Auditing accounting estimates in an ISA audit (updated August 2019)

This version of the guide is relevant for audits of financial statements for accounting periods commencing on or after 15 December 2019. For audits of earlier periods see Auditing accounting estimates in an ISA audit.

KEY ISAS*
ISA 540 (Revised ) Auditing accounting estimates and related disclosures
* The guidance below focuses on key issues in implementing ISAs as issued by the International Auditing and Assurance Standards Board. It does not address all ISA requirements.

Why is it important?

Years ago, bad debt and inventory provisions might have been the key estimates in financial statements. Today, estimates creep into many other places including pension liabilities, impairments, provisions for legal claims and financial instruments and some of them are based on increasingly complex calculations that require judgement.

The latest revision to ISA 540 introduces robust requirements, particularly geared towards addressing the audit of complex estimates but the standard is applicable to all estimates and, as a result, is scalable. The standard particularly focuses on enhancing professional scepticism and communications and transparency between the auditor and those charged with governance. It has introduced some key changes and enhancements including:

• enhanced risk assessment procedures;
• a requirement for separate inherent risk and control risk assessments at the assertion level and introduction of the spectrum of inherent risk;
• enhanced emphasis on the auditor’s decisions about controls;
• the need for the further audit procedures to be responsive to the assessed risks of material misstatement and that the higher the assessed risk the more persuasive the audit evidence needs to be;
• work effort structured around testing methods, data and assumptions;
• enhanced documentation requirements;
• enhanced scepticism requirements;
• overall stand-back requirement;
• enhanced audit requirements for disclosures; and
• a new requirement to consider matters relating to estimates when communicating with those charged with governance.

As with the other ISAs, the standard is split between objectives, requirements and application material.

Requirements and challenges

How are accounting estimates picked up in risk assessment?

To provide a basis for the identification and assessment of the risks of material misstatement the first step in applying the standard is to obtain an understanding of the entity and its environment, including:

• transactions and other events/conditions that may give rise to the need for or changes in estimates to be recognised or disclosed; 
• the requirements of the Financial Reporting framework relating to accounting estimates and how they apply in the context of the nature and circumstances of the entity and its environment, including how transactions or other events and conditions are subject to, or affected by, inherent risk factors;
• regulatory factors or frameworks relevant to the entity’s accounting estimates; 
• the nature of the accounting estimates and disclosures (based on the understanding gained from the above procedures) that the auditor expects to see in the entity’s financial statements.

The auditor also needs to understand the entity’s internal control which includes:

• the nature and extent of oversight and governance over management financial reporting process in relation to accounting estimates;
• how management identifies the need for, and applies specialised skills or knowledge related to accounting estimates, including with respect to the use of a management’s expert;
• how the entity’s risk assessment process identifies and addresses risks relating to accounting estimates; and  
• the entity’s information system as it relates to accounting estimates.

A key scalability point is that the detailed information system understanding is only needed for estimates that arise from significant classes of transactions, account balances and disclosures.

The auditor needs to understand the relevant control activities over management’s process for making accounting estimates and how management reviews the outcomes of previous accounting estimates and responds to the results.

Another step in risk assessment is to revisit estimates used in the prior period or, where applicable, their subsequent re-estimation in the current period. This is not designed to call into question previous judgements; rather, it assists in identifying current period risks. For example, an entity traditionally applies a sliding scale of percentages to provide for old inventory. If, in the current year, some types of inventory turn out to have been sold for both significantly higher and lower prices, this may indicate that the auditor needs to do more work to challenge management on whether such a simple technique is appropriate.

Conversely, if almost all old inventory is sold for an amount higher than the written down amount, it might indicate management bias and, at the very least, call into question whether the assumed percentages were the best estimates. At worst, it could indicate a deliberate attempt to defraud.

The auditor also needs to determine upfront whether the engagement team requires specialised skills to perform risk assessment procedures, identify or assess the risks of material misstatement, design and perform audit procedures to respond to those risks or evaluate the audit evidence obtained.

The standard also includes a specific requirement to document the key elements of the auditor’s understanding of the entity, its environment and the entity’s internal control.

Are all estimates equal?

In a word, no. The extent of further work to be performed will be dependent on the assessed risks of material misstatements.

In assessing the risks of material misstatement relating to an accounting estimate, the auditor is required to separately assess inherent and control risk at the assertion level. These assessments then form the basis for the design and performance of further audit procedures to respond to the assessed risks of material misstatement.

