The decision to revise ISA 315 was as much about the need to update a foundational auditing standard as it was to address existing challenges identified by IAASB as part of its Work Program 2009-11, which looked into the effectiveness of the implementation of clarified ISAs.
According to the ISA 315 Exposure Draft, these findings suggested that a revision was necessary due to responses which strongly indicated that several aspects of the standard were “not being understood or implemented in a consistent manner”.
ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment is a significant standard to be updated as part of the IAASB’s commitment to improving audit quality globally. Following the 2 November 2018 deadline for all responses to the standard’s consultation, the finalised ISA 315 is expected to be ready for June 2019 with a proposed standard implementation date of 15 December 2020.
ISA 315, says ICAEW’s Katharine Bagshaw, deputy chair of the International Federation of Accountants’ Small Medium Practices Committee and member of the Task Force which developed the exposure draft, is the “lynchpin ISA”. It is the ISA on which all other ISAs are based.
“There are no longer any ISAs which are not based on risk assessments,” says Bagshaw. “ISA 315 absolutely represents the heart of the audit and it’s probably the single most important ISA in the entire suite. Get the risk assessment right and you stand a chance of getting everything else right.”
Marek Grabowski, director of audit policy at the Financial Reporting Council and member of the ISA 315 Task Force along with Bagshaw, hopes the finalised version will “hold auditors to account” while supporting them to produce consistently high quality audits. It should also drive auditors to obtain a fuller understanding of the audited entity’s business, its relevant reporting processes and controls and of how accounting standards apply to it.
“Such an understanding is required for a robust risk assessment, which is the essential first step in planning an effective audit,” he adds.
Bagshaw describes the ISA 315 Exposure Draft as a “brave attempt” to deal with some very important issues including a deeper understanding of IT within financial reporting, consistency of risk assessments, scalability and professional scepticism.
Working to scale
Scalability is an important characteristic of the exposure draft. It is about making sure that audits of all sizes can be accommodated within the ISA. The exposure draft acknowledges that the nature and extent of work auditors need to do on an entity’s IT system will be different depending on whether the business is small, using unmodified versions of widely available accounting packages, or whether it is a large multinational writing its own applications from scratch and making extensive modifications to bought-in platforms.
Considering the range of complexities across business entities globally, maintaining scalability to this degree of variation is a big ask. Even so, the focus on scalability says Bagshaw, is a “very positive trend”, even if it could prove a challenge to implement.
“Should IAASB be trying to accommodate entities of such different scales within one ISA? These ISAs have to work for the very largest multinational global audits as well as the very smallest in the developing world,” she admits.
It’s one reason why the IAASB is considering introducing an ISA for less complex audit entities. Bagshaw says it would be a “radical departure” for the standards body. To date it has always stood behind a single set of auditing standards for all entities.
Nevertheless, the proposed revisions to ISA 315 are intended to bring about significant improvements in the consistency of robust, high quality risk assessments for entities of all sizes. One of the ways in which the proposals do this is by introducing a new and less circular definition of ‘significant risk’ by creating the concept of a ‘spectrum of risk’.
The current definition of significant risk is related to risks that merit ‘special audit attention’. It is an entirely subjective test, down to the amount of work auditors carry out on what they perceive to be significant risks. This definition has come in for much criticism, and may have led to some firms generally classifying more risks as significant, with others trending in the opposite direction.
While some experts are calling for the significant risk definition to be removed all together from ISA 315, not everyone agrees. “The revised ISA 315 now explicitly recognises that there is a spectrum of inherent risk,” says Grabowski.
“With this important re-balancing, it is not necessary to remove the concept of significant risks from ISAs. Identifying risks that have significance at the upper end of the spectrum should provide a more effective trigger for auditors in addressing important requirements in terms of controls and key audit matters.”
The new definition of significant risk, then, relates to what is driving that risk, rather than the auditor’s response to it. A significant risk of material misstatement is one which is close to the upper end of the spectrum of inherent risk due to one or a combination of inherent risk factors affecting the likelihood or the magnitude of a misstatement occurring.
“The regulatory approach to this is very important,” Bagshaw adds. “The previous definition of significant risk created a lot of inconsistency because it was easily misinterpreted.”
For Bagshaw, the behavioural issues that lead to inconsistency have a significant effect on audits. It’s one of the reasons why provisions have been made in the exposure draft to encourage and enhance the application of professional scepticism. Yet as Bagshaw points out, these provisions are only a small part of the story.
“You can’t make auditors more sceptical just by peppering standards with instructions to be more sceptical,” she says. “The IAASB recognises that, so the new requirements are of more substance. But auditors need to be aware of their own biases, regardless, and both ICAEW and IFAC have recently issued a number of interesting publications on this.”
Yet Bagshaw says there is one issue which has been highlighted by regulators of small and large firms alike that the standard does attempt to address – the excessive reliance on the output of IT systems which auditors have not tested. In the exposure draft, there are new requirements relating to IT systems, the IT environment, IT general controls and application controls, all of which are intended to address this very problem, even if some larger firms are moving away from test controls all together.
“The exposure draft aims to tackle this by acknowledging that auditors will take a different approach to the audit of reputable, commercially available, widely used off-the-shelf packages used by SMEs to the audit of bespoke IT systems used by multinationals. It comes back to the issue of scalability,” says Bagshaw.
“Provided there are no significant modifications, there is no point asking smaller firms to try to take Sage or QuickBooks apart to see if they ‘work’, but it does make sense for firms to have to look at the systems used by bigger companies who write their own software and make significant adaptations to the platforms they use.”
Both Bagshaw and Grabowski are hopeful that the exposure draft, with its new definitions and specifications and added focus on scalability, will accommodate the largest and most complex of entities as well as smaller audits. And as Bagshaw points out, as all ISAs are interconnected and as this is a foundational ISA, it’s essential to get it right first time.
Otherwise flaws in one ISA will become magnified in others. “Every time a new ISA is developed, an existing ISA is revised. Whatever we decide now, we will be working with for a long time to come, so it’s worth the IAASB taking the time to get this right.”
Scepticism is at the heart of ICAEW’s recent film, Without Question, and is the subject matter of an ICAEW report: Scepticism: the Practitioners Take. The International Accounting Education Standards Board has also recently issued a publication, Unconscious Bias and Professional Scepticism