Shariq Barmaky and Chiew Chun Wee examine the challenges and implications of the revised and redrafted ISA 600.
ISA 600 wordy, but worthwhile
The auditing profession has come a long way since the time when corporations had simple operations and structures, and audit requirements could be as straightforward as providing a certification of endorsement to sole proprietors so they could demonstrate to the suppliers their ability to pay off debts within the credit terms.
The corporation subject to an audit has expanded, across states, and beyond national boundaries. This has brought about management's challenge of reporting on the results and financial status of an economic body that is an aggregation of diverse entities situated around the globe.
Similarly, auditors have faced the daunting task of putting down their name on a group audit report that says that the group financial statements are, in all material respects, true and fair. To do that, the group auditor can either spend months or potentially years, to plough through the books and records of each entity in turn, with a view to eventually gathering sufficient appropriate audit evidence to provide a basis for an audit opinion. This by then would be way past its useful shelf life. They can alternatively rely on auditors of individual components of the group to perform the necessary work, and issue the overall audit opinion on the group financial statements based on the results of that work.
The question, and the crux of what auditing standards try to address, is to what extent can the group auditors use the work that the components' auditors have performed?
ISA 600 (revised and redrafted) The International Auditing and Assurance Standards Board (IAASB) released the revised and redrafted International Standard on Auditing (ISA) relating to group audits, ISA 600, in October 2007, after a prolonged and intensive deliberation and consultation process. This was not surprising given the wide-ranging implications the ISA in question has on the work to be performed by the auditors of group financial statements.
The revised and redrafted ISA 600 Special Considerations: Audits of Group Financial Statements (Including the Work of Component Auditors) may be wordy, but one thing we will agree on upfront is that the length is a product of necessity. The scope of the revised ISA 600 is broader than the extant standard. The revised ISA 600 covers all audits of group financial statements, while the extant standard covers only group audits where 'other auditors' are involved.
Ahead of its effective date (earmarked for audits of financial periods commencing on or after 15 December 2009 to be consistent with the effective date for all standards being redrafted under IAASB's Clarity Project), we comment on a selection of the added requirements and guidance and discuss the potential challenges, and implications that auditors will face in applying the new requirements.
Eliminate choice of 'division of responsibility' In the extant ISA 600 Using the Work of Another Auditor, the 'principal auditor' may, if so permitted by the local regulations, 'base the audit opinion on the financial statements taken as a whole solely upon the report of another auditor regarding the audit of one or more components'. The extant standard notes that this is not 'desirable', but allows such practice nonetheless.
The revised ISA, in one of the most explicit departures from the extant standard, eliminates the above option.
In instances where local regulations require the group audit report to make reference to the component auditor, the revised ISA makes it compulsory for the group engagement partner to indicate in the same report that such reference (to the component auditor) does not 'diminish the group engagement partner's or the group engagement partner's firm's responsibility for the group audit opinion'.
It is clear in the revised ISA 600 that the group engagement team, in arriving at the group audit opinion, has a responsibility to obtain an understanding of the overall operations of the group, including the manner in which the business is structured, and the interaction between each business component. The group engagement team should perform a comprehensive risk analysis that is pertinent for an in-depth and focused audit. Under the extant ISA, and where allowed by local legislation, an auditor is allowed to attribute audit responsibility over a significant portion of the group financial statements to another auditor.
The option is removed in the revised standard and the readers of the audit report need only deal with one auditor. They need not be concerned about multiple auditors being responsible for different components of the financial statements.
Although the 'division of responsibility' option was not available in a great number of jurisdictions in the first place, the elimination of such an option creates divergence in those that do, most notably, in the US. In fact, as proponents of the 'division of responsibility' option may argue, this is one option that really should have been made available to all auditors. The concern is that, having the option removed, coupled with what some view as more prescriptive guidelines on what constitutes a 'significant component' as well as the work that needs to be performed thereon (more on this later), auditors will face practical challenges when auditing large complex groups that are operating across a wide-ranging geographic region.
Take for instance a group that comprises several significant associates accounted for using the equity method under International Accounting Standard 28 Investments in Associates. Because the group only has significant influence but not control over those associates, the group engagement team may not be able to gain access to those associates and their auditors to perform the necessary procedures to base its group audit opinion on.
Accordingly, there could be a scope limitation that will result in a qualified ('except-for') opinion, or in more extreme cases, a disclaimer of opinion in the group audit report. In fact, the revised ISA 600 anticipates such a scenario and has been 'helpful' in providing an illustrative report with a qualified opinion arising from the above-mentioned scope limitation (refer to Appendix 1 to the revised ISA 600).
Overly prescriptive? The revised and redrafted ISA 600 is without question a whole lot lengthier than the extant standard. Through comments received in relation to the three exposure drafts issued on the subject, one can see constant reminders for the standard to stay true to ISA's principle-based roots, and to avoid becoming overly prescriptive. The revised ISA 600 focuses on the auditor's identification of 'significant components' and the work performed thereon, either by the group engagement team or by component auditors.
'Significant component' is defined as a component identified by the group engagement team:
that is of individual financial significance to the group, or (ii) that, due to it specific nature or circumstances, is likely to include significant risks of material misstatement of the group financial statements.
The identification of significant components determines many activities that need to be performed by the group engagement team, including acceptance and continuance, risk assessment and work to be determined.
Acceptance and continuance in the revised ISA 600 is based on the group engagement partner's determination that he or she will be able to obtain sufficient appropriate audit evidence in relation to the consolidation process and the financial information on which to base the group audit opinion.
