Technical Director of IAASB

Mr. J.M. Sylph

Technical Director

International Auditing and Assurance Standards Board

International Federation of Accountants

535 Fifth Avenue, 26th Floor

New York 10017

New York

USA

31 March 2003

Dear Mr. Sylph,

Response to IAASB Exposure Drafts:

  • Amendment to ISA 200, “Objective and General Principles Governing an Audit of Financial Statements”
  • ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”
  • ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”
  • ISA XX, “Audit Evidence”

We are writing in response to the invitation to comment on the Exposure Drafts of the above mentioned proposed new International Standards on Auditing. This response is made on behalf of PricewaterhouseCoopers worldwide.

Overall, we support the general direction of the proposed ISAs, and believe that they represent an appropriate response to recent changes in the business environment. However, we have identified below issues where, in our opinion, there is a need for greater clarity before finalising the new ISAs. In the appendices to this letter, we comment specifically on the issues identified in Appendix 3 of the explanatory memorandum, and provide more detailed comments on each of the drafts.

Understanding of internal control components

We are concerned that the work effort expected in the draft ISA “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement” with respect to obtaining an understanding of each of the five internal control components is not defined sufficiently clearly. In particular, as drafted, the proposed principles and guidance could be interpreted to direct a significant amount of the auditor’s attention to obtaining an understanding of all control procedures even when the auditor concludes that it is not appropriate, or effective, to obtain audit evidence from the effective operations of those controls. Is that what was intended?

The root of our concern rests in two areas of the proposed guidance. Firstly, we do not believe that, as currently drafted, the ISAs provide sufficient clarity on the scope of the controls for which an understanding is required, particularly with respect to control procedures. We are concerned that this lack of clarity could, in fact, misdirect audit effort by requiring the auditor to devote an unwarranted amount of attention to unimportant matters, and detracting attention from key issues. Secondly, we believe that the work required to understand internal controls – defined as requiring an evaluation of design and determining whether the controls have been implemented – requires further consideration. These points are discussed more fully below.

Scope of understanding of control procedures

Paragraph 83 requires the auditor to obtain an understanding of control procedures “relevant to the audit”. Paragraph 57 defines controls relevant to the audit as those that individually or in combination with others are likely to prevent, or detect and correct, material misstatements of the financial statements. This sets rather broad parameters when considering all of the various control procedures that an entity would have in place. The explanatory guidance in paragraph 84 appears to seek to limit this requirement by allowing the auditor to consider knowledge about the presence or absence of control procedures obtained from considering other control components, but does not provide any real clarity in defining the extent of understanding that is required.

We believe that the proposed ISA needs to put in place appropriate boundaries for the scope of control procedures of which the auditor needs to obtain an understanding. We believe that paragraph 4 sets appropriate boundaries for the auditor’s understanding – an understanding that is sufficient to identify risks of material misstatement arising from any weaknesses in control, and sufficient to design and perform further audit procedures. But the proposed guidance on control procedures fails to show how those boundaries apply when the auditor is obtaining an understanding of control procedures.

The initial source of confusion in the proposed wording begins in paragraph 50, which requires the auditor to perform risk assessment procedures to obtain an understanding of the components of internal control, without modifying language to define the nature and extent of that understanding. We question whether there is a need for a bold lettered principle in paragraph 50, as paragraph 8 already establishes that the auditor needs to perform risk assessment procedures to obtain an understanding of internal control and there are separate bold lettered requirements for each of the control components. We would recommend that the opening sentence in paragraph 50 be guidance rather than bold lettered, and modified by the same wording as is in paragraph 4 (“sufficient to assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures”). The bold lettered requirements for each of the control components would define more precisely the expectations regarding the nature and extent of understanding for each component.

It would also be useful in these opening paragraphs on controls to clearly state that the scope of understanding of each of the control components that is appropriate will vary depending on the circumstances. This is alluded to in paragraphs 51 and 52, but only in an indirect manner. It would alleviate much of the concern if it was acknowledged at the outset that the level of understanding of controls that is needed to identify risks and plan further audit procedures will vary depending on the circumstances. We believe that more often than not, it will be at the control procedures level that the breadth and depth of understanding that is necessary will justifiably vary. It would be useful to set the stage by recognising that fact in these opening paragraphs.

It might also be useful in the opening paragraphs to explain that, because the objectives of the engagements are different, the understanding that the auditor needs of internal control for purposes of the financial statement audit is significantly less than that required in order to be able to express an opinion on the operating effectiveness of internal control. The distinction is discussed in the US Auditing Standard Board’s recently issued Exposure Draft, “Auditing an Entity’s Internal Control Over Financial Reporting in Conjunction With the Financial Statement Audit”, and IAASB might find some useful comparisons in that Exposure Draft.

