Overview of Key Requirements in Exposure Drafts of SA 220 and SA 315

Table of Contents

1. Introduction
2. Exposure Draft SA 220 (Revised) – Quality Management for an Audit of Financial Statements
3. Exposure Draft SA 315 (Revised) – Identifying and Assessing the Risks of Material Misstatements

1. Introduction

• AASB of ICAI has issued Exposure Drafts of 7 Standards
• New Proposed Standards are in line with corresponding International Standards
• Proposed revised standards will result in conforming amendments in other SA
• Shift from “Control” to “Management”
• Objective to encourage proactive quality management at firm and engagement level.
• To promote a more robust, proactive, scalable and effective approach to quality management.
• SQM 1: Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Service Engagements
• SQM 2: Engagement Quality Reviews
• SA 220: Quality Management for an Audit of Financial Statements
• SA 250: Consideration of Laws and Regulations in an Audit of Financial Statements
• SA 315: Identifying and Assessing the Risks of Material Misstatement
• SA 540: Auditing Accounting Estimates and Related Disclosures
• SRS 4400: Agreed-Upon Procedures Engagements.

2. Exposure Draft SA 220 (Revised) – Quality Management for an Audit of Financial Statements

2.1 Relationship of SQM 1 with SQM 2 and SA 220 (R)

SQM 1 – Quality Management at the firm level

• Requires the firm to design, implement and operate a SQM to manage the quality of engagements performed by the firm.

SQM 2 – Engagement Quality Reviews

• EQR form part of the firm’s SQM.
• SQM 2 builds upon SQM 1 by including specific requirements for:
  1. Appointment and eligibility of the EQ Reviewer;
  2. Performance of the EQR;
  3. Documentation of the EQR.

SA 220 (R) – Quality Management at the engagement level

• Deals with auditor’s responsibilities regarding quality management at the engagement level and the related responsibilities of the engagement partner.
• Applies to audits of FS.

2.2 Overview

• Clarifies and strengthens the key elements of quality management at engagement level.
• Focuses on role of the engagement partner in managing and achieving quality on audit engagement
• Encourage proactive management of quality at the engagement level.
• Keep the standard fit for purpose in wide range of circumstances.
• Emphasize the importance of professional skepticism.
• Enhance the documentation of the auditor’s judgement.

2.3 Snapshot of Key Changes

• Increased responsibilities of Engagement partner.
• Consideration of evolving environment, including changes made to the definition of Engagement Team to recognize different and evolving engagement team structures.
• Considers:
  1. Importance of professional skepticism and professional judgement in performing audit engagements.
  2. Scalability: The Standard is intended to be applied in the context of the nature and circumstances of each audit
• Recognizes the growing role of technology in audit of financial statements. ‘Resources Section’ enhanced to include technological and intellectual resources in addition to the human resources involved in an audit engagement.
• Clarifies the relationship between SA 220 and the Standards on Quality Management.

2.4 Scope and Applicability

• Proposed Standard deals with the specific responsibilities of the auditor regarding quality management at the engagement level for an audit of financial statements and the related responsibilities of the engagement partner.
• Standard to be read in conjunction with relevant ethical requirements.
• Applicability not yet notified.

2.5 Objective of Revised SA 220

To manage quality at the engagement level to obtain reasonable assurance that quality has been achieved such that:

• The auditor has fulfilled the auditor’s responsibilities, and has conducted the audit, in accordance with professional standards and applicable legal and regulatory requirements; and
• The auditor’s report issued is appropriate in the circumstances.

2.6 Key Changes in SA 220 (R)

2.6.1 Managing and Achieving Quality at the Engagement Level

The engagement partner’s overall responsibility to manage and achieve quality at the engagement level is to be established through his/her sufficient and appropriate involvement throughout the audit engagement.

Leadership Responsibilities

Increased emphasis on the leadership responsibilities of the Engagement Partner in managing and achieving quality at the engagement level.

Direction, Supervision and Review

Engagement partner is responsible for determining the nature, timing and extent of direction, supervision and review, in light of engagement circumstances.

Standback

Engagement partner shall be satisfied that his/her involvement has been sufficient and appropriate to provide basis for taking overall responsibility.

