Mr. J.M. SylphTechnical DirectorInternational Auditing and Assurance Standards BoardInternational Federation of Accountants535 Fifth Avenue, 26th FloorNew York 10017New YorkUSA

31 March 2003

Dear Mr. Sylph,

Response to IAASB Exposure Drafts: Amendment to ISA 200, “Objective and General Principles Governing an Audit of

Financial Statements” ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks

of Material Misstatement” ISA XX, “The Auditor’s Procedures in Response to Assessed Risks” ISA XX, “Audit Evidence”

We are writing in response to the invitation to comment on the Exposure Drafts of the above mentioned proposed new International Standards on Auditing. This response is made on behalf of PricewaterhouseCoopers worldwide.

Overall, we support the general direction of the proposed ISAs, and believe that they represent an appropriate response to recent changes in the business environment. However, we have identified below issues where, in our opinion, there is a need for greater clarity before finalising the new ISAs. In the appendices to this letter, we comment specifically on the issues identified in Appendix 3 of the explanatory memorandum, and provide more detailed comments on each of the drafts.

Understanding of internal control components

We are concerned that the work effort expected in the draft ISA “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement” with respect to obtaining an understanding of each of the five internal control components is not defined

PricewaterhouseCoopers LLP is a limited liability partnership registered in England with registered number OC303525. The registered office of PricewaterhouseCoopers LLP is 1 Embankment Place, London WC2N 6RH. All partners in PricewaterhouseCoopers UK Associates A are authorised to conduct business as agents of, and all contracts for services to clients are with, PricewaterhouseCoopers LLP.

PricewaterhouseCoopers LLPSouthwark Towers32 London Bridge StreetLondon SE1 9SYTelephone +44 (0) 20 7583 5000Facsimile +44 (0) 20 7822 4652

sufficiently clearly. In particular, as drafted, the proposed principles and guidance could be interpreted to direct a significant amount of the auditor’s attention to obtaining an understanding of all control procedures even when the auditor concludes that it is not appropriate, or effective, to obtain audit evidence from the effective operations of those controls. Is that what was intended?

The root of our concern rests in two areas of the proposed guidance. Firstly, we do not believe that, as currently drafted, the ISAs provide sufficient clarity on the scope of the controls for which an understanding is required, particularly with respect to control procedures. We are concerned that this lack of clarity could, in fact, misdirect audit effort by requiring the auditor to devote an unwarranted amount of attention on unimportant matters, and detracting attention from key issues. Secondly, we believe that the work required to understand internal controls – defined as requiring an evaluation of design and determining whether the controls have been implemented – requires further consideration. These points are discussed more fully below.

Scope of understanding of control proceduresParagraph 83 requires the auditor to obtain an understanding of control procedures “relevant to the audit”. Paragraph 57 defines controls relevant to the audit as those that individually or in combination with others are likely to prevent, or detect and correct, material misstatements of the financial statements. This sets rather broad parameters when considering all of the various control procedures that an entity would have in place. The explanatory guidance in paragraph 84 appears to seek to limit this requirement by allowing the auditor to consider knowledge about the presence or absence of control procedures obtained from considering other control components, but does not provide any real clarity in defining the extent of understanding that is required.

We believe that the proposed ISA needs to put in place appropriate boundaries for the scope of control procedures of which the auditor needs to obtain an understanding. We believe that paragraph 4 sets appropriate boundaries for the auditor’s understanding – an understanding that is sufficient to identify risks of material misstatement arising from any weaknesses in control, and sufficient to design and perform further audit procedures. But the proposed guidance on control procedures fails to show how those boundaries apply when the auditor is obtaining an understanding of control procedures.

The initial source of confusion in the proposed wording begins in paragraph 50, which requires the auditor to perform risk assessment procedures to obtain an understanding of the components of internal control, without modifying language to define the nature and extent of that understanding. We question whether there is a need for a bold lettered principle in paragraph 50, as paragraph 8 already establishes that the auditor needs to perform risk assessment procedures to obtain an understanding of internal control and there are separate bold lettered requirements for each of the control components. We would recommend that opening sentence in paragraph 50 be guidance rather than bold lettered, and modified by the same wording as is in paragraph 4 (“sufficient to assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures”). The bold lettered requirements

(2)

for each of the control components would define more precisely the expectations regarding the nature and extent of understanding for each component.

