ISA 720 will require auditors to be alert for inconsistencies between the Provision 29 declaration and (a) the audited financial statements and (b) the auditor’s knowledge obtained during the audit, in the same way they should be alert about inconsistencies in the rest of the other information presented in the annual report. 

Auditors told ICAEW that any inconsistencies arising seem likely to be in the latter category because management and auditors may take a different view of the level of process that is appropriate to determine the effectiveness of material internal controls, and on how much evidence is needed to support the declaration of effectiveness. There will also be more focus on internal control deficiencies identified by auditors. 

Broadly speaking, auditors suggested that they may take a more granular view of what constitutes a material control than management and possibly a wider view of the controls to be considered.

Some also suggested that some companies, at least initially, might consider explaining, for example, that they have focused on material controls over financial reporting and that they will include operational and compliance controls in subsequent periods. 

However, explaining why the monitoring and review of material control effectiveness and/or the related declaration of effectiveness have not been done might be interpreted as an implicit admission that controls are not effective, which might not be well-received. 

For companies – and specifically audit committees – discussions are taking place about what constitutes a ‘material’ control for these purposes. Audit committees and auditors will, in time, also need to consider the nature and extent of disclosure.

Concerns were expressed about the development of standard wording on internal controls by investor relations teams among some smaller listed entities, without any apparent consideration of the need to provide evidence to auditors to support the wording. 

Increased ISA 720 work effort arising from Provision 29 revisions 

Auditors sometimes perform more work than is required by ISAs in some key areas. In addition to the required ISA 720 consistency check, auditors may perform further procedures in response to perceived client and market expectations, particularly for larger listed entities. 

It seems likely that in the absence of further guidance, particularly in relation to the work on non-financial reporting controls, current inconsistencies between firms relating to additional work in these areas will be exacerbated by the revised requirements of Provision 29. 

While ISA 720 has not changed, auditors believe that the new declaration will be considered a significant piece of ‘other information’ and, as such, they are likely to revisit their audit procedures and increase their work effort in this area. It will necessitate additional engagement with audit committees and the board on the process used by the board in making the declaration.

The nature and extent of additional work, if any, performed by auditors remains to be seen. Any additional costs have the potential to add to existing pressures on the attractiveness of the public interest entity audit market to new entrants.

Links to the audit approach

In practice, the audit approach to many audits – including the audits of large Code companies – remains substantive. This is not necessarily because company controls are inadequate; it may simply be because it is a more efficient audit approach. 

Auditors taking a substantive approach do not ignore controls, as ISA 315 on risk assessment requires them to consider the design and implementation of controls, even if they do not test them. While the scope of controls to be considered under ISA 315 is different to the scope of material controls within the declaration of effectiveness, there is an overlap. 

The new board declaration makes it likely that in future, some auditors taking a substantive approach may perform additional procedures on key controls, to support the required statutory audit opinion to the effect that the other information is consistent with the financial statements, as well as the auditor’s knowledge obtained during the audit.

Auditors may ask for higher quality information from management and devote more work effort towards remediation. This, in turn, may drive some further housekeeping by companies on controls. 

The interaction of revisions to Provision 29 and ISA 720 may also drive changes to the audit approach, and reconsideration of whether a substantive approach is in fact more efficient than a controls-based approach. Some auditors noted that they are considering more work on controls in the context of the removal of the cap on sample sizes and that the Financial Reporting Council (FRC) is suggesting to them that more work is needed on internal controls as part of the statutory audit more widely.

Some auditors suggested that in future some boards may pay more attention generally to the ‘front end’ of the annual report. A ‘comply or explain’ approach to the Code is required by the Financial Conduct Authority as well as the FRC, and both have an interest in the work performed under ISA 720 on other information in this context.

Management, market and other stakeholder expectations 

Despite explanations in the audit report and engagement with management, those charged with governance and other stakeholders, auditors reported that assumptions are sometimes made about the nature and extent of the work performed on the ‘front half’ of the annual report that are wide of the mark, in several respects. 

A belief that the whole annual report is audited aside, the baseline requirement of ISA 720 can seem low to some stakeholders. As noted above, auditors reported doing more than is required in some key areas, particularly around potentially market sensitive information. 

The fact that such information – including the declaration of effectiveness of material controls under Provision 29 – has not been audited, or at least subject to more than a ‘read’ requirement and a consistency check, may not be immediately obvious, even to engaged stakeholders.