Core Auditing Standards for Practitioners : For Practitioners [1 ed.] 9781118707098, 9781118707111

Citation preview

WILEY Core Auditing Standards for Practitioners

ffirs.indd 1

3/18/2014 9:05:11 AM

ffirs.indd 2

3/18/2014 9:05:11 AM

WILEY Core Auditing Standards for Practitioners Katharine Bagshaw John Selwood

ffirs.indd 3

3/18/2014 9:05:12 AM

This edition first published 2014 © 2014 Katharine Bagshaw and John Selwood Registered office John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please visit our website at www.wiley.com. The right of the author to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988 All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher. Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com. Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. It is sold on the understanding that the publisher is not engaged in rendering professional services and neither the publisher nor the author shall be liable for damages arising herefrom. If professional advice or other expert assistance is required, the services of a competent professional should be sought. Library of Congress Cataloging-in-Publication Data is available A catalogue record for this book is available from the British Library. ISBN 978-1-118-70711-1 (pbk); ISBN 978-1-118-70709-8 (ebk); ISBN 978-1-118-70706-7 (ebk) Set in Sabon LT Std 10/11 by MPS Ltd, Chennai Printed in Great Britain by TJ International Ltd, Padstow, Cornwall, UK

ffirs.indd 4

3/18/2014 9:05:12 AM

Contents Page Section Title No. 1 2 3 4

5

6

ftoc.indd 5

Introduction Smaller Entity Audits 1.1  The Issues 1.2  What the Regulators Say 1.3  What Practitioners Say 1.4  What the Standards Say Materiality 2.1  The Issues 2.2  What the Regulators Say 2.3  What Practitioners Say 2.4  What the Standards Say Related Parties 3.1  The Issues 3.2  What the Regulators Say 3.3  What Practitioners Say 3.4  What the Standards Say Get This Right and the Rest Falls into Place: Understanding the Entity and Assessing Risk 4.1  The Issues 4.2 What the Regulators Say 4.3  What Practitioners Say 4.4  What the Standards Say Really Efficient Audits: What Sort of Evidence Do I Really Need? 5.1  The Issues 5.2  What the Regulators Say 5.3  What Practitioners Say 5.4  What the Standards Say Fraud 6.1  The Issues 6.2  What the Regulators Say 6.3  What Practitioners Say 6.4  What the Standard Says

1 5 5 7 7 8 19 19 20 22 24 37 37 40 41 44 47 47 51 53 55 83 83 84 85 87 99 99 103 105 112

3/18/2014 8:27:11 AM

Contents

vi

7



8



9



ftoc.indd 6

Communications with Those Charged with Governance 7.1  The Issues 7.2  What the Regulators Say 7.3  What Practitioners Say 7.4  What the Standard Says Group Audits 8.1  The Issues 8.2  What the Regulators Say 8.3  What Practitioners Say 8.4  What the Standards Say Other Things Good Auditors Need to Know About ISAs 9.1 Other Good Things – The Issues 9.2 ISA 230 on Documentation – The Issues 9.3 Documentation – What the Regulators Say 9.4 Documentation – What Practitioners Say 9.5 Documentation – What the Standards Say 9.6 ISA 501 on Additional Considerations for Specific Items – The Issues 9.7 Inventory – What the Regulators Say 9.8 Inventory – What Practitioners Say 9.9 ISA 510 on Initial Engagements and Opening Balances – The Issues 9.10 Initial Engagements – What the Regulators Say 9.11 Initial Engagements – What Practitioners Say 9.12 Initial Engagements – What the Standards Say 9.13 ISA 530 on Audit Sampling – The Issues 9.14 Audit Sampling – What the Regulators Say 9.15 Audit Sampling – What Practitioners Say 9.16 Audit Sampling – What the Standards Say 9.17 ISA 540 on Accounting Estimates – The Issues 9.18 Accounting Estimates – What the Regulators Say 9.19 Accounting Estimates – What Practitioners Say 9.20 Accounting Estimates – What the Standards Say 9.21 ISA 560 on Subsequent Events – The Issues 9.22 Subsequent Events – What the Regulators Say 9.23 Subsequent Events – What Practitioners Say 9.24 Subsequent Events – What the Standards Say

121 121 125 126 126 141 141 143 146 150 159 159 159 160 160 161

Index

185

164 164 164 168 168 168 169 170 170 170 171 173 173 174 174 181 181 181 181

3/18/2014 8:27:12 AM

Introduction Why read this book? Good quality, smaller ISA audits are conducted all over the world, profitably The sole aim of this book is to help auditors perform more efficient and effective ISA audits. While the focus of the technical material in this book is on the requirements of the ISAs, the overriding objective is always to help auditors perform audits in a manner that promotes cost-effectiveness, efficiency and a high level of audit quality in equal measure. We believe that there is a strong link bet­ ween audit quality, and efficient and costeffective audits. We believe that audit firms performing the best audits are often the most profitable, and that firms with audit quality issues are rarely performing profitable audits.

… We believe that audit firms performing the best audits are often the most profitable …

Dispelling the myth that quality and cost-effectiveness are mutually exclusive is important to us. Some, possibly many, practitioners take the view that audit quality and the maintenance of technical standards are little more than a cost to be minimised. We beg to differ. When time spent gaining a better understanding of core auditing standards is seen more as an investment than a cost, it not only enables auditors to perform more cost-effective audits, it also makes them better auditors. Another myth that holds too many auditors back is the belief that ISAs are unsuitable for the audit of SMEs. ISAs were developed so that they could be applied to the largest of audits but that does not mean that they cannot be used perfectly well in smaller audits, given a little thought about how they are applied. We know that there are many firms performing small, good quality and profitable audits as the norm. The main beneficiaries are the owners of the audited entity. The answer to most firm-wide problems in auditing is training and the bedrock of this … smaller audits conducted training is a good understanding of the core under standards based on ISAs. Smaller audits conducted under standISAs are now performed all ards based on ISAs are now performed all over the world … over the world, and there are many jurisdictions using ISAs in which a very large number of very small companies are still subject to statutory audit requirements. Whenever auditors are having problems with quality or efficiency, a better understanding of the core ISAs always helps. Auditors without a clear understanding of the ISAs are far more likely to miss something out, do something that is unnecessary, do something the wrong way or spend time at the end of the audit correcting errors made during the audit process.

cintro.indd 1

3/18/2014 8:14:53 AM

2

Introduction

Where firms perform efficient and effective audits, it is often evident that the audit teams have a good knowledge of the ISAs. Their documentation might be brief, but it is clear that they have done everything that is required of them and they use the correct technical terms in their documentation. That makes it easy for internal and external reviewers to see and understand how they have complied with ISAs. No, you do not need to read all of the ISAs, but you do need to understand them, especially the core ISAs Many experienced auditors might, not entirely unreasonably, think that reading the ISAs or reading about them is a waste of time, because there is no substitute for years of experience. A good proportion of the readers of this text will remember the situation not so long ago when there were just a handful of auditing standards. In the UK, most auditors over the age of 50 remember there being only two auditing standards and a handful of auditing guidelines. There are now over a thousand pages of ISAs (and more in national standards) and the audit approach has to be different now. An audit conducted just a few years ago is unlikely to be compliant with the current, clarified ISAs. There are no requirements, anywhere in auditing standards, audit regulation, ethical standards or the requirements of professional bodies for auditors to ‘read’ all of those pages of ISAs per se, but practitioners are required to understand them. The only people who read all of the ISAs are people working in technical departments and authors such as us (and maybe we need to get out more). Practitioners rely on their firms’ systems, methodologies and training to mediate the requirements of ISAs and if you qualified more than two decades ago, this book is written with you very much in mind. A knowledge of ISAs can be obtained by reading them. After all, they can be downloaded, free of charge, from the IAASB’s website and the websites of many national standardsetters. But even now that they have been clarified, they can be hard work to read, and they have little in the way of guidance on how to apply the requirements to smaller entities. This book seeks to bring the core ISAs to life. Each section, as you might expect, summarises the requirements of the relevant ISA but we also examine why the ISA requires what it does because it helps auditors obtain a better understanding of how the requirements can be applied. We also use feedback from practitioners to help identify real, practical problem areas and provide real, practical solutions. We have used numerous examples. Most of these examples, even the more outlandish, are based on real cases, appropriately anonymised. In the words of Mark Twain: ‘Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn’t.’ Some auditors may find some of these examples challenging and not entirely in line with what they have done in the past. But expectations have changed, regulators the world over are bolder than they once were, and they are expected to deliver changes in auditor behaviour. What was considered adequate not long ago might not pass muster now, and we hope that our examples will give readers a more rounded understanding of the core ISAs, and a better idea of how to apply them, than merely reading them would.

cintro.indd 2

3/18/2014 8:14:53 AM

Introduction 3 Why are these ISAs the ‘core’ auditing standards? It goes without saying (almost) that complying with the relevant requirements of every ISA is essential. But not all ISAs are equally important. A core standard is one that: • has a major impact on most audits; • has challenging requirements; • is often misunderstood; • has a significant impact on audit quality and cost-effectiveness. Regulators regularly comment on a lack of compliance with these ISAs. When reading about ISAs, the Pareto principle applies. Auditors who gain an understanding of 20% of the ISAs will gain an understanding of 80% of the main requirements. These core standards really are that important. Audit quality and professional scepticism Improving audit quality has been at the top of the international agenda for the profession in recent years, particularly in the wake of the various financial crises. While most of us would agree that professional scepticism is the cornerstone of audit quality, it is hard to define, even though its presence, or more usually absence, is usually clear, at least with the benefit of hindsight. The ISAs require the maintenance of an attitude of professional scepticism throughout the audit, but they have very little to say about it. Standard-setters, regulators, audit firms and professional bodies are struggling in an attempt to be clear about how auditors can demonstrate that they have maintained it, and how it can be more clearly embedded in auditing standards, methodologies, training and the culture of audit firms. The examples in this text take into account the latest thinking on professional scepticism. We emphasise again the fact that what might have been considered to be sufficient appropriate audit evidence a few years ago, might not now, even though the relevant ISAs have not changed much. Attitudes towards professional scepticism are an important part of this. Closing the gap between auditing standards and firm methodologies Auditors were auditing long before auditing standards were invented in the 1970s. There are two ways to close the gap between auditing standards and audit firms’ own auditing procedures. One is to wrap the standard around the firms’ procedures and methodologies and adapt what practitioners do to make it conform to the standard. Using the auditing standard on engagement letters as a basis for rewriting the firms’ engagement letter is a simple example. The other is to take what practitioners do, and wrap the standard around that, starting with firm’s engagement letter and working out how to slot in anything the standard requires that happens to be missing, for example.

cintro.indd 3

3/18/2014 8:14:53 AM

Introduction

4

The latter is a better description of what happens most of the time than the former, but regulators prefer the former. It makes their lives easier and they expect larger firms to map their methodologies to the standards. Training and software providers increasingly need to be mindful of this. Causes of audit inefficiency and unprofitability in smaller firms are manifold but there are three key drivers of many problems: • over-engineered audit methodologies and procedures that simultaneously result in under-auditing in important new areas and over-auditing in established areas; • lengthy auditing standards designed with the larger audit in mind that need to be interpreted for smaller entity audits; • regulatory inspections focusing on compliance with the requirements of standards, as well as the judgements made. … over-engineered audit methodologies and procedures … simultaneously result in under-auditing in important new areas and over-auditing in established areas …

… Understanding the core ISAs allows auditors to break free of the shackles of a prescriptive methodology because they are less reliant on lists of what needs to be done …

It is inevitable that any regulatory file ins­ pection will focus on the documentation of compliance with standards, but auditors need to think about more than this. In reality, there is little practitioners can do about audit regulators, but there is a great deal they can do about their own audit methodology. The best way to improve a methodology, and its use in an audit firm, is to get to grips with current standards. If a firm, and auditors in it, understand the ISAs then they will be less reliant on a prescriptive and possibly over-engineered audit methodology. Understanding the core ISAs allows auditors to break free of the shackles of a prescriptive methodology because they are less reliant on lists of what needs to be done. A better understanding of the ISAs should also give audit firms the confidence to adapt their methodology for their audits.

For more information and material related to Core Auditing Standards for Practitioners please visit www.wiley.com/go/bagshaw_selwood.

cintro.indd 4

3/18/2014 8:14:53 AM

1

Smaller Entity Audits 1.1 The Issues

There is a bigger difference between smaller entity audits and larger ones than ISAs imply. Such audits are not given a great deal of coverage by standard-setters or regulators but practitioners know that they can be difficult to perform efficiently. Some practitioners are very comfortable with them; others are not, for a number of reasons. There are issues with the auditing standards themselves, which are supposed to accommodate audits of all sizes but whose length and complexity can cause problems. There are issues with the way auditors apply them – particularly if auditors are not familiar with them, with the way regulators approach them – which needs to be constructive, and with the quality of audit methodologies on which auditors are heavily reliant. Figure 1.1 summarises the challenges facing auditors of smaller entities. Audit exemption in some jurisdictions has taken a very large number of entities out of the audit net, but there are still many that, for a variety of reasons, are required or chose to have an audit. In many jurisdictions, there remain well-established mandatory audit requirements for all entities, regardless of size.

‘One size fits all’ auditing standards

Auditor efficiency

Smaller entity audit challenges

Regulatory attitudes

Quality of audit methodologies

Figure 1.1

c01.indd 5

3/18/2014 6:51:46 AM

6

Core Auditing Standards for Practitioners

1.1.1  One-size-fits-all auditing standards ISAs are written to accommodate larger, more complex entities, as well as smaller ones. The rights and wrongs of this are a moot point but, for the foreseeable future, this is very unlikely to change. Auditors of smaller entities will continue to need to filter out the irrelevant standards and requirements. There are frequent references to internal control systems, for example. Some of these references are important – in understanding the design and implementation of the system, for example – but many are not, particularly where a substantive approach is taken. Auditors cannot, unfortunately, simply ignore all references to internal controls, even if they do take a wholly substantive approach. 1.1.2  Auditor efficiency The issue is not exclusively one of size. Complexity is also relevant. Some smaller entity audits can be complex – entities operating in the biomedical or financial services sector, for example – and some larger entities can be relatively straightforward if they simply shift large volumes of manufactured goods, for example. Generally though, smaller entities are less complex than larger ones. A smaller entity should be easier to understand, it should be more straightforward to assess the risk of error, and audit procedures to detect those errors should be easier to design and perform. Just as importantly though, there is much less room for inefficient auditing where smaller, less complex entities are concerned, simply because of fee constraints. This means that firms need to be clear about how they apply ISAs to smaller audits, and they need to be particularly clear about what does not need to be done and what can be done more simply on smaller audits by comparison with larger audits. It also means that some practitioners are finding it harder than ever to justify conducting just one or two audits. 1.1.3  Regulatory attitudes Regulator behaviour drives auditor behaviour and if regulators take a compliance approach and get bogged down in the detail, auditors follow suit. The regulatory approach to audits of all sizes varies enormously. Some regulators take the view that they have been appointed to police auditor behaviour and impose sanctions where auditors fail to comply with the rules. They keep their distance from the auditors they regulate. Others take the view that they and the auditors they regulate have congruent goals in terms of improved audits, and that their job is to help auditors improve audit quality and only impose sanctions as a last resort. Both are valid approaches and most regulators fall somewhere in-between these two extremes. Auditors the world over complain that regulators are overly concerned with compliance with the detail of auditing standards, and that they pay insufficient attention to the bigger picture. Regulators point out the fact that documented evidence of compliance with ISAs is also necessary. They are both right. 1.1.4  The quality of audit methodologies Methodologies are critical. A good auditor will perform a good audit even with a mediocre methodology, and a poor auditor a poor audit even with a good

c01.indd 6

3/18/2014 6:51:46 AM



Section 1 – Smaller Entity Audits

7

methodology, but a good quality, up-to-date methodology makes a substantial qualitative difference to most audits. The availability and quality of methodologies varies. Some methodologies are provided by professional bodies, some are provided by training consortia and some are commercially available. Many are tied into paperbased or electronic audit systems. One problem for firms that have embedded poor quality methodologies, or methodologies that have deteriorated over time, is that they cannot contemplate the logistics involved in a major overhaul, or replacing the methodology, rather than simply patching it up. Going forward though, firms may well get better at keeping systems up to date, with the increased involvement of younger people with better quality IT skills who are more accustomed and less resistant to constant change.

1.2  What the Regulators Say Regulators should recognise that smaller entity audits are different. In particular, they need to recognise that smaller entity audit documentation can be significantly simpler. Regulatory observations on specific aspects of the conduct of smaller entity audits are provided in each section of this publication, but there are a few common strands to the observations made by regulators everywhere. Auditors: • who perform high quality risk assessments sometimes need to align these better with the work they actually perform; • often perform a good audit but fail to document what they have done; • sometimes try to cut corners and avoid the requirements of ISAs by making inappropriate assumptions in areas such as materiality and related party transactions; • fail to challenge management assumptions in areas such as accounting estimates, and accept management explanations too readily without questioning them. Many of the observations above are not exclusive to smaller entity audits, but it remains the case that all regulators are clear that all audits, large or small, complex or simple, should be performed to the same standard, using the same ISAs.

1.3  What Practitioners Say Some practitioners have understandable concerns about ISAs. ISAs do not always seem appropriate for the audit of smaller entities. Significant effort is sometimes required to interpret and adapt ISAs to make smaller audits cost-effective and there are different views among practitioners about whether it is possible to perform smaller audits efficiently. Not very surprisingly, those who make their living out of them, and do more of them, seem to have a more positive approach. Practitioners who do achieve a degree of efficiency in small entity audits tend to use good quality audit methodologies specifically designed for smaller entity audits, or have taken the bolder step of developing their own methodologies.

c01.indd 7

3/18/2014 6:51:46 AM

Core Auditing Standards for Practitioners

8

Bought-in methodologies that try to address the audit of a wide range of entities do not always scale down easily. The very best methodologies for smaller audits tend to be ­written in-house, by firms. This is not always possible, but firms with poor bought-in systems that derive a significant proportion of their revenue from audit clients, and who intend to stay in that market, may do well to consider developing their own m ­ ethodology. At the very least they might consider commissioning one, adapted to the firm’s needs. Staff experienced in performing efficient smaller audits may not be the right staff to write the methodologies but they can certainly be used to provide input to the staff selected to perform the development work. Staff performing the development work may be a mix of junior staff who have a detailed and up-to-date knowledge of ISAs, any IT specialists, and senior staff and partners who have the experience to adapt ISAs to smaller audits. 1.4  What the Standards Say Rightly or wrongly, there is no ‘smaller entity ISA’. Standard-setters have repeatedly made it clear that they believe that ‘an audit is an audit’, meaning that all audits, regardless of size, must be performed under the same standards. The IAASB’s staff Q&A Applying ISAs proportionality with the size and complexity of an entity1 brings together many of the smaller entity-specific references in the application material in ISAs, under headings such as: • ‘How might the work effort in an SME audit differ from that in a larger entity audit?’; and • ‘Does the auditor have to comply with all ISAs when performing the audit of an SME?’ At the end of the day though, ISAs do not include much specifically directed at smaller entities, hence the need for books such as these.

Proportionality Draft EC legislation and many other regulatory documents increasingly refer to ‘proportionality’, and the ‘proportionate application’ of ISAs to smaller entity audits. It is easier to say what this does not mean than what it does. The proportionate application of ISAs does not mean that auditors can: • ignore relevant ISAs or ISA requirements; • make arbitrary decisions such as ‘materiality in a smaller audit is always £n’ or ‘petty cash is always immaterial’, or ‘no work will be performed on internal controls in smaller audits’.

1

c01.indd 8

www.ifac.org.

3/18/2014 6:51:46 AM



Section 1 – Smaller Entity Audits

9

Proportionality means thinking before putting pen to paper and tailoring the work to the entity, rather than filling in work programmes and performing tests as quickly as possible. In the long run, this has to be the more efficient and better quality approach. Proportionality is not just an issue for practitioners. Standard-setters need to find better ways of developing auditing standards that can be scaled down to smaller audits and regulators needs to take a proportionate approach when reviewing the audit work on smaller audits. Unfortunately, both are easier said than done because it is difficult to specify how standard-setters and regulators should go about this. Auditing standards do need to work for larger entities and the long-standing calls for standard-setters to ‘think small first’ have resulted in little change. Similarly, some regulators recognise that a good audit has been performed, and take note of the judgements made and auditor compliance with the spirit of the standards as well as the letter. Nevertheless, they still require compliance with detailed documentation requirements, which some smaller firms find burdensome.

1.4.1  Defining a smaller entity The glossary of terms in ISAs and ISA 200 on overall objectives define a smaller entity as an entity that typically has the following qualitative characteristics: • a concentration of ownership and management, i.e., it is owned and managed by a single person or a small number of people; and • one or more of the following features: –– uncomplicated transactions –– simple record keeping –– relatively few internal controls –– simple management structures –– a limited number of staff and management with a broad range of responsibilities. It is fair to say that ISAs do not do as much as they might with this definition. The paragraphs specific to smaller entities that appear in the application material usually consist of just a few sentences. Those that are most useful are in the risk ISAs, but there is a need for more guidance to enable auditors to extract better value from the work they are required to perform on internal controls as part of understanding the entity, particularly when they go on to take a substantive approach. Nevertheless, the definition of a smaller entity demonstrates what is different about auditing a smaller entity. The following example illustrates this point.

c01.indd 9

3/18/2014 6:51:46 AM

10

Core Auditing Standards for Practitioners

Todd Airport Todd Airport is a small regional airport. There are very few scheduled passenger flights from Todd airport and most of the air traffic is light aircraft. The airport has hangars for storage and it operates a maintenance facility. It also has a restaurant. The audit engagement partner of Todd Airport audit knows all of the directors of the company. The directors are also the shareholders. Every year the engagement partner, with the audit team, does a tour of the airport where they visit the hangars, get driven down the runway, view the fire crew’s facilities and eat in the restaurant. During this 60 minute tour, the auditors view every major asset owned by the company, meet virtually every employee, obtain an update on the motivation and intentions of the directors/ shareholders and generally update their understanding of the entity and its operations. The ability to see the operations of Todd Airport first hand makes both the risk assessment and the design of simple and effective audit tests straightforward and clear. If this were a larger airport group, the same level of understanding of the entity would be needed, but the processes to achieve it would need to be significantly more sophisticated and formal.

1.4.2  Practice Note 26: smaller entity audit documentation The definition of a smaller entity above was also used by the UK’s Financial Reporting Council (FRC) when it produced its Practice Note 26 Guidance on Smaller Entity Audit Documentation (PN 26).2 The appendix to PN 26 contains a number of practical and helpful examples of smaller entity audit documentation, including planning memoranda and work programmes. 1.4.3  The building blocks of the right approach to smaller entity audits One thing that all audits have in common, regardless of size, is that to do them well firms need the right audit methodology and audit teams with the right expertise and attitude. Having the right audit approach and people is the key to efficiency and effectiveness. ISA 200 and what smaller entity auditors do and don’t have to do  Paragraph 22 of ISA 200 on overall objectives requires auditors to comply with every requirement of each ISA unless: • the entire ISA is irrelevant; or • the individual requirement is irrelevant because it is conditional and the condition is not present.

2

c01.indd 10

www.frc.org.uk.

3/18/2014 6:51:46 AM



Section 1 – Smaller Entity Audits

At first sight, this appears to be glaringly obvious. Auditors will not attempt to comply with the requirements of ISA 402 on service organisations if there is no service organisation, and they will not attempt to attend an inventory count if there is no inventory. The more subtle and important point is that most auditors use a structured audit methodology that is very likely to have sections with requirements that are irrelevant to a particular audit. The right audit methodology Because smaller entities tend to be less complex, standard checklists can cause problems. Pages of checklists listing the requirements of ISAs tend to lead to point after point marked ‘not applicable’, rather than a useful record of work performed. In short, many audit methodologies are over-engineered for smaller entities. They often need a great deal of tailoring, but they do not always get it. Is it better to take the time to write one paragraph justifying the deletion of a section, or to write ‘not applicable’ 25 times over two pages? A checklist-heavy approach to a smaller audit is not only inefficient, it can also lead to poor audit quality. When faced with pages of irrelevant issues on audit programmes and checklists, the audit team can easily miss something that is relevant. An audit methodology that will work for a smaller entity audit needs to be flexible enough to be scaled up for audits where there are more complex issues, and scaled down for simpler audits. The ‘blank piece of paper’ approach is the ultimate in scalable audit documentation, but some auditors fear that the lack of structure could mean that something gets missed.

11

… The more subtle and important point to appreciate is that most auditors use a structured audit methodology that is very likely to have sections covering requirements that are irrelevant to a particular audit …

… Pages of checklists listing the requirements of ISAs tend to lead to point after point marked ‘not applicable’, rather than a useful record of work performed. In short, many audit methodologies are overengineered for smaller entities. They often need a great deal of tailoring, but they do not always get it. Is it better to take the time to write one paragraph justifying the deletion of a section, or to write ‘not applicable’ 25 times over two pages?

… the firms that tend to achieve the most cost-effective approach to smaller audits use very few mandatory checklists or standard programmes … the success of this approach is hugely dependent upon well trained audit staff with a good knowledge of ISAs.

Nevertheless, the firms that tend to achieve the most cost-effective approach to smaller audits use very few mandatory checklists or standard programmes. They tailor their audit approach to the individual needs of the entity, which leads to a higher quality of

c01.indd 11

3/18/2014 6:51:46 AM

12

Core Auditing Standards for Practitioners

audit as well as a more efficient one. The success of this approach is hugely dependent upon well trained audit staff with a good knowledge of ISAs. The approach is more dependent on audit teams knowing what they are required to do under ISAs and how to properly document their work to demonstrate compliance. In jurisdictions in which there are low thresholds for audit exemption, many audit firms have small company audit working paper packs that work well. But in jurisdictions in which audit exemption thresholds have risen, these packs have not always been updated and some firms now use a ‘one-size-fits-all’ pack, with extensive sections of material that are not applicable to smaller entities. In fairness, the over-engineering of audit packs is sometimes motivated by a genuine, albeit misdirected, desire to help auditors. Designers sometimes produce audit packs to ‘hand-hold’ auditors through the audit process with the best of intentions, often at the request of auditors themselves. An unfortunate side-effect of this is that such packs sometimes constrain auditors to a single, narrow and inefficient path through the audit, and the widespread use of electronic audit working papers in some jurisdictions has done little to help. Automated systems are sometimes worse because they force auditors to go through superfluous checklists before they can proceed to the next stage for the audit. These checklists can be every bit as over-engineered as the manual systems, but when it is automated you cannot throw it in the bin and ignore it! It is essential that if firms use bought-in methodologies, regardless of whether they are manual or automated, they should recognise that for many smaller entity audits, it is possible that between a half and two-thirds of the requirements will not apply and that the audit approach the auditors will adopt needs to be tailored accordingly. The investment in this type of tailoring is worthwhile, to avoid being distracted by irrelevancies. The right audit team  Thorough, appropriate audit training as well as on-the-job coaching are needed to ensure that audit teams can perform the audit to an acceptable standard. If audit teams understand the detailed requirements of ISAs they can adapt their audit approach to the requirements of the individual assignment and document their work briefly to record what they have done to demonstrate that they have followed ISAs, without relying on checklists. Auditors without a proper understanding of the ISAs have no choice but to use checklists to ensure that they do not miss anything. This makes it much more difficult to flex an audit approach to cater for smaller and less complex entities. It is even possible that auditors may be encouraged by a checklist to do something superfluous, because they do not know that the procedure does not apply. Understanding ISAs involves reading them, reading about them, training, coaching and experience. The sheer volume of ISAs can be daunting but a co-operative approach within a firm that requires regular meetings of staff who each take an ISA and prepare a short presentation on it, on a weekly basis for a few months, can be very effective.

c01.indd 12

3/18/2014 6:51:46 AM



Section 1 – Smaller Entity Audits

13

1.4.4  Ten top tips for cost-effective smaller and less complex audits Figure 1.2 summarises our ten top tips for cost-effective smaller and less complex audits.  1. Make better use of the prior year audit file!  Audit trainers are often heard imploring audit staff not to blindly follow last year’s file: it leads to a thoughtless audit approach, it does not take into account current year changes and it might well repeat last year’s mistakes. But there is a balance to be struck between taking account of new circumstances and ignoring the important resource that is last year’s file. The reality is that smaller and less complex entities tend to change very little from year to year. With appropriate updating, much of last year’s documentation can be reused, particularly for understanding the entity, risk assessment and the design of audit procedures. Make better use of the prior year audit file! • strike a balance between starting from scratch and blindly following last year’s file

Avoid excessive documentation of risks • list the risks and the intended response, rather than listing the same risk repeatedly

Use more narrative notes • they are a great deal easier to understand than checklists and produce better quality audits

Focus on what matters from the outset • drive documentation by understanding the entity, assessing risks and designing tests, not vice versa

Avoid over–documentation of audit evidence • recording a unique identifying feature of each item selected that would enable the test to be repeated – such as an invoice number – is sufficient. More detail is often superfluous

Non–audit service work • properly recorded non-audit service work can provide audit evidence

Simplify the approach to internal controls • focus on information systems and controls over the books and records, and use walkthroughs to confirm implementation

Document planning and completion together when little has changed • where the documentation of planning and completion are aligned, issues identified in the planning are clearly linked to their resolution and duplication is avoided

Minimise unnecessary documentation • keep copies of extracts rather than full documents and use an overflow file

Don’t forget to budget • work will expand to fill the time available.

Figure 1.2  Ten top tips for cost-effective smaller and less complex audits

c01.indd 13

3/18/2014 6:51:46 AM

14

Core Auditing Standards for Practitioners

Auditors clearly need to make inquiries to make sure that this documentation is still relevant and up to date, and they will need to re-perform risk assessment procedures and reassess the appropriateness of last year’s tests. To make the best use of work in subsequent years, documentation of the understanding of the entity and the risk assessment can be placed on a permanent file or a permanent section of the current file. Audit programmes can be carried forward for editing in future years. 2.  Avoid excessive documentation of risks  The risks of material misstatement tend to be fairly obvious to the auditors of smaller entities. This is not to say that they should be complacent, but where an entity is simple to understand the risks really are more readily apparent. Auditors should still perform all of the appropriate risk assessment procedures, but care should be taken not to record the same risk over and over again in the checklist or programme for each procedure. Many audit methodologies use programmes and checklists in the planning section that mirror the requirements of ISAs. It is common for each checklist to cover a series of related procedures, such as understanding the entity, understanding internal controls, preliminary analytical procedures, and the inherent and fraud risk assessments. On a smaller audit, this degree of formality is unlikely to be necessary to identify risks. There is a real concern that the same risk of error is identified when each different risk assessment procedure is performed and that it gets recorded again and again, every time a new procedure identifies it. When auditing a smaller entity it may be better simply to list the risks of misstatement, together with how auditors intend to respond to them. A separate list can then be made of the procedures that auditors undertook in performing the risk assessment. This requires more of a ‘blank sheet of paper’ approach to the documentation of risk and is suitable for more experienced staff. … There is a real concern that the same risk of error is identified when each different risk assessment procedure is performed and that it gets recorded again and again, every time a new procedure identifies it. When auditing a smaller entity it may be better simply to simply list the risks of misstatement, together with how auditors intend to respond to them. A separate list can then be made of the procedures that auditors undertook in performing the risk assessment.

c01.indd 14

3. Use more narrative notes  The most flexible approach to audit documentation will always be narrative notes. Small, simple entities tend to have few internal controls, no internal auditors and they are not part of a group. Their financing is often simple and there are no complex assets or liabilities to be valued. Checklists tend to include something to address all of these eventualities, which is useful on larger or more complex audits but does not work so well for smaller entities because so many requirements are irrelevant. Most file reviewers say that narrative notes tend to give the reviewer a much better picture than a checklist. Checklists can be completed without auditors really stopping to think about the audit. Writing narrative notes puts more pressure on them to think about what they have done and why. These

3/18/2014 6:51:46 AM



Section 1 – Smaller Entity Audits

15

notes can be used as the basis for audit documentation in subsequent audits. It is harder for checklists to be used in this way. 4. Focus on what matters from the outset  The focus in audit planning should always be on understanding the entity, assessing risk and designing appropriate audit procedures. Whilst ISAs have many specific requirements that relate to these processes that should not be forgotten, auditors must never lose sight of the purpose of the processes. Completing standardised documentation can be a major distraction. Experienced auditors should do what they know they need to do, and then document what they have done, rather than reading through a checklist to find out what needs to be done next. Checklists can be completed later to make sure that everything has been covered. 5. Avoid over-documentation of audit evidence  Audit teams sometimes document too much information when recording the results of a test. For example, when recording a sales test, auditors sometimes document the purchase order number, the date, the gross amount, VAT and net amount, the goods sold and the supplier. Much of this is often superfluous. The minimum required documentation is a unique identifying feature of each item selected, such as a purchase invoice number that would enable the test to be repeated should it be necessary to challenge its findings. Documenting any more than this may be superfluous. File reviewers may want a little more documentation if the team member is inexperienced, to aid the review process. With inexperienced, junior auditors, fuller documentation can help with on-the-job coaching. In other cases, too much information is costly to produce, slows down the review process and results in superfluous schedules when a simple record of what was done on the audit programme might have sufficed.

… The minimum required documentation is a unique identifying feature of each item selected, such as a purchase invoice number that would enable the test to be repeated should it be necessary to challenge its findings. Documenting any more than this may be superfluous.

6. Non-audit service work  The provision of non-audit services presents threats to auditor independence. But auditors sometimes forget that it also brings significant benefits to the quality of the audit. Typically, auditors of smaller entities assist with the preparation of the statutory financial statements, tax computations and tax returns. Sometimes, auditors advise on a range of other matters such as funding, VAT and employment taxes. If auditors have prepared the financial statements, the accountancy work can be used as audit evidence. If auditors have prepared the schedules for prepayments and accruals, for example, they need to document how they were prepared. If the entity’s records were used to prepare the figures, auditors should record that fact to demonstrate the quality of audit evidence obtained. If comparisons were made to prior periods, auditors should record this in the same way that audit evidence from analytical procedures would be recorded. With the right documentation, accountancy work can be used as audit evidence.

c01.indd 15

3/18/2014 6:51:46 AM

16

Core Auditing Standards for Practitioners

Providing non-audit services also enables auditors to obtain a much better understanding of the entity than they might otherwise. This makes the risk assessment easier. Again, this understanding of the entity needs to be documented if it is to be relied on. In practice this is a substantial benefit because auditors, as trusted advisors to management, have a very good insight into management’s thinking, making the audit much easier. Nevertheless, auditors are always required to assess threats to independence, such as the self-review threat, and the self-interest and familiarity threats. Appropriate safeguards are needed but auditors should not ignore the beneficial effects of providing non-audit services on audit quality and efficiency. 7. Simplify the approach to internal controls  The application material in ISA 315 on risk assessment recognises that smaller entities tend to have fewer internal controls. This means that standardised checklists that take a formal approach to documenting internal controls are either less relevant or not relevant at all to smaller entities. ISA 315 has a five-fold categorisation of internal controls: • the control environment; • the entity’s risk assessment process; • the information system, including the related business processes, relevant to financial reporting, and communication; • control activities relevant to the audit; • monitoring of controls. The application of this categorisation to smaller entities is considered in detail in subsequent sections but in general, in a smaller entity audit, it is unlikely that there will be much for auditors to consider in terms of the control environment, risk assessment procedures and monitoring. For many smaller entities, these three issues can be summarised as one question: Are the directors honest and are they any good at running the business? There are often few control activities, such as authorisation and approval controls, and those that there are may well not be good enough to be relied on by auditors. Smaller entities do have information systems though, in terms of books, records, computers and related business systems. This approach to internal controls in smaller audits is very different to larger entity audits, so a firm’s standard audit methodology will need to be adapted. Narrative notes tend to be a better way to document the system of internal control in smaller entity audits. Auditors are also required to understand the implementation of the internal control system. This is typically done through walkthroughs. In a smaller entity, the approach is straightforward. The main internal controls are the books and records and related business systems. Simple walkthroughs of transactions in the main business cycles, often sales, purchases and wages, may be sufficient to understand implementation.

c01.indd 16

3/18/2014 6:51:46 AM



Section 1 – Smaller Entity Audits

17

8. Document planning and completion together when little has changed  This idea may seem radical to the many auditors who have always maintained separate documentation for planning and completion, but for smaller entities it can make sense. The issues that are considered during the planning of a smaller entity audit are often the same when they are considered again during completion – there are few if any changes. For example, auditors may record the existence of certain financial difficulties during the preliminary consideration of a going concern. At the end of the audit, if nothing has changed, there is a possibility that duplicate documentation will be prepared, in the completion section of the file. This applies in many areas, such as appointment and reappointment, preliminary analytical procedures and overall analytical procedures, communications with management and materiality. Documenting planning and completion together has the additional benefit that issues identified in the planning are clearly linked to their resolution in completion. This makes it difficult to miss something during the audit and not follow through properly on planning. 9. Minimise unnecessary documentation  Audit teams sometimes produce more documentation than necessary, including copies of invoices, and all of the accounts team’s spreadsheets, sales ledger and general ledger prints, for example. Auditors might think it important to hold copies of documents such as articles of association, leases, valuations and minutes of meetings, but it may only be necessary to keep copies of extracts from such documents. Most auditors are only really interested in certain key parts of these documents, so why not hold a copy of the relevant extract? It makes the file thinner, easier to read, and the relevant part of the document is simpler to find. A more radical idea is to keep an audio recording of meetings instead of written notes.

… it may only be necessary to keep copies of extracts …

Excessive documentation creates a number of problems that are not conducive to audit quality or efficiency. Unnecessary documents make the file harder and slower to review, which has cost implications, and it is easy for reviewers to miss important points when there is excessive documentation, which compromises quality. There is a cost involved in the original preparation of unnecessary documentation and there are … Unnecessary documents on-going file storage and archiving costs. make the file harder and slower to review, which has There are two common causes of excessive cost implications and it is easy audit documentation. Firstly, audit staff for reviewers to miss imporgenerally – and junior staff in particular – keep documentation for safety. They do not tant points … which comprowant to ask management for it again and they mises quality. do not want to be asked why they did not

c01.indd 17

3/18/2014 6:51:47 AM

18

Core Auditing Standards for Practitioners

keep a copy. Auditors and archivists are first cousins. Audit staff might be encouraged to reduce documentation by suggesting that they place documentation that will probably not be needed in an overflow file that can be disposed of shortly after the audit is completed. … audit staff generally – and junior staff in particular – keep documentation for safety …  reduce documentation by suggesting that they place documentation that will probably not be needed in an overflow file that can be disposed of …

The second cause of excessive documentation is more difficult to deal with. If file reviewers, such as audit managers and partners, lack trust in the audit team, they effectively reperform parts of the audit by inspecting documents themselves, rather than the record of it being viewed by the audit team member. The reviewer’s lack of trust might often be misplaced, but sometimes is not.

In all cases, audit teams need to be properly briefed, which includes trying to reduce excessive documentation over time. 10. Don’t forget to budget  At first sight this point might not seem to have anything to do with ISAs. However, ISAs do require auditors to prepare a time and fee budget. In the real world the most important thing to do with the budget is to use it to compare the actual time spent to the budget. Work expands to fill the time available. Sticking to a time budget is therefore essential, but not at the expense of audit quality. Auditors the world over are subject to enormous fee pressures and regulators observe that cuts in budgets potentially compromise audit quality. Budgets need to be set by experienced members of the audit team. If the budget is realistic, the audit team can be encouraged to stick to it. After every assignment a debriefing is needed to discuss within the team what went well and what needs to be improved on the next audit. Part of the debrief should be a discussion of performance against budget.

c01.indd 18

3/18/2014 6:51:47 AM

2 Materiality 2.1 The Issues Materiality worries everyone. Too low, and the audit becomes unprofitable. Too high, and there is a risk that things will be missed and that audit inspectors will question it. Materiality has been described as one of auditing’s ‘best-kept secrets’, and as a ‘black hole’. Audit firm methodologies aside, there is very little guidance on it, and it has a huge impact on the extent of audit work performed. Materiality drives the audit. The risks auditors are concerned about are the risks of material misstatement. Materiality and performance materiality are among the most significant audit judgements made. Practitioners know that small adjustments can make all the difference to the extent of work needed and, critically, whether they can continue the audit as planned, or whether they have to start again. Materiality affects sample sizes, it determines whether the financial statements need adjustments, and it represents the difference between a qualified and an unqualified audit report. Every audit junior knows that systematic errors found in sampling are a problem because they may mean a material misstatement when extrapolated. Material misstatements in automated areas imply serious control deficiencies and possibly fraud. The implications of all of that – together with the need to reassess risk, materiality levels and the audit approach generally in such circumstances – do not bear thinking about. It is for these reasons that one of the first things audit juniors learn is that it is critically important at the outset to be clear about what an error actually is, and to ensure that when errors are identified, that they are in fact errors.

… Materiality and performance materiality are among the most significant audit judgements made … small adjustments can make all the difference to the extent of work needed … Materiality affects sample sizes, it determines whether the financial statements need adjustments, and it represents the difference between a qualified and an unqualified audit report.

IFRS, UK GAAP and most other financial reporting frameworks define materiality in terms of misstatements, which individually or in aggregate could reasonably be expected to influence the economic decisions of users based on financial statements.1 How do preparers or auditors know what would reasonably influence the decisions

1

c02.indd 19

ISA 320, Materiality in Planning and Performing an Audit.

3/18/2014 6:56:21 AM

20

Core Auditing Standards for Practitioners

of users? The short answer is that they probably do not, at least not with any degree of certainty, and that the question is often thought to be not that important anyway, given the generally accepted methods of calculating materiality. However, despite the difficulty of this question, auditors are still required to try and answer it when setting materiality. 2.1.1  Issues for standard-setters and regulators The problem for standard-setters is that bright lines – such as statements to the effect that ‘materiality is n% of profits’– are a recipe for avoidance. The problem for regulators is that materiality is (a) highly sensitive to small changes in the percentages applied to benchmarks such as profits, turnover or assets, and (b) that the range of percentages commonly applied is wide. The ‘acceptable’ difference of 3% between the 2% to 5% commonly applied to net assets is a substantial figure where net assets themselves are substantial. The variation in acceptable limits across different firms is significant and there is a fair amount of latitude within firms. Despite periodic attempts to pin auditors down on the issue, standard-setters, professional bodies and mature regulators are generally loath to mandate anything more precise, however, for fear of creating an avoidance industry and causing firms to tinker with those aspects of methodologies more deeply embedded, less obvious or open to challenge than materiality. Ultimately, determining materiality is a matter of professional judgement and it is one of the most important judgements that auditors need to make at the beginning of the audit.

2.2  What the Regulators Say 2.2.1 AQRT A recent AQRT2 report on audit inspections makes links between audit firm efficiency, fee pressures, materiality, the extent of work performed and the need to protect overall audit quality, particularly where fee reductions are agreed. In short, auditors should not cut corners when under pressure. There is nothing new here but inspectors are aware that one way of ‘managing’ the necessary work on an audit is by revising materiality levels. The report goes on to say that while audit should represent value for money, firms are under pressure, there is more tendering than there used to be and substantial fee reductions. Sometimes these lead to cuts in audit work through the application of higher materiality levels and reduced sample sizes, among other things. In group audits,

2

c02.indd 20

Audit Quality Review Team of the FRC, formerly the Audit Inspection Unit (AIU)—inspects listed and other public interest audits in the UK. Audit Quality Inspections 2011/2012 www.frc.org.uk.

3/18/2014 6:56:21 AM



Section 2 – Materiality

materiality levels applied to components have been increased and therefore the number of components subject to audit reduced. The report does not go so far as to suggest that firms should alter their materiality levels, circumstances are always changing after all. It does say that firms should ensure that they maintain appropriate controls to ensure that efficiency is not achieved at the expense of quality, particularly where the extent of procedures performed are dependent on judgements relating to materiality, all of which seems fair enough.

