30 May 2022

Let’s face it, auditing can be like herding cats.

There are so many factors that must be considered simultaneously that it’s really impossible to proceed through anything but the most basic job without new facts emerging, new risks surfacing, and expectations changing. We try to nail this down and not miss anything, with our programmes and engagement letters, but it’s still easy for something to slip through in the busyness.

The new ISA 315 standard addresses this using the language of “iterative and dynamic”. It says: “The auditor’s understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control are interdependent with concepts within the requirements to identify and assess the risks of material misstatement” (paragraph 7).

Consider what we are asked to simultaneously evaluate:

  • The entity itself – history, structure, goals, funding etc.
  • The environment in which it exists – legislation, competitors, industry trends etc.
  • The reporting framework under which it is required to or chooses to report.
  • The inherent risks associated with the above.
  • The control systems used to assist the entity to fulfill its business and reporting responsibilities.
  • The risks associated with those activities and their exposure to both error and fraud.
  • How risk relates to different classes of transactions, different account balances, or disclosures.
  • How risk relates to the assertions made by the client regarding the different classes of transactions, different account balances, or disclosures.
  • The materiality of risks and errors found.
  • Responses and how to address the risks identified.
  • How these responses relate to each other and combine to give an overall level of comfort to the auditor.
  • And much more!

IFAC diagrams it like this:

see https://www.ifac.org/system/files/publications/files/ISA-315-Revised-EM-Overall-risk-assessment-flowchart-July-6_0.pdf

So the new standard helpfully informs us that the process is regarded as iterative and dynamic. In other words, it is okay to jiggle our thoughts and responses around until we arrive at the best approach. Auditing is perhaps best regarded as an art more than a science at this level of complexity. Hence the emphasis on exercising professional judgement.

In practical terms, this approach means that we make our preliminary assessments of risk right from our first conversation with the client. We note these down. Then we do some more background research, and we note down our understanding of the client. This may unearth more possible risks. We gain access to client documents, minutes, legal documents and agreements, and past financial reports, and the bigger picture begins to form. We update some of our earlier impressions and go back with more questions.

Then we meet with our team and brainstorm about what they perceive as the risks (especially the inherent risks as we have already noted). We update our assessment of risk. We move identified items around the spectrum of inherent risk as we seek to bring the focus on what is significant.

Paragraph A48 points out the obvious: “…the auditor’s expectations may change as new information is obtained.” We draw initial conclusions, but we update these as our understanding of the client grows. Finally (?) we have a plan that has identified the significant risks and the most efficient ways to reduce audit risk to an acceptable level.

Then we start carrying out the work we have decided is required to respond to the risks identified. But (who knew?) more issues surface as we start digging, so we go back and revise our plan accordingly.

Paragraph 7 concludes: “In addition, this ISA (NZ) and ISA (NZ) 330 require the auditor to revise the risk assessments, and modify further overall responses and further audit procedures, based on audit evidence obtained from performing further audit procedures in accordance with ISA (NZ) 330, or if new information is obtained.”

This has always been what good auditors do intuitively and was inferred by the old standard. Practical wisdom would suggest taking the time to revisit our plans, not rushing ahead without being really clear on what the risks are and whether our responses are actually addressing those risks, and being flexible enough to adapt to new information as we go.

Who said herding cats isn’t fun?

17 May 2022

The fourth concept recognised in the new ISA 315 (paragraph 5) builds on the emphasis on inherent risk (IR) discussed in the last article and the need for a separate assessment of inherent risk and control risk.

ISA 200 tells us that inherent risk is higher for some assertions and related classes of transactions, account balances and disclosures than for others. The degree to which inherent risk varies is referred to in ISA 315 as the ‘spectrum of inherent risk.’ The concepts of the spectrum of risk and separate assessment of inherent and control risks were introduced in the ISA 540 standard on the audit of estimates. It is now to be applied across the board in this updated standard.

Also, as we have seen, RoMM at the assertion level for inherent risk is assessed in terms of likelihood of occurrence and magnitude of potential impact. These two factors are always to be considered in tandem, and the combination of a higher likelihood of occurrence and high magnitude creates a significant risk – like nitro-meets-glycerine!

Explosive risks – handle with care

As in the case of handling something explosive, much more care is needed for significant risks. Paragraph A12 states that “The higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be.” Thus we are to focus our time and energy on the potentially explosive risks.

In discussing the magnitude of a risk, paragraph A211 states that we are to consider “…the qualitative and quantitative aspects of the possible misstatement…” That is, more than just the dollars, but including the nature and circumstances of the risk.

Paragraph A214 states that the auditor may use different scales or ways of categorising the elements of inherent risk; however, the important thing is that the result will ensure that “…the design and implementation of further audit procedures to address the identified risks of material misstatement at the assertion level is appropriately responsive to the assessment of inherent risk and the reasons for that assessment.”

What about a low-risk audit?

What if the client has no items towards the higher end of the spectrum? What work is then required? The standard does not give much guidance in these cases, although A219 says: “Being close to the upper end of the spectrum of inherent risk will differ from entity to entity, and will not necessarily be the same for an entity period on period. It may depend on the nature and circumstances of the entity for which the risk is being assessed.”

A sensible approach is to assume that while an entity may have few or no significant risks, the risks that rank highest are where the bulk of the work should be focussed.

28 April 2022

The third key concept in ISA 315 (Revised 2019), summarised in paragraph 4, relates to understanding Inherent Risk (IR) and Control Risk (CR).

