
DTT Letter with logo


March 31, 2003

Mr. Jim Sylph
Technical Director
International Auditing and Assurance Standards Board
535 Fifth Avenue, 26th floor
New York, New York 10017

Dear Mr. Sylph,

Proposed Audit Risk Standards

We welcome the opportunity to comment on the audit risk exposure drafts issued by the International Auditing and Assurance Standards Board (“IAASB”). The development of new International Standards on Auditing (“ISAs”) to replace the various existing standards which relate to assessment of and responses to risk is timely given the need to restore public confidence in auditing. Improving the guidance on internal control and risk assessments is vital to the process of obtaining IOSCO and EU endorsement of the ISAs. We believe the exposure drafts accomplish this goal, and the comments that follow should be considered in light of our overall support of these standards.

We note that the IAASB believes that the proposed audit risk standards will increase audit quality as a result of better risk assessment and improved design and performance of audit procedures to respond to risks. Our view is that there is much useful material contained in these proposed standards, but that clarification is required in some areas to ensure that auditors (and others) understand what is required of them. Such areas include risk assessment procedures, the difference between ‘tests of control’ and ‘understanding design and implementation’, analytical procedures, the discussion among the audit team, the use of prior years’ knowledge and the financial reporting closing process.

Also there are aspects of the proposed standard on “Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement” (“Understanding the Entity”) that need to be improved. These include putting much more emphasis on the need for a powerful upfront accounting critique, which is then sustained throughout the audit, pulling together more the material on “out of normal process” transactions and on control override, and on reducing the length of the Appendices, which also need to become less prescriptive.

Deloitte Touche Tohmatsu
1633 Broadway
New York, NY 10019-6754

Tel: 212-492-4118


We are also concerned that there are aspects of governance that are described in ways which are rather outdated or which are underplayed. This is probably due to the fact that, since the development of the COSO model, there have been other governance developments, notably the increased importance of the audit committee, other control models which place more emphasis on the overall responsibility for internal control being assumed by management or the board, the ongoing identification, prioritisation and management of significant risk, review of the effectiveness of the system of control by the audit committee or the board, more focus on the importance of whistle blowing procedures and on codes of conduct, and the issue of the statements including assertions on internal control.

More needs to be said about the role of those charged with governance in reviewing the process for which management is responsible for identifying and managing the business and financial reporting risks. This involves the need for proper briefing by management on business developments and for financial literacy.

There is also a sense when reading the proposed standard on “Understanding the Entity” that it implies that it should be the auditor, rather than management, who should own the process for identifying significant risk and for documenting systems of control. This is contrary to recent governance developments. It also ignores the increased amount of work that is needed towards developing the basis for proper reporting by management to the audit committee and to the public. Unless more attention is paid to this, the audit process becomes a substitute for processes which management should conduct themselves. In such circumstances these processes do not develop as much as they should and ultimately there is more potential exposure to control failures and audit litigation than there should be.

We are also concerned that the proposed standard on “Understanding the Entity” is too long. The effect of including so much material on the understanding of the entity and its environment is that it seems to downplay the importance of the assessment of risk. There is perhaps scope to move more material to the Appendices. We also consider that Appendix 1 may inadvertently encourage a return to the era when lengthy permanent files were produced which partners stopped reading because they contained too much which was irrelevant. Alternatively Appendix 1 may result in a form filling exercise that distracts auditors from the key place where they now need to start the audit – the powerful upfront accounting critique. Another feature of Appendix 1 is that its prescriptive style adds a considerable cost burden to the audit of smaller entities. It should be made clearer that it is intended for training purposes.

The concept of what is sufficient audit evidence, as described in paragraph 26 of the draft standard “Auditor’s Procedures in Response to Assessed Risk” (“Auditor’s Procedures”) needs to be defined with greater clarity and the concept of “inquiry alone not providing sufficient evidence” needs to be put in bold text or given greater prominence.

Issues relating to audits of groups of companies, for example, control over subsidiary entities, and the aggregation of accounting information and group level risk issues, need to be addressed within the ISAs. We understand that the IAASB has established a Group Audits Task Force, and we recommend that this task force work with the Audit Risk Task Force to ensure that, as a whole, the ISAs adequately take these issues into account.

