Will incoming revisions to auditing standards enhance audit quality?
Changes to auditing standards ISA 315 and ISA 240 are some of the biggest changes to audit in a generation, and for the first time refer to automated tools and techniques. Is this an insight into what the regulator will be looking for in future file reviews?
Dudley Gould recently sat down with Simon Kettlewell, Director at HAT Group of Accountants, an organisation that provides compliance support to accounting firms, to understand how and to what extent these ISA revisions will impact auditors and the profession at large.
The incoming changes to the auditing standards ISA 315 (identifying and assessing the risks of material misstatement) and ISA 240 (responsibilities relating to fraud) are some of the biggest changes to audit in a generation and come into effect for accounting periods starting on or after 15 December 2021.
Encouragingly, for the first time, the standards refer to automated tools and techniques, including data analytics. This is a strong indicator of the FRC acknowledging their importance going forwards, as well as an insight into what they will be looking for in future file reviews.
In this first of a two-part series, we discuss revisions to ISA 315.
Revisions: An overview
Dudley Gould (DG): What are the main changes to the standard?
Simon Kettlewell (SK): The revision of ISA 315 intends to ensure a more detailed thought process in performing the risk assessment. This requires a more nuanced approach. Previously you had to assess the level of risk at the financial statement and an overall assertion level, but the revision will require auditors to consider what we call inherent risk factors such as complexity, subjectivity and indications of things like management bias and fraud. It will also be mandatory to consider the magnitude and likelihood of errors and map this out on a spectrum of inherent risk.
An automation tipping point?
DG: The revision to ISA 315 references automation for the first time. How significant is this?
SK: It brings the concept of using automated tools and techniques (ATTs) into audit work.
Paragraph A21 of the Application Guidance of the revised ISA 315 says “using automated tools and techniques, the auditor may perform risk assessment procedures on large volumes of data (from the general, sub-ledgers or other operational data) including for analysis, recalculations, reperformance or reconciliations”.
Many people will assume automation to mean data analytics. However, there are many different ways you can bring in automation. The revised ISA brings this into risk assessment and using verified banking data to interrogate the entirety of cash transactions will provide an element of comfort which will hugely inform the risk assessment.
DG: Why do you believe auditors have struggled to leverage ATTs for risk assessment? Do you see this changing?
SK: I feel like we’re at a tipping point where auditors start thinking further than the traditional procedures such as analytical reviews, especially as ATTs have been added to the ISAs.
Historically, it’s been difficult for auditors to make the leap with concerns around how you get data out, how you visualise it, how you gain comfort that the data is complete and how you control the data etc.
But now with access to verified transactional data, via the open banking framework, many of those concerns go away and it is easier for auditors to adopt this new technology. We also now need to see a mind shift change, especially with the ISAs pushing for increased adoption of technology.
Why risk assessment keeps getting picked up as an area for significant improvement
DG: The revised ISA 315 pushes firms to put more thought into risk assessment work. Why do you think there is such a focus on strengthening risk assessment?
SK: Many auditors are not dealing with assertion-specific risk properly, which is partially due to different methodologies and software providers. Too many firms still use the old-style checklist approach, but they should be thinking about it from a more holistic point of view. Auditors should go through a thought process, consisting of what they know about a client, what their audit history has been and how good their management is. They will also need to consider whether there are any third parties interested in the accounts, whether they are public, the existence of loan liabilities and so on. All of these things need to come into the thought process. What we’re often finding is firms don’t go through that narrative detailed thought process to justify their overall assessment of risk.
DG: Roughly what percentage of the files you see are marked as having a problem with assessment?
SK: At least half. This could be for a few reasons, such as not documenting or justifying the risk.
How an enhanced focus on risk planning can improve audit efficiency and quality
DG: Do you think audit quality would be improved if firms spent more time on risk planning?
SK: If you devote more time and thought to the planning process, you will have a better and leaner audit process.
Ultimately the auditing standards don’t mandate what your audit has to be for each particular area. What they say is you need to obtain sufficient, appropriate audit evidence that there is no material misstatement in the financial statements.
There is a judgement to be made about how far you go in terms of audit work. There is often a lack of joined-up thinking from the risk assessment to fieldwork. For example, don’t just complete 25 or 30 debtor recoverability tests. Instead, it’s better to consider the risk profile and say we know controls around debtors are pretty good but they have issues with six customers, follow up by doing detailed testing on these six rather than focusing on the rest of the population.
Risk assessment requires the buy-in of the entire engagement team, and this doesn’t happen often. Rather than simply rolling forward the file from last year, the engagement team should meet early on to discuss what happened with the entity in the last year, what is going on globally and where the risks are for that particular entity. From an external review point of view, the lack of an informed team discussion bleeds out in terms of findings and priorities without a shadow of a doubt.
DG: And what role does cash play in the risk assessment?
SK: I think on the face of it people will probably say not much. For an uneducated auditor who hasn’t seen what verified transactions can do I think what you would probably find is that they would just assume that the bank is the easiest section of the audit to deal with.
But almost every single transaction that the entity has will go through a bank account. Again, the problem is that too often auditors think purely in isolation, but cash is a key component to joining the dots and seeing the bigger picture.
The countdown to 2023
The revisions to ISA 315 will force auditors to take a more considered approach to risk, with greater thought needing to be given to the unique circumstances of each entity, particularly around the planning stage. Regulated and directly integrated tools can help manage these new requirements, and with all auditors needing to understand and implement these changes from 2023, it’s advised to be proactive and seek out solutions now.
Dudley is a Chartered Accountant formerly with KPMG and Moore Kingston Smith. He founded Audapio, a solution leveraging Open Banking to improve audit quality and efficiency before joining Circit as VP of business development.