
FRC response to IAASB Post-Implementation Review of the Clarified International Standards on Auditing

Technical Director
International Auditing and Assurance Standards Board
545 Fifth Avenue, 14th Floor
New York
New York 10017
USA

7 December 2012

Dear Mr Gunn

Post-Implementation Review of the Clarified International Standards on Auditing

The FRC welcomes the opportunity to provide feedback for the purpose of the post-implementation review being undertaken by the IAASB.

In this response we address:

  • Issues identified by the Audit Quality Review (AQR) team relating to the clarified ISAs; and
  • Feedback and recommendations from our work on auditor scepticism.

Issues identified by the AQR team

The FRC's AQR team has been gathering information on the effectiveness of the clarified ISAs in practice, based primarily on reviews of individual audits, over the past 18 months. The main areas identified to date in which the FRC considers that improvements to the ISAs may be necessary or desirable are set out in Attachment 1 to this response. Feedback from 2012/13 reviews of individual audits is still being gathered and analysed by the AQR Team. Further matters may therefore be identified and communicated to the IAASB at a later date.

Three issues in particular that have given rise to significant concerns are described in detail below:

(i) The objective of Engagement Quality Control Review (EQCR) and documentation of the review

We have identified significantly varying views of what is or should be the appropriate objective of the EQCR and the role of the reviewer. Under the current standards, the EQCR is defined as "A process designed to provide an objective evaluation, on or before the date of the auditor's report, of the significant judgments the engagement team made and the conclusions it reached in formulating the auditor's report." A particular concern raised by some stakeholders is that the standards put too much focus on the involvement of the EQCR towards the end of the audit, considering the engagement team's documented findings, at the expense of more independent consideration of the risks faced by the entity and whether the audit plan is designed to address those appropriately, which is best done at the start of the audit. The standards also appear to put emphasis on considering the audit documentation, when the concern of the EQCR should be more about whether risks have been appropriately addressed.

Our inspections often find that there is insufficient evidence of what the EQCR actually covered, the issues, if any, identified by it and how they were resolved. Our experience is that firms often only require a checklist (comprising the three items in paragraph 42 of ISQC 1) to be completed to evidence the EQCR. As a result, there is no evidence of the key audit areas reviewed and the extent of any challenge to key judgments made by the audit team. We therefore believe that the documentation requirements in ISQC 1 should be amended to make them less susceptible to engendering a checklist approach. Our 2011/12 Annual Report on our inspection work, published in June 2012, reported that one major firm had revised its policies to ensure that there is appropriate evidence of the review procedures performed and to emphasise the importance which the firm places on the EQCR's role.

We have also identified more fundamental questions about the purpose of an EQCR and how this should be designed to ensure those experienced audit partners who could contribute most in this role are encouraged to take on such roles. There is a concern that many such individuals are not incentivised to participate and indeed are put off by enhanced personal risk and increasing demands for more documentation.

The FRC intends to establish a working group to explore these issues further in early 2013 and will inform the IAASB of its conclusions and recommendations in due course.

(ii) The use of auditor's experts and the distinction from audit 'specialists'

Our audit inspections indicate that there are a number of issues that have arisen from the implementation of ISA 620, Using the Work of an Auditor's Expert. These are:

  • Audit firms are not interpreting and applying the standard in a consistent manner. Audit teams often outsource areas of the audit to internal experts with little or no involvement from themselves.
  • Some audit firms have sought to interpret narrowly the situations in which the requirements set out in ISA 620 need to be met.
  • The extent to which experts need to perform audit procedures is unclear.
  • The extent to which experts need to document their work is unclear.
  • The rationale and basis for distinguishing between work performed by internal experts and members of the audit team in areas such as tax is unclear.

With the above findings in mind, we have reviewed the structure and content of the relevant ISAs and observe the following:

  • Exclusion of an auditor's expert from the definition of the audit engagement team: An engagement team is defined to exclude an auditor's external expert. However, the requirement in paragraph 14 of ISA 220, Quality Control for an Audit of Financial Statements, regarding the assignment of engagement teams almost disregards this definition. It requires the audit engagement partner to be satisfied that the engagement team, and any auditor's experts who are not part of the engagement team, collectively have the appropriate competence and capabilities to:
    • Perform the audit engagement in accordance with professional standards and applicable legal and regulatory requirements; and
    • Enable an auditor's report that is appropriate in the circumstances to be issued.
  • Auditor mind-set: Paragraph 3 of ISA 620 under the heading "The auditor's responsibility for the audit opinion" states "The auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the auditor's use of the work of an auditor's expert. Nonetheless, if the auditor using the work of an auditor's expert, having followed this ISA, concludes that the work of that expert is adequate for the auditor's purposes, the auditor may accept that expert's findings or conclusions in the expert's field as appropriate audit evidence". This is an unusual paragraph and may serve to create a mind-set, within auditors, of acceptance of an expert's work without the need for adequate challenge. The effect of such a mind-set may be exacerbated because it appears to us that the requirements for determining what is "adequate for the auditor's purposes" set by the ISA are themselves inadequate or unclear (see below).
  • Relatively passive nature of the evaluation of the adequacy of the auditor's expert's work: Paragraph 11 of ISA 620 establishes requirements for the auditor agreeing the scope of the auditor's expert's work and paragraph 12 establishes requirements for evaluating the adequacy of the auditor's expert's work. There is little direct linkage between these two paragraphs and in particular paragraph 12 does not require the auditor to:
    • Evaluate whether the work done by the expert is in accordance with the agreed scoping; or
    • Evaluate the appropriateness of the expert's work as audit evidence for the relevant assertion (as ISA 500, Audit Evidence, requires the auditor to when evaluating the work of a management's expert).

The way in which these paragraphs are worded invites a passive rather than an active approach to evaluating the auditor's expert's work. This is compounded by paragraph A33 of the application material in ISA 620 which indicates that reviewing the auditor's expert's working papers and reports is an optional rather than a required procedure. The audit inspectors often see the use of the word "may" in this paragraph being used as the audit team's justification.

Distinction between audit specialists and auditor's experts

A further source of confusion is the distinction drawn in the ISAs between audit specialists and auditor's experts. An auditor's expert has expertise in a field other than accounting or auditing whereas a specialist uses expertise in a specialised area of accounting or auditing. However, there are not always clear distinctions between what constitutes accounting and auditing and what constitutes other specialisms, particularly in the taxation and valuation areas.

This distinction may incentivise audit firms or auditors to define what ought to be a "specialist" as an "expert" on the grounds that the audit engagement partner does not have equivalent review responsibilities over the expert's work and the working papers of an external expert do not constitute a requisite part of the auditor's documentation. Our inspections show that this distinction is not being applied consistently in practice by audit firms and audit engagement partners.

Recommendations

We recommend that changes be made to the ISAs in order to address the difficulties that have been identified and in particular to avoid practitioners mistakenly believing that artificially designating an individual to be an auditor's expert (rather than an auditor's specialist) may reduce the extent to which the audit engagement partner has to review and take responsibility for that individual's work. In brief:

  • The overarching requirement should be that set out in paragraph 17 of ISA 200 that "the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor's opinion."
  • The requirements relating to the work performed by specialists and experts should be identical save that:
    • the engagement partner's control over an external expert is more indirect than the control over a specialist or internal expert; and
    • the working papers of an external expert may not legally form part of the auditor's working papers (which instead should summarise what is on such papers).
  • It should be clear that every individual (including auditor's internal and external experts) who performs audit procedures (intended to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and enable the auditor to draw reasonable conclusions on which to base the opinion) is a member of the engagement team and should take appropriate direction from the audit engagement partner. To achieve this, the standards and guidance in ISA 620 relating to the use of auditor's experts should be relocated to ISA 220. In this way it would be unnecessary for the engagement partner to need to draw an artificial distinction between "specialists" and "experts". Rather, the focus of the audit engagement partner should be on whether the team collectively has the appropriate competence and capabilities to perform the audit engagement and whether sufficient appropriate audit evidence has been obtained and documented to support the opinion given.
  • An ISA 620 should be retained but be confined to addressing the relationship between the audit engagement team and those with whom the team "consults". A consultant is not involved in the audit per se and in particular does not draw conclusions on which the audit opinion is based. This could be achieved by moving paragraphs 18 and A21 and A22 out of ISA 220 and using them as a basis for a new ISA 620.

There may be other ways of achieving these improvements such as revising ISA 620 to deal with individuals who are external to the audit firm and provide expertise to the audit team in subjects other than accounting and auditing either as members of the engagement team or as consultants. To the extent that ISA 220 continues to deal with members of the engagement team with expertise in a specialised area of accounting and auditing, consideration could also be given to elevating paragraph A20 of ISA 220 to a requirement and whether there are other matters that this should address to be consistent with the requirements for using the work of an external expert in extant ISA 620.

