ON BEHALF OF JANINE VAN DIGGELEN, HEAD OF AUDIT FIRM OVERSIGHT DIVISION AFM

Size: px

Start display at page:

Download "ON BEHALF OF JANINE VAN DIGGELEN, HEAD OF AUDIT FIRM OVERSIGHT DIVISION AFM"

Karen Morgan
6 years ago
Views:

1 ON BEHALF OF JANINE VAN DIGGELEN, HEAD OF AUDIT FIRM OVERSIGHT DIVISION AFM Dear Mr Schilder, Please find attached a letter on behalf of 14 independent European audit regulators and/or oversight bodies in relation to the Exposure Draft of ISA 610 (Revised), Using the Work of Internal Auditors and the relating changes to ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment. The content of the letter has been discussed and agreed between the 14 audit regulators who are listed in the introduction to the letter. We believe that we, as audit regulators, are in a good position to comment on the subject of internal audit as we have reviewed a number of audits where a high degree of reliance has been placed on the internal audit function and, in a number of cases, have raised issues regarding the approach taken in practice. We consider ISA 610 to be an important standard as it typically applies to large Public Interest Entities, and we appreciate your consideration and taking into account of our comments before ISA 610 is issued in final form. We consider this to be important for several reasons, such as ensuring a level playing field for auditors across jurisdictions, ensuring the credibility of the ISAs, and thus ensuring that ISA 610 will be widely adopted. Yours sincerely, Martijn Duffels M.A.H. Duffels Senior Supervision Officer Audit Firm Supervision Division Phone Fax Mobile martijn.duffels@afm.nl Autoriteit Financiële Markten Visiting Address: Vijzelgracht HS Amsterdam The Netherlands Postal Address: P.O. Box GS Amsterdam The Netherlands Phone The AFM promotes fairness and transparency within financial markets.

2 ISA 610 ED Using the Work of Internal Auditors Comment Letter from European Audit Regulators 1. Introduction The objective of this letter is to summarize the comments of a number of independent European audit regulators and/or oversight bodies ( the audit regulators ) in relation to the exposure draft on ISA 610 (Revised), Using the Work of Internal Auditors. The content of this letter has been discussed and agreed between audit regulators who have met for this purpose, representing the following countries; Bulgaria Commission for public oversight of statutory auditors (CPOSA) Estonia Auditors Activities Oversight Council Finland The Auditing Board of the Central Chamber of Commerce of Finland (AB3C) Greece Hellenic Accounting and Auditing Standards Oversight Board Lithuania The Authority of Audit and Accounting (3A) Luxembourg Commission de Surveillance du Secteur Financier Malta Accountancy Board Netherlands Netherlands Authority for the Financial Markets (AFM) Norway Finanstilsynet (The Financial Supervisory Authority) Portugal Conselho Nacional de Supervisão de Auditoria Slovakia Úrad pre dohľad nad výkonom auditu (UDVA) Slovenia Agencija Republike Slovenije za javni nadzor nad revidiranjem (Agency for Public Oversight of Auditing) Spain Instituto de Contabilidad y Auditoria de Cuentas (ICAC) Sweden Swedish Supervisory Board of Public Accountants We believe that we are in a good position to comment on the subject of internal audit as we have reviewed a number of audits where a high degree of reliance has been placed on the internal audit function and, in a number of cases, have raised issues regarding the approach taken in practice. We are concerned that the result of the proposed changes to ISA 610 could potentially lead to a significant reduction in the independent testing performed by the external auditors and could also impair their independence. We consider ISA 610 to be an important standard as it typically applies to large Public Interest Entities, and we anticipate you taking our comments into account before ISA 610 is issued in final form. This is important in order to ensure a level playing field for auditors across jurisdictions, to ensure the credibility of the ISAs, and thus to ensure that the ISA 610 will be widely adopted. 2. Proposed revisions to the ISA 610 ED We agree with the IAASB s notion that recognition of the fact that the internal audit function applies a systematic and disciplined approach is important, and that this characteristic differentiates the work of the internal audit function from other internal controls. Whilst the exposure draft implies otherwise (para 10), we believe it should only relate to work performed by internal auditors, and that other types of testing, e.g. management testing of internal controls, although subject to a systematic and disciplined approach, cannot be considered equivalent. Finally, while we recognize that the internal audit function is an assurance function, it remains a part of the audit client s internal control system. ISA 610 ED Comment Letter from European Audit Regulators Page 1 of 6

3 ISA 610 ED Using the Work of Internal Auditors The main question is how the internal audit function affects the role of the independent auditor. We believe that the current exposure draft does not provide a clear distinction between the role of the internal audit function and the external audit team. While there needs to be a certain level of co-ordination between the external audit team and the internal audit function, an approach of cooperation where audit procedures are divided between the two is inappropriate, and blurs the distinctive roles of the external and internal auditors. Whilst the exposure draft (para 16) states that the external auditor has the sole responsibility for the audit opinion expressed, it does not clearly describe what is required to fulfill the sole responsibility under this ISA. The current exposure draft permits the work of internal auditors to reduce detection risk, e.g. through the performance of substantive testing and by not requiring any reperformance testing of the work performed by internal auditors. However, it is clear from the Glossary of Terms that it is only the work of the external auditor that can reduce detection risk. On the other hand, we believe that an effective internal audit function contributes to a reduced control risk. In this case, the external auditor can accept a higher detection risk, and reduce the amount of substantive testing. Finally, unlike other relevant standards, the revised ISA 610 includes no reference to the Code of Ethics. The Code of Ethics requires the audit team to be independent from the audit client. This is a requirement internal auditors cannot fulfill, which is why we consider it necessary to include such a reference to clearly distinguish between the role and independence requirements that apply to the external auditor versus the role and objectivity requirements that apply to internal auditors. Consequently, we believe that the revised ISA 610 should: (1) include a description of how it conforms with the audit risk model as defined in the Glossary of Terms, and how it conforms with the independence requirements set forth in the Code of Ethics (2) set out clear requirements for how the external auditor s assessment of risks of material misstatement shall determine the extent to which the external auditor can use the work of internal auditors, i.e. that the higher the risks of material misstatement, the less reliance the external auditor can place on work performed by internal auditors (3) set out clear requirements in relation to the need for a minimum level of direct testing by the external auditors for each material area of the financial statements (4) set out clear requirements in relation to how the external auditor shall determine the adequacy of the work performed by internal audit, for each area where reliance is to be placed, including a specific requirement for the external auditor to re-perform a proportion of the work (5) define the limited extent to which direct assistance can be obtained by the external auditors considering that direct assistance is incompatible with the Code of Ethics and that independence regulation in many jurisdictions prohibits direct assistance. The ISA should thus ensure that the external auditor has sufficient first hand understanding of the audit client, that he/she directly obtains sufficient appropriate audit evidence related to high-risk areas, and have sufficient appropriate audit evidence of the effectiveness of the internal audit work upon which the external auditor places reliance. A further description of our considerations related to the exposure draft can be found in appendix A to this letter. Further, the results of a survey among 20 European audit regulators of local independence regulation and their views on the Code of Ethics are summarized in appendix B. ISA 610 ED Comment Letter from European Audit Regulators Page 2 of 6

4 ISA 610 ED Using the Work of Internal Auditors Appendix A Further considerations related to the exposure draft 1. The Premise Underlying the Proposed Revision to ISA 610 In the Explanatory Memorandum (EM), the IAASB states that during the process of revising the ISA 610, the IAASB has been aware of perceptions both that there is a need to further audit effectiveness and that there is a need to avoid undue reliance. We agree with the notion that the revision of ISA 610 should enhance both audit effectiveness and audit quality. We also agree with the IAASB s notion that recognition of the fact that the internal audit function applies a systematic and disciplined approach is important, and that this characteristic differentiates the work of the internal audit function from other internal controls. In the EM the IAASB acknowledges that some might expect the external auditor s decisions regarding the use of the work of the internal audit function to be related to the assessed risk of material misstatement at the assertion level for particular classes of transactions, account balances, and disclosures. Nevertheless, while the IAASB agrees that there is a relationship between the amount of judgment involved and the level of risk ( ) the IAASB is of the view that, even in relation to significant risks, there may be some audit work involving less judgment that can contribute to the audit evidence obtained. For that reason the IAASB believes the focus on judgment in the requirement is appropriate. We consider this to be an unnecessary and complicating departure from the fundamental Audit Risk model. The different parts of the ISA 610 ED (ED), which have prompted our comments below, are all related to the IAASB s focus on judgment rather than risk. As stated in the EM in relation to the use of direct assistance, the IAASB believes that this is important ( ) to avoid undue pressures being placed on the external auditor by the entity to use internal auditors for cost or other reasons, which could be detrimental to audit quality. We believe that the ED will result in undue pressures being placed on the external auditor both in relation to the use of internal auditors to perform direct assistance as well as in relation to the use of the work of internal auditors in general. Consequently, we believe that while the ED may enhance audit efficiency, it may not enhance audit quality. 2. Using the Work of Internal Auditors The ED does not require the assessed risk of material misstatement to be taken into account in determining whether and to what extent the work of the internal audit function may be used in a particular area. Instead, it provides that it is the amount of judgment involved in performing the audit procedures that is to be considered. The EM states that the IAASB is of the view that, even in relation to significant risks, there may be some audit work involving less judgment that can contribute to the audit evidence obtained. Nevertheless, we believe it is imperative to maintain a risk based approach throughout the audit, where the external auditor consistently designs and performs audit procedures based on his assessment of the risks of material misstatement for all areas. This is also necessary in order for the external auditor to effectively fulfill the sole responsibility for the audit opinion. ISA 610 ED Comment Letter from European Audit Regulators Page 3 of 6

5 ISA 610 ED Using the Work of Internal Auditors 3. Testing the Work of Internal Auditors In the EM the IAASB states that the external auditor s objective is to obtain sufficient evidence about the internal audit function as a whole, rather than test each individual piece of work performed by the function as is required by ISA 330 in relation to other controls. This position is reflected in A 20 where it is stated that while it is not necessary for the external auditor to do some reperformance in each area of work of the internal audit function that is being used, reperformance of some of such work provides a stronger form of evidence regarding the adequacy of the work of the internal audit function for purposes of the audit. It seems unnecessary to point out that reperformance testing provides a stronger form of evidence, when, at the same time, the ED does not consider it necessary because evidence about the internal audit function as a whole is considered to be sufficient. We do not believe that it is appropriate for the auditor to place reliance on work performed by internal auditors, without performing tests directed at this work. As such, we are of the opinion that a requirement for testing the work of internal audit, including through reperformance, should be included in the ED. 4. Auditor, Risk of Material Misstatement and Detection Risk The IAASB Glossary of Terms defines Audit Risk as: The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk. The three terms auditor, risks of material misstatement, and detection risk are essential. As noted above, the IAASB does not consider the external auditor s decisions regarding the use of the work of the internal audit function to be related to the assessed risk of material misstatement. This raises the fundamental question whether the work of internal auditors may reduce detection risk. The ED does not require the auditor to test the work of internal auditors upon which the auditor places reliance. Thus, the ED encourages an audit approach where the work of internal auditors may reduce detection risk, as it permits the auditor to adopt audit evidence obtained by internal auditors without testing it. Internal auditors are effectively considered equivalent to the auditor. This is evident when considering the definition of detection risk: The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements. Considering internal auditors members of the engagement team represents a violation of the Code of Ethics, which requires members of the engagement team to be independent of the client. This situation is also probably not envisioned in the definition of auditor: Auditor is used to refer to the person or persons conducting the audit, usually the engagement partner or other members of the engagement team, or, as applicable, the firm. We believe that permitting the work of internal auditors to reduce detection risk both violates fundamental independence provisions and thus inevitably increases the risk of undue reliance. As noted above, we agree that the systematic and disciplined approach of the internal audit function differentiates the work of the internal audit function from other internal controls. Nevertheless, the internal audit function remains a part of the audit client s internal control system. Consequently, a well functioning internal audit function may reduce control risk, and thus the risk of material misstatement. However, as the internal audit function is an integral part of the audit client, it can only reduce the risk of material misstatement (control risk), but not reduce detection risk. ISA 610 ED Comment Letter from European Audit Regulators Page 4 of 6

6 ISA 610 ED Using the Work of Internal Auditors 5. Substantive Procedures A17 gives substantive testing as an example of procedures that could be relied on. However, there is no specific reference for the need of the auditor to perform some work on all material balances (e.g. confirmations on cash balances). We believe that there is a risk that, for material but routine non judgmental balances (e.g. cash, stock, debtors, and creditors), the standard could be interpreted as allowing all or most of the work to be performed by internal audit alone. This is another area where the ED permits the work of internal auditors to reduce detection risk, and thus increases the risk of undue reliance. 6. Direct assistance We do not agree that the ISA should address the use of direct assistance. In order to secure the independence of the auditors, a number of jurisdictions have independence laws or regulations in place with which direct assistance is in incompatible. As noted above, the Code of Ethics also requires the audit team to be independent from the audit client. Further, the ED provides that the external auditors may assign external audit work to individual internal auditors, applying similar considerations to those used in determining what reliance should be placed on the work of the internal audit function. It therefore seems that external audit procedures relating to areas of significant risk could be assigned to internal auditors if they are not deemed to involve making significant judgments. No reperformance of any such work undertaken by internal auditors under the direction and supervision of the external auditors is required. Instead, the level of direction, supervision and review shall recognize that internal auditors are not independent of the entity (para 24). (Para A27 indicates that the external auditor s review could include walking through the procedures performed by the internal auditors if the records examined by the internal auditors are available during the review.) These provisions in the ED blur the distinct differences between the external audit team and the internal audit function. In this light we also refer to ISA 600 where auditors rely on the work of an independent (component) auditor. In such a case a minimum level of procedures are required. We do not see that the ED is consistent with this approach, as it does not include any requirements for (reperformance) testing of work performed by internal auditors who, unlike component auditors, are not independent. In any case, when addressing direct assistance, the limited extent to which direct assistance can be obtained by the external auditors should be clearly defined, considering that direct assistance is incompatible with the Code of Ethics and that independence regulation in many jurisdictions prohibits direct assistance. 7. Changes to ISA 315 We believe that paragraph 23 of ISA 315 should be changed. As compared to the current version, there is no longer a requirement to determine whether or not to use internal audit. We believe, however, that it is an important requirement. Further, as ISA 610 does not apply when the auditor does not expect to use the work of internal auditors (see the end of paragraph 2 of proposed ISA 610), the determination by the auditor of whether internal audit is used, should not be part of ISA Conclusion We believe that the ISA 610 like the other ISAs should incorporate the audit risk model and the independence requirements set forth in the Code of Ethics. Consequently, we do not believe that the work of internal auditors may reduce detection risk. ISA 610 ED Comment Letter from European Audit Regulators Page 5 of 6

