Liity jäseneksi Tilintarkastajahaku Yhteystiedot Palaute English summary

HTM-tilintarkastajat ry
Kastelholmantie 2
00900 Helsinki
puhelin +358 (0)9 4767 9300
faksi +358 (0)9 4767 9306
info@htm.fi

Yhdistys Tilintarkastajan valinta Media Valvonta Koulutus HTM-tilintarkastajaksi

Tiedotteet, puheet ja kolumnit 2012 2011 2010 2009 2008 2007 2006 2005 Lausunnot 2012 Lausunnot 2010-2011 2009 2008 2007 2006 2005 Toimintakertomukset Yhteystiedot

TIEDOTUS

LAUSUNNOT 2008

LAUSUNTO NEUVOTTELEVAAN KYSELYYN KOSKIEN YLEISLUONTOISTA TARKASTUSTA ISRE 2400

Comments on IFAC’s Consultation Paper, September 2008:

Matters to Consider in a Revision of International Standard on Review Engagements 2400,
Engagements to Review Financial Statements

International Federation of Accountants’ille (IFAC) 15.12.2008

BACKGROUND TO OUR COMMENTS

Review is not an alternative to audit but a separate assurance product

As stated in IAASB’s consultation paper the mandatory requirements for a statutory audit of the financial statements have in many countries been removed. However, it must be noted that in most jurisdictions the statutory audit has not even existed in small and medium sized companies, but other methods of control have been in place, e.g. stronger role of tax inspectors by authorities (IRS). The audit has been required only in listed companies.

Even in countries where the audit has earlier been mandatory, but has been removed from most of the small companies, the regulators and authorities have encouraged the companies to continue with audits on voluntary basis. The banks continue to require credible financial statements from companies for which they lendmoney and which they finance. The Basel agreement has also increased the need of high credibility of the financial information. The credit institutions want reasonableor high assurance by qualified and experienced professionals (IES).

The reasons to continue with audited and thus more credible financial statements whether mandatory or voluntary are many; the companies need credible financialstatements for their own use, the creditors and the financial institutes need credible financial statements, and in some countries the tax authorities rely on crediblefinancial statements, especially when taxes are counted from the financial statements of companies and not separate tax accounts need to be prepared, as is the case in our country, where the connection between financial statements and taxation is interlinked.

IAASB is in the process of planning to revise the ISRE 2400 for the purpose of introducing a lighter level of assurance (negative assurance) than an audit on the financial statements of smaller entities, and at the same time with less responsibility or no responsibility (see review assurance report). This leads to the following questions:

- How can a service with light assurance and no responsibility be sold to clients?
- Why is it a negative assurance?
- Is it intended to be a continuous service to an engagement customer like an audit is, or is it going to be an on/off service?
- Can the correct concept be translated?

At least within the Finnish jurisdiction we cannot see, how a review process could usefully be implemented to replace an audit. The most common business form for all sizes of companies is a limited liability company with share capital. There are only ca. 130 listed companies, a few thousand medium sized companies and ca. 98 % of businesses are very small (micro) companies.

Our comments below are based on the above factors and on our experience duringseveral decades (of statutory audits) in giving reasonable (higher) assurance (audit) on the financial statements of small entities of all types and sizes.

ANSWERS TO THE QUESTIONS IN THE CONSULTATION PAPER

Chapter C.2, Moderate Level of Assurance and Engagement Risk, questions 1 and 2

Question 1:

Is the concept of a ‘moderate level of assurance‘ meaningful for practitioners?

We accept the concept of a ‘moderate level of assurance’ is becoming meaningful, when referring to a review engagement. However, we refer to our later comments on the cost effectiveness and differences between an audit and a review.

Question 2:

How should a practitioner determine what constitutes a moderate level of assurance for a review of financial statements?

It may be useful to consider the different expressions of the concept ‘likelihood’. Here the key comes from the following dictionary definition of the concept ‘probable’ meaning ‘possible but not likely’. According to our understanding this helps to develop the following definitions:

Possible refers to level of assurance ‘less than 50 %’.
Probable refers to the level of assurance ‘from 50 % to 80 %’.
Likely refers to the level of assurance ‘more than 80 %’.

Compared to the framework above, the concept ‘moderate’ may mean the level of assurance ‘more than 50 %, but less than 80 %’. Further, the concept ‘reasonable’ may mean the level of assurance ‘more than 80 %, but less than 90 %’ and the concept ‘high’ may mean the level of assurance ‘more than 90 %, but still less than 100 %’.

In footnote 18, there exists the concept ‘plausible’. This may refer to the level of assurance ‘more than 50 %, but less than 80 %’ being roughly less or synonym to the concept ‘moderate’ with focus on consistency with corresponding audit results.

After having considered the above definitions a qualified practitioner should have enough experience to be able to use his or her professional judgement to determine when a reasonable/high assurance or only a moderate assurance can be obtained in an engagement. Reviews should only be carried out by qualified audit professionals.

Chapter C.3, Conditions for Engagement Acceptance

Question 3:

Should ISRE 2400 contain requirements and guidance to assist practitioners’ judgments at the pre-acceptance stage as to whether a request to undertake a review of an entity’s financial statements is:

(a) practicable; and

(b) appropriate, in the sense of being likely to meet the needs and expectations of the engaging party and those parties who are intended users of the report?

The process could be the same as when considering an audit engagement, and therefore reference could be made to the relevant ISA:s.

Question 4:

Should ISRE 2400 explicitly describe the respective obligations of the entity’s management and those charged with governance, and of the practitioner performing the review of the entity’s financial statements?

Regarding the role of management and of those in charge of governance, there cannot be seen any differences between an audit and a review. This, regarding these roles, it is enough to refer to the contents regarding audit

Regarding the role of practitioners, the only meaningful difference is the depth of auditing procedures since the results of an audit should give a higher level of assurance than a review. In other respects, regarding also the role of an auditor, reference to the contents of an audit may be sufficient.

The most important question is, however, the contents of auditor’s reports, where any material uncertainties less than audit should be disclosed.

It should be the role of the engaging party to determine, where a review is practicable and appropriate. The auditor’s role in this instance is to make the differences between an audit and a review understandable to the engaging party, and this role should be explained here. If the engaging party does not accept the reported uncertainties of a review, it may be possible through further audit procedures to change the review level to the audit level.

At least in small or micro entities the differences between ‘a review’ and ‘an audit’, regarding both the procedures and the costs, are in practice small, therefore, the most expensive way would be to change a review at a later stage to an audit. This is why, if the choice is left to an auditor, he/she should prefer an audit instead of a review.

The main reason for the small differences between an audit and a review in small and micro entities lie on the fact that, the smaller the entity the less significant or material issues there exist, and the easier it may be to identify these issues straight from the understanding of the entity’s business and operations.

The second reason lies on the fact that, the smaller the entity the less internal control and other control procedures can exist.

The main difference between a review and an audit is, that review procedures mean

- inquiries
- some basic procedures
- some simple substantive analytical and matching of significant accountbalances
- only few substantive procedures
- no testing of controls

In addition to this, audit procedures include also

- supplementary basic procedures
- supplementary substantive procedures
- testing of controls
- possible more complex substantive analytical procedures.

However, regarding the audits of small and micro entities, these supplementary procedures, excluding some supplementary basic procedures and some supplementary substantive procedures, may in general have only little, if any role.

Chapter C.4, Evidence to Support the Review Engagement Report

Question 5:

To achieve the objective of a review engagement, what factors influence the practitioner’s assessment of the work effort required to provide a reasonable basis for reporting the practitioner’s conclusion(s) on the financialstatements? To what extent are the illustrative detailed procedures contained in appendix 2 to ISRE 2400 used in practice?

In small and medium sized entities where there are only a few employees a review where testing of controls cannot be substituted by interviews does not differ from an audit.

We refer to the last paragraph of our answer to question 4. The description in this paragraph is outlined according to the contents referred to in this question. The referred appendix includes wide and detailed list of issues to be noted in reviews. As also mentioned in the beginning of this appendix, it includes far more inquiry issues than ever used in one review or audit, but their use depends on which of them are considered as material and this will vary according to the entities to bereviewed. This is why, in spite of only partial use of the appendix-contents, the contents as examples can leave as it is.

Here one general note is, that audits may include less inquiries than reviews to be compensated with more of other audit procedures. This also means, that in small and micro entities, where the contents of financial statements are in order, the reviews may not be less expensive than audits. However, audits are more effective to find occurring misstatements to be corrected than reviews. Chapter C.4.1, Risk Assessment Procedures, questions 6 and 7.

Question 6:

How should a practitioner performing a review of financial statements address engagement risk when performing the review?

Question 7:

Would the nature, timing and extent of review engagement procedures be significantly different between a review engagement based on performance of procedures without an explicit assessment of risk of misstatement in the financial statements, and a review engagement where a risk-based approach is applied to assess and respond to those risks? Would the costs of the engagement differ significantly?

In small and especially in micro entities, the better the auditor is in general acquainted with the customer entity’s line of industry and its operational procedures, the less separate risk assessment procedures are needed, because the general significant and material risks can be seen straight through the entity’s line of industry for the needs to plan the review.

