International Auditing Standards

International Standard on Auditing (ISA) 200 deals with the independent auditor’s overall responsibilities when conducting an audit of financial statements in accordance with International Standards on Auditing (ISAs). It sets out the overall objectives of the independent auditor and explains the nature and scope of an audit designed to enable the auditor to meet those objectives. ISA 200 also explains the scope, authority, and structure of the ISAs and includes requirements establishing the general responsibilities of the independent auditor applicable in all audits, including the obligation to comply with the ISAs.

ISAs are written in the context of an audit of financial statements by an auditor. When applied to audits of other historical financial information, they are to be adapted as necessary. ISAs do not address auditor responsibilities that may exist in legislation, regulation, or otherwise, such as those connected with offering securities to the public. Such responsibilities may differ from those in ISAs, and while aspects of ISAs might be helpful, it is the auditor’s responsibility to ensure compliance with all relevant legal, regulatory, or professional obligations. ISA 200 became effective for audits of financial statements for periods beginning on or after December 15, 2009.

Overall Objectives of the Auditor

In conducting an audit of financial statements, the overall objectives of the auditor are twofold: (a) To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. This objective enables the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. (b) To report on the financial statements and communicate as required by the ISAs, in accordance with the auditor’s findings.

If reasonable assurance cannot be obtained and a qualified opinion is insufficient, the ISAs require the auditor to disclaim an opinion or withdraw (or resign) from the engagement, where withdrawal is possible under applicable law or regulation.

Purpose and Nature of an Audit of Financial Statements

The fundamental purpose of an audit is to enhance the degree of confidence of intended users in the financial statements. This enhancement is achieved through the auditor expressing an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. For most general purpose frameworks, the opinion addresses whether the financial statements are presented fairly, in all material respects, or give a true and fair view. An audit conducted in accordance with ISAs and relevant ethical requirements enables the auditor to form this opinion.

It is important to note that the auditor’s opinion deals with whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. Such an opinion does not assure, for example, the future viability of the entity nor the efficiency or effectiveness with which management has conducted the affairs of the entity. Law or regulation in some jurisdictions may require auditors to provide opinions on other specific matters, such as the effectiveness of internal control or consistency of a management report; in such cases, additional work would be required beyond that for forming an opinion on the financial statements themselves.

The Premise of an Audit

The financial statements subject to audit are the responsibility of the entity’s management, with oversight from those charged with governance. ISAs do not impose responsibilities on management or those charged with governance and do not override laws or regulations governing their responsibilities. However, an audit in accordance with ISAs is conducted on the premise that management and, where appropriate, those charged with governance have acknowledged and understand certain responsibilities that are fundamental to the conduct of the audit. These responsibilities are:

  • Responsibility for the preparation of the financial statements in accordance with the applicable financial reporting framework, including fair presentation where relevant. This involves identifying the framework, preparing statements accordingly, and including an adequate description of the framework. It also requires management judgment in making reasonable accounting estimates and selecting/applying appropriate policies.
  • Responsibility for establishing such internal control as management and, where appropriate, those charged with governance determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error.
  • Responsibility to provide the auditor with:
    • Access to all information relevant to financial statement preparation that management and, where appropriate, those charged with governance are aware of (records, documentation, etc.).
    • Additional information that the auditor may request.
    • Unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence.

Agreeing to this premise regarding management’s responsibilities is a precondition for accepting the audit engagement. The audit of the financial statements does not relieve management or those charged with governance of their responsibilities. In the public sector, the premise relating to management’s responsibilities may be broader, including responsibility for executing transactions in accordance with law/regulation.

Reasonable Assurance

As the basis for the auditor’s opinion, ISAs require the auditor to obtain reasonable assurance about whether the financial statements are free from material misstatement. Reasonable assurance is defined as a high level, but not absolute, level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (the risk of expressing an inappropriate opinion on materially misstated statements) to an acceptably low level. However, reasonable assurance is not an absolute level of assurance due to the inherent limitations of an audit, which mean that most audit evidence is persuasive rather than conclusive.

