1. No category

Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Preface
1.
How to Use the Guide
2.
Clarified ISAs
BASIC CONCEPTS
3. The Risk-Based Audit – Overview
4. Ethics, Independence, ISAs and Quality Control
Multiple
ISQC 1, 200, 220
5. Internal Control – Purpose and Components
315
6. Financial Statement Assertions
315
7. Materiality and Audit Risk
320
8. Risk Assessment Procedures
9. Responding to Assessed Risks
10. Further Audit Procedures
240, 315
240, 300, 330, 500
330, 505, 520
11. Accounting Estimates
540
12. Related Parties
550
13. Subsequent Events
560
14. Going Concern
570
15. Summary of Other ISA Requirements
16. Audit Documentation
06/10/2010
250, 402, 501, 510, 600,
610, 620, 720
ISQC 1, 220, 230, 240, 300,
315, 330
Page 1
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
17. Forming an Opinion on Financial Statements
1.
How to Use the ISA Audit Guide
2.
Introduction to the Case Studies
700
PHASE 1: RISK ASSESSMENT
3.
Risk Assessment – Overview
Preliminary Activities
4. Client Acceptance and Continuance
ISQC 1, 210, 220, 300
Planning the Audit
5. Overall Audit Strategy
6. Determining and Using Materiality
7. Audit Team Discussions
300
320, 450
240, 300, 315
Performing Risk Assessment Procedures
8. Inherent Risks — Identification
240, 315
9. Inherent Risks — Assessment
240, 315
10. Significant Risks
11. Understanding Internal Control
06/10/2010
240, 315, 300
240, 315
12. Evaluating Internal Control
315
13. Communicating Deficiencies in Internal Control
265
14. Concluding the Risk Assessment Phase
315
Page 2
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
PHASE II: RISK RESPONSE
15. Risk Response – An Overview
16. The Responsive Audit Plan
17. Determining the Extent of Testing
18. Documenting Work Performed
19. Written Representations
–
260, 300, 330, 500
330, 500, 530
230, 500
580
PHASE III: REPORTING
20. Reporting – Overview
21. Evaluating Audit Evidence
22. Communicating with Those Charged with
Governance
06/10/2010
–
220, 330, 450, 520, 540
260, 450
23. Modifications to the Auditor’s Report
705
24. Emphasis of Matter and Other Matter Paragraphs
706
25. Comparative Information
710
Page 3
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
PREFACE
This Guide was commissioned by the IFAC Small and Medium Practices (SMP) Committee to assist
practitioners on the audit of small- and medium-sized entities (SMEs) and to promote consistent
application of the International Standards on Auditing (ISAs).
The Guide provides non-authoritative guidance on applying ISAs issued by the IAASB as at April 1,
2010 as set out in the 2010 edition of IFAC’s Handbook of International Quality Control, Auditing,
Review, Other Assurance, and Related Services Pronouncements.1 The Guide is not to be used as a
substitute for reading the ISAs, but rather as a supplement intended to help practitioners understand and
consistently implement these standards on SME audits. The Guide does not address all aspects of ISAs,
and should not be used for the purposes of determining or demonstrating compliance with the ISAs.
The Guide provides a detailed analysis of the ISAs and their requirements in the context of an SME audit.
It addresses, amongst other things: the key concepts underlying risk assessment; planning and performing
risk assessment procedures, including; understanding the entity and its environment; identifying,
assessing and responding to the risks of material misstatement; evaluating audit evidence; and reporting.
In addition, the Guide offers some useful practice aids and two in-depth illustrative case studies based on
typical SME audits. It does not, however, provide a comprehensive toolkit with all the accompanying
forms, checklists and programs necessary for conducting an audit.
The Guide is intended to explain and illustrate so as to develop a deeper understanding of an audit
conducted in compliance with ISAs. This Guide provides practitioners with the analysis and some of the
tools needed to effectively and efficiently implement ISAs. It offers a practical “how-to” audit approach
that practitioners may use when undertaking a risk-based audit of an SME.
Ultimately it should help practitioners conduct high quality, cost-effective SME audits and to enable them
to better serve the public interest. We also see it being used by member bodies, audit firms and others as a
basis for educating and training professional accountants and students.
The Guide, while developed by the Canadian Institute of Chartered Accountants (the CICA), is the full
responsibility of the IFAC SMP Committee. A global advisory panel with members drawn from a broad
cross-section of IFAC member bodies have assisted in reviewing the Guide. Input was also received from
members of IFAC staff.
We hope that member bodies and audit firms will use the Guide, either as it is or, where necessary,
tailored to suit their own needs and jurisdiction. We believe the Guide will be a basis from which member
bodies and others can develop “derivative products” such as training materials, audit software, checklists,
forms and audit programs.
Sylvie Voghel
1
SMP is used to refer to accounting practices that exhibit the following characteristics: its clients are
mostly SMEs; external sources are used to supplement limited in-house technical resources; and it
employs a limited number of professional staff. What constitutes an SMP will vary from one jurisdiction
to another.
1
The 2010 Handbook is published in two parts. For a free download of Part I, Part II or both, go to:
http://web.ifac.org/publications/international-auditing-and-assurance-standards-board
06/10/2010
Page 4
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Chair, IFAC SMP Committee
August 2010
REQUEST FOR COMMENTS
This is the second version of the Guide. While we consider this Guide to be of high quality and useful, it
can be improved. Hence, we are committed to updating this Guide on a regular basis so as to ensure it
reflects current standards and is as useful as possible.
The next update is tentatively scheduled for the second half of 2011. In order to ensure the next version is
even more useful than this one, we welcome comments from national standard setters, IFAC member
bodies, practitioners and others over the coming months.
Please submit your comments to Paul Thompson, Senior Technical Manager at:
E-mail: [email protected]
Fax: +1 212-286-9570
Mail: Small and Medium Practices Committee
International Federation of Accountants
545 Fifth Avenue, 14th Floor
New York, New York 10017, USA
DISCLAIMER
This Guide is designed to assist practitioners in the implementation of the International Standards
of Auditing (ISAs) on the audit of small- and medium-sized entities, but is not intended to be a
substitute for the ISAs themselves. Furthermore, a practitioner should utilize this Guide in light of
his or her professional judgment and the facts and circumstances involved in each particular audit.
IFAC disclaims any responsibility or liability that may occur, directly or indirectly, as a
consequence of the use and application of this Guide.
1.
HOW TO USE THE GUIDE
The purpose of this Guide is to provide practical guidance to practitioners conducting audit engagements
for small- and medium-sized entities (SMEs). However, no material in the Guide should be used as a
substitute for:
•
Reading and understanding of the ISAs
It is assumed that practitioners have read the text of the International Auditing standards as published
in the 2010 edition of IFAC’s Handbook of International Quality Control, Auditing, Review, Other
Assurance, and Related Services Pronouncements. ISA 200.19 states that the auditor shall have an
understanding of the entire text of an ISA, including its application and other explanatory material, to
understand its objectives and to apply its requirements properly.
06/10/2010
Page 5
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Use of professional judgment
The exercise of professional judgment is required at various stages in planning and performing an
audit of financial statements.
While it is expected that small- and medium-sized practices (SMPs) will be a significant user group, this
Guide is intended to help all practitioners to implement ISAs on SME audits.
The Guide offers a practical “how-to” audit approach that practitioners may use when undertaking a riskbased audit of an SME.
This Guide can be used to:
•
Develop a deeper understanding of an audit conducted in compliance with the ISAs;
•
Develop a staff manual (supplemented as necessary for local requirements and a firm’s procedure) to
be used for day-to-day reference and as a basis for training sessions and individual study and
discussion; and
•
Ensure staff adopt a consistent approach to planning and performing an audit;
This Guide often refers to an audit team, which implies more than one auditor is involved in conducting
the audit engagement. However, the same general principles also apply to audit engagements performed
exclusively by one person (the practitioner).
1.1
Customization of the Guide
Translation
To facilitate translation, the Guide has used ISA terminology to the maximum extent possible. In
situations where ISA terminology was not available for use, the author made every attempt to use
terminologies that could be easily translated.
Currency
A non-specific common currency unit of CU (Є) has been used. During translation, individual countries
may choose to change the currency to a local or standard international currency.
National Adaptation
In situations where the national standards differ from the ISAs (whether for legislative or other reasons),
this Guide may provide a starting point and to be adapted for the national requirements.
1.2
Content and Organization
Rather than just summarize each ISA in turn, the Guide has been organized into two volumes. The first
volume of this Guide addresses key audit concepts such as materiality, internal control and the type and
nature of audit procedures. The second volume focuses on how to apply these concepts in practice. It
follows the typical stages of an audit from client acceptance, planning and risk assessment through to risk
response, evaluating audit evidence and forming an audit opinion. However, to avoid repetition Volume 2
has not repeated the requirements of ISAs that address specific audit issues such as estimates, related
parties, subsequent events and going concern. Volume 1 summarizes these requirements either as a
separate chapter or as part of Chapter 15, which is entitled “Summary of Other ISA Requirements”.
The two volumes are entitled:
•
Volume 1 — Core Concepts
06/10/2010
Page 6
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Volume 2 — Practical Guidance.
Summary of Organization
Each chapter in both volumes of this Guide has been organized in the following format:
•
Chapter Title
•
Audit Process Chart – Extract
Most chapters contain an extract from the audit process chart (where applicable) to highlight the
particular activities that will be addressed in the chapter.
•
Chapter Content
This outlines the content and purpose of the chapter.
•
Relevant ISAs
Most chapters in this Guide begin with some extracts from the ISAs that are relevant to the chapter
content. These extracts include relevant requirements and, in some cases, the objectives (sometimes
highlighted separately where a chapter focuses primarily on one particular ISA), selected definitions
and application material. The inclusion of these extracts is not meant to infer that other material in the
ISA not specifically mentioned or other ISAs that relate to the subject matter do not need to be
considered. The extracts in the Guide are based solely on the judgment of the authors as to what is
relevant for the content of each particular chapter. For example, the requirements of ISA 200, 220 and
300 have applicability throughout the audit process but have only been addressed specifically in one
or two chapters.
•
Overview and Chapter Material
The overview in each chapter provides:
– Extracts from applicable ISAs; and
– An overview of what is addressed in the chapter.
The overview is followed by a more detailed discussion of the subject matter and practical step-bystep guidance/methodology on how to implement the relevant ISAs. This can include some crossreferences to the applicable ISAs.
•
Consider Point
A number of Consider Points are included throughout the Guide. These Consider Points provide
practical guidance on audit matters that can easily be overlooked or where practitioners often have
difficulty in understanding and implementing certain concepts.
The Guide also makes reference to, but does not outline, the requirements of the Code of Ethics for
Professional Accountants issued by the IESBA (the IESBA Code) effective as of January 1, 2010
and the requirements of International Standards on Quality Control 1 (ISQC 1), Quality Control for
Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related
Services Engagements
•
Illustrative Case Studies
To demonstrate how the ISAs can be applied in practice, Volume 2 of the Guide includes two simple
case studies. At the end of most chapters within Volume 2, one possible approach to documenting the
application of the ISA requirements is discussed. Please refer to Volume 2, Chapter 2 of this Guide
for details about the case studies.
Note:
06/10/2010
The purpose of the case studies and the documentation presented are purely illustrative. The
documentation provided is a small extract from a typical audit file and it illustrates just one
Page 7
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
possible way of complying with the ISA requirements. The data, analysis and commentary
provided represent only some of the circumstances and considerations that the auditor will
need to address in a particular audit. As always, the auditor must exercise professional
judgment.
The first case study is based on a fictional entity called Dephta Furniture. This is a local, family-owned
furniture manufacturer with 10 full-time employees. The entity has a simple governance structure, few
levels of management and straightforward transaction processing. The accounting function uses an offthe-shelf, standard software package. The second case study is based on another fictional entity called
Kumar & Co. This is a micro-sized entity with two full-time staff plus the owner and one part-time
bookkeeper.
1.3
Glossary of Terms
Refer to the glossary of terms in the 2010 edition of IFAC’s Handbook of International Quality Control,
Auditing, Review, Other Assurance, and Related Services Pronouncements for terms that are used
throughout the ISAs and in this Guide.
1.4
Acronyms Used in the Guide
AR
Assertions
(combined)
CAATs
CU
F/S
HR
IAASB
IC
IESBA Code
IFAC
IFRS
ISAs
ISAEs
IAPSs
ISQCs
ISREs
ISRSs
IT
PC
R&D
RMM
RAPs
06/10/2010
Accounts receivable
C= Completeness
E = Existence
A = Accuracy and cut off
V = Valuation
Computer-assisted audit techniques
Currency units (standard currency unit is referred to as “Є”)
Financial statements
Human resources
International Auditing and Assurance Standards Board
Internal Control. The five major components of internal control are as follows:
CA = Control activities
CE = Control environment
IS = Information systems
MO = Monitoring
RA = Risk assessment
IESBA Code of Ethics for Professional Accountants
International Federation of Accountants
International Financial Reporting Standards
International Standards on Auditing
International Standards on Assurance Engagements
International Auditing Practice Statements
International Standards on Quality Control
International Standards on Review Engagements
International Standards on Related Services
Information technology
Personal computer
Research and development
Risks of material misstatement
Risk assessment procedures
Page 8
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
SME
SMP
TOC
TCWG
1.5
Small- and medium-sized entities
Small- and medium-sized (accounting) practices
Tests of controls
Those charged with governance
Other Terms Used in the Guide
Anti-Fraud Controls
These are controls designed by management to prevent or detect and correct frauds. With respect to
management override, these controls may not prevent a fraud from occurring but would act as a deterrent
and make perpetrating a fraud more difficult to conceal. Typical examples are:
•
Policies and procedures that provide additional accountability, such as signed approval for journal
entries;
•
Improved access controls for sensitive data and transactions;
•
Silent alarms;
•
Discrepancy and exception reports;
•
Audit trails;
•
Fraud contingency plans;
•
Human resource procedures such as identifying/monitoring individuals with above-average fraud
potential (for example, an excessively lavish lifestyle); and
•
Mechanisms for reporting potential frauds anonymously.
Entity Level Controls
Entity level controls address pervasive risks. They set the “tone at the top” of an organization and to
establish expectations for the control environment. They are often less tangible than controls that operate
at the transaction level but have a pervasive and significant impact and influence over all other internal
controls. As such, they form the all-important foundation upon which other internal controls (if any) are
built. Examples of entity level controls include management’s commitment to ethical behavior, attitudes
toward internal control, hiring and competence of staff employed, anti-fraud and period-end financial
reporting. These controls will have an impact on all other business processes operating within the entity.
Management
The person(s) with executive responsibility for the conduct of the entity's operations. For some entities in
some jurisdictions, management includes some or all of those charged with governance, for example,
executive members of a governance board, or an owner-manager.
Those Charged with Governance
The person(s) or organization(s) (for example, a corporate trustee) with responsibility for overseeing the
strategic direction of the entity and obligations related to the accountability of the entity. This includes
overseeing the financial reporting process. For some entities, in some jurisdictions, those charged with
governance may include management personnel, for example, executive members of a governance board
of a private or public sector entity, or an owner-manager.
Owner-Manager
This refers to the proprietors of an entity who are involved in the running of the entity on a day-to-day
basis.
06/10/2010
Page 9
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
In most instances, the owner-manager will also be the person charged with governance of the entity.
IAASB Pronouncements
This Guide focuses exclusively on the ISAs (other than the 800 series) that apply to audits of historical
financial information.
Other IFAC Publications
The following IFAC publications may also be read in conjunction with this Guide:
•
IESBA Code of Ethics for Professional Accountants
•
Guide to Quality Control for Small- and Medium-Sized Practices.
06/10/2010
Page 10
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
2.
CLARIFIED ISAs
In March 2009, the IAASB announced the completion of its 18-month long program to comprehensively review all
of its ISAs and ISQC1 to improve their clarity (Clarity project). Auditors now have access to 36 newly updated and
clarified ISAs and a clarified ISQC. This includes one new ISA (ISA 265), 16 ISAs that contain new and revised
requirements and 19 ISAs that have been redrafted for clarity only. These ‘clarified’ standards are designed to
enhance understanding and to facilitate implementation and translation.
The clarified standards are effective for audits of financial statements for periods beginning on or after December
15, 2009.
Structure of Clarified Standards
The clarified ISAs have a common structure as outlined below.
ISA Element
Comments
Introduction
An explanation of the purpose and scope of the ISA, including how the ISA
relates to other ISAs, the subject matter of the ISA, specific expectations on
the auditor and others, and the context in which the ISA is set.
Objectives
The objective to be achieved by the auditor as a result of complying with the
requirements of the ISA. To achieve the overall objectives of the auditor, the
auditor is required use the objectives stated in relevant ISAs in planning and
performing the audit, having regard to the interrelationships among the ISAs.
ISA 200.21 (a) requires the auditor to:
(a)
Determine whether any audit procedures in addition to those required
by the ISAs are necessary in pursuance of the objectives stated in the ISAs;
and
(b)
Evaluate whether sufficient appropriate audit evidence has been
obtained.
Definitions
A description of the meanings attributed to certain terms for purposes of the
ISAs. These are provided to assist in the consistent application and
interpretation of the ISAs. They are not intended to override definitions that
may be established for other purposes, such as those contained in laws or
regulations. Unless otherwise indicated, these terms carry the same meanings
throughout the ISAs.
Requirements
This section outlines the specific auditor requirements. Each requirement
contains the word “shall”. For example, ISA 200.15 contains the following
requirement:
“The auditor shall plan and perform an audit with professional
skepticism recognizing that circumstances may exist that cause
the financial statements to be materially misstated”.
Application and
06/10/2010
The application and other explanatory material provides further explanation of
Page 11
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
ISA Element
Comments
Other Explanatory
Material
the requirements of an ISA and guidance for carrying them out. It also
contains.
In particular, it may:
• Explain more precisely what a requirement means or is
intended to cover.
• Where applicable, include considerations specific to smaller
entities,
• Include examples of procedures that may be appropriate in
the circumstances. However, the actual procedures selected by
the auditor require the use of professional judgement based on
the particular circumstances of the entity and the assessed risks
of material misstatement.
While such guidance does not in itself impose a requirement, it is relevant to
the proper application of the requirements of an ISA. The application and other
explanatory material may also provide background information on matters
addressed in an ISA.
Appendices
2.1
Appendices form part of the application and other explanatory material. The
purpose and intended use of an appendix are explained in the body of the
related ISA or within the title and introduction of the appendix itself.
ISA Index and Cross-References
The ISA Framework is illustrated below.
06/10/2010
Page 12
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
International Standards on Quality Control ISQCs 1-99
International Framework for
Assurance Engagements (audit & review)
Historical
Financial Information
International Standards
on Related Services
(compilations etc)
Other
Financial Information
International
Standards on
Assurance
Engagements
ISAEs
3000-3699
International
Standards on
Auditing
ISAs
100-999
International
Standards on
Related
Services
ISRSs
4000-4699
International
Auditing Practice
Statements
IAPSs
1000-1999
International
Standards on
Review
Engagements
ISREs
2000-2699
The following table cross-references the ISAs (relevant to SME auditing) and ISCQ1 to the corresponding
chapters in the Guide. Note that many ISAs (such as the use of analytical procedures) apply at various
stages of the audit. This table only includes cross-references to the principal chapters in the Guide in
which the requirements are addressed. Some of the material in the ISAs is also addressed in other
chapters, in recognition that many of the ISA requirements have some (but not primary) application in
many chapters (such as the use of professional judgment).
ISA/ISQC
Reference
ISQC 1
200
06/10/2010
Primary
Guide Chapter
Quality Control for Firms that Perform Audits and Reviews of
Financial Statements, and Other Assurance and Related Services
Engagements
V1-4, 16
Overall Objectives of the Independent Auditor and the Conduct of an
Audit in Accordance with International Standards on Auditing
V1-3, 4
V2-4
Page 13
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
ISA/ISQC
Reference
Primary
Guide Chapter
210
Agreeing the Terms of Audit Engagements
V2-4
220
Quality Control for an Audit of Financial Statements
V1-16
V2-4, 21
230
Audit Documentation
V1-4, 16
V2-18
240
The Auditor’s Responsibilities Relating to Fraud in an Audit of
Financial Statements
V1-8, 9, 16
V2-7, 8, 9, 10
250
Consideration of Laws and Regulations in an Audit of Financial
Statements
260
Communication with Those Charged with Governance
265
Communicating Deficiencies in Internal Control to Those Charged
with Governance and Management
300
Planning an Audit of Financial Statements
V1-15
V2-16, 22
V2-13
V1-9, 16
V2-4, 5, 7, 10, 16
315
Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and its Environment
V1-3, 5, 6, 8, 16
V2-7, 8, 9, 10, 11,
12, 14
320
Materiality in Planning and Performing an Audit
V1-7
V2-6
330
The Auditor’s Responses to Assessed Risks
V1-3, 9, 10, 16
V2-16, 17, 21
402
06/10/2010
Audit Considerations Relating to an Entity Using a Service
V1-15
Page 14
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
ISA/ISQC
Reference
Primary
Guide Chapter
Organization
450
Evaluation of Misstatements Identified during the Audit
500
Audit Evidence
V2-6, 21, 22
V1-9
V2- 16, 17, 18
501
Audit Evidence—Specific Considerations for Selected Items
V1-15
505
External Confirmations
V1-10
510
Initial Audit Engagements—Opening Balances
V1-15
520
Analytical Procedures
V1-10
V2 - 21
530
Audit Sampling
V2-17
540
Auditing Accounting Estimates, Including Fair Value Accounting
Estimates, and Related Disclosures
V1-11
V2 - 21
550
Related Parties
V1-12
560
Subsequent Events
V1-13
570
Going Concern
V1-14
580
Written Representations
V2-19
600
Special Considerations—Audits of Group Financial Statements
(Including the Work of Component Auditors)
V1-15
610
Using the Work of Internal Auditors
V1-15
620
Using the Work of an Auditor’s Expert
V1-15
06/10/2010
Page 15
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
ISA/ISQC
Reference
Primary
Guide Chapter
700
Forming an Opinion and Reporting on Financial Statements
705
Modifications to the Opinion in the Independent Auditor’s Report
V2-23
706
Emphasis of Matter Paragraphs and Other Matter Paragraphs in the
Independent Auditor’s Report
V2-24
710
Comparative Information― Corresponding Figures and Comparative
Financial Statements
V2-25
720
The Auditor’s Responsibilities Relating to Other Information in Documents
Containing Audited Financial Statements
V1-15
800
Special Considerations—Audits of Financial Statements
Prepared in Accordance with Special Purpose Frameworks
805
Special Considerations—Audits of Single Financial Statements
V1-3, 17
Not addressed
Not addressed
and Specific Elements, Accounts or Items of a Financial Statement
810
Engagements to Report on Summary Financial Statements
Not addressed
ISAs 800, 805 and 810 were considered to have limited application in the audits of SMEs at the present
time so they have not been specifically addressed in this edition of the Guide.
The following table cross-references the Guide’s chapters to the principal ISA Chapters addressed.
Note:
This table provides a general cross-reference only. Many chapters in this Guide cover aspects
addressed by more than one particular ISA.
Chapter
Title
Primary ISA
Reference
V1 - 3
The Risk-Based Audit – Overview
V1 - 4
Ethics, Independence, ISAs and Quality Control
V1 - 5
Internal Control – Purpose and Components
315
V1 - 6
Financial Statement Assertions
315
V1 - 7
Materiality and Audit Risk
320
06/10/2010
Multiple
ISQC 1, 200, 220
Page 16
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Chapter
Title
Primary ISA
Reference
V1 - 8
Risk Assessment Procedures
V1 - 9
Responding to Assessed Risks
V1 - 10
Further Audit Procedures
V1 - 11
Accounting Estimates
540
V1 - 12
Related Parties
550
V1 - 13
Subsequent Events
560
V1 - 14
Going Concern
570
V1 - 15
Summary of Other ISA Requirements
250, 402, 501, 510,
600, 610, 620, 720
V1 - 16
Audit Documentation
ISQC 1, 220, 230,
240, 300, 315, 330
V1 – 17
Forming an Opinion on Financial Statements
V2 – 4
Client Acceptance and Continuance
V2 – 5
Overall Audit Strategy
V2 – 6
Determining and Using Materiality
V2 – 7
Audit Team Discussions
V2 – 8
Inherent Risks – Identification
240, 315
V2 – 9
Inherent Risk – Assessment
240, 315
06/10/2010
240, 315
240, 300, 330, 500
330, 505, 520
700
ISQC 1, 210, 220,
300
300
320, 450
240, 300, 315
Page 17
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Primary ISA
Reference
Chapter
Title
V2 – 10
Significant Risks
V2 – 11
Understanding Internal Control
315
V2 – 12
Evaluating Internal Control
315
V2 – 13
Communicating Deficiencies in Internal Control
265
V2 – 14
Concluding the Risk Assessment Phase
315
V2 – 16
The Responsive Audit Plan
V2 – 17
Determining the Extent of Testing
V2 – 18
Documenting Work Performed
V2 – 19
Written Representations
V2 – 21
Evaluating Audit Evidence
V2 – 22
Communicating with Those Charged with Governance
V2 – 23
Modifications to the Auditor’s Report
705
V2 – 24
Emphasis of Matter and Other Matter Paragraphs
706
V2 – 25
Comparative Information
710
2.2
240, 315, 300
260, 300, 330, 500
330, 500, 530
230, 500
580
220, 330, 450, 520,
540
260, 450
The Audit Process
The audit approach outlined in this Guide has been divided into three phases – risk assessment, risk
response and reporting. The following chart illustrates the nature of each phase and the interrelationships
between the activities and phases.
Exhibit 2.2-1
06/10/2010
Page 18
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Response
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Develop appropriate
responses to the
assessed RMM3
Implement responses
to assessed RMM3
Evaluate the audit
evidence obtained
Reporting
Documentation1
yes
Reduce audit risk
to an acceptably
low level
Work performed
Audit findings
Staff supervision
Working paper review
Determine what
additional audit work
(if any) is required
Is
additional
work
required?
no
Prepare the
auditor’s report
Form an opinion
based on audit
findings
Significant decisions
Signed audit opinion
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3 RMM = Risks of material misstatement
06/10/2010
Page 19
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Volume 1
Core Concepts
3.
THE RISK-BASED AUDIT — OVERVIEW
Chapter Content
Auditor objectives, basic elements and approach to
performing a risk-based audit.
Relevant ISAs
Multiple
Exhibit 3.0-1
Paragraph #
200.11
ISA Objective(s)
In conducting an audit of financial statements, the overall objectives of the auditor are:
(a)
To obtain reasonable assurance about whether the financial statements as a whole are free from
material misstatement, whether due to fraud or error, thereby enabling the auditor to express an
opinion on whether the financial statements are prepared, in all material respects, in accordance
with an applicable financial reporting framework; and
(b)
To report on the financial statements, and communicate as required by the ISAs, in accordance
with the auditor's findings.
Paragraph #
Relevant Extracts from ISAs
200.3
The purpose of an audit is to enhance the degree of confidence of intended users in the financial
statements. This is achieved by the expression of an opinion by the auditor on whether the financial
statements are prepared, in all material respects, in accordance with an applicable financial reporting
framework. In the case of most general purpose frameworks, that opinion is on whether the financial
statements are presented fairly, in all material respects, or give a true and fair view in accordance with
the framework. An audit conducted in accordance with ISAs and relevant ethical requirements enables
06/10/2010
Page 20
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
the auditor to form that opinion. (Ref: Para. A1)
As the basis for the auditor’s opinion, ISAs require the auditor to obtain reasonable assurance about
whether the financial statements as a whole are free from material misstatement, whether due to fraud or
error. Reasonable assurance is a high level of assurance. It is obtained when the auditor has obtained
sufficient appropriate audit evidence to reduce audit risk (i.e., the risk that the auditor expresses an
inappropriate opinion when the financial statements are materially misstated) to an acceptably low level.
However, reasonable assurance is not an absolute level of assurance, because there are inherent
limitations of an audit which result in most of the audit evidence on which the auditor draws conclusions
and bases the auditor’s opinion being persuasive rather than conclusive. (Ref: Para. A28-A52)
200.5
200.A34
The risks of material misstatement may exist at two levels:
•
The overall financial statement level; and
•
The assertion level for classes of transactions, account balances, and disclosures.
200.A40
The ISAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined
assessment of the "risks of material misstatement." However, the auditor may make separate or
combined assessments of inherent and control risk depending on preferred audit techniques or
methodologies and practical considerations. The assessment of the risks of material misstatement may be
expressed in quantitative terms, such as in percentages, or in non-quantitative terms. In any case, the
need for the auditor to make appropriate risk assessments is more important than the different
approaches by which they may be made.
200.A45
The auditor is not expected to, and cannot, reduce audit risk to zero and cannot therefore obtain absolute
assurance that the financial statements are free from material misstatement due to fraud or error. This is
because there are inherent limitations of an audit, which result in most of the audit evidence on which
the auditor draws conclusions and bases the auditor's opinion being persuasive rather than conclusive.
The inherent limitations of an audit arise from:
3.1
•
The nature of financial reporting;
•
The nature of audit procedures; and
•
The need for the audit to be conducted within a reasonable period of time and at a reasonable
cost.
Overview
The auditor’s overall objectives in a risk-based audit are:
(a) To obtain reasonable assurance about whether the financial statements as a whole are free from
material misstatement, whether due to fraud or error, thereby enabling the auditor to express an
opinion on whether the financial statements are prepared, in all material respects, in accordance
with an applicable financial reporting framework; and
(b) To report on the financial statements, and communicate as required by the ISAs, in accordance
with the auditor's findings.
Reasonable Assurance
ISAs require the auditor to obtain reasonable assurance about whether the financial statements as a whole
are free from material misstatement, whether due to fraud or error.
Reasonable assurance is a high but not absolute level of assurance. It is obtained when the auditor has
obtained sufficient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor
06/10/2010
Page 21
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
expresses an inappropriate opinion when the financial statements are materially misstated) to an
acceptably low level. The auditor cannot provide absolute assurance due to the inherent limitations in the
work carried out. This results from the majority of audit evidence (on which the auditor draws
conclusions and bases the auditor's opinion) being persuasive rather than conclusive.
Inherent Limitations of an Audit
The following exhibit outlines some of the inherent limitations of audit work performed.
Exhibit 3.1-1
Limitations
Reasons
The Nature of
Financial Reporting
The preparation of financial statements involves:
Nature of Audit
Evidence Available
•
judgment by management in applying the applicable financial reporting
framework; and
•
subjective decisions or assessments (such as estimates) by management
involving a range of acceptable interpretations or judgments.
Most of the auditor's work in forming the auditor's opinion consists of
obtaining and evaluating audit evidence. This evidence tends to be persuasive
in character rather than conclusive.
Audit evidence is primarily obtained from audit procedures performed during
the course of the audit. It may also include information obtained from other
sources such as:
• Previous audits;
• A firm's quality control procedures for client acceptance and continuance;
• The entity's accounting records; and
• Audit evidence prepared by an expert employed or engaged by the entity.
The Nature of Audit
Procedures
Timeliness of
Financial Reporting
Audit procedures, however well designed will not detect every misstatement.
Consider the following:
•
Any sample of less than 100% of a population introduces some risk
that a misstatement will not be detected.
•
Management or others may not provide, intentionally or
unintentionally, the complete information required. Fraud may involve
sophisticated and carefully organized schemes designed to conceal it.
•
Audit procedures used to gather audit evidence may not detect that
some information is missing.
The relevance/value of financial information tends to diminish over time so a
balance needs to be struck between the reliability of information and its cost.
There is an expectation by users of financial statements that the auditor will
form their opinion within a reasonable period of time and at a reasonable cost.
Consequently it is impracticable to address all information that may exist or to
pursue every matter exhaustively on the assumption that information is in error
06/10/2010
Page 22
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Limitations
Reasons
or fraudulent until proved otherwise.
Scope of an Audit
The scope of the auditor’s work and the opinion provided are usually confined to whether the financial
statements are prepared, in all material respects, in accordance with the applicable financial reporting
framework. As a result, an unmodified auditor’s report does not provide any assurance about the future
viability of the entity nor the efficiency or effectiveness with which management has conducted the
affairs of the entity.
Any extension of this basic audit responsibility, such as required by local laws or securities regulation,
would require the auditor to undertake further work and to modify or expand the auditor’s report
accordingly.
Material Misstatements
A material misstatement (the aggregate of all uncorrected misstatements and missing/misleading
disclosures in the financial statements, including omissions) has occurred when they could reasonably be
expected to influence the economic decisions of users taken on the basis of the financial statements.
Assertions
Assertions are representations by management, explicit or otherwise, that are embodied in the financial
statements. They relate to the recognition, measurement, presentation and disclosure of the various
elements (amounts and disclosures) in the financial statements. For example, the completeness assertion
relates to all transactions and events that should have been recorded having been recorded. They are used
by the auditor to consider the different types of potential misstatements that may occur.
3.2
Audit Risk
Audit risk is the risk of expressing an inappropriate audit opinion on financial statements that are
materially misstated. The objective of the audit is to reduce this audit risk to an acceptably low level.
Audit risk has two key elements as illustrated below.
Exhibit 3.2-1
Risk
Nature
Source
Inherent and
Control Risks
The financial statements may
contain a material misstatement.
Entity objectives/operations and
managements design/implementation of
internal control
Detection Risk
The auditor may fail to detect a
material misstatement in the
financial statements.
Nature and extent of the procedures
performed by the auditor
To reduce audit risk to an acceptably low level, the auditor is required to:
•
Assess the risks of material misstatement; and
06/10/2010
Page 23
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Limit detection risk. This may be achieved by performing procedures that respond to the assessed
risks of material misstatement at the financial statement level and at the assertion level for classes of
transactions, account balance and disclosures.
Audit Risk Components
The major components of audit risk are described in the exhibit below.
Exhibit 3.2-2
Nature
Description
Commentary
Inherent
Risk
The susceptibility of an assertion
about a class of transaction, account
balance or disclosure to a
misstatement that could be material,
either individually or when
aggregated with other misstatements,
before consideration of any related
controls.
This includes events or conditions (internal or
external) that could result in a misstatement
(error or fraud) in the financial statements.
The sources of risk (often categorized as
business or fraud risks) can arise from the
entity’s objectives, nature of
operations/industry, the regulatory
environment in which it operates and its size
and complexity.
Control Risk
The risk that a misstatement that
could occur in an assertion about a
class of transaction, account balance
or disclosure and that could be
material, either individually or when
aggregated with other misstatements,
will not be prevented, or detected and
corrected, on a timely basis by the
entity’s internal control.
Management designs controls to mitigate a
specified inherent (business or fraud risk)
factor. An entity assesses its risks (risk
assessment) and then designs and implements
appropriate controls to reduce its risk
exposure to a tolerable (acceptable) level.
The risk that the procedures
performed by the auditor to reduce
audit risk to an acceptably low level
will not detect a misstatement that
exists and that could be material,
either individually or when
aggregated with other misstatements. The auditor assesses the risk of material
misstatement (inherent and control risk) at the
financial statement and assertion levels.
Detection
Risk
06/10/2010
Controls may be:
• Pervasive in nature such as management’s
attitude toward control, commitment to
hiring competent people and prevention
of fraud. These are generally called entity
level controls; and
• Specific to the initiation, processing or
recording of a particular transaction.
These are often called business process,
activity level or transaction controls.
Audit procedures are then developed to
reduce audit risk to an acceptably low level.
This includes consideration of the potential
Page 24
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Nature
Description
Commentary
risk of:
• Selecting an inappropriate audit
procedure;
• Misapplying an appropriate audit
procedure; or
• Misinterpreting the results from an audit
procedure.
Note: The ISAs define the risk of material misstatement at the assertion level as consisting of two components, being inherent risk and control risk. Consequently, the ISAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the "risks of material misstatement." However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. Consider Point
Many inherent risks can result in both business and fraud risks. Where this occurs, list and assess the
fraud risk factors separately from the business risk factors. Otherwise it is possible that the audit
response will only address the business risk element and not the fraud risk.
Separating the fraud risk element from a business risk also enables the fraud to be assessed in relation
to all the other fraud risks identified. This may help to reveal an unusual pattern of events/transactions
for investigation or an individual(s) with the motive opportunity and rationalization to commit fraud.
For example, a new accounting system may create potential for errors (business risk) but may also
provide an opportunity for someone to manipulate financial results or misappropriate funds (fraud
risk).
Summary of the Audit Risk Components
Exhibit 3.2-3
Entity Objective
Prepare Financial Statements that are not materially misstated
Low Risk
Inherent
Risk
Moderate Risk
High Risk
Business/fraud risks that would prevent objective being achieved
Control
Risk
Managements Response:
Internal controls that mitigate the risks identified
Risk of
material
misstatement
Low
Risk exposure to fraud and error
High
Note:
06/10/2010
Page 25
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The length of the bars in the chart would vary based on the particular circumstances and risk profile of the
entity.
Exhibit 3.2-4
Auditor’s Objective
Determine whether entity’s financial statements are free from material misstatement
Low Risk
Inherent
Risk
Moderate Risk
High Risk
Where could material misstatements in the financial statements occur?
Control
Risk
Do managements internal controls
mitigate the inherent risks identified?
Risk of
material
misstatement
Audit procedures designed to respond to risks of misstatement identified
Audit risk reduced to
an acceptably low level
Low
Risk exposure to fraud and error
High
Note:
The length of the bars in the chart would vary based on the particular circumstances and risk profile of the
entity and the nature of the auditor’s response.
3.3
How to Perform a Risk-Based Audit
Paragraph #
Relevant Extracts from ISAs
200.15
The auditor shall plan and perform an audit with professional skepticism recognizing that circumstances
may exist that cause the financial statements to be materially misstated. (Ref: Para. A18-A22)
200.16
The auditor shall exercise professional judgment in planning and performing an audit of financial
statements. (Ref: Para. A23-A27)
200.17
200.21
To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce
audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on
which to base the auditor’s opinion. (Ref: Para. A28-A52)
To achieve the overall objectives of the auditor, the auditor shall use the objectives stated in relevant
ISAs in planning and performing the audit, having regard to the interrelationships among the ISAs, to:
(Ref: Para. A67-A69)
(a) Determine whether any audit procedures in addition to those required by the ISAs are necessary in
pursuance of the objectives stated in the ISAs; and (Ref: Para. A70)
(b) Evaluate whether sufficient appropriate audit evidence has been obtained. (Ref: Para. A71)
06/10/2010
Page 26
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
A risk-based audit has three key steps, as illustrated below.
Exhibit 3.3-1
Steps (Phases)
Description
Risk Assessment
Performing risk assessment procedures to identify and assess the risks of
material misstatement in the financial statements.
Risk Response
Designing and performing further audit procedures that respond to identified
and assessed risks of material misstatements at both the financial statement and
assertion level.
This involves:
a) forming an opinion based on the audit evidence obtained; and,
b) preparing and issuing a report that is appropriate to the conclusions
reached.
Reporting
A simple way of describing the three elements is illustrated below.
Exhibit 3.3-2
*
An “event” is simply a business or fraud risk factor (see descriptions in Exhibit 3.2-2) that, if it actually occurred, would adversely affect
the entity’s ability to achieve its objective of preparing financial statements that do not contain material misstatements resulting
from error and fraud. This would also include risks resulting from the absence of internal control to mitigate the potential for
material misstatements in the financial statements.
The various tasks involved in each of these three phases are outlined below. Each phase is addressed in
more detail in subsequent chapters of this Guide.
Risk Assessment
Paragraph #
315.3
ISA Objective(s)
The objective of the auditor is to identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertion levels, through
understanding the entity and its environment, including the entity's internal control,
thereby providing a basis for designing and implementing responses to the assessed risks
of material misstatement.
Exhibit 3.3-3
06/10/2010
Page 27
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Documentation1
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
An effective risk assessment phase requires:
Exhibit 3.3-4
Requirements
Description
Up-Front
Involvement of
Senior Team
Members
The engagement partner and other key members of the engagement team need
to be actively involved in planning the audit and in planning and participating
in the discussion among engagement team members. This will ensure the audit
plan takes advantage of their experience and insight. Note that ISAs usually
refer to the term “auditor” as the person(s) performing the engagement. Where
an ISA intends a requirement or responsibility be fulfilled by the engagement
partner, the term "engagement partner" rather than "auditor" is used.
An emphasis on
“Professional
Skepticism”
The auditor cannot be expected to disregard past experience of the honesty and
integrity of the entity's management and those charged with governance.
Nevertheless, a belief that management and those charged with governance are
honest and have integrity does not relieve the auditor of the need to maintain
professional scepticism or allow the auditor to be satisfied with less-thanpersuasive audit evidence when obtaining reasonable assurance.
Planning
The time spent in audit planning (developing the overall audit strategy and
audit plan) will ensure that audit objectives are properly met and that the work
of audit staff is always focused on gathering evidence on the most critical areas
of potential misstatement.
Team Discussions
A team planning discussion/meeting with the engagement partner present
06/10/2010
Page 28
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Requirements
Description
and Ongoing
Communication
provides an excellent forum for:
•
Informing staff about the client in general and discussing potential risk
areas;
•
Discussing the effectiveness of the overall audit strategy and the audit plan
and then making changes as necessary;
•
Brainstorming how fraud could occur and then designing an appropriate
response; and
•
Allocating audit responsibilities and setting timeframes.
Ongoing communication among the audit team throughout the engagement is
also important to discuss and address audit issues as they arise, any unusual
activities noted or possible indicators of fraud. This will enable timely
communications to management and, where necessary changes to the audit
strategy and audit procedures.
Focus on Risk
Identification
The most important step in a risk assessment process is to identify all the
relevant risks. If business and fraud risks factors are not identified by the
auditor, they will not be assessed or documented and an appropriate audit
response (if required) will not be designed. This is why well-designed risk
assessment procedures are so important to the effectiveness of the audit. These
risk assessment procedures also need to be performed by the appropriate level
of staff.
Ability to Evaluate
Management’s
Response(s) to Risk
A key step in the risk assessment process is to evaluate the effectiveness of
management’s responses (that is, management’s control
design/implementation), if any, to mitigate the identified risks of material
misstatement in the financial statements. In smaller entities, more reliance will
likely be placed on the control environment and monitoring of controls and
less on the traditional control activities.
Use of Professional
Judgment
The ISA audit requirements require the use and then documentation of
significant judgments made by the auditor throughout the audit. Typical
examples of tasks throughout the risk assessment process include:
06/10/2010
•
Deciding to accept or continue with the client;
•
Developing the overall audit strategy;
•
Establishing materiality;
•
Assessing risks of material misstatement including the identification of
significant risks and other areas where special audit consideration may be
necessary; and
•
Developing expectations for use when performing analytical procedures.
Page 29
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Risk Response
Paragraph #
ISA Objective(s)
330.3
The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks
of material misstatement, through designing and implementing appropriate responses to those risks.
Exhibit 3.3-5
Activity
Purpose
Documentation1
Risk Response
Develop appropriate
responses to the
assessed RMM3
Implement responses
to assessed RMM3
Reduce audit risk
to an acceptably
low level
Work performed
Audit findings
Staff supervision
Working paper review
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
In this phase, the auditor considers the reasons (inherent and control risks) for the risk assessments at the
financial statement level and at the assertion level (for each class of transactions, account balance, and
disclosure) and develops responsive audit procedures.
The auditor’s response to the assessed risks of material misstatement is documented in an audit plan that:
•
Contains an overall response to the risks identified at the financial statement level;
•
Addresses the material financial statement areas; and
•
Contains the nature, extent and timing of specific audit procedures tailored to respond to the
assessed risks of material misstatement at the assertion level.
The overall responses address assessed risks of material misstatement at the financial statement level.
Such responses would include the assignment and supervision of appropriate personnel, need for
professional skepticism, extent of corroboration required for management’s explanations/representations,
consideration of the audit procedures to be performed and what documentation would be examined in
support of material transactions.
Further audit procedures generally consist of substantive procedures such as tests of details, analytical
procedures and tests of control (where there is an expectation that such controls have been operating
effectively during the period).
Some of the matters the auditor should consider when planning the appropriate mix of audit procedures to
respond to identified risks include the following:
06/10/2010
Page 30
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Use of tests of controls
– Identify relevant internal controls that, if tested, would reduce the need/scope for other
substantive procedures. As a general rule, the sample size for testing controls is often
significantly less than for a substantive test of a transaction stream. Assuming that the relevant
controls operate consistently and control deviations are unlikely, the use of tests of controls can
often result in less work being performed. However, there is no requirement that the operating
effectiveness of internal controls (direct or indirect) be tested.
– Identify any assertions that cannot be addressed by substantive procedures alone. For example,
this can often apply to completeness of sales in a small entity and situations where there is highly
automated processing of transactions (such as internet sales) with little or no manual intervention.
•
Substantive analytical procedures
These are procedures where the total amount of a transaction stream can be reliably predicted based
on available evidence. This expectation is compared to the actual amount in the accounting records
and the extent of any misstatement readily identified (See Volume 1, Chapter 10). In some cases, if
the assessed risk for a particular assertion is low, (without considering related controls) the auditor
may determine that substantive analytical procedures alone would provide sufficient appropriate audit
evidence.
•
Unpredictability
The need to incorporate an element of unpredictability in procedures performed. A typical example
would be procedures to address possible fraud.
•
Management override
The need for specific audit procedures to address the potential for management override.
•
Significant risks
The audit response to “significant risks” that have been identified. (See Volume 2, Chapter 10)
Reporting
Paragraph #
ISA Objective(s)
700.6
The objectives of the auditor are:
(a) To form an opinion on the financial statements based on an evaluation of the conclusions drawn from
the audit evidence obtained; and
(b) To express clearly that opinion through a written report that also describes the basis for that opinion.
Exhibit 3.3-6
06/10/2010
Page 31
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Back to risk
assessment2
Activity
Reporting
Evaluate the audit
evidence obtained
yes
Purpose
Documentation1
Determine what
additional audit work
(if any) is required
Is
additional
work
required?
no
Prepare the
auditor’s report
Form an opinion
based on audit
findings
Significant decisions
Signed audit opinion
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3 RMM = Risks of material misstatement
The final phase of the audit is to assess the audit evidence obtained and determine whether it is sufficient
and appropriate to reduce audit risk to an acceptably low level.
It is important during this phase of the audit to determine:
•
Any change in the assessed level of risk;
•
Whether conclusions drawn from the work performed are appropriate;
•
If any suspicious circumstances have been encountered; and
•
That additional risks (not previously identified) have been appropriately assessed and further audit
procedures performed as required.
A team debriefing meeting (towards or at the end of the fieldwork) is not a specific requirement of the
ISAs but can be useful for staff to discuss the audit findings, identify any indications of fraud and
determine the need (if any) to perform any further audit procedures.
When all procedures have been performed and conclusions reached:
•
Audit findings should be reported to management and those charged with governance; and
•
An audit opinion should be formed and a decision made on the appropriate wording for the auditor’s
report.
3.4 Documentation
Sufficient audit documentation is required to enable an experienced auditor, having no previous
connection with the audit, to understand:
•
The nature, timing and extent of the audit procedures performed,
•
The results of performing those procedures and the audit evidence obtained; and
06/10/2010
Page 32
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Significant matters arising during the audit, the conclusions reached thereon, and significant
professional judgments made in reaching those conclusions.
Audit documentation for a smaller entity is generally less extensive than that for the audit of a larger
entity. For example, various aspects of the audit could be recorded together in a single document, with
cross-references to supporting working papers, as appropriate.
It is not necessary for the auditor to document:
3.5
•
Every minor matter considered, or every professional judgment made, in an audit.
•
Compliance with matters for which compliance is demonstrated by documents included within
the audit file. For example; an audit plan on file demonstrates that the audit was planned and a
signed engagement letter demonstrates that the auditor has agreed the terms of the audit
engagement.
Benefits of the Risk-Based Audit
Some of the benefits of the risk-based approach are summarized in the exhibit below.
Exhibit 3.5-1
Benefits
Description
Time Flexibility
When Audit
Work Needs
to be Performed
Risk assessment procedures can often be performed earlier in the entity’s fiscal
period than was possible before risk-based auditing was introduced. Because
risk assessment procedures do not involve the detailed testing of transactions
and balances, they can be performed well before the period-end, assuming no
major operational changes are anticipated. This can help in balancing the
workload of audit staff more evenly throughout the period. It may provide the
client with time to respond to identified (and communicated) weaknesses in
internal control and other requests for assistance before the commencement of
period-end audit fieldwork. However, where interim financial information is
not readily available, the analytical risk assessment procedures may have to be
performed at a later date.
Audit Team’s Effort
Focused on Key
Areas
By understanding where the risks of material misstatement can occur in
financial statements, the auditor can direct the audit team’s effort toward highrisk areas and perhaps reduce work in lower risk areas. This will also help to
ensure audit staff resources are used effectively.
Audit Procedures
Focused on Specific
Risks
Further audit procedures are designed to respond to assessed risks.
Consequently, tests of details that only address risks in general terms may be
significantly reduced or even eliminated.
Understanding of
Internal Control
The required understanding of internal control enables the auditor to make
informed decisions on whether to test the operating effectiveness of internal
control. Tests of controls (for which some controls may only require testing
every three years) will often result in much less work being required than
performing extensive tests of details. (See Volume 2, Chapter 17.)
06/10/2010
Page 33
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Benefits
Description
Timely
Communication of
Matters of Interest
to Management
The improved understanding of internal control may enable the auditor to
identify weaknesses in internal control (such as in the control environment and
general IT controls) that were not previously recognized. Communicating
these weaknesses to management on a timely basis will enable them to take
appropriate action, which is to their benefit. This may also save time in
performing the audit.
3.6 ISAs for Smaller Audits
Paragraph #
Relevant Extracts from Application Material in ISAs
200.A63
When appropriate, additional considerations specific to audits of smaller entities and public sector entities
are included within the application and other explanatory material of an ISA. These additional
considerations assist in the application of the requirements of the ISA in the audit of such entities. They do
not, however, limit or reduce the responsibility of the auditor to apply and comply with the requirements
of the ISAs.
200.A64
For purposes of specifying additional considerations to audits of smaller entities, a “smaller entity” refers
to an entity which typically possesses qualitative characteristics such as:
(a) Concentration of ownership and management in a small number of individuals (often a single
individual – either a natural person or another enterprise that owns the entity provided the owner
exhibits the relevant qualitative characteristics); and
(b) One or more of the following:
(i) Straightforward or uncomplicated transactions;
(ii) Simple record-keeping;
(iii) Few lines of business and few products within business lines;
(iv) Few internal controls;
(v) Few levels of management with responsibility for a broad range of controls; or
(vi) Few personnel, many having a wide range of duties.
These qualitative characteristics are not exhaustive, they are not exclusive to smaller entities, and smaller
entities do not necessarily display all of these characteristics.
200.A65
The considerations specific to smaller entities included in the ISAs have been developed primarily with
unlisted entities in mind. Some of the considerations, however, may be helpful in audits of smaller listed
entities.
200.A66
The ISAs refer to the proprietor of a smaller entity who is involved in running the entity on a day-to-day
basis as the “owner-manager.”
ISAs do not distinguish between the audit approach required for a one-person entity from that required for
a national entity employing thousands of people. An audit is an audit. Consequently, the basic approach to
an audit does not change just because the entity is small.
The word “audit” is intended to convey a clear message to users of financial statements. That message is
that the auditor has obtained reasonable assurance that the financial statements are free from material
misstatements, regardless of the size or type of the entity that has been audited.
06/10/2010
Page 34
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
This issue of proportionality was addressed by IAASB staff in a Staff Questions and Answers document,
entitled “Applying ISAs Proportionately with the Size and Complexity of an Entity”2, issued in August
2009. Its purpose is to assist auditors in applying the clarified ISAs in a cost-effective manner. The
response to the question “How do ISAs address the different characteristics of a small entity from a
larger, more complex entity” was as follows:
“The auditor’s objectives are the same for audits of entities of different sizes and
complexities. This, however, does not mean that every audit will be planned and
performed in exactly the same way. The ISAs recognize that the specific audit
procedures to be undertaken to achieve the auditor’s objectives and to comply with
the requirements of the ISAs may vary considerably depending on whether the entity
being audited is large or small and whether it is complex or relatively simple. The
requirements of the ISAs, therefore, focus on matters that the auditor needs to address
in an audit and do not ordinarily detail the specific procedures that the auditor should
perform.
The ISAs also explain that the appropriate audit approach for designing and
performing further audit procedures depends on the auditor’s risk assessment. For
example, based on the required understanding of the entity and its environment,
including its internal control and the assessed risks of material misstatement, the
auditor may determine that a combined approach using both tests of controls and
substantive procedures is an effective approach in the circumstances in responding to
the assessed risks. In other cases, for example, in the context of an SME audit where
there are not many control activities in the SME that can be identified by the auditor,
the auditor may decide that it is efficient to perform further audit procedures that are
primarily substantive procedures.
It is also important to note that the ISAs acknowledge that the appropriate exercise of
professional judgment is essential to the proper conduct of an audit. Professional
judgment is necessary, in particular, regarding decisions about the nature, timing, and
extent of audit procedures used to meet the requirements of the ISAs and gather audit
evidence.5 However, while the auditor of an SME needs to exercise professional
judgment, this does not mean that the auditor can decide not to apply a requirement
of an ISA except in exceptional circumstances and provided that the auditor performs
alternative audit procedures to achieve the aim of the requirement.”
The key points in the excerpt above can be summarized as follows:
1. Audit objectives are the same for any size of audit.
2. The specific audit procedures required may vary considerably depending on the size of entity and
the assessed risks.
3. The ISAs focus on matters the auditor needs to address − not on the details of specific
procedures.
4. The design of further audit procedures depends on the auditor’s risk assessment.
5. The appropriate exercise of professional judgment is essential in tailoring the procedures to
respond appropriately to the assessed risks.
2
Applying ISAs Proportionately with the Size and Complexity of an Entity is at:
http://web.ifac.org/publications/international-auditing-and-assurance-standards-board/practice-alerts-and-q-as#applying-isasproportionate
06/10/2010
Page 35
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
6. Professional judgment cannot be used to avoid compliance with any ISA requirements except in
exceptional circumstances.
In addition, the ISAs contain a number of special paragraphs that address considerations specific to audits
of SMEs. This material provides useful guidance material in applying specific ISA requirements in the
context of an SME audit.
Some suggestions for successfully implementing ISAs on smaller engagements are as follows:
Exhibit 3.6-1
1. Take time to read the clarified ISAs and to train staff.
Failure to understand the requirements can lead to:
•
The entire risk assessment phase of the audit becoming an “add on” to the other substantive
audit work performed. It should be the risk assessment that drives the selection of audit
procedures to be performed, not a standardized listing of procedures that could be applied to
any entity. The purpose of the risk assessment is to focus the audit effort on areas where
there is a greater risk of material misstatement in the financial statements and away from
less risky areas.
•
Turning what should be a simple audit into a complex and time-consuming project. This can
arise if efforts are focused on completing needless standard audit forms and checklists rather
than using professional judgment to scale the work according to the size and complexity of
the entity being audited and the risks involved.
•
Failure to comply with an ISA (“the auditor shall”) requirement.
2. Take time to plan well - no matter how small the engagement
It has been said an hour spent in planning, can save many more in execution. Effective audit
planning is often the difference between a quality audit within budget and a poor quality audit
over budget. This does not necessarily mean having dedicated team meetings held in the office.
On very small engagements, planning can be achieved through brief discussions at the start of the
engagement and as the audit progresses.
Key areas to address in planning:
•
Encourage staff to identify areas where the usual audit procedures seem excessive in
relation to the risk of misstatement being addressed.
•
Take time to ensure each staff member understands the necessity and purpose of the
documentation they are required to complete. Countless hours can be lost by staff
attempting to complete a form they do not understand.
•
Discuss the potential for fraud. Encourage staff to be skeptical and inquisitive and
empower them to raise issues, observations, or unexplained matters.
•
Discuss known related parties and the nature/size of transactions.
•
Consider whether the audit documentation prepared in previous periods can simply be
updated for changes that have occurred rather than be prepared all over again.
Documentation and assessment of risk factors and relevant internal controls should be
sufficient to enable auditors in subsequent periods to leverage their understanding of the
entity and focus attention on new industry trends, key operational changes, new inherent
risks, and revised internal controls.
06/10/2010
Page 36
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
3. Evaluate the control environment
Take time to understand the pervasive internal controls that are part of the control environment.
Pervasive controls are quite different from transactional controls; they address such matters such
as integrity and ethics, corporate governance, employee competence, managements’ attitudes
toward control, fraud prevention, risk management and control monitoring. If the “tone at the
top” is poor, management override can easily occur and even the very best transactional controls
over processes such as purchases and sales could be undermined.
4. Aim for continual improvement
There is a tendency for some auditors to blindly follow the example of the previous auditor,
resulting in a file that mirrors that of last year. A much better approach is to continually
review/challenge the work performed in previous years and identify changes that will make the
audit more efficient and effective.
06/10/2010
Page 37
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
4.
ETHICS, ISAs AND QUALITY CONTROL
Chapter Content
Matters to be addressed in a firm’s system of quality
control to ensure compliance with ethical (including
independence) requirements and the ISAs.
Relevant ISAs/ICQCs
ISQC 1, 200, 220,
Exhibit 4.0-1
Paragraph #
ICQC/ISA Objective(s)
ISQC 1.11
The objective of the firm is to establish and maintain a system of quality control to provide it with
reasonable assurance that:
(a) The firm and its personnel comply with professional standards and applicable legal and
regulatory requirements; and
(b) Reports issued by the firm or engagement partners are appropriate in the circumstances.
220.6
The objective of the auditor is to implement quality control procedures at the engagement level that
provide the auditor with reasonable assurance that:
(a)
(b)
The audit complies with professional standards and applicable legal and regulatory
requirements; and
The auditor's report issued is appropriate in the circumstances.
Paragraph #
Relevant Extracts from ISAs/ISQC1
ISQC 1.13
Personnel within the firm responsible for establishing and maintaining the firm’s system of quality
control shall have an understanding of the entire text of this ISQC, including its application and
other explanatory material, to understand its objective and to apply its requirements properly.
ISQC 1.18
The firm shall establish policies and procedures designed to promote an internal culture
recognizing that quality is essential in performing engagements. Such policies and procedures
06/10/2010
Page 38
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs/ISQC1
shall require the firm’s chief executive officer (or equivalent) or, if appropriate, the firm’s
managing board of partners (or equivalent), to assume ultimate responsibility for the firm’s system
of quality control. (Ref: Para. A4-A5)
ISQC 1.19
The firm shall establish policies and procedures such that any person or persons assigned
operational responsibility for the firm’s system of quality control by the firm’s chief executive
officer or managing board of partners has sufficient and appropriate experience and ability, and
the necessary authority, to assume that responsibility. (Ref: Para. A6)
ISQC 1.29
The firm shall establish policies and procedures designed to provide it with reasonable assurance
that it has sufficient personnel with the competence, capabilities, and commitment to ethical
principles necessary to:
(a) Perform engagements in accordance with professional standards and applicable legal and
regulatory requirements; and
(b) Enable the firm or engagement partners to issue reports that are appropriate in the
circumstances. (Ref: Para. A24-A29)
ISQC 1.32
The firm shall establish policies and procedures designed to provide it with reasonable assurance
that engagements are performed in accordance with professional standards and applicable legal
and regulatory requirements, and that the firm or the engagement partner issue reports that are
appropriate in the circumstances. Such policies and procedures shall include:
(a) Matters relevant to promoting consistency in the quality of engagement performance; (Ref:
Para. A32-A33)
(b) Supervision responsibilities; and (Ref: Para. A34)
(c) Review responsibilities. (Ref: Para. A35)
ISQC 1.48
The firm shall establish a monitoring process designed to provide it with reasonable assurance that
the policies and procedures relating to the system of quality control are relevant, adequate, and
operating effectively. This process shall:
(a) Include an ongoing consideration and evaluation of the firm’s system of quality control
including, on a cyclical basis, inspection of at least one completed engagement for each
engagement partner;
(b) Require responsibility for the monitoring process to be assigned to a partner or partners or
other persons with sufficient and appropriate experience and authority in the firm to assume
that responsibility; and
(c) Require that those performing the engagement or the engagement quality control review are
not involved in inspecting the engagements. (Ref: Para. A64-A68)
ISQC 1.57
06/10/2010
The firm shall establish policies and procedures requiring appropriate documentation to provide
evidence of the operation of each element of its system of quality control. (Ref: Para. A73-A75)
Page 39
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs/ISQC1
200.14
The auditor shall comply with relevant ethical requirements, including those pertaining to
independence, relating to financial statement audit engagements. (Ref: Para. A14-A17)
200.15
The auditor shall plan and perform an audit with professional skepticism recognizing that
circumstances may exist that cause the financial statements to be materially misstated. (Ref: Para.
A18-A22)
200.16
The auditor shall exercise professional judgment in planning and performing an audit of
financial statements. (Ref: Para. A23-A27)
220.17
On or before the date of the auditor’s report, the engagement partner shall, through a review of
the audit documentation and discussion with the engagement team, be satisfied that sufficient
appropriate audit evidence has been obtained to support the conclusions reached and for the
auditor’s report to be issued. (Ref: Para. A18-A20)
220.18
The engagement partner shall:
(a) Take responsibility for the engagement team undertaking appropriate consultation on
difficult or contentious matters;
(b) Be satisfied that members of the engagement team have undertaken appropriate
consultation during the course of the engagement, both within the engagement team and
between the engagement team and others at the appropriate level within or outside the firm;
(c) Be satisfied that the nature and scope of, and conclusions resulting from, such consultations
are agreed with the party consulted; and
(d) Determine that conclusions resulting from such consultations have been implemented.
(Ref: Para. A21-A22)
220.19
For audits of financial statements of listed entities, and those other audit engagements, if any,
for which the firm has determined that an engagement quality control review is required, the
engagement partner shall:
(a) Determine that an engagement quality control reviewer has been appointed;
(b) Discuss significant matters arising during the audit engagement, including those identified
during the engagement quality control review, with the engagement quality control
reviewer; and
(c) Not date the auditor’s report until the completion of the engagement quality control review.
(Ref: Para. A23-A25)
4.1
Overview
Performing quality work begins with strong leadership within the firm and engagement partners
committed to the highest ethical standards.
This chapter focuses on developing the system of quality control within a firm. It provides some practical
guidance on matters that need to be considered whenever a firm decides to perform audit engagements.
The provision of quality audits and related services is vital to:
•
Safeguarding the public interest
06/10/2010
Page 40
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Maintaining client satisfaction;
•
Delivering value for money;
•
Ensuring compliance with professional standards; and
•
Establishing and maintaining a professional reputation.
The IFAC “Guide to Quality Control for Small- and Medium-Sized Practices” provides a detailed
description of the quality control standards and guidance on how to implement a system of quality control
for small- and medium-sized practices (SMPs). 3
The Code of Ethics for Professional Accountants, issued by the IESBA, can be downloaded from the
IFAC web site. In 2009, a revised Code of Ethics for Professional Accountants was issued that clarifies
some requirements and significantly strengthens the independence requirements of auditors such as
outlined below:
•
Extending the independence requirements for audits of listed entities to all public interest entities;
•
Requiring a cooling off period before certain members of the firm can join public interest audit clients
in certain specified positions;
•
Extending partner rotation requirements to all key audit partners;
•
Strengthening some of the provisions related to the provision of non-assurance services to audit
clients, such as tax planning and other advisory services. Some prohibitions may apply in cases of
non-public interest entities audits with regard to tax planning and other advisory services as well as to
assistance in resolution of tax services;
•
Requiring a pre- or post-issuance review if total fees from a public interest audit client exceed 15% of
the total fees of the firm for two consecutive years; and
•
Prohibiting key audit partners from being evaluated on, or compensated for, selling non-assurance
services to their audit clients.
The revised code will be effective from January 1, 2011.
4.2 Quality Control systems
The system of quality control in an accounting firm could be mapped to the five internal control elements
that auditors are required to evaluate as part of understanding any entity being audited. In a firm, these five
internal control elements would also be applicable to control systems in place (other than quality control)
such as time and billing, office workflow, expense control and marketing activities.
The following diagram maps the quality control elements outlined in ISQC 1 and ISA 220 to the five
internal control components contained in ISA 315, which are applicable to entities being audited. Each of
these five control elements is more fully addressed in Volume 1, Chapter 5 of this Guide.
Exhibit 4.2-1
Internal Control Elements
(ISA 315)
3
Firm Level QC Elements
(ISQC 1)
Engagement Level QC
Elements (ISA 220)
The web link is www.ifac.org/Store/Details.tmpl?SID=1236610272184921.
06/10/2010
Page 41
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Internal Control Elements
(ISA 315)
Firm Level QC Elements
(ISQC 1)
Engagement Level QC
Elements (ISA 220)
Control Environment
(Tone at the top)
Leadership Responsibilities for
Quality within the Firm
Leadership Responsibilities for
Quality on Audits
Relevant Ethical Requirements
Relevant Ethical Requirements
Human Resources
Assignment of Engagement
Teams
Acceptance and Continuance of
Client Relationships and
Specific Engagements
Acceptance and Continuance of
Client Relationships and Audit
Engagements
Risk Assessment
(What could go wrong?)
Risks that the report might not
be appropriate in the
circumstances
Quality Control System
Documentation
Audit Documentation
(Tracking performance)
Control Activities
Engagement Performance
Engagement Performance
Ongoing Monitoring of the
Firm’s Quality Control Policies
and Procedures
Applying Results of Ongoing
Monitoring to Specific Audit
Engagements
Information Systems
(Prevent & detect/correct controls)
Monitoring
(Are the firm’s/engagement’s
objectives being met?)
4.3
The Control Environment
Delivery of high quality and cost-effective services is the principal driver of success for professional audit
firms. Quality service is also vital in relation to the public interest responsibilities of professional
accountants.
The provision of quality services should always be a key objective in the firm’s business strategy and
something that needs to be communicated to all personnel on a regular basis with results being monitored.
This requires leadership and holding people accountable for their promised actions. Poor quality control
can lead to inappropriate opinions, poor client service, lawsuits and loss of reputation.
In smaller firms, some of the hindrances to a strong tone at the top could include matters set out below.
Exhibit 4.3-1
Hindrance
Description
Poor Attitudes
A poor attitude is at the heart of most hindrances to quality. It includes such
attitudes (but not necessarily this extreme) as the following:
•
06/10/2010
Firm continually operates in a crisis mode;
Page 42
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Hindrance
Description
•
Poorly planned engagements and activities are the norm;
•
Poor commitment to quality or compliance with the highest ethical
standards;
•
Not caring about the expectations of quality by the public and other
stakeholders;
•
Regard changes in auditing standards as only applicable for big entities.
Some practices and terminology may get changed to demonstrate
compliance on the surface but in substance the old audit practices continue
as before;
•
Belief that there is no risk to the firm in small audits ─ so work performed
should be minimal;
•
Audit work to be tailored to the fee received ─ not the risk involved;
•
Clients are considered totally trustworthy by control partner;
•
Minimizing or avoiding the need for “engagement quality control
reviews”;
•
Belief that, as the clients pay the bill, they must get what they want;
•
Partners keeping (or accepting) an audit client (for the fees generated)
even though it is (would be) highly risky for the firm;
•
Unwillingness to adopt standard firm policies on quality control. A partner
wants files and working papers to be prepared in his/her way without
regard for what others do; and
•
Asking staff to follow the firm’s policies but not complying personally
(i.e., an attitude of “do what I say, not what I do”).
Unwillingness to
Invest in Training
or Development
Conducting a quality audit is dependent on retaining qualified and competent
people to perform the work. This requires ongoing professional development
and performance appraisals for all partners and professional staff (every
period). Lack of investment in staff also leads to staff turnover.
Lack of Discipline
A failure to discipline partners or staff when the firm’s policies are
contravened sends a very clear message to personnel that written policies are
really not that important. This undermines compliance with all of the firm’s
policies and increases risk to the firm.
A healthy tone at the top can be set by the firm’s management and engagement partners through the
activities outlined below.
06/10/2010
Page 43
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 4.3-2
Setting the Tone
Description
Establish the Firm’s
Objectives,
Priorities and
Values
This could include:
• An unwavering commitment to quality and high ethical standards;
• Investment in staff’s learning, training and skills development;
• Investment in the required technological, human and financial resources;
• Policies to ensure sound engagement and fiscal management; and
• Risk tolerances for use in decision-making.
Communicate
Regularly
Reinforce the firm’s values and commitments by communicating regularly
(verbally and in writing) with staff. Communications would address the need
for integrity, objectivity, independence, professional skepticism, staff
development and accountability to the public. Communications could be made
through the performance appraisal system, partner updates, emails, office
meetings and internal newsletters.
Update the Quality
Control Manual
Each period, update the firm’s quality control policies and procedures to
address weaknesses and any new requirements.
Hold People
Accountable
Assign clear responsibilities and accountabilities for quality control functions
(such as independence issues, consultation, file review, etc.).
Develop Staff
Competence and
Reward Quality
Work
Develop staff through:
• Clear job descriptions and documented annual performance appraisals that
put quality of work as a priority;
• Providing incentives/rewards for delivering quality work; and
• Taking disciplinary action when the firm’s policies are contravened.
Continually
Improve
Take prompt action to correct deficiencies when identified, such as through the
firm’s engagement file monitoring including the cyclical inspection of
completed engagement files.
Set an Example
Provide staff with a role model in the positive example set by partners in their
day-to-day behavior. For example, if a policy emphasizes the need for quality
work, a staff member should then not be criticized for legitimately going over
the budgeted time.
4.4
Firm Risk Assessment
Risk management is an ongoing process that helps a firm to anticipate negative events, develop a
framework for effective decision-making and profitably deploy the firm’s resources.
Some form of risk management occurs in most firms, it is often informal and undocumented. Individual
partners typically identify risks and respond to them based on their direct involvement with the firm and
with their client base. Formalizing and documenting the process for the firm as a whole is a proactive and
more effective approach to risk assessment. This does not have to be time-consuming or cumbersome to
06/10/2010
Page 44
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
implement. Notably, effectively managing the firm’s risk assessment can result in less stress for partners
and staff, savings in time and costs, and improved chances of achieving the firm’s goals.
A simple risk assessment process can be used in any size of firm, even a sole proprietorship. It consists of
the activities set out below.
Exhibit 4.4-1
Activity
Description
Establish the Risk
Tolerances for the
Firm
These tolerances could be quantitative amounts such as allowable write offs of
work in process or qualitative factors such as characteristics of clients that
would not be acceptable to the firm. Once established, these tolerances provide
partners and staff with a useful reference point for decision-making (e.g., write
offs and client acceptance, etc.).
Identify What Can
go Wrong
Identify the events (that is, the risk factors or exposures) that could prevent the
firm from achieving its stated goals. This step implies that the firm has already
established clear objectives and a commitment to performing quality work.
Prioritize Risks
Using the risk tolerances established above, prioritize the events identified
based on an assessment of likelihood and impact.
What is the
Response Needed?
Develop an appropriate response to the assessed risks to reduce the potential
impact to within the firm’s acceptable tolerances. Potential events (risks) with
the highest priority would be addressed first.
Assign
Responsibility
For all risks that require action or monitoring, assign someone with the
responsibility to take the appropriate action and to manage the risk on a day-today basis.
Monitor Progress
Require periodic (simple) reports from each person assigned to manage risks
on behalf of the firm (this could address matters such as compliance with the
firms quality control procedures, training requirements, staff appraisals and
independence issues addressed).
A sample of a firm’s risk assessment worksheet could be as shown in the exhibit below.
Exhibit 4.4-2
06/10/2010
Page 45
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
4.5
Information Systems
Most firms have well-developed information systems for keeping track of clients, time and billing,
expenditures, people and engagement file management. However, information systems that track the
quality of work produced and compliance with the firm’s quality control manual are often not as well
developed.
Information systems should also be designed to address the risks identified and assessed as part of the
firm’s risk assessment process.
Aspects of quality control that merit documentation and ongoing review include keeping track of matters
set out below.
Exhibit 4.5-1
Keep track of:
Firm’s Risk
Exposure and
Staff’s Commitment
to Quality
Description
•
•
•
•
•
Ethics and
06/10/2010
•
•
Client acceptance/continuance assessments.
Reports from all persons responsible for some aspect of quality. This could
include minutes of committee meetings (i.e., quality control), issues
addressed or simply that there is nothing to report.
Firm-wide communications on the subject of quality.
Most recent monitoring report and the specific action steps required for
each deficiency found or recommendation made (who, what, when, etc.).
Also track dates when action steps are completed and send out reminders
when necessary.
Details of any client or third party complaints about the firm’s work or the
behaviour of the firm’s personnel. Also track how these complaints were
investigated, the results and communication with the complainant and any
actions taken.
List of prohibited investments.
Details on what ethical (including independence) threats were identified
Page 46
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Keep track of:
Description
and the relevant safeguards that have been applied to eliminate or at least
mitigate such threats.
Independence
Personnel
•
•
•
•
•
•
•
•
Engagement
Management
•
•
•
•
•
•
•
4.6
Offer of employment.
Evidence of reference checks being performed on new employees.
Actions to mentor, guide and train new recruits.
Copy and date of the annual staff confirmations on independence and staff
knowledge of the firm’s quality control manual.
Evidence of staff appraisals, including the date and any actions resulting
such as attending training, etc.
Staff scheduling with comparisons of planned scheduling to actual.
Dates and the topic covered of internal and external training sessions along
with names of those who attended.
Details of any disciplinary actions taken.
Date when the team planning meeting was scheduled and when it actually
took place for all audit engagements.
What files require engagement quality control reviews, who is assigned
and the planned date. Then match the plan to who actually performed the
review, when it occurred and what, if any, issues were raised and their
resolution.
Reasons for any departures from any applicable ISA requirement and the
alternative audit procedures performed to achieve the aim of that
requirement.
Details of consultations with others and resolution of audit/accounting
issues, if any, raised.
Reasons for engagement delays and how such delays were addressed and
resolved. These could include changes in staff personnel, delays in
obtaining information, unavailability of client staff, scope restrictions and
any disagreements with client management.
Dating of the auditor’s report and compliance with the 60-day
recommendation for assembly of final engagement files.
How monitor’s comments on the file were addressed.
Control Activities
Control activities are designed to ensure compliance with the firm’s established policies and procedures.
One possible way to design, implement and monitor quality control is to follow the PDCA (plan-docheck-act) process. Each of the elements is described below.
Exhibit 4.6-1
Step
Description
PLAN
DO
Establish the objectives and quality control processes necessary to deliver the required outputs.
Implement the new processes; often on a small scale if possible.
06/10/2010
Page 47
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
CHECK
Measure the new processes and compare the results against the expected results to ascertain any
differences.
Analyze the differences to determine their cause. Each will be part of either one or more
of the P-D-C-A steps. Determine where to apply changes that include improvement.
ACT
For example, a firm objective may be to not release the audit report until all queries and outstanding items
have been cleared. The required policy is that the final engagement report may not be released, filed or
otherwise distributed until certain specified approvals have been obtained. Implementation of the policy
could be controlled through a final release process where a person verifies that all approvals have, in fact,
been obtained and documented. The effectiveness of the policy could be checked by periodic inspections
of the approval sign offs. If deviations are identified, the reasons would be investigated and appropriate
action such as discipline, training or changes in the policy would be considered.
Control activities to address all policies and procedures would not be possible or cost-effective. Firms
should use professional judgment and their assessment of risk to determine what controls need to be
implemented. Control activities could be considered for:
•
All the policies and procedures documented in the firm’s quality control manual;
•
Office workflow policies;
•
Operational policies and procedures; and
•
Other personnel policies and procedures.
The scope for control activity design would address all the quality control, ethical and independence
requirements and the firm’s compliance with ISAs relevant to the audit.
Exhibit 4.6-2
4.7
Monitoring
An important element of a control system is to monitor its adequacy and operational effectiveness. This
can be achieved through an independent review of the operating effectiveness of the firm-level and
06/10/2010
Page 48
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
engagement-level policies/procedures and inspection of completed engagement files.
An effective monitoring process helps to develop a culture of continual improvement where partners and
staff are committed to quality work and are rewarded for improving performance.
A firm’s monitoring process could be divided into two parts as follows:
1. Ongoing Monitoring (other than the cyclical file inspections)
An ongoing (suggest annual) consideration and evaluation of the firm’s system of quality control helps
to ensure the policies and procedures in place are relevant, adequate and operating effectively. When
performed and documented on an annual basis, this monitoring will support the requirement to
communicate with staff each year about the firm’s plans to improve engagement quality. This scope
of ongoing monitoring addresses each of the quality control elements and includes an assessment of
whether:
– The firm’s quality control manual has been updated for new requirements and
developments;
– Those assigned with quality control responsibilities in the firm (if any) have actually
fulfilled their roles;
– Written confirmations (by partners and staff) have been obtained to ensure each
individual’s compliance with the firm’s policies and procedures on independence and
ethics;
– There is ongoing professional development for partners and staff;
– Decisions related to acceptance and continuance of client relationships and specific
engagements are in compliance with the firm’s policies and procedures;
– The code of ethics has been followed;
– Suitably qualified people were assigned as the engagement quality control reviewers and
completion of such reviews occurred before the audit report was dated;
– Communication has been made to the appropriate personnel about deficiencies that have
been identified; and
– Appropriate follow-up has been made to ensure identified deficiencies in quality have
been addressed on a timely basis.
2. Cyclical Completed File Inspections
The ongoing consideration and evaluation of the firm's system of quality control includes a cyclical
inspection of at least one completed engagement file for each partner. This is required to ensure
compliance with professional/legal requirements and that assurance reports being issued are appropriate
in the circumstances. Cyclical inspections help to identify deficiencies and training needs on a timely
basis. It also enables the firm to make needed changes on a timely basis.
Upon completion of the review, the monitor would prepare a report that, after discussion with the
partners, would be communicated to all managers and professional staff along with the action steps to be
taken.
Who Can be Appointed as Monitor?
•
Monitoring of firm-level policies
The review of compliance with the firm’s policies would be performed by a suitably qualified person
who ideally is not also responsible for managing or developing quality control within the firm.
However, ISQC 1 recognizes that this may not always be possible in smaller firms, so self monitoring
06/10/2010
Page 49
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
is acceptable. Alternatively, an individual external to the firm, with the competence and capabilities to
act as an engagement partner, could be appointed. This would enhance the independence and
objectivity of the firm.
•
Completed file inspections
The person appointed to inspect completed engagement files must be suitably qualified and must not
have been involved in performing the engagement or the engagement quality control review on the file.
4.8
Compliance with Relevant ISAs
Paragraph #
Relevant Extracts from ISAs
200.18
The auditor shall comply with all ISAs relevant to the audit. An ISA is relevant to the audit when the ISA
is in effect and the circumstances addressed by the ISA exist. (Ref: Para. A53-A57)
200.22
Subject to paragraph 23, the auditor shall comply with each requirement of an ISA unless, in the
circumstances of the audit:
(a)
The entire ISA is not relevant; or
(b)
The requirement is not relevant because it is conditional and the condition does not exist. (Ref:
Para. A72-A73)
200.23
In exceptional circumstances, the auditor may judge it necessary to depart from a relevant requirement in a
ISA. In such circumstances, the auditor shall perform alternative audit procedures to achieve the aim of
that requirement. The need for the auditor to depart from a relevant requirement is expected to arise only
where the requirement is for a specific procedure to be performed and, in the specific circumstances of the
audit, that procedure would be ineffective in achieving the aim of the requirement. (Ref: Para. A74)
230.12
If, in exceptional circumstances, the auditor judges it necessary to depart from a relevant requirement in an
ISA, the auditor shall document how the alternative audit procedures performed achieve the aim of that
requirement, and the reasons for the departure. (Ref: Para. A18-A19)
The ISAs set out the responsibilities and requirements of auditors in conducting an audit. As stated in ISA
200.18, 22 and 23, each relevant requirement (set out in the requirements section of the ISAs) is to be
followed by the auditor, except in exceptional circumstances, where alternative audit procedures would be
performed to achieve the aim of that particular requirement.
Note the following:
Exhibit 4.8-1
ISAs
Description
Status
The ISAs, taken together, provide the standards for the auditor’s work in
fulfilling the overall objectives of the auditor.
The ISAs deal with the general responsibilities of the auditor, as well as the
auditor’s further considerations relevant to the application of those
responsibilities to specific topics.
Relevance
06/10/2010
Some ISAs (and therefore all of its requirements) may not be relevant in the
circumstances (for example, internal audit or group accounts).
Page 50
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
ISAs
Description
Some ISAs contain conditional requirements. These requirements are relevant
when the circumstances envisioned apply and the condition exists.
Departures from relevant ISA requirements need to be documented along with
the alternative audit procedures performed and the reasons for the departure.
Local Laws
Auditors may be required (in addition to the ISAs) to comply with certain legal
or regulatory requirements or other auditing standards of a specific jurisdiction
or country.
Other
The scope, effective date and any specific limitation of the applicability of a
specific ISA is made clear in the ISA. However, the effective date of the ISA
may also be affected by legal requirements in a particular jurisdiction.
Unless otherwise stated in the ISA, the auditor is permitted to apply an ISA
before the effective date specified therein.
06/10/2010
Page 51
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
5.
INTERNAL CONTROL — PURPOSE AND COMPONENTS
Chapter Content
To outline the purpose, scope and nature of internal
control over financial reporting including the five
components to be evaluated by the auditor.
Relevant ISAs
315
Exhibit 5.0-1
Paragraph #
Relevant Extracts from ISAs
315.4(c)
Internal control – The process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and
compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or
more of the components of internal control.
315.12
The auditor shall obtain an understanding of internal control relevant to the audit. Although most
controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to
financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether
a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A42-A65)
315.13
When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the
design of those controls and determine whether they have been implemented, by performing procedures
in addition to inquiry of the entity’s personnel. (Ref: Para. A66-A68)
5.1
Overview
Internal control is designed, implemented and maintained by those charged with governance, management
and other personnel to address identified business and fraud risks that threaten the achievement of stated
objectives such as the reliability of financial reporting.
Note:
A control is always designed to respond (mitigate) to a possible risk. A control that does not
address a risk is obviously redundant.
06/10/2010
Page 52
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The first step in evaluating control design is to identify the risks that require mitigation by control. The
second step is then to identify what controls are in place to address those risks.
5.2
Internal Control Objectives
Internal control is management’s response to mitigate an identified risk factor or achieve a control
objective. There is a direct relationship between an entity’s objectives and the internal control it
implements to ensure their achievement. Once objectives are set, it is possible to identify and assess
potential events (risks) that would prevent the achievement of the objectives. Based on this information,
management can develop appropriate responses, which will include the design of internal control.
Internal control objectives can be broadly grouped into four categories:
•
Strategic, high-level goals that support the mission of the entity;
•
Financial reporting (internal control over financial reporting);
•
Operations (operational controls); and
•
Compliance with laws and regulations.
Internal control relevant to an audit primarily pertains to financial reporting. This addresses the entity’s
objective of preparing financial statements for external purposes.
Operational controls, such as production and staff scheduling, quality control, and employee compliance
with health and safety requirements, would not normally be relevant to the audit, except where:
•
The information produced is used to develop an analytical procedure; or
•
The information is required for disclosure in the financial statements.
For example, if production statistics were used as a basis for an analytical procedure, the controls to
ensure the accuracy of such data would be relevant. If non-compliance with certain laws and regulations
has a direct and material effect on the financial statements, the controls for detecting and reporting on
such non-compliance would be relevant.
Internal Control Components
The term “internal control” as used in ISA 315 is broader than just control activities such as segregation
of duties, authorizations and account reconciliations, etc.
Internal control encompasses five key components:
•
The control environment;
•
The entity’s risk assessment process;
•
The information system, including the related business processes, relevant to financial reporting and
communication;
•
control activities relevant to the audit; and
•
Monitoring of internal control.
These components as they relate to the entity’s financial reporting objectives are illustrated below.
The Five Components of Internal Control
Exhibit 5.2-1
06/10/2010
Page 53
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The division of internal control into these five components provides a useful framework for auditors in
understanding the different aspects of an entity’s internal control system. However, it should be noted
that:
•
The way in which the internal control system is designed and implemented will vary based on the
entity’s size and complexity. Smaller entities often use less formal means and simpler processes and
procedures to achieve their objectives. The five components of internal control may not be so clearly
distinguished; however, their underlying purposes are equally valid. For example, an owner-manager
may (and, in the absence of additional staff, should) perform functions belonging to several of the
components of internal control.
•
Different terminology or frameworks than those used in ISA 315 can be used to describe the various
aspects of internal control, and their effect on the audit, but all five components are to be addressed in
the audit.
•
The auditor’s primary consideration is whether, and how, a specific control prevents, or detects and
corrects, material misstatements in classes of transactions, account balances or disclosures, and their
related assertions.
A summary of the five internal control components follows.
5.3
The Control Environment
Paragraph #
Relevant Extracts from ISAs
315.14
The auditor shall obtain an understanding of the control environment. As part of obtaining this
understanding, the auditor shall evaluate whether:
(a) Management, with the oversight of those charged with governance, has created and maintained a
culture of honesty and ethical behavior; and
(b) The strengths in the control environment elements collectively provide an appropriate foundation for
the other components of internal control, and whether those other components are not undermined by
deficiencies in the control environment. (Ref: Para. A69-A78)
06/10/2010
Page 54
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The control environment is the foundation for effective internal control, providing discipline and structure
for the entity. It sets the tone of an organization, influencing the control consciousness or awareness of its
people.
The control environment addresses the governance and management functions. It also addresses the
attitudes, awareness, and actions of those charged with governance and management concerning the
entity’s internal control and its importance within the entity.
Note:
Control environment controls are generally pervasive in nature. They will not directly prevent, or
detect and correct, a material misstatement. Instead, they form an important foundation upon
which all other controls will be built.
Exhibit 5.3-1
Control environment controls will influence the auditor’s evaluation of the effectiveness of other specific
control activities that may address specific areas such as sales and purchase transactions. For example, if
management has a negative attitude toward control in general, this would undermine the effectiveness of
other controls (such as sales, etc.) no matter how well they were designed.
The auditor’s evaluation of the design of the entity’s control environment would include the elements set
out below.
Exhibit 5.3-2
Key Elements to
Address
06/10/2010
Description
Page 55
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Key Elements to
Address
Description
Communication and
Enforcement of
Integrity and Other
Ethical Values
Integrity and ethical values are essential (foundational) elements, which
influence the effectiveness of the design, administration and monitoring of
other controls.
Commitment to
Competence
Management’s consideration of the competence levels for particular jobs and
how those levels translate into requisite skills and knowledge.
Participation by
those Charged with
Governance
Attributes of those charged with governance such as:
•
Their independence from management;
•
Their experience and stature;
•
The extent of their involvement and the information they receive, and the
scrutiny of activities; and
•
The appropriateness of their actions, including the degree to which
difficult questions are raised and pursued with management, and their
interaction with internal and external auditors.
Management’s
Philosophy and
Operating Style
Management’s approach to taking and managing business risks, and
management’s attitudes and actions toward financial reporting, information
processing, accounting functions, and personnel.
Organizational
Structure
The framework within which an entity’s activities for achieving its objectives
are planned, executed, controlled, and reviewed.
Assignment of
Authority and
Responsibility
How authority and responsibility for operating activities are assigned and how
reporting relationships and authorization hierarchies are established.
Human Resources
Policies and
Practices
Recruitment, orientation, training, evaluating, counselling, promoting,
compensating, and remedial actions.
The controls outlined above are pervasive to the entire entity and are often more subjective to evaluate
than the traditional control activities (such as segregation of duties). Therefore, the auditor will exercise
professional judgment in this evaluation.
Control environment strengths can compensate or even replace weak transactional controls in some
situations. However, control environment weaknesses can undermine and even negate good design in
other components of internal control. For example, if a culture of honesty and ethical behaviour did not
exist, the auditor would have to consider carefully what types of (additional) audit procedures would be
effective in finding material misstatements in the financial statements. In some cases, the auditor may
conclude that internal control has broken down to such an extent that the only option is to withdraw from
06/10/2010
Page 56
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
the engagement.
The Control Environment in Smaller Entities
The control environment within small entities will differ from larger entities but is just as important. This
is particularly true when the entity does not have the staff or resources to implement traditional control
activities such as segregation of duties.
In smaller entities the active involvement of a competent owner-manager (a control environment strength)
may well reduce the need for other control activities such as segregation of duties. Consequently, control
environment strengths can serve to indirectly prevent or detect and correct certain types of misstatement.
For example, when the owner-manager reviews and approves individual transactions before they are
completed, it may serve to prevent or detect and correct certain specific errors or fraud. However, this
control environment strength would not mitigate other risks such as management override of controls.
In smaller entities, there will typically be less documentation available to support control environment
controls. Consequently, the attitudes, awareness and actions of management (such as owner-managers)
will often form the basis for evaluating control design and implementation. For example, larger entities
are likely to provide staff with a code of conduct that outlines acceptable behaviours and consequences
for breaking them. Smaller entities may communicate similar values and acceptable behaviours through
oral communications and by management example.
Where there is no supporting documentation for a particular control, the auditor would prepare a
memorandum for the file. For example, in addressing whether there is communication and enforcement of
integrity and ethical values above the auditor could:
•
Identify the entity’s values, acceptable behaviours and enforcement actions through discussions
with management. The auditor would then assess whether they are sufficient which would
address the control design.
•
Ask one or two employees what they believe are the entity’s values, acceptable behaviours and
enforcement actions. These interviews would address whether managements values, acceptable
behaviours have been communicated and enforced. This would address control implementation.
Consider point
Small entities are often reluctant to document internal controls which operate on an informal basis.
However, there can often be benefits to management of taking the time to document some of the more
important policies and procedures. Such policies and procedures could be provided to staff joining the
entity and audit time may be saved in having to make inquiries each period. In the example cited above
even the smallest entity could prepare a simple statement of values and acceptable behaviours that could
be provided to employees and then referred to when an issue arises.
In smaller entities, some of the key areas to address in assessing the control environment are outlined in
the exhibit below.
Exhibit 5.3-3
Control Element
The key question
Communication
What management actions
06/10/2010
Possible Controls
•
Management continually demonstrates, through words and actions, a
commitment to high ethical standards.
Page 57
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Control Element
The key question
Possible Controls
and Enforcement
of Integrity and
Ethical Values
•
serve to eliminate or
mitigate incentives or
temptations that might
•
prompt personnel to engage
in dishonest, illegal, or
•
unethical acts?
•
Commitment to
Competence
Do personnel have the
knowledge and skills
necessary to accomplish
their tasks?
•
•
•
•
Participation by
Those Charged
with Governance
(TCWG)
other than where
management are
TCWG
How effective is the
governance (if any) being
provided over entity
operations?
Management’s
Philosophy and
Operating Style
What are management's
attitudes and actions toward
financial reporting?
•
•
•
•
•
•
•
•
Organizational
Structure
Has a relevant
organizational structure
been established?
•
•
•
•
06/10/2010
Management removes or reduces incentives or temptations that might
cause personnel to engage in dishonest or unethical acts.
A code of conduct or equivalent exists that sets out expected standards
of ethical and moral behaviour.
Employees clearly understand what behaviour is acceptable and
unacceptable and know what to do when they encounter improper
behaviour.
Enforcement actions are taken when required
Management takes the necessary steps to ensure personnel have the
requisite knowledge and skills required for their job.
Job descriptions exist and are effectively used.
Management provides personnel with access to training programs on
relevant topics.
Initial and ongoing matching of staff skills to their job descriptions.
A majority of TCWG are independent of management.
TCWG have the appropriate experience, stature and financial
expertise.
Significant issues and financial results are communicated to TCWG in
a timely manner.
TCWG provide effective oversight over management’s activities.
This includes raising difficult questions and pursuing answers.
TCWG meet on a regular basis and minutes of meetings are circulated
on a timely basis.
Management demonstrates positive attitudes and actions toward:
o Sound internal control over financial reporting, (including
management override and other fraud),
o Appropriate selection/application of accounting policies,
o Information processing controls, and
o The treatment of accounting personnel.
Management has established procedures to prevent unauthorized
access to, or destruction of assets, documents and records.
Management analyzes business risks and takes appropriate action.
The organizational structure is appropriate to facilitate achievement of
entity objectives, operating functions and regulatory requirements.
Management clearly understands its responsibility and authority for
business activities and possesses the requisite experience and levels of
knowledge to properly execute its positions.
The entity structure facilitates the flow of reliable and timely
information to the appropriate people for planning and controlling
activities.
Incompatible duties are segregated to the extent possible.
Page 58
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Control Element
The key question
Assignment of
Authority and
Responsibility
Have key areas of authority
and responsibility been
appropriately assigned?
Possible Controls
•
•
•
Human
Resources
Policies and
Practices
5.4
What standards are in place
to ensure:
• Recruitment of the most
competent and
trustworthy people
• Training is provided to
ensure people can perform
their job
• Promotions are driven by
performance appraisals
•
•
•
•
There are policies and procedures for authorization and approval of
transactions.
Appropriate lines of reporting and accountability exist, (appropriate to
the entity’s size and nature of activities).
Job descriptions include control-related responsibilities.
Management establishes/enforces standards for hiring the most
qualified individuals,
Recruiting practices include employment interviews, background
checks, communication of values, expected behaviours and
management’s operating style.
Job performance is periodically evaluated, the results reviewed with
each employee and appropriate action taken.
Training policies address prospective roles and responsibilities and
expected levels of performance and evolving needs.
