The purpose of this chapter is twofold:
As mentioned in Chapter 4, the PCAOB is responsible for creating 18 standards so far, (going as Auditing Standards [AS]), many of which superseded pre-existing ASB standards. Another 99 ASB standards have been brought under the PCAOB umbrella and reflect work in progress (going as AU) standards. The PCAOB’s statement AS 1 describes these standards as “interim standards”. The AU standards may or may not have modifications significant enough to warrant categorization as AS. These will remain as AU standards until amended and accepted by the PCAOB as AS.
Sarbanes Oxley Act (SOX) requires the PCAOB to be responsible for auditing standards relating to publicly listed firms. SOX also addresses the issue of ASB auditing standards published but brought into the PCAOB fold without much amendments (i.e., AU standards). Fogarty, writing in the CPA Journal, notes that these AU standards remain in force as if they had been created by the PCAOB itself. Hence in this and the following chapters we discuss standards first based on the requirements of the ISA, then discuss the differences with respect to related PCAOB standards (AU and AS).
The differences between PCAOB and ISA can be categorized as (a) differences in wording both substantive and less substantive, (b) procedures required by PCAOB but not required by ISA, and (c) procedures required by the ISA but not required by the PCAOB. We adopt this classification based on the categorization in an AICPA website (aicpa.org/FRS). After discussion of the ISA procedures, where applicable, we discuss the differences based on the categories noted earlier and discuss the implications for U.S. auditors. We first talk about issues relating to the engagement process of accepting a client. We then discuss stages in planning an audit. Wherever differences between U.S. and international auditing standards exist, we compare, contrast and discuss the significance of those differences.
The first stage in planning an audit comprises accepting the client.
Hayes et al. (2005) note that the client acceptance phase of the audit has two objectives. They are:
An auditor must exercise care in deciding which clients are acceptable. An accounting firm’s legal and professional responsibilities are such that clients who lack integrity can cause serious and expensive problems. Some auditing firms refuse to accept clients in certain high risk industries. For example, Hayes et al. note that in the United States and Northern Europe during the 1990s, many large auditing firms were very careful when accepting audit engagements of financial institutions after the legal judgments and fines resulting from audits of Lincoln Savings, Standard Chartered Bank, and International Bank of Credit and Commerce (BCCI). At the beginning of the twenty first century, there were great problems in the energy business (Enron, Dynergy, Pacific Gas, and Electric), the telecommunications industry (Worldcom, Global Crossing, Qwest), and healthcare (Health South, ImClone), and even in old line industries such as retailing (K mart, Ahold) and food products (Parmalat).
The procedures potentially leading to acceptance of the client are: acquiring knowledge of the client’s business; examination of the audit firm’s ethical requirements and technical competence; possible use of other professionals (including outside specialists) in the audit; communication with the predecessor auditor; preparation of client proposal; assignment of staff; and the submission of the terms of the engagement in the form of an engagement letter. Prior to acceptance of a new client, the firm should evaluate the client. The first characteristic that needs to be evaluated is the integrity of the client. With regard to integrity, Hayes et al. state that matters that a firm should consider are:
The firm can obtain this information from the following sources: communications with existing or previous providers of professional accountancy services to the client and discussions with third parties; talking to third parties dealing with the firm such as bankers, legal counsel, and industry peers; and background searches of relevant databases. Acceptance of the client is governed in Section 210 of the ISA (now amended by Section ISA 700). An important element in the steps noted earlier is communication with the predecessor auditor. Here there are differences between the ISA and PCAOB as noted by the AICPA in its website, aicpa. org/FRC. It is noted that paragraph 18 of ISA 210 contains requirements, where laws and financial regulations should take precedence over ISA requirements. However, the PCAOB does not have an equivalent of this. The PCAOB does not prescribe situations where financial laws supersede the PCAOB’s rules, perhaps because this situation is atypical in the United States. Hence the implication to a U.S. auditor working in an international environment, following the ISA’s rules, is that they should be aware of which local financial laws (if any) supersede or gain precedence over ISA.
There are also requirements in the PCAOB rules that are not in ISAs. The AICPA in its website notes that paragraphs 11 and 12 of Section 210 in the ASB’s GAAS initially and the equivalent PCAOB standard (now AU 315) specify how the auditor should communicate with predecessor auditors in initial audit, or even reaudit, engagements should the need arise. As mentioned earlier, the equivalent PCAOB standard is AU 315 Communication between Predecessor and Successor Auditors. This requests the successor auditor to communicate either in writing or orally. The successor auditor bears the burden of maintaining confidentiality. AU 315 provides focus for the successor auditor on which areas to cover. AU 315 notes that matters subject to inquiry could include:
However, there is no equivalent in ISA. Hence, there is more flexibility with respect to communicating with predecessors under ISA. Further, paragraph 13 of PCAOB’s AU 315 requires the auditor to remind the client who rehires the auditor of the existing terms of the engagement and to document it. The ISA has no equivalent to AU 315. Rather, paragraphs 11 and 12 of ISA Section 210 merely requires the auditor to assess whether there is a need to remind the client of the terms of the engagement. Does failure to remind the client of the terms of the engagement have any legal consequences? That is, could there be a lawsuit under ISA because the auditor did not remind the clients of the terms of the engagement? Whether the answer is yes or not to these questions depends on each ISA country’s law and legal processes. Addressing such questions is beyond the scope of this book.
