is small entities. The application of, and the benefits from, the proposed audit risk model are more readily apparent in audits of larger entities, which may have more sophisticated internal control. Accordingly, it is important to demonstrate that this model can be applied effectively in audits of small entities.

A clear description of a small entity is needed as a starting point. It should take into account characteristics in addition to those specified in IAPS 1005, The Special Considerations in the Audit of Small Entities. Such additional characteristics include the following:

  • The degree of complexity of the operations, including consideration of the accounting estimation required and the degree of measurement uncertainty in the financial statement items
  • The nature and extent of adjusting entries required
  • The existence or lack of a planning and monitoring function (e.g., the formulation of expectations via budgeting, performance monitoring and performance reporting)
  • The level of accounting knowledge resident in the entity

It is important to note that whether an entity is considered small depends on the circumstances. An entity could be considered small if it met only some of the characteristics. Thus, sufficient illustrative examples are required to demonstrate application of the standards. These examples could be provided either in appendices to the standards, or in practice statements.

A particular area where more guidance is required is communication of weaknesses in internal controls. We suggest wording along the following lines be added after paragraph 116 of Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement to address this issue:

In owner-managed entities there is often a concentration of operational control and decision-making power. Consequently owner-managers are likely to be knowledgeable about the day-to-day operations of the business. In such circumstances, the auditor may question the usefulness of communicating significant weaknesses in internal control because the owner-manager may either already be informed about such matters, or may believe that such matters are not relevant. In addition, in the case of smaller entities, the auditor may be reluctant to communicate significant weaknesses in internal control related to limited segregation of duties. The auditor may believe that communication of such weaknesses is impractical because it is unlikely that they can be addressed in a cost beneficial manner.

Nevertheless, the auditor would communicate a significant weakness in such situations. There is normally a cost/benefit decision involved in addressing some of the matters encountered by the auditor. If the auditor does not communicate such matters, the auditor could effectively be perceived as having made the cost/benefit decision on management’s behalf. In addition, it is only by communicating such significant weaknesses that the auditor can be certain that management has been informed of the problem.

4. Information technology

The ED treats IT as a special consideration and a stand-alone function, when for most entities, including small entities, it is the prevalent situation. IT is no longer just a means of processing accounting information, but is comprehensively integrated into all aspects of financial and strategic business management. Understanding IT is integral to understanding the entity and its environment because IT is used to process information in all aspects of the business and to exercise control.

We believe, therefore, that the discussion of IT should be expanded to clearly show that IT is a strategic business issue that has a pervasive impact at the control environment level as well as at the operational level of specific controls. As such, IT should be considered together with other business risks in understanding the entity and its environment.

We would suggest that the following paragraph be added as paragraph 8 in Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement, under the heading which precedes present paragraph 7:

8. Entities of all sizes use information technology such as electronic commerce and the Internet as part of their business strategies. This may include the integration of information systems throughout entities and between entities and their business partners. In some cases, these systems include users from outside of the enterprise, and sometimes parts or all of the systems are outsourced. Such systems often involve particular risks that can have significant impacts. For example, the technologies used may be new to the entity and this fact combined with the pervasiveness of technology to the entity’s operations can create a new set of risks. Accordingly, it is critical for the auditor to gain a good understanding of the strategic use of IT, including the use of technology for conducting electronic commerce, in planning the audit.

It may also be useful to include a reference in the suggested new paragraph to IAPS 1013, Electronic Commerce—Effect on the Audit of Financial Statements.

We also suggest updating paragraphs 62, 63 and 64 in relation to the suggested addition above. Again, the existing paragraphs evoke the old fashioned approach to IT, under which manual systems used to be the norm and IT the exception, which is no longer valid. In addition, much of what is said about IT systems in those paragraphs is also true of manual systems.

In addition, we believe that appropriate references should be added to the following related IAPS for special audit considerations related to IT:

  • IAPS 1001, IT Environments—Stand-Alone Personal Computers
  • IAPS 1002, IT Environments—On-Line Computer Systems
  • IAPS 1003, IT Environments—Database Systems
  • IAPS 1009, Computer Assisted Audit Techniques

If you have any questions about our comments, we would be pleased to discuss them with you. Please contact Paul Lohnes, Director, Assurance Standards at (416) 204-3287.

Yours very truly,

Peter Gregory, CA

Chair, Assurance Standards Board

Attachment

cc: Members of the Assurance Standards Board

L.D. Esdon, FCA

L.D. Desautels, FCA

Appendix to ASB Response to IAASB Audit Risk ED

The ASB identified the following additional issues:

1. Internal control

a. Internal control is a vital element of the audit risk model. As such, it is important for the standards and guidance on internal control to be easy to understand and unambiguous. We believe the black letter guidance on internal control in paragraph 50 of the proposed ISA, Understanding the Entity and its Environment and Assessing the Risk of Material Misstatement, should be augmented to clearly indicate that the controls referred to are controls relevant to the audit, as explained in paragraphs 56-60.

b. Paragraph 30 of the proposed ISA, The Auditor’s Procedures in Response to Assessed Risks, states, “the auditor may use tests of details as tests of controls.” The intent of this statement is not clear. The second sentence of this paragraph indicates that “The objective of test of controls is to evaluate whether a control operated effectively.” However, the last sentence of the paragraph indicates that “the absence of misstatements detected by a substantive procedure (which is assumed to be used in the same context as a test of details, even though substantive tests also include analytical review) does not imply that controls related to the assertion being tested are effective.”

We believe it is clearer to state that the auditor may perform one type of procedure with two separate objectives, as is noted in the fourth sentence of this paragraph. If part of the purpose of the dual-purpose test is to test the operating effectiveness of the controls, the last sentence should be deleted. Alternatively, it could be explained that the statement is true for single-purpose tests of details, whereas dual-purpose tests do provide evidence about the operating effectiveness of the controls.

c. Paragraph 26 of The Auditor’s Procedures in Response to Assessed Risks indicates that “Inquiry alone will not provide sufficient appropriate audit evidence for testing the operating effectiveness of controls.” We believe this is an important concept that appears to be a requirement, but it is not in black letter text, nor is it prominently displayed. If the intent is that this be a requirement, we believe it should be highlighted in black letter text as the first sentence in paragraph 26 or a new paragraph, as follows: