An audit is an audit, or is it?

Is there a need for pared-down audit standards – sometimes called audit-lite?

“An audit is an audit,” is the steadfast position of the International Federation of Accountants and the Chartered Professional Accountants of Canada. But this fundamental principle is coming under increasing pressure internationally as jurisdictions with mandatory audit requirements look for cheaper ways to obtain assurance on financial information. The audit standards, it is argued, are huge and bound to drive up costs for the smallest of entities. Some say there is a need for pared down audit standards, sometimes referred to as “audit-lite.”

One could argue that there are already two sets of audit standards: one for listed public entities and one for all others. Every audit of a listed entity must, for example, include an engagement quality-control review and an assertion by the auditor of independence and compliance with ethical requirements. These are not always required for nonlisted entity audits.

However, these additional requirements are in response to perceived increased risk and, as is generally accepted, needed to achieve the same level of assurance in listed entities as is achieved in nonlisted entities. That is, they are meant to attain one level of assurance common to all audits.

User expectations of an audit

Before we take a look at some of the arguments put forward for a pared down audit, consider the practical implications of an audit-lite engagement from three perspectives: a board member, a creditor and management.

Board member: boards of directors consider audited statements an important component in the stewardship of an entity’s assets. This is especially true for micro-entities where a very small management team, often one person, may perform most of the administrative work. Assurance from an independent professional accountant that the statements are fairly presented provides significant comfort.

Now, imagine a prospective board member considering whether or not to join a board of directors. If he or she does join the board, his or her reputation will be on the line in the event of a financial problem. Would one prefer joining a board knowing auditors perform a full audit, or will he or she be satisfied with assurance from a pared down audit? Likely the former. Entities able to provide a full audit opinion are likely to have a better chance of attracting competent and financially astute talent to their boards of directors. A complete audit will provide access to better talent, and better talent on boards of directors is always in the public interest.

Creditor: consider the case of creditors and funders requiring independent assurance that financial statements are fairly presented. Again, would a funder prefer the assurance from a full audit or would it be satisfied with assurance from a pared down audit? In Ontario, both private sector and government funders of micro- and small not-for-profit entities have overwhelmingly opted for the assurance provided by an audit as a condition of funding; acceptance of a limited assurance engagement (a review) is uncommon. The cost of a full audit is clearly seen to be worth the effort, with a complete audit providing better access to funds.

Management: finally, consider the optics from the perspective of a micro-entity’s management team. A full audit provides an annual opportunity to have an independent financial reporting expert review the books and records, make suggestions for improvements in internal control, and possibly provide valuable business observations based on broad experience and sector expertise. Management may like reduced cost from audit-lite, but will it expect less value added to its operations? Likely not. A complete audit helps reduce the ever-present expectation gap.

Audit-lite – what to leave out?

Proponents of a pared down audit usually cite the prohibitive cost of audits on the smallest of entities. Presumably, the way to reduce cost is to reduce audit time – and that entails reducing audit requirements.

So the question is: what would be left out?

Risk assessment: the first area in the standards offered as a sacrifice is usually that of risk assessment. Why bother assessing where there is risk of material misstatement in the audit of the smallest of entities when you could cut straight to performing generic audit procedures?

There are several reasons why risk assessment should not be sacrificed:

  • reduced professional judgment — risk assessment requires the auditor to identify and focus procedures on areas of the greatest risk. As every audit is unique, professional judgment is essential. Inability or failure to exercise judgment is the antithesis of what clients expect of a skilled assurance professional.
  • increased audit risk — if risk assessment is not required, auditors run the risk of performing ineffective audits by gathering inappropriate and/or insufficient evidence. The focus of every engagement must be to identify areas where material misstatements are likely to occur, followed by gathering evidence to support conclusions in those areas. Risk assessment makes a requirement of what every experienced auditor does instinctively.
  • decreased engagement efficiency — without a requirement to focus on areas of risk, every audit will require the same slate of procedures. Many of these procedures may not be necessary or may not be required to the same degree in every audit. This will result in inefficient audits.

Documentation: a second criticism of one-size-fits-all audit requirements is that documentation appears to be disproportionately burdensome for auditors performing audits of small- and especially micro-entities. This, they complain, unnecessarily increases the time spent, and the costs, of these engagements.

But what does the documentation requirement actually require?

In a nutshell, Canadian Auditing Standard (CAS) 230 requires documentation of: procedures performed, evidence obtained, results and significant matters. Documentation should be proportionate to the complexity of the engagement. In the audit of a relatively simple entity, procedures performed, evidence obtained and conclusions reached on that evidence will actually be much less complex, resulting in documentation being less burdensome than that developed for a complex or larger entity.

On top of this, every audit requires documentation of significant matters to a level that is sufficient to enable an experienced auditor to understand decisions reached. It is in the public interest for significant matters to be documented in every audit, regardless of complexity or size of the entity being audited. Scaling back requirements in this area would invariably gut the very heart of the audit service, which provides a considered professional opinion on the financial statements of every entity audited. Size and complexity do not play a role. Plus, public interest demands that auditors be able to justify their decisions regardless of the nature of the client.

An audit must be an audit

As audit standards require that every audit is designed to provide the same level of assurance to readers and users of the audit report, creating a two-tier audit service would only cause market confusion. Financial statement readers already have trouble understanding what auditors actually do. Further fragmenting the audit market runs the risk of widening the ever-present expectation gap.

Further, removing the parts of an audit that auditors find time consuming, such as documenting design, the implementation of internal control and significant matters, would eliminate the very aspects of what makes an audit useful to management and those charged with governance: having an experienced professional accountant examine and comment on the financial reporting side of their business. Audit-lite would simply short-change client service and efficiency.

So what’s the solution?

The solution is for auditors to first read and understand the audit standards. In every audit, CAS 200 specifically allows for noncompliance with standards and requirements that are not relevant. Auditors cannot determine what is not relevant to the circumstances of an engagement if they do not know the standards in the first place. Going through the standards takes time and effort, but once done, the experienced auditor can tailor requirements to fit specific engagements like a handmade glove. Efficiency and recoveries will be maximized.

Combining knowledge of the standards with automated working papers, an appropriately senior level of staff, and having industry knowledge will result in an audit effort proportionate to the size and complexity of every audit engagement. Having inexperienced staff not familiar with the standards and using generic templates will not result in an efficient audit. It is not the standards themselves that result in disproportionate effort, but rather how they are applied.

Conclusion

Introducing a two-tier audit service into the marketplace will likely increase the expectation gap that already exists between users and auditors. It would also decrease the level of service in every audit currently provided to the smallest of clients. This not in the public interest.

The ability to appropriately tailor audit steps to the size and complexity of every entity is expressly provided in the standards themselves. Auditors need to step up to the plate and ensure all their audits are focused, proportionate and relevant.

Client service demands that an audit remain an audit and not something less-than.

(For an exposition on why an audit must be an audit see IFAC’s Policy Position 2 (March 2012), IFAC’s support for a single set of auditing standards: audits of small-and medium-sized entities.


Phil Cowperthwaite, FCPA, FCA, is a partner of Cowperthwaite Mehta and a member of the IFAC’s Small and Medium Practices committee

Technical editor: Glenn Rioux, MM, CPA, CA, vice-president, Standards

Highlights

Our annual survey of the leading customer relationship management systems.