Risk Assessment
Paragraph #
Relevant Extracts from ISAs
315.15
The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks. (Ref: Para. A79)
315.16
315.17
If the entity has established such a process (referred to hereafter as the “entity’s risk assessment process”),
the auditor shall obtain an understanding of it, and the results thereof. If the auditor identifies risks of
material misstatement that management failed to identify, the auditor shall evaluate whether there was an
underlying risk of a kind that the auditor expects would have been identified by the entity’s risk
assessment process. If there is such a risk, the auditor shall obtain an understanding of why that process
failed to identify it, and evaluate whether the process is appropriate to its circumstances or determine if
there is a significant deficiency in internal control with regard to the entity’s risk assessment process.
If the entity has not established such a process or has an ad hoc process, the auditor shall discuss with
management whether business risks relevant to financial reporting objectives have been identified and
how they have been addressed. The auditor shall evaluate whether the absence of a documented risk
assessment process is appropriate in the circumstances, or determine whether it represents a significant
deficiency in internal control. (Ref: Para. A80)
A risk assessment process provides management with the information needed to determine what
06/10/2010
Page 59
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
business/fraud risks should be managed and the actions (if any) to be taken. Management may initiate
plans, programs or actions to address specific risks or it may decide to accept a risk because of cost or
other considerations.
If the entity’s risk assessment process is appropriate to the circumstances, it will assist the auditor in
identifying risks of material misstatement. A risk assessment process would normally address such matters
as:
•
Changes in operating environment;
•
New senior personnel;
•
New or revamped information systems;
•
Rapid growth;
•
New technology;
•
New business models, products, or activities;
•
Corporate restructurings (including divestitures and acquisitions);
•
Expanded foreign operations; and
•
New accounting pronouncements.
In smaller entities where a formal risk assessment process is unlikely to exist, the auditor would discuss
with management how business risks are identified and how they are addressed.
Matters the auditor should consider are how management:
•
Identifies risks relevant to financial reporting;
•
Estimates the significance of the risks;
•
Assesses the likelihood of their occurrence; and
•
Decides upon actions to manage them.
If the auditor identifies risks of material misstatement that management failed to identify, he or she should
consider:
•
Why did management’s processes fail?
•
Are the processes appropriate to the circumstances?
If a significant deficiency exists in the entity’s risk assessment process (or there is no process at all), it
would be communicated with management and those charged with governance.
Conditions and Events that May Indicate Risks of Material Misstatement
Appendix 2 of ISA 315 contains a useful list of possible conditions and events that may indicate the
existence of risks of material misstatement.
5.5
Information System
(Including the related business processes relevant to financial reporting and communication)
Paragraph #
Relevant Extracts from ISAs
315.18
The auditor shall obtain an understanding of the information system, including the related business
06/10/2010
Page 60
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
processes, relevant to financial reporting, including the following areas:
(a) The classes of transactions in the entity’s operations that are significant to the financial statements;
(b) The procedures, within both information technology (IT) and manual systems, by which those
transactions are initiated, recorded, processed, corrected as necessary, transferred to the general
ledger and reported in the financial statements;
(c) The related accounting records, supporting information and specific accounts in the financial
statements that are used to initiate, record, process and report transactions; this includes the
correction of incorrect information and how information is transferred to the general ledger. The
records may be in either manual or electronic form;
(d) How the information system captures events and conditions, other than transactions, that are
significant to the financial statements;
(e) The financial reporting process used to prepare the entity’s financial statements, including significant
accounting estimates and disclosures; and
(f)
315.19
Controls surrounding journal entries, including non-standard journal entries used to record nonrecurring, unusual transactions or adjustments. (Ref: Para. A81-A85)
The auditor shall obtain an understanding of how the entity communicates financial reporting roles and
responsibilities and significant matters relating to financial reporting, including: (Ref: Para. A86-A87)
(a) Communications between management and those charged with governance; and
(b) External communications, such as those with regulatory authorities.
Management (and those charged with governance) requires reliable information to:
•
Manage the entity (such as planning, budgeting, monitoring performance, allocating resources,
pricing, and preparing financial statements for reporting purposes);
•
Achieve objectives; and
•
Identify, assess, and respond to risk factors.
This requires pertinent information to be identified, captured and communicated/distributed on a timely
basis to personnel (at all levels of the entity) that need it for decision-making.
An information system consists of infrastructure (physical and hardware components), software, people,
procedures and data. Many information systems make extensive use of information technology (IT). They
identify, capture, process and distribute information supporting the achievement of financial reporting and
internal control objectives.
An information system relevant to financial reporting objectives includes the entity’s business processes
and accounting system, as set out below.
Exhibit 5.5-1
06/10/2010
Page 61
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Business Processes
(sales, purchases,
payroll, etc.)
Business processes are structured sets of activities designed to produce a
specified output. They result in transactions being recorded, processed and
reported by the information system.
Accounting System
This includes accounting software, electronic spreadsheets and the policies and
procedures used to prepare periodic financial reports and the period-end
financial statements and disclosures.
An information system has procedures, policies and records (manual and automated) that are designed to
address the matters set out below.
Exhibit 5.5-2
In larger companies, information systems can be complex, automated and highly integrated. Smaller
companies will often rely on manual or stand-alone information technology applications.
Consider Point
Many mainstream accounting software packages (even smaller ones) come with a variety of built-in
application controls that could be used to improve control over financial reporting. These controls
include automated reconciliations, reporting of exceptions for management review and ensuring
general consistency over financial reporting.
In obtaining an understanding of the information system (including business processes), the auditor would
address (in addition to Exhibit 5.5-2 above) the matters outlined below.
06/10/2010
Page 62
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 5.5-3
Identify
Address
Sources of
Information Used
What classes of transactions are significant to the financial statements?
How do transactions originate within the entity’s business processes?
What accounting records (electronic or manual) exist?
How does the system capture events and conditions (other than classes of
transactions) that are significant to the financial statements?
How Information is
Captured and
Processed
What are the financial reporting processes used to:
• Initiate, record, process and report transactions and non-standard
transactions (such as related party transactions, etc.?
•
Prepare the financial statements, including significant accounting estimates
and disclosures?
What procedures address:
• Risks of material misstatement associated with inappropriate override of
controls including use of standard and non-standard journal entries;
•
•
How the
Information
Produced is Used
Override or suspension of automated controls; and
Identification of exceptions and reporting the actions that have been taken
to remedy these?
How does the entity communicate financial reporting roles, responsibilities
and significant matters relating to financial reporting?
What reports are regularly produced by the information system and how are
they used to manage the entity?
What information is provided by management to those charged with
governance (if different from management) and to external parties such as
regulatory authorities?
Communication
Communication is inherent in information systems. Consequently, if information is to be used in
decision-making and to facilitate the functioning of internal control, it needs to be communicated on a
timely basis (both internally and externally) to the appropriate people.
Effective internal communication helps the entity’s personnel clearly understand internal control
objectives, the business processes in use, and their individual roles and responsibilities. It also helps them
understand the extent their activities relate to the work of others and the means of reporting exceptions to
an appropriate higher level within the entity.
The means of communication may be informal (verbal) or formal, i.e., documented in policy and financial
reporting manuals.
Internal communication between top management and employees is often easier and less formal in
smaller companies, due to fewer levels and numbers of personnel and the greater availability and presence
06/10/2010
Page 63
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
of senior management.
Effective external communication ensures that matters affecting the achievement of financial reporting
objectives are communicated with relevant outside parties such as key stakeholders, financial institutions,
regulators and government agencies.
Lack of IT systems documentation
Smaller entities may have less sophisticated and less documented information and communication
systems. If management does not have extensive descriptions of accounting procedures, sophisticated
accounting records, or written policies, the understanding required by the auditor will be obtained more
by inquiry and observation than review of documentation.
5.6
Control Activities
Paragraph #
Relevant Extracts from ISAs
315.20
The auditor shall obtain an understanding of control activities relevant to the audit, being those the auditor
judges it necessary to understand in order to assess the risks of material misstatement at the assertion level
and design further audit procedures responsive to assessed risks. An audit does not require an
understanding of all the control activities related to each significant class of transactions, account balance,
and disclosure in the financial statements or to every assertion relevant to them. (Ref: Para. A88-A94)
315.21
In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity
has responded to risks arising from IT. (Ref: Para. A95-A97)
Control activities are the policies and procedures that help ensure management’s directives are carried
out. Examples include controls to ensure goods are not shipped to a bad credit risk or to ensure only
authorized purchases are made. These controls address risks that, if not mitigated, would threaten the
achievement of the entity’s objectives.
Control activities (whether within information or manual systems) are designed to mitigate the risks
involved in everyday activities such as transaction processing (business processes such as sales, purchases
and payroll) and safeguarding of assets.
Business processes are structured sets of activities designed to produce a specified output. Business
process controls can generally be classified as preventive, detective and corrective, compensating or
steering, as outlined in the exhibit below.
Exhibit 5.6-1
Controls
Classification
Description
Preventive Controls
Avoid errors or irregularities.
06/10/2010
Page 64
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Controls
Classification
Description
Detective Controls
Identify errors or irregularities after they have occurred so corrective action
can be taken.
Compensating
Controls
Provide some assurance where resource limitations may preclude other more
direct controls.
Steering Controls
(for example,
policies)
Guide actions towards the desired objectives.
The nature of business process controls will vary based on the risks involved and the specific application.
Typical controls at the business process level would include the matters, set out below.
Exhibit 5.6-2
Controls
Description
Examples
Segregation
of Duties
These controls can reduce the
opportunities for a person to be in a
position to both perpetrate and conceal
errors or fraud.
The employee responsible for the
accounts receivable processing has no
access to cash receipts.
Authorization
Controls
These controls define who has the
authority to approve various routine and
non-routine transactions and events.
Assigning responsibility to authorize:
• Hiring of new employees;
• Making investments;
• Ordering goods and services;
and
• Extending credit to a customer.
Account
Reconciliations
This includes preparing and reviewing
account reconciliations on a timely basis
and taking any necessary corrective
actions.
Reconciliations of bank accounts, sales
transactions, intercompany balances,
suspense accounts, etc.
IT Application
Controls
These controls are programmed into IT
applications such as sales or purchases.
They include fully automated and
partially automated controls.
Checking the arithmetical accuracy of
records, pricing of invoices, edit checks
of input data, numerical sequence
checks and production of exception
reports for manager review.
Actual Results
Reviews
These controls involve the regular
review and analyses of actual results
Analysis of operating results and
comparing actual results to budget and
06/10/2010
Page 65
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Controls
Physical
Controls
Description
Examples
versus budgets, forecasts and priorperiod performance. It also involves
relating different sets of data (operating
or financial) to one another and
comparing internal data with external
sources of information. Unexpected
variations would be investigated and
corrective actions taken.
investigating variances.
These controls relate to the physical
security of assets and permitted access
to entity premises, accounting records,
computer programs and data files.
Such controls consist of asset security
(door locks and restricted access to
inventory/records) and comparing the
results of periodic cash, security and
inventory counts with accounting
records.
Smaller entities
Control activities are designed to directly prevent a material misstatement from occurring or detecting and
then correcting a misstatement after it has occurred. In smaller entities, the concepts underlying control
activities are likely to be similar to larger entities but their relevance to the auditor may vary considerably.
Consider the following:
Exhibit 5.6-3
Control activities
in smaller entities
Comments
Informal and
limited
documentation
Many controls may operate informally and may not be well documented. For example,
granting credit to a customer may be more reliant on the judgement and knowledge of the
manager than a pre-established credit limit.
Limited scope
Control activities (to the extent they exist) are likely to relate to the main transaction cycles
such as revenues, purchases and employment expenses.
Risks may be
mitigated by the
control environment
(see Volume 1,
Chapter 5.3)
Certain types of control activities may not be relevant because of controls applied by senior
management. For example, management's approval of significant transactions can provide
strong control over important account balances and transactions, lessening or removing the
need for more detailed control activities. Some transactional misstatements (usually
addressed by control activities in larger entities) could be mitigated by:
• The corporate culture that emphasizes the importance of control;
• Employing highly competent staff;
• Monitoring revenues and expenditures against an established budget;
• Requiring senior management’s approval of all major transactions;
• Monitoring of key performance indicators; and
• Assigning responsibilities among staff so as to maximize the segregation of duties.
Control activities, relevant to the audit, would potentially mitigate risks such as:
•
Significant risks
06/10/2010
Page 66
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Identified and assessed risks of material misstatement that, in the auditor’s judgment, require special
audit consideration. Refer to Volume 2, Chapter 10.
•
Risks that cannot easily be addressed by substantive procedures
These are identified and assessed risks of material misstatement for which substantive procedures
alone would not provide sufficient appropriate audit evidence.
•
Other risks of material misstatement
The auditor’s judgment about whether a control activity is relevant to the audit is influenced by:
•
Knowledge about the presence/absence of control activities identified in other components of internal
control. If a particular risk has already been adequately addressed (such as by the control
environment, information system, etc.), there is no need to identify any additional controls that may
exist.
•
The existence of multiple control activities that achieve the same objective. It is unnecessary to obtain
an understanding of each of the control activities related to such objective.
•
Increased audit efficiency that will be gained from testing the operating effectiveness of certain key
controls. This could occur when:
– Obtaining audit evidence through a test of the operating effectiveness of controls may be more
cost efficient than performing substantive procedures. Tests of control typically result in smaller
sample sizes than substantive tests. If the controls are automated, a sample size of just one item
(assuming good IT general controls) may be all that is required. In addition, if the control system
and personnel involved have not changed from previous years, it may be possible (under certain
conditions) to limit the test of operating effectiveness of controls to once in every three years (See
Volume 2, Chapter 17).
– Substantive procedures alone would not provide sufficient appropriate audit evidence at the
assertion level. For example, the completeness assertion for sales revenue can be difficult (and
sometimes impossible) to address by substantive procedures alone. In these situations, it would be
worthwhile to identify any internal controls that address the risk and assertion involved. If the
internal controls are expected to work effectively, the necessary audit evidence could be obtained
through a test of the operating effectiveness of those controls.
5.7
Understanding IT Risks and Controls
Most entities today use information technology (IT) to manage, control and report on at least some of
their activities. IT operations are often managed by a central support team that ensures the day-to-day
users (staff) have appropriate access to the hardware, software and applications to perform their
responsibilities. In smaller entities, IT management may be the responsibility of just one or even a parttime or outsourced person.
Regardless of the entity’s size, there are a number of risk factors relating to IT management and
applications that, if not mitigated, could result in a material misstatement in the financial statements.
There are two types of IT controls that need to work together to ensure complete and accurate information
processing:
•
General IT controls
These controls operate across all applications and usually consist of a mixture of automated controls
(embedded in computer programs) and manual controls (such as the IT budget and contracts with
service providers); and
06/10/2010
Page 67
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
IT application controls
These controls are automated controls that relate specifically to applications (such as sales processing
or payroll).
There is also a third kind of control which has a manual and IT element. These controls can be called ITdependent controls. The control is performed manually but its effectiveness relies on information
produced by an IT application. For example, the financial manager may review the monthly/quarterly
financial statement (generated by the accounting system) and investigate variances.
The following exhibit outlines the scope of general IT controls.
Exhibit 5.7-1
General IT Controls
Standards,
Planning,
Policies, etc.
(The IT Control
Environment)
The IT governance structure.
How IT risks are identified, mitigated and managed.
The required information system, strategic plan (if any) and budget.
IT policies, procedures and standards.
The organizational structure and segregation of duties.
Contingency planning.
Security over Data,
the IT
Infrastructure and
Daily Operations
Acquisitions, installations, configurations, integration and maintenance of the
IT infrastructure.
Delivery of information services to users.
Management of third-party providers.
Use of system software, security software, database management systems and
utility program.
Incident tracking, system logging and monitoring functions.
Access to Programs
and Application
Data
Issue/removal and security of user passwords and IDs.
Internet firewalls and remote access controls.
Data encryption and cryptographic keys.
User accounts and access privilege controls.
User profiles that permit or restrict access.
Program
Development and
Program Changes
06/10/2010
Acquisition and implementation of new applications.
System development and quality assurance methodology.
The maintenance of existing applications, including controls over program
changes.
Page 68
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
General IT Controls
Monitoring of IT
Operations
Policies, procedures, inspections and exception reports that ensure:
• Information users are receiving accurate data for decision-making;
• Ongoing compliance with IT general controls; and
• IT is serving the entity’s needs and is aligned with the business
requirements.
IT Application Controls
IT application controls relate to a particular software application that is used at the business process level.
Application controls can be preventive or detective in nature and are designed to ensure the integrity of
the accounting records.
Typical application controls relate to procedures used to initiate, record, process and report transactions or
other financial data. These controls help ensure that transactions occurred, are authorized and are
completely and accurately recorded and processed. Examples include edit checks of input data with
correction at the point of data entry and numerical sequence checks with manual follow-up of exception
reports.
5.8
Monitoring
Paragraph #
Relevant Extracts from ISAs
315.22
The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal
control over financial reporting, including those related to those control activities relevant to the audit, and
how the entity initiates remedial actions to deficiencies in its controls. (Ref: Para. A98-A100)
315.24
The auditor shall obtain an understanding of the sources of the information used in the entity’s monitoring
activities, and the basis upon which management considers the information to be sufficiently reliable for
the purpose. (Ref: Para. A104)
Monitoring assesses the effectiveness of the internal control’s performance over time. The objective is to
ensure the controls are working properly and, if not, to take necessary corrective actions.
Monitoring provides feedback to management on whether the internal control system they have designed
to mitigate risks is:
•
Effective in addressing the stated control objectives;
•
Properly implemented and understood by employees;
•
Being used and complied with on a day-to-day basis; and
•
In need of modification or improvement to reflect changes in conditions.
06/10/2010
Page 69
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Management accomplishes the monitoring of controls through ongoing activities, separate evaluations or
a combination of these two.
Ongoing monitoring activities in smaller entities are informal and are usually built into the normal
recurring activities of an entity. This includes regular management and supervisory activities and the
review of exception reports that may be produced by the information system. Where management is
closely involved in operations, they will often identify significant variances from expectations and
inaccuracies in financial data and take corrective action to modify or improve the control.
Periodic monitoring (separate evaluations of specific areas within the entity, such as those performed by
an internal audit function in a much larger company) is not common in smaller entities. However,
periodic evaluations of critical processes could be conducted by qualified employees not directly involved
or by hiring an external and suitably qualified person.
Management’s monitoring activities may also include the use of information received from external
parties that indicates problems or highlights areas in need of improvement. Examples of this could
include:
•
Complaints from customers;
•
Comments from governing bodies such as franchisors, financial institutions and regulators; and
•
Communications relating to internal control from external auditors and consultants.
Sources of Information used for Monitoring
Much of the information used in monitoring will be produced by the entity’s information system.
Management may tend to assume that this information is accurate. If this information is not accurate,
there is a risk that management could reach incorrect conclusions and, as a result, make poor decisions.
Accordingly, when the auditor is evaluating the monitoring of controls, an understanding is required of:
•
The sources of the information related to the entity’s monitoring activities; and
•
The basis upon which management considers the information to be sufficiently reliable for the
purpose.
5.9
Understanding of Internal Controls Relevant to the Audit
The following table summarizes the steps involved in obtaining an understanding of internal controls
relevant to the audit.
Exhibit 5.9-1
Identify
Address
Specific Risks of
Material
Misstatement
Requiring
Mitigation
The potential risks of material misstatement (related to significant classes of
transactions, account balances, and financial statement disclosures) that exist at
the assertion level. For example:
• Regular day-to-day transactional risks;
• Fraud risks (such as management override and asset misappropriation);
• Disclosure risks (incomplete or missing information);
• Significant risks;
• Non-routine risks (such as implementing a new accounting system); and
• Judgmental risks (estimates, valuations, etc.),
06/10/2010
Page 70
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Identify
Address
Management’s
Response to the
Identified Risks of
Material
Misstatement
What specific (manual or IT application) control activities that (individually or
in combination with others) prevent, or detect and correct, material errors and
fraud.
Significant
Deficiencies
Failure by management to mitigate a risk of material misstatement would
likely result in a significant deficiency. These would be reported to
management and an audit response developed.
Implementation of
Relevant Controls
This involves procedures (in addition to inquiry of the client’s personnel) to
determine that relevant controls identified actually exist and are in use by the
entity. This can be carried out at a point in time such as tracing one transaction
through the system on a particular day. This is not a test of control, which is
designed to evaluate whether a control operated effectively throughout the
period covered by the audit.
5.10
This step does not require the auditor to identify all the control activities that
may exist. For example, an entity may have implemented 15 control
procedures to address a particular risk. If the auditor concluded that the first
three control procedures identified were sufficient to mitigate the risk
involved, there is no need to carry on work to identify and document the other
12 control procedures.
Manual versus Automated Controls
For most entities, the system of internal control will consist of a mixture of manual and automated
controls. The risks and benefits associated with the different types of control are outlined below.
Exhibit 5.10-1
Benefits
Manual Controls
•
•
•
•
Used to monitor the effectiveness of
automated controls.
Suited to areas where judgment and discretion
are required over large, unusual or nonrecurring transactions.
Beneficial when errors are difficult to define,
anticipate or predict.
Changing circumstances may require a control
response outside the scope of an existing
automated control.
Automated Controls
•
•
•
•
•
06/10/2010
Consistently apply predefined business rules
and perform complex calculations in
processing large volumes of transactions or
data.
Enhance the timeliness, availability and
accuracy of information.
Facilitate the additional analysis of
information.
Enhance the ability to monitor the
performance of the entity’s activities and its
policies and procedures.
Reduce the risk that internal control will be
circumvented.
Page 71
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Benefits
•
Enhance the ability to achieve effective
segregation of duties by implementing
appropriate system access restrictions in
applications, databases and operating systems.
Risks
Manual Controls
•
•
•
•
•
•
Automated Controls
Less reliable than automated controls, as
•
performed by people.
More easily bypassed, ignored or overridden.
Prone to simple errors and mistakes.
•
Consistency of application cannot be assumed.
Less suitable for high volume or recurring
transactions where automated controls would
be more efficient.
Less suitable for activities where the specific
ways to perform the control can be adequately
designed and automated.
•
•
•
•
•
•
06/10/2010
Reliance can be placed on systems or
programs that are inaccurately processing data,
processing inaccurate data, or both.
Unauthorized access to data that may result in
destruction of data or improper changes to
data, including the recording of unauthorized
or non-existent transactions, or inaccurate
recording of transactions (particular risks may
arise where multiple users access a common
database).
The possibility of IT personnel gaining access
privileges beyond those necessary to perform
their assigned duties, thereby breaking down
the segregation of duties.
Unauthorized changes to data in master files.
Unauthorized changes to systems or programs.
Failure to make necessary changes to systems
or programs.
Inappropriate manual intervention.
Potential loss of data or inability to access data
as required.
Page 72
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
When the entity has a mix of manual and automated controls, always identify who is responsible for
the operation of each control. For example, suppose a warehouse manager is responsible for shipping
goods. The warehouse manager manually inputs the data into a sales system that has an application
control to match the shipment to the original order. If something went wrong in the matching process,
is it the responsibility of the warehouse manager, the IT department or the accounting department?
Unless one person is assigned responsibility for the entire process, people will inevitably blame each
other when errors are made.
Where responsibility has not been assigned, consider:
•
The likelihood and magnitude of potential misstatements that could occur in the financial
statements;
•
The appropriate audit response; and
•
Whether the matter should be reported to management.
5.11
Pervasive Controls
Paragraph #
Relevant Extracts from ISAs
315.14 (b)
The auditor shall …evaluate whether…:
(b) The strengths in the control environment elements collectively provide an appropriate foundation for
the other components of internal control, and whether those other components are not undermined by
deficiencies in the control environment. (Ref: Para. A69-A78)
This chapter has now addressed each of the five components of internal control. Some of these controls
are pervasive in nature and only indirectly serve to prevent a misstatement from occurring or to detect and
correct it after it has occurred. Other controls relate to particular transaction risks (such as payroll, sales
and purchases) and are designed specifically to prevent or detect and correct misstatements.
The following table shows the interaction of the two levels of control over transactions as they journey
from initiation and processing (transactional level) through the accounting records (entity level) and
finally to the financial statements. Notice that at least three of the five internal control components consist
primarily of pervasive controls.
Exhibit 5.11-1
06/10/2010
Page 73
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Notes:
1. The above illustration is a general guide. In some instances, pervasive controls can be designed to
operate at a level of precision that would prevent or detect specific misstatements at the business
process level. For example, a detailed budget approved by those charged with governance may be
used by management to detect unauthorized administration expenditures. In other instances, there
may be control activities and parts of the information system that relate to entity level activities.
2. Entity level controls (such as the commitment to competence) may be less tangible than those at the
business process level (such as matching goods received to a purchase order) but are just as critical in
preventing and detecting fraud and error.
3. The period-end financial reporting process includes procedures to:
• Enter transaction totals into the general ledger;
• Select and apply accounting policies;
• Initiate, authorize, record and process journal entries in the general ledger;
• Record recurring and non-recurring adjustments to the financial statements; and
• Prepare the financial statements and related disclosures.
4. General information technology (IT) controls are similar to entity level controls except that they focus
on how IT operations (such as organization, staffing, data integrity) are managed across the entity.
5. IT application controls are similar to transaction controls. They relate to how specific transactions are
processed at the business process level.
Pervasive controls form the basis from which specific transactional controls are built. They set the “tone
at the top” and establish expectations for the organization’s control environment in general. Poorly
designed pervasive controls may actually encourage all types of error and fraud to take place. For
example, an entity may have a highly controlled and effective sales process. However, if senior
management has a poor attitude toward control and has sometimes overridden these controls, a material
06/10/2010
Page 74
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
error could still occur in the financial statements. Management override and poor “tone at the top” are
common themes in corporate wrongdoing.
Pervasive controls also include the monitoring controls that assess whether the actual tone at the top is
what was intended and how well control expectations are being fulfilled.
The pervasive (sometimes called entity-level controls) could include:
•
Controls related to the control environment;
•
Controls over management override;
•
The entity’s risk assessment process;
•
Controls to monitor results of operations and other controls;
•
Controls over the period-end financial reporting process; and
•
Policies that address significant business control and risk management practices.
Smaller Entities
In smaller entities, the lack of specific business process controls (due to limited staff and resources) is
often offset by the high degree of involvement by management (such as the owner manager) in
performing controls. In fact some pervasive controls in smaller entities can often operate at a level of
precision that will actually serve to prevent or detect specific misstatements. However, the increased
involvement of senior management also increases the risk of management override. This could be
addressed through further audit procedures or the design of suitable anti-fraud controls. See Volume 1,
Chapter 5.12 below.
Pervasive Control Deficiencies
Although weaknesses in pervasive controls do not generally result in an immediate deficiency or errors in
the financial statements, they still have a significant influence on the likelihood of misstatements resulting
at the business process control level. The absence of good pervasive controls may seriously undermine
other business process controls and, consequently, significant deficiencies in these controls would be
reported to management and those charged with governance.
5.12
Anti-Fraud Controls
In the last few years a new type of internal control has begun to emerge sometimes called anti-fraud
controls. Since the vast majority of sizable frauds tend to involve senior management, the establishment
of strong anti-fraud programs and controls is considered a healthy part of the control environment in
larger entities. Anti-fraud controls can be likened to speed bumps on a road that are designed to slow
down traffic but not stop it altogether. Anti-fraud controls are designed to deter bad behaviour before it
happens but can never stop it altogether.
Anti-fraud controls are particularly relevant for larger entities but can be designed to discourage fraud in
smaller entities. They may not prevent frauds from occurring, but they do provide a powerful
disincentive. They cause the perpetrators to think carefully about the repercussions of their actions.
Anti-fraud controls can be designed to address all five internal control components. However, in relation
to risks of material misstatement in the financial statements, special emphasis is placed on the tone set at
the top of the entity. This addresses the attitudes and actions of management toward control and is part of
the control environment (see Volume 1, Chapter 5.3 above) which influences the control consciousness of
all personnel. A good “tone at the top” is considered by far the most effective anti-fraud control of all.
Two examples of anti-fraud controls applicable for smaller entities include:
06/10/2010
Page 75
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Journal entries
Non-routine journal entries have often been used by managers to commit fraud. A policy that nonroutine journal entries (over a specified amount) must be supported by an explanation and manager’s
signature (indicating approval) is a simple anti-fraud control that can be implemented in any size of
entity. Such a policy empowers the entity’s accountant to always ask the manager (requesting an
entry) for an explanation and approval. This will not necessarily stop a senior manager from
demanding an inappropriate entry to be made but the thought of having to physically document the
approval and provide an explanation may be enough to deter the request from ever being made in the
first place. If it does not deter the request, the auditor may notice that the entry was not approved and
would ask why. This could then lead to further investigation.
•
Segregation of duties
In smaller entities, the accountant or bookkeeper is often in a trusted position, has minimal
supervision and therefore lots of opportunity to commit fraud. A possible (but somewhat costly) antifraud control would be to hire a part-time bookkeeper to take over that person’s job for at least one or
more weeks per year, such as when the person is on holiday or performing other tasks. The policy of
employing a replacement person could deter the bookkeeper from committing fraud at all and if fraud
is already taking place, it might provide an opportunity to detect it.
06/10/2010
Page 76
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
6.
FINANCIAL STATEMENT ASSERTIONS
Chapter Content
Relevant ISAs
315
Use of management’s assertions in auditing.
Exhibit 6.0-1
Extent of monetary error
Correctly stated amount for transaction/balance
Combined Assertions
Completeness
(missing transactions)
Existence
(invalid transactions)
Valuation
(recorded at incorrect value)
Understated.
6.1
-
+
Overstated
Overview
Paragraph #
Relevant Extracts from ISAs
Assertions
315.4(a)
Assertions – Representations by management, explicit or otherwise, that are embodied in the financial
statements, as used by the auditor to consider the different types of potential misstatements that may
occur.
When management make a representation to the auditors such as “the financial statements as a whole are
presented fairly in accordance with the applicable financial reporting framework” it actually contains a
number of embedded assertions.
These embedded assertions (by management) relate to the recognition, measurement, presentation and
disclosure of the various elements (amounts and disclosures) in the financial statements.
Examples of management’s assertions include:
•
All the assets in the financial statements exist;
•
All sales transactions have been recorded in the appropriate period;
06/10/2010
Page 77
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Inventories are stated at appropriate values;
•
Payables represent proper obligations of the entity;
•
All recorded transactions occurred in the period under review; and
•
All amounts are properly presented and disclosed in the financial statements.
These assertions are often summarized by a single word such as completeness, existence, occurrence,
accuracy, valuation, etc. For example, management may assert to the auditor that the sales balance in the
accounting records contains all the sales transactions, (completeness assertion), the transactions took
place and are valid (occurrence assertion), and transactions have been properly recorded in the accounting
records and in the appropriate accounting period (accuracy and cut off assertion).
6.2
Description of Assertions
Paragraph A111 of ISA 315 describes the categories of assertions that can be used by the auditor to
consider the different types of potential misstatements that may occur. These categories are described in
the exhibit below.
Exhibit 6.2-1
Classes of
Transactions
and Events
for the Period
under Audit
Account
Balances at
the Period
End
06/10/2010
Assertion
Description
Occurrence
Transactions and events that have been recorded, have occurred
and pertain to the entity.
Completeness
All transactions and events that should have been recorded have
been recorded.
Accuracy
Amounts and other data relating to recorded transactions and
events have been recorded appropriately.
Cut off
Transactions and events have been recorded in the correct
accounting period.
Classification
Transactions and events have been recorded in the proper
accounts.
Assertion
Description
Existence
Assets, liabilities, and equity interests exist.
Rights and
Obligations
The entity holds or controls the rights to assets and liabilities are
the obligations of the entity.
Completeness
All assets, liabilities and equity interests that should have been
recorded have been recorded.
Page 78
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Presentation
and
Disclosure
Assertion
Description
Valuation and
Allocation
Assets, liabilities and equity interests are included in the
financial statements at appropriate amounts and any resulting
valuation or allocation adjustments are appropriately recorded.
Assertion
Description
Occurrence,
Rights and
Obligations
Disclosed events, transactions and other matters have occurred
and pertain to the entity.
Completeness
All disclosures that should have been included in the financial
statements have been included.
Classification and
Understandability
Financial information is appropriately presented and described,
and disclosures are clearly expressed.
Accuracy and
Valuation
Financial and other information are disclosed fairly and at
appropriate amounts.
The applicability of assertions to the financial statement areas is summarized below.
Exhibit 6.2-2
Classes of
Transactions
Account
Balances
Presentation and
Disclosure
Existence/occurrence
9
9
9
Completeness
9
9
9
9
9
Assertions
Rights and obligations
Accuracy/classification
9
Cut Off
9
Classification and
understandability
Valuation/allocation
6.3
9
9
9
9
9
Combined Assertions
06/10/2010
Page 79
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
ISA 315 allows the auditor to use the assertions exactly as described above or to express them differently,
provided all aspects described above have been covered.
To make the use of assertions slightly easier to apply for auditing smaller entities, this Guide has
combined a number of the assertions so that they may apply across all three categories (that is, balances,
transactions and disclosure). The four combined assertions and the individual assertions they address are
illustrated in the exhibit below.
Exhibit 6.3-1
Combined Assertions
Classes of
Transactions
Account
Balances
Presentation and
Disclosure
Completeness (C)
Completeness
Completeness
Completeness
Existence (E)
Occurrence
Existence
Occurrence
Accuracy and
Cut off (A)
Accuracy
Cut-off
Classification
Rights and Obligations
Accuracy
Rights and Obligations
Classification and
Understandability
Valuation and
allocation
Valuation
Valuation (V)
Note:
When the auditor chooses to use combined assertions such as outlined above, it is important to remember
that the accuracy and cut off assertion also includes rights and obligations, and classification and
understandability.
The following exhibit provides a description of the four combined assertions used in this Guide.
Exhibit 6.3-2
Combined Assertion
Description
Completeness (C)
Everything that should be recorded or disclosed in the financial statements has
been included.
There are no unrecorded or undisclosed assets, liabilities, transactions or
events; there are no missing or incomplete financial statement notes.
Existence (E)
Everything that is recorded or disclosed in the financial statements exists at the
appropriate date and should be included.
Assets, liabilities, recorded transactions and other matters included in the
financial statement notes exist, have occurred and pertain to the entity.
Accuracy and
Cut off (A)
06/10/2010
All liabilities, revenues, expense items, rights to assets (in the form of a hold or
control) are the property or obligation of the entity and have been recorded at
Page 80
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Combined Assertion
Description
the proper amount and allocated (cut off) to the proper period. This also
includes proper classification of amounts and disclosures in the financial
statements.
Assets, liabilities and equity interests are recorded in the financial statements
at the appropriate amount (value).
Valuation (V)
Any valuation or Allocation adjustments required by their nature or applicable
accounting principles have been appropriately recorded.
6.4
Using Assertions in Auditing
Paragraph #
Relevant Extracts from ISAs
315.25
The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level; and (Ref: Para. A105-A108)
(b) the assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A109A113)
to provide a basis for designing and performing further audit procedures.
As previously stated, the financial statements contain a number of embedded assertions. Assertions can be
used by the auditor in assessing risks at the financial statement level and the assertion level.
Exhibit 6.4-1
Assessing Risks at:
Commentary
Financial Statement
Level
The risks of material misstatement at the financial statement level tend to be
pervasive and therefore address all the assertions. For example, if the senior
accountant is not competent enough for the assigned tasks, it is quite possible
that errors could occur in the financial statements. However, the nature of such
errors will not often be confined to a single account balance, transaction stream
or disclosure. In addition, the error will not likely be confined to a single
assertion such as the completeness of sales. It could just as easily relate to
other assertions such as accuracy, existence and valuation.
Assertion Level
Risks at the assertion level relate to individual account balances at a point in
time (i.e., the period end), classes of transactions (for the fiscal period) and
presentation and disclosure in the financial statements.
The relevance of each assertion to an individual account balance (or class of
transactions or presentation and disclosure) will vary based on the
characteristics of the balance and the potential risks of material misstatement.
For example, when considering the valuation assertion, the auditor could
assess the risk of error in payables as low; however, for inventory where
06/10/2010
Page 81
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Assessing Risks at:
Commentary
obsolescence is a factor, the auditor would assess the valuation risk as high.
Another example would be where the risks of material misstatement due to
completeness (missing items) in the inventory balance are low, but high in
relation to the sales balance.
The difference between the two levels of risk assessment is illustrated in partial form in the exhibit below.
Exhibit 6.4-2
C
E
A
V
Note:
This chart uses the combined assertions described in Volume 1, Chapter 6.3.
Assertions are used by the auditor to form a basis for:
•
Considering the different types of potential misstatements that may occur;
•
Assessing the risks of material misstatement; and
•
Designing further audit procedures that are responsive to the assessed risks.
Exhibit 6.4-3
Use of Assertions
Procedures
Considering
Types of Potential
Misstatement
This would include performing risk assessment procedures to identify possible
risks of material misstatement. For example, the auditor might ask questions
such as the following:
• Does the asset exist? (Existence)
• Does the entity own it? (Rights and obligations)
06/10/2010
Page 82
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Use of Assertions
Procedures
•
•
•
•
•
Are all the sales transactions properly recorded? (Completeness)
Has the inventory balance been adjusted for slow-moving and obsolete
items? (Valuation)
Does the payable balance include all known liabilities at the period end?
(Completeness)
Were transactions recorded in the right period? (Cut off)
Are amounts properly presented and disclosed in the financial statements?
(Accuracy)
Assessing Risks of
Material
Misstatement
The risk of material misstatement is a combination of inherent risk and control
risk. The assessment process includes:
• Inherent risk
Identify potential misstatements and the assertions involved and then
assess the likelihood of the risk’s occurrence and possible magnitude.
• Control risk
Identify and evaluate any relevant internal controls in place that mitigate
the assessed risks and address the underlying assertions.
Designing Audit
Procedures
The final step is to design audit procedures to be responsive to the assessed
risks by assertion. For example, if the risk is high that receivables are
overstated (existence assertion), the audit procedures should be designed to
specifically address the existence assertion. If sales completeness was a risk,
the auditor could design a tests of controls that addresses the completeness
assertion.
06/10/2010
Page 83
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
7.
MATERIALITY AND AUDIT RISK
Chapter Content
Relevant ISAs
Applying the concept of materiality appropriately in
planning and performing the audit.
320
Paragraph #
ISA Objective(s)
320.8
The objective of the auditor is to apply the concept of materiality appropriately in planning and
performing the audit.
Exhibit 7.0-1
Identifying and assessing the
risks of material misstatement
Risk Response
Determining:
- materiality for the financial
statements as a whole
Reporting
Risk Assessment
Use of Materiality in the Audit
Determining the nature, timing and extent
of further audit procedures
Revisions to materiality as a result of a
change in circumstances during the audit
Evaluating the effect of uncorrected
misstatements,
Forming the opinion in the auditor's report
Paragraph #
Relevant Extracts from ISAs
320.9
For purposes of the ISAs, performance materiality means the amount or amounts set by the auditor at less
than materiality for the financial statements as a whole to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the
financial statements as a whole. If applicable, performance materiality also refers to the amount or
amounts set by the auditor at less than the materiality level or levels for particular classes of transactions,
account balances or disclosures.
320.10
When establishing the overall audit strategy, the auditor shall determine materiality for the financial
statements as a whole. If, in the specific circumstances of the entity, there is one or more particular classes
of transactions, account balances or disclosures for which misstatements of lesser amounts than materiality
for the financial statements as a whole could reasonably be expected to influence the economic decisions
of users taken on the basis of the financial statements, the auditor shall also determine the materiality level
or levels to be applied to those particular classes of transactions, account balances or disclosures. (Ref:
Para. A2-A11)
320.11
The auditor shall determine performance materiality for purposes of assessing the risks of material
06/10/2010
Page 84
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
misstatement and determining the nature, timing and extent of further audit procedures. (Ref: Para. A12)
7.1
Overview
Materiality addresses the significance of financial statement information to economic decisions taken by
users on the basis of the financial statements. The concept of materiality recognizes that some matters,
either individually or in the aggregate, are important to people making an economic decision based on the
financial statements. This could include decisions such as whether to invest in, purchase, do business with or
lend money to an entity.
This chapter addresses the use of materiality in auditing in general. See Volume 2, Chapter 6 of this
Guide for additional guidance on establishing specific materiality amounts.
When a misstatement (or the aggregate of all misstatements) is significant enough to change or influence
the decision of an informed person, a material misstatement has occurred. Below this threshold, the
misstatement is generally regarded as not material. This threshold, above which the financial statements
would be materially misstated, is called ‘materiality for the financial statements as a whole’. For the
purposes of this guide this term has been shortened to ‘overall’ materiality.
Note:
The determination of ‘materiality for the financial statements as a whole’ (overall materiality)
is not based on any assessment of audit risk. It is determined entirely in relation to the users of
the financial statements. It would typically be the same as that used by the preparer of the
financial statements.
Let’s assume that the decision of a financial statement user group would be influenced by a misstatement
of 10,000Є in the financial statements. This would be the materiality for the financial statements as a
whole (or overall materiality) for both the preparer and the auditor. Any individual misstatement or
aggregate of individually immaterial misstatements that exceeds the 10,000Є amount would result in the
financial statements being materially misstated.
The responsibility of the auditor is to reduce to an appropriately low level the probability that the
aggregate of uncorrected and undetected misstatements in the financial statements exceeds the materiality
for the financial statements as a whole. If the auditor simply planned to perform audit procedures that
would identify individual misstatements exceeding 10,000Є there is a risk that the aggregate of
individually immaterial misstatements, not identified during the audit, would result in the 10,000Є
materiality threshold being exceeded. So the auditor needs to perform some additional work that is
sufficient to allow for a margin or buffer for possible undetected misstatements. The purpose of
performance materiality is to provide such a buffer.
Performance materiality enables the auditor to establish materiality amounts, (based upon but lower than
overall materiality), that reflect the risk assessments for the various financial statement areas. These lower
amounts provide a safety buffer between the materiality (performance materiality) used for determining
the nature and extent of audit procedures to be performed and the overall materiality.
In the example above, the auditor using professional judgement may decide that a performance
materiality of 6,000Є would be used in designing the extent of the audit procedures to be performed. The
buffer of 4,000Є (10,000Є - 6,000Є) between performance materiality and overall materiality provides a
06/10/2010
Page 85
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
safety margin for any undetected misstatements that may exist.
7.2 Financial statement users
Materiality is used in both preparing and auditing the financial statements. Materiality for the financial
statements as a whole (overall materiality) is often explained (such as in financial reporting frameworks)
in the terms such as below.
Exhibit 7.2-1
Influence on
Making Economic
Decisions
Misstatements, including omissions, are considered to be material if they,
individually or in the aggregate, could reasonably be expected to influence the
economic decisions of users taken on the basis of the financial statements.
Surrounding
Circumstances
Judgments about materiality are made in light of surrounding circumstances
and are affected by the size or nature of a misstatement or a combination of
both.
Common Needs
of Users
Judgments about matters that are material to users of the financial statements
are based on a consideration of the common financial information needs of
users as a group. The possible effect of misstatements on specific individual
users, whose needs may vary widely, is not considered.
The auditor determines materiality based on his/her perception of the needs of users. In applying his/her
professional judgment, it is reasonable for the auditor to assume that users of the financial statements:
•
Have a reasonable knowledge of business, economic activities, and accounting and have a
willingness to study the information in the financial statements with reasonable diligence;
•
Understand that financial statements are prepared and audited to levels of materiality;
•
Recognize the uncertainties inherent in the measurement of amounts based on the use of estimates,
judgment and the consideration of future events; and
•
Make reasonable economic decisions on the basis of the information in the financial statements.
7.3 Nature of misstatements
Misstatements may arise from a number of causes and can be based on the following.
•
Size — the monetary amount involved (quantitative);
•
Nature of the item (qualitative); and
•
Circumstances surrounding the occurrence.
Exhibit 7.3-1
Typical
Misstatements
06/10/2010
•
•
•
•
•
•
Errors and fraud identified in the preparation of the financial statements;
Departures from the applicable financial reporting framework;
Fraud perpetrated by employees or management;
Management error;
Preparation of inaccurate or inappropriate estimates; or
Inappropriate or incomplete descriptions of accounting policies or note
Page 86
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
disclosures.
Materiality is not an absolute number. It represents a grey area between what is very likely not material
and what is very likely material. Consequently, the assessment of what is material is always a matter of
professional judgment.
In some situations, a matter well below the quantitative materiality level may be determined as material
based on the nature of the item or the circumstances related to the misstatement. For example, the
information that there are a number of transactions with related parties may be very significant to a person
making a decision based on the financial statements. Finally, a series of immaterial items may well
become material when aggregated together.
Exhibit 7.3-2
Extent of Misstatements
(Quantitative and qualitative)
The Subject
Matter Information
Reasonable
User
Misstatements
are
material
Decision would
be changed or
influenced
Materiality
threshold
Misstatements
are
immaterial
7.4
Decision would
not be changed or
influenced
Materiality and Audit Risk
Materiality (as discussed above) and audit risk are related and are considered together throughout the
audit process.
Audit risk is the possibility that an auditor expresses an inappropriate audit opinion on financial
statements that are materially misstated.
Exhibit 7.4-1
Audit Risk Components
Risks of Material
Misstatement
(RMM)
06/10/2010
The risk that the financial statements are materially misstated prior to the start
of any audit work. These risks are considered at the financial statement level
(often pervasive risks, affecting many assertions) and at the assertion level,
Page 87
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Audit Risk Components
which relates to classes of transactions, account balances, and disclosures.
RMM is a combination of inherent risk (IR) and control risk (CR), which can
be summarized as IR x CR = RMM
Detection Risk
The risk that the auditor fails to detect a misstatement that exists in an
assertion that could be material. Detection risk (DR) is addressed through:
• Sound audit planning;
• Performing audit procedures that respond to the risks of material
misstatement identified;
• Proper assignment of audit personnel;
• The application of professional skepticism; and
• Supervision and review of the audit work performed.
Detection risk can never be reduced to zero. This is because of the inherent
limitations in the audit procedures carried out, the human judgments
(professional) required and the nature of the evidence examined.
Audit risk (AR) can therefore be summarized as:
AR = RMM x DR
Materiality and audit risk are considered throughout the audit in:
•
Identifying and assessing the risks of material misstatement;
•
Determining the nature, timing and extent of further audit procedures;
•
Determining revisions to materiality (overall and performance) as a result of becoming aware of new
information during the audit that would have caused the auditor to have determined a different
amount (or amounts) initially; and
•
Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming
the opinion in the auditor’s report.
Using a simple analogy of a high jump in athletics, materiality would be equivalent to the height of the
bar that the athlete has to jump over. Audit risk is equivalent to the level of difficulty inherent in the jump
at that particular height (RMM) combined with the additional risk of making a mistake in jump strategy
or execution (detection risk).
7.5
Materiality Levels
Paragraph #
Relevant Extracts from ISAs
320.12
The auditor shall revise materiality for the financial statements as a whole (and, if applicable, the
materiality level or levels for particular classes of transactions, account balances or disclosures) in the
event of becoming aware of information during the audit that would have caused the auditor to have
determined a different amount (or amounts) initially. (Ref: Para. A13)
320.13
If the auditor concludes that a lower materiality for the financial statements as a whole (and, if applicable,
materiality level or levels for particular classes of transactions, account balances or disclosures) than that
06/10/2010
Page 88
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
initially determined is appropriate, the auditor shall determine whether it is necessary to revise
performance materiality, and whether the nature, timing and extent of the further audit procedures remain
appropriate.
320.14
The auditor shall include in the audit documentation the following amounts and the factors considered in
their determination:
(a)
Materiality for the financial statements as a whole;
(b)
If applicable, the materiality level or levels for particular classes of transactions, account
balances or disclosures;
(c)
Performance materiality; and
(d)
Any revision of (a)-(c) as the audit progressed.
Exhibit 7.5-1
Financial
statement
level
Account balance,
class of transactions
and disclosures level
‘Overall’ Materiality
(for the financial statements as a whole)
‘Overall’ Performance Materiality
‘Specific’ Materiality
(for particular financial statement areas)
‘Specific’ Performance
Materiality
Quantitative amount
Note: The terms ‘overall’ and ‘specific’ used in the chart above and in the text below are used for the
purposes of this Guide and are not terms used in the ISAs. Overall materiality refers to materiality
for the financial statements as a whole and specific materiality relates to materiality for particular
classes of transactions, account balances or disclosures.
At the start of the audit, the auditor makes judgments about the size and nature of misstatements that
would be considered material. This includes establishing materiality amounts as set out below.
Establishing Materiality Amounts
Exhibit 7.5-2
Overall materiality
Overall materiality relates to the financial statements as a whole. It is based on
what could reasonably be expected to influence the economic decisions of the
financial statement users, taken on the basis of the financial statements. It
would be changed during the audit if the auditor becomes aware of information
that would have caused him/her to have determined a different amount (or
amounts) initially.
Overall performance
Performance materiality is set at a lower amount than the overall materiality.
06/10/2010
Page 89
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
materiality
Performance materiality enables the auditor to respond to specific risk
assessments (without changing the overall materiality) and to reduce to an
appropriately low level the probability that the aggregate of uncorrected and
undetected misstatements exceeding the overall materiality. Performance
materiality would be changed based on audit findings (such as where a risk
assessment was revised).
Specific materiality
Specific materiality is established for classes of transactions, account balances
or disclosures where misstatements of lesser amounts than overall materiality
could reasonably be expected to influence the economic decisions of users,
taken on the basis of the financial statements.
Specific
performance
materiality
Specific performance materiality is set at a lower amount than the specific
materiality. This enables the auditor to respond to specific risk assessments
and to allow for the possible existence of undetected and immaterial
misstatements aggregating to a material amount.
Materiality for the financial statements as a whole
Materiality for the financial statements as a whole (overall materiality) is based on the auditor’s
perception of the financial information needs of users of the financial statements. This would typically be
determined at a similar amount to that used by the financial statement preparer. Using professional
judgment, the auditor would set materiality at the highest amount of misstatement that would not
influence the economic decisions of financial statement users.
Once established, the overall materiality amount becomes one of the factors by which the ultimate
success or failure of the audit will be judged. For example, assume overall materiality was set at an
amount of 20,000Є. If as a result of performing audit procedures:
•
No misstatements were identified – an unmodified opinion would be provided.
•
Some small (immaterial) misstatements were identified and not corrected - an unmodified opinion
would be provided.
•
Uncorrected misstatements exceeding materiality (of 20,000Є) were found and management was
unwilling to make the necessary adjustments – a qualified or adverse opinion would be required.
•
Uncorrected errors exceeding materiality (of 20,000Є) exist in the financial statements but were not
detected by the auditor – then an inappropriate unmodified audit opinion may be issued.
Refer to Volume 2, Chapter 21 for guidance on how to use materiality in evaluating the audit evidence
obtained.
Auditors are sometimes tempted to lower the overall materiality amount when the risk of material
misstatement is assessed as high. This would not be appropriate; however, as overall materiality addresses
the needs of financial statements users, not the level of audit risk involved.
If audit risk was a factor in setting overall materiality, a high-risk audit would end up with a lower overall
materiality amount than that set for a similar-sized entity where audit risk was low. Assuming that the
information needs of financial statement users are the same, regardless of audit risk, setting the overall
materiality amount at a lower level would result in:
06/10/2010
Page 90
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Providing financial statement users with an expectation that smaller misstatements in the financial
statements (than is actually necessary) will be identified by the auditor; and
•
Additional audit work to ensure that audit risk has been reduced to an appropriately low level.
Because overall materiality is set in relation to the needs of financial statement users, it would not be
changed as a result of audit findings and changes in assessed risks. Overall materiality is required to be
updated when the auditor becomes aware of information that would have caused the initial determination
of materiality to be a different amount (or amounts).
At the conclusion of the audit, overall materiality will be used for evaluating the effect of identified
misstatements on the financial statements and the appropriateness of the opinion in the auditor’s report.
Performance Materiality
Performance materiality allows the auditor to address the risks of misstatement in account balances,
classes of transactions and disclosures without having to change overall materiality. Performance
materiality enables the auditor to establish materiality amounts that are based on the overall materiality
but are set at lower amounts to reflect the risk of not detecting misstatements and to reflect risk
assessments. This lower amount(s) establishes a safety buffer between the materiality used for
determining the nature and extent of testing (performance materiality) and the materiality amount for the
financial statements as a whole (overall materiality).
Setting an appropriate amount for performance materiality will ensure that more work is performed which
increases the likelihood that misstatements (if they exist) will be identified. For example, if overall
materiality was 20,000Є and audit procedures were planned to detect all errors in excess of 20,000Є, it is
quite possible that an error of say 8,000Є would go undetected. If three such errors existed, amounting to
24,000Є, the financial statements would be materially misstated. However, if performance materiality
was set at 12,000Є, it would be much more likely that at least one or all of the 8,000Є errors would be
detected. Even if only one of the three errors was identified and corrected, the remaining misstatement of
16,000Є would be less than the overall materiality and the financial statements as a whole would not be
materially misstated.
Setting an appropriate amount for performance materiality involves the exercise of professional judgment
and is not a simple mechanical calculation such as a percentage (for example, 75%) of the overall
materiality level. However, based on the particular circumstances of the entity being audited, it could be
set as a single amount for the financial statements as a whole, or at individual amounts for particular
balances, transactions and disclosures.
The determination of performance materiality involves the exercise of professional judgment based on
factors that address audit risk such as the following:
•
Understanding of the entity and results of performing risk assessment procedures;
•
Nature and extent of misstatements identified in previous audits; and,
•
Expectations of possible misstatements in the current period.
Performance materiality as a whole or for individual balances, transactions and disclosures may have to
be changed at any time during the audit (without impacting overall materiality) to reflect revised risk
assessments, audit findings and new information obtained. At the conclusion of the audit, the overall
materiality would be used for evaluating the effect of identified misstatements on the financial statements
and determining the opinion to be expressed in the auditor’s report. See Volume 2, Chapter 21 for further
guidance.
06/10/2010
Page 91
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
When a possible misstatement is identified, address the circumstances of occurrence and the impact on risk assessments/audit
plans before reconsidering performance materiality.
Specific Materiality
There are some situations where misstatements of lesser amounts than materiality for the financial
statements as a whole could reasonably be expected to influence the economic decisions of users, taken
on the basis of the financial statements.
Exhibit 7.5-3
Decision Influencers
Possible Examples
•
Sensitive financial statement disclosures such as the remuneration of
management and those charged with governance.
•
Related party transactions.
•
Non-compliance with loan covenants, contractual agreements,
regulatory provisions and statutory/regulatory reporting requirements.
•
Certain types of expenditures such as illegal payments or executives’
expenses.
Key Industry
Disclosures
•
Reserves and exploration costs for a mining entity.
•
Research and development costs for a pharmaceutical entity.
Disclosure of
Significant Events
and Important
Changes in
Operations
•
Newly acquired businesses or expansion of operations.
•
Discontinued operations.
•
Unusual events or contingencies (e.g., lawsuits).
•
Introduction of new products and services.
Laws, Regulations
and Accounting
Framework
Requirements
The auditor would consider the existence of matters such as the above for one or more particular classes
of transactions, account balances or disclosures. The auditor may also find it useful to obtain an
understanding of the views and expectations of those charged with governance and management.
Specific Performance Materiality
This is the same as the performance materially discussed above except that it relates to the amounts set for
specific materiality. Specific performance materiality would be set at a smaller amount than specific
materiality to ensure sufficient audit work is performed to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected misstatements exceeding the specific
materiality.
7.6
Documentation of Materiality
Paragraph #
Relevant Extracts from ISAs
320.14
The auditor shall include in the audit documentation the following amounts and the factors considered in
their determination:
06/10/2010
Page 92
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(a)
Materiality for the financial statements as a whole;
(b)
If applicable, the materiality level or levels for particular classes of transactions, account
balances or disclosures;
(c)
Performance materiality and
(d)
Any revision of (a)-(c) as the audit progressed.
Because materiality amounts are based on the auditor’s professional judgment, it is important that the
factors and amounts involved in determining materiality at the various levels be properly documented.
This would typically occur as follows:
•
During the planning phase when decisions are made about the extent of work required
•
During the audit when based on audit findings, revisions may be required to either overall
materiality or performance materiality for particular classes of transactions, account balances or
disclosures.
Documentation would address:
1. The users of the financial statements
2. The factors used in determining;
a. Materiality for the financial statements as a whole and if applicable, the materiality level or
levels for particular classes of transactions, account balances or disclosures
b. Performance materiality; and
3. Any revision of materiality amounts in point 2 above as the audit progressed.
06/10/2010
Page 93
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
8.
RISK ASSESSMENT PROCEDURES
Chapter Content
The nature and use of risk assessment procedures by
an auditor to identify and assess the risks of material
misstatement.
Relevant ISAs
240, 315
The three risk assessment procedures are illustrated in the exhibit below.
Exhibit 8.0-1
Paragraph #
Relevant Extracts from ISAs
315.5
The auditor shall perform risk assessment procedures to provide a basis for the identification and
assessment of risks of material misstatement at the financial statement and assertion levels. Risk
assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on
which to base the audit opinion. (Ref: Para. A1-A5)
315.6
The risk assessment procedures shall include the following:
(a) Inquiries of management and of others within the entity who in the auditor’s judgment may have
information that is likely to assist in identifying risks of material misstatement due to fraud or error.
(Ref: Para. A6)
(b) Analytical procedures. (Ref: Para. A7-A10)
(c) Observation and inspection. (Ref: Para. A11)
315.11
The auditor shall obtain an understanding of the following:
(a) Relevant industry, regulatory, and other external factors including the applicable financial reporting
framework. (Ref: Para. A17-A22)
(b) The nature of the entity, including:
(i) its operations;
06/10/2010
Page 94
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make, including investments in
special-purpose entities; and
(iv) the way that the entity is structured and how it is financed to enable the auditor to understand the
classes of transactions, account balances, and disclosures to be expected in the financial
statements. (Ref: Para. A23-A27)
(c) The entity’s selection and application of accounting policies, including the reasons for changes
thereto. The auditor shall evaluate whether the entity’s accounting policies are appropriate for its
business and consistent with the applicable financial reporting framework and accounting policies
used in the relevant industry. (Ref: Para. A28)
(d) The entity’s objectives and strategies, and those related business risks that may result in risks of
material misstatement. (Ref: Para. A29-A35)
(e) The measurement and review of the entity’s financial performance. (Ref: Para. A36-A41)
315.12
8.1
The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls
relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial
reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control,
individually or in combination with others, is relevant to the audit. (Ref: Para. A42-A65)
Overview
The purpose of risk assessment procedures is to identify and assess risks of material misstatement. This is
achieved through understanding the entity and its environment, including internal control. Information
may be obtained from external sources, such as the internet and trade publications, and from internal
sources such as discussions with key personnel. This understanding of the entity becomes a continuous,
dynamic process of gathering, updating and analyzing information throughout the audit.
8.2
Audit Evidence
Risk assessment procedures provide audit evidence to support the assessment of risks at the financial
statement and assertion levels. However, this evidence does not stand alone. Evidence obtained from risk
assessment procedures is supplemented by further audit procedures (that respond to the risks identified)
such as tests of controls and/or substantive procedures.
Required Procedures
The auditor uses professional judgment to determine the risk assessment procedures to be performed and
the scope or depth of understanding of the entity that is required. In the first year that the auditor conducts
the audit for an entity, the work required to obtain and document this information will often require a
significant amount of time. However, if the information obtained is well documented in the first year, the
time required to update the information in subsequent years should be considerably less than that required
in the first year.
The auditor needs to perform sufficient risk assessment procedures to identify the business and fraud risk
factors that could result in material misstatement. This includes consideration of any events or conditions
that may cast significant doubt on the entity's ability to continue as a going concern.
The required scope or depth for understanding the entity is set out in paragraphs 11 and 12 of ISA 315
(reproduced above). This depth of overall understanding by the auditor will be less than that possessed by
management in managing the entity.
06/10/2010
Page 95
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider point
When designing the nature and extent of risk assessment procedures to be performed remember that some
ISA’s outline specific matters to be considered. Some examples are included below:
ISA 240.16
Fraud in an audit of financial statements
When performing risk assessment procedures and related activities to obtain an understanding of the entity and
its environment, including the entity's internal control, required by CAS 315, 7 the auditor shall perform the
procedures in paragraphs 17-24 (of ISA 240) to obtain information for use in identifying the risks of material
misstatement due to fraud.
ISA 540.8
Auditing accounting estimates
When performing risk assessment procedures and related activities to obtain an understanding of the entity and
its environment, including the entity's internal control, as required by CAS 315, 4 the auditor shall obtain an
understanding of the following in order to provide a basis for the identification and assessment of the risks of
material misstatement for accounting estimates:
(a)
The requirements of the applicable financial reporting framework relevant to accounting estimates,
including related disclosures.
(b)
How management identifies those transactions, events and conditions that may give rise to the need for
accounting estimates to be recognized or disclosed in the financial statements. In obtaining this understanding,
the auditor shall make inquiries of management about changes in circumstances that may give rise to new, or the
need to revise existing, accounting estimates.
(c)
How management makes the accounting estimates, and an understanding of the data on which they are
based, including:
(i)
The method, including, where applicable, the model, used in making the accounting
estimate;
(ii)
Relevant controls;
(iii) Whether management has used an expert;
(iv)
The assumptions underlying the accounting estimates;
(v)
Whether there has been or ought to have been a change from the prior period in the methods
for making the accounting estimates, and if so, why; and
(vi)
ISA 550.11
Whether and, if so, how management has assessed the effect of estimation uncertainty.
Related Parties
As part of the risk assessment procedures and related activities that CAS 315 and CAS 240 require the auditor to
perform during the audit, the auditor shall perform the audit procedures and related activities set out in
paragraphs 12-17 (of ISA 550) to obtain information relevant to identifying the risks of material misstatement
associated with related party relationships and transactions.
ISA 570.10
Going Concern
When performing risk assessment procedures as required by CAS 315, 3 the auditor shall consider whether there
are events or conditions that may cast significant doubt on the entity's ability to continue as a going concern.
06/10/2010
Page 96
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
In smaller entities, the procedures required to identify these risks may be minimal whereas in larger and
more complex entities the procedures could be extensive.
8.3
The Three Risk Assessment Procedures
Each of the three risk assessment procedures should be performed during the audit, but not necessarily for
each aspect of the understanding required. In many situations, the results from performing one type of
procedure may lead to performing another. For example, in an interview with the sales manager, an
unusual but significant sales contract might be identified. This could be followed up by an inspection of
the actual sales contract and an analysis of the impact on sales margins. Alternatively, findings from
performing analytical procedures on preliminary operating results may trigger some questions for
management. The answers to these questions may then lead to requests to inspect certain documents or
observe some activities.
The nature and use of the three procedures is outlined below.
8.4
Inquiries of Management and Others (including inquiries relating to fraud)
Paragraph #
Relevant Extracts from ISAs
240.17
The auditor shall make inquiries of management regarding:
(a) Management’s assessment of the risk that the financial statements may be materially misstated due to
fraud, including the nature, extent and frequency of such assessments; (Ref: Para. A12-A13)
(b) Management’s process for identifying and responding to the risks of fraud in the entity, including any
specific risks of fraud that management has identified or that have been brought to its attention, or
classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist;
(Ref: Para. A14)
(c) Management’s communication, if any, to those charged with governance regarding its processes for
identifying and responding to the risks of fraud in the entity; and
(d) Management’s communication, if any, to employees regarding its views on business practices and
ethical behavior.
240.18
The auditor shall make inquiries of management, and others within the entity as appropriate, to determine
whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. (Ref: Para.
A15-A17)
240.20
Unless all of those charged with governance are involved in managing the entity, the auditor shall obtain
an understanding of how those charged with governance exercise oversight of management’s processes for
identifying and responding to the risks of fraud in the entity and the internal control that management has
established to mitigate these risks. (Ref: Para. A19-A21)
06/10/2010
Page 97
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
240.21
Unless all of those charged with governance are involved in managing the entity, the auditor shall make
inquiries of those charged with governance to determine whether they have knowledge of any actual,
suspected or alleged fraud affecting the entity. These inquiries are made in part to corroborate the
responses to the inquiries of management.
Inquiry is used by the auditor in conjunction with other risk assessment procedures to assist in identifying
risks of material misstatement. The focus of the questions is to obtain an understanding of each of the
required aspects as set out in paragraphs 11 and 12 of ISA 315 (reproduced above).
Typically, most information from inquiries is obtained from management and those responsible for
financial reporting. However, inquiries of others within the entity and employees with different levels of
authority can provide a different perspective and additional information that can be useful in identifying
risks of material misstatement that may otherwise be missed. For example, a discussion with the sales
manager might reveal that certain sales transactions (late in the period) were rushed through and not
recorded in accordance with the entity’s revenue recognition policies.
Areas of inquiry are outlined in the chart below.
Exhibit 8.4-1
Interview:
Inquire About…
•
Those Charged with
•
Governance
(if not involved in
managing the entity)
•
•
Management and
Those Responsible
for Financial
Reporting
•
•
•
•
•
•
•
•
•
•
Key Employees
(purchasing,
payroll, accounting,
etc.)
06/10/2010
•
•
•
Environment in which the financial statements are prepared.
Oversight of management’s processes for identifying and responding to
the risks of fraud or error in the entity and the internal control that
management has established to mitigate these risks.
Knowledge of any actual, suspected or alleged fraud affecting the entity.
Consider attending a meeting of those charged with governance and
reading the minutes of their past meetings.
Management’s assessment of the risk that the financial statements may be
materially misstated due to fraud or error, including the nature, extent and
frequency of such assessments.
Management’s communication, if any, to employees regarding its views
on business practices and ethical behavior.
The entity’s culture (values and ethics).
Management’s operating style.
Management incentive plans.
Potential for management override.
Knowledge of fraud or suspected fraud.
How estimates are prepared.
The financial statement preparation and review process.
Management’s communication, if any, to those charged with governance.
Business trends and unusual events.
The initiating, processing or recording of complex or unusual transactions.
The extent of management override (i.e., have these employees ever been
asked to override internal controls?).
Page 98
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Interview:
Marketing or Sales
Personnel
Inquire About…
•
The appropriateness/application of the accounting policies used.
•
•
•
•
Marketing strategies and sales trends.
Sales performance incentives.
Contractual arrangements with customers.
The extent of management override (i.e., have these employees ever been
asked to override internal controls or revenue recognition accounting
policies?).
Consider Point
Do not confine your questions (especially in smaller audits) to the owner-manager and the accountant.
Ask other employees (if any) in the entity (such as the sales manager, production manager or other
employees) about trends, unusual events, major business risks, the functioning of internal control and
any instances of management override.
If a possible fraud involving senior management or those charged with governance is discovered,
consult immediately with the engagement partner, and consider obtaining legal advice on how to
proceed. The information should also be kept confidential to ensure privacy and confidentiality
requirements are properly followed. Also check the code of ethics for any additional requirements and
guidance.
8.5
Analytical Procedures
Analytical procedures used as risk assessment procedures help to identify matters that have financial
statement and audit implications. Some examples are unusual transactions or events, amounts, ratios and
trends.
In addition to being a risk assessment procedure, analytical procedures can also be used as further audit
procedures in:
•
Obtaining evidence about a financial statement assertion. This would be a substantive analytical
procedure and is discussed in further detail in Volume 1, Chapter 10 of this Guide; and
06/10/2010
Page 99
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Performing an overall review of the financial statements at, or near, the end of the audit.
Most analytical procedures are not very detailed or complex. They often use data aggregated at a high
level, which means the results can only provide a broad initial indication about whether a material
misstatement may exist.
The steps involved in performing analytical procedures are outlined in the exhibit below.
Exhibit 8.5-1
What To Do
How To Do It
Identify
Relationships within
the Data
Develop expectations about plausible relationships among the various types of
information that could reasonably be expected to exist. Where possible, seek to
use independent sources of information (i.e., not internally generated).
The financial and non-financial information could include:
• Financial statements for comparable previous periods;
• Budgets, forecasts and extrapolations, including extrapolations from
interim or annual data; and
• Information regarding the industry in which the entity operates and current
economic conditions.
Compare
Compare expectations with recorded amounts or ratios developed from
recorded amounts.
Evaluate Results
Evaluate the results.
Where unusual or unexpected relationships are found, consider potential risks
of material misstatement.
The results of these analytical procedures should be considered along with other information gathered to:
•
Identify the risks of material misstatement related to assertions embodied in significant financial
statement items; and
•
Assist in designing the nature, timing and extent of further audit procedures.
Note: Some smaller entities may not be able to provide the auditor with current financial information such
as interim or monthly financial information for performing analytical procedures. In these
circumstances, some information may be obtained through inquiry, but detailed inquiries may need
to wait until an early draft of the entity's financial statements is available.
8.6
Observation and Inspection
06/10/2010
Page 100
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Observation and inspection:
•
Support the inquiries made of management and others; and
•
Provide additional information about the entity and its environment.
Observation and inspection procedures ordinarily include a procedure and an application, as outlined in
the chart below.
Exhibit 8.6-1
Procedure
Potential Application
Observation
Consider observing:
• How the entity operates and is organized;
• Entity's premises and plant facilities;
• Management’s operating style and attitude toward internal control;
• Operation of various internal control procedures; and
• Compliance with key policies.
Inspection
Consider inspecting documents such as:
• Business plans, strategies and proposals;
• Industry studies and media reports on the entity;
• Major contracts and commitments;
• Regulations and correspondence with regulators;
• Correspondence with lawyers, bankers and other stakeholders;
• Accounting policies and records;
• Internal control manuals;
• Reports prepared by management (such as performance data and interim
financial statements); and
• Other reports such as minutes from meetings of those charged with
governance, reports from consultants, etc.
8.7
Design and Implementation of Internal Controls
Risk assessment procedures also include the procedures involved in evaluating the design and
implementation of relevant internal controls. These procedures are addressed in more detail in Volume 2,
Chapter 11.
8.8
Other Sources of Information about Risks
Other procedures performed by the auditor may be used for risk assessment purposes. Some typical
examples are set out below.
06/10/2010
Page 101
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 8.8-1
Source
Description
Client Acceptance
or Continuance
Relevant information obtained from performing preliminary procedures.
Previous Work
Relevant experience gained from previous engagements and other types of
engagements performed for the entity.
This could include:
• Areas of concern in previous audits;
• Weaknesses in internal control;
• Changes in organizational structure, business processes and internal
control systems; and
• Past misstatements and whether they were corrected on a timely basis.
External
Information
•
•
•
Audit Team
Discussions
Results of team discussion (including the partner) about the susceptibility of
the entity’s financial statements to material misstatements, including fraud.
06/10/2010
Inquiries of the entity’s external legal counsel or valuation experts.
Review of reports by prepared by banks or rating agencies
Information on the industry and state of the economy obtained from
internet searches, trade and economic journals and regulatory and financial
publications.
Page 102
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
9.
RESPONDING TO ASSESSED RISKS
Chapter Content
Relevant ISAs
Designing and implementing appropriate responses to
assessed risks.
240, 300,
330, 500
Exhibit 9.0-1
Assessed Risks...
At
Assertion Level
At Financial
Statement Level
Auditor’s Response
Overall
Responses
Further Audit
Procedures
Examples include:
- Professional skepticism
- Level of staff assigned
- Ongoing staff supervision
- Evaluate accounting policies
- Nature/extent/timing
and unpredictability
of planned procedures
- Other further procedures
Substantive
procedures
Tests of
detail
Tests of
Control
Substantive
Analytical
Result
Sufficient appropriate audit evidence to
reduce audit risk to an acceptably low level
Paragraph #
330.3
ISA Objective(s)
The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of
material misstatement, through designing and implementing appropriate responses to those risks.
Paragraph #
Relevant Extracts from ISAs
300.9
The auditor shall develop an audit plan that shall include a description of:
(a) The nature, timing and extent of planned risk assessment procedures, as determined under ISA 315.
(b) The nature, timing and extent of planned further audit procedures at the assertion level, as determined
under ISA 330.
(c) Other planned audit procedures that are required to be carried out so that the engagement complies
with ISAs. (Ref: Para. A12)
06/10/2010
Page 103
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
330.7
In designing the further audit procedures to be performed, the auditor shall:
(a) Consider the reasons for the assessment given to the risk of material misstatement at the assertion
level for each class of transactions, account balance, and disclosure, including:
(i) The likelihood of material misstatement due to the particular characteristics of the relevant class of
transactions, account balance, or disclosure (i.e., the inherent risk); and
(ii) Whether the risk assessment takes account of relevant controls (i.e., the control risk), thereby
requiring the auditor to obtain audit evidence to determine whether the controls are operating
effectively (i.e., the auditor intends to rely on the operating effectiveness of controls in
determining the nature, timing and extent of substantive procedures); and (Ref: Para. A9-A18)
(b) Obtain more persuasive audit evidence the higher the auditor’s assessment of risk. (Ref: Para. A19)
500.6
9.1
The auditor shall design and perform audit procedures that are appropriate in the circumstances for the
purpose of obtaining sufficient appropriate audit evidence. (Ref: Para. A1-A25)
Overview
Risk assessment procedures (see Volume 1, Chapter 8 of this Guide) are designed to identify and assess
risks at both the financial statement level and at the assertion level for material classes of transactions,
account balances and disclosures.
Further audit procedures (see Volume 1, Chapter 10 of this Guide) are designed to be responsive to the
assessed risks of material misstatement at the assertion level. Their purpose is to obtain sufficient
appropriate audit evidence to reduce audit risk to an acceptably low level.
The three main categories of audit procedures are illustrated below.
Exhibit 9.1-1
Risk assessment
procedures
Further
audit procedures
Overall
responses
Evidence to support
assessed risks
Evidence that will
reduce audit risk to
acceptably low level
To address assessed
RMM at the F/S
level
RMM = Risks of Material Misstatement
F/S = Financial Statements
Assessed risks at the financial statement level are pervasive in nature and require overall audit responses
such as determining the experience of those assigned to perform the work, the level of supervision
required and any required modification to the nature and extent of planned audit procedures.
Assessed risks at the assertion level relate to particular account balances, classes of transactions and
disclosures. The response is to perform further audit procedures such as tests of details, tests of controls
and substantive analytical procedures
06/10/2010
Page 104
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The design of further audit procedures will be affected by:
•
Results of performing risk assessment procedures and the resulting assessments of risk at the
assertion level
•
Overall responses developed by the auditor in relation to the assessed risks of material
misstatement at the financial statement level.
9.2
Overall Responses to Risks at the Financial Statement Level
Paragraph #
Relevant Extracts from ISAs
330.5
The auditor shall design and implement overall responses to address the assessed risks of material
misstatement at the financial statement level. (Ref: Para. A1-A3)
Risks of material misstatement at the financial statement level refer to risks that relate pervasively to the
financial statements as a whole and potentially affect many assertions. As a result these risks (such as
management having a poor attitude toward control), can contribute indirectly to material misstatements at
the assertion level. For example, if the entity’s accountant is not competent, many opportunities may
arise for error or fraud in multiple financial statement balances, classes of transactions or disclosures.
Consequently, risks at the financial statement level cannot often be addressed by performing specific
audit procedures but require an overall response.
ISA 240 and 330 outline some possible overall responses to risks identified at the financial statement
level. Some examples are set out below.
Exhibit 9.2-1
Possible Overall Responses to Assessed Risks at the Financial Statement Level
Engagement
Management
Emphasize to the audit team the need to maintain professional skepticism.
Assign more experienced staff or those with special skills such as forensic,
valuation and IT specialists
Provide more ongoing supervision to staff as they perform the work.
Incorporate
Unpredictability in
Selection of Further
Audit Procedures
Incorporate an element of unpredictability in the selection of the nature, timing
and extent of further audit procedures to be performed. This is particularly
important when addressing fraud risks because individuals within the entity
may be familiar with audit procedures normally performed and therefore more
able to conceal fraudulent financial reporting.
Unpredictability can be achieved by:
• Performing substantive procedures on selected account balances and
assertions not otherwise tested due to their materiality or risk;
• Adjusting the timing of audit procedures from that otherwise expected;
• Using different sampling methods; and
• Performing audit procedures at different locations or at locations on an
unannounced basis (such as inventory counts).
06/10/2010
Page 105
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Possible Overall Responses to Assessed Risks at the Financial Statement Level
Revise the Planned
Audit Procedures
Make changes to the nature, timing or extent of audit procedures. For example:
• Perform substantive procedures at the period end instead of at an interim
date;
• Perform a physical observation or inspection of certain assets;
• Perform further review of inventory records to identify unusual items,
unexpected amounts and other items for follow-up procedures;
• Perform further work to evaluate the reasonableness of management
estimates and the underlying judgments and assumptions;
• Increase sample sizes or perform analytical procedures at a more detailed
level;
• Use computer-assisted audit techniques (CAATs) to:
− Gather more evidence about data contained in significant accounts or
electronic transaction files,
− Perform more extensive testing of electronic transactions and account
files,
− Select sample transactions from key electronic files,
− Sort transactions with specific characteristics, and
− Test an entire population instead of a sample;
• Request additional information in external confirmations. For example, on
a receivables confirmation, the auditor could ask for confirmation on the
details of sales agreements, including date, any rights of return and
delivery terms; and
• Modify the nature and extent of audit procedures to obtain more
substantive audit evidence.
Changes in the
Audit Approach
Consider the understanding obtained of the control environment.
If the control environment is effective the auditor may have more confidence
in internal control and the reliability of audit evidence generated internally
within the entity. This could mean:
•
More audit work conducted at an interim date rather than at the period end;
and
•
An approach that uses tests of controls as well as substantive procedures
(combined approach).
If the control environment is ineffective it could result in:
Review Accounting
Policies being Used
06/10/2010
•
Conducting more audit procedures as of the period end rather than at an
interim date.
•
Obtaining more extensive audit evidence from substantive procedures.
•
Increasing the number of locations to be included in the audit scope.
Evaluate whether the selection and application of accounting policies by the
entity, particularly those related to subjective measurements and complex
transactions, may be indicative of fraudulent financial reporting resulting from
Page 106
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Possible Overall Responses to Assessed Risks at the Financial Statement Level
management’s effort to manage earnings.
Consider Points
Timing
Overall responses can be developed at the planning stage and then incorporated into the overall audit
strategy. In new engagements the overall responses can be developed on a preliminary basis during
planning and later confirmed or changed based on the results of the risk assessment.
Documentation
Establishing the overall audit response and audit strategy in a small entity need not be a complex or timeconsuming exercise. In some cases both steps could be completed by preparing a brief memorandum at
the completion of the previous audit (assuming it covers all the required matters) which can later be
updated based on discussions with management.
Management Override
Paragraph #
Relevant Extracts from ISAs
240.32
Irrespective of the auditor’s assessment of the risks of management override of controls, the auditor shall
design and perform audit procedures to:
(a) Test the appropriateness of journal entries recorded in the general ledger and other adjustments made
in the preparation of the financial statements. In designing and performing audit procedures for such
tests, the auditor shall:
(i) Make inquiries of individuals involved in the financial reporting process about inappropriate or
unusual activity relating to the processing of journal entries and other adjustments;
(ii) Select journal entries and other adjustments made at the end of a reporting period; and
(iii) Consider the need to test journal entries and other adjustments throughout the period. (Ref: Para.
A41-A44)
(b) Review accounting estimates for biases and evaluate whether the circumstances producing the bias, if
any, represent a risk of material misstatement due to fraud. In performing this review, the auditor
shall:
(i) Evaluate whether the judgments and decisions made by management in making the accounting
estimates included in the financial statements, even if they are individually reasonable, indicate a
possible bias on the part of the entity’s management that may represent a risk of material
misstatement due to fraud. If so, the auditor shall reevaluate the accounting estimates taken as a
whole; and
(ii) Perform a retrospective review of management judgments and assumptions related to significant
accounting estimates reflected in the financial statements of the prior year. (Ref: Para. A45-A47)
(c) For significant transactions that are outside the normal course of business for the entity, or that
otherwise appear to be unusual given the auditor’s understanding of the entity and its environment
and other information obtained during the audit, the auditor shall evaluate whether the business
rationale (or the lack thereof) of the transactions suggests that they may have been entered into to
engage in fraudulent financial reporting or to conceal misappropriation of assets. (Ref: Para. A48)
240.26
06/10/2010
When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on
a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue,
revenue transactions or assertions give rise to such risks. Paragraph 47 (of ISA 240) specifies the
documentation required where the auditor concludes that the presumption is not applicable in the
Page 107
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
circumstances of the engagement and, accordingly, has not identified revenue recognition as a risk of
material misstatement due to fraud. (Ref: Para. A28-A30)
240.33
The auditor shall determine whether, in order to respond to the identified risks of management override of
controls, the auditor needs to perform other audit procedures in addition to those specifically referred to
above (i.e., where there are specific additional risks of management override that are not covered as part of
the procedures performed to address the requirements in paragraph 32).
Management override and fraudulent revenue recognition are presumed to be significant risks (see
Volume 2, Chapter 10 of this Guide) and addressed as such. As a result, there are certain audit procedures
that would be performed in every audit. These are outlined in the ISA extracts quoted above. Some
additional comments are included in the following exhibit.
Exhibit 9.2-2
Procedures to Address Management Override
Journal Entries
Identify, select and test journal entries and other adjustments based on:
• An understanding of the entity’s financial reporting process and
design/implementation of internal control; and
• Consideration of the:
− Characteristics of fraudulent journal entries or other adjustments,
− Presence of fraud risk factors that relate to specific classes of journal
entries and other adjustments, and
− Inquiries of individuals involved in the financial reporting process
about inappropriate or unusual activity.
Estimates
Review estimates relating to specific transactions and balances to identify
possible biases on the part of management. Further procedures could include:
• Reconsidering the estimates taken as a whole;
• Performing a retrospective review of management’s judgments and
assumptions related to significant accounting estimates made in the prior
period; and
• Determining whether the cumulative effect amounts to a material
misstatement in the financial statements.
Significant
Transactions
Obtain an understanding of the business’ rationale for significant transactions
that are unusual or outside the normal course of business. This includes an
assessment as to whether:
• Management is placing more emphasis on the need for a particular
accounting treatment than on the underlying economics of the transaction;
• The arrangements surrounding such transactions are overly complex;
• Management has discussed the nature of, and accounting for, such
transactions with those charged with governance;
• The transactions involve previously unidentified related parties or parties
06/10/2010
Page 108
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Procedures to Address Management Override
•
•
Revenue
Recognition
that do not have the substance or the financial strength to support the
transaction without assistance from the entity under audit;
Transactions that involve non-consolidated related parties, including
special purpose entities, have been properly reviewed and approved by
those charged with governance; and
There is adequate documentation.
Perform substantive analytical procedures. Consider computer-assisted audit
techniques to identify unusual or unexpected revenue relationships or
transactions.
Confirm with customers relevant contract terms (acceptance criteria, delivery
and payment terms) and the absence of side agreements (right to return the
product, guaranteed resale amounts, etc.).
9.3
Response to Assessed Risks at the Assertion Level
Paragraph #
Relevant Extracts from ISAs
330.6
The auditor shall design and perform further audit procedures whose nature, timing, and extent are based
on and are responsive to the assessed risks of material misstatement at the assertion level. (Ref: Para. A4A8)
The auditor’s assessment of identified risks at the assertion level provides the starting point for:
•
Considering the appropriate audit approach; and
•
Designing and performing further audit procedures. Refer to Volume 1 Chapter 10 for a detailed
description of further audit procedures
An Appropriate Audit Approach
The audit approach for designing and performing further audit procedures will be based on the assessment
of the identified risks at both the financial statement level and at the assertion level.
Because assessed risks will differ between the material classes of transactions, account balances and
disclosures, the most effective audit approach will vary. For example, it might be appropriate to test
controls over sales completeness and use substantive procedures for the other assertions. For payables, a
substantive approach could be applicable for all assertions. The key is to develop audit procedures that
respond appropriately to the risks identified.
The following exhibit outlines some of the considerations in developing the appropriate audit approach
for an account balance or class of transactions.
Exhibit 9.3-1
06/10/2010
Page 109
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Would substantive tests alone
provide sufficient appropriate
audit evidence at the assertion level?
No
Would it be more
efficient to
obtain the audit
evidence through
tests of controls?
Yes
Yes
No
(such as reducing
the extent of
substantive
procedures?)
Note: In smaller entities reliable control activities may not exist or be very limited. In these cases a
primarily substantive approach may be the only alternative.
Designing and Performing Further Audit Procedures
The nature, timing, and extent of further audit procedures are based on and are responsive to the assessed
risks of material misstatement at the assertion level. This provides a clear linkage between the auditor’s
further audit procedures and the risk assessment.
The first step is to review the information obtained to date that will form the basis for the design further
audit procedures. This would include:
•
The nature and the reasoning for the assessed risks (such as business and fraud risks) at both the
financial statement and assertion level;
•
The account balances, classes of transactions or disclosures that are material to the financial
statements;
•
The need (if any) to perform tests of controls. This would occur where substantive procedures alone
cannot provide sufficient appropriate audit evidence at the assertion level.
•
The auditor’s understanding of the control environment and controls activities. In particular, have any
relevant internal controls been identified that, if tested, would provide an effective response to the
assessed risks of material misstatement for a particular assertion; and
•
The nature and extent of specific audit procedures that may be required by certain ISAs or by local
rules and regulations.
Based on the information above, the auditor can design the nature and extent of the procedures to be
performed. Some design considerations are addressed below.
Exhibit 9.3-2
Consider
Impact on Audit Procedure Design
Nature of the
Assertion being
Addressed
What is the most appropriate audit procedure to address the particular
assertion? Consider:
• Effectiveness
Evidence for completeness of sales may best be obtained through a test of
controls, whereas evidence to support the valuation of inventory will
06/10/2010
Page 110
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider
Impact on Audit Procedure Design
•
Reasons for the
Assessed Risk
Assessed Level
of Risk
Sources of
Information Used
probably be obtained with substantive procedures; and
Reliability of evidence obtained
Provide more reliable evidence for an assertion. A confirmation of
receivables to determine existence may provide better evidence than
simply examining invoices or performing some analytical procedures.
What are the underlying reasons for the risk assessments?
This will include consideration of the characteristics of the financial statement
area, the identified and assessed inherent risks and relevant internal controls.
If the assessed risk appears to be low as a result of relevant internal controls
having been designed and implemented, tests of controls could be considered
to confirm the assessed risk and possibly to reduce the extent of substantive
procedures that would otherwise be required.
Is more reliable and relevant audit evidence required for some assessed risks?
The scope of existing procedures may need to be expanded or some different
types of audit procedures may need to be combined to provide the assurance
necessary. For example, to ensure the existence of a high value inventory item,
a physical inspection may be performed in addition to examining the
supporting documents.
Do the planned audit procedures rely on non-financial information produced
by the entity’s information system?
If so, evidence should be obtained about its accuracy and completeness. For
example, in a high-rise apartment, the number of rental units multiplied by the
monthly rent may be used to compare with total revenues. If so, it would be
important to ensure the number of rental units is factual and the monthly rents
agree to the signed lease contracts.
Potential for Dual
Purpose Tests
Would it be efficient to perform a test of controls concurrently with a test of
details on the same transaction?
For example, if an invoice was being examined for evidence of approval (tests
of controls), it could also be examined at the same time to substantiate other
aspects of the transaction (tests of details).
Use of Assertions in Selecting the Population to be Tested
When designing a procedure, the auditor would carefully consider the nature of the assertion for which
evidence is being obtained. This will determine the type of evidence to be examined, the nature of the
procedure and the population from which to select the sample.
For example, evidence for the existence assertion would be obtained by selecting items that are already
contained in a financial statement amount. Selecting receivable balances for confirmation will provide
evidence that the receivable balance exists. However, selecting items that are already contained in a
financial statement amount would not provide any evidence in respect of the completeness assertion. For
06/10/2010
Page 111
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
completeness, items would be selected from evidence indicating that an item should be included in the
relevant financial statement amount. To determine whether the sales are complete (that is, no unrecorded
sales), the selection of shipping orders and matching them to sales invoices would (subject to the
completeness of the shipping orders) provide evidence for omitted sales.
Timing of Procedures
Timing refers to when audit procedures are performed or the period or date to which the audit evidence
applies.
Before or at the Period End?
In most instances (particularly with small entities), audit procedures will be carried out at the period end
and later. In addition, the higher the risks of material misstatement, the more likely it would be for
substantive procedures to be performed nearer to, or after, the period end.
In some situations, there can be some advantages to performing audit procedures before the period end.
For example:
•
Helping to identify significant matters at an early stage. This provides time for the issues to be
addressed and further audit procedures to be performed;
•
Balancing the audit firm’s workload by shifting some busy season procedures to a period when there
is more time;
•
Balancing the client’s workload by reducing the time required after the period end to answer audit
inquiries and provide requested evidence and schedules; and
•
Performing procedures unannounced or at unpredictable times.
The following exhibit outlines the factors to consider when determining whether to perform procedures at
an interim date.
Exhibit 9.3-3
Factors to Consider
Audit Procedures
Performed Before the
Period End
How good is the overall control environment? Counting inventory at an
interim date and then updating the count for movements (in and out) is
unlikely to be enough if the control environment is poor.
How good are the specific controls over the account balance or class of
transactions being considered?
Is the required evidence available to perform the test? Electronic files may
subsequently be overwritten or procedures to be observed may occur only at
certain times.
Would a procedure before the period end address the nature and substance of
the risk involved?
Would the interim procedure address the period or date to which the audit
evidence relates?
06/10/2010
Page 112
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Factors to Consider
How much additional evidence will be required for the remaining period
between the date of procedure and the period end?
Volume 1, Chapter 10.5 provides further information on the timing of tests of controls.
After Period End
Certain audit procedures can be performed only at, or after, the period end. This would include cut-off
procedures (where there is minimal reliance on internal control), period-end adjustments and subsequent
events.
06/10/2010
Page 113
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
10.
FURTHER AUDIT PROCEDURES
Chapter Content
Relevant ISAs
The characteristics and use of further audit procedures.
330, 505, 520
Exhibit 10.0-1
Paragraph #
Relevant Extracts from ISAs
330.4
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Substantive procedure – An audit procedure designed to detect material misstatements at the assertion
level. Substantive procedures comprise:
(i) Tests of details (of classes of transactions, account balances, and disclosures); and
(ii) Substantive analytical procedures.
(b) Test of controls – An audit procedure designed to evaluate the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the assertion level.
10.1
Overview
This chapter outlines the characteristics and use of further audit procedures designed in response to
assessed risks at the assertion level.
Substantive Procedures
Substantive procedures are performed by the auditor to:
•
Gather evidence regarding the underlying assertions (C, E, AC, V) that are embedded in the account
balances and underlying classes of transactions; and
•
Detect material misstatements.
Typical substantive procedures include selection of an account balance or a representative sample of
transactions to:
•
Recalculate recorded amounts for accuracy;
•
Confirm existence of balances (receivables, bank accounts, investments, etc.);
•
Ensure transactions are recorded in the right period (cut-off tests);
06/10/2010
Page 114
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Compare amounts between periods or with expectations (analytical procedures);
•
Inspect supporting documentation (such as invoices or sales contracts);
•
Observe physical existence of recorded assets (inventory counts); and
•
Review the adequacy of allowances made for loss of value (doubtful accounts and obsolete
inventory).
Tests of Control
Tests of control are performed by the auditor to gather evidence as to the operational effectiveness of
internal control procedures that:
•
Address specific assertions where reliance on controls is planned; and
•
Prevent or detect/correct material errors or fraud from occurring.
Typical tests of control include the selection of a representative sample of transactions or supporting
documentation to:
•
Observe the operation of an internal control procedure being performed;
•
Inspect evidence that the control procedure was performed;
•
Inquire about how and when the procedure was performed; and
•
Re-perform the operation of the control procedure (such as where information system is
computerized).
Evidence on control operation may also be gathered using computer assisted audit techniques (CAATs).
10.2
Substantive Procedures
Paragraph #
Relevant Extracts from ISAs
330.18
Irrespective of the assessed risks of material misstatement, the auditor shall design and perform
substantive procedures for each material class of transactions, account balance, and disclosure. (Ref: Para.
A42-A47)
330.19
The auditor shall consider whether external confirmation procedures are to be performed as substantive
audit procedures. (Ref: Para. A48-A51)
330.20
The auditor’s substantive procedures shall include the following audit procedures related to the financial
statement closing process:
(a) Agreeing or reconciling the financial statements with the underlying accounting records; and
(b) Examining material journal entries and other adjustments made during the course of preparing the
financial statements. (Ref: Para. A52)
330.21
If the auditor has determined that an assessed risk of material misstatement at the assertion level is a
significant risk, the auditor shall perform substantive procedures that are specifically responsive to that
risk. When the approach to a significant risk consists only of substantive procedures, those procedures
shall include tests of details. (Ref: Para. A53)
330.22
If substantive procedures are performed at an interim date, the auditor shall cover the remaining period by
performing:
(a) substantive procedures, combined with tests of controls for the intervening period; or
06/10/2010
Page 115
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(b) if the auditor determines that it is sufficient, further substantive procedures only that provide a
reasonable basis for extending the audit conclusions from the interim date to the period end. (Ref:
Para. A54-A57)
330.23
If misstatements that the auditor did not expect when assessing the risks of material misstatement are
detected at an interim date, the auditor shall evaluate whether the related assessment of risk and the
planned nature, timing, or extent of substantive procedures covering the remaining period need to be
modified. (Ref: Para. A58)
Substantive procedures are designed by the auditor to detect material misstatements at the assertion level.
There are two types of substantive procedures, as set out below.
Exhibit 10.2-1
Procedure:
Description
Tests of Details
Procedures designed to gather evidence that will substantiate a financial
statement amount. They are used to obtain audit evidence regarding assertions
such as existence, accuracy and valuation.
Substantive
Analytical
Procedures
Procedures designed to substantiate a financial statement amount by using
predictable relationships among both financial and non-financial data. They
are mostly applicable to large volumes of transactions that tend to be
predictable over time.
Tests of Details
When designing substantive procedures to respond to assessed risks, the auditor would consider a number
of matters, as set out below.