We discussed that risk at the financial statement level relates to the financial statements as a whole. It may potentially affect many assertions and may not affect one account more than another. For example, if the management of the company is involved in fraud, or if the overall level of competence is such that controls are ineffective, this will be a Risk of Material Misstatement (RoMM) at the more global level (i.e. the financial statement level).

RoMM at the more granular (assertion) level may be split into Inherent Risk (IR) and Control Risk (CR). These are familiar concepts but the new standard formulates these and makes them much more specific, which is a good thing. We are explicitly required to consider inherent risk and control risk separately.

Inherent risk

Inherent risk (IR) is a central concept of the standard, mentioned in 109 places, as compared to control risk, mentioned only 16 times.

IR focuses on the raw reality of the entity before we consider any controls. What would the susceptibility of an assertion to material misstatement be if there were no controls? This is to be considered individually or when aggregated with other misstatements.

The standard now requires IR to be assessed on a spectrum. This spectrum is to be considered in terms of the likelihood of occurrence and the magnitude of the potential misstatement. These are to be considered in tandem.

For instance, it may be quite likely that a few pens may be taken from the stationery cupboard for private use, but the magnitude of misstatement should this occur is very low. Or there might be a volcano that destroys the city, which would be a high magnitude loss, but the likelihood of occurrence is low. In either case, these would not represent significant risks. The ideal way to display these IRs is graphically. For instance:

Any IR that is both likely to occur and with potential for high-magnitude impact must be regarded as a significant risk (para 12(l)). In the case above, we may identify the top five (circled) items as significant. This reflects good practice, but in the new standard, it is made crystal clear.

There is a new definition of Inherent risk factors in the standard (para 12(f)). This speaks of events or conditions that affect susceptibility to misstatement, whether due to fraud or error.

These may impact on an assertion about a class of transactions, an account balance or a disclosure. Such factors may be qualitative or quantitative and include considerations such as complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors. All should be considered – generally just following common sense.

Why this emphasis on IR? It makes sense that we start with inherent risks, as these represent the fundamental potential for misstatement. Then considering these we may only really concern ourselves with controls that address those risks.

For instance, if we instead started with control risk, we may identify poor controls over cash. But cash does not represent a material part of the business. So if cash is not inherently a material risk, is there any point concerning ourselves with the related controls? If we start with IR we will know this.

Control risk

Control risk (CR) describes a risk that a possible material misstatement (either individually or when aggregated with other misstatements) that could occur in an assertion, will not be prevented, or detected and corrected, on a timely basis by the entity’s system of internal control.

Paragraph 33 states: “If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control risk. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk.”

So, we are required to assess control risk (CR) only if we plan to test the operating effectiveness of controls or when substantive procedures alone will not provide sufficient appropriate audit evidence at the assertion level. Therefore, if we do not intend to rely on controls we do not need to test them, so CR effectively defaults back to our IR assessments.

This is a new concept. And it opens questions about how to respond in small entities that do not have many formal controls that we can test, but nevertheless, have a robust system of management and governance oversight which gives us considerable comfort. We shall return to these questions in a later post.

20 April 2022

The second key concept in ISA 315 relates to the requirement in ISA 200 para 15 to “…plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the financial statements to be materially misstated” and para 16 to “exercise professional judgement in planning and performing an audit of financial statements.”

These should be familiar concepts to auditors; however, familiarity does not mean that the concepts are easy to learn or maintain.


An easy way to explain scepticism is from our NZ popular culture – the famous Tui billboards. They were generally based on an assertion made by someone – then mocked with a sceptical “yeah right” – a good concept to keep in mind when the client is telling us a story (though probably unwise to verbalise):

Like a good journalist interviewing a politician, we cannot take claims at face value without evidence, especially if there is a reason why it might be beneficial for the interviewee to present a biased slant on the truth.

The standard gives some helpful tips for applying professional scepticism in para A13, including encouraging the auditor to:

  • Question contradictory information and the reliability of documents;
  • Consider responses to enquiries and other information obtained from the client;
  • Remain alert to conditions that may indicate possible misstatement due to fraud or error; and
  • Consider how the audit evidence obtained supports our identification and assessment of RoMM.

Confirmation bias

Paragraph 13 reminds us that when designing and performing risk assessment procedures we must not bias our work toward obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory. This takes some thought, as we are caught between time constraints (pushing us towards getting the answer quickly) vs. professional curiosity and thoroughness which may be necessary if something doesn’t quite sit right.

Many audit failures are the result of falling for confirmation bias. As per the American Psychological Association, Confirmation Bias is the tendency to look for information that supports, rather than rejects, one’s preconceptions, typically by interpreting evidence to confirm existing beliefs while rejecting or ignoring any conflicting data.

We mostly instinctively see the evidence that supports our presuppositions about the client, and ignore evidence that falls outside of our existing beliefs about them. In fact, it is very difficult not to do this when we are close to the client and involved in the details of the job. It is the reason we have auditor rotation and review of our work.

To counter bias the standard recommends comparing evidence from multiple sources. Para A15 lists these as:

  • Interactions with management, those charged with governance, and other key entity personnel.
  • External parties such as regulators.
  • Publicly available information about the entity.

Professional judgement

ISA 200 para A26 tells us that: “The distinguishing feature of the professional judgement expected of an auditor is that it is exercised by an auditor whose training, knowledge and experience have assisted in developing the necessary competencies to achieve reasonable judgements.”

The experienced auditor will develop a nose for things that don’t add up, just like the good investigative journalist. I have confirmed with many auditors the immense value of just sitting in the client’s tea-room and chatting with the staff (not so easy during COVID restrictions). This isn’t just about finding out surprising facts but assessing the tone of the client.