7 ISA 610 ED Using the Work of Internal Auditors Appendix B Summary of a Survey among 20 European regulators Countries where it has been confirmed that direct assistance is in conflict with statutory independence regulation (the list may not be complete): Germany Luxembourg The Netherlands Norway Portugal Slovenia Spain Audit regulators considering direct assistance to be in conflict with IFAC s Code of Ethics: All 20 regulators considered direct assistance to be in conflict with the independence requirements set forth in the Code of Ethics Audit regulators considering it problematic to use work of internal auditors for high risk areas: Substantially all 20 regulators considered it inappropriate to use the work of internal auditors for high risk areas Audit regulators considering it inappropriate to use of work by internal auditors without testing it: All 20 regulators believed it to be inappropriate to use work of internal auditors without testing to some extent the work upon which the auditor places reliance ISA 610 ED Comment Letter from European Audit Regulators Page 6 of 6

8 ACAG AUSTRALASIAN COUNCIL OF AUDITORS GENERAL 27 September 2010 Mr James Gunn Technical Director International Auditing and Assurance Standards Board 545 Fifth Avenue 14 th Floor New York, New York USA Dear Mr Gunn, Exposure Draft: Proposed International Standards on Auditing ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISA 610 (Revised), Using the Work of Internal Auditors Attached is the Australasian Council of Auditors-General (ACAG) response to the Exposure Draft referred to above. The views expressed in this submission represent those of all Australian members of ACAG. The opportunity to comment is appreciated and I trust you will find the attached comments useful. Yours sincerely Simon O Neill Chairman ACAG Financial Reporting and Auditing Committee PO Box 275, Civic Square ACT 2608, Australia Phone/Fax: Overseas phone/fax: soneill@audit.sa.gov.au Website: ABN

9 Proposed International Standards on Auditing ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment ISA 610 (Revised), Using the Work of Internal Auditors Request for Specific Comment The IAASB has requested comments on the following: 1. Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315? ACAG Comment: We believe that it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function as part of risk assessment procedures as it should enable the external auditor to leverage the internal audit function s knowledge of the entity and any expertise in risk and control. Also, because the existence of an internal audit function should add to an entity s internal control environment, it will also enable the external auditors to assess any impact that internal audit has on assessing whether to apply a controls and/or substantive approach. While the extant ISA 315 paragraph 6 s requirements to obtain information relevant to identifying risks of material misstatement may capture inquiries of internal audit, the revised standard provides greater clarity. Given that the auditor is already required to make enquiries of internal audit regarding fraud, it is not anticipated that this would create a large amount of additional work effort. ISA 315 seems to be an appropriate place for such a requirement, however, reference should be made here to the requirement in ISA 240 The Auditor s Responsibilities Relating to Fraud in an Audit of a Financial Report. 2. Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: (a) Whether the work of the internal audit function can be used for purposes of the audit engagement; and ACAG Comment: We believe that the factors outlined in proposed ISA 610 paragraphs are appropriate for determining whether the work of the internal audit function can be used.

10 While the standard is clear that the work of internal audit cannot be used if there is a low level of objectivity or competence, it is not clear whether application of a systematic and disciplined approach, including quality control is required. Application Guidance states that the application of a systematic and disciplined approach is an important characteristic that distinguishes the activities of the internal audit function from other monitoring control activities that may be performed within the entity which implies that this is a requirement. As such, it should be made clearer that the use of the work of the internal audit function is not appropriate if any of the three factors are not present. The standard should also clarify what appropriate quality control policies and procedures would be for an internal audit function and specify that they would not be to the level required by ISQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements. (b) Whether the work of the internal audit function can be used for purposes of the audit engagement; and ACAG Comment: ACAG supports the proposal. 3. Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor? ACAG Comment: We believe that such a requirement is appropriate. Further, we believe that it is generally current practice for external auditors to read reports produced by the internal audit function which relate to an entity s financial reporting framework and work the external auditor plans to use. As such, it is not likely to create an additional burden on external auditors. 4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? ACAG Comment: Given the proposed requirements do not require or encourage the external auditor to obtain, or to consider obtaining direct assistance from internal audit staff, ACAG supports the standard addressing the matter of direct assistance.

11 Addressing provision of direct assistance by internal auditors will remove any ambiguity about whether the IAASB supports its use. Where an external auditor plans to use internal auditors to provide direct assistance, the considerations proposed in the ED when determining the work that may be assigned to internal auditors and the amount of direction, supervision and review necessary, are useful. If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to: (a) Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and ACAG Comment: ACAG supports the proposal. (b) Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity? ACAG Comment: We believe that it is of great importance that any such standard recognizes that the internal audit function is not independent of the entity in the sense that external auditors are in auditing financial statements. This makes it clear to the entity that work performed by internal auditors cannot simply be relied upon by external auditors without additional work and assessment of its reliability being undertaken. As such we support the proposal. The IAASB is also interested in comments on the following matters: 5. Public Interest Concerns Respondents are asked to address whether there are any public interest concerns that have not been addressed. ACAG Comment: In our opinion, there are no public interest concerns that need to be addressed. 6. Special Considerations in the Audit of Smaller Entities Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations. ACAG Comment: In our opinion, guidance addressing special considerations in the audit of small entities is not necessary.

12 7. Special Considerations in the Audit of Public Sector Entities Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs. ACAG Comment: In our opinion, there are no special considerations in the audit of public sector entities that need to be included in the proposed revised ISAs. 8. Developing Nations Recognizing that many developing nations have adopted or are in the process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment. ACAG Comment: No specific comments are provided. 9. Translations Recognizing that many respondents intend to translate the final revised ISAs for adoption in their own environments, the IAASB welcomes comment on potential translation issues noted in reviewing the proposed revised ISAs. ACAG Comment: We have not identified any translation issues. 10. Effective Date Respondents are asked to comment whether, in their opinion, the provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level. ACAG Comment: We believe the provisional effective date is appropriate. Other comments Definitions We note that the definitions of internal audit function and internal auditors are not included in the proposed ISA 610 (Revised). Rather, a description of an internal audit function which focuses on the objectives and activities of such a function is included in ISA 315 and ISA 610. ISA 315 effectively defines internal auditing, a term which is not used in either standard.

13 While paragraph 9 of ISA 610 states that neither the title of the function, nor whether it is performed by the entity or a third-party service provider, are determinants of whether or not the external auditor can use the work of the internal audit function, this does not help to clarify what types of groups are captured for the purposes of inquiry required by ISA 315. ACAG is of the opinion that the term internal audit function should be defined in the standards. This will assist in clarifying whether, for example, divisions such as specialised fraud detection and prevention divisions are meant to be captured, that is, whether the external auditor is expected to make inquiries of such groups. Given ISA 610 refers to both internal audit functions and internal auditors, it is also recommended that a definition of the latter be included to clarify that this is simply a term for the individuals who perform the activities of the internal audit function, as opposed to encompassing a different group of people. Auditor s Report While it is noted in paragraph 16 of the ISA 610 (Revised) that the external auditor has sole responsibility for the audit opinion expressed, it may be useful to include in the standard explicit requirements which prohibit the auditor from referring to the work of internal auditors in the Auditor s Report, similar to that currently included in ISA 620 Using the Work of an Expert at paragraphs 3,14 and 15. Request for Comments on Analysis of Impacts The IAASB has requested comments on the following matters: 11. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB s proposals? ACAG Comment: We believe that the analysis of impact is useful in understanding the IAASB s intentions, views and issues that have been considered in developing the ED. However, we question the need for both the narrative presented in section 4 and the table included in the Appendix as they are somewhat repetitive. Given the level of variability of impact depending on the size/nature of the entity, and the current use of internal audit work, the Direction and magnitude of impact and Variability by size/nature of entity subject to audit columns are of limited use in this instance.

14 12. Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB? ACAG Comment: While the impact on internal auditors/internal audit functions is discussed, the overall impact on management and those charged with governance could be considered. 13. Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents? ACAG Comment: Refer comments under Question 11. It would be more helpful if the Appendix followed the same structure as the narrative presented in Section 4 (ie break up the table into areas which relate to external audit, internal audit and Audit Oversight bodies). 14. Would respondents find such an approach useful at the national level? ACAG Comment: Refer to comments above.

15 IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT and USING THE WORK OF INTERNAL AUDITORS Proposed International Standards on Auditing issued for comment by the International Auditing and Assurance Standards Board of the International Federation of Accountants Comments from ACCA November 2010

16 ACCA (the Association of Chartered Certified Accountants) is the global body for professional accountants. We aim to offer business-relevant, first-choice qualifications to people of application, ability and ambition around the world who seek a rewarding career in accountancy, finance and management. We support our 140,000 members and 404,000 students throughout their careers, providing services through a network of 83 offices and centres. Our global infrastructure means that exams and support are delivered and reputation and influence developed at a local level, directly benefiting stakeholders wherever they are based, or plan to move to, in pursuit of new career opportunities.

17 Page 1 General Comments ACCA welcomes the opportunity to comment on the proposed International Standards on Auditing 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment and 610 (Revised) Using the Work of Internal Auditors issued by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants. The revisions stem from a perceived need to update ISA 610 for developments in internal auditing and external auditing practice since We agree that updating is appropriate. We also agree that the scope of the revision should now include the case where internal auditors provide direct assistance to the external auditor. We are particularly pleased that the proposed revision has been done in a way that does not add unnecessary costs to audits where the audited entity does not have an internal audit function, or where the auditor chooses not to place reliance on an internal audit function. Our remaining comments are presented as answers to the specific questions asked in the explanatory memorandum forming part of the exposure draft.

18 Page 2 Matters on which Specific Questions are Asked In this section of our response we answer the questions posed in the explanatory memorandum forming part of the exposure draft. Question 1 Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315? For the reasons set out below, we do not agree that this should be a requirement. Instead, it would be preferable to use the application material to achieve an appropriate emphasis on those other than management of whom enquiries ought to be made. Paragraph 6 of proposed ISA 315 contains the following bullet point: 6. The risk assessment procedures shall include the following: (a) Inquiries of management, of appropriate individuals within the internal audit function (if the function exists), and of others within the entity who in the auditor s judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or error. The construction of the paragraph is intended to give recognition to the position that management and appropriate individuals within the internal audit function will always be classed as may have information that is likely to assist in identifying risks of material misstatement due to fraud or error. This is contrasted with others within the entity, as inquiries of such individuals are only required as a matter of auditor judgement.

19 Page 3 The question of who is an appropriate individual within the internal audit function is answered in the application material the answer depends on their knowledge, experience and authority, not on any propensity to posses information that is likely to assist in identifying risks of material misstatement due to fraud or error. This placing of emphasis on the internal audit function has two detrimental effects. It mandates inquiries even where the auditor judges that those within the internal audit function will not have information that is likely to assist in identifying risks of material misstatement due to fraud or error. This introduces inefficiency. More importantly, it deemphasises inquiries of others, including those responsible for financial reporting, which may damage the quality of the audit, especially where a tick box approach to demonstrating compliance with ISAs is prevalent. We do not agree with the introduction of the term appropriate individuals [within the internal audit function] into proposed ISA 315. It is an unnecessary complication that has rightly been avoided in the case of management and others. It would be better to refer to inquiries of the internal audit function (as is done in paragraph A6) and leave it at that. Proposed ISA 610 does not make use of the term appropriate individuals and so its removal from proposed ISA 315 would also improve consistency between the two ISAs.

20 Page 4 Question 2 Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining? (a) Whether the work of the internal audit function can be used for purposes of the audit engagement; and (b) The planned use of the work of the internal audit function? ISA 315 and ISA 610 deal with three ways in which the internal audit function can increase the effectiveness or efficiency of the external auditor: 1. The auditor may be able to determine a lower assessment of risk (and reduce substantive testing as a consequence) (ISA 315) 2. The auditor uses of the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed (ISA 610) 3. Internal auditors provide direct assistance under the direction and supervision of the external auditor (ISA 610) The factors proposed to be evaluated in connection with 2 and 3 above are dealt with in ISA 610 and we find them generally appropriate. The detailed application material is helpful in determining how, in practice, objectivity and competence may be assessed. We discuss the interaction between independence and objectivity in our answer to question 4 below.

21 Page 5 Question 3 Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor? The language used in the requirement in paragraph 18 of proposed ISA 610 is imprecise. A report relating to the work of the function that the external auditor intends to use could be peripheral to such work, or could amount to a record to the nature, timing and extent of audit procedures performed and the findings thereof. As such it is left to the judgement of the auditor to determine whether any report falls into the category of relevant. The requirement is too imprecise and should be removed. Paragraph 19 of proposed ISA 610 contains the more concrete requirement and we see no need to also have a requirement as set out in paragraph 18. As paragraph 19 itself states, the auditor necessarily evaluates whether any reports prepared by the internal audit function are consistent with the results of the work performed ; thus, reading is implicit. Paragraph A16 adds nothing to the requirement in paragraph 18 and can also be deleted. Reference to reports could be made instead at the end of the first bullet point in paragraph A18 as follows: The procedures the external auditor may perform to appraise the quality of the work performed and the conclusions reached by the internal audit function include the following: Reviewing the internal audit function s work program, working papers, and related reports

22 Page 6 Question 4 Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to? (a) Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and (b) Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity We support the extension of scope of proposed ISA 610 to include direct assistance of internal auditors to the external auditor. We generally agree with the need to evaluate objectivity and competence and the other factors addressed in proposed ISA 610 as set out in parts (a) and (b) of question 2. We are concerned, however, by the statement in paragraph 24 that The level of direction, supervision and review shall recognize that internal auditors are not independent of the entity. We do not think it sensible to introduce the complication of independence when: The extent of direction, supervision or review of the audit procedures performed by the internal auditors is also dependent on the external auditor s evaluation of the degree of objectivity (as set out in paragraph A28). The related application material explains that independence is being judged against the required degree of independence for an external auditor. An external auditor s independence would be compromised by being an employee of the company, but the implication is that this defect can be safeguarded by appropriate direction, supervision or review if the individual is an internal auditor. This is clearly not the case; no amount of extra direction, supervision and review can repair such compromised independence.