Exhibit 10.2-2
Address:
Description
Each Material
Account Balance,
Class of
Transactions and
Disclosure
This is required irrespective of the assessed risks of material misstatement.
Required Audit
Procedures
This would include any specific procedures necessary to comply with
International Standards on Auditing and any local requirements. A summary of
some such procedures is contained in Volume 1, Chapters 11 to 15. Required
procedures include:
• Examining material journal entries and other adjustments made during the
06/10/2010
Page 116
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address:
Description
•
•
Need for External
Confirmation
Procedures
course of preparing the financial statements;
Addressing management override (see Volume 1, Chapter 9.2); and
Agreeing the financial statements to the underlying accounting records.
Consider the need to obtain external confirmations to address assertions
associated with account balances and their elements (bank balances,
investments, receivables, etc.) or other matters such as:
• Terms of agreements and contracts;
• Transactions between an entity and other parties; and
• Evidence about the absence of certain conditions (such as no “side
agreement” exists on a sales contract).
Also see the discussion on external confirmations below.
Significant Risks
Design and perform substantive procedures (tests of detail) that are specifically
responsive to the identified risks and provide the high level of audit assurance
required.
Timing
If procedures are performed before the period end, the remaining period needs
to be addressed by performing substantive procedures, combined with tests of
controls or further substantive procedures that provide a reasonable basis for
extending the audit conclusions from the interim date to the period end. If
unexpected misstatements are identified at the interim date, modification to the
planned remaining procedures needs to be considered.
In determining what substantive procedures are most responsive to the assessed risks, the auditor may
perform:
•
Only tests of details; or
•
Where there is not a significant risk of material misstatement, only substantive analytical procedures; or
•
A combination of tests of details and substantive analytical procedures.
When substantive analytical procedures are performed, the auditor is required to establish the reliability
of data from which the auditor's expectation of recorded amounts or ratios was developed (such as nonfinancial data).
Performing Substantive Procedures at an Interim Date
When substantive procedures are performed at an interim date, the auditor should perform further
substantive procedures or substantive procedures combined with tests of controls to cover the remaining
period. This provides a reasonable basis for extending the audit conclusions from the interim date to the
period end and reduces the risk that misstatements existing at the period end are not detected. However, if
substantive procedures alone would not be sufficient, tests of the relevant controls should also be
performed.
Procedures to Address the Period between the Interim Date and Period End
When procedures are performed at an interim date:
06/10/2010
Page 117
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Compare information at the period end with comparable information at the interim date;
•
Identify amounts that appear unusual. These amounts should be investigated by performing further
substantive analytical procedures or tests of details for the intervening period;
•
When substantive analytical procedures are planned, consider whether the period-end balances of the
particular classes of transactions or account balances are reasonably predictable with respect to
amount, relative significance and composition; and
•
Consider the entity’s procedures for analyzing and adjusting the classes of transactions or account
balances at interim dates and for establishing proper accounting cut-offs.
The substantive procedures related to the remaining period depend on whether the auditor has performed
tests of controls.
Use of Substantive Procedures Performed in Prior Periods
The use of audit evidence obtained from substantive procedures performed in prior periods may be useful
in audit planning but (unless there is ongoing relevance to the current year such as the cost price of noncurrent assets or details of contracts) it usually provides little or no audit evidence for the current period.
10.3
External Confirmations
Paragraph #
505.5
ISA Objective(s)
The objective of the auditor, when using external confirmation procedures, is to design and perform such
procedures to obtain relevant and reliable audit evidence.
Paragraph #
Relevant Extracts from ISAs
505.7
When using external confirmation procedures, the auditor shall maintain control over external
confirmation requests, including:
(a) Determining the information to be confirmed or requested; (Ref: Para. A1)
(b) Selecting the appropriate confirming party; (Ref: Para. A2)
(c) Designing the confirmation requests, including determining that requests are properly addressed and
contain return information for responses to be sent directly to the auditor; and (Ref: Para. A3-A6)
(d) Sending the requests, including follow-up requests when applicable, to the confirming party. (Ref:
Para. A7)
505.8
If management refuses to allow the auditor to send a confirmation request, the auditor shall:
(a) Inquire as to management’s reasons for the refusal, and seek audit evidence as to their validity and
reasonableness; (Ref: Para. A8)
(b) Evaluate the implications of management’s refusal on the auditor’s assessment of the relevant risks of
material misstatement, including the risk of fraud, and on the nature, timing and extent of other audit
procedures; and (Ref: Para. A9)
(c) Perform alternative audit procedures designed to obtain relevant and reliable audit evidence. (Ref:
Para. A10)
505.9
06/10/2010
If the auditor concludes that management’s refusal to allow the auditor to send a confirmation request is
unreasonable, or the auditor is unable to obtain relevant and reliable audit evidence from alternative audit
Page 118
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
procedures, the auditor shall communicate with those charged with governance in accordance with ISA
260. The auditor also shall determine the implications for the audit and the auditor’s opinion in accordance
with ISA 705.
505.10
If the auditor identifies factors that give rise to doubts about the reliability of the response to a
confirmation request, the auditor shall obtain further audit evidence to resolve those doubts. (Ref: Para.
A11-A16)
505.11
If the auditor determines that a response to a confirmation request is not reliable, the auditor shall evaluate
the implications on the assessment of the relevant risks of material misstatement, including the risk of
fraud, and on the related nature, timing and extent of other audit procedures. (Ref: Para. A17)
505.12
In the case of each non-response, the auditor shall perform alternative audit procedures to obtain relevant
and reliable audit evidence. (Ref: Para. A18-A19)
505.13
If the auditor has determined that a response to a positive confirmation request is necessary to obtain
sufficient appropriate audit evidence, alternative audit procedures will not provide the audit evidence the
auditor requires. If the auditor does not obtain such confirmation, the auditor shall determine the
implications for the audit and the auditor’s opinion in accordance with ISA 705. (Ref: Para. A20)
505.14
The auditor shall investigate exceptions to determine whether or not they are indicative of misstatements.
(Ref: Para. A21-A22)
505.15
Negative confirmations provide less persuasive audit evidence than positive confirmations. Accordingly,
the auditor shall not use negative confirmation requests as the sole substantive audit procedure to address
an assessed risk of material misstatement at the assertion level unless all of the following are present: (Ref:
Para. A23)
(a) The auditor has assessed the risk of material misstatement as low and has obtained sufficient
appropriate audit evidence regarding the operating effectiveness of controls relevant to the assertion;
(b) The population of items subject to negative confirmation procedures comprises a large number of
small, homogeneous, account balances, transactions or conditions;
(c) A very low exception rate is expected; and
(d) The auditor is not aware of circumstances or conditions that would cause recipients of negative
confirmation requests to disregard such requests.
505.16
The auditor shall evaluate whether the results of the external confirmation procedures provide relevant and
reliable audit evidence, or whether further audit evidence is necessary. (Ref: Para. A24-A25)
External confirmations are frequently used in relation to account balances (typically assets) and their
components, but need not be restricted to these items.
External confirmations are often used to provide audit evidence about completeness of a liability and
existence of an asset. It also provides evidence on whether the amount has been accurately recorded in the
accounting records (accuracy) and in the appropriate period (cut-off). Confirmations are less relevant in
addressing valuation issues such as the recoverability of accounts receivable or the obsolescence of
inventory being held.
Typical situations where external confirmation procedures provide relevant audit evidence include:
•
Bank balances and other information relevant to banking relationships;
06/10/2010
Page 119
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Accounts receivable balances and terms;
•
Inventories held by third parties at bonded warehouses for processing or on consignment;
•
Property title deeds held by lawyers or financiers for safe custody or as security;
•
Investments held for safekeeping by third parties, or purchased from stockbrokers but not delivered at
the balance sheet date;
•
Amounts due to lenders, including relevant terms of repayment and restrictive covenants; and
•
Accounts payable balances and terms.
Matters the auditor would consider are set out below.
Exhibit 10.3-1
Address
Description
Dual Purpose Tests
Is there an opportunity to obtain audit evidence about other important matters
at the same time (such as terms of a contract, etc.)?
Confirming Party’s
Knowledge of the
Subject Matter
Responses will be more reliable if provided by a person knowledgeable in the
subject matter.
Ability/Willingness
of Confirming Party
to Respond
Consider the reliability of the evidence obtained if there is possibility of the
confirming party:
• Not accepting responsibility;
• Viewing a response as too costly or time consuming;
• Having concerns about potential legal liability;
• Accounting for transactions in different currencies; or
• Not treating the confirmation requests as significant.
Objectivity of the
Confirming Party
Consider the reliability of the evidence obtained if the confirming party is a
related party. In such situations, consider:
• Confirming additional details about the subject matter such as terms of
sales agreements, including dates, any rights of return and delivery terms;
and
• Supplementing the confirmation with inquiries of non-financial personnel
regarding the subject matter such as changes in sales agreements and
delivery terms.
Audit evidence is generally considered more reliable when it is obtained from independent sources outside
the entity. For this reason, written responses to confirmation requests received directly from unrelated third
parties may assist in reducing the risk of material misstatement for the related assertions to an acceptably
low level.
The confirmation requirements can be summarized as set out below.
Exhibit 10.3-2
06/10/2010
Page 120
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
Maintain Control
over Confirmation
Process
This includes:
• The information to be confirmed or requested;
• Selecting the appropriate confirming party;
• Evaluating reasons for any refusal by management to allow sending of
confirmations. This includes consideration of the implications on assessed
risks, the possibility of fraud and what further audit procedures will now
be required;
• Designing the confirmation requests;
• Determining that requests are properly addressed and contain return
information for responses to be sent directly to the auditor; and
• Sending the requests, including follow-up requests when applicable, to the
confirming party.
Are Responses
Reliable?
If factors that give rise to doubts about the reliability of the response:
• Obtain further audit evidence to resolve or confirm doubts;
• Consider fraud and other impacts on assessed risks; and
• Investigate exceptions to determine if these are indicative of
misstatements.
When No Response
is Received
Perform alternative audit procedures (if possible) to obtain relevant and
reliable audit evidence.
Evaluate Overall
Results
Did the results of the external confirmation procedures provide the relevant
and reliable audit evidence required?
10.4
Substantive Analytical Procedures
Paragraph #
Relevant Extracts from ISAs
520.5
When designing and performing substantive analytical procedures, either alone or in combination with tests
of details, as substantive procedures in accordance with ISA 330, the auditor shall: (Ref: Para. A4-A5)
(a) Determine the suitability of particular substantive analytical procedures for given assertions, taking
account of the assessed risks of material misstatement and tests of details, if any, for these assertions;
(Ref: Para. A6-A11)
(b) Evaluate the reliability of data from which the auditor’s expectation of recorded amounts or ratios is
developed, taking account of source, comparability, and nature and relevance of information
available, and controls over preparation; (Ref: Para. A12-A14)
(c) Develop an expectation of recorded amounts or ratios and evaluate whether the expectation is
sufficiently precise to identify a misstatement that, individually or when aggregated with other
misstatements, may cause the financial statements to be materially misstated; and (Ref: Para. A15)
(d) Determine the amount of any difference of recorded amounts from expected values that is acceptable
without further investigation as required by paragraph 7. (Ref: Para. A16)
Substantive analytical procedures involve a comparison of amounts or relationships in the financial
statements with an expectation developed from information obtained from understanding the entity and
06/10/2010
Page 121
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
other audit evidence.
If the inherent risks are low for a class of transactions, substantive analytical procedures alone may
provide sufficient appropriate audit evidence. However, if the assessed risk is low because of related
internal controls, the auditor would also perform tests of those controls. Consequently for significant risks
identified, analytical procedures would always be used in combination with other substantive tests or tests
of control.
To use an analytical procedure as a substantive procedure, the auditor should design the procedure to
reduce the risk of not detecting a material misstatement in the relevant assertion to an acceptably low
level. This means that the expectation of what the recorded amount should be is precise enough to
indicate the possibility of a material misstatement, either individually or in the aggregate.
Consider Point
For audit planning purposes, substantive analytical procedures may be grouped into three distinct
levels based on the level of assurance obtained. These are described below.
Exhibit 10.4-1
Impact on Reducing
Audit Risk
Description
Highly Effective
(low level of risk that
the recorded amount
is misstated)
Procedure is intended to be the primary source of evidence regarding a
financial statement assertion. It “effectively” proves the recorded amount.
However, if the risk involved is significant, it would be supplemented by other
relevant procedures.
Moderately
Effective
Procedure is only intended to corroborate evidence obtained from other
procedures. A moderate level of assurance is obtained.
Limited
Basic procedures, such as comparing an amount in the current period to a
previous period, are useful but only provide a limited level of assurance.
Techniques
There are a number of possible techniques that can be used to perform the analytical procedures. The
objective is to select the most appropriate technique to provide the intended levels of assurance and
precision. Techniques include:
•
Ratio analysis;
•
Trend analysis;
•
Break-even analysis;
•
Pattern analysis; and
•
Regression analysis.
06/10/2010
Page 122
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Each technique has its particular strengths and weaknesses that the auditor needs to consider when
designing the analytical procedures. A complex technique such as regression analysis may provide
statistically reliable conclusions about a recorded amount. However, a simple technique such as
multiplying the number of apartments by the approved rental rates (per leases) and adjusting the result for
actual vacancies may provide a reliable and precise estimate of the rental revenue.
Exhibit 10.4-2
Factors to Consider
Designing
Substantive
Analytical
Procedures
Suitability given the nature of the assertions.
Reliability of the data (internal or external) from which the expectation of
recorded amounts or ratios is developed. This will require tests on the
accuracy, existence and completeness of the underlying information such as
tests of controls or performing other specific audit procedures, possibly
including the use of computer-assisted audit techniques (CAATs).
Whether the expectation is sufficiently precise to identify a material
misstatement at the desired level of assurance.
Amount of any difference in recorded amounts from expected values that
would be acceptable.
Questions to Address
Establishing
Meaningful
Relationships
between
Information
Are the relationships developed from a stable environment?
• Reliable and precise expectations may not be possible in a dynamic or
unstable environment.
Are the relationships considered at a detailed level?
• Disaggregation of amounts can provide more reliable and precise
expectations than an aggregated level.
Are there offsetting factors or complexity among highly summarized
components that could obscure a material misstatement?
Do the relationships involve items subject to management discretion?
• If so, they may provide less reliable or less precise expectations.
The degree of reliability of data used to develop expectations needs to be consistent with the levels of
assurance and precision intended to be derived from the analytical procedure. Other substantive
procedures may also be required to determine whether the underlying data is sufficiently reliable. Tests of
controls may also be considered to address other assertions such as the data’s completeness, existence and
accuracy. Internal control over non-financial information can often be tested in conjunction with other
06/10/2010
Page 123
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
tests of controls.
Exhibit 10.4-3
Questions to Address
Is the Data
Sufficiently Reliable
for Achieving the
Audit Objective?
Is the data obtained from sources within the entity or from independent sources
outside the entity?
• The reliability of audit evidence is increased (with some exceptions) when
it is obtained from independent sources outside the entity.
Is data from sources within the entity developed by persons not directly
responsible for its accuracy?
• If so, consider further procedures to check on accuracy.
Was the data developed under a reliable system with adequate internal control?
Is broad industry data available for comparison with the entity’s data?
Was the data subject to audit testing in the current or prior periods?
Were the auditor’s expectations regarding recorded amounts developed from a
variety of sources?
To avoid unwarranted reliance on a source of data used, the auditor would perform substantive tests of the
underlying data to determine whether it is sufficiently reliable, or test whether internal controls over the
data’s completeness, existence and accuracy are operating effectively.
In some cases, non-financial data (for example, quantities and types of items produced) will be used in
performing analytical procedures. Accordingly, the auditor needs an appropriate basis for determining
whether the non-financial data is sufficiently reliable for the purposes of performing the analytical
procedures.
Differences from Expectations
When differences are identified between recorded amounts and the auditor’s expectations, the auditor
would consider the level of assurance that the procedures are intended to provide and the auditor’s
performance materiality. The amount of the acceptable difference without investigation would, in any
event, need to be less than performance materiality.
Procedures used for the investigation could include:
•
Reconsidering the methods and factors used in forming the expectation;
•
Making inquiries of management regarding the causes of differences from the auditor’s expectations
and assessing management’s responses, taking into account the auditor’s understanding of the
business obtained during the course of the audit; and
•
Performing other audit procedures to corroborate management’s explanations.
As a result of this investigation, the auditor may conclude that:
•
Differences between the auditor’s expectations and recorded amounts do not represent misstatements;
06/10/2010
Page 124
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
or
•
Differences may represent misstatements and that further audit procedures need to be performed to
obtain sufficient appropriate audit evidence as to whether a material misstatement exists or does not
exist.
Examples of Effective Substantive Analytical Procedures
Exhibit 10.4-4
Financial
Statement Amount
Relationship and Procedure
Sales
Selling price applied to the quantities shipped.
Amortization
Expenses
Amortization rate applied to capital asset balances, allowing for effect of
additions and disposals.
Overhead Element
of Inventory
Relating actual overheads to actual direct labour or production volumes.
Payroll Expense
Pay rates applied to number of employees.
Commission
Expense
Commission rate applied to sales.
Payroll Accruals
Daily payroll applied to number of days accrued.
Other Analytical Procedures
Analysis can take the form of:
•
Detailed comparisons of current financial statement or financial data with that of prior periods
or with current operating budgets.
An increase in accounts receivable with no corresponding increase in sales could indicate that a
problem exists in the collectability of accounts receivable. An increase in the number of employees in
a professional organization would lead the auditor to expect an increase in salary expense and a
corresponding increase in professional fee revenue.
•
Comparative data on the various types of products sold or types of customers.
This could help explain month-to-month or period-to-period fluctuations in sales.
•
Ratio analysis.
Ratios can provide support to the current financial statements (for example, comparable to industry
norms or prior periods’ results) or raise points for discussion. Certain institutions, such as banks and
trade associations, produce financial statistics on an industry-wide basis. Such statistics can be useful
when compared to those of an entity’s operation and inquiries made where differences from industry
trends occur.
•
Graphs.
Finally, consider the use of graphs to portray the results of procedures. Graphs visually highlight
06/10/2010
Page 125
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
significant differences from month to month or period to period.
Use of Analytical Procedures in Forming an Opinion
Paragraph #
Relevant Extracts from ISAs
520.6
The auditor shall design and perform analytical procedures near the end of the audit that assist the auditor
when forming an overall conclusion as to whether the financial statements are consistent with the auditor’s
understanding of the entity. (Ref: Para. A17-A19)
Upon substantial completion of the audit, the auditor is required to use analytical procedures to assist in
evaluating the overall financial statement presentation.
The purpose of using analytical procedures at or near the end of the audit is to determine whether the
financial statements as a whole are consistent with the auditor’s understanding of the entity.
These procedures would address questions such as:
•
Do the conclusions drawn from such procedures corroborate the conclusions formed during the
audit of individual components or elements of the financial statements?
Analytical procedures may reveal that certain financial statement items differ from expectations
formed by the auditor based on knowledge of the entity’s business and other information accumulated
during the audit. Such differences would need to be investigated using procedures such as those
described above. This investigation may indicate the need for changes in presentation or disclosure in
the financial statements.
•
Is there a risk of material misstatement that has not been previously recognized?
If additional risks are identified, the auditor may need to re-evaluate the planned audit procedures to
respond appropriately.
10.5
Tests of Controls
Paragraph #
Relevant Extracts from ISAs
330.8
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the
operating effectiveness of relevant controls if:
(a) The auditor’s assessment of risks of material misstatement at the assertion level includes an expectation
that the controls are operating effectively (that is, the auditor intends to rely on the operating
effectiveness of controls in determining the nature, timing and extent of substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
(Ref: Para. A20-A24)
330.9
In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence the
greater the reliance the auditor places on the effectiveness of a control. (Ref: Para. A25)
330.10
In designing and performing tests of controls, the auditor shall:
(a) Perform other audit procedures in combination with inquiry to obtain audit evidence about the operating
effectiveness of the controls, including:
(i)
How the controls were applied at relevant times during the period under audit;
(ii) The consistency with which they were applied; and
06/10/2010
Page 126
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(iii) By whom or by what means they were applied. (Ref: Para. A26-A29)
(b) Determine whether the controls to be tested depend upon other controls (indirect controls) and, if so,
whether it is necessary to obtain audit evidence supporting the effective operation of those indirect
controls. (Ref: Para. A30-A31)
330.11
The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends
to rely on those controls, subject to paragraphs 12 and 15 below, in order to provide an appropriate basis for
the auditor’s intended reliance. (Ref: Para. A32)
Purpose
Tests of controls are tests designed to obtain audit evidence about the operating effectiveness of controls.
Controls can prevent material misstatements at the assertion level from occurring altogether, or detect and
then correct them after they occurred. The controls selected for testing would be those that provide
necessary audit evidence for a relevant assertion.
Consider Point
A walk-through procedure to determine whether a control has been implemented is not a test of
control. It is a risk assessment procedure, the results of which may determine whether a tests of
controls would be useful and if so, how they would be designed.
Tests of controls are considered by the auditor when:
•
The risk assessment is based on an expectation that internal control operates effectively; or
•
Substantive procedures alone will not provide sufficient appropriate audit evidence at the assertion
level. This might apply where sales are made over the Internet and no documentation of transactions
is produced or maintained, other than through the IT system.
Selecting sample sizes for tests of controls is addressed in Volume 2, Chapter 17 on extent of testing.
Tests of controls are designed to obtain audit evidence about:
•
How internal control procedures were applied throughout or at relevant times during the period under
audit. If substantially different controls were used at different times during the period, each control
system should be considered separately;
•
The consistency with which internal control procedures were applied; and
•
By whom or by what means controls were applied.
06/10/2010
Page 127
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
When auditing smaller entities, auditors often plan to perform substantive procedures on the
assumption that tests of existing control activities would not be practical due to limited segregation of
duties, etc. Before jumping to that conclusion, consider:
•
The strength of the control environment and other elements of internal control;
•
Existence of control activities over assertions where it would be more efficient to gain
evidence through tests of controls; and
•
Assertions where substantive procedures alone will not reduce the risks of material
misstatement to an acceptably low level. For instance, this may be the case for the completeness of
revenues.
Designing Tests of Controls
Tests of controls are used to gain evidence about the operating effectiveness of controls included in any of
the five elements of internal control. See the illustration below and Volume 1, Chapter 5 of this Guide for
additional information on each of the five internal control elements.
Exhibit 10.5-1
Specific controls (such as control activities) directly address the prevention or detection and correction of
misstatements, whereas pervasive controls provide the foundation for the specific controls and influence
their operation.
In smaller entities, some pervasive controls (such as the control environment) may also serve to address
specific risks of misstatement for a relevant assertion (for example, where senior management is directly
involved in supervising and approving day-to-day transactions). In this case, if the pervasive controls
were tested and found to operate effectively, there would be no need to test other controls (such as control
06/10/2010
Page 128
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
activities) related to the particular risks involved.
Consider Point
Domination of management by a single individual does not mean that internal control is weak or does
not exist. In fact, the involvement of a competent owner-manager in the detailed day-to-day operations
would be an important control environment strength. The opportunity for management override of
internal control still exists, but can be reduced to some extent (in virtually any size of entity) by
implementing some simple anti-fraud controls. (See Volume 1, Chapter 5).
In other cases, the link between pervasive and specific controls may be more direct. For example, some
monitoring controls may identify control breakdowns in specific (business process) controls. Testing
these monitoring controls for effectiveness might reduce (but not eliminate) the need for testing more
specific controls.
Tests of pervasive controls (often referred to as entity level and general IT controls) tend to be more
subjective (such as evaluating the commitment to integrity or competence) and therefore tend to be more
difficult to document than specific internal control at the business process level (such as checking to see if
a payment was authorized). As a result, the testing of entity level and IT general controls is often
documented with memorandums to the file explaining the approach taken and the action steps (for
example, staff interviews, assessments, review of employee files, etc.), along with supporting evidence.
This approach is illustrated in the following example.
Exhibit 10.5-2
Testing pervasive (entity level) Controls
Control Component = Control Environment
Risk Addressed
No emphasis is placed on need for integrity and ethical values.
Controls
Identified
Management requires all new employees to sign a form stating
their agreement with the firm’s fundamental values and
understanding of the consequences for non-compliance.
Control Design
Read the form to be signed by employees and ensure it does
indeed address integrity and ethical values.
Control
Implementation
Review one employee file to ensure there is a signed form and
consider what evidence exists (such as discipline) that
employees actually practice the values. This could be based on
a short interview with an employee.
06/10/2010
Page 129
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Control Component = Control Environment
Test of Control
Effectiveness
Select a sample of employee files and ensure there are
agreement forms on file and they are signed by the employee.
This would be supplemented by asking a sample of
employees, some questions about the stated entity policies.
Documentation
Prepare a memo that provides details of the employee files
selected, notes from interviews (including the name of the
person and the date) along with the conclusions reached.
Some key factors for the auditor to consider when designing a test of controls are listed below.
Exhibit 10.5-3
Address
Description
What Risk of
Material
Misstatement and
Assertion is being
Addressed?
Identify the risk of material misstatement and the related assertion that would
be addressed by performing tests of control. Then consider whether audit
evidence about the relevant assertion can be best be obtained by a performing
tests of control or through substantive procedures.
Reliability of the
Controls
As a general rule, it is not worth testing controls that may prove to be
unreliable. This is because the small sample sizes commonly used for testing
controls are based on no deviations being found. If any of the following factors
are significant, it may be more effective to perform substantive procedures (if
possible):
• History of errors.
• Changes in the volume or nature of transactions.
• The underlying entity level and general IT controls weak.
• Controls can be (or have been) circumvented by management.
• Infrequent operation of the control.
• Changes in personnel or competence of people performing the control?
• There is a significant manual element in the control that could be prone to
error.
• Complex operation and major judgments are involved with its operation.
Existence of Indirect Does control depend on effective operation of other controls?
Controls
This could include non-financial information produced by a separate process,
the treatment of exceptions and periodic reviews of reports by managers.
Nature of Test
to Meet Objectives
06/10/2010
Tests of control usually involve a combination of the following:
• Inquiries of appropriate personnel;
Page 130
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
•
•
•
Inspection of relevant documentation;
Observation of the company’s operations; and
Re-performance of the application of the control.
Note that inquiry alone would not be sufficient evidence to support a
conclusion about the effectiveness of a control. For example, to test the
operating effectiveness of internal control over cash receipts, the auditor might
observe the procedures for opening the mail and processing cash receipts.
Because an observation is pertinent only at the point in time at which it is
made, the auditor would supplement the observation with inquiries of entity
personnel and inspection of documentation about the operation of such internal
control at other times.
Consider Point
Determine what constitutes a control deviation.
When designing a test of control, spend time to define exactly what constitutes an error or exception
to the test. This will save time spent by audit staff in determining whether a seemingly minor
exception (such as an incorrect telephone number) is, in fact, a control deviation.
Automated Controls
There may be some instances where control activities are performed by a computer and supporting
documentation does not exist. In these situations, the auditor may have to re-perform some controls to
ensure the software application controls are working as designed. Another approach is to use Computer
Assisted Audit Techniques ( CAATs). One example of a CAAT is a software package that can import an
entity’s data file (such as sales or payables), which can then be tested. Such programs can analyze client
data to provide the audit evidence needed. In addition, they provide the potential to perform much more
extensive testing of electronic transactions and account files. Some possible uses of CAATs are outlined
below.
Exhibit 10.5-4
Use of CAATs
Extract specific records such as payments more than a specified amount or
transactions before a given date
Extract top or bottom records in a database
Identify missing and duplicate records
Typical Types of
06/10/2010
Identify possible fraud (using Benford's Law)
Page 131
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Use of CAATs
Procedures
Select sample transactions from electronic files which match pre-determined
parameters or criteria.
Sort transactions with specific characteristics.
Test an entire population instead of a sample.
Recalculate (add up) the total monetary amount of records in a file (such as
inventory) and check extensions such as pricing.
Stratify, summarize and age information.
Match data across files.
Smaller entities often use off-the-shelf packaged accounting and other relevant software without
modification. However, many software packages actually contain proven application controls that could
be used by the entity to reduce the extent of errors and possibly deter fraud. Auditors might want to ask
their clients whether these controls are being used and, if not, whether there would be value to using
them.
Timing of Tests of Controls
Paragraph #
Relevant Extracts from ISAs
330.11
The auditor shall test controls for the particular time, or throughout the period, for which the auditor
intends to rely on those controls, subject to paragraphs 12 and 15 below, in order to provide an appropriate
basis for the auditor’s intended reliance. (Ref: Para. A32)
330.12
If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period,
the auditor shall:
(a) Obtain audit evidence about significant changes to those controls subsequent to the interim period;
and
(b) Determine the additional audit evidence to be obtained for the remaining period. (Ref: Para. A33A34)
330.15
If the auditor plans to rely on controls over a risk the auditor has determined to be a significant risk, the
auditor shall test those controls in the current period.
Tests of controls may provide evidence of effective operation:
•
At a particular point in time (i.e., physical inventory count); or
•
Over a period of time such as the period under audit.
When the tests of controls take place before the period end, the auditor would consider what additional
evidence may be required to cover the remaining period. This evidence may be obtained by extending the
06/10/2010
Page 132
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
tests to cover the remaining period or testing the entity’s monitoring of internal control.
Exhibit 10.5-5
Factors to Consider
Gap between the
Tests of Controls
and Period End
Significance of assessed risks of material misstatement at the assertion level.
Specific controls that were tested during the interim period.
Degree to which audit evidence about the operating effectiveness of those
controls was obtained.
Length of the remaining period.
Extent to which the auditor intends to reduce further substantive procedures
based on the reliance on internal control.
The control environment.
Any significant changes in internal control, including changes in the
information system, processes and personnel that occurred subsequent to the
interim period.
Consider Point
Where efficient, consider performing tests on the operating effectiveness of internal controls at the
same time as evaluating the design and implementation of controls.
Using Audit Evidence Obtained in Previous Audits
Paragraph #
Relevant Extracts from ISAs
330.13
In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls
obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a
control, the auditor shall consider the following:
(a) The effectiveness of other elements of internal control, including the control environment, the entity’s
monitoring of controls, and the entity’s risk assessment process;
(b) The risks arising from the characteristics of the control, including whether it is manual or automated;
(c) The effectiveness of general IT-controls;
(d) The effectiveness of the control and its application by the entity, including the nature and extent of
deviations in the application of the control noted in previous audits, and whether there have been
personnel changes that significantly affect the application of the control;
(e) Whether the lack of a change in a particular control poses a risk due to changing circumstances; and
(f)
06/10/2010
The risks of material misstatement and the extent of reliance on the control. (Ref: Para. A35)
Page 133
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
330.14
If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of
specific controls, the auditor shall establish the continuing relevance of that evidence by obtaining audit
evidence about whether significant changes in those controls have occurred subsequent to the previous
audit. The auditor shall obtain this evidence by performing inquiry combined with observation or
inspection, to confirm the understanding of those specific controls, and:
(a) If there have been changes that affect the continuing relevance of the audit evidence from the
previous audit, the auditor shall test the controls in the current audit. (Ref: Para. A36)
(b) If there have not been such changes, the auditor shall test the controls at least once in every third
audit, and shall test some controls each audit to avoid the possibility of testing all the controls on
which the auditor intends to rely in a single audit period with no testing of controls in the subsequent
two audit periods. (Ref: Para. A37-A39)
330.29
If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in previous
audits, the auditor shall include in the audit documentation the conclusions reached about relying on such
controls that were tested in a previous audit.
Rotational Testing of Controls
Assuming that the factors outlined in the exhibit below do not apply, it is possible that the tests of operating
effectiveness of internal controls may only need to be performed once every third audit. The actual period of
reliance will be based on professional judgment but cannot exceed two years.
Factors that would rule out the use of rotational testing are outlined below:
Exhibit 10.5-6
Use of control testing performed in prior years is NOT permitted when:
1. Reliance on the control is required to mitigate a “significant risk”;
2. The operation of the internal control has changed during the period or the risk being mitigated
by the control has changed;
3. A weak control environment exists;
4. The ongoing monitoring of internal control operation is poor;
5. There is a significant manual element to the operation of relevant controls;
6. Personnel changes have occurred that significantly affect the application of the control;
7. Changing circumstances indicate the need for changes in the operation of the control; and/or
8. General IT controls are weak or ineffective.
Before audit evidence obtained in prior audits can be used, the continuing relevance of such evidence
needs to be established each period. This will include confirming the understanding of those specific
controls through:
•
Inquiry of management and others about changes; and
•
Observation or inspection of the internal control to determine its continuing implementation
When there are a number of controls where evidence could be used from prior audits, the reliance should be
staggered so that some testing of internal control is performed during each audit. Testing at least a few
controls each period also provides collateral evidence about the continuing effectiveness of the control
06/10/2010
Page 134
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
environment.
In general, the higher the risks of material misstatement or the greater the reliance placed on internal
control, the shorter the time period should be between tests of controls.
06/10/2010
Page 135
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
11.
ACCOUNTING ESTIMATES
Chapter Content
Relevant ISAs
Audit procedures relating to the audit of accounting
estimates, including fair value accounting estimates and
related disclosures in an audit of financial statements.
540
How were the estimates prepared?
How significant are the estimates?
Is an auditors expert required?
How accurate were prior years
estimates?
Any evidence of management bias?
Risk Response
What estimates are required?
Have estimates been prepared properly
using consistent methodology?
Is the supporting evidence reliable?
Any evidence of fraud?
Extent of estimation uncertainty
involved?
Reporting
Risk Assessment
Exhibit 11.0-1
Paragraph #
540.6
Are financial statements disclosures
of accounting estimates in accordance
with the financial reporting framework?
If a significant risk, has disclosure been
made of the estimation uncertainty?
Obtain management representations
ISA Objective(s)
The objective of the auditor is to obtain sufficient appropriate audit evidence about whether:
(a)
accounting estimates, including fair value accounting estimates, in the financial statements, whether
recognized or disclosed, are reasonable; and
(b)
related disclosures in the financial statements are adequate,
in the context of the applicable financial reporting framework.
Paragraph #
Relevant Extracts from ISAs
540.7
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Accounting estimate – An approximation of a monetary amount in the absence of a precise means of
06/10/2010
Page 136
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
measurement. This term is used for an amount measured at fair value where there is estimation
uncertainty, as well as for other amounts that require estimation. Where this ISA addresses only
accounting estimates involving measurement at fair value, the term “fair value accounting estimates”
is used.
(b) Auditor’s point estimate or auditor’s range – The amount, or range of amounts, respectively, derived
from audit evidence for use in evaluating management’s point estimate.
(c) Estimation uncertainty – The susceptibility of an accounting estimate and related disclosures to an
inherent lack of precision in its measurement.
(d) Management bias – A lack of neutrality by management in the preparation of information.
(e) Management’s point estimate – The amount selected by management for recognition or disclosure in the
financial statements as an accounting estimate.
(f)
Outcome of an accounting estimate – The actual monetary amount which results from the resolution
of the underlying transaction(s), event(s) or condition(s) addressed by the accounting estimate.
11.1 Overview The objective when auditing estimates is to obtain sufficient appropriate audit evidence about whether:
•
•
Accounting estimates, including fair value accounting estimates in the financial statements, whether
recognized or disclosed, are reasonable; and
Related disclosures in the financial statements are adequate, in the context of the applicable financial
reporting framework.
Some financial statement items cannot be measured precisely and therefore have to be estimated. Such
accounting estimates range from the straightforward (such as net realizable values for inventory and
accounts receivable) to the more complex (such as calculating revenues to be recorded from long-term
contracts and future liabilities on product warranties and guarantees). Estimates can often involve
considerable analyses of historical and current data and the forecasting of future events such as sales
transactions.
The measurement of accounting estimates may vary based on the requirements of the applicable financial
reporting framework and the financial item involved. For example, the measurement objective of an
estimate may be to:
•
Forecast the outcome of one or more transactions, events or conditions that gave rise to the
accounting estimate; or
•
Determine the value of a current transaction or financial statement item based on conditions prevalent
at the measurement date, such as estimated market price for a particular type of asset or liability. This
would include fair value measurements.
The risk of material misstatement arising from an estimate will often be based on the degree of estimation
uncertainty involved. Some of the factors to consider are outlined in the following exhibit.
Exhibit 11.1-1
Level of estimation uncertainty involved
Low level of uncertainty (Less RMM)
06/10/2010
High level of uncertainty (Higher RMM)
Page 137
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Business activities that are not complex
Highly dependent upon judgment, such as the
outcome of litigation or the amount and timing of
future cash flows dependent on uncertain events many
years in the future.
Relate to routine transactions.
NOT calculated using recognized measurement
techniques.
Derived from data (referred to as "observable" in the
context of fair value accounting) that is readily
available, such as published interest rate data or
exchange-traded prices of securities.
Results of the auditor's review of similar accounting
estimates made in the prior period financial statements
indicate a substantial difference between the original
accounting estimate and the actual outcome.
Method of measurement prescribed by the applicable
financial reporting framework is simple and applied
easily
Fair value accounting estimates for derivative
financial instruments are not publicly traded.
Fair value accounting estimates where the model used
to measure the accounting estimate is well-known or
generally accepted, provided that the assumptions or
inputs to the model are observable.
Fair value accounting estimates for which a highly
specialized entity-developed model is used or for
which there are assumptions or inputs that cannot be
observed in the marketplace
Note: The auditor (using professional judgement) is required to determine whether, any of the
identified accounting estimates (those having a high estimation uncertainty) give rise to
significant risks. If a significant risk is identified, the auditor is also required to obtain an
understanding of the entity's controls, including control activities.
When the audit evidence had been obtained the reasonableness of the estimates would be evaluated and
the extent of any misstatement identified.
•
Where the evidence supports a point estimate, the difference between the auditor's point estimate
and management's point estimate constitutes a misstatement.
•
Where the auditor has concluded that using the auditor's range of reasonableness provides
sufficient appropriate audit evidence, a management point estimate that lies outside the auditor's
range would not be supported by audit evidence. In such cases, the misstatement is no less than
the difference between management's point estimate and the nearest point of the auditor's range.
A difference between the outcome of an accounting estimate and the amount originally recognized or
disclosed in the financial statements does not necessarily represent a misstatement of the financial
statements. This is particularly the case for fair value accounting estimates, as any observed outcome is
invariably affected by events or conditions subsequent to the date at which the measurement is estimated
for purposes of the financial statements.
11.2 Risk Assessment Paragraph #
Relevant Extracts from ISAs
540.8
When performing risk assessment procedures and related activities to obtain an understanding of the entity
and its environment, including the entity’s internal control, as required by ISA 315,the auditor shall obtain
an understanding of the following in order to provide a basis for the identification and assessment of the
risks of material misstatement for accounting estimates: (Ref: Para. A12)
(a) The requirements of the applicable financial reporting framework relevant to accounting estimates,
including related disclosures. (Ref: Para. A13-A15)
06/10/2010
Page 138
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(b) How management identifies those transactions, events and conditions that may give rise to the need
for accounting estimates to be recognized or disclosed in the financial statements. In obtaining this
understanding, the auditor shall make inquiries of management about changes in circumstances that
may give rise to new, or the need to revise existing, accounting estimates. (Ref: Para. A16-A21)
(c) How management makes the accounting estimates, and an understanding of the data on which they
are based, including: (Ref: Para. A22-A23)
(i) The method, including where applicable the model, used in making the accounting estimate;
(Ref: Para. A24-A26)
(ii) Relevant controls; (Ref: Para. A27-A28)
(iii) Whether management has used a management expert; (Ref: Para. A29-A30)
(iv) The assumptions underlying the accounting estimates; (Ref: Para. A31-A36)
(v) Whether there has been or ought to have been a change from the prior period in the methods for
making the accounting estimates, and if so, why; and (Ref: Para. A37)
(vi) Whether and, if so, how management has assessed the effect of estimation uncertainty. (Ref:
Para. A38)
540.9
The auditor shall review the outcome of accounting estimates included in the prior period financial
statements, or, where applicable, their subsequent re-estimation for the purpose of the current period. The
nature and extent of the auditor’s review takes account of the nature of the accounting estimates, and
whether the information obtained from the review would be relevant to identifying and assessing risks of
material misstatement of accounting estimates made in the current period financial statements. However,
the review is not intended to call into question the judgments made in the prior periods that were based on
information available at the time. (Ref: Para. A39-A44)
540.10
In identifying and assessing the risks of material misstatement, as required by ISA 315, the auditor shall
evaluate the degree of estimation uncertainty associated with an accounting estimate. (Ref: Para. A45A46)
540.11
The auditor shall determine whether, in the auditor’s judgment, any of those accounting estimates that
have been identified as having high estimation uncertainty give rise to significant risks. (Ref: Para. A47A51)
For smaller entities, the amount of work involved in preparing estimates will be less complex as their
business activities are often limited and transactions are less complex. Often a single person, such as the
owner-manager, will identify the need for accounting estimates and the auditor may focus the inquiries
accordingly. However smaller entities will also be less likely to have a management expert available who
would use their experience and competence to make the required point estimates. In these cases the risk of
material misstatement might actually increase, unless of course such an expert is hired.
Consider point
Where the use of a management expert would greatly assist the estimating process, discuss this need with
entity management as early as possible in the audit process, so that appropriate action can be taken.
The key areas for the auditor to address are outlined in the table below.
Exhibit 11.2-1
Address
06/10/2010
Description
Page 139
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
How is the Need for
an Estimate
Identified?
This could result from the accounting framework being used or from
transactions, events and conditions that may give rise to the need for
accounting estimates to be recognized or disclosed in the financial statements.
In addition, the auditor would make inquiries of management about changes in
circumstances that give rise to new, or the need to revise existing, accounting
estimates.
Management’s
Process for Making
Estimates
Review and evaluate management’s estimation processes including the
development of the underlying assumptions, reliability of data used and any
internal approval or review process. Where applicable, this could also include
the use of a management expert.
The need for a management expert may arise because of, for example:
Outcomes of
Estimates Prepared
in Previous Periods
•
The specialized nature of the matter requiring estimation
•
The technical nature of models required to meet requirements of the
applicable financial reporting framework, (such as certain measurements
at fair value).
•
The unusual or infrequent nature of the condition, transaction or event
requiring an accounting estimate.
Review the outcome of the previous period’s estimates and understand the
reasons for differences between prior period estimates and the actual amounts.
This will help to understand:
• Effectiveness (or not) of management’s estimation process;
• Existence of any possible management bias (a review of estimates for
possible fraud is also required by ISA 240);
• Existence of pertinent audit evidence; and
• Extent of estimation uncertainty involved, which may be required to be
disclosed in the financial statements.
Extent of Estimation Consider the following:
• Extent of management’s judgement involved;
Uncertainty
• Sensitivity to changes in assumptions;
Involved
• Existence of recognized measurement techniques that mitigate the
uncertainty;
• Length of the forecast period and relevance of data used;
• Availability of reliable data from external sources;
• Extent estimate is based on observable or unobservable inputs; and
• Susceptibility to bias.
Note: Determine whether the accounting estimates with a high estimation
uncertainty are also ‘significant risks’ to be addressed by the auditor.
Significance of the
Estimates
06/10/2010
In assessing the risks of material misstatement, consider:
• Matters addressed above in this table;
Page 140
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
•
•
11.3
Actual or expected magnitude of the estimate; and
Whether the estimate is a significant risk. See ‘extent of estimation
uncertainty’ above.
Responses to Assessed Risks
Paragraph #
Relevant Extracts from ISAs
540.12
Based on the assessed risks of material misstatement, the auditor shall determine: (Ref: Para. A52)
(a) Whether management has appropriately applied the requirements of the applicable financial reporting
framework relevant to the accounting estimate; and (Ref: Para. A53-A56)
(b) Whether the methods for making the accounting estimates are appropriate and have been applied
consistently, and whether changes, if any, in accounting estimates or in the method for making them
from the prior period are appropriate in the circumstances. (Ref: Para. A57-A58)
540.13
In responding to the assessed risks of material misstatement, as required by ISA 330, the auditor shall
undertake one or more of the following, taking account of the nature of the accounting estimate: (Ref:
Para. A59-A61)
(a) Determine whether events occurring up to the date of the auditor’s report provide audit evidence
regarding the accounting estimate. (Ref: Para. A62-A67)
(b) Test how management made the accounting estimate and the data on which it is based. In doing so,
the auditor shall evaluate whether: (Ref: Para. A68-A70)
(i) The method of measurement used is appropriate in the circumstances; and (Ref: Para. A71-A76)
(ii) The assumptions used by management are reasonable in light of the measurement objectives of
the applicable financial reporting framework. (Ref: Para. A77-A83)
(c) Test the operating effectiveness of the controls over how management made the accounting estimate,
together with appropriate substantive procedures. (Ref: Para. A84-A86)
(d) Develop a point estimate or a range to evaluate management’s point estimate. For this purpose: (Ref:
Para. A87-A91)
(i) If the auditor uses assumptions or methods that differ from management’s, the auditor shall
obtain an understanding of management’s assumptions or methods sufficient to establish that the
auditor’s point estimate or range takes into account relevant variables and to evaluate any
significant differences from management’s point estimate. (Ref: Para. A92)
(ii) If the auditor concludes that it is appropriate to use a range, the auditor shall narrow the range, based
on audit evidence available, until all outcomes within the range are considered reasonable. (Ref:
Para. A93-A95)
540.14
In determining the matters identified in paragraph 12 or in responding to the assessed risks of material
misstatement in accordance with paragraph 13, the auditor shall consider whether specialized skills or
knowledge in relation to one or more aspects of the accounting estimates are required in order to obtain
sufficient appropriate audit evidence. (Ref: Para. A96-A101)
540.15
For accounting estimates that give rise to significant risks, in addition to other substantive procedures
performed to meet the requirements of ISA 330, 7 the auditor shall evaluate the following: (Ref: Para.
A102)
(a)
How management has considered alternative assumptions or outcomes, and why it has rejected
them, or how management has otherwise addressed estimation uncertainty in making the accounting
06/10/2010
Page 141
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
estimate. (Ref: Para. A103-A106)
(b)
A109)
Whether the significant assumptions used by management are reasonable. (Ref: Para. A107-
(c)
Where relevant to the reasonableness of the significant assumptions used by management or the
appropriate application of the applicable financial reporting framework, management's intent to carry out
specific courses of action and its ability to do so. (Ref: Para. A110)
540.16
If, in the auditor's judgment, management has not adequately addressed the effects of estimation
uncertainty on the accounting estimates that give rise to significant risks, the auditor shall, if considered
necessary, develop a range with which to evaluate the reasonableness of the accounting estimate. (Ref:
Para. A111-A112)
In smaller entities there is likely to be active management involvement in the financial reporting process
which includes accounting estimate preparation. As a result, controls over the estimating process may not
exist, or if they do exist, may operate informally. For this reason, the auditor's response to the assessed
risks is likely to be substantive in nature, with the auditor performing one or more of the other responses
outlined below.
Exhibit 11.3-1
Address
Have Estimates
been Prepared
Appropriately?
How Reliable is the
Supporting
Evidence?
06/10/2010
Description
a) Test how management made the accounting estimate and the data on
which it is based. Evaluate whether:
• The method of measurement used is appropriate in the circumstances;
and
• The assumptions used by management are reasonable in light of the
measurement objectives of the applicable financial reporting
framework.
b) Test the operating effectiveness of the controls, if any, over how
management made the accounting estimate, together with appropriate
substantive procedures.
c) Develop a point estimate or a range to evaluate management's point
estimate. If the assumptions or methods used by the auditor differ from
management's, obtain an understanding of management's assumptions or
methods sufficient to establish that the auditor's point estimate or range
takes into account relevant variables. Also evaluate any significant
differences from management's point estimate. If it is appropriate to use a
range, narrow the range, based on audit evidence available, until all
outcomes within the range are considered reasonable.
Undertake one or more of the following procedures taking into account the
nature of the accounting estimate, the nature of the evidence that will be
obtained and the assessed risk of material misstatement, including whether the
assessed risk is a significant risk:
Page 142
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
•
•
•
•
Possible
Management Bias
•
•
Review events subsequent to the period end to ensure they support
management's estimates. This may be particularly relevant in some smaller
owner-managed entities, where management does not have formalized
control procedures over accounting estimates
Test the information, controls (if any), methods and assumptions used.
Based on available evidence and discussions with management, develop an
independent point estimate or range of reasonableness for comparison with
the entity’s estimate. The amount by which management’s estimate differs
from the point estimate or falls outside the range of reasonableness would
be considered as a misstatement.
When there is a longer period between the balance sheet date and the date
of the auditor's report, the auditor's review of events in this period may be
an effective response for accounting estimates other than fair value
accounting estimates.
Identify whether there are indicators of possible management bias. This
could include changes in the way estimates are calculated or the selection
of a point estimate that indicates a pattern of optimism or pessimism. This
could occur where estimates consistently lie at one boundary of the
auditors range of reasonableness or where the bias moves from one
boundary of the range to the other in successive periods. For example
where management put the business up for sale and the earnings goal
changes from tax minimization to maximization of earnings.
Consider the cumulative effect of bias in the preparation of management’s
accounting estimates.
Where the estimate is complex or involves specialized techniques, the auditor may determine it is
necessary to use the work of an auditor’s expert (see Volume 1, Chapter 15.7 (ISA 620) for guidance on
using the work of an auditor’s expert).
11.4
Reporting
Paragraph #
Relevant Extracts from ISAs
540.19
The auditor shall obtain sufficient appropriate audit evidence about whether the disclosures in the financial
statements related to accounting estimates are in accordance with the requirements of the applicable
financial reporting framework. (Ref: Para. A120-A121)
540.20
For accounting estimates that give rise to significant risks, the auditor shall also evaluate the adequacy of
the disclosure of their estimation uncertainty in the financial statements in the context of the applicable
financial reporting framework. (Ref: Para. A122-A123)
The final step is to determine whether:
a) sufficient appropriate evidence has been obtained. Where sufficient appropriate evidence is not
available or the evidence refutes management’s estimates, the auditor would discuss the findings
06/10/2010
Page 143
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
with management and consider the need to change the risk assessment and perform further audit
procedures.
b) the accounting estimates are either reasonable in the context of the applicable financial reporting
framework, or are misstated.
c) disclosures in the financial statements about the estimates:
•
Are in accordance with the requirements of the applicable financial reporting framework; and
•
Adequately disclose their estimation uncertainty, if they give rise to significant risks.
Written Representations
The auditor would obtain written representations from management regarding the reasonableness of
significant assumptions.
Also consider obtaining a written representation as to whether the assumptions appropriately reflect
management’s intent and ability to carry out specific courses of action relevant to any fair value
measurements or disclosures.
06/10/2010
Page 144
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
12.
RELATED PARTIES
Chapter Content
Relevant ISAs
Audit procedures regarding related parties and
transactions with such parties.
550
Understand nature, extent and
purpose of transactions
Consider potential for fraud
Remain alert for related party
transactions throughout audit
Risk Response
Identify related parties including
changes from previous periods
Consider significant risks
Reporting
Risk Assessment
Exhibit 12.0-1
Do any circumstances identified by the auditor
suggest involvement of related parties?
Obtain evidence to support managements
assertions about the nature, extent and
purpose of transactions .
If outside normal course of business
consider significance of transactions
Consider measurement and recognition
of transactions and balances
Consider possible fraud
Has sufficient appropriate evidence been
obtained?
Does a material misstatement exist?
Is financial statement disclosure adequate?
Obtain management representations
Report on any findings
Paragraph #
550.9
ISA Objective(s)
The objectives of the auditor are:
(a)
Irrespective of whether the applicable financial reporting framework establishes related party
requirements, to obtain an understanding of related party relationships and transactions sufficient to be able:
(i)
To recognize fraud risk factors, if any, arising from related party relationships and transactions that
are relevant to the identification and assessment of the risks of material misstatement due to fraud; and
(ii)
To conclude, based on the audit evidence obtained, whether the financial statements, insofar as they
are affected by those relationships and transactions:
a.
Achieve fair presentation (for fair presentation frameworks); or
b.
Are not misleading (for compliance frameworks); and
(b)
In addition, where the applicable financial reporting framework establishes related party
requirements, to obtain sufficient appropriate audit evidence about whether related party relationships and
transactions have been appropriately identified, accounted for and disclosed in the financial statements in
accordance with the framework.
06/10/2010
Page 145
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
550.10
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Arm’s length transaction – A transaction conducted on such terms and conditions as between a willing
buyer and a willing seller who are unrelated and are acting independently of each other and pursuing their
own best interests.
(b) Related party – A party that is either: (Ref: Para. A4-A7)
(i) A related party as defined in the applicable financial reporting framework; or
(ii) Where the applicable financial reporting framework establishes minimal or no related party
requirements:
a. A person or other entity that has control or significant influence, directly or indirectly
through one or more intermediaries, over the reporting entity;
b. Another entity over which the reporting entity has control or significant influence, directly
or indirectly through one or more intermediaries; or
c. Another entity that is under common control with the reporting entity through having:
i.
Common controlling ownership;
ii.
Owners who are close family members; or
iii. Common key management.
However, entities that are under common control by a state (i.e., a national, regional or local
government) are not considered related unless they engage in significant transactions or share
resources to a significant extent with one another.
12.1
Overview
As related parties are not independent of each other, there are often higher risks of material misstatement
through the related-party transactions than through transactions with unrelated parties. Consequently,
financial reporting frameworks often contain accounting and disclosure requirements regarding relatedparty transactions and balances. These requirements are intended to provide financial statement users with
an understanding of the nature of these transactions/balances and the actual or potential effects.
Some of the potential risk factors with regard to related-party transactions are set out below.
Exhibit 12.1-1
Overly complex
transactions
Relationships and
transactions not
identified
Not conducted in the
normal course of
06/10/2010
Description
Related parties may operate through an extensive and complex range of
relationships and structures.
• Related party relationships may be concealed as they present a greater
opportunity for collusion, concealment or manipulation by management.
• The entity’s information systems may be ineffective at identifying or
summarizing transactions and outstanding balances between the entity and
its related parties.
• Management may be unaware of the existence of all related party
relationships and transactions,
Related-party transactions may not be conducted under normal market terms
and conditions such as above, below fair values or even with no exchange of
Page 146
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
business
consideration at all.
Management is responsible for the identification and disclosure of related parties and accounting for the
transactions. This responsibility requires management to implement adequate internal control to ensure
that transactions with related parties are appropriately identified and recorded in the information system
and disclosed in the financial statements.
The auditor is responsible to maintain an alertness for related party information when reviewing records
or documents during the audit. This includes the inspection of certain key documents but does not require
an extensive investigation of records and documents to specifically identify related parties.
In smaller entities, these procedures are likely to be less sophisticated and informal. Management may not
readily have information about related parties (the accounting systems are unlikely to have been designed
to identify related parties) so the auditor may need to make inquiries and review accounts with specific
parties, etc. beyond the accounting records and disclosures in the accounts.
Financial Reporting Frameworks
Because related parties are not independent of each other, many financial reporting frameworks establish
specific accounting and disclosure requirements for related party relationships, transactions and balances.
This enables the users of financial statements to understand their nature and actual or potential effects on
the financial statements.
Where the applicable financial reporting framework establishes requirements for related party accounting
and disclosure, the auditor has a responsibility to perform audit procedures to identify, assess and respond
to the risks of material misstatement arising from the entity's failure to appropriately account for or
disclose related party relationships, transactions or balances in accordance with the requirements of the
framework.
Where the applicable financial reporting framework establishes minimal or no related party requirements,
the auditor still needs to obtain an understanding of the entity's related party relationships and transactions
sufficient to be able to conclude whether the financial statements, insofar as they are affected by those
relationships and transactions:
(a)
Achieve fair presentation (for fair presentation frameworks); or
(b)
Are not misleading (for compliance frameworks).
When information is identified that suggests the existence of related party relationships or transactions
that were not previously identified or disclosed by management, the auditor is required to determine
whether the underlying circumstances confirm the existence of such relationships or transactions.
ISA 550 provides guidance on the auditor’s responsibility and audit procedures regarding related parties
and transactions with such parties.
Exhibit 12.1-2
Auditor Responsibility
Where
Description
Accounting framework
establishes minimal or no
requirements
Obtain an understanding of the entity's related party relationships and
transactions sufficient to:
06/10/2010
•
recognize fraud risk factors, if any, arising from related party
Page 147
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
relationships and transactions that are relevant to the
identification and assessment of the risks of material
misstatement due to fraud; and
•
The applicable financial
reporting framework sets out
the requirements
12.2
conclude, based on the audit evidence obtained, whether the
financial statements, insofar as they are affected by those
relationships and transactions, achieve fair presentation (for fair
presentation frameworks); or are not misleading (for
compliance frameworks)
In addition to the steps described above, obtain sufficient appropriate
audit evidence to comply with the specific accounting and disclosure
requirements for related party relationships, transactions and balances.
Risk Assessment
Paragraph #
Relevant Extracts from ISAs
550.11
As part of the risk assessment procedures and related activities that ISA 315 and ISA 240 require the
auditor to perform during the audit, the auditor shall perform the audit procedures and related activities set
out in paragraphs 12-17 to obtain information relevant to identifying the risks of material misstatement
associated with related party relationships and transactions. (Ref: Para. A8)
550.12
The engagement team discussion that ISA 315 and ISA 240 require shall include specific consideration of
the susceptibility of the financial statements to material misstatement due to fraud or error that could result
from the entity’s related party relationships and transactions. (Ref: Para. A9-A10)
550.13
The auditor shall inquire of management regarding:
(a) The identity of the entity’s related parties, including changes from the prior period; (Ref: Para. A11A14)
(b) The nature of the relationships between the entity and these related parties; and
(c) Whether the entity entered into any transactions with these related parties during the period and, if so,
the type and purpose of the transactions.
550.14
The auditor shall inquire of management and others within the entity, and perform other risk assessment
procedures considered appropriate, to obtain an understanding of the controls, if any, that management has
established to: (Ref: Para. A15-A20)
(a) Identify, account for, and disclose related party relationships and transactions in accordance with the
applicable financial reporting framework;
(b) Authorize and approve significant transactions and arrangements with related parties; and (Ref: Para.
A21)
(c) Authorize and approve significant transactions and arrangements outside the normal course of
business.
550.15
During the audit, the auditor shall remain alert, when inspecting records or documents, for arrangements
or other information that may indicate the existence of related party relationships or transactions that
management has not previously identified or disclosed to the auditor. (Ref: Para. A22-A23)
In particular, the auditor shall inspect the following for indications of the existence of related party
relationships or transactions that management has not previously identified or disclosed to the auditor:
(a) Bank and legal confirmations obtained as part of the auditor’s procedures;
(b) Minutes of meetings of shareholders and of those charged with governance; and
06/10/2010
Page 148
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(c) Such other records or documents as the auditor considers necessary in the circumstances of the entity.
For example:
550.16
•
Income tax returns and other information supplied to regulatory authorities.
•
Shareholder registers to identify the entity's principal shareholders.
•
Contracts and agreements with key management or those charged with governance.
•
Significant contracts and agreements not in the entity's ordinary course of business.
•
Specific invoices and correspondence from the entity's professional advisors.
•
Life insurance policies acquired by the entity.
•
Significant contracts re-negotiated by the entity during the period.
If the auditor identifies significant transactions outside the entity’s normal course of business when
performing the audit procedures required by paragraph 15 or through other audit procedures, the auditor
shall inquire of management about: (Ref: Para. A24-A25)
(a) The nature of these transactions; and (Ref: Para. A26)
(b) Whether related parties could be involved. (Ref: Para. A27)
550.17
The auditor shall share relevant information obtained about the entity’s related parties with the other
members of the engagement team. (Ref: Para. A28)
550.18
In meeting the ISA 315 requirement to identify and assess the risks of material misstatement, the auditor
shall identify and assess the risks of material misstatement associated with related party relationships and
transactions and determine whether any of those risks are significant risks. In making this determination,
the auditor shall treat identified significant related party transactions outside the entity’s normal course of
business as giving rise to significant risks.
550.19
If the auditor identifies fraud risk factors (including circumstances relating to the existence of a related
party with dominant influence) when performing the risk assessment procedures and related activities in
connection with related parties, the auditor shall consider such information when identifying and assessing
the risks of material misstatement due to fraud in accordance with ISA 240. (Ref: Para. A6 and A29-A30)
To identify and assess the risks of material misstatement associated with related party relationships and
transactions, the auditor would consider the matters set out below.
Exhibit 12.2-1
Identifying Risks
Description
Address Existence/
Nature/
Impact of Related
Parties and
Transactions
Inquire about the:
a) Identity of related parties, including changes from prior period.
b) Nature of relationships between the entity and related parties
c) Type and purpose of any transactions with related parties
d) Controls, if any, that management has established to:
• Identify, account for, and disclose related party relationships and
transactions in accordance with the applicable financial reporting
framework;
• Authorize and approve significant transactions and arrangements with
06/10/2010
Page 149
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Identifying Risks
Description
•
Consider Possible
Fraud
related parties; and
Authorize and approve significant transactions and arrangements
outside the normal course of business.
Discuss among the engagement team the susceptibility of financial statements
to material misstatement due to fraud or error resulting from related-party
relationships and transactions.
Also consider whether domination of management occurs by a single person or
small group of persons without compensating controls. Indicators of dominant
influence include:
•
The related party has vetoed significant business decisions taken by
management or those charged with governance.
•
Significant transactions are referred to the related party for final
approval.
•
There is little or no debate among management and those charged with
governance regarding business proposals initiated by the related party.
•
Transactions involving the related party (or a close family member of
the related party) are rarely independently reviewed and approved.
Dominant influence may also exist in some cases if the related party has
played a leading role in founding the entity and continues to play a leading role
in managing the entity.
If fraud risk factors are identified, make an assessment of the risks of material
misstatement. If a risk of material misstatement could occur, develop an
appropriate audit response.
Remain Alert when
Inspecting Records
or Documents
When inspecting records or documents always remain alert to undisclosed
related party relationships or transactions. In particular, inspect the following
records and documents for related parties not previously identified or
disclosed:
a) Bank and legal confirmations obtained;
b) Minutes of meetings of shareholders and of those charged with
governance; and
c) Such other records or documents as considered necessary in the
circumstances
Always share information obtained about possible related parties with other
team members.
Identify Significant
Risks
Significant related-party transactions outside the normal course of business
would give rise to significant risks.
06/10/2010
Page 150
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
In smaller entities, the identification of related-party transactions can often be difficult. If the client
uses a standard software package to record transactions, consider obtaining an electronic copy of the
transactions and importing them into an electronic spreadsheet. By using the sort features and
configuring the selection criteria, it may be possible to obtain information about customers/suppliers
with only a few, but large transactions, or those with significant transactions of a size or nature that is
unusual.
12.3
Risk Response
Paragraph #
Relevant Extracts from ISAs
550.20
As part of the ISA 330 requirement that the auditor respond to assessed risks, the auditor designs and
performs further audit procedures to obtain sufficient appropriate audit evidence about the assessed risks
of material misstatement associated with related party relationships and transactions. These audit
procedures shall include those required by paragraphs 21-24. (Ref: Para. A31-A34)
550.21
If the auditor identifies arrangements or information that suggests the existence of related party
relationships or transactions that management has not previously identified or disclosed to the auditor, the
auditor shall determine whether the underlying circumstances confirm the existence of those relationships
or transactions.
550.22
If the auditor identifies related parties or significant related party transactions that management has not
previously identified or disclosed to the auditor, the auditor shall:
(a) Promptly communicate the relevant information to the other members of the engagement team; (Ref:
Para. A35)
(b) Where the applicable financial reporting framework establishes related party requirements:
(i) Request management to identify all transactions with the newly identified related parties for the
auditor’s further evaluation; and
(ii) Inquire as to why the entity’s controls over related party relationships and transactions failed to
enable the identification or disclosure of the related party relationships or transactions;
(c) Perform appropriate substantive audit procedures relating to such newly identified related parties or
significant related party transactions; (Ref: Para. A36)
(d) Reconsider the risk that other related parties or significant related party transactions may exist that
management has not previously identified or disclosed to the auditor, and perform additional audit
procedures as necessary; and
(e) If the non-disclosure by management appears intentional (and therefore indicative of a risk of
material misstatement due to fraud), evaluate the implications for the audit. (Ref: Para. A37)
550.23
For identified significant related party transactions outside the entity’s normal course of business, the
auditor shall:
(a) Inspect the underlying contracts or agreements, if any, and evaluate whether:
(i) The business rationale (or lack thereof) of the transactions suggests that they may have been
entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets;
(Ref: Para. A38-A39)
(ii) The terms of the transactions are consistent with management’s explanations; and
(iii) The transactions have been appropriately accounted for and disclosed in accordance with the
applicable financial reporting framework; and
(b) Obtain audit evidence that the transactions have been appropriately authorized and approved. (Ref:
06/10/2010
Page 151
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
Para. A40-A41)
550.24
If management has made an assertion in the financial statements to the effect that a related party
transaction was conducted on terms equivalent to those prevailing in an arm’s length transaction, the
auditor shall obtain sufficient appropriate audit evidence about the assertion. (Ref: Para. A42-A45)
In responding to the identified risks of material misstatement associated with related-party relationships
and transactions, the auditor would consider the matters set out below.
Exhibit 12.3-1
Address
Description
Where Auditor
Identifies
Arrangements or
Information that
Suggests Existence
of Related Party
Relationships or
Transactions
•
•
•
•
•
•
Significant Related
Party Transactions
Outside Normal
Course of Business
•
•
Determine whether underlying circumstances confirm their existence;
Promptly communicate the information to engagement team;
Request management to identify all transactions with the related party;
If related party was not previously identified ask why. Consider:
– Failure of any related-party identification controls, and
– Fraud (non-disclosure by management appears intentional);
Reconsider the risk that other undisclosed related parties or significant
related-party transactions may exist and perform additional audit
procedures as necessary; and
Perform appropriate substantive audit procedures.
Inspect underlying contracts or agreements, if any, and evaluate whether:
– Rationale suggests possible fraudulent financial reporting or
concealment of misappropriated assets,
– Terms are consistent with management’s explanations, and
– Transactions are accounted for and disclosed in accordance with the
applicable financial reporting framework; and
Ensure transactions have been appropriately authorized and approved.
Obtain sufficient appropriate audit evidence about management’s assertions
about the nature and extent of related-party transactions.
Management’s
Assertions
Consider whether external confirmation of the balances would provide reliable
evidence.
Consider the collectability of period end balances valuation of period end .
12.4
Reporting
Paragraph #
Relevant Extracts from ISAs
550.25
In forming an opinion on the financial statements in accordance with ISA 700, the auditor shall evaluate:
(Ref: Para. A46)
06/10/2010
Page 152
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(a) Whether the identified related party relationships and transactions have been appropriately accounted
for and disclosed in accordance with the applicable financial reporting framework; and (Ref: Para.
A47)
(b) Whether the effects of the related party relationships and transactions:
(i) Prevent the financial statements from achieving fair presentation (for fair presentation
frameworks); or
(ii) Cause the financial statements to be misleading (for compliance frameworks).
550.26
Where the applicable financial reporting framework establishes related party requirements, the auditor
shall obtain written representations from management and, where appropriate, those charged with
governance that: (Ref: Para. A48-A49)
(a) They have disclosed to the auditor the identity of the entity’s related parties and all the related party
relationships and transactions of which they are aware; and
(b) They have appropriately accounted for and disclosed such relationships and transactions in
accordance with the requirements of the framework.
550.27
Unless all of those charged with governance are involved in managing the entity, the auditor shall
communicate with those charged with governance significant matters arising during the audit in
connection with the entity’s related parties. (Ref: Para. A50)
550.28
The auditor shall include in the audit documentation the names of the identified related parties and the
nature of the related party relationships.
The auditor would consider the following matters.
Exhibit 12.4-1
Address
Document
and Report
Description
•
•
Document the names of the identified related parties and the nature of the
related party relationships; and
Communicate with those charged with governance any significant matters
arising during the audit in connection with related parties.
Obtain
Management
Representation
Obtain written representations from management (and those charged with
governance) that:
• All related parties and transactions have been disclosed; and
• Such relationships and transactions have been appropriately accounted for
and disclosed in the financial statements.
Determine if the
Audit
Opinion Needs
to be Modified
Modify the auditor’s report if:
• It is not possible to obtain sufficient appropriate audit evidence concerning
related parties and transactions; or
• Management’s disclosure in the financial statements (as required by the
financial framework) is not considered adequate.
06/10/2010
Page 153
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
13.
SUBSEQUENT EVENTS
Chapter Content
Auditor’s responsibility regarding subsequent events.
Paragraph #
560.4
Relevant ISAs
560
ISA Objective(s)
The objectives of the auditor are:
(a)
To obtain sufficient appropriate audit evidence about whether events occurring between the date of
the financial statements and the date of the auditor's report that require adjustment of, or disclosure in, the
financial statements are appropriately reflected in those financial statements in accordance with the
applicable financial reporting framework; and
(b)
To respond appropriately to facts that become known to the auditor after the date of the auditor's
report, that, had they been known to the auditor at that date, may have caused the auditor to amend the
auditor's report
Paragraph #
Relevant Extracts from ISAs
560.5
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Date of the financial statements – The date of the end of the latest period covered by the
financial statements.
(b) Date of approval of the financial statements – The date on which all the statements that
comprise the financial statements, including the related notes, have been prepared and those
with the recognized authority have asserted that they have taken responsibility for those
financial statements. (Ref: Para. A2)
(c) Date of the auditor's report – The date the auditor dates the report on the financial statements
in accordance with ISA 700. (Ref: Para. A3)
(d) Date the financial statements are issued – The date that the auditor's report and audited
financial statements are made available to third parties. (Ref: Para. A4-A5)
(e) Subsequent events – Events occurring between the date of the financial statements and the
date of the auditor's report, and facts that become known to the auditor after the date of the
auditor's report.
13.1
Overview
This standard provides guidance on the auditor’s responsibility regarding subsequent events.
Subsequent events occur after the date of the financial statements (the period-end date). Other key dates
in the preparation, audit and release of financial statements are outlined in the exhibit below.
Exhibit 13.1-1
06/10/2010
Page 154
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Date of
Financial
Statements
Date of
management
approval of
Financial
Statements
Date of
Auditors report
on Financial
Statements
Date Financial
Statements
are issued
Timelines
“Subsequent events” refers to:
•
Events occurring between the date of the financial statements and the date of the auditor's report; and
•
Facts that become known to the auditor after the date of the auditor's report.
Paragraph #
Relevant Extracts from ISAs
560.6
The auditor shall perform audit procedures designed to obtain sufficient appropriate audit evidence that all
events occurring between the date of the financial statements and the date of the auditor’s report that
require adjustment of, or disclosure in, the financial statements have been identified. The auditor is not,
however, expected to perform additional audit procedures on matters to which previously applied audit
procedures have provided satisfactory conclusions. (Ref: Para. A6)
560.7
The auditor shall perform the procedures required by paragraph 6 so that they cover the period from the
date of the financial statements to the date of the auditor’s report, or as near as practicable thereto. The
auditor shall take into account the auditor’s risk assessment in determining the nature and extent of such
audit procedures, which shall include the following: (Ref: Para. A7-A8)
(a) Obtaining an understanding of any procedures management has established to ensure that subsequent
events are identified.
(b) Inquiring of management and, where appropriate, those charged with governance as to whether any
subsequent events have occurred which might affect the financial statements. (Ref: Para. A9)
(c) Reading minutes, if any, of the meetings, of the entity’s owners, management and those charged with
governance, that have been held after the date of the financial statements and inquiring about matters
discussed at any such meetings for which minutes are not yet available. (Ref: Para. A10)
(d) Reading the entity’s latest subsequent interim financial statements, if any.
560.8
If, as a result of the procedures performed as required by paragraphs 6 and 7, the auditor identifies events
that require adjustment of, or disclosure in, the financial statements, the auditor shall determine whether
each such event is appropriately reflected in those financial statements in accordance with the applicable
financial reporting framework.
560.9
The auditor shall request management and, where appropriate, those charged with governance, to provide
a written representation in accordance with ISA 580 that all events occurring subsequent to the date of the
financial statements and for which the applicable financial reporting framework requires adjustment or
06/10/2010
Page 155
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
disclosure have been adjusted or disclosed.
560.10
The auditor has no obligation to perform any audit procedures regarding the financial statements after the
date of the auditor’s report. However, if, after the date of the auditor’s report but before the date the
financial statements are issued, a fact becomes known to the auditor that, had it been known to the auditor
at the date of the auditor’s report, may have caused the auditor to amend the auditor’s report, the auditor
shall: (Ref: Para. A11)
(a) Discuss the matter with management and, where appropriate, those charged with governance.
(b) Determine whether the financial statements need amendment and, if so,
(c) Inquire how management intends to address the matter in the financial statements.
560.11
If management amends the financial statements, the auditor shall:
(a) Carry out the audit procedures necessary in the circumstances on the amendment.
(b) Unless the circumstances in paragraph 12 apply:
(i) Extend the audit procedures referred to in paragraphs 6 and 7 to the date of the new auditor’s
report; and
(ii) Provide a new auditor’s report on the amended financial statements. The new auditor’s report
shall not be dated earlier than the date of approval of the amended financial statements.
560.12
Where law, regulation or the financial reporting framework does not prohibit management from restricting
the amendment of the financial statements to the effects of the subsequent event or events causing that
amendment and those responsible for approving the financial statements are not prohibited from restricting
their approval to that amendment, the auditor is permitted to restrict the audit procedures on subsequent
events required in paragraph 11(b)(i) to that amendment. In such cases, the auditor shall either:
(a) Amend the auditor’s report to include an additional date restricted to that amendment that thereby
indicates that the auditor’s procedures on subsequent events are restricted solely to the amendment of
the financial statements described in the relevant note to the financial statements; or (Ref: Para. A12)
(b) Provide a new or amended auditor’s report that includes a statement in an Emphasis of Matter
paragraph or Other Matter(s) paragraph that conveys that the auditor’s procedures on subsequent
events are restricted solely to the amendment of the financial statements as described in the relevant
note to the financial statements.
560.13
In some jurisdictions, management may not be required by law, regulation or the financial reporting
framework to issue amended financial statements and, accordingly, the auditor need not provide an
amended or new auditor’s report. However, if management does not amend the financial statements in
circumstances where the auditor believes they need to be amended, then: (Ref: Para. A13-A14)
(a) If the auditor’s report has not yet been provided to the entity, the auditor shall modify the opinion as
required by ISA 705 and then provide the auditor’s report; or
(b) If the auditor’s report has already been provided to the entity, the auditor shall notify management
and, unless all of those charged with governance are involved in managing the entity, those charged
with governance, not to issue the financial statements to third parties before the necessary
amendments have been made. If the financial statements are nevertheless subsequently issued without
the necessary amendments, the auditor shall take appropriate action, to seek to prevent reliance on the
auditor’s report. (Ref. Para. A15-A16)
560.14
06/10/2010
After the financial statements have been issued, the auditor has no obligation to perform any audit
procedures regarding such financial statements. However, if, after the financial statements have been
issued, a fact becomes known to the auditor that, had it been known to the auditor at the date of the
auditor’s report, may have caused the auditor to amend the auditor’s report, the auditor shall:
Page 156
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(a) Discuss the matter with management and, where appropriate, those charged with governance.
(b) Determine whether the financial statements need amendment and, if so,
(c) Inquire how management intends to address the matter in the financial statements.
560.15
If management amends the financial statements, the auditor shall: (Ref: Para. A17)
(a) Carry out the audit procedures necessary in the circumstances on the amendment.
(b) Review the steps taken by management to ensure that anyone in receipt of the previously issued
financial statements together with the auditor’s report thereon is informed of the situation.
(c) Unless the circumstances in paragraph 12 apply:
(i) Extend the audit procedures referred to in paragraphs 6 and 7 to the date of the new auditor’s
report, and date the new auditor’s report no earlier than the date of approval of the amended
financial statements; and
(ii) Provide a new auditor’s report on the amended financial statements.
(d) When the circumstances in paragraph 12 apply, amend the auditor’s report, or provide a new
auditor’s report as required by paragraph 12.
560.16
The auditor shall include in the new or amended auditor’s report an Emphasis of Matter paragraph or
Other Matter(s) paragraph referring to a note to the financial statements that more extensively discusses
the reason for the amendment of the previously issued financial statements and to the earlier report
provided by the auditor.
560.17
If management does not take the necessary steps to ensure that anyone in receipt of the previously issued
financial statements is informed of the situation and does not amend the financial statements in
circumstances where the auditor believes they need to be amended, the auditor shall notify management
and, unless all of those charged with governance are involved in managing the entity, those charged with
governance, that the auditor will seek to prevent future reliance on the auditor’s report. If, despite such
notification, management or those charged with governance do not take these necessary steps, the auditor
shall take appropriate action to seek to prevent reliance on the auditor’s report. (Ref: Para. A18)
Date of financial statement approval
This may be determined as follows:
Exhibit 13.1-2
Date of the Report
The Recognized Authority
Need for Shareholder Approval
The earlier date on which those with the recognized authority:
• determine that all the statements that comprise the financial statements,
including the related notes, have been prepared and
• have asserted that they have taken responsibility for those financial
statements.
• Individuals prescribed by law or regulation who follow the necessary
financial statement approval procedures
• individuals specified by the entity itself who follow their own financial
statement approval procedures
Final approval by shareholders is not necessary for the auditor to conclude
that sufficient appropriate audit evidence on which to base the auditor's
opinion on the financial statements has been obtained.
In determining the existence of subsequent events and assessing their impact, the auditor would carry out
the steps set out below.
06/10/2010
Page 157
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 13.1-3
Procedure
Description
Identify any
Subsequent Events
Perform audit procedures to identify any subsequent events that would require
adjustment of, or disclosure in, the financial statements. This would include:
• Understanding management procedures (if any) to identify subsequent
events;
• Making inquiries of management (and those charged with governance)
about:
– new commitments, borrowings or guarantees
– sales or acquisitions of assets that have occurred or are planned.
– increases in capital or issuance of debt instruments
– agreements to merge or liquidate
– assets that have been appropriated by government or destroyed, for
example, by fire or flood.
– litigation, claims and contingencies
– any unusual accounting adjustments made or contemplated.
– any events that have occurred or are likely to occur that will bring into
question the appropriateness of the going-concern assumption or other
accounting policies
– any events relevant to the measurement of estimates or provisions in
the financial statements.
– any events relevant to the recoverability of assets.
• Reading minutes, if any, of the meetings (management and those charged
with governance), held after the date of the financial statements and
inquiring about matters discussed at meetings for which minutes are not
yet available; and
• Reading financial reports produced after the period end, if any.
Obtain Written
Representations
Consider whether written representations covering particular subsequent
events may be necessary to support other audit evidence and thereby obtain
sufficient appropriate audit evidence.
Facts become
known to the
auditor
(after Date of
Auditor’s Report but
before Financial
Statements are
Issued)
•
Discuss the matter with management (and those charged with governance).
•
Determine whether the financial statements need amendment and, if so:
•
06/10/2010
–
Inquire how management intends to address the matter in the financial
statements,
–
Perform any further audit procedures required, and
–
Issue a new auditor’s report on the amended financial statements. This
could also include dual dating of the report, restricted to the amendment
(see Volume 1, Chapter 13.2) or inclusion of an emphasis of matter
paragraph
Where management does not amend the financial statements, the auditor
would issue a modified auditor’s opinion.
Page 158
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Procedure
Facts become
known to the
auditor
(after the Financial
Statements are
Issued)
Description
•
If the auditor’s report has already been released, notify management (and
those charged with governance) not to issue the financial statements to third
parties before the necessary amendments have been made.
•
If the financial statements are released despite the notification, take appropriate
action (after consulting with legal counsel) to prevent reliance on the auditor’s
report.
•
Discuss the matter with management (and those charged with governance).
•
Determine whether the financial statements need amendment and, if so,
inquire how management intends to address the matter in the financial
statements.
•
If management amends the financial statements:
–
–
Extend the subsequent event audit procedures to the date of the new
auditor’s report unless the auditor’s report is amended to include an
additional date restricted to a particular amendment (see Volume 1,
Chapter 13.2),
–
Perform any further audit procedures required,
–
Review management’s actions to ensure anyone in receipt of the
previously issued financial statements and auditor’s report thereon is
informed of the situation,
–
Provide a new auditor’s report on the amended financial statements, and
Issue a new or amended auditor’s report that includes an “Emphasis of
Matter” paragraph (see Volume 1, Chapter 13.2). If management does not
take steps to ensure anyone in receipt of the previously issued financial
statements is informed of the situation:
–
•
Notify management (and those charged with governance) that the
auditor will take appropriate action to seek to prevent reliance on the
auditor’s report.
If, despite such notification, management (or those charged with
governance) does not take the necessary steps, take appropriate action (such
as consulting with legal counsel) to prevent reliance on the auditor’s report.
Consider Point
It is in the interests of both auditor and the client to complete the work necessary to issue the auditor’s
report on a timely basis. This will minimize the extent of work involved to identify, assess and
possibly disclose subsequent events in the financial statements.
06/10/2010
Page 159
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
13.2
Dual Dating
Subsequent events that become known after the date of the auditor report often result in additional audit work being required affecting account balances, accounting estimates, provisions and other disclosures in the financial statements. In such situations a new auditor's report would be issued that would not be dated earlier than the date of approval of the amended financial statements. However, for certain subsequent events, the additional audit work required can be restricted solely to the amendment of the financial statements as described in the relevant note to the financial statements. In these situations, (assuming local laws or regulations permit) the original date of the auditor’s report would be retained but a new date is added (dual dating) to inform readers that the auditor’s procedures subsequent to the original date were restricted to the subsequent amendment. An example of a situation involving dual dating: • The original auditor’s report was dated September 15, 20xx, • On October 22, 20xx the entity announced the sale of a major part of it’s business. A new note Y, describing the event, was prepared by management for inclusion in the financial statements • The audit work performed on the details of note Y was completed on November 3, 20xx The revised wording for dual dating the auditor’s report would be as follows: “September 15, 20xx except as to Note Y, which is as of November 3, 20xx.”
06/10/2010
Page 160
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
14.
GOING CONCERN
Chapter Content
Relevant ISAs
Auditor’s responsibility with respect to management’s
use of the going-concern assumption in the financial
statements and management’s assessment of the
entity’s ability to continue as a going concern.
570
Review management assessment
of possible events/conditions,
and any response/plans.
Remain alert for possible conditions
or events throughout audit
Risk Response
Consider and ask management
about existence of any
events/conditions that may cast
doubt on entity's ability to continue
as a going concern?
Reporting
Risk Assessment
Exhibit 14.0-1
If events/conditions have been identified:
- ask management for their plan of action
- evaluate managements plan of action
- review reliably of data used and support
for the assumptions used in
cash flow forecasts
Ask management about events/conditions
beyond managements assessment period
Consider any additional facts or
information that has become available
Determine whether:
- a material uncertainty exists in relation
to the identified events/conditions
- the use of the going concern assumption
is appropriate.
Do financial statements fully describe any
going concern events/conditions and
disclose any material uncertainty?
Obtain management representations
Paragraph #
ISA Objective(s)
570.9
The objectives of the auditor are:
(a) To obtain sufficient appropriate audit evidence regarding the appropriateness of management’s use of
the going concern assumption in the preparation of the financial statements;
(b) To conclude, based on the audit evidence obtained, whether a material uncertainty exists related to
events or conditions that may cast significant doubt on the entity’s ability to continue as a going
concern; and
(c) To determine the implications for the auditor’s report.
14.1
Overview
The going-concern assumption is fundamental to the preparation of financial statements.
06/10/2010
Page 161
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
ISA 570 provides guidance on the auditor’s responsibility in the audit of financial statements with respect
to the going-concern assumption and management’s assessment of the entity’s ability to continue as a
going concern.
Paragraph #
Relevant Extracts from ISAs
570.2
Under the going concern assumption, an entity is viewed as continuing in business for the foreseeable
future. General purpose financial statements are prepared on a going concern basis, unless management
either intends to liquidate the entity or to cease operations, or has no realistic alternative but to do so.
Special purpose financial statements may or may not be prepared in accordance with a financial reporting
framework for which the going concern basis is relevant (for example, the going concern basis is not relevant
for some financial statements prepared on a tax basis in particular jurisdictions).
When the use of the going concern assumption is appropriate, assets and liabilities are recorded on the
basis that the entity will be able to realize its assets and discharge its liabilities in the normal course of
business. (Ref: Para. A1)
Under the going-concern assumption, an entity is ordinarily viewed as continuing in business for the
foreseeable future with neither the intention nor the necessity of liquidation, ceasing trading or seeking
protection from creditors pursuant to laws or regulations. Accordingly, assets and liabilities are recorded
on the basis that the entity will be able to realize its assets and discharge its liabilities in the normal course
of business.
14.2
Risk Assessment Procedures
Paragraph #
Relevant Extracts from ISAs
570.10
When performing risk assessment procedures as required by ISA 315, the auditor shall consider whether
there are events or conditions that may cast significant doubt on the entity’s ability to continue as a going
concern. In so doing, the auditor shall determine whether management has already performed a
preliminary assessment of the entity’s ability to continue as a going concern, and: (Ref: Para. A2-A5)
(a) If such an assessment has been performed, the auditor shall discuss the assessment with management
and determine whether management has identified events or conditions that, individually or
collectively, may cast significant doubt on the entity’s ability to continue as a going concern and, if
so, management’s plans to address them; or
(b) If such an assessment has not yet been performed, the auditor shall discuss with management the
basis for the intended use of the going concern assumption, and inquire of management whether
events or conditions exist that, individually or collectively, may cast significant doubt on the entity’s
ability to continue as a going concern.
570.11
06/10/2010
The auditor shall remain alert throughout the audit for audit evidence of events or conditions that may cast
significant doubt on the entity’s ability to continue as a going concern. (Ref: Para. A6)
Page 162
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The requirements can be summarized as follows:
Exhibit 14.2-1
Any events that may
cast significant doubt on
the entity's ability to
continue as a
going concern?
Ask
Has management
performed a preliminary
assessment of entity’s
ability to continue as a
going concern?
Yes
Identify any
events/conditions
and obtain managements
action plans in
response
No
Discuss existence of
any events/conditions with
management and obtain
their response
Remain alert throughout audit for evidence of events/conditions that may cast
significant doubt on entity's ability to continue as a going concern
Evaluate
managements plan of
action and/or supporting
documentation
Conclude if a material
uncertainty exists or if the
use of the going concern
assumption is
inappropriate
Examples of some events or conditions that, individually or collectively, may cast significant doubt about
the going-concern assumption are set out below.
Exhibit 14.2-2
Indicators
Descriptions
•
•
•
•
Financial
•
•
•
•
•
•
•
06/10/2010
Net liability or net current liability position.
Fixed-term borrowings approaching maturity without realistic prospects of
renewal or repayment or excessive reliance on short-term borrowings to
finance long-term assets.
Indications of withdrawal of financial support by creditors.
Negative operating cash flows indicated by historical or prospective
financial statements.
Adverse key financial ratios.
Substantial operating losses or significant deterioration in the value of
assets used to generate cash flows.
Arrears or discontinuance of dividends.
Inability to pay creditors on due dates.
Inability to comply with the terms of loan agreements.
Change from credit to cash-on-delivery transactions with suppliers.
Inability to obtain financing for essential new product development or
other essential investments.
Page 163
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Indicators
Descriptions
•
•
•
Operating
•
•
•
•
•
Other
•
•
Management’s intentions to liquidate the entity or to cease operations.
Loss of key management without replacement.
Loss of a major market, key customer(s), franchise, license or principal
supplier(s).
Labor difficulties.
Shortages of important supplies.
Emergence of a highly successful competitor.
Non-compliance with capital or other statutory requirements.
Pending legal or regulatory proceedings against the entity that may, if
successful, result in claims that the entity is unlikely to be able to satisfy.
Changes in law or regulation or government policy expected to adversely
affect the entity.
Uninsured or underinsured catastrophes.
The significance of the above events or conditions often can be mitigated by other factors. For example,
the effect of an entity being unable to make its normal debt repayments may be counter-balanced by
management’s plans to maintain adequate cash flows by alternative means, such as by disposing of assets,
rescheduling loan repayments or obtaining additional capital. Similarly, the loss of a principal supplier
may be mitigated by the availability of a suitable alternative source of supply.
14.3
Evaluating Management’s Assessment
Paragraph #
Relevant Extracts from ISAs
570.12
The auditor shall evaluate management’s assessment of the entity’s ability to continue as a going concern.
(Ref: Para. A7-A9; A11-A12)
570.13
In evaluating management’s assessment of the entity’s ability to continue as a going concern, the auditor shall
cover the same period as that used by management to make its assessment as required by the applicable
financial reporting framework, or by law or regulation if it specifies a longer period. If management’s
assessment of the entity’s ability to continue as a going concern covers less than twelve months from the date
of the financial statements as defined in ISA 560, the auditor shall request management to extend its
assessment period to at least twelve months from that date. (Ref: Para. A10-A12)
570.14
In evaluating management’s assessment, the auditor shall consider whether management’s assessment
includes all relevant information of which the auditor is aware as a result of the audit.
570.15
The auditor shall inquire of management as to its knowledge of events or conditions beyond the period of
management’s assessment that may cast significant doubt on the entity’s ability to continue as a going
concern. (Ref: Para. A13-A14)
Evaluating Management’s Plans in Smaller Entities
Management of smaller entities may not have prepared a detailed assessment of the entity’s ability to
continue as a going concern. They may rely instead on their in-depth knowledge of the business and
anticipated future prospects.
06/10/2010
Page 164
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The auditor’s typical evaluation procedures would include:
•
Discussing medium- and long-term financing with management;
•
Corroborating management’s intentions with the understanding of the entity obtained and documentary
evidence;
•
Satisfying the requirement for management to extend its assessment period to at least 12 months. This
could be achieved through discussion, inquiry and inspection of supporting documentation and the
results evaluated by the auditor as to their feasibility. For example, a prediction of future sales revenues
could be supported by potential sales orders or sales contracts; and
•
Inquiring if management has knowledge of events/conditions beyond the period of management’s
assessment that would cast significant doubt on the entity’s ability to continue as a going concern.
Particular factors that could cast significant doubt on the entity’s ability to continue as a going concern
include:
•
The entity’s ability to withstand adverse conditions.
Small entities may be able to respond quickly to exploit opportunities, but may lack reserves to
sustain operations.
•
Availability of financing
This could include banks and other lenders ceasing to support the entity. It could also include a
withdrawal or major alteration in the terms of a loan or loan guarantees from the owner-manager
(or other related parties such as family members).
•
Other major changes
This could include the possible loss of a principal supplier, major customer, key employee, or the
right to operate under a license, franchise or other legal agreement.
The following exhibit sets out the auditor’s procedures in these situations.
Exhibit 14.3-1
Address
Documentary
Evidence Available
Additional Support
Available
Other Major
06/10/2010
Description
Document:
• Terms of any loans and financing provided to the entity;
• Details of subordinated loans to a third party such as the bank;
• Details of financing by third parties based on guarantees or personal assets
pledged as collateral; and
• Details of other changes that could cast significant doubt on the entity’s
ability to continue as a going concern.
Evaluate the ability of the owner-manager or other related parties to:
• Provide the necessary additional support such as loans or guarantees; and,
• Meet the obligations under the support arrangements
Address the impact on operations of a major change such as loss of key
Page 165
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
customer, supplier, key employee or loss of sales revenue due to technical
obsolescence, new competition etc.
Changes
Request Written
Confirmations
14.4
Request written confirmation of the:
• Terms and conditions of the financial support being provided; and
• The owner-manager’s intentions or understanding in respect of the support
being provided.
Risk Response – When Events are Identified
Paragraph #
Relevant Extracts from ISAs
570.16
If events or conditions have been identified that may cast significant doubt on the entity’s ability to continue
as a going concern, the auditor shall obtain sufficient appropriate audit evidence to determine whether or not
a material uncertainty exists through performing additional audit procedures, including consideration of
mitigating factors. These procedures shall include: (Ref: Para. A15)
(a) Where management has not yet performed an assessment of the entity’s ability to continue as a going
concern, requesting management to make its assessment.
(b) Evaluating management’s plans for future actions in relation to its going concern assessment, whether
the outcome of these plans is likely to improve the situation and whether management’s plans are
feasible in the circumstances. (Ref: Para. A16)
(c) Where the entity has prepared a cash flow forecast, and analysis of the forecast is a significant factor
in considering the future outcome of events or conditions in the evaluation of management’s plans for
future action: (Ref: Para. A17-A18)
(i) Evaluating the reliability of the underlying data generated to prepare the forecast; and
(ii) Determining whether there is adequate support for the assumptions underlying the forecast.
(d) Considering whether any additional facts or information have become available since the date on
which management made its assessment.
(e) Requesting written representations from management and, where appropriate, those charged with
governance, regarding their plans for future action and the feasibility of these plans.
Where the auditor identifies going-concern events/conditions, the next step is to perform additional
procedures (including consideration of mitigating factors) to determine whether or not a material
uncertainty exists.
Material Uncertainty
Events or conditions may be identified that cast doubt on the entity's ability to continue as a going
concern. A material uncertainty exists when the magnitude of its potential impact and likelihood of
occurrence is such that, in the auditor's judgment, appropriate disclosure of the nature and implications of
the uncertainty is necessary for the fair presentation of the financial statements, or in the case of a
compliance framework, the financial statements not to be misleading.
Management’s action plans to address going-concern issues typically include one or more of the
following strategies:
•
Liquidating assets;
06/10/2010
Page 166
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Borrowing money or restructuring debt;
•
Reducing or delaying expenditures;
•
Restructuring operations including products and services;
•
Seeking a merger or acquisition; or
•
Increasing capital.
The following exhibit sets out the steps the auditor would take to address going-concern issues.
