Delivering high-quality audits – Reminders for 2024
As CPAs, we are aware of the crucial role that financial statement audits play in maintaining trust, transparency, and confidence in the global financial reporting ecosystem. To help you navigate this audit busy season, CPA Canada has identified several audit-related focus areas to have on your radar, based on the results of Canada’s public company audit regulator’s recent inspection results. While the Canadian Public Accountability Board (CPAB) oversees public accounting firms that audit reporting issuers in Canada, the themes, reminders, and resources highlighted in this blog are relevant to financial statement auditors of all types of entities.
This edition of the audit quality blog highlights:
- inspection themes – challenging areas and reminders for auditors
- resources to help you apply standards effectively
- upcoming changes to auditing standards
INSPECTION THEMES – CHALLENGING AREAS AND REMINDERS FOR AUDITORS
In October 2023, the CPAB published its interim inspection findings as part of its Audit Quality Insights Report. The report highlights common themes related to risk assessment, service organizations, perpetual inventory systems, and audit documentation, supervision and review.
As many of the challenging areas expressed from CPA Canada’s network of practitioners are similar in nature to the themes identified, this blog explores some of CPAB’s common themes further. It’s important to note that CPAB takes a risk-based approach to their inspections, as such, CPAB does not look at every aspect of every file. These findings illustrate the importance of performing a robust risk identification and assessment to ensure planned audit responses address the risks of material misstatement. Also highlighted are helpful CPA Canada resources that you can refer to as you are planning and performing your upcoming audits.
Risk assessment
The quality of your risk assessment process has a pervasive effect on all aspects of the audit. Obtaining an understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control provides you with a frame of reference within which you identify and assess risks of material misstatement. The risk assessment standard (CAS 315, Identifying and Assessing the Risks of Material Misstatement) was recently revised (effective for 2022 calendar year-ends) to require a more robust risk identification and assessment to promote better responses to the identified risks.
CPAB identified several concerns with the implementation of the revised CAS 315 standard. These concerns include:
- insufficient consideration of the likelihood and magnitude of material misstatement
- significant untested populations of transactions and/or account balances
- no testing of information technology (IT) or other controls where extensive use of IT exists
- no evidence of a stand back assessment
- insufficient challenge of the design of management's controls
CPAB found that some auditors did not obtain a comprehensive understanding of the end-to-end processes, including the entity’s IT environment. This included insufficient consideration of the entity’s IT environment and not identifying additional risks of material misstatement from an IT perspective. It’s important for auditors to read and understand the requirements in paragraphs 21-26 of CAS 315 as it relates to understanding the components of an entity’s system of internal control, and to take note of the sequence of these requirements. Understanding the control environment and the entity’s risk assessment process is essential for drawing reliable conclusions about the IT landscape. Moreover, in applying CAS 315, consider involving IT specialists, as appropriate, to help understand where potential risks could arise and how to respond to those risks.
CPA Canada resource reminder: Get help with implementing and applying CAS 315, Identifying and Assessing the Risks of Material Misstatement (CPA Canada’s Implementation tool includes several questions related to concerns raised by CPAB), including the latest publication – FAQ: CAS 315 and the Auditor’s Responsibilities for General Information Technology Controls. This publication can help you understand:
- the IT environment and identification of GITCs
- risks arising from the use of IT
- the difference between GITCs and information processing controls
- when to evaluate the design and implementation of GITCs
- when to test the operating effectiveness of GITCs
- the impact of GITCs that are not appropriately designed and implemented, or GITCs that are not operating effectively
Service organizations
In today’s complex business environment, entities are relying on a wide variety of third-party service providers. Auditors need to be mindful of the added business complexities when an entity is interacting with and using various third-party service providers. You are required to understand the nature of the third-party services provided and assess whether the third-party service provider is a service organization, as per CAS 402. Unfortunately, deficiencies (i.e., significant inspection findings) have been identified in this area. Examples from CPAB’s 2023 interim inspections results report include:
- insufficient understanding of the significance of the services provided by the service organization and how they impact the internal controls of the entity being audited
- reliance on a service auditor report without adequately considering whether the controls tested by the auditor at the service organization address the relevant risks of the entity being audited
- insufficient or no testing of the controls at the entity being audited that are necessary to ensure the effective operation of the controls at the service organization (known as complementary user entity controls
- how you can obtain an understanding of how a user entity uses the services of a service organization or subservice organization in the user entity’s operations
- what controls to identify and how to evaluate the design and implementation of those controls
- what are system and organization controls (SOC) reports and considerations when planning to use SOC reports as audit evidence.