(3)

It would also be useful in these opening paragraphs on controls to clearly state that the scope of understanding of each of the control components that is appropriate will vary depending on the circumstances. This is alluded to in paragraphs 51 and 52, but only in an indirect manner. It would alleviate much of the concern if it was acknowledged at the outset that the level of understanding of controls that is needed to identify risks and plan further audit procedures will vary depending on the circumstances. We believe that more often than not, it will be at the control procedures level that the breadth and depth of understanding that is necessary will justifiably vary. It would be useful to set the stage by recognising that fact in these opening paragraphs.

It might also be useful in the opening paragraphs to explain that, because the objectives of the engagements are different, the understanding that the auditor needs of internal control for purposes of the financial statement audit is significantly less than that required in order to be able to express an opinion on the operating effectiveness of internal control. The distinction is discussed in the US Auditing Standard Board’s recently issued Exposure Draft, “Auditing an Entity’s Internal Control Over Financial Reporting in Conjunction With the Financial Statement Audit”, and IAASB might find some useful comparisons in that Exposure Draft.

Further clarity is also required in paragraphs 83 and 84 with respect to the expectations regarding control procedures. Paragraphs 104 and 110 set a baseline for the control procedures for which the auditor should evaluate the design and determine whether they have been implemented. We agree that it is important for the auditor to understand the design of the control procedures related to significant risks and to those risks for which, in the auditor’s judgment, it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures. We also believe that the auditor should obtain an understanding of control procedures sufficient to identify risks of material misstatement arising from any weaknesses in control, and sufficient to design and perform further audit procedures. But that understanding may not need to be extensive when it would be more effective and efficient to respond to risks of material misstatement using substantive procedures.

For example, if the auditor has assessed that the entity has a poor control environment, the auditor would appropriately conclude that little audit evidence can be obtained through controls and, therefore, focus further audit procedures on substantive tests. In such circumstances, we believe that the auditor would need only to gain a relatively broad understanding of control procedures related to the information system and related business processes (as discussed in paragraph 77) and the IT environment in order to plan effective substantive tests to respond to the risks of material misstatement. In other circumstances, the auditor might adopt a top-down approach to controls and conclude that a sufficient understanding has been obtained when the auditor is satisfied that a control would detect any misstatements that might have occurred as a result of a failure or weakness in more detailed control procedures at a lower level. Clearly if the auditor intends to use a particular control procedure or combination of procedures as evidence to support a particular financial statement assertion, the auditor would need to evaluate the design of

(4)

that control and be satisfied that it has been implemented. But we are not convinced that level of understanding is warranted for all control procedures in all circumstances and could, in fact, reduce the quality of the audit by detracting attention from key issues.

Therefore, we believe that some revision to paragraphs 83 and 84 is required to clarify the auditor’s responsibility to understand control procedures. This should reinforce the basic standard set out in paragraph 4 that the auditor’s understanding should be sufficient to assess risk and design and perform further audit procedures. In cases where the auditor is not seeking to rely on controls, the extent of understanding of control procedures to achieve this could be minimal, and would not need to extend to all “controls procedures relevant to the audit” as currently defined, and this should be recognised in the standard. To demonstrate how the work effort that is appropriate in the circumstances will vary, it would help to strengthen the link between control procedures and paragraphs 104 and 110 so that it is clear that, at a minimum, the auditor needs to obtain a solid understanding of the control procedures related to those risks. Having established that as a baseline, the guidance could subsequently contrast the work effort that is necessary for other control procedures, perhaps using the examples similar to those in the paragraph above.