(iii) 'Back to back' audit opinions

As explained in Attachment 1, in our comments on ISA 600, we have identified significant issues in the conduct of group audits when the group parent company is registered in one jurisdiction, where the group auditor is based, but the group's operations, accounting records and management are located in a different jurisdiction (the parent is sometimes referred to as a "letterbox company"). We have seen cases at a number of firms where the group auditor who signs the audit report has very little participation in the conduct of the group audit, including the audit of the consolidation process, relying instead on clearance reports from audit firms who undertake the audit work in the jurisdiction(s) where the operations and accounting records are based. Further, some firms have issued guidance which promotes such an approach and effectively disapplies the requirements of ISA 600 in such cases.

In our view, these group auditors are failing to comply with both the underlying principles and specific requirements of ISA 600 and other ISAs such as 220 which set out the responsibility of the engagement partner for the direction, supervision and performance of the audit engagement. However, they have sometimes argued that ISA 600 does not envisage these circumstances and, therefore, need not be applied (and that guidance issued by their firm fills a "gap" in the ISAs). While we do not consider such an argument to be sustainable, we believe that from an audit quality perspective, the group auditor's responsibilities in these circumstances should be specifically covered, and clarified, in the ISAs.

Our discussions with a number of other audit regulators have confirmed that this issue is also of concern to them, with a similar approach being followed by firms in their jurisdiction.

Auditor scepticism

In August 2010 the FRC (through its Auditing Practices Board (APB)) published a Discussion Paper Auditor Scepticism: Raising the Bar. A Feedback Paper on this was published in March 2011 which summarised the comments received and outlined the action that the FRC intended to take. Those actions included undertaking work in the following areas:

  • Ensuring that there is a consistent understanding of the nature of professional scepticism and its role in the conduct of an audit. To address this, in March 2012 the FRC published a briefing paper, Professional Scepticism: Establishing a Common Understanding and Reaffirming its Central Role in Delivering Audit Quality;
  • Reviewing ISAs (UK and Ireland) for possible ambiguities in relation to the nature and importance of professional scepticism, and proposing such changes as may be needed to make sure the position is clear;
  • Reviewing ISQC (UK and Ireland) 1 to ensure that it has sufficient requirements and guidance relating to the need for firms to have appropriate policies and procedures for promoting the competencies that underlie professional scepticism; and
  • Considering how the application of scepticism can be made more transparent.

Our observations and recommendations arising from our reviews of where the ISAs and ISQC 1 may be improved to better promote professional scepticism and make its application more transparent are described in Attachment 2 to this response.

Yours sincerely

Nick Land
Director of the FRC and Chairman of the FRC's Audit & Assurance Council

Enquiries in relation to this letter should be directed to Marek Grabowski, Director of Audit Policy. DDI: 020 7492 2325 Email: [email protected]

About the FRC

The Financial Reporting Council is the UK's independent regulator responsible for promoting high quality corporate governance and reporting to foster investment. We promote high standards of corporate governance through the UK Corporate Governance Code. We set standards for corporate reporting and actuarial practice and monitor and enforce accounting and auditing standards. We also oversee the regulatory activities of the actuarial profession and the professional accountancy bodies and operate independent disciplinary arrangements for public interest cases involving accountants and actuaries.

