ISA 250 The Auditor's Responsibilities Relating to Laws and Regulations in an Audit of Financial Statements
Proposed redrafted International Standard on Auditing issued for comment by the International Auditing and Assurance Standards Board of the International Federation of Accountants
Comments from ACCA
July 2007
Executive Summary
ACCA welcomes the opportunity to comment on the proposed International Standard on Auditing ISA 250 (Redrafted) The Auditor's Responsibilities Relating to Laws and Regulations in an Audit of Financial Statements (proposed ISA 250), issued for comment by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants.
Our comments are restricted to the changes proposed as a result of applying the Clarity project drafting conventions to extant ISA 250.
We are concerned, however, that the redrafting has disguised significant revision, as such changes may not receive appropriate scrutiny. These are principally in relation to the objectives and certain proposed new requirements for reporting to third parties.
In addition to our detailed comments on the requirements, we have provided an Appendix which gives further information on the deficiencies that we identify in the requirements of this and other proposed ISAs issued as part of the Clarity project.
Changes made to enhance the clarity of proposed ISA 250
Objectives
We consider that objectives 8(a) and 8(b) are appropriate. It is important to separate the objective for laws and regulations that have a direct effect on the determination of material amounts and disclosures in the financial statements from the objective for other laws and regulations. This allows a better appreciation of the different responsibilities of the auditor.
Taken together with the way the requirements are arranged, this presentation will assist in avoiding an expectation gap in respect of what the auditor can reasonably achieve.
The wording of objective 8(b) includes the word 'help'. We assume this is intended to make it clear that the specified procedures will not guarantee to identify instances of non-compliance. There are other interpretations, however, and we believe it is more important to eliminate the word 'help' so that there is no suggestion that the specified procedures alone are not sufficient to achieve the objective.
We are concerned that the wording of objective 8(c) is too wide and suggest that it be made explicit that the auditor's objective is to respond appropriately to identified or suspected non-compliance with laws and regulations insofar as they are relevant to objectives 8(a) and 8(b). We are more concerned, however, that, taken together with the new requirement in paragraph 27, this objective represents a significant change that is being 'hidden' in a mere redraft for the purposes of the Clarity project. The 'appropriate response' has been extended to determining whether there is a responsibility to report to a third party.
We are aware of the requirement in paragraph 43 of ISA 240 The Auditor's Responsibilities Relating To Fraud In An Audit Of Financial Statements (Redrafted) but would distinguish that case, as fraud is of much greater significance 1.
Requirements
The Appendix to this response provides further information on the deficiencies that we identify in the requirements of this and other proposed ISAs resulting from the Clarity project. It should be read in conjunction with each comment below as such deficiencies are particularly evident in these paragraphs.
Paragraph 10
The introductory wording of paragraph 10 is intended to indicate that the auditor needs to consider legal and regulatory issues when performing risk assessment procedures, rather than solely at a later stage. However, the nuance of this, which appears clear to the drafter may be other than clear to the user, especially in translation.
As presented, the wording can be interpreted as a condition precedent that makes the requirements in the bullet points conditional on whether the auditor is involved in a process of 'obtaining an understanding of the entity'2.
The auditor may be involved in other processes and during such processes the auditor will not be required to comply with paragraph 10 because the condition to make that an applicable requirement is not present. We discuss this further in the Appendix to this response under the headings Conditions precedent and Timing of requirements.
Paragraph 11
The words 'after obtaining the above general understanding' are intended to indicate that the requirement is relevant at a later stage of the audit than that referred to in paragraph 10. However, the nuance of this, which appears clear to the drafter may be other than clear to the user, especially in translation.
As presented, the wording can be interpreted as a condition precedent that makes the requirement in paragraph 11 conditional on whether the auditor has completed a process of obtaining a general understanding (and indeed might be interpreted as referring to a process that immediately precedes the requirement).
The auditor may be involved in other processes and during such processes the auditor will not be required to comply with paragraph 11 because the condition to make that an applicable requirement is not present. We discuss this further in the Appendix to this response under the headings Conditions precedent and Timing of requirements.