The assessment of inherent risk depends on the degree to which the inherent risk factors affect the likelihood or magnitude of misstatement and the auditor’s assessment of this varies on a scale referred to in the standard as the spectrum of inherent risk.

The inherent risk factors are:

• The degree of estimation uncertainty in the estimate; and
• The degree to which subjectivity, complexity or other inherent risk factors affects the selection and application of methods, data and assumptions in making the estimate or the selection of management’s point estimate and related disclosures.

Just because an estimated number is large does not mean the degree of estimation uncertainty is high or vice versa. Consider an entity for which materiality has been determined as €10,000.

The entity has an investment property, revalued each year to open market value. At the year end, the property is under offer for a price of €2m and conveyancing is progressing smoothly. While the value is significant, the degree of uncertainty is low given a firm indication of price from the offer made.

The same entity has a tax liability of €5,000, being tax on profits of €100,000 less group relief of €95,000. The allowability of group relief is disputed and the tax advisors believe it could go either way. With a 50:50 chance of success, the estimation uncertainty is €95,000, which is very high.

In relation to control risk, the auditor needs to understand the controls in place and the environment. The auditor needs to think about whether the further audit procedures planned are reliant on the operating effectiveness of controls as this will influence whether tests of controls are needed. Tests of controls are needed if the auditor plans to rely on the controls or in situations where substantive procedures alone cannot provide sufficient appropriate audit evidence.

Having considered these factors, the auditor ought to have an understanding of the risks that estimates and disclosures might be materially misstated.

How does the auditor respond to assessed risks?

Just as the requirements in relation to the risk assessment procedures in ISA 540 are really a guide to applying ISA 315, the requirements to respond to risks in ISA 540 (are really a guide to applying ISA 330 to estimates. In common with ISA 330, ISA 540 recognises that there is no ‘one size fits all’ response and that different responses will be needed depending on the assessed risks. To demonstrate scalability, the standard therefore makes it clear that the further audit procedures need to be responsive to the reasons for the assessed risk of material misstatement and that the higher the assessed risk, the more persuasive the audit evidence needs to be. The linkage of the further audit procedures with the assessed risk and the reasons for the assessment needs to be documented.

Alongside this, and highlighting the need for professional scepticism, the auditor is required to design and perform further audit procedures without a bias towards obtaining corroborative or excluding contradictory evidence.

ISA 540 requires the auditor to respond in one or more of three ways by:

• obtaining evidence from events up to the date of the audit report;
• testing how management has made the estimate;
• developing the auditor’s own point estimate or range.

For the second and third approaches the requirements are structured around testing the methods, data and assumptions.

How does the auditor determine whether the methods, assumptions or data are appropriate?

The first stage is determining whether management has appropriately applied the requirements of the financial reporting framework in relation to the methods chosen, significant assumptions made and selection of data. This may be relatively straightforward. The auditor also needs to assess whether any changes from the prior period are appropriate in the circumstances.

The auditor also needs to think about whether:

• the calculations are applied in accordance with the method and are mathematically accurate and if the method involves complex modelling, judgements have been applied consistently and the design of the model meets the measurement objective of the financial reporting framework (and the auditor may need to consider whether there is a need for specialised skills or knowledge here);
• Significant assumptions are consistent with each other and those used in other accounting estimates or with related assumptions used in other areas of the entity’s business activities; and
• The data is relevant and reliable and has been appropriately understood or interpreted by management.

Arbitrary changes in methods, data or inconsistency in significant assumptions not justified by changes in circumstances or new information will need to be discussed with management. What is required in all cases is the use of judgement and professional scepticism. For example, where an impairment calculation is supported by assumptions about future sales, the auditor’s industry knowledge and judgement will be important in considering the reasonableness of sales figures used in discounted cash flow forecasts.

What if management hasn’t taken appropriate steps to address estimation uncertainty?

The auditor needs to consider whether management has taken appropriate steps to understand estimation uncertainty and address it by selecting an appropriate point estimate and by developing related disclosures. If, based on the audit evidence obtained, the auditor doesn’t believe that management has appropriately addressed estimation uncertainty the auditor must

• Request management to do more work – which means either additional procedures, reconsideration of the point estimate or additional disclosures – and evaluate the response;
• If the response does not sufficiently address estimation uncertainty, develop an auditor’s point estimate or range (if practicable); and
• Evaluate whether a deficiency in internal control exists (requiring a communication in accordance with ISA 265).

