Corporate Profile 47Billion Information Technology
Phil Cowperthwaite Tips for Trainers Understanding the ISAs and Using Them Effectively
1. Page 1 | Confidential and Proprietary Information
Tips for Trainers—
Understanding the ISAs and
Using Them Effectively
Phil Cowperthwaite,
Member, IFAC SMP Committee
Trainers’ Seminar
Kampala, Uganda
June 4, 2013
2. Page 2 | Confidential and Proprietary Information
Where Are We today?
• Change, Change, Change
• But is it an auditing paradigm shift?
– ISAs
– New GAAPs
– Ethics
• Likely not
3. Page 3 | Confidential and Proprietary Information
Option #1
• Panic and bail
5. Page 5 | Confidential and Proprietary Information
Option #3
• Study, ponder and decide
Need to decide:
– Can you reduce audit risk sufficiently?
– Is auditing a viable service for your firm?
6. Page 6 | Confidential and Proprietary Information
Structure of the ISAs
• Preface
• Scope and Authority
• Glossary
• Terms applicable to the standards
• ISQC1
• QC for firms covers assurance only
• CASs
• 36 in all , 570+ requirements (incl. ISQC1)
7. Page 7 | Confidential and Proprietary Information
ISA Structure
Scope 10
Objectives 2
Definitions 1
Requirements 11
Application Material 76
100
ISA 200
# of paragraphs
8. Page 8 | Confidential and Proprietary Information
You Need Only to Comply with:
• Relevant ISAs [200.18]
• Relevant Requirements [200.22]
• But you do need to comply with all of these in every audit
9. Page 9 | Confidential and Proprietary Information
ISA 210—Agreeing the Terms of Engagement
Why is it so long? Needs to cover:
1. Every type of audit engagement
2. Every size of reporting entity
3. Every mix of management/TCWG
4. Every type of reporting framework
5. Every country globally
6. Every form of legal/regulatory regulations
10. Page 10 | Confidential and Proprietary Information
Categorizing Requirements
Response
required by the
audit team?
Action is
required in
every audit
If the
circumstance
is identified
action is
required
•A state of
being or
•Reference to
another ISA
Documentation
required?
Action and
conclusion
must always be
documented
Document only
if circumstance
exists
No specific
documentation
required
Impact on
checklists
Include in a
standard
checklist in
every audit
Include in a
checklist only
if the condition
exists
Do not include
in checklist in
any audit
11. Page 11 | Confidential and Proprietary Information
What in ISA 210 is Relevant to Every Micro-Entity Audit?
Para 6
Para 9 and 10
Preconditions
Mutual acknowledgment
16 requirements
and
only 3 relevant every time
12. Page 12 | Confidential and Proprietary Information
Making the Standards Work for You #1
Risk Management
• 210.06
– Will management play ball?
– What does “taking responsibility” look like?
– How much pre-audit assistance is allowable?
• 220.09
– Have you covered off the familiarity threat?
• ISQC1.26
– Do you trust your client?
• 220.12.14
– Do you have the necessary skills?
13. Page 13 | Confidential and Proprietary Information
Making the Standards Work for You #2
Communication
• 210.06
– Does management understand its role?
– Have you or your staff talked with them about it?
• 210.09
– Have TCWG and management actually read the engagement
letter?
• 200.11
– Do you understand your role?
14. Page 14 | Confidential and Proprietary Information
Making the Standards Work for You #3
Audit Efficiency
• 220.14
– Do you have the skills and knowledge?
– Is it industry and sector specific?
• 210.06
– Does management understand it’s role?
• 220.14
– Do you have the time?
– Are the fees appropriate?