Paragraph 12
The words 'in addition' make an unnecessary link between the requirements in paragraph 12 and those presented earlier. The auditor is unsure whether the words refer back to paragraph 11 or to paragraphs 10 and 11. As the conditions precedent are different, it is not clear whether the requirements in the bullet points are relevant during obtaining a general understanding or only thereafter. We discuss this further in the Appendix to this response under the headings Conditions precedent and Timing of requirements.
We recognise that the bold-type paragraph 19 in extant ISA 250 begins with the word 'further' but believe that redrafting for the purposes of the Clarity project should produce greater precision of language.
Paragraph 13
The words 'during the audit' are unnecessary and should be eliminated.
This requirement is one for which it is unnecessary for the auditor to document compliance separately, as it will be self-evident within the audit file. As explained in the Appendix to this response under the heading Basic principles and essential procedures we recommend explaining this in the Application and Other Explanatory Material (A&OEM) section.
Paragraph 15
Paragraph 15 contains no requirements. Given that objective 8(b) already states that the procedures to be performed are those that are specified, there is no need for this further material.
Paragraph 17
Although paragraph 21 refers to the circumstances where all of those charged with governance are involved in management of the entity (and footnotes ISA 260); paragraph 17 (and paragraph 18) do not. As explained in the Appendix to this response under the heading Communication of audit matters with those charged with governance we recommend using the A&OEM section to allow easy reference to the implications of such circumstances.
Paragraph 18
We do not agree with the inclusion of this requirement. A requirement to 'assess the need to [do something]' is inappropriate for two reasons. Firstly, it will result in auditors carrying out procedures and documenting the relevant facts and considerations when what they should be doing is deciding whether they need to obtain legal advice. Secondly, there should be no requirement to decide whether to obtain legal advice (which we assume the wording actually intended). There are two main reasons why this requirement is wrong. The first is that under the drafting conventions of the Clarity project this should not be a requirement because it will apply only in rare circumstances. The wording in paragraph A15 is adequate to guide appropriate auditor behaviour. The second reason why a requirement to decide whether to obtain legal advice is inappropriate, is that there are many circumstances in which legal advice ought to be considered. If ISAs only include requirements for a few of these, a climate will be created whereby auditors will be deterred from seeking legal advice unless there is a specific requirement. This is one of the risks of creating proposed ISAs that are too rules-based.
There is a further consideration relating to obtaining legal advice. If the advice is from the auditor's own lawyer it may include 'further action, if any, the auditor would take' (paragraph A15). This advice is primarily to benefit the auditor by, for example, reducing the risk of committing a breach of confidentiality or being sued. ISAs should mandate actions that benefit the quality of the audit, not those that primarily benefit the auditor.
Paragraph 18
Please refer to our comments on paragraph 17 reproduced below:
Although paragraph 21 refers to the circumstances where all of those charged with governance are involved in management of the entity (and footnotes ISA 260); paragraph 17 (and paragraph 18) do not. As explained in the Appendix to this response under the heading Communication of audit matters with those charged with governance we recommend using the A&OEM section to allow easy reference to the implications of such circumstances.
Paragraph 20
The words 'and take appropriate action' have been added to the end of the requirement from extant ISA 250. We see no justification for adding such wording. The auditor is being required to do something that he or she judges to be appropriate. This is not a specific requirement and so fails to meet the test of being necessary to achieve the objectives of the ISA.
The requirement also suffers from a deficiency in logic. The action is mandated as a result of an evaluation of 'the implications of non-compliance in relation to other aspects of the audit, including the auditor's risk assessment and the reliability of written representations'. That evaluation could result in an assessment that there were no important implications and yet the auditor is still required to do something in order to meet the requirement. This puts the auditor into a logical trap as taking action when none is needed cannot be described as taking appropriate action. If the requirement is retained, it is necessary to change it to 'take appropriate action or refrain from action when that is appropriate'.
There are many requirements in ISAs where the words 'and take appropriate action' could be added. A consistent approach should be taken in the Clarity project to ensure that requirements are specific where necessary and omitted when unnecessary - as should be the case with this requirement.