Brain science confirms that having a ‘hunch’ or a ‘bad feeling’ is often a reliable indicator that we should investigate a bit deeper. Our right-brain function is constantly scanning our environment and we pick up complex patterns and human interactions that alert us that something isn’t quite right. The right brain works much faster than the more cognitive left brain, so we are aware of things emotionally and physically before we really have time to think about them and process them cognitively. So a good auditor learns to use all of their brain.

ISA 315 para 17 also emphasises the importance of the whole team being involved in planning and looking for risks. In a team, even the newest member may think of something that the more experienced have missed. Everybody has different experiences, skills and perceptions to bring to the table. So a good auditor also uses the brains of all their team!

11 April 2022

ISA (NZ) 315 (Revised 2019) applies for audits of financial statements for periods beginning on or after 15 December 2021. To prepare for it we are producing a series of articles, and we are updating our content and our risk identification and assessment process to better suit the new standard.

The standard starts with a series of key concepts. These are useful to get the drift of the standard. Most of these are basic auditing but they provide great revision and help to break risk assessment down in a way that hopefully makes sense.

Key Concept 1 – Audit Risk

Paragraph 2 of the new standard references the requirement in ISA (NZ) 200 that audit risk be reduced to an acceptably low level by obtaining sufficient appropriate audit evidence.

Audit risk sounds simple at first glance but can quickly turn nasty once we start trying to define and understand how it actually works. This is where we must start using some acronyms and abbreviations (much as I hate them).

Audit Risk (AR) is described as a function of Risk of Material Misstatement (RoMM) and Detection Risk (DR). RoMM may exist on two levels – the financial statement level and the assertion level. RoMM consists of two components: Inherent Risk and Control Risk (para 4). The whole objective of the audit (per para 11) is to identify and assess the RoMM, so that we can use this as a basis for designing and implementing responses to the assessed RoMM.

If you are like me, it’s easy to go a bit like this around this point:

The key is to understand the meaning behind AR = RoMM x DR.

AR must be reduced to an “acceptably low” level. So let’s break down the rest of this.

First, what is material misstatement? ISA (NZ) 320 (2) says: “Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.”

You could say that, in the context of the audit, material things are what we care about; things that make the financial statements not just wrong but misleadingly so.

So, risk of material misstatement (RoMM) is a weak point that could lead to us missing something big and important in our work and so failing in our task.

We identify a weak point, we think about the likelihood of it being wrong or producing wrong results, and we consider the potential impact on the financial statements if the worst-case scenario were to emerge. We identify, describe and assess the RoMM.

Second, what about the Financial Statement level and Assertion level? This is easily enough understood as either that which will impact the financial statements as a whole (financial statement level) or that which is more granular, relating to classes of transactions, account balances and disclosures (assertion level).

In plain English an assertion is defined as: 

“A confident and forceful statement of fact or belief” (Oxford Dictionary).

The Collins English dictionary goes further and says:

“A positive statement, usually made without an attempt at furnishing evidence.”

Paragraph A190 lists assertions as things like Occurrence, Completeness, Accuracy, Cutoff, Classification, Presentation, Existence, Rights and Obligations, Valuation and Allocation.

Our job is to assess whether the assertion being made is important (i.e. material) enough for us to look for evidence that it is actually true.

For example, if the preparers of the financial statements are confidently and forcefully stating that say, certain inventory is owned by them, exists and is valued at a certain amount, we as auditors are required to assess whether the balance (or potential for error) is material and if it is, whether their confidence and force in making these claims are justified by looking for evidence using suitable procedures that respond to the risk.

We will consider how these responses work later.

Making Audit Risk (AR) acceptable is like us saying whether it is possible, given the RoMMs we have identified, to design suitable audit responses to be comfortable that we have found evidence to support the assertions.

If we can’t do that we should either not accept the engagement at all, disclaim the audit report if it is too late, or modify the report if we can ring-fence the uncertainty to certain categories.

7 April 2022

From January 2022 the thresholds for the New Zealand financial reporting requirements, and the levels at which audits and review engagements are required, have been updated. Let’s consider New Zealand’s reporting landscape while considering the changes.

A variety of reporting levels

Think of the reporting framework as a tree with two main branches – Public Benefit Entities (PBEs) and For-Profit Entities (FPEs), reflecting the reality that some entities operate in the public sector for public benefit and some operate at the for-profit end of the scale.

The needs of the readers of financial statements for for-profit entities and public-benefit entities will likely be somewhat different, so a distinction is made.

However, whether an entity is primarily for community and social benefit isn’t as clear-cut as it sounds, as most if not all entities have (hopefully) some kind of public benefit – the provision of healthy food for instance is part of the goal of an entity like Fonterra. But the type and purpose of transactions often make the distinction clearer – many transactions are non-exchange in nature, and specialised assets are often held for which there may be no commercial market.

Not all entities want or need to trade or invest internationally or even have much of a public face at all. The NZ XRB thankfully recognised this and drew some distinctions between outward-facing entities that require wide-scale credibility and smaller-scale local entities that will never have to be scrutinised on the international stage. Discussions of ownership, scale, public accountability, and purpose are factored into these distinctions. 

Public Benefit Entities

The Public Benefit Entities (PBE) branch of the reporting standards is somewhat easier to navigate than the For-Profit bough.

If, after looking at founding documents, beneficiaries, and issues of funding we decide that the entity is indeed a PBE there are four slots of financial reporting that we can choose from.

Tier 1 – The plumpest fruit

To whom is the entity accountable? Where is the funding for the entity derived? An entity may be for public benefit but not publicly accountable – for example, a charity for helping the homeless that is funded by support from corporate sponsors.