Attachment 1

| Clarified ISA | Nature of issue | Potential weakness in ISA |
| --- | --- | --- |
| 260 Communications with Audit Committees | Important matters (e.g. the nature and extent of the planned involvement in the work of the auditors of significant components) are sometimes not reported or only reported orally to Audit Committees, in particular for (but not limited to) non-FTSE 350 listed entities. | ISA 260 does not require either key audit planning information or significant audit findings to be communicated in writing to the AC of a listed entity. |
| | Communications to the Audit Committee frequently refer to outstanding matters. Auditors do not always update the AC on the resolution of such matters. | No specific requirement or guidance in ISA 260 for the auditor to update the AC on the resolution of significant outstanding matters. |
| 315 Risk assessment and | Audit firms and audit engagement teams are not identifying significant risks on a consistent basis and, in some cases, certain risks are being inappropriately assessed as not being significant. | The ISA 315 does not provide an adequate framework to promote reasonable consistency in the assessment of significant risks, given the importance of this assessment to the nature and extent of audit work performed. |
| 240 Fraud risks | The ISAs specify a presumption that there are significant risks of fraud due to revenue recognition. This presumption is often rebutted at some major firms (sometimes by referring to related controls in place). | ISA 240 does not make it clear that the presumption that there are significant risks of fraud due to revenue recognition should only be rebutted if there are convincing reasons for doing so (and the fact that controls are in place is not a valid reason). |
| 330 Responding to risks | The operating effectiveness of IT general controls is not always adequately tested when reliance is placed on IT dependent controls. | The need for and approach to the testing of IT general controls is not specifically covered by the ISA. |
| 530 Sampling | Judgmental sampling is frequently used at some major firms. The basis of the sample sizes used (often relatively small numbers) and how they link to risk and materiality is often not explained. Unduly low sample sizes may be used in some cases to achieve "audit efficiencies". | The ISA does not require the basis for judgmental sample sizes used or how they reflect the risks which the relevant tests are intended to address to be justified. |
| 540 Accounting estimates and fair values | There is often insufficient challenge of management in relation to the appropriateness of key assumptions underlying accounting estimates/fair values, including in the following areas: – Impairment of assets. – Valuation of financial assets and liabilities. – Investment property valuations. – Loan impairment valuations. | Insufficient emphasis is placed on the need to exercise professional scepticism and challenge management assertions in key areas requiring the exercise of judgment, given the potential for and heightened risk of management bias. |
| | The requirements in paragraphs 15-17 are not always applied in key areas involving high levels of subjectivity/management judgment. | The requirements in paragraphs 15-17 only apply to accounting estimates assessed as giving rise to significant risks. There is no presumption in the ISA that key areas involving high levels of subjectivity give rise to significant risks. |
| 600 Group audits | Component materiality – There is considerable variation in practice in how component materiality is determined (some firms provide more specific guidance than others). The rationale for setting it below group materiality is not fully understood. Component materiality appears to be set at too high a level in some cases (impacting on the adequacy of the work performed). | The considerations to be taken into account in setting component materiality are not fully explained in the ISA. There is no requirement for the audit team to set out their rationale for the level(s) set. |
| | Identification of significant components – While components which do not appear to be individually financially significant are sometimes treated as significant, the reasons for doing so are not always clear. | The ISA does not require components identified as significant due to risks relating to their specific nature or circumstances to be identified, together with how the work performed on their financial information (if less than a full scope audit) addressed these specific risks. |
| | Involvement in planning and risk assessment for significant components – The assessment of significant risks by auditors of significant components is not always consistent with the group auditor's risk assessment and this is not always identified on a timely basis. | The ISA does not require information on the significant risks identified by auditors of significant components, together with details of the audit procedures planned to respond to them, to be obtained and reviewed at the planning stage. |
| | Review of work performed on significant components – The extent of the group audit team's review of the component auditor's work is often unclear or limited to a review of a high level communication. | The ISA is unclear as to how and when the extent of review required should be decided. It does not require the group team to assess at the planning stage whether/the extent to which significant components auditors' working papers relating to areas of significant risk should be reviewed (and then to revisit this decision at the completion stage). |
| | "Back to back" audit opinions – See the main body of this response. | See the main body of this response. |
| | Consolidation process – Group audit teams are often delegating work on the consolidation process to component auditors in cases where the group consolidation is undertaken in another jurisdiction where group management is based. Similarly, in cases where there is a very significant sub-consolidation in another jurisdiction the audit work is often being performed by the local component auditor, with the group audit team performing work on a very limited final consolidation in their own jurisdiction only. | ISA 600 does not directly address cases where the group consolidation or a very significant sub-consolidation is undertaken in a jurisdiction other than that where the group auditor is based (many firms take the view that the work required to be performed on the consolidation process by the group audit team under paras 32-37 may be delegated to a component auditor in such cases). |
| 620 Use of Experts | See the main body of this response. | See the main body of this response. |
| ISQC1 EQCR | See the main body of this response. | See the main body of this response. |
| ISQC 1 Pre-issuance technical reviews | The procedures for pre-issuance technical reviews of financial statements, and the scope of these reviews, vary significantly between firms. These reviews are separate from the EQCR but also form an important element of the quality control procedures for listed audits at major firms. | This important aspect of larger firms' QC procedures is not currently addressed by ISQC1. |
| ISQC1 Monitoring | Firms do not always properly assess whether external inspection findings relating to an individual audit call into question the appropriateness of their audit report. | ISQC1 (para 52) only specifically requires such an assessment to be made, and further action to be taken as appropriate, in relation to the findings of internal reviews. |
| | The scope of internal reviews of firm-wide procedures varies considerably between firms and the effectiveness and coverage of such reviews generally could be improved. | There is currently no specific guidance in ISQC1 on the monitoring of firm-wide procedures and the linkage with reviews of individual audits. |
| | Internal reviews of individual audits tend to focus on compliance with the firm's policies and procedures rather than the appropriateness of audit judgments in key areas. As a result, they are less likely to identify significant issues relating to the quality of the audit than an external review focusing on key areas of judgment. | ISQC1 implies that the sole purpose of the reviews is to monitor compliance with firms' policies and procedures, rather than to assess the quality of the audit and whether or not judgments made in key audit areas were appropriate. It does not identify promoting and improving audit quality within the firm as the overriding objective which should guide how the reviews are performed. |

