comment letter - final-1 - ifac · 3"" isa315(revised)andisa610(revised)" the...

1 ISA 315(Revised) and ISA 610(Revised)

HUNTER COLLEGE www.hunter.cuny.edu

November 8, 2010 Hunter College Graduate Program Economics Department 695 Park Avenue New York, NY 10065 Technical Director The International Federation of Accountants 545 Fifth Avenue, 14th Floor New York, New York 10017 USA Re: ISA 315(Revised): Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, and ISA 610(Revised): Using the Work of Internal Auditors

To Whom It May Concern:

The Advanced Auditing class (Eco 775) at Hunter College, Graduate Program in

Accounting in New York City appreciates the opportunity to comment on the above

exposure draft.

We discussed the proposed revisions to the drafts in class and our comments are

below. If you would like further discussion with us, please contact Professor Joseph A.

Maffia at 212-792-6300 extension 404.

Sincerely,

Professor Joseph A. Maffia


Hunter College Graduate Program in Accounting Economics Department

Advanced Auditing Class – Eco 775

Comments to the International Auditing and Assurance Standards Board (IAASB) on

ISA 315(Revised): Identifying and Assessing the Risks of Material Misstatement through

Understanding the Entity and Its Environment, and ISA 610(Revised): Using the Work of

Internal Auditors

November 8th, 2010

Principal drafters Ji Li

Emily Tonge Wendy Padilla Uzma Amanat Weining Peng

Maurice Redhead Hunter College Advanced Auditing Class

Acosta, Jenny Noorani, Ashraf Amanat, Uzma Padilla, Wendy Borrero, Cindy Pande, Mangala Gaur Ercetin, Secil Peng, Weining Grueniger, Christine Rafickrullah, Calvin Hoshino, Kozue Redhead, Maurice Johnson, Tiffany Rezk, Monika Kekic, Eldar Sanderson, Timothy Kenny, John Seo, Hyunseok Kitahata, Akina Shafiq, Shahrin Lee, Sun Jeong Siwka, Agnieszka Li, Ji Spikes, Hasea Liang, Li Su, Mao Malik, Mahvash Tamimu, Ali Narinesingh, Arielle Tonge, Emily Navarrete, Daisy Tung, Henry Newcombe, Jonathan Waxman, Michael

Professor Joseph A. Maffia, CPA


The Advanced Auditing class at Hunter College has reviewed ISA 315 (Revised) and

ISA 610 (Revised) and offers the following comments for consideration by the IAASB.

Our responses are based in part on the request for specific comments from

respondents. We have also listed some general comments for consideration. We begin

with our responses to questions asked by the IAASB in its request for specific

comments from respondents.

1. Do respondents believe it is appropriate to require the external auditor to

make inquiries of appropriate individuals within the internal audit function?

If so, do respondents agree such a requirement is appropriately placed in

ISA 315?

Yes, we believe that it is appropriate for the External auditor to make inquiries of

appropriate individuals within the internal audit function. One of the main

elements of the audit process is for the External auditor to obtain an

understanding of the client and its environment, and one of the ways in which the

auditor can execute this requirement is by making inquiries of management and

others within the entity. This will further assist the External auditor in assessing

risks of material misstatement arising from fraud or error, and can also assist in

planning appropriate audit procedures. However, when evaluating the

information provided by the appropriate individuals within the company

concerning the internal audit function, the external auditor should apply

professional skepticism at all times. By applying professional skepticism the

external auditor should not assume that management is honest or dishonest; the

auditor is required to gather and objectively evaluate required audit evidence and

determine the sufficiency of the evidence. However, AU Section 230.04 mentions

that the external auditor is responsible for conducting an audit with due

professional care. This includes having a questioning mind and performing a

critical assessment of the audit evidence.


The requirement is appropriately placed in ISA 315. This extant pertains to

Identifying and Assessing the Risks of Material Misstatement through

Understanding the Entity and Its Environment, which parallels with the intent of

making inquiries of appropriate individuals within the internal audit function. In

fact the risk assessment process in SAS no. 1091 lists inquiries as one of the

procedures for the external auditor to consider as a risk assessment tool.

2. Do respondents believe that appropriate factors have been proposed to be

evaluated by the external auditor in determining:

a. Whether the work of the internal audit function can be used for

purposes of the audit engagement; and

b. The planned use of the work of the internal audit function

Yes, we believe that appropriate factors have been proposed for the external

auditor to determine whether the work of the internal audit function can be used

for purposes of the audit engagement. We are concerned however about the use

of the terms level of objectivity, level of competence, and systematic disciplined

approach. In addition, IAASB explained that the external auditor should assess

whether objectivity and competence are low or high in order to determine

whether to use the work of the internal audit function. Before proceeding to this

point, the terms should be defined using clear language. SAS 1072 identifies

incompetent management with financial statement level of risk. Hence, the

auditor’s ability to assess competence using clearly defined guidelines is crucial

because it relates directly to assessing fraud. We propose the following changes

to A6 on page 31 of the exposure draft:

Assessing low or high objectivity and competence are vague, so we recommend

that IAASB provide a more definitive way in which to assess the various levels of

1 AU 325, paragraphs .17 -‐ .18 and AU 316, paragraphs .08 2 AU 316, paragraphs .28 -‐ .41


objectivity and competence. Simply stating that a low degree of objectivity or

competence is not acceptable, or vice versa is not sufficient guidance for the

external auditor to consider when determining whether to use the internal audit

function of an entity.

We propose:

The use of a point system by the external auditor in analyzing each of these

factors to determine the accepted levels of objectivity and competence. The

external auditor would assign the points using the factors outlined on page 31,

under A6. The auditor would then determine, based on the points that the client

receives, whether the level of objectivity and competence are sufficient for the

external auditor to consider when determining whether to use the internal audit

function of the entity.

We also believe that appropriate factors have been proposed for the external

auditor to determine the planned use of the work of the internal audit function.

The factors outlined will allow the external auditor to evaluate and compare the

relevance of the work of the internal audit function to the audit. In addition,

deficiencies within the audit function are likely to be detected during the planning

stage of the audit, which allows the external auditor to determine whether using

the work of the internal audit function would be beneficial to the audit.

3. Do respondents believe it is appropriate to require the external auditor to

read reports produced by the internal audit function relating to the work of

the internal audit function that is planned to be used by the external

auditor?

Yes, we believe that it is appropriate for the external auditor to read reports that

pertain to the internal audit function that is planned to be used by the auditor;

doing so can possibly assist the auditor in conducting less testing since the

auditor will likely be learning more about the entity and may also obtain answers

to some of the planned audit procedures to be carried out during the audit.


4. Do respondents believe that it is desirable for the scope of ISA 610 to be

expanded to address the matter of direct assistance? If so, do respondents

believe that when obtaining the direct assistance of internal auditors the

external auditor should be required to:

a. Consider the factors that have been proposed in determining the

work that may be assigned to individual internal auditors; and

b. Direct, supervise, and review the audit procedures performed by the

internal auditors in a way that recognizes they are not independent

of the entity?

Yes, we believe that it is desirable for ISA 610 to be expanded to address the

matter of direct assistance. It will assist the external auditor in understanding the

entity, in matters such as the organizational structure of the company. Having

knowledge of the entity will further assist the external auditor in evaluating

appropriate areas in the audit process in which to use the direct assistance of

internal auditors. If direct assistance is considered, the audit may be cost-

effective because internal auditors will perform certain tasks and the auditor will

direct, supervise and review them.

We propose the following revision to ISA 610 Para A18, specifically bullet point

number 2:

The procedures the external auditor may perform to appraise the quality of the

work performed and the conclusions reached by the internal audit function

include the following:

* Re-performing some of the work of the internal audit function, especially work

that require judgment by the internal auditor in planning, performing and evaluating the audit procedures.


Yes, we also believe that the external auditor should be required to consider the

proposed factors for assigning work to internal auditors. This will assist the

external auditor in determining the nature and scope of the work that the internal

auditor performs. This is particularly important to consider when the external

auditor examines areas within the internal audit function that require judgment on

the part of the internal auditor. It is imperative for the external auditor to be

independent of the entity at all times in fact and appearance and as such, the

auditor should apply this premise when assigning work to internal auditors when

direct assistance is considered.

6. Respondents are asked to comment whether, in their opinion, guidance

addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations.

No, we do not think that it is necessary to issue guidance to address special

considerations for audits on smaller entities. Smaller entities typically do not have

an internal audit function. Therefore, the external auditor will be required to

perform all audit tasks and so special considerations are not necessary for audits

of smaller entities.

General Comments:

In order to add clarity we suggest the following format changes. On page 31, A5,

we recommend separating the degree of objectivity and level of competence

sections into two. In addition, the factors associated with each term should

immediately follow each section. For example:

Objectivity refers to the ability to perform those tasks without allowing bias, conflict of interest or undue influence of others to override professional judgments. Factors that may affect the external auditor’s determination of objectivity include the following:

Then list the 5 factors


After which the information for competence follows:

Competence refers to the attainment and maintenance of knowledge and skills at the level required to enable assigned tasks to be performed diligently and in accordance with applicable professional standards. Factors that may affect the external auditor’s determination include the following:

Then list the 3 factors

Our ref: ICAEW Rep 119/10 Mr James Gunn Technical Director International Auditing and Assurance Standards Board 545 Fifth Avenue, 14th Floor New York, NY 10017 USA 29 October 2010 Dear James IAASB ED: ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatements through Understanding the Entity and its Environment, ISA 610 (Revised), Using the Work of Internal Auditors The ICAEW welcomes the opportunity to comment on the IAASB Exposure Drafts on internal audit published in July 2010. The ICAEW operates under a Royal Charter, working in the public interest. Its regulation of its members, in particular its responsibilities in respect of auditors, is overseen by the Financial Reporting Council. As a world leading professional accountancy body, we provide leadership and practical support to over 134,000 members in more than 160 countries, working with governments, regulators and industry in order to ensure the highest standards are maintained. We are a founding member of the Global Accounting Alliance with over 775,000 members worldwide. We welcome these proposals which have been considered by, among others, our Internal Audit Committee whose members include heads of internal audit in a number of major UK companies, and our Technical and Practical Auditing Committee. The observations of these committees are reflected in our main comments, answers to IAASB’s detailed questions and other comments which are set out below. Please contact me should you wish to discuss any of the points raised in this response. Yours sincerely

Katharine E Bagshaw FCA Manager, Auditing Standards ICAEW Audit and Assurance Faculty T + 44 (0)20 7920 8708 F + 44 (0)20 7920 8754 E: [email protected]

The Institute of Chartered Accountants in England and Wales T +44 (0)20 7920 8100 Chartered Accountants’ Hall F +44 (0)20 7920 0547 Moorgate Place London EC2R 6EA UK DX 877 London/City icaew.com

mailto:[email protected]

Main Comments We welcome the objectives of these proposed revisions which address how the knowledge and findings of internal audit can be leveraged by external auditors to increase audit effectiveness. Potential undue reliance on internal audit is dealt with by establishing a more robust framework for external auditors’ judgements. Clarifying procedures that are always required under ISA 315, those that are only required when external auditors expect to use the work of internal audit and addressing direct assistance all help eliminate ambiguity. Clarifying expected communications with internal audit and how such communications can enhance the risk assessment process is also helpful. We encourage IAASB to consider how the revised ISA might still better reflect the more sophisticated, broad-ranging and diverse roles now undertaken by internal audit and emphasise the benefits this can bring to the internal-external auditor relationship. The need for external auditors to exercise caution in relying on internal audit should be balanced with references to how the effective use of, and co-operation with, internal audit can enhance audit quality and efficiency. For example, reference, or greater reference might be made: • to the fact that the work of internal audit is more likely to be of considerable use to external audit in

sectors such as the retail sector, because of the nature of the work that may be routinely performed by internal audit or similar functions in those sectors;

• by way of footnote or in the application material to the International Standards for the Professional

Practice of Internal Auditing as a benchmark when conducting assessments of internal audit; • to the direct reporting lines between internal audit and the audit committee under many codes of

governance, and to the relevance of the external auditor’s assessment of internal audit to the audit committee, particularly in the public sector.

It may also be helpful for the final standard to note that external auditors should recognise that:

• the quality of internal audit work varies greatly from entity to entity;

• each case should be assessed on its merits;

• internal audit now often occupies a role more central business than it used to; and

• internal auditors are often highly qualified and very experienced.

Direct assistance is a thorny area and we are mindful of the difficulties in drafting associated material. On balance, we believe that the standard should deal with direct assistance because it is increasingly common in a number of jurisdictions. It is critical that the standard (a) emphasises the importance of local and IAASB ethical requirements when determining whether internal auditors are objective and (b) recognises that internal auditors who are members of professional bodies are likely to be obliged by their own professional rules to be objective.

For integrated audits, the PCAOB’s Auditing Standard No 5 An Audit of Internal Control over Financial Reporting that is Integrated with an Audit of Financial Statements notes that the higher the degree of competence and objectivity of the internal auditors, the greater use the external auditor may make of their work. It also notes that the extent to which the external auditor may use the work of others also depends on the risks associated with the controls being tested. As the risk associated with a control increases, the need for the external auditor to perform his or her own work on the control increases. This need for a high level of involvement in some cases might be emphasised in the IAASB standard by

moving some of the descriptive material in paragraph A7 (which refers to the correlation between objectivity and competence on the one hand, and the ability of the external auditor to rely on internal work on the other) to the requirements section.

The final standard should also recognise that while one of the purposes of internal-external auditor relations is efficiency, the use of internal audit work by external auditors does not necessarily reduce costs, particularly if unexpected issues arise with the alignment of internal and external auditor work. Expectations of cost savings arising from potential synergies need to be managed. Where there is a total budget for internal and external audit, internal audit assistance for external audit either directly or indirectly may have an impact on the work and operations of internal audit which may be focussed on critical non-financial areas of the business. The final standard should recognise that the view of the audit committee on the efficient allocation of audit resource may be particularly relevant where internal audit does not spend much time on financial audit. These matters might be dealt with in the material dealing with decisions on if, when and how to use the work of internal audit, in the impact assessment or in any rubric accompanying the issue of the standard. It is noticeable that the proposals focus heavily on the process aspects of internal audit and only make passing references to the absolute quality of internal audit work. It would be helpful for the proposals to recognise that external auditors should be mindful of the fact that high quality internal audit processes do not always guarantee high quality work, and that external auditors should have due regard to the quality of internal audit work irrespective of process.

Answers to IAASB’s Specific Questions 1. Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315? Yes. The requirement to make inquiries of the internal audit function as well as management and others within the entity as part of risk assessment is helpful. 2. Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: (a) Whether the work of the internal audit function can be used for purposes of the audit engagement; and (b) The planned use of the work of the internal audit function? Yes, appropriate factors have been proposed in determining whether and how the work of the internal audit function can be used, but ISA 315 or ISA 610 should recognise that while the focus of the ISA is on internal control over financial reporting, many internal audit departments, at least in larger listed companies, may focus on other areas more central to the operations of the business. We note the absence of references to the International Standards for the Professional Practice of Internal Auditing set by the Institute of Internal Auditors (IIA) and are aware of the need not to create confusion over the respective status of IAASB and IIA standards. Some such standards are particularly relevant in areas such as the evaluation of the internal audit function. Reference might be made to authoritative guidance for internal auditors in the application material and give IIA standards as an example. 3. Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor? Of course it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that the external auditor plans to use. Planning documents will almost always be particularly relevant. External auditors need not however restrict themselves to reading reports on internal controls over financial reporting and they may wish to develop

a wider view of the quality of the company’s overall controls and control environment and culture by reading other reports such as recommendations in non-financial areas, and management responses to internal audit findings, particularly where such matters are reflected in the financial statements. 4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to: (a) Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and (b) Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity? Yes, ISA 610 should deal with direct assistance. Where external audit decides it can use the work of internal audit, in whatever way, there are implications for the resources, scope and output of the internal audit function and such matters need to be agreed between the external audit partner, the audit committee and the head of internal audit early in the year (paragraph 17 or A14-15). IIA standards are relevant in this area. 5. Public Interest Concerns—Respondents are asked to address whether there are any public interest concerns that have not been addressed. We are not aware of any such interests that have not been addressed. 6. Special Considerations in the Audit of Smaller Entities—Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations. As noted in our main comments above, it is important to recognise that the quality of internal audit varies greatly and where resources for internal audit are limited, the external auditor may not be able to use the work of internal audit or be directly assisted by internal auditors. 7. Special Considerations in the Audit of Public Sector Entities—Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs. Yes, special considerations in the audit of public sector entities have been dealt with appropriately. The risk based approach to audit applies equally in the public and private sectors and there are insufficient systematic differences in the specifics of the risk environment to warrant comment in the ISA. It might also be helpful, as noted above, for the standard to refer to the direct reporting lines between internal audit and the audit committee under many codes of governance, and to the relevance of the external auditor’s assessment of internal audit to the audit committee, particularly in the public sector. 8. Developing Nations—Recognizing that many developing nations have adopted or are in the process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment. We have no comment to make. 9. Translations—Recognizing that many respondents intend to translate the final revised ISAs for adoption in their own environments, the IAASB welcomes comment on potential translation issues noted in reviewing the proposed revised ISAs.

We have no comment to make. 10. Effective Date—Respondents are asked to comment whether, in their opinion, the provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level. The provisional date – for audits of financial statements for periods ending on or after December 15, 2013 – seems reasonable. 11. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB’s proposals? and 12. Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB? and 13. Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents? It is disappointing that while the Explanatory Memorandum refers to ‘small increases in work effort’, the impact analysis makes no attempt to describe these increases and simply states that the magnitude of the impact depends on factors which IAASB does not attempt to quantify. The overall impression given by the document is that IAASB hopes increases will be small for no other reason than IAASB believes that that should be the case. There is some expectation that the magnitude column in the impact analysis should give a scale of magnitude, and something more than ‘it depends’. The IAASB should state clearly in its final analysis that the use of internal audit resources by external auditors will not necessarily result in a reduction in external audit costs. It may be more cost-effective in many cases for internal and external audit to work to their respective work programs and to meet periodically to establish if, and to what extent, they can take assurance from the work performed by the other. 14. Would respondents find such an approach useful at the national level? The impact analysis would be more helpful if material were collated at a national level before the international assessment was made.

Other Comments The second sentence of paragraph 7 of draft ISA 610 does not make sense. Inserting the word ‘and’ between ‘audit’ and ‘relate’ renders it more comprehensible.

James Gunn, Technical Director IAASB 545 Fifth Avenue, 14th Floor, New York 10017 USA

15 November 2010

Re: IAASB Exposure Draft on Proposed ISA 620 (Revised) Using the Work of Internal Auditors and ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment

Dear Mr Gunn,

The Audit and Assurance Committee of Chartered Accountants Ireland is pleased to provide you with its comments on the Proposed ISA 610 (Revised) Using the Work of Internal Auditors (ED ISA 610) and Proposed ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment (ED ISA 315).

We support the proposed revision of the standards especially as the previous revision dates from 1994 as noted in the explanatory memorandum in the exposure draft. We have also provided comments to the specific questions raised overleaf.

Chartered Accountants Ireland hopes you find these comments useful. If you require any further clarification on any of the matters raised in this comment letter, please contact Edel Cashman at 00 353 1 6377322 or by email at [email protected].

Kind regards,

___________________

Niall Walsh, Chairman, Audit and Assurance Committee Chartered Accountants Ireland


Request for Specific Comments

Q. 1 Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315?

We consider that there should be a requirement for the external auditor to consider (as opposed to a requirement to do so) making inquiries of appropriate individuals within the internal audit function. We consider that such a requirement would be appropriately placed in ISA 315.

2. Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining:

(a) Whether the work of the internal audit function can be used for purposes of the audit engagement; and (b) The planned use of the work of the internal audit function?

Yes, we consider that the appropriate factors have been proposed to be evaluated by the external auditor in determining whether the work of the internal audit function can be used for purposes of the audit engagement and the planned use of the work of the internal audit function.

3. Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor?

Yes, we believe that it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit that is planned to be used by the external auditor.

4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to:

(a) Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and

(b) Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity?

Yes we agree with the proposals set out above.

5. Public Interest Concerns—Respondents are asked to address whether there are any public interest concerns that have not been addressed.

We consider that the level of Public Interest Concerns reliance on the internal audit (or direct assistance from internal audit) function should be addressed.

6. Special Considerations in the Audit of Smaller Entities—Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations.

We consider that there should be no differentiation in the consideration of the internal audit function in a large versus small entity. However it is worth considering that for smaller entities that are not listed on a public stock exchange in Ireland, that there is no specific requirement for an internal audit function.

7. Special Considerations in the Audit of Public Sector Entities—Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs.

Yes, we consider that the proposals have been appropriately dealt with in the proposed revised ISAs.

8. Developing Nations—Recognizing that many developing nations have adopted or are in the process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment.

We have no comments in this regard.

9. Translations—Recognizing that many respondents intend to translate the final revised ISAs for adoption in their own environments, the IAASB welcomes comment on potential translation issues noted in reviewing the proposed revised ISAs.

We have no comments in this regard.

10. Effective Date—Respondents are asked to comment whether, in their opinion, the provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level.

We consider that there is a significant lead time until the provisional effective date and would support the implementation of the proposed revised ISAs at an earlier stage.

11. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB’s proposals?

12. Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB?

13. Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents?

14. Would respondents find such an approach useful at the national level?

Yes we consider that the analysis of impact as presented in Section 4 of the Explanatory Memorandum is helpful in understanding the anticipated impacts of the IAASB proposals.

We believe that the equivalent analysis would have benefits at national level to the extent there are specific local factors affecting a proposed amendment to ISAs, but consider that determination of whether a national version should be produced is a matter for those responsible local promulgation of the ISAs.

IAASB Attn. Technical Director Mr. James Gunn 545 Fifth Avenue, 14th Floor New York, New York 10017 USA Dear Mr. Gunn, ICPAK is pleased at being provided with the chance to comment on the Proposed Revised International Standards on Auditing 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and 610 Using the Work of Internal Auditors. Our comments are set out below. It is important that the two functions (Independent Audit function & Internal Audit) work closely together for the quality of the audit to be enhanced. The proposed revisions are useful and will go a long way in cementing this relationship. Our specific comments are appended.

Regards

Richard Kamami For ICPAK

IAASB Attn. Technical Director Mr. James Gunn 545 Fifth Avenue, 14th Floor New York, New York 10017 USA Dear Mr. Gunn, ICPAK is pleased at being provided with the chance to comment on the Proposed Revised International Standards on Auditing 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and 610 Using the Work of Internal Auditors. Our comments are set out below. It is important that the two functions (Independent Audit function & Internal Audit) work closely together for the quality of the audit to be enhanced. The proposed revisions are useful and will go a long way in cementing this relationship. Our specific comments are appended. Request for Specific Comments The IAASB would welcome views on the following: 1. Do respondents believe it is appropriate to require the external auditor to make inquiries

of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315?

Response: Yes it is appropriate to require the external auditors to make inquiries of appropriate individuals within the internal audit function. The internal auditor normally has an extensive understanding of the entity due to his all-year round presence. This knowledge will no doubt be useful to help the external auditor in his decision making process as he undertakes the audit. It will be useful to have periodical meetings between the external auditor and the internal auditor as well as those charged with governance. However, it is not clear from ISA 315 Para 5 and A6 if such inquiry is always made even in circumstances where the external auditor has assessed that the objectivity or the integrity of the internal audit function is low.

Moreover, Application material A6c, states that the appropriate individuals with whom such inquiries are made are those who have the appropriate knowledge, experience and authority, such as the chief internal audit executive. It is not clear, if such inquiries are only made of the department and not of those who oversee the internal audit function e.g. the chair of the audit committee.


a. Whether the work of the internal audit function can be used for purposes of the audit engagement; and

b. The planned use of the work of the internal audit function?

Response: Yes. It will also be useful to factor in other elements such as the principles of the Code of Ethics.

3. Do respondents believe it is appropriate to require the external auditor to read reports

produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor?

Response:

� Yes as this will enhance the understanding of the entity. However, in Application Material A 16 - It is not the reading of the reports that provides information on the extent to work done, but it is the review of the work itself and an assessment of whether all the issues noted during the work done are then summarised in the report. This link needs to be clearly stated.


a. Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and

b. Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity?

Response: Yes. In Kenya, this is commonplace as it helps improve the quality of audits. An area that may need to be stressed is the principles of the code of ethics.