Paragraph 21
Please refer to our comments on paragraph 17 reproduced below:
Although paragraph 21 refers to the circumstances where all of those charged with governance are involved in management of the entity (and footnotes ISA 260); paragraph 17 (and paragraph 18) do not. As explained in the Appendix to this response under the heading Communication of audit matters with those charged with governance we recommend using the A&OEM section to allow easy reference to the implications of such circumstances.
Paragraph 21 and A&OEM in relation to paragraphs 21 to 23
As discussed further in the Appendix to this response under the heading Communication of audit matters with those charged with governance, we recommend making a cross-reference to the A&OEM section to deal with circumstance when all of those charged with governance are involved in managing the entity. This approach would also facilitate further changes that we suggest in relation to paragraphs 21 to 23 as there is currently no related A&OEM and we suggest that there should be in order to transfer unnecessary material from the Requirements section (see below).
Paragraph 21
Bullet point (b) of paragraph 21 includes the explanatory wording 'other than when the matters are clearly inconsequential'. This should be transferred to the A&OEM section. ISA 240 The Auditor's Responsibility to Consider Fraud in an Audit of Financial Statements (Redrafted) uses the A&OEM section to provide guidance on the treatment of matters that might be inconsequential (paragraph 40 and A59) and it is inconsistent to present similar material in the Requirements section.
The terminology used has changed from 'matters that are clearly inconsequential or trivial' (extant ISA 250) and it is important that such a change is justified by consistency in the Clarity project. There seems to be potential for the terminology to fail to be consistent because of tensions with other documents. For example, proposed ISA 450 Evaluation of Misstatements Identified during the Audit (Revised and Redrafted)3 refers to 'misstatements identified during the audit, other than those that are clearly trivial'. In addition, there is a need to consider consistency with the IFAC Code of Ethics for Professional Accountants, where the terminology in section 290.32 (exposure draft) is: 'Throughout this section, reference is made to significant and clearly insignificant threats to independence. In considering the significance of any particular matter, qualitative as well as quantitative factors should be taken into account. A matter should be considered clearly insignificant only if it is deemed to be both trivial and inconsequential.' We recommend, therefore, that a consistent approach be established for this document and others in the Clarity project.
Paragraph 22
We suggest that the A&OEM section should contain material to clarify whether the 'non-compliance referred to in paragraph 21' is affected by whether the matter is 'clearly inconsequential' (see our comments on paragraph 21).
The intention of extant ISA 250 (paragraph 33) is that 'If in the auditor's judgment the noncompliance is believed to be intentional and material, the auditor should communicate the finding without delay.' Material accompanying proposed ISA 250 explains that editorial amendments have been made to this 'to align with proposed ISA 260 (Revised and Redrafted)'. This is due for finalisation in IAASB's September 2007 meeting (or thereafter) and is not currently in the public domain.
We assume that the current draft of ISA 260 no longer refers to materiality and that the intention of proposed paragraph 22 is that the auditor should act on all non-compliance judged to be intentional. As paragraph 21 currently includes wording that excludes some matters, it is necessary to resolve any doubt the reader might have by providing appropriate guidance.
Paragraph 23
The second part of paragraph 23 is a requirement to assess the need to
obtain legal advice. As set out above in relation to paragraph 18, we do not
agree with the inclusion of such a requirement. Our reasons are reproduced below
for ease of reference:
A requirement to 'assess the need to [do something]' is inappropriate for two reasons. Firstly, it will result in auditors carrying out procedures and documenting the relevant facts and considerations when what they should be doing is deciding whether they need to obtain legal advice. Secondly, there should be no requirement to decide whether to obtain legal advice (which we assume the wording actually intended). There are two main reasons why this requirement is wrong. The first is that under the drafting conventions of the Clarity project this should not be a requirement because it will apply only in rare circumstances. The second reason why a requirement to decide whether to obtain legal advice is inappropriate is that there are many circumstances in which legal advice ought to be considered. If ISAs only include requirements for a few of these, a climate will be created whereby auditors will be deterred from seeking legal advice unless there is a specific requirement. This is one of the risks of creating proposed ISAs that are too rules-based.