There are other important requirements in PCAOB rules that are not in the ISA based on our analysis and the European Maastricht report previously mentioned. AU 315 of PCAOB states (refer paragraphs 3 to 11 for entire discussion) that the auditor (when the prior period financial statements were audited by a predecessor auditor) should request and allow management to authorize the predecessor to allow a review of the predecessor auditor’s audit documentation and to respond fully to inquiries by the auditor. AU 315 also concerns the auditor’s response when management refuses to allow the predecessor auditor to talk to the successor auditor because of disputes between the client and the predecessor auditor (refer paragraphs 3 to 11). The PCAOB believes it is important to address this situation. This is addressed in paragraph 10 of AU 315 of the PCAOB. If the successor auditor receives a limited or unhelpful response, then the implications of that should be considered, and the auditor should seriously consider refusing the engagement. The ISA do not specifically address this and hence there is a grey area where auditors may have to use their professional judgment rather than follow specified guidelines.
This communication between the successor auditor and the predecessor auditor is a requirement of the IFAC1 code of ethics. The objective is to determine whether there are technical or ethical issues that the new auditor has to be aware of before taking on the new engagement. The objective is to prevent opinion shopping by the client. Clients frequently discontinue auditors and attempt to take on new auditors who are willing to be more amenable to their requests. A case serves to illustrate this point. In June 2007 in the United States, a company by the name of Neopharm dropped KPMG Peat Marwick and accepted BDO Seidman as the new auditor. There were a number of bad news items that KPMG Peat Marwick wanted to report. These included weaknesses in the existing control systems. The reason ostensibly was to reduce costs according to the news report. The Code of Ethics requires auditors to be honest. When a new auditor requests information, the predecessor auditor is required to inform the existing auditor whether there are any professional reasons why the new auditor should not take on the engagement.
Even with such communication, however, in the case of a new client, ISA 510 (paragraphs 4 to 8) requires the auditor to not accept the word of the predecessor auditor but to actually perform at least one of two or three identified procedures to obtain sufficient audit evidence about whether the closing balances in the prior year (opening balances in the current period) contain material misstatements that could materially affect the current period’s financial statements. The procedures required are (a) reviewing the predecessor auditor’s audit documentation to obtain evidence regarding opening balances and (b) evaluating whether audit procedures performed in the current audit provide evidence regarding the accuracy of opening balances. The ASB in their website at (http://www.aicpa.org/interestareas/frc/auditattest/downloadabledocuments/clarity/substantive_differences_isa_gass.pdf) notes that they do not believe that either of these procedures on its own provides sufficient evidence regarding opening balances. While under ISA 510, auditors could limit themselves to one procedure, here under the PCAOB AU 315 auditors are required to use more than one procedure. The procedures are identified in AU 315.
The client-auditor (audit firm) relationship is not a one way street where the audit firm evaluates the client and then, judging the client acceptable, sends out an engagement letter closing the deal. The market of audit services is competitive, and just as in any other business, there are highly desirable clients with whom any audit firm would like to have an audit relationship. Although not always the case, audit firms prepare and submit engagement proposals to many of their (potential) clients, especially the large ones.
ISA 210 (Appendix 1) emphasizes that the auditor should write an engagement letter before the commencement of the audit and provides an example of a draft engagement letter. The purpose of the engagement letter is to document and confirm (a) the auditor’s acceptance of the appointment, (b) the objective and scope of the audit, (c) the extent of the auditor’s responsibilities to the client, and (d) the form of any reports. An engagement letter is useful because it helps to avoid misunderstandings with the client during the course of the audit. ISA 210 (paragraph A23 and A24) requires that the engagement letter contain the following:
Whereas the preceding issues are expected, paragraph 7 of ISA 210 recommends but does not require the following in the letter:
An auditor should not accept a client blindly or because of the expected audit fee. International auditing standards require that the auditor obtain an understanding of the client, the environment in which that company operates, and the internal controls of the company. This also enables the auditor to identify the risks associated with the audit. ISA 500 (paragraphs 26 to 35) suggests that the auditor use the following to obtain information about the potential client:
The standard also suggests that the auditor conduct tests tracing transactions through the information system. These are referred to as walkthroughs.
ISA 500 (paragraph 19) requires the auditor to critically analyze the client and its industry and make risk assessments. The standard clearly explains risk assessment procedures that the auditor can use to identify risks associated with a client. It is important that the auditor use information that is current when evaluating a client for acceptance. Hence, ISA 500 in paragraph 19 also recommends that the auditor should determine whether changes that could affect the relevant audit have occurred in the client or its industry. ISA 500 (paragraphs 30 to 34) suggests that the auditor have discussions with the client relating to such issues as changes in management and organizational structure, changes in government regulations that could potentially affect the client, changes in the economic environment, recent or impending changes in technology, types of products or services, and changes in the accounting system and the system of internal control (among others).