Or an entity may be publicly accountable but for-profit rather than for public benefit – for example, banks, insurance and superannuation providers, publicly listed companies and others that trade debt or equity instruments to the public. The specific criteria are provided by the Financial Markets Conduct Act 2013 (FMC Entities) and by the IASB definition of public accountability. 

Anything that is publicly accountable will fall into Tier 1 – full compliance with full PBE accounting standards. 

Also falling into that basket will be large entities – defined in this case by expenditure – over $30million over the last two periods (note this has not changed). This size is specified by the XRB A1 Accounting Standards Framework document. There are only about 60 charities in this category in New Zealand. 

Tier 2 – Not so large and not accountable

PBEs that are neither publicly accountable nor with expenses over $30million are graded based simply on their expenditure level over the last two periods.

Under $30million but over $2million drops into Tier 2 (again these thresholds are unchanged). These are subject to the same PBE accounting standards as the larger entities, but with some reduced disclosure requirements concessions (“RDR”).

There are about 900 NZ charities in this category. An important point to remember is that all PBE entities, regardless of size and type, will by default go into Tier 1 unless they elect to adopt another category.

Tier 3 and 4 – Small in value but large in number 

Dropping into Tier 3 will be entities under the $2million expenses mark, but over $140,000 (increased from $125k). Anything under that level may fall into Tier 4. Tier 3 uses what is known as “PBE Simple Format Reporting Standard – Accrual” (PBE SFR-A). Tier 4 uses “Public Benefit Entity Simple Format Reporting – Cash” (PBE SFR-C (“C” for “cash”)). 

Over 90% of the 27,000 NZ registered charities fall into Tier 3 and 4. The XRB has published extensive guides and Charities Services has downloadable Excel templates for completing these reports (follow the links above).

But will they need to be audited or reviewed?

Which of these entities will be required to be audited? Under the Accounting Infrastructure Reform Bill, entities with expenditures over $1.1million (previously $1m) for the two preceding accounting periods are required to be audited.

Entities with expenditures between $550,000 (previously $500,000) and $1.1million for the two preceding accounting periods may opt for a review engagement. This work must be performed by a “qualified auditor” in compliance with the appropriate assurance standards. 

Under $550,000 there is no statutory requirement for audit or review unless, of course, the founding documents or funding sources require this. 

For-Profit Entities

As noted, an entity may be publicly accountable and also for-profit rather than for public benefit – for example, banks, insurance and superannuation providers, publicly listed companies and others that trade debt or equity instruments to the public.

These entities are by default Tier 1 FPE, required to comply with full NZ IFRS standards. Also, as per the PBE rules, anything with a total expenditure of over $33 million (increased from $30million) in the two preceding periods will fall into this tier, whether publicly accountable or not, captured by their sheer economic weight.

Tier 2 – How large is large?

Similarly to the PBE branch, Tier 2 is only to be applied to non-publicly accountable entities, but the size criteria are a little more complex, and some other factors are considered.

For Tier 1 economic impact is measured in terms of expenditure, but Tier 2 uses a definition of size based on a combination of revenue and assets. Additionally, the thresholds for assets and revenue differ depending on whether the Company (and these are likely to be companies) is locally or overseas owned.

To be “large” in terms of Tier 2, a locally owned entity must have assets exceeding $66 million (increased from $60million) or revenue exceeding $33 million. These thresholds must be reached at the balance date of each of the two preceding accounting periods to apply.

The thresholds for an overseas-owned company are lower – presumably because there is perceived to be a higher risk. Assets exceeding $22 million (previously $20million) or revenue exceeding $11million (previously $10million) at the balance date of each of the two preceding accounting periods will trigger the “large” switch in this case.

That’s not all though… if the entity is not large in the terms above but has 10 or more shareholders it is also caught in Tier 2 – unless 95% of the shareholders agree to opt-out.

Remember that as with PBE entities, regardless of size and type, FPEs will by default go into the Tier 1 bin unless they elect to adopt another category.

The other 90%

After 1 April 2015, smaller for-profits could use NZ IFRS RDR, but so long as IRD and internal management requirements were met they were free to do what works best for them. 

In effect, this means that most small NZ companies, partnerships and sole traders do not need to prepare financial statements that comply with General Purpose Accounting Principles (GAAP).

Of course, governance, banks and other investors need helpful information. To meet this need NZICA/CAANZ issued some optional guidelines (the SPFR for FPE framework). Entities that do not use these guidelines must still comply with IRD minimum reporting requirements.

Is an audit required?

Tier 1 entities always require an audit, which makes sense, as do “large” overseas companies that are Tier 2. “Large” local companies may, in terms of Tier 2, opt-out of the requirement for audit, as may smaller entities with 10 or more shareholders.

NOTE: Audit Assistant has a Financial Reporting Regime Testing Tool which may be used stand-alone, but is also incorporated into the newer templates. This has now been updated to the new thresholds; however, users will need to be mindful of the period being audited, to make sure that the results are applicable.

3 November 2021

Why a new standard?

A wide range of stakeholders use Agreed-Upon Procedure (AUP) reports for various reasons. The demand for AUP engagements continues to grow, particularly with the need for increased accountability around funding and grants.

In addition, regulation changes have also driven increased demand for AUP engagements, especially from smaller entities, as increased audit costs and higher thresholds for statutory audit prompt stakeholders to look for alternative services to an audit (e.g. banks may request AUP engagements on receivables and inventory instead of audited financial statements of borrowers).