There is a further consideration relating to obtaining legal advice. If the advice is from the auditor's own lawyer it may include 'further action, if any, the auditor would take' (paragraph A15 [which is in relation to paragraph 18]). This advice is primarily to benefit the auditor by, for example, reducing the risk of committing a breach of confidentiality or being sued. ISAs should mandate actions that benefit the quality of the audit, not those that primarily benefit the auditor.
Paragraph 27
Paragraph 27 contains a new requirement that results from elevating guidance in paragraph 38 of extant ISA 250. It also contains guidance.
We do not agree with the elevation of this material to a requirement, nor with the inclusion of guidance material in the Requirements section. It should be transferred to the A&OEM section.
The requirement appears to be innocuous but actually is very onerous while having no direct bearing on the quality of the audit. Determining whether there is a responsibility to report will require the auditor to possess a high level of legal knowledge and skill, or obtain legal advice. If retained as a requirement, it should be rewritten to restrict its application (see our comments above on objective 8(c)).
We also caution against any arguments that the proposed requirement makes little sense without an additional requirement to report. Such an addition would be entirely inappropriate.
The auditor's actions in reporting or not reporting a matter may be prescribed by law and there should be no double jeopardy whereby an auditing standard imposes itself on the same matter. We strongly suggest that a redrafting for the purposes of the Clarity project is not the time to introduce such a significant change. This material should be confined to the A&OEM section. This would allow the IAASB to develop appropriate generic material to deal with matters of international significance, such as money laundering.
The level of public interest varies considerably in relation to the audited entity, the nature of the non-compliance and the identity of the party to who reporting may occur. A single requirement does not capture this. In the UK and Ireland, pressure from financial regulators to whom auditors might report resulted in the creation of an auditing standard (SAS 620 The Auditors' Right and Duty to Report to Regulators in the Financial Sector). In 2004 when the Auditing Practices Board consulted on the proposed introduction of ISA (UK and Ireland) the requirements of that standard were proposed as 'plusses' to the international standards. ACCA commented to the APB4 that:
'Although, historically, the material in SAS 620 has had the authority of a standard, we do not believe that it is necessary for it to retain that status. The auditor's statutory duty to report to regulators is a matter of law and an equivalent standard is no longer necessary. A similar duplication exists with regard to the right to report.
As a preferred alternative, we propose, therefore, that SAS 620 be revised and published with the authority of a Practice Note (or pronouncement of equivalent status). This would immediately remove it as a 'plus' from ISA (UK&I) and promote international harmonisation. It would also achieve consistency in the UK and Ireland as APB has adopted that treatment in relation to guidance on money laundering.'
Paragraph 28
The proposed documentation requirement had been extended to include the results of discussions 'with management, and where applicable, those charged with governance and other parties outside the entity'.
We have commented in relation to objective 8(c) and paragraph 27 on a requirement extending to parties outside the entity. We see no justification for introducing a documentation requirement for discussions that will often be confidential to the auditor and the third party and which may be totally unrelated to the audit of the financial statements.
The new requirement is described as an 'editorial amendment' to align with proposed ISA 230 Audit Documentation and proposed ISA 260 Communication with Those Charged with Governance. Paragraph 8 of ISA 230, on which comments were requested by 31 March 207, requires that: 'The auditor shall document discussions of significant matters with management and others, including when and with whom the discussions took place.' This duplicated the proposed requirement in paragraph 28, rendering it unnecessary. If it is retained, the wording in ISA 230 should be adopted as it refers to significant matters.
The wording 'and where applicable' is difficult to interpret. Is it intended to indicate that the requirement is applicable in all cases that a discussion has taken place with these parties (which could easily have been made explicit) or that there are some other conditions precedent? If the requirement is retained, we suggest eliminating this wording.