The IAASB is also interested in comments on the following matters:

5. Public Interest Concerns - Respondents are asked to address whether there are any public interest concerns that have not been addressed.

Response: There are no public interest concerns that need to be addressed in addition to those already addressed in the proposed standard. What needs to be stressed is the need to have open and flawless communication between the internal and external auditor.

6. Special Considerations in the Audit of Smaller Entities - Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations.

Response: As in case of many of the audits of SMEs an internal audit may not be existent or there may be issues with its competence or objectivity, the exclusion of such situations in the scope are adequately covered. However, while in the proposed changes to ISA 315 it is appropriate to require the external auditors to make inquiries of appropriate individuals within the internal audit function, it is not clear from ISA 315 Para 5 and A6 if such inquiry is always made even in circumstances where the external auditor has assessed that the objectivity or the integrity of the internal audit function is low.

7. Special Considerations in the Audit of Public Sector Entities - Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs.

Response: Not Applicable.

8. Developing Nations - Recognizing that many developing nations have adopted or are in the process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment.

Response: No such difficulties are noted in the context of Kenya as the scope clearly states when one is in the standard and when not. This is important from the context of the audits of SMEs.

9. Translations - Recognizing that many respondents intend to translate the final revised ISAs for adoption in their own environments, the IAASB welcomes comment on potential translation issues noted in reviewing the proposed revised ISAs.

Response: Not applicable to Kenya.

10. Effective Date - Respondents are asked to comment whether, in their opinion, the

provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level.

Response: Normally financial statement preparation is linked to a year end and in the case of IFRS, it is logical to link the any changes in the IFRS to a financial year end. It is not clear in the case of audit standards, which are based on an issue of an audit report, why the effective date is lined to a financial year end and not to the date of the issue of an audit report or to the commencement of the audit. Linking the effective date to the date of the issue of an audit report or the commencement of an audit would avoid the completion of using two different audit methodologies to multiple audits of a same entity done to clear an audit backlog.

Request for Comments on Analysis of Impacts The IAASB would appreciate comments on the following matters: 11. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum

helpful to respondents in understanding the anticipated impacts of the IAASB’s proposals?

Response: Yes it is helpful in understanding the IAASB proposals.

12. Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB?

Response: Yes. It will be useful to have clear-cut agreements between management, external auditor and the internal auditor.

13. Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents? Response: No.


Response: Yes.

Other Comments to Specific Items in the Proposed ISA 610: � It will be useful to incorporate the definitions of the internal auditors and internal audit function. � The cross-reference in Paragraph 3 to Application Material A1 does provide an appropriate

link, as Paragraph 3 deals with direct assistance. Application Material A1 would better be linked to Paragraph 1.

� Application Material A2 does not provide any additional guidance as it covers what is already stated in Paragraph 5, and could therefore be deleted in its entirety.

� Paragraph 2 – While the paragraph states that “In addition, the external auditor need not apply this ISA if the external auditor does not expect to use the work of the internal auditor ----“, it does not provide examples in the Application Material of circumstance where such situations exit. The provision of examples is important to further clarify such situations.

� The use of professional judgment (as stated in Application Material A4) is always required in an audit. It would be more appropriate to evaluate this into a requirement and amend Paragraph 13 to read “The external auditor shall use professional judgment in determining whether the work of the internal audit function can used for the purpose of the audit, and the nature and extent to which the work may be used in the circumstances by evaluating the following -----“.

� Application Material A9 - In addition to the existence and adequacy of the internal audit function, the monitoring and the enforcement of the effectiveness of the function is also an important criterion. It is not clear if this is captured in the next bullet which states “whether the internal audit function has appropriate quality control polices and procedures”. Moreover, it may be useful to state what the quality control polices and procedures should encompass to avoid confusions with the quality control polices as enshrined in ISQC 1.

We believe that we have addressed the issues which in our opinion deserve to be addressed. Should you have any query on the same, please contact Richard Kamami on [email protected]. Yours Faithfully. Richard Kamami

December 15, 2010

Mr. James Gunn Technical Director International Auditing and Assurance Standards Board 545 Fifth Avenue, 14th Floor New York 10017 USA By E-mail: [email protected]

Dear James,

Re.: Exposure Draft ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatements through Understanding the Entity and Its Environment

ISA 610 (Revised), Using the Work of Internal Auditors

We would like to thank you for the opportunity to provide the International Auditing and Assurance Standards Board (IAASB) with our comments on the Exposure Draft ISA 315 (Revised), “Identifying and Assessing the Risks of Material Misstatements through Understanding the Entity and Its Environment” and ISA 610 (Revised), “Using the Work of Internal Auditors” (hereinafter referred to as “the draft”).

We support the initiative to revise ISA 610 given the developments noted in the explanatory memorandum and the fact that the last revision of ISA 610 dates from 1994. In particular, we welcome strengthening the consideration of the work of internal audit as part of the external auditor’s risk assessment as proposed for ISA 315. We also support clarifying and improving the conditions under which an external auditor may use the work of internal audit. As a matter of principle, we also believe that clarification of the issue of direct assistance is needed, even though we are not in favour of the approach proposed in the draft.

/26 to the comment letter to the IAASB dated December 15, 2010

Below, this comment letter addresses the major issues in relation to direct assistance that we have identified in the draft. Our responses to the questions posed in the Exposure Draft are included in Appendix 1 to this comment letter. Our detailed comments by paragraph are included in Appendix 2 to this comment letter. The comments in the appendices are based on the analysis provided in the letter below.

We are particularly concerned with the proposals in the draft in relation to “direct assistance”. We have addressed our concerns in a structured manner in the following sections of this letter. First we delineate direct assistance from other activities (i.e., determine what direct assistance is), which is the prerequisite for determining whether it is acceptable. We then describe the impact of direct assistance on auditor effectiveness and auditor independence, before concluding on direct assistance. Based on our arguments below, we believe that there are no benefits in terms of audit effectiveness in permitting direct assistance, as properly defined, but there are some serious risks to audit effectiveness and to the independence of the external auditor.

I. Distinction Between Obtaining Direct Assistance and Other Activities

The draft does not properly delineate what is meant by direct assistance in the context of the role of the internal audit function through a definition and further description. As a result, our discussions on this issue with members of the profession and other stakeholders appears to indicate that there is considerable confusion arising from the draft about what the distinction, if any, among the following activities of the external auditor is:

a) Having entity staff, including internal auditors, assist the external auditor in obtaining entity information that is used as audit evidence,

b) Obtaining an understanding or testing operating effectiveness of internal control, in particular in relation to high level monitoring controls,

c) Using the work of internal audit, especially when the work is coordinated with that of the external auditor, and

d) Obtaining direct assistance from internal auditors, in particular in obtaining additional assurance from that assistance.

We will address each of these in turn.

a) Having entity staff assist the external auditor in obtaining information that is used as audit evidence


As noted in ISA 200.A2 (b) in connection with ISA 200.A19, external audits are premised on management, and where appropriate, those charged with governance, being responsible for such books and records necessary to enable the preparation of financial statements. Furthermore, pursuant to ISA 200.A3 (c) (i) and (ii), that premise extends to management and, where appropriate, those charged with governance, providing the external auditor access to all information of which they are aware that is relevant to the preparation of the financial statements such as records, documentation and other matters, and any additional information that the external auditor may request from them for the purpose of the audit. Consequently, on behalf of management, entity staff provides entity information to the external auditor that is used by the external auditor as audit evidence. An entity has a pecuniary interest in having an efficient external audit, and therefore having entity staff be helpful to the external auditor in this respect makes good sense. In this context, to support the external auditor, entity staff may respond to inquiries, prepare schedules or narrative descriptions, seek and sort documents or items selected for inspection or testing by the external auditor, and may even prepare schedules for use in the external auditor’s working papers noting the identifying characteristics of items selected by the external auditor for testing. As a matter of principle, internal auditors, as entity staff or when engaged by the entity, may also be involved in providing such information to, or assisting, the external auditor as noted.

However, these activities need to be distinguished from the actual performance of audit procedures as noted in ISA 500 – that is, for example, the actual inspection of documents or other evidence, the performance of recalculations, analyses, inquiries, observations and external confirmation procedures, reperforming procedures, selecting items for testing, and performing procedures on the completeness of the information obtained. These audit procedures are performed with the objective of enabling the external auditor to derive findings from the evidence obtained from those procedures for the purposes of the audit.

Having entity staff, including internal auditors, assist the external auditor in obtaining entity information that is used as audit evidence does not constitute “direct assistance”, but the actual performance of audit procedures, as noted in the previous paragraph, by internal auditors on behalf of the external auditor would constitute such “direct assistance”. The draft does not explicitly clarify this distinction and thereby contributes to considerable confusion as to the nature, and therefore the acceptability, of such direct assistance.

b) Obtaining an understanding or testing operating effectiveness of internal control, in particular in relation to high level monitoring controls


The draft does not clarify the role of the internal audit function within an entity from the perspective of an external auditor. In particular the draft does not clarify the relationship between an external auditor’s obtaining an understanding or testing operating effectiveness of internal control, in particular in relation to high level monitoring controls, and an external auditor using the work of the internal audit function. It is not clear from the draft whether the internal audit function is a part of internal control or not.

A review of the description of ISA 610.A3 of the draft indicates that, with the exception of consulting related thereto, all of the noted activities represent, from the perspective of the external auditor, monitoring controls – but mostly high level monitoring controls (e.g., over governance, risk management, etc.). Hence, from the point of view of the external auditor, and from an IAASB standards setting perspective, the internal audit function represents a high level monitoring control. If individuals or organizations within an entity do not perform functions that represent such a high level monitoring control, then, even if labeled “internal audit”, these are not an “internal audit function”. This implies that, disregarding the issue of direct assistance, the external auditor using the work of the internal audit function in fact represents an expectation that this high level monitoring control (the internal audit function) is appropriately designed, implemented, and is operating effectively. Consequently, without considering direct assistance, ISA 610 covers the external auditor’s risk assessment (paragraphs 13 to 17 of ISA 610 of the draft are analogous to the risk assessment procedures in ISA 315) and risk response (ISA 330 paragraphs 18 and 19 of ISA 610 of the draft are analogous to risk response procedures in ISA 330) with respect to the work of the internal audit function as a special high level monitoring control. However, the structure and paradigm applied in ISA 610 of the draft does not seamlessly fit into the paradigm used in ISA 315 and 330.

For these reasons, a definition or description in the draft of the internal audit function needs to distinguish between that function from an external auditor’s perspective (i.e., a special high level monitoring control with related consulting) and other activities carried out by internal auditors that may or may not be relevant to the audit.

c) Using the work of internal audit, especially when the work is coordinated with that of the external auditor

As noted in the previous paragraphs, using the work of the internal audit function may change the nature, timing and extent of further audit procedures based upon an expectation that particular aspects of the internal audit function are operating effectively. In this context, it is common practice for external


auditors to coordinate their planning with that of internal auditors in anticipation of being able to use the work of internal auditors. This is no different in substance from the external auditor suggesting management establish other monitoring controls that may have an impact on the nature, timing and extent of the external auditor’s procedures. However, pursuant to the last bullet point of paragraph 290.163 of the IESBA Code of Ethics, (hereinafter referred to as “the Code”) such consultation should not cross the line into the external auditor taking responsibility for designing, implementing and maintaining internal control, which would create unacceptable self-review and self-interest threats that cannot be mitigated by safeguards (see 290.165 of the Code). Consequently, external auditors coordinating their planning with that of the internal auditors should not cross the line into taking responsibility for any of the work plans or work of the internal audit function by directing or supervising those plans or work, since this would create unacceptable self-review and self-interest threats that cannot be mitigated by safeguards.

The draft does not clarify that, disregarding direct assistance, using the work of the internal audit function, as a high level monitoring control, is the same as having an expectation that in the internal audit function is operating effectively and then testing that operating effectiveness.

d) Direct assistance from internal auditors, in particular in obtaining additional assurance from that assistance

Based upon the discussion in a) to c) above, direct assistance from internal auditors does not refer to the external auditor:

a) Having the internal audit function assist the external auditor in obtaining entity information that is used as audit evidence (which includes obtaining audit evidence about the results of non-monitoring activities or consulting activities unrelated to monitoring performed by the internal auditors that are relevant to the external audit), and

b) Obtaining an understanding or testing operating effectiveness of the internal audit function as a special high level monitoring control (which is the same as using the work of internal audit when the work is coordinated with that of the external auditor, but not directed or supervised by the external auditor).

Direct assistance must then refer to the internal audit function performing audit procedures under the direct direction and supervision of the external auditor, that, but for their being performed by the internal audit function, would otherwise have been performed by the external auditor, such that the external auditor


obtains assurance about internal control or particular assertions in the financial statements.

While the text of the draft does make reference to direct assistance involving the performance of audit procedures by internal auditors for the external auditor, the draft does not properly delineate what is meant by direct assistance in the context of the role of the internal audit function through a definition and further description as noted above. This leads to a rather vague understanding by readers of the draft as to precisely what is being proposed.

II. Approach to Direct Assistance in the Draft

We have serious concerns with the approach taken in the draft on the issue of direct assistance. While we agree that continued ambiguity in ISA 610 about the permissibility of direct assistance needs clarification, the approach thereafter does not respond to the basic question of whether direct assistance is in the public interest for audits of financial statements. While we recognize that some jurisdictions permit direct assistance, and that it is common practice in some, this does not necessarily mean that it is a good practice that is worthy of emulation or that ought to be permitted at an international level. The key public interest issues in relation to direct assistance are the impact on audit quality, or effectiveness, and on auditor independence in appearance and in fact. We address independence issues in the next section of this letter and concentrate on audit effectiveness issues in this section.

The question arises what the reasons for permitting direct assistance are. Our review of the analysis of impacts in the Explanatory Memorandum indicates that other than the overall recurring decrease in work effort (i.e., less costs) of the external auditor on the assumption that greater use of direct assistance is made than is previously the case, no benefits are expected from permitting direct assistance. We explicitly note that this expected benefit would only apply if auditors used direct assistance more than they do now as a result of the standard explicitly permitting direct assistance. The fact that increased recurring audit effectiveness is expected for those cases in which direct assistance is already being used by having introduced a more rigorous framework for its use is not relevant to a decision as to whether it should be permitted in the first place, because audit effectiveness might be increased even further by prohibiting direct assistance in those cases where it is currently being used: this is a potential opportunity cost not included in the analysis. Hence, it is not clear to us what the reasons for permitting direct assistance might be other than a reduction of cost. In our view, this is an inadequate reason to permit rather than


to prohibit direct assistance, unless there is a positive or at least neutral effect on audit quality. Hence, the impact analysis fails to consider the opportunity costs of not prohibiting direct assistance where it is being applied and the costs to audit effectiveness of introducing direct assistance where it has not been applied before.

We believe that explicitly permitting direct assistance will result in preparers pressuring external auditors to reduce audit fees by employing direct assistance in those jurisdictions where it may not have been prior practice even though there is no benefit in terms of audit effectiveness. This means that the statement in the Explanatory Memorandum that external auditors need not employ direct assistance because the standard only permits, rather than mandates, direct assistance, fails to recognize economic realities.

As noted above, direct assistance involves the external auditor directing and supervising the performance of audit procedures by internal auditors. However, since internal auditors are employed or engaged by management or those charged with governance, they are not accountable to the external auditor: they are accountable to management or those charged with governance. This bears the risk to audit effectiveness that, since internal auditors are actually subject to the direction and supervision of management or those charged with governance because they are accountable to them, they may be inclined or even directed to collude with them on their findings, divulge their findings to management or those charged with governance first (which may allow management or those charged with governance to influence audit findings), or may choose to conceal certain findings from the auditor. This becomes a particularly acute risk to audit effectiveness when considerations of management bias or fraud may be an issue. Confining direct assistance to matters of lesser judgment may not alleviate this risk because even seemingly innocuous audit procedures not involving judgment may yield unexpected evidence on such matters. A potential safeguard might be to have management and those charged with governance undertake, in the engagement letter, not to influence any direct assistance provided by internal auditors, and have internal auditors and management or those charged with governance provide a written representation that no such influence has taken place, but this is a rather weak safeguard, if at all

Consideration is also not given in the Explanatory Memorandum to the long-term impact on the ability of firms to train new auditors if considerable routine audit work is outsourced to internal auditors by means of direct assistance.

On the whole, the risks to audit effectiveness appear to outweigh the benefits that might be obtained from direct assistance.


III. The Impact of Direct Assistance on Auditor Independence

The key questions in relation to whether direct assistance is acceptable under the Code are: 1. whether the provision of direct assistance causes internal auditors to be members of the audit team, and 2. which internal auditors are permitted to provide direct assistance (i.e., internal auditors that are entity employees; internal auditors, engaged by the entity, of the external auditor’s firm or network; or other internal auditors engaged by the entity), and 3. whether direct assistance involves an unacceptable self-review threat.

Membership on the audit team

In paragraph 290.04, the Code states:

“In the case of audit engagements, it is in the public interest and, therefore, required by this Code, that members of audit teams, firms and network firms shall be independent of audit clients.”

The definition in the Code of “audit team” includes all members of the engagement team for the audit engagement, which in turn is defined as:

“All partners and staff performing the engagement, and any individuals engaged by the firm or network firm who perform assurance procedures on the engagement. This excludes external experts engaged by the firm or network firm.”

Consequently, any partners and staff of a firm or network performing the engagement, and any individuals performing audit procedures on an audit engagement, are members of the audit team. Such partners, staff and other individuals must be independent. Whether these individuals are employed or engaged to perform the engagement or audit procedures is not relevant. Furthermore, when providing direct assistance, the audit firm effectively engages the entity employing or engaging the internal auditor to obtain that assistance, whereby those individuals are effectively engaged to perform the engagement or audit procedures.

With respect to external experts engaged by the external auditor, one could argue that they are providing expertise to the external auditor rather than performing audit procedures. Even if they were considered to be performing audit procedures, an exception was made because the use of external experts is crucial for audit effectiveness for many external audits even when external auditors are unable to arrange to have external experts meet all of the independence requirements that apply to members of the audit team. There is


therefore an overriding public interest reason in relation to audit effectiveness for the exception made for external experts.

Of course, we are aware that the Code can be amended to provide for an exception for internal auditors like that provided for external experts engaged by the external auditor. However, there is no overriding public interest reason in terms of improving audit effectiveness to provide such an exception, since internal auditors providing direct assistance to external auditors are only performing audit procedures that external auditors would otherwise have performed themselves. Consequently, such a provision would be without substance (i.e., represent a fiction) or any public interest purpose.

Internal auditors employed by the entity

Employees of the entity are not independent of the entity (see paragraphs 290.124 to 290.132 of the Code, which forbid even lesser threats in this regard). Since there is no difference in terms of independence between internal auditors employed by the entity and any other individual employed by the entity, internal auditors employed by the entity are not independent of the entity. Furthermore, paragraph 290.197 of the Code forbids the external auditor, when providing internal audit services, from directing or taking responsibility for the actions of the entity’s internal audit employees. If the external auditor were not providing internal audit services, then such direction or responsibility would therefore bear even greater risks to external auditor independence, which means it is effectively prohibited. Hence, if external auditors obtain direct assistance (which, as noted above, implies the performance of audit procedures for the external auditor) from internal auditors employed by the entity, then, as noted above, by definition, internal auditors would be on the engagement team and would therefore need to be independent of the entity, which they cannot be by virtue of being employed by the entity. Furthermore, since such audit procedures would be performed by internal auditors under the direction and supervision of the external auditor, the external auditor would be in violation of paragraph 290.17 of the Code. Hence, the Code effectively forbids direct assistance from internal auditors employed by the entity.

Internal audit services provided by external auditor

As noted above, as part of the internal audit function, internal auditors design, implement or operate the internal audit function and consult in relation thereto, which, as described above, is a special high level monitoring control. The Code forbids the external auditor from taking responsibility for designing, implementing and maintaining internal control, including internal audit services, because this is a management responsibility (paragraphs 290.13 and 290.197


of the Code). Paragraph 290.198 of the Code specifies measures that can be undertaken so that internal audit services can nevertheless be provided by the external auditor. However, paragraph 290.199 recognizes the potential self review threat when the external auditor provides internal audit services, and as an example of a safeguard to reduce or mitigate that threat suggests using professionals that are not on the audit team. As noted above, internal auditors providing direct assistance are, by definition, on the audit team. For public interest entities, paragraph 290.200 of the Code forbids internal audit services that in some way relate to a significant part of internal control over financial reporting, to financial accounting systems or financial statement items.

Consequently, obtaining direct assistance from internal auditors of the external auditor’s firm or network would render ineffective the primary potential safeguard (using professionals not on the audit team) that would permit the external auditor to render internal audit services. Consequently, its does not appear to be advantageous from the perspective of the Code’s independence requirements to permit direct assistance from internal auditors from the external auditor’s firm or network.

Arguments against direct assistance from engaged internal auditors not from external auditor’s firm or network

One of the key arguments used to support direct assistance is based on the fact that the effectiveness of the external auditor’s use of the work of the internal audit function is greatly improved when that work is coordinated with that of the external auditor. The argument then follows that if the external auditor were not only to coordinate the work of the internal audit function, but actually direct and supervise that work, the value of that work to the external auditor would increase significantly.

However, as demonstrated in section I. c) above, external auditors coordinating their planning with that of the internal auditors should not cross the line into taking responsibility for any of the work plans or work of the internal audit function by directing or supervising those plans or work, since this would create unacceptable self-review and self-interest threats that cannot be mitigated by safeguards. In this context, direct assistance blurs the distinction between using the work of internal auditors and the performance of audit procedures by the audit team, with all of the concomitant independence problems discussed above.

Even more importantly, since the internal audit function is a special high level monitoring control using a systematic and disciplined approach (or it would not be an “internal audit function”), when internal auditors perform audit procedures


by providing direct assistance to the external auditor, there is a rather high likelihood that internal auditors will, in one way or another, be reviewing their own work on controls or information. Consequently, the benefits of the increased value of the work of internal audit, when the external auditor directs and supervises that work through direction and supervision thereof, are exceeded by the costs of the loss of independence due to the unmitigated self review and self interest threats, even when the internal auditors are engaged, rather than employed, by the entity and are not from the external auditor’s firm or network.

In conclusion, there are no benefits in terms of audit effectiveness in permitting direct assistance, as properly defined, but there are some serious risks to audit effectiveness and to the independence of the external auditor. For these reasons, we believe that permitting direct assistance is not in the public interest.

We hope that our views will be helpful to the IAASB. If you have any questions relating to our comments in this letter, we would be pleased to be of further assistance.

Yours truly,

Klaus-Peter Feld Wolfgang P. Böhm

Executive Director Director International Affairs

541/584


Appendix 1: Reponses to the Questions Posed in the Explanatory Memorandum

Question 1 Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315?

We agree that it is appropriate to require external auditors, as part of their risk assessment procedures, to make inquiries of appropriate individuals within the external audit function, and agree that such a requirement is appropriately placed in ISA 315, since this is where risk assessment procedures are dealt with. However, the ability of auditors to determine whether they have fulfilled this requirement depends upon whether or not they are able to determine if an internal audit function exists. Merely adding the text as proposed to ISA 315.06 and qualifying audit function with the term “if the function exists” will not lead to a workable requirement without a definition allowing auditors to determine if one exists. To this effect, auditors require a definition of the “internal audit function” that may be supplemented by appropriate application material. Furthermore, a distinction needs to be made between the “internal audit function” and “internal auditors”. Based on the discussion in our letter in section I. (b), we suggest that the sentence proposed in the draft for ISA 315.A101 may form the basis for such definitions, but amended to read as follows:

Internal audit function – A high level monitoring control and related consulting activity designed to evaluate and improve the effectiveness of an entity’s risk management, internal control, or1 governance processes.

Internal auditors – Individuals that perform the activities of the internal audit function.

We suggest that the application material thereto draw upon the discussion in our letter in section I.(b) and paragraph ISA 610.A3 proposed in the draft, as long as the reference to “assurance” in the latter is deleted. While we agree that a systematic, disciplined approach is a prerequisite for the existence of an internal audit function, we do not believe that this necessarily distinguishes the internal audit function from other high level monitoring controls. We also believe that the

1 Please note that we suggest using the word „or“, rather than „and“ because an internal audit function need not cover each of these processes.


draft should cease to use terms other than “internal audit function” or “internal auditors”, such as “internal auditing”, etc., because this causes confusion.

Question 2 Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: (a) Whether the work of the internal audit function can be used for purposes of the audit engagement; and (b) The planned use of the work of the internal audit function?