21

… while audit should represent value for money, firms are under pressure, there is more tendering than there used to be and substantial fee reductions. Sometimes these lead to cuts in audit work through the application of higher materiality levels … firms should ensure that they maintain appropriate controls to ensure that efficiency is not achieved at the expense of quality …

In December 2013, the FRC issued the first in a series of Audit Quality Thematic Reviews on the subject of materiality.3 The document is essentially a list of to-do points for audit firms and audit committees but the data on which it is based includes a fair amount of detail about how larger firms calculate materiality, and that data is included in the report. It makes interesting reading. 2.2.2 QAD A recent QAD report refers to firms not using performance materiality to support the scope of audit procedures.4 This problem is almost certainly caused by a lack of familiarity with the clarified version of the ISA. The concepts on which performance materiality is based are not new, but their application in the clarified ISAs is. The QAD points out that performance materiality is either not being determined at all or not properly applied during audit procedures or when evaluating errors. It is fairly clear that performance materiality is poorly understood in most jurisdictions in which ISAs are applied and that standard-setters will, at some point, address the issue. 2.2.3  Other regulators A recent Malaysian Auditor Oversight Board Annual Report5 notes the Board’s concern about: • areas in which materiality is determined purely by references to limited quantitative factors; • situations in which uncorrected misstatements above the overall materiality were deemed immaterial based on a different materiality level such as ‘over total assets’; • instances in which some smaller firms established no materiality threshold at all. 3 4

5

c02.indd 21

www.frc.org.uk. The Quality Assurance Department of ICAEW—inspects audits not covered by the AQRT. Audit Monitoring 2011 www.icaew.com. www.sc.com.my. Report dated 2011.

3/18/2014 6:56:21 AM

22

Core Auditing Standards for Practitioners

Another Malaysian Board report6 notes weaknesses in the scoping of, or work on, material joint ventures and associates, and that the basis of setting materiality thresholds is not always clearly supported or documented. A recent Australian Securities and Investments Commission Audit Inspection Program Report7 notes that some firms should consider additional training, guidance and quality reviews covering the materiality of disclosures. 2.2.4  IAASB’s ISA Implementation Monitoring Project A report on IAASB’s ISA implementation monitoring project8 notes the following issues with the application of ISA 320: • inconsistencies in the determination of materiality and performance materiality and the need for guidance on the following topics to deal with it: –– benchmarks, percentages and including industry specific considerations; –– the qualitative aspects of materiality; –– year-on-year assessments, particularly where there are significant changes and when changes in benchmarks may be appropriate; –– separate materiality levels for the balance sheet and income statement; –– documentation to demonstrate the judgements made; –– component materiality in group audits; –– the relationship between materiality and estimation uncertainty, including appropriate actions when estimation uncertainty is greater than materiality; • unnecessary complexity caused by the requirement to determine materiality for classes of transaction, account balances or disclosures and a lack of clarity as to when and how to apply it. The IAASB will at some point open ISA 230 to deal with at least some of these issues. It might be a short standard, but it is one of the least well-understood ISAs. 2.3  What Practitioners Say The real issues with materiality are not a lack of understanding about who the hypothetical user might be, or at what level his or her decisions might be affected, or even a lack of detailed guidance on how to calculate it. Materiality is, after all, a fundamental accounting concept and not a hard one to understand. What practitioners struggle with is a lack of clarity about performance materiality, materiality in specific areas and the sensitivity of audit work to small changes in what is essentially a broad assessment. 6 7 8

c02.indd 22

Dated 2010. Report 317, December 2012, www.asic.gov.au. The Clarified ISAs—Findings from the Post-Implementation Review A three year project designed to assess the effects of clarified ISA implementation www.ifac.org.

3/18/2014 6:56:21 AM



Section 2 – Materiality

This confusion is understandable. There are a number of new technical terms in ISA 230 based on existing concepts, but they are poorly explained. Auditors and accountants who have used the concept of materiality for the whole of their working lives are struggling to deal with the application of these new terms.

23

… The real issues with materiality are not a lack of understanding about who the hypothetical user might be, or at what level his or her decisions might be affected, or even a lack of detailed guidance on how to calculate it … What practitioners struggle with is a lack of clarity about performance materiality, materiality in specific areas and the sensitivity of audit work to small changes in what is essentially a broad assessment …

The distinction between an accountant’s view of materiality and an auditor’s is important. In some jurisdictions and with the application of appropriate safeguards, auditors are permitted to provide accountancy services to their audit clients. Where that is the case, auditors frequently work to a very low materiality level when preparing the financial statements because they are being paid to prepare them properly and as accurately as possible. There is sometimes the danger that this approach is carried over into the audit and that auditors do too much audit work in immaterial areas. There has always been a great deal of professional judgement involved in materiality calculations and there is substantial scope for use and abuse, and auditor judgements are now being questioned more than ever. These are all good reasons for firms to do whatever it takes to be confident in the integrity of their audit methodologies. Audit manuals should set out a template for how appropriate benchmarks are to be used in determining materiality. However, it is just as important for individual auditors to apply the templates to appropriate benchmarks and then use their experience and knowledge of the audited entity to refine materiality levels. This is easier said than done. Changing a methodology is easy but changing the mindset of audit teams is significantly more challenging. A particular problem for some audit practitioners is the separation of materiality and audit risk. Higher audit risk does not automatically lead to lower materiality levels, although they are connected. For example, poor internal controls leading to a high assessed risk of material misstatement means that more and better quality evidence is required. This does not mean that materiality should be reduced, though. The firm’s audit methodology should have mechanisms other than adjustments to materiality that change samples sizes or influence audit procedures in other ways. Similarly, adjustments to the nature and extent of audit work will be required independently of the risk assessment if users are highly sensitive to changes in a particular account area.9 For example, a high level of risk in an area that does not concern users, such as petty cash, results in more audit work than would have been performed had risk 9

c02.indd 23

This is not true of performance materiality which is directly correlated to one particular risk, the risk that aggregated uncorrected and undetected misstatements will be material.

3/18/2014 6:56:21 AM

24

Core Auditing Standards for Practitioners

been assessed as low. The additional work in this case arises from the risk assessment and not because of the materiality level. On the other hand, an area that concerns users, such as directors’ remuneration, may be assessed as low risk but, because of user concerns, auditors may determine a lower level of materiality resulting in more testing.10 In practice, some auditors readily admit that they sometimes struggle to differentiate between issues of risk and materiality. This is partly because the relationship is complex but also because firm methodologies confuse the issues. Once again, performance materiality confuses matters because it is affected by the auditors’ risk assessment. Some practitioners treat certain sensitive areas as having a materiality level of zero, i.e. they will not tolerate any error in such areas, particularly disclosures concerning related parties and directors’ remuneration. Account-area materiality may be zero in certain limited circumstances where absolute accuracy is essential to users of financial statements, but this approach effectively applies accounting materiality to the audit. This is not necessarily a problem, it just creates more work. 2.4  What the Standards Say Standard-setters are aware of the levels of confusion about performance materiality. Given the sensitivity of audit work, sample sizes and costs to even small changes in materiality, a great deal of guidance about materiality might be expected but, as is often the case with difficult issues requiring the use of judgement, there is relatively little guidance available. Determining, and to an extent applying, materiality is mostly about the proper exercise of professional judgement. Inevitably, two auditors presented with same situation might well end up with different answers, because judgement is involved. The examples given below are just examples, not models. 2.4.1  Materiality and performance materiality Definitions of materiality  Paragraph 11 of ISA 200 on overall objectives11 states that one overall objective of auditors is to obtain reasonable assurance about whether the financial statements are free from material misstatement, enabling auditors to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. Paragraph 2 of ISA 320 on materiality states that misstatements include omissions and are considered material if, individually or in aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.

10

11

c02.indd 24

High risk does not necessarily result in lower materiality but a low level of materiality implies a higher level of risk. ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing.

3/18/2014 6:56:21 AM



Section 2 – Materiality

25

A simple way to think about materiality is in a circular manner: materiality is what matters to the users of the financial statements and what matters to the users of financial statements is material. Quantitative and qualitative aspects  Size is important in the context of materiality but some ‘smaller’ items are material because their qualitative characteristics lend them disproportionate significance, such as: • items that tip a profit over the line into a loss, or turn net assets into net liabilities; • related party transactions that are significant to the related party; • items that effectively result in entities failing to comply with lending and other covenants; • items affecting compliance with regulatory requirements, such as items that overdraw client accounts or affect capital maintenance ratios. Assessing the qualitative aspects of materiality currently tends to happen when evaluating misstatements, rather than at the planning stage. Performance materiality  Here cometh the problem child! Paragraph 9 of ISA 320 states that the purpose of performance materiality is to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements could exceed materiality for the financial statements as a whole. Performance materiality is therefore lower than materiality for the financial statements as a whole. Performance materiality is about taking into account the likely total undetected and uncorrected misstatements. In other words, it builds in a comfort factor. In practice it is often calculated as a simple percentage of materiality. That percentage can vary between 50% and 90% of financial statement materiality, depending upon the level of assessed risk, and is probably between 70% and 80% on the majority of typical assignments. While it is important to recognise that there is no guidance that says that this is the way it should be calculated, it is interesting to note that many auditors have interpreted this aspect of the ISA that way. ISA 450 on evaluating misstatements12 notes that some errors will always remain undetected and even some detected errors are not 12

c02.indd 25

… the purpose of performance materiality is to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements could exceed materiality for the financial statements as a whole. Performance materiality is therefore lower than materiality for the financial statements as a whole … it is often calculated as a simple percentage of materiality …

ISA 450, Evaluation of Misstatements Identified During the Audit.

3/18/2014 6:56:21 AM

26

Core Auditing Standards for Practitioners

corrected because they are so very small, i.e. ‘clearly trivial or inconsequential’. The risk that aggregated undetected and uncorrected errors will exceed materiality is reduced to an acceptable level using performance materiality. Firms give various other names to performance materiality, such as ‘working materiality’, reflecting the fact that it is used at the planning and detailed testing stages. Performance materiality is easily confused with tolerable misstatement, and both are confused with tolerable error, a term not used in the clarified ISA. The confusion is understandable because the concepts are very similar and related. Tolerable misstatement is effectively the maximum error auditors are prepared to accept and still conclude that the audit objective has been achieved in the context of sampling. Tolerable misstatement addresses the risk that aggregated immaterial misstatements are collectively material and provides a margin for possible undetected misstatements. Tolerable error is an application of performance materiality to sampling procedures. Tolerable misstatement may be the same as, or lower than, performance materiality. In the UK, auditors of listed entities are now required to disclose in the audit report the absolute level of materiality for the financial statements as a whole. They also report how they have calculated materiality levels, what those levels are and how they have been used in response to risk assessments. Whether this will a­ ctually result in better auditor behaviour, lower materiality levels, or more enlightened investors is a moot point but it seems that some investors, at least, want this information. Performance materiality is used: • to establish areas in which no audit work is required, or analytical procedures only; • in sample selection, by selecting all items over tolerable misstatement for example; • in evaluating the results of testing by applying tolerable misstatement to the extrapolated errors found in a population tested – if the amounts are below tolerable misstatement, no material error is deemed to exist; • in evaluating the results of analytical procedures by applying it to the difference between expected and actual results.

2.4.2  Applying materiality and performance materiality Different levels of materiality  Materiality and performance materiality are both applied to the financial statements as a whole and to individual account areas such as transactions, balances and disclosures. Financial statement level materiality calculations take account of the: • industrial and economic environment in which the entity operates; • sensitivities of users;

c02.indd 26

3/18/2014 6:56:21 AM



Section 2 – Materiality

27

• entity’s stage of development; • entity’s sources of finance. Separate materiality levels should be considered where users might be more sensitive to errors. This is sometimes called account-level, class-level or area-specific materiality. Users of the financial statements of indebted entities are more likely to be interested in the assets over which they have charges than its earnings, for example, and auditors need to take account of this in determining materiality. Another example involves director’s remuneration: If the overall materiality in the financial statements of a large bank was €20m, would users find it acceptable if the CEO’s remuneration was understated by €15m? This example explains why areas such as directors’ remuneration and related party disclosures often have separate materiality levels allocated to them below the level for the financial statements as a whole. In practice, materiality in individual account areas may reflect risks or sensitivities in that particular area, for related party transactions and transactions with directors, for example, and for areas to which management draws attention. Regulatory and reporting requirements may affect users’ expectations and the figures used to calculate capital maintenance ratios and other KPIs may be expected to be deemed material for that reason although, to the surprise of many, KPIs appearing in the annual report are often not audited and are often calculated inconsistently, even within the same industries. We note above that materiality is not directly affected by audit risk and that it is addressed separately within the audit methodology. However, where a lower level of materiality is set for a particular account area, auditors will also consider the need to set performance materiality which is affected by the risk assessment. Benchmarks and percentages  Percentages applied to benchmarks, such as profits or assets, are used to calculate materiality. Materiality at the financial statement level is often calculated by averaging percentages of turnover, adjusted profits and assets. All of these must be adjusted to take account of the circumstances of the entity. Calculations for start-ups, growing entities, those experiencing volatility, or changes in group structure are likely to be tweaked. Professional judgement has to be exercised in setting materiality using different benchmarks and audit firm methodologies are not a substitute for the use of judgement. It would only be acceptable for auditors to use materiality calculated mechanically using a firm’s model if, in the auditors’ judgement, that was an appropriate figure. Materiality calculations are performed on the draft financial statements themselves if available, or on prior period financial statements, results to date, or budgets and forecasts if nothing else is available. Benchmarks should be ‘normalised’ for non-recurring and discretionary items such as directors’ remuneration in smaller entities, but this is sometimes missed in practice. Fixed formulae should not be applied in calculating materiality. The one ‘bright line’ in ISA 320 notes that where 5% of profit before tax might be appropriate as a starting point for calculating materiality for a manufacturing entity, 1% of total revenue

c02.indd 27

3/18/2014 6:56:21 AM

28

Core Auditing Standards for Practitioners

or expenses might be appropriate for a not-for-profit entity. These percentages should certainly not be used as fixed points, and they should not be regarded as starting points either. They merely demonstrate that different benchmarks are appropriate in different circumstances. Benchmarks and percentages used are wide-ranging: • 0.5–5% of total revenue and gross profit; • 5–10% of profit before or after tax; • 0.5–5% of total assets; • 1–5% of net assets. Using the right benchmark involves identifying which areas of the financial statements will be the focus of users’ attention. In an investment company, users might be interested in asset values. In a trading company, profits might be critical. In a start-up, growth of turnover might initially be more important than profits. Applying the right percentage to the most relevant benchmark is much more difficult. It is hard to look at the issue in isolation without considering risk models, sampling models and other aspects of audit firm methodology, and two audit firms might have methodologies that give significantly different materiality levels in the same area, but have compensating factors in their risk model. Any decent methodology should require the application of judgement to materiality levels, and that application might well ultimately lead the two firms to design and perform similar audit procedures, despite the difference in calculations. One issue that can influence the percentages used in practice is the size of the entity being audited. Some firms apply a stepped approach to determining materiality, i.e. the percentage reduces as the benchmarked figure increases. This takes account of the fact that proportionally larger errors can be tolerated in some financial statements with relatively small figures for income, expenditure and assets, because the amounts involved are trivial to users. This approach requires care and auditors should be confident that taking this approach to smaller entities is appropriate before proceeding. As noted above, performance materiality is often set somewhere between 50 and 90% of materiality – the former in relatively high risk situations and the latter in lower risk situations. 2.4.3  Audit documentation The importance of good planning documentation should not be underestimated. Determining materiality can be complex and is always sensitive. Documentation needs to be good to demonstrate compliance with ISAs and to inform the audit team about how to approach the audit.

c02.indd 28

3/18/2014 6:56:21 AM



Section 2 – Materiality

29

The following examples are intended to illustrate the documentation of materiality as well as some of the technical points made above. Example working paper – Brasilia  Brasilia Industries is a family-owned manufacturer that has been in business for many years. The users of the financial statements are family members who own shares in the company and receive regular dividends out of profits. Brasilia’s performance has been in gradual decline over many years but it has remained profitable.

Documentation of Materiality Brasilia Industries Year ending: December 31, 20X4 Materiality for the financial statements as a whole Benchmark

factor

$10,000,000

1%

$100,000

Assets

$5,000,000

2%

$100,000

Profit

$400,000

5%

$20,000

Turnover

Materiality for the financial statements a whole is set at $60,000. Brasilia Industries is a family company and profitability and turnover are considered key benchmarks. Materiality has been set at a level reflecting the family’s emphasis on profitability. Area-specific materiality There is no area in the financial statements with lower materiality. Performance materiality Performance materiality

$48,000

Inherent risk has been assessed as low. Performance material has been set at 80% of materiality. Trivial errors Errors below $2,500 are considered to be trivial. This is approximately 5% of performance materiality.

c02.indd 29

3/18/2014 6:56:21 AM

Core Auditing Standards for Practitioners

30

Example working paper – Nassau  Nassau is a technology start-up in its second year. It has received significant second-round funding from new investors. It is expected to grow exponentially over the next two years and the shareholders expect to seek a stock exchange listing when revenues exceed €100m.

Documentation of Materiality Nassau Year ending: 31 March, 20X5 Materiality for the financial statements as a whole Benchmark

factor

£10,000,000

1%

£100,000

Assets

£5,000,000

2%

£100,000

Profit

£400,000

5%

£20,000

Turnover

The users of the financial statements are looking for growth and the focus is on turnover. At this stage assets and profitability are not of concern. Materiality for the financial statements as a whole is set at £100,000. Area-specific materiality External investors are likely to be particularly concerned with related party transactions and directors’ transactions and remuneration. Materiality in these areas is £10,000. Performance materiality Financial statements as a whole Related parties and directors transactions

£80,000 £8,000

Inherent risk has been assessed as low. Performance materiality has been set at 80% of materiality. Trivial errors Errors below £4,000 are considered trivial. This is approximately 5% of performance materiality.

c02.indd 30

3/18/2014 6:56:21 AM



Section 2 – Materiality

31

Example working paper – Sucra  Sucra holidays is an owner-managed travel agent. The company has struggled to compete with national competition and whilst turnover has gone up, profitably has declined and the company is making significant losses while bank borrowing has increased. The company is in breach of interest cover covenants at the year-end.

Documentation of Materiality Sucra Holidays Year ending June 30, 20X6 Materiality for the financial statements as a whole Benchmark

factor

€10,000,000

1%

€100,000

Assets

€5,000,000

2%

€100,000

Loss

€1,200,000

5%

€60,000

Turnover

Materiality for the financial statements as a whole has been set at €100,000. Users of the financial statements are equally interested in all relevant areas of the financial statements. Area-specific materiality There have been significant related party transactions in previous years relating to sale of holidays. Related party transactions and directors

€ 5,000

Performance materiality Financial statements as a whole Related parties and directors transactions

€50,000 €2,500

Inherent risk has been assessed as high. Performance material has therefore been set at 50% of materiality. Trivial errors Errors below €2,500 are considered trivial. This is approximately 5% of performance materiality.

Observations on example working papers  The working papers above are examples and are not intended as models or to be used as components of audit methodologies. Audits in practice are too varied and there is too much professional judgement required for it to be possible to produce a model working paper in that way. The examples illustrate the documentation of the thought processes involved when determining materiality levels.

c02.indd 31

3/18/2014 6:56:22 AM

32

Core Auditing Standards for Practitioners

By way of commentary on these examples it is worth noting that: • the benchmarks in Brasilia and Nassau are similar but different materiality thresholds are determined. This is because in the auditors’ professional judgement, users of the respective financial statements had different needs; • Sucra Holidays had severe financial difficulties and there was thought to be a high risk of error in the financial statements. This did not reduce the materiality at the financial statement level, but performance materiality did reflect this risk; • in Brasilia, no specific account areas were identified as having a lower level of materiality. This is not uncommon. In practice auditors are often over-eager to identify areas that they think are important, but the area’s importance to users is what matters for materiality purposes; • In Nassau and Sucra Holidays, disclosures such as related party transactions were identified as areas of user interest. In these cases, performance materiality was also determined in that area, using the same percentage as that used to calculate performance materiality at the financial statement level; • in each example, a triviality threshold is determined. Above this level, identified errors need further attention principally through aggregation with other errors. The triviality threshold is also used to determine which errors are reported to management. Trivial errors can generally be ignored by auditors; • materiality figures are generally rounded to one or two significant figures. Spurious accuracy is not helpful and there is little point in setting materiality at €56,781. Setting materiality is intelligent guesswork, and there are no precise answers. 2.4.4  Revising materiality, final materiality Auditors are required to reassess materiality as the audit progresses, but revising it can cause problems. If it is not revised when it should be, even more problems arise. In practice, auditors sometimes use the final revised materiality figure as a guide to the following year’s audit. This is not its primary purpose. The final materiality figure helps auditors evaluate unadjusted errors and assists in the finalisation of the audit and forming the audit opinion. Auditors also need to compare the final materiality level to planning materiality. If final materiality is lower than planning materiality, it might mean that auditors need to do more. The likelihood of the need to revise materiality depends upon a number of issues. Firstly, materiality is sometimes based on prior year figures at the planning stage, because current year figures are not available. This greatly increases the chances of materiality having to be revised. Where planning materiality is based upon current year figures, unexpected changes and new information coming to light are the two main causes for the revision of materiality, such as changes to bad debt or inventory provisions. 2.4.5  What is ‘clearly trivial’? The idea of errors that are ‘clearly trivial’ is a useful notion when evaluating identified errors. Triviality is considered during the fieldwork and at the completion stage but the

c02.indd 32

3/18/2014 6:56:22 AM



Section 2 – Materiality

33

threshold for triviality needs to be set at the planning stage to enable the audit team to identify the errors that should be carried forward for consideration in aggregate and errors that can simply be forgotten. Many auditors do not give proper consideration to setting a ‘clearly trivial’ threshold at the planning stage. As a result, inconsequential errors are sometimes addressed and aggregated unnecessarily. Opinions vary on how to determine what is trivial. ISA 320 gives little guidance and, in practice, auditors use benchmarks from anywhere between 1% of performance materiality to 10% of materiality. Between 2% and 5% of materiality is probably a good guide. As always, professional judgement is needed. 2.4.6  Evaluating misstatements When errors are identified during the audit, auditors need to consider their impact on the financial statements. Errors other than those found when sampling  Errors found when sampling are evaluated using tolerable misstatement. Other individual errors are evaluated with reference to performance materiality. All errors that are not clearly trivial should be aggregated and considered in total. At this stage, auditors should be thinking about whether the aggregate effect on the financial statements is material. Ultimately, the auditors will have to modify their audit opinion if aggregated errors are greater than materiality. Performance materiality is not the appropriate level of materiality to use at this stage of the audit when considering the financial statements as a whole. Auditors should not disregard immaterial errors that will be reported to management and auditors will ask for them to be adjusted for. Errors found when sampling  The aim of sampling is to form conclusions about the whole population being tested. If an error is identified then it cannot be considered isolated unless there is evidence to support that view. An error found in a batch of transactions entered by a temporary member of staff might be considered isolated, or at least limited to transactions processed by that member of staff. In practice it is very unusual to find neat examples such as these and the presumption is that errors are not isolated and that they are errors applying to the entire population. Tolerable misstatement should not be compared with individual errors. It should be compared with either the expected error rate for the population as a whole, or extrapolated error. Errors need to be extrapolated before they can be properly evaluated. The level of tolerable misstatement is often set at the same level as performance materiality because they are based on similar ideas. Evaluating aggregated unadjusted errors  At the completion stage, auditors should look at the aggregated effect of all errors identified during the audit. Auditors

c02.indd 33

3/18/2014 6:56:22 AM

Core Auditing Standards for Practitioners

34

should consider trends that might indicate a degree of management bias not previously identified, as well as the total potential error, in light of materiality. The following example seeks to illustrate the points above and to demonstrate what a working paper might look like. Evaluating Errors Ottawa Research Year ending July 31, 20X5

ADJUSTED errors Schedule Reference

Balance sheet £

Income statement £

Detail

Actual or Estimate

Cr

Dr

Bad debt provision missed

Actual

20,000

20,000

Sales cut-off error

Actual

26,000

26,000

46,000

46,000

Dr

Actual change in profit from adjusted errors

Cr

UNADJUSTED errors Schedule Reference

Detail

Actual, Estimate, Projection

Purchase cut-off error

Actual

FOREX adjustment missed

Actual

Provision for legal claim not made

Estimate

Balance sheet £ Dr

Cumulative effect on profit of errors

Cr

Dr

10,000

10,000

6,000

Cr 6,000

50,000

Cumulative effect on profit of errors which client declined to correct Projected error from sales test Projection

Income statement £

50,000 54,000

32,967

32,967 21,033

Notes Materiality

£80,000

Now that bad debt and sales cut-off errors have been adjusted for, the aggregate unadjusted errors are immaterial. Management have been informed of the other errors. They consider the purchases cut-off error and the FOREX error to be immaterial. They disagree with our judgement on the likelihood of the legal claim against the company succeeding. Management have declined to investigate further the projected error rate in the sales population as it is immaterial.

c02.indd 34

3/18/2014 6:56:22 AM



Section 2 – Materiality

35

Reporting unadjusted errors  Management should be informed about all non-trivial unadjusted errors and asked to correct misstatements. In practice, this request is often refused on the grounds that errors are immaterial. Auditors may suggest that correcting all misstatements enables management to maintain accurate records and reduces the risks of misstatement in future financial statements because of the cumulative effect uncorrected misstatements in prior periods, but management may have heard this before. Management’s refusal to correct misstatements may be an indicator of possible management bias and auditors should consider this when obtaining an understanding of management’s reasons for not making the corrections. The management letter might be the appropriate place to communicate these errors to management.

c02.indd 35

3/18/2014 6:56:22 AM

c02.indd 36

3/18/2014 6:56:22 AM

3

Related Parties 3.1 The Issues

The audit of related parties and transactions, like materiality, makes auditors nervous. It can involve asking difficult, personal questions of management. Such questions are sometimes met with hostility and are treated as an implied accusation of impropriety. This remains a problem even in jurisdictions in which the requirements for the ­disclosure of such transactions is long-established, and where deference to elders and superiors is not a significant cultural consideration. For a long time, the focus of audit effort was on the disclosure of related party transactions that auditors became aware of. The revised ISA 5501 takes a much more risk-based approach and requires auditors to assess the risk of material misstatement relating to related parties and transactions.

… The audit of related ­parties and transactions … makes auditors nervous. It can involve asking difficult, personal questions of management. Such questions are sometimes met with hostility …

What is material in the context of related parties is not always straightforward. This issue is complicated by the fact that there is a rebuttable presumption that transactionswwith related parties are not at arm’s length. The area becomes even more difficult when auditors realise that the word ‘fraud’ or ‘fraudulent’ appears in 20 different paragraphs in the ISA out of a total of 78. In short, ISA 550 is mostly about fraud. This is hardly surprising, given that most corporate collapses involve some inappropriate transactions with related parties. There have been many well-publicised instances of large corporations using transactions with related parties to manipulate the reported results of the group. A common fraud involves using a related party to remove debt from the group’s balance sheet. Auditors who are conscious of the increased risk of fraud when dealing with related party issues are more likely to detect these frauds. The ISA states that the auditors’ understanding of the area is relevant to the understanding of fraud risk factors. Paragraph 5 of ISA 550 states that fraud is easier commit through related parties and the auditors’ first objective in ISA 550 is to recognise fraud risk factors arising from related party relationships and transactions. The engagement team discussion required by ISAs 3152 on risk assessment and ISA 240 on fraud3 1 2 3

c03.indd 37

ISA 550, Related Parties. ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements. ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment.

3/18/2014 6:59:54 AM

38

Core Auditing Standards for Practitioners

includes specific consideration of the risk of material misstatement due to fraud or error resulting from related party relationships and transactions. The relationship between fraud and related party transactions could not be clearer. However, understanding the importance of related parties does little of itself to help beleaguered auditors address the issue. While financial reporting frameworks place the responsibility for identifying related parties and transactions squarely with management, in a large number of cases the entity relies on its auditors for help in this area, and the auditors are then required to audit the area for completeness. In jurisdictions which permit it, this assistance may form part of accountancy services provided by auditors and the appropriate ethical requirements will need to be applied. There are suggestions that the accounting and auditing requirements for related party transactions are routinely flouted, because auditors are often unwilling to ask the sort of direct questions of senior management that the ISA seems to require – about their private financial relationships and those of their close family and other dependents, for example. The requirements of IFRS and UK GAAP in this area effectively mandate the disclosure of material related party transactions with directors’ children, spouses and domestic partners, and any other financially dependent individuals including, in some cases, brothers, sisters, parents, grandparents and others. One key word in this context is ‘material’. When preparing the financial statements, management needs only concern themselves with identifying related parties with whom there might be material transactions. Auditors are required by ISA 550 to make inquires about the identity of all related parties. This is clearly very different and potentially far more intrusive. In practice, auditors do their best. There are ways and means of asking difficult questions, and of finding out about related parties, without necessarily asking direct questions. But the area does make practitioners feel uncomfortable and presents some very significant practical and technical challenges. 3.1.1  Issues for standard-setters and regulators Cultural differences  Some regulators, particularly those operating in regimes such as the USA and those parts of Europe in which legal systems rely on civil codes rather than common law, tend to prefer prescription in auditing standards to high-level principlesbased standards. They believe that auditors need more help to ensure that they exercise their professional judgement properly, in the form of mandated audited procedures. Regulators acknowledge that simply performing more prescribed procedures will not necessarily lead to the detection of more misstatements involving related party transactions. However, they consider this irrelevant because they believe that applying high-level principles-based standards probably fares worse. At least the public and the business community knows what it is getting if the audit process is clearly set out in auditing standards. This belief is held by the regulators as genuinely as the belief among many auditors and professional bodies that such prescription does not improve audit quality, and may even damage it. Many auditors and professional bodies also believe that mandated procedures at best shift attention away from judgemental areas and force auditors into a compliance mentality.

c03.indd 38

3/18/2014 6:59:54 AM



Section 3 – Related Parties

39

The tension between these differing approaches shows in the development of standards in difficult areas such as these. There are also tensions between jurisdictions in which there are traditionally close relationships between companies and families, together with a culture of deference and sometimes secrecy, and jurisdictions in which these values do not, or no longer, hold sway. Standard-setters, particularly international standard-setters, whether they are aware of it or not, operate on the assumption that there is a set of shared values underlying the conduct of business globally to which all stakeholders aspire. In developing accounting and auditing standards for related party transactions, standard-setters have had to deal with some uncomfortable silences when it has become clear that the values they thought were universally shared, about transparency, for example, are at best ‘understood differently’. In the area of related parties, perhaps more than any other, it is likely that the require… At present, substantively ments of IFRS, UK GAAP and the related testing for completeness in the auditing requirements are very widely inter­ absence of controls remains preted. The accounting and auditing standarddifficult because auditors are setters, knowing or suspecting the likelihood not sure when to stop. How of this, have probably set standards where long should auditors spend they believed they should be, i.e. at the upper reviewing ledgers and minend of best practice, in the knowledge that utes of meetings looking for any attempt to accommodate everyone’s potentially undisclosed related views on the subject would be a non-starter. This means that at least in theory, there is parties or transactions? … room for improvement in many if not most cases, and that as standard-setters they cannot be accused of setting lowest common denominator standards when virtually all major corporate collapses have involved transactions with related parties. Auditing for completeness  From both an accounting and auditing point of view, a key objective is the completeness of related party disclosures. An issue for auditors is that virtually no smaller entities, and not all larger entities, have systems dealing with these relationships or transactions so there are few, if any, controls auditors can test. They are often forced into a substantive approach. That said, when auditors make enquiries of management about related parties, management may not know how to respond. This is often because management has never previously given related parties much thought beyond identifying those with whom there are discloseable transactions. Management often asks auditors for assistance in putting together the required disclosure on related parties, and auditors should propose that management introduces systems to help identify related parties and transactions. Such systems typically involve management making regular written enquiries of directors and trustees, or their equivalents, and of key shareholders. At present, substantively testing for completeness in the absence of controls remains difficult because auditors are not sure when to stop. How long should auditors spend

c03.indd 39

3/18/2014 6:59:54 AM

40

Core Auditing Standards for Practitioners

reviewing ledgers and minutes of meetings looking for potentially undisclosed related parties or transactions? The ISA attempts to provide guidance in terms of the nature of testing (where to look) but, as with many other ISAs, there is little in the way of guidance as to the extent. 3.2  What the Regulators Say 3.2.1 QAD A recent QAD report4 notes incomplete documentation of the names of related parties, including documentation relating to other businesses in which trustees, directors and their close families have an interest. The report also refers to the fact that while the new requirements in this area are significant, they only really reflect best practice and that firms having difficulties usually need to engage with their clients more. Interestingly, the QAD focuses on the need to document the names of businesses that might be related parties, which is sensible because it is more likely that there will be material transactions with businesses than with individuals. While the requirement to document all related parties is clear in the ISA, there is no evidence to suggest that the QAD is pushing for the documentation of the names of family members, with whom there are likely to be fewer, if any, transactions. The QAD’s 2012 report refers again to the requirements for auditors to establish a full record of related parties and to the completeness issue. Even where firms are confident that they know who related parties are, audit files do not always document them fully. During file reviews, the QAD sometimes finds undisclosed related party transactions that auditors have not dealt with. 3.2.2  Other regulators A recent Malaysian Auditor Oversight Board Annual Report5 notes the Board’s acknowledgement of the steps taken by major firms to rectify deficiencies in procedures in this area, including paying more attention to understanding management processes for identifying related parties. The report notes a continuing tendency to rely on management representations in some cases, and a lack of evidence supporting assertions that transactions were at arm’s length. A recent Australian Securities and Investments Commission Audit Inspection Program Report6 notes that the audit of related party transactions is an important area for improvement. Some auditors performed inadequate procedures in respect of completeness and the report notes a failure to either assess, discuss or document the processes and risks associated with undetected related parties and transactions at the planning stage. 4

5 6

c03.indd 40

The Quality Assurance Department of ICAEW—inspects audits not covered by the AQRT. Audit Monitoring 2011 www.icaew.com. www.sc.com.my. Report dated 2011. Report 317, December 2012, www.asic.gov.au.

3/18/2014 6:59:54 AM



Section 3 – Related Parties

41

The International Forum of Independent Audit Regulators (IFIAR) noted in its 2012 Summary Report of Inspection Findings that several members, i.e. national audit regulators, stated that they most commonly found shortcomings in audit procedures in line items that included related party transactions.7 Observations in a recent report of Singapore’s Accounting and Corporate Regulatory Authority on its Practice Monitoring Program8 neatly summarise the position not just in Singapore, but elsewhere. The report notes that in the light of recent corporate scandals, auditors must be mindful of related parties and transactions that present opportunities for collusion, concealment, manipulation and fraud. The Authority reminds auditors that they should ‘not take at face value, lists of related parties identified by management’, without auditing their completeness. It emphasises the requirements of the Singaporean version of the ISA, including what to do when there is a higher risk of misstatement. Previous versions of the ISA did not have much guidance on responding to assessed risks, but the revised version does. It requires auditors to inspect documents such as bank and legal confirmations for indications of the existence of further related relationships or transactions that management has not previously disclosed. 3.2.3  IAASB’s ISA Implementation Monitoring project A report on IAASB’s ISA implementation monitoring project9 notes a few concerns about auditors over-emphasising the testing of related parties and transactions already disclosed, and under-emphasising inquires of management about undisclosed transactions. 3.3  What Practitioners Say Practitioners make clear connections between problems with obtaining information about related parties and transactions, and broader problems with an audited entity. Management of entities may initially be a little embarrassed to discover that a transaction that they thought was essentially a private matter has to be disclosed, but in most cases they will accept the disclosure requirements of accounting standards. Where management object to such disclosures, practitioners have to ask questions about their integrity. Auditors are required in any case to assess the integrity of their clients before taking them on, and as part of the fraud risk assessment. Most practitioners do not want to be involved with clients who lack integrity because they are often more trouble than they are worth. An unwillingness to make the proper disclosures of transactions with related parties is often symptomatic of wider 7

8 9

c03.indd 41

Other areas included revenue recognition, inventory, commitments and contingencies and subsequent events www.ifiar.org. Dated July 2011 www.acra.gov.sg. The Clarified ISAs—Findings from the Post-Implementation Review. A three-year project designed to assess the effects of clarified ISA implementation www.ifac.org.

3/18/2014 6:59:54 AM

42

Core Auditing Standards for Practitioners

… Practitioners make clear connections between problems with obtaining information about related parties and transaction, and broader problems with an audited entity … Where management object to such disclosures, practitioners have to ask questions about their integrity …

problems. Omitting related party disclosures is a deliberate manipulation of the financial ­statements and may be motivated by a desire to conceal a fraudulent transaction. Managers who are willing to manipulate one area of the ­financial statements will almost certainly be willing to manipulate other areas.

Many smaller entities rely on their auditors for advice on who the entity’s related parties are, and on what should be disclosed. Ethical standards and guidance prohibit auditors providing this type of assistance in some cases, such as the audit of listed entities. In many cases though, auditors will be able to assist management with the identification of related parties provided that safeguards are applied. Pragmatically, auditors can provide ‘input to the process’ and provide advice on evidence-gathering about related parties in the early stages of a client relationship. Auditors can explain or discuss the accounting issues with an owner-manager, inspect relevant documentation and generally point the client in the right direction while obtaining the required evidence at the same time, effectively providing the client with the tools to perform the same exercise in subsequent years. Auditors need to pay particular attention to certain types of related party transactions. Many related parties are group companies and transactions with them are in the normal course of business even if they are not at arm’s length. When it comes to the sale of entity assets to management or shareholders or their families though, transactions are not in the normal course of business, nor are they at arm’s length when they are on preferential terms. There are often legal requirements for the approval of such transactions in advance by shareholders, to prevent the enrichment of directors at the expense of companies. While most such transactions are legal, they are a common feature of fraud and other criminal activity. … Many related parties are group companies and transactions with them are in the normal course of business … When it comes to the sale of entity assets to management or shareholders or their families though, transactions are not in the normal course of business, nor are they at arm’s length when they are on preferential terms …

c03.indd 42

Tax considerations are also big factor in these transactions. There is often a tax benefit associated with understating the value of these transactions, which pass value into an owner’s hands and avoid tax on distributions. For owner-managed companies, this is often a significant risk. For these reasons, materiality and performance materiality for related party transactions are often set at fairly low levels. Auditors, particularly of owner-managed and family companies, have always been aware of these risks and they know that disclosure is not necessarily the problem.

3/18/2014 6:59:54 AM



Section 3 – Related Parties

43

Family-owned Businesses and Related Party Transactions Berlin Hotels Berlin Hotels is a family owned company that runs a group of city-based hotels. The entire Berlin family is involved, including all of the children who work in or manage hotels in the group. They are clearly related parties. There are regular transactions between family members and the company. The auditors record the existence of loans to directors and other family members. Personal expenditure is frequently met by the company which should be posted to the relevant loan accounts. Hotel services are sometimes supplied to family members. One of the daughters had her wedding reception at one of the hotels. There are no systems to record these transactions. The auditors may assess the risk of error as high in this case because family members might try to pass off personal expenses as business expenses. They might be motivated to do this to avoid tax charges on extracting value from the company, and the tax and legal consequences of overdrawn loan accounts. This risk assessment might lead auditors to design the following procedures: • examine the documentation relating to all non-current asset disposals, looking for sales at undervalue to family members; • scrutinise the loan accounts with family members for unusual entries; • scrutinise high-risk profit and loss expenses codes for personal expenditure, such as entertaining, repairs and renewals, looking for possible repairs to personal properties, for example; • examine additions to non-current assets and all other relevant asset codes for company assets being used personally, such as motor vehicles or assets that might not seem appropriate for a city-based hotel group to hold, such as a ski chalet; • test for and be generally vigilant regarding hotel, restaurant or banqueting sales to family members not at arm’s length; • request specific representations from management regarding the various categories of likely transactions and balances with related parties. At first sight, this might appear to be a great deal of extra work for the auditors. In some cases, it could be. However, if Berlin operates in a jurisdiction in which the provision of tax services by auditors is permitted, and the auditors of Berlin are assisting the company with the preparation of tax computations, none of this would amount to ‘extra’ work. Enquiries of this nature are a routine part of tax work for a family company. All Berlin’s auditors might need to do is remember to document the work that they do as part of the tax service, in a way that demonstrates that audit evidence has been obtained.

c03.indd 43

3/18/2014 6:59:54 AM

44

Core Auditing Standards for Practitioners 3.4  What the Standards Say

IFRS, UK GAAP and most other financial reporting frameworks define related parties. Related parties usually include: • persons or entities with control; • persons or entities with significant influence; • key management personnel which includes director, trustees or their equivalents. Related parties also include close family members. These are defined in IFRS and UK GAAP as close family who can influence, or be influenced by: • a member of key management; • a person who controls the entity; • someone with significant influence over the entity. Close family members specifically include: • a spouse or domestic partner; • children; • children of a spouse or domestic partner; • dependents. Sometimes there may be individuals or entities who do not meet this definition who auditors need to keep an eye on. The CEO’s longstanding tennis partner is as likely to collude in a fraud as the CEO’s spouse. This can be a problem if the tennis partner’s company transacts business with the entity, particularly if these transactions are outside the normal course of business. Auditors might not identify these relationships initially, but they should remain vigilant for the possibility of there being transactions with such entities or persons. ‘Non-related’ Related Parties Madrid Consultants Madrid is a consultancy that is building a new corporate headquarters. Madrid engages a building contractor, owned and managed by the brother of Madrid’s CEO. While building the headquarters, the contractor fraudulently diverts building materials and labour, billed to Madrid Consultants, to the building of a pool and summer house at the CEO’s own home. This fraud might have been possible even if the building contractor was not a related party. However, it is easier to convince related parties to be involved in fraud as they may be more willing to manipulate the documentation to conceal the fraud and perhaps even lie if the need arises, in this case to protect Madrid’s CEO. This is why auditors need to identify all related parties, particularly those that are businesses. The ability to influence is the key factor to look out for.

c03.indd 44

3/18/2014 6:59:54 AM



Section 3 – Related Parties

45

Some financial reporting frameworks have few or no accounting requirements for related party transactions. ISA 550 includes a definition that applies in such cases. It requires auditors to understand related party transactions, because (it argues) they are always relevant to the fair presentation of financial statements as well as to compliance frameworks. The rationale for the latter is on the basis that the non-­ disclosure of such transactions could be ‘misleading’, even in the absence of a disclosure requirement.

3.4.1  Unidentified and undisclosed related parties and transactions The basic procedures required to understand related parties and transactions include: • a discussion among audit team members about the susceptibility of the financial statements to material misstatement arising from transactions with related parties. This should be a proper discussion and exchange of ideas and experiences, not just a briefing for the engagement partner; • inquiries of management regarding the identity of related parties, transactions with them and any significant transactions outside the normal course of business which need to be treated as significant risks; • understanding any control procedures over the identification, disclosure and authorisation of transactions with related parties; • remaining alert to the possibility of undisclosed transactions; • inspecting bank and legal confirmations, minutes of shareholder and other meetings and similar documents for evidence of undisclosed transactions; • obtaining written representations about the completeness of disclosures. Undisclosed relationships and transactions that come to light that management has not identified or told auditors about are a headache. Auditors have to understand why controls did not identify them. If controls did identify them, auditors have to understand why they remained undisclosed, and whether there are any more. The original risk assessment needs to be re-visited. When performing procedures resulting from the discovery of an unidentified related party, it is important to remember risk. If the previously unidentified related party is transacting significant amounts of business with the entity outside the normal course of business, auditors will need to take the issue seriously, and consider the pursuit of other unidentified related parties.