Appendix: Common Deficiencies in Requirements
This Appendix provides further information on the deficiencies that we identify in the requirements of this and other proposed ISAs issued as part of the Clarity project. Our comments are collected under three headings:
- Growth in the number of requirements
- Presentation of requirements
- Other significant issues
Growth in number of requirements
There seems to be no external economic or social justification, suddenly to increase the degree of specificity of ISAs; nevertheless, many proposed ISAs exhibit a substantial growth in the number and detail of specific requirements. We are not convinced that the implementation of the guidelines adopted for deciding on the requirements to be included in an ISA is correct.
We are concerned that the proliferation of requirements will promote a 'tick box' mentality. Each extra requirement introduced is another box to tick, another factor that can reduce the quality of an audit, and another cost that bears disproportionately on smaller audits and deters the more widespread application of ISAs.
The cost of including a single requirement should not be underestimated. Even if that requirement is conditional and is not relevant in the circumstances, it requires consideration by every auditor on every audit and that gives rise to a considerable cost, which includes the related training and changes to audit manuals, programmes or software.
Our detailed analysis concludes that hardly any of the changes from a present-tense statement to a requirement are justified. We recommend that the proposed requirements be reconsidered on an individual basis and that each remains as a requirement only if a strong case can be made for that.
The 'requirement' is really guidance on another requirement
Many new requirements deal with the same subject as another but in greater detail: the auditor is required both to do something and also to carry out the steps in that process. This is a simple duplication, which should be eliminated.
Such secondary requirements are best treated as explanatory material that auditors can refer to in relation to the primary requirement.
Requirements that are only relevant in rare circumstances
Extant ISAs contain some present-tense statements that provide guidance to the auditor when facing uncommon circumstances. The general Clarity project guideline for inclusion of requirements is that the requirement is expected to be applicable in virtually all engagements to which the ISA is relevant. Ordinarily, therefore, such present-tense statements should not be elevated to requirements.
We accept that certain requirements are of sufficient importance that this guideline can be disregarded. For example, although audits of public interest entities form only a small minority of audits, it is sometimes necessary to include requirements that will be relevant only to such entities. This may be done by restricting the application of the requirement by the use of a condition precedent.
We do not believe that it is appropriate, however, to make wider use of conditions as a device to justify inclusion of requirements for uncommon circumstances. Although a requirement will ensure that the auditor, when facing the specific conditions, will act in an appropriate manner, a balance has to be struck between that and the additional burden placed on every audit. Every conditional requirement requires consideration by every auditor on every audit and that gives rise to a considerable cost burden, which falls disproportionately on smaller entities.
We recommend, therefore, that any such proposed elevation be supported by an assessment of the frequency with which the condition for its use is met and the additional benefit (if any) to the quality of the audit that arises through inclusion as a requirement. We would not ordinarily expect such assessments to show that the benefit of elevation outweighed its cost.
Presentation of Requirements
We do not find the Requirements sections of proposed ISAs easy to understand. As well as the proliferation of requirements, many of which are overlapping, as discussed above under the heading Growth in number of requirements, there are two main reasons for this:
- explanatory material is interspersed with the requirements, and
- the requirements are not constructed in a simple fashion.
Explanatory material
We do not support splitting the supplementary material providing explanation and guidance between the Application and Other Explanatory Material (A&OEM) section and the Requirements section. Such an approach forces users to carry out a detailed analysis of the text of the Requirements section to identify the 'essential explanatory material' and discover which parts of the text are actual requirements. Rather than improving clarity, explanatory material adds unnecessary length and detracts from the reader's understanding. Instead, we strongly suggest that the 'essential explanatory material' and the 'supplementary material providing further explanation and guidance' both be presented only in the A&OEM section (or its appendices).
Simple construction
We do not find the requirements easy to understand because they are not always drafted in a simple fashion. As a result, auditors who need to know when a requirement applies, and when it does not, have to be very diligent and analytic readers.
In our February 2006 response to the redrafting proposals 'Improving the Clarity of IAASB Standards' we proposed the adoption of a structure that clearly showed:
- any conditions precedent
- on whom a requirement was placed
- the action required, and
- the object of that action.