2.6.2 Scalability

• The revised standard includes material on scalability, as the standard is intended to be applied in the context of the nature and circumstances of each audit.
• The objective of material on Scalability is to emphasize that the revised standard can be applied by firms of all sizes.
• SA 220 (Revised) includes certain paragraphs that highlight how the revised SA can be applied in the different circumstances. (Eg. Paragraph 8 and Paragraphs A13 – A14)

For example:

When an audit is carried out entirely by an engagement partner, which may be the case for an audit of a less complex entities, some of the requirements in this SA are not relevant because they are conditional upon the involvement of other members of the engagement team.

2.6.3 Clarifying Engagement Partner Responsibilities

• Engagement partner is required to take into account information obtained in the acceptance and continuance process in planning and performing the audit engagement.
• Requirements and application material are more explicit about what the engagement partner needs to review, including a listing of examples of significant judgments in relation to the audit engagement.

2.6.4 Engagement Team may depend on the Firm’s System of Quality Management

• SA 220 (Revised) clarifies that, ordinarily, the engagement team may depend on the firm’s policies or procedures, unless
  1. the engagement team’s understanding or experience indicates that the firm’s policies or procedures would not be effective or
  2. information provided by the firm or others indicates that the firm’s policies or procedures are not operating effectively.

This approach avoids the risk that the engagement team blindly relies on the firm’s system of quality management.

2.6.5 Professional Skepticism is Central to Quality Management

• The revised standard includes new introductory material on importance of Professional skepticism and Professional judgment in performing audit engagements.
• Application material sets out the examples of impediments to professional skepticism, which includes common threats and biases (conscious or unconscious) and suggestions as to possible actions that the engagement team can take to mitigate these.

2.6.7 Engagement Resources

• Deals with modern auditing environment including the use of different audit delivery models and technology.
• Resources have been expanded beyond human resources to include technological and intellectual resources.

2.6.8 Definition of Engagement Team

• Changes in the definition recognize that, regardless of where individuals are located or how they are related to the firm, if an individual is performing audit procedures, then he or she is to be appropriately directed and supervised and the work reviewed in accordance with SA 220 (Revised).
• Engagement team Definition as per SA 220 (R) — All partners and staff performing the audit engagement, and any other individuals who perform audit procedures on the engagement, excluding an auditor’s external expert* and internal auditors who provide direct assistance on an engagement. (Ref: Para. A15-A25).

*Explanation: As per existing SA 220, the definition of Engagement Team includes experts contracted by the firm, which was also in line with the erstwhile ICAl’s Code of Ethics. However, a similar change has not been made in the proposed SA 220 (Revised) as compared to ISA 220 (Revised), because the said definition is in sync with the definition of the Engagement Team given under SQM 1 as well as ICAl’s Code of Ethics (Revised 2019)

2.6.9 Documentation

Enhanced audit documentation of the auditor’s judgments

The revised Standard:

• provides guidance on how the engagement partner’s involvement in the audit could be evidenced and
• emphasizes on the documentation of the auditor’s consideration of judgmental matters such as circumstances that may pose risks to achieving quality on the audit engagement.

2.6.10 Other Important Points

SA 220 (Revised)

• Includes interaction with SA 600 which explains how the requirements in SA 220 and other SAs are to be applied in group audit situations.
• Integrates the new quality management concepts in SQM 1/SQM 2, so that such concepts can be carried through at the engagement level.

3. Exposure Draft SA 315 (Revised) – Identifying and Assessing the Risks of Material Misstatements

3.1 Group of Standards

SA 315 is a part of standard grouped as risk assessment and response to assessed risks. This group consist of total 6 standards on audit.