3.4.2  Fraud risk factors Those who exercise dominant influence over an entity represent a fraud risk factor, particularly if they are in a position to override internal controls. A significant risk is deemed to arise if this situation co-exists with other fraud risk factors, such as a high turnover of senior staff, the use of intermediaries for no clear reason or the dominant individual being overly concerned with certain accounting issues.

c03.indd 45

3/18/2014 6:59:54 AM

46

Core Auditing Standards for Practitioners

Additional investigative procedures are required: • when there is an identified significant risk of fraud due to the presence of a related party with dominant influence; and • where there is a significant risk that management will fail to deal with party transactions properly. Unfortunately for the auditors of smaller entities, owner-managers of smaller businesses often exercise as much, if not more, dominant influence as certain individuals do over larger entities. It is not uncommon for smaller entities to have poor controls over transactions with such individuals and other related parties. If there is a lack of control in some larger entities, it may be a deliberate attempt to hide discloseable transactions and relationships, although in most cases ignorance or incompetence is more likely. 3.4.3  Transactions not at arm’s length, outside the normal course of business and with Special Purpose Entities Many accounting frameworks require disclosure of transactions at under or overvalue, i.e. not at arm’s length. Such transactions are sometimes used legitimately within groups for tax planning, cash flow and operational purposes. Where such transactions are with individuals and they are significant, they often require shareholder approval. Assertions to the effect that such transactions are on normal commercial terms need to be supported with evidence to that effect. Some transactions outside the normal course of business involve related parties. The sale of company cars to directors or their spouses is a common example. Auditors are required in such cases to confirm that the appropriate approvals have been obtained from shareholders, the board or others as required. They are required to inspect the relevant documents to establish the business rationale for the transaction, and to determine if its terms are consistent with management’s explanations and whether it may have been fraudulent. Special purpose entities (SPEs), sometimes known as special purpose vehicles (SPVs), are used for legitimate as well as illegitimate purposes. They have featured in many corporate collapses in which circular transactions are used to hide losses or remove liabilities using entities set up in jurisdictions lacking transparency. As a result, they will be associated with illegitimate purposes for a long time to come. SPEs are established legitimately for narrow and well-defined purposes, such as research and development, the securitisation of financial assets and to facilitate certain types of leases. They are constituted in various ways to ring-fence the assets and associated liabilities transferred to them. They are generally designed to avoid consolidation. SPEs may nevertheless be caught by disclosure requirements if they come within the definition of a related party, particularly if the reporting entity controls them, regardless of legal ownership. The required engagement team discussion of fraud may cover this area.

c03.indd 46

3/18/2014 6:59:54 AM

4

Get This Right and the Rest Falls into Place: Understanding the Entity and Assessing Risk 4.1 The Issues

Assessing risk by understanding the entity is, without question, the key to performing an efficient audit. If auditors get the risk assessment right and understand the entity properly, the foundations have been built for a high quality and cost-effective audit. Get it wrong and, at best, the audit processes will be inefficient. At worst, auditors are heading for problems with audit regulators, disciplinary action and ultimately, although mercifully rarely, the courts. For many years, audit regulators have criticised auditors’ risk assessment processes and firms have paid the price for this in time spent improving procedures and in some cases, fines. It is worth saying again: getting the risk assessment right and linking it to the response is critical to all audits. The only other judgements that even approach the importance of this one are the assessment of materiality and the scoping of group audits. 4.1.1  Risk-based auditing is not new The profession has been talking about moving towards ‘risk-based auditing’ for decades. It has long been thought of as the most effective and efficient way to audit because it permits auditors to look at what really matters and no more, which increases the probability of identifying errors and should reduce the overall amount of work needed. The alternative to risk-based auditing is conducting huge amounts of detailed testing which is hopelessly inefficient. Auditors use their judgement to work out where errors are most likely to occur, the exact nature of the likely errors, and they concentrate their audit efforts on looking for those errors. Risk-based auditing should be efficient and effective in terms of audit quality, and therefore profitable, provided of course that fees are commensurate with the work required. Ideas as to what constitutes a risk-based audit have changed over time and, quite rightly, each generation looks at what the previous generation did and thinks it can do better. This is one reason why the term ‘risk-based auditing’ feels overused. The focus of risk-based auditing is on ‘what really matters’. There is increasing awareness, however, of how performing procedures that are not essential affect this. The ‘… and no more’ element of the equation is important. Regulators naturally tend to focus on what auditors have failed to do and auditors are far more likely to be criticised for

c04.indd 47

3/18/2014 7:26:15 AM

48

Core Auditing Standards for Practitioners

… Regulators naturally tend to focus on what auditors have failed to do and auditors are far more likely to be criticised for under-auditing … than for over-auditing or excessive ­documentation. Regulator behaviour drives auditor behaviour but simply adding to the work required all the time is not necessarily a recipe for audit efficiency …

under-auditing or documenting in unfamiliar areas, than for over-auditing or excessive ­documentation. Regulator behaviour drives auditor behaviour but simply adding to the work required all the time is not necessarily a recipe for audit efficiency. 4.1.2  Over-auditing low risk areas is a distraction: it diverts attention from more significant risks

When businesses change, auditors may well pay a lot of attention to dealing with new systems, products, markets or assets, but less attention is paid to what might be done to modify the approach to existing systems, products, markets or assets. Where a business is expanding, it may well be possible that everything that was done before still has to be done. But the natural tendency is to assume that this is always the case which, in the long run, is a recipe for ­inefficiency, a failure to identify or deal with significant risks, under-auditing in high risk areas, over-auditing in low risk areas, problems with regulators and ultimately a lack of profitability. … Over-auditing is the enemy of risk-based auditing because resources expended on redundant procedures divert attention from other potentially more risky areas … over-­ auditing is almost inevitable over time if auditors make no conscious effort to deal with it …

Over-auditing is the enemy of risk-based auditing because resources expended on redundant procedures divert attention from other potentially more risky areas. Underauditing and over-auditing at the same time are common, sometimes even in the same area, but dealing with the under-auditing problem is, perversely, probably far easier in most cases than dealing with over-auditing. Worse still, over-auditing is almost inevitable over time if auditors make no conscious effort to deal with it.

4.1.3  Over-auditing: harder to tackle than under-auditing and a threat to audit quality Deciding that something done previously was unimportant or unhelpful, or that a procedure was redundant and can be abandoned, takes courage. Such decisions attract attention and they are very likely to be questioned, particularly if they are read as implying criticism of whoever performed the audit in previous periods. Add to this the fact that in larger firms, the person who took responsibility for the audit in prior periods may well be the person performing a review in subsequent periods, and the dangers of rocking the boat become clear. Younger, more inexperienced auditors simply

c04.indd 48

3/18/2014 7:26:15 AM



Section 4 – Understanding the Entity and Assessing Risk

49

don’t want to go there. Better to do something ‘just in case’ than have to explain why you haven’t. A fear of attracting unwanted attention, inertia and the pressure of budgets, time constraints, checklists and the demands of methodologies – all conspire to push auditors into taking the same approach to every audit. This cycle has to be broken at some point if risk-based auditing is to work. But this is not the same as saying that auditors need to start with a blank sheet of paper and re-invent the wheel every year. Using the prior year file as a starting point is a very effective approach, as those using paper-based systems which do not automatically roll-forward the prior year’s file will testify. Omissions are an ever-present risk in such cases. But using the previous year’s file as a starting point is just that, a starting point. Auditors also need to allow time to consider the following: • whether the existing approach to a particular area is still the most effective way of dealing with it – such as where the response rate to a receivables circularisation has been slowly declining, or where an area of increasing importance which in the past was poorly controlled, now has new staff and systems in place; • whether the existing mix of detailed procedures and the balance between tests of controls and substantive procedures still represent the optimum mix of sufficient, appropriate audit evidence; • whether sample sizes and sample selection procedures remain appropriate; • the possibility that a particular risk might have increased, diminished or disappeared altogether; • whether there are any new risks and, if there are, whether they are sufficient to warrant assessment. High level risks that threaten the business as a whole – such as potentially major competitors trying to gain a foothold in a market – can ‘hover’ on the horizon for a long time before they become a ‘real’ problem and judgement is needed to determine when the potential threat becomes a real risk. Judgement is also needed to determine when lowlevel creeping change in a business, such as a loss of staff and the slow deterioration in systems in a particular area, warrants a change of risk assessment or a change of approach. All of these examples are significant judgement calls and engineering change is a thankless task at the best of times, especially when fees are under pressure. In the long run though, doing nothing probably costs more. File reviews within auditors’ quality control systems should address some of these issues, but for smaller audits there can be a long gap between these reviews. If a small amount of time can be built into an audit to consider whether there are any procedures that might be redundant, and redundant procedures are eliminated, it may be easier for auditors to face the need for more work in areas that do become more of an ‘issue’ over time.

c04.indd 49

3/18/2014 7:26:15 AM

50

Core Auditing Standards for Practitioners

4.1.4  Understanding the entity, assessing risk and responding to it The key to good risk assessment is understanding the entity. Only if auditors understand an entity can they assess risk properly. When ISA 315 was last revised, its name was changed from: Understanding the entity and its environment and assessing the risks of material misstatement to: Identifying and assessing the risks of material misstatement through understanding the entity and its environment This shift reflects the fact that understanding and risk assessment is a continuum and an iterative process, rather than a sequential one in which understanding the business and risk assessment are separate exercises. In practice, the risk assessment changes as the auditors’ understanding of the business changes. Even if there is no formal change to the broad level of risk assessed in a given area, an awareness of changes within different categorisations of risk assessment is important, particularly on the margins. Similarly, while this section deals primarily with ISA 315 on risk assessment through understanding the business, and the next section with ISA 330 on responses to assessed risks, the two ISAs operate in tandem.

4.1.5  ISA 315: too long, too complicated, too focused on internal control . . . ISA 315 is currently one of the longest and most complex ISAs, although in truth it is hardly rocket science. When it was first issued by IAASB over a decade ago, adapting to its requirements represented a significant challenge for many auditors. Any significant change in regulation is hard for firms that are already struggling. Some practitioners decide … ISA 315 requires all to retire early and some firms decide that they ­auditors on every audit to no longer want to be involved in the regulated understand both the design activity when these major changes happen. and implementation of an Importantly though, for those who remain, ­entity’s ­internal controls it is very easy to blame pre-existing ­problems … some ­auditors assume on the changes. Some of the ­problems practithat the work that they are tioners have with the internal control requirerequired perform in this area ments of ISA 315 were in fact problems ­automatically e ­ ntitles them to before ISA 315 was introduced. ISA 315 is rely on the relevant internal clear about the assumption that no business, however small, can operate without internal controls. Auditors can only controls, and that auditors need to be familiar rely on c­ ontrols … if they with these controls, even if they do not test decide to complete the final them and take a wholly substantive approach. stage, which is testing of But this was not a completely new idea in controls … many jurisdictions, even a decade ago.

c04.indd 50

3/18/2014 7:26:15 AM



Section 4 – Understanding the Entity and Assessing Risk

51

ISA 315 requires all auditors on every audit to understand both the design and implementation of an entity’s internal controls, regardless of the audit approach. The requirement is intended to ensure that auditors properly understand the relevant risks and to enable them to design appropriate audit procedures. But understanding the design and implementation of controls does not entitle auditors to rely on them. This causes confusion because some auditors assume that the work that they are required to perform in this area automatically entitles them to rely on the relevant internal controls. Auditors can only rely on controls and reduce the level of substantive procedures they perform if they decide to complete the final stage, which is testing of controls (compliance tests). 4.2  What the Regulators Say Barring over-reliance on management representations, regulators across the world have more to say about risk assessment and understanding the entity than just about any other area. Some technical issues become topical hot potatoes from time to time and then fade away. Risk assessment is not one of them. 4.2.1 AQRT A recent AQRT1 report on audit inspections identifies inadequate approaches to risk assessment and inadequate assessments, in the areas of groups, fraud and revenue recognition. This will not come as a surprise to most practitioners and poor documentation of these risks is common. The report also notes some inappropriate responses in areas assessed as low risk. Low risk is not the same as no risk, and only no risk means no audit work. 4.2.2 QAD Risk assessment issues are not new. Well before the UK adopted ISAs, the QAD2 reported that risk assessment procedures were sometimes weak and that the documentation of identified risks generally was inadequate both as a record of the work performed and as a support for conclusions reached. When ISA 315 was first adopted in the UK in 2005, the QAD reported that a number of issues were not always properly addressed, including: • the documentation of relevant internal controls; • a lack of evidence of work on the implementation of internal controls, such as walkthroughs; • inadequate consideration of the risk of fraud in revenue recognition. 1

2

c04.indd 51

Audit Quality Review Team of the FRC, formerly the Audit Inspection Unit (AIU)—inspects listed and other public interest audits in the UK. Audit Quality Inspections 2011/2012 www.frc.org.uk. Quality Assurance Department of ICAEW—inspects audits not covered by the AQRT.

3/18/2014 7:26:15 AM

52

Core Auditing Standards for Practitioners

These issues continue to crop up in regulatory inspections but the position overall seems to have improved over time, as those auditors who never really adapted to the changes either ceased to perform audits or retired, and more recent reports make fewer references to some of the issues above. 4.2.3  Other regulators The Malaysian Auditor Oversight Board and Singapore’s Accounting and Corporate Regulatory Authority have both highlighted the following in recent reports: • a failure to properly assess risk at all; • a disconnect between assessed risk and procedures performed; • a disconnect between procedures performed, conclusions reached and reporting. Joined-up Audits A disconnect between understanding the business, risk assessment, response and reporting is an important undercurrent in the reports of many regulators. If auditors fail to understand the business, the audit fails at the first hurdle. There is no possibility of a proper risk assessment or response. But even where auditors do understand the business – and it is probably fair to say that in the vast majority of cases auditors do at least attempt this – they do not always link the risk assessment to their understanding. And even where these two are linked, it is very common for regulators to observe that auditors continue to perform the procedures they have always performed, instead of addressing the risks they have assessed.

A recent Australian Securities and Investments Commission Audit Inspection Program Report3 notes that areas of focus in future inspections will include: • auditor understanding of the entity’s business model; • risk assessment for individual engagements; • auditor interactions with audit committees to ensure that key risks are included in the audit strategy. 4.2.4  IAASB’s ISA Implementation Monitoring project A recent report on IAASB’s ISA implementation monitoring project4 notes that respondents to various surveys undertaken in this area were concerned about inconsistencies in the nature and number of significant risks identified by auditors in practice. Respondents, who included auditors and professional bodies as well as regulators, also noted that auditors seem to have difficulties in applying the requirement to obtain an understanding of internal control. 3 4

c04.indd 52

Report 317 December 2012 www.asic.gov.au. The Clarified ISAs—Findings from the Post-Implementation Review A three-year project designed to assess the effects of clarified ISA implementation www.ifac.org.

3/18/2014 7:26:15 AM



Section 4 – Understanding the Entity and Assessing Risk

53

The IAASB has long been aware that the requirements regarding internal control are particularly problematic for auditors of smaller businesses. To date, there have been some heroic attempts to make the requirements work for smaller audits by professional bodies, some standard-setters and the SMP Committee of IFAC, but little thought has, as yet, been given to how the requirements themselves might be changed. 4.3  What Practitioners Say 4.3.1  The importance of a risk-based audit Despite the problems associated with the requirements of the ISAs covering risk assessment, and there are many, few practitioners disagree with the basic concept of riskbased auditing. The main complaint is that despite the claim of reliance on auditor judgement in risk assessment, some ISAs, including those dealing with risk, are in fact quite prescriptive, not least in terms of how they direct auditors to use their judgement. 4.3.2  Why so much emphasis on internal control? Practitioners have very different views on risk assessment. ISA 315 sits more easily with larger entities partly because the internal control framework on which it is based is the US COSO framework,5 which sets out five components of an internal control system that was designed to accommodate a huge range of entities, including the very largest. Despite this, the framework is remarkably simple – it had to be to gain acceptance – and it has stood the test of time with little fundamental change since it was first developed in 1992. The components are: • the control environment; • the entity’s risk assessment process; • the information system; • control activities; • monitoring of controls.6 Applying these categories to smaller entities is not so difficult – indeed the ISA permits the use of other classifications but most methodologies use this one. Much of what is described as internal control within this framework – particularly within the information system category – might once have been referred to as the accounting system. The owners and managers of all entities have some sort of risk assessment in place, albeit informal and undocumented in the case of some smaller entities, and the control environment and monitoring of controls in such entities can be seen as largely about management’s overall attitude to systems and processes. Few practitioners find these concepts difficult. Many do, however, query the need for a formal assessment of the design and implementation of this relatively elaborate structure when 5

6

c04.indd 53

The COSO Framework is a long and well-established US framework of controls originally designed in the 1980s, partly in response to a number of high profile frauds www.coso.org The 2013 revision to the COSO Framework left the five control components unaltered.

3/18/2014 7:26:15 AM

54

Core Auditing Standards for Practitioners

All internal controls Relevant internal controls Controls to be tested Figure 4.1

the only controls that can in fact be tested – the control activities such as bank reconciliations and the use of pre-numbered documents – are not in fact tested because they are performed or checked on an ad-hoc basis. A large part of ISA 315, nearly half, deals with internal control. This includes the requirements in paragraphs 11 to 24, i.e. 13 requirements out of a total of 27. This seems like a lot but it is important to remember that: • ISA 315 was redrafted (clarified) in 2010 and is now substantially easier read than it used to be; • auditors are only required to understand the design and implementation of relevant controls, not all controls. Relevant controls are those that affect the risk assessment and design of audit procedures, and testing of controls is only required when it is expected that they are strong enough to be relied on. Figure 4.1 shows the three main categories of each control component. Auditors need only concern themselves with the latter two categories of control. They need to understand the design and implementation of all relevant controls, some of which they may decide to test. 4.3.3  Documenting the auditors’ understanding of the entity Regulators readily admit that auditors usually do understand the entities they audit, and are aware of the nature of the risks of error in the financial statements. Nevertheless, the fact that auditors do not always document these issues remains a problem. There are many reasons why auditors fail to document their work, the most common reason being that they are familiar with the entity. Its workings are so blindingly obvious to them, that recording it all seems superfluous. There is often a mismatch between the informal manner in which auditors go about understanding the entity and formulating the risk assessment, involving many casual conversations, and the more regimented manner in which ISA 315 approaches understanding the entity and risk assessment. Where this mismatch is substantial, auditors can be at a loss as to how to record what they know and think in a way that will demonstrate compliance. 4.3.4  Presumptions in ISAs about risk In a few cases, ISAs can appear to dictate the outcome of the risk assessment, regardless of the particular circumstances of the entity. A failure to deal with these ‘presumed’

c04.indd 54

3/18/2014 7:26:15 AM



Section 4 – Understanding the Entity and Assessing Risk

55

risks is a recurring issue noted by regulators despite the fact that the following are still rarely straightforward in any audit: • the rebuttable presumption of a risk of fraud in revenue recognition; • the presumption of a risk management override of controls in all cases; • the presumption that all risks of material misstatement due to fraud are significant risks. ISA 240 on fraud states that there is a rebuttable presumption of a significant risk of fraud in revenue recognition. Regulators complain that practitioners sometimes simply ignore the presumption, or mark the risk as ‘not applicable’, rather than giving a reason rebutting the presumption.7 Presumptions aside, auditing for the completeness of income is one of the most difficult assertions to deal with. Auditors must test from somewhere outside the population of sales – such as a list of customers or prior year balances for example, both of which have their limitations – back to sales. It is just more important to get this right when auditors cannot, or decide not to, rebut the presumption of fraud in revenue recognition. In some smaller audits, particularly those of owner-managed businesses, these presumptions can seem pointless, particularly if the entity is well-known to auditors. The rights and wrongs of these issues aside, the important matter is that the presumption must either be rebutted, if that is permitted and possible, or addressed. Auditors cannot simply ignore them. Unfortunately, a low risk of fraud in revenue recognition is not the same as no risk of fraud, and it can be quite hard to prove that some sort of fraud in revenue is not a possibility. In practice, this means that the risk often has to be addressed, even where it is low, and the additional procedures required in such cases can seem disproportionate.

4.4  What the Standards Say Risk assessment is the core of most audits. It is the central phase of audit planning coming after the preliminary information gathering exercise and before designing the response. Figure 4.2 gives an overview of the relationship between understanding the entity and the rest of the risk assessment and evidence-gathering process. Figure 4.3 lists some of the more important ISAs at the planning stage of the audit. This is not meant to be an exhaustive list but it does demonstrate that the risk ISAs are not the only ISAs relevant to planning. 4.4.1  Understanding the entity and risk assessment: how they interact In theory, understanding the entity and risk assessment ought to be a sequential process. For example, auditors might understand that inventory is slow-moving, which may lead to an assessment of a risk of error in the inventory valuation arising from obsolete inventory, and tests being performed on slow-moving inventory.

7

c04.indd 55

This is noted in the QAD report Audit Monitoring 2011 www.icaew.com.

3/18/2014 7:26:15 AM

Core Auditing Standards for Practitioners

56

Understand the entity in order to ... ... perform risk assessment requiring mandatory work on ...

- analytical procedures - design and implementation of controls

... design further audit procedures

... tests of controls i.e. compliance tests, or tests of the operational effectiveness of controls

... substantive procedures which may include analytical procedures

Figure 4.2

Understand the entity • ISA 315 on risk assessment • ISA 240 on fraud • ISA 540 on estimates • ISA 600 on groups

Assess risk • ISA 315 on risk assessment • ISA 240 on fraud • ISA 600 on groups

Design tests in response to risk • ISA 330 on responses to assessed risks • ISA 540 on estimates • ISA 600 on groups

Figure 4.3

In practice, understanding the entity, risk assessment and the design of tests work together as an iterative process, like a game of leap frog. Understanding facilitates risk assessment, and that facilitates the design of tests, but understanding invariably begs further questions, the answers to which further enhance understanding, as do the results of tests. Both in turn facilitate a refinement of the risk assessment. And so on.

c04.indd 56

3/18/2014 7:26:15 AM



Section 4 – Understanding the Entity and Assessing Risk

57

Example of how understanding the entity and risk assessment work in practice Understanding the entity

Auditors identify slow-moving inventory

Risk assessment

This could indicate a risk of error in inventory valuation. Why is inventory slow-moving?

Understanding the entity

Inventory constitutes spare parts for highly specialised machines

Risk assessment

Inventory could become obsolete with low net realisable value. What is the expected life of these machines?

Understanding the entity

The machines have a long life and demand for spare parts will remain high

Risk assessment

This may indicate a lower level of risk Can management back up these assertions?

Understanding the entity

Review sales of these parts at the beginning of the subsequent period to confirm strong net recoverable values when they are sold

Risk assessment

Lower risk confirmed

4.4.2  Understanding the entity: focusing on what is important by ignoring what is irrelevant There is a lot to understand about many entities. Auditors cannot and should not try to understand everything. A key skill involves identifying what can and should be ignored, however interesting it might be. While auditors do need a bird’s-eye view of a business, they also need to focus on those matters that are likely to affect the financial statements. A broad but shallow understanding of everything may overlook critical risk areas. Some operational and regulatory issues may be fascinating but auditors will rarely need a detailed understanding of the following example areas because they are generally too far removed from the audit to be of real audit significance: • data mining techniques that facilitate an understanding of the detailed buying patterns of supermarket customers and how they affect the decisions of buyers and those who control advertising spend and promotional activities; • analyses of the effectiveness of advertising campaigns; • the regulatory requirements affecting the day-to-day operations of airlines and others operating in highly regulated areas. Auditors need to understand that such areas may be critical to the operations of an entity, but unless they are likely to result in a major change in the business, or are going badly wrong, auditors only need an overview. When things do go wrong, specialist help may well be required. ISA 315 has extensive requirements on what auditors need to understand as well as the processes that they need to undertake to obtain their understanding. It is worth

c04.indd 57

3/18/2014 7:26:15 AM

58

Core Auditing Standards for Practitioners

remembering the objective of ISA 315: to identify and assess the risks of material misstatement arising for whatever reason, be it error or fraud, by understanding the entity and its environment, and thereby providing a basis for designing and implementing responses to those risks. In other words, auditors must understand the entity in order to assess risks and design tests. This may seem obvious but auditors often find themselves trying to understand something that assists with none of these, and they are wasting their time! Experienced auditors should be good at honing in on what matters to the financial statements and ignoring other issues, however important they may appear to be to others, including management. But it can be hard at the best of times to keep this in mind and stay focused. Overview of ISA 315  There are 14 paragraphs of requirements in ISA 315 relating to understanding the entity. An astonishing 13 of those paragraphs relate to understanding internal control. Only one, paragraph 11, addresses other issues. Even if internal control is read as including the accounting system, this statistic is massively misleading if it is taken to reflect the importance of understanding the entity beyond internal controls. Paragraph 11 is a long one and there are 25 paragraphs of application material supporting it. Understanding of the entity is vital to help auditors identify where there are risks of error. In practice, there are different levels of understanding: an individual auditor can gain an understanding of a business during the course of one audit. That individual’s understanding is likely to be much deeper after the third year of the audit. An auditor close to retirement is likely to have a greater breadth and depth of general understanding of how a business works than a junior partner. While the engagement partner may sign the audit report, in many jurisdictions the reporting firm as a whole is deemed to take responsibility for the audit. The collective knowledge of the firm as a whole can be regarded as being brought to bear on the audit in such cases. Example of Understanding the Entity Proton Construction This company undertakes construction work, primarily for medium sized businesses and local government. Typical contracts are fixed price and take between six months and two years to complete. Stage payments are made monthly to Proton Construction by agreement with their customers’ surveyors. The construction business is heading into a cyclical downturn. With these limited basic facts to hand, auditors should nevertheless quickly identify that the risks of error might be in the following areas: • completeness of income: does Proton have the right revenue recognition accounting policy and is it applied properly? • work in progress: is it properly accounted for and is it recoverable? • future losses: are they considered and recognised where relevant? • cash flow: are any going concern issues properly disclosed?

c04.indd 58

3/18/2014 7:26:15 AM



Section 4 – Understanding the Entity and Assessing Risk

59

The point of this simple example is to demonstrate the value of understanding the entity, including the industry in which it operates, and the relationship between understanding and risk assessment. Understanding the industry and the wider economy, i.e. the environment in which the entity operates, allows auditors to focus on areas whose significance are likely to change, and risks are often enhanced when the economy or an industry are in decline, as well as in periods of rapid growth. Risk assessment is a judgement and judgements are easily challenged, which is why documentation of the rationale for risk assessment is particularly important. Auditors might have assessed the risks properly and designed the correct procedures, but without the right documentation of how the business works it will not be possible to demonstrate that they got it right, if challenged. What auditors need to understand, why it matters, what might not matter  Internal controls aside, the main areas that auditors need to understand under ISA 315 are set out in Table 4.1. The table also gives practical examples of how each area could influence risk assessment. Table 4.1 is not exhaustive and the issues noted are unlikely to be relevant in all cases. The extent of auditor understanding should be limited to what is needed to assess risk and design and perform tests. In practice, auditors occasionally have to investigate an area to determine whether it does have an effect, but this is most likely in emerging areas or with new technologies. Table 4.1  What Auditors Need to Understand, Why it Matters, and What Might Not Matter Relevant industry, regulatory and other external factors What auditors need to understand Industry conditions: is the market competitive? Is it seasonal? Is there anything unusual about the product or service? Does it involve cutting-edge technology, for example?

Examples of why it matters, and what might not matter If an entity manufactures products utilising ­cutting-edge technology such as computer chips, auditors need to understand the impact of that technology on the financial statements. Will the value of inventory decline quickly as products become out of date? Could the business be left behind or have going concern problems? Auditors will need to obtain a thorough knowledge of the product and industry, otherwise they will not be in a position to address these issues. If, on the other hand, an entity uses cutting-edge or unusual technology in the production of high-end furniture, for example, its design and manufacture might be unique, but this is unlikely to be of interest to auditors because it does not directly affect the financial statements. Auditors do not need to understand this manufacturing process any better than any other. (continued)

c04.indd 59

3/18/2014 7:26:16 AM

60

Core Auditing Standards for Practitioners Table 4.1  (Continued) Relevant industry, regulatory and other external factors

What auditors need to understand

Examples of why it matters, and what might not matter

Regulatory factors: does the entity ­operate in any highly regulated areas such as financial services, alcohol licensing, waste disposal or hazardous chemicals, for example?

Where an entity is regulated, auditors need to understand the regulation in sufficient detail to be able to determine its potential impact on the financial statements. If an entity has a licence to serve alcohol, for example, auditors need to understand what might lead to the loss of the licence, and the impact such a loss would have on the financial statements. Auditors need to know about regulation that has a fundamental impact on the operations of an entity. Some laws or regulations will not be relevant to the audit. Most businesses are required to comply with some elements of health and safety legislation, and any business with motor vehicles will be affected by the normal legal requirements to tax and insure them. The effects of non-compliance with such legislation are rarely material to the financial statements and the risk of related material misstatements is therefore generally low. Auditors need to be aware of such legislation, but they do not need to understand it in detail.

Other external factors: are there other general economic factors that might affect the entity, such as inflation or deflation, high or low i­nterest rates, exchange rates, problems with the availability of finance or cheap credit, or low or negative growth? Are there other external market factors that might affect the entity?

Auditors need a good general understanding of other external factors, and of how they affect individual businesses, in all audits. Most businesses are affected to some extent by general economic factors, some are much more susceptible to changes in specific markets. For example, when auditing a property developer that needs to refinance the business during a recession, auditors need to be aware of the general economic factors that are likely to cause difficulties. When the economy is growing and banks are keen to lend, while there is less likely to be a going concern risk arising from cash flow problems, auditors need to be aware of the risks associated with over-expansion, which include different types of going concern considerations. Some entities are less susceptible to changes in the wider economy, such as those dealing in luxury goods, certain commodities, those with captive markets and those with no borrowing or foreign sales. These entities may however be susceptible to changes in technology, which may render commodities obsolete, and changes in fashion, for example. All-purpose documentation relating to general economic factors relevant to most audits is of little use in these cases and more specific information is needed about the market in which the entity operates.

c04.indd 60

3/18/2014 7:26:16 AM



Section 4 – Understanding the Entity and Assessing Risk

61

The nature of the entity What auditors need to understand

Examples of why it matters, and what might not matter

The entity’s operations including:

The auditors of an entity selling ‘revolutionary’ cleaning products through concession stands in large retailers do not necessarily need to understand how well, or why, the miraculous cleaning products work. Instead, auditors need to understand the contractual arrangements between suppliers and the customers. Is the product held by the retailer as consignment inventory? Who controls pricing? How is revenue accounted for and remitted?

• sources of revenue • products, services and markets • alliances, joint ventures and outsourcing activities • involvement in e-commerce • geographic dispersion • industry segmentation • key customers and suppliers • employment practices • research and development activities.

The entity’s ownership and governance Different ownership structures result in different structure and its legal form. pressures on management. An owner-managed business might feel little pressure to produce a large profit, but it might be interested in tax mitigation. Auditors need to understand ownership, governance and legal structures: • for risk assessment purposes • so that they can conduct and design appropriate audit procedures • so that they conduct the audit efficiently by directing inquiries to the right people. If an entity has an unusual corporate or legal structure, auditors need to understand the applicable accounting requirements and types of error that might arise in the financial statements. Proposed and current investments

Understanding what the entity’s plans are for investment in other entities, financial assets and property, plant and equipment can alert auditors to the possibility of incentives to manipulate reported results to progress these plans. Accounting policies

What auditors need to understand

Examples of why it matters, and what might not matter

How does the entity deal with significant or unusual transactions?

Errors and fraud often involve unusual transactions. For example, if a property developer sells a plot of land and exchanges contracts it would be unusual for legal completion to be scheduled to take place after five years. To assess risk for such a transaction and to provide evidence supporting the relevant accounting treatment, auditors need a detailed understanding of the contract, the circumstances of the transaction and its purpose. (continued)

c04.indd 61

3/18/2014 7:26:16 AM

62

Core Auditing Standards for Practitioners Table 4.1  (Continued) Accounting policies

What auditors need to understand

Examples of why it matters, and what might not matter Auditors would be much less likely to need a detailed knowledge of the nature of contracts for sale between a shoe manufacturer and a shoe retailer. Such transactions are neither significant nor unusual. A property transaction, however, that might be routine for a property developer might be significant or unusual in the case of the shoe manufacturer. This may be an obvious example but it demonstrates the necessary variations in the approach to understanding the entity from audit to audit.

Changes in accounting policies

If an entity changes its accounting policy for revenue to recognise it earlier, this could indicate a higher level of audit risk. Changes in policies often represent a risk in themselves, and changes that enhance profits can always represent a fraud risk if management is seeking to manage earnings aggressively, for example. If the change in policy is a result of a change in an accounting standard, similar risks arise, in addition to the risks of error in interpreting the standard and in the disclosures relating to changes of accounting policy. If there is no change in policy where there should be one arising from a change in accounting requirements, a risk of error also arises.

The entity’s objectives and strategies and related business risks What auditors need to understand

Examples of why it matters, and what might not matter

How the entity conducts its business in A chain of restaurants may have a policy of operatthe context of industry, regulatory and ing through large premises encouraging a broad other internal and external factors. range of customers. Low price may be a key focus and the chain may buy drinks in bulk. Some drinks may have a short shelf life. It is important for auditors to understand this because there may be high inventory levels and management may fail to identify some of the drinks as un-saleable. Other aspects of the entity’s business plan are less relevant to auditors. Low profit margins do not tend to represent a greater level of audit risk than high margins, but high levels of perishable goods can be a problem. What are the entity’s plans for the future?

c04.indd 62

Continuing the example above, if the chain of restaurants is buying up premises across the county with the intention of opening 10 new units next year, auditors need to understand this but only in so far as risks relating to over-expansion and financing are concerned. If the chain is funding the expansion through bank borrowing, there is an incentive for management to show the best possible results in the entity’s financial statements.

3/18/2014 7:26:16 AM



Section 4 – Understanding the Entity and Assessing Risk

63

Measurement and review of the entity’s financial performance What auditors need to understand

Examples of why it matters, and what might not matter

Performance measures that influence the behaviour of management

Bonuses based on an entity’s reported profits always incentivise management to show the best results that they can. This is often a significant fraud risk. The example may be obvious but auditors ignore the risk more often than might be expected.

4.4.3  Understanding the entity: internal controls Overview of internal controls  The basic requirement is for auditors to understand all internal controls that are relevant to the audit. Not all internal controls are relevant to the audit, so auditors have to identify those controls that are relevant and those that are not. A relevant internal control is one that auditors need to understand in order assess risk and/or design further audit procedures. Auditors must understand the design and implementation of relevant internal controls regardless of whether they intend to rely on internal controls or conduct an audit consisting entirely of substantive procedures.

… Not all internal controls are relevant to the audit, so auditors have to identify those controls that are relevant and those that are not. A relevant internal control is one that auditors need to understand in order assess risk and/or design further audit procedures. Auditors must understand the design and implementation of relevant internal controls, regardless of whether they intend to rely on them or conduct an audit consisting entirely of substantive procedures …

Understanding design and implementation requires a combination of inquiry, observation, inspection and walk-through procedures. Only when auditors intend to rely on the effective operation of controls to reduce substantive procedures are they then required to complete the third step, which is to test controls. Figure 4.4 shows what auditors are required to do with respect to relevant controls.

What are internal controls?  It is helpful to start by looking at the five components of internal control dealt with in ISA 315 and summarised below. It is often useful to ‘Relevant’ internal controls

All audits

• Those controls it is necessary to understand to assess risk and design audit procedures • Understand the design and implementation of relevant internal controls

Audits in which • Perform tests of controls auditors intend to rely on internal controls Figure 4.4

c04.indd 63

3/18/2014 7:26:16 AM

64

Core Auditing Standards for Practitioners

plan and document work on internal controls using this structure, and certainly easier where audit software or paper-based methodologies use this structure, which most do, but contrary to popular belief, using the five headings is not mandatory, provided that all relevant elements are covered. For some smaller entities with fewer formal internal controls, it can sometimes be easier to ignore this structure and use ‘a blank piece of paper’ when considering and documenting how internal controls work. When auditors think of internal controls, they often think of control activities such as account reconciliations, document counts and sequence checks. Control activities are just one of the five components of internal control now dealt with by ISA 315. Many of those who studied the subject many years ago had it drummed into them that a control was a check or process on another system. Such control activities are still described as controls, but they are only part of an entity’s overall ‘internal control’. The issue is one of language. The term ‘internal control’ (singular) is now used to refer to internal controls or control in the broadest sense, encompassing all five components. To re-iterate, the five control components are: • the control environment; • the entity’s risk assessment process; • the information system; • control activities; • monitoring of controls. The five internal control components are shown in Table 4.2 together with a description of the their nature, the procedures that auditors might undertake to gain an understanding of them, and their impact on the audit. Understanding the design and implementation of controls: is it really necessary?  One of the more contentious aspects of ISA 315 is its requirement for auditors to understand internal control, regardless of whether tests of control are to be performed. ISA 315 requires auditors to understand and evaluate the design of internal controls and determine whether they have been implemented in all cases. Part of the apparent problem is that much of what would once have been described as an accounting system, which auditors have always expected to understand in some detail, is now referred to as an information system, which is classified as an internal control component. ISA 315 specifies that understanding design and implementation must be achieved by performing procedures which include: • inquiry of the entity’s personnel; • inspection of documents; • observation of procedures; • tracing transactions through the system (walk-through procedures). ISA 315 states that inquiries alone are insufficient to understand design and implementation. One of the other procedures needs to be used to corroborate explanations.

c04.indd 64

3/18/2014 7:26:16 AM

Table 4.2  Internal control

Description

Relevant procedures

Impact on the audit

Control environment

The control environment is how the entity approaches internal control overall. It encompasses the governance and management functions and the attitudes, awareness, and actions of those charged with governance and management. The guidance in ISA 315 suggests that it is about the tone of an organisation, and how management influences the ‘control awareness’ of staff.

In most smaller entities, much of the auditors’ understanding of the control environment will be gained from the information provided in response to inquiries of management and other relevant personnel. In larger, entities there are also likely to be written procedures and manuals to refer to but auditors are aware of the difference between what is supposed to happen, and what actually happens. The views of less senior personnel may well be important.

In simple terms, if management, those charged with governance and senior staff, have a culture of ‘doing things properly’, the risk of material misstatement changes. If the control environment is weak, the risk is usually higher.

In smaller audits, this often amounts to little more than the general attitude of management to running the business and their attitude towards specific controls. Do they regard them as a nuisance, or do they see value in them?

Auditors must always evaluate the control environment even where there is little evidence to support the assessment, other than inquiries of management and observations regarding the ‘tone at the top’.

Most owner-managers of smaller businesses do not think they have a risk assessment process, but they do. Assessing the risks facing the business is often an informal and instinctive process involving many discussions, but owner-managers may not write anything down. Inquiries of owner-managers should give auditors a good idea of whether they are aware of the risks the business faces.

Auditors should make inquiries about any formal risk assessment processes. If they exist, further inquires to establish the nature and effectiveness of those processes relevant to financial reporting are needed.

The entity’s risk assessment process

In all audits, the auditors’ past experience of the entity and gut instinct will be a factor. Where possible, this should be backed up with evidence. A good quality formal risk assessment process is likely to enhance the quality of the auditors’ own risk assessment process.

(continued)

 65

c04.indd 65

3/18/2014 7:26:16 AM

Table 4.2  (Continued) Internal control

Description

Relevant procedures

Impact on the audit

To understand relevant elements of the information system, auditors make inquiries, examine documents, observe relevant procedures and perform walk-through procedures to ensure that their understanding is correct, and that the system has actually been implemented.

In all audits, auditors are likely to focus their efforts here, regardless of whether a substantive audit approach is to be adopted. Auditors will need to understand the information system in order to properly design the relevant substantive procedures.

As with the information system, auditors obtain an understanding of control activities through inquiry, examination and observation and walkthrough procedures.

The key issue is identifying which internal controls are relevant. ISA 315 suggests that they are those that auditors think it necessary to understand with a view to assessing the risks of material misstatement and designing further audit procedures.

In larger entities there may be some sort of formally constituted risk management function as part of a formal corporate governance process. The function might be charged with identifying and evaluating different categories of risk, including risks relevant to financial reporting, and proposing actions to manage them. The information system, including the related business processes, relevant to financial reporting

ISA 315 specifically requires auditors to understand the following elements of the information system, much of which would once have been described as the accounting system, or perhaps the books and records: • classes of transactions that are significant to the financial statements • procedures relating to how those transactions are initiated, recorded, processed, corrected and posted • the accounting records and information supporting those transactions • how systems capture other matters that are significant to the financial statements • the process used to prepare the financial statements, including significant accounting estimates and disclosures • controls over journal entries.

Control activities relevant to the audit

ISA 315 describes a control activity as a policy or procedure that helps ensure that management directives are carried out. Control activities include segregation of duties, authorisation controls, physical controls and information processing controls such as pre-programmed document counts and sequence checks on invoice runs, bank reconciliations and the maintenance of control accounts.

66

c04.indd 66

3/18/2014 7:26:16 AM

Table 4.2  Internal control

Description

Relevant procedures

Impact on the audit Auditors do not require an understanding of all control activities. Auditors intending to rely on these control activities by performing compliance tests on them will of course need to understand them in some detail. Where a substantive approach is taken then there will be fewer relevant control activities.

Monitoring of controls

This process assesses whether controls are functioning and effective. Once again, many smaller entities may not appear to have such controls but in practice, they do engage in activities designed to make sure that the systems are operating as they should.

For all audits, auditors should obtain an Auditors should consider informal as understanding of the ways in which enti- well as formal controls. A great deal ties monitor internal financial controls. of comfort can be obtained where, for example, there is a well-resourced Larger entities may have internal audit and properly managed internal audit functions which auditors need to under- function, a periodic review of systems stand. In smaller entities, the process by management, or systematic routine might involve a combination of day-tochecks on the proper performance of day oversight, and some sort of periodic control activities, such as daily bank or appraisal function by the owner-manager, cash reconciliations in organisations that possibly with the help of accounting process large volumes of cash. software providers, for example.

 67

c04.indd 67

3/18/2014 7:26:16 AM

68

Core Auditing Standards for Practitioners

Example of Understanding the Design and Implementation of Controls Bakersfield IT Bakersfield IT sells computer hardware via its website and call centres. The auditors meet the finance director and the sales ledger manager in order to understand the sales system. At this stage, all that the auditors have done is to inquire into the design of the internal control relating to the sales system. They still need to record it, evaluate it and see whether it has been implemented properly. After making these inquiries, the auditors document the systems using narrative notes and take copies of Bakersfield IT’s own internal systems records. They record the following, which describes that part of the sales system that processes orders from existing Bakersfield account holders: 1. the order arrives through the website or over the phone; 2. any agreed discounts are checked to what is permitted for that customer on the system. New discount arrangements are referred to the sales manager; 3. the sales team check with credit control to ensure that there is sufficient credit on the account to accommodate the transaction; 4. once approved, credit control finalises the sale on the system and create a delivery note and sales invoice; 5. following this, a pick note appears in the warehouse, together with all the relevant paperwork for shipping. The item is picked and taken to dispatches, and the delivery note is included with the consignment. A unique goods outward reference is created from the delivery note for tracking purposes; 6. once the goods are dispatched, a copy dispatch note goes to the sales and credit control teams. This record helps auditors evaluate the design of the system. If the system works as it is supposed to do, will it be effective? Do the controls that auditors have recorded prevent, detect and if necessary correct errors that might appear in the financial statements? Should the system, if it is operating as described, prevent invoices being raised for the wrong amounts or being posted to the wrong accounts? If auditors are satisfied that the system works on paper, they then have to evaluate its implementation by deciding whether it actually operates as described, in the way that auditors have understood and recorded it. To determine this auditors might: • inspect relevant hard copy or electronic documents such purchase orders, delivery notes, good outwards records and sales invoices; • trace one or more transactions through the system from order through dispatch to final payment (walkthroughs); • while tracing the transaction, making inquiries of those in sales, credit control, warehousing and dispatch to confirm the auditors’ understanding of how the system works. Auditors only need to understand internal controls that are relevant to the audit. Bakersfield might have a complex ISA 9001 compliant quality control system with many physical and

c04.indd 68

3/18/2014 7:26:16 AM



Section 4 – Understanding the Entity and Assessing Risk

69

electronic checks on the sales process, but these are unlikely to be relevant to the preparation of the financial statements. Understanding these internal controls is just as relevant where controls are not to be tested. Auditors need to understand these systems in order to design appropriate substantive audit tests for completeness of income.

