Audit Risk - Proposed International Standards on Auditing and Proposed Amendment to ISA

Technical Director
International Auditing and Assurance Standards Board
535 Fifth Avenue, 26th Floor
New York
New York 10017
USA

Our ref: fmp
21 March 2003

Dear Sir

Audit Risk - Proposed International Standards on Auditing and Proposed Amendment to ISA 200, "Objective and Principles Governing an Audit of Financial Statements"

We are pleased to respond to your invitation for comments on the exposure drafts of the above. This response is from the UK firm of Mazars. Set out below are the main points we wish to make, then the response to the issues specified in Appendix 3 of the Explanatory Memorandum and then our detailed comments on the draft documents.

Mazars is an international advisory and accountancy group of firms. In the UK, Mazars is one of the top 20 firms of accountants and business advisers. We employ 1,000 staff and partners and audit is our core business, servicing all sizes of clients from the smallest owner managed to listed companies.

Set out below are the key points of our response. The detailed comments supporting these and suggestions for alternative wording are set out on a paragraph by paragraph basis later in this letter.

Provenance

We believe it is important to note (as acknowledged in the Appendix to the Explanatory Memorandum) that much of the development of these standards is based on the methodologies of the largest firms of auditors in the US. These firms differ from the global population of auditors as they:

  • Do not operate in a country with a statutory audit requirement and therefore tend to only audit listed companies, which typically have more established systems of internal control and risk assessment than smaller privately owned entities.
  • Generate significant revenues from non-audit business advisory work from their audit clients. Their audit methodologies have therefore developed as part of a broader business advisory offering. A requirement for such an approach is, we believe, not appropriate as an International Standard.
  • Are based in the USA where detailed rules and prescriptive guidance rather than shorter principle-based standards are the norm for accounting matters.

We do not feel that the standards as drafted have necessarily reflected the different audience which the IAASB as opposed to the US ASB needs to address. Given the recent corporate and audit failures in the USA we believe it is important for these new standards to be shown to be sufficiently credible in their own right and not accepted merely because the largest firms of accountants have similar systems in place.

Length and structure

We feel that the standards as drafted are too long. We would support the removal of almost all of the examples as well as much of the grey text. We note that many of the statements in the standards are not essential instruction on how to carry out an audit but additional explanations and guidance. We feel that most of this material is best placed outside a standard so the principles are not obscured by the detail. We note that the provenance of the standards may have affected this and would point to the brevity and clarity of UK auditing standards as an example.

The main points below all arise from ISA XX "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement".

Business risks (paragraphs 36-40)

We do not agree with the conceptual basis which uses business risks as a primary driver in identifying potential misstatements in the financial statements. We note that consideration of business risks can be a very useful technique to identify opportunities for non-audit work but we feel it has only a small part to play in the identification of risks of material misstatement. We feel the understanding of objectives and strategies is an integral part of understanding the nature of the business, and the understanding of business risks as relevant to the audit flows naturally out of this in the identification of risks of material misstatement. We have expanded these points later in this letter.

Relevant controls (paragraphs 83-84)

The draft standard is unclear as to what relevant controls are and the circumstances in which they do or do not have to be understood. We feel that it is important that there is no requirement to obtain an understanding that will not then be used by the auditor, and that mandatory compliance testing is not brought in by the back door by this standard. We believe that paragraph 110 provides sufficient safeguards to mandate detailed understanding of controls.

Significant risks (paragraphs 104-109)

Whilst we agree with the identification of significant risks and the linkage of specific audit procedures to them, we feel there is a need for a simpler definition of significant risk. The phrase "risks that require special audit consideration" is sufficient without the additional guidance which clouds the issue. Such a decision will always be a matter of judgment and the guidance does not assist this. We also believe that the requirement to identify such risks before considering controls is flawed and inefficient and should be removed, as should the requirement to evaluate the design and determine the implementation of controls for these risks. Paragraph 110 already identifies those circumstances when this understanding of controls will always be required.

We would also draw your attention in particular to our comments on the following areas of this standard as set out below:

  • Paragraph 8, and the nature and extent of mandatory procedures
  • Paragraphs 51 and 55, and the freedom of auditors to adopt a terminology and conceptual framework of internal control of their choice
  • Paragraph 77 and the inclusion of supporting information within the definition of accounting records
  • Paragraph 81 and the reference to business processes.

We set out below our responses to the issues raised in Appendix 3 of the Explanatory Memorandum.

General

We believe that auditing standards should apply to all sizes of entity. If the requirements of a standard need modifying for the standard to be usable for a small entity, they should be modified in the main standard. Implementation guidance on the standard for small, public sector, not for profit and other specific entities is best placed outside the standard, either as an appendix to the standard or in a separate practice statement.