15. Page 15 | Confidential and Proprietary Information
How to Deal with All This Material
• Treat it as an exercise in change management
• Appoint a team leader
• Determine requirements relevant to your audit
• Take time to digest it all
• Talk to your colleagues and clients now
16. Page 16 | Confidential and Proprietary Information
Summary
• You need to understand all the ISAs so you can:
– Tailor them to the specific circumstances of your practice
– React appropriately to unusual circumstances
– Communicate effectively with your clients
– Reduce engagement risk
– Make your audits as efficient as possible
Change is today’s constantThat change is today’s constant is trite but true.These are truly challenging times for SME auditors in Canada what with reformatted audit standards and for the first time in Canadian accounting history five GAAPs including Canadian ASPE GAAP, GAAP for NFPOs and IFRS. This change is occurring at the same time as changes in sales, personal and corporate income tax rules and sweeping reviews to the charity and not-for-profit sectors in Canada.Before we feel too sorry for ourselves we have to acknowledge that the globe is awash with change from east to west. Other professions are undergoing significant change in Canada, including having to cope with increased regulation, changes in standards and significant increases in required documentation. The medical, engineering, teaching and architectural professions to name a few are experiencing change every bit as daunting as that facing us. Industry in Canada is going through sweeping shifts in response to global trends. The pace has been driven mercilessly by ‘improvements’ in communication through email, social networking and information technology. The message? Change is not unique to our profession. Change is the only constant in the information age.It is important to realize the changes in standards are not occurring with the sole purpose of making life difficult for us professional accountants. The changes are in response to rapidly changing global conditions. The ISAs have requirements that, in theory, encompass every historical financial statement audit engagement for every reporting entity in every country, not just micro-entities in Canada. By no means will every requirement be relevant in every audit. If you invest some time now to understand how the standards are intended to work I think you will find you can perform a very effective and efficient (read: affordable) audit of a micro-entity in the Canadian context, provided of course that the entity is auditable in the first place.The standards are seen as state-of-the-art/best practice. Do you want to be seen as providing a second class service by your clients?You as audit practitioners have a big decision to make. Do you participate or not? Are these changes truly a paradigm shift in the profession or more an exercise in change management? As I will demonstrate throughout this seminar why I think it is the latter. The big shift for Canadian auditors in the middle of the last decade came with the introduction of the risk based approach to audit engagements, quality control standards for firms and the increased focus on fraud and its impact on financial reporting. Take a close look at what you need to accomplish and I think you will find the road ahead is not as difficult as it seems. In fact, I believe the audit standards can be used to your advantage.
1. Dramatically change the focus of or give up your practice. If you decide to opt out of auditing micro-entities, what will you do instead given that change appears to be everywhere? If you don’t like change then I think you have a problem on your hands unless, of course, you are close to retirement and are able change the focus of your life.
Ignore the changes in the profession and the new standards. If you chose this option you could have: - Problems with audit regulators; - Liability issues if you have an audit failure; - Loss of clients as they grow and need more demanding services - Risk to your professional reputation.
3. Make an informed decision before turning your professional world upside down. See exactly what the changes are. Set up an implementationplan. Figure out what you can do, what you want to do and how to make the changes in our profession work for you. If you perform one or two audits a year then the investment in professional development may not be worth the time. Auditing is increasingly a specialty for trained auditors and has been for some time. In my experience auditing micro-entities effectively and efficiently is a sub-specialty. If you take time to learn a few skills to increase both your level of service and competence in this area you should be able to take advantage of those skills. Benefits should include a thriving professional and profitable practice with a risk profile to meet your needs.
Getting familiar with the structure of the ISAs Let’s take a look at ISA 200. The analysis developed here will provide you with some ideas to make getting through all the ISAs that much more manageable.ISA 200 - Overall objectives of the independent auditor and the conduct of an audit in accordance with Canadian auditing standardsLook at the structure of this standard, laid out as: The Introduction, Scope, Objective, Definitions, Requirements and finally Application and Explanatory Material. Some standards have appendices and illustrations in addition to these sections.How many requirement paragraphs are there? How many application paragraphs are there? Review paragraphs 14-17 from beginning to end. This is the fundamental core of our profession as auditors of historical financial statements.Points to note especially:The Objectives give you a very clear picture of the aim of the requirements. You need to comply with all ISAs relevant to your audit. [Para 200.18] Use the objectives to help here. A complete knowledge of all the standards is essential, as you cannot make a professional judgment as to what to leave out if you don’t know what is in the standards in the first place. Group audits, reliance on internal audit and statistical sampling are three examples of ISAs you will likely not need to refer to often, if at all. There go 50 requirements right there!-You need to comply with all relevant requirements in ISAs relevant to your audit. [Para 200.22] A complete knowledge of all the standards is essential, as you cannot make a professional judgment as to what to leave out if you don’t know what is in the standards in the first place.Professional judgment as noted earlier and professional skepticism remain key (ISA 200 16 & .17). The requirements may only be two lines each, but they are tremendously important to every aspect of the audit of a micro-entity.