Evaluation of design and implementationParagraph 53 explains that obtaining an understanding of internal control includes evaluating the design of a control and determining whether it has been implemented. It also explains the procedures that are necessary to gain this understanding, for example, inquiring of entity personnel and inspecting documents and reports. However, we believe these procedures could be more than is necessary in some circumstances to obtain an understanding of the design and implementation of controls in order to assess the risks of material misstatement and design and perform further audit procedures. In fact, the procedures may be more akin to those necessary when performing tests of operating effectiveness.

We believe that this requirement should be amended to make the approach practical on all audits, particularly those where the auditor gains assurance primarily from substantive tests. We are not convinced that the level of work effort needed to obtain a sufficient understanding of design of, in particular control procedures, needs to be extensive. One approach is that paragraph 53 (and certain other paragraphs) be amended to ensure that the procedures necessary to determine implementation are more focussed, providing a clearer distinction between understanding and tests of operating effectiveness.

Financial statement assertions

Generally, we agree with the focus on financial statement assertions within the ISAs, because it will help to ensure that auditors properly consider the different types of potential misstatements that may occur. However, we are concerned that the proposed categorisation of assertions into transactions/events, balances and presentation and disclosure is over-engineered. In practice auditors use evidence about assertions for transactions/events as part of their evidence about balances, and use evidence about assertions for

(5)

transactions/events and balances as part of their evidence in evaluating presentation and disclosure.

We believe, therefore, that some simplification of the assertions should be possible. One alternative would be to consider the categories to be cumulative, in the sense that the assurance obtained with respect to an account balance is dependent on the evidence obtained on the related transaction and event assertions. Thus, in obtaining sufficient appropriate evidence for the financial statements, the auditor obtains cumulatively sufficient appropriate evidence to support the assertions for, first, transactions and events, then account balances, and finally presentation and disclosure. If this model is accepted, it is not necessary to repeat, for example, completeness for both transactions and events, and account balances. The “cumulative assertion” model would look like:

Transactions and events§ Occurrence§ Completeness§ Accuracy§ Cutoff§ Classification

Account balances§ Existence§ Rights and obligations§ Valuation

Presentation and disclosure§ Completeness (or compliance with all required disclosure requirements)§ Transparency

We also believe that the occurrence assertion for classes of transactions and events should be modified to include the concept that the auditor is likely to be concerned principally with the transactions that give rise to the rights and obligations, for example in examining terms of sales contracts. This could be achieved by amending the definition of the occurrence assertion as follows: “the transactions and events giving rise to rights and obligations that have been recorded have occurred and pertain to the entity.”

Closing remarks

In conclusion, we would like to reiterate our support for this project. We recognise the significant effort involved in developing these proposed revisions to the core concepts underlying the audit of financial statements and commend IAASB for paving the way for greater international convergence by working jointly with the US Auditing Standards Board on this project. We believe that the new ISAs will prove to be a significant enhancement of the international auditing standards literature.

(6)

In finalising the ISAs, we encourage IAASB to consider the areas that we have identified where we believe that clarification is needed to ensure consistent interpretation and application of the new ISAs and our other suggestions for improving the structure and clarity of the drafts. Given that these audit risk standards will be the framework on which many of the other auditing standards are based for the foreseeable future and will be applied by auditors all around the world, it is important that the final ISAs are understandable and define sufficiently clearly what is expected of auditors.

Please contact either Diana Hillier (+44 (0)20 7804 0472) or Geoffrey Swales (+44 (0)20 7213 3350) if you would like to discuss any of these comments further.

Yours faithfully,

[Original signed and forwarded by post]

PricewaterhouseCoopers

(7)

Appendix 1

Comments on issues identified in Appendix 3 of the explanatory memorandum on which specific comment was invited

In relation to the audit of small entities, are there special audit considerations in applying the standards and guidance contained in proposed ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement” and proposed ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”?

Will the further guidance in Appendix 2 assist the auditor in understanding the components of internal control, including their application to small entities, or is there sufficient material in the ISA itself?

Generally, the additional material could be helpful to auditors in further understanding internal control, and therefore we welcome its inclusion. However, we believe that the main body of the standard is too detailed, and we recommend that Appendix 2 be expanded by the inclusion of some of the detailed material currently included in paragraphs 50 to 94. Some simplification should then be possible to eliminate any duplication.