Materiality

The concept of materiality is applied by the auditor throughout the audit. This includes planning and performing the audit, and evaluating the effect of identified and uncorrected misstatements on the financial statements. Misstatements, including omissions, are generally considered material if they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements. Judgments about materiality are made considering surrounding circumstances, the auditor’s perception of users’ financial information needs, and the size or nature (or both) of a misstatement. Since the auditor’s opinion is on the financial statements as a whole, the auditor is not responsible for detecting misstatements that are not material to the financial statements as a whole. ISA 320 and ISA 450 provide further guidance on materiality.

Key Concepts Defined in ISA 200

ISA 200 defines several key terms for the purposes of the ISAs:

  • Applicable financial reporting framework: The framework adopted by management and, where appropriate, those charged with governance in preparing the financial statements that is acceptable for the entity’s nature and objectives, or required by law/regulation. Frameworks can be fair presentation frameworks (requiring compliance plus potentially additional disclosures or rare departures for fair presentation) or compliance frameworks (requiring compliance only). Frameworks encompass standards, laws, regulations, interpretations, practices, and literature.
  • Audit evidence: Information used by the auditor in arriving at the conclusions for the opinion. Includes accounting records and other information. Sufficiency is the quantity measure, affected by assessed risks and quality. Appropriateness is the quality measure, meaning relevance and reliability. Evidence can support or contradict management assertions, and even the absence of information can be evidence.
  • Audit risk: The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. It is a function of the risks of material misstatement and detection risk. It’s a technical term and does not include the auditor’s business risks.
  • Auditor: The person(s) conducting the audit, usually the engagement partner or engagement team members, or the firm.
  • Detection risk: The risk that the auditor’s procedures to reduce audit risk won’t detect a misstatement that could be material. It’s a function of the effectiveness of procedures and their application.
  • Financial statements: A structured representation of historical financial information, including notes, communicating economic resources/obligations or changes therein, in accordance with a framework. Notes ordinarily include significant accounting policies and explanatory information. Usually a complete set, but can be a single statement.
  • Historical financial information: Information in financial terms about an entity, derived from its accounting system, regarding past events or conditions.
  • Management: The person(s) with executive responsibility for entity operations. May include some charged with governance.
  • Misstatement: A difference between a reported item and what is required by the framework regarding amount, classification, presentation, or disclosure. Can arise from error or fraud. In fair presentation frameworks, misstatements also include adjustments necessary for fair presentation/true and fair view.
  • Premise: Shorthand for the premise relating to the responsibilities of management and those charged with governance on which an audit is conducted.
  • Professional judgment: Application of relevant training, knowledge, and experience within the context of auditing, accounting, and ethical standards to make informed decisions appropriate for the audit engagement circumstances. Essential for the proper conduct of an audit. Required for decisions about materiality, audit risk, nature/timing/extent of procedures, evaluating evidence, evaluating management judgments, and drawing conclusions.
  • Professional skepticism: An attitude including a questioning mind, being alert to conditions indicating possible misstatement (error/fraud), and a critical assessment of audit evidence. Required when planning and performing an audit. Includes being alert to contradictory evidence, reliability questions, fraud conditions, and the need for additional procedures. Necessary for critical assessment of evidence.
  • Reasonable assurance: In financial statement audits, a high, but not absolute, level of assurance.
  • Risk of material misstatement (RMM): The risk that financial statements are materially misstated prior to audit. Consists of two components at the assertion level: Inherent risk (susceptibility of an assertion to material misstatement before controls) and Control risk (risk a material misstatement won’t be prevented/detected/corrected by internal control). These are the entity’s risks. RMM can exist at the overall financial statement level or the assertion level.
  • Those charged with governance: Person(s) or organization(s) responsible for overseeing the entity’s strategic direction and accountability obligations, including overseeing the financial reporting process. May include management personnel.