Digging in to the audit standardsISA 200 still seems very long and much of it does not relate to day-to-day audits of micro-entities. What would be helpful is a system for determining in every ISA what is required on a day-to-day basis.The ISAs do not focus on only one financial reporting framework, Canadian GAAP. They can therefore be more easily adapted to the multiplicity of frameworks that auditors are reporting on these days. Many professional organizations, including my own, have instituted mandatory professional development for their members. Our firm of eight professionals usually attends two four-hour sessions a year on changes to audit standards. Is eight hours enough to acquire a complete knowledge and understanding of the newly adopted ISAs? No. It’s not even close to being enough, especially since presenters often present their own methods of standards compliance and do not focus on the original wording of the standards. Following someone else’s system will likely not give you a complete knowledge or understanding of the actual requirements and the result could be inefficient and ineffective audits.In addition, many small and medium-sized firms base their audit methodologies on off-the-shelf third-party models. These generic models are often well put together but are designed for a very wide variety of audit engagements. They have to be to appear to as wide an audience as possible. These methodologies are not customized for your clients, your culture or your style. Many also provide generic checklists that, while based on the ISA requirements, are often interpretations of the requirements as opposed to being the requirements themselves. Unless you have a complete knowledge and understanding of the standards themselves, how do you decide what parts of the programs and what checklists to include in your firm’s audit methodology and, just as important, what to leave out? You need a very sharp focus to do the audit of a micro-entity efficiently and effectively. Unnecessary procedures add time that may not be recovered and can distract you from important issues. Ten unnecessary procedures in an audit with 100 procedures can result in a considerable amount of unproductive time where 10 in an audit of 1,000 is much less problematic. To develop a sharp focus you must first know the standards, and I cannot see how this can be done without a determined effort to actually read them. Would you commission a firm of architects to design your house if you knew no one in the firm had ever taken the time to read the actual building code but was just relying on the interpretive material of another professional? I think not. I contend that you cannot benefit from audit refresher survey courses or customize generic audit programs without first having read the standards themselves. The investment in time will pay off in efficiency of your audits.Now let’s get specific again. Let’s discuss how to read, understand and make the standards work for you.A useful first step is to acknowledge the ISAs are a tome but that not all will be relevant to your engagements. Do this in a way which suits you and your firm. Be creative. WARNING #1 -You must understand all the requirements to know what can be safely filtered out!Next, focus learning on specifics of your practice. Not all ISAs are relevant to every audit – the standards must cover every audit in every situation globally. Your practice is just but one small piece of the global audit pie.So, the key question is how to focus on what is important to your practice so you can achieve the economic benefits of a focused audit engagement. Warning #2 - You need to invest some time up front to benefit in future.Leaning will not happen all by itself.
Parsing the ISAsI am now going to focus on ISA 210 (Agreeing the Terms of Engagement) to illustrate one way of both understanding the ISAs and focusing on the requirements that are critical to your practise.We just looked at ISA 200 which states that we must comply with all ISAs relevant to our audits (200.18) and within those relevant ISAs, all requirements relevant to an audit (200.22). This allows two levels of filtering as we go through the standards: Is ISA 210 (Agreeing the Terms of Engagement) always relevant to our audit? (hint: Read the objective of the ISA) If it is, which requirements are likely to be relevant? If a ISA is always relevant then we need to look at which of the requirements in it are likely to be relevant in our audits. Examples of requirements not relevant to an audit of a micro-entity in Canada include:requirements covering non–ISA-compliant reports specified by law or regulation for entities requiring ISA-compliant audits (ISA 210.21); requirements to test the expectation that controls are operating effectively (ISA 330.08); and - requirements when an engagement needs an engagement quality control review (ISA 220.19-21).
Parsing the ISAs cont’dNow back to ISA 210 for a look at the individual requirements. As mentioned earlier, The ISAs have requirements that, in theory, encompass every historical financial statement audit engagement for every reporting entity in every country, not just micro-entities in Canada. By no means will every requirement be relevant in every audit. This gives us much opportunity to winnow irrelevant requirements.
This table provides one possible way to categorize all 570+ requirements.
