The changes proposed by the FRC are summarised below. They are effective for audit periods commencing on or after 1st Jan 2020 (earlier adoption is permitted) so, for many firms, action is required soon to be compliant at the start of their next audit period.
Key highlights for firms
- Completeness of firms’ own reporting of CASS breaches to be assessed
- Auditor is now specifically required to gain an understanding of major IT and automated procedures used by the firm in CASS compliance monitoring
- Reporting to those charged with governance now only includes issues that are of ‘significant risk’ (of non-compliance) and require urgent attention
- Audit engagement letter now must include details of reporting responsibilities to those charged with governance
Key highlights on changes to audit approach – more risk based?
- The standard now references engagement risk when deciding what is appropriate evidence to support reporting
- Use of IT for CASS now added in determination of risk
- Use of third parties now added in determination of risk
- When planning the audit a ‘sufficient and appropriate evidence’ clarification has been added
- Standard now mentions auditor’s judgement when selecting items to test based on the risk of a breach to the rules
- The 3 specific approaches for selecting a sample to test have been removed and are replaced by the above use of judgement
- Removal of statement on compliance mind set for auditor
- Removal of statement saying materiality is not applicable
- Objective of the standard changes from ‘improve quality’ to ‘support high quality’
- Knowledge and findings from the statutory audit is now specifically mentioned (where this is performed by the same firm) in the auditor forming a professional judgement
- Now specifically appropriate to use evaluation of operational controls over firms’ own assets where the systems, controls or governance are ‘common’ with those for client assets to inform the CASS audit
- Use of SOC reports now mentioned when performing assurance on outsourced functions. Auditors can place reliance on these if they assess the quality of work undertaken by the provider.
- Date added for putting together the final engagement file not normally later than 60 days after the date of the report
- Audit QA changes – The audit of CASS small firms need no longer undergo an audit QA review process in some circumstances
Further analysis to follow in due course, window for feedback to FRC closes on 27th September 2019.