The proposed audit risk standards do not do much to clarify the expectation gap between what the public expects and what an audit actually delivers. It is difficult to say whether this can ever be achieved in auditing standards, but perhaps ISA 200 requires additional guidance to supplement the existing material around reasonable assurance. It also needs to state categorically that an audit is not a guarantee that the financial statements are free of material misstatement and that there is no such thing as absolute assurance. (Because a doctor conducts an annual physical examination with a clean bill of health does not guarantee that the patient will not drop dead the next day.) Standards may never eliminate the expectation gap, particularly without an ongoing major public relations educational campaign.

We are supportive of the new assertions and the distinction between those relating respectively to the balance sheet and to the income statement.

Our responses to the specific issues raised by IAASB:

1. Small entities

We note the inclusion of some guidance on small entities. This is welcome, but a key principle that should be incorporated (and one that is particularly applicable to small entities) is the need to keep the understanding of the entity and its environment and the assessment of risk simple. Otherwise there is a danger that, unless the auditor focuses on the key business issues and the significant risks, the auditor will not see the “woods for the trees”.

There is also a need to recognise that the entity’s objectives and strategies and related business risks are rarely articulated well within small entities. Similarly such entities may not have much measurement and review of financial performance.

2. Understanding the internal control

Paragraphs 50 through 94 of “Understanding the Entity” seem to be based largely on previous material. However internal control expectations have moved on during the past decade and again more recently in various countries in response to significant scandals. In particular the section on internal control needs to reflect the following developments:

Control environment

Legal or regulatory requirements that expect management or the directors of listed (and some other entities) to make public statements on internal control.

The need for periodic review of the arrangements for whistle blowing.

Legal or regulatory requirements relating to disclosures by management to the audit committee and on the nature of the process for reviewing the effectiveness of the system of control.

Information and communication

Increased focus on disclosure controls rather than merely financial controls.

Control procedures

Increasing expectations that management have proper documentation themselves of their systems of control and of the apportionment of key functions relating to risk management and control.

Greater recognition of the need for proper procedures to deal with deviations from codes of conduct.

Monitoring and corrective action

Increased focus (and possibly public disclosure) of the process taken to rectify significant problems arising from control weaknesses disclosed in the annual report.

Legal or regulatory requirements relating to disclosures by management to the audit committee and on the nature of the process for reviewing the effectiveness of the system of control.

More emphasis is needed on the types of questions which modern audit committees are likely to ask of external auditors. These may include:

What are your views about the tone at the top?

What is the quality of management’s documentation of the systems of internal control (which should be owned by management rather than by the auditors)?

What are the key issues relating to risk and lack of control about which the audit committee should be aware?

What are your views about our whistle blowing procedures?

What are the key things we need to know about the closedown of the books and in relation to control (or lack of control) of parts of the business that are material to the group?

A significant topic, which is dealt with in a manner that is too fragmented, is the possibility of management override of key controls, particularly over out of normal process transactions. Currently guidance on this vital topic (which seems to account for more than its fair share of major scandals) is scattered within paragraphs 67, 79, 80 (3rd and 4th Bullets) and 107 to 109 of “Understanding the Entity”. This material needs to be gathered together more and given even greater emphasis.

Another issue that needs to be given more attention is that some modern business process related technology driven systems are not strong on key issues such as bank reconciliations or control over personal accounts. The section on IT controls can perhaps focus more on the importance of auditors being consulted before IT systems are introduced. Auditors also need to be ready to deal with the question from audit committee members, “Are there controls issues relating to our IT systems which could give rise to accounting break downs?”


3. The auditor’s procedures in response to assessed risk

We concur with the requirement that the auditor should test the operating effectiveness of controls on which the audit plans to rely at least every third year.

4. Documentation

We have some concern that paragraph 117(b) of “Understanding the Entity” could recreate the spectre of thick permanent files which are then ignored but which among the detail contain key points that are easy to overlook. We therefore recommend that the documentation in this area should be confined to an understanding of the matters identified in paragraph 26 which the auditor considers to be of importance. Perhaps the focus should be on what has changed, what appears to the auditor to be dysfunctional and what might contribute to material misstatement arising from fraud.