The new standard is designed to address the needs of regulators, funding bodies, creditors, and other entities for increased accountability around the use of funds, grants, and other financial and non-financial subject matters by:

  • Broadening the scope to include financial and non-financial subject matters.
  • Adding examples of AUP engagements.
  • Clarifying the role professional judgment plays in an AUP engagement.
  • Including explanations on the distinctions between AUP engagements and assurance engagements, and
  • Highlighting the practitioner’s responsibilities under relevant ethical requirements for dealing with fraud and non-compliance with laws and regulations.

The rest of the article focuses on the key revisions to ISRS (NZ) 4400 compared to APS-1.

Professional Judgment and the Practitioner’s Objectivity and Independence

The standard concludes that professional judgment is not suspended in an AUP engagement (paragraph 18). However, applying professional judgment when performing procedures in an AUP engagement differs from an assurance engagement.

Professional judgment is applied in accepting and conducting an AUP engagement, for example in determining appropriate actions if the practitioner becomes aware of facts or circumstances suggesting that the procedures are inappropriate for the purpose of the agreed-upon procedures engagement (paragraph A22).

Once procedures are clearly defined, professional judgement is still to be exercised in matters that may indicate fraud or an instance of non-compliance or suspected noncompliance with laws or regulations, or where doubt may be cast on the integrity of the information relevant to the AUP engagement or that indicate that the information may be misleading.

The AUP engagement is performed by an objective practitioner, which means a practitioner’s professional or business judgment is not compromised (paragraph A14).

The standard gives the practitioner flexibility to address circumstances even when the engaging party practitioner is not independent of the entity.  However, the emphasis is now placed on transparency regarding the practitioner’s independence.

Engagement Acceptance and Continuance

The extant APS-1 sets out requirements and guidance dealing with the terms of the engagement. However, it does not contain any requirements or application material on conditions required to be met before the practitioner can accept an AUP engagement.

ISRS (NZ) 4400 sets out engagement acceptance and continuance conditions in paragraphs 20-21 and A20-A29. These paragraphs reinforce the unique characteristics of an AUP engagement, namely:

  • That the engaging party acknowledges expected procedures performed by the practitioner are appropriate for the engagement; and
  • That the AUP and related findings can be described objectively, in terms that are clear, not misleading, and not subject to varying interpretations.

Practitioner’s Expert

The extant APS-1 does not deal with the use of an expert. The new standard includes requirements and application material to address the use of the work of a practitioner’s expert in an AUP engagement, including the practitioner’s responsibilities when using the work of a practitioner’s expert and consideration of whether it is appropriate to include references to a practitioner’s expert in the AUP report.

The IAASB believes that a practitioner’s expert can appropriately assist the practitioner within the context of an AUP engagement by applying the expert’s competence and capabilities. ISRS (NZ) 4400 includes examples of how a practitioner’s expert can assist the practitioner in an AUP engagement, such as a chemist determining the toxin levels in a sample of grains.

AUP Report Restrictions and Non-Financial Subject Matters

The previous standard required the practitioner’s report to include a statement restricting the report to those parties who have agreed to the procedures performed, since others, unaware of the reasons for the procedures, may misinterpret the results.

This requirement created ambiguity around what constitutes “parties that have agreed to the procedures to be performed”. A narrow interpretation is that the AUP report is restricted to signatories to the engagement letter. AUP reports are often required to be provided to users such as regulators who are not parties to the terms of the engagement or posted online as required by law or regulation.

ISRS (NZ) 4400 no longer restricts the AUP report to parties that have agreed to the procedures to be performed. Guidance is provided, in paragraph A43, on the practitioner’s considerations when restricting the use of the AUP report to better meet users’ needs. This paragraph is based on paragraph A21 of ISA 800.

There are an increasing number of AUP engagements performed on non-financial subject matters. Clarifying that the scope includes non-financial subject matters (paragraph 2) addresses market demand for such engagements (A1-A2).

Recommendations Arising from the Performance of AUP Engagements

APS-1 does not contemplate the practitioner recommending changes or improvements on matters that arose from the performance of AUP engagements. However, practitioners do get requested to make recommendations together with an AUP engagement. For example, regulators may request recommendations on improving controls relating to deficiencies identified in the AUP report.

Therefore, paragraph 33 of ISRS (NZ) 4400 requires that the AUP report be distinguished from other engagement reports (such as recommendations). Paragraph A45 gives guidance on how recommendations can be distinguished from the AUP report.

What are the changes Audit Assistant has made to its Agreed Upon Procedures template?

The updated changes are primarily around requirements and reports relating to ISRS (NZ) 4400 compared to APS-1, and subsequently, this has resulted in many wording changes. Reports have been amended to reflect the ISRS (NZ) 4400 recommended form.

The changes are focused on Planning, Strategy, Finalisation and Reporting, and Reports within the template.

Planning now includes a new page for Engagement level Quality Control. This page is for the engagement partner to complete around their obligations to ensure that appropriate procedures around acceptance and continuance, documentation, adherence to professional standards, and quality control management occur throughout the AUP engagement.

Users will be prompted to use the new template and may upgrade from an existing engagement in the case of recurring engagements. We suggest waiting until a job is rolled over before upgrading.

When does the new standard apply?

ISRS (NZ) 4400 is effective for agreed-upon procedures engagements for which the terms of engagement are agreed on or after 1 January 2022. Early adoption is permitted.

18 August 2021

Why is there a need for yet another quality standard? PES 4 supports PES 3 in that it specifically addresses the Engagement Quality Reviewer: their appointment, eligibility, responsibilities, and documentation.

PES 4 (the NZ version of ISQM 2) aims to strengthen the requirements for engagements that should be subject to an engagement quality review by extending the requirement for an Engagement Quality Review (EQR) to engagements other than audits of listed entities.