Exhibit 14.4-1
Address
Description
Obtaining
Management’s
Assessment and Plan
If not already provided, request management to make an assessment of the
entity’s ability to continue as a going concern.
Evaluating
Management’s
Plans of Action
Evaluate management’s future actions to address the going-concern
assessment. Address:
• Will outcome of plans improve the situation?
• Are the plans feasible in the circumstances?
• How reliable are the profit/cash flow forecasts and what support is there
for the assumptions used?
• Identifying, discussing and obtaining evidence for other factors that may
affect entity’s ability to continue as going concern such as:
– Poor recent operating results,
– Breaches in terms of debentures and loan agreements,
– References in meeting minutes to financing difficulties,
– Existence of litigation/claims and estimates of financial implications,
– Existence, legality and enforceability of arrangements to provide or
maintain financial support with related and third parties,
– Financial ability of related and third parties to provide additional funds
or loan guarantees,
– Other subsequent events, and
– Indicators of fraud such as management override, fictitious
transactions or concealment of material facts.
• Continued existence, terms and adequacy of borrowing facilities.
• Reports on regulatory actions.
• Adequacy of support for any planned disposals of assets.
Also consider the impact of any additional facts or information since the date
management made its assessment and plans.
Obtaining Written
Confirmations
14.5
Request written representations from management (and those charged with
governance) regarding their plans for future action and feasibility.
Reporting
06/10/2010
Page 167
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
570.17
Based on the audit evidence obtained, the auditor shall conclude whether, in the auditor's judgment, a
material uncertainty exists related to events or conditions that, individually or collectively, may cast
significant doubt on the entity's ability to continue as a going concern. A material uncertainty exists when
the magnitude of its potential impact and likelihood of occurrence is such that, in the auditor's judgment,
appropriate disclosure of the nature and implications of the uncertainty is necessary for: (Ref: Para. A19)
(a)
In the case of a fair presentation financial reporting framework, the fair presentation of the
financial statements, or
(b)
570.18
In the case of a compliance framework, the financial statements not to be misleading.
If the auditor concludes that the use of the going concern assumption is appropriate in the circumstances
but a material uncertainty exists, the auditor shall determine whether the financial statements:
(a) Adequately describe the principal events or conditions that may cast significant doubt on the entity’s
ability to continue as a going concern and management’s plans to deal with these events or
conditions; and
(b) Disclose clearly that there is a material uncertainty related to events or conditions that may cast
significant doubt on the entity’s ability to continue as a going concern and, therefore, that it may be
unable to realize its assets and discharge its liabilities in the normal course of business. (Ref: Para.
A20)
570.19
If adequate disclosure is made in the financial statements, the auditor shall express an unmodified opinion
and include an Emphasis of Matter paragraph in the auditor’s report to:
(a) Highlight the existence of a material uncertainty relating to the event or condition that may cast
significant doubt on the entity’s ability to continue as a going concern; and to
(b) Draw attention to the note in the financial statements that discloses the matters set out in paragraph
18. (See ISA 706.) (Ref: Para. A21-A22)
570.20
If adequate disclosure is not made in the financial statements, the auditor shall express a qualified opinion
or adverse opinion, as appropriate, in accordance with ISA 705. The auditor shall state in the auditor’s
report that there is a material uncertainty that may cast significant doubt about the entity’s ability to
continue as a going concern. (Ref: Para. A23-A24)
570.21
If the financial statements have been prepared on a going concern basis but, in the auditor’s judgment,
management’s use of the going concern assumption in the financial statements is inappropriate, the auditor
shall express an adverse opinion. (Ref: Para. A25-A26)
570.22
If management is unwilling to make or extend its assessment when requested to do so by the auditor, the
auditor shall consider the implications for the auditor’s report. (Ref: Para. A27)
570.23
Unless all those charged with governance are involved in managing the entity the auditor shall
communicate with those charged with governance events or conditions identified that may cast significant
doubt on the entity’s ability to continue as a going concern. Such communication with those charged with
governance shall include the following:
(a) Whether the events or conditions constitute a material uncertainty;
(b) Whether the use of the going concern assumption is appropriate in the preparation and presentation of
the financial statements; and
(c) The adequacy of related disclosures in the financial statements.
570.24
06/10/2010
If there is significant delay in the approval of the financial statements by management or those charged
Page 168
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
with governance after the date of the financial statements, the auditor shall inquire as to the reasons for the
delay. If the auditor believes that the delay could be related to events or conditions relating to the going
concern assessment, the auditor shall perform those additional audit procedures necessary, as described in
paragraph 16, as well as consider the effect on the auditor’s conclusion regarding the existence of a
material uncertainty, as described in paragraph 17.
The final step is to determine the impact of identified events/conditions on the audit report and
communicate the decision to management and those charged with governance, where applicable. The
following exhibit summarizes the requirements:
Exhibit 14.5-1
06/10/2010
Page 169
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
15.
SUMMARY OF OTHER ISA REQUIREMENTS
Chapter Content
A summary of audit requirements in specific ISAs that
are not addressed elsewhere in this Guide.
15.1
Relevant ISAs
250, 402, 501,
510, 600, 610,
620, 720
Overview
This chapter contains a summary of the audit requirements contained in the ISAs that have not been
specifically addressed elsewhere in the Guide, as set out in the exhibit below.
Exhibit 15.1-1
Chapter
Reference
ISA
Title
250
Consideration of Laws and Regulations in an Audit of Financial
Statements
V1-15.2
402
Audit Considerations Relating to an Entity Using a Service Organization
V1-15.3
501
Audit Evidence — Specific Considerations for Specific Items
V1-15.4
510
Initial Audit Engagements — Opening Balances
V1-15.5
600
Special Considerations — Audits of Group Financial Statements
(including the Work of Component Auditors)
V1-15.6
610
Using the Work of Internal Auditors
V1-15.7
620
Using the Work of an Auditor’s Expert
V1-15.8
720
Other Information in Documents Containing Audited Financial Statements
V1-15.9
06/10/2010
Page 170
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
15.2
ISA 250 — Consideration of Laws and Regulations in an Audit of Financial
Statements
Exhibit 15.2-1
Paragraph #
ISA Objective(s)
250.10
The objectives of the auditor are:
(a) To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws
and regulations generally recognized to have a direct effect on the determination of material amounts and
disclosures in the financial statements;
(b) To perform specified audit procedures to help identify instances of non-compliance with other laws and
regulations that may have a material effect on the financial statements; and
(c) To respond appropriately to non-compliance or suspected non-compliance with laws and regulations
identified during the audit.
Paragraph #
Relevant Extracts from ISAs
250.11
For the purposes of this ISA, the following term has the meaning attributed below:
Non-compliance – Acts of omission or commission by the entity, either intentional or unintentional, which
are contrary to the prevailing laws or regulations. Such acts include transactions entered into by, or in the
name of, the entity, or on its behalf, by those charged with governance, management or employees. Noncompliance does not include personal misconduct (unrelated to the business activities of the entity) by
those charged with governance, management or employees of the entity.
06/10/2010
Page 171
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Non-compliance by the entity with laws and regulations could result in a material misstatement of the
financial statements.
The responsibility for the prevention and detection of non-compliance with laws and regulations rests with
management and those charged with governance. Management actions to address these risks could include:
•
Maintaining a register of significant laws and a record of any complaints received;
•
Monitoring legal requirements and designing procedures/internal controls to ensure compliance with
these requirements;
•
Engaging legal advisors to assist in monitoring legal requirements; and
•
Developing, publicizing, implementing and following a code of conduct.
When the auditor detects instances of non-compliance, the impact on the financial statements and other
aspects of the audit (such as the integrity of management/employees) will need to be considered.
Risk Assessment
Paragraph #
Relevant Extracts from ISAs
250.12
As part of obtaining an understanding of the entity and its environment in accordance with ISA 315, the
auditor shall obtain a general understanding of:
(a) The legal and regulatory framework applicable to the entity and the industry or sector in which the
entity operates; and
(b) How the entity is complying with that framework. (Ref: Para. A7)
250.14
The auditor shall perform the following audit procedures to help identify instances of non-compliance
with other laws and regulations that may have a material effect on the financial statements: (Ref: Para. A9A10)
(a) Inquiring of management and, where appropriate, those charged with governance, as to whether the
entity is in compliance with such laws and regulations; and
(b) Inspecting correspondence, if any, with the relevant licensing or regulatory authorities.
Risk assessment procedures involve obtaining a general understanding of the legal and regulatory
framework and how the entity complies with that framework. This general understanding could include
the matters set out below.
Exhibit 15.2-2
Address
Description
Identifying Laws
and Regulations
Relevant to the
Financial
Statements
What laws and regulations address:
• The form and content of financial statements?
• Industry-specific financial reporting issues?
• Accounting for transactions under government contracts?
• The accrual or recognition of expenses for income tax or pension costs?
Making Inquiries of
06/10/2010
•
What other laws or regulations exist that may be expected to have a
fundamental effect on the operations of the entity? (Examples include
Page 172
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
Management
•
•
•
Inspecting
Correspondence
operating licenses, bank covenants, environmental regulations, etc.)
What policies and procedures are being used for:
– Ensuring compliance with laws and regulations?
– Identifying, evaluating and accounting for litigation claims?
What breaches (if any) of regulations and other laws have occurred and
resulted in fines, litigation or other consequences?
What pending litigation or other actions exist for alleged non-compliance
with laws and regulations?
Review correspondence, reports and other interactions with relevant licensing
and regulatory authorities.
Risk Response
Paragraph #
Relevant Extracts from ISAs
250.13
The auditor shall obtain sufficient appropriate audit evidence regarding compliance with the provisions of
those laws and regulations generally recognized to have a direct effect on the determination of material
amounts and disclosures in the financial statements. (Ref: Para. A8)
250.15
During the audit, the auditor shall remain alert to the possibility that other audit procedures applied may
bring instances of non-compliance or suspected non-compliance with laws and regulations to the auditor’s
attention. (Ref: Para. A11)
250.16
The auditor shall request management and, where appropriate, those charged with governance to provide
written representations that all known instances of non-compliance or suspected non-compliance with
laws and regulations whose effects should be considered when preparing financial statements have been
disclosed to the auditor. (Ref: Para. A12)
250.17
In the absence of identified or suspected non-compliance, the auditor is not required to perform audit
procedures regarding the entity’s compliance with laws and regulations, other than those set out in
paragraphs 12-16.
06/10/2010
Page 173
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The audit plan would address matters such as outlined in the following exhibit.
Exhibit 15.2-3
Address
Description
Are there Instances
of Non-Compliance?
Audit procedures could include:
• Reading minutes and relevant documents, correspondence, etc.;
• Inquiring of management and legal counsel concerning litigation, claims
and assessments; and
• Performing substantive tests of details of classes of transactions, account
balances or disclosures.
Obtain
Management
Representations
Require management to confirm that all known instances of non-compliance or
suspected non-compliance with laws and regulations have been disclosed.
Non-Compliance Identified or Suspected
Paragraph #
Relevant Extracts from ISAs
250.18
If the auditor becomes aware of information concerning an instance of non-compliance or suspected noncompliance with laws and regulations, the auditor shall obtain:
(a) An understanding of the nature of the act and the circumstances in which it has occurred; and
(b) Further information to evaluate the possible effect on the financial statements.
250.19
If the auditor suspects there may be non-compliance, the auditor shall discuss the matter with management
and, where appropriate, those charged with governance. If management or, as appropriate, those charged
with governance do not provide sufficient information that supports that the entity is in compliance with
laws and regulations and, in the auditor’s judgment, the effect of the suspected non-compliance may be
material to the financial statements, the auditor shall consider the need to obtain legal advice. (Ref: Para.
A15-A16)
250.20
If sufficient information about suspected non-compliance cannot be obtained, the auditor shall evaluate the
effect of the lack of sufficient appropriate audit evidence on the auditor’s opinion.
250.21
The auditor shall evaluate the implications of non-compliance in relation to other aspects of the audit,
including the auditor’s risk assessment and the reliability of written representations, and take appropriate
action. (Ref: Para. A17-A18)
250.22
Unless all of those charged with governance are involved in management of the entity, and therefore are
aware of matters involving identified or suspected non-compliance already communicated by the auditor,
the auditor shall communicate with those charged with governance matters involving non-compliance with
laws and regulations that come to the auditor’s attention during the course of the audit, other than when
the matters are clearly inconsequential.
250.23
If, in the auditor’s judgment, the non-compliance referred to in paragraph 22 is believed to be intentional
and material, the auditor shall communicate the matter to those charged with governance as soon as
practicable.
06/10/2010
Page 174
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
250.24
If the auditor suspects that management or those charged with governance are involved in noncompliance, the auditor shall communicate the matter to the next higher level of authority at the entity, if it
exists, such as an audit committee or supervisory board. Where no higher authority exists, or if the auditor
believes that the communication may not be acted upon or is unsure as to the person to whom to report,
the auditor shall consider the need to obtain legal advice.
When instances of possible non-compliance with laws and regulations are suspected, the auditor would
respond as set out below.
Exhibit 15.2-4
1.
Obtain an understanding of the nature of the act and the circumstances.
This should be sufficient to evaluate the possible effect on the financial statements.
2.
Document the findings and discuss them with management.
If non-compliance is believed to be intentional and material, the auditor should communicate the
finding without delay. When adequate information about suspected non-compliance and the potential
effects on the financial statement cannot be verified, the auditor should consider the effect of the lack
of sufficient appropriate audit evidence on the auditor’s report.
3.
Consider the implications of non-compliance in relation to other aspects of the audit.
In particular, consider the reliability of management representations.
4.
Report the matter to the next higher level of authority if it involves senior management or those
charged with governance.
Where no higher authority exists, the auditor would consider the need to obtain legal advice.
5.
Express a qualified or an adverse opinion if non-compliance has a material effect on the financial
statements, and has not been properly reflected in the financial statements. (See Volume 2, Chapter
23.)
06/10/2010
Page 175
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Documentation
Paragraph #
Relevant Extracts from ISAs
250.29
The auditor shall include in the audit documentation identified or suspected non-compliance with laws and
regulations and the results of discussion with management and, where applicable, those charged with
governance and other parties outside the entity. (Ref: Para. A21)
Typical documentation will include:
•
Copies of relevant records or documents; and
•
Minutes of discussions held with management, those charged with governance or other parties outside
the entity.
15.3
ISA 402 — Audit Considerations Relating to an Entity Using a Service
Organization
Paragraph #
ISA Objective(s)
402.7
The objectives of the user auditor, when the user entity uses the services of a service organization, are:
(a) To obtain an understanding of the nature and significance of the services provided by the service
organization and their effect on the user entity’s internal control relevant to the audit, sufficient to
identify and assess the risks of material misstatement; and
(b) To design and perform audit procedures responsive to those risks.
Exhibit 15.3-1
06/10/2010
Page 176
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
402.8
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Complementary user entity controls – Controls that the service organization assumes, in the design of
its service, will be implemented by user entities, and which, if necessary to achieve control
objectives, are identified in the description of its system.
(b) Report on the description and design of controls at a service organization (referred to in this ISA as a
type 1 report) – A report that comprises:
(i) A description, prepared by management of the service organization, of the service organization’s
system, control objectives and related controls that have been designed and implemented as at a
specified date; and
(ii) A report by the service auditor with the objective of conveying reasonable assurance that
includes the service auditor’s opinion on the description of the service organization’s system,
control objectives and related controls and the suitability of the design of the controls to achieve
the specified control objectives.
(c) Report on the description, design, and operating effectiveness of controls at a service organization
(referred to in this ISA as a type 2 report) – A report that comprises:
(i) A description, prepared by management of the service organization, of the service organization’s
system, control objectives and related controls, their design and implementation as at a specified
date or throughout a specified period and, in some cases, their operating effectiveness
throughout a specified period; and
(ii) A report by the service auditor with the objective of conveying reasonable assurance that
includes:
a. The service auditor’s opinion on the description of the service organization’s system, control
objectives and related controls, the suitability of the design of the controls to achieve the
specified control objectives, and the operating effectiveness of the controls; and
b. A description of the service auditor’s tests of the controls and the results thereof.
(d) Service auditor – An auditor who, at the request of the service organization, provides an assurance
report on the controls of a service organization.
(e) Service organization – A third-party organization (or segment of a third-party organization) that
provides services to user entities that are part of those entities’ information systems relevant to
financial reporting.
(f)
Service organization’s system – The policies and procedures designed, implemented and maintained
by the service organization to provide user entities with the services covered by the service auditor’s
report.
(g) Subservice organization – A service organization used by another service organization to perform
some of the services provided to user entities that are part of those user entities’ information systems
relevant to financial reporting.
(h) User auditor – An auditor who audits and reports on the financial statements of a user entity.
(i)
User entity – An entity that uses a service organization and whose financial statements are being
audited.
Many entities (including very small ones) often outsource certain financial processing activities such as:
•
Payroll;
•
Internet sales
•
IT services
•
Asset management (inventory warehousing, investments, etc.); and
•
Bookkeeping services
06/10/2010
Page 177
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
This would include processing of transactions, maintaining accounting records and preparing
financial statements.
These third-party organizations (providing services relevant to financial reporting) are referred to as
“service organizations”.
Where service organizations are used, the auditor needs to consider the effect of such arrangements on the
entity’s internal control. This includes:
•
obtaining sufficient information to assess the risks of material misstatement; and,
•
designing an appropriate response.
In smaller entities the outsourced services may well be important to the ongoing operation of the entity,
but may not be relevant to the audit. This would occur where there are sufficient internal controls within
the entity to address the risks of material misstatement or where substantive audit procedures can be
performed to address the identified risks.
Consider Point
Using a service organization to prepare financial statements does not relieve management (and those
charged with governance) of their responsibilities for the financial statements.
There are two types of reports that service organizations can provide to their users:
•
Type 1 reports - description and design of controls at a service organization
These reports provide evidence about the design and implementation of controls but not their
operating effectiveness. Such reports may be informative but are of limited use to the auditor in
understanding whether the key controls, at the service organization, operated effectively during the
period being audited.
•
Type 2 reports - description, design, and operating effectiveness of controls
These reports can be used by the auditor to consider whether:
– The controls tested by the service organization auditor are relevant to the entity’s transactions,
account balances, disclosures and related assertions, and
– The service organization auditor’s tests of controls and the results are adequate (that is, the length
of the period covered by the service organization auditor’s tests and the time elapsed since the
performance of those tests).
Risk Assessment
Paragraph #
Relevant Extracts from ISAs
402.9
When obtaining an understanding of the user entity in accordance with ISA 315, the user auditor shall
obtain an understanding of how a user entity uses the services of a service organization in the user entity’s
operations, including: (Ref: Para. A1-A2)
(a) The nature of the services provided by the service organization and the significance of those services
to the user entity, including the effect thereof on the user entity’s internal control; (Ref: Para. A3-A5)
(b) The nature and materiality of the transactions processed or accounts or financial reporting processes
affected by the service organization; (Ref: Para. A6)
(c) The degree of interaction between the activities of the service organization and those of the user
entity; and (Ref: Para. A7)
06/10/2010
Page 178
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(d) The nature of the relationship between the user entity and the service organization, including the
relevant contractual terms for the activities undertaken by the service organization. (Ref: Para. A8A11)
402.10
When obtaining an understanding of internal control relevant to the audit in accordance with ISA 315
the user auditor shall evaluate the design and implementation of relevant controls at the user entity that
relate to the services provided by the service organization, including those that are applied to the
transactions processed by the service organization. (Ref: Para. A12-A14)
402.11
The user auditor shall determine whether a sufficient understanding of the nature and significance of the
services provided by the service organization and their effect on the user entity’s internal control relevant
to the audit has been obtained to provide a basis for the identification and assessment of risks of material
misstatement.
402.12
If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall
obtain that understanding from one or more of the following procedures:
(a) Obtaining a type 1 or type 2 report, if available;
(b) Contacting the service organization, through the user entity, to obtain specific information;
(c) Visiting the service organization and performing procedures that will provide the necessary
information about the relevant controls at the service organization; or
(d) Using another auditor to perform procedures that will provide the necessary information about the
relevant controls at the service organization. (Ref: Para. A15-A20)
Where service organizations are used, the auditor would consider the matters set out in the exhibit below.
Exhibit 15.3-2
Address
What Services
(relevant to the
audit) are Provided?
Description
•
•
•
•
What Relevant
Internal Controls
are in Place?
•
•
06/10/2010
Identify:
– The nature of services provided,
– Materiality of transactions processed, and
– Accounts or financial reporting processes affected.
Review the terms of the contract or service level agreement between the
user entity and the service organization.
Determine the degree of interaction (activities) between the service
organization and the entity.
Review reports by service organizations, service auditors (including
management letters), internal auditors or regulatory authorities on controls
at the service organization.
Are the controls at the service organization relevant to the audit? If no, a
substantive approach is sufficient. If yes, the auditor must get comfort that
the controls at the service organization are appropriately designed and
implemented.
Are there controls established by the user (that could be tested) that
mitigate material processing risks regardless of controls at the service
Page 179
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
organization? For example, user controls over payroll could include:
– Comparing data submitted to the service organization with reports
from the service organization after data processing,
– Re-computing a sample of the payroll amounts for clerical accuracy,
and
– Reviewing the total amount of the payroll for reasonableness.
Extent of Reliance
Placed on Controls
in Place at Service
Organization?
•
•
•
•
Obtain any type 1 or type 2 reports available. Contracts with service
organizations often include the provision of such reports;
Contact the service organization to obtain specific information;
Visit the service organization and perform required procedures; or
Use another auditor to perform required procedures.
Consider Point
Check the wording of service organization reports for possible restrictions as to use. Such restrictions
can apply to management, the service organization and its customers, and the entity’s auditors.
Risk Response
Paragraph #
Relevant Extracts from ISAs
402.13
In determining the sufficiency and appropriateness of the audit evidence provided by a type 1 or type 2
report, the user auditor shall be satisfied as to:
(a) The service auditor’s professional competence and independence from the service organization; and
(b) The adequacy of the standards under which the type 1 or type 2 report was issued. (Ref: Para. A21)
402.14
If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditor’s
understanding about the design and implementation of controls at the service organization, the user
auditor shall:
(a) Evaluate whether the description and design of controls at the service organization is at a date or for a
period that is appropriate for the user auditor’s purposes;
(b) Evaluate the sufficiency and appropriateness of the evidence provided by the report for the
understanding of the user entity’s internal control relevant to the audit; and
(c) Determine whether complementary user entity controls identified by the service organization are
relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed
and implemented such controls. (Ref: Para. A22-A23)
402.15
In responding to assessed risks in accordance with ISA 330, the user auditor shall:
(a) Determine whether sufficient appropriate audit evidence concerning the relevant financial statement
assertions is available from records held at the user entity; and, if not,
(b) Perform further audit procedures to obtain sufficient appropriate audit evidence or use another auditor
to perform those procedures at the service organization on the user auditor’s behalf. (Ref: Para. A24A28)
06/10/2010
Page 180
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
402.16
When the user auditor’s risk assessment includes an expectation that controls at the service
organization are operating effectively, the user auditor shall obtain audit evidence about the operating
effectiveness of those controls from one or more of the following procedures:
(a) Obtaining a type 2 report, if available;
(b) Performing appropriate tests of controls at the service organization; or
(c) Using another auditor to perform tests of controls at the service organization on behalf of the user
auditor. (Ref: Para. A29-A30)
402.17
If, in accordance with paragraph 16(a), the user auditor plans to use a type 2 report as audit evidence
that controls at the service organization are operating effectively, the user auditor shall determine whether
the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the
controls to support the user auditor’s risk assessment by:
(a) Evaluating whether the description, design and operating effectiveness of controls at the service
organization is at a date or for a period that is appropriate for the user auditor’s purposes;
(b) Determining whether complementary user entity controls identified by the service organization are
relevant to the user entity and, if so, obtaining an understanding of whether the user entity has
designed and implemented such controls and, if so, testing their operating effectiveness;
(c) Evaluating the adequacy of the time period covered by the tests of controls and the time elapsed since
the performance of the tests of controls; and
(d) Evaluating whether the tests of controls performed by the service auditor and the results thereof, as
described in the service auditor’s report, are relevant to the assertions in the user entity’s financial
statements and provide sufficient appropriate audit evidence to support the user auditor’s risk
assessment. (Ref: Para. A31-A39)
402.19
The user auditor shall inquire of management of the user entity whether the service organization has
reported to the user entity, or whether the user entity is otherwise aware of, any fraud, non-compliance
with laws and regulations or uncorrected misstatements affecting the financial statements of the user
entity. The user auditor shall evaluate how such matters affect the nature, timing and extent of the user
auditor’s further audit procedures, including the effect on the user auditor’s conclusions and user auditor’s
report. (Ref: Para. A41)
In responding to the assessed risks, the auditor would consider the following matters.
Exhibit 15.3-3
Address
Description
Can Necessary
Evidence be
Obtained from
within Entity?
If yes, obtain sufficient appropriate audit evidence concerning the relevant
financial statement assertions involved.
Determine Extent of
Reliance that can be
06/10/2010
If no, perform additional procedures to obtain evidence such as using another
auditor to perform procedures at the service organization on the user auditor’s
behalf.
•
Consider the auditor’s professional competence and independence and
adequacy of standards under which the report was issued.
Page 181
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
Placed on the Type
1 or Type 2 Report.
•
Evaluate whether the description and design of controls at the service
organization is at a date or for a period that is appropriate for the user
auditor's purposes
•
Evaluate the sufficiency and appropriateness of the evidence provided by
the report for the understanding of the user entity's internal control
relevant to the audit; and
•
Determine whether complementary user entity controls identified by the
service organization are relevant to the user entity and, if so, obtain an
understanding of whether the user entity has designed and implemented
such controls.
Note that a Type 1 report provides no evidence that the internal controls at the
service organization operated effectively over a period of time. If a Type 2
report is not available it may be necessary for the auditor to perform tests of
controls at the service organization or use another auditor to perform such
tests.
Testing User Records Where possible obtain sufficient appropriate audit evidence concerning the
relevant financial statement assertions from the records held by the user entity.
and Controls
Obtaining Audit
Evidence from the
Service
Organization
If user records are not sufficient, obtain audit evidence about the operating
effectiveness of controls at the service organization by:
• Obtaining a type 2 report, if available;
• Performing appropriate tests of controls at the service organization; or
• Using another auditor to perform tests of controls at the service
organization on behalf of the user auditor.
Making Inquiries
about Significant
Events (fraud, etc.)
Inquire of management whether they have become aware (or received notice
from the service organization) of any fraud, non-compliance with laws and
regulations or uncorrected misstatements that could affect the financial
statements.
Reporting
Paragraph #
Relevant Extracts from ISAs
402.20
The user auditor shall modify the opinion in the user auditor’s report in accordance with ISA 705 if the
user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the
service organization relevant to the audit of the user entity’s financial statements. (Ref: Para. A42)
402.21
The user auditor shall not refer to the work of a service auditor in the user auditor’s report containing an
unmodified opinion unless required by law or regulation to do so. If such reference is required by law or
regulation, the user auditor’s report shall indicate that the reference does not diminish the user auditor’s
responsibility for the audit opinion. (Ref: Para. A43)
06/10/2010
Page 182
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
402.22
If reference to the work of a service auditor is relevant to an understanding of a modification to the user
auditor’s opinion, the user auditor’s report shall indicate that such reference does not diminish the user
auditor’s responsibility for that opinion. (Ref: Para. A44)
When a type 1 or 2 report from a service organization is used, the auditor’s report on the entity would not
make reference to the service organization report unless required by law.
However, a modified auditor’s report is appropriate if sufficient appropriate audit evidence, relevant to
the audit about the service organization, could not be obtained.
15.4
ISA 501— Audit Evidence — Specific Considerations for Selected Items
Paragraph #
ISA Objective(s)
501.3
The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the:
(a) Existence and condition of inventory;
(b) Completeness of litigation and claims involving the entity; and
(c) Presentation and disclosure of segment information in accordance with the applicable financial reporting
framework.
Attendance at Physical Inventory Count
Paragraph #
Relevant Extracts from ISAs
501.4
If inventory is material to the financial statements, the auditor shall obtain sufficient appropriate audit
evidence regarding the existence and condition of inventory by:
(a) Attendance at physical inventory counting, unless impracticable, to: (Ref: Para. A1-A3)
(i) Evaluate management’s instructions and procedures for recording and controlling the results of the
entity’s physical inventory counting; (Ref: Para. A4)
(ii) Observe the performance of management’s count procedures; (Ref: Para. A5)
(iii) Inspect the inventory; and (Ref: Para. A6)
(iv) Perform test counts; and (Ref: Para. A7-A8)
(b) Performing audit procedures over the entity’s final inventory records to determine whether they
accurately reflect actual inventory count results.
501.5
If physical inventory counting is conducted at a date other than the date of the financial statements, the
auditor shall, in addition to the procedures required by paragraph 4, perform audit procedures to obtain
audit evidence about whether changes in inventory between the count date and the date of the financial
statements are properly recorded. (Ref: Para. A9-A11)
501.6
If the auditor is unable to attend physical inventory counting due to unforeseen circumstances, the auditor
shall make or observe some physical counts on an alternative date, and perform audit procedures on
intervening transactions.
501.7
If attendance at physical inventory counting is impracticable, the auditor shall perform alternative audit
procedures to obtain sufficient appropriate audit evidence regarding the existence and condition of
inventory. If it is not possible to do so, the auditor shall modify the opinion in the auditor’s report in
accordance with ISA 705. (Ref: Para. A12-A14)
06/10/2010
Page 183
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
501.8
If inventory under the custody and control of a third party is material to the financial statements, the
auditor shall obtain sufficient appropriate audit evidence regarding the existence and condition of that
inventory by performing one or both of the following:
(a) Request confirmation from the third party as to the quantities and condition of inventory held on
behalf of the entity. (Ref: Para. A15)
(b) Perform inspection or other audit procedures appropriate in the circumstances. (Ref: Para. A16)
Where inventory is material to the financial statements, the auditor would address its existence and
condition as set out below.
Exhibit 15.4-1
Procedure
Description
Attend the Physical
Count
Confirm/Inspect
Inventory held by
Others
•
•
•
•
•
Evaluate management’s instructions for recording/controlling count results;
Observe performance of management’s count procedures;
Inspect the inventory and perform test counts;
Reconcile changes in inventory between the count date and period end;
and
Perform alternative procedures if a physical count is impracticable.
•
•
Request confirmations as to quantities/condition of inventory held; and
Perform inspection or other appropriate audit procedures.
Inquiry Regarding Litigation and Claims
Paragraph #
Relevant Extracts from ISAs
501.9
The auditor shall design and perform audit procedures in order to identify litigation and claims involving
the entity which may give rise to a risk of material misstatement, including: (Ref: Para. A17-A19)
(a) Inquiry of management and, where applicable, others within the entity, including in-house legal
counsel;
(b) Reviewing minutes of meetings of those charged with governance and correspondence between the
entity and its external legal counsel; and
(c) Reviewing legal expense accounts. (Ref: Para. A20)
501.10
06/10/2010
If the auditor assesses a risk of material misstatement regarding litigation or claims that have been
identified, or when audit procedures performed indicate that other material litigation or claims may exist,
the auditor shall, in addition to the procedures required by other ISAs, seek direct communication with
the entity’s external legal counsel. The auditor shall do so through a letter of inquiry, prepared by
management and sent by the auditor, requesting the entity’s external legal counsel to communicate
directly with the auditor. If law, regulation or the respective legal professional body prohibits the entity’s
external legal counsel from communicating directly with the auditor, the auditor shall perform alternative
Page 184
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
audit procedures. (Ref: Para. A21-A25)
501.11
If:
(a) management refuses to give the auditor permission to communicate or meet with the entity’s
external legal counsel, or the entity’s external legal counsel refuses to respond appropriately to the
letter of inquiry, or is prohibited from responding; and
(b) the auditor is unable to obtain sufficient appropriate audit evidence by performing alternative audit
procedures, the auditor shall modify the opinion in the auditor’s report in accordance with ISA 705.
501.12
The auditor shall request management and, where appropriate, those charged with governance to provide
written representations that all known actual or possible litigation and claims whose effects should be
considered when preparing the financial statements have been disclosed to the auditor and accounted for
and disclosed in accordance with the applicable financial reporting framework.
To identify litigation and claims which may give rise to a risk of material misstatement, the auditor would
perform the procedures set out below.
Exhibit 15.4-2
Procedure
Description
Make Inquiries and
Review Relevant
Documents
•
•
•
•
Inquire of management and others;
Review minutes of meetings of those charged with governance;
Review correspondence between the entity and its legal counsel; and
Review legal expense accounts.
Communicate with
External Legal
Counsel
Where litigation or claims are identified or suspected, the auditor would
request a letter of inquiry, prepared by management and sent by the auditor,
requesting external legal counsel to communicate details of claims, etc.
directly with the auditor. If this procedure is prohibited or where management
refuses permission to contact external counsel, alternative procedures would be
performed such as reviewing all the available documentation and making
additional inquiries. If alternate procedures are insufficient, then the auditor’s
opinion would be modified.
Obtain
Management
Representation
Request a written representation from management and those charged with
governance that all known actual or possible litigation and claims have been
disclosed and properly accounted for in the financial statements.
Segment Information
Paragraph #
Relevant Extracts from ISAs
501.13
The auditor shall obtain sufficient appropriate audit evidence regarding the presentation and disclosure of
segment information in accordance with the applicable financial reporting framework by: (Ref: Para. A26)
06/10/2010
Page 185
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(a) Obtaining an understanding of the methods used by management in determining segment information,
and: (Ref: Para. A27)
(i) Evaluating whether such methods are likely to result in disclosure in accordance with the
applicable financial reporting framework; and
(ii) Where appropriate, testing the application of such methods; and
(b) Performing analytical procedures or other audit procedures appropriate in the circumstances.
As segment information is often not applicable in the audit of SMEs, they have not been addressed any
further in this Guide.
15.5
ISA 510 — Initial Audit Engagements – Opening Balances
Paragraph #
ISA Objective(s)
510.3
In conducting an initial audit engagement, the objective of the auditor with respect to opening balances is to
obtain sufficient appropriate audit evidence about whether:
(a) Opening balances contain misstatements that materially affect the current period's financial statements;
and
(b) Appropriate accounting policies reflected in the opening balances have been consistently applied in the
current period's financial statements, or changes thereto are appropriately accounted for and adequately
presented and disclosed in accordance with the applicable financial reporting framework.
This standard provides guidance regarding opening balances when the financial statements are audited for
the first time or when the financial statements for the prior period were audited by another auditor.
Paragraph #
Relevant Extracts from ISAs
510.5
The auditor shall read the most recent financial statements, if any, and the predecessor auditor’s report
thereon, if any, for information relevant to opening balances, including disclosures.
510.6
The auditor shall obtain sufficient appropriate audit evidence about whether the opening balances contain
misstatements that materially affect the current period’s financial statements by: (Ref: Para. A1–A2)
(a) Determining whether the prior period’s closing balances have been correctly brought forward to the
current period or, when appropriate, have been restated;
(b) Determining whether the opening balances reflect the application of appropriate accounting policies;
and
(c) Performing one or more of the following: (Ref: Para. A3–A7)
(i) Where the prior year financial statements were audited, reviewing the predecessor auditor’s
working papers to obtain evidence regarding the opening balances;
(ii) Evaluating whether audit procedures performed in the current period provide evidence relevant
to the opening balances; or
(iii) Performing specific audit procedures to obtain evidence regarding the opening balances.
510.7
06/10/2010
If the auditor obtains audit evidence that the opening balances contain misstatements that could materially
affect the current period’s financial statements, the auditor shall perform such additional audit procedures
as are appropriate in the circumstances to determine the effect on the current period’s financial statements.
If the auditor concludes that such misstatements exist in the current period’s financial statements, the
Page 186
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
auditor shall communicate the misstatements with the appropriate level of management and those charged
with governance in accordance with ISA 450.
510.8
The auditor shall obtain sufficient appropriate audit evidence about whether the accounting policies
reflected in the opening balances have been consistently applied in the current period’s financial
statements, and whether changes in the accounting policies have been appropriately accounted for and
adequately presented and disclosed in accordance with the applicable financial reporting framework.
510.9
If the prior period’s financial statements were audited by a predecessor auditor and there was a
modification to the opinion, the auditor shall evaluate the effect of the matter giving rise to the
modification in assessing the risks of material misstatement in the current period’s financial statements in
accordance with ISA 315.
510.10
If the auditor is unable to obtain sufficient appropriate audit evidence regarding the opening balances, the
auditor shall express a qualified opinion or disclaim an opinion on the financial statements, as appropriate,
in accordance with ISA 705. (Ref: Para. A8)
510.11
If the auditor concludes that the opening balances contain a misstatement that materially affects the current
period’s financial statements, and the effect of the misstatement is not appropriately accounted for or not
adequately presented or disclosed, the auditor shall express a qualified opinion or an adverse opinion, as
appropriate, in accordance with ISA 705.
510.12
If the auditor concludes that:
(a) the current period’s accounting policies are not consistently applied in relation to opening balances in
accordance with the applicable financial reporting framework; or
(b) a change in accounting policies is not appropriately accounted for or not adequately presented or
disclosed in accordance with the applicable financial reporting framework, the auditor shall express a
qualified opinion or an adverse opinion as appropriate in accordance with ISA 705.
510.13
If the predecessor auditor’s opinion regarding the prior period’s financial statements included a
modification to the auditor’s opinion that remains relevant and material to the current period’s financial
statements, the auditor shall modify the auditor’s opinion on the current period’s financial statements in
accordance with ISA 705 and ISA 710. (Ref: Para. A9)
The requirements are summarized below.
Exhibit 15.5-1
Address
Do Opening
Balances Contain
Misstatements that
Could Affect the
Current Period?
Determine Impact
06/10/2010
Description
•
•
•
•
•
Read most recent financial statements and predecessor auditor’s report (if
any);
Determine that prior period’s closing balances have been correctly brought
forward and reflect use of appropriate accounting policies;
Review predecessor auditor’s working papers; and
Perform audit procedures in current period to obtain evidence regarding
the opening balances. This is particularly important where the previous
year’s financial statements were not audited.
Perform such additional audit procedures as are appropriate;
Page 187
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Address
Description
on Current Period
of Identified
Misstatements
•
•
Determine Impact
(if any) on Audit
Opinion
If the predecessor auditor’s modified audit opinion remains relevant or the
opening balances contain a misstatement that materially affects the current
period’s financial statements (the effect of which was not appropriately
accounted for, presented or disclosed), a qualified opinion or an adverse
opinion would be necessary.
15.6
Evaluate any predecessor auditor’s modification to the audit opinion; and
Ensure accounting policies reflected in opening balances have been
consistently applied through the current period.
ISA 600 — Special Considerations — Audits of Group Financial Statements
(Including the Work of Component Auditors)
Paragraph #
ISA Objective(s)
600.8
The objectives of the auditor are:
(a) To determine whether to act as the auditor of the group financial statements; and
(b) If acting as the auditor of the group financial statements:
(i) To communicate clearly with component auditors about the scope and timing of their work on financial
information related to components and their findings; and
(ii) To obtain sufficient appropriate audit evidence regarding the financial information of the
components and the consolidation process to express an opinion on whether the group financial
statements are prepared, in all material respects, in accordance with the applicable financial
reporting framework.
Paragraph #
Relevant Extracts from ISAs
600.9
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Component – An entity or business activity for which group or component management prepares
financial information that should be included in the group financial statements. (Ref: Para. A2-A4)
(b) Component auditor – An auditor who, at the request of the group engagement team, performs work
on financial information related to a component for the group audit. (Ref: Para. A7)
(c) Component management – Management responsible for preparing the financial information of a
component.
(d) Component materiality – The materiality for a component determined by the group engagement team.
(e) Group – All the components whose financial information is included in the group financial
statements. A group always has more than one component.
(f)
Group audit – The audit of group financial statements.
(g) Group audit opinion – The audit opinion on the group financial statements.
(h) Group engagement partner – The partner or other person in the firm who is responsible for the group
audit engagement and its performance, and for the auditor’s report on the group financial statements
that is issued on behalf of the firm. Where joint auditors conduct the group audit, the joint
engagement partners and their engagement teams collectively constitute the group engagement
partner and the group engagement team. This ISA does not, however, deal with the relationship
between joint auditors or the work that one joint auditor performs in relation to the work of the other
joint auditor.
06/10/2010
Page 188
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(i)
Group engagement team – Partners, including the group engagement partner, and staff who establish
the overall group audit strategy, communicate with component auditors, perform work on the
consolidation process, and evaluate the conclusions drawn from the audit evidence as the basis for
forming an opinion on the group financial statements.
(j)
Group financial statements – Financial statements that include the financial information of more than
one component. The term “group financial statements” also refers to combined financial statements
aggregating the financial information prepared by components that have no parent but are under
common control.
(k) Group management – Management responsible for preparing and presenting the group financial
statements.
(l)
Group-wide controls – Controls designed, implemented and maintained by group management over
group financial reporting.
(m) Significant component – A component identified by the group engagement team (i) that is of
individual financial significance to the group, or (ii) that, due to its specific nature or circumstances,
is likely to include significant risks of material misstatement of the group financial statements. (Ref:
Para. A5-A6)
This standard provides guidance on the special considerations that apply to group audits. It outlines
responsibilities, communications and requirements for and between the:
•
Group engagement partners, group engagement teams; and
•
Component auditors who perform work (such as auditing a division, branch, subsidiary of the group)
on behalf of the group engagement team and then report on the results.
The requirements outlined may also be useful for other situations where an auditor involves another
auditor in some part of the audit of financial statements. (This could include observing an inventory count
or performing specific procedures at a remote location.)
Consider point
The definition of a group component is broad. Before concluding that this standard is not applicable,
ensure that a significant component does not in fact exist. A component could result from the entities
organization structure (such as subsidiaries, divisions, branches, joint ventures, or investees
accounted for by the equity or cost methods of accounting) or financial reporting systems organized
by function, product, service or geographical location.
If a significant component exists, this standard outlines a number of requirements relating to:
• Responsibility of the group engagement partner
• Audit planning and materiality
• Risk assessment and response
• Relationships between the group engagement team and component auditors.
• Nature and extent of communications
• Group-wide controls and the consolidation process.
Note:
On the assumption that group audits are not that common in the audit of SMEs, the following
exhibit contains only extracts from the many requirements contained in the standard.
06/10/2010
Page 189
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 15.6-1
Summarized Extracts from the Requirements Section
Responsibility
•
600.11
•
Acceptance/Continu
ance and Planning
600.12-16
•
•
•
Understanding the
Group, its
Components and
their Environments
600.17-18
Understanding the
Component Auditor
600.19-20
Materiality
600.21-23
06/10/2010
The group engagement partner is responsible for the direction, supervision
and performance of the group audit engagement in compliance with
professional standards.
The auditor’s report on the group financial statements shall not refer to a
component auditor.
The group engagement team shall obtain an understanding of the group, its
components and their environments that is sufficient to identify
components that are likely to be significant components.
The group engagement partner shall agree on the terms of the group audit
engagement.
The group engagement team shall establish an overall group audit strategy
and shall develop a group audit plan.
The group engagement team shall obtain an understanding that is sufficient to:
• Confirm or revise its initial identification of components that are likely to
be significant; and
• Assess the risks of material misstatement of the group financial
statements, whether due to fraud or error.
If the group engagement team plans to request a component auditor to perform
work on the financial information of a component, the group engagement team
shall obtain an understanding of:
• Whether the component auditor understands and will comply with the
ethical requirements that are relevant to the group audit and, in particular,
is independent;
• The component auditor’s professional competence;
• Whether the group engagement team will be able to be involved in the
work of the component auditor to the extent necessary to obtain sufficient
appropriate audit evidence; and
• Whether the component auditor operates in a regulatory environment that
actively oversees auditors.
The group engagement team shall determine:
• Materiality for the group financial statements as a whole when establishing
the overall group audit strategy;
• Lower amounts than group materiality, where applicable, for particular
classes of transactions, account balances or disclosures;
• Component materiality for those components where component auditors
will perform an audit or a review for purposes of the group audit; and
• The threshold above which misstatements cannot be regarded as clearly
trivial to the group financial statements.
Page 190
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Summarized Extracts from the Requirements Section
The group team shall also evaluate the appropriateness of performance
materiality determined by the component auditor at the component level.
Responding to
Assessed Risks
The auditor is required to design and implement appropriate responses to
address the assessed risks of material misstatement of the financial statements.
600.24-31
The group engagement team shall:
• Determine the type of work to be performed by the group engagement
team, or the component auditors on its behalf, on the financial information
of the components;
• Evaluate the appropriateness of further procedures to respond to identified
significant risks of material misstatement of the group financial
statements; and
• Evaluate the appropriateness, completeness and accuracy of consolidation
adjustments and reclassifications, and shall evaluate whether any fraud
risk factors or indicators of possible management bias exist.
For a component that is significant due to its individual financial significance
to the group, the group engagement team, or a component auditor on its behalf,
shall perform an audit of the financial information of the component using
component materiality.
Consolidation
Process
600.32-37
The group engagement team shall design and perform further audit procedures
on the consolidation process to respond to the assessed risks of material
misstatement of the group financial statements arising from the consolidation
process. This shall include evaluating whether all components have been
included in the group financial statements.
If the group financial statements include the financial statements of a
component with a financial reporting period end that differs from that of the
group, the group engagement team shall evaluate whether appropriate
adjustments have been made to those financial statements in accordance with
the applicable financial reporting framework.
Subsequent Events
600.38-39
The group engagement team or the component auditors shall perform
procedures designed to identify subsequent events that may require adjustment
to or disclosure in the group financial statements.
The group engagement team shall request the component auditors to notify the
group engagement team if they become aware of subsequent events.
Communication
with the Component
Auditor
600.40-41
06/10/2010
The group engagement team shall communicate its requirements to the
component auditor on a timely basis. This communication shall set out the
work to be performed, the use to be made of that work, and the form and
content of the component auditor’s communication with the group engagement
team. This would include:
• Confirmation that the component auditor will cooperate with the group
Page 191
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Summarized Extracts from the Requirements Section
•
•
•
•
engagement team;
Relevant ethical and independence requirements;
Component materiality;
Identified significant risks of material misstatement of the group financial
statements, due to fraud or error, and that are relevant to the work of the
component auditor; and
A list of related parties prepared by group management, and the timely
communication of related parties not previously identified by group
management or the group engagement team.
The group engagement team shall request the component auditor to
communicate matters relevant to the group engagement team’s conclusion
with regard to the group audit. For example:
• Compliance by component auditor with:
– Ethical requirements including independence and professional
competence, and
– The group engagement team’s requirements;
• What financial information of the component is being reported upon;
• Instances of non-compliance with laws or regulations;
• A list of uncorrected misstatements;
• Indicators of possible management bias;
• Any identified significant deficiencies in internal control at the component
level;
• Other significant matters that the component auditor communicated or
expects to communicate to those charged with governance of the
component, including fraud or suspected fraud;
• Any other matters that may be relevant to the group audit, including
exceptions noted in the written representations that the component auditor
requested from component management; and
• The component auditor’s overall findings, conclusions or opinion.
Evaluating the
Sufficiency and
Appropriateness of
Audit Evidence
Obtained
600.42-45
The group engagement team shall:
• Discuss significant matters arising from the evaluation of evidence with
the component auditor, component management or group management, as
appropriate; and
• Determine whether it is necessary to review other relevant parts of the
component auditor’s audit documentation.
If the work of the component auditor is insufficient, the group engagement
team shall determine what additional procedures are to be performed, and
whether they are to be performed by the component auditor or by the group
engagement team.
The group engagement team shall evaluate whether sufficient appropriate audit
evidence has been obtained from the audit procedures performed.
The group engagement partner shall evaluate the effect on the group audit
06/10/2010
Page 192
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Summarized Extracts from the Requirements Section
opinion of any uncorrected misstatements and any instances where there has
been an inability to obtain sufficient appropriate audit evidence.
Communication
with Group
Management and
Those Charged with
Governance of the
Group
600.46-49
Documentation
600.50
06/10/2010
The group engagement team shall determine which identified deficiencies in
internal control to communicate to group management and those charged with
governance.
If fraud has been identified the group engagement team shall communicate this
on a timely basis to the appropriate level of group management.
The group engagement team shall communicate the following matters:
• An overview of the type of work to be performed on the financial
information of the components;
• An overview of the nature of the group engagement team’s planned
involvement in the work to be performed by the component auditors on the
financial information of significant components;
• Instances where the group engagement team’s evaluation of the work of a
component auditor gave rise to a concern about the quality of that
auditor’s work;
• Any limitations on the group audit, for example, where the group
engagement team’s access to information may have been restricted; and
• Fraud or suspected fraud involving group management, component
management, employees who have significant roles in group-wide controls
or others where the fraud resulted in a material misstatement of the group
financial statements.
The group engagement team shall include in the audit documentation the
following matters:
• An analysis of components, indicating those that are significant, and the
type of work performed on the financial information of the components;
• The nature, timing and extent of the group engagement team’s
involvement in the work performed by the component auditors on
significant components including, where applicable, the group engagement
team’s review of relevant parts of the component auditors’ audit
documentation and conclusions thereon; and
• Written communications between the group engagement team and the
component auditors about the group engagement team’s requirements.
Page 193
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
15.7
ISA 610 — Using the Work of Internal Auditors
Paragraph #
610.6
ISA Objective(s)
The objectives of the external auditor, where the entity has an internal audit function that
the external auditor has determined is likely to be relevant to the audit, are:
(a)
To determine whether, and to what extent, to use specific work of the
internal auditors; and
(b)
If using the specific work of the internal auditors, to determine whether
that work is adequate for the purposes of the audit.
Exhibit 15.7-1
Paragraph #
Relevant Extracts from ISAs
610.8
The external auditor shall determine:
(a) Whether the work of the internal auditors is likely to be adequate for purposes of the audit;
and
(b) If so, the planned effect of the work of the internal auditors on the nature, timing or extent of
the external auditor’s procedures.
610.9
06/10/2010
In determining whether the work of the internal auditors is likely to be adequate for purposes of
the audit, the external auditor shall evaluate:
Page 194
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(a) The objectivity of the internal audit function;
(b) The technical competence of the internal auditors;
(c) Whether the work of the internal auditors is likely to be carried out with due professional
care; and
(d) Whether there is likely to be effective communication between the internal auditors and the
external auditor. (Ref: Para. A4)
610.10
In determining the planned effect of the work of the internal auditors on the nature, timing or
extent of the external auditor’s procedures, the external auditor shall consider:
(a) The nature and scope of specific work performed, or to be performed, by the internal
auditors;
(b) The assessed risks of material misstatement at the assertion level for particular classes of
transactions, account balances, and disclosures; and
(c) The degree of subjectivity involved in the evaluation of the audit evidence gathered by the
internal auditors in support of the relevant assertions. (Ref: Para. A5)
610.11
In order for the external auditor to use specific work of the internal auditors, the external auditor
shall evaluate and perform audit procedures on that work to determine its adequacy for the
external auditor’s purposes. (Ref: Para. A6)
610.12
To determine the adequacy of specific work performed by the internal auditors for the external
auditor’s purposes, the external auditor shall evaluate whether:
(a) The work was performed by internal auditors having adequate technical training and
proficiency;
(b) The work was properly supervised, reviewed and documented;
(c) Adequate audit evidence has been obtained to enable the internal auditors to draw
reasonable conclusions;
(d) Conclusions reached are appropriate in the circumstances and any reports prepared by the
internal auditors are consistent with the results of the work performed; and
(e) Any exceptions or unusual matters disclosed by the internal auditors are properly resolved.
610.13
If the external auditor uses specific work of the internal auditors, the external auditor shall
include in the audit documentation the conclusions reached regarding the evaluation of the
adequacy of the work of the internal auditors, and the audit procedures performed by the external
auditor on that work, in accordance with paragraph 11.
Overview
In larger entities, an internal audit department is often established to monitor the effectiveness of various
06/10/2010
Page 195
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
aspects of internal control. The scope of internal audit activities could include:
•
Monitoring of certain elements of internal control;
•
Examination of financial and operating information;
•
Review of operating activities;
•
Review of compliance with laws and regulations;
•
Risk management; and/or
•
Governance.
Where the objectives and scope of internal audit work includes a review of internal controls over financial
reporting, the work of the internal auditor may (subject to its adequacy) be relied upon by the external
auditor to modify the nature and extent of the external auditor’s procedures. However, because internal
auditors are hired by the entity and form part of its internal control, they are not completely independent.
Consequently, their work would not be relied upon to the same extent as that performed by the external
audit team.
Summary of Requirements
The following chart outlines a summary of the requirements.
Exhibit 15.7-2
Task
Considerations
Will Internal
Audit Work be
Adequate for
External Audit
Purposes?
•
What are the objectives and scope of the internal audit function?
•
How objective (independent) is the internal audit function?
•
Are the internal auditors technically competent?
•
Will their work be carried out with due professional care?
•
Is the communication between the internal and external auditors effective?
What Effect will
Reliance on
Internal Audit
Work have on the
External Audit?
Evaluate the
Adequacy of
Internal Work for
External Audit
Reliance
06/10/2010
Consider:
• Nature and scope of specific work performed or to be performed by internal
auditor;
•
Assessed risks of material misstatement at the assertion level for particular
classes of transactions, account balances and disclosures; and
•
Degree of subjectivity involved in the evaluation of the audit evidence
gathered by the internal auditors in support of the relevant assertions.
•
Did the internal auditors performing the work have adequate technical
training and proficiency?
•
Was the work properly supervised, reviewed and documented?
•
Was adequate audit evidence obtained to enable the internal auditors to
Page 196
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Task
Considerations
draw reasonable conclusions?
Document Results
•
Were the conclusions reached appropriate in the circumstances?
•
Were any reports prepared by the internal auditors consistent with the
results of the work performed?
•
Were any exceptions or unusual matters disclosed by the internal auditors
properly resolved?
•
Conclusions reached on the evaluation of adequacy of internal auditors
work; and
•
Description of audit procedures performed by the external auditor on that
work.
In some cases, the services of the internal audit group may be made available to the external auditor to
speed up the audit process and reduce the costs of the external audit. In such situations, it would be useful
to agree in advance (preferably in writing) matters such as the following:
•
The timing and extent of the work delegated to internal audit;
•
Materiality for the financial statements as a whole (and, if applicable, materiality level or levels for
particular classes of transactions, account balances or disclosures), and performance materiality;
•
Proposed methods of item selection;
•
Documentation of the work performed; and
•
Review and reporting procedures.
Reporting
The external auditor has sole responsibility for the audit opinion expressed and that responsibility is not
reduced by the external auditor’s use of the work of the internal auditors. Consequently, no reference would
be made in the external auditor’s report to the work of the internal auditors.
15.8
ISA 620 — Using the Work of an Auditor’s Expert
Paragraph #
ISA Objective(s)
620.5
Objectives of the auditor are:
(a) To determine whether to use the work of an auditor’s expert; and
(b) If using the work of an auditor’s expert, to determine whether that work is adequate for the auditor’s
purposes.
06/10/2010
Page 197
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Can we understand the nature of
work performed by auditor’s expert?
Agree on terms of engagement
with the auditor’s expert
Risk Response
Is an auditor’s expert needed to
obtain audit evidence? If yes:
- what procedures will be required?
- is expert selected competent,
capable and objective?
Reporting
Risk Assessment
Exhibit 15.8-1
Evaluate adequacy of work performed
by auditor’s expert including findings,
conclusions, assumptions used and
sources of data.
Determine if any further audit work required
Do not make reference to work of a
auditor’s expert unless auditor's report
has been modified?
If insufficient appropriate audit evidence
was obtained, modify the auditors report
Paragraph #
Relevant Extracts from ISAs
620.6
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Auditor’s expert – An individual or organization possessing expertise in a field other than accounting
or auditing, whose work in that field is used by the auditor to assist the auditor in obtaining sufficient
appropriate audit evidence. An auditor’s expert may be either an auditor’s internal expert (who is a
partner or staff, including temporary staff, of the auditor’s firm or a network firm), or an auditor’s
external expert. (Ref: Para. A1-A3)
(b) Expertise – Skills, knowledge and experience in a particular field.
(c) Management’s expert – An individual or organization possessing expertise in a field other than
accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing
the financial statements
In some situations, the auditor may require expertise (other than accounting or auditing) to obtain
sufficient appropriate audit evidence. This could involve using the work of an auditor’s expert who would
provide audit evidence in the form of reports, opinions, valuations and statements. Some examples are
included in the exhibit below.
Exhibit 15.8-2
Need for an
Auditor’s Expert?
06/10/2010
•
•
Specialized inventory counters;
Valuations of assets such as land and buildings, plant and machinery,
works of art, precious stones, inventory and complex financial
instruments;
Page 198
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
•
•
•
•
Determination of quantities or physical condition of assets such as
minerals stored in stockpiles, underground mineral and petroleum reserves
and the remaining useful life of plant and machinery;
Determination of amounts using specialized techniques or methods such as
actuarial valuation;
The analysis of complex or unusual tax compliance issues;
The measurement of work completed and to be completed on contracts in
progress; and
Legal opinions concerning interpretations of agreements, statutes and
regulations.
This standard provides guidance on how the work of an auditor’s expert can be used as appropriate audit
evidence.
In some cases, an auditor who is not an expert in a relevant field other than accounting or auditing may be
able to obtain a sufficient understanding of that field to perform the audit without an auditor's expert.
Such an understanding may be obtained through:
•
Experience in auditing entities requiring similar expertise.
•
Education or professional development in the particular field. This may include formal courses, or
discussion (but not consultation where all the relevant facts are provided) with experts in the relevant
field.
•
Discussion with auditors who have performed similar engagements.
Note: Regardless of whether the work of an expert is used or not, the auditor maintains sole
responsibility for the audit opinion expressed.
Risk Assessment
Paragraph #
Relevant Extracts from ISAs
620.7
If expertise in a field other than accounting or auditing is necessary to obtain sufficient appropriate audit
evidence, the auditor shall determine whether to use the work of an auditor’s expert. (Ref: Para. A4-A9)
620.8
The nature, timing and extent of the auditor’s procedures with respect to the requirements in paragraphs 913 of this ISA will vary depending on the circumstances. In determining the nature, timing and extent of
those procedures, the auditor shall consider matters including: (Ref: Para. A10)
(a) The nature of the matter to which that expert’s work relates;
(b) The risks of material misstatement in the matter to which that expert’s work relates;
(c) The significance of that expert’s work in the context of the audit;
(d) The auditor’s knowledge of and experience with previous work performed by that expert; and
(e) Whether that expert is subject to the auditor’s firm’s quality control policies and procedures. (Ref:
Para. A11-A13)
620.9
06/10/2010
The auditor shall evaluate whether the auditor’s expert has the necessary competence, capabilities and
objectivity for the auditor’s purposes. In the case of an auditor’s external expert, the evaluation of
objectivity shall include inquiry regarding interests and relationships that may create a threat to that
expert’s objectivity. (Ref: Para. A14-A20)
Page 199
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
620.10
The auditor shall obtain a sufficient understanding of the field of expertise of the auditor’s expert to enable
the auditor to: (Ref: Para. A21-A22)
(a) Determine the nature, scope and objectives of that expert’s work for the auditor’s purposes; and
(b) Evaluate the adequacy of that work for the auditor’s purposes
620.11
The auditor shall agree, in writing when appropriate, on the following matters with the auditor’s expert:
(Ref: Para. A23-A26)
(a) The nature, scope and objectives of that expert’s work; (Ref: Para. A27)
(b) The respective roles and responsibilities of the auditor and that expert; (Ref: Para. A28-A29)
(b) The nature, timing and extent of communication between the auditor and that expert, including the
form of any report to be provided by that expert; and (Ref: Para. A30)
(b) The need for the auditor’s expert to observe confidentiality requirements. (Ref: Para. A31)
Exhibit 15.8-3
no
Is an auditor’s expert
needed to obtain
audit evidence?
yes
What procedures
are required?
(Nature/timing/extent)
no
Is chosen expert
yes
competent, capable
and objective?
no
Do we (auditor)
yes
understand experts
field of expertise?
no
Agree on terms
of engagement
Plan alternative audit procedures appropriate to the circumstances
Exhibit 15.8-4
Consider
Is an Auditor’s Expert
Needed to Obtain
Audit Evidence?
06/10/2010
Discussion
Consider need in relation to:
- Obtaining an understanding of the entity, including internal control
- Identifying/assessing the risks of material misstatement.
- Determining/implementing overall responses to assessed risks at the financial
Page 200
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
What Audit Procedures
are Required?
Is Chosen Auditors
Expert
Competent, Capable
And Objective?
Do we (Auditor)
Understand Experts
Field Of Expertise?
Agree on Terms
of Engagement
statement level.
- Designing/performing further audit procedures to respond to assessed risks at the
assertion level.
- Evaluating the sufficiency/appropriateness of audit evidence obtained to form an
opinion
Consider:
- The nature of the matter and the risks of material misstatement.
- The significance of the expert's work in the context of the audit.
- Previous work (if any) performed by that expert.
- Whether the expert is subject to the auditor's firm's quality control policies and
procedures.
• Competence relates to the nature and level of expertise of the auditor's expert.
• Capability relates to the ability of the auditor's expert to exercise that competence in
the circumstances of the engagement (e.g. geographic location, and the availability
of time and resources).
• Objectivity relates to the possible effects that bias, conflict of interest, or the
influence of others may have on the professional or business judgment of the
auditor's expert.
Other factors to consider include:
• Personal experience with previous work of that expert.
• Discussions with that expert.
• Discussions with others familiar with that expert's work.
• Knowledge of that expert's qualifications, membership of a professional body
or industry association, license to practice, or other forms of external
recognition.
• Published papers or books written by that expert.
• The auditor's firm's quality control policies and procedures
Is there sufficient understanding of the auditor’s experts field of work to:
• Plan the audit?
• Review the results of work performed.
In establishing the terms of engagement, consider factors such as the following:
• Access of the auditor's expert to sensitive or confidential entity information.
• The respective roles or responsibilities of the auditor and the auditor’s expert
• Any multi-jurisdictional, legal or regulatory requirements
• The complexity of the work required
• Previous experience by the auditor’s expert with the entity
• The extent of the auditor's expert's work, and its significance in the context of
the audit.
The written agreement would address:
- Nature, scope and objectives of expert's work.
- Respective roles and responsibilities.
- Nature, timing and extent of communication including the report format.
- Need for confidentiality.
Appendix to ISA 620 sets out matters that the auditor may consider for inclusion in any
written agreement with an auditor’s external expert.
Evaluating the work performed
Paragraph #
Relevant Extracts from ISAs
620.12
The auditor shall evaluate the adequacy of the auditor’s expert’s work for the auditor’s purposes,
including: (Ref: Para. A32)
06/10/2010
Page 201
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(a) The relevance and reasonableness of that expert’s findings or conclusions, and their consistency with
other audit evidence; (Ref: Para. A33-A34)
(b) If that expert’s work involves use of significant assumptions and methods, the relevance and
reasonableness of those assumptions and methods in the circumstances; and (Ref: Para. A35-A37)
(c) If that expert’s work involves the use of source data that is significant to that expert’s work, the
relevance, completeness, and accuracy of that source data. (Ref: Para. A38-A39)
620.13
If the auditor determines that the work of the auditor’s expert is not adequate for the auditor’s purposes,
the auditor shall: (Ref: Para. A40)
(a) Agree with that expert on the nature and extent of further work to be performed by that expert; or
(b) Perform additional audit procedures appropriate to the circumstances.
Exhibit 15.8-5
If the results of the expert’s work are unsatisfactory or inconsistent with other evidence, the auditor
should resolve the matter. This may involve:
•
Discussions with the entity and the expert;
•
Applying additional audit procedures;
•
Possibly engaging another expert; or
•
Modifying the auditor’s report.
Reporting
Paragraph #
Relevant Extracts from ISAs
620.14
The auditor shall not refer to the work of an auditor’s expert in an auditor’s report containing an
unmodified opinion unless required by law or regulation to do so. If such reference is required by law or
regulation, the auditor shall indicate in the auditor’s report that the reference does not reduce the auditor’s
responsibility for the auditor’s opinion. (Ref: Para. A41)
620.15
If the auditor makes reference to the work of an auditor’s expert in the auditor’s report because such
reference is relevant to an understanding of a modification to the auditor’s opinion, the auditor shall
indicate in the auditor’s report that such reference does not reduce the auditor’s responsibility for that
opinion. (Ref: Para. A42)
The auditor’s report would not refer to the work of an expert. Such a reference might be misunderstood to
be a modification of the auditor’s opinion or a division of responsibility, neither of which is intended.
06/10/2010
Page 202
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
However, if the auditor decides to issue a modified auditor’s report as a result of the expert’s
involvement, it may be appropriate, in explaining the nature of the modification, to refer to or describe the
work of the expert (including the identity of the expert and the extent of the expert’s involvement). In
these circumstances, the auditor would obtain the permission of the expert before making such a
reference. If permission is refused and the auditor believes a reference is necessary, the auditor may need
to seek legal advice.
15.9
ISA720 — Other Information in Documents Containing Audited Financial
Statements
Paragraph #
720.4
ISA Objective(s)
The objective of the auditor is to respond appropriately when documents containing
audited financial statements and the auditor's report thereon include other information
that could undermine the credibility of those financial statements and the auditor's report.
Paragraph #
Relevant Extracts from ISAs
720.6
The auditor shall read the other information to identify material inconsistencies, if any,
with the audited financial statements.
720.7
The auditor shall make appropriate arrangements with management
or those charged with governance to obtain the other information prior to the date of the
auditor’s report. If it is not possible to obtain all the other information prior to the date of
the auditor’s report, the auditor shall read such other information as soon as practicable.
(Ref: Para. A5)
720.8
If, on reading the other information, the auditor identifies a material inconsistency, the
auditor shall determine whether the audited financial statements or the other information
needs to be revised.
720.9
If revision of the audited financial statements is necessary and management refuses to
make the revision, the auditor shall modify
the opinion in the auditor’s report in accordance with ISA 705.
720.10
06/10/2010
If revision of the other information is necessary and management refuses to make the
revision, the auditor shall communicate this matter to those charged with governance,
unless all of those charged with governance are involved in managing the entity; and
(a) Include in the auditor’s report an Other Matter paragraph describing the material
inconsistency in accordance with ISA 706;
(b) Withhold the auditor’s report; or
(c) Withdraw from the engagement, where withdrawal is possible under applicable law
or regulation. (Ref: Para. A6-A7)
Page 203
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
720.11
If revision of the audited financial statements is necessary, the auditor shall follow the
relevant requirements in ISA 560.
720.12
720.13
720.14
720.15
720.16
If revision of the other information is necessary and management agrees to make the
revision, the auditor shall carry out the procedures necessary under the circumstances.
(Ref: Para. A8)
If revision of the other information is necessary, but management refuses to make the
revision, the auditor shall notify those charged with governance, unless all of those
charged with governance are involved in managing the entity, of the auditor’s concern
regarding the other information and take any further appropriate action. (Ref: Para. A9)
If, on reading the other information for the purpose of identifying material
inconsistencies, the auditor becomes aware of an apparent material misstatement of fact,
the auditor shall discuss the matter with management. (Ref: Para. A10)
If, following such discussions, the auditor still considers that there is an apparent material
misstatement of fact, the auditor shall request management to consult with a qualified
third party, such as the entity’s legal counsel, and the auditor shall consider the advice
received.
If the auditor concludes that there is a material misstatement of fact in the other
information which management refuses to correct, the auditor shall notify those charged
with governance, unless all of those charged with governance are involved in managing
the entity, of the auditor’s concern regarding the other information and take any further
appropriate action. (Ref: Para. A11)
Overview
Some entities, such as those with many stakeholders, will publish (on paper or electronically) an annual
report or attach some additional information to the audited financial statements. Where this occurs, the
auditor has a responsibility to read the other information to identify any information that could undermine
the credibility of the financial statements and the auditor’s report. Should such information be found, the
auditor needs to take appropriate steps to rectify the situation
A summary of some of the key requirements is outlined in the chart below.
06/10/2010
Page 204
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 15.9-1
06/10/2010
Page 205
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
16.
AUDIT DOCUMENTATION
Chapter Content
The various requirements associated with the
documentation of audit planning, audit evidence
obtained and its ultimate storage.
Paragraph #
230.5
Relevant ISAs
ISQC 1, 220, 230,
240, 300, 315, 330
ISA Objective(s)
The objective of the auditor is to prepare documentation that provides:
(a)
A sufficient and appropriate record of the basis for the auditor's report; and
(b)
Evidence that the audit was planned and performed in accordance with ISAs and applicable legal
and regulatory requirements.
Paragraph #
Relevant Extracts from ISAs
230.6
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Audit documentation – The record of audit procedures performed, relevant audit evidence obtained,
and conclusions the auditor reached (terms such as “working papers” or “workpapers” are also
sometimes used).
(b) Audit file – One or more folders or other storage media, in physical or electronic form, containing the
records that comprise the audit documentation for a specific engagement.
(c) Experienced auditor – An individual (whether internal or external to the firm) who has practical audit
experience, and a reasonable understanding of:
(i) Audit processes;
(ii) ISAs and applicable legal and regulatory requirements;
(iii) The business environment in which the entity operates; and
(iv) Auditing and financial reporting issues relevant to the entity’s industry.
230.7
16.1
The auditor shall prepare audit documentation on a timely basis. (Ref: Para. A1)
Overview
Audit file documentation (whether maintained on paper or electronically) plays a critical role in:
•
Assisting the engagement team in planning and performing the audit;
•
Providing evidence to demonstrate that the planned audit procedures were in fact performed;
•
Assisting engagement reviewers (including engagement quality control reviewers) in carrying out
their responsibilities in accordance with professional standards;
•
Recording the judgments involved in forming the audit opinion; and
•
Recording matters of continuing significance for future audits of the entity.
06/10/2010
Page 206
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
There is no need to provide documentation about ISA requirements that are not relevant in the
circumstances. This would apply where the entire ISA is not relevant (such as ISA 610 when the entity
has no internal audit function) or where the ISA requirement is conditional and the condition does not
exist.
Good audit documentation is appropriately organized, provides a record of the work done, the audit
evidence obtained, the significant professional judgments applied and the conclusions reached.
Exhibit 16.1-1
•
The Need for Audit
File
Documentation
•
•
Supports the basis for the auditor’s conclusions concerning every relevant
financial statement assertion.
Provides evidence that the engagement complies with professional
standards.
Provides evidence that the underlying accounting records agree or
reconcile with the financial statements.
Audit documentation for smaller entities will generally be less extensive than that for larger entities. This
particularly applies where:
•
The engagement partner performs all the audit work. Documentation would not include matters
related to team discussions, allocation of responsibilities or supervision; and
•
Some matters are so straightforward that they can be more conveniently addressed in a single
document with cross-references to supporting working papers. This could include one or more of the
areas such as the understanding of the entity and its internal control, the overall audit strategy and
audit plan, materiality, assessed risks, significant matters noted and the conclusions reached.
Many ISAs contain specific documentation requirements that serve to clarify the requirements of ISA
230. The following table provides a reference to the paragraphs in ISAs that outline specific
documentation requirements. This does not imply that there are no documentation requirements in the
ISAs that are not included in the list below.
Exhibit 16.1-2
ISA
Title
210
Agreeing the Terms of Audit Engagements
10-12
220
Quality Control for an Audit of Financial Statements
24-25
230
Audit Documentation
240
The Auditor’s Responsibilities Relating to Fraud in an
Audit of Financial Statements
44-47
250
Consideration of Laws and Regulations in an Audit of
Financial Statements
29
06/10/2010
Paragraph
All
Page 207
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
ISA
Title
260
Communication with Those Charged with Governance
23
300
Planning an Audit of Financial Statements
12
315
Identifying and Assessing the Risks of Material
Misstatement Through Understanding the Entity and Its
Environment
32
320
Materiality in Planning and Performing an Audit
14
330
The Auditor’s Responses to Assessed Risks
450
Evaluation of Misstatements Identified During the Audit
15
540
Auditing Accounting Estimates, Including Fair Value
Accounting Estimates, and Related Disclosures
23
550
Related Parties
28
600
Special Considerations—Audits of Group Financial
Statements (Including the Work of Component Auditors)
50
610
Using the Work of Internal Auditors
13
16.2
Paragraph
28-30
Audit File Organization
An area to be addressed by firm-wide policies is audit file organization and indexing. A consistent
approach using a standard index has a number of advantages such as the following:
•
Enables specific working papers to be easily located and shared among audit team members;
•
Facilitates file review by the various reviewers such as the manager, engagement partner, engagement
quality control reviewer and quality control monitors;
•
Provides consistency between audit files in the firm; and
•
Assists with quality control functions such as checking for missing sign-offs, invalid cross-references
and unclear review notes.
Audit documentation is usually organized into logical divisions of work using an indexing system. If the
file is electronic, the indexing can be in the form of folders and sub-folders. As each piece of audit
documentation is created, it will be given a unique reference that ties directly into the overall file index.
Two examples of possible audit file indices are summarized in the exhibit below. The first example
groups documents according to the stage when documents are prepared in the audit process. Note that
completion documents (on paper files) are usually filed near the top of the file for easy reference. The
second index groups documents by the financial statement area such as payables, receivables, sales, etc.
06/10/2010
Page 208
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
In this file, all the documents relating to risk assessment and risk response for inventory would be
maintained under the inventory chapter. A third alternative would be to combine the two approaches with
some documents organized by the stage in the audit process and others by the financial statement area.
Exhibit 16.2-1
Index by Audit Phase
Index by Financial Statement Area
(extracts from an index)
(extracts from an index)
100-200 Financial statements and auditor’s
report
201-300 Tax returns, etc.
301-400 File completion such as memos on
significant decisions, checklists and
management representation letters
401-500 Audit planning, including audit
strategy and materiality
501-600 Risk assessment, including
understanding the entity and internal
control
601-700 Risk response, including detailed
audit plans by financial statement
area
701- 799 Other supporting documents
such as trial balances and reports
800
Financial reporting frameworks
10
06/10/2010
11
12
15
A
C
D
BB
DD
20
30
40
50
100
120
150
Financial statements and auditor’s
report
File completion memos, checklists, etc.
Overall audit strategy
Materiality
Cash
Receivables
Inventory
Payables
Long-term debt
Revenues
Purchases
Payroll
Taxation
Subsequent events
Contingencies
Other supporting documents
such as trial balances and reports
Page 209
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
16.3
Common Questions about Audit Documentation
Exhibit 16.3-1
Question
Response
Who Owns the Audit File?
Unless otherwise specified by legislation or regulation, audit
documentation is the property of the audit firm.
Are Copies of Entity Records
Examined Required to be Kept
on the Audit File?
No. All that is required is some identifying characteristics of the
transactions/procedure being examined so that the work could be
replicated or exceptions investigated as necessary. Identifying
characteristics include:
• Dates and unique transaction numbers for a test of details;
• Scope of procedure and the population used (that is, all journal
entries over a specified amount from the journal register);
• Source, starting point and sampling interval for systematic
samples;
• For staff inquiries, their names, job designations and dates of
inquiry; and
• For observations, the process or matter being observed,
relevant individuals, their respective responsibilities and
where/when the observation was carried out.
However, abstracts or copies of the entity’s records (such as
significant contracts and agreements) may be included if
considered appropriate.
Does each Page of the Audit
File need to be Initialled and
Dated by the Preparer and then
by the Reviewer?
Yes. This discipline has the effect of holding the engagement team
accountable for the work performed or reviewed. For file
reviewers, the extent of their review should also be evident on the
file. A detailed review (typically at the manager level) would
involve reviewing every page, whereas a general review (at the
partner level) might involve only looking at key sections of the file
where significant professional judgments were made.
Should ALL Considerations
and Use of Professional
Judgments be Documented?
No. It is neither necessary nor practicable for the auditor to
document every matter considered, or professional judgment
made. It is the significant matters and significant judgments made
on those matters during the audit that need to be documented.
Documentation of significant matters and judgments explains the
auditor’s conclusions and reinforces the quality of the judgments.
This can often be achieved through the preparation of the
significant issues memorandum at the completion of the audit.
Are Preliminary Drafts of
Financial Statements Required
to be kept if Materially
No. There is no requirement to retain documentation that was
incorrect or superseded.
06/10/2010
Page 210
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Question
Response
Inconsistent with the Final
Financial Statements?
Is it Necessary to Document
Non-Compliance with ISA
Requirements that are Really
not Applicable to the Audit?
16.4
No. Other than in exceptional circumstances, compliance is
required with each ISA requirement that is “relevant”. An ISA is
clearly not relevant when the entire ISA is not applicable or when
an ISA requirement is conditional and the condition does not exist.
Specific Documentation Requirements
Risk Assessment
Paragraph #
Relevant Extracts from ISAs
240.44
The auditor shall include the following in the audit documentation of the auditor’s understanding of the
entity and its environment and the assessment of the risks of material misstatement required by ISA 315:
(a) The significant decisions reached during the discussion among the engagement team regarding the
susceptibility of the entity’s financial statements to material misstatement due to fraud; and
(b) The identified and assessed risks of material misstatement due to fraud at the financial statement level
and at the assertion level.
240.47
If the auditor has concluded that the presumption that there is a risk of material misstatement due to fraud
related to revenue recognition is not applicable in the circumstances of the engagement, the auditor shall
include in the audit documentation the reasons for that conclusion.
300.12
The auditor shall include in the audit documentation:
(a) The overall audit strategy;
(b) The audit plan; and
(c) Any significant changes made during the audit engagement to the overall audit strategy or the audit
plan, and the reasons for such changes. (Ref: Para. A16 – 19)
315.32
The auditor shall include in the audit documentation:
(a) The discussion among the engagement team where required by paragraph 10, and the significant
decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its
environment specified in paragraph 11 and of each of the internal control components specified in
paragraphs 14-24; the sources of information from which the understanding was obtained; and the
risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level and at the
assertion level as required by paragraph 25; and
(d) The risks identified, and related controls about which the auditor has obtained an understanding, as a
result of the requirements in paragraphs 27-30. (Ref: Para. A131 – A134)
Typical audit documentation would include the items listed below.
06/10/2010
Page 211
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 16.4-1
Risk Assessment Phase
•
•
•
•
•
•
•
•
•
•
Pre-engagement (client acceptance) procedures.
Independence and ethics assessments.
Terms of engagement.
Materiality considerations.
Overall audit strategy.
Audit team discussions, including possible causes of
material misstatement due to fraud.
Risk assessment procedures performed and the results.
Assessed risks of material misstatement identified (at
overall and assertion levels) based on the understanding of
the entity obtained and related internal control (if any).
Significant risks.
Communications with management and those charged
with governance.
Comments
Remember to update risk assessment
documentation for:
• Any new risks identified later in
the audit; and
• Changes needed in risk
assessments or materiality
identified as a result of
performing further audit
procedures.
Risk Response
Paragraph #
Relevant Extracts from ISAs
230.9
In documenting the nature, timing and extent of audit procedures performed, the auditor shall record:
(a) The identifying characteristics of the specific items or matters tested; (Ref: Para. A12)
(b) Who performed the audit work and the date such work was completed; and
(c) Who reviewed the audit work performed and the date and extent of such review. (Ref: Para. A13)
240.45
The auditor shall include the following in the audit documentation of the auditor’s responses to the
assessed risks of material misstatement required by ISA 330:
(a) The overall responses to the assessed risks of material misstatement due to fraud at the financial
statement level and the nature, timing and extent of audit procedures, and the linkage of those
procedures with the assessed risks of material misstatement due to fraud at the assertion level; and
(b) The results of the audit procedures, including those designed to address the risk of management
override of controls.
330.28
The auditor shall include in the audit documentation:
(a) The overall responses to address the assessed risks of material misstatement at the financial statement
level, and the nature, timing, and extent of the further audit procedures performed;
(b) The linkage of those procedures with the assessed risks at the assertion level; and
(c) The results of the audit procedures, including the conclusions where these are not otherwise clear.
(Ref: Para. A63)
330.30
06/10/2010
The auditors’ documentation shall demonstrate that the financial statements agree or reconcile with the
underlying accounting records.
Page 212
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Typical audit documentation would include the items below.
Exhibit 16.4-2
Risk Response Phase
1. An audit plan that addresses:
• All material financial statement areas;
• The assessed risks of material misstatement at the
financial statement and assertion level;
• The nature, timing, and extent of the further audit
procedures performed that respond to the assessed
risks; and
• Significant risks identified.
2. Nature and extent of consultations with others.
3. Significance and nature of the evidence obtained to the
assertion being tested.
4. A clear explanation of the results obtained from the test
and how any exceptions or deviations were followed up.
This includes:
• The basis for the test;
• The choice of population;
• The level of assessed risk; and
• The sampling intervals and choice of the starting
point.
Comments
Audit documentation should stand by
itself and not need to be
supplemented by oral explanations.
See experienced auditor discussion
below.
Take care in choosing the right
population for the assertion being
tested.
Copies of client records inspected are
not necessary on file but some
identifying characteristics(s) such as a
number or date etc. is required so that
a person could re-perform the test if
necessary.
5. Actions taken as a result of auditing procedures that
indicate:
• Need to modify planned auditing procedures;
• Material misstatements may exist;
• Omissions in the financial statements; or
• The existence of significant deficiencies in internal
control over financial reporting.
6. Changes, if any, required to the overall audit strategy.
7. Use of significant judgments applied on significant
matters, in performing work and evaluating results.
8. Discussions with management on significant matters.
9. Memoranda, analysis, details of assumptions used and
how the validity of the underlying information used was
established.
10. Cross-references to supporting documentation and
evidence that the financial statements agree or reconcile
with the underlying accounting records.
06/10/2010
Page 213
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Reporting
Paragraph #
Relevant Extracts from ISAs
230.10
The auditor shall document discussions of significant matters with management, those charged with
governance, and others, including the nature of the significant matters discussed and when and with whom
the discussions took place. (Ref: Para. A14)
230.11
If the auditor identified information that is inconsistent with the auditor’s final conclusion regarding a
significant matter, the auditor shall document how the auditor addressed the inconsistency. (Ref: Para.
A15)
230.12
If, in exceptional circumstances, the auditor judges it necessary to depart from a relevant requirement in an
ISA, the auditor shall document how the alternative audit procedures performed achieve the aim of that
requirement, and the reasons for the departure. (Ref: Para. A18-A19)
240.46
The auditor shall include in the audit documentation communications about fraud made to management,
those charged with governance, regulators and others.
The following chart lists the typical audit documentation that addresses the reporting or file completion
phase.
Exhibit 16.4-3
Reporting
Comments
•
Completed audit programs.
•
Evidence of file reviews (that is, initials and checklists,
etc.):
– Detailed (manager/supervisor review),
– Engagement partner review, and
– Engagement quality control review, where applicable.
Take notes of verbal discussions with
management on significant matters
and record their responses. This will
help to ensure that audit
documentation contains the reasoning
for all significant decisions made.
•
Information that is inconsistent with or contradicts the
final conclusions.
•
Summary of financial effect of unadjusted errors
identified and management’s response (that is,
adjustments made).
•
Non-trivial uncorrected misstatements.
•
Significant matters arising;
– Actions taken to address them (including additional
evidence obtained), and
– The basis for the conclusions reached.
•
If assistance was provided (where permissible under
independence requirements) in preparing draft financial
06/10/2010
Include copies of relevant e-mails or
text messaging exchanged with the
client that address significant matters.
Page 214
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Reporting
Comments
statements, describe the nature of discussions held with
management to review the content of the statements. This
would include:
– Dates discussions were held,
– Explanations provided on the application of complex
accounting principles, and
– Major questions raised by management.
•
Copy of the financial statements and the auditor’s report
cross-referenced to the audit file chapters.
•
Reasons for any departure from a relevant ISA
requirement and the alternative procedures performed to
achieve the aim of that requirement.
•
Any engagement completion documents required by the
firm.
•
Copy of all communication with management and those
charged with governance.
•
Audit report date and the documentation completion date
(see discussion on file completion below).
16.5
The Experienced Auditor
Paragraph #
Relevant Extracts from ISAs
230.8
The auditor shall prepare audit documentation that is sufficient to enable an experienced auditor, having
no previous connection with the audit, to understand: (Ref: Para. A2-A5, A16-A17)
(a) The nature, timing and extent of the audit procedures performed to comply with the ISAs and
applicable legal and regulatory requirements; (Ref: Para. A6-A7)
(b) The results of the audit procedures performed, and the audit evidence obtained; and
(c) Significant matters arising during the audit, the conclusions reached thereon, and significant
professional judgments made in reaching those conclusions. (Ref: Para. A8-A11)
The audit documentation should be such that an experienced auditor, who has had no previous connection
with the audit, is able to understand (that is, without the need for verbal explanations):
•
The nature, timing, and extent of the audit procedures performed to comply with the applicable legal,
regulatory and professional requirements;
•
The results of the audit procedures and the audit evidence obtained; and
•
The nature of significant matters arising and the conclusions reached.
16.6
Electronic Documents
Many accounting firms have replaced (or are in the process of replacing) paper-based engagement files
with electronic files. In some cases, even though the work was performed and reviewed electronically,
06/10/2010
Page 215
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
paper files are maintained as the permanent record of work performed. Documents/forms are initiated in
digital form, client records are scanned electronically, and all data is stored electronically. It is printed on
paper only after all the work is completed and reviewed.
There are two types of electronic documents:
•
Work-in-process; and
•
Static information.
Work-in-Process
Work-in-process consists of dynamic information that is being developed and updated as the audit
progresses. Examples include blank audit forms and letter templates, industry knowledge and key
performance indicators, questionnaires, logic trees, the firm’s policies, diagnostics and the previous
period’s financial data, information, assumptions, etc. that may be used in performing this period’s
analytical procedures. This information is often contained within software applications and electronic
audit tools.
Static Information
Static information consists of final file documents such as the financial statements and completed working
papers that will not change and may well be required for reference in future years. Final or static
documents must be retained in a format where the information can be retrieved easily in later years.
Legacy Software
Leaving the information in a format used by a software application can be problematic if the software
application is updated with a new file format. The old file may not be capable of being opened unless a
copy of the old software application is also maintained. To overcome this problem, many firms are now
saving their final file documents in a medium called portable document format (PDF). PDF has been
accepted and used by government agencies and accounting firms around the world. The firm’s policies
should state that final documents are not to be edited.
Advantages of Automation
Maintaining audit files in an electronic form enables some administrative functions to be automated and
provides additional flexibility for engagement team members. For example:
•
Specific working papers can be accessed directly from the index;
•
Files and documents can be easily shared or reviewed with others in distant locations;
•
New audit folders and documents can be created, renamed, moved, copied or deleted from the index;
•
The detailed index can be collapsed to reveal its overall structure or expanded as needed, making it
easier to see the big picture and locate key documents;
•
Custom names can be given to important documents. This can help other team members to interpret
the contents of a document from its name;
•
Review functions can be automated such as checking all or part of the audit file for exceptions,
outstanding review notes and preparer/reviewer sign-offs;
•
Engagement team members can share file documents by using electronic check-in and check-out
tools;
•
Certain documents can be password-protected for enhanced security; and
•
Access to files can be restricted to authorized personnel.
06/10/2010
Page 216
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Using Electronic Tools in Working Papers
There are three important principles to note when using electronic tools in working paper preparation:
•
All the requirements of the ISAs still apply;
•
Electronic files require electronic document management. This addresses matters such as accessibility
(such as password access), data security, application management (including training), back-up
routines, edit rights, storage locations, review procedures, and decisions on what changes to files will
be tracked to provide the necessary audit trail; and
•
Final documents (all documents that are required to be maintained to support the audit opinion) must
be retained and be accessible in accordance with the firm’s file retention policies.
16.7
File Completion
Paragraph #
Relevant Extracts from ISAs
230.13
If, in exceptional circumstances, the auditor performs new or additional audit procedures or draws new
conclusions after the date of the auditor’s report, the auditor shall document: (Ref: Para. A20)
(a) The circumstances encountered;
(b) The new or additional audit procedures performed, audit evidence obtained, and conclusions reached,
and their effect on the auditor’s report; and
(c) When and by whom the resulting changes to audit documentation were made and reviewed.
230.14
The auditor shall assemble the audit documentation in an audit file and complete the administrative
process of assembling the final audit file on a timely basis after the date of the auditor’s report. (Ref: Para.
A21-A22)
230.15
After the assembly of the final audit file has been completed, the auditor shall not delete or discard audit
documentation of any nature before the end of its retention period. (Ref: Para. A23)
230.16
In circumstances other than those envisaged in paragraph 13 where the auditor finds it necessary to modify
existing audit documentation or add new audit documentation after the assembly of the final audit file has
been completed, the auditor shall, regardless of the nature of the modifications or additions, document:
(Ref: Para. A24)
(a) The specific reasons for making them; and
(b) When and by whom they were made and reviewed.
The dating of the auditor’s report signifies that the audit work is complete. After that date, there is no
continuing responsibility to seek further audit evidence.
After the audit report date, the final assembly of audit files should take place on a timely basis. An
appropriate time limit within which to complete the assembly of the final audit file is ordinarily not more
than 60 days after the date of the auditor’s report. This is illustrated in the exhibit below. Refer to ISQC 1
and ISA 230 for more details.
Exhibit 16.7-1
06/10/2010
Page 217
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Making Changes to the Audit File
Exhibit 16.7-2
Period
1
Dates
Requirements
BETWEEN
the Audit Report
Date and
Documentation
Completion Date
For administrative changes:
• Document the nature of audit evidence obtained, who prepared
and reviewed each document, and any additional memos to file
that may be required;
• Delete or discard superseded documentation;
• Sort, collate, and cross-reference working papers; and
• Sign off any completion checklists relating to the file assembly
process.
For changes in the audit evidence or conclusions reached, additional
documentation should be prepared that addresses three key
questions:
• When and by whom such additions were made, and (where
applicable) reviewed;
• The specific reasons for the additions; and
• The effect, if any, of the additions on the audit conclusions.
2
06/10/2010
AFTER
the Documentation
Completion Date
NO documentation should be deleted or discarded from the audit file
until the firm’s file retention period has expired.
Where it is necessary to make additions (including amendments) to
audit documentation after the documentation completion date, the
three key questions about changes in audit evidence, outlined in
Period 1 above, should be answered, regardless of the nature of the
additions.
Page 218
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
17.
FORMING AN OPINION ON FINANCIAL STATEMENTS
Chapter Content
Relevant ISAs
Requirements and considerations related to:
•
Forming an opinion on the financial statements; and
•
Preparing an appropriately worded auditor’s report.
700
Exhibit 17.0-1
Back to risk
assessment2
Activity
Reporting
Evaluate the audit
evidence obtained
yes
Purpose
Documentation1
Determine what
additional audit work
(if any) is required
Is
additional
work
required?
no
Prepare the
auditor’s report
Form an opinion
based on audit
findings
Significant decisions
Signed audit opinion
Notes:
1. Refer to ISA 230 for a more complete list of documentation required
Paragraph #
700.6
ISA Objective(s)
The objectives of the auditor are:
(a)
To form an opinion on the financial statements based on an evaluation of the conclusions drawn
from the audit evidence obtained; and
(b)
To express clearly that opinion through a written report that also describes the basis for that
opinion.
Paragraph #
Relevant Extracts from ISAs
700.7
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) General purpose financial statements – Financial statements prepared in accordance with a general
purpose framework.
06/10/2010
Page 219
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(b) General purpose framework – A financial reporting framework designed to meet the common
financial information needs of a wide range of users. The financial reporting framework may be a fair
presentation framework or a compliance framework.
The term “fair presentation framework” is used to refer to a financial reporting framework that
requires compliance with the requirements of the framework and:
(i) Acknowledges explicitly or implicitly that, to achieve fair presentation of the financial
statements, it may be necessary for management to provide disclosures beyond those specifically
required by the framework; or
(ii) Acknowledges explicitly that it may be necessary for management to depart from a requirement
of the framework to achieve fair presentation of the financial statements. Such departures are
expected to be necessary only in extremely rare circumstances.
The term “compliance framework” is used to refer to a financial reporting framework that requires
compliance with the requirements of the framework, but does not contain the acknowledgements in
(i) or (ii) above.
(c)
Unmodified opinion – The opinion expressed by the auditor when the auditor concludes that the
financial statements are prepared, in all material respects, in accordance with the applicable financial
reporting framework.
700.8
Reference to “financial statements” in this ISA means “a complete set of general purpose financial
statements, including the related notes.” The related notes ordinarily comprise a summary of significant
accounting policies and other explanatory information. The requirements of the applicable financial
reporting framework determine the form and content of the financial statements, and what constitutes a
complete set of financial statements.
700.9
Reference to “International Financial Reporting Standards” in this ISA means the International Financial
Reporting Standards issued by the International Accounting Standards Board, and reference to
“International Public Sector Accounting Standards” means the International Public Sector Accounting
Standards issued by the International Public Sector Accounting Standards Board.
17.1
Overview
The final step in the audit process is to evaluate the audit evidence obtained, consider the impact of any
misstatements identified, form an audit opinion and prepare an appropriately worded audit report.
This chapter addresses:
•
Financial statements prepared in accordance with one or both of the two general purpose frameworks
designed to meet the common financial information needs of a wide range of users;
•
Forming an opinion on a complete set of general purpose financial statements. This is based on an
evaluation of the conclusions drawn from the audit evidence obtained; and
•
Expressing clearly that opinion through a written report that also describes the basis for that opinion.
Chapters 23 and 24 of Volume 2 of this Guide deal with situations where a modified opinion, Emphasis
of Matter paragraph or Other Matter paragraphs are required in the auditor’s report.
For audits conducted in accordance with ISAs, the wording of the unmodified auditor’s report will
contain a minimum number of elements. The wording will be standard except where additional
paragraphs are added for an emphasis of a matter or other reporting matters.