ISA 210 (paragraph A28) provides guidance in the event of a recurring audit. In general, since the auditor has done the audit before, it is suggested that there is no need to send an engagement letter unless the auditor feels circumstances have changed, thus necessitating a new letter. It is suggested by ISA 210 paragraph A28 that the following factors may result in the need for a new letter:
The following discussion is from ISA 210 (paragraphs A27 and A28 in particular). In the case of continuing clients, auditors are advised to perform procedures designed to identify significant changes that have taken place since the last audit. The auditor should then consider if there has been any previous conflicts over issues such as the scope of the audit, fee or management integrity. These factors could determine whether the auditor continues or refuses to audit the client. If the tests appear to indicate that there are significant changes and the auditor concludes that accepting the audit involves more risk than is acceptable to them, they have the freedom to refuse the client. Proving that the risk is unacceptable is sufficient reason to protect auditors from lawsuits from disgruntled clients. If the auditor decides to accept the client, there is no guarantee that the client will, on further deliberation, accept the auditor. This is because it is anticipated that the client will be auditor shopping for an auditor that can add value for money. It is contingent on the auditor to make the proposal appear attractive. A new client proposal can include the following:
Source: ISA 210 Amended as a Result of ISA 700 in Appendix 2 on Terms of Audit Engagements. Also refer Hayes et al. (page 180) for succinct summary of ISA 210 Amended as a Result of ISA 700 in Appendix 2 on terms of audit engagement.
Prior to client acceptance, other issues that need to be considered are the following:
The auditor should ensure that the members of the auditor team as well as the entire audit firm meet the relevant independence requirements discussed in Chapter 3.
In considering whether the firm has the capabilities, competence, time, and resources to undertake a new engagement from a new or an existing client, the firm must review the specific requirements of the engagement and existing partner and staff profiles. According to paragraph 31 of the International Standard on Quality Control, prior to the engagement, the audit firm must consider the following:
The auditor has to send an engagement letter to the client.
An example of an engagement letter obtained from the new ISA 700, which supersedes parts of ISA 210 is shown in Exhibit 5.1. There are no significant differences when comparing the ISA engagement letter with a PCAOB engagement letter.
In this section, we discussed stages in the engagement process. Once the auditor has accepted the client, whether as a new or a continuing client, then the next step involves planning the audit. This is discussed next.
Example of an engagement letter (Obtained from ISA 700 amendment to ISA 210).
To the Board of Directors or the appropriate representative of senior management
You have requested that we audit the financial statements of X which comprise the balance sheet as at ____, and the income statement, a statement of changes in equity and cash flow statement for the year then ended, and a summary of significant accounting policies and other explanatory notes. We are pleased to confirm our acceptance and our understanding of this engagement by means of this letter. Our audit will be conducted with the objective of our expressing an opinion on the financial statements.
We will conduct our audit in accordance with International Standards on Auditing. Those Standards require that we comply with ethical requirements and plan and perform the audit to obtain reasonable assurance whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. An audit also includes evaluating the appropriateness of accounting polices used and the reasonableness of accounting estimates made by management, as well as evaluating the overall presentation of the financial statements.
Because of the test nature and other inherent limitations of an audit, together with the inherent limitations of any accounting and internal control system, there is an unavoidable risk that even some material misstatements may remain undiscovered.
In making our risk assessments, we consider internal control relevant to the entity’s preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. However, we expect to provide you with a separate letter concerning any material weaknesses in the design or implementation of internal control over financial reporting that come to our attention during the audit of the financial statements.
We remind you that the responsibility for the preparation of financial statements that present fairly the financial position, financial performance and cash flows of the company in accordance with International Financial Reporting Standards is that of the management of the company. Our auditors’ report will explain that management is responsible for the preparation and the fair presentation of the financial statements in accordance with the applicable financial reporting framework and this responsibility includes:
We look forward to full cooperation from your staff and we trust that they will make available to us whatever records, documentation and other information are requested in connection with our audit.
[Insert additional information here regarding fee arrangements and billings, as appropriate.]
Please sign and return the attached copy of this letter to indicate that it is in accordance with your understanding of the arrangements for our audit of the financial statements.
XYZ & Co
Acknowledged on behalf of ABC Company by (signed)
Name and Title
The objective of planning an audit is to determine the amount and type of evidence and tests required to assure the auditor that there is no material misstatement of the financial statements. ISA 300 Planning an Audit of Financial Statements states the auditor should plan the audit so that the engagement is performed in an effective manner. In planning an audit the engagement partner has to decide the extent of involvement of varying skilled professionals.
PCAOB’s AU 336 contains requirements regarding the auditor’s obligations for determining the extent of involvement of professionals possessing specialized skills. Specialists according to AU 336 can be, but need not limited to, actuaries, appraisers, engineers among others including attorneys. AU 336 provides situations in which specialists should be used. This could be when the specialist is essential in performing substantive tests to evaluate material financial statement assertions. Similar guidance is also provided in AS 9 of the PCAOB. In particular, paragraph 16 of AS 9 states that the auditor should determine whether specialized skill or knowledge is needed to perform appropriate risk assessments, plan or perform audit procedures, or evaluate results. paragraph 17 of AS 9 states that if a person with specialized skill or knowledge employed or engaged by the auditor participates in the audit, the auditor should have sufficient knowledge of the subject matter to be addressed by such a person to enable the auditor to (a) communicate the objectives of that person’s work, (b) determine whether that person’s procedures meet the auditor’s objectives, and (c) evaluate the results of that person’s procedures as they relate to the nature, timing, and extent of other planned audit procedures and the effects on the auditor’s report. ISA 300 does not contain these requirements.
