PwC believes that the proposed revisions will prove beneficial to external auditors in: (1) explaining how the internal audit function can inform the external auditor's understanding of the entity and risk assessment; and (2) determining if, and when, it is appropriate for the external auditor to use the work of internal audit.
For the attention of Mr James Gunn
International Auditing and Assurance Standards Board
545 Fifth Avenue, 14th Floor
New York, New York, 10017
16 November 2010
IAASB Exposure Draft ISA 610 (Revised) – ‘Using the Work of Internal Auditors’ and related enhancements to ISA 315 (Revised) – ‘Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment’
We appreciate the opportunity to comment on the IAASB’s proposed revision to International Standard on Auditing, ISA 610 (Revised), ‘Using the Work of Internal Auditors’ and related enhancements to ISA 315 (Revised), ‘Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment’.
Following extensive consultation with members of the PricewaterhouseCoopers network of firms, this response summarises the views of member firms who commented on this Exposure Draft. “PricewaterhouseCoopers” refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.
We fully support the need to revise both standards, recognising developments in internal audit practices. The proposed revisions will prove beneficial to external auditors in:
We believe the clear separation of requirements between ISA 315 and ISA 610 is of particular benefit in aiding understanding of requirements expected on all engagements and when, and if, ISA 610 is applicable to the audit.
It is also useful to clarify whether or not the external auditor may use internal audit staff to provide direct assistance on the audit engagement, as the extant ISA 610 was ambiguous in this regard. Recognising that internal auditors are not independent of the entity, it is also useful to clarify the safeguards external auditors need to put in place in such circumstances.
Overall, we are supportive of the proposals and content of the proposed revised standards. We agree with the underlying principle in ISA 610 that the decision being made by the external auditor is whether or not the external auditor is able to use assurance work performed by the internal audit function in lieu of performing that work themselves. Thus, we support the focus of the requirements in ISA 610 on the work effort needed to have a robust basis to assess the quality of the assurance work of the internal audit function so that the external auditor can make an informed decision of whether, and to what extent, work of the internal audit function can be used for purposes of the external audit.
With respect to ISA 610, we also strongly support the principle that judgment is the key driver in decisions over the planned use of the work of the internal audit function. The external auditor needs to assess the quality of that assurance work to reduce the risk that those audit procedures may not have been performed effectively. In our view, that risk is largely driven by the extent of judgment that is required in performing, and evaluating the results of, such work. Thus, the “risk assessment” involved in deciding whether or not it is appropriate to use the work of the internal audit function is different from the external auditor’s assessment of the risk of material misstatement in the financial statements. We do, however, acknowledge the relationship between risk of material misstatement and the level of judgment that is likely to be required for a particular procedure and believe that IAASB has made the appropriate linkage between these in the application guidance.
Our detailed comments in response to the specific questions raised in the exposure draft are set out below and explain further our views in respect of the areas of the proposed content that we feel could be improved. We have also provided some specific suggestions for the Board to consider in the appendix to this letter. We encourage IAASB to address these comments in finalising the revised ISAs.
Request for specific comments
1. Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315?
We support the changes proposed in ISA 315 and believe that these bring clarity to the expected communications with the internal audit function and how such communications can enhance the external auditor’s risk assessment. We believe that ISA 315 is the most appropriate place for this requirement, supporting the clear separation of procedures required on all engagements from those applicable if, and when, the external auditor decides to use the work of the internal audit function (ISA 610).
2. Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining:
We believe the proposed standard provides a good basis for guiding external auditors on the factors to be considered in determining whether and to what extent it is appropriate to use the work of the internal audit function and the planned use of that work. In particular, we support the prohibition on the use of work of the internal audit function when either objectivity or competence is considered to be low. We also agree that even when objectivity and competence is deemed to be greater than low, it is important that the external auditor consider the degree of objectivity and competence, recognising that there is a range that will vary across individuals. Such considerations will help tailor the external auditor’s decisions regarding how internal audit work may be used, the evaluation of the results of such work and the extent of work required by the external auditor that is appropriate to enable them to have a sound basis to judge its quality.
As noted in our overall comments, we are supportive of the requirements focussing on the amount of judgment involved, as a basis for determining the planned use of the work of the internal audit function. We believe that introducing in the requirements the risk of material misstatement as a further explicit factor to take into account would introduce an unnecessary level of complexity to the decisions to be made. In our view, if the risk of material misstatement were to be a factor in its own right, it needs to be clear when it, on its own, would influence the auditor’s decision on whether or not it is appropriate to use internal audit work. We are not convinced that it would.