The paragraphs relating to small entities are somewhat brief. There are special considerations in applying the standards and guidance to small entities. Although we believe that the standards are generally relevant to the audits of small entities, some limited additional guidance on how to apply them would be welcome. The IAASB states, in the explanatory memorandum, that an alternative would be to include additional guidance in the IAPS on small entities. We believe that if this is to have real value any revision to that IAPS to provide guidance on applying the new Risk Assessment ISAs should be issued at the same time as the final ISAs.

Is it appropriate for the ISA to specify a time period to limit the ability of the auditor to use audit evidence obtained in a prior audit?

It is helpful to set out a benchmark such as a three year period, and we believe that such a period is appropriate. However, we would prefer that the bold lettered requirement indicate that the auditor should consider whether it is appropriate to retest the controls in light of the fact that the longer the time elapsed since the controls were tested, the less audit evidence it provides about the effectiveness of the control in the current audit period. The guidance could then emphasise that the auditor would need to use professional judgement and knowledge of the entity’s circumstances, with the three year period being considered a rebuttable presumption as the appropriate time period.

(8)

Is it appropriate for the IAASB to establish detailed documentation requirements? Are the proposals practical? If not, what suggestions do you have for documentation that achieves the objective of improving compliance with standards?

We believe that it is appropriate for the IAASB to establish detailed documentation requirements, in order to eliminate inconsistencies in practice. Generally we believe that the proposals are practical, subject to our detailed comment elsewhere in this response. This may be one area, however, where guidance for auditors of smaller entities would be useful.

Other general comments

In recently issued ISAs (for example, ISA 240 and ISA 570), IAASB has included a section on the responsibilities of those charged with governance and management. It would be useful to similarly establish management’s responsibilities in the risk assessment process.

There is already discussion of management’s risk assessment process for identifying and responding to business risks in the proposed ISA “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”. But we believe that the discussion in paragraph 23 of ISA 200 could also be expanded to more fully describe management’s responsibilities for assessing the risk of misstatement and putting in place controls designed to prevent or to detect and correct any misstatements. Much of the guidance in paragraphs 10-12 of ISA 240 could serve as a basis for this guidance, which would have the benefit of enabling the section in ISA 240 to be rewritten so that it focussed more directly on management’s responsibility to prevent and detect fraud.

At the same time, since paragraph 23 is being amended, it would be useful to make sure that the wording of it is consistent with other ISAs. For example, it would also be useful to amend the current wording of management’s responsibility for the financial statements in ISA 200 to be consistent with ISA 580 by referring to management’s responsibility for the preparation and fair presentation of the financial statements in accordance with financial reporting framework.

(9)

Appendix 2

Detailed comments on proposed amendment to ISA 200, “Objective and General Principles Governing an Audit of Financial Statements”

Paragraph 12This is the first time that the term “business risks” is used in the ISAs, but it is not defined until paragraph 36 of proposed ISA “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”. It might be useful to cross reference the term, perhaps by way of footnote, to paragraph 36 since an appreciation of what business risks are is important to understanding of the points made in this paragraph.

Paragraph 17The final sentence in this paragraph needs to be clarified. Currently it explains that matters such as the knowledge, skill and ability of personnel assigned to the engagement are part of the auditor’s consideration of the risk of material misstatement. Whilst these might affect the auditor’s detection risk, they will not have an impact on either inherent or control risk, and consequently do not affect the risk of material misstatement.

Paragraph 21The definition of detection risk in this paragraph differs from the existing definition in ISA 400 in that it refers only to material misstatements and not to misstatements that could be material either individually or when aggregated with other misstatements. There appear to be differences in the auditing literature in various countries on this point when defining detection risk at the assertion level (for example, Section 5130.11 in the CICA Handbook and AU 312.27 in the US auditing literature). It will be important to ensure that the definition of detection risk in this ISA is appropriately aligned with the guidance on materiality and assessing misstatements in other ISAs to ensure that the concept is not lost that a misstatement could be material as a result of its aggregation with other misstatements.

