A new group audit standard is coming. Are you ready?

In January 2019, the IAASB decided to continue with the revisions to ISA 600. An exposure draft was issued in April 2020 (ED-600) and the comment period expired in October 2020.

This audit blog explains some of the challenges Canadian auditors had with the existing standard, how the IAASB has addressed them in ED-600 and summarizes some of the concerns the Canadian Auditing and Assurance Standards Board (AASB) noted in its response letter to the IAASB on ED-600.

Challenges and next steps

What are the challenges with the current standard and what is the IAASB doing to address them?

Bottom up vs. top down approach to risk identification

ISA 600 requires the group auditor to identify significant components and, depending on the risks of material misstatement, conduct one or more of certain required procedures. This often involves conducting an audit of the component information of significant components using component materiality. For components that are not significant, the group auditor could perform analytical procedures or more work, should this be considered necessary.

Scoping an audit based on the identification of components, which is a bottom-up approach, may not always result in an appropriate assessment of the risks of material misstatement at the group financial statement level. This can also result in the identification of component risks that are not relevant to the group. The AASB prefers a top-down risk-based approach where the starting point is the risks of material misstatement at the group level followed by drilling down to significant components and their significant risks. In this way, the audit work should be better driven to support the group audit opinion.

In ED-600, the IAASB developed a new approach that it refers to as the “risk-based approach” and which is closely tied to the requirements in revised ISA 315. There is now greater focus on the Group Engagement Team (GET)’s responsibility to identify and assess the risks of material misstatement at the group financial statement level and assertion level. ED-600 has a greater focus on obtaining sufficient appropriate audit evidence (not just defaulting to an audit of component financial information).

How ISA 600 interacts with other ISAs, and its scope

ISA 600 requires the application of all relevant ISAs, however, auditors struggle with how to implement this in practice. Auditors are asking for more examples of how the ISAs can be applied in a group environment. Given the questions, guidance is needed on how ISAs 315 and 320 (materiality) can be applied in a group environment. The AASB believes that the scope of ISA 600 needs to distinguish more clearly between multi-location audits and group audits.

In ED-600, the IAASB has clarified the scope and applicability of the standard. The key entry point to ED-600 is the existence of a “consolidation process” that is fundamental to the definition of group financial statements. If there is no separately prepared financial information for branches or divisions of an entity that requires aggregation under a consolidation process, the financial statements are not group financial statements. ED-600 also recognizes that a GET may determine that it is effective and more efficient to obtain audit evidence by planning and performing the group audit based on locations, functions or activities that are not aligned with how management views the entities or business units comprising the group, for example, when there are shared service centres.

Acceptance and continuance considerations, including restrictions on access

For the acceptance or continuance decision, early identification by the group auditor of when the preconditions of an audit are not present, particularly if the group auditor will not have access to the information or people necessary to obtaining sufficient appropriate audit evidence, is important. ISA 600 does not provide examples to help auditors understand what conditions should be considered when accepting a client and how those conditions may impact the auditor’s access to information.

Auditors struggle to obtain sufficient appropriate audit evidence when the component is an investment accounted for by the equity method or is otherwise not controlled by the group, and group management has little or no control to access component financial information. Without access to the component or their auditor, the only financial information available is the component’s audited financial statements and related auditor’s opinion. ISA 600 should provide guidance on how the audit opinion on the stand-alone financial statements can be appropriately used as audit evidence in these situations.

Access issues may arise where the GET is not authorized to do audit work in a foreign jurisdiction and therefore a component auditor needs to be engaged.

ED-600 notes that there are several different types of access issues that may occur in a group audit. ED-600 differentiates between restrictions on access that are within the control of group management and those that are not. It notes that restrictions on access to people or information do not alleviate the requirement for the GET to obtain sufficient appropriate audit evidence, provides a few examples of types of restrictions and explains how the GET may overcome restrictions in various situations, including access restrictions related to equity-accounted investments.

Work effort related to non-significant components

ISA 600 contains requirements for the GET to select components that are not significant components and perform, or request a component auditor to perform, one or more specified approaches on the financial information of the individual components selected. This is an area where significant auditor judgment is required. Canadian regulators have noted in their inspection findings a lack of sufficient and appropriate audit procedures relative to the risk or size of the component.