ISA 315 Understanding the entity and its environment and assessing the risks of material misstatement notes to attain the objective the auditor has to (paragraphs 20 to 24):
These are considered individually.
Paragraph 7 of ISA 315 states that the auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment. Risk assessment procedures to be performed are described below.
Inquiries of Management and Others Within the Entity Much information can be obtained by inquiries. Inquiries can be directed towards those charged with governance; internal audit personnel; employees involved in initiating, processing, or recording complex or unusual transactions; in-house legal counsel; and marketing or sales personnel (this is helpful in identifying changes in marketing strategies, sales trends, and contractual arrangements with customers). Overall, the discussions could encompass management objectives such as increasing profit, reducing investment in working capital, and reducing taxes among others. It is noted that although management may be the most effective and efficient information source, it is worthwhile to obtain information from as many sources as possible to reduce the potential for bias.
Analytical Procedures ISA 315 in paragraph 10 notes that analytical procedures may be helpful in identifying the existence of unusual transactions or events, amounts, ratios, and trends that might indicate matters that have financial statement and audit implications. For example, the ratio of gross profit (sales minus cost of goods sold = gross profit) to sales can be compared from one year to the next to indicate changes in the company’s profit generating potential from a consistent product line. Analytical procedures are useful in that they help the auditor develop expectations about plausible relationships; comparison with actual relationships could yield information about unusual or unexpected relationships. In the example, if gross profit ratio (gross profit/sales) increased sharply from one year to the next, other things remaining the same, that would be a signal to the auditor that something may be amiss in the company’s inventory count or sales bookings. This could, in turn, identify risks of material misstatement. We discuss this more extensively in a later chapter and will not elaborate further here.
Observation and Inspection The importance of observation and inspection is that evidence from this could support information previously obtained from inquiries of management. Paragraph 11 of ISA 315 provides examples for auditors including, but not limited to:
In discussing transactions, PCAOB’s AU 330 includes a requirement to confirm accounts receivable unless certain conditions exist. This is a left over from paragraph 34 of Statements on Auditing Standard (SAS) No. 67, the Confirmation Process. This requirement is not in ISA.
ISA 315 paragraph 12 requires a team-wide discussion of the susceptibility of the financial statements to fraud or error. The objective of this discussion is for members of the audit planning team to gain a better understanding of the potential for material misstatements of the financial statements resulting from fraud or error.
This is discussed in paragraph 20 of ISA 315. The auditor is advised to study the following:
Industry, Regulatory and Other External Factors Paragraph 22 of ISA 315 notes that the auditor should obtain an understanding of the relevant industry, regulatory, and other external factors, including the applicable financial reporting framework. These factors include industry conditions such as the competitive environment, supplier and customer relationships, and technological developments. These factors also include the legal and political environment and environmental requirements affecting the industry and the entity and other external factors such as general economic conditions.
Nature of the Entity This is covered in paragraph 25 of ISA 315. The auditor should obtain an understanding of the nature of the entity. The nature of the entity refers to the entity’s operations, its ownership and governance, the types of investments that it is making and plans to make, the way the entity is structured, and how it is financed. This is important because an understanding of the nature of the entity enables the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements. An understanding of the ownership and relations between owners and other people or entities is important in determining whether related party transactions (RPTs) have been identified and accounted for appropriately. (Additional guidance is provided in ISA 550, Related Parties on this matter.)
Objectives and Strategies and Related Business Risks Here the entity’s objectives are the overall plans for the company as determined by those charged with governance and management. Strategies are the operational approaches by which management intends to achieve its objectives. Business risks result from significant conditions, events, circumstances, actions or inactions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies. It is important to understand business risk because most business risk will have a financial consequence that may find their way into financial statements. The purpose of understanding this is to:
Measurement and Review of the Entity's Financial Performance This is covered in paragraph 35 of ISA 315. In order to assess the risk of material misstatements in the financial statements, an auditor should examine internally generated information used by the management and external (third party) evaluations of the company. Internal information may include key performance indicators such as budgets, variance analysis, and divisional, departmental, and other level performance reports. The auditor is also expected to compare the entity’s performance with those of its competitors. The auditor is also required to evaluate external information such as analyst’s reports and credit rating agency reports. It is important for the auditor because internal or external performance measures may create pressures on management to misstate the financial statements.
This is addressed in paragraph 100 of ISA 315. The auditor is required to assess the risks of material misstatement at the financial statement level and at the assertion level for classes of transactions account balances and disclosures. paragraph 100 of ISA 315 requests the auditor to do the following:
In determining whether these risks exist, there is a difference between the United States and the international auditing standards. In the United States, PCAOB’s AU 316 Consideration of Fraud in a Financial Statement Audit and also PCAOB’s AS 12 Identifying and Assessing the Risks of Material Misstatement requires the auditor to consider the risk of misstatement due to fraud. PCAOB’s AU 316 contains a specific requirement for the auditor to consider the results of the assessment of the risk of material misstatement due to fraud during planning. However ISA 315 does not. Further, the appendices of PCAOB AU 316 provide examples of how to assess risks of material misstatement due to fraud. This is not so with ISA 315. This is an issue that auditors have to be aware of, namely, the U.S. standards give more prominence to assessing risk of fraud during the planning phase of the audit. Another difference is that PCAOB AU 316 has been expanded to specifically include addressing, when applicable, the issue of whether the person performing the control possesses the necessary authority and competence to perform the control effectively. This is not in ISA 330.