Whilst we believe the general thrust of the standards is applicable for all sizes of entity, we would draw attention to the following changes which will be particularly important for smaller entities.

  • The overall length of the definitive standards (as opposed to the appendices) is too long. Much of the grey text is guidance and should be outside the body of the standard. This is in accordance with drafting principle based standards rather than detailed prescriptive rules.
  • Careful consideration should be given to the content of black letter paragraphs. In several cases some of the specific requirements would not apply to smaller entities, including the nature of the risk assessment procedures (paragraph 8), the requirement to assess controls for risks of special significance (paragraph 104), the documentation of internal control (paragraph 117(b)).
  • Business risk consideration is particularly difficult for smaller entities where risk assessment processes are informal and a classically trained management team may not be in place. This is further grounds for our argument (set out below) that this should not form part of the final standard.
  • The clarification of the requirement towards controls, especially to test the design and implementation of relevant controls (paragraphs 83-84) and to test the operating effectiveness (paragraph 12).

ISA XX, "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement"

We feel that users of the standard, especially those required to determine a firm's policies and procedures, will find the guidance in the Appendix useful. If the guidance was not published by the IAASB, we would need to carry out further research. There is however ample material available on this subject.

As noted above we do not believe this guidance should form part of the standard itself, and much of the standard should instead be included in the appendix. It may be appropriate to move the contents of the appendix to a separate guidance paper, also to be published by the IAASB and at the same time as the standard. This would mean that changes in management practice would not automatically require the updating of the standard, and would support the statement in paragraph 55 of the standard that firms may use different terminologies and conceptual frameworks. The guidance would then take on the form of a view of internal control and would be available for users without being mandated as a framework.

ISA XX, "The Auditor's Procedures in Response to Assessed Risks"

We believe it would be better for the period of reliance on controls not previously tested to be left to the judgement of the auditor. There should however be a requirement for the auditor to document each year why they consider there is no need to retest the controls. It may be appropriate for the IAASB to publish a separate paper with the results of its research into this area to provide guidance to firms.

Documentation

We do not believe there should or need be prescriptive documentation requirements in these standards. Instead we feel there should be a requirement for an auditor to demonstrate how they have complied with the (black letter) auditing standards.

However, if the current documentation requirements are retained, we would suggest as noted below that the requirements in paragraph 117(b) are reduced. As they stand these would both force the adoption of a particular framework for internal control and be overly burdensome for the audit of a smaller entity. We would suggest this be replaced with a requirement for an "evaluation of internal control and the basis for it".

Set out below are our detailed comments on the various standards. We have not noted the conforming changes within the draft standards needed as a result of the changes noted below.

ISA XX, "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement"

Paragraph 8 mandates three types of procedure which must be performed as risk assessment procedures. We do not support a requirement to enquire of those outside management and to perform observation and inspection in all cases without exception, which is mandated by paragraph 8. We are confused by paragraph 17 which seems to say that paragraph 8 may not apply in all cases.

We suggest that paragraph 8 is redrafted to require enquiry, analytical procedures and other procedures as necessary. The following paragraphs could then be rephrased as guidance on these requirements, and paragraph 17 could become a clearer statement that the nature and extent of risk assessment procedures varies depending on the size and nature of the entity, although it is questionable if such a statement is necessary.

Paragraphs 18 - 22 deal with the requirement for a discussion amongst team members, including the "auditor with final responsibility". Paragraph 20 includes a reference to "how" this occurs but this is not explained; we would interpret this to mean that the discussion could be achieved by any means (including telephone or video conference, web meeting or email discussion) as long as the objective of an interchange of views is achieved. If this is not the case this section should be amended to clarify this.

Paragraph 34 requires an auditor to consider an entity's accounting policies. Whilst an understanding of accounting policies and how they differ from other entities in the same industry can help identify risks of misstatement, there is also a requirement under some financial reporting frameworks (IAS 8 as amended by the improvements project and in the UK FRS 18) for management to choose appropriate accounting policies. For an auditor to express an opinion that the accounts give a true and fair view, substantive evidence about these presentation assertions is required; the risk assessment procedures in paragraph 34 may help towards this but are unlikely to be sufficient. We suggest that it is made clear in the grey part of this paragraph that the risk assessment procedures should be the basis of the substantive work in forming an opinion on these assertions.

Paragraph 35 deals with disclosure of material matters. As drafted, this paragraph does not reflect the impact on risk assessment but would sit more appropriately in an ISA dealing with such disclosures, perhaps within ISA 501. Alternatively the contents of this paragraph could be combined with the discussion of assertions relating to disclosures in paragraph 7 of ISA XX "Audit Evidence".

