Risky business – why changes to ISA 315 on risk assessments matter to your business

Things very rarely change quickly in auditing. I’m sure that statement will come as no surprise to anybody reading this. 

New auditing standards are almost always released with a long lead time, to allow for appropriate training to be carried out and time for developers and software providers to amend audit programmes and update software to comply with the revised legislation. 

A side effect of this approach, however, is that the changes can seem to be some way off for quite some time and then all of a sudden appear in the immediate future.

This is in some ways how I feel now we find ourselves very close to starting our first audits under the revised International Standards on Auditing (ISA) 315 – identifying and assessing risk. 

Of course, we are prepared: webinars have been watched, guidance materials digested, and software updated.

The revised standard comes into force for the audit of periods commencing 15 December 2021 or later, having been released in January 2020. With the exception of short periods, this means the standard will start to impact 31 December 2022 year ends onwards. 

What has actually changed?

The changes implemented via the revisions to ISA 315 represent the most significant re-write of the standard since 2003.

The major changes revolve around:

•      The introduction of five new inherent risk factors to aid in risk assessment: subjectivity, complexity, uncertainty, change, and susceptibility to misstatement due to management bias or fraud.

•      A new spectrum of risk, at the higher end of which lie significant risks.

•      Scalability focusing on complexity rather than size of an entity. 

•      Requiring “sufficient, appropriate” evidence to be obtained from risk assessment procedures as the basis for the risk assessment. 

•      A great deal more on IT, particularly general IT controls.

•      More on controls relevant to the audit and on the design and implementation work required for these controls. 

There are other significant changes, but for the most part they are documentary and so, from a business perspective, mean more “unseen” work for the auditor.

There is one particular area where the above major revisions are going to impact on businesses undergoing a statutory audit – IT controls and the IT environment. Auditors will have to gain an understanding of information processing activities and identify risks arising from the use of IT. They will also need to understand the entity’s general IT controls that address such risks, including risks arising from use of IT applications.

At a basic level this does not change the need for the auditor to:

•      Identify relevant applications

•      Identify IT related risks

•      Identify relevant IT controls

The new standard recognises that “understanding the flows of information in the information system may assist in identifying those controls that need to be further understood”.

Broadly speaking, in English, this means that by following transactions through and mapping out a business’s systems, the auditor may identify areas where further work needs to be carried out.

This should also help the auditor to identify control deficiencies, which could lead to an increased risk rating on the “spectrum” and in turn more substantive testing will be needed in that area. 

The new standard acknowledges that substantive testing can take the form of both manual and automated testing, which forms part of the continued incorporation of automation within the revised ISAs.

Why does this matter unless you are an auditor?

There are three different reasons the new standard will impact not just on auditors but also on businesses undergoing a statutory audit.

Firstly, the increased focus on controls and particularly IT controls may mean more control points being raised via audit findings reports at the end of the audit process.

Secondly, where weaknesses in controls are identified, this has always led to further testing being required. That will be magnified by the new standard, making increased testing in more areas more likely. 

Thirdly, an unexpected side effect of the standard using the “complexity” of an entity, rather than its size, to drive scalability is that some small entities (which by their nature tend to have fewer formal systems of control) may, if they are fairly complex, end up seeing both the risks assessed and the testing carried out increase.

All of the above means that the new standard will probably lead to audits being more disruptive in the first couple of cycles after implementation, but there are also opportunities for systems improvements as part of the process. 

The audit and assurance team at Ryecroft Glenton is here as always to guide you through the process. 
