20 April 2022

The second key concept in ISA 315 relates to the requirement in ISA 200 para 15 to “…plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the financial statements to be materially misstated” and para 16 to “exercise professional judgement in planning and performing an audit of financial statements.”

These should be familiar concepts to auditors, however, familiarity does not mean that the concepts are easy to learn or maintain.


An easy way to explain scepticism is from our NZ popular culture – the famous Tui billboards. They were generally based on an assertion made by someone – then mocked with a sceptical “yeah right” – a good concept to keep in mind when the client is telling us a story (though probably unwise to verbalise):

Like a good journalist interviewing a politician, we cannot take claims at face value without evidence, especially if there is a reason why it might be beneficial for the interviewee to present a biased slant on the truth.

The standard gives some helpful tips for applying professional scepticism in para A13, including encouraging the auditor to:

  • Question contradictory information and the reliability of documents;
  • Consider responses to enquiries and other information obtained from the client;
  • Remain alert to conditions that may indicate possible misstatement due to fraud or error; and
  • Consider how the audit evidence obtained supports our identification and assessment of RoMM.

Confirmation bias

Paragraph 13 reminds us that when designing and performing risk assessment procedures we must not bias our work toward obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory. This takes some thought, as we are caught between time constraints (pushing us towards getting the answer quickly) vs. professional curiosity and thoroughness which may be necessary if something doesn’t quite sit right.

Many audit failures are the result of falling for confirmation bias. As per the American Psychological Association, Confirmation Bias is the tendency to look for information that supports, rather than rejects, one’s preconceptions, typically by interpreting evidence to confirm existing beliefs while rejecting or ignoring any conflicting data.

We mostly instinctively see the evidence that supports our presuppositions about the client, and ignore evidence that falls outside of our existing beliefs about them. In fact, it is very difficult not to do this when we are close to the client and involved in the details of the job. It is the reason we have auditor rotation and review of our work.

To counter bias the standard recommends comparing evidence from multiple sources. Para A15 lists these as:

  • Interactions with management, those charged with governance, and other key entity personnel.
  • External parties such as regulators.
  • Publicly available information about the entity.

Professional judgement

ISA 200 para A26 tells us that: “The distinguishing feature of the professional judgement expected of an auditor is that it is exercised by an auditor whose training, knowledge and experience have assisted in developing the necessary competencies to achieve reasonable judgements.”

The experienced auditor will develop a nose for things that don’t add up, just like the good investigative journalist. I have confirmed with many auditors the immense value of just sitting in the client’s tea-room and chatting with the staff (not so easy during COVID restrictions). This isn’t just about finding out surprising facts but assessing the tone of the client.

Brain science confirms that having a ‘hunch’ or a ‘bad feeling’ is often a reliable indicator that we should investigate a bit deeper. Our right-brain function is constantly scanning our environment and we pick up complex patterns and human interactions that alert us that something isn’t quite right. The right brain works much faster than the more cognitive left brain, so we are aware of things emotionally and physically before we really have time to think about them and process them cognitively. So a good auditor learns to use all of their brain.

ISA 315 para 17 also emphasises the importance of the whole team being involved in planning and looking for risks. In a team, even the newest member may think of something that the more experienced have missed. Everybody has different experiences, skills and perceptions to bring to the table. So a good auditor also uses the brains of all their team!

<< previous article next article >>

11 April 2022

ISA (NZ) 315 (Revised 2019) applies for audits of financial statements for periods beginning on or after 15 December 2021. To prepare for it we are producing a series of articles, and we are updating our content and our risk identification and assessment process to better suit the new standard.

The standard starts with a series of key concepts. These are useful to get the drift of the standard. Most of these are basic auditing but they provide great revision and help to break risk assessment down in a way that hopefully makes sense.

Key Concept 1 – Audit Risk

Paragraph 2 of the new standard references the requirement in ISA (NZ) 200 that audit risk be reduced to an acceptably low level by obtaining sufficient appropriate audit evidence.

Audit risk sounds simple at first glance but can quickly turn nasty once we start trying to define and understand how it actually works. This is where we must start using some acronyms and abbreviations (much as I hate them).

Audit Risk (AR) is described as a function of Risk of Material Misstatement (RoMM) and Detection Risk (DR). RoMM may exist on two levels – the financial statement level and the assertion level. RoMM consists of two components: Inherent Risk and Control Risk (para 4). The whole objective of the audit (per para 11) is to identify and assess the RoMM, so that we can use this as a basis for designing and implementing responses to the assessed RoMM.

If you are like me, its easy to go a bit like this around this point:

The key is to understand the meaning behind AR = RoMM x DR.

AR must be reduced to an “acceptably low” level. So let’s break down the rest of this.

First, what is material misstatement? ISA (NZ) 320 (2) says: “Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.”

You could say in the context of the audit material things are what we care about; things that make the financial statements not just wrong but misleadingly so.

So, risk of material misstatement (RoMM) is a weak point that could lead to us missing something big and important in our work and so failing in our task.

We identify a weak point, we think about the likelihood of it being wrong or producing wrong results, and we consider the potential impact on the financial statements if the worst-case scenario were to emerge. We identify, describe and assess the RoMM.

Second, what about the Financial Statement level and Assertion level? This is easily enough understood as either that which will impact the financial statements as a whole (financial statement level) or that which is more granular, relating to classes of transactions, account balances and disclosures (assertion level).

In plain English an assertion is defined as: 

“A confident and forceful statement of fact or belief” (Oxford Dictionary).

The Collins English dictionary goes further and says:

“A positive statement, usually made without an attempt at furnishing evidence.”

Paragraph A190 lists assertions as things like Occurrence, Completeness, Accuracy, Cutoff, Classification, Presentation, Existence, Rights and Obligations, Valuation and Allocation.

Our job is to assess whether the assertion being made is important (i.e. material) enough for us to look for evidence that it is actually true.

For example, if the preparers of the financial statements are confidently and forcefully stating that say, certain inventory is owned by them, exists and is valued at a certain amount, we as auditors are required to assess whether the balance (or potential for error) is material and if it is, whether their confidence and force in making these claims are justified by looking for evidence using suitable procedures that respond to the risk.

We will consider how these responses work later.

Making Audit Risk (AR) acceptable is like us saying whether it is possible, given the RoMMs we have identified, to design suitable audit responses to be comfortable that we have found evidence to support the assertions.

If we can’t do that we should either not accept the engagement at all, disclaim the audit report if it is too late, or modify the report if we can ring-fence the uncertainty to certain categories.

next article >>