In making judgments about materiality the auditor is required to consider the following aspects:
There are no differences between the application of ISA 320 and the U.S. equivalent PCAOB’s AS 11 entitled Consideration of Materiality in Planning and Performing an Audit. The topics and guidance are similar. The identity of any other parties involved, though, may be extremely important in that, if transactions are conducted between related parties, the actual value of the transaction to the organization may never be known. In the next section, we address the differences between the newly adopted PCAOB AS 18 Related Parties and the ISA 550.
The PCAOB recently requested comment on and then approved AS 18 entitled Related Parties. RPTs are a problem because the negotiated price for the exchange of an asset or the price of a service, for example, may reflect the relationship between the decision makers on both sides (e.g., parent-child; husband-wife) and not reflect the fair market value of the asset or service being exchanged. Accordingly, the shareholders or stakeholders of the organization may either receive too few resources for an item or service sold to a related party or pay too much for such an item. AS 18 was adopted by the PCAOB because it was felt that the existing standard, the PCAOB’s AU 334 Interim Standard, was insufficient. AS 18 improves upon AU 334 Related Parties, the current PCAOB-related party standard, by providing additional guidelines in the form of specific audit procedures for auditors’ use in dealing with RPTs. The need to address this is considered especially important because AU 334 has not been substantially updated since it was released in 1983. As a matter of fact, despite such prominent scandals as Enron, Worldcom, and Tyco international, AU 334 has remained virtually unchanged. The PCAOB feels RPTs increase the risk of material misstatement in company financial statements. The issue of RPTs is considered important because, as the PCAOB notes in its release (PCAOB release 2014-002), prominent corporate scandals involving RPTs have undermined investor confidence and resulted in significant losses for investors. The PCAOB’s release further noted that existing requirements are inadequate and these weaknesses need to be addressed with special focus on providing greater guidance to auditors.
In particular, the PCAOB felt AU 334 was deficient in that it lacked direction; further, the procedures discussed to tackle and investigate RPT were inadequate. AS 18 provides more procedures for accounting for and disclosure of transactions between a company and related parties relative to ISA 550 and its own AU 334. AS 18 becomes effective on or after December 15, 2014.
An RPT is a problem because it causes errors in the measurement and the recognition of transactions. These, in turn, cause errors in financial statements that can go undetected by the auditor. In essence RPTs can increase risks of material misstatement. The purpose of AS 18 is to provide greater guidance with respect to identifying, assessing, and responding to risks of material misstatement because of RPTs.
AS 18 requires the auditor to do the following:
A publication by Deloitte Touche notes that AS 18 (forthcoming standard effective December 2014) carries much of the content from the current standards (ISA 550 and AU 334). However, there are important differences.
Given this basic information, we summarize the key differences between PCAOB and ISA with respect to RPT under the following categories:
AS 18 (forthcoming standard) carries forward much of the content from the earlier standards (ISA 550 and AU 334). However, in certain circumstances, the Board made revisions to clarify and refine various aspects of the new standard. A Deloitte Touche report (http://www.iasplus.com/en/publications/us/heads-up/2014/pcaob-requirements) notes that the forthcoming AS 18 differs from the currently effective standards in that:
The Deloitte Touche report mentioned earlier provides a comprehensive analysis of the differences between AS 18, on the one hand, and ISA 550 and AU 334 on the other, with respect to identification and handling of RPTs, and we use the findings of this report extensively in our discussion.
Deloitte Touche report cited earlier also notes that AS 18 adds and expands requirements intended to help auditors achieve the objective of obtaining “sufficient appropriate evidence to determine whether related parties and relationships and transactions with related parties have been properly identified, accounted for and disclosed in the financial statements.” The Deloitte Touche report notes that unlike the current ISA 550, the proposed standard specifies the objectives of the auditor’s work related to RPTs.
The report also notes that the proposed standard uses a framework neutral approach regarding (1) definition of related parties and (2) financial statement disclosure requirements (i.e., the release acknowledges that in preparing financial statements, issuers might use different financial reporting frameworks such as U.S. GAAP or IFRS. This is different from AU 334, which refers auditors only to U.S. GAAP).
AS 18 requires the auditor to obtain an understanding of the controls that management has established to (1) identify RPTs, (2) authorize and approve transactions with related parties, and (3) account for and disclose relationships and transactions with related parties in the financial statements.