Do auditors need to understand all controls at the same level of detail?  As a rule, sales tend to involve higher levels of risk, particularly fraud risk, than purchases. Auditors may therefore need to have a better or deeper understanding of sales than they do of purchases. Walkthroughs on purchases might be limited to inspecting documents, whereas walkthroughs in sales might involve observing processes, as well as a document inspection. This again demonstrates the iterative nature of risk assessment. Auditors need to understand controls to assess risks, but their assessment of risk in previous periods and in similar businesses affects the way they go about understanding changes to controls in subsequent periods and in other businesses. Relying on internal controls and walkthroughs  The work required by ISA 315 … Work on understanding on design and implementation can be conthe design and implementafusing. Some auditors take the view that tion of internal controls helps because they have taken time to understand auditors perform their risk internal controls, they can rely on internal assessment and design further controls and reduce the extent of substanaudit procedures. If auditors tive testing. Rightly or wrongly, this is not want to rely on controls and the case. Work on understanding the design reduce the extent of substanand implementation of internal controls helps auditors perform their risk assessment tive testing, they need take and design further audit procedures. If audione further step and perform tors want to rely on controls and reduce the tests of controls (compliance extent of substantive testing, they need to tests), designed to provide take one further step and perform tests of evidence that internal controls controls (compliance tests), designed to proare in fact operating effectively vide evidence that internal controls are in as described, throughout the fact operating effectively throughout the relrelevant period … evant period. Walkthroughs and other work on design and implementation do not give this comfort because they tend to be performed on a limited basis, and tests of control need to cover the relevant period more systematically and in greater detail. That is not to say that walkthroughs cannot serve several different purposes. If a walkthrough in the sales system involves checking that an authorisation control has been applied, as evidenced by the signature of a credit controller on a large discount, for example, a walkthrough can serve as a compliance test, as well as helping auditors understand the sales system including the design and implementation of controls within systems. This works best when systems are relatively straightforward and well-controlled.

c04.indd 69

3/18/2014 7:26:16 AM

70

Core Auditing Standards for Practitioners

4.4.4  Understanding the entity: documentation It is clearly important that auditors understand the entity, but the problem in practice is demonstrating that understanding in the audit documentation. Much of what regulators say about this issue are really about failings in documentation rather than poor auditor understanding. Documentation is important to demonstrate that auditors have complied with ISAs and to support the risk assessment. Without the right documentation, the audit file cannot adequately support audit assertions about some areas of the financial statements being more important, from a risk perspective, than others. If the risk assessment is unsupported, it will be impossible to show that audit procedures are sufficient and appropriate and ultimately whether the audit opinion is justified. ISA 315 requirements are for documentation of: • the discussion among the engagement team covering the understanding of the entity, the risk assessment and the response to assessed risks; • key elements of the understanding of each of the five internal control components; • the source of the information supporting the understanding; • the procedures performed to obtain the understanding. This documentation is not just about compliance. Good documentation about how the entity operates can help individuals who are new to the audit team to progress more quickly along the learning curve. Standard forms and checklists  Auditors have an uneasy relationship with standard forms and checklists. On the one hand, there is often a very real problem with the sheer volume of boxes that have to be ticked and the extent to which this can divert attention from the ‘real’ issues. On the other hand, standardised documentation helps enormously to ensure consistency within a practice and to ensure that nothing is missed. Standardised documentation has its place. It is important for consistency, completeness, efficiency and the education of junior auditors. Major problems can arise when completing it becomes the central focus of the audit. Standardised forms can encourage a mechanical one-dimensional approach to all audits, which is not useful when entities vary so much. While a clean sheet of paper is sometimes seen as too risky an approach to risk assessment, taking the standardised documentation away can put pressure on auditors, it can liberate them so that they can really think about the entity and the risk of error in its financial statements. Many firms use standard forms and checklists to assist when documenting their understanding of an entity. Table 4.3 summarises the advantages and disadvantages of using standard forms in understanding the entity. Narrative notes  Narrative notes can be used instead of standard forms and checklists, or in conjunction with them. Some judgement may be needed in deciding the optimum mix and firms might find it useful to develop guidance, otherwise some staff will always use narrative notes and others will always fill in forms. Standard forms need to be kept

c04.indd 70

3/18/2014 7:26:16 AM



Section 4 – Understanding the Entity and Assessing Risk

71

Table 4.3 Standard Forms Used in Understanding the Entity: Advantages and Disadvantages Advantages

Disadvantages

Pre-determined structures can make it quicker to document work effectively.

A standard approach designed to work for all audits is often excessively detailed for smaller audits.

Less experienced staff can use standard forms to guide their inquiries and ensure that nothing is overlooked.

Where an entity is unusual, standard approaches need very radical tailoring to remain relevant.

Experienced staff can benefit from using checklists to remind them of what is required. Standard forms are often drafted using verbatim quotes from ISAs which helps firms demonstrate compliance. Where audits are large or complex, standard forms and checklists reduce the risk that audit teams miss issues that they have rarely previously encountered.

Staff can over-rely on standard forms. There is a risk that the audit is reduced to form filling without any real thought given to how audit work should be focused. Standard forms sometimes actively discourage good auditors from using their judgement in assessing risk and they can be distracting, even for experienced auditors.

up to date for changes in auditing standards and the features of common accounting packages, and complex systems may need narrative notes to support the completion of checklists. Narrative notes could at least be considered for most very small systems. Audit software packages may or may not provide options, but firms can adapt the approach. Narrative notes can be freeform, or have minimal headings. They can be easier to write but can be harder to assess than standard forms: seemingly confusing or incomplete notes can indicate a poor system or a poor record of an adequate system and it can be difficult to distinguish between the two. There are many advantages to narrative notes, and very experienced auditors may prefer them to standard forms because they are quicker to complete, provide greater depth and are easier to assess if they are well-written. It is important that auditors have a good and up-to-date knowledge of ISAs for this approach to work, so that the notes can be shown to demonstrate compliance, or at least be easily worked into a file that shows compliance overall. Narrative notes should be more concise than standard forms because everything documented relates to the audited entity. Standard forms try to cater for all eventualities and often become voluminous as a result. Permanent information  The auditors’ understanding of the entity does not have to be re-documented in subsequent periods. But updating the systems documentation for changes is a common area of weakness. Most audited entities do not change significantly year to year, but small changes each year that are not documented can and do accumulate over time. A policy of budgeting for a full scale review of systems documentation every five years, say, might prevent the build-up becoming too great. For some smaller audits, auditors might consider storing this documentation on the current file and transferring it forward each year. This can work well if documentation is not too cumbersome and it goes some way to preventing permanent files gathering dust.

c04.indd 71

3/18/2014 7:26:16 AM

72

Core Auditing Standards for Practitioners

Getting the documentation right  Sometimes junior members of the audit team are encouraged to record the auditors’ understanding of the entity or update the permanent audit file. This is sometimes done for no better reason than the junior has nothing else to do or they have the lowest charge out rate! This overlooks the importance of this area in achieving a high quality, efficient audit. The auditors’ understanding of the entity needs to be performed by and documented by an auditor who understands risk assessment and the necessary responses to risk. This ensures that the right things get recorded. 4.4.5  Risk assessment Risk assessment is one of the most important and sometimes difficult processes in any audit. It can also be one of the most intellectually challenging and rewarding. If auditors get this right, they will spend their time looking for the right things in the right areas. It is useful to start with a reminder of what audit risk is and what it is not. Audit risk is not the same as business risk. A large number of business risks, such as poor customer or after-sales service that can lead to reputational damage, generally have no immediate effect on the financial statements. They only become audit risks when they become so great as to affect the going concern status of the entity or the recovery of receivables. Similarly, some audit risks, such as the risk of error in the financial statements arising from poor financial information systems, do not amount to significant business risks. Confusing the two is a common error. Auditors are only interested in the risk that the financial statements are materially misstated. In other words, they are only interested in risks to the business to the extent that they have an impact on the financial statements. Losing customers because of poor service may be a big issue for management, but it is not an audit risk unless the entity is losing so many as to threaten the viability of the business as a whole. 4.4.6  Risk at the financial statement and assertion levels ISA 315 requires that auditors identify and assess risk at the level of the financial statements as a whole and at the assertion level, i.e. risks relating to the completeness of income and the existence of inventory, for example. The analysis and classification of these are the basis for designing and performing further audit procedures. Risks at the financial statement level and assertion levels sometimes appear to be similar, but their consequences are very different. The risk of material misstatement at the financial statement level  The risk of material misstatement at the financial statement level can be difficult to grasp. ISA 315 states that such risks relate to the financial statements as a whole and potentially affect many assertions. For example, the risk of fraud, management override of control and those relating to a deficient control environment (including management incompetence) may relate to specific assertions but they may well affect many assertions, as the following example demonstrates.

c04.indd 72

3/18/2014 7:26:16 AM



Section 4 – Understanding the Entity and Assessing Risk

73

Risks of Material Misstatement at the Financial Statement Level Monster Electronics Monster Electronics manufactures and distributes accessories for portable audio devices. It produces a very high quality product, but cheap imports have hit sales and resulted in several periods of poor profitability and difficult cash flow. Last year the company was forced to refinance itself. There are covenants attached to the bank borrowing that require the company to maintain profits at a minimum level, calculated by reference to a multiple of the interest payable (interest cover covenants). The company met these requirements last year, but with little to spare. This year, trading has been very difficult again. The management team at Monster Electronics now has an incentive to manipulate the financial statements and fraudulently misstate the results to demonstrate to the bank that the covenants are being met. This fraud risk could manifest itself in: • under-provision for bad debts; • under provision for trade payables or other liabilities, such as litigation against the company; • under-provisions for warranty costs; • excessive prepayments or inadequate accruals; • inadequate recognition of slow-moving or obsolete inventory; • early recognition of revenue; • excessive addition of overheads to work in progress. Under-depreciation could also be an issue, although many bank covenants are tied to profit before depreciation. This lack of profitability and the associated risk of manipulation represent a financial statement-level risk that increases the risk of material misstatement across the whole audit.

The risk of material misstatement at the assertion level  What are assertions? In asserting that the financial statements that have been prepared are accordance with the applicable financial reporting framework, management implicitly and explicitly makes assertions regarding the recognition, measurement, presentation and disclosure of the various elements of the financial statements and related disclosures. Financial Statement Assertions • Assertions about classes of transactions and events for the period under audit: occurrence, completeness, accuracy, cut-off and classification. • Assertions about account balances at the period end: existence, rights and obligations, completeness, valuation and allocation. • Assertions about presentation and disclosure: occurrence, rights and obligations, completeness, classification and understandability, accuracy and valuation.

c04.indd 73

3/18/2014 7:26:17 AM

Core Auditing Standards for Practitioners

74

FINANCIAL STATEMENT ASSERTIONS Transaction and events • Occurrence • Completeness • Accuracy • Cut-off • Classification

Account balances

Presentation and disclosure

• Existence • Completeness

• Occurrence

• Valuation and Allocation

• Accuracy and valuation

• Rights and obligations

• Classification and understandability

• Completeness

• Rights and obligations Figure 4.5

Figure 4.5 shows the financial statement assertions as they are currently classified. Standard-setters may change them again in the foreseeable future to recognise the increasing importance of disclosure. Most auditors will have learned some variation of these assertions and, as with internal control, any classification will do provided that everything above is covered, although for most it is simply easier to use the classifications provided rather than having to prove that an alternative fits the bill. An assertion-level risk is a risk that relates to one or more assertions. The nearer it gets to relating to all of the assertions the more likely it is to become a risk at the financial statement level. It is important to identify both the assertions to which the risk relates and the nature of the risk. Without this, the appropriate response to the risk cannot be determined. Assertion-Level Risks Bon Voyage Renovations Bon Voyage does residential property renovation and construction work for private individuals. It specialises in large projects that can take six to twelve months to complete. Work in progress is therefore significant. Bon Voyage does the work on a fixed price basis and if there are extras they are agreed before the extra work commences. A key audit risk at the assertion level for Bon Voyage is that the work in progress is calculated using an incorrect level of completion for each project. This will affect both revenue in the income statement and work in progress in the balance sheet. The costs may be reliably recorded and the overall revenue may be relatively certain, but there are still uncertainties about the existence of work in progress and the completeness of income. The issue also has implications for risks relating to other assertions such as the accuracy, occurrence and cut-off of income, as well as completeness, and the completeness and valuation of work in progress as well as its existence. However, these assertion level risks are limited to certain balances and transactions, which should lead auditors to focus on those areas without the need for increased levels of work elsewhere.

c04.indd 74

3/18/2014 7:26:17 AM



Section 4 – Understanding the Entity and Assessing Risk

75

Identifying a risk incorrectly as a financial statement-level risk rather than an assertionlevel risk has cost implications. Financial statement-level risks demand more vigilance in auditors and suggest that more work is required overall across a range of areas and assertions. The assessment of risk at assertion level is more contained, in that it results in more work in specific areas. Assertion-level risks also translate more easily into the design of focused audit procedures. Of course, financial statement-level risk also has to translate into assertion risk, but its impact will still be broad. 4.4.7  Risk assessment procedures ISA 315 prescribes a number of procedures to be performed in risk assessment. They are: • inquiries of management and others within the entity who may have information about factors affecting risks; • analytical procedures; • observation and inspection. Inquiries of management and others  Much of what auditors understand about an entity comes from inquiries of management. Inquiries, like analytical procedures and observation and inspection, are required as part of the risk assessment process, but auditors often over-rely on inquiries. If inquiries are the only source of information used by auditors, fraudulent activity by management might be very difficult to identify. Equally, errors other than fraud might not be obvious because auditors are seeing the business through management’s eyes and are inculcated in management’s way of thinking. Professional scepticism is very difficult without an objective understanding of how the entity operates. Inquiries of any kind are never good enough on their own either as a basis for risk assessment or as audit evidence. Other procedures are always required. When auditors do make inquiries, they should consider making inquiries of others in the organisation as well as management to obtain a different point of view. Preliminary analytical procedures  Analytical procedures are still required at the risk assessment and final stages of the audit, but they are less used now than they once were as a source of substantive audit evidence – and they are optional at that stage. Figure 4.6 summarises the requirements for analytical procedures. Used properly, analytical procedures are an effective and necessary tool to supplement other evidence-gathering procedures. Using them properly, however, requires a good understanding of the business. Using them as substantive procedures also requires a willingness to predict likely outcomes and to investigate variances. The use of such procedures by relatively junior staff who are less able to predict outcomes or deal with variances, may be one of the reasons why analytical procedures are not used as much now as they once were in substantive evidence-gathering. Sample sizes for substantive procedures have increased in some cases, perhaps to compensate for the decline in use of analytical procedures. Preliminary analytical procedures are risk assessment procedures and help the auditor obtain a better understanding of the entity. Their purpose is to direct the audit and alert auditors to areas that might represent a risk. Preliminary analytical procedures further

c04.indd 75

3/18/2014 7:26:17 AM

76

Core Auditing Standards for Practitioners

enhance the understanding of the entity, because auditors can see how the business model manifests itself financially. Preliminary analytical procedures may involve discussions with management to support ratio analysis and the examination of other relationships for reasonableness. Preliminary analytical procedures are typically carried out on high level information such as draft financial statements, management accounts and budgets and forecasts. Trial balances or other lower level material can be used if nothing else exists at the time the procedures are performed. Regardless of what is being done, auditors are seeking out unusual or unexpected results that might require further attention. In some jurisdictions, auditors are permitted to provide non-audit services to the audited entity that include the preparation of the period-end financial statements and auditors may, if there is nothing else to go on, prepare a draft set of financial statements first and then perform a risk assessment. The following is an example of preliminary analytical procedures performed in a small, simple entity. Example of Preliminary Analytical Procedures Closets Campers Closets Campers is a business that maintains motor homes and camper vans, doing repairs and servicing. Work can include very simple repair or servicing work as well as larger refurbishments. The key ratios for the current and prior periods are: 20X4

20X5

Sales

$8.2M

$7.9M

GP%

22%

19%

Debtor days

18 days

3 days

Creditor days

28 days

30 days

Work in progress days

22 days

5 days

The business has been doing more large refurbishments, some of which straddle accounting periods. These are more profitable than repairs and servicing. This should result in higher work in progress days and a small increase in profit. Otherwise there are no other significant changes expected in the business. There has been no change in the customer base.

Impact on the risk assessment The business’s plan to do more major refurbishment work at higher margins is reflected in work in progress and margins as expected. One risk area may relate to revenue on these longer term contacts, which must be properly accounted for across different accounting periods as appropriate. The increase in debtor days is not expected or explained and recoverability of receivables could therefore be a risk.

c04.indd 76

3/18/2014 7:26:17 AM



Section 4 – Understanding the Entity and Assessing Risk

77

The example demonstrates the fact that preliminary analytical procedures are: • part of the risk assessment process; • undertaken at a high level; • designed to direct the audit, and not to obtain audit evidence although it is perfectly possible to do both at the same time on some very simple audits. The process does not involve the immediate investigation of issues identified, which will be followed up during the fieldwork (detailed testing).

Analytical procedures.... ... are required as risk assessment procedures...

... are optional as substantive procedures...

... are required during audit finalisation.

Figure 4.6

As an aside, it is worth noting that there can be significant duplication between preliminary analytical procedures and analytical procedures performed during finalisation. It is important to avoid repeating work if possible, although sometimes it is necessary, particularly where there have been significant amendments to the draft financial statements on which the preliminary procedures were performed. Where that is the case, auditors will need to consider again any comparisons or ratios which have been affected by the amendments. However, where there are no such amendments, as is often the case in smaller audits, provided the original risks identified have been dealt with, the financial statements should make sense by the time the final procedures are performed. The documentation of analytical procedures performed during finalisation being combined with preliminary procedures, using the same working papers, is efficient, where it can be done. It means recording work done, results and conclusions rather than repeating lists of ratios and explanations. Observation and inspection  Observation and inspection of people, processes and documents are required to support inquiries of management and to further understand the entity and support the risk assessment. ISA 315 suggests that observation and inspection might cover: • the entity’s operations, such as a manufacturing process; • documents such as business plans, records such as inventory sheets and records of internal control systems;

c04.indd 77

3/18/2014 7:26:17 AM

78

Core Auditing Standards for Practitioners

• management reports or management accounts; • minutes of board meetings or other relevant committees or groups; • the entity’s premises (land and buildings). Author’s Note John Selwood When I was first an engagement partner, I made a point of attending inventory counts personally on all audits that were new to me. This was so that I could actually see what the entity did and meet people other than the directors and the accounts team. If there was no inventory count, I would find an excuse to visit one or more of the entity’s site or sites of operations for a tour. Observing what the entity does with your own eyes is invaluable. When you then look at the financial statements, they make more sense than they would have otherwise, and if they do not make sense you know there is a problem! Also, by talking to operational staff rather than management, I often discovered how the business and the company really operated rather than how it was supposed to operate, or how management thought (or wanted me to think) it was operating.

4.4.8  Fraud risks We noted above concerns among practitioners about the: • rebuttable presumption of the risk of fraud in revenue recognition; • presumption that there is a risk of fraud arising from management’s ability to override internal controls. The level of this varies but it is present in all entities and all risks of material misstatement due to fraud must be treated as significant risks. ISA 315 requires auditors to address and document the issues relating to both of these. Fraud risk is important because misstatements arising from fraud are more difficult to identify than unintentional errors. If management prepares the financial statements fraudulently, the people involved are unlikely to be truthful when responding to inquiries. Any evidence that might lead auditors to the fraud or make them suspicious is likely to be concealed. Even where no fraud has been committed, fraud risks can be hard to identify where management simply fails to tell auditors about embarrassing problems. Most auditors do not experience a great deal of fraud in their careers and where a heightened risk of fraud is identified, auditors need to think very carefully about the exact nature of the risk, and how it needs to be managed, before designing audit procedures. Dealing with fraud risks requires experience. The following example demonstrates the importance of having experienced audit staff do this work.

c04.indd 78

3/18/2014 7:26:18 AM



Section 4 – Understanding the Entity and Assessing Risk

79

Seen on an audit file: ‘There is a low risk of fraud in revenue recognition and due to management override of internal controls because management closely monitor every transaction’. Experienced auditors will quickly identify the nonsense in this statement. Close supervision of transactions by management tends to elevate the risk of fraud from override rather than reduce it. What could lead an auditor, even an inexperienced one, to document something so stupid? There are two misunderstandings at work here: • inexperienced auditors may equate fraud risks with the risk of assets being misappropriated, i.e. theft, without understanding the nature of fraudulent misstatement of financial statements; • junior staff may assume that the audited entity’s staff are more likely than management to perpetrate fraud, because management is there to prevent fraud when in fact management is more likely to perpetrate significant frauds, but not the sort of frauds junior auditors sometimes think about. 4.4.9  Risks that require special audit consideration ISA 315 specifically requires auditors to identify significant risks. Significant risks are those that auditors think require special audit consideration. It is important to get this judgement right. Auditors should consider the following when deciding whether an assessed risk is significant: • has management addressed the risk? • is the risk a risk of fraud? • does the risk relate to recent significant economic, accounting or other develop­ments? • does it involve complex transactions? • does it involve transactions with related parties? • is there a significant degree of subjectivity in the measurement of the financial information related to the risk (such as a valuation)? • does the risk involve significant transactions that are outside the normal course of business? All risks of material misstatement arising from fraud are considered significant risks. There is a presumed risk of fraud arising from management override of controls and a rebuttable presumption of the same risk in revenue recognition. The consequences of classifying a risk as significant are that: • the risk and how it is to be addressed should be documented – which will have already happened as part of the risk assessment in most cases;

c04.indd 79

3/18/2014 7:26:18 AM

80

Core Auditing Standards for Practitioners

• auditors must obtain an understanding of the internal controls, including control activities, in relation to that risk. Again, this may already have been done but it is important because auditors might have otherwise determined that the related controls are not relevant to the audit; • auditors must comply with additional requirements in specific ISAs relating to significant risks. 4.4.10  Revising the risk assessment Evidence may be obtained during the course of the audit that causes auditors to change their original understanding of the entity or risk assessment. The implications of this can be serious in terms of budgets and it is better to get this right first time if at all possible. 4.4.11  Documenting the risk assessment Documenting assessed risk can be a problem, particularly on smaller audits. Sometimes auditors do not record the risks identified or record them in insufficient detail. Auditors should document the: • identified and assessed risks of material misstatement at the financial statement and assertion levels; • risks identified, and controls relevant to significant risks; • risks identified and related controls for risks where substantive procedures alone are insufficient. 4.4.12  Risks where substantive procedures alone are insufficient ISA 315 suggests that there are some risks for which it is not possible or practicable to obtain sufficient appropriate audit evidence from substantive procedures alone. The broad examples given are the risks of inaccurate or incomplete recording of transactions or balances. In such cases, some evidence must come from tests of control and any control that auditors wish to test they must first understand. A good example might be the audit of an entity that trades exclusively online and does not produce any hard copy documentation. It might be difficult to obtain sufficient evidence about the completeness of sales without confirming that the systems are operating effectively. 4.4.13  Reliance on internal controls Apart from risks for which substantive procedures alone are insufficient, auditors can choose whether to rely on internal controls. Even where there are good internal controls, auditors are not compelled to rely on them and in some cases it is more efficient to take a substantive approach. There are concerns about whether auditors should consider relying on internal control more often.

c04.indd 80

3/18/2014 7:26:18 AM



Section 4 – Understanding the Entity and Assessing Risk

81

If internal controls are to be relied on, they should be tested and auditors can reduce the substantive procedures they perform. Auditors of large entities have no choice but to perform tests of controls. It is relatively rare for auditors of smaller entities to do so. The auditors’ understanding of the entity’s internal controls will need to be more detailed when they are tested. Where auditors are not relying on internal controls and are not undertaking compliance tests, risk cannot be reduced on the grounds of effective internal controls. In other words, even for an entity with the best internal controls, auditors cannot reduce their substantive procedures unless those internal controls have been tested. 4.4.14  Engagement team discussions Both ISA 240 on fraud and ISA 315 require an audit team discussion. Ideally, all members of the audit team should attend. The engagement partner is responsible for ensuring that those who do not attend are properly briefed. There are a number of issues which should be discussed and documented during the audit team discussion, including fraud and related parties. Some regulators suggest that better use could be made of the audit team discussion to ensure that everyone on the audit team is properly briefed, but the discussion is primarily an opportunity for everyone in the engagement team to gain a better understanding of the entity and the areas of risk for audit purposes.

c04.indd 81

3/18/2014 7:26:18 AM

c04.indd 82

3/18/2014 7:26:18 AM

5

Really Efficient Audits: What Sort of Evidence Do I Really Need? 5.1 The Issues

All auditors know that the higher the audit risk, the more persuasive audit evidence needs to be. There needs to be more of it and it needs to be better quality. But judging how much evidence is enough, and determining the right balance of evidence from different types of test, can be hard. It is the central and a recurring theme in responding to the risk analysis. ISA 330 The auditor’s responses to assessed risks deals with the ‘further audit procedures’ auditors perform when they have completed the preliminary risk assessment. It is often referred to as the fieldwork stage. A lot of what is now included within risk assessment would once have been referred to as planning, and there is a blurred boundary between risk assessment and further audit procedures, particularly if tests of controls and substantive procedures are performed at the same time as work on the design and implementation of controls. This is partly … judging how much e ­ vidence why the whole risk assessment process can is enough, and determining sometimes seem so over-elaborate, and it is the right balance of evidence also why responding to the risk assessment does not seem to have such a high profile from different types of test can and is sometimes less well understood. But be hard … getting a good link between the risk assessment and the response is critical. Regulators observe that auditors sometimes perform an excellent risk assessment, only to ignore the risks they have identified by repeating the same audit tests as those performed in the prior period! ‘Responding to risk’ means different things in different circumstances and there are usu… auditors sometimes perally decisions to be made about the options form an excellent risk assessavailable for the response: does the design ment, only to ignore the risks and implementation work on controls sugthey have identified … gest that they are good enough for tests of controls to be performed? If they are, is this the route the auditors want to take? Or will a substantive approach be adopted?

c05.indd 83

3/18/2014 7:08:31 AM

84

Core Auditing Standards for Practitioners

Whatever the approach, the response needs to be appropriate to the magnitude and nature of the risk. ISA 315 on risk assessment asks ‘what is the problem?’, ISA 330 deals with ‘what to do about it’.

5.2  What the Regulators Say Regulators have matured. Understanding the entity and risk assessment were for many years a focal point for regulators worldwide. More recently, regulators have started to pay more attention to appropriate responses to risk. This is partly a reflection of a general push for higher quality auditing all round following recent economic crises, and being able to demonstrate an appropriate degree of professional scepticism is increasingly important. The word ‘scepticism’ is certainly appearing more in regulatory reports and auditors are increasingly expected to show that they have responded appropriately to an assessment of higher audit risk by demonstrating more professional scepticism. Surprisingly, what this really means has yet to be properly thought out but standard-setters are considering the issue – and simple examples involving the need to substantiate management explanations are the starting point.

5.2.1 AQRT Recent AQRT1 reports on audit inspections identify inadequate auditor responses in certain higher risk areas. Predictably, these areas include group audits, fraud risks and revenue recognition. There are also criticisms of auditor responses in low risk areas as it seems that some auditors are deciding to do nothing in response to risks classified as low. The report points out that low risk does not mean no risk, and that evidence is required in all material areas, regardless of the risk assessment.

5.2.2 QAD … it seems that some auditors are deciding to do nothing in response to risks classified as low … low risk does not mean no risk and that evidence is required in all material areas …

1

2

c05.indd 84

The QAD in the UK is one regulator that increasingly focuses on auditor responses to risk. Recent QAD2 reports refer to auditors failing to respond appropriately in a number of areas. Linking risks and responses  The links between risk analysis and response could be better. Auditors are often adept at spotting the high risk areas, but even where they are

Audit Quality Review Team of the FRC, formerly the Audit Inspection Unit (AIU)—inspects listed and other public interest audits in the UK. Audit Quality Inspections www.frc.org.uk. The Quality Assurance Department of ICAEW—inspects audits not covered by the AQRT. Audit Monitoring www.icaew.com.

3/18/2014 7:08:32 AM



Section 5 – Really Efficient Audits

85

well documented, the response is sometimes inadequate or even absent. This probably has something to do with the over-auditing issue referred to in the previous chapter. Auditors spend a lot of time performing work that they have always performed because it is easier and safer to take this approach than to justify changing it. It means that there is less time available to deal with new, possibly unfamiliar, areas. Weaknesses in responses to risks in accounting estimates  Accounting estimates, including provisions for depreciation, slow-moving inventory and bad debts, are a key area in many audits, including smaller audits. It seems that while auditors rarely fail to identify the risk at all, they sometimes assess it inappropriately as low. More often, even if the assessment is right, the response is inadequate. Auditors fail to test management’s process for developing the estimate or the data underlying it, for example, or they fail to compare it with the outcome, or to prepare their own estimate. In particular, it seems that auditors need to respond more appropriately to risks of estimation uncertainty. This may be because all of these requirements involve the application of judgement and do not lend themselves easily to standardisation. This is an area where professional scepticism is particularly important and auditors do not always properly challenge management’s approach. Fraud in revenue recognition: is it worth trying to rebut the presumption?  There is a presumed risk of fraud in revenue recognition. Rebutting the presumption should be quite easy in some cases. A property investment company that holds one property which is in receipt of the four quarterly rents from the same long-standing tenant is much less likely to be subject to a fraud risk than one that holds many properties in many different locations with a high turnover of tenants, for example. Nevertheless, most of the time, auditors do not rebut this presumption. Unfortunately, they do not always respond to the risk, either. All risks of fraud are significant risks that require ‘special audit consideration’ and simply following a standard methodology is rarely going to be an adequate response to these risks. In some cases, therefore, it might be worth revisiting the benefits of rebutting the presumption of fraud in revenue recognition. More importantly, auditors should properly identify the fraud risk that revenue often represents and design a specific response to the specific risks identified. 5.3  What Practitioners Say Practitioners recognise the importance of obtaining sufficient appropriate audit evidence. But determining the appropriate response to assessed risks and how much needs to be done can be difficult. 5.3.1  Reliance on internal control in smaller audits is often inefficient On very large, complex audits where there is a good system of internal control, a purely substantive approach is now out of the question. On smaller audits, where control risk is low and controls are good enough to test, auditors still have a choice. They can either rely on an assessment of control risk as low by testing controls, and reduce substantive procedures, or they can take a substantive approach.

c05.indd 85

3/18/2014 7:08:32 AM

86

Core Auditing Standards for Practitioners

Many auditors choose not to incorporate low control risk into their risk model on the basis that is not cost-effective to test internal controls. In other words it is quicker to design and perform purely substantive tests, ignoring control risk, rather than test controls and then perform reduced substantive procedures. For many audits this is exactly the right approach. Nevertheless, auditors of smaller entities sometimes overlook opportunities to rely on internal controls out of habit or because they so rarely test controls that they lack experience. Some auditors do not realise that reliance on controls is not ‘all or nothing’. Auditors can choose to use controls in some areas and to take a substantive approach in others. Relying on controls in areas that present significant risks can be particularly efficient, as substantive procedures can otherwise be time consuming.

5.3.2  Over-documenting, under-documenting and wrestling with methodologies All auditors understand the need to obtain sufficient appropriate audit evidence, but struggling with documentation is a perennial problem. Regulators remain critical in this area. While in theory, audit evidence that is not properly documented cannot by definition be adequate, the need to have a record on file is often the main problem rather than the ‘evidence’ itself. Poor documentation is often a ­combination of: • over-documentation of irrelevant matter, low level routine tests or poor quality evidence, often by more junior staff, all of which has to be reviewed; • under-documentation of good quality evidence obtained from discussions with management or third parties, with high quality corroborative evidence, for example, often by more senior staff. Regulators are more likely to take issue with the latter than the former, but the former is a waste of resources that could be directed elsewhere. If there was an easy answer to this problem, someone would have found it by now, but recognising where problems lie is at least a start and everyone, not just the junior staff, needs technical training and on-the-job coaching. All practitioners recognise the significant impact an efficient audit methodology can have but many, unable to face the prospect of changing them, simply accept their inefficiencies as a necessary evil and soldier on.

5.3.3  Can we use analytical procedures to obtain audit evidence? Auditors experiencing fee pressures have in the past looked to substantive analytical procedures as a means of making auditing more profitable. Analytical procedures can be quicker and easier than substantive tests of detail. Used correctly, analytical procedures are indeed a very powerful tool, but when regulators started looking closely at their use, they found that auditors were not always developing the necessary

c05.indd 86

3/18/2014 7:08:32 AM



Section 5 – Really Efficient Audits

87

expectations before performing the procedures, and they were not following up variations from expectations when they occurred. Both of these areas require the use of judgement, which means that inexperienced staff performing the procedures need to be closely supervised. Practitioners are aware that analytical procedures can be used, but they are now perhaps less keen on them than they once were. 5.4  What the Standards Say 5.4.1  Responding to risk: substantive procedures Substantive Audit Procedures A substantive audit procedure is an audit procedure designed to detect material misstatements in the financial statements at the assertion level. Figure 5.1 shows that these procedures comprise tests of detail and substantive analytical procedures. Substantive procedures are always required to address assertion level risk.

Analytical procedures at this stage of the audit are used less than they once were, but they are still used heavily at the risk assessment stage and as part of the final review of financial statements when forming an overall conclusion. Indeed preliminary and overall analyti… Cash is sometimes overcal procedures are requirements of ISAs. audited because it is relatively easy to audit, property valuNo matter how low the risk of error is, some ations are more likely to be substantive procedures need to be carried under-audited … out. This is a key requirement of ISA 330. An important thing to remember here, and something surprisingly easily forgotten, is that the design of substantive procedures should be in response to assessed risk taking account of the likelihood of material misstatement and the nature of the risk. Cash is sometimes over-audited because it

… The trick is to consciously resist the temptation to overaudit cash to make room for active consideration of what to do with the property valuation …

Substantive Procedures Analytical procedures

Tests of detail

Figure 5.1

c05.indd 87

3/18/2014 7:08:32 AM

88

Core Auditing Standards for Practitioners .

is relatively easy to audit, property valuations are more likely to be under-audited because auditors are operating outside their comfort zone. The trick is to consciously resist the temptation to over-audit cash to make room for active consideration of what to do with the property valuation. Similarly, non-current assets often get more attention because they are usually one of the first sections in the audit file! Auditors should not prioritise audit work in areas that come first in the file, are easy to do or are otherwise of interest to the audit team. The deciding factor must always be where the largest errors are most likely. In other words, where audit risk is greatest. An important element of risk is control risk. If control risk can be shown to be low through tests of the operating effectiveness of controls throughout the period, auditors can reduce the extent of substantive testing, but they cannot eliminate it altogether.

5.4.2  Responding to significant risks Significant Risks Significant risks are risks that require ‘special audit consideration’.

Auditors are required to design and perform audit procedures that are specifically responsive to significant risks, which means that standard audit programmes almost always need to be tailored. What constitutes a ‘significant risk’ is a matter of judgement affected by whether the risk is outside the normal course of business, whether it involves potential fraud or related parties, and the subjectivity and complexity of the matter, for example. The only specific requirements in ISA 330 for the generality of significant risks is that auditors obtain an understanding of the controls relating to them. Subjective, nonroutine and complex matters do not lend themselves to day-to-day controls and this can be a tricky area. However, a number of specific ISAs contain requirements that apply where significant risks are identified. Some of these requirements are summarised below. Fraud risks and the risk of management override: ISA 240  ISA 240 on fraud requires that auditors treat all risks of material misstatement due to fraud as significant. Management is, without exception, always in a position to override controls, which is why even if there are no other significant risks in an audit the risk of management override will always need to be addressed. Frauds are harder to detect than errors because they are hidden, and while errors are to be expected, albeit hopefully not material ones, fraud is not, or at least not in the same

c05.indd 88

3/18/2014 7:08:33 AM



Section 5 – Really Efficient Audits

89

way. Regardless of whether fraud involves the misappropriation of assets or fraudulent misstatement in the financial statements, the perpetrators are likely to go to greater lengths to hide it than they would to hide an error, however embarrassing. The fabrication of fictitious invoices and employees are examples of fraudulent misstatement, both of which also usually involve the misappropriation of assets, i.e. cash in both cases. But many frauds simply involve the manipulation of profits for tax purposes or to mislead investors or financiers. ISA 240 requires that auditor respond to the risk of fraud by: • testing journal entries and considering the processing of journal entries; • considering errors detected in aggregate and the implications for the fraud risk assessment; • paying special attention to transactions outside the normal course of business. Accounting estimates: ISA 540  We noted above the fact that estimates are a key area in many, if not most, audits and that regulators are concerned with how auditors approach them. Estimates, whether they be simple provisions for obsolete inventory or complex financial instrument valuations, can be subject to manipulation. Fraudulent misstatement in the financial statements is often engineered through the manipulation of the data underlying estimates or the models applied to the data. ISA 540 on accounting estimates requires that for all significant risks: • auditors should evaluate how management has considered alternative assumptions, such the method for calculating depreciation, or how management might have otherwise addressed the problems of estimation uncertainty; • auditors consider whether management’s assumptions, such as asset lives, are reasonable; • if management’s assumptions include carrying out certain actions, auditors should evaluate whether management are in a position to carry out those actions. If the sale of inventory involves advertising spend, for example, does the advertising budget have the capacity for this and is the cash available? Related parties: ISA 550  ISA 550 on the audit of related parties specifically requires that auditors consider whether the risks associated with related parties are significant risks, for all audits. It recognises that fraud is easily committed through related parties, and one of the main objectives of auditors is to recognise and deal with fraud risk factors in related party transactions. There is a presumption that any significant transactions with related parties outside the ordinary course of business are significant risks. Selling a large property to the spouse of a director of a small software developer would be one example. Auditors need to

c05.indd 89

3/18/2014 7:08:33 AM

90

Core Auditing Standards for Practitioners

… There is a presumption that any significant transactions with related parties outside the ordinary course of business are a significant risk …

inspect the underlying records for such transactions and consider the business rationale, whether management’s explanations are consistent with the terms of the transactions and whether it has been properly disclosed. Most financial reporting frameworks have specific disclosure requirements for transactions such as these.

Any statement to the effect that transactions with a related party were at arm’s length needs to be substantiated. There are also specific procedures for situations in which related parties not previously identified by management come to light, and in which previously unidentified significant transactions with any related party come to light. External confirmations: ISA 505  ISA 330 notes that auditors may place more emphasis on obtaining evidence directly from third parties with a high level of reliability when dealing with significant risks. Common areas dealt with through external confirmations include receivables and payables, and bank and cash, which may well not be considered to be significant risks. However, the presumed risk of fraud in other areas, including revenue recognition, is more likely to be significant. Requests for confirmations of bank balances are often accompanied by requests for confirmation of the contractual terms for loan agreements and of assets held as security, which may be relevant to disclosures that are significant risks. Similarly, in confirming receivables auditors may request confirmation of rights of return and delivery dates to respond to a risk of fraud in revenue recognition. 5.4.3  Using analytical procedures in response to risk … The use of analytical procedures is mandatory during risk assessment … and during the final review of financial statements … when they are performed as substantive procedures … they remain powerful and efficient if used properly …

The use of analytical procedures is mandatory during risk assessment as part of understanding the entity, and during the final review of financial statements when forming an overall conclusion. The only stage at which analytical procedures are optional are when they are performed as substantive procedures. Despite the fact that they are not relied on as much as they once were as substantive procedures, they remain powerful and efficient if used properly.

Auditors are required, irrespective of the assessed risks, to design and perform substantive procedures for all material assertions in the financial statements. Analytical procedures are substantive procedures, but there are clearly defined boundaries limiting their use.

c05.indd 90

3/18/2014 7:08:33 AM



Section 5 – Really Efficient Audits

Analytical procedures are ...

• mandatory: risk assessment • optional: substantive procedures • mandatory: final review when forming an opinion

Analytical procedures can be used alone as substantive procedures where risks ...

• are significant and tests of controls show that controls are operating effectively • are not significant

91

Figure 5.2

When the approach to a significant risk consists solely of substantive procedures, i.e. where tests of control are not performed, substantive procedures must include tests of detail. In other words analytical procedures alone are never sufficient as a response to significant risks. Analytical procedures might, however, be the only source of audit evidence, in a particular audit area where there are no significant risks. In practice this is only possible where risk is assessed as low and the quality of the audit evidence obtained from analytical procedures is very good. Analytical procedures work best in audit areas where auditors can develop reliable expectations of the reported balances or transactions can be developed. Small, stable payrolls outsourced to reputable and reliable third parties might qualify, as well as establishment costs and immaterial balances such as petty cash and accruals. Figure 5.2 summarises the use of analytical procedures. Where internal controls are tested and there is evidence that they are operating effectively, analytical procedures might be viewed differently. Even where control risk has been proven to be low, substantive procedures will still be required but they might consist solely of analytical procedures even for significant risks. However, tests of detail can be very cost-effective, analytical procedures require predictable relationships and the ability to deal with unexpected results, and the evidence from analytical procedures might simply be insufficient in some cases. For these reasons, auditors might choose to perform tests of details instead of, or in addition to, analytical procedures. Why use analytical procedures rather than tests of detail?  Practitioners generally recognise the value of analytical procedures, particularly at the risk assessment and final review stages, because it puts them in touch with the real workings of the business and gives considerable comfort that balances and transactions are not materially misstated. However, the disaggregated, granular data to which analytical procedures are applied when used as substantive procedures, often includes large numbers of small transactions that are cancelled, reversed and re-entered. The apparent short-term variations these transactions can appear to show are sometimes more trouble than they are worth, and auditors may decide that tests of details are preferable.

c05.indd 91

3/18/2014 7:08:33 AM

92

Core Auditing Standards for Practitioners

The main problems auditors experience in performing analytical procedures involve over-reliance on analytical procedures in combination with a failure to: • develop expectations for outcomes; • question the reliability of data on which the procedures are performed and reconcile the data on which procedures are performed with the information used to prepare the financial statements; • deal with unexpected variations; • follow up management explanations by obtaining appropriate corroborative evidence. All of these are the ‘hard bits’ of analytical procedures which require some confidence in the procedures themselves, a good knowledge of the audited entity and a willingness to follow up when outcomes are not as expected. These qualities are generally found in more senior staff but the work is often delegated to junior staff. Analytical procedures: the four-stage approach  • determine whether analytical procedures are appropriate: they are not always appropriate for significant risks where controls are not tested, for example. Nor are they appropriate if the underlying data cannot be shown to be reliable or if expectations cannot be developed because predictable relationships do not exist or because they are volatile. Analytical procedures are harder to apply to growing businesses and those in emerging technologies, simply because of the absence of predictable patterns of development. They generally work better on automated areas such as payroll, revenue, purchases and expenses; • assess the reliability of data: the data used to form expectations must be reasonably accurate, i.e. well-controlled. Where it consist of information outside the financial reporting system, such as management accounts or budgets, then the information must be reconciled to the information within the system that is used to prepare the financial statements. Otherwise, auditors are auditing one set of information and reporting on another; • develop expectations regarding recorded amounts: this is probably the most common area of weakness in that auditors tend to analyse the data and explain any changes, rather than developing expectations beforehand; • compare information against expectations and investigate variances: where oral representations are obtained to explain variances, they need to be supported with additional evidence. For example, if the rent costs have doubled and management explains that there was an adverse rent review at the start of the period, auditors should inspect documentation to support this assertion. 5.4.4  Using internal controls efficiently While for very large entities, reliance on internal control is usually unavoidable, the auditors of many smaller entities rarely test controls. If controls are either weak or non-existent, it is often not worth trying to test them because the resulting reduction in substantive work would be too small to justify the additional tests of controls.

c05.indd 92

3/18/2014 7:08:33 AM



Section 5 – Really Efficient Audits

93

Example of Using Analytical Procedures as Substantive Procedures Dublin Foundation The Dublin foundation is a not-for-profit entity that provides guidance and counselling to the homeless. They operate from city centre offices using full-time staff. Dublin receives half of its income from grant funding from government and non-government organisations (NGOs), and the other half from private donations. The auditors consider using substantive analytical procedures in the following areas.

Grant funding Are analytical procedures suitable? Government grant income may be predicable but revenue recognition might be a significant risk area and analytical procedures alone might not be sufficient. It might be more effective and efficient to review correspondence with all of the grant funding bodies to test that grant income is complete, particularly if there are a relatively small number of large entries to deal with.

Income from donations Income from donations follows patterns in that it generally rises as a result of fund-raising campaigns, for example. However, factors such as ‘competing’ charities, donor fatigue, public reactions to media coverage and the general economy are very hard to account for and forming meaningful expectations might be impossible. Testing the internal controls governing the receipt of donations provides essential audit evidence. Analytical procedures are unlikely to be suitable on their own.