1. SA 300, Planning an audit of financial statements
2. SA 315, Identifying and Assessing the Risks of Material Misstatement
3. SA 320, Materiality in planning and performing an audit
4. SA 330, The Auditor’s responses to assessed risks
5. SA 402, Audit considerations relating to an entity using service organisation
6. SA 450, Evaluation of misstatements identified during audit

Total 6 Standards in the group – Risk Assessment and Response to Assessed Risks

3.2 Key Revisions in Exposure Draft

1. The introduction of five new inherent risk factors to aid in risk assessment; subjectivity, complexity, uncertainty, change and susceptibility to misstatement due to management bias or fraud.
2. A new spectrum of risk, at the higher end of which lie significant risks.
3. Requiring “sufficient, appropriate” evidence to be obtained from risk assessment procedures as the basis for the risk assessment.
4. A great deal more on IT, particularly IT general controls.
5. More on controls relevant to the audit and on the design and implementation work required for these controls.
6. Removal of considerations specific to smaller entities as a separate category of paragraph and inclusion of that material within the main body of the text and the addition of new material.
7. Other changes including:
   • requiring inherent and control risk to be assessed separately (the extent standard
     permits a combined assessment);
   • distinguishing between direct and indirect control components; and
   • a new stand-back requiring reconsideration, when material classes of transactions, account balance and disclosure are not assessed as significant, but are material

3.3 Practical Aspect

Auditor’s Responsibilities for the Audit of the Financial Statements

Our objectives are to obtain reasonable assurance about whether the Financial Statements as a whole are free from material misstatement, whether due to fraud or error, and to issue an auditor’s report that includes our opinion. Reasonable assurance is a high level of assurance, but is not a guarantee that an audit conducted in accordance with SAs will always detect a material misstatement when it exists. Misstatements can arise from fraud or error and are considered material if, individually or in the aggregate, they could reasonably be expected to influence the economic decision of users taken on the basis of these Financial Statements.

As part of an audit in accordance with SAs, we exercise professional judgement and maintain professional scepticism throughout the audit. We also:

• Identify and assess the risks of material misstatement of the Financial Statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for our opinion. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.

3.4 Scope and Objective

Scope

This Standard on Auditing (SA) deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements.

Objective

The objective of the auditor is to

• identify and assess the risks of material misstatement,
• whether due to fraud or error,
• at the financial statement and assertion levels
• thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement.

3.5 Audit Risk

The risk that financial statements contain a material misstatement and the risk that the auditor will not detect such a misstatement.

• Inherent Risk – Susceptibility of an assertion to be a misstatement that could be material, assuming that there are no related controls
• Fraud Risk (generally a part of Inherent & Control Risk) – Risk of an intentional act by one or more individuals
• Control Risk – Entity’s internal control system will not prevent, or detect and correct on a timely basis a material misstatement
• Detection Risk – Risk that the auditor will not detect a misstatement

3.6 Components

Assertions — Representations, explicit or otherwise, with respect to the recognition, measurement, presentation and disclosure of information in the financial statements which are inherent in management representing that the financial statements are prepared in accordance with the applicable financial reporting framework.
Assertions are used by the auditor to consider the different types of potential misstatements that may occur when identifying, assessing and responding to the risks of material misstatement.

Business Risk — A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

Significant risk — An identified risk of material misstatement:

i. For which the assessment of inherent risk is close to the upper end of the spectrum of inherent risk due to the degree to which inherent risk factors affect the combination of the likelihood of a misstatement occurring and the magnitude of the potential misstatement should that misstatement occur;

Controls — Policies or procedures that an entity establishes to achieve the control objectives of management or those charged with governance.

3.7 Risk Assessment Procedures and Related Activities

Inquiries

• Inquiries with TCWG
• Inquiries with Internal Audit Functions
• Inquiries with key stakeholders including legal counsel, CFO, CEO, head of departments

Analytical Procedures

• Include both financial and non financial information
• Assist in setting the expectation for a particular account balance
• Identification of unusual and significant transactions
• Preliminary assessment or indication of risk of material misstatement

Observation and Inspection

• Entity operations
• Reviewing various minutes of meetings, policies, procedures and manuals
• MIS
• Physical presence at key locations

Internal and External Source of Information

3.8 Understanding the Entity

External Factors

• Nature of Industry
• Regulatory Environment
• Financial Reporting Framework

Nature of Entity

• Organisation Structure
• Ownership and Governance
• Business Models
• Business Models Integration with IT

Others

• Related business risks
• Business performance tracking

3.9 Risk Assessment

• Overall financial statement level: which refers to risks of material misstatement that relate pervasively to the financial statements as a whole and therefore potentially affect all assertions.
• These are those risks of material judgement that in auditor’s judgment are not confined to specific elements, accounts or items of the financial statements.
• As these impacts the financial statements as a whole, they result in change of overall behaviours and testing strategy relating to the audit as a whole.
• Risks identifiable with specific assertions at the class of transactions, account balance, or disclosure level.
• For each account balance, class of transactions and disclosure, an assessment of risk (such as high, moderate, or low) should be made for each individual assertion (C, E, A, and V) being addressed.