With respect to (a), we agree with the identification of the broad nature of the factors that have been proposed, in paragraphs ISA 610.13 and .14 of the draft, to be evaluated by the external auditor in determining whether the work of the internal audit function can be used for purposes of the audit engagement, but have some concerns in how these factors are described. In particular, we take issue with the limitation of the evaluation of the internal audit function’s organizational status and relevant policies and procedures to support objectivity, the use of the terms “level of competence” and “degree of objectivity” and, in relation to both objectivity and competence, the reference to a “low” degree or level.

We recognize that an external auditor cannot be asked to actively evaluate the objectivity of an internal auditor, since objectivity is a state of mind. To this effect, we agree that the external auditor evaluate the extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of internal auditors. However, if, during the audit, external auditors become aware of other information that affects the external auditor’s understanding of the objectivity of internal auditors, then the external auditor must take that information into account in his or her evaluation. ISA 610.13 (a) needs to be amended to take this into account by inserting the wording “…, and any other information of which the auditor becomes aware during the audit that affects the auditor’s understanding of the objectivity of internal auditors,…” between the words “procedures” and “support”. The wording should also be more neutral in this respect: the word “support” should be replaced with “affect”.

Competence is not just a question of extent, but also of nature. For this reason, we suggest that the word “level of” be deleted in paragraph ISA 610.13 (b) and that application material to ISA 610.13(b) note that competence relates to having the right competencies in sufficient measure. The use of the term “low degree of objectivity” suggests that there is an acceptable “moderate degree of objectivity”. We therefore suggest that in ISA 610.14(a), the term “low degree of


objectivity” be replaced with “insufficient objectivity”, which recognizes that objectivity is a sliding scale, but that what matters is having enough; the words “degree of” can then also be deleted from ISA 610.14 (b). Likewise, in ISA 610.14 (b) the term “low level of competence” ought to be replaced with “inadequate competence”, which conveys the notion that competence is a sliding scale that depends on both nature and extent; the words “level of” can then be deleted in ISA 610.14 (a).

With respect to (b), we agree with the identification of the broad nature of the factors that have been proposed, in paragraphs ISA 610.15 and .16 of the draft, to be evaluated by the external auditor in determining the planned use of the work of the internal audit function. However, in line with our comments to (a) above, the words “degree of” and “level of” in ISA 610.15 (a) should be deleted. Furthermore, the items listed in ISA 610.15(c) (i) and (ii) of the draft are too limiting, in that judgment may also be involved in the planned use of the internal audit function regarding planning and performing audit procedures or evaluating audit evidence in relation to obtaining an understanding of internal control, risk management and governance processes that have an impact on more than just a particular class of transactions, an account balance, a disclosure or an assertion. We therefore suggest deleting the words “for particular classes of transactions, account balances and disclosures” in (i) and “in support of the relevant assertions” in (ii), and explaining the matters covered in the application material thereto.

As an additional issue, the factors noted in (a) as amended for our suggestions are also relevant in the auditor’s consideration of the internal control function for risk assessment purposes under ISA 315. As noted in our letter, the interrelationship between ISA 315 (risk assessment of the internal audit function as a special high level monitoring control), ISA 330 (tests of the operating effectiveness of the internal audit function as a risk response) and ISA 610 (using the work of the internal audit function) have not been seamlessly integrated in the draft.

Question 3 Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor?

This is a leading question because it is almost unthinkable that an external auditor not read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external


auditor; the requirement in ISA 610.18 of the draft is therefore entirely appropriate. The real issue that ought to have been asked in the question is the extent to which the external auditor ought to be required to read reports that the external auditor has not planned to use under risk assessment considerations in ISA 315.

We do not believe it to be appropriate to include a requirement that external auditors read each report produced by the internal audit function because there may be a large number of such reports in some larger groups and many of these reports are not relevant to the external audit. However, we do believe it to be appropriate for the external auditor (and in groups, the group auditor or component auditor, as relevant) to obtain a list of such reports and to discuss that list with the internal audit function to determine whether there are reports on that list that are likely to contain information that is relevant to the external auditor’s risk assessment. When, based upon the discussion of that list, reports have been identified that are likely to be relevant to the external auditor’s risk assessment, the auditor should be required to obtain a general familiarity with the overall contents of each such report before deciding whether there is likely to be information in a report that is relevant to that audit, that therefore needs to be read to as part of the external auditor’s risk assessment and risk response when using that work.

In this respect, we believe that the requirements in ISA 315 and how they interrelate to those for the planned use of the work of internal auditors in ISA 610 needs to be strengthened. This would mean that, should the internal audit function’s activities have produced negative findings, the external auditor would necessarily consider the impact thereof, if any, on the auditor’s assessment of risk. There needs to be a mechanism to ensure that such unfavourable findings that have an impact on risk assessment are read. We suggest that the following sentences be added to ISA 315.23 as follows:

“If the internal audit function has produced reports relating to its work, the auditor shall obtain a list of those reports and discuss with the internal audit function, on the basis of that list, whether any of these reports are likely to be relevant to the audit. If, on the basis of this discussion, the auditor believes that a report is likely to be relevant to the audit, the auditor shall consider the overall content of the report to evaluate whether there is information in that report is relevant to the audit, and if so, read that information.”


Question 4 Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to: (a) Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and (b) Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity?

We believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance because clarity on its permissibility or not is needed. However, we do not support the draft explicitly permitting direct assistance. The weighty reasons for this are noted at length in our letter.


Question 5 Public Interest Concerns—Respondents are asked to address whether there are any public interest concerns that have not been addressed.

As noted in our letter, we believe that considerations in relation to audit quality or effectiveness, and to the risks to auditor independence, were not appropriately taken into account in determining whether to explicitly permit or prohibit direct assistance.

Another public interest concern relates to why the IAASB has changed the nature of its effective dates for standards from “periods beginning on or after” to “periods ending on or after”. This is a major change in the applicability of the effective date, but this important change was not subject to more than several minutes of IAASB deliberation without consideration of the historical reasons why effective dates are written as they are – nor is this change highlighted in any way in the Explanatory Memorandum. In our view, the IAASB did not follow appropriate due process in this respect. Our concerns with the nature of the change in effective date is described in our response to Question 10 below.

Question 6 Special Considerations in the Audit of Smaller Entities—Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations.


As a rule, smaller entities will not have an formal internal audit function. Therefore, the draft would generally not be relevant to them. However, when smaller entities do have such a function, then the proposals in the draft would be appropriate without any need for special considerations in the audit of smaller entities.

Question 7 Special Considerations in the Audit of Public Sector Entities—Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs.

We have no comments in relation to this question.

Question 8 Developing Nations—Recognizing that many developing nations have adopted or are in the process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment.

We have no comments in relation to this question.

Question 9 Translations—Recognizing that many respondents intend to translate the final revised ISAs for adoption in their own environments, the IAASB welcomes comment on potential translation issues noted in reviewing the proposed revised ISAs.

We do not have any comments on this issue at the present time.

Question 10 Effective Date—Respondents are asked to comment whether, in their opinion, the provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level.

ISAs currently in effect that do not relate to reporting have effective dates for audits of financial statements for periods beginning on or after a certain date. The mode of effective date proposed in the draft is being changed to audits of financial statements for periods ending on or after a certain date.


The reason for changing to “periods ending” appears to have been that some national standards setters and firms had overlooked the fact that reference is made to “periods” and not “years” “beginning on or after” for the clarified ISAs, which implies that short periods of less than a year would be affected. This engendered the need for the IAASB to issue a Frequently Asked Question to limit the application of the clarified ISAs to years ending December 15, 2010, but not to shorter periods ending before then. The change to “periods ending on or after” would prevent such untoward short-period issues from arising.

However, the question arises whether this change would have other impacts that have not been considered. In particular, the change means that short periods (e.g., the first three quarters) ending prior to December 15 of an effective date that are audited would be audited using the old standards, whereas the last quarter and entire year would need to be audited using the new standards. Does this mean that in cases where quarters are audited in addition to the full year the auditor will need to perform additional work on the first three quarters in accordance with the new auditing standards to be able to provide an opinion on the entire year? In the case of a recurring audit, do the closing balances of the previous year (the opening balances of the first quarter) then also need to be audited using the new in addition to the old standards?

Furthermore, in an audit of a long period (e.g., of two years) for which the first year had been previously audited using the old standards, would the auditor need to do additional audit work on the first year to ensure that the entire period (the two years), including the opening balances of the second year, was audited using the new standards?

We recognize that standards setters such as the PCAOB and APB are using “periods ending” rather than “periods beginning”, but this relates to the fact that they have a particular regulatory mandate in which the focus is on the audit of annual financial statements. The IAASB covers audits, including audits of special purpose financial statements, of a completely voluntary nature, in which audits of short periods together with audits of the entire year thereafter, and audits of long periods (i.e., more than a year), are uncommon, but not unheard of. If there is concern about effective dates that are too early given the experience in relation to short periods for the clarity ISAs, the correct solution is to move the effective date to an additional year later, rather than to have short periods within entire years audited using different standards due to the use of “periods ending” rather than “periods beginning”.

The other issue that arises is the fact that now days audits of annual financial statements are not commenced for most enterprises after year-end, but well


before end of the year, and in many cases the preliminary planning procedures (e.g., engagement continuance) need to start before the beginning of the year being audited. Is the IAASB sending the right message in this case by focusing on the end, rather than beginning, of the year?

On the whole, the change to “periods ending on or after” does not appear to be appropriate given these considerations.

Request for Comments on Analysis of Impacts. … The IAASB would appreciate comments on the following matters:

Question 11 Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB’s proposals?

We believe that, if it were appropriately done, the analysis of impact presented in Section 4 of this Explanatory Memorandum is helpful to respondents in understanding the anticipated impacts of the IAASB’s proposals. However, as noted in our response to Question 12, the actual impact analysis, was, in our view, not appropriately done.

Question 12 Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB?

A review of the analysis of impacts shows a thorough analysis of impacts was not undertaken.

As noted in our letter, the overall recurring decrease in work effort (i.e., less costs) of the external auditor is made on the assumption that greater use of direct assistance is made than is previously the case, which only applies if auditors use direct assistance more than they do now as a result of the standard explicitly permitting direct assistance. The fact that increased recurring audit effectiveness is expected for those cases in which direct assistance is already being used by having introduced a more rigorous framework for its use is not relevant to a decision as to whether it should be permitted in the first place, because audit effectiveness might be increased even further by prohibiting direct assistance in those cases where it is currently being used: this is a potential opportunity cost not included in the analysis. Hence, the impact analysis fails to consider the opportunity costs of not prohibiting direct


assistance where it is being applied and the costs to audit effectiveness of introducing direct assistance where it has not been applied before.

Furthermore, lower auditor costs due to direct assistance may well be offset somewhat by higher costs due to higher quality audit staff needed for both assessing the competency, objectivity, etc. of internal auditors and in supervising and reviewing the work performed.

Question 13 Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents?

On the whole, we believe that the nature of the narrative and tabular presentation is helpful. However, we note that the heading for the first column in the table only relates to audit effectiveness, even though the actual items in the column relate to other matters as well. This may confuse many readers.

Question 14 Would respondents find such an approach useful at the national level?

It is not clear to us what is being asked in this question: whether such an approach would be useful to national standards setters in setting their standards, or whether the IAASB should seek to have the approach applied at a national level when exposing its proposed pronouncements. In relation to the former, we believe that this is a question that needs to be answered by each national standards setter based upon its particular environment. We have not considered whether such an approach would be useful in our environment and therefore cannot comment on this question at this time. In relation to the latter, the request for comments on the impact assessment ought to suffice for the IAASB to obtain input at a national level from different jurisdictions about the appropriateness of its analysis.


Appendix 2: Detailed Comments By Paragraph

ISA 315

23. We refer to our response to the Question 3 posed in the Explanatory Memorandum. We also believe that the phrase that was in original ISA 315 (“in order to determine whether the internal audit function is likely to be relevant to the audit”) ought to be reinserted at the end of the first phrase “If the entity has an internal audit function” because the original phrase defined the aim of the procedures and serves to define the nature of the inquiries in this respect

A6. The word “continuous” needs to replaced with “continual”, since a continuous process never stops in real time, and that is not what is meant.

A6b. We believe that this paragraph can be deleted, since it would be replaced with our suggested additional sentences for paragraph 23. If the reports are relevant, then they need to be read.

A71a. In respect of the proposed amendment, we question when an auditor would not be required to consider how management has responded to the findings and recommendations of the internal audit function regarding identified weaknesses in internal control relevant to the audit. It seems to us that according to the clarity conventions this procedure is required in virtually all cases for weaknesses that are of sufficient relevance to the audit. We therefore suggest a conditional requirement would be appropriate, provided an appropriate threshold is used.

A101. As noted in our response to Question 1, a definition together with explanatory material is needed for the term “internal audit function” and “internal auditor”. The material in A101 and A102, with the exception of the reference to “assurance” (which would be replaced with “high level monitoring”) would form a part of that definition and material. As noted, other terms, such as “internal auditing”, should then not be used to avoid confusion.

A102. In line with our response to Question 1, the second sentence should read “… , for example, performing procedures and evaluating for management and those charged with governance the design and…”. Missing from the description of activities are activities in relation to compliance. In the last


sentence, the words “limited to” should be replaced with “be focused on” and the words “may not relate to” be replaced with “may not directly relate to primarily”.

A102a. Both A102a. and A102b do not appear to be in the right place because they actually seem to relate to the requirement on inquiries in ISA 315.06(a). The old wording in A104 in the second sentence “… the function’s responsibilities are likely to be related” is superior to “the function’s responsibilities are related” and should be reinstated. In our view, the “may” in the last sentence is inappropriate, because, having determined that the function’s responsibilities are likely to be related to financial reporting, the audit would need to obtain a further understanding of the activities performed for risk assessment purposes. For this reason, this sentence should be moved to the requirements.

A103. Reference is made to “modify the nature, or timing, or reduce the extent, of audit work”. This was in the original ISA, but upon reflection, we believe that the wording ought to be changed to “modify the nature, timing or extent, of audit work”. The reason for this is that, based upon the information obtained from the internal audit function, an auditor’s risks assessment may lead to the auditor to conclude that the extent of audit work (whether additional risk assessment, tests of controls or substantive procedures) needs to be increased. We suggest that the wording be changed accordingly throughout the ISA.

A103b. The word “any” in the fourth line is superfluous and can be deleted. The word “may” towards the end of that sentence should be replaced with “are likely to” because the internal audit function cannot be expected to provide information to the auditor on the sheer possibility that something might affect the work of the auditor.

ISA 610

Title We find both the title “Using the work” and the subsequent use of the term “using the work” as the overarching term for both using the work and direct assistance as well as just for just using the work (paragraphs 18 to 19) as very confusing. We believe that the using the term with this double meaning contributes significantly to the misunderstanding, noted in our letter, of the meaning of direct assistance. We therefore strongly recommend that “using the work” be used only in connection with the external auditor’s risk assessment and risk response in relation to the


work of the internal audit function as a special high level monitoring control and related consulting activity (i.e., using the work), and that, if retained, direct assistance be named separately. Hence, in line with the definitions that we propose for “internal audit function” and “internal auditors”, the title would need to read “”Using the Work of the Internal Audit Function and Obtaining Direct Assistance from Internal Auditors.” These distinctions would need to be made throughout from paragraphs 1 to 17.

2. We refer to our comments on paragraph ISA 315.A103 on the use of the term “reduce the extent” and suggest the wording be changed accordingly. This wording would also be need to be changed throughout the standard, such as in paragraph 12.

4. We suggest adding a comma after the word “extent” in the first sentence and suggest changing part of the second sentence to read “…when contemplating whether the external auditor obtains direct assistance from internal auditors.”

5. The last sentence should be changed to read “…the internal audit function may plan and perform procedures for management and those charged with governance to evaluate the design,…”.

7. The word “appear” in the second sentence should be replaced with “are”, because the auditor may not choose to use the work even if it is relevant.

8. Not only law or regulation, but national professional standards (ethical standards or auditing standards) may forbid or restrict direct assistance. For this reason, the words “law or regulation” in the first sentence and throughout the standard where these are used should be changed to read “law, regulation or professional standards”. The question that has not been asked is whether the restrictions noted in the first sentence (in particular in relation to not being permitted to communicate with internal audit) may also have an impact on ISA 315 and therefore may need to be noted there as well.

11. We refer to our response to Questions 5 and 10.

13. In relation to paragraphs 13 to 15, we refer to our responses to Question 2.

16. Since “sufficient procedures” is not a concept used in the ISAs, we suggest changing the wording to “…perform procedures to obtain


sufficient appropriate audit evidence to enable the external auditor to draw reasonable conclusions...”.

17. The word “the” at the end of the sentence should be changed to “their”. When seeking to coordinate the work of the external and internal auditor for the purposes of using the work (i.e., paragraphs 18 and 19, not direct assistance), the external auditor would also discuss such coordination with management and those charged with governance. However, such discussion at a high level would be even more important if direct assistance is obtained, but the discussion should not lead to management or those charged with governance becoming aware of the details of the overall audit strategy or audit plan of the external auditor.

19. In (b), the word “audit” should be deleted because this evidence is not audit evidence for the external auditor, but evidence for the work of the internal auditor. In (c), the word “any” should be replaced with “the”.

20. In line with our response to Question 2 and comments on paragraph 8, the second sentence of this paragraph should read “…, and plans, to obtain direct assistance from internal auditors, the external auditor shall evaluate the objectivity and competence of the internal auditors providing such assistance.”

21. In line with our previous comments, this paragraph should read as follows:

“The external auditor shall not obtain direct assistance from an internal auditor if the internal auditor is not:

(a) sufficiently objective, regardless of the internal auditor’s competence; or

(b) adequately competent, regardless of the internal auditor’s objectivity.”

22. The word “amount” should be changed to “nature, timing and extent”, since it is not just a question of quantity, but also of quality and timing. In relation to (a) and (c), we refer to our responses to question 2.

24. For the reasons explained in our comment to paragraph 22, the word “level” should be changed to “nature, timing and extent”.

25. We refer to our responses on question 2, which would result in conforming amendments to this paragraph.

A1. The paragraph reference in the heading should be to paragraphs 2-3.


A2. In relation to paragraphs A2 to A3 we refer to section I. b) in our comment letter and our response to Question 1 on the issue of definitions. The term internal auditing “ should be replaced with “internal audit function” and “assurance and consulting” replaced with “high level monitoring and related consulting”.

A3. In the first bullet point under “Activities relating to internal control”, “provides assurance on” should be replaced with “evaluates”. In the second bullet point thereafter, the word “recognize” should be inserted in between “identify and “measure”. We would like to point out that the second, third and fourth bullet points do not relate to internal control, but to the evaluation of information, operational auditing and the evaluation of compliance, respectively.

A5. The words “degree of” and “level of” can be deleted. The word s “whether to use, and if so” should be inserted between the words “determining” and “the nature”.

A6. As pointed out in our response to Question 2, consideration needs to be given to any other information of which the external auditor becomes aware the affects his or her assessment of objectivity or competence. The last bullet point in this paragraph applies to the evaluation of objectivity too because professional standards may address that or related issues (e.g., independence).

A7. The second sentence should be changed to read “The greater the objectivity and competence,…” and the third sentence should be changed to read “However, sufficient objectivity cannot compensate for inadequate competence, and adequate competence cannot compensate for insufficient objectivity”.

A8. While a systematic and disciplined approach is a prerequisite for the existence of an internal audit function, we do not believe that it is a characteristic that distinguishes it from other high level monitoring control activities. Indeed, an unsystematic, undisciplined approach in other high level control activities may be indicative of a control deficiency. We therefore suggest changing the first sentence to read “…an important characteristic of an internal audit function”.

A9. In the second bullet point, the words “and appears to carry out” should be inserted in between the words “has” and “appropriate”.

A10. We suggest deleting the words “degree of” and “level of”.


A11. We suggest deleting the words “amount of” and “that is”. The word “unlikely” should be replaced with “less likely”.

A13. The grammar in the second sentence needs to be corrected to achieve a parallel construction.

A15. The first use of the word “may” in the second bullet point is superfluous because it sets too low a bar: we suggest it be removed; the words “may consider” should be replaced with “is able to consider”. In the third bullet pint the word “any” can be deleted and the “may” replaced with “the external auditor believes”.

A18. The sentence should begin with “Examples of procedures” and the word “the” prior to “procedures” deleted. The words “degree of” and “level of” can be deleted and the words “amount of” replaced with “nature and extent of”.

A20. In relation to the last sentence, reperformance should also be focused not just in those areas of greater judgment, but also those areas of greater risk. Hence the words “greater risks of misstatement exist or”, should be inserted in between the words “where” and “more”.

A22. To prevent the use of the term “use internal auditors” and the confusion that this causes in relation to direct assurance, we suggest changing the second sentence to read “…circumstances, external auditors direct, supervise, and review the audit procedures performed by internal auditors directly on…”.

A25. We suggest that the words “degree of” and “level of “ be deleted.

A27. The words “when expressing an opinion on financial statements” are superfluous and can be deleted. The word “will” can be replaced with “are”. Furthermore, for clarity, the words “by the external auditor” should be inserted in between the words “review” and “of the audit procedures”.

A28. The words “level of” and “degree of” can be deleted and the words “by the external auditor” inserted after the words “or review”. The last sentence uses the present tense as if it were a requirement: either the sentence should be moved to the requirements or the nature of the sentence changed to guidance.

November 12, 2010 Technical Director International Auditing and Assurance Standards Board (IAASB) 545 Fifth Avenue, 14th Floor New York, New York, 10017, USA

Submitted via www.iaasb.org RE: Comments on Proposed Revisions to ISAs:

- 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, and

- 610 Using the Work of Internal Auditors Dear Sir/Madam: The Institute of Internal Auditors (IIA) appreciates the opportunity to provide comments on proposed revisions to ISA 315 and ISA 610. We collaborated with IIA Institutes around the world in developing this global response. Furthermore, our comments are based on thorough analyses and discussions conducted by a core team of audit experts who serve on The IIA’s Professional Issues Committee, the Internal Audit Standards Board, the Ethics Committee, and the Committee on Quality. These experts consist of Chartered Accountants and Certified Internal Auditors who have worked in the public and private sectors, internal and external auditing, and in small, medium, and large multinational companies. ISAs 315 and 610 provide guidance that is very important as internal auditors work closely with external auditors. These standards could significantly and positively impact the relationship between external audit (EA) and internal audit (IA), how their audits are coordinated and performed, and how EA leverages the knowledge, experience and expertise of IA to enhance audit effectiveness. We applaud your efforts to make the ISAs more reflective of the advancements made in internal auditing. In particular, we are pleased to see that ISA 315 introduces the requirement for EA to make inquiries of the IA function, which allows EA to leverage IA’s knowledge of the entity, the environment, and risks. Both ISAs explain the breadth of activities performed by IA and refer to internal auditing as an assurance activity, distinguishing internal auditing from other monitoring controls in the organizations. We are especially pleased that ISA 610 speaks to three key tests for determining whether to use the work of IA: objectivity; competence; and IA’s use of a systematic and disciplined approach, including quality control. Our principal comments and observations are highlighted below. Responses to the specific questions are summarized in Attachment A, along with recommendations to elevate guidance from the Application and Other Explanatory Material Section to the Requirements Section, and other suggested wording changes.

• We agree that it is appropriate for EA to rely on the work of IA where the audit objectives are in agreement. Cooperation is essential to ensure that audit coverage is coordinated, enhanced, and duplicate efforts are minimized.

• "Fraud risk" has relevance to both ISAs. We recommend that the ISAs recognize the

heightened importance of fraud risks and the value of cooperation between EA and IA on topics such as fraud risk assessment, risk mitigation strategies, fraud detection controls and remediation.

• Both ISAs should also emphasize the value of collaboration between EA and IA. The sharing of information and work plans throughout the year, as well as relying on the work of others, is especially important since internal control operates over a period of time, not simply at a moment in time. In particular, to the extent that these assurance and monitoring activities are governance-‐related (e.g., entity-‐level controls such as tone at/from the top), the notion of EA and IA collaboration becomes even more important.

• We support establishing a framework to aid EA to decide whether, and if so, to what

extent to use the work of IA. However, in our opinion, the judgment-‐based framework presented does not facilitate consistent application in evaluating the key decision factors. The framework would be improved by moving the expanded discussion in ISA 610 paragraphs A6 and A9 from the Application and Other Explanatory Material Section into the Requirements Section.