When then performing the key basic procedures, the auditor also can become acquainted with the key material risks specific in just this customer entity in order to supplement his or her review plan.

The smaller the entity is, the less material risks can be found and the more important the key basic procedures will become and the less differences there can exist between a review and an audit.

Regarding small and micro entities, the risk based approach through separate risk assessment procedures may not give new tools for an experienced auditor, but maybe useful for less experienced staff where such is needed in order to perform the review.

The costs come accordingly. In both cases, a separate risk register etc. compared to costs may be useful only regarding continuing engagements over several years.

C.4.2, Internal Control

Question 8:

In general terms, what procedures are needed to obtain an understanding of the entity’s internal control over financial reporting for purposes of performing a review of financial statements?

Question 9:

If the entity does not have internal controls that would prevent or detect occurrence of misstatements in the entity’s financial statements, what are the implications for thepractitioner regarding the entity’s internal controls for the purpose of the review?

In small and micro entities, if the auditor is acquainted with the customer’s entity through previous reviews or audits, no specific procedures regarding internal control are needed for reviews. If he or she is not previously acquainted with the entity, discussions with management regarding internal control environment may be useful.

The reasons for the above are, that the smaller entity, the less internal controls can exist, and the existing internal controls, if any, can be addressed reasonably when performing the basic procedures.

C.4.3, Enquiry Procedures

Question 10:

Does ISRE 2400 place appropriate emphasis on the use of enquiry as a source of evidence in a review engagement? To what extent, if at all, do you think use of inquiry in an engagement to review financial statements should differ from its use in an audit?

Instead of testing, the enquiries can supplement the basic procedures, but not replace them. The less internal controls can exist, the less useful the enquiries maybe. But the more the entity size will grow above small size (this means the number of personnel from 10 to 50 or more), the more important the enquiries become as a part of a review.

By performing key basic procedures, the auditor is able to get information also in order to consider the reliance of the enquiry results.

For review purposes, additional procedures may be needed in order to confirm enquiry results, if conflicting information occurs.

C.4.4, Analytical Procedures

Question 11:

Does ISRE 2400 provide sufficient guidance on how to apply analytical review procedures effectively in an engagement to review financial statements? Ifnot, what additional guidance might be provided to assist practitioners?

Question 12: To what extent, if at all, do you think use of analytical review procedures in a review engagement should differ from that in an audit engagement?

In general, the key analytical procedures using highly aggregated information should be included into the basic procedures for both all audits and all reviews, but because of less other procedures, they are still more important regarding reviews than regarding audits.

C.4.5, Considerations Where Circumstances Warrant Performance of Other Review Procedures

Question 13:

What situations might require a practitioner performing a review to consider, based on the results of procedures performed to obtain evidence for the conclusion on the financial statements, whether performance of additional procedures is necessary to ensure that the engagement risk is reduced to an acceptable level?

Question 14: What factors should the practitioner consider to determine the nature and extent of further procedures required to reduce the engagement risk sufficiently to be able to express the conclusion on the financial statements?

The key basic procedures should include also the use of bank statements to match the bank balances. So far also other balances exist including significant risk of misstatement, they may be covered by some additional procedure, also regarding reviews.

C.4.6, Situations Where an Entity’s Auditor Reviews the Entity’s Financial Statements

Question 15:

How, if at all, should a review of financial statements performed by a practitioner who is the entity’s auditor differ from a review of financial statements performed by a practitioner who is not the entity’s auditor?

If the entity’s statutory auditor performs the review, the inquiries may not be needed and the focus to key basic procedures may be enough. Here the typical use forreviews is connected with interim financial statements, where the reviews also in general can be most useful to replace audits.

If the practitioner performing review is not the entity’s auditor, also the enquiry procedures are needed excluding the smallest entities.

Question 16:

How, if at all, should the nature, scope and extent of the work carried out for an engagement to review financial statements differ depending on whether or not the report issued for the review engagement will be made public, or be published together with the financial statements reviewed?

The level of known publicity may not effect to the quality of the auditor’s main report. In spite of original meaning, any such auditor’s report may become public.

C.5, Communication with those Charged with Governance

Question 17:

What are the key matters a practitioner performing a review of historical financial statements should be required to communicate with those charged with governance of the entity?

Most important is to make those charged with governance to understand, that review is not a synonym for audit.

However, the smaller the entity is, the less there can exist differences between review and audit. Therefore, we suggest, that the review process should not be taken in use at all regarding small or micro size entities (this means entities with personnel far less than 50).

