Let’s face it, auditing can be like herding cats.
There are so many factors that must be considered simultaneously that it’s really impossible to proceed through anything but the most basic job without new facts emerging, new risks surfacing, and expectations changing. We try to nail this down and not miss anything, with our programmes and engagement letters, but it’s still easy for something to slip through in the busyness.
The new ISA 315 standard addresses this using the language of “iterative and dynamic”. It says:
The auditor’s understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control are interdependent with concepts within the requirements to identify and assess the risks of material misstatement. (paragraph 7)
Consider what we are asked to simultaneously evaluate:
- The entity itself – history, structure, goals. funding etc.
- The environment in which it exists – legislation, competitors, industry trends etc.
- The reporting framework under which it is required to or chooses to report.
- The inherent risks associated with the above.
- The control systems used to assist the entity to fulfill its business and reporting responsibilities.
- The risks associated with those activities and their exposure to both error and fraud.
- How risk relates to different classes of transactions, different account balances, or disclosures.
- How risk relates to the assertions made by the client regarding the different classes of transactions, different account balances, or disclosures.
- The materiality of risks and errors found.
- Responses and how to address the risks identified.
- How these responses relate to each other and combine to give an overall level of comfort to the auditor.
- And much more!
IFAC diagram it like this:
So the new standard helpfully informs us that the process is regarded as iterative and dynamic. In other words, it is okay to jiggle our thoughts and responses around until we arrive at the best approach. Auditing is perhaps best regarded as an art more than a science at this level of complexity. Hence the emphasis on exercising professional judgement.
In practical terms, this approach means that we make our preliminary assessments of risk right from our first conversation with the client. We note these down. Then we do some more background research, and we note down our understanding of the client. This may unearth more possible risks. We gain access to client documents, minutes, legal documents and agreements, and past financial reports, and the bigger picture begins to form. We update some of our earlier impressions and go back with more questions.
Then we meet with our team and brainstorm about what they perceive as the risks (especially the inherent risks as we have already noted). We update our assessment of risk. We move identified items around the spectrum of inherent risk as we seek to bring the focus on what is significant.
Paragraph A48 points out the obvious: “…the auditor’s expectations may change as new information is obtained.” We draw initial conclusions, but we update these as our understanding of the client grows. Finally (?) we have a plan that has identified the significant risks and what are the most efficient ways to reduce audit risk to an acceptable level.
Then we start carrying out the work we have decided is required to respond to the risks identified. But (who knew?) more issues surface as we start digging, so we go back and revise our plan accordingly.
Paragraph 7 concludes:
In addition, this ISA (NZ) and ISA (NZ) 330 require the auditor to revise the risk assessments, and modify further overall responses and further audit procedures, based on audit evidence obtained from performing further audit procedures in accordance with ISA (NZ) 330, or if new information is obtained.
This has always been what good auditors do intuitively and was inferred by the old standard. Practical wisdom would suggest taking the time to revisit our plans, not rushing ahead without being really clear on what the risks are and whether our responses are actually addressing those risks, and being flexible enough to adapt to new information as we go.
Who said herding cats isn’t fun?