The concept of scalability has been included within the standard, allowing the firm to adjust certain requirements for their size and nature, especially the significant judgements made.

We saw how PES 3 describes the firm’s responsibility for establishing quality management, including the new quality management approach. An engagement quality review is a response, among others, designed and implemented by a firm to address its assessed quality risks. The performance of an EQR is undertaken at the engagement level. However, the reviewer’s response is implemented on behalf of the firm.

PES 4 is applicable only through requirements in PES 3 and ISA 220 for a firm’s quality management system. Therefore, PES 4 is closely interrelated to the other quality management standards.

There are some requirements related to EQR within PES 3 and the new ISA 220 but these are mainly to do with the engagement team supporting the reviewer and a process to trigger an EQR.

Appointment and Eligibility of Engagement Quality Reviewers

When the firm’s quality management system assesses the need for an engagement quality review, PES 4 states the minimum requirements for eligibility and appointment of reviewers around competencies, capabilities, ethics required, and other relevant considerations. A firm may choose to select further requirements for selecting reviewers.

The standard also lays out the selection of the reviewer, including the qualifications, experience, and objectivity of the individual selected to perform the EQR. It also addresses the reviewer’s requirements of independence, integrity, and objectivity and their ability to challenge the engagement team’s judgements and authority.

Appointment and eligibility requirements for engagement quality reviewers are more selective (whether internal to the firm or external) than those in the old standard including:

• The eligibility of the individual(s) within the firm responsible for the appointment of engagement quality reviewers.

• The eligibility of individuals to assist the engagement quality reviewer in performing the engagement quality review.

• The engagement quality reviewer’s responsibility for the performance of the engagement quality review, including assessing the appropriateness of the work of individuals assisting in the review.

• Limitations on an individual’s eligibility to be appointed as an engagement quality reviewer for an engagement for which the individual previously served as the engagement partner.

Competence and Capabilities, Including Sufficient Time

Requirements regarding the criteria for eligibility of engagement quality reviewers have been maintained in PES 4 and improved through expanding the eligibility requirements. The standard describes the competence and capabilities of the engagement quality reviewer.

The IAASB believes that the achievement of an effective engagement quality review requires the involvement of the reviewer at appropriate points in the engagement, consistent with when the engagement team is making significant judgements because doing so facilitates the resolution of issues promptly. Accordingly, PES 4 includes a new requirement addressing the reviewer’s responsibility to perform the procedures at the appropriate time during the engagement.

The timing of the performance of the EQR is essential, not only concerning when the reviewer becomes involved but also the time allocated for the performance of the review. The firm’s policies or procedures must give the reviewer sufficient time to perform the review.

Relevant Ethical Requirements – objectivity

To improve the reviewer’s objectivity, PES 4 requires a reviewer to comply with relevant ethical requirements and explicitly highlights, in its application material, the threats to objectivity related to the engagement or engagement team. The standard includes a new requirement for the firm to establish policies or procedures that limit an individual’s eligibility to be appointed as a reviewer for an engagement on which the individual previously served as the engagement partner.

Furthermore, the application material suggests objectivity may be accomplished by establishing a two-year cooling-off period and notes that determining a suitable cooling-off period depends on the facts and circumstances of the engagement, applicable provisions of law or regulation, and relevant ethical requirements.

The standard implies that if the individual is appointed as the reviewer immediately after serving as the engagement partner, there are no safeguards or other actions that would eliminate the threats to the individual’s objectivity or reduce them to an acceptable level.

Outside firm Engagement Quality Reviewers

The standard considers that small to medium firms may not have sufficient experience within the firm and might require external reviewers. The standard has been expressly set up not to be so onerous that the availability of suitable engagement quality reviewers is limited or non-existent for small to medium firms.

PES 4 clarifies that the same eligibility requirements apply to any individual appointed as a reviewer, whether within the firm or external (as may be the case when there is no partner or other individual within the firm who is eligible to perform the engagement quality review).

Significant Judgements and Significant Matters

EQR discussions with the engagement partner (or other engagement team members, if applicable), along with the information obtained from the engagement team about the nature and circumstances of the entity, will enable the reviewer to be aware of significant judgements made within the engagement.

Based on that information, the reviewer looks at selected engagement documentation in support of those significant judgements. The standard clarifies that the engagement quality reviewer discusses with the engagement partner and, if applicable, other engagement team members significant matters and significant judgements made in planning, performing, and reporting on the engagement.


The engagement quality reviewer evaluates the basis for the engagement team’s significant judgements, including, when applicable to the type of engagement, the engagement team’s exercise of professional scepticism, based on the review of selected engagement documentation. By doing this, the reviewer acknowledges their role in evaluating the engagement team’s exercise of professional scepticism in making significant judgements and reaching conclusions, and, where appropriate, challenging them.

PES 4 includes a specific requirement for the reviewer to take responsibility for documentation of the EQR. The documentation is to be filed with the engagement documentation. The documentation is sufficient to enable an experienced practitioner, having no previous connection to the engagement, to understand the nature, timing, and extent of the engagement quality review procedures performed.

In summary, the implementation of PES 4 will make it easier for firms and for reviewers to understand their responsibilities when an EQR is required – all in one place.

The IAASB has now issued its proposed standard on less complex entities (ED-ISA for LCE) for feedback.

A standard around LCEs is long overdue, and their proposal comes with the hope of easing unnecessary requirements placed on auditors.

The standard is expected to come into effect around 2023/2024 and should be a game-changer for the audit of most of our client entities. This article follows on from prior commentary and summarises some of the critical changes the LCE standard will have on an audit engagement.