Even in relation to an assertion that the external auditor has assessed as a significant risk, it may often be possible that certain audit procedures that require less judgment can provide relevant audit evidence. We believe external auditors should be able to use such work – even though it is unlikely to represent a substantial portion of the audit evidence that will be needed in response to that risk. On the other hand, certain audit procedures performed in relation to risks other than significant risks might involve significant judgment. In our view, that internal audit work should not be used. Thus, it is the amount of judgment involved in planning and performing the audit procedure and in evaluating the results that is the appropriate driver for the decision, rather than the risk of misstatement. We cannot think of a situation when risk alone would be the determining factor.
However, we believe it may be useful to add guidance to the application material in ISA 610 paragraph A12 to illustrate more explicitly the link between the external auditor’s assessment of the risk of material misstatement and the extent of the use of the work of the internal audit function. For example, IAASB could consider adding guidance similar to that in US standard AU 322, which states that for assertions identified with an assessed high risk of material misstatement:“the consideration of internal auditors’ work cannot alone reduce audit risk to an acceptable level to eliminate the necessity to perform tests of those assertions directly by the auditor.”
Although internal audit plays a role in management’s monitoring of controls, the internal audit function is different from other monitoring controls and the work of such a function is not a “control activity”. The key difference is that it is a separate function performing assurance work with its own quality control policies and procedures over that work. Therefore, we support the view in ISA 610 that it is important to clearly differentiate testing of controls by an internal audit function that has a systematic and disciplined approach and system of quality control from similar testing performed by other individuals within an entity. As set out in paragraph 10 of ISA 610, any testing by individuals in an entity that is not subject to a systematic and disciplined approach should be considered a control activity and, therefore, the external auditor would need to obtain evidence regarding the effectiveness of such a control, in accordance with ISA 330. However we believe that this distinction could be made more explicit, and encourage IAASB to draw on the wording above.
There are two important additional implications of this rationale:
3. Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor?
We support the inclusion of this requirement in ISA 610 and believe that this is likely to be existing common practice for many engagement teams, where the work of internal auditors is used. We also support the application material included in ISA 315 and believe that paragraph A6b, setting out guidance on reading internal audit reports that may have findings relevant to the audit, has been set at an appropriate level. A certain amount of judgment is necessary in this regard as mandating the reading of all internal audit reports, as part of any requirement in ISA 315, may not be practicable in some circumstances.
4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to:
We believe that the proposed ISA 610 contains appropriate guidance for determining whether and how direct assistance may be provided. In particular, the focus on direction and supervision by the external auditor and emphasis that all significant judgments remain the sole responsibility of the external auditor, together with the underlying assessment of objectivity and competence, provide a robust framework for determining whether such use is appropriate.
With respect to supervision and review, decisions regarding the nature and extent of review procedures required by the external auditor are judgmental and will vary across engagements. We therefore support the level of guidance set out in the exposure draft, recognising that the external auditor’s assessments of the levels of judgment involved, the objectivity and competence of the individuals will drive the decisions over the nature and extent of review required. We believe that this is entirely consistent with the principles of ISA 600 in assessing the level of involvement required by a group engagement team in reviewing the work of component auditors, as well as the principles underpinning ISA 220 with respect to supervision and review. In particular, we feel that it is appropriate to draw parallels with the guidance in ISQC1 paragraph A34 which explains what appropriate supervision involves, including reference to the competence and capabilities of the members of the engagement team and identifying matters for consideration by more experienced engagement team members. In line with these principles, we therefore believe that it is not necessary to mandate explicit review requirements or to impose a prescribed level of re-performance in all areas where direct assistance is used.
Comments on the ‘Analysis of Impacts’
1. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB’s proposals?
Broadly, the narrative impact analysis in section 4 is helpful in setting out high level assessments of the likely impact of the proposed revisions, analysing between different interested parties. In addition, separating out the impacts on audit effectiveness and work effort is useful. We would however question whether the concept can be made to work effectively across future standards given the inherent variability of potential impacts across engagements and whether the benefits to be gained are considered sufficiently important, in the context of the overall process from the perspective of maximising users understanding of the exposure draft, when weighed against the resource cost of its production.
2. Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB?
As noted, through our responses to the request for specific comments above, we support the proposed revisions to the standards and believe that the assessed impacts appear reasonable. In particular the clarification of those requirements that are applicable to all entities (ISA 315) (where an internal audit function exists) as opposed to those that are only required when it is decided to use the work of the internal audit function (ISA 610) will, we believe, have a positive impact on audit effectiveness through enhancing the understanding of the external auditors. In addition, the detailed provisions regarding: i) assessment of objectivity and competence of the internal audit function; and ii) amount of judgment required in planning and performing audit procedures should help ensure more focussed and appropriate use of the work of the internal audit function.