• We also noted that the very factors that impact EA’s decision to use and the extent of using IA work (e.g. objectivity, organizational status, competency, etc.) are already embodied in The IIA’s International Professional Practices Framework (IPPF). A set of IA standards and professional guidance such as those incorporated in the IPPF provides a clear benchmark and expectation of what is necessary for an IA function to practice with the highest level of professionalism. The IPPF is the only set of international IA standards for all industry sectors and is well known around the world to EA and IA professionals alike, as well as to others who rely on IA services. We believe EA should require conformance with internationally recognized IA professional standards and reference this conformance in their evaluation of IA practice. We have made suggestions where such references would be helpful in the proposed ISAs.

• The International Standards for the Professional Practice of Internal Auditing (The

Standards) require that internal audit functions be subjected to an external quality assessment (EQA) every five years. We believe ISA 610 should require EA to consider the results of the EQA when determining whether or not to rely on the work of internal auditing.

• Compliance with The Standards, coupled with positive results from the periodic EQA,

provide good supporting evidence for IA’s independence and objectivity. ISA 610 makes several references to the lack of independence of IA (e.g. paragraphs 6, 24, and A27.). While it is not possible for internal auditors to attain full independence from the organizations they serve as required of EA in ISA 200, the Internal Audit Charter, the organizational status of IA, and compliance with The Standards allow them to attain sufficient independence and provide adequate safeguards to support IA’s objectivity. We recommend that ISA 610 acknowledges that these requirements are appropriate safeguards.

• Regarding direct assistance, we believe that the extent to which IA may provide direct assistance to EA is a resource allocation decision that must be made by those charged with governance responsibilities and the Chief Audit Executive (CAE), and not by the EA unilaterally. (See ISA 610 paragraphs 20 and A24.) EA should provide cost benefit information to enable the responsible parties to make informed decisions.

• We also recommend moving the guidance on coordination in ISA 610 paragraph A14 from the Application and Other Explanatory Material Section into the Requirements Section.

The IIA welcomes the opportunity to discuss any and all of these recommendations with you. We offer our assistance to the IAASB in the continued development of these Standards.

Best Regards, Richard F. Chambers, CIA, CGAP, CCSA President and Chief Executive Officer

About The Institute of Internal Auditors The IIA is the global voice, acknowledged leader, principal educator, and recognized authority of the internal audit profession and maintains the International Standards for the Professional Practice of Internal Auditing (Standards). These principles-‐based standards are recognized globally and are available in 29 languages. The IIA represents more than 160,000 members across the globe and has 103 institutes in 165 countries that serve members at the local level.

1

Attachment A

The Institute of Internal Auditors (IIA)

Response to International Auditing and Assurance Standards Board (IAASB)

RE: Comments on Exposure Drafts – Proposed Revisions to

ISA 315 Identifying and Assessing the Risks of Material Misstatement through

Understanding the Entity and Its Environment, and

ISA 610 Using the Work of Internal Auditors

Request for Specific Comments

The IAASB would welcome views on the following:

1. Do respondents believe it is appropriate to require the external auditor to make

inquiries of appropriate individuals within the internal audit function?

Yes, it will create synergies for both external audit (EA) and internal audit (IA). IA has a

broad scope of responsibilities providing assurance and consulting services to evaluate and

improve the effectiveness of governance, risk management and internal controls within its

organization. In addition IA assesses a wide spectrum of risks (financial reporting,

financial, operations, compliance, systems, strategic, etc.) and has unique insights,

perspectives and a holistic view of the organization.

However, we recommend that the IAASB replace the reference to appropriate individuals

within the IA function with “the Chief Audit Executive (CAE)” (e.g. ISA 315: 6.(a), A6a.

A6c., A102a., etc.). According to IIA Standard 2000 – Managing the Internal Audit

Activity and Standard 2050 – Coordination, the CAE has overall responsibility for

managing the IA function and coordinating activities with other internal and external

assurance providers. The CAE should be the primary contact and may designate individuals

responsible for interacting with EA.

If so, do respondents agree such a requirement is appropriately placed in ISA 315?

Yes. The requirement is appropriately placed in ISA 315.

2. Do respondents believe that appropriate factors have been proposed to be

evaluated by the external auditor in determining:

(a) Whether the work of the internal audit function can be used for purposes of the

audit engagement; and

(b) The planned use of the work of the internal audit function?

Yes, but the criteria presented are broad and may not be applied consistently.

2

General

It is appropriate for EA to rely on the work of IA where the objectives of the work are

in agreement. Cooperation between internal and external auditors is essential to ensure

that audit coverage is coordinated, enhanced, and duplicate efforts are minimized.

Assessment Framework and Key Factors

We support establishing a framework to aid EA to decide whether, and if so, to what

extent to use IA work. However, the draft judgment-based framework presented in ISA

610 does not promote consistent application in evaluating the key decision factors. The

framework would be improved by moving the expanded discussion in ISA 610 A.6 and

A.9 from the Application and Other Explanatory Material Section to the Requirements

Section.

We believe EA should require conformance with internationally recognized IA

professional standards and reference this conformance in their evaluation of IA practice.

A set of IA standards and professional guidance such as those incorporated in The IIA‟s

International Professional Practices Framework (IPPF) provides a clear benchmark and

expectation of what is necessary for an IA function to practice with the highest level of

professionalism. The IPPF is the only set of international IA standards for all industry

sectors and is well known around the world to EA and IA professionals alike, as well as

to others who rely on IA services. We have made suggestions where such references

would be helpful in the proposed ISAs.

The IPPF includes Mandatory Guidance (Definition of Internal Auditing, Code of

Ethics, and The Standards) and Strongly Recommended Guidance (Position Papers,

Practice Advisories, Practice Guides) for IA professionals. The Mandatory Guidance is

subject to a rigorous standard setting process, including public exposure. Stock

exchanges, regulatory agencies, credit and governance rating agencies in various

countries, and financial services industry regulators in particular, view compliance with

the IPPF as the hallmark of professionalism. When these agencies perform compliance

reviews, their assessment criteria include IA‟s compliance with the IPPF and the results

of IA‟s internal and external quality assurance and improvement programs.

We recognize that ISAs are laws in many countries and that the IAASB has been

reluctant to require IA functions to comply with the IPPF. However, there is no conflict

in recognizing the fact that the IPPF is the global practice framework for the IA

profession.

All the factors listed are appropriate factors for the framework.

3

Independence

Compliance with The Standards, coupled with positive results from the periodic

external quality assessment (EQA), provide good supporting evidence for IA‟s

independence and objectivity. ISA 610 makes several references to the lack of

independence of IA (e.g. paragraphs 6, 24, and A27). While it is not possible for

internal auditors to attain full independence from the organizations they serve as

required of EA in ISA 200, the Internal Audit Charter, the organizational status of IA,

and compliance with The Standards provide adequate safeguards to support IA‟s

objectivity. We recommend that ISA 610 acknowledges that these requirements are

appropriate safeguards.

Leveraging Compliance with IIA Standards 1300 - Quality Assurance and

Improvement Program

We believe that EA should leverage The IIA‟s IPPF and the results of an EQA where

applicable, instead of conducting its own assessment of the IA function. The very

factors that impact EA‟s decision to use and the extent of using IA work (e.g.

objectivity, organizational status, competency, etc.) are already embodied in the IPPF.

Further, IIA Standards 1300 - Quality Assurance and Improvement Program requires an

EQA be performed by an independent, qualified reviewer at least once every five years.

EQA assesses compliance with the IPPF and the ways in which IA continuously

improves to increase its effectiveness and add value to their organization. The scope is

far broader than the requirements in ISA 610 paragraphs 13 and 15. EQA includes

review of compliance with Mandatory Guidance, interviews with key stakeholders such

as those charged with governance, senior management, the CAE, audit management and

staff, as well as a review of policies, procedures, audit methodologies, and workpapers.

If the IA function complies with Standards 1300, has positive EQA results, and if there

were no major changes that impact the review results, this information should be

leveraged by the EA in determining whether and to what extent the work of IA can be

used.

We also concur with the objective to obtain sufficient evidence about IA as a whole,

rather than „test‟ each individual piece of work performed by the function. It is

appropriate for EA to verify the work of IA on a sample basis.

Application of the ISAs

ISA 315 addresses the understanding the EA obtains of an entity‟s internal audit

function and inquiries that the EA makes of IA to obtain information relevant to

external auditor‟s risk assessment. This ISA should be applicable even if the IA

function‟s responsibilities are not directly related to the entity‟s financial reporting.

(Also see paragraphs 22 – 24.) We believe that a strong ongoing relationship and two-

way communication between the EA and IA should exist regardless of whether the EA

plans to use the work of IA.

http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/standards-items/?C=3093&i=8251



4

3. Do respondents believe it is appropriate to require the external auditor to read

reports produced by the internal audit function relating to the work of the internal

audit function that is planned to be used by the external auditor?

Yes. It is not only appropriate but it should be mandatory to read the reports. This is

appropriately placed in ISA 610 paragraph 18 of the Requirements Section.

4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded

to address the matter of direct assistance?

Yes, it is desirable to expand the scope of ISA 610 to address direct assistance.

We believe that direct assistance should be undertaken when there are clear benefits for

both EA and IA. There are fundamental concerns with the practice of diverting IA

resources from providing assurance on governance, risk management and controls to

providing direct assistance on lower level work such as those listed in A.17 (checking

reconciliation, observing inventory counts, or reviewing transactions at insignificant

locations).

IA has a distinct and valuable role within the governance structure covering a broad

spectrum of risks in an organization, not just those related to financial reporting.

Providing direct assistance (without increasing corresponding audit resources) diverts

resources from IA‟s core roles and reduces the level of assurance and consulting

services provided to management and the board on the broader risks facing the

organization; it has the potential to weaken corporate governance.

The extent to which IA may provide direct assistance to EA is a resource allocation

decision that must be made by those charged with governance responsibilities and the

Chief Audit Executive (CAE) and not by the EA unilaterally. (See ISA 610 20. and

A24.) EA should provide cost benefit information to enable the responsible parties to

make informed decisions.

If so, do respondents believe that when obtaining the direct assistance of internal

auditors the external auditor should be required to:

(a) Consider the factors that have been proposed in determining the work that may be

assigned to individual internal auditors; and

Yes, if EA were to obtain direct assistance, the proposed factors should be considered.

Competence should also be evaluated at the individual level.

(b) Direct, supervise, and review the audit procedures performed by the internal

auditors in a way that recognizes they are not independent of the entity?

5

Regarding independence, it is appropriate to assess the level of organizational

independence as well as organization/individual objectivity that IA may have rather

than starting with the position that IA is not independent. (Please also refer to response

to #2, the section on Independence.)

If an IA function complies with IIA Standards 1300 – Quality Assurance and

Improvement Program and has had positive results from an independent EQA, such

results should be considered in EA‟s assessment. (Please refer to #2, the section on

Leveraging Compliance with IIA Standards 1300 - Quality Assurance and Improvement

Program.) EA should request a copy of the EQA from the CAE.

We believe that an IA function that complies with IPPF Standard 1100, and in

particular 1110, has the acceptable level of independence for the purposes of ISA 610;

its staff who provides Direct Assistance may not require a higher level of direction,

supervision and/or review due to the independence issue. This should be evaluated by

the EA and not assume a higher level of supervision is required.


5. Public Interest Concerns—Respondents are asked to address whether there are any

public interest concerns that have not been addressed.

We believe that "fraud risks" have relevance to both ISA 315 and ISA 610. We

recommend that these ISAs recognize the importance of fraud risks, the value of

cooperation between EA and IA, and encourage a collaborative work plan in this significant

area.

One of the most important "expectations gap" pertaining to the EA and IA

professions comes from how the “auditing profession" addresses "fraud

risks". Increasingly, regulators around the world are demanding the auditing profession

assume greater responsibility in this area, and provide a greater degree of assurance that the

financial statements are free of material misstatements relating to fraud and error.

Despite a global environment with a history of fraudulent financial reporting, there is often

a lack of cooperation and coordination between EA and IA in addressing fraud risk

assessment, risk mitigation strategies, fraud detection controls and remediation activities. If

done well, a coordinated brainstorming and fraud risk response strategy could go a long

way in closing this expectation gap and strengthening corporate governance.

6. Special Considerations in the Audit of Smaller Entities—Respondents are asked to

comment whether, in their opinion, guidance addressing special considerations in the

audit of smaller entities should be provided in the proposed revised ISAs. If so,



6

respondents are asked to explain why and to suggest the nature of any such

considerations.

While the IAASB recognizes that some small and medium sized entities (SMEs) may not

have IA functions, it may overlook the possibility that some organizations, particularly

SME‟s, use outsourced providers to meet IA needs. Some are concerned about EA

independence and that the governance structure could be weakened where EA and IA

services are delivered by the same provider.

It is desirable to give special considerations in the audit of SMEs, because risk exposure is

directly proportional to the complexity of an entity; risk profiles, appetite, tolerance,

controls, and audit risks could be very different from large organizations. Also, IA staff in

small-size organizations may have responsibilities that go beyond IA; this may impact their

independence and objectivity.

7. Special Considerations in the Audit of Public Sector Entities—Respondents are

asked to comment whether, in their opinion, special considerations in the audit of

public sector entities have been dealt with appropriately in the proposed revised ISAs.

Yes.

8. Developing Nations—Recognizing that many developing nations have adopted or

are in the process of adopting the ISAs, the IAASB invites respondents from these

nations to comment, in particular, on any foreseeable difficulties in applying the

proposed revised ISAs in a developing nation environment.

A foreseeable difficulty for implementation in developing nations is that IA practices may

not be at the maturity level for EA to place reliance on its work or obtain direct assistance.

For example:

- IA may not comply with IPPF in key areas such as independence, objectivity,

competency, application of a systematic and disciplined approach, quality controls,

etc.

- Conflicting regulatory requirements.

- Scarcity of financial resources.

- Weak compliance systems and processes.

- Language and translation issues.

9. Translations—Recognizing that many respondents intend to translate the final

revised ISAs for adoption in their own environments, the IAASB welcomes comment

on potential translation issues noted in reviewing the proposed revised ISAs.

There are no major issues in developed countries. Potential problems in developing

countries are:

- Limited financial resources.

- Lack of qualified translation resources for technical standards.

7

- Lack of understanding of the technical Auditing, Risk Management, and Control

terms of the ISAs.

- Lack of comparable terms in local languages.

10. Effective Date—Respondents are asked to comment whether, in their opinion, the

provisional effective date is appropriate for supporting effective adoption and

implementation of the proposed revised ISAs at the national level.

Yes, for developed nations but it would be more challenging for developing nations. There

is a need to allow sufficient time for translation and training.

Request for Comments on Analysis of Impacts

The IAASB is piloting the use of impact analyses. The impact analysis contained in

this Explanatory Memorandum shows the IAASB’s consideration of the potential

impacts of both the overall proposed revised ISA 315 and ISA 610 and the preferred

option for each key issue addressed during the development of the proposed revised

standards.

Narrative descriptions of this analysis are included in this Explanatory Memorandum

and presented in tabular format in the Appendix. The impact analysis in the

Appendix identifies who will be affected by the proposed revised standards and

preferred options, how, and to what extent they will be affected. It is important to

note that the impact analysis is intended to communicate the impact of the

incremental difference between extant and proposed revised ISA 315 and ISA 610, not

between current and future practice.

The IAASB would appreciate comments on the following matters:

11. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum

helpful to respondents in understanding the anticipated impacts of the IAASB’s

proposals?

It is a good concept, however, it would be extremely difficult to deliver a useful impact

analysis for the stakeholders because the extent to which entities will be affected varies

greatly among different countries, industries, regulatory environment, governance culture,

maturity levels of IA functions, scope of IA‟s responsibilities, sizes of the organization,

sizes of the IA function, etc.

12. Do respondents agree with the impact analysis as presented? Are there any other

stakeholders, or other impacts on stakeholders, that should be considered and

addressed by the IAASB?

Entity management, Boards, and those in charge of governance are additional stakeholders

that should be considered. From an impact standpoint, if IA provides direct assistance, IA

may need to increase staff size and staff mix.

8

13. Are there any changes to the narrative or tabular presentation of the impact

analysis that would be helpful to respondents?

See response to #11.


See response to #11.

Other Suggested Wording Changes (See Bold Red Letters)

ISA 315

6. (a) Page 20.

“Inquiries of management, of appropriate individuals within the internal audit function the

Chief Audit Executive (CAE) ….and of others within the entity, such as Legal Counsel,

Chief Regulatory Compliance Officer, Chief Ethics Compliance Officer, Head of

Investigation, etc.‖.

Add: new 6. (b.)

Review of pertinent prior year audit reports.

Change 6. (b) to 6. (c)

Change 6. (c) to 6. (d)

A6b. Page 21.

Due to the broad scope of IA activities on governance, risk management and control,

EA should be alert to the possibility that IA may identify issues relevant to financial

reporting on audits of other areas (e.g. in audit of the control environment, Code of

Ethics, corporate governance structure, risk assessment and monitoring processes,

etc. ) If, based on responses to the auditor‟s inquires, it appears that there are findings that

may be relevant to……….

22. Page 20.

……..including those related to those control activities relevant to the audit, and how the

entity initiates remedial implements actions to remediate its control deficiencies in its

controls.

23. Page 20

“…..the auditor shall obtain an understanding of the nature of internal audit function‟s

responsibilities, how the function fits in the entity‟s organizational structure, whether it

has access to senior management and those charged with governance, and the

activities………”

9

A101. Page 22.

We recommend that the ISA uses The IPPF‟s definition of internal auditing:

Internal Auditing is an independent, objective assurance and consulting activity

designed to add value and improve an organization’s operations. It helps an

organization accomplish its objectives by bringing a systematic, disciplined approach

to evaluate and improve the effectiveness of risk management, control, and

governance processes.

A102. Page 22.

“…….However, the responsibilities of the another audit function may be limited to focus

on evaluating the economy, efficiency and effectiveness of operations, for example, and

may not relate to the entity‟s financial reporting.”

A103. Page 23

“……that the entity has a well-established internal audit function (for example, one that

conforms with The IIA’s IPPF, one that is adequately resourced and has a direct reporting

relationship to those charged with governance).

A103b. Page 23

13. (a) becomes 13. (c)

………..Similarly, the external auditors should also bring information to the attention

of internal auditors that will enable internal auditors to add value to the

organization.”

ISA 610 5. Page 25

“The objectives of the internal audit function are determined by management and, where

applicable those charged with governance and/or management and may include

assurance...While the objectives of the IA function and the external auditor may be

different, an entity‟s internal audit function may perform…”

13. Page 27. Add:

New 13. (a) Whether the internal audit function conforms with internationally

recognized IA professional standards such as The IIA’s IPPF. If the answer is Yes,

obtain evidence of conformance.

New 13. (b) Whether the IA function is subject to a periodic external quality

assessment (EQA) as required by The IIA’s IPPF. If the answer is Yes, review the

most recent EQA result.

13. (a) becomes 13. (c)

13. (b) becomes 13. (d)

13. (c) becomes 13. (e)

10

If the answers are No, then proceed to 13 (c) – (e).

17. Page 28.

“If the external auditor plans to use the work ….. with the internal audit function CAE as

a basis for coordinating the respective activities. The external auditor and the CAE’s

designate should document the agreed upon scope, the nature and extent of work,

timing, roles and responsibilities regarding coordination and communication, and

other specific requirements.‖

A2. Page 30.

We recommend that the ISA uses The IPPF‟s definition of internal auditing. See comment

for ISA 315 A101. Page 22.

A3. Add a bullet

Review of IT systems that support the business and accounting processes.

A6. Page 31 and A9. Page 32

Recommend moving these entire sections to the Requirements Section under 13. (a),

13. (b), and 13 (c) on Page 27.

Add:

New first topic: Conformance with Professional Standards

Whether the internal audit function conforms with internationally recognized IA

professional standards such as The IIA’s IPPF. If the answer is Yes, obtain

evidence of conformance.

Whether the IA function is subject to a periodic external quality assessment

(EQA) as required by The IIA’s IPPF. If the answer is Yes, review the most

recent EQA result.

EA can use these evidences to meet the requirements in 13. (a) – (c)

A.14. Page 33.

Recommend moving to the Requirements section.

A15. Page 33.

Add first bullet point „EA reaches agreement with the CAE on coordination plan and

resource commitment in advance.’

Insert as second bullet point ―EA and IA conduct joint advanced planning.‖

Organizacion Internacional de Cornisiones de ValoresInternational Organisation of Securities CommissionsOrganisation internationale des commissions de va leursOrganizayao Internacional das Comissoes de Valore

December 2, 2010

Technical DirectorInternational Auditing and Assurance Standards Board545 Fifth Avenue, 14th FloorNew York, NY 10017

Re: Proposed International Standards on Auditing 315 (Revised), "Identifying and.Assessing the Risks of Material Misstatement through Understanding the Entityand Its Environment" and 610 (Revised), "Using the Work of Internal Auditors"

Dear Mr. Sylph:

The International Organization of Securities Commissions (lOSCO) Standing CommitteeNo. 1 on Multinational Disclosure and Accounting (SC 1) appreciates the opportunity tocomment on the Exposure Draft (ED) of proposed International Standards on Auditing(ISA) 315 (Revised), Identifying and Assessing the Risks ofMaterial Misstatementthrough Understanding the Entity and Its Environment and ISA 610 (Revised), Using theWork ofInternal Auditors. As an international organization of securities regulatorsrepresenting the public interest, IOSCO is committed to enhancing the integrity ofinternational markets through promotion of high quality accounting, auditing andprofessional standards.

Members of SC 1 seek to further IOSCO's mission through thoughtful consideration ofaccounting, auditing and disclosure concerns, and pursuit of improved global financialreporting. We direct our attention to professional standards that relate to auditing offinancial statements contained in documents filed with securities regulators or otherwisemade available to the general public. As we review proposed auditing standards, ourconcerns focus on whether the standards are sufficient in scope and adequately cover all

Calle Oquendo 1228006 MadridESPANATel.: (34.91)417.55.49 • Fax: (34.91)[email protected].• www.iosco.org

;~ '.

....~ ,~.,

I.f~

r.

concerns focus on whether the standards are sufficient in scope and adequately cover allrelevant aspects of the area of audit being addressed, whether the standards are clear andunderstandable, and whether the standards are written in such a way as to be enforceable.Our comments in this letter reflect those matters on which we have achieved a consensusamong the members of SC 1; however, they are not intended to include all comments thatmight be provided by individual members on behalf of their respective jurisdictions.

Views on Certain Key Issues in the Exposure Draft

Purpose ofthe Project

We welcome a project to update ISA 610 and provide additional coverage of howexternal auditors can appropriately and effectively use the work and information providedby a company's internal audit function to enhance the quality of an audit. We canappreciate the challenging task of revising an international standard given that there is adiverse range ofpractices around the world. Within SC 1, our members' jurisdictionshave varying practices regarding the use of internal audit by external auditors,particularly in regard to direct assistance.

In this comment letter, we outline several matters that we believe need to be addressedbefore the revisions to ISA 315 and ISA 610 are finalized. Some comments relate toclarifications needed, while others relate to additional content that is needed to addressgaps that we believe exist in the requirements and/or application section of the proposedstandard.

We recall that during discussions at previous CAG meetings mention was made oftheconcerns of regulators and users that use of a company's internal audit function shouldnot simply be a cost cutting measure. To this end, we would be extremely concerned ifthe motivation for using internal audit work was tied to a desire for cost reduction on thepart of either the issuer or the external auditor, rather than viewing use of internal audit asa tool to enhance audit quality. We believe it would be helpful for the Introduction in ISA610 to state that the auditor's judgment regarding use of internal audit should be basedupon a conclusion that such use will contribute to audit quality.

Preserving the Principle ofan Independent External Audit

We believe that information provided by a competent and objective internal auditfunction can provide valuable insight into an audited entity's business and be useful to anexternal auditor in assessing and addressing the risks of material misstatement in afinancial statement audit. However, we caution that an external auditor's use of theinternal audit function cannot be of a nature and extent that would be perceived byinvestors and other reasonable third parties to undermine the concept of "an independentexternal audit."

We recognize that internal auditors can add to the quality of an audit because they oftenhave valuable inside knowledge of the business, organization, and risks of the audited

2

entity. However, in the interest of high quality audits and investor confidence, it isimportant that there is a clear distinction between the roles of external auditors andinternal auditors and that the "independent external audit" is the product of the externalauditor's work. As such, external auditors must themselves perform sufficient proceduresin gathering and corroborating audit evidence in order to fulfill the external auditor's fullresponsibility for the audit opinion.