Also, in the last sentence, we would suggest referring to an “acceptably low level” rather than a “negligible” level.

Paragraph 22The assertion in the second sentence that detection risk bears an inverse relationship to the assessment of the risk of material misstatement at an assertion level is true only for given levels of audit risk. Consequently, we suggest adding “for a given level of audit risk” at the end of that sentence.

(10)

Detailed comments on ISA XX, “Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement”

Paragraph 8Although undoubtedly unintentional, this requirement could be seen as requiring the auditor to perform all of these procedures for each of the categories of the auditor’s understanding of the entity and its environment, including each of the control components of internal control. Paragraph 53, on the other hand, says that obtaining audit evidence about the design and implementation of relevant controls may involve inquiry, observation and inspection, but that inquiry alone is not enough. We recommend amending paragraph 8 so that it is consistent with the principle in paragraph 53.

Paragraph 13There is a reference in this paragraph to a “walkthrough”. Although many auditors are likely to understand this term, it is not explained, and it is not referred to subsequently. We suggest that either the term is deleted from this paragraph, or alternatively it is defined here, and used subsequently when discussing in more detail the procedures necessary to gain an understanding of the design and implementation of controls.

Paragraph 41In the second sentence, it will be helpful to refer to the “entity’s risk assessment process” to clearly differentiate it from the auditor’s risk assessment.

Paragraph 42The reference to “is appropriate to the circumstances” should be clarified. In a small entity, management’s risk assessment process is likely to be very informal, which may be appropriate to the entity’s circumstances but as a result may be of limited assistance to the auditor. This is another area where guidance for auditors of smaller entities would be useful, particularly with respect to the documentation requirements.

Paragraph 43The auditor will only be concerned with business risks that have an impact on the audit. For the avoidance of doubt, this paragraph should explain that the auditor is not expected to broaden the scope of the audit to wider business risks in relation to reporting on the entity’s risk assessment process – unless, of course, the auditor has additional responsibilities that are imposed by law or regulation beyond the expressing an opinion on the financial statements.

Paragraph 54The assertion made in this paragraph is not explained or supported. We would suggest that either further explanation of the point is made in this paragraph, or simply delete paragraph 54 and leave the explanation of this point to ISA XX, “The Auditor’s Procedures in Response to Assessed Risks” where it is discussed more fully in paragraphs 24 and 25.

(11)

Paragraphs 59/60Examples are given in both paragraphs of controls that would generally not be relevant to a financial statement audit. We believe that there is a need for greater clarity on controls relevant to the audit, but equally the ISA should recognise that whether or not controls are relevant to a financial statement audit will depend on the entity’s circumstances, and consequently the auditor will need to use professional judgement. In an entity where there is a high degree of integration between operational and financial data, the auditor may conclude that operational controls can provide some evidence of the reliability of financial information and consequently those controls will be relevant to the audit.

Paragraph 83We suggest that the term “control activities” is used in place of “control procedures”. The definition of control procedures includes “policies and procedures”, and therefore a broader term such as “activities” is appropriate. This is consistent with the terminology used in the COSO internal control framework. This will affect not only paragraph 83, but also other paragraphs where there is reference to “control procedures”.

The examples of segregation of duties are not particularly helpful because, for example, the reference to “approval and control of documents” is too brief to provide a clear understanding of the purpose of the control. The explanation in Appendix 2 is clearer.

Paragraph 84The penultimate sentence refers to asset accountability. This term needs further explanation, as it is not in general use.

Paragraph 88The last line as currently drafted reads incorrectly: “security of the data such systems process”.

Paragraphs 91/92Based on the material in the drafts, auditors are likely to find it difficult to distinguish between control procedures and monitoring of controls. For example, paragraph 91 states that management’s review of whether the bank reconciliations have been prepared on a timely basis is “monitoring of control”, whereas reviewing and approving reconciliations is included in paragraph 83 as a control procedure. Similarly paragraph 92 describes using information from external parties in order to assess whether or not there are problems within the entity that need improvement as an example of monitoring of controls. This could also be considered a control procedure, as could the example in paragraph 18 of Appendix 2 referring to the sales managers’ activities.