The documentation of the discussion among the audit team referred to in paragraph 117(a) would more usefully follow the understanding referred to in paragraph 117(b), and therefore these paragraphs could be reversed. There is also a need to limit the documentation of the discussion to the key points that arose. Otherwise the documentation of the discussion could be rambling, contain matters whose likelihood is regarded as too remote and increase unfairly the litigation risk against the auditor. We suggest including some grey-lettered guidance that states that the documentation of the discussion is intended to be a brief overview of the topics discussed and key points, not a verbatim documentation of the discussion.

Detailed comments on the specific documents:

(a) Amendment to ISA 200 ‘Objective and Principles governing an audit of financial statements’

It would be useful if this document could refer more to the concept of professional skepticism.

(b) Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement.

The applicable financial reporting framework is far too important a topic to be part of a section on Industry, Regulatory and Other External Factors and then dispersed within paragraphs 5, 26(b), 30, 34 and 35. We recommend an upfront financial reporting critique, as the scandals over recent years have frequently involved the selection of inappropriate accounting policies and practices which affect not just year-end financial reporting but also interim reporting. Unless there is a robust challenge early on, management may become more entrenched in any bad accounting practices that have been the basis for interim reporting. Also, with the acceleration of the timetable for financial reporting in various parts of the world, this is not an area that should be left until the end of the audit. Furthermore, it is arguable that until an upfront accounting critique is performed, the understanding of the business and of its misstatement risks cannot be put in its proper context.

Issues that may need to be considered during an upfront financial reporting critique include:

What are the critical accounting policies?

How do those policies compare with industry norms?

What do analysts, the media and financial management say about the accounting?

Could the accounting be subject to regulatory criticism?

What are the key accounting judgments?

To what extent is the financial position dependent on accounting judgments?

What is the history of accounting issues in recent years?

Are there items in the balance sheet or off balance sheet that are questionable?

Are there indications that prior year accounting judgments have been revised or need revision?

What terms of trade with customers or suppliers could have accounting implications?

Are there signs that management could be taking an excessively aggressive approach in the areas of earnings and revenue recognition and treatment of costs or promotional discounts?

If the auditor were senior management, how would he or she manipulate the results to meet market expectations?

Have there been any specific changes in accounting policies in the current year?

To what extent are there non-cash consideration transactions, swaps, financial instruments, possible impairments, valuation, unrealised transactions, one-off items and other contentious items, and how justifiable are the treatments?

What is the impact of new or forthcoming accounting standards?

Has management been proactive with respect to accounting policy developments and would their attitude be characterised as aggressive or overly conservative?

Such a critique should be updated at subsequent stages of the audit and during interim review.

Communication with those charged with governance or management seems to be dealt with in a manner that is just one way. Therefore, there needs to be a much stronger recognition of a two way process, particularly in respect of the audit committee’s reasonable expectations of the audit.

It would be inconceivable that the auditor’s understanding would be greater than that of management unless the latter are incompetent. The term “ordinarily less” referred to in paragraph 6 should therefore be strengthened.


Paragraph 7 indicates that the auditor can obtain audit evidence when conducting “risk assessment procedures”. However it is unclear how much assurance the auditor obtains from this evidence. We recommend that the Task Force ensure that this is not interpreted to allow over-reliance on these types of procedures, as there is a danger that, without specific limits, some auditors could rely on superficial procedures as substantive audit evidence.

Those charged with governance should be elevated to the top of the list set out in paragraph 9.

Paragraph 12 says that because analytical procedures ordinarily use data aggregated at a high level, the results only provide a broad initial indication about whether a material misstatement may exist. We would suggest however that, if an auditor chooses to develop detailed expectations, which are appropriately disaggregated, this one test may be used to satisfy both the “understanding” requirement as well as provide substantive assurance.

Paragraph 18 requires a meeting of the team to discuss susceptibility of material misstatement and paragraph 19 states, “An objective ….”, indicating that this is one of perhaps many objectives. If the standard is going to require a meeting to be held for every audit, then it needs to be more definitive as to why this is required, what is expected to be accomplished and what the outcomes from the meeting should be; put another way, assuming such meetings are not being held in all cases now, what is it that is expected to be accomplished and the audit improved by mandating such meetings for all audits; without such guidance, meetings may be held because the standard requires them but little improvement to the audit process may result.

There needs to be a paragraph for small entities included in the section on discussion among the audit team. It needs to be recognised that the extent of discussion on simple, smaller entities would need to be much less than for a more complex, larger entity.