Further clarity is also required in paragraphs 83 and 84 with respect to the expectations regarding control procedures. Paragraphs 104 and 110 set a baseline for the control procedures for which the auditor should evaluate the design and determine whether they have been implemented. We agree that it is important for the auditor to understand the design of the control procedures related to significant risks and to those risks for which, in the auditor’s judgment, it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures. We also believe that the auditor should obtain an understanding of control procedures sufficient to identify risks of material misstatement arising from any weaknesses in control, and sufficient to design and perform further audit procedures. But that understanding may not need to be extensive when it would be more effective and efficient to respond to risks of material misstatement using substantive procedures.

For example, if the auditor has assessed that the entity has a poor control environment, the auditor would appropriately conclude that little audit evidence can be obtained through controls and, therefore, focus further audit procedures on substantive tests. In such circumstances, we believe that the auditor would need only to gain a relatively broad understanding of control procedures related to the information system and related business processes (as discussed in paragraph 77) and the IT environment in order to plan effective substantive tests to respond to the risks of material misstatement. In other circumstances, the auditor might adopt a top-down approach to controls and conclude that a sufficient understanding has been obtained when the auditor is satisfied that a control would detect any misstatements that might have occurred as a result of a failure or weakness in more detailed control procedures at a lower level. Clearly if the auditor intends to use a particular control procedure or combination of procedures as evidence to support a particular financial statement assertion, the auditor would need to evaluate the design of that control and be satisfied that it has been implemented. But we are not convinced that level of understanding is warranted for all control procedures in all circumstances and could, in fact, reduce the quality of the audit by detracting attention from key issues.

Therefore, we believe that some revision to paragraphs 83 and 84 is required to clarify the auditor’s responsibility to understand control procedures. This should reinforce the basic standard set out in paragraph 4 that the auditor’s understanding should be sufficient to assess risk and design and perform further audit procedures. In cases where the auditor is not seeking to rely on controls, the extent of understanding of control procedures to achieve this could be minimal, and would not need to extend to all “control procedures relevant to the audit” as currently defined, and this should be recognised in the standard. To demonstrate how the work effort that is appropriate in the circumstances will vary, it would help to strengthen the link between control procedures and paragraphs 104 and 110 so that it is clear that, at a minimum, the auditor needs to obtain a solid understanding of the control procedures related to those risks. Having established that as a baseline, the guidance could subsequently contrast the work effort that is necessary for other control procedures, perhaps using examples similar to those in the paragraph above.

Evaluation of design and implementation

Paragraph 53 explains that obtaining an understanding of internal control includes evaluating the design of a control and determining whether it has been implemented. It also explains the procedures that are necessary to gain this understanding, for example, inquiring of entity personnel and inspecting documents and reports. However, we believe these procedures could be more than is necessary in some circumstances to obtain an understanding of the design and implementation of controls in order to assess the risks of material misstatement and design and perform further audit procedures. In fact, the procedures may be more akin to those necessary when performing tests of operating effectiveness.

We believe that this requirement should be amended to make the approach practical on all audits, particularly those where the auditor gains assurance primarily from substantive tests. We are not convinced that the level of work effort needed to obtain a sufficient understanding of design of, in particular, control procedures needs to be extensive. One approach is that paragraph 53 (and certain other paragraphs) be amended to ensure that the procedures necessary to determine implementation are more focussed, providing a clearer distinction between understanding and tests of operating effectiveness.

Financial statement assertions

Generally, we agree with the focus on financial statement assertions within the ISAs, because it will help to ensure that auditors properly consider the different types of potential misstatements that may occur. However, we are concerned that the proposed categorisation of assertions into transactions/events, balances and presentation and disclosure is over-engineered. In practice auditors use evidence about assertions for transactions/events as part of their evidence about balances, and use evidence about assertions for transactions/events and balances as part of their evidence in evaluating presentation and disclosure.