If the group engagement partner concludes that sufficient appropriate audit evidence cannot be obtained due to restrictions imposed by group management, and the possible effect of this inability will result in a disclaimer of opinion, the group engagement partner must not accept the engagement.
There is added guidance on identification of significant components within the group, and the related procedures that are mandated for such components.
The premise is logical. As pointed out in the Application and Other Explanatory Material of ISA 600, '[as] the individual financial significance of a component increases, the risks of material misstatement of the group financial statements ordinarily increase'.
The revised standard proposes one way to determine 'individual financial significance' could be to apply 'a percentage to a chosen benchmark'. The percentage mentioned in ISA 600 is 15 per cent. Depending on the nature and circumstances of the group, appropriate benchmarks might include group assets, liabilities, cash flows, profit or turnover.
In an earlier draft exposed for comments in 2005, the percentage proposed was 20 per cent, and it was set within the standard itself (only shifted to the application material when the new ISA clarity drafting convention was applied) and was worded to represent the minimal percentage that should be regarded as significant ('The nature and circumstances of the group, however, may make a lower percentage appropriate').
Some oppose the inclusion of an 'arbitrary' threshold as it takes the 'judgement' away from the auditors' work. Despite the fact that '15 per cent' is included as an example, it can be foreseen that any component that breaches the 15 per cent mark and yet is not determined to be a 'significant component' will warrant some form of rationalisation by the auditors.
For such 'exceptions', the auditors would have to clearly lay out their thought process in arriving at that conclusion. The indicative threshold of 15 per cent will help promote consistent application of the standard.
The revised ISA 600 sets out that auditors must obtain sufficient appropriate audit evidence on group financial statements through audits performed on all significant components and analytical or other procedures performed on the remaining components.
It essentially notes that on a rotational basis, the group engagement team may perform, or require component auditors to perform an audit (of the financial statements or specific accounts, transaction or disclosure), a review under International Standard on Review Engagements (ISRE) or other specific procedures.
When a component auditor performs an audit of the financial information of a significant component, the group engagement team is required to be involved in the component auditor's risk-assessment process to identify significant risks of material misstatements of the group financial statements. The revised ISA 600 indicates that the minimum level of participation in this regard is for the group engagement team to discuss with the component auditors or component management the component's business activities that are significant to the group, to discuss with the component auditor the susceptibility of the component to material misstatement of the financial information due to fraud or error and to review the component auditor's documentation of identified risks of material mis-statement of the group financial statements.
Group A does not have any 'significant component' (neither exceeding the 15 per cent 'threshold' nor is one that 'due to its specific nature or circumstances, is likely to include significant risks of material misstatement of the group financial statements').
Hypothetically, the group engagement team merely needs to perform a token selection of procedures from the earlier paragraph on top of analytical review on all the components at the group level, and it will be in compliance with the form (probably not the substance) of the revised ISA 600.
On the other hand, Group B, which is made up entirely of 'significant components', will require an audit at component materiality to be performed on the whole group. There is lesser room for manoeuvre in this case.
One way to address the apparent inequity would be for the standard to include an indicative audit 'coverage' ordinarily necessary.
Accordingly, for Group A, the group engagement team can only satisfactorily complete the group audit when a sufficient percentage of the group is audited; and for Group B, the significant components can be audited on a rotational basis as long as the 'coverage' is achieved for each year.
Of course, such an approach will again be criticised for being way too prescriptive and rule-based.
As it stands, the revised standard will require practitioners to exercise their judgement to address the requirements for audits of groups with varying structures: to identify significant components and determine the nature, timing and extent of audit or other procedures to be performed.
One can only trust that professional sense will shine through at the end of the day and that the nature, timing and extent of procedures adopted by the group engagement auditor for significant components will be able to with-stand any scrutiny by their peers, regulators and, in extreme circumstances, by law enforcers.
Component materiality One of the new concepts brought about by the revised ISA 600 is 'component materiality', which is the materiality used by component auditors to perform an audit or a review for purposes of the group audit.
It is explained that in order to 'reduce the risk that the aggregate of detected and undetected misstatements in the group financial statements exceeds the materiality level for the group financial statements as a whole, component materiality shall be lower than the materiality level for the group financial statements as a whole' . The extant ISA 600 did not provide guidance on component materiality. How much lower? The application material says the 'component materiality level need not be an arithmetical portion of the group materiality level and, consequently, the aggregate of the component materiality levels may exceed the group materiality level'.
The 'component materiality' concept is not one that is readily understandable to all. In practice, individual audit firms would have to implement firm-specific policies and guidance. Since the concept relies on judgement, there could be many interpretations that may appear acceptable but may vary widely in the manner of execution and results.
Signing off There is no mistaking that the revised ISA on group audits has provided some very good practical answers to practitioners, and is a giant stride in the profession's quest to enhance the quality of audit work, promote consistency in practices across the profession, and bring the standard of the profession up to mark.
This is in line with the overriding principle underpinning all past, present and future IAASB redrafting projects.
It has been observed that the guidance within the revised standard represents consolidation of best practices from within the profession.
Accordingly, even before the revised ISA becomes effective and binding, those responsible for inspecting audit engagements might be persuaded to view any practices that deviate from those put forth in the revised standard as being subpar. The challenges highlighted may in fact arrive sooner than we think.
Shariq Barmaky is a partner and head of the technical department at Deloitte Singapore. Chiew Chun Wee is a senior manager in the firm's technical department.