Attachment 2

Scepticism

Set out below are the FRC's current views and recommendations for improvement to the ISAs and ISQC 1 arising from:

  • Review of the ISAs for possible ambiguities in relation to the nature and importance of professional scepticism;
  • Review of ISQC (UK and Ireland) 1 to ensure that it has sufficient requirements and guidance relating to the need for firms to have appropriate policies and procedures for promoting the competencies that underlie professional scepticism; and
  • Considering how the application of scepticism can be made more transparent.

1. ISAs

1.1 Risk assessment

Scepticism is embedded in ISAs 240 and 540 on fraud and auditing estimates. However, it is less clear how scepticism relates to ISA 315 (Understanding the entity and assessing the risks of material misstatement). The approach set out in ISA 315:

  • Describes those aspects of the entity and its environment about which the auditor should obtain an understanding;
  • Requires certain risk assessment procedures to be applied;
  • Requires the engagement partner and other key engagement team members to discuss the susceptibility of the entity's financial statements to material misstatement; and
  • Requires the auditor to identify risks and to assess the importance of the risks including, where appropriate, designating certain risks as 'significant risks'.

The appropriate application of professional scepticism in the audit requires a mind-set which rigorously questions and challenges management's assertions with a degree of doubt that reflects the expectations of shareholders (and other stakeholders) for whose benefit it is performed. All judgments made in the course of the audit should be founded on the perspective of the shareholders (and other stakeholders). That mind-set demands the sort of hard evidence – to back each audit judgment and, ultimately, the board's assertion that the financial statements give a true and fair view - that would be convincing and persuasive to shareholders (and other stakeholders), given the auditor's risk assessment.

While ISA 315 provides a useful framework for the risk assessment process, risk assessment is highly judgmental and will vary between auditors and audit teams. ISA 315 is vague about what is a risk (for example it does not explore the interaction of likelihood and significance) and does not provide any guidance about the auditor's mind-set when identifying and assessing risks - optimism or pessimism in approaching the assessment would make a significant difference to the outcome. Errors in the risk assessment process could have a significant impact on the assurance that is obtained by causing a lower work effort in response to some assessed risks than is appropriate.

Greater consistency in approach might be achieved if ISA 315 were to:

  • Define a 'risk of misstatement'. Differences of view are likely to exist as to where, on the spectrum of likelihood (remote, likely, probable, etc.) and significance a risk should lie before it is 'identified and assessed' and the magnitude of risks that need to be identified.
  • Provide guidance about the mind-set needed for identifying and assessing risks. Approaches based on optimism or pessimism would likely result in very different outcomes. It may be helpful to have a similar statement in ISA 315 to that in ISA 240 along the lines of 'the auditor shall maintain professional scepticism throughout the audit risk assessment process, recognizing the possibility that a material misstatement due to error could exist notwithstanding the auditor's past experience of auditing the entity'. The auditor's risk assessment process should involve a critical appraisal of management's assertions, actively looking for risks of material misstatement. The auditor should be considering why management's judgments might be wrong as much as what management does to support its judgments.
  • Emphasise that all members of the audit team involved in risk assessment need to be committed to fulfilling their responsibilities in the interests of shareholders. In addition to challenging management, they need to be able to challenge their own judgments and those of other members of the team whose work they review.
  • Elaborate on the importance of identifying and considering changes in the business and the environment in which it operates, including how they might impact management motivations and the risks of misstatement. The auditor should develop a high degree of knowledge of the audited entity's business and the environment in which it operates, sufficient to enable the auditor to make its risk assessment through its own fresh and independent eyes rather than through the eyes of management.

1.2. Searching for evidence that contradicts management's assertions

There has been an active debate on whether the purpose of an audit is to gather evidence to:

  • Actively challenge management's assertions; or
  • Just to support management's assertions.