This is more pro-active relative to ISA 550 and AU 334 which state that the auditor should obtain an understanding of the management’s responsibilities when determining the work to be performed for possible RPTs. Under AS 18, auditors will need to perform procedures to evaluate the design of such controls and determine that they have been implemented. Examples of specific procedures to evaluate designs of controls are also provided in AS 18.The Deloitte Touche report notes that these provisions differ from those in the current standard, which state that the auditor should obtain an understanding of the management’s responsibilities when determining the work to be performed for possible RPTs. Further, the current standard requires the auditor to consider controls over management activities, whereas the new standard requires the auditor to understand the controls for RPTs. Under AS 18 auditors must perform procedures to evaluate the design of such controls and determine they have been implemented.
AS 18 requires the auditor to make inquiries from management about RPTs and about the company’s relationships and transactions with them, including the business purposes of such transactions. AS 18 adds procedures the auditor should perform with respect to inquiries of management and other personnel. The current standards ISA 550 and AU 334 only describe audit procedures that the auditor should consider in determining the existence of related parties. (Examples of audit procedures include requesting from management the names of related parties and whether there were any transactions with these parties during the period under audit.) The key difference is that the current standard only recommends, whereas the forthcoming standard AS 18 requires the inquiries noted in the preceding lines. In addition ISA 550 and AU 334 do not specify any required communication with the audit committee. AS 18 does specify communication. So, this is a notable difference. AS 18 also includes examples of other individuals in the company to whom it would be appropriate for the auditor to direct such inquiries (e.g., internal auditors, in house legal counsel and human resources director among others). This is not in the current standards ISA 550 and AU 334 and is another difference.
AS 18 states that managers should communicate to the engagement team (team conducting the audit) relevant information about related parties, including the names of the related parties and the nature of the company’s transactions with those related parties. In audits in which other auditors participate, the auditor should inquire about RPTs from the other auditor. This is another difference between AS 18 and the current standards.
AS18 requires the auditor to identify and assess the risks of material misstatements associated with RPTs. Then, use the results as the basis for planning and performing audit procedures.
AS 18 adds requirements for auditors regarding identifying and assessing risks of material misstatements associated with RPTs. The Deloitte Touche report notes that a key difference is that the forthcoming standard is better because the existing standards, ISA 550 and AU 334 do not contain specific guidance for auditors in these matters.
RPTs can increase the risks of material misstatement in financial statements. AS 18 prescribes specific auditing procedures for RPTs that should be disclosed in the financial statements and considered to be of significant risk. The procedures include the following:
The Deloitte Touche report states that there is no significant difference between AS 18 and existing standards in respect to these procedures.
The forthcoming standard requires the auditor to evaluate whether the company has properly identified its related parties. AS 18 emphasizes that the auditor should not rely solely on representations made by the management about the accuracy and completeness of RPTs. AS 18 notes that, if an auditor determines that RPTs exist, the auditor is required to perform additional procedures. The purpose is to (1) reassess the risk of material misstatement and (2) evaluate the impact of management’s nondisclosure and its consideration of fraud.
The above provisions are in a separate section of AS 18. The Deloitte Touche report notes that while the current standards (ISA 550 and AU 334) do cover the issues discussed in the previous paragraph they provide limited direction.
Under the forthcoming AS 18, the auditor is required to evaluate the company’s accounting for and disclosure of relationships and RPTs.
The auditor is specifically required to determine whether the audit evidence supports or contradicts any management assertion that RPTs were conducted on an arm’s length basis. If the auditor is unable to obtain sufficient evidence to corroborate the management’s assertions or if the management does not agree to any disclosure required by the auditor, the auditor is required to modify the auditor’s report and express a qualified or adverse opinion.
The Deloitte Touche report notes that the new standards broaden the requirements of the auditor in terms of the scope of the auditor’s responsibility. For example, a preface in a statement that management believes or it is the company’s belief does not change the auditor’s responsibility. For example, if the company’s belief is that all RPTs have been disclosed, it does not absolve the auditor of his or her responsibility. The auditor has to be proactive and verify. Subject to that, there is little difference between the proposed and existing standards.
AS 18 requires the auditor to communicate the auditor’s evaluation of (1) the company’s identification of RPT, (2) accounting for RPT, and (3) disclosure of RPTs directly to the audit committee. This is a significant difference to the existing standards ISA 550 and AU 334, which do not state that the auditor is required to communicate the above RPT-related information to the audit committee.
There are three important issues regarding the planning stage of the audit that which have to be addressed. These relate to:
Even though the ISA does not mention this specifically, the European Union Guideline requires that to maintain independence, the partners must be rotated every seven years. We previously noted that the auditor must be aware of how national laws affect the audit. Here is an example of local (or European Union-wide) regulation adding rules that the auditor must be familiar with, in addition to being familiar with the ISA rules themselves. In this respect, there is a difference between European regulations and SOX, with the latter requiring that partners be rotated every five years. Given that the ISA is used in over 100 countries, this emphasizes the need for auditors to be aware of additional requirements that national laws or regulations may add to the auditor’s burden even in nations that formally use the ISA.