Paragraphs 36 - 40 present a requirement to understand the business's objectives and strategies and business risks that may result in misstatements in the financial statements. We believe that a requirement to identify business risks should not form part of the final standard and these paragraphs should be removed.

We suggest that the understanding of objectives and strategies is part of the understanding of the nature of the entity and should be included within paragraph 32. Paragraphs 36 - 40 should be replaced with a sentence in paragraph 33 to say that "An understanding of an entity's objectives and strategies can lead to the identification of business risks and management actions which may lead to potential misstatements in the financial statements and a better understanding of expectations in the financial statements." The reasons for this and the flaws we perceive in these paragraphs and the method within them are set out below.

Paragraph 39 states that "Most business risks will eventually have financial consequences". This is incorrect. A risk is something that may affect the business adversely, and many risks will not arise. It is only when the risk occurs, or the entity acts to deal with the risk, that there could be a financial effect. It therefore follows that an understanding of all business risks is not required for the audit.

Where management acts to control a risk, there will often be a financial effect of this control. Most of these will be either separate classes of transactions (eg insurance) or an increase in an existing class of transaction (eg staff costs), so do not need to be considered separately to identify risks of material misstatement in the financial statements.

When a business risk occurs during a period there is likely to be an effect on the financial statements. Many of these effects will just be a change in the number or value of an existing class of transactions (eg the risk that a competitor will gain market share, if it occurs, will lead to a reduction in sales). Thus an understanding of the business in this area will often enhance analytical review procedures but is rarely helpful to identify risks of material misstatement. It is also important to note that even business risks that arise and have a material effect on the financial statements other than a change in an existing class of transactions, will not give rise to a misstatement if management have correctly accounted for them.

There is also a difficulty with identifying risks which have occurred in a period. Management typically focus on controlling risks which have not occurred, so basing an assessment on management's processes is unlikely to be effective. Also in many businesses compliance and financial reporting objectives are not stated and hence risks relating to these implied objectives will not be identified unless the auditor adds to management's objectives.

A caveat to the above is that any business risk can potentially lead to a change in the fundamental going concern basis of preparation of the financial statements. As an event after the balance sheet date which changes the going concern basis is always adjusting (under IAS 10 and SSAP 17), any risk may be material. We believe it is more appropriate for consideration of all the risks affecting going concern to be made together.

Paragraphs 41 - 44 cover the entity's risk assessment process. This is included in paragraph 51 as a component of internal control and in the light of our comments above on business risk we feel that these paragraphs would be best included after paragraph 75.

Paragraphs 45 - 49 deal with understanding the measurement and review of the entity's financial performance. We feel this is part of the control procedures within the component of internal control set out in paragraph 51 and this detailed guidance should be included with that in paragraph 83 onwards.

Paragraph 47 refers to gaining an understanding of an entity's performance measures. As described in this paragraph this is distinct from an understanding of the measurement and review process. The understanding of performance measures themselves is an essential part of planning the audit but is not part of the understanding of internal control; it is part of preliminary analytical review referred to in paragraph 8(b). As such this guidance should be included in paragraph 12 or within ISA 520.

Paragraphs 41 to 94 deal with gaining an understanding of internal control. We believe that much of this material could be placed in the appendix, thus shortening the length of the standard and making it easier to use. Please note that our comments above regarding the moving of sections do not overrule our suggestion that all the detailed guidance is removed from the standard.

Paragraph 51 states that the purpose of internal control is to provide assurance about "financial reporting, effectiveness and efficiency of operations and compliance with applicable laws and regulations". This is an assumption; surely the purpose of internal control should be determined by those charged with governance / management of each entity. To define this in an auditing standard in this way is inappropriate. We suggest that this sentence is reworded to start "Internal control as considered in this ISA is designed and effected...".

Paragraph 51 defines five components of internal control. Paragraph 55 says that firms may use differing conceptual frameworks providing the requirements of the ISA are met. We do not believe that the definitive nature of the statement in paragraph 51 is appropriate or beneficial. We believe that the statement in paragraph 55 would be better appended to paragraph 51.

Paragraphs 53 to 60 deal mostly with specific controls (control procedures and the monitoring of controls) rather than the control environment, the entity's risk assessment process and the information systems. We believe this could be made clearer by use of an appropriate subheading prior to paragraph 53.

Paragraph 66 states that internal control "can provide an entity only reasonable assurance about achieving the entity's objectives". Internal control can provide such assurance about meeting financial reporting and legal and compliance objectives but may not be able to provide such assurances about business and operational objectives; these typically are heavily influenced by external factors which the entity cannot fully control. For example, an objective to increase sales may not be met despite internal control procedures because the market plunges, despite extensive control procedures being in place. We suggest the first sentence is reworded to make this clearer.