The FRC believes that an audit should involve actively looking for evidence that contradicts management's assertions rather than just looking for evidence that supports them. While this notion is embodied in the overall objective of the auditor set out in ISA 200, there is little encouragement within ISA 200, or indeed the other ISAs, for the auditor to seek out information that contradicts management's assertions.

While there are references in the ISA application material to the effect that audit evidence comprises both information that supports and corroborates management's assertions and information that contradicts such assertions, there may be benefit in the ISAs containing more specific requirements and guidance relating to the need for auditors to actively search for evidence that contradicts management's assertions. Possible actions include:

  • Reconsidering the objective of ISA 330 to align it more closely with the overall objective of an audit in ISA 200.
  • Emphasising in ISA 500 that obtaining sufficient appropriate audit evidence involves the performance of procedures designed to seek out evidence that contradicts management's assertions as well as performance of procedures that support management's assertions. Auditors should obtain evidence from at least two independent sources where possible.
  • Including more in ISA 540 on the need to 'challenge' management on accounting estimates. While ISA 540 is additional to, not a replacement for, ISA 315 and ISA 330, in mandating the techniques for gathering evidence (paragraph 13) currently it could be seen as allowing an approach that is limited to gathering evidence to support assertions. Audit procedures could include the auditor considering what an appropriate amount/range for an accounting estimate would be before looking at management's amount in relation to that.
  • Giving emphasis in the ISAs to the value of seeking to identify large or unusual items for detailed testing, including through use of computer interrogations.
  • Emphasising that all members of the audit team involved in gathering audit evidence need to be committed to fulfilling their responsibilities in the interests of shareholders.
  • Requiring that when auditors communicate the significant findings from the audit to those charged with governance, including to an audit committee if one exists, they do so where appropriate in a way that demonstrates how they have challenged management and exercised scepticism.

The auditor should suspend judgment about whether the financial statements do or do not give a true and fair view until satisfied that:

  • There has been sufficient inquiry and challenge;
  • Sufficient testing of management's assertions has been undertaken;
  • The quality of the resulting evidence obtained has been critically appraised and judged by the auditor to be sufficiently persuasive; and
  • Where there are plausible alternative treatments of an item in the financial statements (such as different valuation bases), an assessment has been made as to whether one is superior and whether sufficient disclosure of the alternatives has been given, in order to give a true and fair view.

1.3. Documentation

While the ISAs have a number of documentation requirements that can help demonstrate that a degree of scepticism has been applied, more needs to be done to make this more transparent both for internal and external review purposes. Possible actions include:

  • Requiring the auditor to approach and document audit judgments and review processes in a manner that facilitates challenge and demonstrates the rigour of that challenge.
  • Requiring fuller documentation on the basis for the auditor's conclusions on difficult judgements (i.e. effectively extending the documentation requirement in ISA 540 that just relates to accounting estimates). Not allowing conclusionary statements without an explanation of the rationale, relating it to the nature of the challenges raised in the underlying work and reviews, the strength of the evidence obtained and the perspective of shareholders (and other stakeholders). Engagement teams should document their audit judgments and conclusions in a way that clearly demonstrates that they have exercised an appropriate degree of management challenge and professional scepticism. In particular, if applicable the reasons why the audit team concurs with management's assertions should be clearly articulated in a way that, where appropriate, discusses the appropriateness of alternative views and the reasons why they have not been adopted.
  • Specifying documentation requirements specific to the review process (including any review undertaken by the Engagement Quality Control Reviewer).

1.4. Audit engagement partners and others in the chain of review need to encourage scepticism

ISA 220⁵ makes clear that the engagement partner takes responsibility for the overall quality on each audit engagement to which they are assigned, including such matters as the direction, supervision and performance of the audit, the adequacy of internal consultation and the performance of reviews. However, to enhance the application of professional scepticism it could be addressed specifically in ISA 220, setting out the actions to be taken by engagement partners and others in the chain of review to encourage greater scepticism including, for example, through:

  • Providing active challenge in assessing risk and planning the audit procedures to be performed. This should include thinking about the changes that are taking place in the entity and its environment and planning audit procedures that are responsive to them.
  • Leading and participating in audit team planning meetings to discuss the susceptibility of the entity's financial statements to material misstatement including through fraud and the misuse of related parties.
  • Being accessible to other staff during the audit and encouraging them to consult with them on a timely basis.
  • Taking the steps necessary to carry out, face to face where appropriate, a diligent challenge and review of the audit work performed, and the adequacy of the documentation prepared, by other members of the engagement team.
  • Emphasising the critical role of scepticism in achieving a quality audit and leading by example to engender an appropriate degree of scepticism.

