Risk assessment and internal controls: continuing challenges for auditors
Risk assessment is critical to the conduct of all financial statement audits. The idea of a ‘risk-based’ approach to auditing has been around for at least 20 years, and it is not a difficult concept: it refers to the focus of the audit process on those areas that are most at risk of material misstatement. But both auditors and regulators report problems in in applying the relevant auditing standards consistently.
The last major revision to the auditing standards governing risk assessment in an audit (the ‘risk ISAs’ referring to ISAs 315 "Identifying and assessing the risks of material misstatement through understanding the entity and its environment" and 330 "The auditor’s procedures in response to assessed risks)" was finalised in 2003. Firms of all sizes initially struggled to apply the new requirements and there was general agreement that while there was nothing inherently difficult about the new ISAs, they were unwieldy, not an easy read, and that they were particularly hard to apply to smaller, less complex audits.
A ‘clarification’ process in 2010 was intended to eliminate unnecessary complexity in the structure of the ISAs, to make them clearer. Despite this, some believe that the risk ISAs are still unnecessarily lengthy, still hard to apply to smaller less complex audits and that they may be conceptually flawed, as well as being out of date.
International Standards on Auditing (ISAs) apply to audits of all sizes and they must accommodate the largest of audits, in all of their complexity, as well as smaller ones. While they are intended to be capable of proportionate application to smaller, less complex audits, problems in applying them persist and many auditors continue, after over a decade, to struggle to apply them efficiently to such audits. There are a number of reasons for this. Part of the issue is a lack of understanding of the standards themselves among some auditors. But extensive educational efforts by professional bodies and others have not eliminated these problems, some of which seem intractable. Part of the problem inevitably lies in the ISAs themselves, and some problems almost certainly pre-date all of the changes.
For example, for auditors of smaller, less complex entities, there are continuing problems with the work required on internal controls as part of understanding the business, even when a wholly substantive approach is taken. In many audits there are problems with the linkages between risk assessment and the auditors’ response, and both regulators and auditors complain about inconsistences in how risks, and particularly ‘significant risks’, which require additional audit work, are defined in the ISAs and assessed in practice.
The risk ISAs are being revised. IAASB’s post-implementation review of the clarified ISAs highlighted a number of significant issues that need to be addressed, and the IAASB now has these ISAs on its agenda. An initial discussion is scheduled for the March 2016 meeting.
"Risk assessment and internal controls: continuing challenges for auditors" is a contribution to the debate. It is a series of three articles intended to stimulate and inform debate in this singularly critical area. Some of these issues highlighted are relevant to larger audits, but many are disproportionately problematic in smaller, less complex audits.
These articles are not a comprehensive review of issues with the risk ISAs. Rather, they focus on areas from the auditors’ perspective, and in particular on the application of the risk ISAs to smaller, less complex audits. All three articles have been written with extensive input from ICAEW auditors.
The three articles cover:
- aspects of risk assessment and the auditor’s response thereto that continue to present challenges to auditors, and IAASB’s plans to address them;
- continuing challenges arising from required audit work on documenting and testing internal controls; and
- required audit work on the design and implementation of internal control components in smaller and less complex audits: this article first appeared in the May 2014 edition of Audit & Beyond.