ISA 600 Explained
The International Federation of Accountants has updated the International Standard on Auditing 600 (ISA 600), and the revised standard went into effect on December 15, 2023. What are the advantages and disadvantages of the revisions when it comes to group audits?
What are the pros and cons of the latest update to the International Standard on Auditing?
The International Federation of Accountants has updated the International Standard on Auditing 600 (ISA 600), and the revised standard went into effect on December 15, 2023. What are the advantages and disadvantages of the revisions when it comes to group audits?
Firstly, a group audit refers to an audit of consolidated financial statements where the parent company and its subsidiaries are viewed as a single economic entity or “group.” It is often conducted by the parent company’s auditor, known as the group auditor, and encompasses the financial information of the parent company and its subsidiaries. As the group auditor will provide an opinion on the consolidated financial statements, it is essential that they are satisfied with the work completed by component auditors or local audit teams.
The group audit is necessary because businesses often operate through different legal entities and across different geographical locations. For an accurate view of the group’s financial situation, auditors must assess financial statements at both the parent and subsidiary levels and follow the standards established by the relevant auditing bodies.
International Standard on Auditing 600 (ISA 600) (Revised), Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors) deals with special considerations that apply to a group audit, including when component auditors are involved. The standard is effective for audits of group financial statements for periods beginning on or after December 15, 2023, and aligns with recently revised standards which emphasize the assessment of risk, including ISQM1 and ISA 220 (Revised) and ISA 315 (Revised 2019). There is increased emphasis on the responsibilities of auditors relating to professional skepticism, planning and performing a group audit, two-way communications between the group auditor and component auditors, and documentation.
The changes are intended to:
- Encourage proactive management of quality at the group engagement and the component levels
- Keep the standard fit for purpose in a wide range of circumstances and in a developing environment
- Reinforce the need for robust communication and interactions during the group audit
- Foster an appropriately independent, challenging, and skeptical mindset on the part of the auditor
ISA 600 (Revised) sets out the responsibilities of the group auditor for providing the audit opinion on the group financial statements, including components such as subsidiaries, associates, joint ventures, and non-controller entities.
Advantages
Viewed from the component auditor’s side, relying on a variety of useful information regarding management’s rationale from the group auditor can reduce the risk of material misstatement and detection risk when conducting audit components.
One significant change is the introduction of the risk-based approach as a framework for planning and performing a group audit engagement. This means more focus on identifying and assessing the risks of material misstatement and performing further audit procedures in response to the assessed risks. The group auditor develops initial expectations and, based on these, may involve component auditors in risk assessment procedures, as these individuals may have direct knowledge and experience with the entities or business units that could be helpful in understanding the activities and related risks.
According to the standard, the group engagement partner may take responsibility for directing and supervising component auditors in different ways, such as:
- Discussing identified and assessed risks, issues, findings, and conclusions
- Participating in the closing or other key meetings between the component auditors and component management
The discussion between the group auditors and component auditors provides the opportunity to understand how and where the entity’s financial statements may be susceptible to material misstatement due to fraud. This is done by considering external and internal factors affecting the group that may create an incentive or pressure for group management, component management, or others to commit fraud. The discussion between group engagement partners and other key management team members also provides a chance to identify risks of material misstatement relevant to components where there may be impediments to the exercise of professional skepticism. In other words, the involvement of the group auditor enhances the effectiveness of component auditors.
ISA 600 (Revised) strengthens and clarifies the importance of two-way communications between the group auditor and component auditors as well as various aspects of the group auditor’s interaction with component auditors. However, there are many types of restrictions that may exist, such as on access to people and information (e.g., component management, those charged with governance of component, component auditors) as well as audit documentation.
Viewed from the group auditor’s side, the revised standard provides guidance on ways to overcome restrictions. The group auditor may be able to visit the location of the component auditor or meet with the component auditor to review their audit documentation. They may also be able to review the relevant audit documentation remotely when not prohibited by law or regulation and request that the component auditor prepare and provide a memorandum that addresses the relevant information.
Disadvantages
The application of ISA 600 (Revised) may also bring some downsides.
According to the requirements, the role of group auditor increases, as does the workload of component auditors. The group auditor may involve component auditors to provide information or perform audit work to fulfill the requirements of the standard.
Component auditors can be—and often are—involved in all phases of the group audit. The group auditor shall take responsibility for the nature, timing, and extent of further audit procedures to be performed, including determining the components at which to perform further audit procedures. This responsibility is demonstrated through meeting the requirements of the consolidation process and considerations when component auditors are involved.
Communication
ISA 600 (Revised) includes enhanced documentation requirements and application material to emphasize the link to the requirements of ISA 230 and other relevant ISAs. The required documentation includes:
Basis for the group auditor’s determination of components
Basis for the group auditor’s determination of the competence and capabilities of component auditors
Documentation of the direction and supervision of component auditors and the review of the work
Additional considerations when access to audit documentation is restricted
The strength and clarity of the importance of two-way communications between the group auditor and component auditors in the standard are likely to result in more work for the group engagement team. This is particularly true regarding the enhanced responsibilities in evaluating the component auditor’s communication and the adequacy of their work, the sufficiency and appropriateness of audit evidence obtained, and communicating with group management and those charged with governance of the group. References in the standard to the definition of “engagement team” includes the group auditor and component auditors.
As mentioned, the group auditor will involve component auditors and clarify the instructions for the risk-assessment procedures. However, in practice, there are some instructions from the group auditor that may not be suitable for component auditors, and this can lead to some aspects of the instructions not being effective.
These changes to the standard will take time to implement, comply with, and complete for both the group auditor component auditor sides.
Generally, both sides should make sure that they understand the new requirements and that audit methodologies are updated accordingly and in a timely manner. They should also reassess the models being used for considering component materiality and aggregation risk to determine whether they are still appropriate.