With regard to paragraph 24, it is difficult to contemplate a situation for a recurring audit where the auditor would not use information about the entity and its environment obtained in prior periods. Would the auditor simply ignore prior years’ knowledge and not use it in the current audit? Instead, this paragraph needs to be rewritten to assume that prior years’ knowledge will always be used and that the auditor cannot assume that nothing has changed but rather needs to confirm that this knowledge remains valid and appropriate.

It is unclear what, “consider whether the entity’s selection and application of accounting policies are appropriate for its business and consistent with the applicable reporting framework” in paragraph 24 means. What does “consider” mean in terms of work effort; it is easy to consider or to say, “Yes, I considered that.” What is it we expect the auditor to do? Does this mean that the standard wants the auditor to determine that the accounting policies selected are first within the acceptable alternatives within GAAP and secondly, whether among the alternatives the most appropriate has been selected? This is more onerous and would lead to a lot of useful discussion with management and the audit committee as to the policies chosen. It is not clear precisely why these procedures are required; while they make sense, understanding why they are required will assist the auditor determine the nature and extent of work effort in this area. Generally this area requires much more consideration, particularly in the light of recent scandals and the general concern about aggressive earnings and balance sheet management. See our comments above on the need for an upfront financial reporting critique updated subsequently during the audit and interim reviews.

The last sentence of paragraph 33 puts too much emphasis on the auditor’s responsibility to ensure that management has properly disclosed all matters in the footnotes, when in actuality, the primary responsibility rests with management.

Paragraph 36 requires the auditor to obtain an understanding of the entity’s objectives and strategies and the related business risks; how is this done for small entities where objectives, strategies and risks are rarely articulated; given the lack of sophistication of many of these entities, what does the auditor do to comply with this paragraph?

Paragraph 7 defines “risk assessment procedures” which seem to be the auditor’s procedures; paragraph 41 defines “risk assessment process” which seems to be something management does that the auditor needs to know about; the similarity of these terms will undoubtedly result in confusion.

Paragraph 44 seems to need something more to indicate the relationship between management’s and the auditor’s objectives; perhaps it needs to state that not all the risks of interest to management are necessarily of audit interest.

Paragraph 45 requires the auditor to obtain an understanding of the measurement and review of the entity’s financial performance; how does this apply to smaller entities where much of what is suggested may not exist; does the auditor simply state that the information is not available?

Paragraph 54 contains an important concept that may be lost in the guidance. We recommend that this paragraph be moved to the end of paragraph 50, so that it is associated with the black letter requirement in paragraph 50.

Should the concept of management override be included here, now? This may ultimately be covered in revisions to ISA 240 but this seems like the appropriate place to put it and later reference to the revised ISA 240.

Paragraph 73 indicates that owner-manager controls may mitigate a lack of segregation of duties in a small business. More guidance should be provided as to the nature and extent of owner-manager controls contemplated that would mitigate such a risk; while professional judgment will be required some guidance could result in greater consistency in approach.


Paragraph 77 lists the areas where an understanding is required; systems selection and maintenance with related change management processes and implementation and maintenance of logical security are not explicitly included in the list; these items might be inferred by some of the items listed, but, due to their significance to a well controlled environment in today’s business world, warrant more prominence (this is NOT part of IT auditing or some specialty but rather everyday auditing); further, using evidence from a prior period when testing controls requires knowledge of change management and logical security as prerequisite knowledge to permit such use of prior period evidence.

In paragraph 80, the third sentence in bullet “o” is very confusing. Why would management develop a system to calculate an amount that represents an immaterial misstatement? We suggest that an example be provided, or that this sentence be deleted.

The last sentence of paragraph 81 includes the definition of an entity’s business processes, however it is not clear if the processes listed are only relevant under the “information system” heading, or rather relevant to all aspects of the audit. We suggest further clarification of the definition of this term.