In certain cases, if the auditor feels they do not have sufficient auditing resources and presence because one part of the business is in another division or country, they have to decide if another auditor with the requisite expertise, (e.g., having audited organizations in that industry before), resources, and independence will be required to audit a part of the business of the client in the other division or country. In this respect, ISA 600 provides guidance to auditors. The guidance under ISA 600 requires the auditor to initially consider whether the auditor can act as principal auditor should they decide to seek the help of another auditor (please refer paragraph 6 for the discussion here). The determination of principal auditor status depends on (a) the extent to which the portion of the financial statements it audits is material and (b) the degree of the auditor’s knowledge regarding the business or its components. If the auditor feels that the portion of the financial statements being audited is material and the auditor’s knowledge of the business is substantial, then the auditor or she can opt to act as principal auditor. The other party is then referred to as the other auditor.
It is the duty of the principal auditor to ensure that the other auditor is competent and independent. How can the principal auditor determine whether the other auditor is competent? This is difficult to measure. Sources of information include auditors, bankers, and discussions with the other auditor.
The principal auditor is required to advise the other auditor of the independence requirements. If the other auditor feels that its independence could be compromised in any way the other auditor should inform the principal auditor. The principal auditor is required to take an active role in the work of the other auditor. For example, the principal auditor is required to request a written summary of the procedures that the other auditor will apply in the audit and review those procedures. It is suggested that the principal auditor visit the other auditor’s premises to review these procedures (refer paragraphs 7 to 11, ISA 600). This is more stringent than PCAOB auditing standards, which do not appear to require visits by the principal to the other auditor’s premises nor critical review of the procedures applied by the other auditor. In any event when reading the original ASB and PCAOB standards, one does not see this guidance. (In reality lack of guidance does not preclude an auditor from reviewing procedures applied by the other auditor.) The principal auditor also has the authority to request the other auditor to limit the procedures if the principal auditor feels that the tests are too time consuming and unnecessarily rigorous given the circumstances.
In addition to the issue raised in the previous paragraph, namely, that principal auditors are required to visit the other auditor’s premises under ISA but not under PCAOB, there are minor differences pertinent to auditors operating in the U.S. environment vis a vis the international environment. Paragraph 12(b) of ISA 620 requires the auditor to evaluate the significant assumptions and methods of the auditor’s selected auditor. The PCAOB uses an expanded wording of this requirement to more clearly articulate the auditor’s responsibility in this regard. The ASB believes this does not create a difference between the application of ISA 620 and Section 620 of the original ASB (refer aicpa.org/FRC), which is now PCAOB’s AU 336. There are also differences in the ISA not specified in the PCAOB’s standards Paragraphs 16 and 17 of ISA 620 contains a conditional requirement regarding the auditor’s reference to the specialist or expert (other auditor) hired by the auditor in the auditor’s report when such reference is required by law or regulation. Because such reference is not required by law or regulation in the United States, such a requirement is not included in AU 336.
Once the audit is complete the principal auditor is required to document in the audit working papers the components that were audited by the other auditor and their significance to the financial statements. The principal auditor is also required to document the procedures used by the other auditors. If they had requested the other auditors to limit the procedures, however, they do not need to report that nor the reasons for requesting the procedures be limited.
It is required that the other auditor bring to the attention of the principal auditor areas where the other auditor could not conduct work as requested. The other auditor also needs to advise the principal auditor of any matters that came to the attention of the other auditor that may have an important bearing on the principal auditor’s work.
There are differences in the requirements in the ISA and PCAOB standards. The AICPA (www.aicpa.org/FRC) notes that ISA 600 does not permit the auditor’s report on the client’s financial statements to make a reference to a component auditor unless required by law or regulation to include such a reference. PCAOB’s AU 543, Part of Audit Performed by Other Independent Auditor requires the auditor to make reference to the audit of a component auditor in the auditor’s report on the client financial statements. Why? The PCAOB may believe that the ability to make reference to the report of another auditor is appropriate in the United States for two main reasons. This has always been required by GAAS in the United States and there are no compelling new issues or developments to suggest a need to change the approach. In particular, some audits are complex because of factors such as size and diversity of the client operations (auditing of the Federal government is a striking example). In such circumstances, eliminating the option to make reference to a component auditor serves no purpose as it reduces transparency.
If two auditors are involved in the audit, an important issue relates to the responsibility for the audit. This is important, because, for whatever reason, should the client decide to sue, the agreement between the principal auditor and the other auditor will factor into which firm faces damages should the client win the case. This issue is dealt with in paragraph 18 of ISA 600. The paragraph allows auditors to follow the laws of the local country in which the lawsuit occurs. For example, the principal auditor can chose to take full responsibility or apportion responsibility if doing the latter is consistent with, or required by, local law. Paragraph 18 clearly states that, should the principal auditor decide to apportion responsibility, the principal auditor’s report should state this fact clearly and should indicate the magnitude of the portion of the financial statements audited by the other auditor. It is important to emphasize that in some countries division of responsibility may not be allowed. Paragraph 11 of the Australian standard AU 600 entitled Special Considerations-Audits of a Group Financial Report (Including the Work of Component Auditors) does not allow division of responsibility in Australia. Similarly the Implementation Guidance issued by the Japanese Institute of Certified Public Accountants does not allow this in Japan. SAS 510 (the UK equivalent of ISA 600) does not allow division of responsibility in the UK. That is, the main auditor has to take the full brunt of any legal action. The other auditor is considered as in the employ of the primary auditor, and it is the primary auditor who has to face the music. The Canadian standards also do not allow division of responsibility. The United States allows division of responsibility. However, in the audit opinion, the auditor is required to clearly state that the financial statement includes numbers that have been audited by another auditor. Thus, it is vital that auditors in the United States clearly study local legislation when deciding if (and how) to use the work of a local auditor based in a foreign country. As mentioned, in many parts of Europe, unlike the United States, the auditor cannot assign responsibility but bears the full liability. This is an important issue for American auditors to bear in mind.
