Last year saw significant revisions to the UK’s auditing standards, addressing the audit of accounting estimates and going concern. The coming reporting season will see auditors grappling with further revisions to major auditing standards on risk assessment and fraud. In this article we outline these changes and their impact.
The catalyst for these changes has been the sudden and high-profile failures of major companies and the subsequent scrutiny of the audits of those organisations. As a result, over recent years, we have seen several reviews of the audit market with the aim of improving audit quality. In addition, auditing standards have been updated to keep pace with technology and the way businesses operate today in a digital world, serving a global marketplace.
UK Auditing Standards – what has changed?
For accounting periods commencing on or after 15 December 2021 (which will affect December 2022 year ends first and any short periods of account commencing after 15 December 2021), there are two revisions to existing ISAs (ISA (UK) 315 and ISA (UK) 240) that will come into effect and directly impact the work the auditor is performing.
ISA (UK) 315, the standard on identifying and assessing the risks of material misstatements, has seen a significant expansion. This standard is all about understanding the entity, its environment, and the applicable financial reporting framework, in order to adequately identify the risks of material misstatement.
The corporate landscape has changed significantly since this standard first came into effect, notably a significant shift in the adoption of new technology in every aspect of our lives. What this standard aims to achieve is ensuring the focus, at the start of any audit, is on really understanding the entity. The auditors’ procedures are planned in direct response to the risks identified, and these new revisions now require a lot more work to be done to ensure the auditors’ risk assessment is robust enough to correctly identify those risks of material misstatement.
Changes to ISA (UK) 315 will likely result in more discussions and requests for information and documentation during the audit planning. This will mean your auditor potentially looking more closely at policies, procedures and internal controls than they have done in previous years, and they will focus more heavily on the general IT environment to gather a greater understanding of the potential risks arising from the technology used within your business. The auditor will need to gain a more thorough understanding of the structure of the IT hardware and software and the various layers of the IT system such as security and access rights.
Five inherent risk factors have also been introduced to aid in risk assessment: complexity, subjectivity, change, uncertainty and susceptibility to misstatement due to management bias or other fraud risk factors, insofar as they affect inherent risk. New requirements have been added with respect to the entity’s control environment, including more evidence/information on controls relevant to the audit and on the design and implementation testing required to be undertaken in all cases.
The auditor’s responsibilities in relation to fraud
ISA (UK) 240 revisions will come into effect at the same time, relating to the auditors’ responsibilities regarding fraud in the financial statements. It has never been so important for businesses, and auditors, to remain vigilant in this area. The revisions to ISA (UK) 240 aim to clarify the auditor’s responsibilities relating to fraud, to address the expectation gap between what the public feels an auditor does or should do in relation to fraud, and what the auditor’s obligations actually are in this area.
Many of the new requirements come at the risk assessment stage. The auditor must make inquiries with individuals in the entity who deal with allegations of fraud raised by employees, discuss risks of fraud with those charged with governance, and evaluate any inconsistencies in responses. There are also new requirements to determine whether the engagement team requires specialised skills or knowledge to perform the audit procedures in this area.
It has been highlighted within the standard that the risk of misstatement due to fraud may be higher than the risk related to error, simply by the fact that an error results from a mistake, whereas an individual or group of individuals committing fraud will have made considerable efforts to ensure the fraud goes undetected.
As with ISA (UK) 315, there is a greater focus on professional scepticism, including requirements for the auditor to remain alert for conditions that might suggest that a document or record is not genuine, and to investigate implausible responses to inquiries as well as inconsistent responses.
What will these revisions mean for a business being audited?
Your auditor will undoubtedly be performing more audit procedures as a result of these changes, but the size of the impact on the controls and substantive testing will inevitably vary from entity to entity as the risk assessment and risks identified are naturally unique to each business. The only certainty is that all businesses should be prepared for the step change and the increased rigour from the audit in the coming reporting season.
For more information on any of the points raised here, get in touch with your usual Saffery contact, or speak to Anna Hicks.