Administrative expenditure Administrative expenditure may be a suitable area for analytical procedures. This is likely to be the case if expenses are assessed as low risk on the grounds that they are predictable, mostly consisting of a complement of long-serving full-time staff, and the expenses of operating an office. Is the data reliable? If Dublin uses a well-known standard accounting package operated by a part-time bookkeeper who also works for other charities, and an annual budget and quarterly management accounts are produced and used by board of trustees who actively question the data, it is probably sufficiently reliable. Some controls testing of expenditure may be possible but it might not be efficient. If any of these conditions are not present, the data may not be reliable for the purposes of analytical procedures generally and tests of details may be more appropriate. Developing expectations: expenditure in the previous period forms a good guide to the level of current expenditure. If Dublin has, for example, implemented a wage and recruitment freeze, current period staff costs should be the same as the previous period. If office expenses are subject to inflation and energy costs are currently increasing, expectations can be developed. Comparing information against expectations: if, when auditors compare their expectations to recorded amounts, the office rent is significantly lower than expected, for example, and Dublin’s management tell the auditors that the landlord has voluntarily reduced the level of rent for the next three years as a charitable gesture, auditors can review the correspondence with the landlord to corroborate this.

c05.indd 93

3/18/2014 7:08:33 AM

94

Core Auditing Standards for Practitioners

Nevertheless, where significant risks are concerned, if there are controls that can be tested it is worth thinking about because it can save time. It is important to remember that auditors can only rely on internal controls if they have been tested. Testing provides evidence that the control is operating effectively throughout the relevant period. Auditors will always seek to understand the design and implementation of controls as part of their risk assessment process, because that is what ISA 315 on risk assessment requires. But this work is not the same as testing the operating effectiveness of controls. Control risk can only be assessed as low when controls have been tested. 5.4.5  Tests of control Auditors are only required to test internal controls if: • the intention is to rely on internal controls and reduce the extent of substantive procedures; or • it is not possible to obtain sufficient appropriate audit evidence using substantive procedures alone. This might be the case where there is a large volume of automated transactions in a growing business that may be recorded inaccurately and do not lend themselves to analytical procedures, i.e. where auditors have no option but to rely on internal control. Example: Where Substantive Procedures Alone are Insufficient Lisbon Telecommunications Lisbon is a large telecoms provider. It bills its customers on their usage of the network. No hard copy bills are produced as billing information can only be accessed online. All sales information arises electronically and is posted directly into Lisbon’s bespoke accounting system. A substantive approach is impossible in this situation as all the relevant information comes from Lisbon’s IT systems, so auditors are forced to rely on the internal controls within those systems. In these situations, auditors may well need to buy in, develop or adapt existing computer-assisted audit techniques.

As part of the risk assessment, auditors obtain, document and evaluate their understanding of internal controls. They decide whether controls appear to be designed and implemented such that if they are operating effectively, they will prevent, detect and correct errors in the financial statements. Tests that controls are operating effectively throughout the period are commonly referred to as compliance tests.

c05.indd 94

3/18/2014 7:08:33 AM



Section 5 – Really Efficient Audits

95

Designing tests of controls involves inquiries of management and others regarding how the controls were applied during the period, whether they were applied consistently and whether they changed, and who applied them. Controls do not exist in isolation and are usually multi-layered such that if one control fails, another takes its place. The manual review of automated output is a simple example. Example: Factors to be Considered Before Designing Tests of Control Prague Eateries Prague Eateries runs a chain of around 50 large restaurants. The inventory in each restaurant is counted every two months. Prague Eateries has a team of inventory counters who visit the restaurants every two months. The counts have the following features: • counts take always takes place very early in the morning when the restaurant is closed; • no deliveries are planned or taken during inventory counts; • all inventory is counted and compared to the inventory record for each restaurant; • wastage levels are measured and the restaurant manager is asked to explain greater than expected wastage. Wastage levels greater than 4% can lead to disciplinary action against the manager and ultimately dismissal. The restaurant manager must be present for the inventory count. The auditors intend to rely upon this control so they will need to design tests of control. The nature and extent of the test needs to be determined. Will they observe a count or merely inspect the documentation produced by the Prague head office staff? How many inventory counts will they observe or inspect and how will they decide which restaurants to visit? The first consideration relates to the assertions this control covers, i.e. the existence and condition of inventory, the completeness of revenue and to an extent certain assertions regarding purchases. Other controls, particularly the use of management accounts to identify problem restaurants, for example, will be relevant. The number and identity of restaurants to be visited, and/or documentation to be inspected, and the nature and extent of the tests to be performed, will be affected by: • the relevant audit risks: there are likely to be significant risks in the audit of inventory in Prague Eateries meaning that tests of controls are important; • restaurants where risk is considered to be greater than others as determined by auditors: this will be affected by management’s risk assessment, any restaurants visited in prior periods, and any significant changes in the management of restaurants, for example; • the level of competence and experience in the inventory counting team; • any significant changes in the inventory counting procedure during the period; • any high risk periods during the year such as holidays, and periods close to or at the year-end to help provide substantive audit evidence of inventory existence and condition. However, testing needs to cover the entire period.

c05.indd 95

3/18/2014 7:08:33 AM

96

Core Auditing Standards for Practitioners

Relying on tests of controls in previous audits  One of the reasons that reliance on internal controls can be so cost-effective for auditors is that once the hard work has been done in year one, the benefits can be enjoyed in subsequent periods. Some auditors report that in year one they barely recover their costs, and that it is only the following years that audits are profitable in this respect. As a general rule, auditors may test internal controls in one period and then continue to rely on them in future periods without the need to retest all of them subject to the following restrictions: • where an internal control has changed: auditors need to establish that the relevant internal control has not changed through observation, inspection and inquiry; • where related controls have changed: auditors need to consider whether the relevant control is still appropriate; • where the internal control addresses a significant risk: these controls need to be tested annually; • the three-year rule: if internal controls have not changed, auditors are required to test them at least once every three years or audits. This rotational approach should not result in all of the controls being tested in year one and none in years two and three. It specifically requires that auditors test some controls each audit to avoid the possibility of relying on internal controls in a year in which no controls have been tested. Some thought also needs to be given to audit documentation where tests of control are performed on a rotational basis. The fact that this approach has been taken, and the justification for it, need to be documented. Auditors should also document the conclusions in prior years if they are being relied on in the current year. Interim audits  Sometimes, particularly where auditors have tight reporting deadlines after the year-end, testing of controls takes place during an interim audit. Auditors need to take care to ensure that the period between the interim audit and the year-end are covered during the final audit. The same obviously applies if substantive procedures are performed at the interim audit. 5.4.6  Substantive procedures during the financial statement closing process ISA 330 also includes requirements for the auditors towards the end of the audit. Auditors are required to: • agree the financial statements to the accounting records; • examine material journal entries or other relevant adjustments made during the financial statement preparation process. Agreeing the financial statements to the accounting records is a very basic audit procedure. Auditors are unlikely to miss this, but it is possible they may forget to document exactly what they have done.

c05.indd 96

3/18/2014 7:08:33 AM



Section 5 – Really Efficient Audits

97

Testing journal entries is also a critical requirement in an area associated with a high risk of error and fraud. It is dealt with in more detail in the section on fraud. 5.4.7 Documentation Auditors are required to document: • the response to risks at the financial statement level, including the nature, timing and extent of the procedures that were designed and performed; • how those procedures linked to the risks identified at the assertion level; • the results of those audit procedures. In practice, one of the hardest things to get right is clearly documenting that the risks identified were properly addressed by the audit procedures carried out. Example of Audit Documentation Beijing Merchandise Inventory valuation testing Year-end 31 March 20X5

Prepared by HW 3.6.X5 Reviewed by SC 15.6.X5

Objective of test: to obtain sufficient appropriate evidence that inventory is not overvalued. Audit procedure: inventory is valued at the lower of cost and net realisable value (NRV). Select 45 product lines at random from the year-end inventory list and agree to relevant purchase invoices to support cost. Select sales around the year-end to test for NRV. Sample size: a sample size of 45 has been selected as in our judgement it is sufficient to address the level of risk in this area. The sample has been selected at random using monetary unit sampling. Risk: there is a risk that inventory valuation could be used to manipulate the financial statements. Management might overstate NRV in order to improve the reported results. Therefore, management representations will be supported with corroborating evidence if necessary. Results: see schedule X.1

Conclusion The objectives of the test have been achieved.

c05.indd 97

3/18/2014 7:08:33 AM

c05.indd 98

3/18/2014 7:08:33 AM

6 Fraud 6.1  The Issues 6.1.1  Brief, complicated encounters Most auditors rarely encounter major frauds. Fraudsters and those involved with organised crime are more likely to employ unqualified and unregulated accountants who are not registered as auditors. They are often cheaper and likely to ask fewer questions. This means that auditors are not as well versed in fraud as some might expect, but the auditing and reporting requirements relating to fraud are less than straightforward and are more detailed than ever before.

… Most auditors rarely encounter major frauds … auditors are not as well versed in fraud as some might expect, but the auditing and reporting requirements relating to fraud are less than straightforward and are more detailed than ever before …

Besides the misappropriation of small amounts of money, inventory and other sundry assets, together with the understatement of income for tax purposes, most auditors encounter very few frauds. In order to survive, the businesses they audit are, and need to be, sufficiently well controlled to prevent significant frauds, the effects of which can be fatal. Not long ago, the responsibility to ‘report fraud’ was limited and well understood. It was effectively limited to the professional requirement to disengage from clients where practitioners knew them to be presenting false information to the tax authorities. But the last decade has seen the introduction of a number of less than straightforward rights and duties such as: • duties under money-laundering legislation that operates throughout the EU and in many other jurisdictions, to make Suspicious Activity Reports (SARs) and to avoid ‘tipping-off’; • the need to consider the possibility of reporting and self-reporting under legislation covering bribery, such as the UK Bribery Act 2010. This, combined with a relatively new auditing standard1 with some fairly tough requirements, makes practitioners understandably nervous and sometimes confused

1

c06.indd 99

ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements.

3/18/2014 7:13:25 AM

100

Core Auditing Standards for Practitioners

about their exact responsibilities. There are new requirements in ISA 240 on fraud for auditors to assume in all cases that there is a risk of material misstatement due to fraud in revenue recognition, and that there is a risk of material misstatement due to the management override of controls, with all that such assumptions entail. Figure 6.1 summarises the requirements of the ISA which are for: • evaluation of fraud risk factors and discussions of fraud risks within the engagement team; • inquiries of management, those charged with governance and internal audit about fraud; • work on journal entries focused on fraud; and • significant further procedures where the risk increases or evidence arises.

... discussion of fraud risks within engagement team

... inquiries of management, those charged with governance and internal audit

ISA 240 requires specific evaluation of fraud risk factors and ... ... work on journal entries

... further procedures where the risk increases

Figure 6.1

Demonstrating to regulators through documentation that discussions within the engagement team have taken place and that inquiries of management have been made, requires some thought. The inquiries themselves can be difficult. There is a danger that auditors might ask management about the existence of fraud using leading questions with a built-in expectation that the answer will be negative. Auditors generally do not expect fraud after all, so they might not ask the right questions, in the right way, of the right people. In some cultures, where there are expectations of deference to elders, questions regarding fraud might appear impertinent if asked by a relatively junior person of a relatively senior one. Even where that is not the case, questions about fraud can easily offend. It is important that such matters are handled … There are new ­requirements in the ISA for auditors to assume in all cases that there is a risk of material misstatement due to fraud in revenue recognition, and that there is a risk of material misstatement due to the management override of controls …

c06.indd 100

3/18/2014 7:13:25 AM



Section 6 – Fraud

101

diplomatically and that the relevant questions are asked by the right people within the audit team. Fraud encompasses a lot of bad behaviour. Legislation in different jurisdictions describe various activities as fraudulent, much of it overlapping. In the UK alone, insolvency legislation refers to fraudulent trading, the Misrepresentation Act 1967 refers to fraudulent misrepresentation, and the Fraud Act 2006 which deals with the old offences of obtaining goods and pecuniary advantage by deception, refers to fraud by false representation, by failing to disclose information and by abuse of position. There is a wealth of case law on fraud, including blackmail. Auditors do not need to be familiar with all of this legislation and case law. The auditors’ main concern is with fraud that affects the financial statements. Fraud in the financial statements involves the misappropriation of assets or the manipulation of the reported transactions, balances or disclosures. In other words fraud tends to involve people ‘stealing stuff’ or ‘fiddling the accounts’, and often both, as ‘missing stuff’ leads to errors in the accounts. ISA 240 gives special consideration to misstatements resulting from fraud because fraud is usually well concealed and therefore harder to detect than inadvertent errors that no-one is trying to cover up. 6.1.2  Where does fraud really start? Businesses are both the victims and perpetrators of fraud. Managers, employees and third parties such as customers and suppliers may all be involved. Management fraud in particular represents a significant risk because of the need for auditors to obtain and use management representations that can be difficult to corroborate. Frauds most likely to affect the financial statements are often perpetrated by management. Typical frauds that affect the financial statements include: • overstating profits, by understating bad debt provisions or overstating accrued revenue, for example; • misleading users such as lenders or investor by overstating asset values; • concealing financial difficulties through the omission of going concern or subsequent events disclosures. All misstatements are the result of either fraud or error. Fraud is intentional, error is not, but the distinction can be fuzzy. Management’s optimistic view reflected in a valuation at the margins of what is acceptable may be deemed acceptable. However, when one position at the margins combines with others, particularly over a long period of time and in deteriorating conditions, they can degenerate into error, and finally into financial statement fraud. But at what point? An entity may make a genuine mistake and underpay tax. Only if management does nothing to rectify the position when it becomes apparent, does it become a fraud, but the point at which this happens will rarely be clear.

c06.indd 101

3/18/2014 7:13:25 AM

102

Core Auditing Standards for Practitioners

Aggressive Earnings Management A paper dated 2001 on aggressive earnings management published by the UK’s Auditing Practices Board in 2001,2 gives an example of how legitimate business practices can easily degenerate into fraud. It is as relevant now as it was then. It describes a large manufacturer that grew rapidly during an economic upturn, and then found itself struggling to meet targets because of a slow-down. To meet targets, staff overtime was authorised and the necessary dispatches were made and invoiced. The following year, targets were even higher but the slowdown continued. The entity had to make up even more ground because of the sales taken in the prior period that would otherwise have been taken in the current period. Management again authorised overtime, offered additional discounts and reduced provisions for bad debts, returns and warranties. Taken individually, each of the provisions was reasonable, if a little optimistic. As before, targets were met. But in the third year, efforts to meet targets started to fail and management resorted to invoicing on a sale or return basis without providing for any returns, bringing forward invoices that belonged in the subsequent period and making false journal entries to meet the targets.

6.1.3  Does fraud really matter for audit purposes? Some significant frauds do not affect the numbers in the financial statements, but they may nevertheless have implications for disclosures. If an entity holds client money, for example, auditors are often required to report on compliance with client money regulations intended to prevent misuse. But even if client money has been mishandled, it does not usually appear in the financial statements. Provided it has not been stolen, the main and probably only effect on the financial statements might be the need to accrue for any fines or penalties imposed by the regulator. In serious cases, there might be a need to consider the going concern status of the entity if a regulator threatened to withdraw its operating licence. The risk of non-detection of fraud is greater for management fraud than employee fraud simply because management is in a better position to override the controls it has implemented and to cover its tracks. The extent to which auditors are likely to detect fraud depends on, among other things, the extent of manipulation, the skill of the perpetrators and the degree of collusion involved. Auditors may be aware that auditing standards make it clear that there is an unavoidable risk that material misstatements due to fraud go undetected, even in a properly conducted audit, but this still often comes as a surprise to many otherwise well-informed professionals – particularly lawyers. 6.1.4  Issues for policy-makers Fraud is an emotive, political issue with complex technical aspects. Standard-setters, regulators, government and others like to be seen to be ‘tackling fraud’. However, the more experienced among them are very well aware that if fraud were easily dealt with, it would have been dealt with a long time ago.

2

c06.indd 102

www.frc.org.uk.

3/18/2014 7:13:25 AM



Section 6 – Fraud

103

Policy-makers have to strike a balance. Requiring auditors and others to report suspicions of fraud sounds attractive but it risks damaging long-established relationships of trust, which can serve to drive legitimate business into the hands of the unregulated and the unscrupulous. It exposes auditors to the threat of litigation, and worse. If auditors and others are required to report, they need a safe environment in which to do so, and there are advanced jurisdictions which would like to introduce general requirements for the reporting of fraud, but are unable to do so because the necessary infrastructure, in terms protection from litigation and other ‘safe harbour’ mechanisms, are simply not there. The tortuous process by which the EC’s money laundering legislation was implemented in the UK is testament to these difficulties. An even more serious risk is that regulation is introduced but is ineffective because it is not policed, is ignored, used for purposes other than those for which it was intended, or is applied inconsistently. 6.2  What the Regulators Say 6.2.1 AQRT A recent AQRT3 report on audit inspections notes that auditor fraud risk assessments could do with improvement generally. Specifically, it notes instances of auditors giving insufficient consideration to risks relating to management’s override of controls, and a failure to test management journals during the year or at year-end. 6.2.2 QAD A recent QAD report4 notes a failure among auditors to address the risk of fraud in revenue recognition, as well as risks relating to management’s override of controls. It notes that there is often insufficient evidence to show that fraud has been considered in a thoughtful way at the engagement team meeting. The report ascribes some cases of this to over-familiarity with a long-standing audit client (‘we know this client inside out’), and states that while this may be justifiable, there is a need for more robust documentation to support that assessment. The report also notes that the risk of management override of controls is frequently dismissed without much apparent thought. Auditors need to demonstrate that they are more open-minded about the possibility of fraud. Sometimes auditors do not appear open to this possibility which makes it very difficult for them the detect fraud. 6.2.3  Other regulators A recent Malaysian Auditor Oversight Board Annual Report5 notes that because auditing standards presume that revenue recognition is susceptible to fraud, it remains an area of focus for the Board. 3

4

5

c06.indd 103

Audit Quality Review Team of the FRC, formerly the Audit Inspection Unit (AIU)—inspects listed and other public interest audits in the UK. Audit Quality Inspections 2011/2012 www .frc.org.uk. The Quality Assurance Department of ICAEW—inspects audits not covered by the AQRT. Audit Monitoring 2011 www.icaew.com. www.sc.com.my. Report dated 2011.

3/18/2014 7:13:25 AM

104

Core Auditing Standards for Practitioners

Regulators note ... ... summary dismissal of the risk of management override of controls, due to over-familiarity

... a failure to test journal entries

... little evidence of ‘thoughtful’ fraud risk discussions within the engagement team

Figure 6.2

Singapore’s Accounting and Corporate Regulatory Authority notes in a recent report of its Practice Monitoring Program6 that transactions with related parties represent an increased risk of fraud. A recent Australian Securities and Investments Commission Audit Inspection Program Report7 notes that in many instances, the Commission found that auditors had not discussed fraud risks with management or those charged with governance, and other instances in which auditors did not adequately consider the risk of fraud in revenue recognition. These findings, which are summarised in Figure 6.2, are hardly surprising. The assumption of risk in revenue recognition and the assumption of a risk of fraud relating to the management override of controls were both new requirements when ISA 240 was last revised. They were included under pressure from the USA in the face of opposition, particularly in respect of revenue recognition. Neither assumption ‘goes without saying’ and auditors sometimes have to make an effort to find ways of showing that the ‘risks’ of fraud in revenue recognition and management override have been addressed. 6.2.4  IAASB’s ISA Implementation Monitoring project A recent report on IAASB’s ISA implementation monitoring project8 notes the following issues with the application of ISA 240: • inconsistent interpretation of the presumed fraud risk in revenue recognition, some taking it to mean that revenue recognition automatically creates a fraud risk and is therefore a significant risk, others rebutting the presumption without the appropriate documentation to support it; • inconsistencies in applying the requirement to test journal entries, in terms of sample sizes and, given the variation in what can be considered as a journal entry, the identification of the underlying population. 6 7 8

c06.indd 104

Dated July 2011. Report 317 December 2012 www.asic.gov.au. The Clarified ISAs—Findings from the Post-Implementation Review A three-year project designed to assess the effects of clarified ISA implementation www.ifac.org.

3/18/2014 7:13:25 AM



Section 6 – Fraud

105

6.2.5  IESBA proposals for reporting on illegal acts The International Ethics Standards Board for Accountants (IESBA) recently proposed a standard that would have required auditors to report illegal acts to an ‘appropriate authority’ in a manner above and beyond what is already required in jurisdictions with long-established fraud reporting mechanisms, such as the UK. The ED Responding to a Suspected Illegal Act9 proposed that, among other things: • practitioners performing services for audited entities would be required to disclose to an ‘appropriate authority’, suspected illegal acts that affect financial reporting or otherwise fall within their expertise, where reporting would be ‘in the public interest’; • practitioners performing services for non-audit clients and accountants in business, would be required to disclose suspected illegal acts to the entity’s external auditor where they were unable to escalate the matter internally, or where the entity or employing organisation failed to take appropriate action, and the matter was such that disclosure would be in the public interest. If the external auditor’s response was not appropriate, the accountant would have a right to disclose certain acts to an appropriate authority. The accountant would be expected to exercise the right to disclose. Only in exceptional circumstances, would practitioners and accountants not be required or expected to disclose the suspected illegal act, i.e. where the effect of disclosure would be severe, such as where there were threats to the physical safety of the accountant, their employees or families. Commercial consequences, such as the loss of the client or income, would not be considered exceptional, and disengaging from the client or resigning from the employer would not eliminate the need for disclosure. These proposals were a genuine attempt to help accountants ‘do the right thing’ by giving them the right (and indeed the obligation) to report serious frauds. The proposals were met with fierce criticism even from jurisdictions that have similar requirements, demonstrating the difficulties for regulators making changes in these areas. Who are ‘appropriate authorities’? What damage will be done to the ‘trusted advisor’ status that is so critical to the livelihood of many practitioners? What protection would accountants have from litigation should the suspected illegal act turn out not to be true? Only in some jurisdictions do whistle-blowing regimes protect accountants who report in this way. The ‘public interest’ is a notion well-established in common law jurisdictions but it does not translate so well elsewhere and there are very different notions of what is ‘in the public interest’ in different cultures. 6.3  What Practitioners Say Practitioners might not encounter much fraud but they are conscious of the need to be vigilant. Regulators claim that auditors fail to consider the risks of fraud in revenue recognition and in relation to the management override of controls. This is worrying because auditors say that these are risks that are often associated with real instances of fraud. 9

c06.indd 105

www.ifac.org/iesba.

3/18/2014 7:13:25 AM

106

Core Auditing Standards for Practitioners

Fraud Risks: Management Override Valletta Wholesale Valletta Wholesale is a subsidiary of a foreign company and Valletta’s management is paid profit-related bonuses that are based on the company’s audited financial statements. Valletta has a strong system of internal control. Performance has been worse than expected and the finance director has manipulated the year-end inventory figures by adding in additional product lines that do not exist. Without these additions, the company would have reported a loss, but the additional value added to inventory means that the directors now qualify for a bonus. How should Valletta’s auditors approach the audit if they are to have the best chance of detecting this fraud? The auditors should have identified in their risk assessment that management might be motivated to manipulate the financial statements to enhance their profit-related bonus. This is a significant risk and the auditors would need to consider how management, if they were minded to do so, might manipulate the financial statements for their own benefit. The identification of this risk should have led to the performance of additional work on accounting estimates. In the case of this particular fraud, this process might not have helped because fictitious additions to inventory do not involve an estimate that has been manipulated. However, the risk should have had some impact on other tests of detail, perhaps by increasing focus on this and other areas susceptible to manipulation generally. The auditors should also have determined that there was a risk of fraud because management is in a position to override internal controls. Despite good internal controls, management is always able to override some systems. In this instance, the finance director has manipulated inventory. The auditors should have identified areas that were susceptible to management override and increased sample sizes, for example. When the year-end inventory count sheets were checked to the physical inventory, a sufficient quantity should have been tested to reflect the increased risk, and to give at least some chance of any ‘errors’ being detected. If any ‘errors’ were found in the sample, the auditors should not have simply accepted management representations to the effect that they were isolated.

Fraud Risks – Revenue Recognition Nicosia Contractors Nicosia Contractors is an owner-managed business that engages in large building contracts. A typical contract takes between two and four years to complete. At the year-end, revenue on incomplete contracts is taken to the income statement in line with the percentage of completion of the contract.

c06.indd 106

3/18/2014 7:13:25 AM



Section 6 – Fraud

107

The owner-manager uses costing records to estimate the percentage of completion. At this year-end he falsifies costing records to give a lower accrued revenue figure. His motivation is to reduce the company’s tax bill and ease cash flow. The auditors can rebut the presumption of a significant risk of fraud in revenue recognition but in this instance they do not and should not. They also identify the risks associated with the owner-manager seeking to minimise tax. The auditors recognise that there is scope for the manipulation of revenue, and that the owner-manager could redirect income away from the company. Significant risks require special auditor attention and the auditors will specifically design tests to address these fraud risks. Experienced auditors should be in a position to identify the risk areas in Nicosia Contractors and focus their work on them.

6.3.1  What is fraud? The Fraud Advisory Panel (FAP)10 focuses on fraud in the UK in the context of global trends. It has a wealth of resources, facts and figures on the subject. It is recognised that fraud is always under-reported but common themes in the many reports to which its web-site refers include the following: • fraud is as common as it ever has been and the estimated amounts involved rarely diminish; • most frauds against businesses are frauds committed by outsiders rather than employees; • ‘traditional’ debit and credit card fraud has reduced overall in recent years due to better controls, but bogus invoicing, VAT fraud and asset theft are still common; • new frauds, such as corporate identity fraud and the theft of intellectual property across borders, are difficult and expensive for small businesses to deal with once they have taken place. If the consequences of any of these frauds include material errors, the auditors should consider how their testing might identify them. However, the manipulation of financial statements tends to be the more important fraud risk that auditors need to address. The FAP document Fraud Hotspots in Smaller Businesses notes a number of new frauds to which smaller businesses are particularly vulnerable, beside the traditional misappropriation of assets, debit and credit card fraud, false/inflated supplier invoices and non-existent employee/contractor fraud, including: • false reporting of non-deliveries from online retailers; • the theft of goods subsequently returned for cash refunds; • the generation of fictitious refunds/returns by employees; 10

c06.indd 107

www.fraudadvisorypanel.org.

3/18/2014 7:13:25 AM

108

Core Auditing Standards for Practitioners

• the theft and misuse of confidential information; • corporate identity fraud used to obtain goods, services and access to facilities; • online banking fraud. 6.3.2  Assessing fraud risks: trusting auditor instincts Fraud usually requires an incentive, the opportunity to commit it and some rationalisation. Occasionally, fraud appears to be perpetrated ‘for the fun of it’ and it can be ­difficult for auditors to detect because such frauds do not necessarily make sense. Many if not most people might have an incentive, anyone in a position of trust may have some opportunity. A widespread general sense of unjustness in society and at work in particular will often serve as rationalisation and a sense of ‘entitlement’ often drives fraud. However, the vast majority of people have an incentive, opportunity and the ability to rationalise fraud, but they do not commit it. One of the reasons for this is that there are internal controls designed to protect everyone by preventing it. If auditors understand the incentives, opportunities and possible fraud rationalisations in an audit, they have taken the first all important step in assessing fraud risks. … If auditors understand the incentives, opportunities and possible fraud rationalisations in an audit, they have taken the first all important step in assessing fraud risks …

Assessing Fraud Risks Kingston Cruises Kingston Cruises operates a cruise ship. The ship has a crew of 800 staff, including cooks, waiters, cleaners, bar staff and engineers. Minimum wage legislation does not apply because the ship operates in international waters. Most of the junior crew earn less than $20 a day. Crew are entitled to receive their share of tips but a new company policy means that if certain customer satisfaction scores are not achieved, tips are withheld. This change has been poorly received by the crew. What issues should auditors consider when assessing the risk of fraud? Incentives to commit fraud: the majority of the crew receive low rates of pay and such staff might seek to increase their income through theft to provide for a family at home. Withholding tips is likely to increase the incentive significantly. Rationalisation: the combination of low pay and the change in tips policy gives plenty of scope for fraud to be rationalised. There might be a sense of entitlement that has built up amongst the crew. Auditors should not ignore the possibility of there being widespread collusion to commit fraud because the crew as a group feels poorly treated.

c06.indd 108

3/18/2014 7:13:25 AM



Section 6 – Fraud

109

Opportunity to commit fraud: the most likely fraud in this circumstance is the theft of cash, food or drink or other consumables such as tools or linen. Not every crew member will have the opportunity to commit fraud. Engineers and cleaners might have little access to cash or marketable assets. Bar staff, cooks and waiters have more access to attractive goods. Auditors should assess how these matters affect risks in areas such as inventory and revenue and then consider the effectiveness of internal controls, such as physical controls over access to food and drink, before designing appropriate tests.

6.3.3  Audit as a deterrent to fraud An Association of Certified Fraud Examiners’11 (ACFE) 2012 report notes that while external audits can have a strong preventive effect on potential fraud, their usefulness as a means of uncovering fraud is limited. The ACFE is an international organisation, although it is based in the USA where there is no statutory audit requirement. The report states that despite the fact that external audits detect only 3% of the frauds reported to the ACFE, they are commonly implemented as a control mechanism in the belief that audit is a way of detecting fraud. The expectation gap with regard to audits and fraud detection seems as widespread as ever. The ACFE states that its research continues to show that small businesses (less than 100 employees) are particularly vulnerable to fraud. They have fewer resources and less effective anti-fraud controls than larger entities, and losses resulting from fraud tend to have a bigger impact on such businesses. The ACFE suggests that the three principal ways in which the frauds reported to them come to light are through employee tips, internal audit and management review. Many frauds are still uncovered by accident. The report also suggests most fraudsters exhibit red flag behavioural traits, such as living beyond their means or exhibiting excessive control issues, neither of which will generally be dealt with by traditional internal controls. This reinforces the notion that an important element of fraud detection for experienced auditors involves trusting their instincts. Just because something doesn’t feel quite right doesn’t necessarily mean that something is wrong, but something that is wrong rarely feels completely right. Anecdotal evidence suggests that awareness of a fraud often emerges slowly. It starts with a vague sense that something doesn’t seem quite right. The feeling is dismissed as other issues take precedence but it comes back later, sometimes in another guise. After a time, there is a very real sense that too many things just aren’t stacking up and alarm bells start ringing as the realisation of what is probably really going on dawns. This is not a good place to be for auditors who then have to extricate themselves from the situation.

11

c06.indd 109

www.acfe.com. ACFE’s UK chapter is at www.acfeuk.co.uk.

3/18/2014 7:13:25 AM

110

Core Auditing Standards for Practitioners

Trusting Auditor Instincts Dublin Kitchenware During the fieldwork for Dublin Kitchenware, the audit senior finds that this year there are no late purchase invoices. In previous years, the payables ledger was closed 21 days after the year-end. Any additional purchase invoices in respect of that year received after then were dealt with in the next accounting period, but a copy of the invoice was taken and put in the ‘late invoice’ file. The senior notes this change and tests post year-end purchase invoices to find that none relate to the prior period. The auditors therefore accept that there are no late purchases or payables. The audit engagement partner is suspicious about the absence of late creditors. He thinks that it does not ‘feel right’ and, on reflection, considers whether this could reflect management manipulation of the financial statements because of pressure applied to the company by the bank due to recent poor trading results. The engagement partner confronts the financial controller who admits that the finance director has instructed the accounts team to give him the late invoice file and not to show it to the auditors. The finance director gives the file to the engagement partner saying that it was a ‘mistake’ and that he took the file to draw up the year-end journal entry but forgot all about it. The auditors now have to make a decision. If the integrity of Dublin Kitchenware’s management is in doubt, the auditors should consider whether they should resign, assuming it is practicable and legal for them to do so. If the auditors stay in office and complete the audit, a reassessment of the risk of fraud is essential and future management representations will need robust corroboration.

6.3.4  Management fraud It is common for fraud to be perpetrated by management, which presents particular problems. The auditors’ main point of contact is nearly always a member of management, which can make detecting fraud especially difficult. The auditors’ response to any fraud risks must always be robust and procedures need to be designed with this in mind. While auditors are not generally required to authenticate source documentation when there is no suggestion that something might be amiss, a fraud risk might prompt auditors to go further. This means that they are permitted to assume that an invoice is genuine unless something comes to their attention to suggest it might not be. Any fraud risk calls into question the authenticity of documents and an appropriate response must allow for the possibility of auditors being presented with false documents, or lied to. Where fraud risks are present, auditors will seek higher quality evidence generally, and to corroborate management representations with evidence from independent sources, preferably third parties outside the audited entity.

c06.indd 110

3/18/2014 7:13:25 AM



Section 6 – Fraud

111

Management Fraud The Sarajevo Foundation The Sarajevo Foundation is a not-for-profit entity which manages theatrical productions. Every year, it presents several high-profile, high-quality productions bringing in an income of over $50m. Its main costs are staff costs, although there are few employees because most of the actors and support staff are either freelance or engaged through agencies. Sarajevo has a full-time finance director (FD) who has been employed by the foundation for over 30 years. The FD is a qualified accountant, supported by two administrative staff. There is a system of internal control whereby all expenses are approved by the FD. There is also an internal audit function, conducted by the FD. The FD deals with all staff matters, including hiring and firing, he prepares the year-end and management accounts and he liaises with all external advisors. As part of the risk assessment, the auditors have identified that there is very little segregation of duties. The FD is responsible for virtually everything and is naturally the auditors’ main point of contact for all queries. The trustees of The Sarajevo Foundation have said that they do not know what they would do without the FD and he and his assistants are frequently described as the longest standing and most trusted members of the management team. Consequently, the auditors have assessed the risk of fraud as high on the basis that the FD has the opportunity to perpetrate fraud. There are no particular reasons why the FD might be motivated to manipulate the financial statements, other than to conceal a fraud involving the theft of Sarajevo’s funds. The auditors’ response to this risk is to: • seek confirmations from staff other than the FD where possible; • seek third party confirmations where possible, such as payables circularisations, or direct confirmations from employment agencies; • ensure that all third party confirmations are sent directly to the auditors rather than to Sarajevo, to avoid the risk of tampering; • be particularly alert for anything that looks unusual, including any indications that the FD’s lifestyle does not accord with his salary; • try to build in some unpredictability into audit tests. This is very important in long-standing audit engagements. The FD might come to design fraud around the auditors’ tests; • ensure that the audit staff performing the work are properly briefed and that they are sufficiently experienced to be able to address the relevant risks; • ensure that the audit team is adequately supported by senior staff and that the work is properly supervised and reviewed. The auditors’ response to the assessed fraud risk is not necessarily to perform more audit work, although that might be appropriate in some situations. The response may be to design tests in a way that gives auditors the best chance of identifying fraud. For example, Sarajevo’s FD is trusted and can override any internal control. This means that it would be relatively straightforward to misappropriate the foundation’s funds and provide false documents to make the theft appear to be expenditure on agency staff. Getting confirmations direct from agencies might show up this fraud. Auditors might also ask a producer or stage manager rather than the FD when querying specific transactions.

c06.indd 111

3/18/2014 7:13:26 AM

112

Core Auditing Standards for Practitioners

The audit approach to the risk of fraud required by ISA 240 requires auditors to: • ensure that the risk of error is assessed in terms of its nature and extent; • identify risks at the assertion level and design specific tests in response to that risk; • assign the right staff to the audit team, and properly supervise them; • incorporate an unpredictable element into testing, so that the perpetrators of fraud do not simply design their activities around the auditors’ known procedures.

6.4  What the Standard Says 6.4.1  What fraud is ISA 240 defines frauds as intentional acts involving the use of deception to obtain unjust or illegal advantages. This catches more than legislation and case law because under this definition, fraud need not necessarily be illegal. The definition also refers to an ‘unjust’ advantage. Misstatements arising from fraud involve either • reported assets that have been misappropriated; or • fraudulent financial reporting. Non-existent revenue and assets resulting from theft can result in material misstatements in the financial statements. Reported inventory that has been stolen may result in a misstatement, for example, although not all asset misappropriation necessarily leads to misstatement. The theft of intellectual property is increasingly common as entities become aware of its value and how rights can be exploited and enforced. The personal use of the entity’s assets is also a possible fraud, but neither will necessarily affect the financial statements directly, although there are control implications for the broader risk assessment in such cases. Misstatements arising from asset misappropriation are more likely when assets are poorly controlled, poorly recorded, portable and when redundancies are likely. Fraudulent financial reporting as a cause of material misstatement includes the fabrication of revenue and assets that never existed, where empty silos are counted as full, for example. Financial reporting fraud often involves altering or fabricating records, including invoices and journal entries, leaving transactions and balances out altogether, and engaging in complex transactions to hide their true nature. Given the quality of controls over most automated systems, it is hardly surprising that journal entries, and particularly significant last-minute journal entries, are known to be a common means of perpetrating the latter type of fraud, which is why ISA 240 requires auditors to examine such entries.

c06.indd 112

3/18/2014 7:13:26 AM



Section 6 – Fraud

113

6.4.2  Assessing fraud risks Professional scepticism  Regulators point out that scepticism can be difficult to demonstrate when the client is a long-standing one and is well-known to the practitioner. But scepticism means recognising that a material misstatement might exist, regardless of the auditor’s past experience of the honesty and integrity of the entity. Auditors do not disregard their past experience, but they cannot assume that because management has been honest in the past that this will not change, which is not the same as assuming that management is dishonest. Auditors only need to investigate the authenticity of documents if they have reason to believe that documents may not be authentic, in which case they must investigate. Trusting instincts rather than forensic skills comes in again here. The Parmalat case involved a forged bank confirmation of balances of over $5bn with a US Bank. No complex technology was involved, it appears that that the fraudulent bank confirmation was created with scissors, tape and a scanner. Audit team discussion of the susceptibility of financial statements to misstatements due to fraud, fraud risk factors and indicators of fraud  The audit team discussion takes places as part of the general discussion required by ISA 315 on risk assessment.12 It might cover fraud risk factors and indicators, such as evidence of earnings management, possible incentives, opportunities and rationalisations for fraud, changes in behaviour, allegations of fraud made by client staff to audit team members and the need for unpredictability in testing. One of the main objectives of the discussion is to raise the audit team’s awareness of the fraud risks to give everybody a better chance of identifying fraud or additional indicators that fraud might exist. Personal incentives to fraud can include financial difficulties created by alcohol or gambling problems, divorce or individuals simply living beyond their means. Pressure to meet earnings or other targets, particularly if they trigger bonuses or prevent inquiries as to why targets have not been met, are relevant at a personal and corporate level. The list of corporate incentives for fraud look similar to indicators of going concern problems. It includes: • increased competition; • technological change; • decline in demand; • rapid growth; • changes in legislation or regulation; • pressure applied by analysts or investors to meet targets; • complex group structures or transactions; 12

c06.indd 113

ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment.

3/18/2014 7:13:26 AM

114

Core Auditing Standards for Practitioners

• assets being held in tax havens; • a poor control environment, poor monitoring of controls and ineffective IT; • a high turnover of staff; • low morale; • owners making no distinction between personal and business assets. Indicators of fraud also include: • significant last-minute adjustments; • pressure to complete the audit quickly; • delays in providing information; • missing or altered documents; • significant unexplained items in large suspense accounts; • explanations from management that do not stack up; • poor documentation of changes to systems; • changes in accounting policies and estimates; • a history of disputes with auditors. All of this can amount to little more than common sense for experienced practitioners but sometimes, with the benefit of hindsight, it is possible to see that the warning signs were there and were missed. As always, scepticism is the key. Completion of the financial statements and audits are often pressurised and complex group structures and transactions are sometimes necessary for legitimate business reasons. Low morale and a high turnover of staff are not of themselves unusual, and some businesses seem to manage to make a profit despite having little or no documentation of their very poor accounting and control systems. However, discussing these risk factors and documenting them can help crystallise thoughts that might otherwise have remained as vague worries. At the very least, documentation of the discussions will show that a proper attempt was made to identify the risks. Inquiries of management, internal audit and those charged with governance about actual, alleged and suspected fraud  ISA 240 requires the auditors to make inquiries about: • management’s controls to prevent and detect fraud; • management’s assessment of the susceptibility of the financial statements as a whole to fraud; • the susceptibility of different locations and business segments to fraud. Management’s communications of its ethical expectations to employees, how those charged with governance oversee management’s actions in this area and internal audit’s

c06.indd 114

3/18/2014 7:13:26 AM



Section 6 – Fraud

115

approach to fraud are also relevant. Does, for example, management respond satisfactorily to internal audit’s findings? Assessing the risk of fraud: rebuttable presumptions  The risk of material misstatement due to fraud will always include: • the presumed risk of a risk of material misstatement due to fraud in revenue recognition. This presumption can be rebutted, but the rebuttal needs to be documented; • the risk of management override of controls. The rebuttable presumption of fraud in revenue recognition is sometimes misinterpreted. The presumption is rebuttable which means that fraud in revenue recognition is not always a significant risk, but where it is not, auditors must document why. Rebutting the Presumption of a Significant Risk of Fraud in Revenue Recognition Cardiff Commercial Property Cardiff Commercial Property owns two office buildings. Each building is rented to a good quality corporate tenant under a long, repairing lease. Rent is received quarterly in advance. The rent and related service charges are Cardiff’s only income, therefore each year there should only be eight receipts. Cardiff is a good example of where the auditors should almost certainly rebut the presumed risk of fraud in revenue recognition. Revenue is a straightforward area with few transactions that are easy to control and predict.

Just as importantly, where the presumption is not rebutted auditors must document the nature of the fraud risk in revenue recognition. Even where revenue recognition is a significant fraud risk, it is unusual for the risk to relate to all aspects of revenue. Cutoff, valuation, classification or disclosure might be the issue, or some combination of them. Only through properly understanding the exact nature of the risk can auditors properly respond to it and design the appropriate audit tests. Journal entries and accounting estimates  Journal entries and accounting estimates are the easiest and most common targets for management seeking to override the controls for which it has responsibility. Auditors are therefore always required to: • test year-end journal entries and other adjustments, paying particular attention to equal and opposite entries just before and after the year-end; • consider the need to test journal entries throughout the year; • inquire about inappropriate or unusual journal entries; • review estimates for bias, evaluate whether individual estimates might collectively display bias and whether it might be material;

c06.indd 115

3/18/2014 7:13:26 AM

116

Core Auditing Standards for Practitioners

• review management judgements and assumptions retrospectively; • evaluate the business rationale for transactions that are outside the normal course of business or are otherwise unusual. An important requirement listed above which is sometimes overlooked in practice is the requirement to consider any misstatements in accounting estimates as a whole, even immaterial ones. This enables auditors to see trends and detect bias that was not particularly pronounced in individual areas.

Considering Estimates Collectively Havana Kitchen Equipment During the finalisation of the audit of Havana Kitchen Equipment, the auditors examine the unadjusted misstatements found during the testing of accounting estimates. $ Bad debts provisions

23,000 overstated

Warranty provisions

64,000 overstated

Inventory provisions

38,000 overstated

The fact that the misstatements all lead to an understatement of profits is important. Whether the unadjusted misstatements are material in aggregate is ultimately important for the audit opinion, because if they remain unadjusted, the auditors may need to qualify their opinion. However, if they are immaterial the misstatements still matter because they could indicate management bias which has implications for testing in other areas, in that auditors will need to be more vigilant. In any event, the auditors should reconsider their risk assessment and determine whether sufficient evidence has been obtained in these and other areas. In this case, auditors might be particularly concerned if they also found that the useful lives of intangible assets assessed were unusually short, for example. Typically such bias is designed to reduce tax liabilities. If this appears to be the case, work should be focused on tax-sensitive areas. Bias is sometimes the result of error and it is possible that the finance director of Havana might simply be a very prudent accountant who believes overestimation of provisions to be a good thing. If this appears to be the case, auditors may need to revisit other audit areas.

c06.indd 116

3/18/2014 7:13:26 AM



Section 6 – Fraud

117

Mandatory Testing of Journal Entries Oslo Productions Oslo Productions is a large film production company, listed on a regulated stock exchange. Oslo’s in-house financial accountants prepare the year-end journal entries. The auditors approach testing as follows: • the auditors obtain a list of journals from the finance director and test them for completeness; • every material journal is selected for testing; • a random sample of journals is taken from the residual population; • all items selected are tested to relevant supporting documentation. Nearly every item selected has already been subjected to other audit testing so the auditors frequently check back to evidence already obtained; • the auditors consider testing journals during the year, but they decide not to because most are put through to prepare monthly management accounts and are reversed the following month.

Helsinki Guest House Helsinki is a small business and local auditing regulations permit the auditors to prepare the financial statements for the company. All of Helsinki’s journals are prepared by the auditors as part of their accountancy work. At first sight, it might seem superfluous for the auditors to test journals, as the auditors prepared them. However, journals remain the responsibility of management and auditors are likely to have discussed any provision for legal claims with management. If management suggest that Helsinki will probably have to pay damages, the claim needs to be audited as well as simply prepared as a journal entry and the auditors will seek to inspect relevant correspondence.