Because internal auditors are employees of the audited entity, they cannot by definitionbe considered independent in the sense that is required for members of an external audit .engagement team. Therefore any use made of internal audit employees and/or their workin the internal audit function must be made with careful evaluation of their competencyand objectivity, as well as with safeguards and with professional skepticism on the part ofthe external auditor.

We have a concern if an external auditor makes use of such internal audit work withoutassessing internal audit's qualifications in the way that would be comparable to workdone when using the work or reports of component auditors in an external audit. Inparticular, we would encourage the IAASB to include some mention in ISA 610paragraphs 13 and 14 of the factors that should be evaluated by the external auditor inassessing objectivity and competence in an internal audit function. In addition tomentioning the factors that are now covered only in Application Material paragraph A6,the coverage should address points such as whether the internal audit function possessesan understanding of the relevant external auditing standards applicable to their worksufficient to fulfill the internal audit function's responsibilities relating to the externalaudit; and whether the internal audit function possesses the special skills (for example,industry specific knowledge) necessary to perform the work related to the financialstatements. Also, the related Application Material paragraph A6 of ISA 610 might alsodescribe the independence requirements applicable to external auditors, to add emphasisas it discusses the importance of objectivity on the part of internal auditors.

External auditors should not rely on internal auditors with respect to the performance ofsignificant substantive procedures nor should the work of, or information supplied by, theinternal audit function be the sole source of audit evidence in any area of the audit that ismore than low risk or is otherwise significant to the audit. Using the work of internalaudit in any way that could potentially cause such work to be substituted for externalaudit procedures to an inordinate degree, or that could lead to accepting such workwithout the professional skepticism that would be applied to information supplied byother employees ofthe audited company is unacceptable. We would be very concerned ifoveruse or inappropriate use was made of information or work of the internal auditfunction.

To this end, paragraphs 18, 19 and A 17 of ISA 610 should be supplemented withadditional safeguards for using the work of internal audit in partial substitution for auditevidence to be gathered directly by the external auditor. Safeguards should include all ofthe following:

3

1. For work performed by internal audit that is to be relied upon by the externalauditor, the external auditor should independently reperform procedures and besatisfied that there is minimum variation of the results.

2. The totality of procedures performed by internal audit and used by the externalauditor should not be material to the financial statements of the audited entity.

3. Work performed by internal audit and relied upon by the external auditor shouldnot include matters that involve high risk or a high need for judgment.

Paragraph 19 of ISA 610 addresses the external auditor's evaluation of the adequacy ofaudit work after a decision has been made to use such work. We believe that mentionshould also be made of assessing the apparent objectivity of the work performed.

Various Uses ofthe Internal Audit Function by External Auditors

Upon reading the ED, it appears that the Board's focus on the subject of direct assistancehas resulted in the standard discussing direct assistance to some length, but providinginsufficient coverage of other potential uses of the internal audit function. In practice, weunderstand that external auditors could be making use of the internal audit function invarious ways in risk assessment procedures and/or in gathering audit evidence inconducting the audit. As .such, we believe that the proposed revisions to ISAs 315 and610 should provide a more comprehensive coverage regarding the difference betweenusing the work of an internal audit function for risk assessment and to providebackground information to inform the design of external audit procedures, versus usinginternal audit information and work as a partial replacement for external audit proceduresperformed by the external auditor. The following are examples of various ways in whichit appears that the work or information of a company's internal audit function couldpotentially be used:

1. The external auditor makes use of the internal audit function through making inquiriesof the chief audit executive or other head of a company's internal audit function, as wellas making inquiries of other managers and employees within the internal audit function;

2. The external auditor reads reports of work that internal auditors have performed whilecarrying out their internal audit functions during the period, or reviews other internalaudit documents as a means to inform the external auditor's work;

3. Ifregulatory requirements permit, the external auditor, after appropriate review,decides to use reports or other work that has been performed by internal audit during theperiod in partial substitution for audit evidence to be gathered directly by the externalauditor; and/or

4. If regulatory requirements permit, the external auditor uses staff members of theinternal audit function to perform certain audit procedures under the direct supervision ofthe external auditor, i.e., in what is termed "a direct assistance capacity" as described inthe ISA. .

4

We noted that the phrase "using the work of internal audit" (or variations thereof) is usedthroughout the ED, without making it clear when the intent is to refer not only to directassistance but also to one or more of the other uses of the internal audit functiondescribed above. We request that the Board be more specific as to which type of use it isreferring to when using the term "using the work of internal audit" as the various types ofuse may each carry a different level of risk with respect to the external audit and warrantseparate requirements and guidance. We believe that an ISA on use of internal auditshould provide specific coverage on provisions and safeguards for each type of use.

The Explanatory Memorandum within the ED outlines rationale for and the benefits to bederived from the changes in these two ISAs, as well as their perceived effects; however,coverage in an Explanatory Memorandum may be lost when the ISAs are finalized. Webelieve that the ISA 315 and 61 a standards themselves should say more about whyexternal auditors might or might not wish to use the work of the internal audit function(in its various forms of use) including both the risks and benefits ofusirig such work.That language should be included in the body of the standard to support clear andunderstandable requirements for making appropriate judgments regarding the use ofinternal audit functions.

Reperformance

Paragraph A2a ofISA 61 a states that "while it is not necessary for the external auditor todo some reperformance in each area of work of the internal audit function that is beingused, reperformance of some of such work provides a stronger form of evidenceregarding the adequacy of the work of the internal audit function for purposes of theaudit. Accordingly, in most circumstances, some reperformance of such work will beappropriate. Moreover, the external auditor is more likely to focus reperformance in thoseareas where more judgment was exercised by the internal audit function."

We believe that this paragraph is too vague and soft with respect to reperformanceneeded when using the work of internal auditors in a "direct assistance" role or in anyother capacity. This paragraph does not provide sufficient guidance for whenreperformance should be performed. This could result in inadequate quality control andsupervision. Further, we are concerned that making no mention of the risk of materialmisstatement in discussing areas where an external auditor might focus reperformancework could leave the reader with the impression that this risk is not an important factor.

We believe that the guidance in the ISA should be strengthened to ensure that theexternal auditor tests the internal auditor's work both at the financial statement level andat the assertion level for all classes of transactions, account balances and disclosures ifsuch internal audit work is used by the external auditor in a direct or "indirect assistance"capacity. To accomplish this, it may be necessary to address this subject in theRequirements section as well as in the Application Material section.

Direct Assistance

5

Paragraph 8 of ISA 610 states "in some jurisdictions the external auditor may beprohibited, or restricted to some extent by law or regulation, from using the work of theinternal audit function, from obtaining direct assistance from internal auditors, or fromcommunicating with the internal audit function to the extent contemplated in this ISA."In light of this, we believe it would be prudent for the Board to make explicit mentionwithin ISA 610 paragraph 8 of the independence concerns that drive such restrictions,including both the threat of the internal audit function auditing its own work, and the factthat internal auditors are employees of the audited entity.

We are aware that there are some jurisdictions that have national standards on auditingthat contain specific procedures on direct assistance. We would encourage the Board,when finalizing ISA 610, to consider whether these national standards contain anyadditional conditions, safeguards, or guidance that would further strengthen the finalversion of the standard.

As a further comment relating to use of internal audit staff in a direct assistance capacitywhere permitted, our members believe that such use of the internal audit staff should belimited to areas oflower risk and/or lesser necessity for judgment, and limited controltesting procedures that support the external auditor's assessment of internal controlswhen doing risk assessment.

Paragraph 22 (c) of ISA 610 implies that when obtaining direct assistance one of thefactors to be considered in determining the work that may be assigned to individualinternal auditors is the amount ofjudgment involved in planning and performing relevantaudit procedures. With only "judgment" mentioned in this paragraph, we are concernedthat external audit procedures relating to areas of more than lower risk could be assignedto internal auditors if they are not deemed to involve making significant judgments. Webelieve that the risk of material misstatement should be included as a factor in thisparagraph.

Paragraph 24 onSA 610 states that "the level of supervision and review shall recognizethat internal auditors are not independent of the entity." We believe it should be explicitlystated in this requirement that significant supervision is needed in view of the fact thatinternal auditors are employees of the audited entity, and that the supervision shouldinclude some reperformance of the internal auditor's work.

External Auditor's Consideration ofRisk Factors

Paragraph 15 onSA 610 states that "in determining the planned use of the work oftheinternal audit function, the external auditor shall consider: ... (c) the amount ofjudgmentinvolved in:

(i) Planning and performing relevant audit procedures for particular classes oftransactions, account balances and disclosures; and

(ii) Evaluating the audit evidence gathered by the internal audit function insupport of the relevant assertions."

6

? .

We believe the use ofboth significant judgment and a significant level of risk should beincorporated into the requirements throughout the body of the standards as appropriatesince there may be audit areas in which the level of risk should be considered withoutregard to the amount ofjudgment involved. In particular paragraph 15 of ISA 610 shouldbe expanded to include a bullet point "(d)" that could then address the risks that arejudged to exist in the areas where use of internal audit work is contemplated, and providethat the external auditor's involvement should be greater in areas that have more thanminimal risk. Further, the lead sentence of paragraph 15 ofISA 610 which states that "indetermining the planned use of the work of the internal audit function, the externalauditor shall consider. .. " would be clearer and more specific if it says "the auditor shalldetermine the planned use of the work of the internal audit function and shall theretodetermine... "

We also believe that both paragraph A6b of ISA 315 and the application material of ISA610 should contain a specific requirement for the external auditor to follow up onnegative information or concerns that are communicated to the audit engagement team byinternal auditors, which may be indicative of a heightened risk of a material misstatementof the financial statements or a material change in the external auditor's risk assessment,regardless of whether or not the external auditor initiated the inquiry. In addition, theexternal auditor should take a more proactive approach in seeking and understanding anysuch findings or concerns that the internal audit function may be privy to. We realize thatISAs do not have this specific provision for negative information or concerns that arecommunicated by non-internal audit employees. However, we think the same principleshould apply to information presented by other individuals within the company outside ofthe internal audit function and the principle should be evaluated with respect to otherISAs.

Paragraph A6c of ISA 315 defines appropriate individuals within the internal auditfunction as "those who have the appropriate knowledge, experience, and authority, suchas the chief internal audit executive." We think this is too narrow a designation and thetitle used may not be universally recognized. Inquiries can and should be made of otherswithin an internal audit function in both planning and conducting the audit, as numerousinternal audit individuals may have relevant information that would assist the externalauditor in identifying and addressing risks of material misstatement. As such, werecommend the sentence be expanded to include "those who have the appropriateknowledge, experience, and authority, such as the chief internal audit executive or otherhead of internal audit and other managers and employees within the internal audit staff."

Gap With Respect to Decisions on Whether or Not to Use the Internal Audit Function

Paragraph 2 of ISA 610 states that "this ISA addresses the use of the work of the internalaudit function when the external auditor expects to use the work of the function to modifythe nature or timing, or reduce the extent, of audit procedures to be performed" andfurther states that "the external auditor need not apply this ISA if the external auditordoes not expect to use the work of the internal audit function to modify the nature ortiming, or reduce the extent, of audit procedures to be performed." These statements

7

appear to leave a gap in having coverage in ISAs regarding the external auditor'sdetermination of whether to use the work of the internal audit function. Althoughparagraph 13 later in ISA 610 provides some brief coverage, the sequence of thisparagraph in relation to paragraph 2 in ISA 610 and the manner in which ISA 610 is titledand prefaced makes the content of paragraph 13 inconsequential. In addition, theproposed change to paragraph 23 of ISA 315 does not include any requirement orguidance on determining whether or not to use the internal audit function. In order toprovide necessary coverage for this decision, paragraph 13 of ISA 610 should be broughtforward and incorporated into paragraph 2 of ISA 610. Further, we recommend ISA 315include language regarding determination requirements consistent with extant ISA 315paragraph 23 to address the gap in ISA coverage of important and relevant judgment anddecision making.

Language Used In the Standard

We believe that paragraphs 14 and 21 ofISA 610 should be expressed more directly andin the positive form rather than the negative. For example, paragraphs 14 [and 21] of ISA610 which states that "the external auditor shall not use an internal audit function [shallnot obtain the direct assistance of an internal auditor] where there is either a low degreeof objectivity or a low degree of competence" can be revised to read "the external auditorshall only use the work of the internal audit function to substitute for the work of theexternal audit engagement team [shall only obtain direct assistance] if the internal auditfunction has both a high degree of objectivity and a high level of competence."

Definition ofInternal Audit and Interaction between Internal Auditors and ExternalAuditors

Prior to paragraph A2 of ISA 610, there is a heading "Relationship between the InternalAuditors and the External Auditor." However, it is only the activities of the internal auditfunction that are currently mentioned. We believe that this section should be enhanced byincluding the role and responsibilities of both the internal auditor and the external auditorand how they should interact.

Paragraph A2 of ISA 610 defines "Internal Auditing" as assurance and consultingactivities within an entity designed to evaluate and improve the effectiveness of theentity's risk management, internal control, and governance processes. We believe thedefinition should be expanded to include the role of internal audit with respect toeffectiveness of the financial reporting process, as this is not an uncommon role for theinternal audit function.

Paragraphs A8-A9 of ISA 610 provides examples of a "systematic and disciplined"approach. However, as the term "systematic and disciplined" is not defined or discussedin the Requirements section ofthe standard it is unclear what criteria would apply. Wesuggest that further discussion and/or some examples of approaches or criteria forapproaches that would encompass what is intended by the term be provided particularlyas 1) the Explanatory Memorandum states "the IAASB believes recognition of the fact

8

that the internal audit function applies a systematic and disciplined approach isimportant" and 2) the term is used throughout the ED.

In addition to the general comments we have made in the preceding text, Appendix Acontains our responses to specific questions included in the ED.

Thank you for the opportunity to comment on this ED. If you have any questions or needadditional information regarding this comment letter, you may contact me or Nigel Jamesat 202-551-5300.

Sincerely,

·C. z:..o-~VA. ErhardtChairIOSCO Standing Committee No.1

9

Appendix A:

Responses to Specific Questions in the Exposure Draft

1. Do respondents believe it is appropriate to require the external auditor to makeinquiries of appropriate individuals within the internal audit function? If so, dorespondents agree such a requirement is appropriately placed in ISA 315?

Please refer to our comments made under the headings "External Auditor's Considerationof Risk Factors" and "Preserving the Principles of an External Audit."

2. Do respondents believe that appropriate factors have been proposed to beevaluated by the external auditor in determining:(a) Whether the work of the internal audit function can be used for purposes of theaudit engagement; and(b) The planned use of the work of the internal audit function?

We believe there is a gap in needed coverage in these ISAs. Please refer to ourcomments under the headings "Preserving the Principle of an Independent Audit","External Auditor's Consideration of Risk Factors" and "Gap With Respect to Decisionson Whether or Not to Use the Internal Audit Function" in the body of our letter.

3. Do respondents believe it is appropriate to require the external auditor to readreports produced by the internal audit function relating to the work of the internalaudit function that is planned to be used by the external auditor?

This question seems to place an undue focus or emphasis on external auditors onlyreading the reports of internal auditors when the external auditor has made a decision touse the work of the internal audit function in one or more specific areas. We believe theexternal auditor should be encouraged to read reports of internal auditors when makingrisk assessment judgments and to follow up on other information that may be indicativeof a material misstatement volunteered by internal auditors as part of the externalauditor's risk assessment, regardless of whether the external auditor intends to use thework of the internal audit function in particular areas.

4. Do respondents believe that it is desirable for the scope of ISA 610 to be expandedto address the matter of direct assistance? If so, do respondents believe that whenobtaining the direct assistance of internal auditors the external auditor should berequired to:(a) Consider the factors that have been proposed in determining the work that maybe assigned to individual internal auditors; and(b) Direct, supervise, and review the audit procedures performed by the internalauditors in a way that recognizes they are not independent of the entity?

10

Please refer to our comments made under the headings "Direct Assistance" and "VariousUses of the Internal Audit Function by External Auditors" in the body of our letter.

5. Public Interest Concerns - Respondents are asked to address whether there areany public interest concerns that have not been addressed.

We believe there is a distinction between the roles of external auditors and internalauditors that is important to preserve, and that the concept of an "independent externalaudit" means that the audit must be the product of that external auditor's work. As such,external auditors must themselves perform sufficient procedures in gathering andcorroborating audit evidence to reflect the external auditor's full responsibility for theaudit opinion. External auditors should not rely on internal auditors with respect to theperformance of significant substantive procedures or utilize internal audit evidence as thesole evidence in any area of the audit. Please refer to our comments under the heading"Preserving the Principle of an Independent External Audit"

We also believe that it is important that each potential use of the internal audit functionby external auditors be clearly articulated or adequately explained in the ED asmentioned under the heading "Various Uses of the Internal Audit Function by ExternalAuditors" in the body of our letter.

6. Special Considerations in the Audit of Smaller Entities - Respondents are askedto comment whether, in their opinion, guidance addressing special considerations inthe audit of smaller entities should be provided in the proposed revised ISAs. If so,respondents are asked to explain why and to suggest the nature of any suchconsiderations.

We have no comment to provide in this area.

7. Special Considerations in the Audit of Public Sector Entities-Respondents areasked to comment whether, in their opinion, special considerations in the audit ofpublic sector entities have been dealt with appropriately in the proposed revisedISAs.


8. Developing Nations - Recognizing that many developing nations have adopted orare in the process of adopting the ISAs, the IAASB invites respondents from thesenations to comment, in particular, on any foreseeable difficulties in applying theproposed revised ISAs in a developing nation environment.


9. Translations - Recognizing that many respondents intend to translate the finalrevised ISAs for adoption in their own environments, the IAASB welcomes

11

comment on potential translation issues noted in reviewing the proposed revisedISAs.

The use of the word "consider" throughout the ED can be difficult to translate in certainlanguages.

In addition, translation is more challenging where long sentences are used. As such, theuse of short sentences should be used where practical.

10. Effective Date-Respondents are asked to comment whether, in their opinion,the provisional effective date is appropriate for supporting effective adoption andimplementation of the proposed revised ISAs at the national level.

The provisional effective date seems reasonable, though the date for the Approval ofFinal Revised Standard may be an aggressive timeframe considering the potential forvarying views.

11. Is the analysis of impact presented in Section 4 of this ExplanatoryMemorandum helpful to respondents in understanding the anticipated impacts ofthe IAASB's proposals?

The Explanatory Memorandum provides useful background information to accompanythe ISAs. However, we suggest that the Explanatory Memorandum, including the impactanalysis, be expanded to address the effect of the ISAs on additional stakeholders such asaudit committees, investors, issuers and regulators as it currently only addresses theimpact on external auditors, internal audit functions/internal auditors and audit oversightbodies.

12. Do respondents agree with the impact analysis as presented? Are there any otherstakeholders, or other impacts on stakeholders, that should be considered andaddressed by the IAASB?

See comments in 11 above.

13. Are there any changes to the narrative or tabular presentation of the impactanalysis that would be helpful to respondents?




12

1 of 19

Building 2 Greenstone Hill Office Park Emerald Boulevard Modderfontein PO Box 751595 Garden View 2047 Johannesburg South Africa

Tel 087 940 8800 Fax 087 940 8873 E-mail [email protected] Docex 158 Johannesburg Internet www.irba.co.za

15 November 2010

Submitted electronically to [email protected]

Mr James Gunn

Technical Director

International Auditing and Assurance Standards Board

545 Fifth Avenue

New York

10017 USA

Dear James,

Proposed International Standards on Auditing: ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity, and its Environment, and ISA 610 (Revised), Using the Work of Internal Auditors The Independent Regulatory Board for Auditors (IRBA) is the Audit Regulator and National Auditing Standard Setter in South Africa. It has as one of its statutory objectives the protection of the public by regulating audits performed by registered auditors, and the promotion of investment and employment in the Republic.

We appreciate this opportunity to comment on the Proposed ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISA 610 (Revised), Using the Work of Internal Auditors, developed by the International Auditing and Assurance Standards Board (IAASB). We understand the aims of the IAASB to enhance external auditors’ performance, by enabling them to better consider and leverage, as appropriate, the knowledge of entities’ internal audit functions in making risk assessments in external audits, and by providing a stronger framework for the evaluation of, and, where appropriate, using the work and assistance of entities’ internal auditors.

Our comments set out below have been prepared by a Task Group of the Committee for Auditing Standards (CFAS), the committee responsible for standard setting in SA. The Task Group was representative of auditors as well as non – auditors. Our comments also reflect the IRBA’s views as the Audit Regulator in South Africa.

Our comments comprise three sections:

1. Overall Comments;

2. Responses to specific comments requested by the IAASB; and

3. Suggested changes to specific paragraphs.


Kindly e-mail our Director: Standards at [email protected], or phone Direct Line: +27 87-940-8871 and Cell phone: +27 82 322 6324 if clarity is required on any of our comments or if she is able to assist in any way.

Yours sincerely,

Bernard Peter Agulhas

Chief Executive Officer

2 of 19


1. Overall Comments 1.1. We consider Revised ISA 610, Using the Work of Internal Auditors, as an important

standard that is applied by many auditors in South Africa who audit listed companies and public sector entities which are required by legislation or regulation, and in terms of good governance practices to establish audit committees and internal audit functions. Such entities are more likely to have internal audit functions that have matured over the past years. Consequently, the proposed amendments have a direct bearing on the IRBA’s functions as both the National Standard Setter and Audit Regulator in South Africa.

1.2. A trend that is evident in South Africa is the engagement of external providers of internal audit services, many affiliated to external audit firms, who may be regarded as being more independent of the entity than an internal audit function established within the entity. Our Code of Professional Conduct does not permit an external auditing firm to provide both internal audit services and external audit services to an audit client.

1.3. We are aware that external auditors are placed under increasing pressure from management of entities subject to audit, to take account of work performed by internal auditors in order to avoid “apparent” duplication of work performed and to “reduce” the costs of external audit. This should not be done at the risk of material misstatements in financial statements going undetected by the external auditors, thereby undermining audit quality and the important role of the independent audit, and affecting audit opinions expressed by external auditors.

1.4. The draft ED provides that the external auditors may assign external audit work to individual internal auditors, applying similar considerations to those used in determining what reliance should be placed on the work of the internal audit function. It therefore seems that external audit procedures relating to areas of significant risk could be assigned to internal auditors if they are not deemed to involve making significant judgments.

1.5. No re-performance of any such work undertaken by internal auditors under the direction and supervision of the external auditors is required. Instead, “the level of direction, supervision and review shall recognize that internal auditors are not independent of the entity” (proposed ISA 610 paragraph 24). Paragraph A27 indicates that: “.. the direction, supervision or review of the procedures performed by the internal auditors will ordinarily be more extensive than if members of the engagement team perform the work”. In contrast, the PCAOB’s AS5 (paragraph 27) requires that “when direct assistance is provided, the auditor should … supervise, review, evaluate and test the work performed by internal auditors to the extent appropriate in the circumstances”.

1.6. We have concerns that as internal auditors are not subject to the same academic training and training in the important areas of professional scepticism and professional judgment (ISA 200), disciplinary actions, and code of professional ethics as external auditors, the considerations in evaluating their competence in providing direct assistance as required by paragraph 22(a) of ISA 610 could be far more onerous than when the external auditor is considering the objectivity and competence of the internal audit function in relevant areas where the auditor intends to use the work of the internal audit function. It may be helpful for the second bullet point to ISA 610 paragraph A9 be extended to include:

1.6.1. Whether the internal audit function has appropriate quality control policies and procedures, for example such as those policies and procedures in ISQC1 that would be applicable to an internal audit function, including those relating to leadership,

3 of 19

human resources, and engagement performance and such other appropriate requirements as may be established by a professional body for internal auditors.

1.7. An audit firm would apply far more stringent considerations in employing or assigning audit team members, beyond considering simply the objectivity and competence of the individual. Direction, supervision and review procedures of individual audit team members are not aimed at addressing these considerations (refer to ISQC 1 paragraphs A34 – A35 and ISA 220 paragraphs A13 – A 19) so they will not substitute for a lack in training, knowledge of professional auditing standards and a code of professional ethics on the part of individual internal auditors. It can also never be a substitute for the lack of independence of an internal audit function. When the external auditor plans to use the work of the internal audit function, different considerations are applied, such as competence, experience, and their methodology, in addition to its independence, in meeting its internal audit objectives.