23 Page 7 Independence is more than a simple surrogate for objectivity and, if reference to it is retained, the application material ought to explain much more about it. Independence is a state of mind considered to be necessary to allow an individual to act with integrity and exercise objectivity and professional skepticism. (Paragraph of the IESBA Code of Ethics for Professional Accountants). The exercise of professional scepticism is of particular relevance to auditing as paragraph 15 of ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing requires that The auditor shall plan and perform an audit with professional skepticism recognizing that circumstances may exist that cause the financial statements to be materially misstated. Thus the auditor s direction, supervision and review of internal audit staff would have to recognise that the exercise of professional skepticism may be affected by the relative lack of independence. Rather than suggest that ISA 610 needs to include greater coverage of the possible ramifications of the lack of independence of the internal audit staff we would prefer the reference to be dropped. Instead we suggest that the requirement and application material in paragraphs 24 and A28 (paragraph A27 is deleted) should be revised to: 24. The external auditor shall direct, supervise and review the work performed by internal auditors on the engagement in accordance with ISA 220. Such direction, supervision and review shall be more extensive than if members of the engagement team perform the work. A28. The extent of direction, supervision or review of the audit procedures performed by the internal auditors is dependent on the external auditor s evaluation of the degree of objectivity and level of competence of, and the nature and extent of audit procedures to be performed by, the internal auditors. Reviewing the work performed by internal auditors includes consideration of whether professional scepticism has been exercised and the evidence obtained is sufficient and appropriate in the circumstances, and that it supports the conclusions reached. In our answer to question 5 we suggest changes to the reference to independence in paragraph 6 of proposed ISA 315.

24 Page 8 Question 5 Public Interest Concerns Respondents are asked to address whether there are any public interest concerns that have not been addressed. The explanatory memorandum forming part of the exposure draft refers to the concerns of some stakeholders about threats to the independence of the external audit team (in fact or perceived) when internal auditors provide direct assistance. We suggest that it would be helpful for the resulting standards, or indeed a future revision of the IESBA Code of Ethics for Professional Accountants, to clarify how such threats may be safeguarded (in addition to the clear position that internal audit staff are not part of the engagement team). As a minimum paragraph 6 of proposed ISA 315 could be expanded as follows: 6. External auditors may be able to use such work rather than perform that work themselves in obtaining sufficient appropriate audit evidence on which to base the auditor s opinion. Internal auditors may also provide direct assistance on the engagement by performing audit procedures under the direction and supervision of the external auditor. Neither the internal audit function nor the internal auditors are independent of the entity as is required of the external auditor in an audit of financial statements in accordance with ISA 200. Accordingly, the external auditor follows the relevant requirements of this ISA and ISA 610 in order to make use of the work of internal auditors without compromising external auditor independence.

25 Page 9 Question 6 Special Considerations in the Audit of Smaller Entities Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations. We are pleased to note that the requirements relating to the internal audit function in proposed ISA 315 and the scope of ISA 610 are such that for most SMEs it will be a simple matter to judge that no requirements are relevant. Accordingly, there is little need to provide guidance addressing special considerations in the audit of smaller entities. Nevertheless, paragraph 10 of proposed ISA 610 deals with the circumstances of individuals within an entity that perform ad hoc procedures similar to those performed by an internal audit function. The paragraph clarifies the meaning of internal audit function in these circumstances, which may be more common in some SMEs. It would be helpful if paragraph A103a of proposed ISA 315 were also to refer to such arrangements. Alternatively, the definition of internal audit function could be extended to make it clear that it did not include individuals performing ad hoc procedures. Question 7 Special Considerations in the Audit of Public Sector Entities have been dealt with appropriately in the proposed revised ISAs? It is clear from the text (for example paragraph A102 of proposed ISA 315) that the revised ISAs are applicable in the audit of public sector entities and we do not feel the need to expand the text further to include any specific material dealing with special considerations in the audit of public sector entities. Question 8 Developing Nations any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment? We have no specific concerns about the application of the revised ISAs in a developing nation environment.

26 Page 10 Question 9 Translations potential translation issues? We identify no potential translation issues. Question 10 Effective Date appropriate? The proposal is that the revision be effective for audits of financial statements for periods ending on or after December 15, We agree with the date suggested.

Page 11 Question 11 Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB's proposals?

27 Page 11 Question 11 Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB's proposals? We find the impact analysis helpful. Question 12 Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB? In general we agree with the impact analysis as presented, acknowledging that the magnitude of an impact is difficult to judge as it is dependent on whether and if so, the extent to which the external auditor uses the work of internal auditors. Question 13 Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents? The tabular approach is generally understandable but we suggest that users will wish to compare claimed increases in audit effectiveness with expected changes in costs. The direction and magnitude of the impact column combines considerations of effectiveness, work effort, and other impacts and it is not easy, therefore, to see what the balance is between improved quality and increased costs. For example, a decrease in external auditor work effort is identified as a decrease in the second column, which could be interpreted as a decrease in audit effectiveness. Question 14 Would respondents find such an approach useful at the national level? So long as an analysis is available at an international level, we see little point in a further analysis at a national level. While that might highlight aspects of particular relevance to a jurisdiction, (for example one where there were few large companies) the international analysis should contain sufficient detail to inform national stakeholders.

28 TECH-CDR-973.DOC

29 November 12, 2010 Mr. James Gunn Technical Director International Audit and Assurance Standards Board 545 Fifth Avenue, 14th Floor New York, NY Re: Exposure Draft: ISA 610 (Revised), Using the Work of Internal Auditors Dear Mr. Gunn: The American Institute of Certified Public Accountants (AICPA) is pleased to comment on the International Auditing and Assurance Standards Board s (IAASB) proposed International Standards on Auditing (ISA) 610 (Revised), Using the Work of Internal Auditors, and the related conforming amendments to ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment. Request for Specific Comments 1. Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315? Yes, but please see comments below. 2. Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: a. Whether the work of the internal audit function can be used for purposes of the audit engagement; and b. The planned use of the work of the internal audit function? Yes. 3. Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor? Yes. Please see our additional comments below. 4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to:

30 a. Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and b. Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity? Yes, we agree that the scope of ISA 610 should be expanded to address the matter of direct assistance and we agree with the proposed requirements for the external auditor when obtaining the direct assistance of internal auditors. Please see our additional comments below. 5. Public Interest Concerns Respondents are asked to address whether there are any public interest concerns that have not been addressed. None of which we are aware. 6. Special Considerations in the Audit of Smaller Entities Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations. Yes, we believe that it is appropriate for ISA 610 to include guidance addressing special considerations for audits of smaller entities. Please see in particular our comments on paragraphs 9 and 10 of the proposed ISA 610 relating to the description of an internal audit function and the focus on the existence of an internal audit function in the proposed ISA 610. In particular, we are concerned that paragraph 10 unduly narrows the scope of this proposed standard by focusing on the ability to use the work of internal auditors (or those performing similar activities) to the situation where there is a formal internal audit function. We believe the focus would be more appropriately directed to the nature of the activities performed and the competence and objectivity of the individuals performing them. We are concerned that this distinction will unduly limit the applicability of the proposed ISA 610 when performing audits of smaller entities. 7. Special Considerations in the Audit of Public Sector Entities Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs. Yes. 8. Developing Nations Recognizing that many developing nations have adopted or are in the process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment. Not applicable. 9. Translations Recognizing that many respondents intend to translate the final revised ISAs for adoption in their own environments, the IAASB welcomes Page 2 of 12

31 comment on potential translation issues noted in reviewing the proposed revised ISAs. Not applicable. 10. Effective Date Respondents are asked to comment whether, in their opinion, the provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level. The proposed ISA 610 states that it will be effective for audits of financial statements ending or after December 15, Because we believe that the guidance in the proposed ISA 610 will be useful to auditors, especially where direct assistance of the internal auditor is not currently being obtained, we suggest that consideration be given to establishing an earlier effective date, or at least providing for, or encouraging, early implementation. Comments Related to the Conforming Amendments to ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment Obtaining an Understanding of the Internal Audit Function Paragraph 23 of ISA 315 currently reads as follows: If the entity has an internal audit function, the auditor shall obtain an understanding of the following in order to determine whether the internal audit function is likely to be relevant to the audit: a. The nature of the internal audit function s responsibilities and how the internal audit function fits in the entity s organizational structure; and b. The activities performed, or to be performed, by the internal audit function. The Exposure Draft proposes certain conforming amendments to paragraph 23 of ISA 315 such that it would read as follows: If the entity has an internal audit function, the auditor shall obtain an understanding of the nature of the internal audit function s responsibilities, how the function fits in the entity s organizational structure, and the activities performed, or to be performed. The conforming amendment eliminates the notion of in order to determine whether the internal audit function is likely to be relevant to the audit. By doing this, we believe that proposed paragraph 23 does not clearly articulate the intent of the understanding the auditor is required to obtain. Therefore, we believe that the proposed conforming amendment to paragraph 23 should be revised to clarify that the intent of the requirement is to obtain an understanding of the internal audit function so that the auditor can determine whether the internal audit function (and the work it performed) is likely to be relevant to the audit, including whether the auditor might be able to use the work of the internal auditor function or use internal auditors in a direct assistance capacity. Nature of the Internal Audit Function Paragraph A103 of the conforming amendment states, in part, Auditors are more likely to be able to use the work of an entity s internal audit function when it appears, based on experience in previous audits or the auditor s risk assessment procedures, that the entity has a well-established internal audit function (for example, one that is adequately Page 3 of 12

32 and appropriately resourced, and has a direct reporting relationship to those charged with governance). We believe that the example is not clear and may therefore be confusing in that it infers that only where the function reports directly to those charged with governance would it be considered well established. We do not believe that the notions of a well-established internal audit function and direct reporting relationship to those charged with governance are necessarily connected. We also believe, subject to the requirements in proposed ISA 610 (and the extant standard), that it may well be appropriate in the circumstances to use the work of an internal audit function that does not report directly to those charged with governance. Therefore, we suggest that the example be eliminated altogether, or alternatively modified to remove the statement regarding the reporting relationship. Comments Related to ISA 610 (Revised), Using the Work of Internal Auditors Activities of the Internal Audit Function (paragraph 9) Paragraph 9 of the proposed ISA 610 explains that the activities of the internal audit function may be performed by functions that have different titles. We agree with this premise. As an example, we note that in our jurisdiction, there has been an increase in the use of groups dedicated to perform specific activities that are similar to internal auditing activities, and these groups therefore effectively function like an internal audit group, even though they might not be titled as such. Examples of those groups are dedicated groups to test the operating effectiveness of internal control or to test compliance with internal control. U.S. AT 501, An Examination of an Entity s Internal Control Over Financial Reporting That Is Integrated With an Audit of Its Financial Statements (AT 501), recognizes that the auditor might use the work of others, other than internal auditors, but that the use of such work would be subject to the same considerations and framework as would be applicable to internal auditors. Paragraph 30 of AT 501 provides for this as follows: For purposes of the examination of internal control, however, the auditor may use the work performed by, or receive direct assistance from, internal auditors, entity personnel (in addition to internal auditors), and third parties working under the direction of management or those charged with governance that provide evidence about the effectiveness of internal control. In an integrated audit, the auditor also may use this work to obtain evidence supporting the assessment of control risk for purposes of the financial statement audit. We recommend that additional application guidance be added to the proposed ISA 610 to illustrate this point and to not unnecessarily restrict the application of the proposed standard. Internal Audit Function (paragraphs 10 and 13(c)) The proposed ISA 610 focuses on the existence of an internal audit function in order to be able to use the work of internal auditors in accordance with the proposed standard. Paragraph 10 states, in part, There may be individuals within an entity that perform ad hoc procedures similar to those performed by an internal audit function. However, unless performed by an objective and competent function that applies a systematic and disciplined approach, including quality control, such procedures would be considered control activities We believe that focusing on the existence of a formal function having a systematic and disciplined approach is unduly restrictive and will inappropriately limit the application of the proposed ISA 610. Therefore, we do not Page 4 of 12

33 believe that the distinction drawn in the proposed ISA 610 for the situation where there is a formal function as opposed to when there is not, is appropriate. Accordingly, we disagree with the requirement in paragraph 13(c) which we interpret as precluding the ability to use work performed by internal auditors (or those performing internal auditlike activities) unless there was a specific function with a systematic and disciplined approach. We note that in our jurisdiction, it is not uncommon for entities to have appropriately skilled individuals involved in performing internal auditing activities, but there might not be an internal audit function which is subject to a systematic approach and disciplined approach. This may be especially the case in smaller entities that have a very limited number of internal audit personnel (or perhaps even have part-time internal audit personnel). We disagree with the premise that unless performed by an objective and competent function that applies a systematic and disciplined approach, including quality control, such procedures would be considered control activities. We believe that the determination as to whether the work of an internal auditor is a control activity or an internal audit activity depends on the specific facts and circumstances which the external auditor evaluates using his or her professional judgment considering the assessment of the risk of material misstatement. Therefore, we recommend that the proposed ISA 610 should also provide that, in some situations, it may be appropriate for the auditor to use work of internal auditors (or those performing internal audit-like activities), even where there is not a formal internal audit function, and that it may also be appropriate to obtain direct assistance from such individuals subject to review and supervision by the external auditor. Therefore, we strongly believe that rather than focusing on the systematic nature of the approach and on the specific existence of a formal internal audit function, the focus should be on the activities of the individuals performing internal auditing activities and on their respective skills, expertise, and objectivity. The most important considerations of the auditor in evaluating whether the work of the internal audit function can be used, or whether an internal auditor can be used in a direct assistance capacity, should be an assessment of the risks associated with the particular work and whether the internal auditors (or function) are sufficiently competent and objective, such that their work is suitable for the auditor s purpose. We believe that the scope of proposed ISA 610 is inappropriately limited by focusing on the existence of a formal internal audit function and categorizing internal auditing activities performed in the absence of a formal function as control activities, such that the external auditor would not be able to consider using such work in the manner provided for in the proposed standard. Therefore, we believe that paragraph 10 should be revised to remove this distinction. We also suggest clarifying in the background (and possibly the objective see comment below) to the proposed standard that the use of the term internal audit function throughout the proposed standard is not intended to preclude the ability to use the work of appropriately competent and objective internal auditors who might not be organized in a formal internal audit function. Alternatively, consideration should be given to redrafting the requirements and the application material such that the focus is on internal audit activities as opposed to the internal audit function. Note that we have provided a suggestion as to how to accomplish this for the objective, as described below; however, we have not made Page 5 of 12

34 specific suggestions for the rest of the proposed standard. Accordingly, our use of the term internal audit function in our comments is not intended to preclude reference to internal audit activities performed by individuals who might not be part of a formal internal audit function. Objectives of Proposed ISA 610 (paragraph 12) We believe that the objectives are not clearly articulated; because, they do not separately address the concepts of using the work of an internal audit function and using internal auditors in a direct assistance capacity. In light of the issues raised above regarding the seemingly narrow focus on the internal audit function, we also question whether the objectives should be focused on internal auditor activities as opposed to the internal audit function. To capture this thought and to clarify the objectives, we suggest separating the concepts of (1) using the work of an internal audit function/individuals who perform internal auditing activities and (2) using direct assistance into separate sub-paragraphs. The following paragraph suggests our proposed revision to paragraph 12: 12. The objectives of the external auditor, where the entity has an internal audit function or individuals who perform internal audit activities, are: a. To determine whether, and to what extent, to use the work of the internal audit function or individuals performing internal audit activities to modify the nature or timing, or reduce the extent, of audit procedures to be performed; b. To determine whether, and to what extent to obtain direct assistance from internal auditors or individuals performing internal audit activities; and c. If the external auditor intends to use the work of the internal audit function or individuals performing internal audit activities or to obtain direct assistance from internal auditors or other individuals performing internal audit activities, to determine whether that work is adequate for the purposes of the audit. Determining the Planned Use of the Work of the Internal Audit Function (paragraph 15) Paragraph 15 of the proposed ISA contains several factors that the auditor is required to consider in determining the planned use of the work of the internal audit function. We are concerned that the requirement is confusing because it combines several thoughts. Paragraph 15 of the proposed ISA 610 states the following: 15. In determining the planned use of the work of the internal audit function, the external auditor shall consider: (a) The external auditor s evaluation of the degree of objectivity and level of competence of the internal audit function; (b) The nature and scope of work performed, or to be performed, by the internal audit function and its relevance to the external auditor s overall audit strategy and audit plan; and (c) The amount of judgment involved in: Page 6 of 12