The difference between a reference to “controls” versus “control procedures” in various contexts throughout the proposed standards is a subtlety that many readers may not grasp. For example, in paragraph 84, the second sentence states, “An audit does not require an understanding of the control procedures related to each class of transactions, account balance and disclosure in the financial statements or to every assertion relevant to them.” In paragraph 7, the third sentence states, “In addition, in performing risk assessment procedures, the auditor may obtain audit evidence about classes of transactions, account balances or disclosures and related assertions and about the operating effectiveness of controls, even though such audit procedures were not specifically planned as substantive procedures or tests of controls.” Paragraph 95 states, “The auditor should assess the risks of material misstatement at the financial statement level, and at the assertion level for classes of transactions, account balances and disclosures.” Paragraph 96 goes on to indicate that the auditor would use knowledge obtained in evaluating the design of controls. Paragraph 99 introduces the concept of mitigating controls and implies that an understanding of control procedures is required to determine whether risk of material misstatement has been mitigated. We recommend that the Task Force find a way to make the distinction between “controls” and “control procedures” clearer and describe the implications of the use of each word. One possible way to clarify may be to remind readers in paragraph 84 that control procedures are a subset of controls.

In paragraph 89, the second sentence states, “Obtaining evidence about the implementation of a manually operated control may not provide much evidence about the operating effectiveness of the control at relevant times during the period under audit.” This seems to be a fairly significant concept that may be lost particularly considering the length of the document. Should this be given more prominence?


Paragraph 114’s revision of risk assessment seems to be a very important concept. Perhaps the paragraph could be reconstructed to have the concept in the last sentence be “black lettered”.

Paragraph 81 could also usefully refer to close down and group aggregation procedures, given their importance.

Paragraph 82 needs to go further than communication roles to also deal with acknowledgement of responsibility.

Paragraph 82 needs expansion to reflect the increasing role of audit committees and disclosure controls. The extent of work and documentation of how IT affects control procedures should reflect the level of usage of IT within the business (see paragraphs 85 to 89).

Monitoring of controls needs to be extended to the process within the entity for reviewing the effectiveness of the system of internal control.

The determination of significant risk is not a matter that should be left to the auditor to determine, as is suggested by paragraph 105. Responsibility in the first instance should rest with management.

Paragraphs 111 to 113 seem to be related too much to routinely processed transactions when there is a need to focus more attention on “out of normal” process transactions.

Appendix 1 needs perhaps to deal with the extended business enterprise and with business empires, given that they can frequently be part of the background to business scandals.

The final part of Appendix 1 needs to deal with significant disparity between reported earnings and cash outflows.

Appendix 2 should deal with whistle blowing procedures, reporting fraud on the part of those responsible for internal control and for violations of codes of conduct.

More focus should be given to significant change. Perhaps paragraph 6 of Appendix 2 should be part of the main body of a standard.

Appendix 2 should deal with transactions which do not make business sense or which seem contrary to the principles of fiduciary responsibility.

Generally more needs to be done to put making risk assessments at the central part of the audit and to relate that assessment process more to fraudulent financial reporting, which is the key issue which Enron and other scandals demonstrate needs to be tackled. Currently this standard seems, by the nature of its structure, to put gaining an understanding of the entity at the centre of the audit.


(c) The auditor’s procedures in response to assessed risks

The last two sentences of paragraph 9 seem to be making a link back to “Understanding the Entity”, paragraph 110 - risks for which substantive procedures alone do not provide sufficient appropriate audit evidence. Reference should be made in paragraph 9 to paragraphs 110 to 113 of “Understanding the Entity”. While this reference is made in paragraph 23 it deserves repetition, as this is an important, and likely new, concept for many which should receive greater emphasis.

Paragraph 26 indicates that inquiry alone will not be sufficient to provide audit evidence for testing the operating effectiveness of controls. This is an important concept that is not “black lettered” and is buried in the middle of the paragraph; should this be “black lettered” or at the least given greater prominence? The last sentence indicates that the auditor may supplement observation with other procedures – the word “may” indicates that this is optional and that observation alone is sufficient audit evidence; while observation is often one of the only methods to test certain control procedures, the auditor needs to do more to ensure that the observed control is functioning throughout the period of reliance.

Paragraph 34 seems to imply that, based upon the auditor’s assessment of risk, the operating effectiveness of controls in the remaining period need not be tested.

Paragraph 35 states, “Additional audit evidence may be obtained by extending the testing of operating effectiveness of controls over the remaining period, considering the entity’s monitoring of controls, or performing substantive procedures.” Does this mean that the auditor relies on the entity’s monitoring controls for the remaining period to provide assurance that the controls were effective in the remaining period? Does performing substantive procedures mean “perform increased extent of substantive procedures for the remaining period,” as the auditor does not have evidence concerning the operating effectiveness of controls in the remaining period?

