Audit Quality Reviews – Top Three International Standards on Auditing (ISAs) that cause audit quality weakness
When we examine the findings of professional bodies and those of Mercia reviewers, a number of ISAs surface to the top time and time again as areas that require improvement, and are the root cause of many of the weaknesses identified on files during quality reviews. Not necessarily in order, but the following are in the spotlight (unfortunately in a negative way):
- ISA 230 – Audit documentation;
- ISA 315 - Identifying and assessing the risks of material misstatement through understanding the entity and its environment; and
- ISA 500 – Audit evidence.
ISA 230 – Audit Documentation
In the case of ISA 230, one of the most common problems is failing to record material aspects of the audit work, or the link between the audit evidence and the final conclusion of the audit. We regularly see monitoring inspection comments referring to a lack of documentation on those files reviewed of the “nature, timing and extent of the audit procedures performed”. In order words, there is an apparent gap in telling the ‘story’ of the audit work undertaken on file i.e. what audit work was undertaken, when and to what extent.
One of the key takeaway points at an audit training course for staff is always to ensure that staff understand that the audit working papers on files must properly record and summarise the audit objectives / assertions tested, the method(s) used to test a given assertion, the results obtained from the procedures performed, and lastly (but very importantly) the conclusion reached. Quite often a firm does not give itself the credit, so to speak, for the audit work it has actually done by properly / fully documenting it. It can frequently come out in a discussion with the audit engagement partner and senior staff following a cold file review, that they had performed additional audit work over and above that which had been recorded on file, but they concede that they did not document it and unfortunately if it’s not there ‘in black and white’ you don’t get the credit for it. Reviewers tend to work off the assumption that if something hasn’t been documented then it hasn’t been done!
ISA 315 - Identifying and assessing the risks of material misstatement through understanding the entity and its environment
This ISA is one of the larger auditing standards, and one of the standards that unfortunately features in many quality review inspection reports as an area of weakness. The scope of the ISA deals with “the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control.” In essence, the auditor needs to gain a comprehensive understanding of the audited entity under many headings (some of which may be more significant than others in terms of assessing risk for a given entity) and to make sure that this understanding of the entity and its business etc. is fully documented on file.
One of the issues we sometimes encounter during cold file reviews is that the documentation of the entity background information has been compiled by a more junior member of the audit team, and through a lack of experience or awareness of the key elements relevant to the entity, the documentation is not sufficiently comprehensive, or something fundamental has been overlooked or missed. It is always recommended that the person tasked with recording the background knowledge of the entity and its environment should be a senior member of the engagement team, as he or she will have a far greater chance due to their knowledge and experience of covering all the relevant bases and have a greater awareness of what is particularly pertinent in terms of risk in relation to the client.
Some of the sections within the recording of background information that tend to be problematic or in some instances possibly even overlooked include, for example, laws and regulations considerations, related parties, use of service organisations (ISA 402), use of accounting estimates etc. In addition, recording the auditor’s understanding of the entity’s accounting systems and internal controls is often an area where improvement is required as the documentation on file can be all too brief or light on detail.
Remember of course that ISA 315 (paragraph 13) also states that “When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel.” Unfortunately, in some cases, the systems and controls documentation of itself may be well documented, but complimentary evidence of the auditor’s confirmation of the design and implementation of internal controls is lacking. This confirmation of design and implementation of internal controls is required as part of the risk assessment process irrespective of whether or not the auditor intends to place any reliance on internal controls or has any intention to perform controls testing at the fieldwork stage of the audit.
Where the auditor does not adequately assess risk through a lack of understanding of the entity’s activities and internal controls, this can lead to an inappropriate audit plan and, consequently, audit evidence, which fails to address the risks of material misstatement of the financial statements.
Firms should also be aware that there is a revised ISA (UK) 315 which is effective for the audits of financial statements for periods beginning on or after 15 December 2021 and introduces a number of key changes to identifying and assessing the risks of material misstatement. You can read more about the changes in our blog post Changes to ISA (UK) 315 Identifying and assessing the risks of material misstatement. Ensuring that your files deal with the current requirements is a good place to start preparing for the revised standard.
ISA 500 – Audit Evidence
Frequently monitoring inspectors cite insufficient audit evidence as the main weakness on audit files. There are certain aspects that seem to crop up in reviews more than others, and these are also noted regularly on Mercia cold file reviews including issues / inadequacies relating to testing completeness of income / revenue, fixed assets testing (rights and obligations / ownership), stock (valuation testing), creditors (completeness testing). Other areas where professional judgment is required (e.g. goodwill or intangibles) can also cause problems.
It is important that staff fully understand and appreciate the purpose of the testing they undertake in a given area, and what assertions they need to focus on, in order to get sufficient and appropriate audit evidence. The direction of the testing performed is also a key consideration - for example when testing debit balances, we normally focus on overstatement and with credit balances, we normally look for possible understatement. Clearly making sure that we get the right type of audit evidence and that we get enough evidence to provide a basis for our audit opinion is crucial, but so too is making sure that we fully record the evidence obtained which links us back to the first segment above on ISA 230.
Conclusion
To conclude, as mentioned at the outset of this article, the above ISAs have been highlighted from reviews by the professional bodies and from Mercia as being common areas of weakness, but of course there are other areas that also crop up within reviews quite regularly. These include:
- the use of sampling;
- materiality;
- analytical review;
- documentation of consideration of compliance with the Ethical Standard (including what safeguards can be applied and when / how to use the provisions and exemptions available within PAASE); and
- recording of audit work in relation to subsequent events and going concern (particularly in light of the requirements of the revised ISA 9UK) 570 – see Applying the Revised ISA (UK) 570 on Going concern).
How we can help
Each year, we carry out hundreds of audit file reviews for firms throughout the UK and Ireland.
Our experienced team can provide a range of reviews including cold file reviews and hot file reviews as well as audit compliance reviews to help you ensure that your audit quality is maintained.
All our reviews include a full written report, detailing the findings from the review and any recommendations.
We can also provide in-house training based on the findings from your file review, helping to develop the skills of your audit team. It also counts towards their CPD.
Find out more and book your audit file review today by contacting a member of our friendly team.