Question

Assume that the global pandemic COVID-19 will cause a material impact to your audit client. What additional audit procedures and disclosures are required in your audit planning and audit opinion.

Answer 1

The auditor’s risk identification and assessment process is iterative and dynamic. Auditors are required to revise risk assessments and modify responses and further audit procedures, based on audit evidence or new information obtained. Throughout the engagement, auditors need to be constantly vigilant due to the fast-changing and complex circumstances as it may be necessary to revisit risk identification and assessment in the current circumstances.

Planned safeguards to address threats to independence may also need to be reconsidered in light of changing circumstances.

Understanding the Entity and its Environment

The auditor’s understanding of the entity and its environment has likely changed from previous periods due to the implications of Covid-19. There may be changes to the entity’s objectives, strategy, organizational structure, governance arrangements and business model and it is important that the auditor considers how these changes impact the audit. Changes may also be needed if the auditor has already completed planning and risk assessment before the onset of the Covid-19 pandemic and may also be necessary during the audit as the environment continues to evolve. Examples of risks increasing the susceptibility to risks of material misstatement that may be heightened in the current environment include:

Inappropriate objectives or ineffective execution of strategies

A failure to recognize the need for change or lack of expertise to deal with the changes

Reduction or expansion of the business and demand has not been accurately estimated or appropriate due diligence undertaken on new products or services

Loss of financing due to entity’s inability to meet requirements

Regulatory requirements resulting in increased legal exposure

Incentives and pressures on management, which may result in intentional or unintentional management bias

Increased risks of fraud

Auditors should discuss with management and TCWG how they have assessed the impact of Covid-19 on the business and evaluate whether there are new or changed risks that could be material. Understanding how TCWG are addressing the new or changed risks is essential for the auditor in understanding where changes may be needed to the audit. Ongoing communication throughout the audit is also essential as the entity’s circumstances may change.

It is also important to understand how any relevant changes in laws or regulations impact the entity and how it operates, including extension of reporting periods in some jurisdictions. There may also be changes to the applicable financial reporting standards in different jurisdictions that may need to be considered.

Materiality

The auditor may need to consider the impact of any changes brought on by the pandemic on materiality, including the basis on which materiality is determined in accordance with ISA 320 Materiality in Planning and Performing an Audit. The auditor may also need to revise materiality for the financial statements as a whole during the audit in the event of becoming aware of information that would have caused the auditor to have determined a different amount initially, which could occur as the entity’s circumstances change. As materiality is adjusted for the current circumstances, consideration will also be needed about the impact of previously unadjusted differences which may now become material and need to be adjusted for.

Controls

An understanding of the entity’s system of internal controls relevant to the audit assists when identifying potential misstatements. This understanding is required even when auditors do not plan to rely on the operating effectiveness of controls because it helps identify where possible misstatements could occur. In the current environment, it is likely that there have been changes to various components of the system of internal control, and a thorough understanding of what is changed will assist the auditor in their risk identification and assessment process. In particular, the control environment will likely be different—many organizations have had to change the way they operate and so would have had to change their oversight processes and how controls operate. These changes may lead to additional risks of material misstatement.

If the auditor does intend on relying on the operating effectiveness of controls, again this may have changed and further insight as to the control and how it operates, as well as the auditor’s intended reliance, may also change. Further insights can be found when obtaining audit evidence about the design and implementation of identified controls (including IT controls). However, although this may be difficult because of a lack of access to certain information (e.g. documents or reports) or company personnel (e.g. ability to enquire or observe the application of specific controls), the relevant work still needs to be undertaken in an alternative way or the risk identification or assessment changed accordingly. For example, obtaining an understanding of controls could be achieved remotely using alternative procedures, however inquiry is not sufficient to determine whether such controls have been placed in operation. Auditors will need to consider what evidence can be obtained remotely to determine if effectively designed controls have been placed in operation to mitigate the applicable risks.

Internal controls may not have operated consistently throughout the audit period because of the changed circumstances of many companies. Therefore an understanding of any control changes, as well as new and additional controls now relevant to the audit will be important (e.g., different personnel involved, documentation differences for working remotely etc.) in helping to understand whether controls are still operating as they did, and whether any new risks arise because of the changes. In addition, new significant risk areas could be identified, which were not assessed as significant risks in prior audits. If the auditor has determined that a significant risk exists, they are required to obtain an understanding of the entity’s controls, including control activities, relevant to that risk.

If the auditor is unable to perform walkthroughs to confirm their understanding of the information system, or where applicable undertake tests of controls onsite (where the auditor intends to rely on the operating effectiveness of controls), they may need to identify additional risks of material misstatement that will need to be considered and where they were intending relaying on controls they may need to change their audit response and increase substantive testing.

Fraud

The circumstances that many companies find themselves in may have increased the risk of fraud. Companies have had to quickly change the way they operate, including changes to controls, all of which may allow for greater opportunities for fraud. The auditor’s exercise of professional skepticism is particularly important when considering fraud risks on the entity in the current environment.

ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements requires the auditor to make inquires of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. If the auditor is unable to conduct fraud interviews in person due to Covid-19, these inquiries could be done utilizing technology such as video conferencing. This may be preferred to only telephone conversations because auditors can still see management’s body language.

Other Considerations

In the current environment, the auditor may face additional pressure to reduce the level of the audit fee for services in progress or to be provided. The IESBA publication highlights that there may be threats to compliance with the fundamental principles of professional competence and due care if the fee quoted is so low that it may be difficult to perform the engagement in accordance with applicable technical and professional standards for that price. The level of fees (or if they are overdue) might create a self-interest or intimidation threat to independence and auditors should apply the conceptual framework to identify, evaluate and address such threats.

If auditors are unable to obtain evidence to perform and complete the risk identification and assessment process, they may have scope limitations and will need to consider the effect on the planned audit procedures and the impact on the auditor’s report (see section on Auditor Reporting).