1.8. The proposed Revised ISA 610 deviates from the other ISAs in the sense that it no longer links the auditor’s procedures to the level of risk of material misstatement. Rather, it requires the auditor to base his procedures on the assessment of the level of judgment applied by the internal auditor when auditing a particular account balance or transaction. We consider this to be a major deviation from the IAASB’s risk based standards which could increase detection risk and might result in an inappropriate audit opinion.

2. Request for Specific Comments 2.1. Drafting Convention 2.1.1. The following convention is used throughout in respect of our comments on the

proposed ISA 610 (Revised) and the related enhancements proposed to ISA 315 (Revised):

• Italics – Words in italics indicate extracts from ISA 610 and/or ISA 315, as appropriate.

• Strikethrough – Words in strikethrough indicate deletions we are proposing to ISA 610 and/or ISA 315, as appropriate.

• Underline - Words underlined indicate insertions we are proposing to ISA 610 and/or ISA 315, as appropriate

2.2. Request for specific comments

Question 1 Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315?

2.2.1. Response We agree that it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function, as it may enable the external auditor to better understand and leverage, as appropriate, the knowledge and findings of the entity’s internal audit function in the auditor making risk assessments.

The proposed requirement in paragraph 6(a), now elevated from paragraph A6 of the Application Material in the existing ISA 315, appears to assume the internal audit

4 of 19

function is located within the entity and hence cannot be regarded as “independent”. There is no guidance for circumstances where the internal audit “function” may be outsourced to an “independent” internal audit service provider, whose appointment and scope of work might be approved by the audit committee of the entity. We recommend the inclusion of a reference to paragraph 6(a) (paragraph 7(a) after renumbering) in the aforementioned paragraphs as paragraph 6(a) specifically refers to enquiries made of appropriate individuals within the internal audit function:

• A102a. “The auditor’s inquiries of appropriate individuals within the internal audit function in accordance with paragraph 6(a) of this ISA…”

• A102b. “The information obtained from the auditor’s inquiries in paragraph 6(a), and the understanding…”

Depending on the scope of work performed by the entity's internal audit function, the external auditor’s inquiries may provide access to a wealth of information that is both relevant to the audit and important for the auditor to understand the entity’s business.

We do, however, foresee that in certain instances it would be inefficient and ineffective to be required to make such inquiries of individuals within the internal audit function, for example, where activities of the internal audit function are limited and may relate only to the review of the economy, efficiency and effectiveness of operating activities, and its activities remain unchanged each year. In terms of the new requirement the auditor is required to make inquiries even if there is no reasonable prospect of obtaining any information that will assist the auditor in his/her risk assessment. Whilst the benefits of including this requirement will far outweigh any inefficiencies which may potentially be experienced, it is assumed that paragraph 2 of the proposed ISA 610 will apply where the external auditor need not apply this ISA if the external auditor does not expect to use the work of the internal audit function.

We agree that such requirement is appropriately placed in paragraph 6 of ISA 315.

Question 2 Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining:

(a) Whether the work of the internal audit function can be used for purposes of the audit engagement; and


2.2.2. Response We have a number of concerns regarding some of the factors to be considered in determining whether, and to what extent, to use the work of the internal audit function as set out in paragraphs 13 to 16 of the proposed ISA 610 and related application guidance.

2.2.2.1. Evaluating the objectivity and competence of the internal auditors

Paragraph 13(a) requires the auditor, in determining whether the work of the internal audit function can be used for purposes of the audit, to evaluate the “extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors”. Whilst this is appropriate in principle, it is then linked to paragraphs 14(a) and (b) and 15(a) that require the auditor to evaluate the “degree of objectivity and level of competence” of the internal audit function. Objectivity is a state of mind and cannot be evaluated by the auditor without some

5 of 19

evidence of how it has, or has not, been exercised. Similarly levels of competence cannot be assessed by the external auditor without some objective basis for determining what levels are appropriate, relative to the procedures performed by individual internal auditors and the perceived competence of the internal audit function.

What the external auditor can be required to a do, from a review of the policies and procedures of the internal audit function and / or based on prior experience of the internal audit function, is to identify significant threats to the objectivity of the internal audit function or individual internal auditors employed therein. For example, if any internal auditors are engaged in a management role or are performing operational duties or functions outside of the internal audit function this fact would be regarded as a threat that is so significant to the objectivity of the internal auditors that it would preclude the external auditors from using the work of the internal audit function.

2.2.2.2. Effective systematic and disciplined approach

Paragraph 13 requires that the auditor shall determine whether the work of the internal audit function can be used for purposes of the audit by evaluating the matters in paragraphs 13 (a), the extent of support for objectivity, (b) the level of competence and (c) whether there is a systematic and disciplined approach. There is no reference in the requirement as to whether the systematic and disciplined approach is effective and results in reasonable conclusions being drawn by the internal audit function.

Although paragraphs 14(a) and 14(b) refer to the consequences of the auditor’s evaluation of paragraph 13(a) and 13(b), no reference is made to the consequence of the conclusion drawn by the external auditor’s evaluation of the requirement in paragraph 13(c). This should be inserted as paragraph 14(c).

Consequently, it is suggested that, to address our concerns regarding objectivity and systematic and disciplined approach, paragraphs 14 and 15 be amended to reflect that:

14. The external auditor shall not use the work of the internal audit function if the external auditor concludes on the basis of the evaluation in paragraph 13 that:

a) There are significant threats to the objectivity of the internal auditors, regardless of the level of competence; or

b) It has a low level of competence, regardless of its degree of the level of threats to the objectivity of the internal auditors; or

c) It does not have an effective systematic and disciplined approach, including appropriate quality control.

The related Application and other Explanatory Material in A6 for paragraph 14 should be expanded to include:

• “where internal auditors are engaged in a management role, or are performing operational duties or functions outside of the internal audit function, there is an underlying presumption that such activities would represent too significant a threat to the objectivity of the internal auditors to enable the auditor to use the work of the internal audit.”

2.2.2.3. Determining the Planned Use of the Work of the Internal Audit Function

In line with the above comments, we recommend that paragraph 15 be amended as follows:

15: In determining the planned use of the work of the internal audit function, the external auditor shall consider:

(a) The external auditor’s evaluation of the significance degree of threats to the objectivity of the internal auditors and the level of competence of the internal audit function;

6 of 19

2.2.2.4. Conforming changes will be required to the related application material

Paragraph A8 appears to view the application of a “systematic and disciplined approach” as the important characteristic that distinguishes the activities of the internal audit function from other “monitoring control activities” performed within the entity. There is no indication, however, of who performs the monitoring of the internal audit function and whether this is performed as “quality control activities” by management, the audit committee or by persons within the internal audit function. What distinguishes the internal audit function from other monitoring controls in the entity is that the internal audit function, in addition to applying a systematic and disciplined approach, is competent and has sufficient support to ensure the objectivity of the internal auditors. This would better align with the suggested changes to paragraphs 14 and 15 above. Paragraph A8 could clarify this better, by being reworded as follows:

“A8. The application of a systematic and disciplined approach is an one of the important characteristics that, taken together with evidence to support the objectivity of the internal auditors and the competence of the function, distinguishes the activities of the internal audit function from other monitoring control activities that may be performed within the entity.”

2.2.2.5. Risks of material misstatement

Whilst paragraph 15, in identifying matters to be considered by external audit when determining the planned use of the work of the internal audit function correctly includes consideration of: objectivity, competence, relevance of nature and scope of work performed or to be performed to the audit strategy and plan and amount of judgement involved, it does not deal with the risk of material misstatement of particular classes of transactions or balances. We believe that this important consideration should be inserted as paragraph 15(d), which could be worded as follows:

15(d) The assessed level of risk of material misstatement in respect of the particular transactions or balances that are being audited.

2.2.2.6. Direct performance of procedures by the external auditor

Moreover, the higher the assessed level of risk of material misstatement is, the more persuasive the audit evidence required by the external auditor will be to gather sufficient appropriate audit evidence to support significant professional judgements made. In such circumstances the external auditor should perform more of the work directly regardless of the external auditor’s decision to use the work of the internal audit function. We believe that paragraph 16 does not make this sufficiently clear and suggest it be reworded as follows:

16 Because the external auditor has the sole responsibility for the audit opinion expressed, the external auditor shall consider directly perform procedures to the extent considered necessary to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the external auditor’s opinion on the financial statements. The external auditor shall not use the work of internal audit function as a basis to make significant professional judgements in the audit engagement.

(a) Make the significant judgements in the audit engagement; and

(b) Plan to directly perform sufficient procedures to be able to draw reasonable conclusions on which to base the external auditor’s opinion,

Regardless of the external auditor’s decision to use the work of the internal audit function. (Ref: Para. A13)

7 of 19

2.2.2.7. Sample sizes

As part of the external auditor’s assessment of whether and to what extent the work of the internal audit function can be used, one of the factors that would have a bearing on the external auditor’s decision is the sample sizes used.

Should the sample sizes used by the internal audit function be substantially smaller than the sample size that the external auditor would use in performing the audit procedures, it would result in an increased likelihood that the work performed by the internal audit function would not be sufficient for purposes of reliance thereon by the external auditor as the external auditor would need to perform additional ‘top-up’ testing, which is likely to be inefficient.

In addition, the external auditor would also be interested in understanding the follow up action that was taken by the internal auditor in respect of any exceptions noted, as well as what action, if any, management has taken to address the exceptions so noted. Consequently the following additions to the Application guidance in A14 are suggested:

In discussing the planned use of their work with the internal audit function as a basis for coordinating the respective activities, it may be useful to address the following:

• The timing of such work; • The extent of audit coverage; • Materiality for the financial statements as a whole (and, if applicable, materiality

level or levels for particular classes of transactions, account balances or disclosures), and performance materiality;

• Proposed methods of item selection and sample sizes; • Documentation of the work performed; and • Review and reporting procedures; and • Actions taken by management and internal audit to resolve the exceptions

noted.

2.2.2.8. Definitions

The proposed ISA 610 does not contain a “Definitions” section, unlike the other ISAs. We also note that the concepts of the degree of objectivity and level of competence of the internal audit function (referred to in ISA 610 paragraphs 13 – 15) are not defined in the Glossary of Terms to the ISAs. Nor is any reference made to the IFAC Code of Ethics where the concept of independence, objectivity and professional competence and due care, as well as consideration of the conceptual underpinnings to threats that would impair the independence of an external auditor and appropriate safeguards are compatible with the intent of the proposed amendments.

Question 3 Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor?

2.2.3. Response Yes, we believe it is appropriate to require the external auditor to read those reports produced by the internal audit function relating to the work of the internal audit function that the external auditor plans to use. Reports produced by the internal audit function serve as evidence of the conclusions reached as a result of the work performed by the function.

8 of 19

We also believe that it should be a requirement in ISA 315, possibly inserted as a new paragraph 6(b), that where, based on the auditor’s inquiries or consideration of matters raised with the audit committee, it appears the internal audit function has identified matters that might give rise to a risk of material misstatement at the financial statement and assertion level, the external auditor shall read any related internal audit reports.

Paragraph A18 of the proposed revisions to ISA 610 states that, in order to appraise the quality of the work performed and conclusions reached by the internal audit function, “the procedures the external auditor may perform include the following:

• Reviewing the internal audit function’s work program and working papers,

• Re-performing some of the work of internal audit function, or

• Observing the procedures performed by the internal audit function”.

In order to execute some or all of the procedures in paragraph A18 (or equivalent procedures to support the use of the work of the function), it is also critical for the external auditor, in applying the requirements in paragraph 19(c), to consider whether the conclusions reached by the internal audit function in performing its procedures are appropriate in the circumstances and are consistent with the results of the work performed. This should be added to paragraph A18 as an example of another procedure to be performed by external audit.

With regard to the fifth bullet point under paragraph A17, this would not be permitted in South Africa as any audit of financial statements of an entity has to be performed by the external registered auditor and not the internal auditor, irrespective of whether the subsidiary is a significant component or not. Consequently, we suggest the bullet point should indicate that it may be subject to jurisdictional requirements.

Question 4 Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to:

(a) Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and

(b) Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity?

2.2.4. Response Yes, we believe the scope of ISA 610 should be expanded to address the matter of direct assistance to achieve clarity and consistency amongst jurisdictions where it is allowed. The present ISA 610 does not provide sufficient guidance on the use of direct assistance from internal audit to ensure such consistency. We believe, however, that the factors proposed when planning to use direct assistance are not stringent enough. (See earlier comments on specific paragraphs regarding degree and level of objectivity and competence, as well as paragraph 2.2 under our overall comments). We also believe that direction, supervision and review cannot compensate for threats to objectivity of internal auditors.

Internal auditors do not have to comply with the IFAC Code of Ethics and this will pose a problem for the external auditor obtaining direct assistance from internal auditors, as the ISAs require the audit partner responsible for the audit engagement to ensure that the members of the audit team are independent of the audit client.

9 of 19

Although some jurisdictions prohibit this practice we believe that, specifically because of the perceived threats to independence of the external audit team, it is even more important for the IAASB to set boundaries for those auditors who practice in jurisdictions that permit such use of internal auditors to level the playing fields and ensure a consistent application of the principles across jurisdictions that apply the ISAs that will prevent practices that might impact on audit quality.

The following paragraphs deal with specific concerns in further detail.

2.2.4.1. Encouraging direct assistance

The proposed ISA 610 should not be seen as encouraging direct assistance from internal auditors. Direct assistance should not be used in circumstances where the procedures performed and audit evidence obtained will form the basis for significant audit judgments or where there is a significant risk of material misstatements. The guidance in paragraph A22 should be amended as follows to recognise this:

A22 It may be possible In some limited circumstances for the external auditors to may obtain direct assistance from the internal auditors in carrying out audit procedures which otherwise would be performed by the external auditors themselves. Such assistance is only appropriate where the internal auditors will perform routine audit procedures, the evidence from which will not provide the basis for significant audit judgements, nor are required to address significant risks of material misstatement. In such these circumstances, external auditors use internal auditors, under the direction, supervision and review of the external audit team. , to perform audit procedures directly on the engagement which otherwise would be performed by the external auditors themselves.

2.2.4.2. Factors to consider

2.2.4.2.1. Objectivity of internal auditors providing direct assistance

Our earlier concerns expressed above with regard to the objectivity of the internal auditors and suggested changes to paragraphs 13 to 15 and related application paragraphs apply equally here. Thus, paragraphs 20, 21(a) and 22(a) should require the external auditor to identify threats to objectivity of the internal auditors, rather than trying to evaluate their degree of objectivity. In addition, the capacity of the internal audit function to provide the direct assistance should be considered. Recommended changes would be:

20 … the external auditor shall evaluate the degree of threats to objectivity and the level of competence of the internal auditors …

21 The internal auditor shall not obtain the direct assistance of an internal auditor’s if the internal auditor has:

(a) a low degree of There are significant threats to the objectivity of the internal auditor, regardless of the internal auditor’s level of competence; or

(b) a The internal auditor has a low level of competence, regardless of internal auditor’s degree of the level of threats to the objectivity of the internal auditor.

22 In determining the work that may be assigned to individual internal auditors and the amount of direction, supervision and review that is appropriate in the circumstances, the external auditor shall consider:

(a) The external auditor’s evaluation of the degree of threats to the objectivity and the level of competence of the internal auditors who will be providing

10 of 19

such assistance; and whether internal audit has sufficient capacity available to provide the required direct assistance;

The documentation requirement in paragraph 25 would also need to be changed to reflect the suggested changes above as follows:

25 If the external auditor uses the work of the internal audit function, the

external auditor shall include in the audit documentation:

(a) The evaluation of the degree of threats to the objectivity of the internal auditors, and the level of competence of the internal audit function and capacity to provide the direct assistance required that can be performed effectively and efficiently ….

2.2.4.2.2. Areas where direct assistance is not appropriate

Internal auditors should not provide direct assistance in areas where such assistance will give rise to a self-review threat for the external auditors because of work internal auditors have previously undertaken, (for example in an area where they have already performed procedures and provided a “clean” report to management or to the audit committee), but where the external auditor may have identified a potential risk of material misstatement.

In addition, in line with our earlier comments, direct assistance should not be obtained in areas where the evidence obtained will form the basis for significant judgements, or where there is a risk of material misstatement.

This can be accommodated with amendments to paragraph 23, as follows:

23 The auditor shall not obtain direct assistance from internal auditors to perform audit procedures:

(a) Whereby the internal auditors to gather evidence that the external auditor will use as the basis for making significant judgements in the audit engagement; or

(b) That respond to a significant risk of material misstatement; or

(c) In respect of areas that the internal auditors have already reported on to management or those charged with governance (as above); or

(d) To perform procedures to determine whether the work of the internal audit function can be used for the purposes of the audit ….

(Note: the original paragraph 23(b) moves to paragraph 23(d))

2.2.4.2.3. Determining the work to be assigned to individual internal auditors

In further response to Question 4(a) paragraph A24 indicates … the external auditor may discuss matters such as the extent to which the work of internal auditors will be used on the audit engagement, including the planned use of direct assistance. Where obtaining of direct assistance from internal auditors is planned, the arrangements must be formalised and the external auditor should:

(a) Obtain a formal agreement from the authorised representative of the entity, usually a director, or approval by the audit committee or others responsible for corporate governance, with confirmation by the internal auditors, regarding the internal auditor’s acceptance that instructions of the staff of the audit firm in relation to the work to be performed will be followed and specific matters identified as such will be kept confidential by the internal auditors as instructed by the external audit team; and

11 of 19

(b) Obtain an acknowledgement from the head of the internal audit function and / or those responsible for corporate governance regarding the role the internal auditors will play and responsibility of the external auditor for quality assurance and the overall audit opinion, and that the entity agrees to the terms and conditions in (a) and such additional terms the external auditor believes is appropriate in the circumstances.

2.2.4.2.4. Direction, supervision, and review

In further response to Question 4(b) paragraph 24 refers to the external auditor directing, supervising and reviewing the work performance by the internal auditors providing the direct assistance in accordance with ISA 220 Quality Control for an Audit of Financial Statements. Further “the level of direction, supervision and review shall recognise that internal auditors are not independent of the entity”. Paragraph 27 goes on to indicate that the direction, supervision and review will ordinarily be more extensive than if members or the audit team perform the work.

This suggests that direct assistance requires more by way of direction, supervision and review than is indicated in paragraphs A13 to A19 of ISA 220. We believe that the auditor may find it difficult to demonstrate that the direction, supervision and review has been more extensive than that applied to ordinary audit team members. It may be more appropriate for the external audit team reviewer to address the nature of the review procedures. The external auditor should consider re-performing some of the procedures carried out by the internal auditors and establish that the audit evidence obtained from the procedures performed is in agreement with the records of the entity and provides sufficient appropriate audit evidence to support the external auditor’s conclusions based on that work. Accordingly, we suggest that changes should be made to the second sentence in paragraph 24 as follows:

24 ….The level of direction, and supervision and the level and nature of review shall recognise that internal auditors are not independent of the entity. The review procedures shall include comparing the information in the audit documentation to the underlying accounting records for evidence of the procedures performed by the internal auditors and determining that sufficient appropriate audit evidence has been obtained to support the external auditor’s conclusions based on that work.

Question 5 Public Interest Concerns—Respondents are asked to address whether there are any public interest concerns that have not been addressed.

2.2.5. Response As expressed above we are aware of the fact that there may be possible concerns regarding the external auditor’s perceived independence in situations where use is made of direct assistance from internal auditors. Provided our suggested changes to address these concerns can be accommodated in the final ISA 610 issued by the IAASB, it is our view that the requirements of the proposed standard relating to the provision of direct assistance, in conjunction with the requirements of the quality control standards, may provide adequate safeguards to address the potential threat to the external auditor’s independence.

Furthermore, we believe that if the changes relating to risk assessment when deciding to use internal audit are implemented, the risk of the auditor expressing an inappropriate opinion may be reduced.

12 of 19

Question 6 Special Considerations in the Audit of Smaller Entities—Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why, and to suggest the nature of any such considerations?

2.2.6. Response We are of the opinion that guidance addressing special considerations in the audit of smaller entities should not be provided in the ISAs.

Defining what is considered to be a ‘smaller entity’ could be onerous, particularly as the view of what constitutes a ‘smaller entity’ is likely to vary from country to country and may well be influenced by regulatory requirements within each country, thereby affecting consistency of application.

The provision of such guidance may well defeat the purpose of the Clarified ISAs, which sought to make the Standards clearer thereby improving their consistent application.

Furthermore, it is our view that smaller entities are less likely to have internal auditors or internal audit functions, and that therefore the cost for the IFAC of researching special considerations relating to smaller entities is likely to far outweigh any potential benefits that may be obtained.

As the threats to the independence of an internal auditor of a smaller entity, is far greater than that which may be experienced by a well-structured internal audit department in a larger organisation, the external auditor is less likely to make substantial use of such an internal auditor’s work or obtain direct assistance from the internal auditors.

We believe that the proposed standard does not place an undue burden on the external auditor who intends to make use of the work of a smaller entity’s internal audit function.

Question 7 Special Considerations in the Audit of Public Sector Entities—Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs.

2.2.7. Response We believe that special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs.

The responsibility to appoint internal auditors and the responsibilities of the internal audit function may be set by legislation in addition to management and those charged with governance. We believe that using the work of the internal audit function of a public sector entity would be no different to using the work of the internal audit function of any other entity that has such a function.

Question 8 Developing Nations—Recognizing that many developing nations have adopted or are in the process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment.

13 of 19

2.2.8. Response Whether or not developing nations may experience difficulties in applying the proposed ISA 610 will depend on whether or not they have proper well-functioning professional bodies relating to internal auditors. If these are not established, the external auditor is less likely to make substantial use of the work performed by the internal audit function. If however, by virtue of the entity being progressive or part of a global group, an effective internal audit function is established, the external auditors who in such circumstances may themselves be associated with large global audit firms, should be able to apply the proposed requirements in ISA 315 and ISA 610.

Where effective internal audit functions are not established by the entity, the assessed risk of material misstatement in the financial statements of such entities is likely to be higher, resulting in greater emphasis being placed on the external auditor obtaining sufficient appropriate audit evidence through the performance of substantive audit procedures, and less likelihood of external audit seeking to obtain direct assistance from the internal auditors.

Question 9 Translations — Recognizing that many respondents intend to translate the final revised ISAs for adoption in their own environments, the IAASB welcomes comment on potential translation issues noted in reviewing the proposed revised ISAs.

2.2.9. Response The IRBA currently does not translate any of the International Auditing and Assurance Standards Board pronouncements, adopted, issued and prescribed under copyright from IFAC. Accordingly, we are not able to comment on this question.

Question 10 Effective Date—Respondents are asked to comment whether, in their opinion, the provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level.

2.2.10. Response The provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs, however, some resistance may be encountered given the recent extensive amendments to firms’ audit methodologies to accommodate the clarified ISAs.

The proposed provisional effective date will provide auditors with sufficient time to update their audit manuals and to adequately consider the impact of the requirements on their engagements and audit practices.

We question whether the wording should not be amended to align with the wording used throughout the clarified ISA’s, namely, that the ISA’s are effective for audits of financial statements for periods ending beginning on or after December 15, 2013.

2.3. Request for Comments on Analysis of Impacts

Question 11: Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB’s

14 of 19

proposals?

2.3.1. Response We believe that the Analysis of Impacts presented in Section 4 of this Explanatory Memorandum may be helpful in understanding the anticipated impacts of the proposed revision of ISA 315 and ISA 610, as it sets out the impact for the different parties (e.g. external auditors and the internal audit function). It is unclear, however, why the impact on the audit client itself has not been included, since this will be the first thing the client will want to know, in particular, how this will impact a “reduction” in the external audit fee.

The inclusion of the “Direction and Magnitude of Impact” in the second column was not found to be helpful as in all cases, the magnitude of impact is dependent on the extent to which the external auditor uses the work of the internal auditors or obtains direct assistance in those jurisdictions where it is permitted.

In addition to the above comment, the ‘direction’ of the impact is duplicated between the first column (“Audit effectiveness”) and the second column (“Direction and Magnitude of the Impact”) as both columns indicate whether there is an increase or a decrease in work effort by the external auditors or internal auditors. As a suggestion, the ‘direction’ should either be retained in the first column, and the second column deleted, or removed from the first column and retained in the second column.

Question 12: Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB?

