External audit has sharpened its focus on systems & controls - what does this mean for Heads of Internal Audit?

Original content provided by BDO UK

ISA (UK) 315 (revised July 2020) - Identifying and Assessing the Risks of Material Misstatement - came into force for accounting periods beginning on or after 15 December 2021. Heads of Internal Audit will have already noted that it is being applied to the current audit cycle at their organisations by their external auditors.

This is an important audit standard since it deals with external auditors’ responsibility to understand the entity and its environment (e.g. industry, regulatory and other external factors), the applicable financial reporting framework and the entity’s system of internal control, to be able to identify and assess risks of material misstatement and from this determine any additional audit procedures to be performed. The principal revisions to the standard aim to improve the consistency of risk identification and assessment, refine the approach to understanding the system of internal control and to ensure that certain IT risks are addressed sufficiently.

Impact on the external audit approach

Audit risk model

The statutory audit risk model has not changed. External auditors are still required to identify risks of material misstatement at both the financial statement and assertion levels and where risks have been identified, devise appropriate audit procedures in response.

Financial statement level risks are those that relate pervasively to the financial statements as a whole, such as going concern issues, external factors such as declining economic conditions, or deficiencies in the control environment.

Assertions are used by auditors to determine the categories of material misstatement that may arise. These include assertions:

  • about classes of transactions and events, and related disclosures, for the period under audit (occurrence, completeness, accuracy, cut-off, classification, presentation)
  • about account balances, and related disclosures, at the period end (existence, rights and obligations, completeness, accuracy, valuation and allocation, classification and presentation)
  • not directly related to recorded classes of transactions, events or account balances.

Risk at assertion level is the possibility that one or more of these assertions is incorrect to the extent that a material misstatement arises. Assertion level risk comprises inherent risk (the risk that a material misstatement of an assertion could arise before consideration of any related controls) and control risk (the risk that a material misstatement of an assertion will not be prevented, detected and corrected by the entity’s system of internal control).

Required audit risk assessment procedures

Significant changes have been made to required audit risk assessment procedures. To promote more consistency in the approach to the identification and assessment of audit risk, the revised standard is much more prescriptive in relation to the work to be undertaken and the areas to be covered.

Risk assessment procedures to be performed are specified in respect of:

  • The entity and its environment, and the applicable financial reporting framework
  • Components of the entity’s system of internal control.

The risk assessment procedures involve obtaining an understanding of each of these areas and identifying and assessing the related audit risks.

Of most relevance to Heads of Internal Audit is the work that external auditors must now do regarding understanding and evaluating the entity’s system of internal control. In particular, the revised standard has substantially changed and enhanced the requirements and application material in relation to the auditor’s considerations about IT. The main changes can be found in the auditor’s required understanding of the information system and control activities components.

The standard defines the entity’s system of internal control as being made up of the following components:

  • Control environment
  • The entity’s risk assessment process
  • The entity’s process to monitor the system of internal control
  • Information system and communication
  • Control activities.

The control environment comprises the governance and oversight framework, culture, values, assignment of authority and responsibility, recruitment and training, accountability and performance management. Auditors must now evaluate whether the entity has a culture of honesty and ethical behaviour, whether the control environment provides an appropriate foundation for the other components of the entity’s system of internal control and whether control deficiencies acknowledged in the control environment undermine the other components of the entity’s system of internal control.

For those business risks relevant to financial reporting objectives, auditors are required to understand the entity’s process for identifying, assessing and addressing these risks and evaluate whether the process is appropriate for the entity.

Processes to monitor the system of internal control include control monitoring activities performed by management and internal audit. External auditors must understand these processes and evaluate whether they are appropriate for the entity.

The information system comprises the information processing activities for each significant class of transactions, account balances and disclosures, together with human and IT resources and the IT environment. These need to be understood and evaluated. Specific additional guidance is provided in respect of the IT environment in Appendix 5 of the standard. The objective of understanding the IT environment is to enable the auditor to identify potential risks arising from the use of IT by identifying the key IT applications and processes relevant to the audit and evaluating whether the entity’s information system appropriately supports the preparation of the financial statements.