Because auditors are required to consider each component of control, it is important that the standard provides clear guidance on the nature of each component, and therefore we believe some revision to these examples is necessary.

(12)

Paragraph 98This paragraph states that the nature of risks arising from a weak control environment is such that they are not likely to be related to specific risks in classes of transactions, account balances or disclosures. However, in some cases, this will be possible and will enable the auditor to focus audit procedures on the risks. For example, if there is a concern about management’s estimates, the auditor will pay particular attention to where estimates apply to specific classes of transactions, account balances or disclosures.

Paragraph 110We found that a number of people reviewing the Exposure Drafts, particularly those whose first language is not English, had difficulty understanding the category of risks that are defined in this paragraph and also in paragraph 23 of the proposed ISA “The Auditor’s Procedures in Response to Assessed Risks.” Although it may be departing from the style in the Exposure Draft, it would be useful to move paragraph 112 to precede paragraph 110 as it more clearly explains the circumstances that paragraph 110 is addressing.

Paragraph 117Paragraph (d) requires further clarification in relation to the extent of the documentation of risk assessment required. For example, it could be interpreted as requiring the auditor to record whether or not the risk assessment procedures have identified risks of material misstatement for all assertions. Alternatively, it could be interpreted as requiring only significant risks to be recorded, together with the audit procedures which the auditor determines necessary as a result of the risk assessment procedures. We believe that the latter is the appropriate requirement.

Appendix 2

In paragraph 14, the comma should be deleted in the second sentence.

The final bullet point in paragraph 15 should read “..in the normal course of their duties”, and not “…auditor’s duties”.

(13)

Detailed comments on ISA XX, “The Auditor’s Procedures in Response to Assessed Risks”

Paragraphs 5/8The bold statements in these paragraphs repeat the bold statement in paragraph 3, and this repetition seems unnecessary. The bold statements could be removed from these paragraphs so that they contain only explanatory material to support the requirement in paragraph 3.

Paragraph 5Further guidance is needed on how, in practice, to incorporate “additional elements of unpredictability” in the selection of further audit procedures.

Paragraph 13The reference to obtaining evidence about the accuracy and completeness of the information should be broadened, for example by referring to the reliability, or quality, of the information.

Paragraph 22It would be useful to foreshadow in the guidance in this paragraph that, as discussed in 36 and 38, audit evidence obtained in previous periods may provide relevant audit evidence regarding the operating effectiveness of controls in the current period. Otherwise, there is a risk that the wording of the bold lettered requirement in this paragraph could be interpreted to contradict that point.

Paragraph 23As noted above in regard to paragraph 110, a number of people reviewing the Exposure Drafts, particularly those whose first language is not English, had difficulty understanding this category of risks. Although there is a cross-reference to paragraph 110, that discussion of this category of risks is in another ISA. It might be easier to understand this category of risks in this ISA if this paragraph referred to circumstances when the auditor has determined that it is necessary to obtain audit evidence about the operating effectiveness of certain controls in order to reduce the risks of material misstatement at the assertion level to an acceptably low level.

Paragraph 24This paragraph states that testing the operating effectiveness of controls is different from obtaining audit evidence that controls have been implemented. However, as explained in our earlier comments, we believe that the distinction between the two is not sufficiently clear in the Exposure Drafts, and that the extent of work required in relation to assessing implementation may not need to be extensive.

Paragraph 26This paragraph states: “Tests of …controls ordinarily include those procedures used to evaluate the design of controls and determine whether they have been implemented, and

(14)

also includes reperformance of the application of the control by the auditor.” It is unclear whether this is intended to mean that procedures ordinarily include reperformance, or merely that reperformance is a method of testing controls. If it is the former, we do not believe this to be appropriate because reperformance may not always be practicable and generally the auditor should be able to obtain sufficient evidence from inquiry combined with other procedures such as inspection of documents. Note that paragraph 36 does not include reference to reperformance.