The Appendix to that response included an example of an appropriate tabular layout to achieve that result. As ISAs have now been issued without such a method of presentation, we see no point in continuing to argue against the use of prose to convey the requirements. We believe that more should be done, however, to address the difficulties of presenting requirements in prose so that there is less doubt about the meaning of the various 'shall' statements.
Conditions precedent
Requirements with multiple conditions precedent are particularly difficult to understand when written in prose. The complexity of the material also makes translation difficult. Where possible, we recommend keeping conditions precedent close to the requirement so that the auditor does not have to refer back to earlier material.
Some apparent conditions precedent are intended to place the requirement at a particular stage of the audit or identify it as relevant in particular circumstances5 . We recommend avoiding such constructions by positioning words after the 'shall' statement unless they are clearly an explicit condition precedent.
On whom the requirement is placed
Sometimes, instead of the auditor being required to do something, the requirement is placed on a document or earlier action. A typical construction being 'The auditor's evaluation shall cover the same period as that used by management...'. Such indirect requirements are less clear than ones written to apply directly to the auditor.
Other Significant Issues
Basic principles and essential procedures
The bold type in extant ISAs identifies basic principles and essential procedures. These are substantially different in nature, but the Clarity project has combined the two as 'requirements'. We do not agree with this approach, which leads to confusion, as auditors may attempt to treat a principle as an action. The corresponding and perhaps greater danger is that auditors who correctly interpret some of the 'shall' statements as principles will treat as principles some that are intended as active requirements.
We recommend separating the principles with which the auditor is required to comply from the required procedures and other actions. This could be achieved by separating requirements into two sub-sections but it could also be achieved through explanation in the A&OEM section for each requirement that is a basic principle. Such explanation could also refer to the fact that it is unnecessary for the auditor to document separately compliance with matters for which compliance is self-evident within the audit file.
Limitation or clarification of the auditor's responsibility
Statements apparently limiting or clarifying the auditor's responsibility are present in several ISAs. These should be considered individually to determine the best way to present them when redrafting an ISA. As a general rule, we do not favour introducing such statements into the Requirements section as they are neither requirements nor form conditions precedent and, if included there as explanatory material, they detract from the clarity of the requirements.
Statements that are sufficiently important should be included in the Introduction section where that is necessary to elaborate on the scope or context of the particular ISA. Other statements should be included in the A&OEM section.
Timing of requirements
We have commented above, under the heading Conditions precedent that wording intended to place a requirement at a particular stage of the audit could be interpreted as a condition precedent and restrict its application.
The preferred timing of a requirement is a matter that should be considered on a consistent basis for all ISAs. If sufficiently important, the timing of a requirement should itself be a requirement; if timing is not critical, the preferred timing should be indicated by guidance material or left unstated. It should be remembered that many of the requirements depend on others and that the introduction of explicit mention of timing (or similar rephrasing of a requirement) should not be undertaken lightly.
Communication of audit matters with those charged with governance
Several ISAs include requirements to communicate with those charged with governance. Proposed ISA 260 Communication of Audit Matters with Those Charged with Governance contains wording to take account of the circumstance when all of those charged with governance are involved in managing the entity.
An appropriate method of recognising such circumstances is needed for the Clarity project. Consistent with our view on the exclusion of explanatory material from the Requirements section, we suggest that a cross-reference be made in the A&OEM section to the related material in ISA 260.
1 For example, proposed ISA 200 paragraph 5 states that '...the overall objective of the independent auditor is to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error...' there is no separate mention of non-compliance with laws and regulations.
2 Proposed ISA 570 Going Concern used the words: 'performing risk assessment procedures to obtain an understanding of the entity'; one form ought to be used consistently.
3 The text is taken from Agenda Item 6C of the IAASB Main Agenda (July 2007).
4 International Standards on Auditing (UK and Ireland) Proposed Standards on Auditing and associated pronouncements issued for comment by the Auditing Practices Board, Comments from ACCA, September 2004:
5 For example, in our April 2007 response to proposed ISA 230 Audit Documentation we explained the difficulty of using the words 'in exceptional circumstances' in paragraph 10 of that proposed ISA.