2.3.2. Response: We are in agreement with the impact analysis as presented. However, as stated above, it is unclear why the impact on the audit client itself has not been included. The current summary may need to be updated with changes proposed by commentators that are accepted by the IAASB in finalising the proposed ISA 315 and ISA 610.

We do however have one suggested change to the wording as currently included in the impact analysis presented. We suggest that the word “inform” in the guidance above be replaced with the word “enhance” to facilitate better reading of the sentence. On the first page of the impact analysis, “Audit effectiveness” is currently stated as being:

“Overall increase in audit effectiveness anticipated because of the following:

• …

• The external auditor will be required (under ISA 315) to make inquiries of the internal audit function, (if the function exists), to leverage the function’s knowledge of the entity and its expertise in risk and control. This will further inform enhance the external auditor’s understanding of the entity and its environment which forms the basis for the external auditor’s risk assessments. …”

Question 13: Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents?

15 of 19

2.3.3. Response We question the applicability of the word “effectiveness” in the heading of the first column as all matters listed under the current heading of “Audit effectiveness” do not relate to effectiveness as such. We suggest replacing the word “effectiveness” with the word “implications” for the auditors.

Question 14: Would respondents find such an approach useful at the national level?

2.3.4. Response: We consider that the approach may be useful at the national level and enhanced if the potential impact for the audit client can also be reflected.

3. Suggested changes to specific paragraphs in ISA 315 and ISA 610

Paragraph Suggested Changes

ISA 315 Other Comments – Proposed ISA 315

1. 23 Paragraph 23 of ISA 315:

In order to be consistent in wording, and provide auditors with an upfront explanation of why the ISA requires the auditor to obtain an understanding of the internal audit function, we suggest the following changes:

23. If the entity has an internal audit function, in order to determine the role the internal audit function plays in the entity’s monitoring of internal control over financial reporting, the auditor shall obtain an understanding of the nature of the internal audit function’s responsibilities, how the function fits in the entity’s organizational structure its status within the organization, and the activities performed, or to be performed.

ISA 610 Other Comments – Proposed 610

2. 7

The second sentence of paragraph 7 appears to contain an editorial error, we query whether it is intended to read:

For this reason, even if some of the internal audit function’s activities appear relevant to the external audit or relate to the entity’s financial reporting, the external auditor may decide not to use the work of the internal audit function.

3. Definitions section

A Definitions section has been omitted from ISA 610 and should be inserted before the Requirements paragraphs. Specific Definitions in an ISA are usually included both in the relevant ISA and the Glossary of Terms. We believe that the new terms in the exposure draft should be defined or further explained, for example:

Words included in Glossary:

• Internal audit function • Internal auditors • Significant risk

Words used that could be defined and added to the Glossary, that are not included in the Glossary in the 2010 Handbook Part I:

16 of 19


• Par 14(a): “degree” of objectivity • Par 14(b): “level” of competence • Par 16: “significant judgement”

4. 12 The objectives of the external auditor, where the entity has an internal audit function and based on the understanding of the internal audit function as obtained in ISA 315, the external auditor expects to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed, are:

5. A9 (2nd bullet

point)

It is suggested that the 2nd bullet point in A9 is amended to deal with the quality control aspects, as follows:

Whether the internal audit function has appropriate quality control policies and procedures, for example such as those policies and procedures in IQC1 that would be applicable to and internal audit function, including those relating to leadership, human resources, and engagement performance and such other appropriate requirements as may be established by a professional body for internal auditors.

6. A17 The fifth bullet point under paragraph A17, would not be permitted in South Africa as any audit of financial statements of an entity that is required, has to be performed by the external registered auditor and not the internal auditor, irrespective of whether the subsidiary is a significant component or not. Secondly the standards applicable to a group audit are set out in ISA 600 Special Considerations – Audits of Group Financial Statements (including the Work of Component Auditors). Consequently, we suggest the bullet point should also include:

• Audits or reviews of the financial information of subsidiaries that are not significant components to the group, regard being had to jurisdictional requirements and subject to complying with the requirements of ISA 600 regarding the involvement of the group engagement team.

7. 22 – A27 20, 22-24, A22-A23, and A25-

A28

In many paragraphs on direct assistance, the proposed revisions use the term “internal auditors,” however, two paragraphs (paragraph 22 and paragraph A27) modify this term with the word “individual.” To make it clear that direct assistance contemplates the use of specific, individual internal auditors, as opposed to the internal audit function, we recommend that either:

a) the phrase “internal auditors” is modified by the word “individual” in paragraphs 20, 22-24, A22-A23, and A25-A28; or

b) A definition section of the document should be included to define the terms “internal audit function” and “internal auditors” to make this distinction.

c) Paragraphs 20 to 22 should make reference to the application material in (A6 and A7) relating to level of competence and objectivity of the individual internal auditor’s providing direct assistance.

17 of 19


8. 26(a) The current documentation requirement in paragraph 25 requires the auditor to document the evaluation of the degree of objectivity and level of competence of the internal audit function when the auditor uses the work of the function.

However, there is no equivalent documentation requirement for individual internal auditors who provide direct assistance on the audit engagement. We believe that an additional requirement is needed as paragraph:

26(a) to evaluate the objectivity and competence of the individual internal auditor providing direct assistance, as it will provide an important safeguard for confirming the appropriate use of direct assistance.

It is assumed that the documentation requirements in paragraph 25(b) and 25(c) would automatically be required as part of the external auditor’s working papers, prepared by those individual internal auditor/s when providing direct assistance under the instruction, supervision and review by the external auditor.

9. 13(a) Additional application material for paragraph 13(a):

Paragraph 13(a) states that the external auditor shall evaluate the extent to which the internal audit functions’ organizational status support the objectivity of the internal auditors. It may be helpful to include a reference in the application material of ISA 610 to the requirement in ISA 315 (paragraph 23) to obtain an understanding of the status of the internal audit function within the organization.

10. A3 Paragraph A3 sixth bullet

Paragraph A3 – sixth bullet refers to “ethics and values”, whereas the current paragraph A70 (a) in the extant ISA 315 refers to “... enforcement of integrity and ethical values”. The same wording should replace that used in paragraph A3 of the proposed ISA 610.

11. A16 Paragraph A16:

A16. Reading reports of the internal audit function relating to the work of the function that the external auditor intends plans to use assists the external auditor in obtaining an understanding of the nature and extent of audit procedures and the related findings.


A18. The procedures the external auditor may perform to appraise evaluate the quality of the work performed and the conclusions reached by the internal audit function include the following:


This application guidance is included within the section on direct assistance, however, the content relates both to when the external auditor plans to use the work of the internal audit function, and when the external auditor plans the use of direct assistance from individual internal auditors. Accordingly, this paragraph should be moved to its

18 of 19

19 of 19


own separate section within the application material:

A24. In accordance with ISA 260, the external auditor communicates with those charged with governance an overview of the planned scope and timing of the audit. In doing so, the external auditor may discuss matters such as the extent to which the work of the internal audit function will be used on the audit engagement, including and the planned use of individual internal auditors for direct assistance.

15 November 2010 Technical Director International Auditing and Assurance Standards Board 545 Fifth Avenue, 14th Floor New York, NY 10017 Via web site www.iaasb.org Re: Proposed International Standards on Auditing ISA 315 (Revised), Identifying and Assessing

the Risks of Material Misstatement through Understanding the Entity and Its Environment, and ISA 610 (Revised), Using the Work of Internal Auditors

Members of the International Auditing and Assurance Standards Board: We very much appreciate the opportunity to provide comments and recommendations to the International Auditing and Assurance Standards Board exposure drafts (EDs) ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, and ISA 610, Using the Work of Internal Auditors. These comments and recommendations are offered on behalf of both ISACA® and the IT Governance Institute® (ITGI®), international, independent thought leaders on information technology (IT) control, security and assurance, and governance of enterprise IT. We are responding primarily from an IT perspective. We believe the proposed ISAs will be useful to both internal and external auditors and congratulate the IAASB on its accomplishment. Our general comments are provided in the following section of the letter; more specific comments and our responses to IAASB questions are included in Attachments A and B, respectively. General Comments We are very supportive of the issuance of ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, and ISA 610 (Revised), Using the Work of Internal Auditors, as updated standards. However, we suggest clarification of the following matters: • We believe that the external auditor should read all internal audit reports that may have

relevance to the accounting and financial reporting process (IAASB Question 3), rather than just those with “findings” (ISA 315, paragraph 6a) or those related to areas in which the external auditor plans to use the work of internal audit (ISA 610, paragraphs 18 and A16). Reading all relevant internal audit reports will enhance the external auditor’s understanding of the business and assist in the identification and assessment of risks. Reports without “findings” may be as useful to the external auditor as those with “findings.”

IFAC Page 2 15 November 2010

• Many internal audit functions have implemented approaches referred to as “continuous assurance” or “continuous controls monitoring,” which often are information-systems-based tools that can provide real-time evidence of a failure of a control. It would be helpful to suggest that the external auditor might inquire about the use of such approaches.

We are generally pleased with both the content and tone, and offer some specific suggestions in Attachment A.

* * * * As the worldwide leading independent thought leaders on IT controls, we are eager to assist the IAASB in accomplishing its mission. Please feel free to call on our organizations if we can be of assistance in any way on further deliberations, task forces or committees. Again, we appreciate the opportunity to comment on the IAASB draft guidance. Respectfully submitted,

Everett C. Johnson, CPA Chair, Professional Issues Task Force Past International President, 2005-2007 ISACA (www.isaca.org) IT Governance Institute (www.itgi.org) About ISACA and ITGI With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business. The IT Governance Institute® (ITGI®) (www.itgi.org) is a nonprofit, independent research entity that provides guidance for the global business community on issues related to the governance of enterprise IT assets. ITGI was established by the nonprofit membership association ISACA in 1998.


Attachment A—Specific Comments and Suggestions Reference Comments and Suggestions ISA 315, A6b The first sentence should read “… auditor’s inquiries, it appears that there

have been audits that may be relevant to the entity’s financial reporting and the audit, …”

ISA 315, A6c Add to the end of the sentence “and the information systems auditor.”

ISA 315, A6d Add the following additional bullet to the list of bullets: • Inquiries directed toward information systems personnel may provide

information about system changes, system or control failures, or other information-system-related risks.

ISA 315, A103a We suggest replacing the term “monitoring controls” with “monitoring activities” or “monitoring of controls” to clarify that monitoring is an activity to provide management assurance that controls are operating effectively, not just another control, and to be consistent with terminology used by COSO.

ISA 610, A3 In the first bullet under “… internal control,” it would be helpful if the second sentence included language such as “… responsibility for reviewing controls (including information systems controls), evaluating their operation, …”

ISA 610, A6 In the second bullet under “Competence,” it may be helpful to add to the end of the second sentence examples of internationally recognized professional designations using language such as “… a relevant professional designation, such as Certified Internal Auditor (CIA) or Certified Information Systems Auditor (CISA).”

ISA 610, A16 It may be helpful to add a sentence at the end of this paragraph along the following lines: “The external auditor also reads other reports of the internal audit function related to financial reporting and the audit and considers such reports in planning the use of the work of internal audit.”

ISA 610, A17 We suggest adding the following to the first bullet “… effectiveness of controls, including information systems controls.”


Attachment B—Responses to IAASB Questions Our responses to the IAASB’s questions are based on our review of the proposed ISAs and are included below. 1. Do respondents believe it is appropriate to require the external auditor to make inquiries of

appropriate individuals within the internal audit function? Yes If so, do respondents agree such a requirement is appropriately placed in ISA 315? Yes

2. Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: (a) Whether the work of the internal audit function can be used for purposes of the audit

engagement; and (b) The planned use of the work of the internal audit function? Yes

3. Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor? Yes; however, the external auditor should also read other reports produced by the internal audit function related to financial reporting or the audit.

4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? Yes

If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to: (a) Consider the factors that have been proposed in determining the work that may be

assigned to individual internal auditors; and (b) Direct, supervise, and review the audit procedures performed by the internal auditors in a

way that recognizes they are not independent of the entity? Yes The IAASB is also interested in comments on the following matters: 5. Public Interest Concerns—Respondents are asked to address whether there are any public

interest concerns that have not been addressed. No

6. Special Considerations in the Audit of Smaller Entities—Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. Yes

If so, respondents are asked to explain why and to suggest the nature of any such considerations. We believe it would be helpful to provide guidance or examples of matters to be considered in a smaller entity if the internal audit function is not formalized (as it is in many larger entities) or internal-audit-type activities are performed by persons who also have other management or operating responsibilities.


7. Special Considerations in the Audit of Public Sector Entities—Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs. Yes

8. Developing Nations—Recognizing that many developing nations have adopted or are in the

process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment. NA

9. Translations—Recognizing that many respondents intend to translate the final revised ISAs for adoption in their own environments, the IAASB welcomes comment on potential translation issues noted in reviewing the proposed revised ISAs. NA


provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level. Yes

Request for Comments on Analysis of Impacts The IAASB is piloting the use of impact analyses. The impact analysis contained in this Explanatory Memorandum shows the IAASB’s consideration of the potential impacts of both the overall proposed revised ISA 315 and ISA 610 and the preferred option for each key issue addressed during the development of the proposed revised standards. Narrative descriptions of this analysis are included in this Explanatory Memorandum and presented in tabular format in the Appendix. The impact analysis in the Appendix identifies who will be affected by the proposed revised standards and preferred options, how, and to what extent they will be affected. It is important to note that the impact analysis is intended to communicate the impact of the incremental difference between extant and proposed revised ISA 315 and ISA 610, not between current and future practice. The IAASB would appreciate comments on the following matters: 11. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to

respondents in understanding the anticipated impacts of the IAASB’s proposals? Yes

12. Do respondents agree with the impact analysis as presented? Yes

Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB? No

13. Are there any changes to the narrative or tabular presentation of the impact analysis that

would be helpful to respondents? No

14. Would respondents find such an approach useful at the national level? Yes

- 1 -

The Japanese Institute of Certified Public Accountants 4-4-1 Kudan-Minami, Chiyoda-ku, Tokyo 102-8264, Japan Phone: 81-3-3515-1130 Fax: 81-3-5226-3355 Email: [email protected]

November 15, 2010 Technical Director International Auditing and Assurance Standards Board International Federation of Accountants 545 5th Avenue, 14th Floor New York, New York 10017 USA

JICPA Comments on the Proposed International Standard on Auditing, ISA 315 (Revised),

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, and ISA 610 (Revised), Using the Work of Internal Auditors.

The Japanese Institute of Certified Public Accountants (“we”, “our”, “us” and “JICPA”) is pleased to provide you with our comments on the Proposed International Standard on Auditing, ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (“Proposed ISA 315”), and ISA 610 (Revised), Using the Work of Internal Auditors (“Proposed ISA 610”). Based on our review, we have the following comments:

I. Request for Specific Comments 1. Do respondents believe it is appropriate to require the external auditor to make inquiries of

appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315?

Comment Yes, we believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function, and agree that such a requirement is appropriately placed in ISA 315.

- 2 -

2. Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: (a) Whether the work of the internal audit function can be used for purposes of the audit

engagement; and (b) The planned use of the work of the internal audit function?

Comment Please see our “Other Comments” below.


Comment Yes, we believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor.

4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to: (a) Consider the factors that have been proposed in determining the work that may be

assigned to individual internal auditors; and (b) Direct, supervise, and review the audit procedures performed by the internal auditors in a

way that recognizes they are not independent of the entity?

Comment We acknowledge that the direct assistant is common practice in many jurisdictions, and we agree that it is necessary for the scope of ISA 610 to be expanded to address the matter of direct assistance. On the other hand, as explained in the Explanatory Memorandum, there are jurisdictions, including Japan, where obtaining direct assistance from internal auditors by external auditors are not allowed by local law or regulation. We appreciate that Proposed ISA 610 acknowledges this fact, and explicitly states that such prohibitions will not prevent the external auditor from complying with the ISAs because ISA 610 does not require the external auditor to obtain direct assistance from internal auditors. However, regarding the proposed requirements and guidance for direct assistance, we have the

- 3 -

following concerns.

The implications for the effectiveness of the audit When obtaining direct assistance, the external auditor directs, supervises, and reviews the audit procedures performed by the internal auditors; and the working papers prepared by the internal auditors, who provided direct assistance on the audit engagement, are included in the audit documentation. If the internal auditor informs management of the matters relating to the external audit, which the internal auditor obtains through providing direct assistance, we are concerned that there may be circumstances where the effectiveness of the external audit may be compromised. Therefore, at a minimum, in the Application and Other Explanatory Material, we believe following explanations should be included:

-when planning to use internal auditors to provide direct assistance, the degree of objectivity of the internal auditors is a particularly important consideration;

-care is required when communicating with the internal auditors about the assignment of the work so as not to compromise the effectiveness of the audit.

The extent and amount of work to be performed by the internal auditors In determining the work that may be assigned to individual internal auditors, paragraph 22 of Proposed ISA 610 stipulates similar considerations to the requirement regarding the use of the work of the internal audit function, and paragraph 23(a) states that the external auditor shall not obtain direct assistance from internal auditors whereby the internal auditors make significant judgments in the audit engagement. However, there is no provision which is corresponds to paragraph 16(b), and whenever the internal auditors have some degree of objectivity and level of competence, except for paragraph 23, there seems to be no limitation on the amount of work which the external auditor is able to assign to individual internal auditors. This impression is exacerbated by the fact that the only provision provided in Proposed ISA 610, regarding the special scope limitation for direct assistance is paragraph 23(b), which states “the external auditor shall not obtain direct assistance from internal auditors to perform procedures to determine whether the work of the internal audit function can be used for purposes of the audit or to provide a sufficient basis to support the external auditor’s use of the work of the internal audit function”. We believe this is self-evident that it is not appropriate for the external auditor to obtain direct assistance in those areas. Even if the internal auditor has very high degree of objectivity and level of competence, they are not independent from the entity, and it is not appropriate to assign disproportionate amount of work to individual internal auditors. To avoid over reliance, we believe it is necessary to establish further provisions regarding the extent and amount of work that the external auditor is able to obtain direct assistance.

- 4 -

II. Comments on Analysis of Impacts There are many overlaps between the explanation in the section 4 of the Explanatory Memorandum (narrative description) and the Appendix (tabular presentation). In order to clarify the purpose of each, we propose following: Narrative description - explaining the implication on audit effectiveness in a comprehensive

manner; Tabular presentation - stating the implication on audit effectiveness in a concise manner so

that readers can easily understand the entire picture. In addition, it is questionable whether there may be cases where the extent of the impact on audit effectiveness can be measured in a 7-point directional scale (as stated in Note 1 of Appendix). We believe a 3-point directional scale (Increase/None/Decrease) is sufficient, since the impact on audit effectiveness is difficult to explain in a more precise, quantitative manner.

III. Other Comments Proposed ISA315

Paragraphs 23 and A102b We agree to establish a requirement to make inquiries of the internal audit function as part of the risk assessment procedures (paragraph 6(a) of Proposed ISA 315). However, we disagree with the requirement in paragraph 23 of Proposed ISA 315, which stipulates the understanding of the internal audit function as a factor that directly influences the external auditor’s identification and assessment of material misstatement in financial statements, as opposed to extant requirement, which stipulates it as a trigger point to consider whether ISA 610 is relevant to the audit. This is because paragraph 22 of ISA 315 already requires the external auditor to obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting and, therefore, it is not necessary to provide for another requirement related to an understanding of the internal audit function. In addition, paragraph A6a of Proposed ISA 315 already explains that information obtained through inquiries required in paragraph 6 of Proposed ISA 315 is useful to the auditor in identifying and assessing risks of material misstatement. We also note that paragraph A102b is redundant to paragraph A6a of Proposed ISA 315. In order to improve the flow of the standard and makes it more concise and understandable, we propose the following revision: (Paragraph 23) “If the entity has an internal audit function, the auditor shall obtain an understanding of the

- 5 -

nature of the internal audit function’s responsibilities, how the function fits in the entity’s organizational structure, and the activities performed, or to be performed in order to determine

whether the auditor expects to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed.” (Paragraph A102b) “The information obtained from the auditor’s inquiries in paragraph 6, and the understanding obtained of the role the internal audit function plays in the entity’s monitoring of internal control over financial reporting, may provide information that is relevant to the auditor’s identification and assessment of the risks of material misstatement.” (Paragraph A103) “If the nature of the internal audit function’s responsibilities and assurance activities are related to the entity’s financial reporting, the auditor may also be able to use the work of the internal audit function…”

Paragraphs A6 second sentence and A6a first sentence The second sentence in paragraph A6 (“Information may also be obtained by the auditor through inquiries with the internal audit function….”) and the first sentence in paragraph A6a (“If an entity has an internal audit function, inquiries of appropriate individuals within the function may provide information that is useful to…”) appears to suggest that whether to make inquiries of internal audit function is dependent on the external auditor’s decision, and that seems contradictory to the requirement in paragraph 6(a) which requires making inquiries. In addition, the second sentence in paragraph A6 is redundant to the first sentence in paragraph A6a and the first sentence in paragraph A6d. In order to improve the flow of the text, we propose the following revision: (Paragraph A6) “Much of the information obtained by the auditor’s inquiries is obtained from management and those responsible for financial reporting. Information may also be obtained by the auditor through inquiries with the internal audit function, if the entity has such a function, and others within the entity. As obtaining an understanding of the entity and its environment is a continuous, dynamic process, the auditor’s inquiries may occur throughout the audit engagement. A6a. However, iIf an entity has an internal audit function, inquiries of the appropriate individuals within the function may haveprovide information that is useful to… “ (Paragraph A6ab)

- 6 -

“If, based on… “ (Paragraph A6bc) “Appropriate individuals within the function…” (Paragraph A6cd) “The auditor may also obtain information, or a different perspective in identifying risks of material misstatement, through inquiries of others within the entity and other employees with different levels of authority. For example: • Inquiries directed at… • Inquiries directed towards marketing or sales personnel may provide information about

changes in the entity’s marketing strategies, sales trends, or contractual arrangements with its customers”

(Paragraph A6d) “As obtaining an understanding of the entity and its environment is a continuous, dynamic process, the auditor’s inquiries may occur throughout the audit engagement.”

Paragraph A101

Paragraph A101 uses the term “assurance”, and we understand this is consistent with the definition of internal auditing used by the Institute of Internal Auditors. However, in the IAASB’s pronouncements, “assurance engagement” is defined as “an engagement in which a practitioner express as a conclusion designed to enhance the degree of confidence of the intended users….” Therefore, in the IAASB’s pronouncements, “assurance” is positioned as an activity that is performed by a practitioner who is external to the entity, which is substantially different characteristic from the internal audit activity. In addition, dependent on the entity, consulting activities may or may not be included in the activities of internal audit function. To avoid confusion, the phrase “assurance and consulting” in paragraph A101 should be deleted to read as follows: “Internal auditing refers to assurance and consulting activities designed to evaluated and improve the effectiveness…”

Paragraph A103a For readers’ convenience, paragraph A103a, which states “As is further discussed in ISA 610…”, should include reference to relevant paragraphs of Proposed ISA 610.

- 7 -

Proposed ISA 610 Paragraph 5 first sentence

The sentence “The objectives of the internal audit function are determined by management and, where applicable, those charged with governance and may include assurance and consulting activities….” seems inconsistent with the sentence “Internal auditing refers to assurance and consulting activities…” in paragraph A101 of proposed ISA 315 and paragraph A2 of proposed ISA 610. In addition, we believe that the second sentence of paragraph 3 of extant ISA 610, which provides useful explanation regarding the relationships between the internal audit function and the external auditor, should be retained. Therefore, we propose to delete latter part of the first sentence of paragraph 5, and instead add an explanation which is similar to paragraph 3 of extant ISA 610 as follow: “The objectives of the internal audit function are determined by management and, where applicable, those charged with governance and may include assurance and consulting activities within an entity designed to evaluate and improve the effectiveness of the entity’s risk management, internal control, and governance processes. While the objectives of the internal audit function and the external auditor are different, aAn entity’s internal audit function may perform audit procedures similar to those performed by the external auditor in an audit of financial statements…”

Paragraph 8 The second sentence (“The ISAs do not override laws or regulations that govern an audit of financial statements.”) seems to disconnected with the third sentence (“However, such provisions or restrictions will not prevent the external auditor from complying with the ISAs…”). Therefore, we propose the following revision: “The ISAs do not override laws or regulations that govern an audit of financial statements.24 However, such prohibitions or restrictions will not prevent the external auditor from complying with the ISAs asSince this ISA does not require the external auditor to use the work of the internal audit function or to obtain direct assistance from internal auditors, such prohibitions or restrictions will not prevent the external auditor from complying with the ISAs.”