C.6, Reporting and Communication with Intended Users

Question 18:

How can a practitioner effectively communicate the concept of a level of assurance that is less than high, as obtained in a review engagement, to theintended readers or users of a review report, so that they will be able to properly estimate the level of confidence they can associate with the conclusion of the review?

We don’t know any better ways than negative expressions in review reports instead of positive expressions in audit reports.

Question 19:

Can the term ‘moderate level of assurance’ usefully be restated as a ‘plain language’ term in order to assist users of review reports to better understandthe underlying message conveyed by the conclusion expressed in a review report?

The way to express the level of accuracy should differ in the review reports from those in the audit reports, and some standardised way for this is needed so thatreaders can clearly understand the difference. Here we cannot go further than expect, that the readers using financial statements, also have knowledge of auditing.

Question 20:

What form of expression of the conclusion on the financial statements in the review report might increase the perceived usefulness of a review as an alternative form of assurance engagement? Would a different expression of the practitioner’s conclusion other than in negative terms increase readers’ orusers’ understanding of the level of assurance conveyed and, if so, how should the practitioner’s conclusion be expressed?

Look at the answers above (Q18).

Question 21:

Given the limited work effort ordinarily undertaken for a review engagement (i.e. enquiry and analytical review procedures), what level of detail isappropriate to properly inform readers or users of the review report about the scope of the review engagement and the work undertaken for theengagement? Should practitioners be permitted to use a flexible format for their review reports to communicate the nature of the work undertaken?

The focus should be in how a review differs from an audit. An effective way to express this difference may be to disclose what an audit includes and a review doesnot. In addition to this general recommendation, the format can be flexible.

C.7, The International Standards on Review Engagements

Question 22:

Do the review engagement standards need to be complete in themselves so that they ‘stand alone’ as standards separate from the ISAs? If so, which aspects of the ISAs should be incorporated into the review engagementstandards?

Situations where the contents of those parts of ISRE 2400 which will be exactly the same as in the corresponding ISA:

For a reader it is easier, if the text of the ISA is included in the ISRE in precisely the same format as in the original ISA (as a quote) with clear reference to that ISA.

Situations where parts of a certain ISA are included in a modified form in ISRE:

These cases can be decided case by case.

CONCLUSIONS

The audit has recently been standardised by IAASB and now begins to equal to the compliance with ISA-standards (a check list / cook book approach). It is claimed that this type of compliance becomes too time consuming and thus an unnecessarily expensive service to small entities. That can be agreed, if the methodologies of especially the large international audit companies (B4-B10) are in use. They have been constructed for audits of very large global companies and not for small audits.

The demand for the credibility of financial statements, even those of small entities clearly continues by many interest groups and the lack thereof leads to additional costs for the companies. The question is, how the audit profession shall answer to that demand.

It must not be forgotten that in the Nordic countries audits also serve public interest purposes and the audited reliable financial statements, even those of small entities are used for that purpose.

IFAC’s SMPC has recently issued an implementation guide to using international standards on auditing in the audit of small- and medium-sized entities. It is an excellent guide, and many countries have already translated it or are in a translating process. Some countries have constructed tools (methodologies) which are moresuitable to use for audits of SME:s than those of the B4 firms large company methodologies, still the newly developed methodologies are based on the conceptof ‘an audit is an audit’ to fulfil the compliance with the ISA:s and to obtain a reasonable assurance level and are more cost efficient. The IFAC’s implementationguide is of great help also in this process.

With the help of the above mentioned implementation guide we analysed the concept of a review for use in small company environment and we came into the conclusion that an audit is a more suitable form of assurance on the true and fair view of a company’s financial reports in a small entity than a review, especially incompanies with less than 50 employees.

There is neither any decisive difference in the cost effectiveness of an audit as compared to a review, but the client gets a higher assurance in an audit opinionthan in a negative opinion of a review. The most essential difference in the contents of an audit and a review is that in the first mentioned assurance control testings arecarried out and in the other alternative the control testings are replaced by interviews. Since in a small entity there is hardly any personnel that could be interviewed, the audit function would prevail and the review would not be applicable.

In audits of small companies where an auditor knows the company and its line of business the need for a multi-phase risk process in not so great, but he or she caneasily detect the risks in connection with the basic audit procedures and allocate his or her actions on essential matters. In this connection the professionaljudgement should also be accepted wider. A professional can judge whether an audit can be carried out or not.

We want to emphasize that persons carrying out even review engagements shouldbe qualified auditors and not less qualified persons.

HTM-tilintarkastajat ry - Kastelholmantie 2 - 00900 Helsinki - puhelin +358 (0)9 4767 9300 - faksi +358 (0)9 4767 9306 - info@htm.fi -