Consistency in the auditor’s report helps:
06/10/2010
Page 220
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
promotes credibility in the global marketplace by making more readily identifiable those audits that
have been conducted in accordance with globally recognized standards.
•
promotes the user's understanding and helps to identify unusual circumstances (such as modifications
to the auditor’s report) when they occur.
In some jurisdictions, the laws or regulations governing the audit of financial statements may prescribe
different wording for the auditor’s opinion. However, the auditor’s responsibilities for forming the
opinion remain the same. Where the wording differs significantly from the standard international
wording, the auditor would consider the risk that users might misunderstand the assurance obtained. If
such a risk exists, further explanation could be added to the auditor’s report.
17.2
Financial Reporting Frameworks
The auditor’s opinion on the financial statements will be made in the context of an applicable “general
purpose” framework. This is a financial reporting framework designed to meet the common financial
information needs of a wide range of users. Acceptable frameworks include:
•
Accounting Standards for Private Enterprises;
•
International Financial Reporting Standards; and
•
Public Sector Accounting Standards.
There are two types of general purpose frameworks: the “fair presentation” framework and the
“compliance” framework.
Exhibit 17.2-1
Frameworks
Description
“Fair Presentation”
A financial reporting framework (such as International Financial Reporting
Standards) that requires compliance with the requirements of the framework
and:
i)
Acknowledges explicitly or implicitly that, to achieve fair presentation of
the financial statements, it may be necessary for management to provide
disclosures beyond those specifically required by the framework; or
ii) Acknowledges explicitly that it may be necessary for management to
depart from a requirement of the framework to achieve fair presentation of
the financial statements. Such departures are expected to be necessary only
in extremely rare circumstances.
The auditor reports on whether the financial statements “present fairly, in all
material respects” or “give a true and fair view of” the information that the
financial statements are designed to present.
“Compliance”
06/10/2010
A financial reporting framework that requires compliance with the
requirements of the framework, but does not contain the acknowledgements in
(i) or (ii) above for ‘fair’ presentation. The auditor is not required to evaluate
whether the financial statements achieve fair presentation. An example would
be a financial reporting framework stipulated by a law or regulation which is
designed to meet the financial information needs of a wide range of users.
Page 221
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Frameworks
Description
The auditor reports on whether the financial statements are prepared, in all
material respects, in accordance with, for example, “Jurisdiction X
Corporations Act”.
A decision tree for forming an opinion under the two general purpose frameworks is outlined below.
Exhibit 17.2-2
General Purpose Financial Reporting Frameworks
Fair presentation
Compliance
Are the F/S prepared in
accordance with an
applicable framework?
Are
F/S
“presented
fairly”?
yes
Standard
audit opinion
no
no
Report issue to
management and
those charged with
governance
yes
Issue
yes
resolved?
no
Modified
audit opinion
Do
F/S
comply with the
framework?
yes
Standard
audit opinion
no
Make changes to
the auditor’s report
In some cases, the auditor may be required to conduct an audit in accordance with both frameworks. In
these situations, the auditor’s opinion would refer to both the fair presentation framework and the
applicable legal or regulatory requirements.
National Standards
A reference in the auditor’s report to both International Standards on Auditing and the national auditing
standards is appropriate when no conflict exists between the requirements of both sets of standards. If a
conflict exists, the auditor’s report would only refer to the auditing standards (either International
Standards on Auditing or the national auditing standards) in accordance with which one the auditor’s
report has been prepared.
06/10/2010
Page 222
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
For example, ISA 570 requires the auditor to add an Emphasis of Matter paragraph to highlight a goingconcern problem whereas some national auditing standards prohibit such a paragraph.
17.3
Forming the Opinion
Paragraph #
Relevant Extracts from ISAs
700.10
The auditor shall form an opinion on whether the financial statements are prepared, in all material
respects, in accordance with the applicable financial reporting framework.
700.11
In order to form that opinion, the auditor shall conclude as to whether the auditor has obtained reasonable
assurance about whether the financial statements as a whole are free from material misstatement, whether
due to fraud or error. That conclusion shall take into account:
(a) The auditor’s conclusion, in accordance with ISA 330, whether sufficient appropriate audit evidence
has been obtained;
(b) The auditor’s conclusion, in accordance with ISA 450, whether uncorrected misstatements are
material, individually or in aggregate; and
(c) The evaluations required by paragraphs 12-15.
700.12
The auditor shall evaluate whether the financial statements are prepared, in all material respects, in
accordance with the requirements of the applicable financial reporting framework. This evaluation shall
include consideration of the qualitative aspects of the entity’s accounting practices, including indicators of
possible bias in management’s judgments. (Ref: Para. A1-A3)
700.13
In particular, the auditor shall evaluate whether, in view of the requirements of the applicable financial
reporting framework:
(a) The financial statements adequately disclose the significant accounting policies selected and applied;
(b) The accounting policies selected and applied are consistent with the applicable financial reporting
framework and are appropriate;
(c) The accounting estimates made by management are reasonable;
(d) The information presented in the financial statements is relevant, reliable, comparable and
understandable;
(e) The financial statements provide adequate disclosures to enable the intended users to understand the
effect of material transactions and events on the information conveyed in the financial statements;
and (Ref: Para. A4)
(f)
700.14
The terminology used in the financial statements, including the title of each financial statement, is
appropriate.
When the financial statements are prepared in accordance with a fair presentation framework, the
evaluation required by paragraphs 12-13 shall also include whether the financial statements achieve fair
presentation. The auditor’s evaluation as to whether the financial statements achieve fair presentation shall
include consideration of:
(a) The overall presentation, structure and content of the financial statements; and
(b) Whether the financial statements, including the related notes, represent the underlying transactions
and events in a manner that achieves fair presentation.
700.15
The auditor shall evaluate whether the financial statements adequately refer to or describe the applicable
financial reporting framework. (Ref: Para. A5-A10)
700.16
The auditor shall express an unmodified opinion when the auditor concludes that the financial statements
06/10/2010
Page 223
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
are prepared, in all material respects, in accordance with the applicable financial reporting framework.
700.17
If the auditor:
(a) concludes that, based on the audit evidence obtained, the financial statements as
a whole are not free from material misstatement; or
(b) is unable to obtain sufficient appropriate audit evidence to conclude that the financial statements as a
whole are free from material misstatement,
the auditor shall modify the opinion in the auditor’s report in accordance with ISA 705.
700.18
If financial statements prepared in accordance with the requirements of a fair presentation framework do
not achieve fair presentation, the auditor shall discuss the matter with management and, depending on the
requirements of the applicable financial reporting framework and how the matter is resolved, shall
determine whether it is necessary to modify the opinion in the auditor’s report in accordance with
ISA 705. (Ref: Para. A11)
700.19
When the financial statements are prepared in accordance with a compliance framework, the auditor is not
required to evaluate whether the financial statements achieve fair presentation. However, if in extremely
rare circumstances the auditor concludes that such financial statements are misleading, the auditor shall
discuss the matter with management and, depending on how it is resolved, shall determine whether, and
how, to communicate it in the auditor’s report. (Ref: Para. A12)
When forming an opinion, the auditor needs to ensure that the statements are prepared in accordance with
the applicable financial reporting framework, as shown in the exhibit below.
Exhibit 17.3-1
Considerations
Materiality
Conclude whether:
• Materiality remains appropriate in the context of the entity's actual
financial results.
• Uncorrected misstatements, (including uncorrected misstatements related
to prior periods) either individually or in aggregate, could result in a
material misstatement
Forming an Audit
Opinion
Audit Evidence
• Has sufficient appropriate audit evidence been obtained?
• Are the accounting estimates made by management reasonable?
• Did the analytical procedures performed at or near the end of the audit
corroborate conclusions formed during the audit?
Accounting Policies
• Do the financial statements adequately disclose the significant accounting
policies selected and applied?
• Are the accounting policies consistent with the financial reporting
framework and appropriate in the circumstances?
06/10/2010
Page 224
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Considerations
Forming an Audit
Opinion
(continued)
Financial Statement Disclosures
• Do the financial statements refer to or describe the applicable reporting
framework?
• Have all financial statement disclosures been made as required by the
applicable financial reporting framework?
• Is the terminology used in the financial statements, including the title of
each financial statement, appropriate?
• Are there adequate disclosures to enable intended users to understand the
effect of material transactions and events on the information conveyed in
the financial statements?
• Is the information presented relevant, reliable, comparable, understandable
and sufficient?
• Do the financial statements provide adequate disclosures to enable the
intended users to understand the effect of material transactions and events
on the information conveyed in the financial statements?
Fair Presentation Frameworks
• Do the overall presentation, structure and content (including the note
disclosures) faithfully represent the underlying transactions and events in
accordance with the applicable financial reporting framework? If not, is
there a need to provide disclosures beyond those specifically required by
the framework to ensure fair presentation?
• Are the financial statements, after any adjustments made by management
as a result of the audit process, consistent with the understanding obtained
about the entity and its environment?
Compliance Frameworks
• Are the financial statements misleading? This is likely only in extremely
rare circumstances.
Based on the results of the evaluations outlined above, the auditor would determine what form of audit
report (unmodified or modified) is appropriate in the circumstances.
Exhibit 17.3-2
Type of Opinion
Auditor’s Conclusions
Unmodified Opinion
The financial statements are prepared, in all material respects, in accordance
with the applicable financial reporting framework, and an unmodified opinion
would be appropriate.
Modified Opinion
(Qualified, Adverse
or Disclaimer)
06/10/2010
•
•
Based on the audit evidence obtained, the financial statements as a whole
are not free from material misstatement; or
Sufficient appropriate audit evidence could not be obtained to conclude
that the financial statements as a whole are free from material
misstatement.
Page 225
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Type of Opinion
Auditor’s Conclusions
Volume 2, Chapter 23 of this Guide addresses the subject of modifications to
the auditor’s report.
17.4
Form and Wording of the Auditor’s Report
Paragraph #
Relevant Extracts from ISAs
700.20
The auditor’s report shall be in writing. (Ref: Para. A13-A14)
700.21
The auditor’s report shall have a title that clearly indicates that it is the report of an independent auditor.
(Ref: Para. A15)
700.22
The auditor’s report shall be addressed as required by the circumstances of the engagement. (Ref: Para.
A16)
700.23
The introductory paragraph in the auditor’s report shall: (Ref: Para. A17-A19)
(a) Identify the entity whose financial statements have been audited;
(b) State that the financial statements have been audited;
(c) Identify the title of each statement that comprises the financial statements;
(d) Refer to the summary of significant accounting policies and other explanatory information; and
(e) Specify the date or period covered by each financial statement comprising the financial statements.
700.24
Management's Responsibility for the Financial Statements
This section of the auditor’s report describes the responsibilities of those in the organization that are
responsible for the preparation of the financial statements. The auditor’s report need not refer specifically
to “management,” but shall use the term that is appropriate in the context of the legal framework in the
particular jurisdiction. In some jurisdictions, the appropriate reference may be to those charged with
governance.
700.25
The auditor’s report shall include a section with the heading “Management’s [or other appropriate term]
Responsibility for the Financial Statements.”
700.26
The auditor’s report shall describe management’s responsibility for the preparation of the financial
statements. The description shall include an explanation that management is responsible for the
preparation of the financial statements in accordance with the applicable financial reporting framework,
and for such internal control as it determines is necessary to enable the preparation of financial statements
that are free from material misstatement, whether due to fraud or error. (Ref: Para. A20-A23)
700.27
Where the financial statements are prepared in accordance with a fair presentation framework, the
explanation of management’s responsibility for the financial statements in the auditor’s report shall refer
to “the preparation and fair presentation of these financial statements” or “the preparation of financial
statements that give a true and fair view,” as appropriate in the circumstances.
700.28
The auditor’s report shall include a section with the heading “Auditor’s Responsibility.”
700.29
The auditor’s report shall state that the responsibility of the auditor is to express an opinion on the
06/10/2010
Page 226
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
financial statements based on the audit. (Ref: Para. A24)
700.30
The auditor’s report shall state that the audit was conducted in accordance with International Standards on
Auditing. The auditor’s report shall also explain that those standards require that the auditor comply with
ethical requirements and that the auditor plan and perform the audit to obtain reasonable assurance about
whether the financial statements are free from material misstatement. (Ref: Para. A25-A26)
700.31
The auditor’s report shall describe an audit by stating that:
(a) An audit involves performing procedures to obtain audit evidence about the amounts and disclosures
in the financial statements;
(b) The procedures selected depend on the auditor’s judgment, including the assessment of the risks of
material misstatement of the financial statements, whether due to fraud or error. In making those risk
assessments, the auditor considers internal control relevant to the entity’s preparation of the financial
statements in order to design audit procedures that are appropriate in the circumstances, but not for
the purpose of expressing an opinion on the effectiveness of the entity’s internal control. In
circumstances when the auditor also has a responsibility to express an opinion on the effectiveness of
internal control in conjunction with the audit of the financial statements, the auditor shall omit the
phrase that the auditor’s consideration of internal control is not for the purpose of expressing an
opinion on the effectiveness of internal control; and
(c) An audit also includes evaluating the appropriateness of the accounting policies used and the
reasonableness of accounting estimates made by management, as well as the overall presentation of
the financial statements.
700.32
Where the financial statements are prepared in accordance with a fair presentation framework, the
description of the audit in the auditor’s report shall refer to “the entity’s preparation and fair presentation
of the financial statements” or “the entity’s preparation of financial statements that give a true and fair
view,” as appropriate in the circumstances.
700.33
The auditor’s report shall state whether the auditor believes that the audit evidence the auditor has
obtained is sufficient and appropriate to provide a basis for the auditor’s opinion.
700.34
The auditor’s report shall include a section with the heading “Opinion.”
700.35
When expressing an unmodified opinion on financial statements prepared in accordance with a fair
presentation framework, the auditor’s opinion shall, unless otherwise required by law or regulation, use
one of the following phrases, which are regarded as being equivalent:
(a) The financial statements present fairly, in all material respects, … in accordance with [the applicable
financial reporting framework]; or
(b) The financial statements give a true and fair view of … in accordance with [the applicable financial
reporting framework]. (Ref: Para. A27-A33)
700.36
When expressing an unmodified opinion on financial statements prepared in accordance with a
compliance framework, the auditor’s opinion shall be that the financial statements are prepared, in all
material respects, in accordance with [the applicable financial reporting framework]. (Ref: Para. A27,
A29-A33)
700.37
If the reference to the applicable financial reporting framework in the auditor’s opinion is not to
International Financial Reporting Standards issued by the International Accounting Standards Board or
International Public Sector Accounting Standards issued by the International Public Sector Accounting
Standards Board, the auditor’s opinion shall identify the jurisdiction of origin of the framework.
06/10/2010
Page 227
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
700.38
If the auditor addresses other reporting responsibilities in the auditor’s report on the financial statements
that are in addition to the auditor’s responsibility under the ISAs to report on the financial statements,
these other reporting responsibilities shall be addressed in a separate section in the auditor’s report that
shall be sub-titled “Report on Other Legal and Regulatory Requirements,” or otherwise as appropriate to
the content of the section. (Ref: Para. A34-A35)
700.39
If the auditor’s report contains a separate section on other reporting responsibilities, the headings,
statements and explanations referred to in paragraphs 23-37 shall be under the sub-title “Report on the
Financial Statements.” The “Report on Other Legal and Regulatory Requirements” shall follow the
“Report on the Financial Statements.” (Ref: Para. A36)
700.40
The auditor’s report shall be signed. (Ref: Para. A37)
700.41
The auditor’s report shall be dated no earlier than the date on which the auditor has obtained sufficient
appropriate audit evidence on which to base the auditor’s opinion on the financial statements, including
evidence that: (Ref: Para. A38-A41)
(a) All the statements that comprise the financial statements, including the related notes, have been
prepared; and
(b) Those with the recognized authority have asserted that they have taken responsibility for those
financial statements.
700.42
The auditor’s report shall name the location in the jurisdiction where the auditor practices.
700.43
If the auditor is required by law or regulation of a specific jurisdiction to use a specific layout or wording
of the auditor’s report, the auditor’s report shall refer to International Standards on Auditing only if the
auditor’s report includes, at a minimum, each of the following elements: (Ref: Para. A42)
(a) A title;
(b) An addressee, as required by the circumstances of the engagement;
(c) An introductory paragraph that identifies the financial statements audited;
(d) A description of the responsibility of management (or other appropriate term, see paragraph 24) for
the preparation of the financial statements;
(e) A description of the auditor’s responsibility to express an opinion on the financial statements and the
scope of the audit, that includes:
•
A reference to International Standards on Auditing and the law or regulation; and
•
A description of an audit in accordance with those standards;
(f)
An opinion paragraph containing an expression of opinion on the financial statements and a reference
to the applicable financial reporting framework used to prepare the financial statements (including
identifying the jurisdiction of origin of the financial reporting framework that is not International
Financial Reporting Standards or International Public Sector Accounting Standards, see paragraph
37);
(g) The auditor’s signature;
(h) The date of the auditor’s report; and
(i)
700.44
06/10/2010
The auditor’s address.
An auditor may be required to conduct an audit in accordance with the auditing standards of a specific
jurisdiction (the “national auditing standards”), but may additionally have complied with the ISAs in the
conduct of the audit. If this is the case, the auditor’s report may refer to International Standards on
Auditing in addition to the national auditing standards, but the auditor shall do so only if: (Ref: Para. A43-
Page 228
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
A44)
(a) There is no conflict between the requirements in the national auditing standards and those in ISAs
that would lead the auditor (i) to form a different opinion, or (ii) not to include an Emphasis of Matter
paragraph that, in the particular circumstances, is required by ISAs; and
(b) The auditor’s report includes, at a minimum, each of the elements set out in paragraph 43(a)(i) when
the auditor uses the layout or wording specified by the national auditing standards. Reference to law
or regulation in paragraph 43(e) shall be read as reference to the national auditing standards. The
auditor’s report shall thereby identify such national auditing standards.
700.45
When the auditor’s report refers to both the national auditing standards and International Standards on
Auditing, the auditor’s report shall identify the jurisdiction of origin of the national auditing standards.
700.46
If supplementary information that is not required by the applicable financial reporting framework is
presented with the audited financial statements, the auditor shall evaluate whether such supplementary
information is clearly differentiated from the audited financial statements. If such supplementary
information is not clearly differentiated from the audited financial statements, the auditor shall ask
management to change how the unaudited supplementary information is presented. If management refuses
to do so, the auditor shall explain in the auditor’s report that such supplementary information has not been
audited.
700.47
Supplementary information that is not required by the applicable financial reporting framework but is
nevertheless an integral part of the financial statements because it cannot be clearly differentiated from the
audited financial statements due to its nature and how it is presented shall be covered by the auditor’s
opinion.
The auditor’s report communicates the following information to the reader:
•
Responsibilities of management;
•
Responsibilities of the auditor and a description of the audit;
•
The audit was conducted in accordance with International Standards on Auditing;
•
The financial reporting framework used; and
•
The auditor’s opinion on the financial statements.
The form of the auditor’s report will be affected by the financial reporting framework used, any additional
requirements required by law or regulations and the inclusion of any supplementary information. The
auditor’s report is entitled the “Independent Auditor’s Report” and headings are required for each
paragraph as follows:
•
Report on the Financial Statements;
•
Management’s Responsibility for the Financial Statements;
•
Auditor’s Responsibility; and
•
Opinion.
Other headings for paragraphs that may be used where applicable are:
•
Emphasis of a Matter; and
06/10/2010
Page 229
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Report on Other Legal and Regulatory Requirements
The main components of the auditor’s report, which have to be in writing, are outlined in the exhibit below.
Exhibit 17.4-1
Component
Comments
Title
Independent Auditor’s Report
Using the word “independent” distinguishes the independent auditor’s report
from reports issued by others.
Addressee
Those for Whom the Report Is Prepared
(typically shareholders or those charged with governance)
This may also be dictated by the circumstances of the engagement or local
regulations.
Introductory
Paragraph
•
•
•
•
•
Identifies the entity whose financial statements have been audited.
States that the financial statements have been audited.
Identifies the title of each of the financial statements that comprise the
complete set of financial statements.
Refers to the summary of significant accounting policies and other
explanatory notes.
Specifies the date and period covered by the financial statements.
Where supplementary information is presented, explain whether it is covered
by the audit opinion or clearly differentiate it as not being covered.
Management’s [or
other appropriate
term] Responsibility
for the Financial
Statements
Explains that management is responsible for the preparation of the financial
statements in accordance with the applicable financial reporting framework.
The report states that management is responsible for:
•
The preparation and fair presentation of the financial statements in
accordance with the applicable financial reporting framework; and
•
Such internal control as management determines is necessary to enable the
preparation of financial statements that are free from material misstatement,
whether due to fraud or error.
Management responsibility includes:
• Accepting responsibility for internal control necessary to enable the
financial statements to be free from material misstatement, whether due to
fraud or error;
• Selecting and applying appropriate accounting policies;
• Ensuring the information contained in the financial statements is relevant,
reliable, comparable and understandable;
• Ensuring adequate disclosure to ensure material transactions are
understood by users of the financial statements; and
• Making accounting estimates that are reasonable in the circumstances.
06/10/2010
Page 230
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Component
Comments
Auditor’s
Responsibility
States that the responsibility of the auditor is to express an opinion on the
financial statements based on the audit. This includes:
• Stating that the audit was conducted in accordance with International
Standards on Auditing. The auditor’s report should also explain that those
standards require that the auditor comply with ethical requirements and
that the auditor plan and perform the audit to obtain reasonable assurance
about whether the financial statements are free from material
misstatement.
• Describing an audit by stating:
− An audit involves performing procedures to obtain audit evidence
about the amounts and disclosures in the financial statements,
− The procedures selected depend on the auditor’s judgment, including
the assessment of the risks of material misstatement of the financial
statements, whether due to fraud or error. In making those risk
assessments, the auditor considers internal control relevant to the
entity’s preparation of the financial statements in order to design audit
procedures that are appropriate in the circumstances but not for the
purpose of expressing an opinion on the effectiveness of the entity’s
internal control, and
− An audit also includes evaluating the appropriateness of the
accounting policies used, the reasonableness of accounting estimates
made by management as well as the overall presentation of the
financial statements.
• Stating that the auditor believes that the audit evidence the auditor has
obtained is sufficient and appropriate to provide a basis for the auditor’s
opinion.
• Where financial statements are prepared in accordance with a fair
presentation framework, the description of the audit shall refer to "the
entity's preparation and fair presentation of the financial statements" or
"the entity's preparation of financial statements that give a true and fair
view," as appropriate in the circumstances.
Auditor’s Opinion
Fair Presentation Frameworks
State whether the financial statements present fairly, in all material respects,
(or give a true and fair view of) in accordance with the applicable financial
reporting framework or such similar wording as required by law or regulation.
Compliance Frameworks
State whether the financial statements are prepared in all material respects in
accordance with the applicable financial reporting framework.
When International Financial Reporting Standards are not used as the financial
reporting framework, the wording of the opinion should identify the
jurisdiction or country of origin of the financial reporting framework (for
example, … in accordance with accounting principles generally accepted in
06/10/2010
Page 231
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Component
Comments
country X …).
Other Reporting
Responsibilities
Certain standards, laws or generally accepted practice in a jurisdiction may
require or permit the auditor to report on other responsibilities. Such matters
would be addressed in a separate paragraph following the auditor’s opinion.
Auditor’s Signature
The auditor’s signature will be based on what is appropriate for the particular
jurisdiction. It could be the firm name, personal name of the auditor or both. It
may also require the auditor’s professional accountancy designation or
reference to the fact that the auditor/firm has been recognized by the
appropriate licensing authority.
Date of Report
This is no earlier than the date on which the auditor obtained sufficient
appropriate audit evidence on which to base the opinion. This evidence
includes:
• A complete set of financial statements has been prepared;
• Consideration of the effect of events and transactions (of which the auditor
became aware) that occurred up to that date (refer to ISA 560); and
• Assertions by those with the recognized authority that they have taken
responsibility for the financial statements.
Auditor’s Address
Indicate the name of the auditor’s location in the jurisdiction where the auditor
practices.
Unmodified Audit Opinion − Fair Presentation Framework
The standard wording for an auditor’s report (from ISA 700) on general purpose financial statements
prepared in accordance with a fair presentation framework and expressing an unmodified opinion is
illustrated below.
Exhibit 17.4-2
INDEPENDENT AUDITOR’S REPORT
[Appropriate Addressee]
We have audited the accompanying financial statements of ABC Company, which comprise the
balance sheet as at December 31, 20X1, and the income statement, statement of changes in equity and
cash flow statement for the period then ended, and a summary of significant accounting policies and
other explanatory information.
Management’s Responsibility for the Financial Statements
Management is responsible for the preparation and fair presentation of these financial statements in
accordance with International Financial Reporting Standards, and for such internal control as
management determines is necessary to enable the preparation of financial statements that are free
from material misstatement, whether due to fraud or error.
06/10/2010
Page 232
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit. We
conducted our audit in accordance with International Standards on Auditing. Those standards require
that we comply with ethical requirements and plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures
in the financial statements. The procedures selected depend on the auditor’s judgment, including the
assessment of the risks of material misstatement of the financial statements, whether due to fraud or
error. In making those risk assessments, the auditor considers internal control relevant to the entity’s
preparation and fair presentation of the financial statements in order to design audit procedures that are
appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness
of the entity’s internal control. An audit also includes evaluating the appropriateness of accounting
policies used and the reasonableness of accounting estimates made by management, as well as
evaluating the overall presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis
for our audit opinion.
Opinion
In our opinion, the financial statements present fairly, in all material respects (or give a true and fair
view of) the financial position of ABC Company as at December 31, 20X1, and (of) its financial
performance and its cash flows for the period then ended in accordance with International Financial
Reporting Standards.
[Auditor’s signature]
[Date of the auditor’s report]
[Auditor’s address]
06/10/2010
Page 233
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Unmodified Audit Opinion − Compliance Framework
The standard wording for an auditor’s report on general purpose financial statements prepared in
accordance with a compliance framework and expressing an unmodified opinion is illustrated below.
Exhibit 17.4-3
INDEPENDENT AUDITOR’S REPORT
[Appropriate Addressee]
We have audited the accompanying financial statements of CDE Company, which comprise the balance
sheet as at December 31, 20X1, and the income statement, statement of changes in equity and cash flow
statement for the period then ended, and a summary of significant accounting policies and other
explanatory information.
Management’s Responsibility for the Financial Statements
Management is responsible for the preparation of these financial statements in accordance with XYZ
Law of Jurisdiction X, and for such internal control as management determines is necessary to enable
the preparation of financial statements that are free from material misstatement, whether due to fraud or
error.
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit. We
conducted our audit in accordance with International Standards on Auditing. Those standards require
that we comply with ethical requirements and plan and perform the audit to obtain reasonable assurance
about whether the financial statements are free from material misstatement.
An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in
the financial statements. The procedures selected depend on the auditor’s judgment, including the
assessment of the risks of material misstatement of the financial statements, whether due to fraud or
error. In making those risk assessments, the auditor considers internal control relevant to the entity’s
preparation of the financial statements in order to design audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s
internal control. An audit also includes evaluating the appropriateness of accounting policies used and
the reasonableness of accounting estimates made by management, as well as evaluating the presentation
of the financial statements.
We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for
our audit opinion.
Opinion
In our opinion, the financial statements of CDE Company for the period ended December 31, 20X1 are
prepared, in all material respects, in accordance with XYZ Law of Jurisdiction X.
[Auditor’s signature]
[Date of the auditor’s report]
[Auditor’s address]
06/10/2010
Page 234
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
17.5 Other Reporting Requirements
In some jurisdictions, the auditor may be required to report on matters in addition to the auditor’s
responsibility under the ISAs.
Exhibit 17.5-1
Discussion
Additional
Reporting
Requirements
The auditor may be required to comment on matters such as:
• The adequacy of the entity’s accounting records;
• Specific matters if they come to the auditor’s attention during the course of
the audit; and
• Results of performing additional specified procedures.
Report Under
Separate Heading
To ensure users understand these additional responsibilities, the auditor would
report on them within a separate section in the auditor’s report. For example,
under a new sub-heading such as “Report on Other Legal and Regulatory
Requirements”.
17.6
Supplementary Information Presented with the Financial Statements
Supplementary information is information presented with the audited financial statements but not required
by the applicable financial reporting framework. Supplementary information may be required by law,
regulation or standards or may be presented voluntarily.
Supplementary information (not required by the applicable financial reporting framework) needs to be
clearly differentiated from the audited financial statements unless it is an integral part of the audited
financial statements. If such supplementary information is not clearly differentiated, the auditor shall ask
management to change how the unaudited supplementary information is presented. If management
refuses to do so, the auditor shall explain in the auditor's report that such supplementary information has
not been audited.
Exhibit 17.6-1
Presenting Supplementary Information with the Financial Statements
Clearly
Differentiate
Supplementary
Information
•
•
•
•
Clearly label the information as “unaudited”.
Remove any cross-references from the financial statements to unaudited
supplementary information.
Place the unaudited supplementary information outside of the financial
statements.
Identify the page numbers in the auditor’s report on which the audited
financial statements are presented.
The fact that supplementary information is not audited does not relieve the auditor of the responsibility to
ensure that the information is not misleading or inconsistent with the other information contained in
audited financial statements. Refer to volume 1 chapter 15.9 that addresses ISA720 - Other Information in
Documents Containing Audited Financial Statements.
06/10/2010
Page 235
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
17.7
Audits Conducted in Accordance with ISAs and National Auditing
Standards
Where the auditor is required to report on compliance with national auditing standards and the ISAs,
reference would be made to both sets of standards in the auditor’s report.
A reference to both International Standards on Auditing and the national auditing standards is appropriate
when the following conditions are met.
Exhibit 17.7-1
Conditions
•
Refer to Compliance
•
With both ISAs and
National Standards
•
•
The auditor’s report complies with each of the ISAs relevant to the audit.
All further audit procedures, necessary to comply with national standards,
have been performed.
The jurisdiction or country of origin of the auditing standards has been
identified in the auditor’s report.
All elements (see Exhibit 17.4-1) of the standard auditor’s report (even if
using the layout and wording specified by national laws or regulations)
have been included.
A reference to both International Standards on Auditing and the national auditing standards is not
appropriate where a conflict exists between the requirements in ISAs and those in the national auditing
standards that would result in:
•
The auditor forming a different opinion on the national standards than that appropriate for the ISA
standards; and
•
Omission of additional information such as an Emphasis of Matter paragraph that is required by the
ISAs but not permitted under national standards.
17.8
Modified Auditor Reports
Please refer to Volume 2, Chapter 23 of this Guide, which addresses modifications to the auditor’s report.
06/10/2010
Page 236
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Volume 2
Practical Guidance
06/10/2010
Page 237
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
VOLUME 1 CONTENTS
Primary ISA Reference
Page
Number
Preface
1.
How to Use the Guide
2.
Clarified ISAs
BASIC CONCEPTS
3. The Risk-Based Audit – Overview
CORE CONCEPTS
4. Ethics, Independence, ISAs and Quality Control
Multiple
ISQC 1, 200, 220
5. Internal Control – Purpose and Components
315
6. Financial Statement Assertions
315
7. Materiality and Audit Risk
320
8. Risk Assessment Procedures
9. Responding to Assessed Risks
10. Further Audit Procedures
240, 315
240, 300, 330, 500
330, 505, 520
11. Accounting Estimates
540
12. Related Parties
550
13. Subsequent Events
560
14. Going Concern
570
15. Summary of Other ISA Requirements
16. Audit Documentation
17. Forming an Opinion on Financial Statements
06/10/2010
250, 402, 501,
510, 600, 610, 620, 720
ISQC1, 220, 230, 240, 300,
315, 330
700
Page 238
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
VOLUME 2 CONTENTS
Primary ISA Reference
1.
How to Use the ISA Audit Guide
2.
Introduction to the Case Studies
Page
Number
PHASE 1: RISK ASSESSMENT
3.
Risk Assessment – Overview
Preliminary Activities
4. Client Acceptance and Continuance
ISQC 1, 210, 220, 300
Planning the Audit
5. Overall Audit Strategy
6. Determining and Using Materiality
RISK ASSESSMENT
7. Audit Team Discussions
300
320, 450
240, 300, 315
Performing Risk Assessment Procedures
8. Inherent Risks — Identification
240,315
9. Inherent Risks — Assessment
240,315
10. Significant Risks
240, 315, 330
11. Understanding Internal Control
315
12. Evaluating Internal Control
315
13. Communicating Deficiencies in Internal Control
265
14. Concluding the Risk Assessment Phase
315
PHASE II: RISK RESPONSE
15. Risk Response – An Overview
16. The Responsive Audit Plan
17. Determining the Extent of Testing
260, 300, 330, 500
330, 500, 530
18. Documenting Work Performed
230, 500
19. Management Representations
580
PHASE III: REPORTING
06/10/2010
Page 239
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
20. Reporting – Overview
21. Evaluating Audit Evidence
22. Communicating with Those Charged with
Governance
06/10/2010
220, 330, 450, 520, 540
260, 450
23. Modifications to the Auditor’s Report
705
24. Emphasis of Matter and Other Matter Paragraphs
706
25. Comparative Information
710
Page 240
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
This page is intentionally left blank.
06/10/2010
Page 241
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
1.
HOW TO USE THE GUIDE
The purpose of this Guide is to provide practical guidance to practitioners conducting audit engagements
for small- and medium-sized entities (SMEs). However, no material in the Guide should be used as a
substitute for:
•
Reading and understanding of the ISAs
It is assumed that practitioners have read the text of the International Auditing standards as published
in the 2010 edition of IFAC’s The Handbook of International Quality Control, Auditing, Review,
Other Assurance, and Related Services Pronouncements. ISA 200.19 states that the auditor shall have
an understanding of the entire text of an ISA, including its application and other explanatory material,
to understand its objectives and to apply its requirements properly.
•
Use of professional judgment
The exercise of professional judgment is required at various stages in planning and performing an
audit of financial statements.
While it is expected that small- and medium-sized practices (SMPs) will be a significant user group, this
Guide is intended to help all practitioners to implement ISAs on SME audits.
The Guide offers a practical “how-to” audit approach that practitioners may use when undertaking a riskbased audit of a SME.
This Guide can be used to:
•
Develop a deeper understanding of an audit conducted in compliance with the ISAs;
•
Develop a staff manual (supplemented as necessary for local requirements and a firm’s procedure) to
be used for day-to-day reference and as a basis for training sessions and individual study and
discussion; and
•
Ensure staff adopt a consistent approach to planning and performing an audit;
This Guide often refers to an audit team, which implies more than one auditor is involved in conducting
the audit engagement. However, the same general principles also apply to audit engagements performed
exclusively by one person (the practitioner).
1.1
Customization of the Guide
Translation
To facilitate translation, the Guide has used ISA terminology to the maximum extent possible. In
situations where ISA terminology was not available for use, the author made every attempt to use
terminologies that could be easily translated.
Currency
A non-specific common currency unit of CU (Є) has been used. During translation, individual countries
may choose to change the currency to a local or standard international currency.
National Adaptation
In situations where the national standards differ from the ISAs (whether for legislative or other reasons),
this Guide may provide a starting point and be adapted for the national requirements.
1.2
Content and Organization
06/10/2010
Page 242
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Rather than just summarize each ISA in turn, the Guide has been organized into two volumes. The first
volume of this Guide addresses key audit concepts such as materiality, internal control and the type and
nature of audit procedures. The second volume focuses on how to apply these concepts in practice. It
follows the typical stages of an audit from engagement acceptance, planning and risk assessment through
to risk response, evaluating audit evidence and forming an audit opinion. However, to avoid repetition
Volume 2 has not repeated the requirements of ISAs that address specific audit issues such as estimates,
related parties, subsequent events and going concern. Volume 1 summarizes these requirements either as
a separate chapter or as part of Chapter 15, which is entitled “Summary of Other ISA Requirements”.
The two volumes are entitled:
•
Volume 1 — Core Concepts
•
Volume 2 — Practical Guidance.
Summary of Organization
Each chapter in this Guide has been organized in the following format:
•
Chapter Title
•
Audit Process Chart – Extract
Most chapters contain an extract from the audit process chart (where applicable) to highlight the
particular activities that will be addressed in the chapter.
•
Chapter Content
This outlines the content and purpose of the chapter.
•
Relevant ISAs
Most chapters in this Guide begin with some extracts from the ISAs that are relevant to the chapter
content. These extracts include relevant requirements and, in some cases, the objectives, selected
definitions and application material. The inclusion of these extracts is not meant to infer that other
material in the ISA not specifically mentioned or other ISAs that relate to the subject matter do not
need to be considered. The extracts in the Guide are based solely on the judgment of the authors as to
what is relevant for the content of each particular chapter. For example, the requirements of ISA 200,
220 and 300 have applicability throughout the audit process but have only been addressed specifically
in one or two chapters.
•
Overview and Chapter Material
The overview in each chapter provides:
– Extracts from applicable ISAs; and
– An overview of what is addressed in the chapter.
The overview is followed by a more detailed discussion of the subject matter and practical step-bystep guidance/methodology on how to implement the relevant ISAs. This can include some crossreferences to the applicable ISAs.
•
Consider Point
A number of Consider Points are included throughout the Guide. These Consider Points provide
practical guidance on audit matters that can easily be overlooked or where practitioners often have
difficulty in understanding and implementing certain concepts.
The Guide also makes reference to, but does not outline, the requirements of the Code of Ethics for
Professional Accountants issued by the IESBA (the IESBA Code) effective as of January 1, 2010 and
the requirements of International Standards on Quality Control 1 (ISQC 1), Quality Control for Firms
06/10/2010
Page 243
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services
Engagements
•
Illustrative Case Studies
To demonstrate how the ISAs can be applied in practice, Volume 2 of the Guide includes two simple
case studies. At the end of most chapters within Volume 2, one possible approach to documenting the
application of the ISA requirements is discussed. Please refer to Volume 2, Chapter 2 of this Guide
for details about the case studies.
Note:
The purpose of the case studies and the documentation presented are purely illustrative. The
documentation provided is a small extract from a typical audit file and it illustrates just one
possible way of complying with the ISA requirements. The data, analysis and commentary
provided represent only some of the circumstances and considerations that the auditor will
need to address in a particular audit. As always, the auditor must exercise professional
judgment.
The first case study is based on a fictional entity called Dephta Furniture. This is a local, family-owned
furniture manufacturer with 10 full-time employees. The entity has a simple governance structure, few
levels of management and straightforward transaction processing. The accounting function uses an offthe-shelf, standard software package. The second case study is based on another fictional entity called
Kumar & Co. This is a micro-sized entity with two full-time staff plus the owner and one part-time
bookkeeper.
1.3
Glossary of Terms
Refer to the glossary of terms in the 2010 edition of IFAC’s The Handbook of International Quality
Control, Auditing, Review, Other Assurance, and Related Services Pronouncements for terms that are
used throughout the ISAs and in this Guide.
1.4
Acronyms Used in the Guide
AR
Assertions
(combined)
CAATs
CU
F/S
HR
IAASB
IC
IESBA Code
IFAC
IFRS
ISAs
06/10/2010
Accounts receivable
C= Completeness
E = Existence
A = Accuracy and cut off
V = Valuation
Computer-assisted audit techniques
Currency units (standard currency unit is referred to as “Є”)
Financial statements
Human resources
International Auditing and Assurance Standards Board
Internal Control. The five major components of internal control are as follows:
CA = Control activities
CE = Control environment
IS = Information systems
MO = Monitoring
RA = Risk assessment
IESBA Code of Ethics for Professional Accountants
International Federation of Accountants
International Financial Reporting Standards
International Standards on Auditing
Page 244
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
ISAEs
IAPSs
ISQCs
ISREs
ISRSs
IT
PC
R&D
RMM
RAPs
SME
SMP
TOC
TCWG
1.5
International Standards on Assurance Engagements
International Auditing Practice Statements
International Standards on Quality Control
International Standards on Review Engagements
International Standards on Related Services
Information technology
Personal computer
Research and development
Risks of material misstatement
Risk assessment procedures
Small- and medium-sized entities
Small- and medium-sized (accounting) practices
Tests of controls
Those charged with governance
Other Terms Used in the Guide
Anti-Fraud Controls
These are controls designed by management to prevent, detect and/or correct frauds. With respect to
management override, these controls may not prevent a fraud from occurring but would act as a deterrent
and make perpetrating a fraud more difficult to conceal. Typical examples are:
•
Policies and procedures that provide additional accountability, such as signed approval for journal
entries;
•
Improved access controls for sensitive data and transactions;
•
Silent alarms;
•
Discrepancy and exception reports;
•
Audit trails;
•
Fraud contingency plans;
•
Human resource procedures such as identifying/monitoring individuals with above-average fraud
potential (for example, an excessively lavish lifestyle); and
•
Mechanisms for reporting potential frauds anonymously.
Entity Level Controls
Entity level controls address pervasive risks. They set the “tone at the top” of an organization and to
establish expectations for the control environment. They are often less tangible than controls that operate
at the transaction level but have a pervasive and significant impact and influence over all other internal
controls. As such, they form the all-important foundation upon which other internal controls (if any) are
built. Examples of entity level controls include management’s commitment to ethical behavior, attitudes
toward internal control, hiring and competence of staff employed, anti-fraud and period-end financial
reporting. These controls will have an impact on all other business processes operating within the entity.
Management
The person(s) with executive responsibility for the conduct of the entity's operations. For some entities in
some jurisdictions, management includes some or all of those charged with governance, for example,
executive members of a governance board, or an owner-manager.
Those Charged with Governance
The person(s) or organization(s) (for example, a corporate trustee) with responsibility for overseeing the
06/10/2010
Page 245
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
strategic direction of the entity and obligations related to the accountability of the entity. This includes
overseeing the financial reporting process. For some entities, in some jurisdictions, those charged with
governance may include management personnel, for example, executive members of a governance board
of a private or public sector entity, or an owner-manager. In some smaller entities, however, one person
may be charged with governance, for example, the owner-manager where there are no other owners, or a
sole trustee. When governance is a collective responsibility, a subgroup such as an audit committee or
even an individual, may be charged with specific tasks to assist the governing body in meeting its
responsibilities. Alternatively, a subgroup or individual may have specific, legally identified
responsibilities that differ from those of the governing body.
Owner-Manager
This refers to the proprietors of an entity who are involved in the running of the entity on a day-to-day
basis.
In most instances, the owner-manager will also be the person charged with governance of the entity.
IAASB Pronouncements
This Guide focuses exclusively on the ISAs (other the 800 series) that apply to audits of historical
financial information.
Other IFAC Publications
The following IFAC publications may also be read in conjunction with this Guide:
•
IESBA Code of Ethics for Professional Accountants
•
Guide to Quality Control for Small- and Medium-Sized Practices.
06/10/2010
Page 246
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
2.
INTRODUCTION TO THE CASE STUDIES
To illustrate how the various aspects of the audit process can be documented in practice, two case studies
have been developed based on a fictional medium-sized and very small entity. The first scenario (Case
Study A) is a furniture company called Dephta Furniture Inc. that employs 10 people. The second
scenario (Case Study B) is Kumar & Co., a small entity with two people. The company mainly supplies
goods to Dephta Furniture Inc. Both organizations have decided to use the IFRS reporting framework.
Readers are cautioned that these case studies are purely illustrative. The documentation
provided is a small extract from a typical audit file and it illustrates just one possible way of
complying with the ISA requirements. The data, analysis and commentary provided represent
only some of the circumstances and considerations that the auditor will need to address in a
particular audit. As always, the auditor must exercise professional judgment.
Case Study A ─ Dephta Furniture Inc.
Background
Dephta Furniture Inc. is a family-owned furniture manufacturing company. It produces various
kinds of wooden household furniture, both ready-made and custom built. Dephta has an excellent
reputation for producing quality products.
The company has three major product lines: bedroom sets, dining room sets and tables of all
sorts. Standard pieces of furniture can also be customized for specific needs. To tap into the
power of the Internet, the company recently set up a web site where people can buy furniture
directly and pay by credit card. During the last period, the company shipped custom orders as far
as 900 kilometers away.
The manufacturing facility is located on an acre of land adjacent to Suraj Dephta’s house. An
addition on the west side of Suraj’s home acts as Dephta Furniture’s shop. Major decisions are
often made around the dining room table (which is the first table that Suraj and his father built
together). He likes the symbolism of sharing a meal on the product that produces his family’s
money for food.
Industry Trends
Until recently Dephta had been growing rapidly. However, the furniture industry is currently
experiencing challenging times due to:
•
A declining economy due to a world-wide recession;
•
People are limiting their spending on discretionary goods, including furniture;
•
Competition;
•
Pressure to reduce prices to attract sales; and
•
Some furniture parts manufacturers have gone out of business causing some production
delays.
Governance
The company was started in 1952 by Suraj’s father, Jeewan Dephta. Jeewan first made wooden
spindles and banisters with one lathe in a small workshop next to the family home.
06/10/2010
Page 247
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The company does not have a formal governance structure. Jeewan and Suraj prepare a business
plan each period and then meet once a month with a successful local businessman, Ravi Jain, to
review their progress against the plan. They also pay Ravi to comment on the practicality of their
new dreams and ideas for the business, review the operating results and provide advice on how to
deal with any specific issues that have arisen.
Ravi’s daughter, Parvin (a lawyer by training) usually accompanies her father to the meetings with
Suraj and Jeewan. Parvin offers some legal advice, but her true passion lies in marketing and
promotion. It was Parvin’s idea that Dephta Furniture should expand its boundaries and start selling
their products on the Internet. She also pushed for expansion outside their local region and even to
neighboring countries. Perhaps by accessing additional markets, sales levels can be maintained
despite the current economic downturn.
Personnel
Dephta Furniture Inc. has a full-time staff of 10 employees. About six of these employees are related
in some way to the family. Most of the family members work in the production area (as needed) in
addition to the roles outlined in the chart below. During busy periods, two to four temporary workers
may be employed as necessary. A few of the temporary workers return regularly but, because of the
lack of job security, turnover is quite high.
As managing director, Suraj Dephta oversees all aspects of the business. Arjan Singh is in charge of
sales and he is assisted by two full-time salespeople. Dameer, Suraj’s brother, looks after
production, which includes ordering raw materials and managing the inventory. Because the facility’s
space is limited, Suraj and Dameer are never too far away from the production process and they
share the task of supervising the two staff members.
Jawad Kassab (a cousin of Suraj) is in charge of the finance function and information technology
(IT), and has two staff in his group.
06/10/2010
Page 248
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Ownership
Jeewan is the principal shareholder with a 50% interest in the company. He has plans to start
transferring the shares to his son, Suraj, as long as Suraj continues to manage the company on a
full-time basis and the company remains profitable as a result.
Suraj and his sister, Kalyani, both hold a 15% interest respectively.
The remaining 20% is held by a family friend, Vinjay Sharma. Vinjay is a wealthy investor who has
provided much of the capital needed to grow the company.
Kalyani is a well-known singer who travels extensively. She is not involved in the operations of the
company and totally relies on her father and brother to look after her interests.
In June of each period, Jeewan organizes a more formal business meeting. The shareholders meet
in the morning (primarily to review the financial statements) and, later in the afternoon, hold a party
for all staff. Suraj uses this occasion to tell the staff how well the business is doing and what the
plans are for the future.
Operations
The company started out manufacturing chairs, tables and spindles for railings and banisters, and
has since expanded into making simple household furniture such as dressers, wardrobes and
cabinets. Dephta Furniture has grown considerably through strategies such as:
•
Providing quality products at fair prices to local customers;
•
Accepting larger furniture orders from national retailers. These large orders come with a firm
delivery deadline (there are major penalties for late delivery) and the profit margins are much
tighter than those for custom-made furniture;
•
Being the first company in the region to sell (limited products) over the Internet; and
•
Manufacturing parts such as spindles and round table legs for other local furniture
manufacturers. This has enabled the company to purchase expensive lathes and specialized
tools that other companies cannot afford.
Dephta also sells scrap furniture and wood (pieces rejected in the quality control process) at the
factory for cash only.
Exporting furniture to neighboring countries is also being considered. Suraj recognizes that this will
mean higher shipping costs, dealing with customs, foreign currency exchange risk and the potential
for damage during transport. Although selling to neighboring countries mean higher costs, it seems
06/10/2010
Page 249
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
to be a small price to pay to access potential new customers. Also, Parvin knows many people in
local government and thinks she can help to facilitate the extra paperwork involved.
Sales
The sales breakdown is approximately:
•
Standard furniture (from catalogue) from sales that are negotiated
in person at the store:
40%
•
Sales to furniture retailers:
30%
•
Made-to-order (custom-built) furniture:
15%
•
Internet sales:
12%
•
Scrap sales from factory:
3%
Arjan Singh is a great dealmaker. He is very persistent when negotiating with customers and usually
gets the sale, although the profit margins can be slim. Despite the economic downturn, he recently
bought a beautiful family home overlooking the valley.
•
Notes on the sales system
– Sales contracts are prepared for retail and specialized orders. Deposits of 15% of the order
are required on all custom orders, which are recorded as sales revenue when received. Two
of the large retailers require Dephta to keep 30 days of inventory on hand so that orders can
be shipped quickly to the stores when needed. These contracts also have provisions for
inventory to be returned to Dephta if it doesn’t sell within a specified time period.
– Sales orders are manually filled at the time of sale, except for furniture sold directly from the
shop or other small items on hand. All orders over 500Є or where the sale price is below the
minimum sale price must be approved by Arjan. Invoices are prepared when the items are
shipped and sent to the customer.
– For all sales out of the shop, invoices are prepared at the time of sale and entered into the
accounting system, which automatically numbers each sales transaction and provides an
order receipt upon request.
06/10/2010
Page 250
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
–
–
–
–
A summary of the day’s Internet sales is downloaded from the web site. Details of the items
ordered are prepared and given to the production department. An invoice is prepared at the
same time and recorded into revenue, as the item has already been paid for on the
customer’s credit card. The invoice marked “paid in full” accompanies all Internet orders that
have been shipped.
Arjan rarely performs credit checks on customers. He knows most of them. In the past,
customers paid cash upon delivery; currently, credit is granted to match the terms that
Dephta Furniture’s competitors are providing. As a result, Dephta Furniture requires a line of
credit from the bank. Each period, the number of bad debts seems to be growing.
At the end of each month, Suraj reviews the sales and accounts receivable listing. He
ensures there are no obvious mistakes and personally calls every customer whose account
is over 90 days.
Each member of the sales staff (including Arjan) receives a commission of 15% on each sale
in addition to a minimum base salary. To motivate the salespeople, their base salary is well
below the salaries of most of the other employees. The computer system tracks sales made
by each salesperson. Jawad prints off a report each month and prepares a listing of
commissions that will be paid on the following week’s payroll. Either Suraj or Dameer
reviews the listing of commissions and the sales to ensure the staff are paid the correct
amount. Arjan receives by far the most sales commission.
Information Technology
The system consists of six PCs and a server that is used for hosting the Internet site. The internal
system is mainly used for email, order taking and accounting.
The company runs weekly back-ups of the accounting system on an external hard drive that is kept
in the safe next to the computer room. Firewall protection and password protection have all been
added in the last two periods. Last period, two PCs were stolen from the office. Access to the offices
is now better secured, the PCs are chained to desks and the server is locked in a separate and
specially cooled office.
Internet sales are managed by Jawad. The company has an agreement with the bank to process the
credit cards before any order is approved for shipping and pays the bank 7% on each order
processed. The application program for Internet sales provides the details of each sale, including the
customer’s name, address and the items ordered. Internet transactions are downloaded daily from
the web site and sales orders are prepared and forwarded to the production department.
Human Resources and Payroll
All hiring decisions are made by Dameer and Suraj. Like his father, Suraj is committed to hiring
competent people and expects loyalty from his employees.
Employees are paid in cash at the beginning of each week. One of Jawad’s staff, Karla Winston, is
responsible for payroll. She has a list of employees and calculates the payroll and deductions based
on time card summaries that Dameer provides to her. Suraj reviews payroll each Monday morning
before instructing Karla to hand the envelopes to employees. All employees sign a list when they
pick up their envelope. The company does not keep formal employee records.
Purchasing and Production
Dameer is responsible for purchasing and production. Because the inventory system is not very
sophisticated, he tends to over-order some items, which often results in inventory sitting in the
warehouse gathering dust. This is considered better than under-ordering supplies, which results in
production delays.
06/10/2010
Page 251
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Notes on the purchasing function
– At least two quotes must be obtained before purchases over 5,000Є are approved. The
exception is wood supplied by the local wood mill where Dephta has negotiated a five-year
exclusive supply contract.
– The company prepares purchase orders for all inventory or capital purchases over 1,000Є.
– Dameer approves all new vendors and supplies the details to Jawad. Jawad then sets up the
vendors in the system and enters details of invoices received.
Accounting and Finance
Jawad studied accounting at university and is well-versed in accounting and financial matters. When
he joined Dephta two years ago, he quickly introduced the “Sound Accounting” software package by
Onion Corp. with its integrated accounts payable, accounts receivable and capital assets modules.
•
Notes on the accounting and finance function
– At present, the company does not have a perpetual inventory system. Inventory is counted
twice a period, once at period-end and once halfway through the period. This ensures that
profit margins on sales can be accurately calculated at least twice a period.
– Jawad has been frustrated by the lack of controls over inventory. He had suggested to Suraj
that inventory be counted at least four times per period to ensure that margins are reviewed
throughout the period. Suraj had overridden his recommendation, stating that it would be too
disruptive to count inventory so often and it could cause the company to miss deadlines.
– Although Dephta has been profitable, the gross margins have been inconsistent. Jawad does
not have an explanation as to why inventory costs are not tracked by product line.
– Suraj gets very annoyed at having to pay any form of income tax and usually pressures
Jawad to ensure that accruals are “more than adequate”.
Note: The following income statement and balance sheet were prepared by management. Notes to
the financial statements or a cash flow statement have not been included.
06/10/2010
Page 252
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Appendix A
Dephta Furniture Inc.
Income Statement
(in Currency Units (Є))
For the year ended December 31
20X2
Sales
20X1
20X0
1,437,317Є
1,034,322Є
879,933
689,732
528,653
557,384
344,590
328,747
64,657
41,351
39,450
323,283
206,754
197,248
Finance cost
19,471
19,279
15,829
Depreciation
23,499
21,054
10,343
430,910
288,438
262,870
126,474
56,152
65,877
31,619
14,038
16,469
94,855Є
42,114Є
49,408Є
Cost of goods sold
Gross profit
Distribution costs
Administrative expenses
Profit before tax
Income taxes
Net income
06/10/2010
857,400Є
Page 253
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Appendix B
Dephta Furniture Inc.
Balance Sheet
(in Currency Units (Є))
As at December 31
20X2
20X1
20X0
ASSETS
Current assets
Cash and cash equivalents
22,246Є
32,522Є
22,947Є
Trade and other receivables
177,203
110,517
82,216
Inventories
156,468
110,806
69,707
12,789
10,876
23,877
368,706
264,721
198,747
195,821
175,450
103,430
564,527Є
440,171Є
302,177Є
Bank indebtedness
123,016Є
107,549Є
55,876Є
Trade and other payables
113,641
107,188
50,549
Income tax payable
31,618
14,038
16,470
Current portion of interestbearing loan
10,000
10,000
10,000
278,275
238,775
132,895
70,000
80,000
90,000
18,643
18,643
18,643
197,609
102,753
60,639
564,527Є
440,171Є
Prepayments and other
Non-current assets
Property, plant and equipment
EQUITY AND LIABILITIES
Current liabilities
Non-current liabilities
Interest-bearing loan
Capital and reserves
Issued capital
Accumulated profits
06/10/2010
302,177Є
Page 254
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study B ─ Kumar & Co.
Background
Kumar & Co. was started in 1990 by Rajesh (Raj) Kumar. It is an incorporated company, but
consists of two production personnel, Rajesh as the owner-manager and some part-time
bookkeeping assistance.
As a young boy, Raj learned the woodcrafting trade from his father, Sanjay. When Sanjay first took
young Raj under his wing, he saw that Raj also had a natural talent for woodworking, and that made
him proud.
After his father died in 1976, Raj decided to invest his small savings in opening his own furniture
shop, which he called Kumar & Co.
Business Proposition
Raj’s business was initially focused on producing small wooden household furniture. However, soon
after starting the business, his cousin, Suraj (of Dephta Furniture) approached him with a business
proposition. Suraj asked that Raj dedicate most of his time and attention to creating spindles and
table legs for furniture the Deptha factory produced. The price Deptha was willing to pay for his
products allowed him a greater profit margin than he could get with any of his other handiwork. Raj
agreed.
To encourage Raj to focus his business on serving Deptha’s supply needs, Deptha purchased a
15% ownership stake in Kumar. This helped Kumar purchase new lathes and tools to improve
production efficiency.
Industry Trends
The furniture industry is currently facing a challenging economy. Kumar & Co. has experienced
healthy and steady growth, but if the demand for products from Deptha declines, Kumar’s sales will
also be hurt. Raj still takes some custom furniture orders but Dephta constitutes approximately 90%
of his business.
Production
Kumar & Co. is an owner-managed company, with Raj owning 85% of the shares. There are two fulltime production personnel in addition to Raj. He is used to long work days and works most
weekends, simply to keep up with the orders from Dephta.
In the current period, though, Raj is rarely in the office or workshop. He does the minimum required
to meet demands but has not been nearly as involved in approving orders, supply purchases or
record-keeping as he once was. Apparently he is dealing with some issues at home. Raj’s teenage
son recently developed a health problem that is threatening to ruin the family’s reputation.
At the beginning of the period, Kumar obtained new bank financing to buy necessary raw materials
and to replace some aging equipment. The loan came with bank covenants that must be maintained
or the funds could be recalled.
Raj deals directly with Deptha personnel on orders and logs them in a notebook. The accountant
then creates invoices and receives payments. He personally organizes shipping and maintains an
order/shipping log.
Raj maintains good records and keeps the following information updated:
•
Order/shipping log: date order was placed, amount, type, pricing, date promised, method of
delivery, quantity sold/shipped, date shipped and if paid;
06/10/2010
Page 255
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Sales log: customer name, date shipped, order details (product type, quantity, type of wood,
special requests, etc.), price, amount paid; and
•
Purchases log: segregated between materials and other items.
Raj matches the shipping log to the sales log each week to ensure that no shipments are missed.
Accounting
Kumar & Co.’s part-time bookkeeper, Ruby, has been working with Raj for over 10 years and is very
competent. She maintains the accounting records and creates the monthly and annual financial
statements. However, she feels that Raj takes her services for granted. He has not increased her
salary in the last three years. Ruby has two children who she wants to go to college but is worried
about how the tuition will be paid.
Appendix A
Kumar & Co.
Income Statement – Prepared by Management
For the year ended December 31
20X2
20X1
20X0
Sales
231,540Є
263,430Є
212,818Є
Cost of goods sold
118,600
122,732
100,220
112,940
140,698
112,598
Distribution costs
13,002
19,450
12,890
Administrative expenses
71,532
91,318
68,101
Finance cost
6,480
0
0
Depreciation
11,541
6,871
5,020
102,555
117,639
86,011
10,385
23,059
26,587
5,765
6,420
8,988
16,639Є
17,599Є
Gross profit
Profit before tax
Income taxes
Net income
06/10/2010
4,620Є
Page 256
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Appendix B
Kumar & Co.
Balance Sheet – Prepared by Management
As at December 31
20X2
20X1
20X0
ASSETS
Current assets
Cash and cash equivalents
1,255Є
10,822Є
6,455Є
Trade and other receivables
67,750
65,110
34,100
Inventories
34,613
15,445
12,607
103,618
91,377
53,162
54,430
22,468
20,216
158,048Є
113,845Є
Trade and other payables
53,100Є
48,820
36,500
Current portion of interestbearing loan
4,000
0
0
57,100
48,820
36,500
31,000
0
0
Issued capital
10,580
10,580
10,580
Accumulated profits
59,368
54,445
26,298
158,048Є
113,845Є
Property, plant and equipment
73,378Є
EQUITY AND LIABILITIES
Current liabilities
Non-current liabilities
Interest-bearing loan
Capital and reserves
06/10/2010
73,378Є
Page 257
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
This page is intentionally left blank.
06/10/2010
Page 258
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
3.
RISK ASSESSMENT – OVERVIEW
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Response
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Develop appropriate
responses to the
assessed RMM3
Implement responses
to assessed RMM3
Evaluate the audit
evidence obtained
Reporting
Documentation1
yes
Reduce audit risk
to an acceptably
low level
Work performed
Audit findings
Staff supervision
Working paper review
Determine what
additional audit work
(if any) is required
Is
additional
work
required?
no
Prepare the
auditor’s report
Form an opinion
based on audit
findings
Significant decisions
Signed audit opinion
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph #
06/10/2010
ISA Objective(s)
Page 259
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
ISA Objective(s)
315.3
The objective of the auditor is to identify and assess the risks of material misstatement, whether due to
fraud or error, at the financial statement and assertion levels, through understanding the entity and its
environment, including the entity’s internal control, thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement.
A simpler way of describing the three elements is illustrated below.
Exhibit 3.0-1
* An “event” is simply a business or fraud risk factor (see descriptions in Volume 1, Chapter 3, Exhibit
3.2-2) that, if it actually occurred, would adversely affect the entity’s ability to achieve its objective of
preparing financial statements that do not contain material misstatements resulting from error and fraud.
This would also include risks resulting from the absence of internal control to mitigate the potential for
material misstatements in the financial statements.
The major steps involved in the risk assessment phase of the audit, in the order they would normally be
performed, are outlined in the following exhibit.
Exhibit 3.0-2
06/10/2010
Page 260
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
The core concepts addressed in the risk assessment phase are set out below.
Core Concepts Risk Assessment Phase Chapter
Internal Control
V1 - 5
Financial Statement Assertions
V1 - 6
Materiality and Audit Risk
V1 - 7
Risk Assessment Procedures
V1 - 8
06/10/2010
Page 261
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
This page is intentionally left blank.
06/10/2010
Page 262
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
4.
ENGAGEMENT ACCEPTANCE AND CONTINUANCE
Chapter Content
Relevant ISAs/ISQC 1
Guidance on procedures required to:
•
Identify and assess risk factors relevant to deciding
whether to accept or decline the audit engagement;
and
•
Agree upon and document the terms of the
engagement.
210, 220, 300
and ISQC 1
Exhibit 4.0-1
Activity
Purpose
Documentation1
Listing of risk factors
Independence
Engagement letter
Perform preliminary
engagement
activities
The major steps in the engagement acceptance/continuance process are outlined below.
Exhibit 4.0-2
Process to accept/continue with an audit engagement
Does firm have
resources, time
& competence?
Is the firm
independent and
free from conflict?
Are risks involved
acceptable?
Document procedures performed and how threats and issues were resolved
Are the audit
preconditions
present?1
1
Any scope
limitations?
Agree terms
of engagement
Accept or
Continue?
Yes
No
Stop
Prepare/sign
engagement
letter
For further information, refer to Volume 2, Chapter 4.3.
Paragraph #
06/10/2010
ISA Objective(s)
Page 263
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
ISA Objective(s)
210.3
The objective of the auditor is to accept or continue an audit engagement only when the basis upon which
it is to be performed has been agreed, through:
(a)
Establishing whether the preconditions for an audit are present; and
(b)
Confirming that there is a common understanding between the auditor and management and,
where appropriate, those charged with governance of the terms of the audit engagement.
06/10/2010
Page 264
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs/ISQC 1
210.4
For purposes of the ISAs, the following term has the meaning attributed below:
Preconditions for an audit – The use by management of an acceptable financial reporting framework in the
preparation of the financial statements and the agreement of management and, where appropriate, those
charged with governance to the premise on which an audit is conducted.
ISQC1.26
The firm shall establish policies and procedures for the acceptance and continuance of client relationships
and specific engagements, designed to provide the firm with reasonable assurance that it will only
undertake or continue relationships and engagements where the firm:
(a) Is competent to perform the engagement and has the capabilities, including time and resources, to do
so; (Ref: Para. A18, A23)
(b) Can comply with relevant ethical requirements; and
(c) Has considered the integrity of the client, and does not have information that would lead it to
conclude that the client lacks integrity. (Ref: Para. A19-A20, A23)
ISQC1.27
Such policies and procedures shall require:
(a) The firm to obtain such information as it considers necessary in the circumstances before accepting
an engagement with a new client, when deciding whether to continue an existing engagement, and
when considering acceptance of a new engagement with an existing client. (Ref: Para. A21, A23)
(b) If a potential conflict of interest is identified in accepting an engagement from a new or an existing
client, the firm to determine whether it is appropriate to accept the engagement.
(c) If issues have been identified, and the firm decides to accept or continue the client relationship or a
specific engagement, the firm to document how the issues were resolved.
ISQC1.28
The firm shall establish policies and procedures on continuing an engagement and the client relationship,
addressing the circumstances where the firm obtains information that would have caused it to decline the
engagement had that information been available earlier. Such policies and procedures shall include
consideration of:
(a) The professional and legal responsibilities that apply to the circumstances, including whether there is
a requirement for the firm to report to the person or persons who made the appointment or, in some
cases, to regulatory authorities; and
(b) The possibility of withdrawing from the engagement or from both the engagement and the client
relationship. (Ref: Para. A22-A23)
220.12
The engagement partner shall be satisfied that appropriate procedures regarding the acceptance and
continuance of client relationships and audit engagements have been followed, and shall determine that
conclusions reached in this regard are appropriate. (Ref: Para. A8-A9)
220.13
If the engagement partner obtains information that would have caused the firm to decline the audit
engagement had that information been available earlier, the engagement partner shall communicate that
information promptly to the firm, so that the firm and the engagement partner can take the necessary
action. (Ref: Para. A9)
06/10/2010
Page 265
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs/ISQC 1
300.13
The auditor shall undertake the following activities prior to starting an initial audit:
(a) Performing procedures required by ISA 220 regarding the acceptance of the client relationship and
the specific audit engagement; and
(b) Communicating with the predecessor auditor, where there has been a change of auditors, in
compliance with relevant ethical requirements. (Ref: Para. A20)
4.1
Overview
One of the most important decisions that a firm can make is determining what engagements to accept or
which client relationships to retain. A poor decision can lead to unbillable time, unpaid fees, additional
stress on partners and staff, loss of reputation and, worst of all, potential lawsuits.
ISQC 1 and ISA 220 require firms to develop, implement and document their quality control procedures
in regard to their client acceptance and retention policies. Ideally, these policies and procedures should
address the level of risk (risk tolerance) and the client characteristics (such as poor management integrity,
a high-risk industry or a publicly-traded company) that would not be acceptable to the firm.
For more information, refer to ISQC1 and ISA220 and to IFAC’s Guide to Quality Control for Use by
Small- and Medium-sized Practices (QC Guide).
Before a firm decides to accept or retain an engagement, the auditor is required to:
•
Establish the acceptability of the proposed financial reporting framework;
•
Assess whether the firm can comply with relevant ethical requirements;
•
Obtain the agreement of management that it acknowledges and understands its responsibility for:
•
•
the preparation of the financial statements in accordance with the applicable financial
reporting framework,
•
such internal control as management determines is necessary to enable the preparation of
financial statements that are free from material misstatement, whether due to fraud or error;
and
•
to provide the auditor with access to all relevant information and any additional information
that the auditor may request plus unrestricted access to persons within the entity from whom
the auditor determines it necessary to obtain audit evidence.
Perform engagement acceptance or continuance procedures. These procedures would be similar to the
risk assessment procedures outlined in Volume 1, Chapter 8. The results (assuming the engagement is
accepted) can later be used as part of the risk assessment.
The initial and subsequent years’ assessments of the engagement risk help to ensure that the firm is:
•
Independent and that no conflicts of interest exist;
•
Competent to perform the work with the required resources and time availability;
•
Willing to accept the risks involved in performing the audit. This would include an assessment of
management’s integrity and attitudes toward internal control, industry trends, availability of
appropriate audit evidence and other factors such as the ability of the client to pay the fees involved
06/10/2010
Page 266
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
and
•
Not aware of any new information about an existing client that would have caused the firm to decline
the engagement if it was known earlier.
Consider Point
There may be some very small entities requiring an audit where the owner-manager runs the entity,
has few (if any) formal documented controls in place and can therefore override just about everything.
In these situations, the auditor has to determine whether the absence of control activities or of other
components of control may make it impossible to obtain sufficient appropriate audit evidence. If this
is the case, the auditor would exercise professional judgment in determining whether the engagement
should be declined or a modified opinion provided.
Factors to consider include:
•
The entity’s control environment. For example: is the owner-manager trustworthy, competent and
does he/she have a good attitude toward internal control?
•
Is it possible to develop an overall response and further audit procedures that would respond
appropriately to the assessed risk factors? For example, can substantive procedures be used to
determine that all revenues and liabilities are properly recorded in the accounting records?
Once a decision has been reached to accept or continue with the client engagement, the next step is to:
•
Establish whether the preconditions for an audit are present; and
•
Confirm a common understanding between the auditor and management (and where appropriate,
those charged with governance) of the terms of the audit engagement.
4.2
Engagement acceptance
The first step in the client acceptance or continuance process is to assess the auditing firm’s ability to
perform the engagement and the risks involved. The following exhibit outlines some possible lines of
inquiry.
Exhibit 4.2-1
Consider
Line of Inquiry
The Firm’s Quality
Control
Requirements
What (firm and engagement-level) policies and procedures are in place to
provide reasonable assurance that the firm will only undertake or continue
relationships where:
• The firm can comply with the ISA requirements; and
• The engagement risks involved are within the firm’s tolerance for risk?
What Work is
Required?
Does the Firm Have
the Competence,
06/10/2010
•
•
•
•
What is the nature and scope of the audit?
What accounting framework will be used?
How will the auditor’s report and financial statements be used?
What is the deadline (if any) for completing the audit?
•
Does the firm have sufficient personnel with the necessary competence
and capabilities?
Do the selected firm personnel have:
•
Page 267
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider
Line of Inquiry
Resources and Time
Required?
•
•
•
Is the Firm
Independent?
•
•
•
Are the Risks
Involved
Acceptable?
•
•
•
•
•
•
•
•
•
06/10/2010
− Knowledge of relevant industries or subject matters,
− Experience with relevant regulatory or reporting requirements, or
− Ability to gain the necessary skills and knowledge effectively?
Are experts available, if needed?
Where applicable, are there qualified persons available to perform the
engagement quality control review?
Can the firm and the available staff (in light of timing requirements for
other clients) complete the engagement within the reporting deadline?
Can the firm and the engagement team comply with ethical and
independence requirements?
Where conflicts of interest, lack of independence or other threats have
been identified:
− Has appropriate action been taken to eliminate those threats or reduce
them to an acceptable level by applying safeguards, or
− Have steps been taken to withdraw from the engagement?
If the entity being audited is a component of a larger group the group
engagement team may request certain work to be performed on the
financial information of the component. In such cases the group
engagement would first obtain an understanding of the following:
− whether the component auditor understands and will comply with the
ethical (including independence) requirements that are relevant to the
group audit;
− the component auditor's professional competence;
− whether the group engagement team will be able to be involved in the
work of the component auditor to the extent necessary to obtain
sufficient appropriate audit evidence; and
− whether the component auditor operates in a regulatory environment
that actively oversees auditors.
For new engagements, has the firm communicated (as required by ISA
300.13) with the predecessor auditor to determine if there are any reasons
for not accepting the engagement?
Has the firm conducted an Internet search and had discussions with firm
personnel and other third parties (such as bankers) to identify any reasons
why the firm should not accept the engagement?
What are the values (“tone at the top") and future goals of the entity?
How competent are the entity’s senior management and staff?
Are there difficult or time-consuming issues to address (accounting
policies, estimates, compliance with legislation, etc.)?
What changes have taken place this period that will impact the
engagement (business trends and initiatives, personnel changes, financial
reporting, IT systems, purchase/sale of assets, regulations, etc.)?
Is there a high level of public scrutiny and media interest?
Is the entity in good financial health and does it have the ability to pay the
firm’s professional fees?
Will the client provide help to the firm in obtaining information and
Page 268
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider
Line of Inquiry
preparing schedules, analysis of balances, providing data files, etc.?
Can the Client be
Trusted?
•
•
•
•
•
Are there any scope limitations such as unrealistic deadlines or an inability
to obtain the required audit evidence?
Is there any reason (or recent event) that casts doubt on the integrity of the
principal owners, senior management and those charged with governance
of the entity? Consider the client’s operations, including business
practices, the business’ reputation and history of any ethical or regulatory
infringements.
Are there any indications that the client might be involved in money
laundering or other criminal activities?
What is the identity and business reputation of related parties?
Does management have a poor attitude toward internal control and an
aggressive attitude toward interpretation of accounting standards?
Consider corporate culture, organizational structure, risk tolerance,
complexity of transactions, etc.
Background Checks
To ensure the information obtained from the client is accurate, consider what third party information
could be obtained to validate key aspects of the risk assessment. This simple step could avert problems
later on. Examples include information from sources such as previous financial statements, income tax
returns, credit reports and possibly (after receiving permission from the prospective client) discussions
with key advisors such as bankers, etc.
Consider Point
Before contacting third parties and collecting information on a prospective client, take steps to ensure
all partners and staff are aware of:
•
The firm’s policies to protect confidential information maintained on clients;
•
Requirements of any privacy legislation; and
•
Requirements of the applicable code of ethics.
4.3
Pre-Conditions for an Audit
Paragraph #
Relevant Extracts from ISAs
210.6
In order to establish whether the preconditions for an audit are present, the auditor shall:
(a) Determine whether the financial reporting framework to be applied in the preparation of the financial
statements is acceptable; and (Ref: Para. A2-A10)
(b) Obtain the agreement of management that it acknowledges and understands its responsibility: (Ref:
Para A11-A14, A20)
06/10/2010
Page 269
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(i)
For the preparation of the financial statements in accordance with the applicable financial
reporting framework, including where relevant their fair presentation; (Ref: Para. A15)
(ii) For such internal control as management determines is necessary to enable the preparation of
financial statements that are free from material misstatement, whether due to fraud or error; and
(Ref: Para. A16-A19)
(iii) To provide the auditor with:
a.
Access to all information of which management is aware that is relevant to the preparation
of the financial statements such as records, documentation and other matters;
b.
Additional information that the auditor may request from management for the purpose of
the audit; and
c.
Unrestricted access to persons within the entity from whom the auditor determines it
necessary to obtain audit evidence.
Exhibit 4.3-1
Consider
Line of Inquiry
Are the Audit
Preconditions
Present?
Is the financial reporting framework (such as IFRS or a local framework) to be
used in preparing the financial statements acceptable? Factors to consider
include:
•
The nature of the entity (business, public sector or a not-for-profit);
•
The purpose of the financial statements (common purpose or for specific
users);
•
The nature of the financial statements (complete set of financial
statements or a single financial statement); and
•
Whether law or regulation prescribes the applicable financial reporting
framework.
Does management agree to and acknowledge/understand its responsibility for:
• Preparing the financial statements in accordance with the applicable
financial reporting framework, including (where relevant) their fair
presentation;
• Such internal control as management determines is necessary to enable the
preparation of financial statements that are free from material
misstatement, whether due to fraud or error; and
• Providing the auditor with:
− Access to all relevant information such as records, documentation and
other matters,
− Additional information requested from management for the purpose of
the audit (such as written representations), and
− Unrestricted access to persons within the entity to obtain the necessary
audit evidence?
06/10/2010
Page 270
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider
Line of Inquiry
Is There a Scope
Limitation?
Has management or those charged with governance imposed any type of
limitation on the scope of the audit? This could include unrealistic deadlines,
not accepting certain firm’s staff to perform the work and denial of access to a
facility, key personnel or relevant documents. If such a limitation would result
in a disclaimer of opinion, the firm would decline the engagement, unless the
firm is required by law or regulation to proceed with the engagement.
Where management does not acknowledge its responsibilities or agree to provide the written
representations, the auditor will not be able to obtain sufficient appropriate audit evidence. In such
circumstances, or where the financial reporting framework is not acceptable, the auditor is required by
ISA 210.8 to decline the engagement unless required by law or regulation.
4.4
Agreeing the Terms of Engagement
Paragraph #
Relevant Extracts from ISAs
210.7
If management or those charged with governance impose a limitation on the scope of the auditor’s work in
the terms of a proposed audit engagement such that the auditor believes the limitation will result in the
auditor disclaiming an opinion on the financial statements, the auditor shall not accept such a limited
engagement as an audit engagement, unless required by law or regulation to do so.
210.9
The auditor shall agree the terms of the audit engagement with management or those charged with
governance, as appropriate. (Ref: Para. A21)
210.10
Subject to paragraph 11, the agreed terms of the audit engagement shall be recorded in an audit
engagement letter or other suitable form of written agreement and shall include: (Ref: Para. A22-A25)
(a) The objective and scope of the audit of the financial statements;
(b) The responsibilities of the auditor;
(c) The responsibilities of management;
(d) Identification of the applicable financial reporting framework for the preparation of the financial
statements; and
(e) Reference to the expected form and content of any reports to be issued by the auditor and a statement
that there may be circumstances in which a report may differ from its expected form and content.
210.11
If law or regulation prescribes in sufficient detail the terms of the audit engagement referred to in
paragraph 10, the auditor need not record them in a written agreement, except for the fact that such law or
regulation applies and that management acknowledges and understands its responsibilities as set out in
paragraph 6(b). (Ref: Para. A22, A26-A27)
210.12
If law or regulation prescribes responsibilities of management similar to those described in paragraph 6(b),
the auditor may determine that the law or regulation includes responsibilities that, in the auditor's
judgment, are equivalent in effect to those set out in that paragraph. For such responsibilities that are
equivalent, the auditor may use the wording of the law or regulation to describe them in the written
agreement. For those responsibilities that are not prescribed by law or regulation such that their effect is
06/10/2010
Page 271
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
equivalent, the written agreement shall use the description in paragraph 6(b). (Ref: Para. A26)
210.13
On recurring audits, the auditor shall assess whether circumstances require the terms of the audit
engagement to be revised and whether there is a need to remind the entity of the existing terms of the audit
engagement. (Ref: Para. A28)
210.14
The auditor shall not agree to a change in the terms of the audit engagement where there is no reasonable
justification for doing so. (Ref: Para. A29-A31)
210.15
If, prior to completing the audit engagement, the auditor is requested to change the audit engagement to an
engagement that conveys a lower level of assurance, the auditor shall determine whether there is
reasonable justification for doing so. (Ref: Para. A32-A33)
210.16
If the terms of the audit engagement are changed, the auditor and management shall agree on and record
the new terms of the engagement in an engagement letter or other suitable form of written agreement.
210.17
If the auditor is unable to agree to a change of the terms of the audit engagement and is not permitted by
management to continue the original audit engagement, the auditor shall:
(a) Withdraw from the audit engagement where withdrawal is possible under applicable law or
regulation; and
(b) Determine whether there is any obligation, either contractual or otherwise, to report the
circumstances to other parties, such as those charged with governance, owners or regulators
Note: Paragraphs 18-22 of ISA 210 contain some additional considerations in engagement acceptance
such as where financial reporting standards are supplemented by law or regulation and where the
financial reporting framework is prescribed by law or regulation.
To ensure there is a clear understanding between management and the auditor on the terms of
engagement, an engagement letter (or other suitable form of written agreement) is prepared and agreed
with the appropriate representative of senior management. To avoid any potential for misunderstanding,
the engagement letter would be finalized and signed before the engagement work commences.
Even in countries where the audit objective, scope and obligations are established by law, an engagement
letter may still be useful to inform clients about their specific roles and responsibilities.
A sample of an engagement letter based on the example contained in ISA 210 is provided in the case
study materials that follow.
The engagement letter would address the matters set out below.
Exhibit 4.4-1
Terms
The Objective,
Accounting
06/10/2010
Description
•
•
The accounting framework to be used.
Objective of the audit of financial statements and the anticipated form of
auditor’s report or other communication. Also, the circumstances in which
Page 272
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Terms
Framework, Scope
and form of
Auditor’s Report
Resulting from the
Audit of the
Financial
Statements
The Responsibilities
of the Auditor
The Responsibilities
of Management
Description
•
•
•
•
•
•
•
•
•
•
a report may differ from its expected form and content.
The scope of the audit, including reference to applicable legislation,
regulations, ISAs and ethical and other pronouncements of professional
bodies to which the auditor adheres.
Other parties to whom a report is required to be made, e.g., a regulator.
To conduct the audit in accordance with International Standards on
Auditing (ISAs).
Recognition that, due to the inherent limitations of an audit and the
limitations of internal control, there is an unavoidable risk that some
material misstatements may not be detected, even though the audit is
properly planned and performed in accordance with ISAs.
For the preparation of the financial statements in accordance with the
applicable financial framework and for designing and implementing such
internal control as management determines is necessary to enable the
preparation of financial statements that are free from material
misstatement, whether due to fraud or error
Accept the terms of the engagement as outlined in the engagement letter.
Provide unrestricted access to any records, documentation and other
information requested in connection with the audit.
Provide unrestricted access to persons within the entity
Confirm auditor’s expectation of receiving written confirmation from
management concerning representations made in connection with the
audit.
Agreement of management to inform the auditor of facts that may affect
the financial statements, of which management may become aware during
the period from the date of the auditor’s report to the date the financial
statements are issued.
Other matters that could be included in the engagement letter.
Exhibit 4.4-2
Terms
Description
How the Audit will
be Conducted, Any
Dispute Resolution,
Obligations and Fee
Arrangements
Address arrangements regarding:
• The planning and performance of the audit, including the composition of
the audit team and details of what (if any) draft financial statements or
other working papers are to be prepared by the client along with the dates
on which the auditor requires these;
• Involvement of other auditors and experts;
• Involvement of the predecessor auditor, if any, with respect to opening
06/10/2010
Page 273
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Terms
Description
•
balances; and
Other matters:
• Any restrictions of the auditor’s liability where such possibility exists,
• The basis on which fees are computed and any billing arrangements,
• Any obligations by the firm to provide audit working papers to other
parties, and
• Reference to any further agreements between the auditor and the client
or other letters or reports the auditor expects to issue to the client.
Client to confirm the terms of the engagement by acknowledging receipt of the
engagement letter.
Updating the Engagement Letter
When no changes have occurred, the auditor is required to assess whether there is a need to remind the
entity of the existing terms of the audit engagement. The terms of engagement may be reconfirmed at the
time of the auditor’s reappointment without the need to obtain a new letter each year.
The engagement letter is required to be revised when the circumstances change. Matters that may constitute
a change in circumstance include:
•
Any revised or special terms of the engagement;
•
A recent change in senior management;
•
A significant change in ownership;
•
A significant change in nature or size of the entity’s business;
•
A change in legal or regulatory requirements;
•
A change in the financial reporting framework adopted in the preparation of the financial statements;
•
A change in other reporting requirements; and
•
There is some indication that management misunderstand the objective and scope of the audit.
06/10/2010
Page 274
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
A Change in the Terms of the Audit Engagement
If management requests changes to the terms of the audit engagement, the auditor would consider whether
there is reasonable justification for the request and the implications for the scope of the audit engagement.
A reasonable justification could include a change in the client’s circumstances or a misunderstanding of
the nature of the original service requested.
A change would not be reasonable if it is motivated by issues raised during the audit. This could include
audit information that does not support management representations, an inability to obtain certain audit
information (which would effectively limit the scope of the audit) or evidence that is otherwise
unsatisfactory. An example might be where the auditor is unable to obtain sufficient appropriate audit
evidence regarding inventory balances and the entity asks for the audit engagement to be changed to a
review engagement to avoid a qualified opinion or a disclaimer of opinion.
If the change in terms is reasonable, a revised engagement letter or other suitable form of written
agreement would be obtained. If however, the auditor is unable to agree to the proposed change in terms
and is not permitted by management to continue the original audit engagement, the auditor is required to:
4.5
•
Withdraw from the audit engagement where possible under applicable law or regulation; and
•
Determine whether there is any obligation, either contractual or otherwise, to report the
circumstances to other parties, such as those charged with governance, owners or regulators.
Case Studies — Client Acceptance and Continuance
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
Assuming this is an ongoing audit engagement, the partner or senior manager in the audit firm would
make some inquiries to identify and assess any new or revised risk factors relevant to deciding to continue
with the audit engagement. Include inquiries such as the following.
Case Study A ─ Dephta Furniture Inc.
Client Acceptance and Continuance
A questionnaire such as the following could be used.
•
Have the audit preconditions been met?
Dephta’s financial statements will be prepared by
management using IFRS.
The engagement letter has been signed and
management have acknowledged their responsibility
to:
•
Have the acceptance/continuance
requirements in the firm’s quality control
06/10/2010
•
Make available all information as requested.
•
Provide unlimited access to personnel
•
Design and implement such internal control
as management determines is necessary to
enable the preparation of financial
statements that are free from material
misstatement, whether due to fraud or error;
Yes. Refer to policies XX and YY of our QC manual
Page 275
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
manual been followed?
•
Any change in the terms of reference or
requirements for the audit engagement?
No.
•
Any independence issues or conflicts of
interest? Consider: family/personal
relationships with key client people, nonaudit services such as accounting,
financial interests and other business
relationships.
Only matter noted was that one of our staff bought a
lot of bedroom furniture from Dephta; he paid the
catalogue price. This incident is not considered a
threat to our independence.
•
Any circumstances that would cast doubt
on the integrity of the client’s owners?
Consider convictions, regulatory
proceedings/sanctions, suspicion or
confirmation of illegal acts or fraud,
police investigations and any negative
publicity.
No. However, Parvin (daughter of the client’s
business advisor) received some negative publicity in
July. She was an advisor in a land deal where
government officials were accused of receiving
bribes from developers. This matter has also been
noted on our listing of risk factors for the audit.
•
Does the engagement team have
sufficient knowledge of accounting
principles and industry practices to
perform the engagement?
Yes. We plan to use the same staff as last period to
complete the engagement.
•
Are there areas where specialized
knowledge is necessary?
We will use David (who is knowledgeable in the IT
area) to review controls over the Internet sales.
•
Does the firm have the capacity in time,
competencies and resources to
complete the engagement in accordance
with professional and firm standards?
Yes. See the planned budget.
•
Are there any issues identified in
previous audits and other engagements
for this entity that need to be addressed?
Need for a review of the general IT controls in light of
the decision to accept sales over the Internet.
•
Are there any new circumstances that
increase our engagement risk?
No. Management has a good attitude toward internal
control.
•
Can the client continue to pay our fees?
Yes.
Conclusion
Overall assessment of engagement risk = Low
We should continue with this client
06/10/2010
Page 276
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Sang Jun Lee
The terms of engagement would be included in a letter such as outlined below.
06/10/2010
Page 277
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
October 15, 20X2
Mr. Suraj Dephta, Managing Director
Dephta Furniture
2255 West Street
North Cabetown
United Territories
123-50214
Dear Mr. Dephta
You have requested that we audit the financial statements of Dephta Furniture which comprise
the balance sheet as at December 31, 20X2, and the income statement, statement of changes in
equity and cash flow statement for the year then ended, and a summary of significant accounting
policies and other explanatory information. We are pleased to confirm our acceptance and our
understanding of this audit engagement by means of this letter. Our audit will be conducted with
the objective of our expressing an opinion on the financial statements.
Our Responsibilities
We will conduct our audit in accordance with International Standards on Auditing. Those
standards require that we comply with ethical requirements and plan and perform the audit to
obtain reasonable assurance about whether the financial statements are free from material
misstatement. An audit involves performing procedures to obtain audit evidence about the
amounts and disclosures in the financial statements. The procedures selected depend on the
auditor's judgment, including the assessment of the risks of material misstatement of the
financial statements, whether due to fraud or error. An audit also includes evaluating the
appropriateness of accounting policies used and the reasonableness of accounting estimates
made by management, as well as evaluating the overall presentation of the financial statements.
Because of the inherent limitations of an audit, together with the inherent limitations of internal
control, there is an unavoidable risk that some material misstatements may not be detected,
even though the audit is properly planned and performed in accordance with ISAs.
In making our risk assessments, we consider internal control relevant to the entity's preparation
of the financial statements in order to design audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an opinion on the effectiveness of the
entity's internal control. However, we will communicate to you in writing any significant
deficiencies in internal control relevant to the audit of the financial statements that we have
identified during the audit.
Unless unanticipated difficulties are encountered, our report will be substantially in the following
form:
[form and content of the auditor's report not has not been reproduced.]
The form and content of our report may need to be amended in the light of our audit findings.
Management’s Responsibility
06/10/2010
Page 278
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Our audit will be conducted on the basis that management and those charged with governance
acknowledge and understand that they have responsibility:
(a)
For the preparation and fair presentation of the financial statements in accordance with
International Financial Reporting Standards;
(b)
For such internal control as management determines is necessary to enable the
preparation of financial statements that are free from material misstatement, whether due to
fraud or error; and
(c)
To provide us with:
(i)
Access to all information of which you are aware that is relevant to the
preparation of the financial statements such as records, documentation and other
matters;
(ii)
Additional information that we may request from you for the purpose of the audit;
and
(iii) Unrestricted access to persons within the company from whom we determine it
necessary to obtain audit evidence.
As part of our audit process, we will request from management and, where appropriate, those
charged with governance written confirmation concerning representations made to us in
connection with the audit.
We look forward to full cooperation from your staff during our audit.
Fees
Our fees, which will be billed as work progresses, are based on the time required by the
individuals assigned to the engagement plus out-of-pocket expenses. Individual hourly rates vary
according to the degree of responsibility involved and the experience and skill required.
This letter will be effective for future periods unless it is terminated, amended or superseded.
Please sign and return the attached copy of this letter to indicate that it is in accordance with
your understanding of the arrangements for our audit of the financial statements.
Yours truly,
__________________
Sang Jun Lee
Jamel, Woodwind & Wing, LLP
Acknowledged on behalf of Dephta Furniture by
__________________
Suraj Dephta
Managing Director
November 1, 20X2
06/10/2010
Page 279
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study B ─ Kumar & Co.
Client Acceptance and Continuance
Assuming this is an ongoing audit engagement, the inquiries to identify and assess any new or
revised risk factors could be documented in a memo as follows.
Client Continuance Memo – Kumar & Co.
October 15, 20X2
We spoke to the client, Raj Kumar, on September 15, 20X2 to determine whether we should
accept this engagement.
Matters arising:
-
Raj requires an audit opinion on the financial statements of Kumar & Co. using IFRS.
-
We have not identified any threats to our independence.
-
Nothing new happened that might raise concerns over the integrity of the owner.
-
Operations are similar to the previous period although Raj’s absence from day to day
operations does create more opportunity for fraud to be committed. We should consider
expanding our substantive procedures this year to address the potential fraud risks.
-
No additional specialists are necessary and the same people as last period can perform the
audit.
Two possible concerns this period:
-
The company has experienced a drop in demand for products from its major customer,
Deptha.
-
Raj has diverted much of his focus to personal family matters at home. During our audit, we
should ensure that books and records have been kept up-to-date and no undetected errors
occurred. This could also create a fraud risk.
Overall assessment of engagement risk = Moderate
We will accept this engagement for the current period.
Sang Jun Lee
The terms of engagement would be included in a letter that would be very similar to the example
previously provided in Case Study A: Dephta Furniture Inc.
06/10/2010
Page 280
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
This page is intentionally left blank.
06/10/2010
Page 281
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
5.
OVERALL AUDIT STRATEGY
Chapter Content
Outline of steps involved in developing an overall plan
and strategy for the audit.
Relevant ISAs
300
Exhibit 5.0-1
Paragraph #
ISA Objective(s)
300.4
The objective of the auditor is to plan the audit so that it will be performed in an effective manner.
Paragraph #
Relevant Extracts from ISAs
300.5
The engagement partner and other key members of the engagement team shall be involved in planning the
audit, including planning and participating in the discussion among engagement team members. (Ref:
Para. A4)
300.7
The auditor shall establish an overall audit strategy that sets the scope, timing and direction of the audit,
and that guides the development of the audit plan.
300.8
In establishing the overall audit strategy, the auditor shall:
06/10/2010
Page 282
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(a) Identify the characteristics of the engagement that define its scope;
(b) Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of
the communications required;
(c) Consider the factors that, in the auditor’s professional judgment, are significant in directing the
engagement team’s efforts;
(d) Consider the results of preliminary engagement activities and, where applicable, whether knowledge
gained on other engagements performed by the engagement partner for the entity is relevant; and
(e) Ascertain the nature, timing and extent of resources necessary to perform the engagement. (Ref: Para.
A8-A11)
300.9
The auditor shall develop an audit plan that shall include a description of:
(a) The nature, timing and extent of planned risk assessment procedures, as determined under ISA 315.
(b) The nature, timing and extent of planned further audit procedures at the assertion level, as determined
under ISA 330.
(c) Other planned audit procedures that are required to be carried out so that the engagement complies
with ISAs. (Ref: Para. A12)
300.10
The auditor shall update and change the overall audit strategy and the audit plan as necessary during the
course of the audit. (Ref: Para. A13)
300.11
The auditor shall plan the nature, timing and extent of direction and supervision of engagement team
members and the review of their work. (Ref: Para. A14-A15)
200.15
The auditor shall plan and perform an audit with professional skepticism recognizing that circumstances
may exist that cause the financial statements to be materially misstated. (Ref: Para. A18-A22)
5.1
Overview
Planning is important to ensure that the engagement is performed in an efficient and effective manner and
that audit risk has been reduced to an acceptably low level.
Audit planning is not a discrete phase of the audit. It is a continual and iterative process that starts shortly
after completion of the previous audit and continues until the completion of the current audit.
The benefits of audit planning are outlined in the exhibit below.
Exhibit 5.1-1
Benefits of
Audit Planning
06/10/2010
•
Team members learn from the experience/insight of the partner and other key
personnel.