ISA 220 also requires⁶ the engagement partner to be satisfied that the engagement team collectively have the appropriate competence and capabilities. Supporting application material lists factors that the engagement partner may take into consideration⁷. This list is a mixture of knowledge and professional skills, including the ability to apply professional judgment, but scepticism is not specifically included. Indeed there is only a limited connection between the competencies and capabilities listed and those in IFAC Educational Standards. There may be benefit in being clearer, perhaps within ISA 220, about what the necessary competence areas and capabilities should be, including scepticism.

1.5 The definition of professional scepticism

The ISAs define professional scepticism as:

> 'An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence'.

Questioning mind: While a questioning mind-set is clearly needed the word 'questioning' seems rather weak and 'challenging' may be more appropriate. This should not be read as meaning that the auditor must 'distrust' management and indeed is consistent with the statement in ISA 200⁹ that:

> 'The auditor cannot be expected to disregard past experience of the honesty and integrity of management and those charged with governance. Nevertheless, a belief that management and those charged with governance are honest and have integrity does not relieve the auditor of the need to maintain professional scepticism or allow the auditor to be satisfied with less-than-persuasive audit evidence when obtaining reasonable assurance'.

A questioning mind-set also involves being aware of natural optimism and other behavioural factors such as 'group think', the tendency to develop more extreme rather than balanced risk assessments and the need to counterbalance these behavioural features.

Alert to conditions: It is hard to believe that just being alert to conditions which may indicate possible misstatement due to error or fraud is the right mind set for risk assessment – which is such a significant activity in shaping the audit and influencing the extent and nature of audit evidence obtained. Nor is it consistent with ISA 240 which requires the auditor to recognise the possibility that fraud could exist notwithstanding the auditor's past experience of the honesty and integrity of management¹⁰ and ISA 540 which requires the auditor to review for indicators of management bias¹¹.

Academics¹² have used the expression 'a heightened awareness of the risk that figures could be affected by error or dishonesty' which might be a more useful description of the appropriate mind-set. However, consideration of management behaviours, including possible management bias, is also important.

Critical assessment of audit evidence: It is not entirely clear what 'a critical assessment' means or who it applies to. It could mean that auditors should be circumspect about the value of each item of evidence or whether sufficient appropriate evidence has been obtained or both. It may be better to focus on whether sufficient appropriate evidence has been obtained, although this might be difficult for individual audit members. Alternatives may be found in the US explanation of scepticism which has 'the gathering and objective evaluation of evidence' and 'the auditor should not be satisfied with less than persuasive evidence because of a belief that management is honest'.¹³ However, there are management behaviours other than honesty to consider, such as a propensity for management bias.

A critical assessment of audit evidence should include not only challenge of management, but also of the professional judgments the auditor is making. This includes not just judgments about the sufficiency and appropriateness of the evidence obtained, but also judgments made in the risk identification and assessment and planning responses to those. Actions that would assist this include challenge in the review process and an exhortation to self-challenge, and a clear requirement to document the rationale for judgments rather than just giving conclusionary statements.

To reflect this approach an improved definition of scepticism would be:

'Scepticism: An attitude of mind that involves individual auditors having:

  • A heightened awareness of the risk that the financial statements could be affected by error or fraud, or bias in management's judgments;
  • A willingness to challenge management about the reliability of the internal controls and the draft financial statements notwithstanding past experience of management and those charged with governance; and
  • A willingness to challenge themselves about whether they have made appropriate professional judgments and sufficient appropriate audit evidence has been obtained'.

2. ISQC 1

2.1 Developing an audit firm environment in which sceptical behaviour is encouraged

Scepticism is an attitude of mind that applies to individual auditors. Individual auditors need to:

  • Develop a good understanding of the entity and its business in order to provide a basis for identifying unusual events or transactions;
  • Have a questioning mind and be willing to challenge management assertions;
  • Assess critically the information and explanations obtained in the course of their work and corroborate them;
  • Seek to understand management behaviour and motivations that may increase the risk of misstatement of the financial statements;
  • Investigate the nature and cause of deviation or misstatements identified, avoid jumping to conclusions without appropriate audit evidence, and challenge their own behaviour and judgments;
  • Be alert for evidence that is inconsistent with other evidence obtained or calls into question the reliability of documents and responses to inquiries; and
  • Have the confidence to challenge management and the persistence to follow things through to a conclusion - even if predisposed to agree with management's assertion, the auditor should actively consider the alternative views and challenge management to demonstrate that they are not more appropriate.