Requirements for Conducting an Audit in Accordance with ISAs

ISA 200 sets out several requirements for the auditor:

  1. Ethical Requirements: The auditor shall comply with relevant ethical requirements, including those pertaining to independence, relating to financial statement audit engagements. These ordinarily comprise Parts A and B of the IESBA Code of Ethics and national requirements. Part A covers fundamental principles: Integrity, Objectivity, Professional competence and due care, Confidentiality, and Professional behavior. Independence is required by the IESBA Code in the public interest, comprising independence of mind and independence in appearance. Independence safeguards the auditor’s ability to form an opinion without being compromised and enhances integrity, objectivity, and professional skepticism. Quality control standards (like ISQC 1 and ISA 220) deal with firm and engagement partner responsibilities for ethical compliance, including independence.
  2. Professional Skepticism: The auditor shall plan and perform an audit with professional skepticism, recognizing circumstances that may cause material misstatement. This includes being alert to contradictory evidence, unreliable information, possible fraud conditions, and the need for additional procedures. Maintaining skepticism is necessary to reduce risks like overlooking unusual circumstances or using inappropriate assumptions. It requires questioning contradictory evidence and the reliability of documents/inquiries. Past experience with management integrity does not relieve the auditor of the need for skepticism or allow less than persuasive evidence.
  3. Professional Judgment: The auditor shall exercise professional judgment in planning and performing an audit. This is essential for interpreting ethical requirements and ISAs and making informed decisions throughout the audit. It is particularly necessary for decisions regarding materiality, audit risk, audit procedures, evaluating evidence, and evaluating management judgments/drawing conclusions. Professional judgment is exercised by a competently trained, knowledgeable, and experienced auditor. It is based on known facts and circumstances and should be appropriately documented. It cannot be used to justify decisions not supported by facts, circumstances, or sufficient appropriate audit evidence.
  4. Sufficient Appropriate Audit Evidence and Audit Risk: To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level, enabling the auditor to draw reasonable conclusions for the opinion. Audit evidence is necessary to support the opinion and report. Sufficiency (quantity) is affected by assessed risks and quality. Appropriateness (quality) refers to relevance and reliability. Whether sufficient appropriate evidence is obtained is a matter of professional judgment. Audit risk is a function of RMM and detection risk. RMM (Inherent Risk + Control Risk) exists prior to the audit. Detection risk relates to the effectiveness of the auditor’s procedures. Higher RMM requires lower acceptable detection risk and more persuasive evidence. Planning, staffing, skepticism, supervision, and review help reduce detection risk.
  5. Conduct of an Audit in Accordance with ISAs: The auditor shall comply with all ISAs relevant to the audit. An ISA is relevant if in effect and the circumstances addressed by it exist. The auditor must understand the entire text of an ISA, including application and explanatory material, to understand its objectives and apply requirements properly. The auditor cannot represent compliance with ISAs unless all requirements of ISA 200 and other relevant ISAs are met.

Contents and Application of ISAs

The ISAs, taken together, provide the standards for the auditor’s work in fulfilling the overall objectives. They deal with general responsibilities and their application to specific topics. An ISA contains objectives, requirements (“shall”), and related application and other explanatory material. It may also include introductory material and definitions. The entire text is relevant to proper application. Application and explanatory material provides further explanation, guidance, and examples; while not requirements themselves, they are relevant to proper application. Appendices form part of this material. Definitions assist consistent application and interpretation. Additional considerations specific to audits of smaller entities and public sector entities may be included.

Each individual ISA contains one or more objectives linking its requirements to the auditor’s overall objectives. These objectives help the auditor understand what needs to be accomplished and decide if more work is needed. Achieving individual objectives is subject to the inherent limitations of an audit. The auditor must consider the interrelationships among ISAs; specific ISAs may expand on how principles from general ISAs (like ISA 315 and ISA 330) apply.