•
The engagement is properly organized, staffed and managed.
•
Experience gained from previous periods’ engagements and other
Page 283
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
assignments is properly utilized.
•
Important areas of the audit receive the appropriate attention.
•
Potential problems are identified and resolved on a timely basis.
•
Audit file documentation is reviewed on a timely basis.
•
Work performed by others is coordinated (other auditors, experts, etc.).
There are two levels of planning for the audit as illustrated in the exhibit below.
Exhibit 5.1-2
Consider Point
It is often said that an hour spent planning can save five hours in execution. A well planned audit
ensures that the audit effort is directed to addressing the high-risk areas, unnecessary audit procedures
are scoped out and that audit staff know what is expected of them.
Development of the overall audit strategy begins at the commencement of the engagement and is
completed and then updated based on the information obtained from:
•
Previous experience with the entity;
•
Preliminary (client acceptance and continuation) activities;
•
Discussions with the client on changes since last period and recent operating results;
•
Other engagements performed for the client during the period;
•
Audit team discussions and meetings;
•
Other external sources such as newspaper and Internet articles; and
06/10/2010
Page 284
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
New information obtained, failed audit procedures or new circumstances encountered during the audit
that will change previously planned strategies.
The detailed audit plan will begin a little later when the specific risk assessment procedures are planned
and when there is sufficient information about assessed risks to develop an appropriate audit response.
The requirements for developing the detailed audit plan are addressed in Volume 2, Chapter 16.
The time required to prepare an overall audit strategy will vary based on:
•
The size and complexity of the entity;
•
The composition and size of the audit team. Smaller audits will also have smaller teams, making
planning, co-ordination and communication easier;
•
Previous experience with the entity; and
•
Circumstances encountered in performing the audit.
Consider Point
Small entity audits are often conducted by very small audit teams. This makes co-ordination and
communication among the team members easier and development of the overall audit strategy can be
straightforward. Documentation for small entities may be in the form of a brief memorandum that includes:
•
Nature of engagement and timing;
•
Issues identified in the audit just completed;
•
What has changed in the current period;
•
Any revisions required in the overall audit strategy or in the detailed audit plan; and
•
Specific responsibilities of each member of the audit team.
Planning for the current period can start with a brief memo prepared at the end of the previous audit.
However, the memo needs to be updated for the current period, based on discussions with the ownermanager and the results of audit team meetings.
5.2
Developing the Overall Audit Strategy
The overall audit strategy is a record of the key decisions considered necessary to properly plan the audit
and to communicate significant matters to the engagement team. The strategy will document the decisions
arising from conducting the planning steps outlined in the exhibit below. Note that specific details of risk
assessment and further audit procedures to be performed would be documented in the detailed audit plan.
Exhibit 5.2-1
Basic Steps
Description
•
Getting
Started
•
•
06/10/2010
Perform preliminary activities (client acceptance/continuance and establish
the terms of engagement).
Gather relevant information about the entity such as current operating
results, results from previous engagements and significant changes in the
current period.
Assign staff to the engagement including where applicable, the
engagement quality control reviewer and any experts required.
Page 285
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Basic Steps
Description
•
•
•
•
Assessing Risks and
Responses
•
•
•
Schedule the audit team meeting (including the engagement partner) to
discuss the susceptibility of material misstatements (including fraud) in the
financial statements.
Determine the appropriate timeframes (dates) when each aspect of audit
work will be undertaken (inventory counts, risk assessment procedures,
external confirmations, the period-end visit and meetings to discuss audit
results)
Determine materiality for the financial statements as a whole and
performance materiality.
Determine the nature and extent of the required risk assessment procedures
and who will perform them.
When risk has been assessed at the financial statement level, develop an
appropriate overall response (refer to Volume 1, Chapter 9). Also include
the impact on the further audit procedures to be performed.
Communicate an overview of the planned scope and timing of the audit to
those charged with governance.
Update and change the strategy and audit plan as necessary in light of new
circumstances.
When the risks of material misstatement have been identified and assessed, the overall strategy (including
timing, staffing and supervision) can be finalized, and the detailed audit plan developed. The detailed plan
will set out the further audit procedures required at the assertion level that responds to the identified and
assessed risks.
As work commences, changes may be required to the overall strategy and detailed plans to respond to
new circumstances, audit findings and other information obtained. Any such changes are to be
documented along with the reasons in the audit documentation such as the overall audit strategy or audit
plan.
The overall strategy documents relevant matters such as those listed below.
Exhibit 5.2-2
Document
Description
•
•
•
Engagement
Characteristics
•
•
•
•
06/10/2010
The financial reporting framework to be used.
Additional reports required such as stand-alone financial and industryspecific requirements (by regulators, etc.).
Any need for specialized knowledge or expertise to address complex,
specific and high-risk audit areas.
Evidence required from service organizations.
Use of evidence obtained in previous audits (such as risk assessment
procedures and tests of controls).
Effect of information technology on audit procedures (availability of data
and use of computer-assisted audit techniques).
Need to introduce some unpredictability in performing audit procedures.
Page 286
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Document
Description
•
Availability of client personnel and data.
•
•
Entity’s timetable for reporting.
Timing of meetings with management and those charged with governance
to discuss:
− The nature, timing and extent of the audit work. This could include
dates for inventory counts, external confirmations, and interim and
other required procedures,
− Status of audit work throughout the engagement, and
− The auditor’s report and other communications such as management
letters.
Timing of meetings/communications among engagement team members to
discuss:
− Entity risk factors (business and fraud),
− Nature, timing and extent of work to be performed,
− Review of work performed, and
− Other communications with third parties.
Reporting
Objectives
•
Significant Factors
•
•
•
•
•
•
•
•
Significant Changes
and Developments
•
•
•
•
06/10/2010
Materiality (overall, individual financial statement areas and performance
materiality).
Preliminary assessment of risk at the overall financial statement level and
the impact on the audit.
Preliminary identification of:
− Significant and material classes of transactions, account balances and
disclosures, and
− Areas where there may be a higher risk of material misstatement.
How engagement team members will be reminded to maintain a
questioning mind and to exercise professional skepticism in gathering and
evaluating audit evidence.
Relevant results of previous audits including identified control deficiencies
and action taken by management to address them.
Discussions with firm’s personnel who provided other services to the
entity.
Evidence of management’s attitude toward internal control and importance
attached to internal control generally throughout the entity.
Volume of transactions, which may determine whether it is more efficient
for the auditor to rely on internal control.
Significant business developments affecting the entity, including changes
in information technology and business processes, changes in key
management and acquisitions, mergers and divestitures.
Significant industry developments such as changes in industry regulations
and new reporting requirements.
Significant changes in the financial reporting framework such as changes
in accounting standards.
Other significant relevant developments such as changes in the legal
environment affecting the entity.
Page 287
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Document
Description
Nature, Timing and
Extent of Resources
Required
•
•
•
The engagement team (including, where necessary, the engagement quality
control reviewer).
Assignment of audit work to the team members, including the assignment
of appropriately experienced team members to areas where there may be
higher risks of material misstatement.
Engagement budgeting, including considering the appropriate amount of
time to set aside for areas where there may be higher risks of material
misstatement.
If the entity has components (such as subsidiaries or operating divisions), reference should be made to the
additional planning considerations outlined in the Appendix to ISA 300 and to the requirements of ISA 600.
For smaller entities, a brief memorandum may serve as the documented overall strategy. For the audit plan,
standard audit programs or checklists may be used, assuming there are few relevant control activities and
provided that the programs are tailored to the circumstances of the engagement, including the auditor's risk
assessments.
5.3
Communicating the Audit Plan with Management and Those Charged with
Governance
Paragraph #
Relevant Extracts from ISAs
260.15
The auditor shall communicate with those charged with governance an overview of the planned scope and
timing of the audit. (Ref: Para. A11-A15)
An ongoing, two-way dialogue with management and those charged with governance can play an
important role in the audit planning process. Good communication regarding the planned scope and
timing of the audit may assist management and those charged with governance to:
•
Understand the consequences of the auditor’s work;
•
Discuss issues of risk and the concept of materiality with the auditor; and
•
Identify any areas in which they may request the auditor to undertake additional procedures.
This dialogue may also assist the auditor in developing a better understanding of the entity and its
environment.
Take care, though, not to compromise the effectiveness of the audit. For example, communicating the
exact nature and timing of detailed audit procedures may reduce the effectiveness of those procedures by
making them too predictable.
Matters that the auditor may consider for communication include:
•
How the auditor proposes to address the significant risks of material misstatement, whether due to fraud
or error;
•
The auditor’s approach to internal control relevant to the audit; and
•
The application of materiality in the context of an audit.
06/10/2010
Page 288
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Other planning matters that may be appropriate to discuss include:
•
The views of those charged with governance of:
- The allocation of responsibilities between those charged with governance and management,
- The entity’s objectives and strategies, and the related business risks that may result in material
misstatements,
- Matters that those charged with governance consider warrant particular attention during the audit
and any areas where they request additional procedures to be undertaken,
- Significant communications with regulators, and
- Other matters that those charged with governance consider may influence the audit of the
financial statements;
•
The attitudes, awareness and actions of those charged with governance concerning:
- The entity’s internal control and its importance in the entity, including how those charged with
governance oversee the effectiveness of internal control, and
- The detection or possibility of fraud;
•
The actions of those charged with governance in response to developments in accounting standards,
corporate governance practices and other related matters; and
•
The responses of those charged with governance to previous communications with the auditor.
Note:
This two-way communication does not change the auditor’s sole responsibility to establish the
overall audit strategy and the audit plan, including the nature, timing and extent of procedures
necessary to obtain sufficient appropriate audit evidence.
Further matters may be required to be communicated by law or regulation, by agreement with the entity
or by additional requirements applicable to the engagement. Also note that ISA 265 sets out the
requirements to communicate significant deficiencies identified in internal control.
5.4
Documentation
Paragraph #
Relevant Extracts from ISAs
300.12
The auditor shall include in the audit documentation:
(a) The overall audit strategy;
(b) The audit plan; and
(c) Any significant changes made during the audit engagement to the overall audit strategy or the audit
plan, and the reasons for such changes. (Ref: Para. A16-A19)
The overall audit strategy and detailed audit plan, including details of any significant changes made
during the audit engagement, would be documented. The auditor may use a memorandum, standard audit
programs or audit completion checklists, tailored as needed to reflect the particular engagement
circumstances.
06/10/2010
Page 289
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
5.5
Case Studies – The Overall Audit Strategy
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
Once the decision has been made to continue with the audit, the next step is to develop or update the
overall audit strategy for conducting the engagement. This can be documented by some form of planning
checklist or a brief structured memorandum (see the consider point above) such as the examples that
follow.
Case Study A ─ Dephta Furniture Inc.
Dephta Furniture Inc.
Overall strategy memo
Period end December 31, 20X2
Scope
The scope of the audit has not changed this period. Audit to comply with ISAs and the IFRS
accounting framework. There have been no changes in IFRS that affect Dephta this year.
Entity Changes
Dephta is planning to make sales in foreign currencies.
Internet sales are also increasing and Dephta’s IT capabilities will be stretched.
Dephta is now selling to Franjawa Merchandising. This company is renowned for squeezing
profit margins of suppliers in exchange for giving large orders. It also requires suppliers to
maintain additional inventories of some products for instant delivery as required.
Risk
Our assessment of risk at the financial statements level is low (refer to W/P Ref. #). Management
is not particularly sophisticated but there is a strong commitment to competence; it has
introduced a code of ethics and, in general, has a good attitude toward internal control.
Overall Strategy
•
Materiality for the financial statements as a whole will be increased from 8,000Є to 10,000Є
this period to reflect the growth in sales and profitability during the last period. Management
bonuses of approximately 70,000 Є were added back to income for calculating materiality for
the financial statements as a whole (refer to working paper on determining materiality
Volume 2 chapter 6). Performance materiality (based on our assessment of audit risk) has
been set at 7,000Є except for certain account balances as described on W/P ref. #.
•
Use the same senior staff as last period and perform the work at the same time.
•
Perform our risk assessment procedures at the end of August. There are no plans to change
any systems at present.
•
At our team planning meeting to be held on November 15, we need to:
− Consider the susceptibility of the financial statements to fraud,
− Emphasize use of professional skepticism by our staff,
− Identify fraud scenarios by employees and management, and
06/10/2010
Page 290
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
−
Focus on identification of related-party transactions that have been growing and
expanding our testing.
•
Attend the period-end inventory counts. There are still no ongoing inventory control
procedures.
•
Use David (who is knowledgeable about IT systems) to identify the risks of material
misstatement relating to the internet sales and whether any relevant internal controls exist to
mitigate such risks. He will also assess the general IT controls.
Audit partner: (signed) Sang Jun Lee
Date: July 18, 20X2
Case Study B ─ Kumar & Co.
Kumar & Co.
Overall strategy memo
Period end December 31, 20X2
Scope
•
Perform the statutory audit
•
Management want to use IFRS
Risk
•
At the financial statement level is Moderate Risk (refer to W/P Ref. #).
Changes
•
Lower sales due to fewer orders from Deptha.
•
Could lead to unsaleable finished goods inventory and sales returns.
•
Raj not as active in the business as in prior period which could increase the risk of fraud.
•
New financing resulting in new bank covenants to maintain.
Overall Strategy
•
Materiality for the financial statements as a whole will be decreased from 3,000Є to 2,500Є
due to decline in sales and profitability. Performance materiality (based on our assessment
of audit risk) has been set at 1,800Є, except for certain account balances as described on
W/P ref. #.
•
Use the same staff as last period for continuity and audit efficiency.
•
Perform risk assessment procedures at end of December.
•
At our team planning meeting to be held on November 30, we need to:
06/10/2010
Page 291
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
−
−
−
Consider the susceptibility of the financial statements to fraud,
Discuss the potential for employee fraud and management override. The bookkeeper
seems disgruntled and may have motivation and opportunity as Raj has not been as
involved in reviewing the financial statements as he did in the past, and
Focus on the growing related-party transactions to Dephta.
•
Attend the period-end inventory count.
•
Expand our testing with regard to related-party transactions.
Audit partner: (signed) Sang Jun Lee
Date: October 20, 20X2
06/10/2010
Page 292
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
6.
DETERMINING AND USING MATERIALITY
Chapter Content
Relevant ISAs
Determination and use of materiality in an audit
engagement.
320, 450
Exhibit 6.0-1
Risk Assessment
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Perform preliminary
engagement
activities
Plan the audit
Documentation1
Develop an overall
audit strategy and
audit plan 2
Materiality
Audit team discussions
Overall audit strategy
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
Exhibit 6.0-2
Financial
statement
level
Account balance,
class of transactions
and disclosures level
‘Overall’ Materiality
(for the financial statements as a whole)
‘Overall’ Performance Materiality
‘Specific’ Materiality
(for particular financial statement areas)
‘Specific’ Performance
Materiality
Quantitative amount
Note:
The terms “overall” materiality and “specific” materiality used in the chart above and in the text
below are used solely for the purposes of this Guide and are terms that are not used in the ISAs.
Overall materiality refers to the financial statements as a whole and specific materiality relates to
materiality of particular classes of transactions, account balances or disclosures.
06/10/2010
Page 293
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
ISA Objective(s)
320.8
The objective of the auditor is to apply the concept of materiality appropriately in planning and
performing the audit.
450.3
The objective of the auditor is to evaluate:
(a)
The effect of identified misstatements on the audit; and
(b)
The effect of uncorrected misstatements, if any, on the financial statements.
Paragraph #
Relevant Extracts from ISAs
320.9
For purposes of the ISAs, performance materiality means the amount or amounts set by the auditor at less
than materiality for the financial statements as a whole to reduce to an appropriately low level the
probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the
financial statements as a whole. If applicable, performance materiality also refers to the amount or
amounts set by the auditor at less than the materiality level or levels for particular classes of transactions,
account balances or disclosures.
320.10
When establishing the overall audit strategy, the auditor shall determine materiality for the financial
statements as a whole. If, in the specific circumstances of the entity, there is one or more particular classes
of transactions, account balances or disclosures for which misstatements of lesser amounts than materiality
for the financial statements as a whole could reasonably be expected to influence the economic decisions
of users taken on the basis of the financial statements, the auditor shall also determine the materiality level
or levels to be applied to those particular classes of transactions, account balances or disclosures. (Ref:
Para. A2-A11)
320.11
The auditor shall determine performance materiality for purposes of assessing the risks of material
misstatement and determining the nature, timing and extent of further audit procedures. (Ref: Para. A12)
320.12
The auditor shall revise materiality for the financial statements as a whole (and, if applicable, the
materiality level or levels for particular classes of transactions, account balances or disclosures) in the
event of becoming aware of information during the audit that would have caused the auditor to have
determined a different amount (or amounts) initially. (Ref: Para. A13)
320.13
If the auditor concludes that a lower materiality for the financial statements as a whole (and, if applicable,
materiality level or levels for particular classes of transactions, account balances or disclosures) than that
initially determined is appropriate, the auditor shall determine whether it is necessary to revise
performance materiality, and whether the nature, timing and extent of the further audit procedures remain
appropriate.
320.14
The auditor shall include in the audit documentation the following amounts and the factors considered in
their determination:
(a) Materiality for the financial statements as a whole (see paragraph 10);
(b) If applicable, the materiality level or levels for particular classes of transactions, account balances or
06/10/2010
Page 294
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
disclosures (see paragraph 10);
(c) Performance materiality (see paragraph 11); and
(d) Any revision of (a)-(c) as the audit progressed (see paragraphs 12-13).
450.6
The auditor shall determine whether the overall audit strategy and audit plan need to be revised if:
(a)
The nature of identified misstatements and the circumstances of their occurrence indicate that
other misstatements may exist that, when aggregated with misstatements accumulated during the audit,
could be material; or (Ref: Para. A4)
(b)
The aggregate of misstatements accumulated during the audit approaches materiality determined
in accordance with ISA 320. (Ref: Para. A5)
06/10/2010
Page 295
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
6.1
Overview
Decisions made by the auditor on materiality will form the basis for risk assessments and determining the
extent of auditing procedures required.
Determining materiality is a matter of professional judgment. It is based on the auditor's perception of the
common financial information needs of users of the financial statements as a group. Overall materiality
(which is a term used in this Guide to summarize materiality for the financial statements as a whole) is the
total amount of misstatements in a financial statement, including omissions, which if exceeded, could
reasonably be expected to influence the economic decisions of users. This differs from audit risk, which
relates to an inappropriate audit opinion being issued on financial statements that are materially misstated.
This chapter addresses the determination of overall and specific materiality and the auditor’s use of
performance materiality to obtain sufficient and appropriate audit evidence. Materiality is used
throughout the audit for audit planning, risk assessment, risk response and reporting. Additional
information on materiality and audit risk is contained Volume 1, Chapter 7 of this Guide.
There are two levels of materiality to consider – overall materiality and specific materiality, as described
below.
Exhibit 6.1-1
Description
Overall Materiality
(for the financial
statements as a whole)
Materiality for the financial statements as a whole (overall materiality) is
based on the auditor’s professional judgment as to the highest amount of
misstatement(s) that could be included in the financial statements without
affecting the economic decisions taken by a financial statement user. If the
amount of uncorrected misstatements, either individually or in the aggregate, is
higher than the overall materiality established for the engagement, it would mean
that the financial statements are materiality misstated.
Overall materiality is based on the common financial information needs of the
various users as a group. Consequently, the possible effect of misstatements on
specific individual users, whose needs may vary widely, is not considered.
Specific Materiality
(materiality level or
levels for particular
classes of
transactions, account
balances or
disclosures)
In some cases, there may be a need to identify misstatements of lesser amounts
than overall materiality that would affect the economic decisions of financial
statements users. This could relate to sensitive areas such as particular note
disclosures (that is, management remuneration or industry-specific data),
compliance with legislation or certain terms in a contract, or transactions upon
which bonuses are based. It could also relate to the nature of a potential
misstatement.
Nature of misstatements
In addition to the size of a misstatement, the auditor would consider the nature of potential misstatements
and the particular circumstances of their occurrence, when evaluating their effect on the financial
statements. The circumstances related to some misstatements may cause the auditor to evaluate them as
material even if they are below materiality. Examples could include illegal acts, non-compliance with
loan covenants, and non-compliance with statutory/regulatory reporting requirements. However, it is not
considered practicable to design audit procedures to detect misstatements that could be material solely
because of their nature.
06/10/2010
Page 296
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Performance Materiality
Performance materiality is used by the auditor to reduce the risk to an appropriately low level that the
accumulation of uncorrected and unidentified misstatements exceeds materiality for the financial
statements as a whole (overall materiality) or materiality levels established for particular classes of
transactions, account balances or disclosures (specific materiality).
Performance materiality is set at a lower amount (or amounts) than overall or specific materiality. The
objective is to perform more audit work than would be required by the overall or a specific materiality to:
• Ensure that misstatements less than overall or specific materiality are detected, and
• Provide a margin or buffer for possible undetected misstatements. This buffer is between
detected but uncorrected misstatements in the aggregate and the overall or specific materiality.
This margin provides some assurance for the auditor that undetected misstatements, along with all
uncorrected misstatements, will not accumulate to likely reach an amount that would cause the financial
statements to be materially misstated.
The determination of performance materiality is not a simple mechanical calculation. It involves the
exercise of professional judgment based on the specific risk factors identified, the auditor’s understanding
of the entity and any matters the auditor has identified in previous audit engagements.
Performance materiality is set in relation to overall materiality or specific materiality. For example, a
specific performance materiality can be set at a lower amount than overall performance materiality for
testing repairs and maintenance expenses if there is a higher risk of assets not being capitalized. Specific
performance materiality may also be used to perform additional work in areas that may be sensitive due to
the nature of potential misstatements and their occurrence rather than their monetary size.
6.2
How to Determine Materiality
The following paragraphs address the determination and use of overall and specific materiality.
Overall Materiality
Overall materiality is based on the auditor’s perceptions of the needs of financial statement users.
Auditors can assume the following about financial statement users.
Exhibit 6.2-1
Assumptions
•
•
Financial Statement
Users
•
•
•
A reasonable knowledge of business and economic activities and
accounting;
A willingness to study the information in the financial statements with
reasonable diligence;
Understand that financial statements are prepared, presented and audited to
levels of materiality;
Recognize the uncertainties inherent in the measurement of amounts based
on the use of estimates, judgment and the consideration of future events; and
Make reasonable economic decisions on the basis of the information in the
financial statements.
A percentage numerical threshold (or benchmark) is often used as a starting point in the determination.
The nature of the benchmark and the percentage to be applied are based on professional judgment. For
06/10/2010
Page 297
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
example, in an owner-managed business where the owner takes much of the profit before tax in the form
of remuneration, a benchmark such as profit before remuneration and tax may be more relevant.
Consider Point
To provide some consistency, accounting firms may want to establish some firm-wide guidelines on
how materiality will be initially be determined including the use of appropriate benchmarks. However,
the actual benchmark to be used would be based on professional judgement in light of the particular
circumstances of the entity. This also applies to the use of performance materiality which is
essentially a tool used by the auditor to address to the risk of material misstatement by “catching”
misstatements that fall below a certain threshold.
When identifying an appropriate benchmark to use, the auditor would consider the matters outlined in
the exhibit below and obtain an understanding of the views and expectations of management and those
charged with governance.
Exhibit 6.2-2
Consider
Choosing the Right
Benchmark to Use
Choosing the Right
Benchmark to Use
(continued)
Users
Determine who are the likely users of the financial statements. This would
include the entity’s owners (and other shareholders) and those charged with
governance, financial institutions, franchisors, major funders, employees,
customers, creditors and government agencies and departments.
Specific user expectations
Identify any specific user expectations such as the following:
• Measurement or disclosure of items such as related-party transactions,
management remuneration and compliance with sensitive laws and
regulations;
• Industry-specific disclosures such as exploration costs in a mining
company and research costs in a high technology or pharmaceutical
company; and
• Major events or contingencies. This could include disclosure of events
such as an acquisition, divestiture, restructuring or significant legal
proceedings against the entity.
• Existence of covenants in loan agreements, particularly those where the
entity is close to breaching a covenant. If a small uncorrected error would
mean that a covenant had been violated, this could have a significant effect
on the financial statements and could, at worst, effect the appropriateness
of using the going concern assumption in preparing the financial
statements.
Relevant financial statement elements
What are the major elements of the financial statements that will be of interest
to users (for example, assets, liabilities, equity, income and expenses)?
06/10/2010
Page 298
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider
Nature of the entity
Consider the nature of the entity, where the entity fits in the life cycle
(growing, mature, declining, etc.) and the industry and economic environment
in which the entity operates.
Adjustments required
Are adjustments required to “normalize” the benchmark base? For example,
income from continuing operations could be adjusted for:
• Unusual or non-recurring revenue/expense items; and
• Items such as a management bonus, which may be based on profits before
the bonus or simply paid out to reduce income left in the company.
The primary focus of users
What information in financial statement items will attract the most attention by
users? For example, users interested in:
• Evaluating financial performance will focus on profits, revenues or net
assets; and
• The resources utilized to achieve certain goals or ends will focus on the
nature and extent of revenues and expenditures.
Financing
How is the entity financed? If financed solely by debt (rather than equity
capital), users may put more emphasis on the pledged assets and any claims
than on the entity’s earnings.
Volatility
How volatile is the proposed benchmark? For example, a benchmark based on
earnings might normally be appropriate, but if the entity is operating close to
breakeven each period (such as small profits or losses) or their results fluctuate
widely, it may not be the appropriate base for determining materiality.
Alternatives
Is an alternative benchmark necessary to address special circumstances?
Alternative benchmarks could include current assets, net working capital, total
assets, total revenues, gross profit, total equity and cash flow from operations.
Performance Materiality
Whereas overall and specific materiality is set in relation to the needs of financial statement users,
performance materiality is set at a lower amount. This will result in more audit work being performed
(smaller misstatements may be identified) and audit risk being reduced to an appropriately low level.
If the audit was planned solely to detect individually material misstatements, there would be no margin of
error to identify and account for immaterial misstatements that might exist. As a result, it could be
possible for the aggregate of individually immaterial misstatements to cause the financial statements to be
06/10/2010
Page 299
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
materially misstated.
Performance materiality is designed to:
• Ensure that immaterial misstatements less than overall or specific materiality are detected, and
• Provide a margin or buffer for possible undetected misstatements. This buffer is between
detected but uncorrected misstatements in the aggregate and the overall or specific materiality.
The determination of performance materiality would not be a simple mechanical calculation such as 80%
of overall materiality. This simplification would ignore specific risk factors that may be relevant to the
entity. For example, if there was a high risk of errors in inventory pricing, performance materiality could
be lowered so that additional work is performed to identify the extent of misstatements. Conversely, if the
risk of misstatement in the receivables balance is assessed as low, the performance materiality could be
raised resulting in less substantive audit work on the balance.
Performance materiality requires the auditor to exercise professional judgment and is affected by:
•
The auditor’s understanding of the entity, which is updated during the execution of the risk
assessment procedures; and
•
The nature and extent of misstatements identified in previous audits.
Consider Point
Do not reduce the overall materiality level based on high audit risks
Avoid the mistake of reducing the overall (financial statement) materiality level because of an audit
risk assessed as high. Overall materiality is based on users’ information needs, not on how risky a
particular balance might be to audit. Lowering the overall materiality threshold implies that:
•
The decision of a financial statement user is affected by audit risk rather than the information
contained in the financial statements; and
•
Additional work will be performed by the auditor to ensure that no misstatements exist in the
financial statements that individually or accumulated together exceed the overall materiality
threshold.
A better approach is to address audit risk by setting the performance materiality at the class of
transaction or account balance level at a lower level. This will ensure that sufficient work is performed
to detect any misstatements without having to reduce the overall materiality level. It also creates a
safety buffer to cover unidentified misstatements in the work performed.
Establish overall materiality level by reference to financial statement users and then establish
performance materiality for the purpose of designing further audit procedures.
Sensitive financial statement disclosures, balances and issues
Use a specific performance materiality for designing further audit procedures that address specific
risks and balances in sensitive audit areas.
Summary
The materiality levels and use of performance materiality are summarized in the exhibit below.
Exhibit 6.1-2
06/10/2010
Page 300
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Overall
Specific
Performance
Purpose
To establish the threshold
for determining whether the
financial statements are free
from material misstatement,
whether due to error or
fraud.
To establish a threshold(s)
(lower than overall
materiality) to be applied to
particular classes of
transactions, account
balances or disclosures
where misstatements of
lesser amounts than overall
materiality for the financial
statements could reasonably
be expected to influence the
economic decisions of
users.
To establish the threshold(s)
(lower than overall or
specific materiality) that
ensures immaterial
misstatements (less than
overall or specific
materiality) are identified
and provides the auditor
with a safety margin
(misstatements are
accumulated to this level
rather than overall or
specific materiality).
Basis of
Calculation
What level of misstatement
in the financial statements
would be tolerable to users
(that is, would not affect the
economic decisions made
by a financial statement
user)?
What level of misstatement
relating to special
circumstances in a
particular class of
transactions, account
balances or disclosures
could reasonably be
expected to influence the
economic decisions of
users?
What amount of audit work
will be required to:
Materiality is a matter of
professional judgment
rather than a mechanical
exercise. As a result no
specific guidance is
provided in the ISA.
However, income from
continuing operations (3 to
7%) is often used in
practice as having the
greatest significance to
financial statement users. If
income is not a useful
measure, (such as for a not
for profit entity or where
income is not a stable base)
then consider other bases
such as:
Establish a lower, specific
materiality amount (based
on professional judgment)
for the audit of specific or
sensitive financial
statement areas.
No specific guidance is
provided in the ISA.
Percentages range from
60% (of overall or specific
materiality) where there is a
higher risk of material
misstatement up to 85%
where the assessed risk of
material misstatement is
less.
Rules of
Thumb
(for use as
a starting
point)
06/10/2010
•
identify misstatements
below overall or
specific materiality; and
•
leave a buffer for
undetected
misstatements.
Page 301
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Overall
•
•
•
•
•
•
6.3
Performance
Revenues or
expenditures 1 to 3%;
Assets 1 to 3%; or
Equity 3 to 5%.
Use in the Determining whether
uncorrected misstatements
Audit
individually or in aggregate
exceed overall materiality.
Revision
as Audit
Progresses
Specific
•
Determining whether
uncorrected misstatements
•
individually or in aggregate
exceed the specific
materiality.
A change in
A change in the special
circumstances that
circumstances.
occurred during the
audit such as the sale of
part of the business;
New information; or
A change in the
auditor's understanding
of the entity and its
operations, as a result
of performing further
audit procedures. For
example; actual
operating results being
very different from
expected.
•
•
•
Assessing the risks of
material misstatement;
Designing further audit
procedures to respond
to assessed risks.
Changes in assessed
risks;
Nature and extent of
misstatements found
when performing
further audit
procedures; or
Change in
understanding of the
entity.
Materiality in Planning and Risk Assessment
Determining the various materiality levels is a key component of the planning process. This is not a
discrete phase of an audit, but rather a continual and iterative process.
Exhibit 6.3-1
Materiality
Planning
(overall strategy and
audit plans)
06/10/2010
Use materiality to:
• Determine what financial statement areas require auditing.
• Set the context for the overall audit strategy.
• Plan the nature, timing and extent of specific audit procedures.
• Determine specific materiality for particular classes of transactions,
account balances or disclosures where misstatements at lesser amounts
than overall or performance materiality could reasonably be expected to
influence the economic decisions of users.
• Determine performance materiality for each specific materiality level as it
may be necessary for the auditor to work using a performance materiality
Page 302
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Materiality
Risk Assessment
Procedures
Team Meetings
•
level for a particular class of transactions, account balance or disclosure,
depending on the level of risk associated with that item.
Evaluate later evidence to determine the need for any adjustment to any of
the materiality levels. If so, the auditor would revise the nature, timing and
extent of procedures accordingly.
•
•
•
•
Identify what risk assessment procedures are necessary.
Provide a context when evaluating the information obtained.
Assess the magnitude (impact) of the risks identified.
Assess results of risk assessment procedures.
•
Ensure team members understand the identified users and what could
reasonably be expected to change their economic decisions. This may help
in the event a team member become aware of information during the audit
that would have caused a different amount of materiality to be determined
initially. Examples of such matters include:
(a) a decision to dispose of a major part of the entity's business,
(b) new information or risk factors that would have affected the initial
determination of materiality
(c) change in the auditor's understanding of the entity and its
operations as a result of performing further audit procedures, such
as when actual financial results are substantially different from
anticipated results
Establish overall audit strategy.
Determine the extent of testing in relation to:
− Performance materiality, and
− Specific performance materiality.
Identify critical audit issues and areas for significant audit focus.
•
•
•
Consider Point
The determination of overall performance and specific performance materiality levels requires the use
of professional judgment. It is suggested (but not required) that teams discuss the judgments applied in
determining materiality levels with the engagement partner and obtain his/her approval. Finally,
record the judgments used in determining materiality in sufficient detail in the audit working papers.
6.4
Materiality in Performing Audit Procedures
Auditors should consider materiality when determining the nature, timing and extent of audit procedures.
Exhibit 6.4-1
Materiality
Performing Audit
06/10/2010
Use materiality to:
• Identify what further audit procedures are necessary.
Page 303
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Materiality
•
Procedures
•
•
•
•
•
Determine which items to select for testing and whether to use sampling
techniques.
Assist with determining sample sizes (For example, sampling interval =
precision (materiality) ÷ confidence factor).
Evaluate representative sampling errors by extrapolating across population
for “likely” misstatements.
Evaluate the aggregate of total errors at the account level up to the
financial statement level.
Evaluate the aggregate of total errors including the net effect of
uncorrected misstatements in opening retained earnings.
Assess results of procedures.
Note: The overall audit strategy and audit plan will need to be revised where:
•
The nature of identified misstatements and the circumstances of their occurrence
indicate that other misstatements may exist that, when aggregated with misstatements
accumulated during the audit, could be material; or
•
The aggregate of misstatements accumulated during the audit approaches materiality.
Consider Point
Overall materiality is unlikely to change very often. However, it may need to be revised as the auditor
becomes aware of new information or there is a change in the auditor’s understanding of the entity
and its operations. If a change is required ensure the audit team should is informed and the impact on
the audit plan.
Performance materiality may change based on new risk factors or new audit findings that may not
impact overall materiality. Changes in performance materiality will result in the modification of the
nature, timing and extent of audit procedures. Of course, if overall materiality changes, a
corresponding change will likely be required in performance materiality.
6.5
Materiality in Reporting
Paragraph #
Relevant Extracts from ISAs
450.11
The auditor shall determine whether uncorrected misstatements are material, individually or in aggregate.
In making this determination, the auditor shall consider:
(a) The size and nature of the misstatements, both in relation to particular classes of transactions,
account balances or disclosures and the financial statements as a whole, and the particular
circumstances of their occurrence; and (Ref: Para. A13-A17, A19-A20)
(b) The effect of uncorrected misstatements related to prior periods on the relevant classes of
transactions, account balances or disclosures, and the financial statements as a whole. (Ref: Para.
A18)
06/10/2010
Page 304
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
450.12
The auditor shall communicate with those charged with governance uncorrected misstatements and the
effect that they, individually or in aggregate, may have on the opinion in the auditor's report, unless
prohibited by law or regulation. The auditor's communication shall identify material uncorrected
misstatements individually. The auditor shall request that uncorrected misstatements be corrected. (Ref:
Para. A21-A23)
Refer to Volume 2, Chapter 21 for more information on evaluating misstatements.
Prior to issuing an opinion, the auditor would:
•
Confirm the materiality established for the financial statements as a whole;
•
Evaluate the nature and the aggregate of uncorrected misstatements that are identified; and
•
Make an overall assessment as to whether the financial statements are materially misstated.
Exhibit 6.5-1
Materiality
Reporting
The auditor would use materiality to:
• Evaluate the aggregate of total errors at the account level up to the
financial statement level.
• Evaluate the aggregate of total errors including the net effect of
uncorrected misstatements in opening retained earnings.
• Determine whether additional audit procedures should be performed when
the aggregate misstatements are approaching overall or specific
materiality.
• Request that management correct all identified misstatements.
• Consider rechecking areas of highest misstatement.
• Make judgments about the nature and sensitivity of the misstatements
identified as well as size.
• Determine whether the auditor’s report needs to be modified due to
uncorrected material misstatements.
The aggregate of misstatements is made up of:
•
Specific misstatements identified by the auditor as a result of their audit testing; and
•
An estimate of other misstatements identified that cannot otherwise be specifically quantified.
The auditor would then request management to record all the identified misstatements.
Refer to Volume 2, Chapter 21 for additional information on evaluating audit evidence obtained.
6.6
Other Considerations
Other considerations include:
06/10/2010
Page 305
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Communicating to management and those charged with governance;
•
Updating materiality; and
•
Reducing materiality level from previous period.
Communicating with Management and Those Charged With Governance
Management and those charged with governance need to understand the limitations concerning the degree
of precision that can be expected from an audit. They also need to be aware that it is not economically
feasible to design audit procedures that will provide absolute assurance that the financial statements are
not materially misstated. An audit can provide only reasonable assurance in this regard.
When misstatements are identified by the auditor during the course of the audit, the first step is to request
management that all the uncorrected misstatements be corrected. If management decides not to correct
certain misstatements the auditor is then required to communicate with those charged with governance the
following:
• Details of uncorrected misstatements and the effect that they, individually or in aggregate, may
have on the opinion in the auditor's report, (unless prohibited by law or regulation).
• Material uncorrected misstatements individually.
• The effect of uncorrected misstatements related to prior periods on the relevant classes of
transactions, account balances or disclosures, and the financial statements as a whole.
Updating Materiality
The preliminary assessment of overall and performance materiality may change from the initial audit
planning to the time of evaluating the results of the audit procedures. This could result from a change in
circumstances or from a change in the auditor’s knowledge as a result of performing audit procedures. For
example, if audit procedures are performed prior to the period end, the auditor will anticipate the results
of operations and the financial position. If the actual results of operations and financial position are
substantially different, the assessments of materiality and audit risk may also change.
Reducing Materiality Level from Previous Period
When circumstances change from one period to the next, the auditor should consider the effect of any
misstatement on the opening equity. For example, where sales and income are substantially less than the
previous period’s, a lower materiality is required. Errors could exist in opening figures, as the audit was
previously conducted using a higher materiality level. To reduce the risk of a material error occurring in the
opening equity, the auditor may perform further audit procedures on the opening asset and liability balances.
Consider Points:
New engagements
When accepting a new audit engagement, inquire about the overall materiality used by the previous
auditor. If available, this would help in determining whether further audit procedures may be required
on the opening asset and liability balances.
Use of management experts
Ensure that any experts employed by the entity (to assist the entity in preparing the financial
statements) or used by the audit team are instructed to use an appropriate materiality level in relation
to the work they perform.
06/10/2010
Page 306
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
6.7
Documentation
Document the determination of the following and the factors considered in their determination:
•
Overall materiality;
•
Where applicable, the specific materiality level(s) for particular classes of transactions, account
balances or disclosures;
•
Performance materiality; and
•
Any revision of the above factors as the audit progresses.
6.8
Case Studies ─ Determining and Using Materiality
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
Materiality is often documented on a worksheet that includes a summary of operating results and provides
space for other materiality considerations such as qualitative factors.
Case Study A ─ Dephta Furniture Inc.
Dephta Furniture Inc.
(Excerpt)
Materiality assessment
The main users of the financial statements are the bank and the shareholders. The materiality
number used in last period was 8,000Є.
See W/P Ref. # for possible materiality amounts based on income from continuing operations,
as well as revenue. Using our professional judgement we decided to base our materiality on 5%
of the profit before tax after adding back the management bonus of 70,000 Є. Other bases for
materiality such as revenues were also considered but it was felt that profit before tax was the
most meaningful amount in relation to the identified financial statement users.
For this period, the plan is to use 10,000Є as the overall materiality. The concept of materiality
and its use in the audit has been discussed in general terms with the client.
Using professional judgment, and the types of misstatements identified in previous audits,
overall performance materiality has been set at 7,500Є.
A specific materiality for the local sales taxes paid has been set at 1,000Є as we are required to
audit and report on this amount to the local government.
Also see W/P 615 on quantitative analysis……..
Prepared by: JF
Date: December 8, 20X2
Reviewed by: LF
Date: January 5, 20X3
06/10/2010
Page 307
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study B ─ Kumar & Co.
Kumar & Co.
(Excerpt)
Materiality assessment
The main users of the financial statements are the bank and the owners.
The materiality number used in the last period was 3,000Є.
Based on consideration of user needs, we decided to base materiality at approximately 1% of
sales. In our judgement revenues provide a more stable base for materiality than profits before
tax. For this period, we plan to use 2,500Є as the overall materiality. The concept of materiality
and its use in the audit has been discussed in general terms with the client.
Using professional judgment which is largely based on the history of errors in previous periods,
overall performance materiality has been set at 1,800Є.
Other matters
See W/P 615 for…..
Prepared by: JF
Date: December 8, 20X2
Reviewed by: LF
Date: January 5, 20X3
06/10/2010
Page 308
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
This page is intentionally left blank.
06/10/2010
Page 309
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
7.
AUDIT TEAM DISCUSSIONS
Chapter Content
Purpose and nature of required discussions among the
audit team about the susceptibility of the entity’s
financial statements to material misstatements.
Relevant ISAs
240, 300, 315
Exhibit 7.0-1
Paragraph #
Relevant Extracts from ISAs
315.10
The engagement partner and other key engagement team members shall discuss the susceptibility of the
entity’s financial statements to material misstatement, and the application of the applicable financial
reporting framework to the entity’s facts and circumstances. The engagement partner shall determine
which matters are to be communicated to engagement team members not involved in the discussion. (Ref:
Para. A14-16)
240.15
ISA 315 requires a discussion among the engagement team members and a determination by the
engagement partner of which matters are to be communicated to those team members not involved in the
discussion. This discussion shall place particular emphasis on how and where the entity’s financial
statements may be susceptible to material misstatement due to fraud, including how fraud might occur.
The discussion shall occur setting aside beliefs that the engagement team members may have that
management and those charged with governance are honest and have integrity. (Ref: Para. A10-A11)
240.44
The auditor shall include the following in the audit documentation of the auditor’s understanding of the
entity and its environment and the assessment of the risks of material misstatement required by ISA 315:
06/10/2010
Page 310
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(a) The significant decisions reached during the discussion among the engagement team regarding the
susceptibility of the entity’s financial statements to material misstatement due to fraud; and
(b) The identified and assessed risks of material misstatement due to fraud at the financial statement level
and at the assertion level.
7.1
Overview
A critical element in the success of any audit engagement is good communication among the audit team
members. Communication starts with the assignment of team members, arranging the team meeting to
plan the engagement and then continues throughout the engagement. The benefits of good communication
include those set out in the following exhibit.
Exhibit 7.1-1
Benefits
Audit productivity
• Each person on the team will understand the entity being audited, the
financial reporting framework to be used, what his/her specific role will be
in the audit and the expectations about how and when work will be
performed.
• Potential for over and under auditing will be significantly reduced.
Need for Ongoing
Communication
Among the Audit
Team Members
Audit effectiveness
• Staff is provided insights about the client and audit expectations directly from
the senior personnel such as the engagement partner.
• Team discussions on the susceptibility of the financial statements to material
misstatements will help determine the business and fraud risks that need to be
addressed.
• Better decisions will be made about the nature, timing and extent of risk
assessment and further audit procedures.
• Open lines of communication enable quick reactions to new information in
areas such as unusual transactions/events, related parties and reporting issues.
Staff development
• Best practices in auditing will be transferred from partners to staff.
• Staff will be encouraged to ask questions and reconsider the effectiveness
of the previous period’s responses to assessed risks.
Effective ongoing communication requires:
•
Involvement by (and undivided attention of) the engagement partner and senior personnel; and
•
Willingness of senior personnel to listen to junior staff. This includes understanding the engagement
from the perspective of junior staff, encouraging their questions and suggestions and then providing
06/10/2010
Page 311
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
feedback.
Exhibit 7.1-2
Consider Point
Audit team discussions are critical to an effective audit. Avoid the temptation to rush through the
agenda due to other time pressures. These discussions enable audit risks to be discussed, fraud
scenarios to be developed and possible responses developed. It also provides an opportunity for staff
to learn about the entity’s business and what is expected from them on the audit. Staff can also be
encouraged to put forward their ideas on how the audit could be improved.
7.2
Audit Team Planning Meeting
On larger engagements, a planning meeting should be scheduled well in advance of the commencement of
fieldwork. This will provide the time necessary to prepare or make changes in the detailed audit plan. On
very small engagements, planning may best be achieved through brief discussions at the start of the
engagement and as the audit progresses.
Team members should be encouraged to come to the meeting with a questioning mind and be prepared to
participate and share information with an attitude of professional skepticism. They should set aside any
beliefs that management and those charged with governance are honest and have integrity. The extent of
the discussion should be influenced by the roles, experience and the information needs of the audit
engagement team members.
The three key areas to address are outlined in the exhibit below.
Exhibit 7.2-1
Key Areas
to Address
Purpose: To have an open discussion
Share Insights on
the Entity such as
the People,
The entity
• History and business objectives.
• The corporate culture.
06/10/2010
Page 312
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Key Areas
to Address
Purpose: To have an open discussion
Operations and
Objectives
•
•
Changes in operations, personnel or systems.
Application of the applicable financial reporting framework to the entity’s
facts and circumstances.
Management
• The nature/structure of the entity and management.
• The attitude toward internal control.
• Incentives to commit fraud.
• Unexplained changes in the behavior or lifestyle of key employees.
• Any indications of management bias.
Known risk factors
• Experience from previous audit engagements.
• Significant business risk factors.
• Opportunity for fraud to be perpetrated.
Key Areas
to Address
Brainstorm
Purpose: To brainstorm ideas and possible audit approaches
Potential for errors and fraud
• Which financial statement areas may be susceptible to material
misstatement (fraud and error)? This step is a requirement on all audits.
• How could management perpetrate and conceal fraudulent financial
reporting? It may be helpful to develop various fraud scenarios or, where
possible, use the services of a forensic accountant. Consider journal
entries, management bias in estimates/provisions, changes in accounting
policies, etc.
• How could assets be misappropriated or misused for personal purposes?
• Are there non-selfish incentives (such as to maintain a funding source for a
not-for-profit entity) to manipulate the financial statements?
Response to risks
• What possible audit procedures/approaches might be considered to
respond to the risks identified above?
• Consider whether an element of unpredictability will be incorporated into
the nature, timing and extent of the audit procedures to be performed.
Key Areas
to Address
Audit Planning
06/10/2010
Purpose: To provide direction
Specific areas to address:
Ensure that the specific requirements of all ISAs relevant to the audit are
Page 313
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Key Areas
to Address
Purpose: To provide direction
appropriately addressed in the audit plan. ISAs that include specific procedures
to be performed include:
ISA 240
the auditor's responsibilities relating to fraud in an audit of
financial statements
ISA 402
audit considerations relating to an entity using a service
organization
ISA 540
auditing accounting estimates, including fair value accounting
estimates, and related disclosures
ISA 550
related parties
ISA 600
audits of group financial statements (including the work of
component auditors)
Provide direction to the audit team
• Determine materiality levels.
• Assign roles and responsibilities.
• Provide staff with an overview of the audit sections they are responsible
for completing. Address the approach required, special considerations,
timing, documentation required, the extent of supervision provided, file
review and any other expectations.
• Stress the importance of maintaining professional skepticism throughout
the audit.
Note: If some (junior) members of the audit team are not able (or are not invited) to attend the meeting,
the engagement partner would determine which matters arising are to be communicated to them.
Consider Point
Emphasize the importance for staff to be alert for indications of dishonesty, but also to be careful not
to jump to any conclusions, particularly when discussing findings with the entity’s management or
staff. Indicate possible circumstances (red flags) that, if encountered, might indicate the possibility of
fraud.
Fraud is generally discovered by identifying patterns, exceptions and oddities in transactions and
events. For example, a false claim in an expense account would be immaterial to the financial
statements by itself but could be indicative of a much larger issue, such as lack of management
integrity.
7.3
Communication During and at Completion of the Audit
Each member of the audit team will have a slightly different perspective on the entity. Some of the
information gathered by a particular team member may not even make sense unless it is combined with
information obtained by other team members. This is particularly true in relation to fraud, where it is the
06/10/2010
Page 314
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
identification of small patterns, oddities and exceptions that may lead to its ultimate detection.
A simple analogy is the jigsaw puzzle. Each part by itself does not enable a person to see the entire
picture. It is only when all the pieces are put together that the big picture can be seen. The same is true in
auditing. It is only when the individual knowledge/findings of each auditor are shared with the team that
the bigger picture emerges.
Exhibit 7.3-1
Sharing Findings
Team discussions need not be confined to just the planning meeting. Audit team members should be
encouraged to communicate and share the information that they obtain throughout the audit on any
matters of relevance, particularly when it affects the assessment of risk and planned audit procedures.
06/10/2010
Page 315
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
Hold short debriefing meetings at strategic times during the audit
In addition to the audit planning discussions at the start of the engagement, it may be beneficial (but
not required) for the audit team (however small) to meet (or arrange a conference call) and discuss
audit findings after the following audit phases.
Performing risk assessment procedures and further audit procedures
These debriefing sessions do not need to be formal or long, and enable audit team members to report
verbally on their findings, exceptions found and concerns noted. They can also report on any matters
(however small) that seemed odd or did not make sense. It is often the small matters that, when
combined with information obtained by other team members, point to a possible risk factor (such as
fraud) that may require further work to be performed. Even when the audit team comprises only two
people, these meetings can yield significant results.
Completing the audit
Once the previous audit is complete, the temptation is always to move on and start the next
engagement. As a result, a lot of knowledge that could be helpful for performing next period’s audit
can get lost. A short meeting or conference call after each audit could be used to obtain feedback from
the audit team and determine what can be improved. This would include identifying:
•
Audit areas that might require additional or less attention in the future;
•
Any other unexpected findings, unusual transactions or financial pressures on personnel that may
be an indicator of fraud or an incentive to commit fraud;
•
Any planned changes that will affect future engagements such as key personnel changes, new
financing, an acquisition, new products or services, the installation of a new accounting system or
other internal control changes;
•
Areas where additional assistance could be provided by the entity such as an analysis of certain
financial statement areas; and
•
Where significant risk factors exist, the debriefing meeting could also address whether the firm
wishes to continue with the client the following period. If the firm resigns right after the audit
finishes, the reasons will be fresh in everyone’s mind and it would provide the entity with more
time to find another auditor.
At the initial planning meeting, a time and date for these debriefing sessions can be scheduled.
7.4
Case Studies — Audit Team Discussions
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
The most recent financial statements, the listing of assessed risks from previous periods (or this period, if
updated) and the audit response could usefully be circulated to engagement team members before the
meeting. At the meeting, emphasize the need for professional skepticism and the need to immediately
report any suspicious situations or possible warning signals of fraud.
Documentation may be in the form of a standard agenda or a memo to file.
06/10/2010
Page 316
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study A ─ Dephta Furniture Inc.
Date of meeting: November 15, 20X2
Agenda item
Minutes of meeting
1. Materiality and significant account
balances.
Increase overall materiality to 10,000Є based on
growth in profitability and sales, and performance
materiality to 7,500Є.
2. Timing, key dates and availability of client
personnel.
Confirmed that last period’s timing is appropriate
and our requests for management help in
preparing certain schedules are reasonable.
3. What can we learn from past experience
such as issues/events that caused delays
and areas of over/under auditing?
Inventory internal control was poor last year and
resulted in additional work. Client has indicated
that this will be addressed before this period end.
4. Any new concerns about management
integrity, going concern, litigation, etc.?
See newspaper clipping re: Parvin. This may be
isolated but we need to be cautious.
5. Changes this period in business
operations and/or financial condition,
industry regulations, accounting policies
used and people.
Internet sales now account for 12% of sales.
There are also plans for significant growth. This
will put a strain on cash resources, internal control
and the operating systems. The current economic
downturn puts additional pressure on the
organization to maintain sales levels despite the
drop in demand and sales prices.
6. Susceptibility of the financial statements to
fraud. In what possible ways could the
entity be defrauded? Develop some
possible scenarios and then plan
procedures that would confirm or dispel
any suspicions.
Management bias and override to avoid tax
liability are possible. Management’s estimates,
journal entries and related-party transactions are
susceptible to manipulation. Also, Arjan (the
senior salesperson) lives an expensive lifestyle.
We should also look at the bonus calculations and
the sales revenue.
7. Significant risks that require special
attention.
Defaulting on bank covenants. Suraj says he is
going to renegotiate the bank terms this period to
provide some flexibility.
8. Appropriate audit responses to the risks
identified.
The detailed audit plan was reviewed in some
detail with the staff member responsible and a
number of efficiencies were identified.
9. Consider the need for specialized skills or
IT specialist to look at Internet sales and IT
06/10/2010
Page 317
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
consultants, testing internal controls vs.
substantive procedures, the need to
introduce unpredictability in some audit
tests and work that could be completed by
the client.
10. Audit team roles, scheduling and file
reviews.
controls in general. Scheduled visit for December
this period.
Overall and detailed audit plans have been
updated.
Prepared by: FJ
Date: February 20, 20X3
Reviewed by: LF
Date: March 3, 20X3
06/10/2010
Page 318
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study B ─ Kumar & Co.
Memo to file: Kumar & Co.
On November 30, 20X2, the audit team (partner and senior) met to plan the Kumar & Co. audit
engagement.
We discussed the following:
•
Overall materiality has been decreased to 2,500Є based on decline in profitability and sales.
Performance materiality has been set at 1,800Є.
•
Raj’s focus has been diverted recently to personal family matters. The bookkeeper’s work
may not be adequately reviewed. That leaves Ruby with a lot of control over the reported
numbers. Any unintentional or intentional errors of Ruby’s could go undetected. This should
be treated as a significant fraud risk in the audit.
•
Management bias and override could occur to avoid tax liability or bank covenant violations.
Management’s estimates have traditionally been conservative. The audit team was reminded
to be alert for anything that appears unusual.
•
We will pay careful attention to transactions and pricing of products with the related party,
Deptha.
Audit Plan:
•
Confirmed that last period’s timing is appropriate and we will again request management’s
help in preparing certain schedules. However, since Kumar & Co. had a difficult time getting
the requested schedules for us on time last period, we will spend time this period with Ruby
in advance and provide her with example schedules to ensure she understands what is
needed and the required due dates.
•
The detailed audit plan was reviewed in some detail. Procedures in some areas were
expanded based on the assessed risk and a number of other procedures were eliminated
where the assessed risk was low.
•
We decided that it will be more efficient to perform substantive procedures than to perform
tests of controls as there are no assertions where substantive procedures alone would not
provide sufficient appropriate audit evidence.
Prepared by: FJ
Date: December 3, 20X2
Reviewed by: LF
Date: December 6, 20X2
06/10/2010
Page 319
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
8.
INHERENT RISKS – IDENTIFICATION
Chapter Content
Relevant ISAs
240, 315
How to identify risks of material misstatement in the
financial statements.
Exhibit 8.0-1
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Documentation1
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph #
240.10
ISA Objective(s)
The objectives of the auditor are:
(a)
To identify and assess the risks of material misstatement of the financial statements due to fraud;
(b)
To obtain sufficient appropriate audit evidence regarding the assessed risks of material
misstatement due to fraud, through designing and implementing appropriate responses; and
(c)
To respond appropriately to fraud or suspected fraud identified during the audit.
315.3
The objective of the auditor is to identify and assess the risks of material misstatement, whether due to
fraud or error, at the financial statement and assertion levels, through understanding the entity and its
environment, including the entity's internal control, thereby providing a basis for designing and
implementing responses to the assessed risks of material misstatement.
Paragraph #
Relevant Extracts from ISAs
200.13
For purposes of the ISAs, the following terms have the meanings attributed below:
06/10/2010
Page 320
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(n) Risk of material misstatement – The risk that the financial statements are materially misstated prior to
audit. This consists of two components, described as follows at the assertion level:
(i)
Inherent risk – The susceptibility of an assertion about a class of transaction, account balance or
disclosure to a misstatement that could be material, either individually or when aggregated with
other misstatements, before consideration of any related controls.
(ii) Control risk – The risk that a misstatement that could occur in an assertion about a class of
transaction, account balance or disclosure and that could be material, either individually or when
aggregated with other misstatements, will not be prevented, or detected and corrected, on a
timely basis by the entity’s internal control.
240.11
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Fraud – An intentional act by one or more individuals among management, those charged with
governance, employees, or third parties, involving the use of deception to obtain an unjust or illegal
advantage.
(b) Fraud risk factors – Events or conditions that indicate an incentive or pressure to commit fraud or
provide an opportunity to commit fraud.
240.12
In accordance with ISA 200, the auditor shall maintain professional skepticism throughout the audit,
recognizing the possibility that a material misstatement due to fraud could exist, notwithstanding the
auditor’s past experience of the honesty and integrity of the entity’s management and those charged with
governance. (Ref: Para. A7- A8)
240.13
Unless the auditor has reason to believe the contrary, the auditor may accept records and documents as
genuine. If conditions identified during the audit cause the auditor to believe that a document may not be
authentic or that terms in a document have been modified but not disclosed to the auditor, the auditor shall
investigate further. (Ref: Para. A9)
240.15
ISA 315 requires a discussion among the engagement team members and a determination by the
engagement partner of which matters are to be communicated to those team members not involved in the
discussion. This discussion shall place particular emphasis on how and where the entity’s financial
statements may be susceptible to material misstatement due to fraud, including how fraud might occur.
The discussion shall occur setting aside beliefs that the engagement team members may have that
management and those charged with governance are honest and have integrity. (Ref: Para. A10-A11)
240.17
The auditor shall make inquiries of management regarding:
(a) Management’s assessment of the risk that the financial statements may be materially misstated due to
fraud, including the nature, extent and frequency of such assessments; (Ref: Para. A12-A13)
(b) Management’s process for identifying and responding to the risks of fraud in the entity, including any
specific risks of fraud that management has identified or that have been brought to its attention, or
classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist;
(Ref: Para. A14)
(c) Management’s communication, if any, to those charged with governance regarding its processes for
identifying and responding to the risks of fraud in the entity; and
06/10/2010
Page 321
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(d) Management’s communication, if any, to employees regarding its views on business practices and
ethical behavior.
240.18
The auditor shall make inquiries of management, and others within the entity as appropriate, to determine
whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. (Ref: Para.
A15-A17)
240.22
The auditor shall evaluate whether unusual or unexpected relationships that have been identified in
performing analytical procedures, including those related to revenue accounts, may indicate risks of
material misstatement due to fraud.
240.23
The auditor shall consider whether other information obtained by the auditor indicates risks of material
misstatement due to fraud. (Ref: Para. A22)
240.24
The auditor shall evaluate whether the information obtained from the other risk assessment procedures and
related activities performed indicates that one or more fraud risk factors are present. While fraud risk
factors may not necessarily indicate the existence of fraud, they have often been present in circumstances
where frauds have occurred and therefore may indicate risks of material misstatement due to fraud. (Ref:
Para. A23-A27)
240.44
The auditor shall include the following in the audit documentation of the auditor’s understanding of the
entity and its environment and the assessment of the risks of material misstatement required by ISA 315:
(a) The significant decisions reached during the discussion among the engagement team regarding the
susceptibility of the entity’s financial statements to material misstatement due to fraud; and
(b) The identified and assessed risks of material misstatement due to fraud at the financial statement level
and at the assertion level.
315.11
The auditor shall obtain an understanding of the following:
(a) Relevant industry, regulatory, and other external factors including the applicable financial reporting
framework. (Ref: Para. A17-A22)
(b) The nature of the entity, including:
(i)
its operations;
(ii) its ownership and governance structures;
(iii) the types of investments that the entity is making and plans to make, including investments in
special-purpose entities; and
(iv) the way that the entity is structured and how it is financed to enable the auditor to understand the
classes of transactions, account balances, and disclosures to be expected in the financial
statements. (Ref: Para. A23-A27)
(c) The entity’s selection and application of accounting policies, including the reasons for changes
thereto. The auditor shall evaluate whether the entity’s accounting policies are appropriate for its
business and consistent with the applicable financial reporting framework and accounting policies
used in the relevant industry. (Ref: Para. A28)
(d) The entity’s objectives and strategies, and those related business risks that may result in risks of
06/10/2010
Page 322
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
material misstatement. (Ref: Para. A29-A35)
(e) The measurement and review of the entity’s financial performance. (Ref: Para. A36-A41)
8.1
Overview
Identification of risk is the foundation of the audit. It is based upon and forms an integral part of the
auditor’s procedures to understand the entity and its environment. Without a solid understanding of the
entity, the auditor may miss certain risk factors. For example, if a client’s sales were increasing, it would
be important for the auditor to know that the industry sales as a whole were actually in sharp decline.
The objective of the risk assessment phase of the audit is to identify sources of risk and then to assess
whether they could possibly result in a material misstatement in the financial statements. This provides
the auditor with the information needed to direct audit effort to where the risk of material misstatement is
the highest and away from the less risky areas.
Risk assessment has two distinct parts:
•
Risk identification (asking “what can go wrong”); and
•
Risk assessment (determining the significance of each risk).
Risk assessment is addressed in Volume 2, Chapter 9.
Risk identification is illustrated below.
Exhibit 8.1-1
Risk Identification
What could go wrong and
result in a misstatement
in the Financial Statements?
List the business and fraud
risk factors identified (1-5)
06/10/2010
Perform Risk Assessment
Procedures
Entity objectives, external factors,
nature of entity, accounting policies,
performance measures &
internal control
1
2
3
4
5
Page 323
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Points
First identify the risks
You cannot assess a risk that has not first been identified. Avoid the temptation to assume that because
the entity is small, there are no relevant risks or that the risks of material misstatement will be the
same as the previous period. New risks may now exist and the nature/significance of some previously
identified risks may have changed.
After the first engagement, focus on what has changed from previous period
After the first engagement, focus on what has changed within each of the six risk sources (i.e.,
external nature of entity, etc.) as opposed to starting all over again. This will save time and focuses
attention on the nature and effect of new risks that may now exist and revisions to risks previously
identified.
8.2
Types of Risk
There are two major classifications of risks:
•
Business risks; and
•
Fraud risks.
The difference between business risk and fraud risk is that fraud risk results from a person’s deliberate
actions.
Note: In many instances a risk can be both a business and a fraud risk. For example, the introduction of a
new accounting system creates uncertainty (errors could be made as personnel learn the new
system) and would be classified as business risk. However it could also be classified as a fraud risk
because someone could take advantage of the uncertainty to misappropriate assets or manipulate the
financial statements.
Exhibit 8.2-1
Business Risk
The term “business risk” encompasses more than just the risks of material misstatement in the financial
statements. Business risks result from significant conditions, events, circumstances, actions or inactions
that could adversely affect the entity’s ability to achieve its objectives and execute its strategies. This
06/10/2010
Page 324
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
could also include the setting of inappropriate objectives and strategies.
Business risks also include events that arise from change, complexity or the failure to recognize the need
for change. Change may arise, for example, from:
•
The development of new products that may fail;
•
An inadequate market, even if new products are successfully developed; or
•
Flaws in the products that may result in liabilities and damage to the entity’s reputation.
Fraud Risk
Fraud risk relates to events or conditions that indicate an incentive or pressure to commit fraud or provide
an opportunity to commit fraud.
The auditor’s understanding of business and fraud risk factors increases the likelihood of identifying the
risks of material misstatement. However, there is no responsibility for the auditor to identify or assess all
of the possible business risks.
8.3
Sources of Information about Entity
The first step in the risk assessment process is to gather (or update) as much relevant information about
the entity as possible. This information provides an important frame of reference for identifying and
assessing possible risk factors.
Information about the entity and its environment can be obtained from both internal and external sources.
In many cases, the auditor will start with internal sources of information. This information can then be
checked for consistency with information obtained from external sources such as trade association data
and data about general economic conditions, which can often be obtained from the Internet. The
following exhibit shows some of the potential sources of information available.
Exhibit 8.3-1
06/10/2010
Page 325
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
A major source of information that is often overlooked is the auditor’s working paper files from
previous periods’ engagements. They often contain valuable information on matters such as:
•
Considerations or issues to address in planning this period’s audit;
•
Evaluation and source of possible adjustments and uncorrected errors;
•
Areas where there are recurring disagreements such as the assumptions used for accounting
estimates;
•
Areas which appear to be susceptible to error; and
•
Matters raised in the auditor’s communication with management and those charged with
governance.
The information gained from risk assessment procedures conducted before engagement acceptance or
continuance can be used as part of the audit team’s understanding of the entity.
8.4
Risk Assessment Procedures
Based on the information obtained about the entity, the auditor is now in a position to design the risk
assessment procedures discussed in Volume 1, Chapter 8. These risk assessment procedures will be
designed to obtain and document an understanding of the entity and its environment including internal
control.
The scope of the understanding required by the auditor for identifying risks is contained in six key areas
as follows.
Exhibit 8.4-1
A. External Factors
Nature of industry
Regulatory environment
Financial reporting framework
B. Nature of Entity
Operations and key personnel
Ownership and governance
Investment, structure and financing
C. Accounting Policies
Selection and application
Reasons for changes
Appropriateness to entity
D. Entity Objectives
& Strategies
Business plans and strategies
Financial implications and risks undertaken
E. Measurement/Review of
Financial Performance
What is measured
Who reviews financial results
F. Internal Control Relevant
Processes and relevant controls to mitigate risks
06/10/2010
Page 326
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
to the Audit
at the entity level and at the transactional level
The sufficiency of information (depth of understanding) required by the auditor is a matter of professional
judgment. It is less than that possessed by management in managing the entity. The last section (‘F’ in
Exhibit 8.4-1), which relates to internal controls relevant to the audit, is discussed in Volume 1, Chapter 5
and Volume 2, Chapters 4, 11 and 12.
Obtaining an understanding of the nature of the entity and its environment, including internal control, has
a number of benefits as outlined below.
Exhibit 8.4-2
Provides a Frame of Reference
Benefits Obtained
from Understanding
the Entity
Identifying risks and developing responses
• Making judgments about the risk assessments.
• Developing appropriate responses to identified risks of material
misstatement in the financial statements.
• Establishing materiality (refer to Volume 2, Chapter 6).
• Developing expectations needed for performing analytical procedures.
• Designing/performing further audit procedures to reduce audit risk to an
acceptably low level.
• Evaluating sufficiency/appropriateness of audit evidence obtained (for
example, appropriateness of assumptions used and management’s oral and
written representations).
Financial statement review
• Assessing management’s selection and application of accounting policies.
• Considering the adequacy of financial statement disclosures.
• Identifying audit areas for special consideration (for example, related-party
transactions, unusual or complex contractual arrangements, going-concern
or unusual transactions).
Consider Point
Obtaining an understanding of the entity is not a discrete task that can be completed early in the audit
and then put to one side. It is important to keep learning about the entity throughout the audit and be
alert to risk factors not previously identified or where the original assessment of risk needs updating.
8.5
Sources of Risk
Errors and fraud in financial statements arise from risk factors that have their origin in one or more of the
six required areas of understanding the entity (See Exhibit 8.4-1).
An example would be a new and complex tax being imposed on the entity. This would be an external risk
factor. A risk of misstatement in the financial statements could be a misinterpretation of the new law,
resulting in an incorrect calculation of tax payable and the amount owed. Note that the source (or cause)
06/10/2010
Page 327
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
of the risk is the new tax that affects the entity and not the error in calculation which is the effect of the
risk factor. As a consequence of the new tax the risk of a calculation error increases.
The following chart shows the six areas of understanding as being potential sources of risk.
06/10/2010
Page 328
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 8.5-1
Examples of sources of risk (but not the effect on specific financial statement areas) are outlined below.
Exhibit 8.5-2
Sources of Business and Fraud Risk
Business
Objectives and
Strategies
•
•
•
•
•
•
Inappropriate, unrealistic or overly aggressive objectives and strategies.
New products or services, or moving into new lines of business.
Entering into business areas/transactions with which the entity has little
experience.
Inconsistencies between IT and business strategies.
Response to rapid growth or decline in sales that can strain internal control
systems and people’s skills.
Use of complex financing arrangements.
Corporate restructurings.
Significant transactions with related parties.
•
•
•
•
•
•
•
State of the economy and changes in government regulation.
Declining demand for the entity’s products or services.
High degree of complex regulation.
Changes in the industry.
Inability to obtain required resources (materials or skilled personnel).
Deliberate sabotage of an entity’s products or services.
Constraints on the availability of capital and credit.
•
•
Poor corporate culture and governance.
Incompetent personnel in key positions.
•
•
External
Factors
Nature of Entity
06/10/2010
Page 329
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Sources of Business and Fraud Risk
Performance
Indicators
Accounting
Policies
Internal Control
•
•
•
•
•
•
•
•
Changes in key personnel, including departure of key executives.
Complexity in operations, organizational structure or products.
Product or service flaws that may result in liabilities and reputation risk.
Failure to recognize the need for change (skills required or technology).
Weaknesses in internal control, especially those not addressed by management.
Poor relationships with external funders, such as banks.
Going-concern and liquidity issues, including loss of significant customers.
Installation of new systems related to financial reporting.
•
•
Performance measures not used by management to assess the entity’s
performance and achievement of objectives.
Measures not used to improve operations or take corrective actions.
•
•
Inconsistent application of accounting policies.
Inappropriate use of accounting policies.
•
•
Inadequate management oversight of day-to-day operations.
Poor or nonexistent controls over entity level activities such as human
resources, fraud and preparation of accounting information such as estimates
and financial reports.
Poor or non existent controls over transactions such as revenues, purchases,
expenses and payroll.
Poor safeguarding of assets.
•
•
8.6
Fraud Risks
The term “fraud” refers to an intentional act by one or more individuals among management, those
charged with governance, employees or third parties, involving the use of deception to obtain an unjust or
illegal advantage.
Fraud involving one or more members of management or those charged with governance is referred to as
“management fraud”. Fraud involving only employees of the entity is referred to as “employee fraud”. In
either case, there may be collusion within the entity or with third parties outside of the entity.
The exhibit below outlines the types and characteristics of fraud.
06/10/2010
Page 330
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 8.6-1
Consider Point
For each risk factor identified, consider whether it is a business risk, a fraud risk or both. Many
sources of risk can result in both business and fraud risks. For example, a change in accounting
personnel can result in errors being made (business risk) but may also provide an opportunity for
someone to commit a fraud.
8.7
Types and Characteristics of Fraud
Although fraud can occur at any level in the organization, it tends to be more serious (and involve higher
monetary amounts) when senior management is involved.
Some of the major conditions that create an environment for fraud include:
•
Ineffective corporate governance;
•
Lack of leadership by management and poor “tone at the top”;
•
High incentives provided for financial performance;
•
Taxes or other expenses that are considered very high or onerous;
•
Complexity in the entity’s rules, regulations and policies;
•
Unrealistic expectations from bankers, investors or other stakeholders;
06/10/2010
Page 331
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Downward and unexpected shifts in profitability;
•
Unrealistic budget targets for staff to attain; and
•
Inadequate internal control, especially in the presence of organizational change.
As can be determined from the above, the most effective anti-fraud internal control would be a strong
commitment by those in governance and senior management positions to doing the right thing. This is
evidenced through articulated entity values and a commitment to ethics that are modeled on a day-to-day
basis. This is true for any size of organization.
8.8
The Fraud Triangle
The section, A Primer on Fraud (see Volume 1, Appendix A), outlines three conditions that often provide
clues to the existence of fraud. Forensic accountants often refer to this as the “fraud triangle” because
when all three conditions are present, it is highly likely that fraud may be occurring.
The conditions are:
•
Pressure
This is often generated by immediate needs (such as having significant personal debts or meeting an
analyst’s or bank’s expectations for profit) that are difficult to share with others.
•
Opportunity
A poor corporate culture and a lack of adequate internal control procedures can often create the
confidence that a fraud could go undetected.
•
Rationalization
Rationalization is the belief that a fraud has not really been committed. For example, the perpetrator
rationalizes “this is not a big deal” or “I am only taking what I deserve”.
Exhibit 8.8-1
For example, an owner-manager in the construction business might be offered a job to build a significant
addition to a friend’s house as long as it is a cash-only transaction with no paperwork involved. Consider
the three conditions.
•
The “pressure” on the owner-manager might be to reduce taxes that would otherwise be payable.
•
The “opportunity” is for the owner-manager to override the internal controls over revenue
recognition and not record the revenue from the sale.
•
The “rationalization” could be that the owner-manager is already paying far too much in taxes.
06/10/2010
Page 332
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Note: If any one of the three conditions is not present, the cash sale is unlikely to take place.
In conducting risk assessment procedures, audit team members need to consider the existence of all three
conditions and not just the opportunity for fraud. Consider the sources of fraud risk set out below.
Exhibit 8.8-2
Sources of Fraud Risk
Incentives and
Pressures
•
•
•
•
•
Attitudes and
Rationalizations
Financial stability or profitability is threatened by economic, industry or the
entity’s operating conditions.
Excessive pressure exists for management to meet the requirements or
expectations of third parties or those charged with governance (such as
earnings targets or compliance with onerous environmental regulations,
etc.).
Personal financial obligations may create pressure on management or
employees with access to cash or other assets susceptible to theft to
misappropriate those assets.
Adverse relationships between the entity and employees with access to cash
or other assets. For example:
– Known or anticipated future employee layoffs,
– Recent or anticipated changes to employee compensation or benefit
plans, and
– Promotions, compensation or other rewards inconsistent with
expectations.
The personal financial situation of management or those charged with
governance may be threatened by the entity’s financial performance (such
as financial interests, compensation, guarantees, etc.).
Rationalizations
• Management is interested in employing inappropriate means to:
–
Minimize reported earnings for tax-motivated reasons, and
–
•
•
•
•
•
Increase reported earnings to avoid violating bank covenants, increase
the sale price of the entity or meet targets set by a third party.
Employee behavior indicates displeasure or dissatisfaction with the entity.
Low morale exists among senior management.
Management is tolerant of some employee thefts. For example, no
disciplinary action is taken when an employee is caught stealing.
Management does not enforce the entity’s values or ethical standards.
Management disregards the need for monitoring or reducing risks related to
the misappropriations of assets.
Attitudes
• Management has a known history of violations of laws and regulations or
allegations of fraud.
• Management exhibits changes in behavior or lifestyle that may indicate
assets have been misappropriated.
• Senior managers demonstrate a poor ethical example (such as inflating
expense accounts and committing petty thefts, etc.).
06/10/2010
Page 333
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Sources of Fraud Risk
•
•
•
•
•
•
Opportunities
Management has overridden existing controls.
Management has failed to take appropriate remedial action on known
deficiencies in internal control.
The owner-manager makes no distinction between personal and business
transactions.
Disputes exist between shareholders in a closely-held entity.
Management makes recurring attempts to justify marginal or inappropriate
accounting on the basis of materiality.
The relationship between management and the current or predecessor
auditor is strained.
Assets susceptible to misappropriation
• Large amounts of cash on hand or processed.
• Inventory items that are small in size, of high value or in high demand.
• Easily convertible assets, such as bearer bonds, diamonds or computer
chips.
• Property, plant and equipment are small in size, marketable or lack
observable identification of ownership.
Inadequate internal controls
• Inadequate oversight by those charged with governance of management’s
processes for identifying and responding to the risks of fraud.
• Inadequate segregation of duties or checks.
• Inadequate oversight of senior management expenditures.
• Inadequate management oversight of employees responsible for assets.
• Inadequate job applicant screening for employees with access to assets.
• Inadequate record keeping with respect to assets.
• Inadequate authorization and approval of transactions.
• Inadequate physical safeguards over cash, investments, inventory or
property, plant and equipment.
• Lack of complete and timely reconciliations of assets.
• Lack of timely and appropriate documentation of transactions (for example,
credits for merchandise returns).
• Lack of mandatory vacations for employees performing key control
functions.
• Inadequate management understanding of information technology, which
enables information technology employees to perpetrate a misappropriation.
• Inadequate access controls over automated records, including controls over
and review of computer systems event logs.
Specific areas of vulnerability
• Management estimates, revenue recognition, use of journal entries,
transactions with related parties, etc.
06/10/2010
Page 334
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
Fraud is always intentional. It involves concealment of information from the auditor and deliberate
misrepresentations. Consequently, fraud is discovered by looking for patterns, oddities and exceptions
often in what might be considered very small monetary amounts.
Fraud is unlikely to be detected through substantive procedures alone. For example, an auditor is
unlikely to identify a missing transaction or determine that a transaction is invalid unless there is some
additional “understanding of the entity” that can be used as a frame of reference.
Auditors, depending on their role and position on the audit team, may identify a fraud risk factor that
relates to one or more of the triangle elements. However, it is less likely that any one auditor will identify
all three conditions (opportunity, pressure and rationalization) together. For this reason, it is important for
the audit team to continually discuss their findings throughout the engagement.
The benefits of audit team discussions are outlined in the exhibit below.
Exhibit 8.8-3
In the absence of communication, it would be difficult for any single member of the above audit team to
see the big picture. Ongoing audit team discussion enables the team to pull together small pieces of
information so that the bigger picture can be seen.
8.9
Professional Skepticism
It is the responsibility of the auditor to maintain an attitude of professional skepticism at all times during
the engagement. An attitude of professional skepticism involves matters outlined in the exhibit below.
06/10/2010
Page 335
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 8.9-1
Skepticism involves:
Recognizing that
Management can
Always Commit
Fraud
Management is always in a position to override otherwise good internal
control.
A Questioning Mind
Make critical assessments about the validity of audit evidence obtained.
Being Alert
Does audit evidence contradict or bring into question the reliability of:
• Documents and responses to inquiries?
• Other information obtained from management and those charged with
governance?
Being Careful
Avoid:
• Overlooking unusual circumstances.
• Over-generalizing when drawing conclusions from audit observations.
• Using faulty assumptions in determining the nature, timing and extent of
the audit procedures and evaluating the results thereof.
• Accepting less than persuasive audit evidence in a belief that management
and those charged with governance are honest and have integrity.
• Accepting representations from management as a substitute for obtaining
sufficient appropriate audit evidence.
Engagement team members are to set aside any beliefs that management and
those charged with governance are honest and have integrity notwithstanding
the auditor’s past experience of their honesty and integrity.
Consider Point
Applying professional skepticism to an audit of a client you know and trust can be difficult. There is a
natural human tendency to place trust in people, assuming there is no information to the contrary.
Consequently, partners and staff need to be reminded on a regular basis to apply professional
skepticism. Some practical suggestions for applying this concept include:
•
Create a fictional character (and name) of someone who has a bad attitude toward control and poor
ethics. When the discussion around possible fraud scenarios and financial statement susceptibilities
takes place, imagine this person (not your client) as being the client or the senior manager in charge.
•
Inviting someone (ideally with some forensic experience) who does not know the entity to
participate in the planning discussions about fraud.
06/10/2010
Page 336
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
8.10
How to Identify Inherent Risk Factors
The most effective way to avoid missing a relevant risk factor is to make risk identification an integral
part of understanding the entity. The more that the auditor knows about the six areas of understanding, the
more likely the auditor will be able to identify risk factors. Understanding the entity is also helpful when
identifying and later responding to possible fraud scenarios. Remember that management override is
always a possibility and fraud is concealed (especially from the auditor).
As information is gathered (or updated) about each of the required areas of understanding the entity, the
existence of relevant business and fraud risk factors will be considered. For many of the business risks
identified, there may also be a fraud risk to consider. For this reason, it is suggested that, where possible,
fraud risks be listed separately from business risks and assessed separately. For example, if the sales
outlook for an entity’s products was poor (an external source of risk), consider what could go wrong
(implications for) in the financial statements. Poor sales could result in excess inventory that may need to
be written down but it could also trigger a fraud risk if it provided an incentive for a salesperson to inflate
his/her sales to meet a bonus threshold.
Consider Point
The business and fraud risks (inherent risks) are identified before any consideration of any internal
controls that might mitigate such risks. Internal control to mitigate risks is addressed in Volume 2,
Chapters 11 and 12. This is also important for identifying any significant risks that might exist (refer to
Volume 2, Chapter 10).
The effect of some of the risk factors identified will relate to a specific financial statement area but other
risk factors will be pervasive and will relate to many financial statement areas. For example, if the senior
accountant is incompetent, errors will not likely be limited to one financial statement area. In addition, if
someone took advantage of the situation to commit fraud, misstatements could occur in any number of
asset or liability balances and could be covered up with additional misstatements in revenue and expense
transactions.
Pervasive risks often derive from a weak control environment and potentially affect many financial
statement areas, disclosures and assertions. Pervasive risks will likely affect the assessment of risk at the
financial statement level. Risks at the financial statement level will be addressed through an overall
response by the auditor (such as more audit work performed, assigning more experienced staff members,
etc.).
As the audit progresses, additional risk factors may be identified. These should be added to the list of
identified risks and appropriately assessed before making any decisions as to the impact on audit strategy and
the audit plan such as the nature and extent of further audit procedures required. This will ensure that, when
planning takes place for the next period, the risk identification and assessment will be complete.
A suggested three-step risk identification process is outlined below.
06/10/2010
Page 337
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 8.10-1
Risk Identification
Step 1
Gather Basic
Information about
the Entity
Step 2
Design, Perform
and Document Risk
Assessment
Procedures
The starting point is to obtain a basic understanding or frame of reference for
designing the risk assessment procedures to be performed. Without this
understanding, it would be difficult, if not impossible, to identify what errors
and fraud could occur in the financial statements.
•
Obtain (or update) relevant basic information about the entity, its
objectives, culture, operations, key personnel and the internal organization
and control.
•
Risk assessment procedures/activities (see Volume 1, Chapter 8) are
required to be performed so that:
– The sources of risks of material misstatement are identified,
– An appropriate understanding of the entity is obtained, and
– The necessary supporting audit evidence is obtained.
Using the basic understanding of the entity obtained in step 1 above,
design and perform risk assessment procedures and related activities.
Hold discussions among the audit team regarding the susceptibility of the
entity’s financial statements to material misstatement, caused by error or
fraud (see Volume 2, Chapter 7).
Make inquiries of management as to how they identify and manage risk
factors (particularly fraud) and what risk factors have in fact been
identified and managed. Also ask management if errors or fraud have
actually occurred.
Document all risk factors identified.
•
•
•
•
Step 3
Relate (map) the
Risks Identified to
Material Financial
Statement Areas
06/10/2010
For each risk factor (risk cause) identified, identify the effect (specific
misstatements such as fraud and error) that could occur in the financial
statements as a result. Note that a single risk factor can result in a number of
differing types of misstatements that may affect more than just one financial
statement area. (See the Consider Point below for some examples.)
• Identify the material account balances, class of transactions and
disclosures in the financial statements.
• Relate or map the risks identified to the specific financial statement areas,
disclosures and assertions affected. If the risk identified is pervasive, then
relate it to the financial statements as a whole. Identifying the effect of
risks by financial statement area helps in assessing risks at the assertion
level. Identifying the effect of pervasive risks helps in assessing risks at
the financial statement level.
Page 338
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
A natural tendency for auditors is to use the financial statements as the starting point for identifying
risks. For example, inventory may be considered high risk because of the errors found in previous
periods. However, this is equivalent to identifying the effect of a risk but not the underlying cause.
Knowing inventory is high risk is important; however, it is even better to know the cause of the risk. If
the cause of a risk is not identified, it is possible that some risk factors will be missed altogether.
Consider the following:
Missing balances or transactions
Financial statements only summarize the results of business decisions and transactions that have been
recorded. If transactions have not been recorded, or if assets have been misappropriated or
contingencies are not disclosed, it is quite possible that the risk factors associated with such missing
amounts or disclosures will not be identified or assessed.
Fact gathering versus risk identification
The process of understanding the entity can easily become focused on collecting facts about the entity
rather than identifying sources of risk. When this occurs, new risk factors, events, transactions and
fraud risks may be missed altogether.
Cause and effect of misstatements
The significance of certain risk sources may be missed if attention is paid primarily to the effect or
consequence of the risk factor (such as focusing on the errors in the inventory balance rather than the
reasons for their occurrence in the first place). The source of the risk is the event(s) that would cause
errors to occur in the first place. The source of errors in the inventory balance could be inadequate or
poorly trained staff, an outdated system of internal control, misapplication of accounting policies such
as revenue recognition, lack of security over inventory or outright fraud by employees, etc.
A cause with multiple misstatement effects
An individual risk source may often affect many financial statement balances. For example, a
downturn in the economy may affect the valuation of inventory, the collectability of receivables,
compliance with banking agreements, manipulation of sales transactions to achieve bonus thresholds
and possibly even going-concern issues.
Pervasive risks
By focusing on one financial statement area at a time, certain pervasive risks and fraud risks may not
be identified. For example, the introduction of a new accounting system could result in errors being
made in many financial statement balances. In addition, someone could take advantage of the
uncertainty created by the new system to commit a fraud.
8.11
Documenting the Risk Identification Process
The auditor should use professional judgment regarding the manner in which these matters are
documented. For example, the documentation of the risk identification process following the three steps
outlined above would consist of:
•
Information about the entity;
•
Risk assessment procedures; and
•
Relating identified risks to possible errors and fraud in the financial statements.
06/10/2010
Page 339
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 8.11-1
Document
Information about the
Entity
Risk Assessment
Procedures
Relate Identified Risks
to Possible Errors and
Fraud in the Financial
Statements
Description
Document information obtained under the appropriate area of
understanding, such as the entity’s objectives, external factors,
nature of the entity, etc. Documentation may vary from very
simple to complex, depending on the size of the entity and
could include:
• Client-prepared information (such as business plans and
analysis);
• External data (industry reports, internal staff
communications, documented policies and procedures);
• Relevant correspondence (legal, government agencies,
etc.), emails, consultants’ reports, memoranda; and
• Firm’s checklists.
Document details of the risk assessment procedures
performed. This would include:
•
Discussions among the audit team regarding the
susceptibility of the entity’s financial statements to
material misstatement caused by error or fraud and the
results;
•
Key elements of the understanding of the entity obtained
including:
– Each of the aspects of the entity and its environment
outlined above,
– Each of the five internal control components, as
outlined in Volume 1, Chapter 5, and
– Sources of information from which the understanding
was obtained; and
•
The identified and assessed risks of material misstatement
at the financial statement level and assertion level.
Document the material account balances, class of transactions
and disclosures in the financial statements and then for each
source of risk identified, indicate whether it is:
•
Pervasive to the financial statements as a whole; or
•
Confined to specific financial statement areas, disclosures
and assertions.
There are a number of ways that identified risks can be documented. One way of documenting the risks
identified is outlined below. The exhibit shows the risk source by area of understanding (external factors,
nature of entity, etc.), the impact or possible consequence of the risk and the financial statement areas
affected.
06/10/2010
Page 340
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 8.11-2
Risk Source
Impact of Risk on Financial Statements
(Errors or Fraud)
Financial Statement
Area Affected or
Pervasive Risk
Errors in cost allocation and inventory valuation.
Inventory valuation
New product costing and pricing
methodologies/systems could create opportunities for
fraud to occur.
Inventory accuracy
The new financing required will make it difficult to
comply with existing bank covenants. If the entity is
in breach of covenants the loan may actually be
payable on demand
Note disclosures on
financing and debt
covenants and loan
classification.
Management may be tempted to manipulate financial
statements to ensure compliance with the bank
covenants.
Pervasive risk
Errors in the financial statements.
Pervasive risk
Opportunity for fraud.
Pervasive risk
Entity’s Objectives
Introduction of a
new product during
the year
Nature of the Entity
Senior accountant
not trained properly
06/10/2010
Page 341
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
One location for risks
Consider recording all the risk factors identified in a single document, single place or with a common
file reference number in the working paper file. This has a number of advantages:
•
Ease of file review. All risk factors identified can be found in one place.
•
Consistent assessment. When risks are reviewed together, a particular risk that has been assessed
differently from others will be more evident.
•
Risks can be sorted (using an electronic spreadsheet) enabling the most significant risks to be at
the top of the page. In this way, a file reviewer can check to ensure all the major risks identified
have been addressed with an appropriate audit response.
Separate lists of fraud and business risk factors
List and assess fraud risks separately from business risk factors. Many business risks also create an
opportunity or incentive for fraud to occur. If fraud is not separately considered, some fraud risk
factors may be missed. For example, a new accounting system may create potential for errors
(business risk) but may also provide an opportunity for someone to manipulate the financial results or
misappropriate assets (fraud risk). Another reason for keeping them separate is that the audit response
to a fraud risk (identification of any patterns, exceptions or oddities that might exist) might be quite
different from the response to a related business risk.
Leave the assessment of risk until later
Avoid the temptation to only list risk factors that are likely to be significant or important. A key part
of risk or event identification is to develop as complete a listing of risk factors as possible.
Inconsequential risk factors can always be removed later after each risk is appropriately assessed. This
will help to ensure that all material risks are indeed identified.
Re-use documentation to extent possible
Avoid having to re-document the risk factors identified and the understanding of the entity obtained
each period. If information about risk assessment procedures performed and the risks identified is
captured in a structured way (see “one location for risks above”), it can simply be updated each
period. This may require more time initially (in the first period) to prepare but will save time in
subsequent periods. However, be sure that appropriate risk assessment procedures are carried out and
documented each period and that any changes made can be identified. Also ensure each document
records the fact that the information was updated.
Impact of risks
The most important, but also the most difficult, column to complete is “impact of risk on financial
statements” (see above exhibit). It is in this column that the auditor sets out the implication of the
identified risk. Declining sales is a risk factor but, if recorded accurately by the entity, this would not
result in risks of material misstatement. However, declining sales could result in inventories being
obsolete or overvalued and receivables may become difficult to collect. It is the implication of each
risk factor that the auditor needs to identify so that an appropriate audit response can be developed.
Note:
The risk sources identified in this example have multiple impacts, each of which has been
considered separately. If the various impacts of risk sources are not broken out into discrete
components, not only will the risk assessment process be more difficult but the auditor could
easily miss some risk implications (such as fraud) altogether.
06/10/2010
Page 342
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
8.12
Case Studies ─ Inherent Risks ─ Identification
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
•
Understand the entity
This can be documented in a memo that is similar to the one in Volume 2, Chapter 2 that outlines the
details of these two case studies.
•
Identify risk factors
One way of documenting the cause and effect of identified risks (both business and fraud) is to list
them in a structured format such as the risk assessment form outlined below. This will ensure all risks
are recorded in one place and that the assessment of risks will be consistent. The alternative approach
is to list the risks identified in a memo format. Avoid the temptation to combine business and fraud
risk on one form. The assessment and response to a business risk versus a fraud risk may be quite
different.
Outlined below is a structured format for Dephta Furniture Inc. and a memo approach for Kumar & Co.
Case Study A ─ Dephta Furniture Inc.
Business Risks
Risk Event (source)
Implication of Risk Factor
What financial statement areas could be
misstated and in what way? (that is,
inventory overvalued)
Assertions
P CAEV
Downturn in economy
Receivables may be difficult to collect
V
Downturn in economy
Inventory write-downs may be required
V
Inventory clerk known to make
errors
Inventory balances may be overstated/
understated and possibly impact valuation
Continued growth (despite
downturn) and poor inventory
control
Breach of debt covenants
P
IT general controls are weak in a
number of areas
Data integrity may be compromised or data
may even be lost
P
New sales being sought in other
countries
Foreign exchange risks in receivables
A
CAEV
Assertions impacted are P = Pervasive (all assertions), C = Completeness, A= Accuracy E = Existence V = Valuation
06/10/2010
Page 343
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Fraud Risks
Risk Event (source)
Implication of Risk Factor
What financial statement areas could be
misstated and in what way? (that is, fictitious
sales)
Assertions
P CAEV
Pressures
Minimize tax burden
Management bias in estimates (such as
valuation of inventory) to reduce income
Minimize tax burden
Unauthorized journal entries or manipulation
of financial statements
CAV
P
Rapid growth putting pressure on Financial statement manipulation to avoid
financing
bank covenant being violated
P
Salesman’s bonus based on
sales above certain thresholds
Inflated sales to meet thresholds
E
Paying bribes to obtain contracts
Damage to reputation, overstatement of
expenses, unaccrued fines
CAE
Opportunities
Poor control over inventory
Goods stolen from inventory
E
Poor control over cash sales
Goods stolen/cash stolen
E
Transactions with related parties
Sales/purchases may not be complete, properly
valued or disclosed in the financial statements
P
Significant expansion in the use
of related-party transactions
Sales/purchases could be
undervalued/overvalued.
V
Balances with related parties may not be
collectable. Manipulation of financial
statements could be achieved by
transferring ‘risky’ balances to a related
party. This would replace a risky balance
with a related party balance.
Rationalization
06/10/2010
Page 344
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Low morale among temporary
workers
Goods or cash stolen
E
Assertions impacted are P = Pervasive (all assertions), C = Completeness, A= Accuracy E = Existence V = Valuation
Case Study B ─ Kumar & Co.
Memo to File – Kumar & Co.
Inherent Risk Identification
As a result of performing the risk assessment procedures outlined on working paper X.XX, which
included potential sources of risk arising from the six areas of required understanding, we have
identified the following risk factors:
Business Risks
Raj’s absence from operations – a pervasive risk
•
•
The quality and accuracy of the accounting records could be compromised due to Raj’s
focus on personal family matters. The financial statements could be materially misstated.
Risk Assessment:
(to be addressed in volume 2 chapter 9)
Risk Response:
(to be addressed in volume 2 chapter 16)
Raj used to inspect goods for quality before shipment. The quality of products sold could be
compromised leading to greater returns and/or unsaleable inventory. (Valuation)
Risk Assessment:
(to be addressed in volume 2 chapter 9)
Risk Response:
(to be addressed in volume 2 chapter 16)
Downturn in economy and economic dependence
•
Kumar & Co. is dependent on its primary customer, Dephta Furniture Inc., representing over
90% of its sales. In this economic downturn, Dephta could cancel orders. The impact could
be bank covenant violations and overvalued assets.
