IFAC are currently in the process of updating ISA 315 - described as "the heart of the audit".
Note that the flowcharts are impossible to read in the webinar or in the downloadable slides. I suggest downloading the high definition versions from here. The flowcharts are quite helpful once you figure out the acronyms!
The overall approach doesn't really change from our current auditing practice, but there is some fine tuning to update some definitions and terminology - all fairly common sense stuff though.
The interesting area that the task force has particularly focussed on is scalability - how to adjust the requirements of the standard to work for tiny entities with few controls where substantive testing is a given - to huge entities where evaluating and testing controls is vital.
The new standard recognises that all entities, regardless of size, have some controls. Realistically though in a small job these will be limited, but the auditor is still required to look at the areas of vulnerability which are likely to be in the areas of control over journal entries and control over access to IT.
As most small entities use "off the shelf" software that cannot normally be changed the software itself isn't normally a risk - but who can access the software and potentially add, remove or change transactions.
When we update our templates for the new standard we will look at adding some specific guidance for smaller entities that reflects these options.
Special mention is given to "automated tools and techniques"- what used to be called CAATs. In it's basic form this is the ability to load up a large blob of data - say all sales transactions for a year - then to run queries against that to identify the high risk items that we should be looking at, or to provide indicators of whether some of the data could be fake or tampered with.
The standard recognises that many auditors use these techniques and specifically mentions them. Currently we don't have the facility to add large amounts or data into Audit Assistant for this kind of work, but suggest that users purchase something like TeamMate Analytics or use the advanced features in Excel, but we are currently considering how to provide these tools within Audit Assistant (possibly as an add-on).
Materiality and Risk
The proposed new standard also clarifies the relationship between risk assessment and materiality, recognising that some classes of transactions, account balances and disclosures (a.k.a. COTABD) may not be regarded as risky, but they are material. Fiona gave the example of Land owned long-term by an entity that does not change year by year. Risk is probably low but the balance is probably the most significant in terms of size in the accounts, so it cannot be overlooked.
The standard recognises, sensibly, that the auditor should consider classes of transactions, account balances and disclosures that are risky and/or material.
This maps on to our existing approach in Audit Assistant whereby we suggest that items tagged as "risk" should also include items that are significant because of their size.
If you want to join the discussion
The new standard will apply for periods beginning on or after 15 December 2020. The deadline for submissions is November 2, 2018.