DateSecrétariatFédérationRue de la Loi 83

Généraldes Experts1040 Bruxelles

31 March 2003ComptablesTél. 32 (0) 2 285 40 85

EuropéensFax: 32 (0) 2 231 11 12

E-mail:

Mr J. Sylph

Technical Director

International Auditing and Assurance

Standards Board

535 Fifth Avenue, 26th Floor

New York 10017

USA

Dear Sir,

Audit Risk: Proposed International Standards on Auditing and Proposed Amendment to ISA 200, “Objective and Principles Governing an Audit of Financial Statements”

  1. The Fédération des Experts Comptables Européens (FEE) is pleased to respond to the IAASB’s request for comments on the Audit Risk Exposure Drafts. We provide overall comments on matters of strategic importance to the IAASB before setting out answers to questions asked in Appendix 3 of the Explanatory Memorandum and making comments on matters of principle and drafting in relation to each of the Exposure Drafts.

Matters of strategic importance to the IAASB

  1. FEE strongly supports the work of the IAASB and in November 2001, published its “Proposal on International Standards on Auditing in the EU”. We proposed that by 2005 all auditors in the European Union should apply ISAs in performing statutory audits. This proposal has attracted widespread support within Europe and we welcome the IAASB’s acknowledgement of the importance of EU support in deciding on its own priorities, work programme and consultation activities, for example in relation to the revision of ISA 700 on the auditor’s report.
  1. The IAASB’s Audit Risk Exposure Drafts are central to how the FEE proposal is taken forward. In this context our views are as follows:
  • We believe it to be important that the IAASB react to recent crises regarding the credibility of audited financial statements by ensuring that auditing standards address the needs of the users of financial statements and audit reports, as well as addressing regulators’ concerns. The Exposure Drafts represent a substantial improvement on current ISAs and national auditing standards and provide an opportunity to enhance the credibility of risk-based auditing and the quality of audits. They are better than existing standards in dealing with business risk and the auditor’s understanding of the business, linking the auditor’s risk assessment and audit testing, and defining the broad range of information that constitutes audit evidence.
  • However, as currently drafted, the Exposure Drafts would be unnecessarily difficult to implement across the EU, particularly for auditors of smaller enterprises. In aggregate they are too long, complex to understand and too prescriptive. This will cause problems of translation, interpretation, training and application which are likely to prevent or delay successful implementation.
  • It would be helpful if the IAASB could come forward with early and urgent proposals to respond to difficulties identified with the Exposure Drafts so that EU regulators, standard setters and professional bodies can make a realistic assessment of an appropriate timetable for the adoption of ISAs.
  1. The volume of guidance provided in these documents is considerable and goes beyond that normally provided in ISAs designed to focus on basic principles and essential procedures. In the following sections of this letter, we make detailed comments to explain our concerns about the length, complexity and prescriptiveness of the Exposure Drafts, as well as specific suggestions for improvement. However, general suggestions that can be made are that the IAASB might:
  • set out bold-type requirements in standalone paragraphs and ensure that each succeeding grey-type paragraph clearly provides explanatory and illustrative material to support the preceding bold-type paragraph;
  • frame bold-type basic principles as requirements not just to do something but to do something in order to achieve a desired outcome;
  • frame bold-type essential procedures in sufficiently general terms to permit auditors to exercise professional judgement in applying them, instead of feeling compelled to perform specific procedures simply because they are required; and
  • check that all bold-type requirements are of general applicability to all auditors regardless of the size of the audit team or the size and complexity of the audited entity.
  1. These observations reflect the fundamental conditions for the adoption of ISAs in the EU. The standards must be principle-based and, because “an audit is an audit”, applicable to all audit engagements.

Questions in Appendix 3 of the Explanatory Memorandum

The IAASB recognizes that the audit of small entities may give rise to certain special audit considerations. Are there such special considerations in applying the standards and guidance contained in proposed ISA XX, “Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement”, and proposed ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”? If so, include details of such considerations.

  1. In our view, the IAASB’s approach to the audit of smaller entities is fundamentally problematic. The approach may be characterised as follows:
  • bold-type ISA requirements are drafted in terms of audited entities that are large and complex and large audit teams;
  • grey-type ISA guidance covers all circumstances that might be relevant to large complex audited entities and large audit teams;
  • additional guidance for auditors of smaller entities (whether in an ISA, an appendix to an ISA or practice statement IAPS 1005) explains how elements of ISAs may be disregarded or interpreted when auditing smaller entities.
  1. The IAASB’s approach not only undermines the idea that an “audit is an audit” but it also has the unreasonable effect of requiring auditors of smaller entities to have regard to more material than auditors of large and complex entities.
  1. We suggest that the IAASB follow an alternative “think small first” approach that may be characterised as follows:
  • bold-type ISA requirements should be drafted in terms of all audits regardless of the size and complexity of the audited entity or the size of the audit team;
  • grey-type ISA guidance should first cover circumstances that apply to all audited entities and audit teams; and
  • additional grey-type ISA guidance should contain specific references to the circumstances in which it is applicable, for example, when dispersed operations call for formalization of the audited entity’s processes or when the size of the audit team calls for more formal communications and meetings.
  1. Such an approach would reinforce the idea that “an audit is an audit” and help ensure that the introduction of ISAs in the EU would not result in excessive costs, particularly amongst smaller entities and their auditors.