Relationship to ISAs

The IAASB has decided that the proposed standard is to be separate from the ISAs with no intended need to directly reference back to their requirements or application material. However, the proposed standard does not address complex matters or circumstances so is not permitted to be used for audits that are not audits of financial statements of LCEs.

As a consequence, when a firm is auditing an entity with transactions and accounts deemed less complex, they cannot supplement by using other auditing standards concerning a more complex account or transaction (like an accounting estimate calculated using a bespoke, complex model). In this instance, the auditor may not use ISA for LCE together with requirements from say ISA 540 (Revised) to supplement what may not be addressed in ISA for LCE when planning and performing the audit. They would need to carry out the whole audit using ISAs (see Explanatory Memorandum para 26-28).

Therefore, it will be critical in the planning stage to ensure the LCE standard is applicable for every aspect of the audit engagement. The standard provides good guidance around the applicability of LCE for an audit engagement. See table below:

from Explanatory Memorandum para 50

What Qualitative Characteristics might make the standard inappropriate?

Outside of the specific prohibitions in the table above, an entity may be prohibited from using the LCE standard where an entity exhibits:

  • Complex matters or circumstances relating to the nature and extent of the entity’s business activities, operations and related transactions and events relevant to the preparation of the financial statements.
  • Topics, themes and matters that increase or indicate complexity, such as those relating to ownership, corporate governance arrangements, policies, procedures or processes established by the entity.
    (from Explanatory Memorandum para 67)

What about groups?

At this stage, the standard is unlikely to allow group audits; however, the board is open to changing their minds and has proposed options to incorporate group audits into the standard.

General flow of the proposed standard

The content of ED-ISA for LCE has been grouped into nine “Parts” that follow the flow of an audit engagement (rather than by subject matter or topic like the ISAs):

from Explanatory Memorandum para 92

Each part follows the same structure: a preface, authority (circumstances in which the standard is prohibited or limited), broad concepts, key requirements, and appendices.

Potential Grey areas in the application of the standard

Accounting estimates – Specific procedures concerning the use of complex modelling and detailed requirements to address situations where there is higher estimation uncertainty have not been included as they are not expected to be relevant for the types of accounting estimates in an audit of a typical LCE. While the presence of one complex characteristic exhibited by an entity does not necessarily exclude the use of ISA for LCE, this is a tricky area which would lead to a judgement call for the auditor about whether it is still appropriate to continue performing the audit under the proposed standard. The auditor would need to determine if the complex matter or circumstance identified is not in the spirit of what the standard intended to be allowed as an accounting estimate.

Service Organisations – The standard is designed for the typical nature and circumstances of an LCE. The prime example is with LCEs that have payroll processed by a service organisation. However, situations deemed more complex relating to the entity’s use of a service organisation have not been addressed within the proposed standard. For example, requirements relating to an auditor’s ability to rely on reports on the operating effectiveness of controls from the entity providing the services (e.g., ‘Type 1’ and ‘Type 2’ reports) are not included as it is anticipated that where transactions are less complex, the auditor would be able to obtain the necessary audit evidence without difficulty from records available including, if applicable, in relation to controls at the service organisation.

Planning the Audit

One of the areas where the IAASB has modulated the proposed standard is to not distinguish between the overall audit strategy and the audit plan required by the ISAs. The auditor is still required to plan the audit in the same manner, however, the relevant outcomes of what the auditor would need to do about establishing the overall audit strategy and audit plan have been incorporated together (i.e., there is still a requirement to establish and plan the audit’s scope, timing, and direction).


The IAASB has released a video explaining the draft standard:

Audit Assistant response

We think that the approach taken appears sensible, but are yet to get into the deep details. We may make a submission on behalf of our users if there are any particular issues that are brought to our attention.

Our goal over the next year or so is to make a new template from scratch incorporating the requirements of the new standard, in anticipation of its adoption. As a clean-slate build, we will be looking at ways to make this as efficient as possible, without having to retain backwards compatibility. Please contact us if you would like to add to our submission on the ED, or make suggestions for the new template.

4 June 2021

ISA 220 (revised) deals primarily with the engagement partners’ responsibilities in overseeing the quality of the assurance work.

It forms part of the suite of Quality Management Standards, dovetailing with PES 3 Quality Management for Firms that Perform Audits or Reviews of Financial Statements or Other Assurance or Related Services Engagements (aka ISQM 1) and PES 4 Engagement Quality Reviews (aka ISQM 2).

ISA 220 (revised) will be effective from December 2022. Its emphasis may be summarised as:

  • Proactive management of quality at the engagement level by emphasising the importance of professional scepticism.
  • Enhancing the auditor’s documentation judgments.
  • Reinforcing the need for robust communications between the engagement team and partner.

A criticism of the prior standard was that firm quality control manuals were simply to satisfy standard requirements and were not used in the actual engagement. This standard clarifies the role and responsibilities of the engagement partner; notably, their required involvement throughout the engagement and their responsibility for managing and achieving quality at the engagement level.

The objective of the standard is as follows:

The auditor is to manage quality at the engagement level to obtain reasonable assurance that quality is achieved such that:

(a) The auditor has fulfilled the auditor’s responsibilities, and has conducted the audit under professional standards and applicable legal and regulatory requirements; and

(b) The auditor’s report issued is appropriate in the circumstances.

What are the Engagement Partner’s main responsibilities in the engagement?

The new standard makes the engagement partner’s responsibilities around leadership and project management (including assessing the engagement team’s competence and objectivity) more explicit.