The audit documentation needs to show how the auditor has responded to this.

How does the auditor develop a point estimate or range?

Developing an auditor’s point estimate or range might be necessary where, for example, there are appropriate alternative assumptions or sources of data that can be used or if the auditor’s review of similar accounting estimates made in the prior period suggests that the current period process is not likely to be effective.

In relation to the use of point and range estimates, the auditor may use management’s or the auditor’s own methods, assumptions and data but either way the further audit procedures should be performed to address the same considerations in relation to methods, assumptions and data as required when testing how management has made the estimate.

If using different assumptions to those used by management, the auditor needs to understand management’s assumptions well enough to establish that they have considered relevant variables and evaluated differences. Different, equally valid assumptions may be used as inputs to a model but if there is little effect on the estimate, it may suggest that management’s estimate is appropriate. If there is a significant difference, it might suggest that management has made an error, or that there is high sensitivity to changes in assumptions which might indicate that the assessed risk should be higher along the spectrum. It will also lead the auditor to consider the reasonableness of disclosures about estimation uncertainty.

If the auditor concludes that it is appropriate to use a range, the range is narrowed based on audit evidence available, until all outcomes within the range are considered reasonable. This should be obvious. The auditor excludes from the range those extremities unlikely to occur and, looking at the remaining reasonable range, compares it with management’s estimate. The size of the “reasonable” range may itself be useful because if it is significant then estimation uncertainty may be a significant risk.

What about management bias?

The auditor needs to think about whether management’s judgements and decisions in making estimates are indicators of management bias – even where they might be individually reasonable. This means considering whether the judgements made in selecting the method, significant assumptions or data give rise to indicators of possible management bias. Indicators of possible management bias include arbitrary changes in estimates or methods, or overly optimistic or pessimistic assumptions. This is particularly the case where these changes or assumptions help management achieve an objective such as maximising a bonus or minimising tax which, in extreme circumstances, may indicate fraud.

Where there are indicators, the auditor needs to think about how these affect the audit and document both the indicators and the auditor’s evaluation of the implications.

What about significant risks?

The standard requires the auditor to determine whether any of the risks of material misstatement identified and assessed are significant risks and where this is the case the auditor needs to obtain an understanding of the entity’s controls, including control activities, relevant to that risk.

What is required for the overall evaluation?

The standard includes a requirement to ‘stand back’ and evaluate, based on the audit procedures performed and audit evidence obtained, whether:

• the risk assessments at the assertion level are still appropriate;
• management’s decisions relating to recognition, measurement and presentation and disclosure are in accordance with the financial reporting framework; and
• sufficient appropriate audit evidence has been obtained.

There is a particular emphasis here on taking account of all relevant audit evidence, whether corroborative and contradictory.

How does the auditor evaluate the reasonableness of estimates and related disclosures?

The auditor must evaluate whether the estimates and related disclosures are reasonable with regard to the financial reporting framework – or are misstated.

This includes considering whether the estimate is reliable enough to be recognised. For example, IAS 37 Provisions, contingent liabilities and contingent assets requires that if a provision cannot be reliably estimated it should not be booked. A contingent liability should be disclosed instead and the need for an emphasis of matter in the auditor’s report should be considered in such circumstances.

When the auditor has determined a point estimate, a difference between that estimate and management’s is a misstatement. Where the auditor’s estimate is a range, the misstatement is no less than the difference between management’s point estimate and the nearest point of the auditor’s range. When the audit evidence supports a wide range (even multiples of materiality for the financial statements as a whole) it may indicate that it is important for the auditor to reconsider whether sufficient appropriate audit evidence has been obtained regarding the reasonableness of the amounts within the range.

The auditor must also document significant judgements relating to their assessment. They must also obtain written representations from management about the appropriateness of the methods, significant assumptions and data used in making the accounting estimates in terms of achieving recognition, measurement and disclosure that is in accordance with the financial reporting framework.

What communications with those charged with governance are necessary?

In accordance with ISA 260 and ISA 265 the auditor needs to communicate significant qualitative aspects of the entity’s accounting practices and significant deficiencies in internal control related to estimates and related disclosures. Appendix 2 of ISA 540 includes examples of matters that the auditor might want to communicate here.