We believe, therefore, that some simplification of the assertions should be possible. One alternative would be to consider the categories to be cumulative, in the sense that the assurance obtained with respect to an account balance is dependent on the evidence obtained on the related transaction and event assertions. Thus, in obtaining sufficient appropriate evidence for the financial statements, the auditor obtains cumulatively sufficient appropriate evidence to support the assertions for, first, transactions and events, then account balances, and finally presentation and disclosure. If this model is accepted, it is not necessary to repeat, for example, completeness for both transactions and events, and account balances. The “cumulative assertion” model would look like:

Transactions and events

  • Occurrence
  • Completeness
  • Accuracy
  • Cutoff
  • Classification

Account balances

  • Existence
  • Rights and obligations
  • Valuation

Presentation and disclosure

  • Completeness (or compliance with all required disclosure requirements)
  • Transparency

We also believe that the occurrence assertion for classes of transactions and events should be modified to include the concept that the auditor is likely to be concerned principally with the transactions that give rise to the rights and obligations, for example in examining terms of sales contracts. This could be achieved by amending the definition of the occurrence assertion as follows: “the transactions and events giving rise to rights and obligations that have been recorded have occurred and pertain to the entity.”

Closing remarks

In conclusion, we would like to reiterate our support for this project. We recognise the significant effort involved in developing these proposed revisions to the core concepts underlying the audit of financial statements and commend IAASB for paving the way for greater international convergence by working jointly with the US Auditing Standards Board on this project. We believe that the new ISAs will prove to be a significant enhancement of the international auditing standards literature.

In finalising the ISAs, we encourage IAASB to consider the areas that we have identified where we believe that clarification is needed to ensure consistent interpretation and application of the new ISAs and our other suggestions for improving the structure and clarity of the drafts. Given that these audit risk standards will be the framework on which many of the other auditing standards are based for the foreseeable future and will be applied by auditors all around the world, it is important that the final ISAs are understandable and define sufficiently clearly what is expected of auditors.

Please contact either Diana Hillier (+44 (0)20 7804 0472) or Geoffrey Swales (+44 (0)20 7213 3350) if you would like to discuss any of these comments further.

Yours faithfully,

[Original signed and forwarded by post]

PricewaterhouseCoopers

Appendix 1

Comments on issues identified in Appendix 3 of the explanatory memorandum on which specific comment was invited

In relation to the audit of small entities, are there special audit considerations in applying the standards and guidance contained in proposed ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement” and proposed ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”?

Will the further guidance in Appendix 2 assist the auditor in understanding the components of internal control, including their application to small entities, or is there sufficient material in the ISA itself?

Generally, the additional material could be helpful to auditors in further understanding internal control, and therefore we welcome its inclusion. However, we believe that the main body of the standard is too detailed, and we recommend that Appendix 2 be expanded by the inclusion of some of the detailed material currently included in paragraphs 50 to 94. Some simplification should then be possible to eliminate any duplication.

The paragraphs relating to small entities are somewhat brief. There are special considerations in applying the standards and guidance to small entities. Although we believe that the standards are generally relevant to the audits of small entities, some limited additional guidance on how to apply them would be welcome. The IAASB states, in the explanatory memorandum, that an alternative would be to include additional guidance in the IAPS on small entities. We believe that if this is to have real value, any revision to that IAPS to provide guidance on applying the new Risk Assessment ISAs should be issued at the same time as the final ISAs.

Is it appropriate for the ISA to specify a time period to limit the ability of the auditor to use audit evidence obtained in a prior audit?

It is helpful to set out a benchmark such as a three year period, and we believe that such a period is appropriate. However, we would prefer that the bold lettered requirement indicate that the auditor should consider whether it is appropriate to retest the controls in light of the fact that the longer the time elapsed since the controls were tested, the less audit evidence it provides about the effectiveness of the control in the current audit period. The guidance could then emphasise that the auditor would need to use professional judgement and knowledge of the entity’s circumstances, with the three year period being considered a rebuttable presumption as the appropriate time period.

Is it appropriate for the IAASB to establish detailed documentation requirements? Are the proposals practical? If not, what suggestions do you have for documentation that achieves the objective of improving compliance with standards?

We believe that it is appropriate for the IAASB to establish detailed documentation requirements, in order to eliminate inconsistencies in practice. Generally we believe that the proposals are practical, subject to our detailed comment elsewhere in this response. This may be one area, however, where guidance for auditors of smaller entities would be useful.

Other general comments

In recently issued ISAs (for example, ISA 240 and ISA 570), IAASB has included a section on the responsibilities of those charged with governance and management. It would be useful to similarly establish management’s responsibilities in the risk assessment process.

There is already discussion of management’s risk assessment process for identifying and responding to business risks in the proposed ISA “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”. But we believe that the discussion in paragraph 23 of ISA 200 could also be expanded to more fully describe management’s responsibilities for assessing the risk of misstatement and putting in place controls designed to prevent or to detect and correct any misstatements. Much of the guidance in paragraphs 10-12 of ISA 240 could serve as a basis for this guidance, which would have the benefit of enabling the section in ISA 240 to be rewritten so that it focussed more directly on management’s responsibility to prevent and detect fraud.