The last sentence of paragraph 30 states, “The absence of misstatements detected by a substantive procedure does not imply that controls related to the assertion being tested are effective.” This seems to conflict with what is being suggested in paragraph 35.

Paragraph 41 needs to recognise that where the expected deviation is high, no level of testing of control is sufficient to justify reliance.

In paragraph 42, perhaps an additional example of tests to be performed should include review of administration of logical security to provide assurance that unauthorized access was not possible during the period of reliance. This could be recommended at the end of the paragraph as a method by which many of the other suggested tests could be accomplished and/or corroborated.

In paragraph 43, the second sentence states, “The higher the assessed risk, the more likely it is that the substantive procedures will be performed close to the end of the period end and the extent of such procedures increases.” This may be misleading, as the timing of the procedures may not be relevant to the risk; if a business combination occurs in the first quarter, the audit of this risky accounting does not need to wait until year end – rather, the sooner the auditor looks at it the better. Further, suggesting that the extent of substantive procedures increases could also be misleading, as perhaps it may be more important to change the nature, rather than the extent, of the procedures. There is potential here for confusion and the wrong message to be delivered. Perhaps wording similar to that in paragraph 44 should be included at the start of paragraph 43, such as, “The auditor should perform substantive procedures that are specifically responsive to the risk identified.” This is the behaviour that is desired.

Does examination of one supporting document constitute tests of detail as required by paragraph 45?

We think that the auditor must use judgment to determine the nature and extent of substantive procedures to employ.

Paragraph 49 states, “The auditor’s substantive procedures include agreeing the financial statements to the accounting records, examining material adjustments made during the course of preparing the financial statements and other procedures relating to the financial reporting closing process.” This paragraph is positioned at the end of the section (Nature of Substantive Procedures) with no further reference or guidance in the remainder of the document as to the extent of such procedures, which appear to be required. Or can these be ignored because they are not “black lettered”?

In paragraph 50, what are the “other procedures relating to the financial reporting closing process” required by this process? If the auditor confirms the long-term debt and it agrees to the client’s final balance, does the auditor also need to audit the journal entry the client made for long-term debt? When is it appropriate to take a “balance” versus a “transaction” approach to the audit of a financial statement item?

Also in paragraph 50, what does “made during the course of preparing the financial statements” mean: post-closing entries, entries made after period end, or all material entries made throughout the year that will ultimately be reflected in the financial statements? The significance of this paragraph needs to be considered and more guidance provided to ensure that the desired outcome is better understood and ultimately achieved.

The last sentence in paragraph 52 is very long and confusing. We suggest that the last thought in the paragraph be split into a separate sentence (“and the ability of the auditor to reduce…”).

(d) Audit evidence

How do the assertions in paragraph 7, which appear to be management’s, relate to the auditor’s responsibilities and audit evidence?

In relation to paragraph 20, perhaps a better example than EDI would be e-commerce (e-business), where the transactions are captured electronically over the Internet. This is much more common than the formal procedures required by EDI.

Paragraph 27 is too detailed and would be better positioned in an Appendix for training purposes.

Within paragraph 31 both sentences contain the word “ordinarily” – what does this mean? When would inquiry alone represent sufficient appropriate audit evidence? This seems to be contemplated by this paragraph but no guidance is provided as to when such unordinary circumstances would occur. Should this paragraph or a portion thereof be “black lettered”?

The concept of assertion needs to deal with freedom from bias.

Editorial comments on the specific documents:

(a) Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement

Paragraph 19, last sentence: at the end of the sentence, add the words “in other areas.”

Paragraph 64: add the phrase “the possibility of” after “IT also poses specific risks to an entity’s internal control, including.”

Paragraph 103, third sentence: change the word “conducted” to “completed.”

Paragraph 113: change “may find it impossible” to “may not find it possible.”

Appendix 2, paragraph 3, bullet “d”: delete the words “and conservatism.”

(b) The auditor’s procedures in response to assessed risks

Paragraph 43, third sentence: move the word “becomes” to the end of the sentence.

Paragraph 61: add the following introduction to the first sentence, “If an instance of fraud or error is detected,”

We hope that the above comments will be of assistance. If you require any clarification or amplification, please contact P. Nicholas Fraser at the address above.

Yours faithfully,

Deloitte Touche Tohmatsu