3.10 Assertions

The Implementation Guide on “Risk Based Audit” issued by the Institute of Chartered Accountants of India considers the following assertions:

• Completeness (C)
• Accuracy (A)
• Valuation (V)
• Presentation (P)
• Existence (E)

3.11 Identify and Assessing the risk of material misstatement

Financial Statement Level

• Whether the risks have a pervasive effect on the financial statements
• Management override of controls
• Deficient control environment (management’s lack of competence)
• Integrity of the entity’s management
• Concerns about the condition and reliability of an entity’s records

Assertion Level for class of transaction, account balances and disclosures

• Class of Transaction
• Account Balances
• Disclosures

3.12 System of Internal Control

Control Environment

• Management’s commitment to integrity and ethical values
• oversight over the entity’s system of internal control by, TCWG
• HR policies and Procedures
• Roles and Responsibility
• Organisational Structure

The entity’s risk assessment process

• Identifying business risks relevant to financial reporting
• Estimating significance of those risks
• Mitigation plan for those risks
• Evaluating entity’s risk assessment process is appropriate

The entity’s process to monitor the system of internal control

• monitoring the effectiveness of controls
• identification and remediation of control deficiencies identified
• entity’s internal audit function
• entity’s process for monitoring the system of internal controls appropriate

The information system and communication

• Information flows through the entity’s information system
• IRPR process for all the transactions
• Communication between Management and TCWG
• External Communication

Control activities

• Controls that address a risk that is determined to be a significant risk
• Control over JEs and non routine transaction bookings
• Controls over IT system (ITGC and ITAC)
• Segregation of duties

3.13 Discussion between team members

• The engagement partner and other key engagement team members shall discuss the application of the applicable financial reporting framework and the susceptibility of the entity’s financial statements to material misstatement.
• All team members need not be present in engagement team discussion
• When there are engagement team members not involved in the engagement team discussion, the engagement partner shall determine which matters are to be communicated to those members.

3.14 Reassessment of Risk of Material Misstatement

• If the auditor obtains new information which is inconsistent with the audit evidence on which the auditor originally based the identification or assessments of the risks of material misstatement, the auditor shall revise the identification or assessment.

3.15 Documentation

If it is not documented, this is not audited.

Documentation:

• The discussion among the engagement team and the significant decisions reached;
• Key elements of the auditor’s understanding
• The sources of information from which the auditor’s understanding was obtained; and the risk assessment procedures performed;
• The evaluation of the design of identified controls, and determination whether such controls have been implemented
• The identified and assessed risks of material misstatement at the financial statement level and at the assertion level
• Significant risks and risks for which substantive procedures alone cannot provide sufficient appropriate audit evidence, and the rationale for the significant judgments made

3.16 Small Entities

• Some entities, including less complex entities, and particularly owner-managed entities, may not have established structured processes and systems (e.g., a risk assessment process or a process to monitor the system of internal control) or may have established processes or systems with limited documentation or a lack of consistency in how they are undertaken.
• When such systems and processes lack formality, the auditor may still be able to perform risk assessment procedures through observation and inquiry.
• Other entities, typically more complex entities, are expected to have more formalized and documented policies and procedures. The auditor may use such documentation in performing risk assessment procedures.

3.17 Way Forward

• Establish SQM 1 & SQM 2 within the firm
• May require a dedicated team to implement & monitor SQM 1 and SQM 2
• Assess whether these are meeting “Quality Management” Objective
• Redraft checklists for new standards proposed
• Identify implementation challenges NOW and draw a plan
• Assess the requirements of new standards and map the resources available- develop a plan to meet the gaps (example- availability of EQR, IT Professionals, etc.)
• Assess the additional effort required and sensitize clients now for additional time and fees
  (example- IT professional in case of risk assessment; additional work in SA 540)