Appendix 2 of ISA XX, “Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement” contains further guidance to assist the auditor in understanding the components of internal control, including their application to small entities. Is this additional guidance helpful, or is there sufficient material within the ISA itself? In considering this question, commentators should assume that the paragraphs relating to small entities will be retained whether in the Appendix or elsewhere.

  1. As a general observation, we do not favour the inclusion of material in appendices to ISAs because of the uncertainty this creates as to its status and its relationship to bold-type requirements. In this particular case, we believe not only that the material in Appendix 2 is excessive but also that much of the related guidance in paragraphs 50 to 94 is unnecessary.
  1. We are particularly concerned that Appendix 2 and paragraphs 50 to 94 will have the overall effect of enshrining the COSO model of the components of internal control within International Standards on Auditing. It is inappropriate for one national model to be accorded such authority and we endorse paragraph 55 of the proposed ISA which appears to recognize this point.

Where the auditor plans to rely on controls that have not changed since they were last tested, paragraph 38 of ISA XX, “The Auditor’s Procedures in Response to Assessed Risks” requires the auditor to test the operating effectiveness of such controls at least every third audit. Is it appropriate for the ISA to specify a time period, and if so, is every third audit an appropriate limit? If not, please indicate what time period, if any, is considered more appropriate.

  1. In our view, it is appropriate for the ISA to require auditors to apply judgement to determine the frequency of testing of unchanged controls in order to ensure that they have adequate evidence to support their conclusions. It would also be appropriate for the ISA to contain explanatory material that illustrates circumstances in which an auditor performs such testing every third year. However, it is inappropriate to specify a time period in the ISA.

The IAASB considers that documentation requirements are important as a means of ensuring that auditors comply with significant requirements of the standards. The requirements are more extensive than previously. Do commentators agree that it is appropriate for the IAASB to establish detailed documentation requirements? Are the proposals practical? If not, what suggestions do you have for documentation that achieves the objectives of improving compliance with standards?

  1. We fundamentally disagree with the premise of these questions. In our view, bold-type requirements related to documentation need to specify the purpose of documentation, but this should not be “ensuring that auditors comply with significant requirements of the standards”. Such a statement denigrates auditors and would be quite inappropriate for inclusion in ISAs
  1. Our suggestion is that bold-type paragraphs should emphasise that the purpose of documentation is to enable a reviewer who is knowledgeable about auditing but has no prior knowledge of the audit to understand the procedures performed, the conclusions reached and the basis for those conclusions. Further bold-type requirements should cover specific procedures to be documented but do so in sufficiently general terms to permit auditors to exercise professional judgement in applying them.
  1. There is a balance to be struck between the costs and benefits of documentation. Ultimately, it is the quality of the auditor’s procedures and conclusions that benefit users of audit reports, not the quantity of audit documentation. Audit documentation represents only the starting point for any evaluation of the quality of the auditor’s work; it is not the be-all and end-all of such an evaluation.

Proposed Amendment to ISA 200, “Objective and Principles Governing an Audit of Financial Statements”