35 (i) Planning and performing relevant audit procedures for particular classes of transactions, account balances and disclosures; and (ii) Evaluating the audit evidence gathered by the internal audit function in support of the relevant assertions. Sub-paragraphs (a) and (b) seem to work in tandem, but they seem to be broader, more overall factors that the external auditor would consider in determining whether to use the work of the internal audit function. Sub-paragraph (c) seems to be a more granular consideration and something that might be more relevant to the particular work that the auditor is considering using. It is also not clear whether sub-paragraph (c) is referring to the judgment of the auditor or the internal auditor or both. We suggest separating subparagraph (c) into a separate paragraph. In addition, we believe that the requirement in sub-paragraph (c) is missing specific consideration of materiality. The following paragraph suggests our proposed paragraph to replace sub-paragraph (c) and includes what we would view as essential guidance relating to the requirement: 15x. When the auditor plans to use the work of the internal audit function, in determining what work to use and the extent to which it can be used, the auditor shall consider a. The materiality of financial statement amounts to which the work pertains that is, account balances or classes of transactions. b. The risk (consisting of inherent risk and control risk) of material misstatement of the assertions related to these financial statement amounts. c. The degree of subjectivity involved in the evaluation of the audit evidence gathered in support of the assertions. As the materiality of the financial statement amounts increases and either the risk of material misstatement or the degree of subjectivity increases, the need for the auditor to perform the auditor s own tests of the assertions increases. As these factors decrease, the need for the auditor to perform the auditor s own tests of the assertions decreases. Significant Judgments (paragraph 16) Paragraph 16 of the proposed ISA 610 requires, in part, that the external auditor shall make the significant judgments in the audit engagement We believe that this specific requirement is not necessary because the concept of the auditor making significant judgments is implicit throughout the ISAs. It is not clear what incremental action would be necessary to satisfy this requirement and also what documentation would be necessary to demonstrate having complied with it. We believe that the requirement would be more precise and operational without paragraph 16(a). In addition, we suggest that the application material be revised to indicate that the auditor is (as a matter of fact) responsible for making the significant judgments throughout the audit. Therefore, we recommend that paragraph 16 of the proposed ISA be redrafted as follows: 16. Because the external auditor has sole responsibility for the audit opinion expressed, the external auditor shall plan to directly perform sufficient procedures to be able to draw reasonable conclusions on which to base the external auditor s opinion. We recommend that the first sentence of paragraph A13 of the application material be rephrased as follows: Page 7 of 12

36 A13. Because the external auditor has sole responsibility for the audit opinion expressed, the external auditor is responsible for making the significant judgments in the audit engagement. Use of Internal Auditor s Work in Areas Where Significant Risks Have Been Identified or Where the Degree of Subjectivity Involved in the Evaluation of the Audit Evidence is High Notwithstanding the discussion in paragraphs A11 through A13, the proposed ISA 610 does not specifically impose any limitation on the use of the work of internal auditors in areas where significant risks have been identified or where the degree of subjectivity involved in the evaluation of the audit evidence is high. We believe that for significant risks or where the degree of subjectivity involved in the evaluation of the audit evidence is high, the auditor should not solely use the work of internal auditors. Therefore, we suggest that an additional requirement be added to the proposed ISA 610 requiring that where the auditor plans to use the work of the internal audit function to address significant risks or where the degree of subjectivity involved in the evaluation of the audit evidence is high, that the auditor should also perform procedures directly: New Requirement: If the auditor plans to use the work of the internal audit function for assertions where significant risks of material misstatement have been identified or where the degree of subjectivity involved in the evaluation of the audit evidence is high, the auditor should also plan to perform procedures directly. New Application Material: For assertions where significant risks of misstatement have been identified or where the degree of subjectivity involved in the evaluation of the audit evidence is high, the consideration of internal auditors' work cannot alone reduce audit risk to an acceptable level to eliminate the necessity to perform tests of those assertions directly by the auditor. Assertions about the valuation of assets and liabilities involving significant accounting estimates, and about the existence and disclosure of related-party transactions, contingencies, and revenue recognition, are examples of assertions where significant risks of material misstatement may likely exist or where a high degree of subjectivity may be involved in evaluating the audit evidence. Using the Work of the Internal Audit Function (paragraphs 18 and 19) Paragraph 18 of the proposed ISA 610 requires the auditor to read the reports of the internal audit function. We believe that the proposed ISA 610 should more clearly define what is meant by the term report. In some cases, it may be a formal report prepared by the internal auditor; however, in other cases, it may be less formal documentation of the internal auditor s conclusions. We believe that the auditor should be required to read documentation summarizing the results of work performed by the internal audit function where the external auditor plans to use such work. Paragraph 19 establishes requirements of the auditor to evaluate the adequacy of the work of the internal audit function. Paragraph 19 reads as follows: 19. In order to have a sufficient basis to support the use of work of the internal audit function, the external auditor shall perform audit procedures that are appropriate in the circumstances on that work to determine its adequacy for purposes of the audit engagement. In determining the adequacy of such work, the external auditor shall evaluate whether: Page 8 of 12

37 (a) The work was properly planned, performed, supervised, reviewed and documented; (b) Adequate audit evidence has been obtained to enable the internal audit function to draw reasonable conclusions; and (c) Conclusions reached are appropriate in the circumstances and any reports prepared by the internal audit function are consistent with the results of the work performed. We believe that paragraph 19 is confusing because it is not clear whether the requirements in sub-paragraphs (a) (c) are intended to be applied to each individual project of the internal audit function (for example, each individual test or activity performed by the internal auditor) or whether they should be applied to the work of the internal audit function or individual internal auditors at a more overall level. We do not believe that all of the matters addressed in paragraph 19 need to be separately or specifically evaluated for each and every test or activity performed by the internal auditor that the external auditor plans to use. If the requirements in paragraph 19 are intended to be applied to every internal audit test or activity, we believe that this would require that the evaluation of the work of the internal auditor that the external auditor plans to use would in all cases need to be performed at a very granular and detailed level. In many cases, this would eliminate any potential benefits from efficiencies to be obtained through using the work of internal auditors. In particular, we believe that the items in paragraph 19(a) may be addressed at a more overall level. Therefore, we believe the guidance to this requirement should be explicitly clarified to provide that the requirement may be applied at a more overall level (i.e., if appropriate, at the level of the overall internal audit function or more specifically to the individuals or separate groups of individuals performing the tests or activities that the external auditor plans to use) and is not necessarily intended to be separately applied to each and every test or activity that the external auditor plans to use. The procedures in 19(a) are, in reality, an extension of the work already performed to address the requirements in paragraph 13 through 15. This linkage or drill down approach should be made more apparent in the proposed standard. We also believe that the procedures to be performed to address the requirements in subparagraphs 19(b) and (c) need to specifically encompass all of the work that the external auditor plans to use, but the external auditor may exercise professional judgment in determining the nature, timing, and extent of the necessary procedures in order to have a basis to conclude with respect to sub-paragraphs 19(b) and (c). We also do not believe that reperformance procedures are clearly explained in the proposed ISA 610. We believe that in making the evaluation in paragraph 19, the auditor should be required to test some of the internal auditor s work and that this should be made clearer in the proposed ISA 610. Reperformance testing may be accomplished by either examining some of the controls, transactions, or balances that the internal auditors examined or by examining similar controls, transactions, or balances not actually examined by the internal auditors. We do not believe that it is necessary that the external auditor should be required to reperform some portion of each and every internal audit test or activity that the external auditor plans to use. Reperformance testing may be supplemented with reviews of working papers and also observation. We believe that the proposed ISA 610 should explain that the external auditor should use professional judgment in determining the nature and extent of necessary reperformance Page 9 of 12

38 testing and may plan such testing in consideration of factors such as the risk associated with the particular tests or activities and related financial statement assertions, whether the same individual has performed multiple tests or activities, whether the same work program has been used, etc. The overall focus of the external auditor should be on using professional judgment in performing sufficient procedures to have a basis to conclude as the quality and effectiveness of the internal auditor s work such that it is adequate for the auditor s purposes. Obtaining Direct Assistance from Internal Auditors (paragraphs 20 24) Paragraphs 20 through 24 address obtaining direct assistance from the internal auditors. Similar to paragraph 15(c), we believe that paragraph 22(c) should be drafted as a separate requirement see specific comment above. We also believe that the proposed ISA 610 is missing some important considerations including, for example, communications between the auditor and the internal auditor performing the direct assistance. We suggest that the following be added as application material to paragraph 24: Axx. In directing internal auditors providing direct assistance, it is appropriate for the auditor to inform the internal auditors of their responsibilities, the objectives of the procedures they are to perform, and matters that may affect the nature, timing, and extent of such audit procedures, such as possible accounting and auditing issues. The auditor may also remind internal auditors about bringing all significant accounting and auditing issues identified during the audit to the auditor s attention. We also believe that when using internal auditors in a direct assistance capacity, the auditor should be careful to not compromise the effectiveness of the audit by providing such internal auditors with free access to the external auditor s audit documentation. The internal auditor s access to audit documentation should be limited to the areas that he or she is being assigned to by the external auditor. We recommend that an incremental requirement be included in ISA 610 to address this matter. Documentation We believe that paragraph 25 of the proposed ISA 610 should contain a specific requirement of the auditor to retain in the audit documentation the internal audit reports that are required to be read in accordance with paragraph 18 of the proposed ISA 610. Furthermore, we believe that the auditor should retain in the audit documentation the internal auditor s significant conclusions relating to the work that the external auditor is planning to use, regardless of the formality of the reports or documentation. In addition, we recommend that an additional requirement be added to address how the auditor satisfied the requirements of paragraph 24 pertaining to the level of direction, supervision, and review of internal auditors providing direct assistance to the auditor. *** Thank you for the opportunity to comment on this exposure draft. If you have any questions regarding the comments in this letter, please contact Mr. Hiram Hasty at , hhasty@aicpa.org. Page 10 of 12

39 Respectfully submitted, /s/ Darrel R. Schubert Chair, Auditing Standards Board Page 11 of 12

40 Exposure Draft: ISA 610 (Revised), Using the Work of Internal Auditors Other Comments The following comments represent more minor and editorial comments that we believe the IAASB should consider in finalizing the conforming amendments to ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and finalizing ISA 610 (Revised), Using the Work of Internal Auditors. Conforming Amendments to ISA 315 Paragraph A6c we suggest adding in the auditor s judgment in the first sentence following the word who. Paragraph A103b we suggest changing the word engagement to the period covered by the engagement in the first and fourth sentences. Proposed ISA 610 Paragraph 5 we suggest adding the phrase some or all which may be relevant at the end of the paragraph. Paragraph 6 we suggest changing the term such work in the first sentence to the work of the internal audit function or work performed by internal auditors Paragraph 9 we suggest adding the word sole in front of the word determinants in the third sentence of the paragraph. Paragraph A3 we suggest adding and financial reporting to the sub-title Activities relating to internal control. Paragraph A9 we suggest the following edits, Factors that may affect the external auditor s determination of whether the activities of the internal audit function are appliesd a systematic and using a disciplined approach to planning Paragraph A11 in light of our comments above, we do not believe that this paragraph is necessary and we recommend that it be deleted. Paragraph A14 third bullet would not be necessary based on the comments to paragraph 15 above. Paragraph A17 we do not believe the fourth bullet is necessary because this is part of gaining an understanding of the entity s financial reporting process. Paragraph A19 to improve the readability of the paragraph, we suggest breaking up the long sentences in the paragraph. Paragraph A20 in the third sentence, the term stronger form is missing the relevant comparison. We suggest more relevant and reliable or more persuasive. Page 12 of 12

41 Auditing Practices Board Audit Inspection Unit Aldwych House, Aldwych, London WC2B 4HN Telephone: Fax: Technical Director International Auditing and Assurance Standards Board 545 Fifth Avenue, 14 th Floor New York New York USA 15 November 2010 Dear Sir Exposure Draft: ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment ISA 610 (Revised), Using the Work of Internal Auditors This is a joint response to the above exposure draft from the Auditing Practices Board (APB) and Audit Inspection Unit (AIU) of the Financial Reporting Council (FRC). The FRC is the UK s independent regulator responsible for promoting high quality corporate governance and reporting to foster investment. The APB is responsible for setting high quality standards and guidance for the performance of external audit. The AIU is part of the FRC s Professional Oversight Board (POB) and is responsible for the monitoring of the audits of all UK listed and other major public interest entities in order to safeguard and improve audit quality. Through its work it obtains important insights into the practical application of auditing standards and guidance and how they might be improved to enhance audit quality. The comments and recommendations expressed in this response have been approved on behalf of the Boards of both the APB and the POB. We are supportive of the direction of the proposed revisions of ISAs 315 and 610, including the expansion of scope to address direct assistance. These revised ISAs represent an improvement by setting out a logical flow to the external auditor s consideration and, where relevant, use of an entity s internal audit function. However, we have identified a number of concerns which we believe are significant and therefore need to be addressed. These relate in particular to:

42 the factors to be evaluated when determining the use to be made of the work of the internal audit function (see our response to your question 2). In particular, there need to be clearer limitations on the extent to which the auditor can use the work of internal audit in areas of higher assessed risk; identifying areas where obtaining direct assistance is not appropriate (see our responses to your question 4). In particular, it needs to be made clearer that the external auditor should not obtain direct assistance from internal auditors to perform procedures that will provide the basis for significant judgments or where there is a significant risk of material misstatement. We have a number of other recommendations that we believe would further enhance the revision of ISA 610 and these are described below. When the ISA revisions are finalised we would need to expose them for consultation prior to their adoption in the UK and Ireland. As part of that process we will wish to evaluate whether our concerns have been adequately addressed in the final standards or whether supplementary requirements and/or guidance might be necessary in the UK and Ireland to address them. Responses to specific questions asked by the IAASB 1. Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315? Yes, we agree that it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function where one exists. Such inquiries are particularly relevant to the external auditor when identifying and assessing risks of material misstatement. This is because it cannot be assumed that, where such a risk has been identified by internal audit, it would necessarily also be identified by the external auditor without making inquiries of internal audit. We also believe that the auditor should also be required to consider any matters that have been raised with the audit committee, where one exists, by management or others within the entity, including the internal audit function. This should be an additional point in paragraph 6: (x) Consideration of any matters raised with the Audit Committee (if one exists) by management or others within the entity, including the internal audit function (if one exists). ISA 315 is the appropriate standard in which to place these requirements. 2. Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: (a) (b) Whether the work of the internal audit function can be used for purposes of the audit engagement; and The planned use of the work of the internal audit function? 2