Fraudulent journal entries are more likely than others to: • involve little-used accounts; • be made by people who do not normally make them; • have little or no explanation; • be round numbers. Transactions may be suspect if they involve related parties, particularly non-consolidated related parties in a group situation, and have not been properly reviewed or approved, or if management is overly concerned about their presentation.

c06.indd 117

3/18/2014 7:13:26 AM

118

Core Auditing Standards for Practitioners

6.4.3  Responding to assessed risks of fraud Paragraph 27 of ISA 240 states that all assessed risks of material misstatement due to fraud are significant risks requiring auditors, if they have not already done so, to: • obtain an understanding of related controls; • investigate inconsistencies, particularly in responses to inquiries; • consider unusual or unexpected relationships in analytical procedures. Analytical procedures are less used than they once were but they can be a powerful tool to highlight fraud as well as error. If, rather than inflating revenue using journals, fictitious invoices are raised and cancelled after the year-end with credit notes, they will not show up in a review of journal entries, but properly applied detailed analytical procedures might highlight them. Written representations confirm that management has disclosed: • the results of its assessment of the risk of material misstatement due to fraud; • its knowledge of actual or suspected fraud involving management and certain senior employees; • its knowledge of alleged frauds affecting the financial statements made by employees, including former employees, among others. Written representations also acknowledge management’s responsibility for internal controls covering fraud. 6.4.4  Additional procedures Overall responses to an increased risk of misstatement resulting from fraud are much as they are for an increased risk of misstatement in any area. They include assigning more experienced staff, greater supervision, considering whether forensic or systems experts are needed, paying particular attention to accounting policies, incorporating more unpredictability into testing and paying greater attention to documentation and the corroboration of management explanations. Scrutinising management explanations where management is expected to meet earnings targets might involve not just confirming balances, for example, but confirming contractual terms such as rights of return. It might also involve performing more detailed substantive testing on dispatch notes and invoices, checking dates to detect any invoicing prior to dispatch, for example. Increasing sample sizes, performing more detailed analytical procedures, more substantive procedures at the year-end and less controls testing generally might also be appropriate responses to an increased risk of misstatement due to fraud. Attending more inventory counts, performing more test counts, and using tests of detail to analyse inventory shortages might be an appropriate response where inventory is subject to an increased risk of misstatement.

c06.indd 118

3/18/2014 7:13:26 AM



Section 6 – Fraud

119

6.4.5  Reporting within the entity In more extreme circumstances, material misstatements due to fraud that are not corrected might mean that auditors should consider resigning if possible, particularly if a disclaimer of opinion is necessary, because of the implications regarding the integrity of management. In some jurisdictions, resignation is prohibited and in many, such as the UK, resignation or any other change in appointment must be accompanied by statements about whether there is anything that needs to be brought to the attention of members or creditors. Where suspected fraud involving management comes to the auditors’ attention, they report it to the next highest level of management. Where the most senior levels of management or those charged with governance are involved, reporting to shareholders or third parties might be the only option. 6.4.6  Reporting outside the entity to shareholders and third parties Reporting directly to shareholders on fraud is rare but there are an increasing number of situations in which auditors are required to report suspicions of specific crimes, such as terrorism, drug trafficking and money laundering, to different authorities. Reporting to regulators in the banking, insurance, pensions, other financial services and the notfor-profit sectors is also required. In many jurisdictions, auditors also have legal or regulatory rights or duties to report matters to individuals or bodies outside the audited entity in the ‘public’ or ‘national’ interest, or in the interests of ‘national security’. Auditors in many jurisdictions have a legal right or a duty to report suspicions of money laundering and other serious frauds to national Financial Intelligence Units and serious fraud authorities such as the Serious Organised Crime Agency (SOCA) and the Serious Fraud Office (SFO) in the UK. Other authorities might include competition authorities, government departments, the police or tax authorities. A duty to report is usually clear, a right requires auditors to make a judgement as to whether reporting is appropriate. In practice, rights are rarely exercised. Efforts to encourage practitioners to exercise rights to report to regulators rather than requiring them to do so have rarely, if ever, been successful. There are few precedents for exercising rights to report and legal advice should be taken. If auditors have a right to report, it is generally appropriate for them to encourage the entity, in writing, to report the matter itself in the first instance. Only if the entity fails to provide evidence that it has done so, or if auditors have lost confidence in the integrity of those charged with governance, should auditors consider doing it themselves. Legislation and regulation sometimes protect practitioners who report to third parties from claims of defamation, or claims that that they have breached their duty of confi­ dentiality, in order to encourage reporting. The protection where it exists is generally available provided practitioners act reasonably and in good faith, and report to a proper authority.

c06.indd 119

3/18/2014 7:13:26 AM

120

Core Auditing Standards for Practitioners

In deciding what is in the public interest and whether to report, practitioners might consider: • the likely damage caused, any corrective action taken by the entity and the extent to which the public is affected; • the entity’s attitude towards the law, the weight of evidence and the possibility of the fraud being repeated; • the seriousness of the matter. If the decision to report is questioned later, auditors are likely to be judged based on what they: • knew at the time; • should have known; • should have concluded; • should have done. The fact that a reported matter subsequently turns out not to have constituted an offence, does not of itself mean that auditors should not have reported it.

c06.indd 120

3/18/2014 7:13:26 AM

7

Communications with Those Charged with Governance 7.1 The Issues

7.1.1  The distinction between management and those charged with governance ‘Those charged with governance’ is a cumbersome phrase, and there is no abbreviation for it, unfortunately. The idea of communicating with those charged with governance rather than management is relatively new, and the idea of communicating different matters to those charged with governance and management is still confusing for some auditors. It would all be much simpler if those charged with governance and management were the same people. Sometimes, they still are. But even in smaller entities, there have always been directors who do not take part in the day-to-day running of the business. To an extent, auditors used to ignore them provided nothing was amiss, but that is no longer possible. The corporate scandals of the last 50 years that have led to modern notions of corporate governance mean that auditors must clearly distinguish between management and those charged with governance. The UK and the US have retained the idea of a unitary board with executive and nonexecutive directors, and combined oversight and management functions, i.e. a single group of people runs the company in all respects. However, attempts to reduce the inherent conflicts of interest that a unitary board embodies, such as directors deciding on their own remuneration, have slowly gained traction as nomination, remuneration and audit committees have become the norm. Executive and non-executive directors now have clearly different roles. All of this has diluted the sense that management is fully ‘in charge’. While some supporters of the Anglo-American business model shudder at the thought of European-style oversight of management by supervisory boards with their ‘workers’ representatives’ among others, it is probably fair to say that awareness of this ‘other’ way of doing things has had an effect. Communicating with all of these ‘other people’ is here to stay. Unfortunately, there is little or no guidance on how to apply these requirements to smaller audits but they do apply to smaller audits, even where ‘management’ and ‘those charged with governance’ are one and the same person.

c07.indd 121

3/18/2014 7:17:26 AM

Core Auditing Standards for Practitioners

122

Communication with Those Charged with Governance in Smaller Entities Athens Contracts Athens Contracts is a company with three directors, two of whom are executive directors. They are also shareholders with the following holdings: Shareholding

Status

Mr A

60%

Non-executive director

Mr B

20%

Full-time executive director

Mr C

20%

Full-time executive director

Before the audit commences, the auditors of Athens Contracts are told by Mr B and Mr C about a restructuring that has taken place. A new company has been established, Tunis Contracts, which is taking over one part of the business of Athens. Mr B and Mr C are the directors and shareholders of this company and Mr A has no involvement. All of the auditors’ day-to-day communications are with the management of Athens Contracts, namely Mr B and Mr C. The auditors have never met Mr A. Mr B and Mr C make various representations during the audit about the transfer of assets from Athens Contracts to Tunis Contracts. The restructure is in fact a fraud by Mr B and Mr C on Mr A. The auditors of Athens Contracts should ask for written confirmation of Mr B and Mr C’s oral representations about the restructuring and a copy of the representation letter should go to Mr A in his role as one of those charged with governance. The communication of deficiencies in internal controls, which is still commonly known as the management letter, should also include significant matters discussed with management, such as those concerning the restructuring. This communication is made to those charged with governance as well as management. In this instance, if the auditors fail to do any of this, they may miss the fraud. Auditors’ communications are frequently with management, but even in smaller entities there are often those charged with governance who are not part of management and such frauds are, unfortunately, not uncommon. This example also illustrates the need for auditors to consider how the necessary communications with those charged with governance are made. Auditors need to consider whether the various written communications are being appropriately distributed and whether they should send a copy of the representation and management letters directly to Mr A themselves.

c07.indd 122

3/18/2014 7:17:26 AM



Section 7 – Communications with Those Charged with Governance

123

7.1.2  What needs to be communicated: matters of governance interest The management letter used to comprise a few observations about accounting policies and how the audit went, together with a list of internal control problems, what was going wrong or what might go wrong as a result, and what had to, or might, be done about it. It still does, but now there is more. The role of audit committees and the requirements of … Smaller entities may well corporate governance codes have expanded fail to appreciate the sig­ in recent years and Figure  7.1 shows that nificance of the difference communications with those charged with between management and governance are now about matters of governance interest which include: those charged with govern­ ance, and they are likely to be • the auditors’ responsibilities; irritated if they believe that they are paying for two letters • the scope of the audit; from auditors, setting out • independence, and in particular the more or less the same thing, threats arising from the provision of nonparticularly when the content audit services; is not news, or appears to be • significant findings from the audit; boilerplate. • the financial reporting process. 7.1.3  Communications with smaller audited entities: avoiding irritation Smaller entities may well fail to appreciate the significance of the difference between management and those charged with governance, and they are likely to be irritated if they believe that they are paying for two letters from auditors, setting out more or less

The auditors’ responsibilities

The financial reporting process

Matters of governance interest

Significant audit findings

The scope of the audit

Independence and non-audit services

Figure 7.1

c07.indd 123

3/18/2014 7:17:26 AM

124

Core Auditing Standards for Practitioners

the same thing, particularly when the content is not news, or appears to be boilerplate. Understanding the requirements, and in particular what needs to be communicated in writing, what can be discussed and how it can be documented helps auditors minimise duplication and avoids boilerplate letters. … a number of provisions permit discussions in the place of written communications … there are specific require­ ments for auditors to document these communications even if a formal letter is not sent, which means that oral communications do not really exist at all …

There are a number of provisions in ISAs 260 on communications with those charged with governance and ISA 265 on communicating significant deficiencies1 that permit discussions in the place of written communications. Unfortunately, there are specific requirements for auditors to document these communications even if a formal letter is not sent, which means that oral communications do not really exist at all for the purposes of compliance with the ISAs, despite the fact that they appear to permit them.

In practice, auditors tend to produce and send written communications to those charged with governance. Whilst there are circumstances where oral communications are acceptable, a written communication has advantages: • if auditors have to write down everything they have said to comply with the documentation requirements of ISA 260, then they might as well just write it down and send it in the form of a letter; • there is less scope for misunderstandings if communications are written; • auditors may have more confidence that they have communicated to all of those charged with governance, rather than just those who were present at a meeting; • the entity might appreciate the benefit of receiving written communications. Other requirements that worry practitioners relate to: • documenting the two-way communication process, especially management’s response; • documenting the response in relation to unadjusted errors. 7.1.4  Issues for standard-setters and regulators Standard-setters have tried, not very successfully, to make life easier for auditors of smaller entities by permitting oral communications instead of formal written communications in some cases. However, they have yet to find a way of doing so without requiring documentation, which for many practitioners renders the provisions redundant.

1

c07.indd 124

ISA 260. Communication with Those Charged with Governance and ISA 265, Communicating Deficiencies in Internal Control to Those Charged with Governance and Management.

3/18/2014 7:17:26 AM



Section 7 – Communications with Those Charged with Governance

125

Requirements for communications seem to be … Requirements for communi­ an attempt to help auditors and audited entities face difficult issues together. If the ISAs cations seem to be an attempt require a matter to be communicated, neither to help auditors and audited the entity nor the auditor can avoid the issue, entities face difficult issues and it is the job of regulators to make sure together. If the ISAs require a that auditors have not avoided important matter to be communicated, issues. Human nature dictates that auditors neither the entity nor the audiand the entities that they audit will seek to tor can avoid the issue … communicate on matters within their comfort zones. One area that auditors do seem to forget about is the need to communicate threats to independence and the safeguards applied, possibly because this is a relatively new area, although it seems that regulators do not always rigorously enforce these requirements. Communications with those charged with governance are changing. At the moment these changes only affect the audits of listed entities and/or those with complex corporate governance arrangements. The UK has made changes to auditor reporting already and it is proposed that similar changes are made internationally. For listed entities, auditors are required to communicate ‘key audit matters’ in the audit report, and in all cases these are likely to be a selection of matters communicated with those charged with governance.2 Key audit matters are not necessarily all of the matters discussed with those charged with governance, but firms are likely to have to justify excluding from the audit report anything they have discussed with audit committees. 7.2 What the Regulators Say 7.2.1 AQRT A recent AQRT3 report on audit inspections states that reports to audit committees are often acceptable, sometimes good and generally made on a timely basis. However, it notes the need for significant improvement in communicating threats to independence and safeguards surrounding non-audit services. These comments refer to the requirements regarding listed entities. Other deficiencies included inadequate reporting of audit findings and inconsistencies and omissions in the reporting of significant risks. The report states that the AQRT expects firms to make further improvements in their quality control processes over audit committee reporting to ensure the standard of reporting is more consistent in the future. 7.2.2  Other regulators Other regulators observe the need for better reporting to those charged with governance of significant matters such as going concern risks, fraud risks, impairment issues and other judgemental areas such as estimates. 2 3

c07.indd 125

www.frc.org.uk and www.ifac.org. Audit Quality Review Team of the FRC, formerly the Audit Inspection Unit (AIU)—inspects listed and other public interest audits in the UK. Audit Quality Inspections 2011/2012 www .frc.org.uk.

3/18/2014 7:17:26 AM

126

Core Auditing Standards for Practitioners

7.2.3  IAASB’s ISA Implementation Monitoring project Part of the IAASB’s ISA Implementation monitoring project involved a survey of 43 audit committee members from Australia, Brazil, the Netherlands and South Africa about communications between auditors and those charged with governance.4 A report on the project notes that participating entities included listed and unlisted entities, private entities, public sector bodies and not-for-profit entities. The audit committees that participated reported no significant problems concerning the implementation of the relevant standards. Most respondents agreed that communications about auditor responsibilities, the planned scope and timing of the audit and significant findings ranged from ‘adequate’ to ‘useful’, and were relevant and timely. A few noted that weaknesses in internal control were either under or over-reported. Despite this, the report goes on to state that there is a need for auditors to be required to communicate how professional scepticism has been applied to those charged with governance. This probably reflects the desires of regulators as well as audit committees. In the context of SMEs where those charged with governance and management are the same people, the IAASB report suggests that the level of required communication may be excessive. 7.3 What Practitioners Say The required communications in engagement and representation letters about the ‘preconditions’ of an audit and the ‘premise’ on which an audit is conducted, including management’s responsibility for the financial statements, can seem hard work, particularly for smaller entities. It is hard to see them as anything other than boilerplate that many smaller entities never read, do not understand, and probably think of as wrong in principle in any case in jurisdictions in which auditors routinely provide accountancy services. For larger entities, the wording required is probably more useful and serves an educational purpose, but it is important in these cases that the firm makes sure that it keeps its standard documentation up to date, and tailors it properly to fit the entity’s circumstances. 7.4 What the Standard Says 7.4.1  Who are those charged with governance? Paragraph 10 of ISA 260 states that those charged with governance are those with responsibility for overseeing the strategic direction of the entity and its obligations regarding accountability, which include the financial reporting process and the preparation of the financial statements. 4

c07.indd 126

The Clarified ISAs—Findings from the Post-Implementation Review. A three-year project designed to assess the effects of clarified ISA implementation www.ifac.org.

3/18/2014 7:17:26 AM



Section 7 – Communications with Those Charged with Governance

127

Reminding Management and Those Charged with Governance about Their Responsibilities Vienna Philanthropic Foundation The trustees of the Vienna Philanthropic Foundation have identified that there has been a fraud. The CEO of the foundation has been diverting funds into his own private bank account. There is evidence that this has been happening for the past six years and that the sums are substantial. The trustees were shocked by the discovery and have started to ask questions about why the auditors failed in their responsibility to detect this fraud. Have the auditors done anything wrong? In terms of the audit not detecting the fraud, the auditors may have done little or nothing wrong. Frauds perpetrated by management are very difficult to detect, particularly if the internal controls are weak. However, there are certain important things the auditors should have done regarding the risk of fraud in general: • they should have reminded the trustees, every year, in their capacity as those charged with governance, of their responsibilities regarding the prevention and detection of fraud. The trustees of the Vienna Philanthropic Trust may not have understood this as they appear to assume that the purpose of audit is to detect fraud. Preventing and detecting fraud is the job of management and those charged with governance; • they should have asked the trustees about actual or suspected fraud and what prevention measures are in place; • the auditors should also have ensured that any oral representations from the CEO were put into writing and that a copy of the representation letter was sent to the trustees; • if the auditors detected weak internal controls that could have done more to prevent fraud, it should have been reported to those charged with governance. Even if the trustees had been dismissive of this on the grounds that Vienna is a philanthropic foundation and does not have the resources for sophisticated internal controls, the auditors should have persisted in reporting this and in explaining why internal control is important; • in written communications to the trustees, the auditors should have made it clear that they do not report on internal controls and that an audit has limitations with regard to fraud detection. The trustees should not be complacent about fraud because the foundation’s financial statements are subject to audit. If the auditors failed to communicate any of these matters clearly on a timely basis, then they could be open to criticism from their own regulators. It is always important for the auditors to take their responsibilities to communicate these matters seriously. Communications should be clear and made on a timely basis. However, clear communications do not always prevent misunderstandings, particularly when what is being communicated is unwelcome. Clear communications might also help protect auditors in the event of legal action against them, and will help demonstrate that they approached the audit of fraud appropriately.

c07.indd 127

3/18/2014 7:17:26 AM

128

Core Auditing Standards for Practitioners

Governance is usually a collective responsibility of a governing body such as a board of directors or trustees, a managing board of partners, a supervisory board, a management committee, council of governors or similar. The UK version of the ISA notes that in the UK and Ireland, those charged with governance include executive and non-executive directors and members of any audit committee. For entities that are not companies, the equivalents might be partners, proprietors, governors, members of a management committee or trustees. The UK version also notes that those charged with governance are responsible for the preparation of the financial statements and that management does not normally include non-executive directors. … Those charged with govern­ ance therefore include those responsible for approving the financial statements, regard­ less of who they actually are and how they are described, and regardless of who actu­ ally prepares the financial statements …

Those charged with governance therefore include those responsible for approving the financial statements, regardless of who they actually are and how they are described, and regardless of who actually prepares the financial statements. In practice, auditors may communicate on a day-to-day basis with a sub-group of those charged with governance, such as an audit committee, and report in summary to the main body charged with governance, such as the main board.

Management and those charged with governance are often the same people in smaller entities. Much of what needs to be reported to those charged with governance must also be reported to management, and several requirements of ISA 260 do not apply if all of those charged with governance are involved in managing the entity. However, while there is often a substantial degree of overlap, there are sometimes directors who hold the position in name only. Those directors, sometimes family members, may be surprised to learn that they have any real responsibilities regarding the company. They may object to being provided with information, particularly financial information that they struggle to understand and statements to the effect that they do have quite substantial responsibilities. Keeping a family member out of the day-to-day running of the business can be important to management. The proper course of action in such cases is of course to remove the individual concerned as a director. While this is often much easier said than done, the issue cannot be avoided. Paragraph A37-1 of the UK version of the ISA states that auditors discuss issues with those charged with governance in a manner designed to help ensure that implications are likely to be ‘fully comprehended by them’. ‘Two-way communication’  ISA 260 requires auditors of entities of all sizes to promote effective two-way communication. In the vast majority of cases, particularly with smaller entities, most of the information communicated is one way – from auditors to those charged with governance. The developments in corporate governance in recent years mean that two-way communication is no longer a formality, certainly for larger entities. Auditors are

c07.indd 128

3/18/2014 7:17:26 AM



Section 7 – Communications with Those Charged with Governance

129

required to establish a constructive working relationship, to help them with the information they need for the audit, and to help those charged with governance fulfil their responsibilities. Conveying this notion to some smaller entities can be a tall order. The good news is that auditors do not necessarily require much from smaller entities. Management and those charged with governance will often be very willing to accept guidance from their auditors. However, problems arise if the response to a management letter is non-existent or inadequate, or the entity is dismissive of unadjusted errors found by the auditor. In all such cases, auditors should remind the entity of the requirement for two-way communication. If an entity continues to fail to respond in an appropriate manner, auditors should at the very least consider this in their risk assessment and some thought might be given to the wisdom of accepting reappointment. ISA 260 recognises a natural reluctance on the part of all concerned to communicate difficult issues. Management, as well as auditors, has a responsibility to communicate matters of governance interest to those charged with governance. Communications by auditors do not relieve management of their responsibility, or vice versa, but there is no need to repeat excessive amounts of detail because the ISA recognises that communication of matters by management may affect the ‘form or timing’ of communications. Auditors are required to evaluate whether the two-way communication has been adequate for audit purposes. The willingness, ability and extent to which those charged with governance respond to matters raised by auditors is relevant to this evaluation. Poor two-way communications may indicate a weak control environment. Auditors of smaller entities do not really need to be told that clients who never return letters or calls are more trouble than they’re worth. But having a requirement to promote two-way communication gives auditors the ammunition they need to jolly along those charged with governance or management when they are being awkward, or to part company if need be. How can auditors document the adequacy of this process? Simple observations about the entity’s responsiveness to queries and communications will generally suffice unless management and those charged with governance are particularly uncommunicative. If this is the case, auditors may need to document how they have compensated for that, perhaps by means of a new engagement letter or a reminder of one, for example, together with a discussion with the entity about its responsibilities. 7.4.2  What gets communicated? Communications to audit committees subsequently included in the audit report  What gets communicated matters a great deal more now than it used to. Going forward, the auditors of listed entities will be required to communicate ‘key audit matters’ in the audit report, i.e. those that were of most significance in the audit of the financial statements. These are likely to be a selection of matters communicated to those charged with governance and auditors will have to justify including or excluding matters reported to the audit committee in the audit report. In the UK, reporting requirements along these lines are already in place.

c07.indd 129

3/18/2014 7:17:26 AM

130

Core Auditing Standards for Practitioners

Despite the reporting requirements being restricted to listed entities, the effect of these changes is not limited to listed entities. Proposals at the time of writing are likely to require all auditors to discuss with those charged with governance: • significant risks identified by auditors and the response thereto; • significant transactions outside the entity’s normal course of business or transactions that otherwise appear to be unusual, the auditors’ understanding of their business rationale and the audit approach. Communicating the planned scope and timing of the audit and significant findings  The main matters to be communicated to those charged with governance that are most likely to change year-on-year are: • auditor responsibilities and the planned scope and timing of the audit; • significant findings from the audit. Auditor responsibilities and the planned scope and timing of the audit  The engagement letter usually communicates auditor responsibilities. It might draw attention to the fact that auditors are not required to perform procedures specifically for the benefit of those charged with governance. The engagement letter is addressed to management, those charged with governance, or both, depending on who is responsible for the financial statements. For example, an engagement letter to a UK company would typically be addressed to the directors. Audit committees in larger entities have a more substantial role to play than they once did in the approval and management of non-audit services provided by the  auditors and the liaison between internal and external auditors. An overview of the planned scope and timing of the audit in general terms should not compromise the effectiveness of audit procedures, provided they remain sufficiently unpredictable. Matters communicated on larger audits might include an overview of the intended approach to significant risks, internal control and materiality. To the extent that this information will now end up in the audit report for listed entities, the auditors of such e­ ntities will be looking at how they word these written communications very carefully indeed. As with other matters covered in engagement letters, it is not necessary to re-communicate the same matters every year if nothing has changed. It is important, though, to consider if anything has changed and, even if not, whether the entity needs to be told that, or whether any sort of reminder about who is responsible for the preparation of the financial statements is needed. For larger audits, other planning matters might cover co-operation with internal auditors, the entity’s objectives, strategies and business risks, communications with regulators and internal control. A comprehensive annual written communication for larger entities may be necessary.

c07.indd 130

3/18/2014 7:17:26 AM



Section 7 – Communications with Those Charged with Governance

131

Practicalities When Those Charged with Governance are All Involved in Management Ankara Recruitment Ankara Recruitment is an owner-managed business. All shareholders are involved with the management of the company, so those charged with governance are the same as management. The auditors are still required to communicate the planned scope and timings of the audit. Too much information on the scope of the audit might be counter-productive because Ankara is owner-managed. Giving lots of detail might make it possible from management to conceal fraud more easily because they know what the auditors intend to do, and the fraud can be designed around the testing. The auditors of Ankara might approach the required communications as follows: • the engagement letter sets out the scope of the audit including, for example, generalities about materiality, risk assessment and sampling; • the auditors review the engagement letter each year to ensure that it is still current. If it is not, a new signed engagement letter is obtained. In general, the engagement letter might only need to be updated once every three years, say; • just before Ankara’s year-end the auditors send what they call a ‘scoping letter’. This reminds management that the engagement letter contains details about the scope of the audit and that nothing has changed since the previous year. It also sets out administrative details such as: –– when the fieldwork and completion will take place; –– who will be on the audit team; –– the audit fee and details of when it is payable; –– what information will be needed, such as suppliers’ statements and payroll records; • at the end of the audit all important issues are discussed with management. These are reflected in a final written management letter and management is encouraged to respond.

Audit committees are expected to consider whether the letter has been updated to reflect changes since the previous year. Communicating significant findings from the audit  The wording of communications on significant findings is another area likely to keep auditors awake at night because the issues covered may ultimately appear in the audit report. From a purely practical point of view, a discussion of significant findings is important to make sure that auditors have their facts straight. Figure 7.2 summarises significant findings which include: • significant qualitative aspects of the entity’s accounting practices, including accounting policies, estimates and disclosures, and an explanation where relevant of why a

c07.indd 131

3/18/2014 7:17:26 AM

132

Core Auditing Standards for Practitioners

practice that might be acceptable under the accounting framework might not be the most appropriate; • significant difficulties encountered during the audit including: –– financial information that is to be subject to audit being delayed; –– a short time to finish the audit; –– unexpected difficulties in obtaining evidence and/or unavailable evidence; –– restrictions imposed by management; • unless all of those charged with governance are also management: –– significant matters discussed with management including business issues affecting the risk of material misstatement and the appointment of the firm (including fees, auditing or accounting matters and discussions with other firms); –– written representations requested of management; • other significant matters such as inconsistencies between the financial statements and other information in the annual report. For auditors of smaller entities, there may well be no significant findings with the exception of the written representations requested. Even where no statement needs to be made regarding the absence of significant findings on the grounds that all of those charged with governance are also involved in management, as in so many other areas, a written statement to the effect that there are no significant findings is probably prudent in some cases. It is generally acceptable to discuss matters with management before communicating them to those charged with governance, not least to ensure that they are right. However, in some areas, such as significant difficulties arising during the audit, this may not be appropriate, where management is the significant difficulty. Where management and those charged with governance are at odds with each other, as they are from time to time in more formally governed businesses and families alike, auditors need to be tactful. While some of these issues can be discussed after the event, it may be more appropriate to communicate some of the issues before the financial statements are approved. Listed entities and additional UK requirements: threats to independence, safeguards and reporting under the UK Corporate Governance Code  Increasingly, auditing standards have additional requirements for listed entities and more distinctions of this type seem likely in the future. In the UK, auditors of listed entities are required to make an additional statement that the firm, network and engagement team have complied with independence requirements, and to disclose all relationships that might reasonably be thought to have a bearing on independence, together with related safeguards. Paragraph 16-1 of the UK version of the ISA also imposes additional reporting responsibilities for entities reporting under the UK Corporate Governance Code (mostly listed entities). This includes ‘information relevant to’: • the board’s responsibility to prepare a fair, balanced and understandable annual report and the audit committee’s responsibility to advise on this;

c07.indd 132

3/18/2014 7:17:26 AM



Section 7 – Communications with Those Charged with Governance

133

Delayed information Qualitative aspects of accounting practices Short time to complete the audit Audit difficulties ... Difficulties in obtaining evidence

Restrictions imposed by management

Significant findings

Unless all of those charged with governance are also management ... Other significant matters

Significant matters discussed with management Written representations requested of management

Figure 7.2

• board and audit committee responsibilities to conduct annual risk assessments, monitor the integrity of the financial statements and review internal financial controls, for example. Relevant information here means the auditors’ ‘views’ about: • business risks relevant to financial reporting, materiality and their implications for the audit; • significant accounting policies; • management’s valuations and disclosures of material assets and liabilities; • the effectiveness of the entity’s system of internal control relevant to financial reporting and other risks coming to the auditors’ attention during the audit.

c07.indd 133

3/18/2014 7:17:26 AM

134

Core Auditing Standards for Practitioners

Other matters requiring communication  There are currently 15 other specific communication requirements in other ISAs listed in the appendix to ISA 260, such as the requirement to communicate any unreasonable management refusal to allow auditors to send confirmation requests, matters casting significant doubt on an entity’s going concern status and non-compliance with laws or regulations. ISA 4505 includes a requirement to identify material uncorrected misstatements individually, and a requirement for auditors to request that management corrects all uncorrected misstatements (a total can be given). The requirement in paragraph 12 of ISA 450 to communicate these uncorrected misstatements and the effect that they may have on the audit opinion worries auditors. What are auditors supposed to do when management and those charged with governance simply refuse to correct immaterial errors, as they so often do? Probably very little, but the application material suggests that auditors ‘may discuss with those charged with governance the reasons for, and the implications of a failure to correct misstatements’. It boils down to whether individually immaterial misstatements could lead to a material one and whether the refusal amounts to a problem in the control environment, both of which are judgements that auditors often do not want to make, but which they must make and document. A practical issue arises for auditors who have assisted in the preparation of the financial statements. When preparing the financial statements, the auditors might identify immaterial errors that are not trivial. When these errors are discussed with management during the financial statement preparation process, as auditors they should not agree that such errors do not require adjustment. Auditors are required to encourage management to adjust for all non-trivial errors, even if not doing so would not result in a modified audit opinion. In any case, accountants tend to like the financial statements to be as accurate as practicable. Auditors assisting with the preparation of the financial statements will adjust the financial statements for all errors found. This means that where accountancy services are provided by auditors, there may be no unadjusted errors to report other than extrapolated errors resulting from sampling. 7.4.3  What has to be in writing The crux of the communications issue is what needs to be in writing. Auditors should discuss how, when and what they are going to communicate with management and those charged with governance at the outset. If they do not wish to discuss this, auditors need to set that fact out in writing anyway. On the face of it, only the following need to be in writing: • significant audit findings; • the independence statement for listed entities; • anything for which oral communication would be inadequate.

5

c07.indd 134

ISA 450, Evaluation of Misstatements Identified During the Audit.

3/18/2014 7:17:26 AM



Section 7 – Communications with Those Charged with Governance

135

For an unlisted entity with no significant audit findings, this is straightforward except for the decision as to whether there is anything ‘for which oral communication would be inadequate’. Oral communications are therefore acceptable provided they are not about significant issues. Unfortunately, anything communicated orally needs to be recorded in writing and, as noted above, auditors need to consider whether they communicate the fact that nothing is to be communicated, and whether they do so in writing. Smaller entities may not think it worthwhile for their auditors to be in touch with them about audit matters on a regular basis, and might prefer a single communication at the end of the audit. But auditors have to consider whether anything significant needs dealing with immediately rather than at the end of the audit. Some auditors are concerned that what is put in writing to those charged with governance could be used against them in legal actions. They may therefore attempt to restrict the distribution of written communications and include caveats to the effect that communications have been prepared for the sole use of the entity and should not be relied on by third parties, and disclaimers to the effect that no responsibility is assumed to third parties. Table 7.1 summarises matters to be communicated.

Table 7.1 Matters to be communicated

All entities

Listed entities

Via

Auditor responsibilities

✓

✓

Engagement letter

Planned scope and timing of audit

✓

✓

Engagement letter

Statement of independence

×

✓

Engagement letter

Significant audit findings

✓

✓

‘Management letter’

Including

1.  Views on qualitative aspects of accounting 2.  Significant difficulties Unless all of those charged with governance are management: 3.  Significant matters discussed with management 4.  Written representations requested

c07.indd 135

3/18/2014 7:17:27 AM

136

Core Auditing Standards for Practitioners

7.4.4  ISA 265: Communicating deficiencies in internal control There is now a separate ISA on communicating deficiencies in internal control. There is also increasing recognition that in many smaller audits it is difficult for auditors to extract much value from the work they are required to perform on the design and implementation of controls, because those controls often cannot or are not tested in any meaningful way. A substantive approach is still taken in many cases. Nevertheless, auditors do detect deficiencies in internal control in the early risk assessment stage of the audit, as well as at later stages, and ISA 265 introduced some new requirements. When is a deficiency a significant deficiency?  A deficiency is a control that is missing, or one designed, implemented or operated such that that it fails to prevent, detect or correct misstatements. A significant deficiency is one or more deficiencies that auditors consider important enough to be brought to the attention of those charged with governance. Auditors must communicate significant deficiencies to those charged with governance. This rather unhelpful, circular line of thought leaves it to the auditors’ judgement to decide what might be significant because there is no definition of the word ‘significant’.6 In most cases, a significant deficiency will not have led to a material misstatement, but it may well have the potential to do so. Good internal control systems are designed to prevent reliance on a single control, and particularly to prevent reliance on the actions of a single individual. Any system that is not designed that way is likely to have significant deficiencies. Controls are normally structured so that if one fails, another one catches it, such as the failure to check that an invoice adds up being caught by a review of invoices before they go out. The issue is not straightforward with some smaller entities. If the control system consists of the day-to-day involvement of the owner-manager in the running of the business – combined with controls in a basic accounting package and a few informal checks performed by a part-time bookkeeper – is the system deficient? If so, do the deficiencies warrant the attention of those charged with governance, the owner-manager and his wife? The risk of material misstatement may be substantial but it may never happen because the owner-manager is diligent. Is it worth a new auditor bringing the issue to their attention? If there is scope for significant errors in the financial statements or misappropriation of business assets then the answer has to be yes! Indicators of significant deficiencies referred to in the ISA include: • a poor control environment or risk assessment process; • management fraud; 6

c07.indd 136

ISAs are peppered with the words ‘significant’, ‘significantly’ and ‘significance’. Terms such as ‘significant component’ and ‘significant risk’ are defined in the Glossary of Terms, as well as the word ‘significance’ – ‘the relative importance of a matter taken in context’ – but the term ‘significant’ itself is not defined.

3/18/2014 7:17:27 AM



Section 7 – Communications with Those Charged with Governance

137

• misstatements detected in the first instance by auditors; • a failure to correct highlighted weaknesses. Common sense factors to take into account when deciding whether a deficiency is significant include: • the size of potential errors arising from the deficiency; • how likely it is to occur; • the strength of associated controls, particularly monitoring controls; • whether the matter has been or should be reported to a regulator, or has been picked up by a regulator. Communicating deficiencies and previously communicated deficiencies  Significant deficiencies must be communicated in writing on a timely basis to those charged with governance. They must also be communicated to management, provided of course they do not relate to management. The communication to management might not necessarily be in writing. Non-significant deficiencies are also reported to management if they have not already been reported by others, such as internal audit or regulators for example. ‘On a timely basis’ means sooner rather than later and orally in the first instance where necessary to facilitate correction, but the final decision on whether to fix deficiencies remains, as it always has done, with management and those charged with governance. As before, repeating uncorrected deficiencies may also be necessary year after year, but auditors do need to ask themselves why management is not correcting them, particularly where previous responses have been to the effect that it is not practicable or ­economically viable to improve internal controls. If the issue is one of cost, as it often is, and there is nothing to compensate for the deficiency, repetition may be necessary even though it may irritate management. Auditors might decide to cross-refer to previous management letters when reporting deficiencies previously reported. Content of communications  Even if there are no significant deficiencies, there really is no alternative to sending a management letter because without it – or at least a note on file recoding a conversation, which is probably just as time consuming – there is no evidence that deficiencies have been considered and communicated. Management letters have not changed much over the years, apart from getting a little longer, perhaps. They generally contain: • standard caveats, including a statement that the audit is not designed to identify deficiencies and that what is reported is what has arisen during the audit; • other required communications in ISA 260; • a description of deficiencies, potential consequences, management’s response and whether auditors have verified it. Note that care should be taken where auditors choose to go further than this and make recommendations to improve deficient internal controls. This is not strictly part of

c07.indd 137

3/18/2014 7:17:27 AM

138

Core Auditing Standards for Practitioners

their responsibilities. Auditors should focus on how an internal control is deficient and what the consequences are. Designing internal controls is not part of this and it might be argued that there are possible ethical issues to consider where auditors are making recommendations on internal controls that they will audit in future years. Nevertheless, auditors are in a good position to make recommendations because of their training and experience in different businesses. Auditors may make recommendations but they should make it clear that it is not their responsibility to do so and consider carefully whether any safeguards are needed to cover threats to independence that may arise. Integrated audits  Confusion sometimes arises in relation to integrated audits conducted in the USA, and on non-US subsidiaries of US parents. Auditors of SEC registrants are required to conduct such audits under standards set by the Public Company Accounting Oversight Board (PCAOB). These audits involve an opinion on internal control effectiveness, as well as an opinion on the financial statements. ISA audits do not require this. ISA 265 deals with significant deficiencies in internal control. PCAOB standards deal with material deficiencies and significant weaknesses. 7.4.5  ISA 210 Engagement letters It is a requirement of ISA 2107 for auditors to obtain either an engagement letter or a similar written contract. The engagement letter will include the following: • the objective and scope of the audit; • the respective responsibilities of auditors and management; • the accounting basis under which the financial statements will be prepared; • details regarding the form and content of the audit report. Most audit firms use a bank of model engagement letters. These can be produced inhouse but many firms purchase these from professional bodies, training organisations or publishers. Subsequent periods  A very important issue, in practice, is how often engagement letters need to be updated. ISA 210 recognises that where nothing has changed in subsequent periods, auditors should consider whether a new letter is needed, whether to remind the entity of the existing terms or whether to let the existing letter stand. The ISA does not specify how long a letter can be relied on in situations where nothing changes from year to year. However, the application material does suggest some factors auditors might take into account when considering whether to update an engagement letter: • are there signs that the entity has misunderstood the scope and objective of the audit? • have the terms of the engagement changed in any way? • have there been changes of personal in senior management? • have there been any significant changes in ownership? 7

c07.indd 138

ISA 210, Agreeing the Terms of Audit Engagements.

3/18/2014 7:17:27 AM



Section 7 – Communications with Those Charged with Governance

139

• has the nature or size of entity changed significantly? • have there been changes in legislation, regulations or other reporting requirements? • has the accounting framework changed? Even if nothing has changed, as a rule of thumb it is worth considering updating the engagement letter every third year. If nothing else, it is an opportunity to remind management of the terms of the appointment. 7.4.6  Representation letters It is a requirement of ISA 5808 on representation letters that auditors obtain written representations from management. Broadly, a representation letter will include: • representations specifically required by ISA 580; • representations required by other ISAs, such as the ISA on laws and regulations, related parties and fraud; • written representations to back up any significant oral representations, such as the expected outcome of litigation. As with model engagement letters, many audit firms purchase model letters of representation from external suppliers. Unlike engagement letters, a great deal of tailoring is required for a representation letter to reflect the representations made during that particular audit. How reliable are written representations?  Auditors have historically been accused of placing too much reliance on written representations. Auditors should not rely upon significant management representations without appropriate corroborative evidence. The ISA specifically states that written representations do not constitute audit evidence on their own. That said, whilst written representations do not provide conclusive audit evidence, not having them is a real worry for auditors. If management refuse to put representations in writing, auditors need to respond robustly. What if management refuses to make representations requested by auditors?  Sometimes management refuse to make key written representations to the effect that: • management takes responsibility for the preparation of the financial statements and they have fulfilled that responsibility; • they have provided the auditors with all necessary information and explanations; • all transactions have been recorded and reflected in the financial statements.

8

c07.indd 139

ISA 580, Written Representations.

3/18/2014 7:17:27 AM

140

Core Auditing Standards for Practitioners

In these circumstances, the auditors start by discussing the matter with management. They would then need to reconsider their assessment of management’s integrity and reappraise the value of other representations given. Ultimately, auditors need to consider modifying the audit report and might want to think very carefully before accepting reappointment. If management really does not accept responsibility for the preparation of the financial statements, then the preconditions for re-accepting appointment are not present. Does the representation letter have to be on the entity’s letterhead?  In the past there have been a number of different approaches adopted to drafting representation letters. The three most popular approaches are: • drafting the letter on the entity’s own letterhead; • using a blank piece of paper, but addressing the letter to the auditors from management; • the auditors draft a letter from them to management setting out the representations that have been made. The last option is no longer permitted by ISAs as ISA 580 specifically requires the letter to be addressed to the auditors. The second option might be acceptable. However, the communication has to be from the entity to the auditors and most entities are required to include certain details on all written communications such as the entity’s name, company number, place of incorporation and the address of its registered office. Clearly the representation letter has to comply with this, like any other communication, so in practice it is virtually always best for the representation letter to be on the entity’s letterhead.

c07.indd 140

3/18/2014 7:17:27 AM

8

Group Audits 8.1 The Issues

Group audits have never been easy. Recent changes to ISAs have not made them any easier. Rising audit exemption levels, particularly in Europe, mean that more work must now performed on audit-exempt subsidiaries and other components. On the other hand, there are many jurisdictions in emerging economies which are imposing statutory audit requirements in accordance with ISAs for the first time, and the increasing use of ISAs globally is levelling the playing field, and making life somewhat easier for auditors of groups with foreign components. The issues for audit teams who audit all of the components in a group themselves are generally fairly straightforward. This happy situation is, unfortunately, largely confined to the simplest of groups within one jurisdiction. For a whole raft of commercial, technical and political reasons, and simple accidents of history, most groups of any size tend to involve more than one auditor. ISA 6001 was revised some time ago but auditors all over the world are still struggling to get to grips with the new requirements. Many jurisdictions implemented the revised ISA 600 alongside all of the other clarified ISAs.2 Unfortunately, the significance of the … ISA 600 was revised some revisions were not always fully appreciated time ago but auditors all over and were sometimes lost in the sheer volume the world are still struggling of what were essentially structural changes to get to grips with the new that ‘clarified’ the auditors’ responsibilities requirements … rather than making substantive changes.

The Main Changes to Group Audit Requirements The main changes that have caused auditors to change what they do on group audits involve requirements: • for group auditors to understand the component auditors, to be involved in their work, to evaluate the adequacy of their work and to communicate with them; • distinguishing between significant and non-significant components, and outlining the type of work to be performed in each case. This process, often referred to as scoping, has become central to group audits.

1

2

c08.indd 141

ISA 600, Special Considerations—Audits of Group Financial Statements (Including the Work of Component Auditors). Clarified ISAs were introduced in many jurisdictions in 2010 or shortly thereafter.