  1. In our view, the proposed amendment significantly improves ISA 200 so that it provides a much more robust basis for the IAASB’s risk-based auditing standards. Nevertheless, we have a number of suggestions for further improvements.
  1. Paragraph 13 underlines the importance of the concept of “reasonable assurance” to a financial statement audit. The term is not only central to the auditor’s report under ISA 700, but it is also the heading for paragraphs 8 to 11 of ISA 200. In these circumstances, we recommend that the IAASB takes the opportunity provided by the amendment of ISA 200 to:
  • establish the importance of the concept of reasonable assurance in a bold-type paragraph; and
  • directly relate the idea of acquiring reasonable assurance to the idea of reducing “audit risk to an acceptably low level” as set out in bold-type paragraph 14.
  1. Paragraphs 16, 19, 20 and 21 all make reference to assertions. It might therefore be helpful if the IAASB were to provide some explanation of the term instead of deferring such discussion to paragraph 7 of the proposed ISA, “Audit Evidence”.
  1. The first sentence of paragraph 16 declares in effect that the auditor’s responsibilities only extend to misstatements that are material to the financial statements “taken as a whole”. It is unclear how this view is consistent with the statement in the next sentence that the auditor considers materiality not only at “the overall financial statement level” but also “in relation to the individual classes of transactions, account balances and disclosures and the related assertions”. An explanation would be helpful.
  1. The second sentence of paragraph 17 states that risks of material misstatement that relate pervasively to the financial statements as a whole “often relate to the entity’s control environment, and are not necessarily risks identifiable with specific assertions”. However, it should also be acknowledged that such risks also often relate to factors that have nothing to do with the control environment, such as economic conditions and external pressures on management.
  1. The final sentence of paragraph 17 states that the auditor’s consideration of the risk of material misstatement includes consideration of a range of factors related to the audit team rather than the audited entity such as its knowledge, skill and ability, the involvement of experts and supervision. In our view, these factors relate to the auditor’s response to the risk of misstatement, not the risk itself. This apparent mistake should be corrected.
  1. We also have the following drafting suggestions:
  • consistent with the Exposure Drafts’ recognition of the importance of business risk, paragraph 12 should state that the auditor is “ultimately” concerned only with risks that may affect the financial statements;
  • it is unclear what is achieved by qualifying the reference to conclusions in paragraph 14 and referring to “reasonable conclusions”;
  • in paragraph 18 it would be better to say that the auditor seeks to “respond to” risks and not to “restrict” them which is surely the prerogative of management;
  • note 2 to paragraph 18 could be removed since paragraph 20 adequately makes the point that auditors may wish to assess risk in quantitative terms but are not obliged to do so;
  • the references to inherent risk, control risk and detection risk in paragraphs 19 and 21 should be aligned with the existing Glossary of Terms and existing ISAs;
  • the second sentence of paragraph 21 should refer to audit procedures in the plural;
  • the last sentence of paragraph 21 might better refer to reducing risks associated with the conduct of audit procedures to an “acceptably low level” rather than a “negligible level”; and
  • the statement in the second sentence of paragraph 22 that detection risk bears an inverse relationship to the assessment of the risk of misstatement at the assertion level is not correct since detection risk bears an inverse relationship to the risk of misstatement not to the assessment of the risk of misstatement. Presumably, what was meant is that the permissible level of detection risk varies inversely to the assessed risk of misstatement for a given level of audit risk. Hence, the sentence should read “For a given level of audit risk, the acceptable level of detection risk varies inversely to the assessed risk of misstatement”.

Proposed International Standard on Auditing, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”

  1. In our view, this Exposure Draft presents a thorough explanation of the risk assessment process which is missing from current ISAs and national standards. It does an excellent job of explaining the relationship between business risk and audit risk and of integrating requirements relating to the auditor’s understanding of the business, the control environment and accounting systems into the fabric of the audit.
  1. However, our principal concerns are that the Exposure Draft is too long, complex to understand and too prescriptive. The structure of the Standard is not conducive to ease of application and therefore could be improved. Because the Standard is difficult to understand and hence apply in certain areas, there is a risk that the quality of audits may be adversely affected, particularly for less complex audits performed by small and medium-sized practices. In the context of trying to implement the proposed ISA across the European Union by 2005, these are significant concerns. They will exacerbate problems of translation, training and implementation, particularly on audits of smaller enterprises which are very important in the EU. We explain our concerns in the paragraphs that follow.
  1. We are surprised that the Exposure Draft does not contain upfront a bold-type requirement to perform an assessment of the risks of a material misstatement of the financial statements. This would make the proposed ISA easier to follow and provide a context for the bold-type requirement in paragraph 4 that the auditor obtains an understanding of the entity and its environment that is sufficient to assess the risks of material misstatement. As things stand, the reader has to wait until paragraph 95 of the Exposure Draft for a bold-type paragraph that requires the auditor to assess risks of material misstatement.
  1. Confusingly, although it takes until paragraph 95 to introduce a requirement to assess risks of misstatement, earlier parts of the proposed ISA refer extensively to “risk assessment procedures”. In our view, it is contrary to the normal use of English for paragraph 7 to characterise audit procedures to obtain an understanding of the entity and its environment as “risk assessment procedures”, especially when the same paragraph states that such procedures for obtaining an understanding may also be used as substantive tests and tests of controls.
  1. We suggest that it would be easier to dispense with the idea of risk assessment procedures and simply refer to auditors carrying out procedures to obtain an understanding of the entity and its environment sufficient to enable them to assess the risks of material misstatement. It would be particularly helpful if bold-type paragraphs 28, 32, 34, 41, 45, 50 and 68 could make reference to the fact that the purpose of procedures to obtain an understanding of the entity and its environment is to enable auditors to assess risks of material misstatement.
  1. Paragraph 8 deals with inquiries, analytical procedures, observation and inspection. We consider it useful as guidance but not as a bold-type requirement. It describes methods for achieving the objectives set out in paragraph 4 but these methods are not essential procedures in their own right. The methods described are techniques for obtaining evidence rather than procedures that should be mandatory for completing any aspect of understanding the entity and its environment.
  1. The discussion of smaller, less complex entities in paragraph 17 is not as helpful as it might be. In our view, it would be better to adopt a “think small first” approach. This would mean any grey-type paragraph would make reference, where applicable, to the fact that it was only applicable to entities that exceeded a particular size or had particular complexities in their range of products and services, structures, systems, controls, transactions, IT applications or legal and regulatory requirements.