In ED-600, the GET determines the most appropriate strategy to obtain sufficient appropriate audit evidence, and the nature, timing and extent of further audit procedures to address the assessed risks of material misstatement. The GET may decide to use different approaches, or a combination of approaches, to gather audit evidence about classes of transactions, account balances and disclosures. Such approaches include deciding where further audit procedures need to be performed (at which components) and who will perform the further audit procedures to address the assessed risks of material misstatement.

Aggregation risk and component materiality are not well understood

Aggregation risk is important to understand and address in a group audit engagement because there is a greater likelihood that audit procedures will be performed on classes of transactions, account balances or disclosures that are disaggregated across components. Generally, aggregation risk increases as the number of components at which audit procedures are performed separately increases. ISA 600 does not define aggregation risk and auditors may not understand and apply the concept appropriately, which affects the work effort on the group financial statements.

ED-600 includes a new definition and related application material to explain the concept in more detail.

The terms ‘component materiality’ and ‘component performance materiality’ are both used in ISA 600. However, there is a lack of understanding by auditors for how to calculate component materiality based on the group circumstances, which has led to significant variation in practice.

In ED-600, the GET determines component performance materiality for each component at which audit procedures are to be performed and communicates the amount to component auditors when they are involved in planning and performing further audit procedures at the component. The IAASB also added application material to describe the factors the GET may take into account in setting component performance materiality. Importantly, these factors focus on matters that affect aggregation risk, i.e., the extent of disaggregation across components, and expectations about the nature, frequency and magnitude of misstatements in component financial information.

Documentation requirements need to be strengthened

ISA 600 contains documentation requirements, including those relating to the nature, timing and extent of the group auditor’s involvement in the work performed by component auditors on significant components. However, some believe more guidance is needed in relation to the group auditor’s judgment regarding a component auditor’s findings; on what types of significant communications to document and how to document the group auditor’s evaluation of component auditor findings.

ED-600 includes revised documentation requirements. The IAASB also expanded the application material. The GET has a responsibility to determine whether the documentation for the group audit engagement meets the requirements of ISA 230.

The AASB on the ED-600 changes

So, what does the AASB think of the changes in ED-600?

In developing its response letter on ED-600, the AASB conducted field testing of ED-600 to better understand how engagement teams may interpret the requirements and the practical implications of the proposals. Overall, the AASB is pleased with how ED-600 deals with the principles of a risk-based audit and incorporates new quality management standards. It likes how ED-600 clarifies the responsibilities of the GET, including the involvement in the work of component auditors; the on-going two-way communication required between the GET and component auditors throughout the audit; and addressing access restrictions when accepting, continuing and documenting the group audit.

However, the AASB still has some reservations, including:

• ED-600 needs to deal more robustly with the complex issues related to using audit evidence from an audit performed at a component, such as a statutory audit of component financial statements.
• The AASB is still concerned that group auditors will struggle to determine when to involve component auditors in performing risk assessment and further audit procedures, and the nature, timing and extent of these procedures.
• The transition to the new risk-based approach for group audits will be a challenge for many auditors, particularly in understanding which audit scenarios fall under the standard and those that do not, in addition to applying the concepts in ISA 315 to a complex group audit. Extensive transition guidance will likely be necessary to support a successful application of the new standard.

What happens now?

The IAASB is reviewing the responses received on ED-600 and hopes to finalize ISA 600 in 2021. There will likely be an effective date of 18-24 months after finalization of ISA 600. This seems like a long way off. However, given the impact of the changes on group audits and the roles of both GETs and component auditors, it is important for those involved in group audits to begin the process of understanding the proposals and what it might mean for their firm and engagements.

Reading ED-600 and understanding the matters set out in this blog are a good starting point in assisting auditors as they monitor the finalization of the standard and work towards its application in the future. Such work will help all auditors be appropriately prepared for the new standard.

CPA Canada will be developing guidance on the new standard in due course. Stay tuned.

Keep the conversation going

Do you have specific questions about the new standard? Post a comment below or email me directly.

Conversations about Audit Quality is designed to create an exchange of ideas on global audit quality developments and issues and their impact in Canada.

Disclaimer

The views and opinions expressed in this article are those of the author and do not necessarily reflect that of CPA Canada.