3/18/2014 8:05:40 AM

142

Core Auditing Standards for Practitioners

While the problems experienced by auditors applying ISA 600 seem to be universal, with real commercial and technical consequences, the former category of changes causes the most difficulties by far. Central to this problem is the fact that subsidiaries are often geographically dispersed and group auditors often need to travel to visit them and their auditors. Add to this the possibility of a language barrier and unfamiliarity with a particular jurisdiction and the audit can become a daunting prospect. 8.1.1  Issues for standard-setters and regulators Few regulators seem to be happy with the way ISA 600 is applied. It seems that auditors sometimes completely fail to get involved in the audit of components as required, or they do get involved but more or less at random. Staff are sent to visit components or their auditors without any clear idea of what they are supposed to be doing. They come away from components without having understood the significance of what they have been told, they fail to make the necessary instructions clear to component auditors, or follow up when component auditors fail to reply to requests, and they fail to review the work of component auditors properly or follow up the risks component auditors identify. These issues are not insignificant! Another key issue for regulators involves components that auditors classify as ‘significant’. The work required in respect of significant components is very different to the work required for non-significant components. Subtle adjustments to how auditors approach the scoping process can make a big difference to audit costs, by effectively scoping components out of full audit requirements. Regulators everywhere have noted the need for auditors to justify their approach. The project to revise ISA 600 was commenced in 2002 and the final standard was issued in July 2007. This is a long time even by IAASB standards, and it is the only ISA in recent years to have been exposed three times, such were the disagreements about it. There was general agreement that auditing practices needed to improve, and recognition of the fact that group audits were performed very inconsistently, but there was little agreement on what changes to make. Strong arguments were made in favour of, and against, ‘bright lines’, for example. Many argued that it was important for group auditors to audit a minimum proportion of a group themselves if they were to sign off on the consolidated financial statements. It was also argued that a ‘significant’ component should be defined as one that constituted a fixed percentage to the group revenues, assets or turnover. Others argued that such ‘bright lines’ would actively encourage the engineering of group structures to meet targets, rather than applying the spirit of the requirements, i.e. for auditors to evaluate whether they are competent and have the resources to do the job and whether components are in fact individually financially significant to a group. One of the main areas of disagreement is now of little consequence but it did take up a lot of IAASB time. ‘Divided responsibility’, permitted in jurisdictions that take the lead from auditing practices in the USA, means that group auditors can effectively absolve themselves of responsibility for those elements of the consolidated financial statements that they did not audit themselves. They effectively disclaim their opinion

c08.indd 142

3/18/2014 8:05:40 AM



Section 8 – Group Audits

143

in that respect in the auditors’ report. There is a fundamental conflict between this approach and the approach taken in Europe, which prohibits divided responsibility and requires group auditors to take responsibility for the full group audit regardless of who actually performs the work. The issue was resolved by requiring the same work on components regardless of whether responsibility is divided. Performance materiality presents many problems to auditors in general. However, in the context of group audits there are interactions with component materiality and requirements for both to be lower than group materiality. These concepts have proved particularly difficult for practitioners to apply. Auditing standard-setters are aware that these areas require some attention. The issue has arisen again recently in the context of discussions about materiality and performance materiality as they apply to disclosures. 8.2  What the Regulators Say 8.2.1 AQRT A recent AQRT3 report notes that even for auditors of listed entities, not all firms have fully recognised the need for change and improvement to group audits. The main issue seems to be a lack of proper involvement in the planning of component audits on the part of group auditors, and in particular a failure to consider the component auditors’ risk assessment, or to be involved in determining the procedures to be performed on significant components. The group auditors’ involvement in the audit of components needs to have a clear purpose and the involvement needs to be documented. Auditors should not make assumptions about the quality of component auditors or their work simply on the basis that they say they have applied ISAs. The same holds true of making assumptions about the quality of work performed based solely on … Group auditors cannot the size of the firm. Group auditors cannot assume that firms of a certain assume that firms of a certain size will persize will perform adequate form adequate audits simply because they audits simply because they are are a global brand. When group auditors a global brand … Large firms are a small local firm and component audisometimes have complex, tors are all larger firms, the dynamics and rigid and impenetrable ways economics of the relationship and communiof doing things even when cations between group and component audiacting as component auditors, tors can be difficult. Large firms sometimes which can be off-putting to have complex, rigid and impenetrable ways of doing things even when acting as composmaller firms acting as group nent auditors, which can be off-putting to auditors … smaller firms acting as group auditors. 3

c08.indd 143

Audit Quality Review Team of the FRC, formerly the Audit Inspection Unit (AIU)—inspects listed and other public interest audits in the UK. Audit Quality Inspections 2011/2012 www.frc.org.uk.

3/18/2014 8:05:40 AM

144

Core Auditing Standards for Practitioners

In relation to larger audits, the AQRT report notes that when reviewing the report on the audit plan submitted by auditors, audit committees should consider whether the report is sufficiently clear about the extent to which group auditors have been involved in component audits. Other issues highlighted in the AQRT report include: • insufficient justification of the assessment of components as significant or non-­ significant, the calculation of materiality and of the procedures performed; • unclear objectives and outcomes of visits to component auditors; • inadequate reviews of component auditors’ work. 8.2.2 QAD A recent QAD report refers pointedly to the fact that ISA 600 is a revised standard, rather than a mere clarification, and to the significance of the changes.4 The QAD has identified the extent of group auditor involvement in subsidiary audits as a risk area for several years. Group auditors need to ensure that their work deals adequately with: • situations in which components are in different jurisdictions applying different accounting and auditing standards; • risks highlighted by component auditors; • the evaluation of component auditors and group auditor involvement in the planning of component audits. While most firms inspected by the QAD are not involved in complex group audits, the QAD finds significant group audit issues in a small number of cases, often related to administration rather than technical matters. 8.2.3  Other regulators A recent Malaysian Auditor Oversight Board Annual Report5 notes that firms are inconsistent in the work they perform on components, that there is a need for more critical evaluation of the work of component auditors, and that insufficient work is sometimes performed on non-significant components. Another report refers to the limited access auditors have to the financial information of some components, principally associated entities, particularly when the associate is listed. The figures audited and consolidated are preliminary figures and the required information is sometimes made available after the event. A recent Australian Securities and Investments Commission Audit Inspection Program Report6 notes instances in which firms should have reviewed their approaches to the 4

5 6

c08.indd 144

The Quality Assurance Department of ICAEW—inspects audits not covered by the AQRT. Audit Monitoring 2011 www.icaew.com. Report dated 2011 www.sc.com.my. Report 317, December 2012, www.asic.gov.au.

3/18/2014 8:05:40 AM



Section 8 – Group Audits

145

reliance on other auditors to ensure that they obtained appropriate independent evidence to support their audit opinions, particularly in the context of business components in emerging markets and interests in joint ventures. It concedes that there are cost implications. Singapore’s Accounting and Corporate Regulatory Authority notes in recent reports of its Practice Monitoring Program7 recurring cases of group auditors failing to evaluate component auditor competence, objectivity or work performed. Group audits are therefore a continuing area of focus. Reports note the need for auditors to understand the laws and regulations of jurisdictions in which significant components operate, and problems caused by a lack of understanding that can sometimes arise when group auditors try to perform audits of components in foreign jurisdictions, in jurisdiction-specific areas such as employment taxes, for example. The regulator suggests that firms might consider involving experts, member network firms, or other suitably experienced component auditors. That said, there are also references in the report to a lack of evaluation of the com­ petence and objectivity of component auditors where they are part of the same network. The competence, objectivity and audit quality of a network member firm should not be taken as read. Reports note: • insufficient evidence of work performed on subsequent events at the component at the date of the audit report; • the absence of reconciliations of differences between foreign GAAP and accounting policies used by other entities within the group; • an expectation that group engagement partners will spend more time on the audit and specifically be more proactive in understanding the group and its components, and component auditors themselves, which will involve more communications with them. Professional scepticism, group audits, revenue recognition and the role of the engagement quality control reviewer were the subject of detailed discussion between The International Forum of Independent Audit Regulators (IFIAR) and the six largest international audit firms, according to its 2012 Summary Report of Inspection Findings. 8.2.4  IAASB’s ISA Implementation Monitoring project A report on IAASB’s ISA implementation monitoring project8 notes extensive concern regarding inconsistencies in the extent of group auditor involvement in the work of components and in the determination of materiality. There are also concerns about the approach to material equity investments, situations in which engagement partners are located far from where the audit work is performed and ‘funds of funds’ audits.

7 8

c08.indd 145

Dated July 2011 and August 2012 www.acra.gov.sg. The Clarified ISAs—Findings from the Post-Implementation Review A three-year project designed to assess the effects of clarified ISA implementation www.ifac.org.

3/18/2014 8:05:40 AM

146

Core Auditing Standards for Practitioners 8.3  What Practitioners Say

Today’s practitioner is far more likely than his or her predecessor to have to deal with group audit issues. Component auditors have to deal with complex and sometimes poorly drafted group audit instructions. Group auditors now have to assess the competence and independence of component auditors and get involved in component risk assessments, as well issue instructions, impose deadlines, get replies and audit (and in some cases perform) the consolidation process. Decisions have to be made about whether to visit components or their auditors, whether to review files and whether to have specific schedules translated. Where big distances, language barriers and unfamiliarity with a jurisdiction are involved, making the wrong decision can be costly. Even within a relatively small space, such as Western Europe, significant logistical problems can arise where there is no common language. Group auditors now tend to perform work at components themselves, rather than relying on work performed by component auditors, which is a change from past practice. This is sometimes because of serious doubts about the independence, competence or diligence of component auditors. Just as often though, the group auditors decide that it is simply easier to do the work themselves, rather than going through the processes involved in relying on component auditor work.

Rely on Component Auditors or Obtain the Evidence Directly? Edinburgh Ltd and Milan Produce Edinburgh Ltd is the parent undertaking in a group of companies that grow and distribute fresh produce around the world. Milan Produce is a 100% owned subsidiary of Edinburgh Ltd. The auditors of Edinburgh Ltd consider Milan to be an individually financially significant component of the group. As such, they require audit evidence for all material areas of the financial statements of Milan Produce. Milan Produce is based in Italy and is an Italian company. It qualifies as a small company in Italy and is eligible for audit exemption, which the directors of Milan take advantage of. The directors of Edinburgh Ltd have told the group auditors that since Milan is audit exempt, they can ignore it. What should the auditors do? Just because Milan Produce is audit exempt in Italy does not mean that it can be ignored for group purposes. As it is an individually financial significant component of the group, it has to be subject to audit for group purposes. One approach the group auditors could take is to request that the directors of Edinburgh Ltd, who control Milan Produce, do not take advantage of audit exemption in Italy. If Milan Produce were subject to audit by an Italian audit firm, the group auditors would then need to go through the processes of understanding Milan Produce, its environment and its auditors, getting involved in their risk assessment and reviewing their work as necessary. This might

c08.indd 146

3/18/2014 8:05:40 AM



Section 8 – Group Audits

147

involve visits to Italy and a significant amount of homework on how audits are performed and regulated in Italy, which could be time-consuming and expensive. Another approach would be for the group auditors to obtain the evidence themselves by visiting Milan Produce and conducting their own audit procedures. It is worth noting that group auditors will work to a higher level of materiality for group audit purposes than would be applied for local purposes, meaning that this approach would almost certainly consume fewer resources than a local statutory audit performed by an Italian auditor. Many group auditors find this to be an efficient and effective approach. Group auditors who are part of a network might ask their network firm in Italy to perform work for group audit purposes, effectively as subcontractors. Auditors who are not part of a network could engage a local firm to do the same, provided they are willing to make the necessary enquiries to establish the competence and independence of the firm and the standards they apply. If the directors of Edinburgh Ltd refuse to permit audit work to be undertaken on Milan Produce, it is likely to constitute an enforced limitation in audit scope and the group auditors must therefore consider withdrawing from the engagement.

Regulator complaints aside, the main issues with group audits for practitioners working as group auditors are: • understanding the group structure and determining which components are significant, component materiality and the work to be performed on components; • evaluating the independence and competence of component auditors, especially when they operate in remote locations. This includes understanding what auditing standards and ethical framework the component auditors apply as well as how they are regulated; • providing component auditors with clear instructions, getting the necessary information out of them on time and determining whether it can be relied on; • taking part in the component audit risk assessment. An important practical issue is whether this involvement is by way of a phone call, video conference or face-to-face meeting – phone calls are common except on the largest audits; • deciding what component auditor planning documentation needs to be inspected and how access will be arranged. Group auditors sometimes have the right to demand access, sometimes they do not, and some component auditors are willing to send copies of documents, sometimes a visit necessary; • deciding which elements of the component audit documentation need to be reviewed by the group auditors; • dealing with the cost of work for group purposes on associated entities. This has to be agreed up front with management of the parent undertaking and different billing arrangements are possible.

c08.indd 147

3/18/2014 8:05:40 AM

148

Core Auditing Standards for Practitioners

The systems and methodologies used by firms of all sizes, whether they are developed in house or are bought in from professional bodies, commercial training consortia or other providers, make a huge difference to the efficiency of group audits. Where firms buy in their methodology rather than designing their own, it will need to be adapted to suit the characteristics of the firm’s audit client base. 8.3.1  The audit of letterbox companies A letterbox company is a parent undertaking registered with a ‘letterbox’ in a jurisdiction different to the jurisdiction in which the company operates. For example, the parent undertaking of a business based in India might be registered in the UK and have a ‘letterbox’ in London. They are sometimes known as shell companies. Nothing in ISA 600 dictates that group auditors must audit a minimum proportion of a group, which means that auditing a large group without auditing any of its components is possible. But regulators are likely to take a close look at competence and resourcing issues in such cases and auditors are expected to be satisfied that they can expect to obtain sufficient appropriate audit evidence before taking on such an engagement. This now means being involved in the risk assessment, and understanding groupwide controls and the consolidation process. Letterbox companies can be audited properly if the audit approach is appropriate. The right approach will tend to encompass significant involvement, on the part of the group auditors, in the audit of components.

Letterbox Company Audits London Plc London Plc is a UK registered company with a single 100% owned subsidiary, the New Delhi Manufacturing Co, which is a manufacturer based in India. An Indian firm of auditors audits the New Delhi Manufacturing Co. An unconnected UK firm of auditors has been asked to audit London Plc. How should the auditors of London Plc approach the audit? London plc is a ‘letterbox’ company as there is virtually no activity in London Plc. The consolidated financial statements mostly consist of the activities of New Delhi Manufacturing Co, which is obviously an individually financial significant component. This presents the auditors of London Plc with a challenge because of the extent to which they need to be involved in the audit of the Indian company. The auditors of London plc might: • perform procedures to understand the group structure, its purpose and the risks associated with it, such as those associated with aggressive tax planning. This is likely to include discussions with key shareholders and management;

c08.indd 148

3/18/2014 8:05:40 AM



Section 8 – Group Audits

149

• seek to understand the regulation of auditors in India and the professional standards applied; • make enquiries of subsidiary auditors about quality control procedures, including cold file review findings and recent regulatory inspections; • consider visiting India shortly after the year-end to talk to the management of the New Delhi Manufacturing Co, to better understand the entity and it environment. Meet with subsidiary auditors to discuss the risk assessment and take part in the audit team discussion; • finalise and send group audit instructions; • consider visiting India again once the fieldwork is complete to attend the final meetings with management and/or those charged with governance; • review the final audit file before sign off, and discuss key audit issues with engagement partner. If the directors of London Plc do not agree with the proposed approach and refuse to accept a fee that covers the necessary work, the auditors need to consider very carefully whether they are in a position to conduct the audit.

8.3.2  The impact of ISA 600 on component auditors Component auditors are not bound by the requirements of ISA 600 in the same way as group auditors, but they need to make sense of the group audit instructions, avoid duplicating work and provide group auditors with what they need, when they need it. Component auditors also need to consider, as a matter of firm policy, how to deal with communications from group auditors and requests for access to audit documentation. 8.3.3  Group auditors and networks that also audit all components Having a single auditor for all group companies simplifies many group audit issues. If a firm or network shares common methodologies and quality control systems, group auditors must still assess the independence and competence of component firms and get involved in the risk assessment, but the process should simply be easier than it would be were non-network firms involved. However, firms and networks differ. Sometimes there are common procedures within a firm or network and sometimes there are not. The position for a firm, network or other association of firms without common policies and procedures is much as it would be for an unrelated auditor. In the real world, components are often audited by many different firms. Some jurisdictions require the appointment of local firms. In larger audits, group auditors may already act for competitors, and in many cases local firms simply have more local expertise than group auditors.

c08.indd 149

3/18/2014 8:05:41 AM

Core Auditing Standards for Practitioners

150

8.4  What the Standards Say 8.4.1  Work required: significant and non-significant components

Financially Significant Components 15%?

Non -Significant Components

Components Significant due to Risks

Figure 8.1

All components within a group, whether they are parent undertakings, subsidiaries, associates or joint ventures, are either significant or non-significant. The distinction is critical because the nature and extent of work performed depends on this assessment. Figure 8.1 summarises the work required on significant and non-significant components. Components are considered to be significant because of their size, or because of the risks associated with them. Paragraph A5 of ISA 600 states that firms may apply percentages to benchmarks such as assets, turnover, cash flows or profits to determine financial significance and, by way of example, it suggests that 15% of a benchmark might be chosen as the relevant percentage. This example benchmark is often used as a starting point. A possible model is set out in Table 8.1. Table 8.1  Financial Significance Percentage of group

Individually financially significant?

20% or greater

Probably.

15% to 20%

Maybe. Use professional judgement.

15% or less

Probably not.

Identifying a component as being individually financially significant to the group has very important implications in terms of how much work the group auditor needs to do. Figure 8.2 summarises the work required on different types of component. The reference to audit evidence relates to the group financial statements not to the component itself. The evidence that might be required to form an opinion on the component’s individual financial statements is almost certainly greater than that required by group auditors for the purposes of the group financial statements.

c08.indd 150

3/18/2014 8:05:41 AM



Section 8 – Group Audits

151

Work required: components Non-significant: Analytical procedures and

Financially significant: Audit using component materiality

Significant due to risk: Audit using component materiality or Audit of risk areas or Specific procedures

where work on significant components and analytical procedures at group level and testing group-wide controls do not provide sufficient evidence, for selected non-significant components: Audit or Audit of specific areas or Review or Specific procedures

Figure 8.2

Individually financially significant components  Where a local statutory audit has been performed appropriately, it will often provide group auditors with sufficient evidence regarding the component’s financial statements for group purposes. Where an adequate local statutory audit has not been performed, an audit will need to be performed for group purposes for individually financially significant components. Components that are significant financially require an audit using component materiality, which is likely to be higher than materiality for local audit purposes. Components that are significant due to risk  Some audit work is needed on components that are significant because of the risks associated with them. This is an increasingly important issue as audit exemption levels rise, particularly in Europe. Components that are significant due to risk require an audit using component materiality, which may already have been covered by a local audit, or an audit of relevant areas, or specific procedures to address the risks. Specific procedures to address group risks are sometimes the most cost-effective way of gaining the necessary evidence. Non-significant components  Non-significant components always require analytical procedures, but group auditors also need to consider additional procedures. Additional procedures are required where the work at group level on significant components, analytical procedures and group-wide control testing do not, together, provide sufficient evidence. Deciding whether additional procedures are needed for

c08.indd 151

3/18/2014 8:05:41 AM

152

Core Auditing Standards for Practitioners

non-significant components is a significant judgement and auditors may well perform additional procedures on some non-significant components anyway, particularly if they are ‘nearly’ significant or if there are worries about a particular risk area or concerns about the quality of work in borderline cases. … Deciding whether additional procedures are needed for non-significant components is a significant judgement and auditors may well perform additional procedures on some non-significant components anyway, particularly if they are ‘nearly’ significant or if there are worries about a particular risk area or concerns about the quality of work in borderline cases …

The additional procedures might consist of requiring an audit, an audit of specific areas, a review using component materiality or specific procedures.

ISA 600 does not really address situations in which there are a large number of nonsignificant components. Can auditors treat them all as non-significant and rely upon analytical procedures alone in such cases? Silence on the matter in ISA 600 suggests that auditors can, but common sense and a small amount of professional judgement clearly indicate that this is a risky approach. In practice, auditors increase the amount of evidence they obtain in these situations. Professional judgement dictates that auditors do this, and professional judgement has to determine what audit evidence is needed. 8.4.2  Group and component materiality Auditors are required to determine materiality and performance materiality at group level and for specific transactions, balances and disclosures in the group financial statements. Auditors also need to determine component materiality when components are subject to audit or review. Group auditors communicate component materiality to component auditors, and component materiality is often higher than materiality for local statutory audit purposes in any case. Materiality and performance materiality for local statutory audit purposes can be aligned with component materiality but in individual account areas, group and component risks, and therefore materiality, may well not be aligned if the businesses are significantly different. Component materiality needs to be lower than materiality for the group as a whole. This can create problems where a very large associate is included in the financial statements of a small group, and is audited to a higher level of materiality than the group as a whole. In such cases, component auditors need to be asked to work to a lower level of materiality. This can be problematic because component auditors might be reporting to one group auditor as a subsidiary, and to another as an associate. Parent entities cannot control associates and cannot insist on an audit to another level of materiality. Component materiality is sometimes equated with performance materiality because it deals with undetected and uncorrected misstatements that might, when aggregated, exceed group materiality. This means that a very large number of small components

c08.indd 152

3/18/2014 8:05:41 AM



Section 8 – Group Audits

153

may well give rise to a lower level of component materiality than a small number of large ones, because there are more errors and potential errors to aggregate. 8.4.3  Evaluating the competence and independence of component auditors Group auditors often need component auditors to perform additional audit work specifically for group purposes, such as adjusting for different accounting policies, different year-ends and different risks at group and component level. It is interesting to observe that as IFRS become more widely used, the need for adjustments by components is diminishing. Where possible, it is nearly always cost-effective to use the work already performed by component auditors for group purposes. However, reliance on any work performed by component auditors is not possible if group auditors cannot show that component auditors are competent, independent, meet other ethical requirements and are subject to an acceptable audit oversight regime. There are legal requirements in some jurisdictions such as the UK for component auditors to cooperate with group auditors for the purposes of group audits. Elsewhere, component auditors may be under no obligation to permit group auditors to be involved in the component audit and may refuse or fail to provide the requested information. Group auditors have to work round these impediments. One way of doing so is by asking group management to obtain formal acceptance and acknowledgement of group audit instructions from component auditors as soon as possible. The problem is particularly acute with associated entities because group management does not control them and the entity may not regard itself as an associated entity of the group in any case. Evaluating component auditors operating in the same jurisdiction as group auditors with regard to oversight should generally be straightforward, but independence and competence have to be dealt with on a case by case basis. Competence is generally only evaluated with hindsight. Network firms operating in remote locations can help with this evaluation, as can professional bodies, but evaluating the quality of oversight in remote locations is difficult at best. Given that oversight is a relatively new phenomenon and takes time to embed, even in the developed world, firms have little choice but to assume that oversight is inadequate unless it can be shown to be adequate. Firms are often and rightly sceptical about statements to the effect that international standards are used in some jurisdictions. Examining regulatory reports on firms is probably only feasible in jurisdictions such as the USA, which make them public.

c08.indd 153

… component auditors may be under no obligation to permit group auditors to be involved in the component audit … Group auditors have to work round these impediments. One way of doing so is by asking group management to obtain formal acceptance and acknowledgement of group audit instructions from component auditors as soon as possible. The problem is particularly acute with associated entities because group management do not control them and the entity may not regard itself as an associated entity of the group in any case …

3/18/2014 8:05:41 AM

154

Core Auditing Standards for Practitioners

Group audit instructions and questionnaires cover the accounting, auditing and ethical standards applied and firms are no longer permitted to assume that just because a firm operates in the same jurisdiction or network, the questions do not need to be asked. 8.4.4  Understanding the group, the consolidation process and subsequent events Group audit planning is like planning for any other audit. Understanding the group involves understanding its structure, components, environment and group-wide controls. There is a specific requirement to understand the consolidation process, including instructions issued by group management to component management and to evaluate: • whether all component have been included in the consolidation; • the appropriateness, completeness and accuracy of consolidation adjustments, with particular reference to fraud risk factors and management bias. Consolidation adjustments include adjustments bringing the accounting policies of components into line with those of the group, and adjustments dealing with different year-ends. Subsequent events often fall through the cracks and there is a specific requirement for group auditors to request component auditors to communicate these. Non-routine consolidation adjustments is an easy area for management to manipulate. They are rarely well controlled, often put through late and, as with other late, significant journal entries, group auditors are required to pay particular attention to them. 8.4.5  Group auditor involvement in component risk assessments and communications with component auditors and group management Group auditors must as a minimum: • discuss significant business activities with component auditors or management; • discuss the susceptibility of component financial statements to material misstatement with component auditors; • review component auditor documentation of significant group risks and their responses thereto.

This is a minimum. Beyond this auditors commonly review the component auditors’ audit strategy and plan and on larger audits they sometimes attend opening and closing meetings and meet with component management. Where component auditors and management have no right or duty to cooperate with group auditors, and group auditors have no right to demand information, permissions are needed for component auditors to communicate with group auditors and it is important to get these before the audit starts. The information usually needed from component auditors includes information: • relating to the independence, competence and oversight of component auditors and the auditing, accounting and ethical standards applied;

c08.indd 154

3/18/2014 8:05:41 AM



Section 8 – Group Audits

155

• to be consolidated in the group financial statements; • about the procedures performed and conclusions reached; • confirming that the required work has been completed. Group audit questionnaires and confirmation requests are often cumbersome and sometimes poorly drafted. This does not encourage their timely completion. Group auditors must give as much notice as they can of the timetable and emphasise the need for information to be returned on time. At the end of the day, if the information is not supplied, or it appears to be unreliable, or component auditors appear to lack independence, group auditors will have to do the work themselves or, failing that, qualify their audit opinion on the grounds of a limitation of scope. Communications with management and those charged with governance regarding the audit plan, findings, limitations in audit scope, suspected fraud and internal control deficiencies are required for group audits in the same way as they are for other audits. Reviewing component auditors’ files can be time-consuming, expensive and difficult and using the response to the group audit questionnaire is generally preferable. But group auditors are nevertheless required to discuss significant issues with component auditors, management or group management to determine whether they need to review those files. If they are in another language, it may be necessary to obtain translations of key schedules. 8.4.6  Practical examples ‘Long-haul’ components  When a significant component’s auditors are a short distance from group auditors, the decision to visit is sometimes easy. When significant distances are involved, the issue is genuinely more difficult because of the cost implications and because of unfamiliarity with the environment.

Deciding Whether to Visit a Distant Component Jakarta Mining Co The Jakarta Mining Co is an individually financially significant component within a group, audited by a local firm of auditors unconnected with the group auditors. Group auditors are aware that they are required to understand the entity, be involved in the component auditors’ risk assessment process and that they are required to review documentation on how significant risks are to be addressed. In this case they may wish to do more than the minimum prescribed by ISA 600. (Continued)

c08.indd 155

3/18/2014 8:05:41 AM

156

Core Auditing Standards for Practitioners

However, a visit to the local auditors and operations of the Jakarta Mining Co will entail a 14-hour return flight for group auditors. Ideally, they would visit at the planning stage and during the completion of the audit, but they are concerned about costs and time and want to develop an efficient approach to fulfilling their responsibilities as group auditors. Other ways that the group auditors might approach their involvement in the Jakarta Mining Co include: • deciding whether group auditor involvement is most needed during the understanding of the entity/risk assessment process, or at completion, and visit just once; • reviewing the completed audit file with earlier involvement by phone call or teleconference; • visiting early on to better understand the entity, meet local management, view operations and take part in local auditor discussions on significant risks. Later in the audit process the local auditors might be willing to share their audit file electronically; • subcontracting group audit work to a local audit firm who would act on their instructions at the risk assessment stage, completion or both. Significant work would be needed to establish the reliability of the subcontract auditors’ work and their independence; • adopting a rotational approach to reduce the number of visits. If there were meetings during audit planning with local management and the local auditors last year, then a phone call might be adequate this year. The approach group auditors take depends on many things, including the assessed risks of error and the feasibility of alternative approaches to obtaining the evidence required.

The value of a network firm  Using a network firm to perform group audit work on components can be a mixed experience. It is important to remember that the same standards apply regardless of whether a network firm is used and regardless of whether the network firm is closely integrated. Where the work of a closely integrated firm is used, the assessment process is simply easier.

Using a Network Firm to Perform Group Audit Work on Components Canberra, Wellington and Manila Group auditors have identified three subsidiaries that are individually financially significant to the group. Group auditors therefore have to be involved in the audit of these subsidiaries. Two are audited by network firms, the third is audited by an independent firm. The following table summarises the group auditors’ intended approach to the audit.

c08.indd 156

3/18/2014 8:05:41 AM



Section 8 – Group Audits

Subsidiary

157

Subsidiary auditors

Possible Approach

Canberra

Canberra is audited by the group auditors’ network firm in Australia. The Australian auditor applies the firms’ global technical and ethical standards and uses the firm’s global audit approach. The last firm-wide report on audit quality give them a high score. This may mean that the group auditors’ involvement need not involve a very detailed assessment of independence, competence and oversight, etc. It can be ‘light touch’.

Telephone Canberra’s management to discuss developments in the business. Telephone the network firm to discuss and agree the risk assessment and discuss the intended approach to significant risk areas. Issue group audit instructions/questionnaires. Review the memorandum of the results of work performed against the group audit instructions/questionnaire and significant risks.

Wellington

Wellington is audited by the network firm in New Zealand. It is a new firm to the network and is only just starting to adopt the firm’s global standards and audit approach. The results of the last firm-wide report on audit quality indicated that there was some work to be done to reach the required standards. More work needs to be performed to ensure that an appropriate standard of evidence has been obtained in this case. The group auditors’ approach will be similar to that used for a subsidiary audited by an unrelated firm.

Visit New Zealand to meet local management and the local auditors to better understand Wellington. Review all audit documentation on understanding the entity and risk assessment. Issue group audit instructions/questionnaires. Visit again to review the full audit file before completion and meet with the engagement partner, or obtain electronic copies of files for review and follow up with a teleconference with the engagement partner. Ensure that group audit instructions have been complied with and that any questionnaire has been completed.

Manila

Manila is audited by an independent firm of auditors. The group auditors have been working with the independent firm on the audit of Manila for the past ten years. Their work has always been of a good standard and the firm has consistently showed good judgement, integrity and competence. There are, however, some high risk areas that appear in the financial statements of Manila so a good degree of involvement will still be required.

Telephone Manila’s management to discuss any new issues that might have arisen since the previous audit. Telephone the engagement partner of the local audit firm to discuss how the high risk areas are to be addressed. Issue group audit instructions/questionnaires. The local engagement partner is willing to e-mail a copy of the planning memorandum for the group auditors to review. After the fieldwork has been completed, visit the local auditors to discuss key issues, review key areas of the audit file, or obtain electronic copies of key areas of the audit file and follow up with a teleconference to discuss. Ensure that group audit instructions have been complied with/questionnaires completed.

These approaches are not models to follow in similar situations. They simply illustrate the fact that not all networks, or network firms, are the same and that the approach needs to be tailored. They also demonstrate the fact that group auditors might choose to do less work on an unrelated firm of subsidiary auditors than a network firm, in certain circumstances.

c08.indd 157

3/18/2014 8:05:41 AM

158

Core Auditing Standards for Practitioners

Review, access to working papers and reporting to group auditors  Access to working papers for review purposes is often one of the biggest headaches for group auditors. Privacy and confidentiality laws are often cited in Europe as reasons for not allowing audit files to cross borders, and many firms are very unwilling to allow working papers to be moved to the USA for review because of potential liability issues and the litigious environment there. There are various ways and means of dealing with this. Summaries of working papers can be prepared. Group auditors may be permitted to visit and review files. Sometimes they are permitted to take copies of papers, sometimes they are not. Hold harmless letters are sometimes issued by component auditors, disclaiming responsibility regarding the group audit. Sometimes component auditors will provide information to component management that is then passed to group management and group auditors, also in an attempt to relieve component auditors of responsibility for the group audit. Some firms rely heavily on responses to group audit questionnaires, others seek memoranda of work performed and others again seek direct reports from component auditors. Many seek some combination and negotiate individually with component auditors on a case-by-case basis.

c08.indd 158

3/18/2014 8:05:41 AM

9

Other Things Good Auditors Need to Know About ISAs 9.1  Other Good Things – The Issues

This section covers the critical elements of a number of other ISAs that practitioners sometimes struggle with, and which have a direct effect on audit efficiency or attract comment by regulators. The ISAs covered in this section are shorter and less complex, but not necessarily any less difficult to apply than some of the other ISAs which have entire sections devoted to them. They are: • ISA 230, Audit Documentation; • ISA 501, Audit Evidence – Specific Considerations for Selected Items; • ISA 510, Initial Audit Engagements – Opening Balances; • ISA 530, Audit Sampling; • ISA 540, Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures; • ISA 560, Subsequent Events. 9.2 ISA 230 on Documentation – The Issues On the face of it, there is very little that is obviously ‘wrong’ with ISA 230. It is a fairly short ISA and it sets out general principles about the standard of documentation and timing for the completion of files. But many of the specific documentation requirements in individual ISAs are quite vague and could be summarised as requiring auditors to ‘document everything’. All in all, audit documentation is one of the most contentious areas in auditing. Too little documentation can result in serious regulatory problems. Too much documentation is inefficient and has a negative impact on audit quality as well as profitability – and most firms have both problems.

c09.indd 159

… many of the specific documentation requirements in individual ISAs are quite vague and could be summarised as requiring auditors to ‘document everything’… Too little documentation can result in serious regulatory problems. Too much documentation is inefficient … and most firms have both problems.

3/18/2014 8:08:51 AM

160

Core Auditing Standards for Practitioners 9.3 Documentation – What the Regulators say

The issue of documentation comes up repeatedly in all regulators’ reports. The general thrust of their complaints is that auditors under-document in judgemental and difficult areas. Regulators are less likely to complain that auditors also over-document and over-audit in more straightforward areas, for obvious reasons, but it still matters enormously in practice. … Conflicts between regulators and auditors arise when regulators take the view that audit files somehow need to ‘survive a nuclear attack’ … issues arise when auditors think that oral explanations ‘should’ be permitted to support documentation, and regulators take the view that oral explanations are in fact being used to compensate for inadequate documentation.

Conflicts between regulators and auditors arise when regulators take the view that audit files somehow need to ‘survive a nuclear attack’, i.e. they need to stand-alone without requiring any explanation whatsoever in the face of the most aggressive examination imaginable. The test is that a file should enable a reasonably experienced auditor having no previous experience of the audit to understand what was done. The ISA makes it clear that oral explanations alone are insufficient but that they may be used to ‘clarify or explain’ audit documentation. The operative word here is ‘may’ and issues arise when auditors think that oral explanations ‘should’ be permitted to support documentation, and regulators take the view that oral explanations are in fact being used to compensate for inadequate documentation.

9.4 Documentation – What Practitioners Say ISA 230 recognises several reasons for auditors to document their work, but demonstrating compliance with the ISAs and supporting the opinion are the main drivers. Balancing them is not always straightforward. Practitioners complain that auditing standards and regulators increasingly require them to demonstrate why they have not gone down a particular route, such as deciding not to obtain a management representation in a significant area, or attend an inventory count, or refer to a matter in the audit report. Explaining why something was done is sometimes harder than doing it and the net effect is sometimes ‘defensive auditing’, in which auditors find it easier to do something, even if they think it unnecessary, than to have to explain why they have not. Many practitioners believe that they spend too much time on documenting compliance with ISAs and not enough on supporting the audit opinion. Essentially, they are disagreeing with regulators and standard-setters as to what is required in order to perform a good audit. Auditors are often uncertain. It is clearly impractical to keep verbatim records of every conversation or every email or notes of every phone call. But regulators have the advantage of hindsight which can lend disproportionate significance to phone calls that

c09.indd 160

3/18/2014 8:08:51 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

161

seemed innocuous at the time they were made. This, understandably, makes practitioners nervous. On the one hand they seek not to clutter files or waste reviewer time with superfluous matters, on the other, after being challenged by regulators, they feel obliged to keep everything ‘just in case’. Meeting both sets of demands requires very careful consideration given how easy it seems to be to get it wrong. It is important for regulators to be consistent and reasonable. Regulators are entitled to change their focus and to develop their approach but they should seek to communicate their interpretations and views on what constitutes acceptable documentation as widely as they can. On riskier audits, auditors are not just concerned about regulators. They know that if the quality of the firm’s work is ever examined in court, it is the documentation that will be judged. Getting the audit work right is one thing but it is the documentation that auditors ultimately fall back on.

9.5 Documentation – What the Standards Say 9.5.1  Documentation: objectives The two primary objectives of audit documentation are to provide: • a record of the basis for the audit report; • evidence of compliance with ISAs. Evidencing compliance with ISAs is now harder than it once was because of the sheer number of mandatory requirements. Audit methodologies do not always demonstrate clearly the relationship between procedures and the requirements they fulfil, which can make it hard for auditors who rely on methodologies for compliance, and who are not familiar with the detailed requirements of ISAs, to defend what they have done. Some methodologies, developed over time by adding new requirements to an existing base, partly account for over-auditing in some areas, even if they do not justify underauditing in others. Complications arose when IAASB’s clarity project was completed in 2009. It resulted in a re-written suite of ISAs that some jurisdictions, including the UK, first implemented in 2010. Most of the changes simply promoted what was previously guidance material to the status of requirements. This often meant that auditors continued to do what they had always done, but what they were doing now was required, rather than best practice. However, it became important to document this work better than had previously been necessary because it was now mandatory, where before, to an extent, it had been ‘optional’. This is a subtle but important point. Many auditors were probably documenting at least some of this work before, but other auditors might not have been documenting it at all.

c09.indd 161

3/18/2014 8:08:51 AM

162

Core Auditing Standards for Practitioners

9.5.2  Documentation: of what? Auditors should document their work to a standard that enables an experienced auditor with no previous connection with the audit to understand: • the nature, timing and extent of procedures performed; • the results of these procedures and the audit evidence obtained; • all significant matters considered during the audit, the conclusions reached and information to support professional judgements made. The broad categories of matters requiring documentation are: • characteristics identifying the items tested; • who performed the work, and when; • who reviewed the work, and when. There is no requirement for documentation to be in hard copy, nor is there any requirement for it to be in writing – what is required is a record, which can be, as we noted in Section 1 on smaller entities, an electronic record including audio or video. We also noted in Section 1 the importance of what to instruct junior staff to exclude, such as full copies of leases and major contracts which may not be required – even if they do make the file look bigger – where copies of extracts will do instead. In some circumstances audit documentation can be very brief and there is no longer any need for large spreadsheets showing every last detail within each invoice that was checked to price lists, VAT rates, orders and dispatch notes, for example. A summary is generally enough. However, it is important to ensure that the pendulum does not swing too far in the opposite direction: junior staff must include just enough information for the test to be repeated if necessary, wherever possible. This means for each item tested, including a unique identifying number such as an invoice number. It is not enough to simply state that 45 invoices were selected at random, covering a 10-month period, for checking to price lists and orders. The ‘Experienced Auditor’ The way to think about what is needed and what is sufficient in terms of documentation, is to imagine a colleague who is an experienced auditor, sitting with the team that has performed the audit, looking at the file. The colleague has audited similar businesses to this one in the past, and the team is there to answer questions. The colleague’s principal objective is not to review the file for compliance with internal quality control requirements or ISAs, i.e. the second objective noted above, but to achieve the first objective, which is to ensure that the file is an adequate record of the basis for the audit report. The way the colleague does this is by understanding what was done in terms of the procedures, results and judgements. This is not to say that compliance is not important, or that the two objectives do not overlap, but there is a difference of focus. This is where auditors and regulators sometimes cross swords: auditors focus on the first of the two objectives, regulators focus on second. Both are right.

c09.indd 162

3/18/2014 8:08:51 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

163

9.5.3  Other reasons for documentation that might result in ‘more’ on the file Supporting the audit opinion and demonstrating compliance with ISAs are sufficient, but more documentation is useful in practice because: • reviewers might require more details concerning the work performed by less experienced staff to ensure that it was done properly; • less experienced staff can receive better on-the-job coaching if reviewers can see more of their workings with a view to suggesting more efficient or effective ways of doing things; • it can be useful to help plan future audits, particularly if it enables new staff to get up to speed quickly; • fuller documentation assists with cold file reviews for quality control purposes; • on larger audits, the quality of the work of individuals can be more easily evaluated; • tracking progress on the audit is easier; • it assists with technical consultations and engagement quality control reviews (EQCRs). Figure 9.1, which summarises these points, looks like a recipe for more documentation rather than less. A better angle is to view low risk, uncomplicated audits with stable audits teams as candidates for leaner audit documentation, even if they are larger audits.

... hot and cold file reviews ... staff training & performance evaluation

... tracking progress

... planning future audits

Documentation facilitates...

... recording the basis for the audit report

... technical consultations & EQCRs

... demonstrating compliance with ISAs

Figure 9.1

c09.indd 163

3/18/2014 8:08:51 AM

164

Core Auditing Standards for Practitioners

9.5.4  Assembling the final audit file ISAs do not require auditors to document their work when they perform it. It makes practical sense to do so but there is no requirement per se. ISA 230 requires that auditors assemble the file and complete the documentation on a ‘timely’ basis, which it suggests is not more than 60 days after the date of the audit report. If amendments are made to the file after that time, there should be a record of when the changes were made, by whom and why. ISA 230 does not permit documentation to be removed or deleted after completion. In practice, auditors often seek to complete the audit file before the audit report is signed. The ‘60 day rule’ is of more relevance to larger international group audits where the logistics of assembling the audit evidence are a challenge. Problems with documentation can arise when senior staff make important audit judgements towards the end of the audit process and do not document them in a timely manner. Memory is fickle and documenting thought processes is a skill to be developed in staff. Documenting thought processes also adds to the quality of judgements. The pressure of having to articulate an issue in writing can force clarity of thought. Welldocumented judgements can be more convincing than oral explanations because they often highlight deficiencies in arguments, which can then be thought through. Important judgements may also be the focus of a second partner or engagement quality control reviews. Reviewers greatly benefit from having something in writing to review! 9.6 ISA 501 on Additional Considerations for Specific Items – The Issues The IAASB seeks to ensure that ISAs are principles-based, encouraging auditors to use their professional judgement to determine appropriate audit procedures. Exceptions to this include the audit of inventory.1 9.7 Inventory – What the Regulators say Regulators make little comment in this area except to the extent that they comment generally on over-reliance on management representations and on the need to properly test accounting estimates. The only specific comment occasionally made is to remind auditors that they should attend inventory counts where inventory is material. 9.8 Inventory – What Practitioners Say The requirements of ISA 501 regarding inventory are straightforward and uncontentious. They have not changed significantly for many years. ISA 501 states that where inventory is material, auditors should obtain audit evidence relating to its existence and condition by attendance at the physical count ‘unless 1

c09.indd 164

ISA 501 also covers litigation and claims, and segment information. ISA 505 covers external confirmations.

3/18/2014 8:08:51 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

165

impracticable’. ISA 501 points out and regulators observe that ‘impracticable’ is not the same as ‘inconvenient’. Inconveniently located inventory and counts at inconvenient times are not of themselves a reason not to attend a count. Practitioners generally recognise the importance of attending counts where inventory is material and evidence cannot be obtained in other ways. Impracticable might cover inventory: • that is hazardous or dangerous, such as nuclear fuel rods. Attending a count at an alligator farm might appear impracticable, but auditors may observe how the farm counts the alligators without entering the pens themselves to do test counts. It is rarely impracticable to attend the counts on these grounds; • that is located in a situation that poses a threat to the safety of auditors, such as locations in which travel is not advised. Attendance at a Count is Impracticable Tashkent Expedition Equipment Tashkent Expedition Equipment manufactures and stores its products at its factory in China. Auditors based in Europe might find it inconvenient to attend the count but this does not make it impracticable. The auditors should attend the count, but that does not necessarily require a member of the audit team to travel to China, although this is sometimes the best solution. The auditors could subcontract the attendance of the count to a local audit firm. This would be a firm in the same network, preferably, but this is not essential provided the auditors satisfy themselves that the local firm will undertake work to an appropriate standard. This involves similar considerations to those relevant to using the work of a subsidiary auditor for group audit purposes, i.e. the firm must be independent and competent, for example. The local auditors can be sent instructions covering what do to at the count and what to document. The documentation should be provided to Tashkent’s auditors. In some circumstances, auditors might consider sending someone from the audit team to China to attend the count and at the same time obtain a better understanding of Tashkent’s business, which would improve the risk assessment and testing.

9.8.1  Can auditors use the work of external experts who count inventory? ISA 501 requires auditors to attend counts regardless of whether external independent inventory counters are used by the audited entity. Where auditors intend to use the work of external counters, the auditors’ attendance can sometimes seem superfluous. But where inventory is significant to the financial statements there is often a high risk of error and fraud associated with it. Auditors therefore require a high standard of evidence for the existence and condition of inventory, which means that it will be difficult to justify relying on the assumption that the expert inventory counters will do a good

c09.indd 165

3/18/2014 8:08:51 AM

166

Core Auditing Standards for Practitioners

job, even where they are independent and competent. The auditors need at least some evidence that they have generated themselves by observing the count to ensure that the external counters’ processes are satisfactory, among other things.

