Firms have learnt a lot from their implementation and application of the revised ISA 315/ISA (UK) 315 on ‘Identifying and assessing the risks of material misstatement’. This article shares some insights, impressions and lessons learned from first-time adoption, based on the experiences of auditors, feedback from faculty webinars during 2023 and responses to a brief faculty survey on:

• the greatest positive difference the standard has made to audits and why;
• what firms have found most difficult and why; and 
• areas where training has been most needed and why.

It was great to see firms responding to the survey with positive feedback on the benefits of ISA 315, including its potential to reinforce the need for original thought and tailored audit responses. However, some auditors are still encountering practical challenges and querying the value of some of the (nearly) new mandatory requirements in the revised standard.

The following summarises some of the main benefits and opportunities of embracing ISA 315 and offers insights which should help address concerns and difficulties raised in some responses to the survey (which can be explored in more detail in our recent ISA 315 webinar).

Scalability

ISA 315 may be a daunting standard, leading some to question whether it can truly be applied to smaller and (dare we use the phrase) ‘less complex’ entities. Ironically, it was similar concerns about the preceding version of the standard that contributed to its revision. However, one reason the revised ISA is so large is that it promotes scalability and provides practical examples of its application. There is a focus on business model complexity rather than size. This is a much better approach, as not all large entities are complex and some small entities in certain sectors can be fraught with risks.

There is no substitute for reading the ISA to help demystify the scalability misconception.

Understanding the entity and environment 

Reading web reviews and performing other research before booking a holiday or making a big purchase has become the norm. Why should we apply a different mindset when approaching an audit?

Most firms, regardless of size, refer in tenders and marketing material to understanding their clients and delivering exceptional client service. In this regard ISA 315 provides a useful blueprint about what you need to know about the audit entity which is fundamental to the risk assessment and audit response. Why wouldn’t you want to know about its key customers, key suppliers, key terms and conditions of doing business, how the entity makes or sells products and services, and its dependencies on information technology (IT) and service providers? This knowledge is pervasive to the audit and supports the application of professional scepticism. 

Audits can feel time pressured, and it is understandable that the sound of the ticking clock seems to get louder as you spend hours researching industry/sector databases, looking more closely at management information, discussing systems and processes, and doing walkthroughs. It can be tempting to adopt an approach that is the same as last year – and possibly for years before that, too. ISA 315 provides a great opportunity to revisit your approach.

Holding your nerve can make a big difference to how you engage with your audit client, allowing for more targeted questions and incisive feedback, supporting exceptional client service and audit quality. As your expectations become more informed you are better placed to spot unusual trends which may indicate heightened risks or the possibility of fraud. This better understanding allows for a more targeted audit approach.

The value of controls, IT and GITCs evaluation

This is an area where it could be tempting to mis-quote the Nike tagline “Just do it!” and say no more. After all, the ISA makes these activities mandatory regardless of the proposed audit approach. An unsuspecting auditor could find themselves in an uncomfortable position if they did not evaluate controls, IT and general IT controls (GITC), only for an issue to arise subsequently which called into question the reliability of the audit.

However, the approach you take to doing something only because you have to is not always as effective as it could be; appreciating the benefits is almost always more compelling. Taking the time to properly evaluate controls, IT and GITCs can allow teams to redesign the audit approach and implement new techniques which can capture more effective assurance more efficiently. This can improve the overall quality of an audit. It could also save you a lot of angst should a negative issue subsequently emerge.

The sample size conundrum

Concerns among auditors about sample sizes have been compounded over recent years as many methodology providers have removed or repositioned their stance on sample caps. For those lamenting the passing of the sample cap and concerned by the apparent increase in sample sizes, ISA 315 is, believe it or not, your friend, as outlined in an earlier article. Working through ISA 315 properly should give an auditor the confidence to adopt alternative testing strategies including controls testing, substantive analytics, data analytics and computer-aided audit tools, and to leverage tools that make use of open banking. While some tests of detail will remain, residual populations will be smaller and more focused, reducing sample sizes. 

The revised ISA does, however, make it clear that there may be instances where substantive testing alone may not be enough, such as high-volume, low-value populations. Here audit teams will need to explore alternative testing strategies or risk the sufficiency of their assurance being called into question. The recent thematic on sampling from the UK’s Financial Reporting Council provides useful insights on sampling, which is as applicable to non-PIE audits as it is PIEs.

Documentation

ISA 315 is an evidence-based standard. Many off-the-shelf audit platforms and proprietary solutions have great work programmes and checklists. However, these are aide-memoires, not the audit, and just filling them in is unlikely to be enough. It is not what the regulators want to see and is unlikely to be what the providers intended as evidence spread across the audit file. There is no substitute for well-reasoned integrated notes to demonstrate your understanding of the key matters relevant to the audit, the detail of which is scalable and linked to the complexity of the entity. 

The power of a flow chart should not be underestimated. A picture can paint a thousand words and a good flow chart can flush out misunderstandings, weaknesses in systems and key risks, and aid the briefing of team members and test design. Flow charts are also less daunting to review than multiple pages of notes (for those who have gone beyond the checklist approach).

Conclusion

After considering all of this, you may still find yourself thinking (to paraphrase one survey respondent): “We have done all of this, and it has made no difference to our audit, except add cost. What is the point?” If so, it may be time to reflect on whether:

• you might be suffering from a perfect storm of confirmation bias and familiarity threat;
• your approach is truly objective, ensuring you have not missed any significant risks; and
• your audit response will stand up to scrutiny.

The last point is apposite: there will undoubtedly be additional costs arising from an effective risk assessment. 

The extent of these additional costs will depend on how progressive your previous audit strategy was, as some costs can be offset by a more effective audit. However, these incremental costs will seem insignificant if your audit is called into question by a regulator, professional body or litigator. Perhaps more positively, this additional cost will in part be offset by a more efficient and effective audit and support better client engagement and stakeholder service. You should not lose sight of partner and staff attraction and retention. 

An unimaginative checkbox audit is not what attracted many of us to audit and will drive away good talent. For the right-minded, ISA 315 can reignite the audit passion.

Rhodri Whitlock, Assurance and Advisory Consultant, HPL Associates, and Paul Winrow, Partner, Mazars UK