These behavioural characteristics need to be developed within audit firms by creating an environment in which sceptical behaviour is both encouraged and rewarded. This involves recruitment, training, performance measurement and promotion and reward systems. The culture within the audit firm should emphasise the importance of:

  • Understanding and pursuing the perspective of the shareholders (and other stakeholders) of the audited entity in making audit judgments;
  • Coaching less experienced staff to foster appropriate scepticism;
  • Sharing experiences about difficult audit judgments within the firm;
  • Consultation with others about difficult audit judgments; and
  • Supporting audit partners when they need to take and communicate difficult audit judgements.

ISQC 1 could be made more specific as to both the need for audit firms to develop and nurture the appropriate competencies (including scepticism) and the ways in which this should be achieved. Possible actions could involve requiring:

  • Scepticism (and perhaps other essential competencies such as objectivity, judgement and business knowledge) to be embedded in the competency frameworks used for evaluating partner and staff performance.
  • Scepticism (and perhaps other essential competencies) to be embedded in training programmes.
  • Firm methodologies and review processes to emphasise the importance of, and provide practical support for auditors in:
    • developing a thorough understanding of the entity's business and its environment, sufficient to enable the auditor to carry out a robust risk assessment through their own fresh eyes;
    • identifying issues early in the planning cycle to allow adequate time for them to be investigated and resolved;
    • rigorously taking such steps as are appropriate to the scale and complexity of the financial reporting systems, to identify unusual transactions;
    • documenting audit judgments in a conclusive rather than a conclusionary manner and therefore setting out not only the conclusion but also the rationale for the conclusion, relating it to the nature of the challenges raised in the underlying work and reviews, the strength of the evidence obtained and the perspective of shareholders (and other stakeholders);
    • raising matters with the Audit Committee (or those charged with governance) in relation to which the auditor believes the perspective of shareholders (and other stakeholders) about the treatment or disclosure of the matter in the financial statements or related narrative reports could well be different from that adopted by the entity; and
    • ensuring that the disclosures relating to such matters are carefully assessed to ensure that those of relevance to shareholders (and other stakeholders) are sufficient and appropriate in the circumstances, having regard to the auditor's consideration of the true and fair view.
  • Partners being accessible to other staff during the audit and encouraging staff to consult with them on a timely basis.
  • Partners and managers to be evaluated on the extent to which they are actively involved in supervising work and coaching more junior staff.
  • Partners and others in the review chain reviewing work with members of the engagement team on a 'face to face' basis where appropriate to encourage discussion and challenge of issues.
  • Audit firms to share internally experiences about audit challenges within the firm and thereby to enable auditors to learn from the wider experience of the firm's exposure to difficult issues.
  • Additional procedures and / or documentation as part of engagement quality control reviews to ensure that they challenge rigorously the engagement team's judgments and conclusions.
  • Firms to establish internal 'whistle blowing' arrangements to allow, amongst other things, staff to report if they think their scepticism is being unreasonably suppressed.
  • Specific issues (for example the degree of scepticism applied) to be explored as part of internal monitoring procedures.

Footnotes


  1. Paragraph 11 states that the objectives are: (a) To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and (b) To report on the financial statements, and communicate as required by the ISAs (UK and Ireland), in accordance with the auditor's findings. 

  2. 'The auditor's responses to assessed risks' 

  3. 'Audit evidence' 

  4. 'Auditing accounting estimates, including fair value accounting estimates, and related disclosures' 

  5. 'Quality control for an audit of financial statements' 

  6. Paragraph 14 

  7. Paragraph A11 

  8. IES8 has a number of requirements relating to Knowledge, Professional Skills and Professional Values, Ethics and Attitudes - demonstrating professional scepticism is one of the professional skills listed. 

  9. Paragraph A22 

  10. Paragraph 12 

  11. Paragraph 21 

  12. A definition developed by US academics (Bell, Peecher and Solomon) and reconfirmed by another US study, 'A model and literature review of professional scepticism in auditing' by Mark Nelson.

  13. AICPA AU Section 230 – Due Professional Care in the Performance of Work, paras .07 and .09

File

Name FRC response to IAASB Post-Implementation Review of the Clarified International Standards on Auditin
Publication date 27 September 2023
Type Response to external consultations
Format PDF, 536.6 KB