Looking closely with audit of a micro-entity in Canada in mind:Para 6, agreeing the terms of engagement with management, is important and will be applicable in every engagement. Having said that, if you are using Canadian Accounting Standards for Private Enterprise (ASPE) then 210.06(a) will (almost) always be applicable and, while the requirement is critical, it will almost always be non-controversial in Canada. Reminding management of their responsibility for statement preparation and selection of accounting policies etc. is important in every audit and therefore 210.06(b) must be dealt with in every engagement.Paragraphs 201.07 and 210.08 deal with an imposed scope limitation and the situation where the preconditions do not exist. It is important to know what the requirements are in these situations but these situations are also likely to be far and few between for most micro-entity audits.Paragraphs 201.09 and 210.10 require you to communicate the terms in writing to management in a letter and will be applicable every year, unless circumstances do not change year-over-year in which case you do not have to reissue the letter if you chose not to.The rest of the section deals with changes to the terms of engagement in mid-audit (210.11 and 210.14 to 210.17) and the situation where laws and regulation supersede the ISAs (210.18-210.21). It is important to know these requirements exist, but they are likely to be relevant in very few audits of micro-entities in Canada.To summarize, of the 16 requirements in 50 paragraphs in ISA 210, paragraphs .06, .09 and .10 are critical, will apply in every engagement and should be in your audit methodology and incorporated into every audit. Knowing you have to deal with three requirements out of 16 is a lot less daunting than considering all 16 every time.In summary, several of the 36 ISAs will not be relevant to the audit of a micro-entity and many requirements in relevant ISAs may need only the briefest consideration. Once they have been considered and determined not to be relevant, they can be ignored year after year unless engagement circumstances change. So why must the practitioner have a complete knowledge and understanding of all 572 requirement paragraphs in the ISAs before undertaking a 12-hour audit? The reason is that you cannot make a professional judgment as to what to leave out if you don’t know what is in the standards in the first place. The question now becomes how best to obtain that knowledge.
Making the standards work for youHow can you use the requirements in ISQC1 and ISA 210 and 220 to your advantage? Looking at the three themes, risk management, communication, and audit efficiency:Risk management-210.06(b) -Is management willing to step up to the plate and take responsibility for financial reporting? In short, have the pre-conditions for an audit been met? -What does ‘taking responsibility’ mean in the context of an audit of a micro-entity? -How involved could and should you get in terms of proposing adjustments, cleaning up messes and providing assistance with drafting statements? Professional judgment and our code of ethics play a big role here.ISQC1.26 -Do you consider your client to have integrity? Are they appropriately competent?220.12-14 -Do you have the skills to do the work requested? Can you be sufficiently objective? Do you have the appropriate staff for the engagement with adequate time to do the work? These are not just idle questions. The standards only require that we meet our minimum professional standards. It is probably not a bad idea to work them into our day-to-day practice. Communication-210.06/.09 -Does management actually understand its role and responsibility in the financial reporting chain? Have you or your staff actually talked with them about this? Have management actually read the engagement letter? What are the implications if they just blindly sign? This standard requires communication with your client. Why not turn that into a constructive conversation, perhaps in the form of reaffirming your respective roles at the beginning of the engagement? This need not take a long time or require a special meeting. Audit efficiency-220.12-14 -Do you have the skills to do the work requested? Can you be sufficiently objective? Do you have the appropriate staff for the engagement with adequate time to do the work? If you are embarking on the type of engagement you do all the time then you are probably organized and prepared. If, however, you are about to embark on a new type of engagement or one with a new client, issues or profitability must always be considered. Will you have to reinvent my wheel to do this audit? Are your recoveries likely to be adequate? Is it worth the investment in time?Remember that every assurance engagement is a business transaction; you are providing statement users with enhanced statement credibility in exchange for money. Both parties have to be comfortable that they are getting value for money. We don’t call our agreement an “Engagement” letter for nothing.
Talk with your clients nowThe ISAs have some new and very specific communication requirements; use these to your advantage. For example:ISA 210 – “Agreeing the Terms of Audit Engagements”, requires management to acknowledge their financial reporting responsibilities in every NFPO audit. The audit is premised on this acknowledgement. Make sure that management knows what they have to bring to the table in order for you to do your audit. If you will have a hand in drafting the financial statements, you might also take this opportunity to explain to your client the safeguards you have put in place to protect your independence.ISAs 240 – “The Auditors Responsibilities Relating to Fraud” and ISA 550 – “Related Parties” requires you to ask very specific questions of both management and board members in every NFPO audit. Take a minute to make a tailored checklist of what you need to ask client personnel in your NFPO audit engagements; then ask away. Remember, it is intended to be very much a two-way conversation.ISA 265 – “Communicating Deficiencies in Internal Control to Management and Those Charged with Governance” requires you to report all significant deficiencies in internal control in writing. ISA 260 – “Communicating with Those Charged with Governance” requires you to report other matters that, in your professional judgment, are important to the financial reporting process. Many NFPO clients respect your expertise and appreciate your suggestions. Use these sections to your advantage as an opportunity for enhanced client service.ISA 700 – “Forming an Audit Opinion and Reporting on Financial Statements”requires an audit report that is quite different from the one we have used up to now. Take the opportunity at some point to go through the new report with management. They just might be interested in why the report, if it includes a scope limitation on the completeness of donations received from the public that is common in many charitable organizations, may not fit on one page. Consider including the expected text of the scope limitation in the engagement and audit-strategy letters that you issue at the beginning of the audit to prevent surprises toward the end of the engagement.