The auditor uses these objectives to determine if any additional audit procedures beyond those specifically required by the ISAs are necessary to achieve the objectives in the particular circumstances. The requirements are designed to enable objective achievement, but circumstances vary, so the auditor is responsible for determining necessary procedures. The auditor also uses the objectives to evaluate whether sufficient appropriate audit evidence has been obtained. If evidence is insufficient, the auditor considers if other ISAs provide it, extends procedures, or performs other necessary procedures. If unable to obtain sufficient appropriate evidence, the auditor must determine the effect on the report or the ability to complete the engagement.

The auditor must comply with each relevant requirement unless the entire ISA is not relevant or the requirement is conditional and the condition doesn’t exist. Conditional requirements can be explicit (e.g., modify opinion for scope limitation) or implicit (e.g., communicate significant control deficiencies if identified). Requirements can also be conditional on applicable law or regulation. In exceptional circumstances, the auditor may judge it necessary to depart from a relevant requirement if it is for a specific procedure that would be ineffective. In such cases, the auditor shall perform alternative audit procedures to achieve the aim of the requirement. Documentation is required for such departures.

If an objective in a relevant ISA cannot be achieved, the auditor shall evaluate whether this prevents achieving the overall objectives. This might require modifying the opinion or withdrawing from the engagement (if possible). Failure to achieve an objective is a significant matter requiring documentation. Whether an objective is achieved is a matter of professional judgment, considering procedures performed, evidence obtained, and whether more work is needed.

Inherent Limitations of an Audit

Due to inherent limitations, the auditor cannot reduce audit risk to zero and cannot obtain absolute assurance that financial statements are free from material misstatement. Audit evidence is typically persuasive, not conclusive. These limitations arise from:

  • The nature of financial reporting: Preparing financial statements involves management judgment, subjectivity, estimates, and uncertainty, leading to an inherent level of variability that cannot be eliminated by auditing.
  • The nature of audit procedures: There are practical and legal limits on obtaining evidence. Management may not provide complete information (limiting certainty on completeness). Fraud can involve sophisticated concealment, making procedures ineffective (auditors are not authentication experts). An audit is not a legal investigation and auditors lack search powers.
  • The need for the audit to be conducted within a reasonable period and at a reasonable cost: Users expect a timely opinion at a reasonable cost. It’s impracticable to address all information or exhaustively pursue every matter. This necessitates planning effectively, directing effort to high-risk areas, and using testing. Difficulty, time, or cost alone is not a valid reason to omit a necessary procedure or accept less persuasive evidence.

Certain assertions or subject matters (like fraud involving senior management/collusion, related parties, non-compliance with laws, and going concern) have particularly significant potential effects from these inherent limitations. Relevant ISAs identify specific procedures to help mitigate these effects.

Given these limitations, there is an unavoidable risk that some material misstatements may not be detected, even if the audit is properly planned and performed according to ISAs. Therefore, the subsequent discovery of a material misstatement does not by itself indicate a failure to conduct an audit in accordance with ISAs. Compliance with ISAs is determined by the procedures performed, the sufficiency/appropriateness of evidence obtained, and the suitability of the auditor’s report based on that evidence relative to the overall objectives. Crucially, inherent limitations are not a justification for the auditor to be satisfied with less than persuasive audit evidence.

The key themes, concepts, and requirements outlined in International Standard on Auditing (ISA) 200, which governs the overall objectives and conduct of an independent audit of financial statements in accordance with International Standards on Auditing (ISAs).