Communication refers to the ways in which significant matters supporting the preparation of the financial statements are communicated within the entity, between management and those charged with governance and with external parties such as regulators. Auditors are required to evaluate whether the entity’s information system and communication appropriately support the preparation of the financial statements.

For the control activities component, the standard now clearly directs the external audit work towards identifying controls that address risks of material misstatement at the assertion level. These are specified as controls that address significant risks of material misstatement, controls over journals, controls where the auditor plans to test operating effectiveness to determine the extent of substantive testing, and any other controls that the auditor considers relevant. For IT applications and aspects of the IT environment that are subject to the risks of using IT (e.g. unauthorised access, inappropriate data changes) identified through understanding the IT environment, the auditor is required to identify the IT risks and any related IT general controls.

The auditor is required to evaluate the design and the extent of implementation of all the controls relevant to the control activities component.

Relevance to internal audit

The external audit approach has shifted to a more granular assessment of financial controls, the IT environment and IT general controls, even if the external auditors do not seek to rely upon them. Expectations have increased and auditors are now required to obtain more detailed information so that they can understand and evaluate the entity’s system of internal control. Management therefore needs to provide more comprehensive documentation of financial and IT controls as audit evidence. External audit reporting is likely to include an increased number of recommendations relating to controls.

As a result, the work of internal audit may come under increased scrutiny. Internal audit may be asked to assist management in responding to requests for control documentation and to share more of their reports and schedules. Management could potentially ask internal audit to undertake “pre-audit assessments” of controls so that everything is in order before the external audit. Those aspects of the internal audit plan relating to financial controls or the IT environment will be looked at more closely by management to ensure that they do not duplicate the work performed by the external auditors. Internal audit may also need to explain their findings more fully in these areas - especially if they appear inconsistent with the control reporting provided by the external audit.

Alongside these developments, the implementation of the proposed changes to UK corporate governance continues to progress steadily with most large corporate entities having begun to prepare for the expected requirement for an explicit directors’ statement on the effectiveness of internal controls over financial reporting and the basis for that assessment. This is also driving more formal documentation of financial and IT controls. Although additional resource is often being recruited to lead this project, internal audit still has a supporting role to play as the control documentation and approach is developed - drawing on the knowledge of the business obtained through its work on financial and IT processes and controls. Once the requirement comes into force, the internal audit plan may need to be reviewed again to ensure that it is aligned with any assurance required to support the directors’ statement.

How should Heads of Internal Audit respond?

Heads of Internal Audit need to be aware of, and understand, the impact of this change in approach. The revised standard is now being applied to all external audits, with audited entities’ financial and IT controls being assessed by audit teams in greater depth than before. UK corporate governance reform is also focused on these controls. More questions will be asked of the organisation, more control points will be included in external audit reporting to the Audit Committee, and management may look to their internal audit team for support and advice.

To respond to these challenges, it is essential that Heads of Internal Audit look again at their approach to financial and IT controls. This should include the strategy - the extent of coverage of these areas within the plan - and how this is aligned with external audit activity and any assurance to support the proposed directors’ statement. This will enable duplication of audit effort to be minimised.

The objective and scope of individual internal audits relating to financial and IT controls should also be considered in this light. The objectives and approach of an internal audit are very different from external audit. Audit risk for external auditors is focused primarily on financial statement misstatement, whereas internal audit is looking to provide assurance in respect of a much wider population of risks associated with the organisation’s strategy and business objectives. As a result, the conclusions arising from internal audit work can potentially differ from those reached by external audit - even though they appear to be looking at the same process area.

Refreshing the internal audit strategy and approach and articulating this to management, the Audit Committee and the external auditors should ensure that the assurance provided by internal audit is more clearly defined and the potential for perceived duplication or misunderstandings is addressed.