43 No, some changes are required to the factors to be considered and, in addition, we have a number of other concerns which are described below. Objectivity of the internal auditors Paragraph 13(a) requires the auditor to evaluate the extent to which the internal audit function s organizational status and relevant policies and procedures support the objectivity of the internal auditors. This is appropriate. However, paragraphs 14 and 15(a) are worded in a way that suggests the outcome of paragraph 13(a) is an evaluation of the degree of objectivity of the internal audit function. This is not appropriate objectivity is a state of mind and cannot as such be evaluated absent evidence of how it has or has not been exercised, which may not be available to the external auditor. It would be better for paragraphs 14 and 15(a) to refer to threats to the objectivity of the internal auditors that have been identified. Suggested drafting changes are set out below. We also believe that, when considering whether the relevant policies and procedures of the internal audit function support the objectivity of the internal auditors, there should be a presumption that internal auditors do not have any managerial or operational duties or responsibilities outside the internal audit function. We believe that an additional bullet point should be added to paragraph A6 in this respect: Whether the internal auditors have any managerial or operational duties or responsibilities outside the internal audit function ordinarily there would be a presumption that such duties or responsibilities would represent too significant a threat to the objectivity of the internal auditors to enable the auditor to use the work of the internal audit function. Systematic and disciplined approach Paragraph 13 requires the auditor to determine whether the work of the internal auditor can be used for purposes of the audit by evaluating the matters in paragraphs 13(a) (extent of support for objectivity), (b) (level of competence) and (c) (whether there is a systematic and disciplined approach, including quality control). This does not recognize the degree to which the internal audit function applies an effective systematic and disciplined approach and draws reasonable conclusions. For example, the effectiveness of the quality control policies and procedures may vary from one internal audit function to another. Paragraph 14 indicates the auditor is required only to take account of its evaluations in relation to the function s support for objectivity and its competence. We believe that, in addition, the auditor should not be permitted to use the work of the internal audit function unless the auditor is satisfied that the internal audit function applies an effective systematic and disciplined approach, including appropriate quality controls. Suggested drafting changes to paragraphs 13 to 15 to address our concerns in relation to Objectivity of the internal auditors and Systematic and disciplined approach are set out below: 3

44 13 (c) WhetherThe extent to which the internal audit function applies an effective systematic and disciplined approach, including quality control, and draws reasonable conclusions on the basis of its findings. 14 The external auditor shall not use the work of the internal audit function if it hasthe external auditor concludes on the basis of the evaluation in paragraph 13 that: (a) There are significant threats to the objectivity of the internal auditors, regardless of the level of competence; or (b) It has a low level of competence, regardless of the level of threats to the objectivity of the internal auditors; or (c) It does not have an effective systematic and disciplined approach, including appropriate quality control. Determining the Planned Use of the Work of the Internal Audit Function 15 In determining the planned use of the work of the internal audit function, the external auditor shall consider: (a) The external auditor s evaluation of the degree of threats to the objectivity of the internal auditors and the level of competence of the internal audit function; Conforming changes would need to be made to the related application material. Because the premise of paragraph A8 appears to be that a systematic and disciplined approach is a unique (and therefore defining) feature of an internal audit function, paragraph A8 implies that whenever there are monitoring control activities performed by management that follow a systematic and disciplined approach, the individuals performing them may be regarded as part of an internal audit function. Although we recognise that it is important that an internal audit function has an effective systematic and disciplined approach including appropriate quality control, we do not believe that that alone is sufficient to describe the key characteristics of an internal audit function. We believe that what distinguishes an internal audit function from other monitoring control activities is that internal audit activities are undertaken by a function that, in addition to applying a systematic and disciplined approach, is competent and has sufficient support to ensure the objectivity of the internal auditors. We believe, therefore, that the language should be clarified and suggest the following redrafting: A8. The application of a systematic and disciplined approach is an one of the important characteristics that, taken together with support for the objectivity of the internal auditors and the competence of the function, distinguishes the activities of the internal audit function from other monitoring control activities that may be performed within the entity. Risks of material misstatement The extent and nature of risk is important in determining the extent of the external auditor s work. While it is acknowledged that there is some link between risk and the nature of work/the degree of judgment, we believe that there should be some limitations on the extent to which the external auditor can use the work of the internal audit function in areas of higher 4

45 assessed risk. Accordingly, we believe that paragraph 15 should include a further point (d) requiring the auditor to consider: The assessed level of risk of material misstatement in relation to the transactions, account balances or disclosures that are being audited. The application material should be restructured so that this requirement is supported by the last sentence of paragraph A13, which could become a new paragraph A14. This identifies that the higher the assessed risks of material misstatement, the more persuasive the audit evidence required by the external auditor will need to be, and, therefore, the more likely it will be that the external auditor will need to perform more of the work directly. We do not think sufficient emphasis is given to this in the exposure draft with the requirements focused solely on the amount of judgment involved. In paragraph 15(c) the words the auditor s should be inserted before judgment for clarity. Direct performance of procedures by the external auditor Paragraph 16 does not make it sufficiently clear that the external auditor should directly perform the procedures necessary to make the significant professional judgments in the audit without using the work of the internal audit function. Accordingly, we believe that paragraph 16 should be reworded as follows: 16 Because the external auditor has sole responsibility for the audit opinion expressed, the external auditor shall directly perform procedures to the extent necessary to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the external auditor s opinion on the financial statements. The external auditor shall not use the work of the internal audit function as a basis to make the significant professional judgments in the audit engagement.: (a) Make the significant judgments in the audit engagement; or (b) Plan to directly perform sufficient procedures to be able to draw reasonable conclusions on which to base the external auditor s opinion. regardless of the external auditor s decision to use the work of the internal audit function. 3. Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor? Yes, the external auditor should be required to read reports produced by the internal audit function that relate to work the external auditor plans to use. See also our comments below regarding ISA 315 and the auditor reading reports as part of the process of identifying and assessing risks of material misstatement. 4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when 5

46 obtaining the direct assistance of internal auditors the external auditor should be required to: (a) (b) Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity? Scope Yes, we agree the scope of ISA 610 should be expanded to address direct assistance to achieve clarity on this point as there are clearly risks to audit quality in relation to such assistance. We already add supplementary guidance on direct assistance to the current ISA 610 as implemented in the UK and Ireland. We acknowledge that there are some jurisdictions where direct assistance is prohibited but there are others, including our own, where it is permitted and accepted as appropriate in certain circumstances. It is appropriate for ISA 610 to establish relevant requirements and application material to support audit quality where direct assistance is a possibility. Remaining silent on the matter would not be conducive to harmonisation of audit practice and may facilitate inconsistencies and practices that could be detrimental to audit quality. However, it is important that ISA 610 should not be perceived as encouraging direct assistance from internal auditors. In our view direct assistance is only appropriate where the internal auditors perform what may be regarded as mundane external audit procedures and not audit procedures that will provide the basis for significant judgments or where there is a significant risk of material misstatement. See our further comments below on areas where direct assistance is not appropriate. Factors to consider Objectivity of the internal auditors providing direct assistance Consistent with our comments above on the factors to be taken into account when considering whether to use the work of internal audit, we believe that paragraphs 20, 21(a) and 22(a) should require external auditor to consider threats to the objectivity of the internal auditors rather than attempt to evaluate their actual degree of objectivity. Appropriate changes would be: 20. the external auditor shall evaluate the degree of threats to objectivity and the level of competence of the internal auditors 21 The external auditor shall not obtain the direct use of an internal auditor if the internal auditor has: (a) a low degree of objectivity There are significant threats to the objectivity of the internal auditor, regardless of the internal auditor s level of competence of the internal auditor; or (b) a low level of competence The internal auditor has a low level of competence, regardless of internal auditor s degree of the level of threats to the objectivity of the internal auditor. 6

47 22 In determining the work that may be assigned to individual internal auditors and the amount of direction, supervision and review that is appropriate in the circumstances, the external auditor shall consider: (a) The external auditor s evaluation of the degree of threats to the objectivity and the level of competence of the internal auditors who will be providing such assistance; The documentation requirement would also need to be changed to reflect this as follows: 25 If the external auditor uses the work of the internal audit function, the external auditor shall include in the audit documentation: (a) The evaluation of the degree of threats to the objectivity of the internal auditors and the level of competence of. Areas where direct assistance is not appropriate In our view, internal auditors should not be used to provide direct assistance where the assistance to be provided would give rise to a self review threat because of other work that they have previously undertaken (e.g. working on an area for which they have already given a clean bill of health to management or those charged with governance). This could be addressed in paragraph 23 (see below). As explained above, we also believe that it needs to be made clearer that the external auditor should not obtain direct assistance from internal auditors to perform procedures that will provide the basis for significant judgments or where there is a significant risk of material misstatement. Taking account of the above, we recommend rewording paragraph 23 as follows: 23 The external auditor shall not obtain direct assistance from internal auditors to perform audit procedures: (a) Whereby the internal auditors which the external auditor will rely upon when making significant judgments in the audit engagement; or (b) That respond to a significant risk of material misstatement; or (c) On areas the internal auditors have already reported on to management or those charged with governance; or (bd) To perform procedures to determine whether the work of the internal audit function can be used for the purposes of the audit. For the reasons explained above, the guidance in paragraph A22 should be amended to make it clearer that direct assistance is not encouraged and is only appropriate where the internal auditors will perform mundane audit procedures. For example: A22. It may be possible in In some limited circumstances the external auditors to may obtain direct assistance from the internal auditors in carrying out audit procedures which otherwise would be performed by the external auditors themselves. Such assistance is only appropriate where the internal auditors will perform what would be regarded as mundane external audit procedures (being procedures that do not 7

48 provide the basis for significant audit judgments nor are required to address significant risks of material misstatement). In such these circumstances, external auditors use internal auditors, under the direction, supervision and review of the external audit team, to perform audit procedures directly on the engagement which otherwise would be performed by the external auditors themselves. Formalisation of the working arrangements The guidance in paragraph A24 suggests that the external auditor may discuss with those charged with governance such matters as the extent to which the work of internal auditors will be used on the audit engagement, including the planned use of direct assistance. We believe the arrangements for obtaining the direct assistance of internal auditors need to be more formalised and that the external auditor should: (i) (ii) Obtain a written confirmation from the relevant internal auditors and from an authorised representative of the entity that relevant individuals agree to follow the instructions of staff of the audit firm in relation to the work performed and that, where applicable, they will keep confidential specific matters as instructed by the audit team; and Confirm with the head of internal audit and/or those responsible for governance in the organisation, the role that the individuals will play, the responsibility of the external auditor for quality assurance and the overall audit opinion, and the agreement of the entity to the terms in (i) above; Having a formal agreement in place was a matter that the Institute of Internal Auditors considered important when they responded to the exposure of the guidance we include in our standards. We recognise, as discussed in the Explanatory Memorandum, that it is important that undue pressure should not be placed on external auditors to use internal auditors for cost or other reasons which could be detrimental to audit quality. We believe that our proposals for more formalised arrangements would strengthen rather than weaken the authority of the auditor in this respect. Direction, supervision and review Clearly the external auditor needs to direct, supervise and review the audit procedures performed by those internal auditors providing direct assistance. However, we are concerned that the requirement in the second sentence of paragraph 24 that The level of direction, supervision and review shall recognize that internal auditors are not independent of the entity is insufficient in that it focuses only on the level and not the nature of the procedures. The guidance in paragraph A27 explains that this means that the direction, supervision or review will ordinarily be more extensive than if members of the engagement team perform the work. This suggests that direct assistance requires more direction, supervision and review than is discussed in paragraphs A13 A19 of ISA 220. From a regulatory viewpoint, we note that it may be difficult for the external auditor to be able to demonstrate that the level of direction, supervision and review has been more extensive than for members of the engagement team. We believe that the lack of independence of the internal auditors requires more intrusive direction, supervision and review in relation to direct assistance. In addition to requiring a higher level, another important difference should be the nature of the review work undertaken. For example, the review procedures should involve the external auditor checking 8

49 back to the entity s supporting records for some of the work performed. Accordingly we believe that the requirement in paragraph 24 should be amended to: The level of direction and supervision and the level and nature of review shall recognize that internal auditors are not independent of the entity. The review procedures shall include the external auditor checking back to the entity s accounting records for some of the work performed by the internal auditors. What is particularly important, and could be stated, either in the requirements or in the application material, is that the external auditor needs to be satisfied that the internal auditors providing direct assistance have obtained sufficient appropriate audit evidence to support the conclusions based on that work. Other Comments ISA 315 Reading internal audit reports Proposed guidance in paragraph A6b suggests that If, based on responses to the auditor s inquiries, it appears that there are findings that may be relevant to the entity s financial reporting and the audit, the auditor may find it useful to read related internal audit reports. We believe this should be elevated to a requirement as follows: Where, based on the external auditor s inquiries or consideration of matters raised with the audit committee, it appears that internal audit has identified matters that may give rise to a risk of material misstatement, the external auditor shall read any related internal audit reports. ISA 610 What is an internal audit function for the purpose of the ISA? Paragraphs 9 and 10 of the Introduction appear to present an explanation of what is, and is not, an internal audit function for the purpose of the standard, but this is not definitive. We believe that it would be helpful to amend these paragraphs as follows: 9 Activities similar to those performed by an internal audit function may be conducted by functions with other titles within an entity. Some or all of the activities of an internal audit function may also be outsourced to a third-party service provider. Neither the title of the function, nor whether it is performed by the entity or a third-party service provider, are determinants of whether or not the external auditor can use the work of the internal audit function or third party provider. Rather, it is the nature of the activities, and the objectivity and competence of the individuals in the function or third party provider that are relevant. References in this ISA to the work of the internal audit function include relevant activities of other functions or third party providers that have these characteristics. 10. There may be individuals within an entity that perform ad hoc procedures similar to those performed by an internal audit function. However, unless performed by an objective and competent function that applies a systematic and disciplined 9