1. Purpose and Scope of an Audit:

  • Purpose: The fundamental purpose of an audit is to “enhance the degree of confidence of intended users in the financial statements.” This is achieved through the auditor expressing an opinion on whether the financial statements are prepared, in all material respects, according to an applicable financial reporting framework. For most general-purpose frameworks, this opinion addresses whether the financial statements are presented fairly or give a true and fair view.
  • Scope: ISA 200 outlines the independent auditor’s overall responsibilities when conducting an audit in accordance with ISAs. It clarifies the nature and scope of such an audit and the auditor’s general responsibilities, including the obligation to comply with ISAs.
  • Limitations: An audit opinion does not guarantee the entity’s future viability or the efficiency of management. While ISAs provide guidance on matters relevant to forming an opinion on financial statements, auditors may have additional responsibilities in certain jurisdictions (e.g., reporting on internal control effectiveness) that are not fully addressed by ISAs and may require further work.

2. Overall Objectives of the Independent Auditor:

The primary objectives of the auditor when conducting a financial statement audit are:

  • (a) “To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework.”
  • (b) “To report on the financial statements, and communicate as required by the ISAs, in accordance with the auditor’s findings.”

If reasonable assurance cannot be obtained and a qualified opinion is insufficient, the auditor is required to “disclaim an opinion or withdraw (or resign) from the engagement, where withdrawal is possible under applicable law or regulation.”

3. Key Concepts and Requirements:

  • Reasonable Assurance: This is a “high level of assurance” obtained when the auditor gathers “sufficient appropriate audit evidence to reduce audit risk… to an acceptably low level.” However, reasonable assurance is not absolute due to the inherent limitations of an audit.
  • Materiality: Materiality is applied during planning and performance of the audit, and when evaluating misstatements. Misstatements are material if they “could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.” Judgments about materiality are context-dependent and influenced by user needs and the size/nature of the misstatement. The auditor is not responsible for detecting immaterial misstatements.
  • Ethical Requirements: The auditor “shall comply with relevant ethical requirements, including those pertaining to independence, relating to financial statement audit engagements.” This includes adhering to the fundamental principles of integrity, objectivity, professional competence and due care, confidentiality, and professional behavior, as outlined in the IESBA Code of Ethics. Independence of mind and appearance is crucial for safeguarding the auditor’s ability to form an opinion without undue influence.
  • Professional Skepticism: The auditor “shall plan and perform an audit with professional skepticism recognizing that circumstances may exist that cause the financial statements to be materially misstated.” This involves having a “questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence.” Professional skepticism is vital for critically assessing evidence, questioning contradictions, and evaluating the reliability of information.
  • Professional Judgment: The auditor “shall exercise professional judgment in planning and performing an audit of financial statements.” This involves applying “relevant training, knowledge and experience… in making informed decisions about the courses of action that are appropriate in the circumstances of the audit engagement.” Professional judgment is necessary for decisions regarding materiality, audit risk, the nature, timing, and extent of procedures, evaluating evidence, assessing management judgments, and drawing conclusions. It must be appropriately documented and cannot justify decisions not supported by evidence.
  • Sufficient Appropriate Audit Evidence and Audit Risk:Audit Evidence: This is the “Information used by the auditor in arriving at the conclusions on which the auditor’s opinion is based.” It includes information from accounting records and other sources, and can support or contradict management assertions.
  • Sufficiency: This is the “measure of the quantity of audit evidence,” influenced by the auditor’s risk assessment and the quality of the evidence.
  • Appropriateness: This is the “measure of the quality of audit evidence; that is, its relevance and its reliability.”
  • Audit Risk: This is “The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated.” It is a function of the risks of material misstatement and detection risk. Audit risk does not include the risk of expressing a wrong opinion when the statements are not materially misstated, nor the auditor’s business risks.
  • Risks of Material Misstatement: These exist at the overall financial statement level and the assertion level. At the assertion level, they comprise:
  • Inherent Risk: “The susceptibility of an assertion… to a misstatement that could be material… before consideration of any related controls.”
  • Control Risk: “The risk that a misstatement… will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control.”
  • Detection Risk: This is “The risk that the procedures performed by the auditor… will not detect a misstatement that exists and that could be material.” It relates to the effectiveness of the auditor’s procedures and their application. Detection risk can only be reduced, not eliminated, due to inherent audit limitations.

