A key topic for audit update courses in Autumn 2022 and Spring 2023 is ISA (UK) 315 revised, the updated FRC standard on ‘Identifying and Assessing the Risks of Material Misstatement.’ We thought it might be useful to use this month’s blog to share the most common questions that are cropping up and our suggested responses.
1. Should our planning work be throwing lots more risks than before?
Potentially. The revised ISA requires firms to think more carefully, in a ‘bottom up’ way about risks by audit assertion rather than (as has often been the case historically) simply rolling forward the previous year’s risks. But should there really be lots more? A speaker on ICAEW’s recent charity conference spoke about 2 risks becoming 17 for a fairly straightforward audit she had recently been involved in. This seems extreme. Wouldn’t very low level risks get picked up by standard audit procedures anyhow? At Insight Training, we’re encouraging firms not to overcomplicate things!
2. Our grading system for risks is 1 to 5 based on our methodology. How on earth do we work out how to grade risks – and what is a significant risk?
This is very much a judgement call. Some feel that a grading of 4 or 5 would be indicative of significant risk (i.e. one ‘towards the higher end of the spectrum’). We’re finding that for some of our clients, audit engagement partners are having to roll their sleeves up more and get involved in having conversations about gradings in order to make those decisions. Maybe that’s no bad thing. It certainly reflects the spirit of the revised ISA (UK) 220 (Quality Management for an Audit of Financial Statements).
3. There’s lots of discussion about extra work on IT systems and controls. Is it such a big deal for straightforward audits?
Many of the firms that we work with have developed lengthy checklists which they are working through with their clients. There will definitely be an investment of time for many here. It’s important not to lose sight of the purpose of the audit though – which is to identify risks of material misstatement in the financial statements and to devise tailored responses. It’s all well and good to ask clients about cybersecurity, firewalls and disaster recovery plans but how does that all impact on the truth and fairness of the accounts? We are, after all, financial auditors not IT auditors!
4. Does the new ISA impact on the extent of our testing (e.g. sample sizes)?
Not directly – though a careful assertion by assertion assessment of risk should inform a tailored approach which is both effective and efficient. As we’ve discussed a lot on courses over the last 12 months, the removal of sample size caps for some audit methodologies has made firms reflect hard on their risk assessments and also how they use a range of testing methods (including tests of control and analytical review) to gather evidence. This can help to make sample sizes more manageable.
5. Is there more work to do on journals?
There’s more focus on journals in the revised ISA (UK) 240 ‘The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements’ than in ISA (UK) 315 and as a result of this, more work may be needed. It all comes back to risk though. If there is a material misstatement risk resulting from the use of journals to commit fraud and manipulate financial performance and position, then a thoughtful audit approach will be needed. For some clients with smaller, simpler businesses this may be much less of a risk.
6. How much more time should audit planning take – and can we charge?
There will definitely be a potentially significant investment of time in year 1, if only to really understand the way that clients’ IT works and the related risks and IT controls which address these. To compound matters there’s the issue of changing audit methodologies. Some of our clients are spending as much time getting to grips with the audit software as they are the nuts and bolts of the revised ISA itself! The conference speaker mentioned earlier (a partner in BDO) spoke about 15-30% more time being spent on each audit. If that’s the case then firms should certainly be looking to pass the additional cost on.