50 approach, including quality control, such procedures would be considered control activities and obtaining evidence regarding the effectiveness of such controls would be part of the auditor s responses to assessed risks in accordance with ISA 330. Ordinarily, persons with operational/ managerial duties and responsibilities outside the internal audit function would face threats to their objectivity that would preclude them from being treated as part of an internal audit function for the purpose of this standard.. Quality control The auditor is required to evaluate whether the internal audit function has appropriate quality control policies and procedures. It would be helpful to provide guidance in the application material to assist the external auditor to do this and we believe that many of the elements of ISQC 1 provide a suitable model against which to make the evaluation. We recommend that the second bullet point in paragraph A9 be extended to make reference to ISQC 1 as follows: Whether the internal audit function has appropriate quality control policies and procedures; for example such as those policies and procedures in ISQC 1 that would be applicable to an internal audit function, including those relating to leadership, human resources and engagement performance. Other appropriate requirements may be established by a professional body for internal auditors. Discussion and co-ordination with the internal audit function The list of matters set out in paragraph A14 that it may be useful to address with the internal audit function should include the nature of the work performed. Using the work of the internal audit function Paragraph 19(b) requires the external auditor to evaluate whether adequate audit evidence has been obtained to enable the internal audit function to draw reasonable conclusions. The concept of adequate audit evidence is not used in any other ISAs and it is not clear what would be required for evidence to be adequate. This requirement should instead refer to whether sufficient appropriate audit evidence has been obtained, consistent with other ISAs and the meaning of which is explained in ISAs 200 and 500. Without this change there is a risk that 19(b) could read as indicating that a lower level of audit evidence is acceptable for internal audit than for external audit work. With respect to the examples of work that may be used, we recommend that the second bullet point of paragraph A17 is amended as follows: Limited Ssubstantive procedures in low risk areas not involving the exercise of judgment (for example, checking reconciliations) We also recommend that paragraph A18 is deleted. The different types of procedure described are reasonably obvious (reperformance, review, observation) but there is a risk that it could be read as suggesting that only one of these types of procedure would be sufficient to enable the external auditor to evaluate the internal audit work performed. We expect that, when determining the adequacy of the work of the internal audit function, the external auditor would always review their work program and working papers (it would be difficult to comply with paragraph 19(a) without such review), and paragraph A20 makes clear that in most circumstances some reperformance will be appropriate. We believe that observing the 10

51 procedures performed by the internal audit function is likely to be of limited value and would never be an appropriate sole procedure. Examples of work of the internal audit function that may be used We recommend that the last bullet of paragraph A17 is amended to Audits or reviews of the financial information, of subsidiaries that are not significant components to the group, subject to complying with the requirements of ISA 600 regarding the involvement of the group engagement team. This is important as where a group consists only of components not considered significant components the group engagement team needs to be involved to an appropriate extent in the work performed. If you wish to discuss our comments please contact Marek Grabowski (Telephone +44 (20) ) or Andrew Jones (Telephone +44 (20) ). Yours faithfully Richard Fleck Chairman, APB Paul George Director of Auditing and Director, POB 11

52 Auditing Standards Committee Comment Letter Proposed International Standards on Auditing, Revisions to ISA 315 and ISA 610 Authors: James Bierstaker, Lawrence Abbott, Paul Caster, Susan Parker, Philip Reckers INTRODUCTION The Auditing Standards Committee of the Auditing Section of the American Accounting Association is pleased to provide comments on the Proposed International Standards on Auditing, Revisions to ISA 315 and ISA 610 exposure draft. We very much appreciate the opportunity to provide input. The views expressed in this letter and attachments are those of the members of the Auditing Standards Committee and do not reflect an official position of the American Accounting Association. In addition, the comments reflect the overall consensus view of the Committee, not necessarily the views of every individual member. We hope that our attached comments and suggestions are helpful and will assist in finalizing the proposed guidance. If the Board has any questions about our input, please feel free to contact our committee chair for additional follow-up. Comments related to revised IAS 610 We believe that it would be helpful for the board to provide more concrete examples of situations in which it would never be appropriate for internal auditors to assist directly in the work of the external auditor. For example, while external auditors may make inquiries of internal auditors about fraud risks in the organization, internal auditors should never be participants in the discussion of fraud risks by the external auditors. Likewise, we would suggest that internal auditors should not be apprised beforehand of any audit procedures that are to be performed on a surprise basis. Similarly, internal auditors should not be made aware of, in advance, of the locations chosen for the observation of inventory counts, for clients with multiple locations. Internal auditors should never participate in the discussion of the type of audit opinion being considered by the external auditors. This discussion, should the board determine to include it, could also appear after paragraph A22. The Public Company Accounting Oversight Board, in its proposed new standard on confirmation evidence, specifically excludes internal auditors from participating in the confirmation process. We are of the opinion that the PCAOB policy is too restrictive and that internal auditors could be used in certain circumstances by external auditors for such tasks as gathering evidence on exceptions noted on confirmation forms and checking addresses, for instance. However, we believe that internal auditors should not be involved in the preparation, control, or sending of confirmations, nor in the receipt of confirmations from confirmees.

53 The revision does not explicitly address common circumstance of an internal audit function that has been outsourced to a third party service provider (OSP). Instead the guidance suggests that objectivity, competence and the nature of the activities performed should be assessed independently of the title or source of the work. OSPs (as long as they are truly independent of the auditee) possess a qualitatively different organizational position. It may be helpful to external auditors to provide additional guidance with respect to OSPs regarding which criteria would be appropriate to consider when making this evaluation. This would potentially alleviate some of the cost impact involved in assessing organizational position. In paragraph 12b, it is stated that the external auditors objective is to determine whether that work is adequate for purposes of the audit. Could this be stated more specifically, perhaps with wording such as determine whether that work is adequate to support the proposed reduction in extent of testing? In paragraphs 13a, the determination of organizational status is discussed. In the related materials A6, organizational status is understood by reference, in part, to reporting lines and employment decisions. It may be helpful to provide additional criteria regarding the definition of reporting line, as that term may refer to either what officer the internal audit function reports to administratively, or to the recipients of the internal audit reports. Second, we suggest that consideration be given to directing the external auditors attention to the assignment of budget oversight authority for the internal auditors. Budgetary oversight assigned to a sufficiently high level within the auditee enhances organizational position by protecting internal audit from potential budget-related pressure. Also related to the guidance in A6 regarding organizational status, we believe it may be helpful to further clarify the terminology of those charged with governance, as that term relates to the determination of organizational status. ISA 260 provides a thorough description of the variety of institutional arrangements that exist and provides guidance for the auditor in identifying those parties. In some instances, those meeting the ISA 260 definition are clearly not independent of the organization and the preparation of its financial statements. In that instance, the reference in A6 to whether the internal audit function reports to those charged to governance as an indicator of organizational status may not sufficiently clarify how the external auditor should consider instances where internal audit reports to parties involved in the preparation of financial statements. We believe that paragraph 18 and the related guidance in A16 may be slightly too narrow. Paragraph 18 directs the external auditor to read the reports of the function relating to the work that the external auditor plans to use. We believe audit effectiveness would be enhanced by directing the external auditor to read the audit reports related to the specific areas under audit. In this way, the external auditor will be able to access the internal auditor s knowledge of the subject areas, even if electing not to use the work of the function directly. Paragraph 16b states that the external auditor must plan to perform sufficient procedures to be able to draw reasonable conclusions on which to base the external auditor s opinion. This statement appears to potentially constrain the external auditor from actually relying on the internal auditors work, if they always must directly perform enough procedures to base an opinion.

54 Comments related to revised IAS 315: The committee fully supports the addition of a requirement for the external auditors to make inquiries of the internal audit personnel.

November 2010 Exposure Drafts ISA 315 (Revised) and ISA 610 (Revised) Dear Mr Gunn The Basel Committee on Banking Supervision welcomes the opportunity to comment on the IAASB s 15 July 2010 Exposure

62 Chairman VIA Mr James Gunn Technical Director International Auditing and Assurance Standards Board (IAASB) International Federation of Accountants 545 Fifth Avenue, 14 th Floor New York, New York USA 15 November 2010 Exposure Drafts ISA 315 (Revised) and ISA 610 (Revised) Dear Mr Gunn The Basel Committee on Banking Supervision welcomes the opportunity to comment on the IAASB s 15 July 2010 Exposure Draft ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, and ISA 610 (Revised), Using the Work of Internal Auditors. The Committee s has long promoted strong corporate governance practices in banking organisations. 1 The financial crisis that began mid-2007 has reaffirmed that strong internal controls, including an internal audit function and an independent external audit, are crucial building blocks for sound corporate governance. The Committee recognises that the board and senior management should make effective use of the work conducted by a firm s external auditors as well as its internal audit and internal control functions. The Committee also encourages consultation among supervisors, internal auditors and external auditors in order to make their cooperation as efficient and effective as possible. The Committee therefore supports the overall objective of revising ISA 315 and ISA 610 to build a stronger framework for evaluating and using the work of a bank s internal auditors with external audits. We encourage IAASB to be more direct in describing the circumstances under which it is appropriate for external auditors to use the work of internal auditors. In this regard, IAASB should consider including specific criteria, such as those that are set out in the Committee's August 2001 document Internal audit in banks and the supervisor's relationship with auditors. These criteria are similar to the criteria promoted by professional associations such as The Institute of Internal Auditors. 1 In October 2010, the Committee published Principles for enhancing corporate governance. This guidance, which reflects lessons learned from the financial crisis, revised earlier guidance issued by the Committee in In addition, in August 2001 the Committee published Internal audit in banks and the supervisor's relationship with auditors. These documents can be accessed by visiting Centralbahnplatz 2 CH-4002 Basel Switzerland Tel: Fax: @bis.org 1/4

63 The Committee also has some specific comments. These are set out below. Specific Comments Nature and role of the internal audit function The Committee supports the approach taken in paragraph 23 of ED ISA 315 requiring that the auditor shall obtain an understanding of the nature of the internal audit function's responsibilities, how it fits in the entity's organisational structure, and the activities performed or to be performed. However, the related application and other explanatory material (paragraphs A b) should include criteria relating to the standing of the internal audit function within the entity. The internal audit function plays a vital role in an entity s corporate governance. Therefore, the Committee recommends that the external auditor should assess the permanency of the internal audit function within the entity and whether the entity can rely on an adequate internal audit function that is appropriate to its size and the nature of its operations (including whether the internal audit function has appropriate resources and qualified staff available). The external auditor should also assess the existence and content of any internal audit charter (or terms of reference) that specifies the standing and authority of the internal audit function within the entity. Such a charter should establish at a minimum: the objectives and scope of the internal audit function, its position within the organisation, its powers, its responsibilities and relationship with other control functions and the accountability of the head of the internal audit department. In addition, the external auditor should consider how any charter is applied in practice. For most banks, charters would be approved by the board of directors (or equivalent level). For those banks where charters are not available, the rights of the internal audit department are generally assured by equivalent supervisory regulation. Placing reliance on internal audit - the relationship between objectivity and competence The Committee believes that the drafting of paragraph 14 and related application and other explanatory material should be more positive and straightforward. As currently drafted, this paragraph essentially states in the negative form, that the external auditor shall not use an internal audit function when there is either a low degree of objectivity, competence or both. We believe that it would be clearer to express the requirement as The external auditor shall only use the internal auditor s work if there is both a high degree of objectivity and a high level of competence. Furthermore, the application material does not expand on the principle in paragraph 14. We believe that the IAASB needs to consider whether there should be minimum conditions when applying the concepts of objectivity and competence Centralbahnplatz 2 CH-4002 Basel Switzerland Tel: Fax: @bis.org 2/4

64 in practice. In effect, paragraph A7 shows the inherent weakness of the proposed approach as it offers little or no guidance to the external auditor when applying the requirement of paragraph 14. Such conditions would constitute a threshold above which reliance on an internal audit function can be placed. Therefore, we recommend modifying paragraph 14 as noted above as well as the related application material to actively require the external auditor to consider using the work of the internal auditors only when the threshold is achieved. The threshold should be judged by the external auditor based on the refinements proposed to the criteria in ED ISA 315 above, and in ED ISA 610, paragraph A6. Paragraph A6 of ED ISA 610 should be amended to recognise that the independent internal audit function should be separated from the activities being audited and the day-to-day internal control process in order to maintain its objectivity. Each auditor forming part of that function should also be competent. Specifically: Under the subtitle "objectivity," attention needs to be drawn to the concept of the internal audit function being independent of the activities audited and from the day-to-day internal control process. That is, the internal audit function needs to be independent of the management of the entity s day-to-day activities. Attention also needs to be drawn to the concept of impartiality, ie meaning that the internal audit function should be in a position to perform its assignments free from bias and interference (the first notion bias is mentioned in the ED), and Under the subtitle "competence", attention needs to be drawn to the competence (ie skills, qualifications and experience) of every internal auditor forming part of the internal audit function. This is essential for the proper functioning of the bank's internal audit function. Direct assistance engagements The Committee agrees with the IAASB that direct assistance is not possible when the internal audit lacks objectivity and competence (paragraph 21 of ED ISA 610). However, we believe that it would be clearer to express the requirement in the positive form, so that it reads The external auditor shall only obtain the direct assistance of an internal auditor if the internal auditor has both a high degree of objectivity and a high degree of competence. We believe that paragraph 23 and related application material in paragraphs A22- A28 of the ED ISA 610 need to be made more precise in order to be helpful to the external auditor. The current wording would allow an internal auditor to perform a wide range of activities for the external auditor. This is a fundamental concern that would undermine the perceived independence of the external auditor. We strongly encourage the Board to address this issue within ED ISA 610. We are aware that the Ethics Board of the International Federation of Accountants has considered the relationship between direct assistance and the independence of the external auditor. However, this issue needs to be more clearly explained. Specifically, ED ISA 610 needs to draw a distinction between those circumstances when an external auditor simply places reliance on the work done by an internal auditor and those circumstances when an external auditor actively supervises an internal auditor. In the latter case, we believe that the internal auditor could be perceived to be part of the engagement team of the external auditor and that this may be perceived as compromising the external auditor s independence. We also Centralbahnplatz 2 CH-4002 Basel Switzerland Tel: Fax: @bis.org 3/4