4. Conduct of an Audit in Accordance with ISAs:

  • Compliance with ISAs: The auditor “shall comply with all ISAs relevant to the audit.” An ISA is relevant if it’s in effect and the circumstances it addresses exist. The auditor must understand the entire text of an ISA, including application and explanatory material, to apply requirements properly. Compliance with ISAs must be represented in the auditor’s report only if all relevant ISAs have been complied with.
  • Objectives in Individual ISAs: Each ISA contains objectives linked to the auditor’s overall objectives. These objectives help the auditor determine necessary procedures and evaluate whether sufficient appropriate evidence has been obtained.
  • Compliance with Relevant Requirements: The auditor “shall comply with each requirement of an ISA unless, in the circumstances of the audit: (a) The entire ISA is not relevant; or (b) The requirement is not relevant because it is conditional and the condition does not exist.”
  • Departure from Requirements: In exceptional circumstances, the auditor may depart from a relevant ISA requirement if the specified procedure would be ineffective. In such cases, alternative procedures must be performed to achieve the aim of the requirement.
  • Failure to Achieve an Objective: If an objective in a relevant ISA cannot be achieved, the auditor must evaluate whether this prevents achieving the overall objectives and requires modifying the opinion or withdrawing from the engagement. Failure to achieve an objective is a significant matter requiring documentation.

5. Inherent Limitations of an Audit:

Even a properly planned and performed audit has inherent limitations, meaning there’s an unavoidable risk that some material misstatements may not be detected. These limitations stem from:

  • The Nature of Financial Reporting: Preparation of financial statements involves management judgment and estimates, which can have inherent variability.
  • The Nature of Audit Procedures: Audit procedures may not be effective in detecting sophisticated fraud involving collusion or falsified documents. Auditors are not expected to be authentication experts. An audit is not a legal investigation.
  • Timeliness and Cost: Financial information’s value diminishes over time, and there’s a balance between reliability and cost. Auditors must plan effectively and focus on areas of higher risk. It’s impractical to pursue every matter exhaustively assuming error or fraud.

6. Management’s Responsibilities (Premise of the Audit):

An audit is conducted on the premise that management and, where appropriate, those charged with governance, acknowledge and understand their fundamental responsibilities for:

  • Preparing financial statements in accordance with the applicable financial reporting framework (including fair presentation where relevant).
  • Implementing internal control necessary for financial statements free from material misstatement.
  • Providing the auditor with access to all relevant information, additional requested information, and unrestricted access to necessary personnel.

The audit does not relieve management or those charged with governance of these responsibilities.

7. Definitions:

ISA 200 provides definitions for key terms, including:

  • Applicable financial reporting framework: The framework used to prepare financial statements.
  • Audit evidence: Information used to form the audit opinion.
  • Audit risk: Risk of expressing an inappropriate opinion on materially misstated financial statements.
  • Auditor: The person(s) conducting the audit.
  • Detection risk: Risk that auditor procedures won’t detect a material misstatement.
  • Financial statements: Structured representation of historical financial information.
  • Historical financial information: Financial information about past events.
  • Management: Persons with executive responsibility for operations.
  • Misstatement: Difference between reported and required financial statement item.
  • Premise: Management’s responsibilities for financial statement preparation and internal control.
  • Professional judgment: Application of training, knowledge, and experience to make informed decisions.
  • Professional skepticism: Questioning mind, alertness to misstatement indicators, and critical assessment of evidence.
  • Reasonable assurance: High, but not absolute, level of assurance.
  • Risk of material misstatement: Risk of material misstatement before the audit, consisting of inherent and control risk.
  • Those charged with governance: Persons overseeing strategic direction and accountability, including financial reporting.

This briefing document provides a high-level overview of the crucial elements of ISA 200. A thorough understanding of the complete text and application material is necessary for proper application in an audit engagement.