Paragraph 34This paragraph explains that evidence about the operating effectiveness of controls may be obtained from substantive procedures performed with regard to the remaining period. This statement should be clarified in the light of paragraph 30, which states that the absence of misstatements detected by a substantive procedure does not imply that controls related to the assertion being tested are effective. We assume that the results of substantive testing would provide at least some limited assurance.

Paragraph 36The bold lettered requirement in this paragraph suggests that the auditor would need to use a combination of procedures to confirm the understanding of the specific controls, yet the example given later in the paragraph refers to only one procedure. This seems to be contradictory.

Paragraph 39Some further guidance is needed to support the proposed standard that the auditor should test the operating effectiveness of some controls in each audit. In particular, we believe that the explanatory material should acknowledge that it is acceptable for the auditor to rotate tests of operating effectiveness among key transaction processing systems, business processes or cycles where appropriate (taking into account materiality and that the system has not changed, and that the auditor is not relying on the relevant controls to mitigate key risks).

Paragraph 40This requires the auditor to obtain all audit evidence about the operating effectiveness of controls from tests of controls performed in the current period, but there is no reference to the matters the auditor considers in determining the extent of testing required. Therefore, it is not clear whether the auditor is allowed to use knowledge from prior audits in determining the extent of evidence needed in the current year. It would seem reasonable to allow this, but then the auditor would be, in a sense, using evidence about operating effectiveness obtained from prior years, which could be considered to be counter to the proposed standard. It would be useful to provide some guidance on matters the auditor would consider in determining the extent of testing, and refer to knowledge from prior audits as one of those sources.

Paragraph 45The final sentence states: “For significant risks, it is not likely that audit evidence obtained from substantive analytical procedures alone will be sufficient.” If this is intended to relate

(15)

to cases where the auditor relies solely on substantive procedures, it is unnecessary because the earlier part of the paragraph already states that tests of details are required. If it is intended to apply to instances where the auditor tests controls over significant risks, we do not believe this to be appropriate. Depending on the circumstances, where the auditor relies on controls, substantive analytical procedures could suffice without tests of details. We suggest that the final sentence is deleted.

Paragraph 52Paragraphs 50 and 51 recognise that tests of controls are relevant to gaining assurance over the remaining period, but paragraph 52 refers to substantive testing only. Accordingly, paragraph 52 should be expanded to add reference to tests of controls.

Paragraph 56This paragraph states that the extent of testing is ordinarily thought of in terms of sample size. It should point out that there are other aspects to determining the extent of tests of details, for example the auditor may be able to target substantive testing to large or unusual items rather than perform representative sampling.

(16)

Detailed comments on ISA XX, “Audit Evidence”

Paragraph 3Audit evidence is described as including the entity’s accounting records. We recommend that this be amended to refer to the “information contained in accounting records”, as this would be more consistent with the rest of the wording of the paragraph.

Paragraph 9The example referring to the collection of accounts receivable may cause some confusion between the assertions for transactions and for balances. It refers to evidence regarding existence and valuation (balances) but not necessarily period end cut-offs (transactions).

In addition, the word “examination” should be replaced by “tests”, consistent with IAASB’s agreed use of terms.

Paragraph 12While not disagreeing with the point being made in this paragraph, we question whether corroborating evidence changes the reliability of the evidence it supports, but rather whether it increases the assurance the auditor obtains for the assertions that evidence supports.

Paragraphs 22 to 32Although the paragraphs describing individual types of test are helpful, this guidance also needs to explain how they can work in combination, particularly in relation to evaluating design and implementation or testing the operating effectiveness of the controls. Paragraph 31 explains that inquiry alone will not ordinarily provide sufficient evidence, but inquiry combined with corroboration, referred to in paragraph 32, will often be sufficient.

Paragraph 27References to basic inquiry skills such as “asking clear, concise and relevant questions” and “listening actively and effectively” are unnecessary in an auditing standard, and therefore much of this paragraph should be deleted.

Paragraph 33This should explain that confirmations can be written or oral, and the former provides more reliable audit evidence.

(17)