65 believe that paragraph 23 of ED ISA 610 that address the circumstances when direct assistance is not allowed should be drafted in a more direct manner, specifically restricting direct assistance to those areas deemed to be of low inherent risk and requiring no or very little judgment, rather than the current approach that prohibits direct assistance when the internal auditor would make significant judgments. The matter of direct assistance is also linked to comments that the Committee has previously made on the July 2009 Revised Code of Ethics to the Ethics Board. Our comments related to auditors providing internal audit services to public interest entities. We continue to encourage both Boards to make clear distinctions between the external auditor relying on work done by the internal auditor in the course of the external audit engagement, and the external auditor being actively and directly assisted by the internal auditor during the course of the external audit engagement. 2 We believe that the former arrangement can support effective external audit in certain circumstances, but that much greater caution should be exercised regarding the latter arrangement. With this in mind, we believe that there would be value in adding more specific examples of audit procedures that it would be acceptable for the internal auditor to perform to the application material in paragraphs A22-A28 of ED ISA 610. We also question the inclusion of the word ordinarily in paragraph A27; we would assume that the direction, supervision and review of audit procedures performed by the internal auditor should be more extensive than if members of the engagement team performed the work. * * * * * This letter has been prepared by the Committee s Accounting Task Force, chaired by Ms Sylvie Mathérat, Director of the Banque de France, and has been approved by the Committee. If you have any questions regarding this letter, please feel free to contact Sylvie Mathérat ( ), Marc Pickeur, who chairs the Audit Subgroup of the Accounting Task Force ( ) or Rob Sharma ( ) or Xavier-Yves Zanota ( ) at the Basel Committee Secretariat. Yours sincerely Nout Wellink 2 In some instances, the internal audit function is outsourced to the external auditor s firm. In such instances there is a clear self review threat. Centralbahnplatz 2 CH-4002 Basel Switzerland Tel: Fax: @bis.org 4/4

66 Tel: Fax: BDO International Limited Contact: 100 Park Avenue New York, NY United States of America Technical Director International Auditing and Assurance Standards Board 545 Fifth Avenue 14th Floor New York New York USA By 15 November 2010 Dear Sir Proposed ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISA 610 (Revised), Using the Work of Internal Auditors BDO is pleased to have the opportunity to comment on the above exposure draft issued by the International Auditing and Assurance Standards Board. Reponses to request for specific comments 1. Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315? Yes, we believe it is appropriate for the external auditor to make inquiries as part of the risk assessment process and as a result we consider this requirement is appropriately placed in ISA Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: a. Whether the work of the internal audit function can be used for purposes of the audit engagement; and b. The planned use of the work of the internal audit function? Whilst we generally agree that appropriate factors have been proposed we have the following comments and suggestions. With respect to the factors included in paragraph A6 to consider when assessing objectivity, we believe it would also be useful to include whether the internal audit function is outsourced or not and whether there are any bonus arrangements or stock options in place for members of the internal audit function. Whilst the presence of such factors would not automatically impair objectivity, we consider it important that they are included in the application guidance. BDO International Limited is a UK company limited by guarantee. It is the governing entity of the international BDO network of independent member firms ( the BDO network ). Service provision within the BDO network is coordinated by Brussels Worldwide Services BVBA, a limited liability company incorporated in Belgium with its statutory seat in Brussels. Each of BDO International Limited, Brussels Worldwide Services BVBA and the member firms is a separate legal entity and has no liability for another such entity s acts or omissions. Nothing in the arrangements or rules of the BDO network shall constitute or imply an agency relationship or a partnership between BDO International Limited, Brussels Worldwide Services BVBA and/or the member firms of the BDO network. BDO is the brand name for the BDO network and for each of the BDO member firms.

67 To be consistent with a risk based audit approach, we believe it is appropriate to consider the planned use of the work of the internal audit function in a particular area in light of the risk of material misstatement for that area. Therefore, we propose that paragraph 15c is re-moved and an additional paragraph is included as follows: In making judgments about the effect of the internal auditor s work on the auditor s procedures, the external auditor shall consider: (a) The risk of material misstatement; and (b) The degree of subjectivity involved in the evaluation of the audit evidence gathered in support of the assertions. As the materiality of the financial statement amounts increases and either the risk of material misstatement or the degree of subjectivity increases, the need for the auditor to perform his or her own tests of the assertions increases. We also recommend that the following be added to the application guidance linked to 15(c) For assertions relating to significant risks, the consideration of the internal auditor s work alone cannot reduce audit risk to an acceptably low level to eliminate the necessity to perform tests on those assertions directly. Examples of assertions that may have a high risk of material misstatement or may involve a high degree of subjectivity in the evaluation of audit evidence include the valuation of assets and liabilities involving significant estimates, and the existence and disclosure of related party transactions, contingencies, uncertainties, and subsequent events. 3. Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor? Yes, we believe that this requirement is appropriate. 4. Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to: a. Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and b. Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity? We agree with the increase in scope to include the matter of direct assistance. As the proposed standard is about using the work of internal audit, we recommend that the requirements are written on this basis, rather than as currently written, which is when we cannot use the direct assistance of internal audit. Therefore, we suggest that paragraphs 21 and 23 are amended as follows: 21: The external auditor shall only obtain the direct assistance of an internal auditor if the internal auditor has: (a) an appropriate degree of objectivity; and (b) a level of competence that is appropriate to the work being assigned. 23: The external auditor shall only obtain direct assistance from internal auditors where: (a) the internal auditors are not required to make significant judgments (b) the procedures to be performed by internal audit do not relate to the determination of whether the work of internal audit can be used for the purposes of the audit or to provide a sufficient basis to support the use of the work of internal audit

68 We believe the proposed standard should place greater emphasis on the lack of independence of the internal audit function and as a result we consider that paragraph 24, where this is considered, is moved to the beginning of the section on direct assistance and cross referred to the application guidance currently within A27 and A Public Interest Concerns Respondents are asked to address whether there are any public interest concerns that have not been addressed. We are not aware of any concerns that have not been addressed. 6. Special Considerations in the Audit of Smaller Entities Respondents are asked to comment whether, in their opinion, guidance addressing special considerations in the audit of smaller entities should be provided in the proposed revised ISAs. If so, respondents are asked to explain why and to suggest the nature of any such considerations. We don t believe further guidance is specifically needed in this area. 7. Special Considerations in the Audit of Public Sector Entities Respondents are asked to comment whether, in their opinion, special considerations in the audit of public sector entities have been dealt with appropriately in the proposed revised ISAs. We have no comments in this area. 8. Developing Nations Recognizing that many developing nations have adopted or are in the process of adopting the ISAs, the IAASB invites respondents from these nations to comment, in particular, on any foreseeable difficulties in applying the proposed revised ISAs in a developing nation environment. We have no comments in this area. 9. Translations Recognizing that many respondents intend to translate the final revised ISAs for adoption in their own environments, the IAASB welcomes comment on potential translation issues noted in reviewing the proposed revised ISAs. We have no comments in this area. 10. Effective Date Respondents are asked to comment whether, in their opinion, the provisional effective date is appropriate for supporting effective adoption and implementation of the proposed revised ISAs at the national level. We consider the provisional effective date to be reasonable and believe early adoption should be permitted. Responses to request for comments on analysis of impacts 11. Is the analysis of impact presented in Section 4 of this Explanatory Memorandum helpful to respondents in understanding the anticipated impacts of the IAASB s proposals? 12. Do respondents agree with the impact analysis as presented? Are there any other stakeholders, or other impacts on stakeholders, that should be considered and addressed by the IAASB? 13. Are there any changes to the narrative or tabular presentation of the impact analysis that would be helpful to respondents? We agree in principle with the inclusion of the impact analysis; however it is difficult to assess the usefulness of the information based on this standard as the changes to the extant ISA are only incremental and the expected impact is minimal. 3

69 14. Would respondents find such an approach useful at the national level? Yes. In addition we believe it would be useful for the IAASB to collect information from national standard setters to assist with making the analysis at the international level as specific as possible. Additional comments We note that the definitions for the internal audit function and internal auditors are no longer included within the proposed ISA 610. Whilst we appreciate that such a definition would be broad, we consider this a significant omission and would recommend these definitions are included. We consider it to be more appropriate to combine paragraphs 1 and 3 as they both address the external auditor s responsibilities relating to using the work of internal auditors. The new paragraph 1 should then be cross referenced to A1. In paragraph 7, we suggest inserting and between audit and relate in the second sentence so it is easier to understand. We suggest the following change to the objectives contained in paragraph 12 to highlight the difference between using the work of internal audit and obtaining direct assistance from internal audit. The objectives of the external auditor, where the entity has an internal audit function are: (a) To determine whether, and to what extent, to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed, (b) To determine whether, and to what extent to obtain direct assistance from internal auditors; and (c) If using the work of the internal audit function or obtaining direct assistance from internal auditors, to determine whether that work is adequate for the purposes of the audit. As previously mentioned above, since the proposed standard is about using the work of internal audit, we recommend that the requirements are written on this basis, rather than as currently written which is when we cannot use the work of an internal audit function. Therefore, we suggest that paragraph 14 is amended as follows: The external auditor shall only use the work of the internal audit function if it has (a) an appropriate degree of objectivity, regardless of the level of competence; and (b) a level of competence that is appropriate to the work they perform, regardless of the level of objectivity. Please contact me should you wish to discuss any of these comments. Yours faithfully, BDO International Limited Wayne Kolins Global Head of Audit and Accounting Member of the Executive 4

8 November 2010 Technical Director International Auditing and Assurance Standards Board 545 5th Avenue, 14th Floor New York, New York 10017 USA Tower 42 25 Old Broad Street London EC2N 1HQ United

70 8 November 2010 Technical Director International Auditing and Assurance Standards Board 545 5th Avenue, 14th Floor New York, New York USA Tower Old Broad Street London EC2N 1HQ United Kingdom t + 44 (0) f + 44 (0) Dear Sir, Proposed International Standards on Auditing 315 (revised), identifying and assessing the risk of material misstatement through understanding the entity and its environment and 610 (revised), using the work of internal auditors The Committee of European Banking Supervisors (CEBS), comprised of high level representatives from banking supervisory authorities and central banks of the European Union welcomes the opportunity to comment on the proposed revisions to the International Standards on Auditing (ISA 315 and ISA 610). The relationship of external auditors with internal auditors is a topic of importance to the supervisory authorities. This is because audited annual reports are a significant source of information used in exercising banking supervision, and also because Article 22 of the European Capital Requirements Directive requires institutions to implement adequate internal control procedures, which we understand includes the existence of a permanent internal audit function within each bank. The financial crisis has highlighted that strong internal controls, supplemented by an effective internal audit function, and an independent external audit are crucial parts of sound corporate governance. Through their opinions on annual accounts and annual reports, external auditors contribute to the public oversight model and to the financial stability of the market. As banking supervisors we therefore have an interest in ensuring that auditing standards are of a high quality and are clear and capable of consistent application. We welcome the Exposure Draft and its clarification on how external auditors should interact with the internal audit function (including directly addressing the matter of direct assistance), and believe this framework will improve the current standards. However, we would suggest distinguishing clearly between the external auditor relying on the work of internal audit and the external auditor directly being assisted by internal audit. We would not encourage direct assistance, as this practice may reduce the perception by the public of the independence and objectivity of external auditors. If at all, we strongly suggest that direct assistance should be clearly and specifically restricted to areas of low inherent audit risk and requiring no or very little judgment. This is important to prevent the undermining of the independence of the external auditor s work.

71 When external auditors would rely on the work of internal audit, they should evaluate and take into account the risk of material misstatements. In some sections (e.g. paragraphs 14, 21 and 23 of ED ISA 610), we believe it would be clearer to express the requirements more directly and in the positive rather than negative form. For example the ISA should read "The external auditor shall only use the work of the internal audit function if it has both a high degree of objectivity and a high level of competence" rather than "The external auditor shall not use an internal audit function where there is either a low degree of objectivity or a low degree of competence". In addition minimum criteria should be developed to define a threshold, above which reliance could be placed on internal auditors. There would also be value in adding more specific examples of audit procedures to the application guidance in paragraphs A22-A28. Please find more specific comments and drafting suggestions in the Annex to this letter. Our comments were coordinated by our Expert Group on Financial Information (EGFI), and especially by its Subgroup on Auditing, which is chaired by Patricia Sucher, from the UK FSA. If you have any questions regarding our comments, please feel free to contact the chairman of EGFI, Mr. Didier Elbaum from the French Autorité de Contrôle Prudentiel ( ) or Ms. Sucher ( ). Yours sincerely Giovanni Carosio

72 Annex Comments on ISA 315 Paragraph A6d Useful information may also be obtained by the external auditor from the independent risk control function in banks, which is responsible for identifying, assessing, monitoring, reporting and mitigating risks, including operational risks. In particular larger institutions would have a dedicated operational risk function, responsible inter alia for collecting operational risk loss data, including so called timing losses 1. We suggest adding the following bullet point to paragraph A6d: Inquiries directed to the risk control function may provide information on operational risks within the accounting procedures and on the severity and frequency of losses (including so called timing losses ) caused by accounting and valuation errors. Paragraph A b The requirements that relate to the external auditor obtaining an understanding of the nature of the internal audit functions responsibilities, how it fits in the entity s organisational structure, and the activities performed or to be performed should include the obligation for the external auditor to assess the existence and content of an approved internal audit charter, where one exists, to obtain knowledge of the organisational status and scope of the internal audit function. Such a charter would be approved by the Board of Directors (or equivalent). We also believe that the process to obtain knowledge of the organizational status of the internal audit function should include a requirement that the external auditor consider how management has responded to the findings and recommendations of the internal audit function. 1 Within the CEBS Compendium of Supplementary Guidelines on implementation issues of operational risk timing losses are defined as follows: Timing losses can be defined as the negative economic impacts booked in a fiscal period, due to events impacting the cash flows (lower cash in / higher cash out) of previous fiscal periods. Timing impacts typically relate to the occurrence of operational risk events that result in the temporary distortion of an institution s financial accounts (e.g. revenue overstatement, accounting errors and mark-to-market errors). While these events do not represent a true financial impact on the institution (net impact over time is zero), if the error continues across two or more accounting periods, it may represent a material misstatement of the institution s financial statements. This in turn may result in legal censure of the institution from its counterparts, customers, supervisory authorities, etc.