The engagement partner needs to be adequately involved throughout the engagement to provide the engagement leadership required to achieve high-quality audits.

The diagram below illustrates how the engagement partner is responsible overall for managing and achieving quality through sufficient and appropriate involvement, such that the significant judgments made and the conclusions reached are appropriate given the nature and circumstances of the audit. This overall responsibility includes:

Fulfilling leadership responsibilities

This includes taking actions to create an environment for the engagement that emphasises the firm’s culture and the expected behaviour of engagement team members and assigning procedures, tasks or actions to other members of the engagement team.

Leadership must assign responsibilities to other engagement team members. The standard recognises that the engagement partner may assign procedures, tasks, or actions to other engagement team members to assist the engagement partner in complying with the requirements but must take overall responsibility for the engagement quality.

Supporting engagement performance

This includes taking responsibility for the nature, timing and extent of direction, supervision and review of the work performed.

New requirements require the engagement partner to review the financial statements and the auditor’s report before dating the auditor’s report and, prior to their issuance, to review formal written communications to management, those charged with governance, or regulatory authorities.

The engagement partner must review audit documentation relating to significant matters and other areas involving significant judgments. The partner should focus on complex or contentious matters identified during the engagement and the conclusions reached.

Standing back

The engagement partner must take overall responsibility for managing and achieving quality, including whether their involvement has been sufficient and appropriate throughout the engagement. The nature and circumstances of the engagement are taken into account, especially with significant judgements and conclusions reached.

Relevant Ethical Requirements

The standard has strengthened relevant ethical requirements and the engagement partner’s role in dealing with relevant ethical requirements. Accordingly, in addition to enhancing the extant requirements, ISA 220 (revised) includes requirements regarding:

• Understanding of the relevant ethical requirements and whether other members of the engagement team are aware of those requirements and the firm’s related policies or procedures;

• Threats to compliance with relevant ethical requirements; and

• Determining whether relevant ethical requirements, including those related to independence, have been fulfilled.

Engagement Resources

The engagement partner is responsible for determining that sufficient and appropriate resources are assigned or made available on a timely basis. They are responsible for taking appropriate action when the resources the firm provides for the engagement team’s audit engagement are insufficient or inappropriate.

The standard includes new application material detailing:

  • How human, technological, and intellectual resources may be used to support the performance of audit engagements.
  • How project management skills can help manage the quality of the audit engagement and the appropriate actions if the engagement partner determines that the resources are insufficient or inappropriate.

Examples of engagement resources the engagement partner can use to determine whether to depend on the firm’s related policies or procedures include:

• Information systems that monitor independence;

• Information systems that deal with acceptance and continuance of client relationships and audit engagements; and

• Audit methodologies and related implementation tools and guidance.

Firm-level responses

Some firm-level responses to quality risks are not performed at the engagement level but are nevertheless relevant when complying with the ISA’s requirements. For example, when determining whether the engagement team members collectively have the appropriate competence and capabilities to perform the audit engagement, the engagement partner should look at the firm’s policies or procedures dealing with personnel recruitment and professional training.

When determining whether they may depend on the firm’s policies or procedures in complying with the requirements, the engagement partner should take into account:

• Their knowledge or understanding of or practical experience with the firm’s policies or procedures.

• Information provided by the firm’s monitoring and remediation processes indicating which firm policies or procedures operate effectively. For example, based on the firm’s information, the engagement partner may depend on the firm’s technological development and maintenance programs when using firm-approved technology to perform audit procedures.

Project Management

Project management is a crucial part of the engagement, and the engagement partner should be actively involved or have a documented process outlining how it is delegated.

Some examples of how a firm may project manage:

• Increasing the engagement team’s ability to exercise professional scepticism through alleviating budget or time constraints that may otherwise impede the exercise of professional scepticism;

• Facilitating timely performance of audit work to more effectively manage time constraints at the end of the audit process when more complex or contentious matters may arise;

• Monitoring the progress of the audit against the audit plan, including the achievement of key milestones, which may assist the engagement team in being proactive in identifying the need for making timely adjustments to the audit plan and the assigned resources;

• Assisting the engagement partner in taking responsibility for the direction and supervision of engagement team members and the review of their work; or

• Coordinating arrangements with component auditors and auditor’s experts.

The relationship between ISA 220 (revised), PES 3 and PES 4

ISA 220 operates as part of the broader system of quality management established by PES 3. Under PES 3, the firm establishes quality objectives, identifies and assesses quality risks, and designs responses to address the quality risks concerning the components of the firm’s system of quality management. This can be achieved at the firm level or the engagement level, depending on its nature, circumstances, and engagement.

Accordingly, PES 3 requires the firm to communicate information to the engagement team about their responsibilities regarding the firm’s responses that require implementation at the engagement level.

ISA 220 and PES 3 align concerning monitoring and remediation. The engagement partner is responsible for dealing with the relevant aspects of the monitoring and remediation process. Communication by the firm includes the results of the monitoring and remediation process.

Furthermore, the requirement for the engagement partner and team to fully cooperate with the engagement quality reviewer is the linkage between ISA 220 and PES 4.

In summary

ISA 220 (revised) aims to implement a firm’s quality management system at the engagement level. In particular, the standard aims to ensure that the engagement partner is adequately involved throughout the engagement, and that the team has adequate supervision (project management), expertise (in-house or external) and resources to satisfy the level of quality developed by the firm in their quality control manual.

The communication between the team members and the firm’s management and governance will help ensure that a firm’s quality management is fit for purpose and applicable to actual engagements.

We hope this, our new Quality Control Tools and earlier articles will help you to hit the ground running when the new standards become active.