Paragraph 15 We agree that amount of professional judgment is important factor in determining the planned use of the work of the internal audit function, and we also agree that even in relation to the significant risks, there may be some audit work involving less judgment that can contribute to audit evidence obtained, as explained in page 7 of the Explanatory Memorandum. However, the assessed risk of material misstatement at the assertion level for particular classes of transactions,

- 8 -

account balances, and disclosure is also an important factor in determining the planned use of the work of the internal audit function. Both risks and judgments are stipulated in paragraph 10 of extant ISA 610 as a requirement, and we understand that there is no issue regarding this matter so far. Therefore, similar to paragraph 10 of extant ISA 610, we believe that both judgments and risks should be provided as relevant factors in the requirement.

Paragraph 22(c)(ii) The reference to paragraphs A11 to A13 should be deleted, since paragraph A26 already provides relevant explanation.

Paragraph A1 The reference to paragraph A1 should be made at subheading Scope of this ISA which is above paragraph 1, since paragraph A1 relates not only to paragraph 3 but also to paragraphs 1 and 2.

Paragraph A2 Please see our comment on paragraph A101 of Proposed ISA 315 above.

Paragraph A4 The reference to paragraph A4 should be made at subheading Determining Whether and to What

Extent to Use the Work of the Internal Audit Function, which is above paragraph 13, not from paragraph 13(a) and (b), since paragraph A4 does not refer to objectivity and competence.

Paragraph A9 We believe the guidance for determining whether the internal audit function applies a systematic and disciplined approach is not sufficient. Especially, regarding the second bullet, it is not clear to us as to how to determine the “appropriateness” of the quality control policies and procedures of the internal audit function. If this means that all activities of internal audit function need to apply rigorous quality control policies and procedures which is, for example, anticipated in ISQC 1, this results in unnecessarily restriction in the use of the work of the internal audit function, and we believe this not to be appropriate. Consideration of the application of a systematic and disciplined approach of the internal audit function is a new provision which is introduced in Proposed ISA 610. Therefore, in order to assist the implementation in practice, and to avoid unnecessary and unintended restriction, we believe further guidance regarding this matter is necessary.

- 9 -

Paragraph A14 third bullet In order to avoid misinterpretation that materiality for the financial statements as a whole and performance materiality is determined based on the discussion between the external auditor and the internal audit function, we propose the following revision: “Materiality for the financial statements as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures), and performance materiality to be used in such work”

Paragraphs A18 and A20 Paragraphs A18 and A20 imply that the definition of “reperformance” includes both “examining items already examined by the internal audit function” and “examining similar items examined by the internal audit function”. However, we believe it is important to explicitly explain that (1) there are two distinct approaches by the external auditor to determine whether the work of the internal audit function is appropriate, and (2) the external auditor can evaluate the quality of the work and conclusions of the internal audit function through examining similar items, without necessarily examining items already examined by the internal audit function. Therefore, we believe it is not appropriate to categorize “examining similar items examined by the internal audit function” as “reperformance” since the external auditor does not examine the items already examined by the internal audit function, and it should be differentiated. Therefore, we propose the following revision: (Paragraph A18) “The procedures the external auditor may perform to appraise the quality of the work performed and the conclusions reached by the internal audit function include the following: • Reviewing the internal audit function’s work program and working papers • Reperforming some of the work of the internal audit function • Examining items which are similar to the items already examined by the internal audit

function (that is, examination of similar items) • Observing the procedures performed by the internal audit function” (Paragraph A20) “Reperformance involves the external auditor’s independent execution of procedures that were originally performed by the internal audit function. Accordingly, iIt involves examining items already examined by the internal audit function, or other similar items.”

(Paragraph A21) “While it is not necessary for the external auditor to do some reperformance or examination of

- 10 -

similar items in each area of work of the internal audit function that is being used, reperformance of some of such work or examination of similar items provides a stronger form of evidence regarding the adequacy of the work of the internal audit function for purposes of the audit. Accordingly, in most circumstances, some reperformance of such work or examination of similar items will be appropriate. Moreover, the external auditor is more likely to focus on reperformance or examination of similar items in those areas where more judgment was exercised by the internal audit function in planning, performing and evaluating the results of the audit procedures.”

Paragraphs A22 to A28 For readers’ convenience, the reference to the Application and Other Explanatory Material should be made at individual requirement level if possible. Therefore, we propose the following references: Paragraphs A22 to A24 - Subheading above paragraph 20; Paragraph A25 - Paragraph 21; Paragraph A26 - Paragraph 22; Paragraphs A27 and A28 - Paragraph 24 In closing, we wish to express our appreciation for this opportunity to comment on this Proposed International Standard on Auditing. Sincerely yours, Sayaka Sumida Executive Board Member - Auditing Standards The Japanese Institute of Certified Public Accountants

IAASBTechnical Director545 5th Avenue 14th Floor NY 10017

Regarding: ISA 610 Use of the Work of the Internal Auditor and 315 Identification and Assessment of Risk of Material Mis-statement

By : Dr. Joseph S. Maresca CPA, CISA________________________________________________________________

Colleagues, Thank you for the opportunity to critique this issuance. Details follow:Comments on ISA 610 are first and 315 will follow .

Background- Using the Work of the Internal Auditor-ISA 610 and 315 Identifying Risk___________________________________________________________________

The external auditor's use of the work of the internal auditor is basedupon a number of factors including:o objectivity or the place in the organizationo level of competenceo disciplined approacho quality control pp. 6

The external auditor must obtain sufficient evidence of the internalaudit as a whole. An increase in risk may mean that reliance is less likelythat the external auditor will rely on the work of internal auditors.The external auditor may read the internal audit reports to beutilized in connection with reliance.

The external auditor must be concerned about a minimum thresholdof objectivity for the internal audit function, as well as the level ofcompetence.

Critique: The questions to be answered in the followup comment letters are as follows:1. Should the external auditors make inquiries of internal audit?2. Is the external audit using enough factors to rely on internal audit?3. Is it appropriate to read the internal audit reports?4. Is direct assistance necessary from the internal audit?5. Are there any public interest concerns?6. Are there special problems for smaller entities?7. Are there any special issues relative to the public sector?8. Are there special issues for nations in a developmental stage?9. Are translations an issue?

Question 1: Yes. The external auditors should make inquiries of theinternal audit, legal counsel, Audit Committee of the Board of Directorsand management. The inquiries of the Audit Committee of the Board ofDirectors are necessary to ensure that there is an objective reportingrelationship between the internal audit and the Audit Committee ofthe Board of Directors. Indeed, the best scenario for enhanced objectivity would be that the Audit Committee of the Board of Directors has hiring authority over the internal auditors and supervision overmajor findings and the followup thereof.

Question 2: The external auditors should give due weight to the

reporting relationship of the internal auditors into theAudit Committee of the Board of Directors. In addition, theexternal auditors should examine the work of the financialaudit staff, as well as IT audit staff. The IT audit staff hasthe responsibility for auditing data centers, data security,financial applications systems, the operating system of thecomputer, the computer library, remote job entry sites,the disaster recovery plan and the contingency plan.Lastly, the external auditor may take independentsamples of financial transactions keeping materialityto the financial statements in mind.

Question 3: Should the external auditors read the auditreports. Yes, the audit reports should contain informationon the adequacy of internal accounting controls, as wellas followup of management's plan to correct the itemscited. Followup internal audits should document eithercompletion of management's action or state that significant action is in progress by a date certain.

Question 4: Yes. The external auditors may utilize theinternal auditors to assist in documenting the systemof internal accounting control. With work flow in place,the external auditor will need to update the work ofthe internal auditor rather than duplicate it.Again, risk factors are to be considered in makingthis judgment. Prior audit workpapers should be reviewedby the external auditor.

Question 5: Yes, there may be public interest concerns;such as, filings with the Securities Exchange Commissionor comparable filings in European or other bourses overseas.Naturally, there are public interest concerns in theaudit of non-profits or municipalities.

Question 6: Yes, there may be concerns for smaller entities.In smaller entities, there may be a consolidation of functionsthat lend themselves to separation or segregation of functionsin larger firms. In addition, smaller firms may not have theresident internal audit experts in accounting and auditing.

Question 7: Yes. There may be political dimensions inauditing the public sector. These concerns will requirea "heightened awareness" by the external auditor withregard to the internal audit staff of a public sector entity.

Question 8: Yes, nations in a developmental stage may not havehighly developed accounting systems and procedures in place.The audit of the financial records may be more difficult andmore manual systems and disaggregated computer systemsmay be scattered throughout the country rather than centralized.A key question for the external auditor will be how the financialdata is aggregated. i.e. the source and methods of authenticatingthe data

Question 9: Yes. Translations can be a problem due to amultiplicity of dialects in some countries or regions.

The external auditor may be required to do more on-siteinspection of facilities and data including manual and system data. The language of the contract, as well as legal venuecan be important for interpreting key provisions of contracts.

The identification and assessment of risk of material mis-statementis by understanding the entity and its environment. An understandingof the entity is gained by reviewing the entity charter, chart of accounts,work flow, discussions with management and operating personnel andreviewing the work of the internal auditors both financial and IT auditors.

When the external auditor uses the work of the internal auditors,the degree of objectivity should be examined, as well as competenceof the internal auditors. Internal auditors certified in accountancyand internal IT auditors certified in information systems auditingwill likely present competent evidential matter due to stringentlicensing requirements.

Again, the Audit Committee of the Board of Directors should hire the internal auditors and have a reporting relationship to be apprised of major findings. The systematic approach to the review of internal accounting control is another important factor.

The auditor must make a determination as to how the internal auditfunction fits within the organization and the report relationship(preferably) to an independent audit committee of the board of directors.

Reliable sources of information are by direct confirmation,physical inspection, authenticating flow charts/work flowand taking statistically significant samples of transactionswith respect to accounts with material balances andpotential risk exposure.

Audit evidence may be obtained by examining the corporatecharter and mission statement. The ethics requirements should beset forth clearly and unambiguously. A71

The auditor should review how management has responded tointernal audit. Followup of management's action to correctmajor audit findings will be in order. A 71a

LEVI & SINCLAIR Comptables Agréés • Chartered Accountants

1303 Greene Avenue, Suite 400, Montreal, Quebec H3Z 2A7 Tel: (514) 931-7600 ext. 18 Fax: (514) 931-3600

[email protected]

SENCRL LLP

From the Desk of Philip C. Levi, CFE, FCA, CPA/CFF, CA•IFA

To: Technical Director, International Auditing and Assurance Standards Board

CC:

Date: August 31, 2010

Re: Comments on ISA 315 (Revised and 610 (Revised) EDs. ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement

through Understanding the Entity and Its Environment ISA 610 (Revised), Using

the Work of Internal Auditors

1. Do respondents believe it is appropriate to require the external auditor to make

inquiries of appropriate individuals within the internal audit function? If so, do

respondents agree such a requirement is appropriately placed in ISA 315?

Comments: Yes this is definitely appropriate and could appear in either 315 or 610.

2. Do respondents believe that appropriate factors have been proposed to be evaluated

by the external auditor in determining:

(a) Whether the work of the internal audit function can be used for purposes of

the audit engagement; and

Comments: Yes. In particular the external auditor must insure that the internal

auditor is both competent and has the mandate within the

organization to oversee the areas which the external auditor

intends to rely upon.


Comments: Yes - same as above. In too many instances the internal auditor is

not performing an internal audit function as this is not their defined

responsibility.


Memo from Philip C. Levi, CFE, FCA, CPA/CFF, CA•IFA August 31, 2010 Page 2 of 4

Serving clients worldwide through membership in / Au service des clients partout le monde grâce à son affiliation à INTEGRA International

3. Do respondents believe it is appropriate to require the external auditor to read reports

produced by the internal audit function relating to the work of the internal audit function

that is planned to be used by the external auditor?

Comments: Yes. This will not only provide additional audit information but will also

provide background as to the nature, timing and extent of the work

performed by the internal audit function.

4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to

address the matter of direct assistance? If so, do respondents believe that when

obtaining the direct assistance of internal auditors the external auditor should be

required to:

(a) Consider the factors that have been proposed in determining the work that

may be assigned to individual internal auditors; and

Comments: The use of internal audit staff should be limited to areas that would

not provide for any appearance of conflict, whether it be due to their

close relationship with those being audited or the fact that they

would be auditing areas that they were already supposed to have

audited. This may result in the suppression of information that

would otherwise be brought forward to the external auditor.

(b) Direct, supervise, and review the audit procedures performed by the internal

auditors in a way that recognizes they are not independent of the entity?

Comments: For the reasons stated above, internal auditors should not perform

external audit functions only support functions such as account

analysis and scheduling for audit by the external auditor.

5. Public Interest Concerns—Respondents are asked to address whether there are any

public interest concerns that have not been addressed.

Comments: None noted



6. Special Considerations in the Audit of Smaller Entities—Respondents are asked to

comment whether, in their opinion, guidance addressing special considerations in the

audit of smaller entities should be provided in the proposed revised ISAs. If so,

respondents are asked to explain why and to suggest the nature of any such

considerations.

Comments: The same concerns tha are identified above regarding independence and

conflicts would be even more significant in smaller entities where the relationships

would tend to be closer.

7. Special Considerations in the Audit of Public Sector Entities—Respondents are asked

to comment whether, in their opinion, special considerations in the audit of public sector

entities have been dealt with appropriately in the proposed revised ISAs.

Comments: Nothing to add

8. Developing Nations—Recognizing that many developing nations have adopted or are

in the process of adopting the ISAs, the IAASB invites respondents from these nations

to comment, in particular, on any foreseeable difficulties in applying the proposed

revised ISAs in a developing nation environment.

Comments: No comment.

9. Translations—Recognizing that many respondents intend to translate the final

revised ISAs for adoption in their own environments, the IAASB welcomes comment on

potential translation issues noted in reviewing the proposed revised ISAs.

Comments: Since the ultimate issues which will be subject to careful scrutiny will

generally result form a perceived or actual allegation of wrongdoing which may also

result in litigation, the wording of the standards will become vital. As such, it is

imperative that nothing be left to interpretation and one language be considered the

“official” version which all others are for reference and ease of use purposes.




provisional effective date is appropriate for supporting effective adoption and

implementation of the proposed revised ISAs at the national level.

Comments: Acceptable.

11. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum

helpful to respondents in understanding the anticipated impacts of the IAASB’s

proposals?

Comments: Not really. It is general and for SMEs entirely N/A. I think the impact should

be based upon the individual circumstances of each entity and be documented by the

external auditor, based upon the facts and their professional judgement.

12. Do respondents agree with the impact analysis as presented? Are there any other

stakeholders, or other impacts on stakeholders, that should be considered and

addressed by the IAASB?

Comments: See above.

13. Are there any changes to the narrative or tabular presentation of the impact analysis

that would be helpful to respondents?

Comments: I believe it should be eliminated completely and replaced with a

requirement that the external auditor assess and document the impact as described

above.


Comments: See above.

KPMG IFRG Limited Tel +44 (0) 20 7694 8871 Fax +44 (0) 20 7694 8429 1-2 Dorset Rise DX 38050 Blackfriars

London EC4Y 8EN [email protected] United Kingdom

s

Technical Director International Auditing and Assurance Standards Board International Federation of Accountants 545 Fifth Avenue, 14th Floor New York, New York 10017 USA

15 November 2010

Our ref SS/288

Contact Sylvia Smith

Dear Sirs

IAASB Exposure Draft, ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISA 610 (Revised), Using the Work of Internal Auditors We are pleased to have the opportunity to comment on the above Exposure Draft issued by the International Auditing and Assurance Standards Board (IAASB).

Overarching comments

Definition of “Internal Audit”

We note and support the lack of definition of “internal audit” in these proposed standards. Management and Those Charged with Governance set up internal audit functions in their respective organizations to help them meet their objectives. Because this is determined on an entity-by-entity basis, it is unlikely that one definition will fit all situations. We believe that the description of the objectives and activities of the internal audit function in Proposed ISA 315.A102 and Proposed ISA 610.05 provides sufficient guidance regarding who is a member of the internal audit function, and who is merely part of management of the entity.

Response to specific questions

Our responses to the questions posed in the Exposure Draft are set out below.

1. Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315?

KPMG IFRG Limited, a UK company limited by guarantee, is a member of KPMG International, a Swiss cooperative

Registered in England No 5253019 Registered office: Aquis Court, 31 Fishpool Street, St Albans, Hertfordshire AL3 4RF

ABCD

KPMG IFRG Limited 15 November 20 10

We support the requirement in Proposed ISA 315.06(a) to make inquiries of appropriate individuals within the internal audit function (if the function exists) to assist in identifying risks of material misstatement due to fraud and error. It provides a basis for the auditor to learn from and use the internal auditor’s knowledge of the organization and expertise in risk and control. It also serves as a source of information that might not otherwise come to the auditor’s attention.

Furthermore, we believe the requirement is appropriately placed in ISA 315 because it is relevant to the auditor’s identification and assessment of the risks of material misstatement, and is relevant in all audits. If the requirement were placed in ISA 610, there is a risk that it would be overlooked by auditors who had not decided to use the work of the internal audit function.


a) Whether the work of the internal audit function can be used for purposes of the audit engagement; and

The factors in Proposed ISA 610.13-.14 are appropriate ones to evaluate in determining whether the work of internal audit function can be used for the purpose of the audit.

We agree with the IAASB’s conclusion that, although the auditor will need to directly perform sufficient procedures to be able to draw reasonable conclusions on which to base the external auditor’s opinion, in fact, the work of internal audit can contribute audit evidence in areas of significant risk. Therefore, it is not appropriate to prohibit the use of the work of the internal audit function in areas of high risk. In those areas of higher risk, the auditor may need to directly perform more procedures, particularly focusing on areas requiring more auditor judgment.

The factors in Proposed ISA 610.20-.21 are appropriate in determining whether the auditor can obtain direct assistance from internal auditors. We note that Proposed ISA 610.13-.14 is focused on the objectivity and competence of the internal audit function, and that Proposed ISA 610.20-.21 is focused on the objectivity and competence of the individual internal auditors who will be providing the direct assistance. This is an appropriate distinction because of the difference between using the work of the internal audit function, and directing, supervising, and reviewing the work of individual internal auditors providing direct assistance to the auditor.

b) The planned use of the work of the internal audit function?

Proposed ISA 610.15-.16 provides appropriate factors to consider when determining the planned use of the work of the internal audit function. We note that risk is not one of the factors to be considered. We believe the focus on judgment in Proposed ISA 610.15(c), and the requirements for the auditor to take sole responsibility for the audit opinion in Proposed ISA 610.16 is correct, and the application material in Proposed ISA 610.A11-.A13 adequately describes the relationship between risk and judgment. As previously mentioned, it is not appropriate to prohibit the use of the work of the internal audit

SS/288 2

ABCD


function in areas of high risk. In those areas of higher risk, the auditor may need to directly perform more procedures, focusing on those areas that require more judgment.


In some organizations, the internal audit function produces many reports, many of which are not related to the work that is planned to be used by the external auditor. A requirement to read reports produced by the internal audit function when the auditor is assessing risks, and before the auditor has determined whether the work of the internal audit function can be used for the purposes of the audit, may result in the auditor spending undue time reading reports that are not related to the work the auditor intends to use. However, when the auditor has decided to use the work of the internal audit function, the auditor should read reports related to that work. Therefore:

• Proposed ISA 315.A6b is appropriate in stating that, “If, based on responses to the auditor’s inquiries, it appears that there are findings that may be relevant to the entity’s financial reporting and the audit, the auditor may find it useful to read related internal audit reports.”

• In Proposed ISA 610.18, the auditor has decided to use the work of the internal audit function. At this point in the audit, it is appropriate to have a requirement to read the reports of the function relating to such work.


a) Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and

b) Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity?

We agree that Proposed ISA 610 should deal with direct assistance to eliminate ambiguity about the IAASB’s intent with respect to this topic.

We recognize that, in some jurisdictions, there are concerns that internal auditors are not independent, and therefore use of internal audit in a direct assistance role in these jurisdictions is not permitted. However, we also recognize that direct assistance is established practice in many other jurisdictions. Such practice is based on the assumption that, with appropriate standards and safeguards in place, significant benefits can be realized from use of internal audit in a direct assistance role. Given this divergence in practice and approach, prohibiting direct assistance altogether in the ISA would be

SS/288 3

ABCD


unfortunate as it will result in a significant change in those jurisdictions that believe the use of direct assistance can be effectively managed.

Having said this, robust standards and safeguards are key to effective use of direct assistance. Accordingly, we recommend that IAASB make the following changes to the standard to clarify what is meant by direct assistance and the auditor’s responsibilities when using internal audit in this way:

• Include a definition for direct assistance in the standard;

• Clarify the requirements that apply when using the work of internal audit irrespective of how that work is used and then set out the additional requirements that need to be applied when internal audit is used in a direct assistance role. As currently draft, it is not clear whether the requirements in paragraphs 15 to 19 need to be carried out in all circumstance, including when the auditor is planning to use internal audit in a direct assistance role.

5. Public Interest Concerns – Respondents are asked to address whether there are any public interest concerns that have not been addressed.

We are not aware of any public interest concerns that have not been addressed.

6. Special Considerations in the Audit of Smaller Entities – Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations.

We do not believe that it is necessary to provide additional guidance addressing special considerations in the audit of smaller entities.

7. Special Considerations in the Audit of Public Sector Entities – Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs.

We do not believe that it is necessary to provide additional guidance addressing special considerations in the audit of public sector entities.

8. Developing Nations – Recognizing that many developing nations have adopted or are in the process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment.

We do not know of any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment.

SS/288 4

ABCD

KPMG IFRG Limited 15 November 20 10 9. Translations – Recognizing that many respondents intend to translate the final revised

ISAs for adoption in their own environments, the IAASB welcomes comment on potential translation issues noted in reviewing the proposed revised ISAs.

We are not aware of any potential translation issues with respect to these proposed ISAs.

10. Effective Date – respondents are asked to comment whether, in their opinion, the provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level.

The proposed effective date allows time for effective adoption and implementation of the proposed revised ISAs at the national level.

11. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB’s proposals?

The impact analysis is prepared at a very high level, thus limited the ability of readers to understand the anticipated effects of the IAASB’s proposals.

12. Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or impacts on stakeholders, that should be considered and addressed by the IAASB?

We agree with the general format of the impact analysis as presented, and believe that it has considered appropriate stakeholders and the impacts on those stakeholders; however, as mentioned above, we believe it needs to be presented at a more detailed level to useful.

13. Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents?

We note that, although the title above the first column is “Audit Effectiveness,” some of the impacts are more related to audit efficiency. For example, the second and third items on the list relate to the overall decrease in work effort, which is an efficiency point, not an effectiveness point. Other items on the list do not appear to relate directly to either audit effectiveness or efficiency. For example, the final three items on the list related to clarifying ambiguity, independence, and the inspection process, relate to audit effectiveness and efficiency to the extent that, in general, clear standards, auditor independence, and an inspection process do so indirectly. We suggest that the list be organized into efficiency impacts, effectiveness impacts, and indirect impacts, with appropriate titles over the columns.

We also suggest that the impact listed in the first column be presented in neutral language, and the direction of the impact be indicated only in the second column. For example, the second item on the list is “Overall decrease in work effort.” The direction and magnitude of the impact is “decrease.” Some might read this quickly and apply the rule that two negatives make a positive. This could be very confusing because the second item on the list is “Overall increase in work effort.” We suggest that the first column should indicate,

SS/288 5

ABCD


SS/288 6

“Impact on audit efficiency because of the following:” Then, the direction in the second column would indicate “decrease” or “increase.” Also, changing the focus to “audit efficiency” instead of “work effort,” in the first column would result in all of the “increases” in the second column being positive effects, and all of the “decreases” in the second column being negative effects, which would make the chart easier to read overall.


Yes. We believe that such an approach, but at a more detailed level, would be useful at the national level.

Please contact Sylvia Smith at +44 (0)20 7694 8871 if you wish to discuss any of the issues raised in this letter.

Yours sincerely

KPMG IFRG Limited

cc: Rod Devlin, KPMG IFRG Limited Craig Crawford, KPMG LLP Walt Conn, KPMG LLP

comment letter - final-1 - ifac · 3"" isa315(revised)andisa610(revised)" the...

Documents