Perpetual inventory systems
Perpetual inventory systems were also highlighted as a common theme in CPAB’s inspection findings. As auditors, understanding and evaluating the effectiveness of these systems that continuously track and update inventory levels may be necessary. CPAB stressed the importance of auditors examining the design and operation of perpetual inventory systems to ensure the accuracy of reported inventory balances and reduce the risk of misstatements.
Audit documentation, supervision and review
Lastly, CPAB identified audit documentation, supervision and review as an ongoing area requiring attention. As the auditor, you are required to prepare appropriate and sufficient audit documentation to support your conclusion and to evidence that the audit was planned and performed as required. Additionally, effective supervision and review are essential components to support the consistent performance of quality engagements. As outlined in the new quality management standard, the nature, timing and extent of direction and supervision of engagement teams and review of the work performed must be appropriate, based on the nature and circumstances of the engagements and the resources assigned or made available to the engagement teams.
CPA Canada resource reminder: CPA Canada has published numerous resources to help you with the effective implementation and application of Canadian Auditing Standards (CAS) in the CPA Canada Handbook – Assurance, including audit documentation reminders. Check out the suite of resources available relating to quality management, specifically the CSQM 1 Implementation Tool, which can help with adequate supervision and review.
Important notice: If you or your firm rely on CPA Canada’s Auditor Reporting Guide, please check out the most recent edition of the guide, expected to be published by March 2024, which will include updates to illustrative financial statements prepared in accordance with International Financial Reporting Standards.
UPCOMING CHANGES TO AUDITING STANDARDS
Auditors have an ongoing obligation to adhere to relevant standards, including new or updated standards in effect. In recent times, the audit landscape has become increasingly intricate, necessitating the revision of numerous standards in short order, due to the dynamic nature of the environment. As a result, the International Auditing and Assurance Standards Board (IAASB) as well as our Canadian AASB (AASB) continue their ongoing efforts to ensure standards are fit for purpose. Many of the upcoming planned changes to standards will aim to clarify or align with recent changes to the risk assessment standard. As auditors, staying informed on standard setting projects allows you to think about the impact of standard changes, share your views on draft standards, appropriately plan for implementation, and advise your clients of relevant developments. The following Canadian auditing standards are being revised with revisions expected to be approved within the next two years:
CAS 570, Going Concern
The IAASB’s public consultation period on the going concern standard closed in August 2023. The proposed changes included:
- defining material uncertainty related to going concern and clarifying “significant doubt”
- enhancing the risk identification and assessment procedures
- extending the timeline of management’s going concern assessment to 12 months from the financial statement approval date
- introducing flexibility to address circumstances when management is unwilling to extend its going concern assessment
- strengthening the auditor’s evaluation of management’s going concern assessment
- enhancing transparency with respect to the auditor’s responsibilities and work related to going concern
These proposed changes are explored further in CPA Canada’s Practitioner’s Pulse Webinar on Going Concern, where CPAB discusses challenges identified in their Going Concern Thematic Review and the AASB discusses the proposed changes to CAS 570 intended to address the challenges.
Expected approval: The IAASB is expecting to approve ISA 570 (Revised), Going Concern in December 2024.
CAS 240, Fraud
The IAASB’s public consultation period on the fraud standard has just begun. The proposed changes aim to:
- clarify the role and responsibilities of the auditor for fraud in an audit of financial statements
- promote consistent behaviour and facilitate effective responses to identified risks of material misstatement due to fraud through strengthening CAS 240 to establish more robust requirements and enhance and clarify application material where necessary
- enhance CAS 240 to reinforce the importance, throughout the audit, of the appropriate exercise of professional skepticism in fraud-related audit procedures
- enhance transparency on fraud-related procedures where appropriate, including strengthening communications with those charged with governance and the reporting requirements in CAS 240 and other relevant CAS.
Keep an eye out for CPA Canada’s Spring 2024 Practitioner’s Pulse Webinar, which will discuss the fraud standard, among other topics!
Expected approval: The IAASB is expecting to approve ISA 240 (Revised), Fraud in March 2025.
Practitioners can keep up-to-date with the proposed projects and applicable exposure drafts through the AASB Projects page.
KEEP THE CONVERSATION GOING
Remember to check back on CPA Canada’s resource pages as well as the FRAS Canada page for upcoming changes. Let us know if there are other challenging areas where you feel guidance could be valuable or helpful to you and other auditors!
Disclaimer
The views and opinions expressed in this article are those of the author and do not necessarily reflect that of CPA Canada.