73 Comments on ISA 610 Paragraph 14 and A6-A7 We would encourage the IAASB to expand the application material on the principle in paragraph 14, considering in particular whether there need to be specific criteria and minimum conditions when applying the concepts of objectivity and competence in practice. These would provide a threshold above which reliance could be placed on internal auditors. The requirements that relate to determining whether the work of the internal audit function can be used by external auditors include a prohibition, stated in 14 on using the work of the internal audit function if it has either a low degree of objectivity or a low degree of competence. We believe this requirements needs to clarify the notion of low degree ( A7 of the application and other explanatory material does not expand on this notion either). We suggest setting a threshold above which reliance could be placed on the degree of objectivity and competence of the internal audit function. Such a threshold could be composed of a combination of several specific minimum criteria to be met and should be sufficiently detailed as there will always be some judgment involved. Criteria set in A6 regarding objectivity and competence could be used as a starting point. Also, as noted in the cover letter, we believe it would be clearer to express the requirement in paragraph 14 more directly and in the positive form. Paragraph A6 (4 th bullet) and subheading Objectivity Recent supervisory regulation and guidelines based on the lessons learned of the financial crisis highlight the importance of an appropriate remuneration policy within the control functions. Therefore we recommend adding including appropriate remuneration policy to that bullet point. In addition, under the subheading Objectivity, it may be useful to add that an institution should also have policies in place regarding staff transferred from the business or support functions to internal audit as this may limit their independence. Paragraph 15 and A12-A13 In determining the planned use of the work of the internal audit function paragraph 15 only focuses on the degree of objectivity and level of competence (para. 15 a), the nature and scope of the work performed (para. 15 b) and the amount of judgment involved in performing the audit procedures and evaluating the audit evidence (para. 15c). ISA 315.4e states that the risk of material misstatements is a significant risk that requires special audit consideration. However, the draft ISA 610 does not require explicitly external auditors to take areas of significant risks into account in determining whether and to what extent the work of the internal audit function may be used. Even though often a lot of judgement is needed in

74 auditing significant risk areas, it is possible that some significant risk areas do not involve substantial judgment. We believe that application guidance in paragraphs A12-13 is not sufficiently strict to ensure that areas exposed to the risk of material misstatements are reviewed by the external auditor itself. Therefore we recommend requiring in para 15 (c) that the external auditor shall consider the risk of material misstatements. While work performed by the internal audit function in relation to areas of significant risk may be taken into account, we believe that there should be a requirement for the auditor to perform its own audit procedures in those areas. Such a requirement would reduce the external audit risk considerably. Paragraphs 19 and A18 (3 rd bullet) External auditors should also evaluate the processes and systems used for tracking internal audit findings as this would be consistent with paragraph A21 where the follow up is mentioned. A new Paragraph 19 (d) could read: Internal audit findings and related corrective actions are appropriately tracked and followed up by the internal audit function. A fourth bullet point under A 18 could read: Reviewing the tracking system of internal audit findings and its follow-up by internal audit. Paragraph 23 and related paragraphs A23-A27, We would not encourage direct assistance of external auditors by internal auditors, as this practice may reduce the independence and objectivity of external auditors. If at all, we strongly suggest that direct assistance should be clearly and specifically restricted to areas of low inherent audit risk and requiring no or very little judgment, to prevent the undermining of the independence of the external auditor s work. When external auditors would rely on the work of internal audit, they should evaluate and take into account the risk of material misstatements. In high risk areas and where a high level of judgement is used, external auditors should not rely on internal auditors. We believe the standard should make a clear distinction between the external auditor relying on the work done by the internal auditor and the external auditor obtaining direct assistance from the internal auditor. For example, we believe that the guidance in application material in paragraphs A23, A25 and A26 may be too general and not helpful in guiding the external auditor. The current drafting would allow for a wide range of practices, which goes beyond the acceptable level of assistance by internal auditors. More examples and specific criteria should be added to enhance the clarity of the standard. We also believe that the requirements concerning direct assistance should be clarified in order to provide the external auditor with a stronger framework as regards the circumstances when the external auditor can obtain direct assistance from the internal auditor and the supervision to be exercised by the external auditor over the work done by the internal auditor. This recommendation particularly applies to paragraph 23 and related application guidance in paragraph A27. Specifically, we recommend that the wording of paragraph 23 be modified in order to strengthen and clarify the requirement. We believe that the current wording, that states in the negative form that the external auditor shall

75 not obtain direct assistance from internal auditors under circumstances (a) and (b), should instead read as the external auditor shall only obtain direct assistance under specified circumstances. In addition, we believe that the requirements specific to direct assistance that are set in paragraphs A27-A28 do not expand sufficiently on the notion of supervision and review by the external auditor of the work done by the internal auditor. In particular, we question the need for the word ordinarily in paragraph A27; we would assume that supervision or review of audit procedures performed by internal auditors providing direct assistance should be more extensive than if members of the engagement team perform the work.

76 COMMITTEE OF EUROPEAN SECURITIES REGULATORS THE CHAIRMAN Technical Director IAASB 545 Fifth Avenue, 14th Floor New York Unites Stated of America Date: 5 November 2010 Ref.: CESR/ RE: Consultation on the proposed revisions to International Standard on Auditing (ISA) 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, and ISA 610, Using the Work of Internal Auditors. The Committee of European Securities Regulators (CESR), through its Corporate Reporting Standing Committee, has considered the exposure draft (ED) issued by the IAASB on the ISA 315 and ISA 610. CESR believes that the matters addressed in this ED are of great importance from the point of view of the securities regulators. Indeed large companies and groups listed in the European markets have internal audit functions that play an important role within their organizational structures and fruitful relationships between internal and external auditors could be build with the aim of providing benefits for their respective objectives. However CESR has noticed that in the ED these relationships have been dealt on the basis of a new approach, which we believe has widened the possibility to use the work of the internal audit function. While we acknowledge that the explicit inclusion of auditors obtaining direct assistance from internal auditors has been made in order to provide greater clarity in this area, CESR has various concerns about the ED as a whole. The key concerns are set out below and more detailed observations are shown in Appendix 1. The ED seems to be based on the premise that where companies have an internal audit function, subject to the performance of certain procedures on the objectivity, level of competence and working approach of the function, the external auditor can use the work of the internal audit function and/or obtain direct assistance from internal auditors to a very large extent and potentially in all areas of the audit work. The ED pays insufficient attention to the threats to auditors independence and objectivity arising from this approach. The critical issue in using the work of the internal audit function and/or obtaining direct assistance from internal auditors is the existence of an unavoidable threat that the work performed in such a way has not been carried out with the expected level of independence, certainly without the same level of independence that is required to external auditors. As a consequence, extensive use of the internal audit work, as well as inappropriate use in risky areas of the audit work, raises concerns from the point of view of securities regulators pursuing investor protection and therefore interested in the quality of listed entities audits carried out by independent auditors. In this regard, direct assistance is particularly critical, given that, as explicitly recognized by the ED, the independence threats are greatest in this case. CESR believes that the threats posed by direct assistance are such that it should be prohibited or very limited and clearly restricted to low risk areas. The internal audit function is set up to serve the needs of the company and cannot be independent in the same way as the external audit is. Therefore, when external auditors wish to rely on its work for their own purposes, they should evaluate the internal audit function and the work done by this CESR, avenue de Friedland, Paris, France - Tel +33 (0) , web site :

77 function in order to verify whether appropriate conditions are in place and then take a decision as to whether reliance over this function and its work is appropriate,. CESR believes a more rigorous approach should be required by external auditors in determining the nature and extent of their reliance on the internal audit function, and in particular that the ED should be clearer in identifying circumstances where the internal audit function cannot be used and in establishing appropriate safeguards to deal with threats to auditor independence. Our detailed comments are set out in the Appendix to this letter. We hope that you find our comments helpful and would be happy to discuss all or any of these issues further with you. Yours sincerely, Carlos Tavares 2

78 Appendix 1 CESR s detailed comments with respect to some areas included in the proposed revised standards Question 1 Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315? CESR notes the amendments made to ISA 315 and finds it appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function as one of the mandatory procedures when assessing the risk of material misstatement. Question 2 Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: (a) Whether the work of the internal audit function can be used for purposes of the audit engagement; and (b) The planned use of the work of the internal audit function? (a) CESR believes that the factors proposed to be evaluated by the external auditor in determining whether the work of the internal audit function can be used are appropriate (objectivity, level of competence and working approach of the function). We agree that the auditor should be required not to use the work of the internal audit function when the function s degree of objectivity or its level of competence is low. However, we note that no consequences seem to derive from the analysis of the working approach of the function. It should be required that when the outcome of the analysis on the activities of the internal audit function is unsatisfactory the auditor shall not use the work of the function. We also believe that it would be clearer for paragraph 14 to be expressed more directly and in the positive form, rather than the negative (for example The external auditor shall only use the work of the internal audit function if it has a high degree of objectivity and a high level of competence ). (b) ISAs are based on the Audit Risk Model where the risk assessment plays a pivotal role in the overall audit process. The new ED (in contrast with the current version of ISA 610) does not require the identified and assessed risks of material misstatements to be taken into account in determining to what extent the work of the internal audit function may be used in a particular area. Instead, the ED requires the amount of judgment involved in performing the audit procedures to be considered (par.15). This criterion does not seem to be sufficient to provide a sound basis for determining the use of the work of the internal audit function. It is very unclear how the amount of judgment can be weighted and evaluated beforehand while the risk assessment is based on the procedures required by ISA 315. Indeed, the application material in A13 makes a reference to the risk assessment, stating that the higher the assessed risks of material misstatement, the more persuasive the audit evidence required by the external auditor will need to be, and, therefore, the more likely it will be that the external auditor will need to perform more of the work directly. This is an important reminder that, however, is not mandatory. 3

79 CESR believes the ED should be strengthened to provide, in addition to the current reference to the amount of judgment, for an obligation to consider the level of the assessed risks of material misstatement when determining the use of the work performed by the internal audit function. The ED should require that the higher the risks of material misstatements, the less reliance external auditors can place on the work performed by internal auditors, particularly in areas where significant risks have been identified. Question 3 Do respondents believe it is appropriate to require the external auditor to read reports produced by the internal audit function relating to the work of the internal audit function that is planned to be used by the external auditor? The ED requires (par.19) that the external auditor performs audit procedures that are appropriate in the circumstances on the work of the internal audit function to determine its adequacy for the purposes of the audit engagement. However the nature, timing and extent of the audit procedures that the external auditor can perform (including possible re-performance of some work) is addressed only in the application material (A19 and A20), and so does not have mandatory status. The IAASB should consider whether there should be a minimum level of procedures that have be performed in all cases before external auditors can rely on the work of the internal audit function. CESR believes that the current requirement is not sufficient to prevent over-reliance on the audit evidence provided by the internal audit function. Therefore the ED should require that the nature, timing and extent of the audit procedures performed to review the internal audit work be linked to the level of risk associated with the area covered by internal auditors and, in addition to this, that external auditors should perform some testing of the work of the internal audit function to verify its adequacy. Question 4 Do respondents believe that it is desirable for the scope of ISA 610 to be expanded to address the matter of direct assistance? If so, do respondents believe that when obtaining the direct assistance of internal auditors the external auditor should be required to: (a) Consider the factors that have been proposed in determining the work that may be assigned to individual internal auditors; and (b) Direct, supervise, and review the audit procedures performed by the internal auditors in a way that recognizes they are not independent of the entity? (a) The ED addresses two situations of possible involvement of the internal audit function in the external audit work: a) using the work of the internal audit function; and b) obtaining direct assistance from internal auditors under the direction and supervision of the external auditor. First of all, CESR notes that the distinction between the two situations is not always be clear cut, and confusion may be possible in some cases. However the distinction is important because the two situations are different in terms of threats to the external auditor s independence. In case of direct assistance, the internal audit staff can be considered, in substance, as part of the engagement team. Indeed, ISA 220 defines the engagement team as all personnel performing the engagement, including any individuals who perform audit procedures. If internal auditors providing direct assistance are in substance members of the engagement team, it should be considered whether or not they have to comply with the independence rules applicable to external auditors. The ED is silent in this regard. The auditor that obtains direct assistance only has an obligation to evaluate the degree of objectivity (par.20) of internal auditors and shall recognize that internal auditors are not 4

80 independent of the entity (par.24). The ED does not require any clear actions or safeguards that should be put in place to mitigate this threat to independence. CESR believes that internal audit staff should not be exempted from the independence requirements which apply to all other individuals directly involved in the audit, and that this area should be addressed in the final document. In any case, it will be impossible to avoid the underlying conflict arising from the fact that internal auditors are hired by the audited company and therefore they will never be totally independent. Furthermore the ED provides that the external auditors may assign external audit work to individual internal auditors, applying similar considerations to those used in determining what reliance should be placed on the work of the internal audit function. It therefore seems that external audit procedures relating to areas of significant risk could be assigned to internal auditors if they are not deemed to involve making significant judgments. Moreover, the amount of direction, supervision and review of work performed by internal audit staff can be determined considering the degree of objectivity and level of competence of internal auditors, the nature and scope of work to be performed and the amount of judgment involved. We have concerns about whether these limits on the use of direct assistance are sufficiently robust, and believe that the considerations made with reference to the extent of the use of the internal audit function (point 2 above) and the extent of the auditor s review of the work done by the internal audit function (point 3 above) are, even more, valid here. Therefore CESR believes that there should be an explicit obligation to consider the level of the assessed risks of material misstatement when determining the work to be done by internal auditors and that the nature, timing and extent of the audit procedures performed to review the internal auditors work should also be explicitly linked to the level of risk associated with the area covered by the work performed. Also, some testing of the work of internal auditors should be performed to verify its adequacy. CESR believes that direct assistance is particularly critical given the unavoidable independence threats, and that it should be prohibited or explicitly limited to low risk areas where little or no judgment is required. (b) There are areas of work where the auditor decides to use external confirmations that provide reliable audit evidence obtained from external sources. When using external confirmation procedures, because of the reliance attached to these procedures, according to ISA 505 the auditor shall maintain control over external confirmation requests. CESR believes that it would be consistent with the approach followed in ISA 505 to require auditors not to use the work of the internal audit function or to obtain direct assistance to send confirmation requests, receive confirmation responses or evaluate the evidence obtained from performing confirmation procedures. 5

277 Wellington Street West Toronto, Ontario M5V 3H2 Phone: 416 977 3222 Fax 416 204 3408 www.aasbcanada.

84 277 Wellington Street West Toronto, Ontario M5V 3H2 Phone: Fax November 15, , rue Wellington Ouest Toronto, Ontario M5V 3H2 Tél: Télec: Mr. James Gunn Technical Director International Auditing and Assurance Standards Board International Federation of Accountants 545 Fifth Avenue 14 th Floor New York, NY U.S.A. Dear Mr. Gunn, Re: Proposed ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment; and ISA 610 (Revised), Using the Work of Internal Auditors We are pleased to provide the views of the Canadian Auditing and Assurance Standards Board (AASB) on matters raised in IAASB s Exposure Draft of proposed ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment; and ISA 610 (Revised), Using the Work of Internal Auditors. In developing this response, we considered comments provided to us by interested parties in Canada. Request for specific comments Our responses to the matters on which you specifically requested comments are set out below. 1. Do respondents believe it is appropriate to require the external auditor to make inquiries of appropriate individuals within the internal audit function? If so, do respondents agree such a requirement is appropriately placed in ISA 315? Yes - we agree with such requirement and believe that it is appropriately placed in proposed ISA Do respondents believe that appropriate factors have been proposed to be evaluated by the external auditor in determining: a. Whether the work of the internal audit function can be used for purposes of the audit engagement; and b. The planned use of the work of the internal audit function? Page 1 of 10

Re.: Comment letter from European audit regulators relating to IAASB s consultation "A framework for Audit Quality"

11 June 2013 To: Mr. Schilder Chair of the International Auditing and Assurance Standards Board Re.: Comment letter from European audit regulators relating to IAASB s consultation "A framework for Audit