External Experts Warsaw Agriculture Warsaw Agriculture operates an arable and dairy farm. Management engages a local firm of valuers, LSE, to count and value the dairy herd, farm stocks and growing crops, which represent significant amounts on the balance sheet. LSE is well-known to the auditors and has a good reputation for a combination of experience, expertise and integrity. Warsaw Agriculture has used them in the past. The auditors, who have a good knowledge of the farm’s operations, intend to use LSE’s work. The auditors have made inquiries of management and LSE about valuation procedures. LSE intends to send an experienced valuer and two assistants to all of Warsaw Agriculture’s operational sites to count all relevant items and inspect them for their condition. LSE will then finalise the valuation based on the physical count. The auditors will evaluate the instructions sent to the valuers, the details of what and where the herd, stocks and crops are to be found, and attend the count and observe LSE’s work to ensure that it is being performed as planned and in accordance with the instructions issued. The auditors will focus on: • whether all items are being counted; • inspecting the herd, stocks and crops for condition; • test counts to provide evidence regarding the accuracy of LSE’s work. Put simply, the auditors are attending the count to obtain evidence that LSE are doing what they are supposed to be doing. Reliance on reputation and past experience alone is not acceptable because of the significance of the amounts involved and the associated risks. It may be possible to reduce the level of test counting and other work performed if tests of controls in the area have shown the relevant systems to be working well in the past.

9.8.2  Attendance at year-end counts ISA 501 not only requires auditors to attend inventory counts but prescribes what they should do when they get there. Simply turning up and performing a few test counts is not enough. Auditors are required to: • evaluate the inventory counting instructions issued by management; • evaluate procedures for recording and controlling the count;

c09.indd 166

3/18/2014 8:08:52 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

167

Attending a Count San Marino Joinery and Sawmill San Marino Joinery and Sawmill owns a very large warehouse that supplies timber to the building trade. It counts inventory at the year-end. The quantities of timber and other materials mean that the San Marino inventory count takes a full day to complete. The warehouse closes for the day and the count starts at 6am with the intention of finishing by 3pm, but sometimes it takes a great deal longer if the finance director finds errors and requests a recount. The auditors know that they are required to attend the San Marino inventory count, but they believe they will need to spend more than 9 hours on site and attend the whole count. The auditors therefore attend the inventory count at 9am. They talk to the finance director to establish what procedures are being followed and what instructions have been given. They observe the counting procedures and inspect the inventory for condition, noting anything that looks damaged or in poor condition. They discuss this and other slowing moving inventory with the finance director. At this stage the auditors cannot perform their test counts because the handheld devices used to scan bar codes and to record quantities are all in use, and in any event the count is not complete yet so the whole population of inventory is not available for testing. The auditors therefore agree to return later when the count is complete. The finance director contacts them at 4pm to say that counting is complete and auditors can review the output from counting and perform test counts. Alternatively, if two visits are not practical, the auditors could attend later in the day to view the count and do the tests immediately afterwards. However, if they attend too late then they will not have the opportunity to observe the count in progress.

• observe counts; • inspect the inventory; • perform test counts. If the inventory count does not take place at the year-end, auditors will generally attend the count nearest to the year-end. They then need to obtain evidence on inventory movements that occur between the year-end and the date of the count. Larger organisations often operate some combination of perpetual counting system and permanent inventory records. One way of reducing the level of reliance on work performed at the year-end count is to attend counts during the year as a test of controls. If the controls are operating properly, the level of substantive evidence needed at the year-end may be reduced.

c09.indd 167

3/18/2014 8:08:52 AM

Core Auditing Standards for Practitioners

168

9.9 ISA 510 on Initial Engagements and Opening Balances – The Issues ISA 510 applies to situations in which the prior period financial statements were unaudited or audited by other auditors. The challenges that this presents to auditors are in obtaining sufficient appropriate evidence regarding: • opening balances; • the consistency of accounting policies with the prior period. 9.10 Initial Engagements – What the Regulators say Regulators observe that auditors sometimes pay little attention to the fact that an audit is an initial engagement and that opening balances need to be audited, or that there is insufficient audit evidence on comparative information. Used properly, analytical procedures can be useful in both cases where more direct tests of details are more difficult to perform. 9.11 Initial Engagements – What Practitioners Say 9.11.1  Limitation of scope There will be circumstances where it might not be possible to obtain sufficient audit evidence regarding opening balances or comparative information. For example, if auditors were unable to attend the inventory count at the beginning of the period and there is no other detailed evidence regarding the existence and condition of opening inventory, the auditors’ opinion may be qualified on the basis of a limitation in the scope of this audit. This is not uncommon in some jurisdictions. … Where auditors are able to access the predecessor’s audit file, it may be possible to obtain adequate evidence using a combination of the predecessor auditors’ work and the new auditors’ own work in the current period …

In jurisdictions where auditors are able to access the predecessor’s audit file, it may be possible to obtain adequate evidence using a combination of the predecessor auditors’ work and the new auditors’ own work in the current period. Regulations concerning access to the predecessor’s working papers are intended to make changing auditors easier. They should help avoid the need for a qualified audit opinion in these situations.

9.11.2  Reliance on accountancy work Where the prior period financial statements were not audited, auditors cannot rely on audit work conducted in the prior period, but it is common for financial statements to be prepared by a professional firm of accountants. Auditors can evaluate the work performed to prepare the financial statements and consider how much of it can be used for audit purposes. This is only really possible when

c09.indd 168

3/18/2014 8:08:52 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

169

the firm preparing the financial statements is also now performing the audit, because another firm is unlikely to grant access to its working papers. For example, auditors often check that the bad debt provision is complete by ensuring that all year-end receivables have been paid after the year-end. Similar work is performed on payables. Control accounts are often reconciled for the bank sales and income taxes accounts. Much of this work can be used for the purposes of auditing opening balances, although the existence and condition of inventory and the physical verification of non-current assets are hard to support in this way. 9.12 Initial Engagements – What the Standards Say ISA 510 has a number of specific requirements relating to the audit of opening balances. Auditors are required to: • read a copy of the most recent financial statements to obtain information on the opening balances, including the predecessor’s audit report if there is one; • determine that opening balances have been properly brought forward; • determine that the opening balances have been prepared applying appropriate accounting policies; • perform specific procedures in relation to the opening balances including at least one of the following: –– review the predecessor’s working papers where available; –– evaluate current year procedures to see if they provide evidence regarding the opening balances; –– perform specific procedures to obtain evidence on the opening balances, such as analytical procedures or tests of detail. In practice, auditors should consider reviewing the predecessor’s file where it is practical and possible. It provides good quality audit evidence and will often be sufficient to avoid a qualified audit opinion on issues such as the existence and condition of inventory.

… In practice, auditors should also consider reviewing the predecessor’s file where it is practical and possible. It provides good quality audit evidence and will often be sufficient to avoid a qualified audit opinion on an issue such existence and condition of inventory …

The value of audit work in the current period to support opening balances should not be underestimated. Also, in jurisdictions in which auditors are permitted to provide accountancy services, such services can provide highly persuasive evidence on opening balances—the reconciliation of control accounts is particularly useful.

In addition to the current period’s work and accountancy work, auditors should consider analytical procedures to further improve the overall quality of evidence. Tests of detail are occasionally needed. Where there was no audit in the prior period and auditors had no involvement in the preparation of the prior or current period’s

c09.indd 169

3/18/2014 8:08:52 AM

Core Auditing Standards for Practitioners

170

financial statements, analytical procedures might need to be supplemented with some sampling of opening balances. Tests of detail might also be considered where there are specific risks associated with opening balances, such as evidence of management bias in accounting estimates including inventory valuation adjustments and bad debt provisions. If management displays potential bias in the closing provisions, it is reasonable to ask whether they have been biased in the opening provisions. In these circumstances, more robust audit evidence provided by tests of detail may be needed. 9.13 ISA 530 on Audit Sampling – The Issues Sampling is one of the most efficient and effective ways to obtain reliable audit evidence for a large population of transactions or balances. Sometimes it is the only way. Either way, it has to be done properly if it is to be of value. The purpose of sampling is to form an opinion on an entire population by applying procedures to a representative sample from it. 9.14  Audit Sampling – What the Regulators say A recurring message from UK regulators over the years is that auditors do not document sampling processes properly. In particular auditors should document how: • samples sizes are determined; • samples are selected; • errors found when sampling are dealt with. 9.15  Audit Sampling – What Practitioners Say The big issues for practitioners are determining sample sizes and the degree to which a rigid statistical approach is necessary. 9.15.1  Sample sizes The size of the sample is important to practitioners because, while large samples sizes might be good for the quality of audit evidence, they are bad for the budget. Balancing effectiveness and efficiency is a constant battle and developing an audit methodology that gets the balance right is the objective of every audit firm. ISA 530 gives little guidance other than lists of factors that affect sample sizes, and views on samples sizes have historically followed fashion rather than robust statistical techniques. Following the financial crisis of 2008, many auditors increased sample sizes and reduced reliance on analytical procedures. 9.15.2  The need for statistical methods Smaller entities have small populations of transactions and balances to test and in general they have lower audit risk. This, combined with fee pressures, makes rigid statistical sampling methods time-consuming. More judgemental approaches can sometimes

c09.indd 170

3/18/2014 8:08:52 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

171

be quicker and, if used properly, just as effective. However, where errors are found using more judgemental approaches, it is harder to extrapolate the results reliably and form an opinion on the population as a whole. So risk does have to be low if statistical methods are to be discounted altogether. 9.16  Audit Sampling – What the Standards Say ISA 520 has not changed greatly in recent years and the key issues continue to be determining the right sample sizes, selecting the sample appropriately and properly evaluating errors. 9.16.1  Sample sizes Auditors need to understand the relationship between sample size and risk. The higher the inherent risk of error in a population, the lower the detection risk auditors can tolerate if audit risk is to be maintained at an appropriate level. This means larger sample sizes if the risk of error is high, because auditors cannot afford to miss them. Where risk is low, sample sizes may be smaller. ISA 530 permits the determination of sample sizes using statistical methods or professional judgement. Statistical methods often involve statistical models that use normal distributions to deal with the risk of error in populations. These models permit auditors to specify an acceptable level of risk that errors might be missed using confidence levels, i.e. auditors determine sample sizes partly be reference to whether they want to be 95% or 99% confident that the sample selected is representative of the population from which it is drawn. Audit firms sometimes develop their own models and/ or sample size calculators to adopt this statistical approach or they outsource it to independent technical and training consultancies. These models are often made to be user friendly using simple sample size calculators that have inputs for high, medium and low risk. When determining sample sizes using professional judgement, auditors need to be prepared to be challenged, and to ensure that they can clearly demonstrate that the related evidence is adequate. 9.16.2  Sample selection The most important thing about sample selection is that every item in the chosen population has to have a known chance of being selected, although not necessarily an equal chance. Any sample selection method that does not give the opportunity of being selected to every item in the population means that auditors are not selecting from the whole population, which means that results cannot be validly extrapolated. One example of this involves the common practice of auditors testing large or unusual items in a population. This can be a very efficient way of obtaining audit evidence on a large proportion or high risk element of the population. However, when items are selected this way, they cannot be representative of the population as a whole and errors in them cannot be extrapolated to the population as a whole.

c09.indd 171

3/18/2014 8:08:52 AM

172

Core Auditing Standards for Practitioners

9.16.3  Stratifying the sample Sometimes, one part of a population has different characteristics to the remainder. It is common for a large proportion of receivables, say 80% by monetary value, to be made up of just 10% of account balances. Stratifying or separating the sample between the larger items and the smaller items means that auditors can focus their effort on the larger items, providing proportionately more audit evidence with a smaller sample size. One practical problem is that auditors can make the mistake of seeking coverage of a population at the expense of forming an opinion on the population as a whole. For example, while it may be of value to test the 10 largest balances in a given population, and thereby achieve coverage of, say, 60% of the population, this provides no evidence on the remaining 40%, which cannot be ignored. 9.16.4  Selection methodologies ISA 230 suggests that there are three main selection methods: • random selection, using random number tables or generators; • systematic selection, where the number of units in the population is divided by the chosen sample size to give a sampling interval; • haphazard selection, which does not approximate to random selection, because of the risk of bias, and which should not be considered to be a proper statistical method of selection. It can be used, but the evidence provided will be of lower quality than that provided using a more rigorous selection method. A commonly applied variation of systematic selection is monetary unit sampling. The monetary value of the population, rather than the number of units in the population, is divided by the sample size. This method prioritises larger balances, which are effectively selected several times. This example shows how an audit might use sampling when performing a receivables circularisation. Sampling in a Receivables Confirmation The Tallinn Cushion Company The Tallinn Cushion company manufactures cushions and gives 60 days credit to its customers. At the year-end, receivables total €2.3m. The five highest balances total €1.1m. Auditors select the five largest items for the receivables circularisation because an individual error in any of these could be material, leaving a residual population of €1.2m. Using the firm’s statistical methodology, auditors determine the sample size as follows. Population size/performance materiality × assessed risk factor = sample size

c09.indd 172

3/18/2014 8:08:52 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

173

This is an example of a sample size calculation based on a statistically based model that would calculate the risk factor. In practice, the detailed calculations used in different audit firm models vary significantly. Assuming that in this instance the sample size is calculated as 15 for the residual population, auditors use a random number generator to select 15 items at random from the original population.

9.16.5  How to deal with errors If auditors detect an error during sampling, ISA 530 requires auditors to determine whether it is isolated. If it is not, auditors project errors to the whole population to estimate the possible effect of the error on the financial statements. They do this by evaluating the error against the level of tolerable misstatement. In practice, errors are very rarely isolated, and ISA 530 requires auditors to presume that they are not isolated unless they can prove otherwise. It is important for these reasons for auditors to be clear about what an error actually is, what the assessed level of control risk is and the confidence level required. 9.17 ISA 540 on Accounting Estimates – The Issues Accounting estimates range widely from simple depreciation methods and calculations through to the valuation of complex financial instruments. Estimates are often among the highest risk areas in any audit because of the level of judgement required, and the extent of manipulation possible, in developing and choosing among different policies, models, methods and the assumptions underlying them. Junior auditors often confuse accounting policies, models, methods, underlying assumptions and the estimates themselves. For example, an accounting policy requires that non-current assets be depreciated in accordance with a financial reporting framework. The method may be the reducing balance method and assumptions will relate to the length of useful lives and residual values. Models are generally confined to valuations. The estimate is simply the result, i.e. the depreciation figure, arrived at by applying the policy using the method chosen in line with the underlying assumptions. ISA 540 requirements focus on the evaluation of accounting policies, models, methods and assumptions, as well as on the calculation of the estimates themselves which must be appropriate and in line with the relevant financial reporting framework. Auditors also consider the appropriateness of the chosen policies, whether they are applied consistently within the entity and from year to year, and the quality of related disclosures. 9.18  Accounting Estimates – What the Regulators say Regulators note the need for auditors to demonstrate how they have considered estimation uncertainties and whether they have considered the impact of errors on the

c09.indd 173

3/18/2014 8:08:52 AM

174

Core Auditing Standards for Practitioners

financial statements. Auditors need to identify significant accounting estimates at the planning stage of the audit and ensure that they properly understand them. The days when estimates were dealt with towards the end of the audit are long gone. 9.19  Accounting Estimates – What Practitioners Say The message from auditors is that accounting estimates tend to be the riskiest part of audits, particular when there is a need for an impairment review or where there are long term provisioning issues. More senior members of the audit team, including audit engagement partners, are often expected to consider most of the major estimates. Estimates are often considered very thoroughly and a wide range of good quality audit evidence is obtained, but documentation is sometimes lacking. 9.20  Accounting Estimates – What the Standards Say 9.20.1  Summary of Requirements The overarching requirements of ISA 540 can be summarised as follows: • auditors must understand the entity’s accounting estimates, which is more than simply understanding its accounting policies; • auditors should review the outcome of the prior period accounting estimates as part of the risk assessment; • auditors must assess the degree of estimation uncertainty in relation to each material accounting estimate; • where estimation uncertainty is high, auditors should consider whether accounting estimates represents a significant risk. 9.20.2  Understanding accounting estimates Understanding accounting estimates is necessary to assess the risk of material error in order to better design audit procedures to detect these errors. Accounting policies are important but there is a great deal more to understanding estimates and auditors need to understand how management makes the estimates and how they identify the need for estimates. Management in smaller entities will often have no formal processes or indeed any processes for any of this, and in some cases will rely on auditors to point out that an asset needs to be depreciated over time, for example. 9.20.3  The prior period review ISA 540 requires auditors to review the outcomes of accounting estimates, such as provisions for obsolete inventory, in the opening balances. This is not a procedure to obtain evidence regarding opening balances. Auditors review outcomes to understand the quality of the policies, methods, models and assumptions used in the closing accounting estimates and gain a general understanding of how they work. An understanding of how far estimates deviate from the ‘actual’ results means that auditors are better placed to assess estimation uncertainty and design better quality audit procedures.

c09.indd 174

3/18/2014 8:08:52 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

175

The review of the opening accounting estimates may consist of tests of detail, but more commonly procedures involve discussions with management and relevant staff, combined with analytical procedures. ISA 540 notes that where this is not possible, auditors might instead look at the re-estimation of accounting estimates in the current period. 9.20.4  Estimation uncertainty and risk assessment ISA 540 specifically requires auditors to assess estimation uncertainty for each material accounting estimate. Estimation uncertainty is the susceptibility of an estimate to a lack of precision in its measurement. Estimation uncertainty is not the same as risk, although it has a relationship with risk. High estimation uncertainty often increases risk. The wider the possible range for an estimate, the greater the risk of it being materially misstated. Even where estimation uncertainty is low, the risk of fraud may contribute to a higher risk assessment. If management is motivated to show higher earnings, bias may be present in accounting estimates. Where estimation uncertainty is high, ISA 540 requires auditors to consider whether it represents a significant risk. 9.20.5  Responding to risk – all accounting estimates As with all issues relating to risk, procedures should be designed to respond to the risks assessed. However, regardless of the assessed risks, ISA 540 requires auditors to undertake certain specific procedures for all material accounting estimates. Paragraph 13 requires that auditors undertake one or more of the four procedures set out below. The first two procedures can be very effective and efficient, particularly when auditing smaller entities. The latter two are significantly more time-consuming, but they might be the only way of responding to risk relating to accounting estimates in larger entities with more formal procedures, or where risk is high. 1. Consider post-balance sheet events  Considering post-balance sheet events can be a highly efficient and effective way of obtaining evidence regarding accounting estimates, if there is sufficient time after the year-end. Auditors basically ‘wait and see’. For example, if management is valuing inventory at the lower of cost and net realisable value (NRV), testing the actual sales made shortly after the year-end provides reliable evidence as to the NRV. 2. Test how management made the accounting estimates  The auditors should consider whether the methods and assumptions used by management are appropriate and in accordance with the relevant financial reporting framework. 3. Relying on internal controls  If auditors wish to rely on internal controls, they are required to test their operating effectiveness. Once it has been established that internal controls over how management makes the accounting estimates are operating effectively throughout the period, auditors can reduce the level of substantive evidence required at the year-end. For example, this may mean attending several

c09.indd 175

3/18/2014 8:08:52 AM

176

Core Auditing Standards for Practitioners

inventory counts during the year where continuous inventory accounting procedures are in place. 4. Auditors develop their own range of estimates or a point estimate  This is a powerful way to challenge management’s models, methods, and assumptions, but it can be very difficult and time-consuming. Nevertheless, there are areas in which nothing else will really work, such as complex impairment reviews.

Responding to Risk in Accounting Estimates Georgetown Properties Georgetown Properties has a portfolio of investment properties. Georgetown revalues the properties at the year-end using an external firm of valuers, Rothmans. Half of the property portfolio comprises residential properties on short-term lets. Rothmans value these at market value using price comparisons with similar properties in the same geographical area that have recently been sold. The other half of the portfolio is specialist buildings with medium-term tenancies. There are few comparable properties with similar leases and Rothmans have used an existing use valuation assuming rental growth rates of 5% per annum for the foreseeable future. The auditors have evaluated the revaluation of the properties as a significant risk. The auditors will need to establish that Rothmans is independent, reputable, appropriately qualified and that it has the skills, expertise and experience to undertake the valuation. The valuation represents a significant risk and in any event the auditors will need to do more than simply use the valuers’ work. In relation to residential properties, the auditors’ response might be to: • discuss the appropriateness of the valuation models, methods and assumptions in discussion with management of both Georgetown Properties and Rothmans. If other valuation methods were considered, the auditors should consider why they were rejected; • evaluate whether the models, methods and assumptions are appropriate and reasonable given generally accepted accounting practices within the property sector; • view the sales particulars and price comparisons for similar properties used by Rothmans. Auditors may sometimes be able to verify what the comparison properties actually sold for, not just what they were offered at; • if more evidence is needed, auditors can examine property indices, comparing price movements in the property portfolio of the company with relevant national or local indices. In practice obtaining this evidence can be a great deal more difficult than it should be but

c09.indd 176

3/18/2014 8:08:52 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

177

where it is needed and possible to obtain, it potentially represents very high quality, third party, externally generated evidence. The auditors need to approach the specialist properties in a similar way allowing for the different valuation model. The auditors should discuss the valuation models with management of Georgetown Property. Management might say that they have followed the advice of Rothmans. If Rothmans say that they have not considered alternatives to the 5% growth rate in rental income because that is the rate of growth built into the leases, auditors need to consider the reasonableness of this approach. Even if the auditors conclude that it is reasonable to assume this rate of growth until the current leases end in seven years time, achieving the same rate of growth thereafter might seem optimistic. Auditors may need to remind management that lower rents might be received at the end of the current leases, and that this possibility needs to be factored into management’s valuations. The 5% growth rate might not represent the market rate. It could be a commercial arrangement to end-load the lease payments. Because of the nature of the audit risk, the auditors’ response has to be robust and the management of Georgetown Property should be urged to consider alternative approaches to the valuation. In practice, auditors might very occasionally find it necessary to engage their own expert to assist them for specialist audits or where there is high risk, although the cost may be prohibitive.

In situations such as those outlined above, auditors sometimes say that they are not surveyors and that they find it difficult to challenge an expert’s view. When audit risk is high, auditors need to be especially robust and challenge assumptions. If assumptions do not seem right or cannot be supported with audit evidence, auditors need to continue challenging them until they receive sufficient appropriate audit evidence to support them. If the evidence is not forthcoming or what is provided is inadequate, the auditors should consider the impact on their opinion. 9.20.6  Estimates that represent significant risks Additional ISA 540 requirements for accounting estimates that represent a significant risk are as follows. Has management considered alternative assumptions?  In making accounting estimates, assumptions that can be considered by management include assumptions about the rates of return on an investment, and about interest, inflation and exchange rates. Sensitivity analysis quickly shows which assumptions are more susceptible to smaller changes and auditors can focus on these areas.

c09.indd 177

3/18/2014 8:08:52 AM

178

Core Auditing Standards for Practitioners

Evaluating Managements Assumptions Pristina Freight Forwarding Pristina Freight Forwarding has a national network of delivery depots which they service using a fleet of commercial vehicles. Pristina’s management decide that it is necessary to conduct an impairment review of the company’s assets because of poor trading. The market value of Pristina’s assets, which include buildings and the fleet of commercial vehicles, is below book value, and management is reliant on a valuation of the assets based upon their existing use value within various income-generating business units. Pristina’s management selects a number of income-generating units and predicts a rate of growth of 5% and a discount rate of 3%. It concludes that assets are not impaired. The auditors’ documentation of the impairment review is limited to a note to the effect that management has carried out an impairment review, that the auditors have reviewed management’s work, and a conclusion that forecasts seem reasonable. In this example, the auditors’ limited response to the impairment review does not appear to be adequate. Note that regulators say that in practice, auditors sometimes do take this approach. The risk of error needs to be carefully assessed before formulating an appropriate response. Active consideration needs to be given to the risk of fraud in the form of deliberate manipulation of the financial statements. Consideration also needs to be given to the seemingly high level of estimation uncertainty. Auditors should consider what assumptions about growth and discount rates are most appropriate. Most auditors would struggle to support a 5% growth rate in a mature economy and a challenging approach needs to be taken with management of Pristina.

Are management’s significant assumptions reasonable?  For example, if an impairment review calculation uses a growth rate of 5%, can it be supported? Is there a more appropriate rate? What are management’s intentions and are they able to carry out plans?  Estimates often involve assumptions about future actions, such as continuing to use an asset as opposed to selling it or plans to sell inventory in one geographical market rather than another. These assumptions often change valuations and auditors need evidence that management is able and willing to carry out the course of action built into the assumptions. 9.20.7 Example The following case study seeks to illustrate all of the requirements relating to accounting estimates.

c09.indd 178

3/18/2014 8:08:52 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

179

Accounting Estimates Example The Bridgetown Habitation Company The Bridgetown Habitation Company is a sub-contractor in the construction industry. Revenue on contracts is recognised as the contract progresses as a proportion of the total revenue due based on the percentage of completion at the year-end. The percentage of completion is calculated by an independent quantity surveyor. The Bridgetown Habitation Company gives terms to its debtors of 30 days. The auditors’ approach to these areas is as follows.

The Bridgetown Habitation Company

Bad debts

Revenue recognition

Understanding accounting estimates

Auditors identify and record bad debts as material accounting estimates. Auditors discuss with management and record how bad debt provisions are calculated. Auditors review the relevant accounting standard to evaluate whether the correct accounting treatment has been adopted.

Auditors identify and record that revenue recognised on incomplete contracts at the year-end is a material accounting estimate. Auditors discuss and record how revenue is recognised with management of Bridgetown and the contract manager. The involvement of the contract manager is sought to obtain a different view on what could be a high risk audit area. Auditors review the requirements of the relevant revenue recognition standard together with any relevant industry-specific guidance to evaluate whether the correct accounting treatment has been adopted. Accounting requirements relating to revenue recognition in the building industry are likely to be complex and can even be controversial. Copies of extracts from the accounting standard and related guidance are recorded on file so that the whole audit team can familiarise themselves with the issues Auditors discuss with the contracts manager how the external quantity surveyors assess the percentage of completion. They base their assessment on the costs expensed to date compared with future total expected costs. (continued)

c09.indd 179

3/18/2014 8:08:52 AM

180

Core Auditing Standards for Practitioners

(Continued)

c09.indd 180

The Bridgetown Habitation Company

Bad debts

Revenue recognition

Assessing estimation uncertainty and risk

After auditors have obtained an understanding of the issues they can assess the degree of estimation uncertainty present. Bad debt provisions should be relatively easy to estimate as most debtors pay within 30 days, and where a debtor is late contract work ceases. Management may be in a position to manipulate the bad debt provision. Auditors discuss the opening bad debt provision with the receivables ledger manager. All of the opening debts that were expected to be received, have been. None of the amounts given as doubtful have been received. This indicates that the provisions have been reliably made in the past and support a lower assessment of estimation uncertainty.

Revenue recognition represents high estimation uncertainty because contracts are long and sometimes profits and losses on contracts are hard to predict and circumstances can change very quickly. Auditors discuss the outcome of the opening position on contracts in progress at the beginning of the period with the contract manager. Some contracts thought to be profitable at the beginning of the year made significant losses. This confirms the auditors’ view that there is high estimation uncertainty in relation to revenue on incomplete contracts. Accrued income on construction contracts is a significant figure in the financial statements. Management is in a position to manipulate the figure by negotiating with the quantity surveyors. Auditors therefore consider this to be a significant risk. The area will require a more thorough audit approach and auditors will seek to obtain highly persuasive evidence and be vigilant for fraud.

Procedures to obtain audit evidence

The sufficiency of the bad debt provisions are tested by checking a sample of receivables balances to after date receipts. Written representations are obtained from management.

Post-balance sheet contract activity is reviewed to identify trends in profitability on incomplete contracts at the year-end. Any contracts competed after the year-end will be scrutinised. Auditors review the assumptions used by the quantity surveyors for reasonableness in the light of the accounting objectives. Management is asked whether they considered alternative assumptions for this valuation as an alternative to the model used by the quantity surveyors. Auditors consider the need to contact the quantity surveyors directly to discuss their approach and confirm valuations. Written representations are obtained from management.

3/18/2014 8:08:52 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

181

9.21 ISA 560 on Subsequent Events – The Issues Auditors consider subsequent events because events after the balance sheet date sometimes require adjustments in the financial statements (adjusting events) or disclosure (non-adjusting events). Auditors need to look for adjusting or non-adjusting events that might be omitted from the financial statements. Adjusting events give evidence regarding conditions at the balance sheet date, non-adjusting events reflect conditions arising after the balance sheet date. Management has a responsibility to consider subsequent events and auditors typically review how management does this. However, once management has approved the financial statements, it will no longer actively look for subsequent events and auditors need to be more vigilant until they sign the audit report. This is a good reason to keep the time between management approving the financial statements and the date of the audit report as short as possible. The ISA has many requirements addressing situations in which facts come to the auditors’ attention after the date of the audit report. This is a relatively unusual situation and is not addressed here. 9.22 Subsequent Events – What the Regulators Say Common themes reported by regulators in the past include the following: • auditors need to document how they have considered subsequent events right up until they sign the audit report; • auditors need to make the gap between management approval of the financial statements and the date of the audit report as short as possible; • audit documentation needs to show what auditors have done to review subsequent events. 9.23 Subsequent Events – What Practitioners Say Practitioners sometimes struggle with ensuring that the review extends all the way to the date of the audit report. At the end of the audit process, there are many calls on the auditors’ attention, particularly if there are issues that might lead to a modification of the opinion. The subsequent events review sometimes seems relatively unimportant. It is therefore useful for there to be an element of the audit methodology or system of working papers designed to remind the engagement partner of the need to document the review immediately before signing the audit report. The documentation should specify what was done, and not merely record the fact that a review took place. 9.24 Subsequent Events – What the Standards Say 9.24.1  Summary of Audit Procedures Required by the Standard ISA 560 requires auditors to perform the following procedures as part of the subsequent events review: • understand how management undertakes the review and determine what procedures management might use;

c09.indd 181

3/18/2014 8:08:52 AM

182

Core Auditing Standards for Practitioners

• inquire of management about the existence of subsequent events; • read minutes of meetings, such as shareholder or owner meetings, held since the balance sheet date; • read board meeting minutes, held since the balance sheet date; • read the latest ‘interim financial statements’, i.e. any financial statements, including management accounts, that have been prepared since the balance sheet date. These requirements are not particularly controversial, but they are detailed and can be overlooked. Management procedures  Management is responsible for the identification of subsequent events and any consequent amendments to the financial statements. Auditors should make inquiries about how management undertakes this and, where necessary, test management’s procedures. In a large organisation with dispersed operations, management will need to have a system for contacting these operational managers to inquire about subsequent events. Inquiries of management  An essential element in auditing subsequent events is making inquiries of management. Auditors should take care with the timing and content of these inquiries and ensure that they are made of the right people. General inquiries should be made until very shortly before the audit report is signed. Specific inquires are also needed such as: • has litigation against the company progressed since management and auditors last spoke? • has the large receivable discussed been paid? • has the large new contract continued to be profitable, or are there predicted losses that might need to be recognised in the period? • is year-end inventory selling at above cost or at the net realisable values estimated in the financial statements? Representations from management received in response to auditor inquiries may be oral and written. Oral responses should be recorded and where necessary corroborated with other evidence. Written representations are always needed regarding subsequent events but care needs to be taken to corroborate them. General representations that all subsequent events have been identified and recognised in the financial statements are always necessary. Any significant specific oral representations should be included in the representation letter. The following example illustrates how auditors might deal with specific representations.

c09.indd 182

3/18/2014 8:08:53 AM



Section 9 – Other Things Good Auditors Need to Know About ISAs

183

Specific Representations Regarding Subsequent Events Dhaka Extracts Wholesale Dhaka Extracts distributes organic products. It holds inventory at its distribution centres and supplies large retailers. Dhaka Extracts has a year-end of 31 December 20X4. Auditors identify some slow-moving inventory lines. There was also a large debt from a small supermarket chain that was three months old at the year-end and Dhaka Extracts had stopped supplying that customer. At the closing meeting in March 20X4, the auditors asked management about these issues. Management said that the slow-moving inventory was still selling at a price above cost and that the debt was being chased by their lawyers. The finance director of the supermarket was promising payment in three installments in April, May and June. After the closing meeting the auditors corroborated these representations by testing the post year-end sales of slow-moving products and reviewing correspondence with the supermarket. Management approved the financial statements on 2 May 20X4 and auditors plan to sign the audit report on 3 May 20X4. The auditors ask management to sign a representation letter that, in addition to general representations on subsequent events, includes representations relating to the slow-moving inventory lines and the receivable. Before signing the audit report, the auditors contact the finance director to confirm that the supermarket is paying the installments agreed and that the slow-moving inventory is continuing to sell above cost. The auditors ask to see evidence of the payments being received and the sale price of the inventory.

Minutes of meetings  Auditors should review the minutes of all relevant meetings held after the year-end as part of the subsequent events review. They should document which minutes have been read, The review of the minutes is intended to identify any indication of events that might affect the financial statements such as: • plans for restructuring; • matters affecting the going concern status of the entity; • problems with financing the business; • natural disasters such as floods or fire. Where meetings have been held prior to the sign-off of the audit but minutes have not yet been produced, auditors should make inquiries about what was discussed at the meeting.

c09.indd 183

3/18/2014 8:08:53 AM

184

Core Auditing Standards for Practitioners

An important issue that needs to be raised before the auditors sign the audit report is whether any meetings have occurred since the previous review. Review of ‘interim financial statements’  Interim financial statements are any financial statements prepared since the year-end, whether for internal or external use. Typically, in smaller entities, they are management accounts. Where auditors have reviewed interim financial statements but sign-off is delayed, another set of interim financial statements might have been prepared. These would then need to be reviewed. If no interim financial statements are available, auditors can review the entities accounting records, budgets or forecasts.

c09.indd 184

3/18/2014 8:08:53 AM

INDEX accountants  23, 105 accounting estimates  173–180 case study  178–180 estimation uncertainty  175–178 fraud 115–117 ISA 540  173–175, 177 prior period review  174–175 accounting policies  61–62 ACFE see Association of Certified Fraud Examiners aggressive earnings management  102 analytical procedures  86–87, 90–93 Ankara Recruitment  131 AQRT see Audit Quality Review Team assertion-level risk  72–75 assessment of risk see risk assessment Association of Certified Fraud Examiners (ACFE)  109 Athens Contracts  122 audit committees  129–130 audit documentation see documentation audit methodologies  3–8, 11–12 Audit Quality Review Team (AQRT) efficient auditing  84 fraud 103 group audits  143–144 materiality 20–21 risk assessment  51 those charged with governance  125 audit reports  129–130 audit risk  23–24, 72 audit sampling  170–173 Australia fraud 104 group audits  144–145 related parties  40 risk assessment  52 Bakersfield IT  68–69 benchmarks 27–28 Beijing Merchandise  97 Berlin Hotels  43 Bon Voyage Renovations  74

bindex.indd 185

Brasilia Industries  29, 32 Bridgetown Habitation Company 179–180 ‘bright lines’, group audits  142 Cardiff Commercial Property  115 checklists 70 clearly trivial errors  32–33 Closets Campers  76 communications with those charged with governance  121, 128–140 group audits  154–155 internal controls  136–138 letters  135, 137–140 significant findings  130, 131–132 smaller entities  135 those charged with governance  121, 128–140 two-way 128–129 written  134–135, 137–140 completeness 39–40 complexity of audit  13–18 component auditors  153–154 controls see internal controls Corporate Governance Code, UK 132–133 cost-effectiveness  1, 13–18, 151 Dhaka Extracts Wholesale  183 divided responsibility  142–143 documentation 159–164 efficient auditing  86, 97 excessive documentation of risks  14 ISA 230  159, 160, 164 materiality 28–32 minimisation 17–18 objectives 161 over-documentation 15 planning 17 risk assessment  14, 54, 80 smaller entities  10, 14–17 standardised 70–71 understanding the entity  54, 70–72

3/18/2014 8:10:46 AM

186 Dublin foundation  93 Dublin Kitchenware  110 earnings management  102 Edinburgh Ltd  146–147 engagement letters  135, 138–139 engagements, initial  168–170 engagement team discussions  81 errors aggregated unadjusted  33–34 audit sampling  173 clearly trivial  32–33 material misstatements  33–34 sampling/nonsampling 33 unadjusted  33–34, 35 estimation uncertainty  175–178 see also accounting estimates ethics, IESBA  105 evidence  83, 86–87 experienced auditors  162 external confirmations  90 external experts  165–166 family-owned businesses  43 FAP see Fraud Advisory Panel financially significant audit components 151 financial statements  72–75, 96–97, 113–114 fraud 99–120 audit as deterrent  109–110 definitions  107–108, 112 importance of  102 management fraud  110–112 policy-makers 102–103 related parties  37–38 reporting 119–120 responses to risk  118 risk assessment  78–79, 108–109, 113–118 smaller entities  107–108 Fraud Advisory Panel (FAP)  107–108 Georgetown Properties  176–177 governance 61

bindex.indd 186

Index see also those charged with governance group audits  141–158 communications 154–155 component auditors  153–154 letterbox companies  148–149 materiality 152–153 networks/network firms  149, 156–157 other jurisdictions  145 risk assessment  154–155 significant components  142, 150–152 standard-setter issues  142–143 understanding the group  154 Havana Kitchen Equipment  116 Helsinki Guest House  117 IAASB see International Auditing and Assurance Standards Board IESBA see International Ethics Standards Board for Accountants information, permanent  71 information systems  66 in-house audit methodologies  8 initial engagements  168–170 integrated audits  138 interim audits  96 interim financial statements  184 internal controls accounting estimates  175–176 communicating deficiencies  136–138 control activities  66 control environment  65 definition 63–64 design of  64, 68–69 five components  63–64, 65–67 implementation of  64, 68–69 ISA 315  50–51, 54 smaller entities  16 tests of controls  94–96 understanding the entity  63–69

3/18/2014 8:10:47 AM

Index 187 International Auditing and Assurance Standards Board (IAASB)  52–53, 104, 126, 145 International Ethics Standards Board for Accountants (IESBA)  105 International Standards on Auditing (ISAs) core standards  3–4 implementation monitoring project  22, 41, 52–53, 104, 126, 145 ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing 10–12 ISA 210, Agreeing the Terms of Audit Engagements 138–139 ISA 230, Audit Documentation 159, 160, 164 ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements  88–89, 100, 112, 114 ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment  50–51, 54, 56, 57–59, 70, 75 ISA 320, Materiality in Planning and Performing an Audit 22 ISA 330, The Auditor’s Responses to Assessed Risks 83 ISA 501, Audit Evidence—Specific Considerations for Selected Items  164–165, 166 ISA 505, External Confirmations 90 ISA 510, Initial Audit Engagements—Opening Balances 168–169 ISA 530, Audit Sampling 170–171, 173 ISA 540, Auditing Accounting Estimates, Including Fair Value

bindex.indd 187

Accounting Estimates, and Related Disclosures  89, 173–175, 177 ISA 550, Related Parties  37, 45, 89–90 ISA 560, Subsequent Events 181 ISA 600, Special Considerations— Audits of Group Financial Statements (Including the Work of Component Auditors) 141–142, 149, 152 materiality 22 quality of audit  1, 3 reading/understanding 2 inventory 164–167 investments 61 ISAs see International Standards on Auditing Jakarta Mining Co  155–156 journal entries  115–117 Kingston Cruises  108–109 letterbox companies  148–149 Lisbon Telecommunications  94 London Plc  148–149 Madrid Consultants  44 Malaysia fraud 103 group audits  144 materiality 21–22 related parties  40 risk assessment  52 management fraud  106, 110–112 letters  135, 137–138 override  88–89, 106 those charged with governance  121, 131 materiality 19–35 benchmarks 27–28 clearly trivial errors  32–33 definitions 24–25 documentation 28–32 group audits  152–153

3/18/2014 8:10:47 AM

188

Index

materiality (Continued) material misstatements  19, 33–35, 72–75 percentages 27–28 performance  24–28, 143 practitioners 22–24 qualitative/quantitative aspects  25 regulators 20–22 revisions 32 standards 24–35 material misstatements  19, 33–35, 72–75 see also misstatements material transactions  38 methodologies, audit  3–8, 11–12 Milan Produce  146–147 minutes of meetings  163–164 misstatements  112, 113 see also material misstatements monitoring of controls  66 Monster Electronics  73 narrative notes  14–15, 70–71 Nassau technology start-up  30, 32 networks/network firms  149, 156–157 Nicosia Contractors  106–107 non-audit services  15–16 ‘non-related’ related parties  44–45 non-significant components  150–152 opening balances  168–170 Oslo Productions  117 Ottawa Research  34 over-auditing 48–49 over-documentation 15 override  88–89, 106 performance materiality  24–28, 143 permanent information  71 planning/plans  17, 62 policies, accounting  61 Prague Eateries  95 presumed risks  54–55, 85, 115 prior period accounting  168–170, 174–175

bindex.indd 188

prior year audit files  13–14 Pristina Freight Forwarding  178 professional scepticism  3, 113 proportionality 8–9 Proton Construction  58 QAD see Quality Assurance Department Quality Assurance Department (QAD) fraud 103 group audits  144 materiality 21 related parties  40 risk assessment  51–52 rebuttable presumptions  115 regulators accounting estimates  173–174 audit sampling  170 documentation 160 efficient auditing  84–85 fraud 103–105 group audits  142–145 initial engagements  168 inventory 164 materiality 20–22 related parties  38–39, 40–41 risk assessment  51–53 smaller entities  7 subsequent events  181 those charged with governance 124–126 understanding the entity  51–53 related parties  37–46 completeness 39–40 cultural differences  38–39 family-owned businesses  43 fraud  37–38, 45–46 SPEs 46 transactions not at arm’s length  46 undisclosed 45 unidentified 45 reporting fraud 119–120

3/18/2014 8:10:47 AM

Index 189 group audits  158 UK Corporate Governance Code 132–133 unadjusted errors  35 representation letters  139–140 responding to risk  83–97 analytical procedures  86–87, 90–92 internal controls  85–86, 92, 94–96 significant risks  88–90 smaller audits  5, 6, 85–86 standards 87–97 substantive procedures  87–88, 93, 94, 96–97 tests of control  94–96 responses to risk  83–85, 87–88, 90–91, 118 responsibility, divided 142–143 revenue recognition  106–107 risk assessment  47–81 accounting estimates  175–178 assertion-level risk  72–75 documentation  14, 54, 80 engagement team discussions  81 financial statements  72–75 fraud  78–79, 108–109, 113–118 group audits  154–155 internal controls  53–54, 65, 80–81 over-auditing 48–49 preliminary analytical procedures 75–77 procedures 75–78 risk-based auditing  47–48, 53 risks assertion-level risk  72–75 audit risk  23–24, 72 presumptions about  54–55, 85, 115 significant risks  88–89, 177–178 sampling errors  33 San Marino Joinery and Sawmill  167 Sarajevo Foundation  111 scepticism  3, 113 shell companies see letterbox companies significant components  142, 150–152

bindex.indd 189

significant deficiencies  136–137 significant findings, communicating  130, 131–132 significant risks  88–90, 177–178 Singapore  41, 52, 104, 145 smaller entities  1–2, 5–18 auditor responsibilities  10–12 communications 135 defining 9–10 documentation  10, 14–17 fraud 107–108 less complexity  13–18 methodologies  5, 6–7, 11–12 one-size-fits-all standards  5, 6 proportionality 8–9 regulatory aspects  5, 6, 7 ten top tips  13–18 those charged with governance  122, 123–124 Special Purpose Entities (SPEs)  46 SPEs see Special Purpose Entities standardised documentation  70–71 standards see International Standards on Auditing statistical methods  170–171 subsequent events  181–184 subsidiary auditing  156–157 substantive procedures  80, 87–88, 93, 94, 96–97 Sucra Holidays  31, 32 Tallinn Cushion Company  172–173 Tashkent Expedition Equipment  165 tests of detail  169–170 those charged with governance 121–140 communications  121, 128–140 smaller entities  122, 123–124 standard-setter issues  124–125 who they are  126–129 Todd Airport  10 tolerable misstatement  26, 33 trivial errors 32–33 two-way communications  128–129

3/18/2014 8:10:47 AM

190 uncertainty, estimation  175–178 understanding the entity  47–81 accounting policies  61–62 documentation  54, 70–72 external factors  60 future plans  62 governance 61 industry conditions  59 internal controls  63–69 irrelevant aspects  57–63 objectives/strategies 62 overview of ISA 315  58–59 ownership 61 performance measures  63

bindex.indd 190

Index Valletta Wholesale  106 Vienna Philanthropic Foundation 127 walkthroughs 69 Warsaw Agriculture  166 working papers  158 written communications  118, 134–135, 137–140 written representations  118 year-end counts, inventory  166–167

3/18/2014 8:10:47 AM