In certain cases, the auditor may have neither the education nor the technical expertise to conduct a component of the audit. Paragraph 6 of ISA 620 provides the following examples where an expert could be called in:
In such cases, the auditor may contemplate calling in an expert. ISA 620 provides guidance on the use of experts. ISA 620 defines an expert as a person or firm possessing special skills, knowledge, and experience in a particular field other than accounting and auditing. In particular, paragraph 8 of ISA 620 notes that the auditor should evaluate the professional competence of the expert prior to using him/her. This will involve considering the professional certification or licensing by, or membership in, an appropriate professional body. The auditor is also required to assess the experience and reputation in the field in which the auditor is seeking audit evidence. The auditor should also ensure that the expert is independent. (If, for example, the expert has an investment in the entity being audited, that implies that the expert is financially dependent on the entity. This is assumed to impair his or her independence. ISA 620 does not prohibit the auditor from using an expert even assuming impaired independence. Rather, the auditor is required to seek evidence from other experts to corroborate the first expert’s evidence. Some countries including the United States do not allow an auditor to use an expert who lacks independence. Thus, the auditor must be careful in choosing an expert and examining the background of the expert.)
The auditor is required to communicate clearly with the expert. The auditor should make clear the scope of the expert’s work and intended use of the expert’s work by the auditor. The expert should be informed about the extent of his or her access to files and records of the client and also the matters to be covered in the report by the expert to the auditor.
It is also required that the auditor evaluate the work of the expert. Paragraph12 of ISA 620 provides guidance to the auditor. In particular, the auditor is required to examine:
Paragraph 12 of ISA 620 takes this a step further and even requires an auditor to review and test the data used by the expert and the appropriateness and reasonableness of the assumptions and methods used. If the auditor tests the results and concludes that the results are not consistent with the auditor’s results, then the matter has to be resolved. This could involve further discussions with the entity and the expert and applying additional audit procedures even to the extent of engaging another expert. There are differences between ISA 620 and Section PCAOB’s AU 336 in the United States. As noted above, ISA 620 requires the auditor to evaluate the significant assumptions and methods of the auditor’s specialist (www.aicpa.org/FRC). The PCAOB’s AU 336 expanded the wording of this requirement to more clearly articulate the auditor’s responsibility in this regard. However, the AICPA notes (www.aicpa.org/FRC) that the ASB then and PCAOB now may believe this does not create a difference between the application of ISA 620 and the application of PCAOB’s AU 336. There are also requirements in the ISA not mentioned in GAAS. Paragraph 14 of ISA 620 contains a condition requirement regarding the auditor’s reference to the auditor’s specialist in the auditor’s report when such reference is required by law or regulation. Because such reference is not required by law or regulation in the United States, such requirement is not included in PCAOB’s AU 336.
In general it is held that if the auditor issues a clean (unmodified report) to the client, then the work of the expert does not need to be referenced. This is because such a reference might be misunderstood to be a qualification of the auditor’s opinion or a division of responsibility, neither of which is intended. If the audit report is qualified, it is recommended that, where appropriate, the auditor refer to the work of the expert and the extent of the expert’s involvement. The auditor is also required to clearly name the expert. However, paragraph 17 of ISA 610 requires the auditor to obtain the permission of the expert prior to citing them in the auditor report. If permission is not granted, then a problem arises. This is because ISA 610 does not cover a situation where permission is refused. The assumption is that permission is granted. If permission is refused then the auditor may need to seek legal counsel. This is not an issue under PCAOB where there is no requirement that permission of the expert be required prior to citing them. Hence, U.S. auditors need to be aware that under ISA they must obtain the permission of the expert they used prior to citing them in the auditor’s report; otherwise legal issues could arise.
The engagement acceptance process and planning an audit are both very critical, early parts of the auditing process. The engagement process provides the auditor with information that may lead it to accept a potential client and the revenue that accepting the client would provide or reject the client. Earlier in the book we discussed the problem of audit failure—the giving of an inappropriate opinion on the client’s financial statements—and auditor legal liability. In order to avoid legal liability as well as to help ensure that the audit firm itself has the right mix of talent and capability to audit a particular client, the auditor is required under both ISA and PCAOB standards to learn about the client. In this chapter, we present a description of how the ISA and PCAOB standards require and suggest that the engagement process be carried out. This information is important because it provides valuable information about how audit firms, in effect, investigate their clients before deciding to accept a potential client.
Next, we describe the process by which the auditor, having accepted the client, begins planning the audit itself. This information is also important to readers because they learn something about the information used to plan the audit, a very important process that impacts how the audit firm’s resources will be used during the audit itself. Understanding both the client engagement process and the audit planning process will be very useful in understanding the actual conduct of the audit presented in the following chapters.
1Note that the International Federation of Accountants (IFAC) is the parent of the IAASB and the IESBA.