No additional stakeholders/impacts have been identified.
3. Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents?
We believe that there is limited incremental benefit from the tabular impact analysis as presented in the appendix to the explanatory memorandum compared to the narrative descriptions. In particular, there is limited added value in the “Direction and Magnitude of Impact” and “Variability by size/nature of entity subject to audit” columns. As noted under point 1 above, given the inherent variability across engagements, it is unclear whether these specific analyses will provide particularly meaningful and useful detail for future standards.
4. Would respondents find such an approach useful at the national level?
We have no comments regarding public interest concerns, adoption by developing nations or regarding translation.
Regarding smaller entities, we feel that the standards do not need to provide additional guidance as, in our opinion, many smaller entities will either not have an internal audit function or, having addressed the requirements in proposed ISA 315, will readily conclude that they do not intend to use the work of the function.
With respect to the proposed effective date we believe that 15 December 2013 is reasonable on the presumption that IAASB follows its normal practice of permitting early adoption, recognising that for larger entity audits many of the new requirements may currently be common practice for such engagement teams.
Our detailed comments in respect of specific paragraphs within the exposure draft are included in the appendix to this letter.
We would be happy to discuss our views further with you. If you have any questions regarding this letter, please contact Deian Tecwyn (+44 207 212 3695) or Jamie Shannon (+44 141 355 4225)
We encourage IAASB to address the following matters in finalising the revised ISAs.
|ISA 315.A6a||To emphasise the benefits that the auditor may gain from enquiries of the internal audit function we suggest the final sentence of this paragraph be revised as follows:
“For example, in performing their work, the internal audit function is likely to have obtained insight into the entity’s operations and business risks, and may have findings based on their work, such as identified control deficiencies or risks, that may provide valuable input to the auditor’s understanding of the entity, risk assessments or other aspects of the audit.”
|ISA 315.A71a||We suggest it may be useful to extend this guidance to clarify that ‘how management has responded to the findings and recommendations of the internal audit function’ should include understanding whether and how such responses have been implemented, evidenced (where appropriate) and whether those areas of internal control have been subject to re-evaluation by the internal auditors.|
|ISA 315.A101 -A102||ISA 315 paragraphs A101 and A102 refer, respectively, to the internal audit function’s role in providing assurance over the “effectiveness of an entity’s risk management, internal control and governance processes” and assurance regarding the “design and effectiveness of risk management, internal control and governance processes”. It is important to consider the depth of scope of the internal audit function’s role within the entity as this has a direct bearing on the potential scope of the use of the work of the function by the external auditor, recognising the difference between assessing design and implementation of a control as compared to testing operating effectiveness. We suggest that IAASB review the use of these terms to ensure that they are applied consistently across both revised ISA 315 and ISA 610, with further clarifying guidance as deemed appropriate, to make clear that the scope and objectives of the internal audit function can vary between assessing the design and implementation of such processes to simply testing their operating effectiveness.|
|ISA 610.2||To maintain consistency with the language adopted in ISAs 230, 240, 260 and 315 we suggest that the third sentence be amended to remove the phrase “does not exist” and replace this with the following language:
“The ISA does not apply if an entity does not have an internal audit function or the function’s responsibilities and activities are not related to the entity’s financial reporting.”
|ISA 610.A10||As noted in the body of our response, we support the statement that any testing by individuals in an entity that is not subject to a systematic and disciplined approach would be considered a control activity and, therefore, the external auditor would need to obtain evidence regarding the effectiveness of such a control, in accordance with ISA 330. We note, however, that it may be more difficult in the SME environment to determine what constitutes an internal audit function. Therefore, we believe that there would be merit in adding guidance explaining that monitoring controls performed by an owner-manager in an SME environment would not be considered equivalent to an internal audit function.|
|ISA 610.A17||We suggest the inclusion of the following additional example, in the list of examples of the work of the internal audit function that may be used by the external auditor:
|ISA 610.A18||We believe that it would be appropriate to include ‘enquires of appropriate individuals within the internal audit function’ as a further example of procedures to assist in the evaluation of the quality of the work performed and conclusions reached, whilst making clear that enquiries alone are not sufficient to make such an evaluation and therefore should be conducted in conjunction with a combination of other types of procedure as given in the current guidance.|
|ISA 610.A22||To ensure complete clarity in understanding, we suggest for consideration that the definition of ‘direct assistance’, as explained in paragraph A22, be included as a formal definition at the beginning of the standard.|