For more information, please contact Grant Thornton Japan at info@jp.gt.com or visit www.grantthornton.jp/en
Internal Controls, Sustainability, and IFRS
With two new sustainability standards in effect for annual reporting as of January 1, 2024, companies may need to reassess their internal controls to ensure they are compliant with disclosure requirements.
How two new sustainability standards impact reporting and disclosure, and what companies should consider to ensure they are compliant.
On June 26, 2023, the International Sustainability Standards Board (ISSB) unveiled its first-ever standards for sustainability disclosure. Designated International Financial Reporting Standards (IFRS) S1 and S2, they focus on general sustainability- and climate-related disclosures.
As demand grows from investors, regulators, customers, and other stakeholders for companies to disclose their sustainability practices and impact on the environment and society, these standards could help with the assessment of a company’s long-term sustainability, its ability to manage risks and opportunities, and to compare companies across industries.
IFRS S1, General Requirements for Disclosures of Sustainability-related Financial Information, requires companies to disclose financial information about their sustainability-related risks and opportunities that is useful to primary users of general-purpose financial reports in making decisions related to providing resources to the company. IFRS S2, Climate-related Disclosures, requires companies to disclose the same related to climate.
As this information could affect the company’s cash flow, access to financing, or cost of capital, the requirement for reporting and transparency might influence strategy, objectives, and decision-making processes.
With these new sustainability standards taking effect for annual reporting periods beginning on or after January 1, 2024, companies should reassess their systems of internal controls to comply with the disclosure requirements.
The table below shows internal controls that companies may need to consider.
| Internal Control Areas | Points to Consider |
|---|---|
| Data collection, verification, and management | · Accuracy and reliability of sustainability data for reporting · Manage the increased volume of sustainability data |
| Risk assessment and management | · Controls and processes to identify, assess, and manage risks and opportunities · Consistency with its strategic decisions and operations |
| Technology infrastructure | · Invest in new technology and IT controls |
| Training and awareness | · Invest in employee training and awareness programs · Policies and procedures to evaluate competencies |
| Governance | · Establish authority and responsibility |
| Integration with financial reporting | · Communication and monitoring from management and those charged with governance · Facilitate external audit |
| Stakeholder engagement | · Inclusion of processes for engaging with stakeholders |
Data Collection, Verification, and Management
The IFRS standards and reporting promote transparency and accountability regarding sustainability- and climate-related risks and opportunities. By requiring the collection and validation of data, a company can ensure accuracy and reliability for reporting.
Doing so will require robust internal controls similar to those used in financial reporting, and internal controls may need to be updated to manage the storage, access, and protection of a larger volume of data. As sustainability reporting is often required by regulatory bodies or industry standards, integrating sustainability metrics into internal controls helps ensure compliance and reduces the risk of penalties and legal issues.
Risk Assessment and Management
As sustainability reporting involves identifying, assessing, prioritizing, and monitoring risks and opportunities related to sustainability and climate, internal controls must include processes to effectively assess, manage, and mitigate risks. It is also key to ensure that those charged with governance have considered trade-offs associated with the risks and opportunities.
Sustainability reporting also highlights long-term sustainability goals and opportunities. Therefore, aligning internal controls with these goals can ensure that strategic decisions and operations are consistent with sustainability objectives.
Technology Infrastructure
Companies may need to invest in new technology and IT controls to manage sustainability data, especially if they are transitioning to digital reporting platforms. Information systems should be able to capture internal and external sources of data related to sustainability and climate risks and opportunities.
Training and Awareness
Companies may need to invest in employee training and awareness programs to ensure that all personnel understand the sustainability goals and the importance of reporting, and can carry out their internal control responsibilities. Companies may need to monitor the contributions of employees to these objectives. Processes may include policies to determine whether appropriate skills and competencies are available or will be developed to oversee strategies designed to respond to risks and opportunities related to sustainability and climate.
Governance
Sustainability reporting may necessitate changes in corporate governance to ensure that sustainability considerations are integrated into strategy and decision-making processes. Internal controls should reflect shifts in governance by having a governance body (which may include a board, committee, or equivalent) or individuals responsible for oversight of risks and opportunities related to sustainability and climate. Companies should also consider updating policies and procedures to reflect the responsibilities of those charged with governance and management.
Integration with Financial Reporting
Aligning the processes for sustainability and financial reporting requires careful coordination and internal controls to ensure that both are accurate and consistent. Policies and processes should consider how, and how often, those charged with governance and management are informed about sustainability- and climate-related risks and opportunities and decisions on significant transactions. Companies may also need to establish controls and policies to facilitate external audits of their sustainability disclosures to ensure that the data, processes, metrics, and targets adhere to reporting standards.
Stakeholder Engagement
Internal controls may need adjusting to address the broader set of stakeholders associated with sustainability reporting compared with traditional financial reporting. Sustainability reporting can lead to increased stakeholder scrutiny and engagement, and effective internal controls can help manage these interactions and ensure that stakeholder concerns are addressed, and the company’s reputation maintained. Communication methods should take into considering the timing, audience, and nature of the engagement.
As the ISSB is currently developing these sustainability standards, we expect that additional standards might be promulgated to address the needs of the stakeholders. Regular reviews and updates of internal controls, policies, and procedures are necessary to adapt to changing sustainability reporting standards and evolving practices.
Companies focusing on sustainability could drive innovations and efficiencies in their processes that lead to cost reductions. Internal controls can monitor and optimize these changes to ensure that they are implemented effectively and align with the company’s strategies, objectives, and decision-making processes.
For more information, please contact Grant Thornton Japan at info@jp.gt.com or visit www.grantthornton.jp/en