•
A decline in sales and liquidity pressures may lead to financial statement manipulation to
avoid bank covenant violations.
•
If the bank called their loan, the company may not be able to continue as a going concern.
This could result in a material uncertainty that should be disclosed in the financial
statements, and an evaluation of the basis (i.e. the going concern assumption) on which the
financial statements are prepared. This would affect all assertions.
Risk Assessment:
(to be addressed in volume 2 chapter 9)
Risk Response:
(to be addressed in volume 2 chapter 16)
Fraud Risks
Tax minimization
06/10/2010
Page 345
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
There may be a management bias to minimize the tax burden. There may be a bias in
management’s estimates or unauthorized journal entries could be used. (Completeness,
Accuracy)
Risk Assessment:
(to be addressed in volume 2 chapter 9)
Risk Response:
(to be addressed in volume 2 chapter 16)
Raj’s absence from operations – a pervasive risk
•
Raj’s absence results in minimal oversight of Ruby’s work. In addition, Ruby appears to have
low morale and personal financial pressures. This creates incentive, opportunity and
rationalization for cash/goods being stolen (Existence) and/or financial statement
manipulation. This should be treated as a fraud risk.
Risk Assessment:
(to be addressed in volume 2 chapter 9)
Risk Response:
(to be addressed in volume 2 chapter 16)
Related Parties
•
Transactions with related parties could be manipulated leading to sales being overvalued.
(Valuation) Attention should also be paid to the possible existence of other related parties
and the valuation/accuracy of balances with related parties at period end.
Risk Assessment:
(to be addressed in volume 2 chapter 9)
Risk Response:
(to be addressed in volume 2 chapter 16)
Prepared by: FJ
Date: September 20, 20X2
Reviewed by: LF
Date: September 24, 20X2
06/10/2010
Page 346
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
9.
INHERENT RISKS ─ ASSESSMENT
Chapter Content
Relevant ISAs
240, 315
How to assess the identified risks of material
misstatement in the financial statements.
Exhibit 9.0-1
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Documentation1
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph #
Relevant Extracts from ISAs
240.25
In accordance with ISA 315, the auditor shall identify and assess the risks of material misstatement due to
fraud at the financial statement level, and at the assertion level for classes of transactions, account
balances and disclosures.
240.26
When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on
a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue,
revenue transactions or assertions give rise to such risks. Paragraph 47 specifies the documentation
required where the auditor concludes that the presumption is not applicable in the circumstances of the
engagement and, accordingly, has not identified revenue recognition as a risk of material misstatement due
to fraud. (Ref: Para. A28-A30)
240.27
The auditor shall treat those assessed risks of material misstatement due to fraud as significant risks and
accordingly, to the extent not already done so, the auditor shall obtain an understanding of the entity’s
06/10/2010
Page 347
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
related controls, including control activities, relevant to such risks. (Ref: Para. A31-A32)
315.25
The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level; and (Ref: Para. A105-A108)
(b) the assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A109A113)
(c) to provide a basis for designing and performing further audit procedures.
315.26
For this purpose, the auditor shall:
(a) Identify risks throughout the process of obtaining an understanding of the entity and its environment,
including relevant controls that relate to the risks, and by considering the classes of transactions,
account balances, and disclosures in the financial statements; (Ref: Para. A114-A115)
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial
statements as a whole and potentially affect many assertions;
(c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant
controls that the auditor intends to test; and (Ref: Para. A116-A118)
(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and
whether the potential misstatement is of a magnitude that could result in a material misstatement.
9.1
Overview
Risk identification, which was addressed in the previous chapter, involves:
•
Performing risk assessment procedures to identify sources (causes) of risk through understanding the
entity;
•
Determining the possible effects of the risk sources identified (potential misstatements in the financial
statements) including the possibility of fraud; and
•
Relating the effects of risks to the financial statement area and assertions affected or determining that
the risks are pervasive to the financial statements as a whole and potentially affect many assertions.
The next step is to assess the identified risks and determine their significance for the audit of the financial
statements. Again, it is preferable to assess the inherent risks before considering any internal control that
might mitigate such risks.
Risk assessment involves consideration of two attributes about the risk:
•
What is the likelihood of a misstatement occurring as a result of the risk?
•
What would be the magnitude (monetary impact) if the risk did occur?
Likelihood of a Misstatement Occurring
What is the probability that the risk will occur? The auditor could evaluate this probability simply as high,
medium or low or could assign a numerical score, such as 1 to 5. A numerical score provides a slightly
more precise assessment. The higher the score, the more likely the risk would occur.
06/10/2010
Page 348
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Magnitude (Monetary Impact) if the Risk Did Occur
If the risk occurred, what would be the monetary impact? This judgment needs to be assessed against a
specified monetary amount, such as performance materiality. If not, different people (with different
materiality amounts in mind) could come to entirely different conclusions. For audit purposes, the
specified amount would relate to what constitutes a material misstatement for the financial statements as a
whole. This assessment can also be evaluated simply as high, medium or low or by assigning a numerical
score, such as 1 to 5. The higher the score is, the higher the magnitude of the risk.
Consider Point
If numeric scores are used to assess likelihood and magnitude, the numbers can be multiplied to
provide a combined or overall risk assessment score. This calculation can be useful in considering
whether significant risks exist. In addition, if an electronic worksheet is used, the listing of risks may
be ranked and sorted so that the most significant identified risks are always at the top of the list. This
can be useful information when reviewing the file and ensuring an appropriate response has been
developed for the assessed risks.
On smaller entities where the number of risk factors is small and the audit response has already been
established, the two assessments (likelihood and magnitude) can still be considered separately but
documented as one combined assessment.
The steps involved in risk assessment (using assessment criteria of high, medium or low) are illustrated
below.
Exhibit 9.1-1
The results of the risk assessment process can also be set out in a chart, as illustrated below. Some
commercial software packages provide charting capabilities.
06/10/2010
Page 349
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 9.1-2
Risks falling in the “high impact (magnitude), high likelihood” area of the chart clearly require
management action to mitigate. In addition, these risks will likely be determined as being significant,
which will require special audit consideration (refer to Volume 2, Chapter 10).
Consider Points
Discussions with management
When risk factors are documented and assessed by the auditor, it is important that the results are
discussed with the entity’s management. This discussion will help to ensure that a risk factor has not
been overlooked and that the auditor’s assessment of risks (likelihood and impact) is reasonable.
However, it is always important to use professional skepticism when evaluating management’s input
and responses.
9.2
Risk Assessments Performed by the Entity
Risk assessment is one of the five components of internal control (see Volume 1, Chapter 5) that should
be addressed by the entity’s management.
In smaller entities, the risk assessment process is likely to be informal and unstructured. Risk in smaller
entities is often recognized implicitly rather than explicitly. Management may be aware of risks related to
financial reporting through direct personal involvement with employees and outside parties. As a result,
the auditor would make inquiries of management as to how it identifies and manages risk and then what
risks have actually been identified and managed. The auditor would documents the results.
As management understands the benefits of a more formalized risk assessment process, it may decide to
develop, implement and document its own processes. When this occurs, the auditor would evaluate:
•
Controls in place over management’s processes;
•
The completeness of the business and fraud risks identified. This is often recorded on what is
06/10/2010
Page 350
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
commonly referred to as a “risk register”;
•
Management’s assessment of the magnitude of the risks and the likelihood of their occurrence; and
•
Management’s responses to address the assessed risks
If management has failed to identify key risks, consideration should be given as to whether there is a
significant deficiency in the entity’s risk assessment process.
9.3
Documenting Assessed Risks
Professional judgment should be used regarding the manner in which risk factors are assessed.
The assessment of the risks of material misstatement is made at the:
•
Financial statement level; and
•
Assertion level for classes of transactions, account balances and disclosures.
Documentation may be in the form of memoranda or a risk listing (for fraud) such as outlined below.
Note the following:
•
The first two columns in the table below would be completed as part of risk identification as
discussed in Volume 2, Chapter 8.
•
The assertion column is an assessment of:
− The specific assertions that relate to the financial statement area or disclosure impacted by the
risk. This will help in the assessment of risks at the assertion level, and
− Pervasive risks that affect many assertions and would impact the assessment of risk at the
financial statement level.
•
The risks being assessed are inherent risks. Control risk is addressed in Volume 2, Chapters 11 and
12.
•
The assessments of likelihood and magnitude (impact) used the numeric scale of 1 = low
likelihood/magnitude and 5 = high likelihood/magnitude. These scores may be multiplied to provide a
combined overall score. However, these risks could just as easily have been assessed as high, medium
or low.
Exhibit 9.3-1
Period ended: December 31, 20X2
Materiality 50,000Є
Inherent risk
assessment
Risk event (source)
Implication of risk factor
Salespersons’ compensation
based on sales commissions
Sales could be fictitious, recorded in the
wrong period, overstated or at terms
different from the standard terms and
conditions in order to achieve bonus
06/10/2010
Assertions LikeliPervasive hood to
CAEV
occur
EA
4
Є
Impact
Combined
Score
4
16
Page 351
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
targets.
Failure to comply with debt
covenants is covered up to
avoid bank inquiries
P
2
5
10
Fictitious suppliers inserted by Acme pays for expenses at inflated
employees
prices or for which no services/goods
were rendered.
EA
2
4
8
Related- party transactions not Revenue and expenses not recorded at
identified. Shareholders not
FMV (Fair Market Value).
involved in business could be
disadvantaged
P
3
5
15
CAE
4
1
4
Cash sales for parts and
service may go unrecorded
and undeposited
Unauthorized journal entries to defer
expense, bias in management estimates,
etc.
Revenue and assets are understated.
Consider Point
When documenting risk factors, consider how they will be updated and used in subsequent periods.
Recording information in one place and in a structured format (such as above) may take a little longer
to prepare initially but will be much easier to update in the future. A structured format also helps to
ensure:
•
Risks are not addressed more than once (which can occur if spread throughout the audit file);
•
A consistent assessment of each risk;
•
Significant risks are identified;
•
Ease of review. Use of an electronic worksheet enables risks (scored numerically) to be sorted on
their combined score or by likelihood or impact; and
•
The risk listing can be shared with the client (to obtain their input) or to request that the client
prepare the listing of risk factors for the auditor’s review.
9.4
Case Studies ─ Inherent Risks ─ Assessment
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
Where a structured format is used to document the assessment, it can be completed using the same form
as the one started in Volume 2, Chapter 8. The audit response column can be used to cross-reference the
risk factors to the specific audit procedures or audit programs that address the identified risks.
If a memo is to be used, the risk assessment and risk response could be added to the memo started in
Volume 2, Chapter 8.
06/10/2010
Page 352
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study A ─ Dephta Furniture Inc.
Business Risks
Risk event (source)
Implication
What financial statement areas
could be misstated and in what
way? (that is, inventory
overvalued)
Assertions
Inherent Risk Assessment
P CAEV
Likelihood
to occur
Є
Impact
Combined
score
Significant
risk?
Y/N
Continued growth
(despite downturn) and
poor inventory control
Breach of debt covenants
P
4
5
20
Y
Inventory clerk known to
make errors
Inventory balances may be
overstated
E
5
3
15
N
IT general controls are
weak in a number of
areas
Data integrity may be
compromised or data may
even be lost
P
3
5
15
N
Downturn in economy
Inventory write-downs may be
required
V
3
3
9
N
New sales being sought
in other countries
Foreign exchange risks in
receivables
A
2
2
4
N
Receivables may be difficult to
collect (that is, overstated)
V
1
3
3
N
Downturn in economy.
Assertions impacted are P = Pervasive (all assertions) C = Completeness A = Accuracy E = Existence V = Valuation
Assess likelihood (probability) to occur on a scale of 1 — 5 (Remote = 1 Unlikely = 2 Likely = 3 Most likely = 4 Almost certain = 5)
Assess the magnitude (monetary impact) in relation to materiality on a scale of 1 — 5 (Immaterial = 1 Minor = 2 Moderate = 3 Major = 4
Material = 5)
As a guide, risk factors with a combined risk assessment (Likelihood x Impact) score of 20 or more should be considered as “significant”
audit risks.
Note:
The possible violation of the bank covenants has a combined risk score of 20 and is therefore considered to
be a significant risk. Significant risks require special audit consideration by the auditor including obtaining
an understanding of the entity's related controls relevant to such risks.
06/10/2010
Page 353
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Fraud Risks
Risk event (source)
Implication
What financial statement areas
could be misstated and in what
way? (that is, fictitious sales)
Assertions
Inherent Risk Assessment
P CAEV
Likelihood
to occur
Є
Impact
Combined
score
Significant
risk?
Y/N
Pressures
Minimize tax burden
Unauthorized journal
entries/financial statement
manipulation
CAV
4
5
20
Y
Rapid growth putting
pressure on financing
Financial statement
manipulation to avoid bank
covenant being violated
P
4
5
20
Y
Minimize tax burden
Management bias in
estimates to reduce income
CA
4
4
16
Salesman’s bonus based
on sale above certain
thresholds
Inflated sales to meet
thresholds. However the
bonus amounts are small.
E
3
2
6
N
Paying bribes to obtain
contacts
Damage to reputation,
overstatement of expenses,
unaccrued fines
CAE
2
2
4
N
Revenue recognition
Inconsistent application of
accounting policies
CAE
3
4
12
Y
Significant expansion in
the use of relatedparty transactions
Sales/purchases could be
undervalued/overvalued
V
4
5
20
Y
Poor control over
inventory
Goods stolen from inventory
E
4
3
12
N
Poor control over cash
sales
Goods stolen/cash stolen
E
4
3
12
N
Transactions with
related parties
Sales/purchases may not be
complete, properly valued or
disclosed in the financial
Pervasive
3
4
12
N
Y
Opportunities
06/10/2010
Page 354
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Fraud Risks
Risk event (source)
Implication
What financial statement areas
could be misstated and in what
way? (that is, fictitious sales)
Assertions
Inherent Risk Assessment
P CAEV
Likelihood
to occur
Є
Impact
Combined
score
E
3
2
6
Significant
risk?
Y/N
N
statements
Rationalization
Low morale among
temporary workers
Goods or cash stolen
Assertions impacted are P = Pervasive (all assertions), C = Completeness, A = Accuracy E = Existence V = Valuation
Assess likelihood (probability) to occur on a scale of 1 — 5 (Remote = 1 Unlikely = 2 Likely = 3 Most likely = 4 Almost certain = 5)
Assess the magnitude (monetary impact) in relation to materiality on a scale of 1 — 5 (Immaterial = 1 Minor = 2 Moderate = 3 Major = 4
Material = 5)
As a guide, risk factors with a combined risk assessment (Likelihood x Impact) score of 16 or more should be considered as “significant”
fraud risks.
Note: The possible management bias in estimates, unauthorized journal entries, the pressures to
finance the rapid growth and related-party transactions have been assessed as significant
risks (where the combined score exceeded 16). Significant risks require special audit
consideration by the auditor including obtaining an understanding of the entity's related
controls relevant to such risks. If no controls exist it is likely that a significant deficiency
exists. Note that revenue recognition has a combined score of less than 16 but is presumed
to be a significant risk. (Refer to ISA 240.26)
06/10/2010
Page 355
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study B ─ Kumar & Co.
Memo to File – Kumar & Co.
Inherent Risk Identification
Materiality = 3,000Є
As a result of performing the risk assessment procedures outlined on working paper X.XX, which
included potential sources of risk arising from the six areas of required understanding, we have
identified the following risk factors:
Business Risks
Raj’s absence from operations –a pervasive risk
•
The quality and accuracy of the accounting records could be compromised due to Raj’s
focus on personal family matters. The financial statements could be materially misstated.
Risk Assessment: High likelihood of occurrence/High magnitude (in relation to materiality)
= High Risk and also a significant risk. See WP # X.X
Risk Response:
•
(to be addressed in volume 2 chapter 16)
Raj used to inspect goods for quality before shipment. The quality of products sold could be
compromised leading to greater returns and/or unsaleable inventory. (Valuation)
Risk Assessment: Low Likelihood/Low Magnitude = Low Risk
Risk Response:
06/10/2010
(to be addressed later)
Page 356
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Downturn in economy and economic dependence
•
Kumar & Co. is dependent on their primary customer, Dephta Furniture Inc., representing
over 90% of their sales. In this economic downturn, Dephta could cancel orders. The impact
could be bank covenant violations and overvalued assets. If the bank called its loan, the
company would be unable to continue. (Valuation)
Risk Assessment:
Moderate Likelihood/Moderate Magnitude = Moderate Risk
Risk Response:
(to be addressed in volume 2 chapter 16)
Fraud Risks
Revenue Recognition
•
Possibility of inconsistent application of accounting policies
Moderate Likelihood/Moderate Magnitude = Moderate Risk but this is
Risk Assessment:
presumed by ISA 240.26 to be a significant risk and will be treated as such
Risk Response:
(to be addressed later)
Tax minimization
•
There may be a management bias to minimize the tax burden. There may be a bias in
management’s estimates or unauthorized journal entries could be used. (Completeness,
Accuracy)
High Likelihood/Moderate Magnitude = Moderate to high Risk and
Risk Assessment:
should be considered a significant risk
Risk Response:
(to be addressed)
Downturn in economy and economic dependence
•
A decline in sales and liquidity pressures may lead to financial statement manipulation to
avoid bank covenant violations. (All assertions)
Moderate Likelihood/High Magnitude = Moderate to High Risk and
Risk Assessment:
should be considered a significant risk
Risk Response:
(to be addressed)
Raj’s absence from operations – a pervasive risk
•
Raj’s absence results in minimal oversight of Ruby’s work. In addition, Ruby appears to have
low morale and personal financial pressures. This creates incentive, opportunity and
rationalization for cash/goods being stolen (Existence) and/or financial statement
manipulation.
Risk Assessment:
Moderate likelihood/Moderate Magnitude = Moderate Risk
Risk Response:
(to be addressed)
Related Parties
•
Transactions with related parties could be manipulated leading to sales being overvalued.
(Valuation)
Risk Assessment:
06/10/2010
Moderate Likelihood/Moderate Magnitude = Moderate Risk and
Page 357
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
should be considered a significant risk
Risk Response:
(to be addressed)
Note: Significant risks require special audit consideration by the auditor including obtaining an
understanding of the entity's related controls relevant to such risks. If no controls exist it is
likely that a significant deficiency exists.
06/10/2010
Page 358
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
10.
SIGNIFICANT RISKS
Chapter Content
Relevant ISAs
Guidance on the nature and determination of significant
risks and the consequences for the audit.
240, 315, 330
Exhibit 10.0-1
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Documentation1
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph #
Relevant Extracts from ISAs
315.4
For purposes of the ISAs, the following terms have the meanings attributed below:
(e) Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s
judgment, requires special audit consideration.
315.25
The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level; and (Ref: Para. A105-A108)
(b) the assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A109A113)
to provide a basis for designing and performing further audit procedures.
315.27
06/10/2010
As part of the risk assessment as described in paragraph 25, the auditor shall determine whether any of the
risks identified are, in the auditor’s judgment, a significant risk.
Page 359
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
In exercising this judgment, the auditor shall exclude the effects of identified controls related to the risk.
240.26
When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on
a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue,
revenue transactions or assertions give rise to such risks. Paragraph 47 specifies the documentation
required where the auditor concludes that the presumption is not applicable in the circumstances of the
engagement and, accordingly, has not identified revenue recognition as a risk of material misstatement due
to fraud. (Ref: Para. A28-A30)
315.28
In exercising judgment as to which risks are significant risks, the auditor shall consider at least the
following:
(a) Whether the risk is a risk of fraud;
(b) Whether the risk is related to recent significant economic, accounting or other developments and,
therefore, requires specific attention;
(c) The complexity of transactions;
(d) Whether the risk involves significant transactions with related parties;
(e) The degree of subjectivity in the measurement of financial information related to the risk, especially
those measurements involving a wide range of measurement uncertainty; and
(f)
Whether the risk involves significant transactions that are outside the normal course of business for
the entity, or that otherwise appear to be unusual. (Ref: Para. A119-A123)
315.29
If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the
entity’s controls, including control activities, relevant to that risk. (Ref: Para. A124-A126)
330.21
If the auditor has determined that an assessed risk of material misstatement at the assertion level is a
significant risk, the auditor shall perform substantive procedures that are specifically responsive to that
risk.
When the approach to a significant risk consists only of substantive procedures, those procedures shall
include tests of details. (Ref: Para. A53)
550.18
In meeting the ISA 315 requirement to identify and assess the risks of material misstatement, the auditor
shall identify and assess the risks of material misstatement associated with related party relationships and
transactions and determine whether any of those risks are significant risks. In making this determination,
the auditor shall treat identified significant related party transactions outside the entity's normal course of
business as giving rise to significant risks.
550.19
If the auditor identifies fraud risk factors (including circumstances relating to the existence of a related
party with dominant influence) when performing the risk assessment procedures and related activities in
connection with related parties, the auditor shall consider such information when identifying and assessing
the risks of material misstatement due to fraud in accordance with CAS 240. (Ref: Para. A6, A29-A30)
06/10/2010
Page 360
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
10.1
Overview
After the business and fraud risks have been identified and assessed, consideration can be given to the
existence of significant risks. A significant risk is where the assessed risk of material misstatement is so
high that (in the auditor’s judgment), it will require special audit consideration.
Significant risks are assessed before consideration of any mitigating controls. Significant risk is based on the
inherent risk (before considering the related internal control) and not the combined risk (considering both
inherent and internal control risks). For example, a company with a large inventory of diamonds would have a
high inherent risk of theft. Management’s response is to maintain secure facilities. The combined risks of
material misstatement are therefore minimal. However, because the risk of loss (before considering internal
control) is highly likely and its size would have a material impact on the financial statements, the risk would be
determined as “significant”.
Consider Point
When considering the existence of significant risks, it can be difficult to ignore the mitigating effect of
relevant internal control. This is particularly true when the people implementing the control are well
known to the auditor and most likely highly competent in what they do.
What is required is to separate the inherent risk from the controls in place. For example, an adult about
to cross a busy street would not likely consider the activity to be very risky. This is because it is
anticipated that adults use their eyes, ears and previous experience (in crossing streets) to cross safely.
But such a risk assessment combines the inherent risk involved in crossing the street with a number of
control activities (the use of the eyes, ears and previous experience). To assess whether crossing the
street is a significant risk (that is, before any controls), the person would have to be blindfolded, given
earplugs and asked to walk across the street.
10.2
Examples
Examples of significant risks are set out in the exhibit below.
Exhibit 10.2-1
Sources
Examples
High-Risk Activities
Includes operations or events where a material misstatement could easily
occur. For example, an inventory of high value diamonds or gold bars held by
a jeweller or a new/complex accounting system being introduced.
Large Non-Routine
Transactions (Size
or Nature)
Identified significant related party transactions outside the entity's normal
course of business are to be treated as giving rise to significant risks.
Includes infrequent and large transactions. For example:
• Unusual volume of routine transactions with a related party;
• A major sales or supply contract;
• The purchase or sale of major business assets or business segments; and
• Sale of the business to a third party.
Routine non-complex transactions that are subject to systematic processing are
less likely to give rise to significant risks.
06/10/2010
Page 361
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Sources
Examples
Matters Requiring
Judgment or
Management
Intervention
Examples would include:
• The assumptions and calculations used by management in developing
major estimates;
• Complex calculations or accounting principles;
• Revenue recognition (presumed to be a significant risk) that is subject to
differing interpretation;
• Extensive manual data collection and processing; and
• Where management intervention is required to specify the accounting
treatment to be used.
Potential for Fraud
The risk of not detecting a material misstatement resulting from fraud (which
is intentional and deliberately concealed) is higher than the risk of not
detecting one resulting from error.
In evaluating whether significant risks could result from the identified fraud
risk factors and possible scenarios and schemes (see Volume 2, Chapter 7),
consider the following:
• Skilfulness of the potential perpetrator;
• Relative size of individual amounts manipulated;
• Level of authority of management or employee to:
− Directly or indirectly manipulate accounting records, and
− Override control procedures;
• Frequency and extent of manipulation involved;
• Possible degree of collusion;
• Intentional misrepresentations being made to the auditor; and
• Previous audit experience or concerns expressed by other persons.
Significant fraud risks may be identified at any stage in the audit as a result of
new information being obtained.
10.3
Identifying Significant Risks
If the risks of material misstatement have already been identified and assessed, all that is required is to
review the findings and then select (based on the use of professional judgment) those risks that are indeed
significant. For example, if the assessment of risks was charted as illustrated below (the stars represent
assessed risks), it would be the two risks falling within the shaded area (risks with high magnitude and
high likelihood) that would first be considered as significant risks.
Exhibit 10.3-1
06/10/2010
Page 362
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
When considering whether significant risks exist, the auditor would consider the matters set out below:
Considerations
Risk of fraud.
Factors that May
Indicate Possible
"Significant Risks"
Risks related to recent significant economic, accounting or other developments
and, therefore, require specific attention.
Complexity of transactions.
Significant transactions with related parties.
The degree of subjectivity in the measurement of financial information related
to the risk, especially those involving a wide range of measurement
uncertainty.
Significant transactions that are outside the normal course of business for the
entity or that otherwise appear to be unusual.
In smaller entities, significant risks often relate to the matters outlined in the exhibit below.
Exhibit 10.3-2
Subject Matter/
Information
Significant
Non-Routine
Transactions
Characteristics
•
•
•
•
•
•
06/10/2010
High inherent risk (likelihood and impact).
Transactions that occur infrequently and not subject to systematic processing.
Unusual due to their size or nature (such as the acquisition of another
entity).
Require management intervention:
− To specify accounting treatment, and
− For data collection and processing.
Involve complex calculations or accounting principles.
Nature of transactions makes it difficult for entity to implement effective
internal control over the risks.
Page 363
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Subject Matter/
Information
Significant
Judgmental Matters
Characteristics
•
•
•
•
Significant
Transactional Risks
Fraud
10.4
High inherent risk.
Involve significant measurement uncertainty (such as the development of
accounting estimates).
Accounting principles involved may be subject to differing interpretation
(such as preparation of accounting estimates or application of revenue
recognition).
The required judgment by management may be subjective, complex or
require assumptions about the effects of future events (such as judgments
about fair value, valuation of inventory subject to rapid obsolescence, etc.).
•
There may be a small number of transactional risks relating to the major
business processes (such as goods being shipped but not invoiced in a sales
process) that would result in a material misstatement in the financial
statements if not mitigated. Where these risks require special audit
consideration, they would be regarded as significant risks. If there were no
internal controls in place to mitigate such risks, they would also be
reported to management as being a significant deficiency.
•
•
•
•
•
Revenue recognition. This is a presumed significant risk.
Management override or bias in estimates, etc.
Major related-party transactions used to increase sales or purchases.
Collusion with suppliers or customers such as price or bid rigging.
Unrecorded or fictitious transactions.
Responding to Significant Risks
When a risk is classified as being “significant”, the auditor should respond as outlined below.
Exhibit 10.4-1
Audit Steps
Description
Evaluate Internal
Control Design &
Implementation Over
Each Significant Risk
Has management designed and implemented internal control that mitigates
the significant risks? Consider the existence of direct controls such as control
activities and indirect (pervasive) controls which may be included in the
control environment, risk assessment, information systems and monitoring
elements. This information will be helpful in developing an effective audit
response to the identified risks.
Where significant non-routine or judgmental matters are not subject to
routine internal control (such as a one-off or an annual event), the auditor
would evaluate management’s awareness of the risks and the appropriateness
of its response. For example, if the entity purchased the assets of another
business, the entity’s response might include:
• Hiring an independent valuer for the acquired assets;
06/10/2010
Page 364
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Audit Steps
Description
•
•
Applying appropriate accounting principles; and
Proper disclosure of the transaction in the financial statements.
Where the auditor determines that management has not appropriately
responded (by implementing internal control over significant risks), a
significant deficiency would exist in the entity’s internal control which
would be communicated (as soon as possible) to those charged with
governance.
Design an Audit
Response to the
Identified Significant
Risks
Do the planned further audit procedures specifically address the significant
risk? These procedures would be designed to obtain audit evidence with high
reliability and could include tests of controls and substantive procedures.
No Reliance Can be
Placed on Evidence
Obtained in Previous
Periods
Where a test of operating effectiveness is planned for a control that mitigates
a significant risk, the auditor may not rely on audit evidence about the
operating effectiveness of internal control obtained in prior audits.
In many cases, the audit procedures may simply be an extension of
procedures that would be performed in any event. For example, if the
significant risk related to potential management bias such as in the
preparation of an estimate, the extended substantive procedures would
include:
• Assessing the validity of the assumptions used;
• Identifying the sources and reliability of the information used (both
external and internal);
• Considering the existence of any bias in the prior period’s estimates as
compared to actual facts; and
• Reviewing the methods used (including formulas in electronic
spreadsheets) in the estimate calculation.
Substantive Analytical The use of substantive analytical procedures by themselves is not considered
Procedures Alone are an appropriate response to address a significant risk. When the approach to
significant risks consists only of substantive procedures, the audit procedures
Not Sufficient
can consist of:
• Tests of details alone; or
• A combination of tests of details and substantive analytical procedures.
10.5
Documenting Significant Risks
The identification of significant risks and the proposed audit response would be documented. If all risks
are documented in a single location, the documentation of significant risks may simply be an extension of
the information already documented.
Note: If the auditor concludes that revenue recognition is not a significant risk of material misstatement
06/10/2010
Page 365
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
due to fraud, the reasons for that conclusion are to be included in the audit documentation.
10.6
Case Studies ─ Significant Risks
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
Significant risks can be identified from the listing of risk factors and their assessment. See the forms
contained in the case studies’ discussion in Volume 2, Chapters 8 and 9. Such a form can also be used to
cross-reference each significant risk to the related detailed audit plan.
For each significant risk identified, management’s response should be documented and appropriate audit
procedures developed that respond to the specific risk.
Case Study A ─ Dephta Furniture Inc.
(Excerpt)
Significant
Risk
Management’s
Response
Audit Response
Possible
violation of
terms of their
bank’s
financing?
Preparation and
monitoring of cash flow
forecasts.
Look at the company’s growth plans and
whether the forecasted cash flows are
realistic.
Renegotiate amount and
terms of financing.
Review and compare actual results and
cash flows.
W/P
Reference
(Not
included)
Ensure the valuations of receivables and
inventory (the security for the loans) are
reasonable.
Review the company’s refinancing
submission to the bank.
Review any response/correspondence
from the bank.
Financial
statement
manipulation
could occur to
avoid the bank
covenants being
violated.
None. Management does
Carefully review the assumptions used in
not see this as a risk at all. the cash flow forecasts and the basis on
which actual cash flow reports are
prepared.
Inconsistent
revenue
recognition (a
presumed fraud
Sales contracts over 500Є
are reviewed by the sales
manager.
06/10/2010
Ensure the basis for the valuations of
receivables and inventory is valid and
correct. Carefully test the existence and
accuracy of sales, as there is pressure to
maintain and grow sales levels despite the
challenging economic environment.
Review of major contracts (and a sample
of smaller contracts) and discussion with
sales manager to ensure revenue was
appropriately recognized in the period.
Page 366
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Significant
Risk
Management’s
Response
Audit Response
W/P
Reference
risk)
Unauthorized
journal entries
Management has agreed
Identify and review all journal entries over
to put policy in place
1,500Є and all entries in the month before
requiring approval of all
and after the period end.
journal entries but it has
not yet been implemented.
Significant
expansion in the
use of relatedparty
transactions.
Policy is that all relatedparty transactions are
identified as such and
conducted at the normal
terms of sale. This
includes any corporate
assets or services
provided for personal use
by management or
employees.
Review employees’ understanding of the
policy through inquiry and inspection.
Seek to ensure all related-party
transactions have been identified and that
the transactions, terms of sale, nature of
transaction and the dates are indeed
appropriate.
Prepared by: FJ
Date: November 25, 20X2
Reviewed by: LF
Date: November 29, 20X2
06/10/2010
Page 367
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study B ─ Kumar & Co.
Memo to File: Kumar & Co.
Identification of Significant Risks
The following significant risk areas, including management’s response and the audit response,
are identified below.
Downturn in economy
The company has not suffered to badly in the downturn. However Raj should periodically review
bank covenant calculations, but he has not been attentive to this in the current period under
audit. We will recalculate all ratios to see status against covenants. We will also perform more
audit procedures for audit areas that are input into the calculation. The risk is heightened the
closer the company is to violation, due to possibility of financial statement manipulation.
Tax minimization
There are no management controls that specifically address this issue. The response to this risk
will be to carefully review management’s estimates and journal entries, (see below)
Unauthorized Journal Entries
Raj should authorize all journal entries, but this has not been happening consistently. We will
identify and review all journal entries over 500Є and all entries in the month before and after
period end.
Related-Party Transactions
Company policy is that all related-party transactions are identified as such and conducted at the
normal terms of sale. We will review Raj’s and Ruby’s understanding of the policy through
inquiry and inspection. We will ensure that for all related-party transactions, the terms of sale,
nature of transactions and the dates are indeed appropriate. We will also remain alert throughout
the audit for transactions outside the normal course of business and that all related-party
transactions have, in fact, been identified.
Revenue recognition
Revenue recognition policies on sales are fairly straightforward and the majority of sales made
by Kumar are to Dephta Furniture Inc. The audit work performed on cut off and related party
transactions addressed any potential for fraud through inappropriate revenue recognition.
Prepared by: FJ
Date: November 12, 20X2
Reviewed by: LF
Date: November 16, 20X2
06/10/2010
Page 368
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
11.
UNDERSTANDING INTERNAL CONTROL
Chapter Content
Relevant ISAs
Guidance on the steps involved in understanding
internal control relevant to the audit:
•
Evaluating control design and implementation; and
•
Documentation using two possible approaches.
315
Exhibit 11.0-1
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Documentation1
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph #
Relevant Extracts from ISAs
315.4
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Assertions – Representations by management, explicit or otherwise, that are embodied in the
financial statements, as used by the auditor to consider the different types of potential misstatements
that may occur.
(b) Business risk – A risk resulting from significant conditions, events, circumstances, actions or
inactions that could adversely affect an entity’s ability to achieve its objectives and execute its
strategies, or from the setting of inappropriate objectives and strategies.
06/10/2010
Page 369
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(c) Internal control – The process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance about the achievement
of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency
of operations, and compliance with applicable laws and regulations. The term “controls” refers to any
aspects of one or more of the components of internal control.
315.12
The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls
relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial
reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control,
individually or in combination with others, is relevant to the audit. (Ref: Para. A42-A65)
315.14
The auditor shall obtain an understanding of the control environment. As part of obtaining this
understanding, the auditor shall evaluate whether:
(a) Management, with the oversight of those charged with governance, has created and maintained a
culture of honesty and ethical behavior; and
(b) The strengths in the control environment elements collectively provide an appropriate foundation for
the other components of internal control, and whether those other components are not undermined by
deficiencies in the control environment. (Ref: Para. A69-A78)
315.15
The auditor shall obtain an understanding of whether the entity has a process for:
(a) Identifying business risks relevant to financial reporting objectives;
(b) Estimating the significance of the risks;
(c) Assessing the likelihood of their occurrence; and
(d) Deciding about actions to address those risks. (Ref: Para. A79)
315.18
The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting, including the following areas:
(a) The classes of transactions in the entity’s operations that are significant to the financial statements;
(b) The procedures, within both information technology (IT) and manual systems, by which those
transactions are initiated, recorded, processed, corrected as necessary, transferred to the general
ledger and reported in the financial statements;
(c) The related accounting records, supporting information and specific accounts in the financial
statements that are used to initiate, record, process and report transactions; this includes the
correction of incorrect information and how information is transferred to the general ledger. The
records may be in either manual or electronic form;
(d) How the information system captures events and conditions, other than transactions, that are
significant to the financial statements;
(e) The financial reporting process used to prepare the entity’s financial statements, including significant
accounting estimates and disclosures; and
(f)
06/10/2010
Controls surrounding journal entries, including non-standard journal entries used to record nonrecurring, unusual transactions or adjustments. (Ref: Para. A81-A85)
Page 370
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
315.19
The auditor shall obtain an understanding of how the entity communicates financial reporting roles and
responsibilities and significant matters relating to financial reporting, including: (Ref: Para. A86-A87)
(a) Communications between management and those charged with governance; and
(b) External communications, such as those with regulatory authorities.
315.20
The auditor shall obtain an understanding of control activities relevant to the audit, being those the auditor
judges it necessary to understand in order to assess the risks of material misstatement at the assertion level
and design further audit procedures responsive to assessed risks. An audit does not require an
understanding of all the control activities related to each significant class of transactions, account balance,
and disclosure in the financial statements or to every assertion relevant to them. (Ref: Para. A88-A94)
315.21
In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity
has responded to risks arising from IT. (Ref: Para. A95-A97)
315.22
The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal
control over financial reporting, including those related to those control activities relevant to the audit, and
how the entity initiates remedial actions to deficiencies in its controls. (Ref: Para. A98-A100)
11.1
Overview
This chapter addresses the scope of work required to understand internal control relevant to the audit.
Volume 1, Chapter 5 addresses the nature of internal control and provides a detailed description of the
five components of internal control. Volume 2, Chapter 12 outlines a four step approach to internal
control evaluation.
Internal control refers to the processes, policies and procedures designed by management to ensure
reliable financial reporting and the preparation of financial statements in accordance with the applicable
accounting framework. Internal control addresses such matters as management’s attitude toward control,
competence of key people, risk assessment, accounting and other financial information systems in use as
well as the traditional control activities.
The auditor is required to obtain an understanding of internal control on all audit engagements. This
applies to any size of entity, even where the auditor has already decided that an entirely substantive
approach would be the appropriate response to the risks of material misstatement.
Obtaining a sufficient understanding of internal control (relevant to the audit) involves the performance of
risk assessment procedures to identify the controls that will directly or indirectly mitigate material
misstatements. The information obtained will assist the auditor in:
•
Assessing the residual risk (inherent and control risk) of material misstatement at the financial
statement and assertion levels; and
•
Designing further audit procedures that are responsive to the assessed risks.
However, not all control activities are relevant to the audit and therefore do not require understanding.
The auditor is only concerned with evaluating those controls that mitigate a risk of a material
06/10/2010
Page 371
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
misstatement (caused by fraud or error) in the financial statements. Control activities that are not relevant
can be scoped out of the audit altogether.
11.2 Risk and Control
The relationship between risk and control can be illustrated as follows.
Exhibit 11.2-1
Entity Objective
To prepare Financial Statements free from error and fraud
Inherent Risk: Events that could lead to misstatements in the F/S
Control Risk: Controls designed to mitigate mistatements
Low
Risk exposure
High
Inherent business and fraud risks are identified during the risk identification and risk assessment phase.
Management mitigates such risks by designing and implementing internal controls and procedures that
will reduce such risks to a acceptably low level. The amount of risk left over (after internal controls have
been designed and implemented) is the risks of material misstatement (sometimes referred to as residual
risk).
Ideally, management would design sufficient controls to ensure that the residual risk is reduced to an
acceptably low level for both internal management purposes and for the external audit. In practice, some
managers will tend to have a high tolerance for risk (i.e., less controls are in place resulting in a higher
residual risk) and some managers (often in the public sector) will tend to be conservative and design
controls to reduce risk to almost nothing.
Consider Point
The sole purpose of a control is to mitigate risk. A control without a risk to mitigate is obviously
redundant. So, a risk has to exist before it can be mitigated by a management control. However, some
auditors ignore this fact. They start their evaluation of internal control by documenting the system and
controls that exist before taking the time to identify what risks actually require mitigation. This
approach can result in a lot of unnecessary work in documenting processes and controls that may later
prove to be totally irrelevant to the audit objectives.
11.3 Pervasive and Specific Internal Controls
Internal controls can be broadly categorized as pervasive (or entity-level controls) that address pervasive
risks and specific (transactional controls) that address specific risks. The differences between these
controls are illustrated below:
06/10/2010
Page 372
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 11.3-1
Pervasive
Governance
Leadership/management
Information Systems
Revenue Purchasing Payroll
Processes Processes Processes
Controls
Pervasive
(entity level)
Inherent Risks
Entity Objectives
Financial Statements
& Assertions
Other
Processes
Transactions
Exhibit 11.3-2
Description
Pervasive (EntityLevel) Controls
Pervasive (entity-level) controls address governance and general management
and serve to establish the overall control environment or “tone at the top”.
Typical control processes include human resources, fraud, risk assessment
(management override), general IT management, preparation of financial
information (including financial statements and underlying estimates, etc.) and
the ongoing monitoring of operations. In small entities, these controls will
refer primarily to management’s attitudes toward integrity and control.
A solid understanding of the pervasive elements of internal control provides an
important foundation for assessing relevant controls over financial reporting at
the transactional (business process) level. For example, if there are poor
controls over data integrity at the entity level, this will impact the reliability of
all information produced by systems such as sales, purchases and payroll.
Specific
(Transactional)
Controls
06/10/2010
Transactional (business process) controls are specific processes/controls that
are designed to ensure:
• Transactions are appropriately recorded for the preparation of financial
statements;
• Accounting records are maintained in reasonable detail to accurately and
fairly reflect all the transactions and dispositions of assets;
• Receipts and expenditures are made only in accordance with the
authorizations of management; and
• Unauthorized acquisition, use or disposition of assets would be prevented
or detected on a timely basis.
Page 373
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Description
Transactional control processes include routine transactions (such as revenues,
purchases and payroll) and non-routine transactions (such as purchasing
equipment or the costs involved in starting a new line of business).
11.4 The Five Internal Control Components
The various types of internal control that exist within an entity have been divided into five key
components as illustrated below.
Each of these components is to be addressed by the auditor as:
•
Part of the understanding of the internal control (over financial reporting); and
•
Information for considering how the different aspects of internal control may affect the audit.
Exhibit 11.4-1
The interrelationships of the five components between the pervasive (entity level) controls and the
specific transactional (business process) controls are illustrated below.
06/10/2010
Page 374
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 11.4-2
Pervasive entity level controls collectively provide the appropriate foundation for all the other components
of internal control. This is because poor entity level controls can render even the best business process
controls ineffective. For example, an entity may have an effective purchasing system but if the
bookkeeper/accountant is incompetent (that is, it is a poor control environment), a wide variety of errors
could occur and possibly result in a material misstatement in the financial statements. Management override
and poor “tone at the top” (that primarily occur at the entity level) are common themes in bad corporate
behavior.
Consider Point
How an entity actually designs and implements its internal control will vary with an entity’s size and
complexity. In smaller entities, the owner-manager may perform functions that address several of the
components of internal control.
11.5
Internal Control in Smaller Entities
In smaller entities, there are often few employees, which may limit the extent to which:
•
Segregation of duties is practicable; and
•
An appropriate paper trail of documentation is available.
Internal control in such entities often derives from the control environment (management’s commitment
to ethical values, competence, attitude toward control and its day-to-day actions) as opposed to specific
controls over transactions. Evaluating the control environment is quite different from traditional control
06/10/2010
Page 375
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
activities as it involves an assessment of the behavior, attitudes, competence and actions of management.
Such assessments are often documented in a memo or with a questionnaire.
The presence of a highly involved owner-manager is often an internal control strength and a control weakness.
The control strength is that the person (assuming his/her competence) will be knowledgeable about all aspects
of operations and it would be highly unlikely that material misstatements will be missed. The control weakness
is the opportunity provided for that person to override the internal control for his/her own benefit.
Consider Point
Identify the pervasive (entity-level) controls
In the audit of small entities, there is a temptation to assume that internal control is nonexistent and, therefore, not worth understanding. However, any entity that wants to continue
operating will have some form of internal control. For example, what business manager does
not care whether the cash receipts are deposited in the bank or that goods shipped are
invoiced?
Consider how the pervasive (entity-level) controls could be evidenced
In cases where the owner-manager or equivalent approves transactions and carefully reviews
financial results, the control can have the effect of preventing or detecting misstatements
occurring at the assertion level. If reliance on such a control would reduce the need for other
substantive procedures, consider whether such controls could be evidenced such as by a
signature on a report or a reconciliation to indicate review or approval. Such evidence could
then be used to test the operating effectiveness of the control.
11.6
Absence of Internal Control
In virtually all entities, there is some form of internal control, such as the competence of the ownermanager (control environment). It may be informal and unsophisticated, but it is still internal control. An
entity that does not mitigate any of the major risks it faces (through control components such as the
control environment, risk assessment, information systems, control activities or monitoring) is unlikely to
stay in business for long.
Where there are not many control activities that can be identified, the auditor would consider whether:
• it is possible to address the relevant assertions by performing further audit procedures that are
primarily substantive procedures or:
• the absence of control activities or of other components of control (in rare cases) make it impossible
to obtain sufficient appropriate audit evidence.
Other matters that would raise questions as to whether the audit should be conducted would include:
•
Concerns about management’s integrity, non-ethical behavior or a poor attitude toward internal
control. Deficiencies in the control environment tend to undermine controls that exist in other control
components. It also raises the risk of management misrepresentation and fraud; and
•
Concerns about the condition and reliability of an entity’s records that make it unlikely that sufficient
appropriate audit evidence will be available to support an unqualified opinion.
If these or similar concerns are present, the auditor should consider the need to modify the auditor’s report
or withdraw from the engagement altogether.
If withdrawal is chosen, the auditor would consider his/her professional and legal responsibilities,
06/10/2010
Page 376
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
including any requirement to report to the persons who made the audit appointment and to regulatory
authorities. The auditor would also discuss the withdrawal and the reasons with the appropriate level of
management and those charged with governance.
11.7 Controls to Prevent Fraud (Anti-Fraud Controls)
Management override can often be mitigated or slowed down in small entities by establishing and then
documenting key policies and procedures. For example, a written policy that says all non-routine journal
entries require approval would empower the bookkeeper to ask the manager to approve proposed journal
entries. It would not prevent management override from occurring but would act as a deterrent. If antifraud policies and procedures are not in operation, the risk of management override will need to be
addressed by the auditor through performing other audit procedures.
Note: Controls that address compliance with regulations that are not relevant to the audit (where noncompliance would not result in a material misstatement in the financial statements) do not need to
be addressed in the audit.
11.8
Internal Controls Relevant to the Audit (the scope of understanding)
Not all controls are relevant to the audit and require understanding. The auditor is only concerned with
understanding and evaluating those controls that would mitigate a risk of a material misstatement (fraud
or error) in the financial statements. This means that certain types of controls can be scoped out of the
audit altogether. These are controls that:
•
Do not drive financial reporting (such as operational controls and controls that address compliance
with regulations); and
•
Even if non-existent, a material misstatement in the financial statements would be unlikely.
Exhibit 11.8-1
In some cases, there may be some overlap between financial controls and controls relating to operations
and compliance objectives. Examples include controls that pertain to data the auditor evaluates or uses in
applying other audit procedures such as:
•
Data required for analytical procedures (for example, production statistics);
06/10/2010
Page 377
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
•
Controls that detect non-compliance with laws and regulations;
•
Safeguarding of asset controls that pertain to financial reporting; and
•
Controls over the completeness and accuracy of information produced that may form the basis for
calculating key performance measures.
Controls that would always be relevant to the audit include those that mitigate the following risks.
Exhibit 11.8-2
Description
Significant Risks
Significant risks are identified and assessed risks of material misstatement that,
in the auditor’s judgment, require special audit consideration.
Risks that Cannot
Easily be Addressed
by Substantive
Procedures
These are identified and assessed risks of material misstatement for which
substantive procedures alone would not provide sufficient appropriate audit
evidence.
Other Risks of
Material
Misstatement
These are identified and assessed risks of material misstatement that in the
judgment of the auditor could potentially result in material misstatements
occurring.
The auditor’s judgment about whether a particular control is relevant to the audit is influenced by:
•
Knowledge about the presence/absence of controls identified in other components of internal control.
If a particular risk has already been addressed (such as by the control environment, information
system, etc.), there is no need to identify any additional controls that may exist;
•
The existence of multiple control activities that achieve the same objective. It is unnecessary to obtain
an understanding of each of the control activities related to such objective;
•
The need to test the operating effectiveness of certain key controls. For example, if there is not a
practical way to test sales completeness (i.e., by performing substantive procedures) a test of the
operating effectiveness of controls would be required; and
•
The impact that testing the operating effectiveness of controls would have on the extent (i.e., the
reduction) of substantive testing required.
Professional judgment is required to determine whether an internal control, individually or in combination
with others, is, in fact, relevant.
06/10/2010
Page 378
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
Top down and risk-based
The auditor’s approach to understanding internal control should be from the top down. The first step is
to identify the relevant entity level and transactional risks and then determine whether management’s
response is appropriate.
A solid understanding of entity level controls provides an important basis for assessing relevant
controls over financial reporting at the transactional (business process) level. For example, if there are
poor controls over data integrity at the entity level, this will impact the reliability of all information
produced by systems such as sales, purchases and payroll.
Example
The top down and risk-based approach to understanding internal control involves:
•
Identifying the business processes involved (including accounting) for each significant account
balance;
•
Determining for each process identified whether a material misstatement in the financial
statements could possibly occur or whether other factors exist that would make it relevant; and
•
Scoping out of the audit those processes and controls that are not relevant.
For example, a biscuit production company may have the following processes that drive the sales
revenue figure:
•
The main sales order system captures details and the progress of each order received by telephone.
This accounts for 70% of sales.
•
“Window sales” are where customers can buy broken biscuits from a small shop at the back of the
production facility. These account for 2% of sales.
•
Internet sales where orders are placed on-line and paid by credit card; these account for 28% of
sales.
•
The accounting system captures details of all types of sales.
In this situation, the window sales are unlikely to result in a material misstatement in the financial
statements and may therefore be scoped out of the audit. However, before this decision is made, it would
still be prudent to either:
•
inquire about the existence of controls over the window sales to ensure all such sales are recorded
and that there is no deliberate breaking of biscuits for sale at reduced prices to related parties.
•
perform an analytical review of the breakdown of sales, to ensure window sales have not deviated
from the expected 2% of sales.
11.9
Case Studies ─ Identifying Relevant Controls
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
Since not all business processes and controls are relevant to the audit, it is important to understand which
financial statement areas and controls could have a material impact on the financial statements.
Determining which financial statement areas and related business processes are in scope involves using
06/10/2010
Page 379
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
overall materiality as a guide to identify:
• What financial statement areas are, or could be material; and
• What entity level controls and business processes are relevant?
Immaterial balances, transactions, business processes and controls where no material misstatements are
likely to result can be scoped out of any further consideration in the audit. However, before scoping an
area out, consider:
•
The possible accumulation of immaterial misstatements that could, in the aggregate, add up to a
material misstatement; and
•
Whether the financial statement area is understated due to fraud or error.
06/10/2010
Page 380
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study A ─ Dephta Furniture Inc.
#
Financial statement level
Pervasive risks identified
Entity level and IT general controls
Identify any processes that mitigate the risks(i.e.,
governance board)
Annual business planning cycle, management/owner monthly
meetings, including financial statement review, IT budgets, dayto-day involvement of management in operations.
Cash and cash equivalent
Receivables, receipts process, investment of short-term (30-60
day)
deposits
at
bank,
bank
reconciliation
and
cash
management.
Trade and other receivables
Revenue, receivables, receipts process, valuation of overdue
accounts, asset sales.
Inventories
Purchases,
payables,
payments
process,
inventory
management, stock taking, valuation of obsolete inventory.
Property, plant and equipment
Purchases,
payables,
payments
process,
calculation
of
amortization, capitalization of assets, asset sales.
Bank indebtedness
Receivables, receipts process, bank reconciliation and cash
management
Trade and other payables
Purchases, payables, payroll, payments process, calculation or
amortization, capitalization or assets.
Income tax payable
Income tax provision preparation.
Interest-bearing loan
Finance charges, bank reconciliation process.
Capital and reserves
Issuance/redemption of capital, dividends.
Sales
Revenue, receivables, receipts process (including cash scrap
sale, Internet sales, catalog and custom sales orders).
Cost of goods sold
Purchases, payables, payroll, payments process, inventory
adjustments.
Distribution costs
Purchases, payables, payroll, payments.
Administrative costs
Purchases, payables, payroll, payments.
Depreciation
Depreciation and amortization calculations.
Finance cost
Finance charges, bank reconciliation process.
Income taxes
Income tax provision preparation.
Prepared by: FJ
Date: December 18, 20X2
Reviewed by: LF
Date: December 22, 20X2
06/10/2010
Page 381
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study B ─ Kumar & Co.
Memo to File: Scoping material financial statement areas (FSAs) and processes
Entity Level and IT General
•
Raj prepares an annual budget each period for the bank.
•
Raj communicates with the bank manager quarterly when the financial statements are sent to the
bank.
•
Raj usually reviews these with Suraj and Jawad since Dephta is a shareholder, but also because
Raj appreciates their input and Jawad’s accounting and financial knowledge.
There is no formal IT structure or process. Raj decides what software and hardware to replace on an
as-needed basis. Although Raj ensures that Ruby backs up the accounting data weekly, there is no
disaster recovery plan or documented IT process.
Material financial statement areas
With the exception of cash and cash equivalents, which seem to fluctuate from period to period, all
FSAs on the financial statements are material and in scope. Therefore, the following business
processes will need to be examined as part of our audit:
Business Process
Material Financial Statement Areas Affected
Receivables/receipts
Revenue, trade receivables & other, cash and
cash equivalents
Valuation of overdue accounts receivable
Trade receivables & bad debt expense
Sales process (cash sales, sales orders)
Revenue
Purchases, payables, payments
Trade payables & other, property, plant and
equipment, inventories, income statement
expense categories
Payroll
Payroll expenses
Taxes payable and remittances
Income, payroll and sales taxes
Inventory valuation and management
Purchases and inventories
Bank account reconciliations
Cash and cash equivalents, interest-bearing
loan, interest expense
Calculation of depreciation and amortization
Property, plant and equipment and
depreciation/amortization expense.
Prepared by: FJ
Date: November 25, 20X2
Reviewed by: LF
Date: November 30, 20X2
06/10/2010
Page 382
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
12.
EVALUATING INTERNAL CONTROL
Chapter Content
Relevant ISAs
Guidance on the four key steps involved in evaluating
control design and implementation and documenting the
results.
315
Exhibit 12.0-1
06/10/2010
Page 383
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 12.0-2
1. Risk Identification
What risks, if not mitigated by internal controls
could result in material misstatements
in the financial statements?
2 Evaluate Control Design
Are there controls capable of effectively
preventing, or detecting and correcting,
the material misstatements identified in step 1?
Yes
No
3&4 Evaluate Control
Implementation and
document operation
Do the controls exist and
is the entity using them?
No
Yes
Report significant
deficiencies in control to
management & those
charged with governance
Document the results and conclusions reached
Paragraph #
Relevant Extracts from ISAs
315.13
When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the
design of those controls and determine whether they have been implemented, by performing procedures in
addition to inquiry of the entity’s personnel. (Ref: Para. A66-A68)
315.29
If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the
entity’s controls, including control activities, relevant to that risk. (Ref: Para. A124-A126)
315.32
The auditor shall include in the audit documentation:
(a) The discussion among the engagement team where required by paragraph 10, and the significant
decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its
environment specified in paragraph 11 and of each of the internal control components specified in
paragraphs 14-24; the sources of information from which the understanding was obtained; and the
risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level and at the
assertion level as required by paragraph 25; and
(d) The risks identified, and related controls about which the auditor has obtained an understanding, as a
result of the requirements in paragraphs 27-30. (Ref: Para. A131-A134)
12.1
Overview
Regardless of the whether tests of controls will ultimately be performed to gather audit evidence it is still
necessary for the auditor on every engagement to evaluate control design and implementation. This
06/10/2010
Page 384
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
involves a four-step process, which can be summarized as follows.
Exhibit 12.1-1
Description
Step 1
What Risks Require
Mitigation?
Step 2
Do the Controls
Designed by
Management
Mitigate the Risk?
Identify the inherent risks of material misstatement (business and fraud risks)
and whether they are pervasive risks affecting all assertions or specific risks
that affect particular financial statement areas and assertions.
Identify what business processes are in place (if any).
• Interview entity personnel to identify what controls mitigate the risks
identified in Step 1 above.
• Review results and assess whether the controls do, in fact, mitigate the
risks.
• Communicate any significant deficiencies identified in the entity’s internal
control to management and those charged with governance.
In larger entities, this step may require reference to or preparation of some
system documentation (see Step 3 below) to provide some context regarding
the operation of certain controls.
Step 3
Are the Controls
that Mitigate the
Risks Factors in
Operation?
Observe or inspect the operation of relevant internal controls to ensure they
have indeed been implemented. Note that inquiry of management is not
sufficient to evaluate whether a relevant control has in fact been implemented.
This step can often be combined with Step 2 above.
This step can consist of a simple narrative description (prepared by the entity’s
management or auditor) of the major processes, describing the operation of the
relevant internal controls identified.
Step 4
Has the Operation
of Relevant Controls
Been Documented? This documentation does not have to include:
• A detailed description of the business process or the way paper flows
through the entity; or
• Internal controls that may exist but are not relevant to the audit.
Note:
Regardless of how well a control is designed and implemented, it can only provide reasonable
assurance about the achievement of an entity’s objectives with regard to reliability of financial
reporting due to certain inherent limitations. These are described below.
Exhibit 12.1-2
Description
Internal
Control Limitations
06/10/2010
•
•
•
Human judgments and simple human failures such as errors or mistakes.
Circumvention of internal control by the collusion of two or more people.
Inappropriate management override of internal control, such as revising
Page 385
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Description
the terms of a sales contract or overriding a customer’s credit limit.
Volume 2, Chapter 11 addresses the understanding of internal control required. Volume 1, Chapter 5
addresses the nature of internal control and provides a detailed description of the five components of
internal control.
12.2
Step 1 —What Risks Require Mitigation?
Exhibit 12.2-1
Identify what risks
require mitigation
A Risk Assessment Procedure
What risks exit (pervasive or specific) that
if not mitigated by controls could cause
a material misstatement to occur?
Before the auditor begins to document the controls that may exist, the first step is to identify and then
assess the significant and other risk factors that are present. Otherwise, the internal control evaluation will
take place without an understanding of what risks need to be mitigated by internal control.
The identification of risks has been addressed in Volume 2, Chapter 8. Risks requiring mitigation can be
pervasive, relating to many financial statement areas and assertions or specific relating to particular
financial statement areas and assertions.
The following exhibit summarizes some typical sources of risk and the types of control that could
mitigate such risks.
Exhibit 12.2-2
06/10/2010
Page 386
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
When a listing of risk factors (by business process) has been prepared, it would be useful (but not
required) to:
•
Eliminate any risk factors that would unlikely result in a material misstatement even if it was not
mitigated at all. Controls that address such risks would not be relevant to the audit;
•
Customize the wording of the risk factors to make it relevant for the particular entity;
•
Ensure all relevant assertions have been addressed; and
•
Consider whether there are any additional risks (entity and transactional level) that could result in a
material misstatement if not mitigated.
Consider Point
Some entities may use an internal control framework (such as published by the Committee of
Sponsoring Organizations of the Treadway Commission (COSO)) that provide generic listings of
internal control objectives and internal control procedures. If such a tool is used in the audit, the same
steps outlined above would be followed.
•
Remove the control objectives (or risk factors) that are unlikely to result in a material
misstatement even if no internal control existed;
•
Add any other additional control objectives (risk factors) that could result in a material
misstatement for the entity if not mitigated; and
•
Identify the financial statement areas and assertions affected by the risk factors.
12.3
Step 2 — Do The Controls Designed by Management Mitigate the Risk?
Exhibit 12.3-1
Evaluating whether a control has been designed properly by management involves an assessment of
whether the controls identified (individually or in combination with other controls) will actually mitigate
the risk factor. This involves considering whether the control(s) is capable of effectively:
•
Preventing material misstatements from occurring in the first place; or
•
Detecting and correcting material misstatements after they have occurred.
It is recommended that evaluating control design begin with the pervasive controls. These types of
controls form the all important foundation for assessing the design and operation of specific
(transactional) controls.
At this point some auditors (particularly when auditing larger and more complex entities) may find it
helpful to obtain some information (preferably prepared by the entity) that describes the business process
and the way paper flows through the entity and where controls exist. However, this is not a specific
requirement in the ISA.
There are two common ways to match internal controls to the risk factors (or control objectives) that they
06/10/2010
Page 387
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
are designed to mitigate. For the purposes of this Guide, these approaches have been called:
•
One-risk-to-many controls; and
•
Many-risks-to-many controls.
One-Risk-to-Many Controls
Under this approach, each risk factor is considered by itself. All the controls that address that particular
risk factor are identified. This approach is particularly useful for mapping the pervasive (entity-level) risk
factors to controls. The approach is illustrated below.
Exhibit 12.3-2
Risk/Control Objective
1. Risk factor
Assertion
C
Mitigating Controls
1. Control procedure A
2. Control procedure B
3. Control procedure C
4. Control procedure D
2. Risk factor
EA
1. Control procedure E
2. Control procedure F
3. Control procedure G
4. Control procedure H
3. Risk factor
A
1. Control procedure I
2. Control procedure J
3. Control procedure K
4. Control procedure L
4. Risk factor
CA
1. Control procedure M
2. Control procedure N
3. Control procedure O
4. Control procedure P
This one-risk-to-many controls approach has often been used for mapping all types of control, including
transactional controls. However, because a single transactional control can often address more than one
risk (and therefore get repeated many times in this approach), the many-to-many matrix (outlined below)
is generally considered more effective for transactional controls.
The following example illustrates how the one-risk-to-many controls approach can work. An objective of
the control environment is the need for management, with the oversight of those charged with
governance, to create and maintain a culture of honesty and ethical behavior. This objective stated as a
risk factor could be management has not created or maintained a culture of honesty and ethical behavior.
06/10/2010
Page 388
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Some of the controls that management may design and implement to address this pervasive risk could
include:
•
Management continually demonstrates, through words and actions, a commitment to high ethical
standards;
•
Management removes or reduces incentives or temptations that might cause personnel to engage in
dishonest or unethical acts;
•
A code of conduct or equivalent exists that sets out expected standards of ethical and moral behavior;
•
Employees clearly understand what behavior is acceptable and unacceptable and know what to do
when they encounter improper behavior; and
•
Employees are always disciplined for improper behavior.
The auditor would first read the risk or control objective and then identify, possibly from a list such as
above, what, if any, controls exist to mitigate the risk. The resulting documentation could take the
following form.
Note:
The column on control design outlines the steps the auditor could take to assess control design.
Exhibit 12.3-3
Internal Control (IC)
Component
Risk Factor
Control Identified
Control Design
No emphasis on
integrity or ethics
Code of conduct is signed
by employees each year
and is enforced through
staff discipline
Have read the code and it
does emphasize need for
integrity and ethics.
Control Environment
Incompetent employees
could be hired
Risk Assessment
Management often
surprised by predictable
events
Required knowledge and
skills specified for each
employee position.
Business risks are
identified and assessed
each year as part of
business planning.
Reviewed the job
specifications for key
positions including
accounting and they
appear to be acceptable.
Reviewed the business
plan and risks have been
identified, updated and
assessed.
Once the controls have been identified, the auditor would use professional judgment to conclude whether
the control design is sufficient to address the risk factor.
When forming a conclusion on the control environment, the auditor is required by ISA 315.14 to evaluate
whether:
•
Management, with the oversight of those charged with governance, has created and maintained a
culture of honesty and ethical behavior; and
•
The strengths in the control environment elements collectively provide an appropriate foundation for
06/10/2010
Page 389
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
the other components of internal control, and whether those other components are not undermined by
deficiencies in the control environment.
This wording could be used as the overall conclusion by the auditor on all entity level controls. Such a
conclusion will also have a major impact on the auditor’s assessment of risk at the financial statement
level.
Many-Risks-to-Many Controls
For specific and transactional risks, the most common approach to evaluating design is through the use of
what is sometimes called a “control design matrix”. These matrices enable the auditor to see at a glance:
•
The many-to-many relationships that exist between risks and controls;
•
Where internal control is strong;
•
Where internal control is weak; and
•
The key controls that address many risks/assertions and could be tested for operating effectiveness.
An example of a simple control design matrix is illustrated below.
Exhibit 12.3-4
Process = Sales
Material Risk Factors
Assertions
Controls
Risk A
Risk B
Risk C
Risk D
C
EA
AC
CE
Key
Controls
P
P
yes
P
P
yes
D
D
D
Yes
Yes
Internal Control
Component
Procedure #1
Control Environment
Procedure #2
Information Systems
Procedure #3
Control Activity
P
Procedure #4
Monitoring
D
Procedure #5
Control Activity
Procedure #6
Control Activity
Procedure #7
Information Systems
Is control design OK?
D
D
No
Yes
(Will the identified controls mitigate the
risk factors?)
P = Prevent control D = Detect and correct control
06/10/2010
Page 390
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Note:
The above matrix contains the following information:
• Risk factors that, if not mitigated, could result in a material misstatement in the financial
statements;
• The assertions addressed by the risk factors; and
• Where the internal control procedure addresses (intersects with) the risk on the matrix, it is
recorded as either preventing (P) a misstatement or detecting (D) and then correcting a
misstatement after it has occurred.
Such a matrix can also be expanded to include other information including:
• The frequency the control is operated such as continuous, weekly or monthly;
• Whether the control is manual or automated; and
• The expected reliability of the internal control over a period of time. This could include, for
example, assessing the competence (and independence from other functions) of the person
who performs the control, whether the control is performed on a timely basis and any history
of errors occurring).
Consider Point
Multiple control procedures
Note that any one control procedure by itself is unlikely to mitigate a key risk factor. Often, a
combination of control activities, working together with other components of internal control (such
as the control environment) will be sufficient to address the risk factor.
Start with the risks
Avoid the temptation to list all the known controls and then match them to risks. Risks come first,
then controls to mitigate the risks. It is more efficient to address each risk (or control objective) in turn
and then identify what controls exist to address that risk. Once enough controls have been identified to
address the risk, there is no point spending more time to identify any additional controls.
Matching controls with risks not only helps to evaluate control design but will also identify key controls
(over relevant assertions) that could potentially be tested. It will also help the auditor identify control
deficiencies that may require:
• Communication to management and those charged with governance about the significant deficiency
on a timely basis so that corrective action can be taken; and
• Development of an appropriate audit response.
The control design matrix (see Exhibit 12.3-4) can be used to identify both control strengths and control
deficiencies. This process is described below.
Exhibit 12.3-5
Identify
Description – Using the Control Design Matrix
Internal Control
Deficiencies
Look down each risk column (in the control design matrix above) to see
what internal control procedures exist to mitigate the risks. If sufficient
controls exist, then there is no control deficiency.
Where few or no internal control procedures exist to mitigate the risk, a
significant internal control deficiency may exist. Refer to Risk C in the matrix
06/10/2010
Page 391
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Identify
Description – Using the Control Design Matrix
above, where it appears that a significant deficiency exists. In this case, the
auditor would:
• Inquire about any other internal control procedures or compensating
internal control procedures that might exist. If none exists, a significant
deficiency may exist that would be communicated to management and
those charged with governance as soon as possible so that corrective action
may be taken; and
• Consider what further audit procedures may be necessary to respond to the
risk identified.
Compensating controls may be activities that indirectly impact on the risk
factor. For example, the risk of shipping goods but not invoicing for them
could be detected by the sales manager when he reviews sales results each
quarter. Such a control would obviously not be sufficient by itself to mitigate
the risk.
Internal Control
Strengths
12.4
Look across the rows of the control design matrix above to identify internal
control procedures that would prevent or detect and correct misstatements
arising from a number of risk factors. Note that Control Procedure 3 in the
example matrix above addresses three risks and three assertions. This is an
example of a type of control (often referred to as key controls) that, if
considered reliable, could be considered for testing their operational
effectiveness, particularly where this testing could be used to reduce other
more detailed tests.
How to Identify Internal Controls
Controls are usually identified through discussion (interviews) with the person(s) who are responsible for
managing the risk or the particular process. In smaller entities, this will often be the owner-manager or the
senior manager. A typical approach for identifying controls would be as follows.
Exhibit 12.4-1
Action
Description
Identify the
Inherent Risks
Identify the pervasive (entity level) and specific (transactional) risks that
require mitigation through internal control to prevent or detect and correct
material misstatements.
Ask about Internal
Control Procedures
(if any) that Address
the Inherent Risk
Ask the owner-manager or the responsible person what internal control
procedures exist in the entity to mitigate each particular risk factor one by one.
Document the controls identified in the words of the person being interviewed.
06/10/2010
When (based on professional judgment) enough controls have been identified
Page 392
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Action
Description
to effectively mitigate the risk, stop asking for any more controls. There is no
Address Each Risk
need to list all of the other controls that may exist to mitigate the risk, unless
factor - one at a time.
specifically requested for another purpose.
Document
the Results
The controls identified can be documented in a number of ways. They can be
listed under each risk factor they address or listed on a control matrix and
linked to all the various risk factors they address.
The key is to ensure the control procedures identified are linked to the risk
factor that they were designed to mitigate. This enables an assessment to be
made as to whether the controls identified do actually mitigate the risk. If the
control matrix is used:
• Record the internal control procedures identified directly onto the matrix
and indicate (where they intersect with the risk) whether they would
prevent or detect and correct potential misstatements for risk factors; and
• Consider whether the control would also be effective in mitigating other
risk factors. It is quite possible that some internal control procedures will
prevent or detect a number of the risk factors.
Where controls have not been identified to address a risk, the auditor would
immediately alert management to the control deficiency (likely significant)
that may needs to be addressed.
06/10/2010
Page 393
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
Avoid using generic controls
Avoid the temptation to use generic lists of internal control activities that are appropriate for the socalled “typical” entity. Listings of “standard” or “typical” controls can take time to read and
understand and are often too complex or simply irrelevant for smaller entities. Instead, use them as a
reference source but only when needed. It is much better to document the nature of each control
identified using the client’s own description.
Multi task
Evaluating control design can be combined with control documentation (see Step 3 below) and with
the inspection/observation of documents to support control implementation (see Step 4 below). For
example, if there is a policy identified that no non-routine journal entries can be made without
authorization, ask to see the actual policy (assess control design) and some journal entries for evidence
of approval (control implementation).
Risk management
Many entities assign risk management responsibilities by process (such as sales or purchasing) instead
of by risk. As a result, there may be a number of important risk factors that fall between departments
(such as sales, purchasing and accounting) and no one is directly accountable. If risks are not
specifically identified and responsibility assigned to someone, there is often a lot of finger pointing
when something goes wrong. Staff may blame each other by saying something like “I thought that risk
was being managed by Mary or Jack, or the accounting, IT or sales department, etc.”
Concluding on Control Design
The final step in assessing control design is to draw a conclusion on whether the controls identified
actually mitigate the particular risk factor. This requires the use of professional judgment. For each
relevant assertion or risk factor, consider whether management’s response is sufficient to reduce the risk
of material misstatement to an acceptably low level. If the control design matrix approach is used, the
bottom row of the matrix could be used to document the conclusion as to whether the controls are
sufficient or not to mitigate each risk factor.
A summary of the overall control evaluation (that addresses the five control components) could be set out
in the exhibit below.
06/10/2010
Page 394
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 12.4-2
Notes: White = the underlying risks have been appropriately mitigated.
Grey = some problems may exist.
Black = potentially significant deficiencies.
Consider Point
For smaller entities, there is an even simpler way of assessing transactional controls. First identify the
risk factors (see Step 1 above) and the assertion(s) affected. Then instead of mapping identified controls
to each individual risk factor, identify controls that address the assertions affected by the risk.
If no controls are identified for a particular assertion, a substantive audit response would need to be
developed. If the controls identified are expected to operate reliably, the audit response could include
a test of relevant key controls. For example, the risk of unrecorded sales addresses the completeness
assertion. Identification of relevant controls could be limited to those that address the completeness
assertion in general, rather than the one specific risk.
12.5
Step 3 — Are Controls that Mitigate the Risk Factors In Operation?
Exhibit 12.5-1
Inquiry of management alone is not sufficient to evaluate the design of internal control procedures or to
determine whether they have been implemented. This is because people may genuinely believe or hope
06/10/2010
Page 395
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
that certain controls exist when in fact they do not. A documented description of controls (however good)
that do not exist or do not operate is of no value to the audit.
Some of the reasons for observing internal control in action are:
•
Change
Processes change over time resulting from revised/new products or services, efficiencies in operation,
changes in personnel and implementation of new supporting IT applications;
•
Wishful thinking
The entity’s personnel may explain to the auditor how a system should operate rather than how it
actually operates in practice; and
•
Lack of knowledge
Some aspects of the system may have been inadvertently overlooked in obtaining the understanding
of internal control.
Consider Point
If there is any doubt about whether some controls identified in Step 2 above have not in fact been
implemented, do not assess control design and document the operation of the controls until some work
has been performed to determine they exist and operate. Alternatively, do not take time to assess
controls that are unlikely to be relevant to the audit or have been inappropriately designed.
Risk assessment procedures required to obtain audit evidence about control implementation would
include those listed below.
Exhibit 12.5-2
Description
Assessing Control
Implementation
Note:
•
•
•
•
Inquiring of entity personnel;
Observing or re-performing the application of specific controls;
Inspecting documents and reports; and
Tracing one or two transactions through the information system
relevant to financial reporting. This is often called a walk-through.
A walkthrough is not a test of the operating effectiveness of a control.
Implementation of controls provides evidence about whether a control was actually in operation at a
particular point in time. It does not address operating effectiveness throughout the period being audited.
Evidence of operating effectiveness (if this is part of the audit strategy being developed) would be
achieved through a test of controls that gathers evidence about control operation over a period of time,
such as a year.
Only when it has been established that the internal control relevant to the audit has been properly
designed and implemented is it worth considering:
•
What tests of the operating effectiveness of controls (if any) will reduce the need for other substantive
testing; and
•
What controls require testing because there is no other way of obtaining sufficient appropriate audit
evidence.
06/10/2010
Page 396
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Points
Ensure the audit team has a clear understanding of the difference between control design, control
implementation and tests of controls. These are summarized as follows:
Control design
Have controls been designed that will mitigate the inherent risks?
Control implementation
Are the designed controls actually in operation? Control implementation procedures should be
performed each period to identify any system changes.
Tests of controls
Did the controls operate effectively over a specified period of time? There is no requirement to test the
operating effectiveness of controls unless there is no alternative way (such as in a highly automated
and paperless system) to gain the necessary audit evidence. The decision to test the operating
effectiveness of controls is therefore a matter of professional judgment.
Do not ignore the linkage between control design and implementation
If there is any doubt about whether some of the controls identified in Step 2 above have in
fact been implemented, do not assess control design until some work has been performed to
determine if they exist and operate. Also, if the auditor concludes that control design is
inadequate, there is no point going on and evaluating the control implementation. It is likely
that a significant deficiency already exists.
Assess implementation every period
After the initial audit engagement, first evaluate the control implementation to determine
what has changed. Use the control design documentation already obtained in the previous
period as the starting point. If a change in internal control is identified, consider whether the
revised or new controls continue to mitigate the risk factor or whether there are now new
risks that have to be mitigated.
12.6
Step 4 — Has the Operation of Relevant Controls Been Documented?
Exhibit 12.6-1
The purpose of this step is to provide some information abut the operation of the relevant controls identified
in Step 2 above. The extent of documentation required is determined by professional judgement.
The resulting documentation will help the auditor to:
•
Understand the nature, operation (initiation, processing, recording, etc.) and context (such as who
06/10/2010
Page 397
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
performs the control, where the control is performed, how often and the resulting documentation) of
the identified controls; and
•
Determine whether the controls are likely to be reliable and operate effectively. If so, they could be
tested as part of the audit response to assessed risks. If a decision is made to test the operating
effectiveness of controls, this documentation will also help the auditor in designing the test, such as
what population to use in selecting the sample, what control attributes to examine, who performs the
control and where the necessary documentation may be found.
Consider Point
Documentation of controls does not have to be complex or comprehensive. There is no requirement
for the auditor to document an entire business process or to describe the operation of any controls that
are not relevant to the audit.
Some of the matters to be considered when documenting relevant internal controls are:
Exhibit 12.6-2
Documenting Relevant Internal Controls
•
•
How significant transactions are initiated, authorized, recorded, processed and reported;
The flow of transactions in sufficient detail to identify the points at which material misstatements
caused by error or fraud could occur; and
Internal controls over the period-end financial reporting process, including significant accounting
estimates and disclosures.
•
The most common forms of documentation prepared by management or the auditor are:
•
Narrative descriptions or memoranda;
•
Flowcharts;
•
A combination of flow charts and narrative descriptions; and
•
Questionnaires and checklists.
The nature and extent of the documentation required is a matter of professional judgment. Factors to
consider include:
•
•
•
the nature, size and complexity of the entity and its internal control,
availability of information from the entity and
audit methodology and technology used in the course of the audit.
The extent of documentation may also reflect the experience and capabilities of the audit team. An audit
undertaken by less experienced team may require more detailed documentation to assist them obtain an
appropriate understanding of the entity than one that includes experienced individuals.
12.7
Updating Control Documentation in Subsequent Periods
The auditor may use documentation prepared or obtained in a prior audit period when planning the audit
of a subsequent period. This will involve the following documentation.
06/10/2010
Page 398
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 12.7-1
Description
Updating Control
Documentation
Prepared in
Previous Periods
•
•
•
•
•
•
Make a copy of the previous period’s working papers on controls as the
starting point for updating in the current year. If nothing has changed,
evaluate control implementation before design. If the control has been
implemented and the risk did not change the design will be acceptable.
Update the listing of risks that require mitigation by control;
Identify changes in internal control at the entity and transactional level.
This is achieved by procedures that address control implementation;
Where changes are identified (risk or controls), determine whether new
internal controls have been designed and implemented;
Update the linkage of internal controls with the appropriate risk factor; and
Update the conclusions on control risk.
Where the audit strategy is likely to involve reliance on the effective operation of certain controls (such as
through tests of controls) and control changes have occurred, there will be a need to walk through
transactions that were processed both before and after the change took place.
Consider Point
Changes in pervasive (entity-level) controls
When updating control documentation, carefully consider the changes in pervasive (entity- level)
controls. These changes could have a significant impact on the effectiveness of other specific
(transactional) controls and may affect the audit response to assessed risks. For example,
management’s decision to hire a qualified professional to prepare the financial statements may
considerably reduce the risk of errors in the financial information and enhance the effectiveness of
transactional controls that might previously have been undermined. Alternatively, management’s
failure to replace an incompetent IT manager or commit sufficient resources to address IT security
risks may undermine other internal control procedures in effect. In either case, these changes could
trigger a significant change in the appropriate audit response.
12.8
Written Representations about Internal Control
Written representations should be obtained from management acknowledging its responsibility for such
internal control as management determines is necessary to enable the preparation of financial statements
that are free from material misstatement, whether due to fraud or error.
12.9
Case Studies – Internal Control Evaluation
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
The following extracts from internal control documentation provide an example of the information that
would be obtained from using the four-step process described above.
06/10/2010
Page 399
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study A ─ Dephta Furniture Inc.
Entity Level Controls
This form addresses all four steps described above. It outlines the risks to be addressed and
provides for documentation of the controls identified, how the controls operate and how they are
implemented.
Control environment
Control
exists?
Describe inquiries/
observations to ensure
Describe the nature of
supporting documentation (if any) or controls identified were
implemented
management actions
1. Risk: No emphasis is placed on need for integrity and ethical values
Possible controls
(choose those that apply ):
a)
Management continually
demonstrates, through
words and actions, a
commitment to high
ethical standards.
Yes
Suraj and the management team
consistently reinforce the need for
adherence to safety and ethical standards
through daily communication with
employees.
Interviewed two employees,
Jon and Amad, who confirmed:
b)
Management removes or
reduces incentives or
temptations that might
cause personnel to
engage in dishonest or
unethical acts.
Yes
Suraj accepted our recommendation last
period and prepared a code of conduct
outlining expected behaviors by staff.
Employees have been given a
copy of the code of conduct
and had attended a meeting on
May 13, where the guidelines
were explained.
c)
A code of conduct or
equivalent exists that sets
out expected standards of
ethical and moral
behavior.
Yes
See response to b) above
Reviewed code of conduct.
d)
Employees clearly
understand what behavior
is acceptable and
unacceptable and know
what to do when they
encounter improper
behavior.
Yes
Employees have been disciplined in the
past for improper behavior.
Suraj fires people immediately
if caught stealing or acting
unethically. Two such cases
occurred last year among
temporary workers.
e)
Employees are always
disciplined for improper
behavior.
Yes
Suraj will not tolerate illegal or unethical
behavior amongst employees, customers
or suppliers.
Noted that a new employee
was quickly fired after being
caught stealing office supplies
f)
Other (explain).
No
06/10/2010
Page 400
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Control environment
Control
exists?
Describe inquiries/
observations to ensure
Describe the nature of
supporting documentation (if any) or controls identified were
implemented
management actions
2. Risk: Incompetent employees may be hired or retained
Possible controls
(choose those that apply):
a)
Company personnel have
the competence and
training necessary for
their assigned duties.
Yes
Management specifies
the requisite knowledge
and skills required for
employee positions.
Yes
Job descriptions exist and
are effectively used.
No
d)
Management provides
personnel with access to
training programs on
relevant topics.
No
e)
Adequate staffing levels
are maintained to
effectively perform
required tasks.
Yes
f)
Initial and ongoing
matching of staff skills to
their job descriptions.
No
g)
Staff are compensated
and rewarded for good
performance.
No
h)
Other (explain).
No
b)
c)
All staff are trained on the job and
adequately supervised.
Management is skilled in manufacturing,
sales and administration. Ravi and Parvin
offer advice on business, marketing and
legal issues
There were no vacancies during year in any
of the positions that affect financial
reporting
Interviewed two employees,
Jon and Amad, who:
•
Clearly understood their
roles and responsibilities in
the absence of a written job
description.
•
Indicated they receive
instruction whenever a
machine or process
changes.
•
Receive praise when things
go better than expected and
are told immediately when a
job was not done well.
Inquiries of admin staff (Mirelli
and Cliff) indicated that staffing
levels remained constamt dring
period
Employees are encouraged when they do a
good job. There is no bonus structure other
than for salespeople.
3. Risk: Management has a poor attitude toward internal control and/or managing business risks
Possible controls
(choose those that apply):
06/10/2010
Page 401
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Control environment
Control
exists?
Describe inquiries/
observations to ensure
Describe the nature of
supporting documentation (if any) or controls identified were
implemented
management actions
Management demonstrates
positive attitudes and actions
toward:
a)
The establishment and
maintenance of sound
internal control over
financial reporting,
(including management
override and other fraud):
− Appropriate
selection/application
of accounting
policies,
− Information
processing controls,
and
− The treatment of
accounting
personnel;
b)
Management emphasizes
appropriate behavior to
operating personnel;
c)
Management has
established procedures to
prevent unauthorized
access to, or destruction
of, assets, documents
and records; and
d)
Management analyzes
business risks and takes
appropriate action.
06/10/2010
Yes
Management is very responsive to
recommendations that are not costly or
disruptive to implement and has a good
attitude towards internal control.
Reviewed the business plan
which included:
•
Sales and cash flow
forecast.
•
Anticipated capital
expenditures.
•
Discussion of how
recession may affect their
business in terms of sales
and the possibility of one
supplier going bankrupt.
Our management letter
recommendations have always
been accepted if they were
feasible.
Yes
See comments above on attitudes and the
code of conduct
Based on our employee
interviews (see Step 2),
employees understand what is
required and that rules should
be followed.
Yes
Some
Although risk management is informal,
business risks are discussed at management
meetings and reflected in the business plan.
During our interview with
Jawad, he indicated that Suraj
was open to discussing issues and
that he did not feel pressured to
manipulate the financial
statements. In Suraj’s words,
“the numbers are what they
are, whether they are good this
month or bad”.
Page 402
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Business Process or Transactional Controls
The above control design matrix addresses two of the four steps. It matches the transactional risks
with identified controls and could also be used to cross-reference work on implementation.
Step 3 − Assessing control implementation is addressed below
Extract from the revenue/receivables walkthrough
Make inquiries of the personnel processing the transaction.
Persons interviewed:
Karla
Date
November 15, 20X2
Dameer
Date
November 17, 20X2
Maria Ho
Date
December 3, 20X2
06/10/2010
Page 403
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Describe the procedures performed related to the
transaction. Address initiation, authorization,
recording in the accounting records and reporting
in the financial statements.
System works as described in the systems
documentation. See W/P 530 for copies of
documents that demonstrate the internal controls
in action. However, we noted Maria Ho is a new
employee and knows little about the system at
present.
Describe the process for any information transfers
from one person (process owner) to the next.
There is a hand-over from sales to accounting.
Based on the walkthrough, the transfer worked
well.
Note the frequency and timing of the internal
control procedures performed.
Noted on the control design matrix.
Identify any IT general controls required to protect
the transaction data files and ensure the proper
functioning of application internal controls.
IT general controls are minimal due to small size of
entity.
Document the procedures in place to cover
illnesses and vacations of personnel. If vacations
have not been taken in last 12 months, document
why.
There was a sales clerk vacancy for four months
during the period before Maria was hired. This
meant less segregation of duties during that time.
Ask about the extent and nature of errors found in
the past period.
Most errors were due to mistakes in pricing, which
is mostly a manual process at present.
Ask whether any person has been required to
deviate from documented procedures.
One request made by the sales manager to
substantially reduce the price on a bedroom set for
a friend was denied.
Step 4 − Control documentation is addressed below
Extract From Business Process Documentation Using a Narrative Approach –
Dephta Furniture Inc.
Note: the controls are identified in bold type.
Business Process − Revenue/receivables/receipts system
Sales contracts
Sales contracts for the retail and specialized orders are prepared by Arjan as they involve extensive
work. The contracts are all based on a template that contains the estimated quantities, types of
furniture, special requests as well as standard delivery and payment terms and conditions. Payment
terms and conditions can vary by customer. A 15% deposit is required on all custom orders and is
recorded as revenue at the time of sale.
06/10/2010
Page 404
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
All contracts are reviewed and signed for approval by Suraj prior to being given to the customer
for signature. When the contract is signed by the customer for approval, the order is entered into
the accounting system, which automatically assigns the order a sequential number. When the
order is ready for shipment, a shipping document is prepared, entered into the system and matched
with the order. Karla then prepares an invoice from the accounting system, which automatically
assigns a sequential number. It is a strict rule that no shipments can be made without the shipping
document number being entered into the system. The system can then track which orders have
been filled and which ones are still pending by delivery date.
Regular sales orders
Sales orders are prepared for each order received and entered into the accounting system, which
automatically assigns the order a sequential number. The only exception is furniture sold directly
from the shop or other small items on hand.
All orders over 500Є, or where the sales price is below the minimum sales price, must be approved
by Arjan.
When items are assembled and ready for shipment, Karla prepares an invoice that is sent along with
the order to the customer.
Arjan does not do a credit check on customers unless he does not know them or the order is large.
When granting credit, he relies mostly on his previous experience with the customer.
Shop sales
For all sales out of the shop, invoices are prepared at the time of sale and entered into the
accounting system. The system automatically generates an invoice number for each sale.
Invoices are usually given to customers.
The majority of the shop sales are for cash, so there is little credit risk.
Internet sales
A summary of the day’s Internet sales is downloaded from the website by Karla. She prepares sales
orders that are given to the production department. An invoice is prepared at the same time and
recorded as prepaid revenue since the item has been paid for. The invoice marked “paid in full”
accompanies all Internet orders shipped.
Accounts receivable
Karla opens all of the mail and segregates the payments received for deposit. Jawad usually goes to
the bank on his way home and makes the deposit. Karla then enters the payments into the
accounting system and applies the payment to the invoices indicated.
Jawad prepares an aged accounts receivable listing and gives the listing to Suraj for his review.
Accounts over 90 days are followed up each month and comments are made on the listing as to
when the customer has agreed to pay the balance.
For customers who are over 90 days and have not made alternative payment arrangements, future
sales are made on a cash-on-delivery basis.
06/10/2010
Page 405
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study B ─ Kumar & Co.
Entity Level and IT General
This form addresses all four steps described above. It outlines the risks to be addressed and
provides for documentation of the controls identified, how the controls operate and how they are
implemented.
Entity Level Controls
Risks to Consider
Relevant Controls
Control Environment:
•
No emphasis placed on importance/need for
integrity and ethical values
•
No commitment to employee competence
•
Ineffective management oversight by those
charged with governance
•
Management has a poor attitude toward
internal control and/or managing business
risks
•
Ineffective/inappropriate organizational
structure for planning, controlling and
achieving objectives
•
No policies/procedures to ensure effective HR
management.
Raj continually communicates the need for
integrity and ethical dealings in day-to-day
communications with employees and his actions.
He has a good attitude for internal control – has
implemented audit recommendations in past that
were feasible.
No formal governance structure, but Raj meets
with Suraj and Jawad (Dephta) regularly.
Do controls mitigate the risk factors?
Yes
Describe inquiries/observations to ensure controls
identified were implemented.
Interviewed Ruby who confirmed Raj’s
commitment to treating suppliers and customers
ethically and fairly.
Reviewed the minutes from the last meeting which
had been prepared by Jawad.
Risks assessment:
•
Management is often surprised by events that
were not previously identified/assessed or is
continually reacting to events rather than
planning ahead.
Business plan prepared annually. Raj monitors
monthly cash flows and sales trends.
Do controls mitigate the risk factors?
Yes
Describe inquiries/observations to ensure controls
identified were implemented.
Reviewed a copy of the business plan which did
highlight the potential for the economy to impact
06/10/2010
Page 406
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Entity Level Controls
Risks to Consider
Relevant Controls
sales.
Reviewed a folder containing monthly cash flows
given to Raj. Evidence of Raj’s review by
comments on the documents and changes
requested.
Financial reporting risks:
•
•
•
Events and conditions, (other than
Raj meets with Suraj and Jawad (Dephta) to
transactions), that are significant to the financial review financial statements and business plans.
statements may not be captured or recorded
Raj reviews financial statements but only reviews
Poor oversight/control over financial reporting, journal entries when he has time. (Risk increased
journal entries and preparation of significant
by lack of segregation of duties and gives Ruby
estimates/disclosures could result in material
ability to book entries undetected.)
misstatements in the financial statements
Significant matters relating to financial
reporting may not be communicated to the
board of directors or external parties such as
bankers or regulators.
Do controls mitigate the risk factors?
No. Control weaknesses include the risk of
management override and the lack of segregation
of duties in such a small entity
Describe inquiries/observations to ensure controls
identified were implemented.
Reviewed a folder containing the monthly
financials given to Raj. However no evidence seen
that Raj actually reviewed the statements.
Fraud prevention:
•
Management has not considered or assessed
the risks of fraud occurring (including
management override).
Raj keeps cash and valuables locked.
Raj is involved in every step of the operations,
including production, so oversight of all operations
minimizes fraud risk.
Do controls mitigate the risk factors?
No. Valuables are kept safe but Raj was absent
quite a bit this year which reduced the extent of
management oversight. In addition, the
bookkeeper is known to have personal financial
problems
Describe inquiries/observations to ensure controls
Inspected where the cash is kept locked and
06/10/2010
Page 407
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Entity Level Controls
Risks to Consider
Relevant Controls
identified were implemented.
verified that only Raj has the key.
IT General Controls
Risks to Consider
Relevant Controls
Risks to consider:
No IT policies and procedures.
•
No policies/procedures exist to ensure
effective IT management or IT staff
supervision
•
No alignment exists between business
objectives, risks and IT plans
•
Reliance is placed on systems/programs that
are inaccurately processing data or processing
inaccurate data
•
Unauthorized access to data. Possible
destruction of data, improper changes,
unauthorized or non-existent transactions or
inaccurate recording of transactions.
IT expenses and capital purchases part of annual
budget (if foreseen).
Raj ensures software is up to date and that Ruby
runs a back-up of the data.
Do controls mitigate the risk factors?
Yes, given small size of operations.
Describe inquiries/observations to ensure controls
identified were implemented.
Reviewed the annual budget with an IT expense
line. No major capital purchases were planned for
the period.
Business Process or Transactional Controls
This form (revenue, receivables, receipts) addresses two of the four steps in the process. It matches
the transactional risks by assertion with identified controls. It could also be used to cross-reference
work on the implementation of controls.
06/10/2010
Page 408
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Step 3 − Control implementation is addressed below.
Transactional control implementation
Extract from the revenue/receivables walkthrough
Persons interviewed:
Ruby
Date
December 12, 20X2
Raj
Date
December 17, 20X2
06/10/2010
Page 409
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Describe the procedures performed related to the
transaction. Address initiation, authorization,
recording in the accounting records and reporting
in the financial statements.
System works as described in the systems
documentation. See W/P 535 for copies of
documents that demonstrate the internal controls
in action.
Describe the process for any information transfers
from one person (process owner) to the next.
There is a hand-over from sales to accounting.
Based on the walkthrough, the transfer worked
well.
Note the frequency and timing of the internal
control procedures performed.
Noted on the control design matrix.
Identify any IT general controls required to protect
the transaction data files and ensure the proper
functioning of application internal controls.
IT general controls are minimal due to small size of
entity.
Document the procedures in place to cover
illnesses and vacations of personnel. If vacations
have not been taken in last 12 months, document
why.
As a part-time employee, Ruby catches up on all
record-keeping whenever she gets back to the
office. Due to the minimal number of transactions,
this has been sufficient.
Ask about the extent and nature of errors found in
the past period.
Most errors were due to mistakes in quantities of
items ordered and shipped. The sales and order
log matching is Raj’s control to catch those errors
and appears to be working effectively in our
walkthrough testing.
Ask whether any person has been required to
deviate from documented procedures.
None noted.
Step 4 − Internal control documentation is addressed below.
Note: the controls are identified in bold type.
Extract From Business Process Documentation Using a Narrative Approach –
Kumar & Co.
Business Process − Revenue/receivables/receipts system
Sales orders
Sales orders are prepared for each order received and entered into the accounting system, which
automatically assigns the order a sequential number. The only exception is furniture sold directly
from the shop or other small items on hand.
Raj maintains an order log that tracks the date of the order, the amount, the type of product, date
promised, price, etc. He also maintains a sales log with customer name, order details, price, etc.
Raj matches and reviews the order and sales logs at the end of the month for accuracy.
When items are assembled and ready for shipment, Ruby prepares an invoice, which is sent along
with the order to the customer.
06/10/2010
Page 410
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Shop sales
For all sales out of the shop, invoices are prepared at the time of sale by Raj and are entered into
the accounting system. The system automatically generates an invoice number for each sale.
Invoices are given to customers.
The majority of the shop sales are for cash, so there is little credit risk.
Accounts receivable
Ruby opens all of the mail and segregates the payments received for deposit. Raj goes to the bank
on his way home and makes the deposit. Ruby then enters the payments into the accounting system
and applies the payment to the invoices indicated.
Ruby prepares an aged accounts receivable listing and gives the listing to Raj for review.
Accounts over 90 days are followed up by Ruby each month and comments are made on the
listing as to when the customer has agreed to pay the balance.
06/10/2010
Page 411
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
13.
COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL
Chapter Content
Relevant ISAs
Guidance on communicating deficiencies identified in
internal control that, in the auditor’s professional
judgment, merit the attention of management and those
charged with governance.
265
Exhibit 13.0-1
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Documentation1
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph #
Relevant Extracts from ISAs
260.10
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Those charged with governance – The person(s) or organization(s) (e.g., a corporate trustee) with
responsibility for overseeing the strategic direction of the entity and obligations related to the
accountability of the entity. This includes overseeing the financial reporting process. For some
entities in some jurisdictions, those charged with governance may include management personnel, for
example, executive members of a governance board of a private or public sector entity, or an owner-
06/10/2010
Page 412
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
manager. For discussion of the diversity of governance structures, see paragraphs A1-A8.
(b) Management – The person(s) with executive responsibility for the conduct of the entity’s operations.
For some entities in some jurisdictions, management includes some or all of those charged with
governance, for example, executive members of a governance board, or an owner-manager.
265.6
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Deficiency in internal control – This exists when:
(i)
A control is designed, implemented or operated in such a way that it is unable to prevent, or
detect and correct, misstatements in the financial statements on a timely basis; or
(ii) A control necessary to prevent, or detect and correct, misstatements in the financial statements
on a timely basis is missing.
(b) Significant deficiency in internal control – A deficiency or combination of deficiencies in internal
control that, in the auditor’s professional judgment, is of sufficient importance to merit the attention
of those charged with governance. (Ref: Para. A5)
265.7
The auditor shall determine whether, on the basis of the audit work performed, the auditor has identified
one or more deficiencies in internal control. (Ref: Para. A1-A4)
265.8
If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on the
basis of the audit work performed, whether, individually or in combination, they constitute significant
deficiencies. (Ref: Para. A5-A11)
265.9
The auditor shall communicate in writing significant deficiencies in internal control identified during the
audit to those charged with governance on a timely basis. (Ref: Para. A12-A18, A27)
265.10
The auditor shall also communicate to management at an appropriate level of responsibility on a timely
basis: (Ref: Para. A19, A27)
(a) In writing, significant deficiencies in internal control that the auditor has communicated or intends to
communicate to those charged with governance, unless it would be inappropriate to communicate
directly to management in the circumstances; and (Ref: Para. A14, A20-A21)
(b) Other deficiencies in internal control identified during the audit that have not been communicated to
management by other parties and that, in the auditor’s professional judgment, are of sufficient
importance to merit management’s attention. (Ref: Para. A22-A26)
265.11
The auditor shall include in the written communication of significant deficiencies in internal control:
(a) A description of the deficiencies and an explanation of their potential effects; and (Ref: Para. A28)
(b) Sufficient information to enable those charged with governance and management to understand the
context of the communication. In particular, the auditor shall explain that: (Ref: Para. A29-A30)
(i)
The purpose of the audit was for the auditor to express an opinion on the financial statements;
(ii) The audit included consideration of internal control relevant to the preparation of the financial
statements in order to design audit procedures that are appropriate in the circumstances, but not
for the purpose of expressing an opinion on the effectiveness of internal control; and
(iii) The matters being reported are limited to those deficiencies that the auditor has identified during
06/10/2010
Page 413
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
the audit and that the auditor has concluded are of sufficient importance to merit being reported
to those charged with governance.
13.1
Overview
During the course of the audit, deficiencies in internal control may be identified. This may occur as a result
of understanding and evaluating internal control (see Volume 2, Chapters 11 and 12), in making risk
assessments, performing audit procedures or from other observations made at any stage of the audit process.
There is no restriction on what control deficiencies can be communicated with those charged with
governance and with management. However, where an identified deficiency is assessed by the auditor as
being significant, the auditor would first discuss it with management and is then required to communicate
it (and any other significant deficiencies) in writing to those charged with governance.
Some of the more common control deficiencies are listed below.
Exhibit 13.1-1
Potential Internal Control Deficiencies
Weak control environment (entity level) controls such as ineffective oversight,
poor attitude toward internal control or instances found of management
override or fraud.
Changes in personnel that have resulted in key positions being unfilled or
where current personnel (such as in accounting) are not competent to perform
the required tasks.
Deficiencies identified in IT general controls.
Pervasive (Entity
Level) Controls
Inadequate controls implemented to address significant non-routine events
such as the introduction of a new accounting system, the automation of a
system such as sales or the acquisition of a new business.
Inability by management to oversee the preparation of the financial statements.
This could include the lack of:
• General monitoring controls (such oversight of financial accounting
personnel);
• Controls over the prevention and detection of fraud;
• Controls over the selection and application of significant accounting
policies;
• Controls over significant transactions with related parties;
• Controls over significant transactions outside the entity’s normal course of
business; and
• Controls over the period-end financial reporting process (such as controls
over non-recurring journal entries).
06/10/2010
Page 414
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Potential Internal Control Deficiencies
Pervasive (Entity
Level) Controls
(continued)
Significant deficiencies previously communicated to management or those
charged with governance remain uncorrected after some reasonable period of
time.
An ineffective management response to identified significant risks (for
example, absence of controls over such a risk).
Specific
(Transactional)
Controls
13.2
Misstatements were detected by the auditor when they should have been
prevented, or detected and corrected, by the entity’s internal control.
The existing internal controls were not:
• Sufficient to mitigate the risk (poor design); and
• Operating as designed (poor implementation). This could result from poor
training, lack of staff competence or inadequate resources to perform the
required tasks.
Fraud
If evidence is obtained that fraud exists or may exist, the matter should be brought to the attention of the
appropriate level of management as soon as practicable. This should be done even if the matter might be
considered inconsequential.
The appropriate level of management is a matter of professional judgment but would be at least one level
above the persons who appear to be involved with the suspected fraud. It would also be affected by the
likelihood of collusion and the nature and magnitude of the suspected fraud. Where the fraud involves
senior management, communication is also required with those charged with governance. This may be
made orally or in writing.
Consider Point
Fraud perpetrated by the owner-manager or those charged with governance
When fraud occurs at the very top of an organization, there is no one within the entity to whom it can
be reported. In these situations, the auditor may obtain legal advice to determine the appropriate
course of action in the circumstances. The purpose of obtaining such advice is to ascertain what steps
(if any) are necessary in considering the public interest aspects of the identified fraud.
In most countries, the auditor's professional duty is to maintain the confidentiality of client
information. This may preclude reporting fraud to an external party. However, the auditor's legal
responsibilities vary by country and, in certain circumstances, the duty of confidentiality may be
overridden by statute, the law or courts of law. In some countries, the auditor of a financial institution
has a statutory duty to report the occurrence of fraud to supervisory authorities. Also, in some
countries the auditor has a duty to report misstatements to authorities in those cases where
management and those charged with governance fail to take corrective action.
06/10/2010
Page 415
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
13.3
Assessing the Severity of a Deficiency
A significant deficiency is defined as a deficiency or combination of deficiencies in internal control that,
in the auditor’s professional judgment, is of sufficient importance to merit the attention of those charged
with governance.
In evaluating internal control (see Volume 2, Chapter 12), it is suggested that risk factors that are unlikely
to result in a material misstatement in the financial statements be eliminated (scoped out) from the
auditor’s understanding of internal control. If this guidance is followed, most of the control deficiencies
identified by the auditor are likely to be significant.
The criteria for determining whether a deficiency is significant or not is similar to that for any other risk
(see Volume 2, Chapter 9). Professional judgment is used to assess the likelihood that a misstatement
could occur and the potential magnitude of the misstatement if it did occur. If a misstatement has, in fact,
occurred, the assessment would be based on the extent of the actual misstatement.
Less serious or even minor control deficiencies may also be identified during the course of the audit.
These could result from interviews with management and staff, observation of internal controls in
operation, performing further audit procedures and any other information that may be obtained. It is a
matter of professional judgment whether these matters are of sufficient importance to be reported to
management and those charged with governance.
Some matters that could be considered by the auditor in assessing the severity of a deficiency are outlined
below.
Exhibit 13.3-1
Identifying a Significant Deficiency
Likelihood of deficiencies leading to material misstatements in the financial
statements in the future.
The susceptibility of an asset or liability to loss or fraud.
The subjectivity and complexity of determining estimated amounts, such as
fair value accounting estimates.
Deficiency
Assessment Criteria
The financial statement amounts exposed to the deficiencies.
The volume of activity that has occurred or could occur in the account balance
or class of transactions exposed to the deficiency or deficiencies.
The importance of the controls to the financial reporting process.
The cause and frequency of the exceptions detected as a result of the
deficiencies in the controls.
The interaction of the deficiency with other deficiencies in internal control.
06/10/2010
Page 416
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
13.4
Smaller Entities
When assessing control deficiencies in smaller entities, the auditor would pay attention to the following
factors.
Exhibit 13.4-1
Consider
Control in a
Small Entity
Controls may operate with less formality and with less evidence of their
performance than in larger entities.
Certain types of control activities may not be necessary at all. The risks may be
mitigated through the controls applied by senior management (for example, entity
level controls, such as the control environment, that would prevent or detect a
specific error from occurring).
There will be fewer employees, which may limit the extent to which segregation of
duties is practicable. This can be offset by the owner-manager exercising more
effective oversight (for example, entity level controls such as the control
environment) than is possible in a larger entity.
Greater potential exists for management override of controls.
In addition, the communication of deficiencies with those charged with governance may be less structured
than in the case of larger entities.
13.5
Documenting Control Deficiencies
There are no specific requirements in the ISAs as to how control deficiencies are to be documented. The
extent of documentation is a matter requiring professional judgement. Where the audit team is less
experienced more detailed documentation and guidance may be required than where the team consists of
highly experienced individuals.
A possible approach to documenting deficiencies as they are identified is outlined below. This
documentation can be used for:
• Discussing deficiencies with management
• Assessing the severity of the deficiencies,
• Considering the need for any additional audit procedures to respond to the unmitigated risk, and
• Preparing the required communication to management and those charged with governance.
An example of such documentation is illustrated below (without the references to supporting and other
working papers).
06/10/2010
Page 417
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 13.5-1
What is the
potential effect on
the financial
statements?
Significant
deficiency?
What is the risk
factor or assertion
effected?
Describe the
deficiency
identified.
Management has
not considered or
assessed the risks
of fraud occurring.
Members of the
management team
trust each other and
are reluctant to
introduce costly
policies, etc. that
address the risk of
fraud.
Management could
override controls
and materially
manipulate the
financial
statements.
Yes
See the specific
procedures
performed on
journal entries,
related parties and
revenue recognition.
Sales/services
recorded in wrong
accounting period.
There are no
controls to prevent
this from occurring
and we found a
number of cut-off
errors in our tests of
details.
Revenues could be
materially
misstated in the
financial
statements.
Yes
See the additional
procedures
performed relating
to cut-off.
Poor oversight and
documentation to
support the
preparation of
estimates.
The client provides
virtually no back-up
documents to
support their
estimates.
Given the size of
the estimates, an
error could result in
a material error in
the financial
statements.
Yes
Obtain evidence to
support the
assumptions and
perform the
calculations again.
06/10/2010
(Yes/No)
Audit response
Page 418
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
Record deficiencies in a single place
Designate one particular audit form to record pertinent details of control deficiencies as they are
identified. This will ensure all identified deficiencies are recorded on a consistent basis and in one
place. If scattered through the file, deficiencies could be missed. This could result in an incomplete
audit response to the risks involved and an incomplete communication to management and those
charged with governance.
Describe the implications
When documenting deficiencies, take time to describe the implications of the deficiency (“what could
go wrong”) and the proposed audit response (if any) to the unmitigated risk.
What is the recommended course of action?
It is useful when recording deficiencies to also consider and document what improvements could be
recommended to the management. At this stage, all the relevant facts are known and a meaningful
recommendation can be made. If this action is left until later, it may lead to additional time being
incurred to become reacquainted with the facts again.
13.6
Oral Discussions with Management
Before issuing a written communication, it is generally considered best practice to discuss the findings
orally (such as a discussion based on a draft letter) with the appropriate person or level of management
and possibly with those charged with governance. The appropriate person is the one who can evaluate the
deficiencies and take the necessary remedial action. This step helps the auditor to ensure that the findings
are factually correct and appropriately worded in the circumstances. It may also enable the auditor to
obtain a preliminary indication of management’s response to the findings.
For significant deficiencies, the appropriate level of management would be the highest in the entity, such
as the owner-manager, chief executive officer or chief financial officer (or equivalent). For other
deficiencies, the appropriate level may be operational management with direct involvement in the control
areas affected. Note that if all of those charged with governance are also involved in managing the entity,
communication with the most senior management may not adequately inform all those with governance
responsibilities.
If the deficiency is directed at management directly (for example, a question about its integrity or
competence), it would not be appropriate to discuss this with management directly. The discussion of
such findings would normally be with those charged with governance.
Consider Point
If a significant deficiency is directed at the conduct or competence of the owner-manager or those
charged with governance, there is no higher level in the entity to report the findings. In these
situations, the auditor would consider his/her ability to continue performing the audit. This may
involve the auditor in seeking legal advice.
The discussion with management provides an opportunity to discuss the findings and obtain
management’s reaction before the findings are finalized and communicated in writing:
06/10/2010
Page 419
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 13.6-1
Benefits
Alerts management, on a timely basis, to the existence of deficiencies.
Discussions with
Management
Opportunity to obtain relevant information for further consideration, such as:
• Confirmation that the description of the deficiency and related facts (such
as the extent of an actual misstatement) is accurate;
• Existence of other possibly compensating controls;
• Management’s reaction and understanding of the actual or suspected
causes of the deficiencies; and
• Existence of exceptions arising from the deficiencies that management has
noted.
Obtain a preliminary management response to the findings.
13.7
Written Communications
Significant deficiencies are to be reported in writing. This reflects the importance attached to such matters
and may assist management and those charged with governance in fulfilling their various responsibilities.
The requirement to communicate significant deficiencies in writing applies to all sizes of entity, including
owner-managed and very small entities. Communicating such matters in writing ensures that those
charged with governance have indeed been informed of the problems.
As soon as practicable after concluding that significant deficiencies exist, the auditor would discuss them
with management and then communicate them in writing to those charged with governance. Often the
communication letter will also contain some suggested recommendations for remedial action. By taking
these steps, management can take corrective action on a timely basis.
13.8
Management’s Response to the Communication
It is the responsibility of management and those charged with governance to respond appropriately to the
auditor’s communication about significant deficiencies in internal control and any recommendations for
remedial action. This may take the form of:
•
Initiating remedial action to correct the deficiencies identified by the auditor;
•
A decision not to take any action. Management may already be aware of the significant deficiencies
and has chosen not to remedy them because of the costs or other considerations; or
•
No action at all. This may be indicative of a poor attitude toward internal control, which has
implications for assessing risk at the financial statement level. In some situations, such non-action
may constitute a significant deficiency in itself.
Regardless of what action is taken by management, the auditor is required to communicate all significant
deficiencies in writing. This includes significant deficiencies already reported in prior periods. It is not the
auditor’s role to determine whether the cost of mitigating a deficiency outweighs the benefit to be
obtained. However, some consideration of proportionality to the size of the entity and the application of
common sense in the circumstances is appropriate.
If a previously communicated significant deficiency remains, the current period’s communication may
repeat the description or simply refer to the previous communication.
06/10/2010
Page 420
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
If the deficiency is not significant, there is no need to put it in writing or to repeat the communication in
the current period. However, it may be appropriate for the auditor to re-communicate the other
deficiencies if there has been a change of management or if new information has come to the auditor’s
attention.
Content of Communication
The communication of significant deficiencies would normally include:
•
Description of the nature of each significant deficiency and the potential effects. There is no need to
quantify those effects;
•
Suggestions for remedial action on the deficiencies;
•
Management’s actual or proposed responses; and
•
A statement as to whether or not the auditor has undertaken any steps to verify whether
management’s responses have been implemented.
Significant deficiencies may be grouped together for reporting purposes where it is appropriate to do so.
As additional context for the communication, the letter would also include the following:
•
An indication that if the auditor had performed more extensive procedures on internal control, the
auditor might have identified more deficiencies to be reported or concluded that some of the reported
deficiencies need not, in fact, have been reported; and
•
An indication that such communication has been provided for the purposes of those charged with
governance and that it may not be suitable for other purposes.
Local Reporting Requirements
Laws or regulations in some jurisdictions may establish additional requirements for the auditor to
communicate one or more specific types of deficiency in internal control identified during the audit. Where
this occurs:
•
The requirements of ISA 265 remain applicable, notwithstanding that law or regulation may require
the auditor to use specific terms or definitions; and
•
The auditor would use the defined terms and definitions for the purpose of communicating in
accordance with the applicable legal or regulatory requirements.
13.9
Timing of the Written Communication
The auditor is required to communicate in writing significant deficiencies in internal control identified
during the audit to those charged with governance on a timely basis. Factors to consider include:
•
•
Would undue delay in the reporting of information cause it to lose its relevance?
Would the information be an important factor in enabling those charged with governance to discharge
their oversight responsibilities?
Unless local requirements specify a particular date, the latest date that a written communication may be
issued is before the date of the auditor’s report or shortly thereafter. This enables the auditor to complete
the assembly of the final audit file on a timely basis.
06/10/2010
Page 421
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Point
Where possible, communicate deficiencies in internal control well before the period-end audit work
commences. Early notification could enable management to take corrective action that may assist the
auditor by lowering the assessed risk of material misstatement at the financial statement or assertion
level. For example, a recommendation to replace or redeploy an incompetent accountant/bookkeeper
could significantly reduce the work required in reviewing the preparation of the period-end financial
statements.
13.10 Case Studies ─ Communicating Deficiencies in Internal Control
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
Deficiencies in internal control are identified throughout all phases of the audit (risk assessment, risk
response and reporting) and the auditor must accumulate them for subsequent reporting to management.
Significant internal control deficiencies (both in design and operation) would be reported to management
using a letter such as the ones below.
Case Study A ─ Dephta Furniture Inc.
March 5, 20X3
Suraj Deptha
Deptha Furniture Inc.
[Address]
Re: Audit of 20X2 Financial Statements
Dear Suraj:
The objective of our audit was to obtain reasonable assurance that the financial statements were
free of material misstatement. Our audit was not designed for the purpose of identifying matters
to communicate. Accordingly, our audit would not usually identify all such matters that may be of
interest to you and it is inappropriate to conclude that no such matters exist.
During the course of our audit of Dephta Furniture Inc. for the period ended December 31, 20X2,
we identified the following deficiencies in internal control that, in our opinion, are significant. A
significant deficiency or combination of deficiencies in internal control is one that, in our
professional judgment, is of sufficient importance to merit the attention of those charged with
governance.
Unauthorized Journal Entries
There are currently no controls over manual journal entries made throughout the period. Without
any segregation of duties and review controls over entries made, errors or misstatements can go
undetected. Although our audit found no such material errors or misstatements, this current
unrestricted and unmonitored access by all company personnel presents a risk to accuracy of
the financial statements.
We recommend that proper segregation of duties be allocated based on roles and
responsibilities. Further, a formalized review process should be established. All significant
06/10/2010
Page 422
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
entries should be approved prior to entry and a secondary review should be conducted by
management on a monthly basis.
Poor Inventory Controls
There are currently very limited controls over inventory. Without proper controls, inventory could
be incomplete, improperly valued or stolen.
We recommend Deptha implement formalized controls over the tagging and periodic counting of
inventory. Inventory records should be compared to actual products in the warehouse on a
monthly basis. A visual inspection on a monthly basis of obsolete and damaged goods should
also be performed to ensure any inventory write-downs are recorded as required.
This communication is prepared solely for the information of management and is not intended for
any other purpose. We accept no responsibility to a third party who uses this communication.
Yours truly,
Jamel, Woodwind & Wing, LLP
Case Study B ─ Kumar & Co.
March 12, 20X3
Rajesh Kumar
Kumar & Co.
[Address]
Re: Audit of 20X2 Financial Statements
Dear Rajesh:
The objective of our audit was to obtain reasonable assurance that the financial statements were
free of material misstatement. Our audit was not designed for the purpose of identifying matters
to communicate. Accordingly, our audit would not usually identify all such matters that may be of
interest to you and it is inappropriate to conclude that no such matters exist.
During the course of our audit of Kumar & Co. for the period ended December 31, 20X2, we
identified the following deficiency in internal control that, in our opinion, is significant. A
significant deficiency or combination of deficiencies in internal control is one that, in our
professional judgment, is of sufficient importance to merit the attention of those charged with
governance.
Lack of Segregation of Duties
There is currently a lack of segregation of duties at Kumar & Co. The part-time bookkeeper has
total access and control over all the record-keeping at Kumar. Without separating duties across
06/10/2010
Page 423
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
multiple employees, there is a risk that the bookkeeper may make unintentional or intentional
errors that go undetected.
We recommend that Kumar & Co. consider hiring another part-time staff person to split functions
with the bookkeeper. Given the small size of the organization and cost restraints, if that is not
practicable, we recommend that Raj Kumar become more involved in the record-keeping aspect
of the business to provide adequate oversight of the bookkeeper’s work.
This communication is prepared solely for the information of management and is not intended for
any other purpose. We accept no responsibility to a third party who uses this communication.
Yours truly,
Jamel, Woodwind & Wing, LLP
06/10/2010
Page 424
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
14.
CONCLUDING THE RISK ASSESSMENT PHASE
Chapter Content
Relevant ISAs
Concluding the risk assessment phase of the audit by
documenting the assessed risks at the financial
statement and assertion levels.
315
Exhibit 14.0-1
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Documentation1
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph #
Relevant Extracts from ISAs
315.25
The auditor shall identify and assess the risks of material misstatement at:
(a) the financial statement level; and (Ref: Para. A105-A108)
(b) the assertion level for classes of transactions, account balances, and disclosures (Ref: Para. A109A113)
to provide a basis for designing and performing further audit procedures.
315.26
For this purpose, the auditor shall:
(a) Identify risks throughout the process of obtaining an understanding of the entity and its environment,
including relevant controls that relate to the risks, and by considering the classes of transactions,
account balances, and disclosures in the financial statements; (Ref: Para. A114-A115)
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial
statements as a whole and potentially affect many assertions;
06/10/2010
Page 425
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant
controls that the auditor intends to test; and (Ref: Para. A116-A118)
(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and
whether the potential misstatement is of a magnitude that could result in a material misstatement.
315.32
The auditor shall include in the audit documentation:
(a) The discussion among the engagement team where required by paragraph 10, and the significant
decisions reached;
(b) Key elements of the understanding obtained regarding each of the aspects of the entity and its
environment specified in paragraph 11 and of each of the internal control components specified in
paragraphs 14-24; the sources of information from which the understanding was obtained; and the
risk assessment procedures performed;
(c) The identified and assessed risks of material misstatement at the financial statement level and at the
assertion level as required by paragraph 25; and
(d) The risks identified, and related controls about which the auditor has obtained an understanding, as a
result of the requirements in paragraphs 27-30. (Ref: Para. A131-A134)
14.1
Overview
The final step in the risk assessment phase of the audit is to review the results of the risk assessment
procedures performed and then to assess (or, if already assessed, to summarize) the risks of material
misstatements at:
•
The financial statement level; and
•
The assertion level for classes of transactions, account balances and disclosures.
The resulting list of assessed risks will form the foundation for the next phase in the audit, which is to
determine how to respond appropriately to the assessed risks through the design of further audit
procedures.
The two levels of risk assessment are illustrated below:
06/10/2010
Page 426
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 14.1-1
14.2
Audit Evidence Obtained to Date
The evidence obtained to date, by performing risk assessment procedures, consists of identification and
assessment of inherent risks and the design and implementation of internal controls that address those
risks. What is left is the risk of material misstatement. This is simply the remaining risk after taking into
account the effect of internal controls put in place to mitigate the inherent risks. This is illustrated in the
exhibit below.
Exhibit 14.2-1
Low Risk
Inherent
Risk
Moderate Risk
High Risk
Business and fraud risk factors that could result in a material misstatement
Control
Risk
Pervasive
(entity level) controls
Specific
(Response to
inherent risks)
(transactional) controls
Sales, purchases, payroll etc
Combined
Risk
Low
Governance
Culture/values
Competence
Attitudes to control
Risk exposure to fraud and error
High
Note: The length of the horizontal bars in this exhibit is purely for illustrative purposes and would
vary from entity to entity.
06/10/2010
Page 427
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Sources of audit evidence that may be relevant in summarizing and assessing risks at the two levels are
listed below.
Exhibit 14.2-2
Audit Evidence
Relevant Chapters
The overall audit strategy
V2 - 5
Materiality and identification of material financial statement areas and
disclosures
V2 - 6
Audit team discussions
V2 - 7
Results of performing risk assessment procedures
Inherent risk identification and assessment
Significant risks
Understanding and evaluation of internal control
Significant deficiencies identified
14.3
V1 - 4 and
V2 - 3 to V2 - 14
V2 - 8 and 9
V2 - 10
V2 - 11 and 12
V2 - 13
Summarizing the Various Risk Assessments
The purpose of assessing risks is to provide the foundation and a reference point for what is needed to
respond appropriately with well-designed and efficient further audit procedures.
If risks identified to date have already been documented and assessed in a consistent manner, it will be
relatively straightforward to review and summarize them.
The summary of assessed risks brings together the inherent risk factors identified and the evaluation of
any internal control designed to mitigate such risks. This is illustrated below in Exhibit 14.3-1.
Note:
There is a moderate level of risk at the financial statement level which is mitigated by good entity
level and possibly other controls. The result is a low assessed risk at the financial statement level.
The summary of assessed risks at the assertion level is a combination of the assessment of inherent and
control risks that apply to individual financial statement balances, transactions and disclosures. In the case
below, the inherent risks are moderate and there are no relevant internal controls so the control risk is
high. The result is therefore a moderate residual risk for this particular assertion.
06/10/2010
Page 428
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 14.3-1
Inherent Risk
Assessments
Control Risk
Assessments
Risk of Material
Mistatement
Risks at F/S level
Assessment of
pervasive risks
M
Risks at assertion level
Assessment of
specific risks
by F/S area
M
disclosure and
assertion
F/S = Financial statements
Assessment
of mitigating
controls
L
=
L
Assessment
of mitigating
controls
H
=
M
H = High risk M = Moderate risk L = Low risk
Notes:
•
Before concluding there are no particular risks for a financial statement area or disclosure, consider
the existence of other relevant factors, such as history of known errors, susceptibility of the
asset/liability to fraud, potential for management override and the previous period’s experience.
•
If the auditor plans to rely on a control risk that has been assessed as low (for example, reduce the
extent of substantive procedures), there needs to be tests of the operational effectiveness of the
controls to support such an assessment.
•
In some cases, the entity may have some internal controls but the auditor has deemed them not to be
relevant to the audit and therefore no assessment has been made. In these cases, the control risk would
be assessed as high.
•
Specific (transactional) controls generally work (resulting in a low assessed risk) or do not work
(resulting in a high assessed risk). This would imply that there is no assessment of control risk as
being moderate. However, some auditors assess control risk as moderate when a control may not be
totally reliable in operation but is expected to work most of the time. This can often be the case in
smaller entities.
•
The determination of residual risk resulting from the combination of inherent and control risk is a
matter of professional judgment. The exhibit below shows various combinations of risk but is not a
substitute for professional judgment based on the particular circumstances.
06/10/2010
Page 429
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 14.3-2
Inherent Risk
Control Risk
Risk of material
misstatement
H
H
H
H
M
M
H
L
M or L
M
H
M
M
M
M
M
L
L
L
H
M/L
L
M
L
L
L
L
H = High
M = Moderate
L = Low
Consider Point
Document the reasoning behind risk assessments
When summarizing assessed risks, be sure to provide a short description of the reasons for each
assessment or a cross-reference to where they can be found. This is often more important than the
assessment itself because it helps to design tailored and cost-effective responses.
Assessing inherent risks
Remember that the assessment of inherent risk is always completed before any consideration of
controls that may mitigate the risk. Assuming most financial statement areas to be audited will exceed
overall materiality, it is likely (in most instances) that the inherent risk of misstatement (before
internal control) for most assertions will be high.
Low risk for all assertions
When a financial statement area has been assessed as low risk for all assertions, there is no need to
repeat the same reasoning for each individual assertion. However, the reason why all the assessments
are low would be documented.
06/10/2010
Page 430
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
14.4
Revision of Risk Assessments
The assessment of risk does not end at a point in time. New information may be gained as the audit
progresses and the performance of audit procedures may identify additional risks or that internal control is
not operating as intended. When this occurs, the original risk assessment should be revised and the impact
on the nature and extent of further audit procedures considered.
14.5
Documentation
The summary of assessed risks can be documented in a number of ways. Three possible approaches are
outlined below:
1. A standalone document.
A separate document that summarizes the inherent and control assessments, and the key reasons
for the combined risk assessments. This document could also be used for outlining (in general
terms) the risk response.
2. Include with the overall audit strategy and audit plan.
The first part of each section of the audit plan (such as for receivables, payables etc) could outline
the risk assessments and the impact on the planned audit procedures.
3. Incorporate risk assessments as part of the auditor's documentation of further procedures.
In this case the risk assessments, audit plans and the results of work performed could all be
documented in one comprehensive working paper for each financial statement area.
The form and extent of the documentation supporting risk assessments would be influenced by:
•
•
•
the nature, size and complexity of the entity and its internal control;
availability of information from the entity; and
the audit methodology and technology used in the course of the audit.
Other factors to consider when designing documentation include:
•
•
•
•
Ease of understandability;
Cross-references to the design and implementation of an appropriate audit response;
Ability to facilitate updating in subsequent periods; and
Ease of review. A reviewer should be able to determine whether key risks have been identified
and that the resulting audit response was appropriate.
A well-documented summary of assessed risks will also be useful in the team planning meetings in
subsequent periods where the nature of the risks and the audit response can be discussed.
An approach using a standalone document but closely linked to the audit plan is illustrated below. Note
that this illustration uses the four ‘combined’ assertions (used for the purposes of this Guide), as defined
in Volume 1, Chapter 6.
Exhibit 14.5-1
Assessed Levels of Risk
Comb.
As
IR
CR
RMM
Document the key risks and other contributing
factors to risk assessment
The industry is in a general decline as new technologies
emerge. However sales are still strong and the entity is
investing in R&D.
06/10/2010
Page 431
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Comb.
Financial statement level
As
IR
CR
RMM
P
M
L
L
Document the key risks and other contributing
factors to risk assessment
Management’s attitude to internal control is good. Competent
people fill the key positions.
Management override possible but new policies in place
should deter the most common practices.
The governance board is made up of family members.
Assertion Level
FSA or financial statement
disclosure
1
2
3
Sales
Receivables
Inventory
C
H
L
M
Owner wants to save taxes. Revenue recognition has been
inconsistent.
E
M
L
L
Relevant internal controls were identified.
Tests of internal control for this assertion is a possibility.
A
M
L
L
Relevant internal controls were identified and there has been
no history of errors.
V
NA
L
NA
C
L
L
L
Relevant controls were identified and there has been no history
of errors.
E
H
M
M
Salesperson’s bonuses are based on recorded sales.
A
L
L
L
Relevant internal controls were identified and there has been
no history of errors.
V
H
M
M
Recovery of receivables could be an issue in declining
industry.
C
L
L
L
Relevant controls were identified and there has been no
history of errors.
E
H
H
H
Inventory theft and poor physical internal control in
warehouse.
A
L
L
L
Relevant controls were identified and there has been no
history of errors.
V
H
H
H
New technology will make some parts and even whole products
obsolete.
H = High M = Moderate L = Low As = Assertion NA = Not applicable IR = Inherent risk CR = Internal control risk
06/10/2010
Page 432
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Comb.
As
IR
CR
RMM
Document the key risks and other contributing
factors to risk assessment
Comb. RMM = Combined risks of material misstatement FSA = Financial statement area
P = Pervasive risks C = Completeness E = Existence A = Accuracy V=Valuation
Documentation of assessed risks could also make reference to:
•
Details of significant risks that require special attention; and
•
Risks for which substantive procedures alone will not provide sufficient appropriate audit evidence.
14.6
Case Studies ─ Concluding the Risk Assessment Phase
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
The final step in the risk assessment process is to assess the combined risks of material misstatement at
the financial statement and assertion levels.
The risk assessments can be summarized using an approach such as outlined below. Supporting
information (where the assessments of inherent and control risk were documented) has not been shown. In
practice cross references would be made to the supporting data.
Case Study A ─ Dephta Furniture Inc.
Assessed Levels of Risk
Comb.
RMM
Document the key risks and other contributing
factors to risk assessment
Management’s attitude to internal control is good and
competent people fill the key positions.
Financial statement level
P
M
L
L
Management override is possible but we have not found
any instances where this occurred and managements
attitude toward control is good.
The monthly meeting to review performance provides
some accountability to management.
Assertion Level
ASS IR
CR
FSA or financial
statement disclosure
1
Sales
06/10/2010
C
H
L
M
Revenue recognition policies are inconsistent.
E
L
L
M
Revenue recognition policies are inconsistent. Pressure
to inflate sales due to sales bonuses and market
pressures.
A
L
L
L
Sales system operates well.
V
NA L
NA
Page 433
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
2
Receivables
Comb.
RMM
Document the key risks and other contributing
factors to risk assessment
C
L
L
L
No significant risks identified.
E
H
M
M
Salespersons’ bonuses are based on recorded sales.
A
L
L
L
V
H
M
M
Large retailer receivables collection could be an issue if
there is concern over product quality or returns made.
Additionally, despite the declining economy, no credit
checks are performed before credit is granted.
H = High M = Moderate L = Low As = Assertion NA = Not applicable IR = Inherent risk CR = Internal control risk
Comb. RMM = Combined risks of material misstatement FSA = Financial statement area
P = Pervasive risks C = completeness E = Existence A = Accuracy V=Valuation
At this point, it would be good practice to prepare a communication for management that outlines the
significant weaknesses in internal control identified.
06/10/2010
Page 434
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Case Study B ─ Kumar & Co.
Concluding the Risk Assessment Phase
Assessed Levels of Risk
Comb.
RMM
Document the key risks and other contributing
factors to risk assessment
Management’s attitude to internal control is good and
competent people fill the key positions.
Financial statement level
M
Management override is possible due to pressures to
meet bank covenants and minimize taxes. The
bookkeeper’s work was not reviewed by Raj on a
consistent basis throughout the period. The bookkeeper
appears disgruntled and may have opportunity to
misstate the figures. Therefore, both unintentional error
and intentional fraud could go undetected.
The monthly meeting to review performance provides
some accountability to management.
Assertion Level
ASS IR
CR
FSA or financial
statement disclosure
1
2
Sales
Receivables
C
H
L
M
Relevant internal controls were identified for this
assertion.
E
H
L
M
Relevant internal controls were identified for this
assertion but related-party transactions are of concern.
A
H
L
M
Relevant internal controls were identified for this
assertion but related-party transactions are of concern.
V
M
M
M
Potential for sales returns due to state of industry
C
H
L
M
Majority of receivable balance is with Dephta.
No other specific risks identified
E
H
M
M
Majority of receivable balance is with Dephta.
No other specific risks identified
A
M
M
M
Majority of receivable balance is with Dephta.
No other specific risks identified
V
H
M
M
The smaller customers may have difficulty paying their
bills in these tougher economic time
H = High M = Moderate L = Low As = Assertion NA = Not applicable IR = Inherent risk CR = Internal control risk
Comb. RMM = Combined risks of material misstatement FSA = Financial statement area
P = Pervasive risks C = Completeness E = Existence A = Accuracy V=Valuation
06/10/2010
Page 435
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
At this point, it would be good practice to prepare a communication for management that outlines the
significant weaknesses in internal control that were identified.
06/10/2010
Page 436
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
15.
Risk Response – An Overview
Exhibit 15.0-1
Activity
Purpose
Listing of risk factors
Independence
Engagement letter
Risk Response
Risk Assessment
Perform preliminary
engagement
activities
Plan the audit
Perform
risk assessment
procedures
Develop an overall
audit strategy and
audit plan 2
Identify/assess RMM 3
through understanding
the entity
Materiality
Audit team discussions
Overall audit strategy
Business & fraud risks
including significant risks
Design/implementation of
relevant internal controls
Assessed RMM3 at:
- F/S level
- Assertion level
Develop appropriate
responses to the
assessed RMM3
Implement responses
to assessed RMM3
Evaluate the audit
evidence obtained
Reporting
Documentation1
yes
Reduce audit risk
to an acceptably
low level
Work performed
Audit findings
Staff supervision
Working paper review
Determine what
additional audit work
(if any) is required
Is
additional
work
required?
no
Prepare the
auditor’s report
Form an opinion
based on audit
findings
Significant decisions
Signed audit opinion
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
06/10/2010
Page 437
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
330.5
The auditor shall design and implement overall responses to address the assessed risks of material
misstatement at the financial statement level. (Ref: Para. A1-A3)
330.6
The auditor shall design and perform further audit procedures whose nature, timing, and extent are based
on and are responsive to the assessed risks of material misstatement at the assertion level. (Ref: Para. A4A8)
The risk response phase includes the steps outlined below:
Exhibit 15.0-2
The basic concepts addressed in the risk response phase are listed out below.
Chapter
Responding to Assessed Risks
V1 - 9
Further Audit Procedures
V1 - 10
Accounting Estimates
V1 -11
Related Parties
V1 -12
Subsequent Events
V1 -13
Going Concern
V1 -14
Summary of Other ISA Requirements
V1- 15
Audit Documentation
V1-16
06/10/2010
Page 438
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
16.
THE RESPONSIVE AUDIT PLAN
Chapter Content
Relevant ISAs
How to plan an effective audit response to assessed
risks.
260, 300, 330,
500
Risk Response
Exhibit 16.0.-1
Develop appropriate
responses to the
assessed RMM3
Implement responses
to assessed RMM3
Reduce audit risk
to an acceptably
low level
Work performed
Audit findings
Staff supervision
Working paper review
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph #
Relevant Extracts from ISAs
300.9
The auditor shall develop an audit plan that shall include a description of:
(a) The nature, timing and extent of planned risk assessment procedures, as determined under ISA 315.
(b) The nature, timing and extent of planned further audit procedures at the assertion level, as determined
under ISA 330
(c) Other planned audit procedures that are required to be carried out so that the engagement complies with ISAs.
(Ref: Para. A12)
300.10
The auditor shall update and change the overall audit strategy and the audit plan as necessary during the
course of the audit. (Ref: Para. A13)
300.11
The auditor shall plan the nature, timing and extent of direction and supervision of engagement team
members and the review of their work. (Ref: Para. A14-A15)
300.12
The auditor shall include in the audit documentation:
(a) The overall audit strategy;
06/10/2010
Page 439
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
(b) The audit plan; and
(c) Any significant changes made during the audit engagement to the overall audit strategy or the audit
plan, and the reasons for such changes. (Ref: Para. A16-A19)
330.5
The auditor shall design and implement overall responses to address the assessed risks of material
misstatement at the financial statement level. (Ref: Para. A1-A3)
330.6
The auditor shall design and perform further audit procedures whose nature, timing, and extent are based
on and are responsive to the assessed risks of material misstatement at the assertion level. (Ref: Para. A4A8)
330.7
In designing the further audit procedures to be performed, the auditor shall:
(a) Consider the reasons for the assessment given to the risk of material misstatement at the assertion
level for each class of transactions, account balance, and disclosure, including:
(i)
The likelihood of material misstatement due to the particular characteristics of the relevant class
of transactions, account balance, or disclosure (that is, the inherent risk); and
(ii) Whether the risk assessment takes account of relevant controls (that is, the control risk), thereby
requiring the auditor to obtain audit evidence to determine whether the controls are operating
effectively (that is, the auditor intends to rely on the operating effectiveness of controls in
determining the nature, timing and extent of substantive procedures); and (Ref: Para. A9-A18)
(b) Obtain more persuasive audit evidence the higher the auditor’s assessment of risk. (Ref: Para. A19)
330.8
The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to
the operating effectiveness of relevant controls if:
(a) The auditor’s assessment of risks of material misstatement at the assertion level includes an
expectation that the controls are operating effectively (that is, the auditor intends to rely on the
operating effectiveness of controls in determining the nature, timing and extent of substantive
procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion
level. (Ref: Para. A20-A24)
330.9
In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence the
greater the reliance the auditor places on the effectiveness of a control. (Ref: Para. A25)
330.10
In designing and performing tests of controls, the auditor shall:
(a) Perform other audit procedures in combination with inquiry to obtain audit evidence about the
operating effectiveness of the controls, including:
(i)
How the controls were applied at relevant times during the period under audit.
(ii) The consistency with which they were applied.
(iii) By whom or by what means they were applied. (Ref: Para. A26-A29)
(b) Determine whether the controls to be tested depend upon other controls (indirect controls) and, if so,
whether it is necessary to obtain audit evidence supporting the effective operation of those indirect
06/10/2010
Page 440
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
controls. (Ref: Para. A30-A31)
330.15
If the auditor plans to rely on controls over a risk the auditor has determined to be a significant risk, the
auditor shall test those controls in the current period.
330.18
Irrespective of the assessed risks of material misstatement, the auditor shall design and perform
substantive procedures for each material class of transactions, account balance, and disclosure. (Ref: Para.
A42-A47)
330.19
The auditor shall consider whether external confirmation procedures are to be performed as substantive
audit procedures. (Ref: Para. A48-A51)
330.20
The auditor’s substantive procedures shall include the following audit procedures related to the financial
statement closing process:
(a) Agreeing or reconciling the financial statements with the underlying accounting records; and
(b) Examining material journal entries and other adjustments made during the course of preparing the
financial statements. (Ref: Para. A52)
330.21
If the auditor has determined that an assessed risk of material misstatement at the assertion level is a
significant risk, the auditor shall perform substantive procedures that are specifically responsive to that
risk. When the approach to a significant risk consists only of substantive procedures, those procedures
shall include tests of details. (Ref: Para. A53)
330.22
If substantive procedures are performed at an interim date, the auditor shall cover the remaining period by
performing:
(a) substantive procedures, combined with tests of controls for the intervening period; or
(b) if the auditor determines that it is sufficient, further substantive procedures only that provide a
reasonable basis for extending the audit conclusions from the interim date to the period end. (Ref:
Para. A54-A57)
260.15
The auditor shall communicate with those charged with governance an overview of the planned scope and
timing of the audit. (Ref: Para. A11-A15)
330.24
The auditor shall perform audit procedures to evaluate whether the overall presentation of the financial
statements, including the related disclosures, is in accordance with the applicable financial reporting
framework. (Ref: Para. A59)
500.6
The auditor shall design and perform audit procedures that are appropriate in the circumstances for the
purpose of obtaining sufficient appropriate audit evidence. (Ref: Para. A1-A25)
500.7
When designing and performing audit procedures, the auditor shall consider the relevance and reliability
of the information to be used as audit evidence. (Ref: Para. A26-A33)
500.10
When designing tests of controls and tests of details, the auditor shall determine means of selecting items
06/10/2010
Page 441
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
for testing that are effective in meeting the purpose of the audit procedure. (Ref: Para. A52-A56)
16.1
Overview
In the risk response phase of the audit, the objective is to obtain sufficient appropriate audit evidence
regarding the assessed risks. This is achieved by designing and implementing appropriate responses to the
assessed risks of material misstatement at the financial statement and assertion levels.
The auditor would approach this task in various ways, such as:
•
Addressing each assessed risk in turn, according to its nature (i.e., a downturn in the economy) and
designing the appropriate audit response in the form of further audit procedures;
•
Addressing the assessed risks by material financial statement area or disclosure affected. The auditor
would then design an appropriate response in the form of further audit procedures; or
•
Starting with a standard list of audit procedures for each material financial statement area and
assertion and tailoring it (adding, modifying and eliminating procedures) to design an appropriate
response to the assessed risks.
Responding to assessed risks implies more than using a standard (“one size fits all”) audit program which
may address each assertion, but has not been tailored to address the assessed risk for the financial
statement area by assertion for a particular entity. Audit programs should generally be tailored (to the
extent necessary) to the entity’s level of risk and its particular circumstances.
16.2
The Starting Point
The starting point for designing an effective audit response is the listing of assessed risks that was
developed at the conclusion of the risk assessment phase of the audit (see Volume 2, Chapter 14).
Risks will have been identified and assessed at:
•
The financial statement level; and
•
The assertion level for financial statement areas and disclosures.
Smaller financial statement areas could be grouped together and treated as one larger area for developing
an appropriate audit response.
Volume 1, Chapter 9 outlines possible responses to risks assessed at the two levels. The types of response
required are summarized in the following exhibit.
06/10/2010
Page 442
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 16.2-1
Assessed Risks...
At
Assertion Level
At Financial
Statement Level
Auditor’s Response
Overall
Responses
Further Audit
Procedures
Examples include:
- Professional skepticism
- Level of staff assigned
- Ongoing staff supervision
- Evaluate accounting policies
- Nature/extent/timing
and unpredictability
of planned procedures
- Other further procedures
Substantive
procedures
Tests of
detail
Tests of
Control
Substantive
Analytical
Result
Sufficient appropriate audit evidence to
reduce audit risk to an acceptably low level
16.3 Overall Responses
Pervasive risks at the financial statement level (risks such as a deficient control environment and/or the
potential for fraud that could affect many assertions) are addressed through the design and
implementation of an overall response by the auditor. Refer to Volume 2, Chapter 8 for additional
information on pervasive risks.
Areas that the auditor would address in developing an overall response include determining:
• The extent that the audit team needs to be reminded about the use of professional skepticism;
• Which staff to assign, including those with special skills or using experts;
• The extent of supervision required throughout the audit;
• The need for incorporating some elements of unpredictability in the selection of further audit
procedures to be performed; and
• Any general changes that need to be made to the nature, timing or extent of audit procedures. These
could include the timing of procedures (interim or period end) or new/extended procedures to address
specific risk factors such as fraud.
Exhibit 16.3-1
Risk Assessment
Possible Overall Response
An Effective
Control
Environment
This allows the auditor to have more confidence in internal control and the
reliability of audit evidence generated internally within the entity.
06/10/2010
An overall response could include some audit procedures being performed at
an interim date rather than at the period end.
Page 443
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Risk Assessment
Possible Overall Response
An Ineffective
Control
Environment
(Deficiencies exist)
This will likely require the auditor to perform some additional work such as :
• Assigning more experienced audit staff;
• Conducting more audit procedures at the period end rather than at an
interim date.
• Obtaining more extensive audit evidence from substantive procedures.
• Making changes to the nature, timing or extent of audit procedures to be
performed.
Consider Point
Where possible, develop an initial assessment of risk at the financial statement level at the planning stage.
This will enable an initial overall response to be developed that addresses matters as to what staff to
assign (including those with specialist skills), the level of supervision needed and what audit procedures
are to be performed. This initial assessment of risk would require updating as the audit progresses and
corresponding changes would be made in the overall response.
However, this may not be possible in smaller entities that do not have interim or monthly financial
information available for performing analytical procedures and identifying/assessing the risks of material
misstatement. Unless limited analytical procedures can be performed or information can be obtained
through inquiry to plan the audit, the auditor may need to wait until an early draft of the entity's financial
statements is available.
16.4
Use of Assertions in Test Design
An assessment of the risks of material misstatement is required at the financial statement and assertion
level. The objective in designing an appropriate audit response is to obtain evidence that addresses the
risk assessments developed for each relevant assertion. Refer to Volume 1, Chapter 6 for more
information about assertions.
When developing a response to specific transaction streams, the auditor would note that the assertions
also provide the common link between internal control testing and substantive procedures. This is
important for identifying when a combination of tests of controls and substantive procedures may be
appropriate to reduce the risks of material misstatement to an acceptably low level.
For example, audit procedures for “existence” of inventory will focus on testing the validity of items
already recorded as part of the inventory balance and the testing of controls that would mitigate the risk of
there being non-existent items in the inventory balance. A test of “completeness” of inventory would
focus on testing items not included in the inventory balance but would provide possible evidence of
missing items. This could include purchase orders for goods and testing controls that would mitigate the
risk of missing inventory.
16.5 Use of Materiality in Test Design
A key factor in considering the extent of an audit procedure deemed necessary is the performance
materiality that has been established. Performance materiality is based on the materiality established for
the financial statements as a whole but may be modified to address particular risks relating to an account
balance, transaction stream or financial statement disclosure.
The extent of required audit procedures judged necessary is determined after considering the performance
06/10/2010
Page 444
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
materiality, the assessed risk, and the degree of assurance the auditor plans to obtain. In general the
extent of audit procedures (such as a sample size for a test of details or the level of detail necessary in a
substantive analytical procedure) would increase as the risk of material misstatement increases. However,
increasing the extent of an audit procedure is effective only if the audit procedure itself is relevant to the
specific risk. See Volume 1, Chapter 7 and Volume 2, Chapter 6 and 17 for more information on the use
of materiality in test design.
16.6
The Auditor’s Toolbox
In developing the detailed audit plan, the auditor would use his/her professional judgment to select the
appropriate types of possible audit procedures. Refer to Volume 1, Chapters 10 to 15 for a more detailed
description of further audit procedures.
An effective audit program will be based on an appropriate mix of procedures that collectively reduce
audit risk to an acceptably low level. For the purposes of this Guide, the various types of audit procedures
available to the auditor have been categorized as illustrated in the exhibit below.
Exhibit 16.6-1
Substantive
Procedures
Basic*
Substantive
Procedures
Extended*
Further Audit
Procedures
Substantive
Analytical
Procedures
Tests of
Controls
Note: The terms “basic” and “extended” are used solely for the purposes of this Guide.
Exhibit 16.6-2
Procedure Type
Description
Substantive – Basic
The term “basic” has been used for the typical substantive procedures that are
required by paragraph 18 of ISA 330 to be performed for each material class of
transactions, account balance, and disclosure irrespective of the assessed risks
of material misstatement (RMM). These basic procedures reflect the fact that:
• The auditor's assessment of risk is judgmental and so may not identify all
06/10/2010
Page 445
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Procedure Type
Description
•
risks of material misstatement; and
There are inherent limitations to internal control, including management
override.
Where the RMM is very low, these basic type procedures may well be all that
is required to obtain sufficient and appropriate evidence for a particular
assertion. Examples of basic substantive procedures would be:
• Obtain a complete list of items that make up a period-end balance;
• Compare the current period’s balance with that of the preceding period;
• Obtain reasons for fluctuations; and
• Perform some period end cut-off procedures.
Substantive –
Extended
The term “extended” is used in this Guide to highlight the nature and extent of
the additional audit work (beyond the basic procedures) required to respond to
situations where the assessed risks for a particular assertion is moderate or
high. This would occur where specific or significant risks exist. An extended
procedure would include:
• Procedures tailored to respond to specific risk factors (such as
management override), other types of fraud or significant risk; and
• Procedures that are similar to basic procedures but where the extent of the
procedure has been increased (such as an enlarged sample size in a test of
details) to obtain the appropriate level of risk reduction.
See Volume 2, Chapter 10 for a more detailed description of significant risks
and the appropriate audit response.
Tests of Controls
Where key controls are in place (that are likely to operate effectively) to
address certain assertions, tests of controls may be performed to obtain the
necessary evidence about an assertion.
Tests of controls performed to reduce risk to a low level (requiring a larger
sample size) may provide the majority of evidence required for a particular
assertion. Alternatively, tests of controls could be performed to reduce risk to a
moderate level (requiring a slightly smaller sample size). In this latter case, to
obtain the required evidence, the auditor would supplement the tests of
controls with substantive procedures that address the same assertion.
Under certain criteria, internal controls need only be tested every third audit.
Refer to the discussion on tests of controls in Volume 1, Chapter 10.5.
Substantive
Analytical
Substantive analytical procedures involve evaluations of financial information
through analysis of plausible relationships among both financial and nonfinancial data. They require the development of precise expectations for certain
amounts (such as sales) that when compared to actual recorded amounts would
be sufficient to identify a misstatement.
Analytical procedures can be categorized as follows:
06/10/2010
Page 446
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Procedure Type
Description
•
•
Simple comparisons of data that would typically be included in basic
substantive procedures. These procedures would normally be combined
with other tests of details at the assertion level. They would not provide
sufficient audit evidence by themselves.
Predictive models that by themselves (or in combination with tests of
controls or other substantive procedures) would be sufficient to reduce
audit risk to an acceptably low level. For example, if an entity had six
employees at fixed rates of pay throughout the period, it could be possible
to estimate the total payroll costs for the period with a high degree of
accuracy. Assuming the number of employees and the rates of pay were
accurate, this procedure could provide the entire audit evidence for payroll.
There may be no need for other substantive procedures (basic or extended)
to be performed.
Note: When addressing a significant risk, the auditor is required to combine
the substantive analytical procedures with other substantive procedures that
include tests of details.
16.7 Developing the Responsive Audit Plan
Professional judgment and careful thought are required to develop an audit plan that responds
appropriately to the assessed risks. The time spent developing an appropriate plan will almost certainly
result in a more effective and efficient audit and less time being spent by staff.
There are three general steps the auditor would take in developing the plan:
•
Respond to assessed risks at the financial statement level (the overall response);
•
Identify any specific procedures required for material financial statement areas; and
•
Determine what audit procedures (tools from the toolbox) and the extent of testing are required.
Step 1 ─ Respond to assessed risks at the financial statement level
The first step is to develop an appropriate overall response to assessed risks at the financial statement
level. Because these risks are pervasive, a moderate or high level of risk assessment will generally result
in additional work being required for virtually every financial statement area. Refer to the discussion on
overall responses in Volume 2, Chapter 16.3.
Step 2 ─ Identify specific procedures required for material financial statement areas
Before developing the detailed response to assessed risks, the auditor may find it helpful to consider (for
each material financial statement area) the questions set out in the exhibit below.
Exhibit 16.7-1
For Each Material or Potentially Material Financial Statement Area
Questions to
Consider When
Developing an
06/10/2010
Are there assertions that cannot be addressed by substantive tests alone? If so,
tests of controls will be required.
This may occur when:
Page 447
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
For Each Material or Potentially Material Financial Statement Area
Appropriate Audit
Response
•
There is no documentation to provide audit evidence about an assertion
such as sales completeness; or
•
An entity conducts its business using IT and no documentation of
transactions is produced or maintained, other than through the IT system.
Are internal controls over related transaction streams/processes expected to be
reliable? If so, a test of controls may be possible unless the number of
transactions is so small that substantive procedures would still be more
efficient.
Are substantive analytical procedures available (such as on related transaction
streams)?
Is an element of unpredictability required (to address fraud risks, etc.)?
Are there “significant risks” (i.e. fraud, related parties etc.) to be addressed that
require special consideration?
Step 3 ─ Determine the nature and extent of audit procedures required
The third step is to use professional judgment to choose the appropriate mix of procedures and extent of
testing required to respond appropriately to the assessed risks at the assertion level.
Outlined below is one possible approach for determining the appropriate mix of procedures to address the
existence of receivables at low, moderate and high levels of assessed risk.
Receivables – Low Level of Assessed Risk
Performance materiality = 12,000 Є
Planned Audit Response
Assessed Risk for Existence
Assertion
Low
Substantive Procedures – Basic
Comments
These procedures would be considered adequate by
themselves to address the assessed risk. They would
include the typical tests of details and simple
analytical procedures that would be performed in
virtually any audit of receivables. These procedures
would often be included in a standard audit program
for receivables.
Receivables – Moderate Level of Assessed Risk
Performance materiality = 10,000 Є
06/10/2010
Page 448
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Planned Audit Response
Assessed Risk for Existence
Assertion
Moderate
Comments
Substantive Procedures – Basic
These procedures would be performed to address the existence
risk in general.
Substantive Procedures –
Extended
These procedures would be designed to:
• Address the specific risks identified in relation to the
existence of receivables (such as a fraud risk); and
• Perform sufficient tests of detail to reduce the assessed
risk to an acceptably low level.
If the entity had internal controls (such as over sales) that addressed the existence of receivables,
an alternative to performing the extended procedure would be a test of the operating effectiveness
of such controls.
Receivables – High Level of Assessed Risk
Performance materiality = 10,000 Є
Planned Audit Response
Assessed Risk for Existence
Assertion - Receivables
High
Comments
Substantive Procedures – Basic
These procedures would be performed to address the
existence risk in general.
Substantive Procedures –
Extended
These procedures would be designed to:
• Address the specific risks identified in relation to the
existence of receivables (such as a fraud risk); and
• Perform sufficient tests of details for a moderate risk
reduction that, combined with the evidence obtained
from testing internal control (see below), would
reduce the assessed risk to an acceptably low level.
Tests of Controls (operating
effectiveness)
To reduce the sample size required for a test of details
that would have reduced risk to a low level, the internal
controls that address existence would be tested to obtain
a moderate level of risk reduction. This combined with
the tests of details outlined above will reduce the
assessed risk to an acceptably low level
In the above example, it may also be possible to obtain the majority of required evidence from
performing a test of controls that reduces the risk to an acceptably low level. This may eliminate
the need for certain extended substantive procedures.
06/10/2010
Page 449
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
When developing an audit strategy on particular account balances or transactions, the auditor
would always consider the work performed on other parts of the transaction stream.
Another example is the completeness of sales for an entity that owns an apartment building and
rents out the units.
Receivables – Moderate Level of Assessed Risk
Performance materiality = 6,000Є
Planned Audit Response
Assessed Risk for
Completeness Assertion
Substantive Procedures – Basic
Substantive Analytical
Procedures
Moderate
-
Comments
In light of the substantive analytical procedure outlined
below, these procedures may not be necessary at all or
limited to obtaining evidence about the assumptions
used.
The known number of rental units is 64 and the rent is
1,000Є a month for the 46 two-bedroom suites and 800Є
for the 18 one-bedroom suites.
• The predicted rental income can be calculated as
724,800Є.
• Actual income recorded in the accounting records
was 718,800Є, a difference of 6,000 Є
The difference was verified as being due to six of the two
bedroom units were vacant for a month during the year.
06/10/2010
Page 450
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Points
1. Avoid defaulting to generic or standard audit procedures where possible
The most effective audit procedures are those that specifically address the causes of
the assessed risks.
2. Multiple assertions
Where possible, choose audit procedures that address multiple assertions. This will
reduce the need for other tests of detail.
3. Low risk areas
Use the information obtained from assessing the risks of material misstatement to
reduce the need for substantive procedures in low risk areas.
4. Consider using Tests of Controls
Use the information obtained about internal control to identify key controls that
could be tested for operating effectiveness. Testing controls (some of which may
only require testing once every three years) can often result in much less work than
performing extensive tests of detail.
5. Do not ignore IT controls
The sample size for testing an automated control can be as little as one item,
because an automated control is likely to operate in the same manner every time,
making it representative of all other items in the population. However, this would
be based on the assumption that the entity has effective IT general controls in
operation.
6. Dual purpose tests
Where tests of control are planned on the same class of transactions as substantive
tests, consider the potential for dual purpose tests. This is where a test of controls is
performed concurrently with a test of details on the same transaction. Although the
purpose of a test of controls is different from a test of details, both objectives may
be accomplished concurrently. For example, an invoice could be examined to
determine whether it has been approved (a test of control) and whether the
transaction was properly recorded in the accounting records (a test of details).
7. Consider work performed on all parts of a transaction stream
Take credit for work performed on other parts of the transaction stream. For
example, a test of controls over sales completeness would provide evidence for the
completeness of receivables.
8. Decide on audit strategy and procedures at the planning phase
Where possible, develop the nature and extent of audit procedures during the
planning phase of the audit, a time at which the team can agree on the approach to
be followed. This avoids junior staff having to design audit procedures by
themselves or simply performing the same procedures as last year.
06/10/2010
Page 451
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Consider Points
9. Remember to use analytical procedures
Analytical procedures are used in each phase of the audit.
a. At the beginning of the audit, analytical procedures are used aS risk
assessment procedure.
b. During the audit, analytical procedures are performed to analyze variances in
data and to substantiate certain transaction streams and account balances.
1.
16.8
c. Near the end of the audit, analytical procedures are performed to determine
whether the financial statement are consistent with the auditor’s understanding
of the entity or to indicate a previously unrecognized risk of material
misstatement due to fraud.
Responding to the Risk of Fraud
The risk of fraud (including management override) can exist in virtually any entity and needs to be
addressed when developing the audit plan. The first step is to assess the potential risk from fraud and then
to design an appropriate overall and detailed response.
Note: The auditor is required to treat assessed risks of material misstatement due to fraud as significant
risks. A significant risk requires the auditor to:
•
•
Obtain an understanding of the entity's related controls, including control activities,
relevant to such risks; and
Perform substantive procedures that are specifically responsive to that risk.
When the approach to a significant risk consists only of substantive procedures, those procedures
shall include tests of details.
In assessing the potential risk and appropriate response to fraud, the auditor would consider the following:
• Overall responses already developed to address risks assessed at the financial statement level;
• Specific responses already developed in relation to other risks assessed at the assertion level;
• The fraud scenarios (if any) developed during the planning discussions;
• Fraud risks (opportunities, incentives and rationale) identified as a result of performing risk
assessment procedures;
• Susceptibility of certain financial statement balances and transactions to fraud;
• Any known instances of actual fraud in the past or in the current period; and
• Risks relating to management override.
The following exhibit outlines some possible responses to the risks identified above.
Exhibit 16.8-1
Overall Responses to Fraud
Pervasive Risks at
06/10/2010
Consider need for:
Page 452
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Overall Responses to Fraud
the Financial
Statement Level
•
•
•
•
Heightened professional scepticism when examining certain
documentation or corroborating significant management representations;
People with specialized skills/knowledge, such as information technology
(IT);
Development of specific audit procedures to identify the existence of
fraud; and
An element of unpredictability in the selection of audit procedures to be
used. Consider adjusting the timing of certain audit procedures, use
different sampling methods or performing procedures on an unannounced
basis.
Specific Responses to Potential Fraud Risks
Specific Risks at the
Assertion Level
06/10/2010
Consider:
• Changing the nature, timing, and extent of the auditing procedures to
address the risk. Examples include the following:
−
Obtain more reliable and relevant audit evidence or additional
corroborative information to support management’s assertions,
−
Perform a physical observation or inspection of certain assets,
−
Observe inventory counts on an unannounced basis, and
−
Perform further review of inventory records to identify unusual
items, unexpected amounts and other items for follow-up
procedures.
• Performing further work to evaluate the reasonableness of management’s
estimates and the underlying judgments and assumptions.
• Increasing sample sizes or performing analytical procedures at a more
detailed level.
• Use computer assisted audit techniques (CAATs). For example,
− Gather more evidence about data contained in significant accounts or
electronic transaction files,
− Perform more extensive testing of electronic transactions and account
files,
− Select sample transactions from key electronic files,
− Sort transactions with specific characteristics, and
− Test an entire population instead of a sample.
• Requesting additional information in external confirmations. For example,
on a receivables confirmation, the auditor could ask for confirmation on the
details of sales agreements, including the date of the agreement, any rights
of return and the delivery terms. However, consider whether a request for
additional information might delay the response time significantly.
• Changing the timing of substantive procedures from an interim date to one
near the period end. However, if a risk of intentional misstatement or
manipulation exists, audit procedures to extend audit conclusions from an
interim date to the period end would not be effective.
Page 453
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Risks Related to Management Override
Source of Risk
Journal Entries
Management’s
Estimates
Significant
Transactions
Related Party
transactions
06/10/2010
Consider
Identifying, selecting and testing journal entries and other adjustments based
on the following:
• An understanding of the entity’s financial reporting process and
design/implementation of internal control.
• Consideration of the:
− Characteristics of fraudulent journal entries or other adjustments,
− Presence of fraud risk factors that relate to specific classes of journal
entries and other adjustments, and
− Inquiries of individuals involved in the financial reporting process
about inappropriate or unusual activity.
Reviewing estimates relating to specific transactions and balances to identify
possible biases on the part of management. Further procedures could include
the following:
• Reconsidering the estimates taken as a whole;
• Performing a retrospective review of management’s judgments and
assumptions related to significant accounting estimates made in the prior
period; and
• Determining whether the cumulative effect of bias in management’s
estimates amount to a material misstatement in the financial statements.
Obtaining an understanding of the business rationale for significant
transactions that are unusual or outside the normal course of business. This
includes an assessment as to whether:
• Management is placing more emphasis on the need for a particular
accounting treatment than on the underlying economics of the transaction;
• The arrangements surrounding such transactions appear overly complex;
• Management has discussed the nature of, and accounting for, such
transactions with those charged with governance;
• The transactions involve previously unidentified related parties or parties
that do not have the substance or the financial strength to support the
transaction without assistance from the entity under audit;
• Transactions that involve non-consolidated related parties, including
special purpose entities, have been properly reviewed and approved by
those charged with governance; and
• There is adequate documentation.
Obtain an understanding of the business relationships that related parties may
have established directly or indirectly with the entity through:
•
Inquiries of, and discussion with, management and those charged with
governance;
Page 454
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Risks Related to Management Override
•
Inquiries of the related party;
•
Inspection of significant contracts with the related party; and,
•
Appropriate background research, such as through the Internet or
specific external business information databases.
Based on the findings above:
Revenue
Recognition
16.9
•
Identify and assess the risks of material misstatement associated with
related party relationships;
•
Treat identified significant related party transactions outside the
entity's normal course of business as giving rise to significant risks;
and
•
Determine the need for substantive audit procedures that are
responsive to the risks identified.
Performing substantive analytical procedures. Consider computer assisted
audit techniques (CAATs) to identify unusual or unexpected revenue
relationships or transactions.
Confirming the relevant contract terms with customers (acceptance criteria,
delivery and payment terms) and the absence of side agreements (such as
offering a customer the right to return the goods immediately after the period
end).
Risk of Misstatements in Presentation and Disclosure
Some assessed risks may arise from financial statement presentation and disclosures in accordance with
the applicable financial reporting framework. As a result, specific procedures may need to be designed to
respond appropriately to the risks involved.
These audit procedures would address whether:
•
The individual financial statements are presented in a manner that reflects the appropriate
classification and description of financial information;
•
The presentation of financial statements includes adequate disclosure of material matters and
uncertainties. This includes the form, arrangement and content of the financial statements and their
appended notes (including terminology used), the amount of detail given, the classification of items in
the statements and the bases of amounts set forth; and
•
Management has disclosed particular matters in light of the circumstances and facts of which the
auditor is aware at the time of signing the auditor’s report.
16.10 Determining Whether the Audit Plan is Complete
Before concluding that the audit is complete, the auditor would consider whether the following factors
have been appropriately addressed.
06/10/2010
Page 455
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Exhibit 16.10-1
Procedure Type
Description
Have All Material
Financial Statement
Areas Been
Addressed?
Substantive procedures are required to be designed and performed for all
material classes of transactions, account balances and disclosures. This is
irrespective of the assessed risks of material misstatement.
Is There a Need For
External
Confirmations?
Consider whether external confirmation procedures are to be performed as
substantive audit procedures. Examples could include:
• Bank balances;
• Receivables;
• Inventories and investments held by third parties;
• Amounts due to lenders;
• Terms of agreements;
• Contracts; and
• Transactions between the entity and other parties.
External confirmation may also be used to address the absence of certain
conditions. For example, there are no “side agreements on sales” that could
affect revenue cut-off.
Can Evidence
Obtained in Prior
Periods be Used?
Assuming the evidence does not address a significant risk and certain other
criteria apply (such as no change in controls and no significant manual element
in the control operation), the tests of operating effectiveness may only need to
be performed once every third audit (see Volume 1, Chapter 10.5 for more
information).
Is there a need for
an auditor’s expert?
Is expertise in a field other than accounting or auditing required to obtain
sufficient appropriate audit evidence?
Has the Financial
Statement Closing
Process Been
Addressed?
The following substantive procedures are required in relation to the financial
statement closing process:
• Agreeing or reconciling the financial statements with the underlying
•
Have Significant
Risks Been
Addressed?
accounting records; and
Examining material journal entries and other adjustments made
during the course of preparing the financial statements.
For each risk assessed as significant, the auditor is required to design and
perform substantive procedures (possibly supplemented by tests of controls).
Substantive analytical procedures cannot be used alone and would be
supplemented with tests of details.
Where reliance is placed on internal controls over a significant risk, the auditor
is required to test those controls in the current period.
Has Evidence
06/10/2010
Update interim substantive procedures by covering the remaining period. This
Page 456
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Procedure Type
Description
Obtained from
Interim Testing
Been Updated?
would include:
• Substantive procedures combined with tests of controls for the
•
Have the Potential
Risks of Fraud Been
Addressed?
intervening period; or
Further substantive procedures that provide a reasonable basis for
extending the audit conclusions from the interim date to the period
end.
For example, heighted professional skepticism, an element of unpredictability
in the design of audit procedures, etc.
(See Volume 2, Chapter 16.8.)
16.11 Documenting the Overall Response and Detailed Audit Plans
The overall responses may be documented as a stand-alone document or more typically as part of
the overall audit strategy.
The detailed plan is often documented in the form of an audit program that outlines the nature
and extent of procedures and the assertion(s) being addressed. Space can then be provided to
record details about who performed each step and the findings.
Consider Points
Timing
Consider whether some of the planned further audit procedures can be carried out at the same
time as the risk assessment procedures.
Changes to plan
If planned procedures need to be modified as a result of audit evidence or other information
obtained, update the overall strategy and audit plan and provide the reasons for the change.
Review
Ensure that audit procedures and related working papers are signed and dated by the preparer
and the reviewer prior to the completion of the audit.
16.12 Communication of the Audit Plan
The overall audit strategy, overall responses and the audit plan are entirely the auditor’s responsibility.
However, it is often useful to discuss some elements of the detailed audit plan (such as timing) with
management. Such discussions often result in minor changes to the plan to coordinate timing and
facilitate the performance of certain procedures.
The exact nature, timing and scope of the planned procedures would not be discussed in detail with
management or changed or scaled back to accommodate a management request. Such requests could
compromise the effectiveness of the audit, make audit procedures too predictable and could constitute a
06/10/2010
Page 457
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
scope limitation.
ISA 260 sets out a number of matters that the auditor is required to communicate with those charged with
governance. Refer to Volume 2, Chapter 5.3 for a listing of such matters. These requirements are
designed to ensure an effective two-way communication between the auditor, management and those
charged with governance.
Consider Point
Auditors should consider having periodic, regular status updates with management to inform them of
any preliminary findings, request any additional documentation or request any assistance required
and/or discuss other issues.
Any significant changes to the audit plan should also be communicated to management and those
charged with governance.
16.13 Case Studies – The Responsive Audit Plan
For details of the case studies, refer to Volume 2, Chapter 2 ─ Introduction to the Case Studies.
The following case study examples outline the considerations and possible audit procedures that could be
used in developing a detailed audit plan for accounts receivable. Since the purpose of the audit plan is to
reduce the risk of a material misstatement to an acceptably low level, it is important to review the risks
identified in the risk assessment phase for the revenue/receivables/receipts cycle.
Case Study A ─ Dephta Furniture Inc.
According to the risk assessment in Volume 2, Chapter 14.6 – Concluding the Risk Assessment Phase – the
assessed risks were:
Assessed risks at financial statement level (High, Moderate or Low)
Assertions (Completeness, Existence, Accuracy and Valuation)
Assessed risks at assertion level (High, Moderate or Low)
Low
C
E
A
V
L
M
L
M
Changes in assessed risks from the previous period. None
Questions to be considered in developing the receivables audit plan:
Planning Considerations
Response
1. Are there assertions that cannot be
addressed by substantive tests alone?
Completeness of sales will be addressed through a
combination of tests of control and analytical
procedures. Note for next year-- if the Internet sales
continue to grow, additional tests of controls may be
required due to the loss of paper trail.
2. Is internal control over related transaction
Tests of controls could be used to reduce the level of
06/10/2010
Page 458
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Planning Considerations
streams/processes expected to be
reliable? If so, could the controls be tested
to reduce need/scope for other substantive
procedures?
3. Are there substantive analytical
procedures available that would reduce
need/scope for other audit procedures?
Response
risk reduction required from other substantive
procedures (confirmations) in accounts receivable. But
we are not totally certain as to the reliability of control
operation so only substantive procedures will be used.
No.
4. Is there a need to incorporate an element
Some extended audit procedures will be performed to
of unpredictability or further audit
address the risks identified for management override.
procedures (such as to address fraud, risk,
etc.)?
5. Are there significant risks that require
special attention?
There are some possible fraud risks (Volume 2
Chapter 9) in relation to revenue recognition. These
will be addressed by substantive “extended”
procedures.
Valuation of accounts receivable is a specific risk
requiring special attention. Additional analysis and
review of subsequent payments will be done.
Need to be mindful of undisclosed related-party
transactions outside of the normal course of business
throughout the audit.
Based on the auditor’s professional judgment, an appropriate mix of procedures is required to
reduce the risks of material misstatement (RMM) to an acceptably low level for relevant assertions
(applicable to the receivable balance). The following is a sample audit response to the assessed
level of risk for accounts receivable.
Summary of proposed audit response
(Check the applicable boxes under CEAV)
C
E
A
V
A. Substantive procedures – basic
x
x
x
x
B. Substantive procedures − extended
(sampling, fraud, significant risks, etc.)
x
x
C. Substantive analytical procedures (proof in total, etc.)
D. Tests of controls (operating effectiveness)
x
Based on professional judgment, are the procedures outlined above yes
sufficient to address the assessed risks? (Yes/No) If no, explain below.
yes
yes
yes
Comments:
06/10/2010
Page 459
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
A sample audit program that responds to the risks identified is outlined in the case study notes for
Volume 2, Chapter 17.7.
Case Study B ─ Kumar & Co.
According to the risk assessment in Volume 2, Chapter 14.6 – Concluding the Risk Assessment
Phase – the assessed risks were:
Assessed risks at financial statement level (High, Moderate or Low)
Assertions (Completeness, Existence, Accuracy and Valuation)
Assessed risks at assertion level (High, Moderate or Low)
Moderate
C
E
A
V
L
M
M
L
Changes in assessed risks from the previous period. None
Increased risks related to related-party transactions and possible fraud resulting from Raj’s absence
Questions to be considered in developing the receivables audit plan:
Planning Considerations
Response
1. Are there assertions that cannot be
addressed by substantive tests alone?
The completeness of sales will be addressed by a
combination of analytical review and extended
substantive testing.
2. Is internal control over related transaction
streams/processes expected to be
reliable? If so, could the controls be tested
to reduce need/scope for other substantive
procedures?
Due to the small size of the company, there are limited
controls. We obtained an understanding of internal
control but we will not test controls or place any
reliance on them.
3. Are there substantive analytical
procedures available that would reduce
need/scope for other audit procedures?
No.
4. Is there a need to incorporate an element
Not considered necessary as the receivables balance
of unpredictability or further audit
at year end relates primarily to Dephta.
procedures (such as to address fraud, risk,
etc.)?
5. Are there significant risks that require
special attention?
The possibility of inconsistent revenue recognition or
fraud will be addressed through substantive ‘extended’
procedures.
Need to be mindful of undisclosed related-party
06/10/2010
Page 460
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Planning Considerations
Response
transactions outside of the normal course of business
throughout the audit.
The following is a sample audit response to the assessed level of risk for accounts receivable.
Summary of proposed audit response
(Check the applicable boxes under CEAV)
C
E
A
V
A. Substantive procedures − basic
x
x
x
x
B. Substantive procedures − extended
(sampling, fraud, significant risks, etc.)
x
x
x
Based on professional judgment, are the procedures outlined above yes
sufficient to address the assessed risks? (Yes/No) If no, explain below.
yes
yes
C. Substantive analytical procedures (proof in total, etc.)
D. Tests of controls (operating effectiveness)
yes
Comments: none
A sample audit program that responds to the risks identified is outlined in the case study notes for
Volume 2, Chapter 17.7.
06/10/2010
Page 461
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
17.
DETERMINING THE EXTENT OF TESTING
Chapter Content
Relevant ISAs
Guidance on determining the extent of testing required to
be responsive to the assessed risks of material
misstatement.
330, 500, 530
Exhibit 17.0-1
Risk Response
Develop appropriate
responses to the
assessed RMM3
Implement responses
to assessed RMM3
Reduce audit risk
to an acceptably
low level
Work performed
Audit findings
Staff supervision
Working paper review
Notes:
1. Refer to ISA 230 for a more complete list of documentation required.
2. Planning (ISA 300) is a continual and iterative process throughout the audit.
3. RMM = Risks of material misstatement.
Paragraph #
Relevant Extracts from ISAs
530.5
For purposes of the ISAs, the following terms have the meanings attributed below:
(a) Audit sampling (sampling) – The application of audit procedures to less than 100% of items within a
population of audit relevance such that all sampling units have a chance of selection in order to
provide the auditor with a reasonable basis on which to draw conclusions about the entire population.
(b) Population – The entire set of data from which a sample is selected and about which the auditor
wishes to draw conclusions.
(c) Sampling risk – The risk that the auditor’s conclusion based on a sample may be different from the
conclusion if the entire population were subjected to the same audit procedure. Sampling risk can
lead to two types of erroneous conclusions:
(i)
06/10/2010
In the case of a test of controls, that controls are more effective than they actually are, or in the
case of a test of details, that a material misstatement does not exist when in fact it does. The
auditor is primarily concerned with this type of erroneous conclusion because it affects audit
Page 462
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
effectiveness and is more likely to lead to an inappropriate audit opinion.
(ii) In the case of a test of controls, that controls are less effective than they actually are, or in the
case of a test of details, that a material misstatement exists when in fact it does not. This type of
erroneous conclusion affects audit efficiency as it would usually lead to additional work to
establish that initial conclusions were incorrect.
(d) Non-sampling risk – The risk that the auditor reaches an erroneous conclusion for any reason not
related to sampling risk. (Ref: Para A1)
(e) Anomaly – A misstatement or deviation that is demonstrably not representative of misstatements or
deviations in a population.
(f)
Sampling unit – The individual items constituting a population. (Ref: Para A2)
(g) Statistical sampling – An approach to sampling that has the following characteristics:
(i)
Random selection of the sample items; and
(ii) The use of probability theory to evaluate sample results, including measurement of sampling
risk.
A sampling approach that does not have characteristics (i) and (ii) is considered non-statistical
sampling.
(h) Stratification – The process of dividing a population into sub-populations, each of which is a group of
sampling units which have similar characteristics (often monetary value).
330.12
(i)
Tolerable misstatement – A monetary amount set by the auditor in respect of which the auditor seeks
to obtain an appropriate level of risk reduction that the monetary amount set by the auditor is not
exceeded by the actual misstatement in the population. (Ref: Para A3)
(j)
Tolerable rate of deviation – A rate of deviation from prescribed internal control procedures set by
the auditor in respect of which the auditor seeks to obtain an appropriate level of risk reduction that
the rate of deviation set by the auditor is not exceeded by the actual rate of deviation in the
population.
If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period,
the auditor shall:
(a) Obtain audit evidence about significant changes to those controls subsequent to the interim period;
and
(b) Determine the additional audit evidence to be obtained for the remaining period. (Ref: Para. A33A34)
330.13
In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls
obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a
control, the auditor shall consider the following:
(a) The effectiveness of other elements of internal control, including the control environment, the entity’s
monitoring of controls, and the entity’s risk assessment process;
(b) The risks arising from the characteristics of the control, including whether it is manual or automated;
(c) The effectiveness of general IT-controls;
(d) The effectiveness of the control and its application by the entity, including the nature and extent of
06/10/2010
Page 463
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
deviations in the application of the control noted in previous audits, and whether there have been
personnel changes that significantly affect the application of the control;
(e) Whether the lack of a change in a particular control poses a risk due to changing circumstances; and
(f)
330.14
The risks of material misstatement and the extent of reliance on the control. (Ref: Para. A35)
If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of
specific controls, the auditor shall establish the continuing relevance of that evidence by obtaining audit
evidence about whether significant changes in those controls have occurred subsequent to the previous
audit. The auditor shall obtain this evidence by performing inquiry combined with observation or
inspection, to confirm the understanding of those specific controls, and:
(a) If there have been changes that affect the continuing relevance of the audit evidence from the
previous audit, the auditor shall test the controls in the current audit.
(b) If there have not been such changes, the auditor shall test the controls at least once in every third
audit, and shall test some controls each audit to avoid the possibility of testing all the controls on
which the auditor intends to rely in a single audit period with no testing of controls in the subsequent
two audit periods. (Ref: Para. A37-A39)
17.1
Overview
Sufficient appropriate audit evidence may be obtained by selecting and examining the following.
Exhibit 17.1-1
Selecting and Examining
All Items
(100% examination)
This is appropriate when:
• The population constitutes a small number of large value items;
• There is a significant risk and other means do not provide sufficient
appropriate audit evidence; and
• CAATs can be used in a larger population to electronically test a repetitive
calculation or other process.
Specific Items
This is appropriate for:
• High value or key items that could individually result in a material
misstatement;
• All items over a specified value;
• Any unusual or sensitive items or financial statement disclosures;
• Any items that are highly susceptible to misstatement;
• Items that will provide information about matters such as the nature of the
entity, the nature of transactions and internal control; and
• Items to test the operation of certain control activities.
Representative
Sample of Items
This is appropriate for reaching a conclusion about an entire set of data
(population) by selecting and examining a representative sample of items
06/10/2010
Page 464
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Selecting and Examining
from the Population
within the population.
Sampling enables the auditor to obtain and evaluate audit evidence about
specified characteristics. The determination of sample size may be made using
either statistical or non-statistical methods.
The decision as to which approach to use will depend on the circumstances. The application of any one or
combination of the above means may be appropriate in particular circumstances.
Choosing sampling as the most efficient method of obtaining the necessary risk reduction for an assertion
has a number of advantages as illustrated below.
Exhibit 17.1-2
Benefits
Use of
Representative
Samples
Valid conclusions can be drawn. The auditor’s objective is obtaining
reasonable risk reduction and not absolute certainty.
Results can be combined with results from other tests.
Evidence obtained from one source can be corroborated by evidence obtained
from another source to provide increased risk reduction.
An examination of all of the data would not provide absolute certainty. For
example, unrecorded transactions will never be detected.
Cost saving. The cost of examining every entry in the accounting records and
all supporting evidence would be uneconomical.
Volume 1, Chapter 10 outlines the nature and use of further audit procedures. This chapter focuses on the
extent of testing and use of sampling techniques.
Sampling Techniques
Sampling does not have to be selected as an audit procedure but where it is used, all the sampling units in
a population (such as sales transactions or receivables balances) are required to have a chance of
selection. This is necessary to enable the auditor to draw reasonable conclusions about the entire
population.
In any sample of less than 100% of the population, there is always the risk that a misstatement may not be
identified and that it might exceed the tolerable level of misstatement or deviation. This is called sampling
risk. Sampling risk can be reduced by increasing the sample size, while non-sampling risk can be reduced
by proper engagement planning, supervision and review.
There are two types of sampling commonly used in auditing, as set out below.
Exhibit 17.1-3
06/10/2010
Page 465
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Sample Attributes
Statistical Sampling
Sample is selected on a random basis. This means that every item in the
population has a known (statistically appropriate) chance of being selected.
Results can be mathematically projected. Probability theory can be used to
evaluate the sample results, including measurement of sampling risk.
Non-Statistical or
Judgmental
Sampling
A sampling approach that does not have the characteristics outlined above for
statistical sampling.
In determining the sample size, the auditor would determine the tolerable rate of deviation (exceptions)
that would be acceptable.
•
Substantive Procedures
Performance materiality (whether overall or for a specific item) is set in relation to overall materiality
(whether overall or for a specific item, respectively). The tolerable misstatement level is set in
relation to performance materiality (either overall or for the specific item, as the case may be). The
higher the tolerable misstatement level is set, the smaller the sample size. The lower the tolerable
level of misstatement is set, the larger the sample size. Note that the tolerable level of misstatement
will often be the same as performance materiality.
•
Tests of Controls
For tests of controls, the tolerable rate of deviation is likely to be very small, often allowing for no
deviations or possibly one. Tests of controls provide evidence whether the controls work or not.
Consequently, they would only be used where the operation of the control was expected to be
reliable.
17.2
Use of Sampling
Paragraph #
Relevant Extracts from ISAs
530.6
When designing an audit sample, the auditor shall consider the purpose of the audit procedure and the
characteristics of the population from which the sample will be drawn. (Ref: Para. A4-A9)
530.7
The auditor shall determine a sample size sufficient to reduce sampling risk to an acceptably low level.
(Ref: Para. A10-A11)
530.8
The auditor shall select items for the sample in such a way that each sampling unit in the population has a
chance of selection. (Ref: Para. A12-A13)
530.9
The auditor shall perform audit procedures, appropriate to the purpose, on each item selected.
530.10
If the audit procedure is not applicable to the selected item, the auditor shall perform the procedure on a
06/10/2010
Page 466
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Paragraph #
Relevant Extracts from ISAs
replacement item. (Ref: Para. A14)
530.11
If the auditor is unable to apply the designed audit procedures, or suitable alternative procedures, to a
selected item, the auditor shall treat that item as a deviation from the prescribed control, in the case of tests
of controls, or a misstatement, in the case of tests of details. (Ref: Para. A15-A16)
530.12
The auditor shall investigate the nature and cause of any deviations or misstatements identified, and
evaluate their possible effect on the purpose of the audit procedure and on other areas of the audit. (Ref:
Para. A17)
530.13
In the extremely rare circumstances when the auditor considers a misstatement or deviation discovered in
a sample to be an anomaly, the auditor shall obtain a high degree of certainty that such misstatement or
deviation is not representative of the population. The auditor shall obtain this degree of certainty by
performing additional audit procedures to obtain sufficient appropriate audit evidence that the
misstatement or deviation does not affect the remainder of the population.
530.14
For tests of details, the auditor shall project misstatements found in the sample to the population. (Ref:
Para. A18-A20)
530.15
The auditor shall evaluate:
(a) The results of the sample; and (Ref: Para. A21-A22)
(b) Whether the use of audit sampling has provided a reasonable basis for conclusions about the
population that has been tested. (Ref: Para. A23)
Building a Foundation
Whenever statistical or non-statistical sampling techniques are being considered, the auditor would
address and document the following matters.
Exhibit 17.2-1
Factors to Consider
Comments
Purpose of Test?
The starting point for the test design is to establish the purpose of the test and
what assertions will be addressed.
Primary Source of
Evidence?
What is the primary source of evidence for each assertion to be addressed and
what is secondary? This differentiation will help to ensure audit effort is
directed to the right place.
Previous
Experience?
What was the experience (if any) in performing similar tests in previous
periods? Consider the effectiveness of the test and the existence and
disposition of deviations (errors), if any, found in the samples selected.
06/10/2010
Page 467
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Factors to Consider
Comments
What Population?
Ensure the population of items to be tested is appropriate to achieve the test
objectives. Sampling will not identify or test items that are not already
included within the population. For example, a sample of receivable balances
may be used to test the existence of receivables but such a population would
not be appropriate for testing the completeness of receivables.
Also consider the size of the population. In some cases, a statistical conclusion
may not be drawn if the population to be tested is too small to sample.
What Sampling Unit Consider the purpose of the test and the assertion being addressed. This
decision will determine what items will be selected to test. Examples include
to Use?
sales invoices, sales orders and customer account balances.
Statistical or NonStatistical?
Statistical conclusions can be drawn from statistical samples. Conclusions
based on professional judgment can be made from judgmental non-statistical
samples. Non-statistical samples are often used in combination with other audit
procedures that address the same assertion.
Definition of a
Deviation?
Failure to properly define a deviation will result in time being wasted by staff
in reviewing minor exceptions that may not constitute a deviation. Also,
determine how the reasons and implications of deviations found will be
followed up by audit staff.
Any High-Value
Items to Exclude?
If there are larger transactions or balances in the population that can be
evaluated separately, it may result in smaller sample sizes from remaining
items in the population. In some cases, the evidence gained from testing the
larger transactions or balances may be sufficient to eliminate the need for
sampling altogether.
Use of CAATs
Could computer-assisted audit techniques (CAATs) provide a better or more
efficient result? For many tests, 100% of the population can be tested by
CAATs (as opposed to just a sample) and custom reports can be prepared that
identify unusual items for follow up.
Any Stratification
Possible?
Consider whether the population can be stratified by dividing it into discrete
subpopulations which have an identifying characteristic.
For example, if a population contained a number of high-value transactions,
the population (for a test of details) could be stratified by monetary value. This
allows greater audit effort to be directed to the larger value items, as these
items may contain the greatest potential misstatement in terms of
overstatement.
A population may also be stratified according to a particular characteristic that
indicates a higher risk of misstatement. When testing the adequacy of the
allowance for doubtful accounts (valuation of accounts receivable), the
06/10/2010
Page 468
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Factors to Consider
Comments
receivable balances may be stratified by age.
Where subpopulations are tested separately, the misstatements will be
projected for each stratum separately. Projected misstatements for each stratum
can then be combined to considering the possible effect of misstatements on
the account balance or class of transactions
What Precision is
Required?
Performance materiality is often used as the basis for tolerable misstatement.
This also represents the precision for a statistical test.
Performance materiality would be set at an amount that allows for the possible
existence of undetected and immaterial misstatements aggregating to a
material amount.
What Confidence
Level Required?
Confidence is the level of acceptable risk (detection risk) that the test will not
produce accurate results. Is a high level of confidence (resulting in a larger
sample) or a lower confidence level (resulting in a smaller sample) required?
The confidence level required in a particular test will be based on factors such
as:
• Evidence obtained from other sources such as analytical review, other
substantive procedures and testing the operational effectiveness of related
controls; and
• The importance of the financial statement assertion or line item compared
with overall materiality.
For example, a 95 percent level of confidence indicates that if a particular test
was performed 100 times (selecting representative transactions at random), the
results would be accurate (within the margin of misstatement) 95 times out of
the 100 tests. There is a risk that 5 tests out of the 100 will produce inaccurate
results.
When statistical sampling is planned, the tolerable misstatement or deviation rate would also be
addressed.
Exhibit 17.2-2
Factors to Consider
Comments
What is the
Tolerable
Misstatement or
Tolerable Deviation
Rate?
Tolerable misstatement is used in sampling tests of details to address the risk
that the aggregate of individually immaterial misstatements may cause the
financial statements to be materially misstated and provide a margin for
possible undetected misstatements. Tolerable misstatement is the application
of performance materiality to a particular sampling procedure. Tolerable
misstatement may be the same amount or an amount lower than performance
materiality.
06/10/2010
Page 469
Guide to Using International Standards on Auditing
in the Audits of Small- and Medium-sized Entities
Factors to Consider
Comments
Tolerable rate of deviation is used for tests of controls where the auditor sets
a rate of deviation from prescribed internal control procedures to obtain an
appropriate level of assurance. The auditor seeks to obtain an appropriate level
of assurance that the set rate of deviation is not exceeded by the actual rate of
deviation in the population.
17.3
Extent of Substantive Procedures (using statistical sampling)
The greater the risks of material misstatement, the greater the extent of substantive procedures required.
The extent of substantive procedures may be reduced by testing the operating effectiveness of internal
control. However, if the results are unsatisfactory, the extent of substantive procedures may actually need
to be increased.
Determining Sample Sizes — Monetary Unit Sampling
The most common method of sampling for tests of details is monetary unit sampling. Under this method,
the probability of an item (for example, an accounts receivable balance) being selected for testing is
directly proportional to the monetary value of the item. Thus, an accounts receivable balance of 6,000Є is
three times as likely to be selected as an accounts receivable balance of 2,000Є. Under this method, it
would not be appropriate to select physical units such as every 50th invoice or transaction.
Although monetary unit sampling may be the most common form of sampling used by auditors, there are
a number of other sampling methods which could be more appropriate in certain circumstances.
Discussion of these other sampling methods has not been included in this Guide.
Selection of Confidence Factors
When designing a substantive test, the auditor may find it useful to use three levels of risk reduction such
as high, moderate and low. The difference between the levels can be based on the confidence factor used
for selecting the sample. The higher the confidence factor, the higher the sample size and the level of risk
reduction obtained. This is illustrated in the following exhibit which provides typical confidence levels to
achieve high, moderate and low risk reductions.
Exhibit 17.3-1
Risk
Reduction
Required
High
Confidence
Level
Confidence
Factor
95%
– 3.0
Moderate
80-90%
1.6 – 2.3
Low
65-75%
1.1 – 1.4
An effective set of audit procedures designed to respond to assessed risks and specific assertions may
contain a mixture of tests of controls and substantive procedures.
06/10/2010
Page 47