AA - Audit framework & regulation

Contents

Assurance
    DEFINITION:
    LEVEL OF ASSURANCE:
Introduction to an External Audit
    WHAT IS AN AUDIT?
    AN AUDIT PROCESS CAN BE OUTLINED AS FOLLOWS:
    PROS AND CONS OF AN EXTERNAL AUDIT:
Fundamental Principles
    DEFINITION:
Ethical Risks
    THREATS TO OBJECTIVITY AND INDEPENDENCE:
    BREAKING CONFIDENTIALITY:
Corporate Governance
    DEFINITION AND PRINCIPLES:
    BOARD OF DIRECTORS:
    COMMITTEES:
    AUDITOR’S REPORT:
Internal Auditors
    THE ROLE OF INTERNAL AUDITORS
    DIFFERENCES BETWEEN EXTERNAL AND INTERNAL AUDITORS
    RELIANCE ON INTERNAL AUDITORS' WORK
    OUTSOURCING

Assurance

DEFINITION:
A practitioner evaluates a subject matter that is the responsibility of another party against criteria, to express a conclusion to the user of the subject, where:
– Practitioner = External auditor;
– Subject matter = Financial statements;
– Responsible party = Client management;
– Conclusion = Audit opinion;
– Users = Shareholders and other users.

By providing assurance you are:
1) Giving confidence to the users who make decisions;
2) Enhancing the credibility of the information in the financial statements.

ELEMENTS OF ASSURANCE ENGAGEMENT:
There are 5 elements of any assurance engagement:
1) The three parties involved: the practitioner, the responsible party and the user (the auditor, the management and the shareholders);
2) The subject matter (financial statements);
3) Suitable criteria (applicable financial reporting framework);
4) Sufficient appropriate evidence (audit procedures carried out);
5) Written assurance report (audit report).

LEVEL OF ASSURANCE:
IAASB introduces guidance designed for better understanding of two levels of assurance:
1) Reasonable assurance.
The practitioner must:
– Provide sufficient appropriate evidence in order to form reasonable conclusions;
– Provide high level of assurance;
– Issue positive report or opinion.
2) Limited assurance. Such engagement provides:
– Sufficient appropriate evidence in order to form limited conclusions;
– Moderate level of assurance;
– Negative report or opinion.

Notes:
– When reviewing information regarding future events, it is impossible to give a positive opinion as we cannot predict future events;
– The term ‘nothing has come to our attention’ is used if there is a negative opinion.

Introduction to an External Audit

WHAT IS AN AUDIT?
Objective of external auditor: to review the financial statements and form an independent opinion. The auditor must communicate whether financial statements are true and fair and properly prepared.

Role of the auditor: to identify any material misstatements so that they can be corrected by the management before the accounts are published.

Material misstatements are errors within the financial statements that, if not corrected, could influence the decisions made based on the information given.

True and fair means that financial statements:
1) Are factual;
2) Agree with the underlying records;
3) Are clear;
4) Are unbiased;
5) Are free from material misstatements.

Properly prepared means that financial statements are prepared in accordance with the applicable reporting framework.

EXPECTATION GAP:
There is a misconception about the role of the external auditor, known as the expectation gap:

Misconception | Fact
Auditors test all transactions and balances. | Auditors test transactions on a sample basis.
Auditors should detect all fraud and error. | It is the auditor’s responsibility to report on whether financial statements are free from material misstatements, whether caused by fraud or error.
Auditors prepare financial statements. | This is the responsibility of directors, not the auditors.

AN AUDIT PROCESS CAN BE OUTLINED AS FOLLOWS:
1) Acceptance.
The auditors must consider, before they begin the audit work, whether they want to accept a new client or continue with an existing one;
2) Engagement. Ensure that agreement between the auditor and the client is in place;
3) The plan. Auditors must carefully plan the audit and identify any risks and other issues that need to be managed;
4) Assess controls and systems. Auditors must review the systems and control procedures in order to identify whether controls are strong or poor;
5) Substantive testing. Auditors perform audit procedures on transactions and balances to identify potential misstatements;
6) Completion and review. Audit manager will review the evidence collected and work completed to ensure it is enough to form an opinion;
7) Audit report. Audit partner will review the audit work and the financial statements and form an independent audit opinion.

PROS AND CONS OF AN EXTERNAL AUDIT:

Pros:
1) It results in greater detection of fraud and error;
2) It enhances the credibility of financial statements;
3) It improves shareholder confidence and company’s reputation;
4) Improvements to control systems are made based on prior experience of the auditors;
5) It helps to resolve disputes between management and assists in better decision making.

Cons:
1) There could be misstatements in transactions not included in audit sampling;
2) Estimates are subjective and difficult to audit;
3) Auditors have to rely on evidence provided by client management;
4) Auditors have to rely on systems and controls.

The relationship between International Standards on Auditing and National Standards

The International Standards on Auditing are set by the International Auditing and Assurance Standards Board (IAASB). The structures and processes that support the operations of the IAASB are facilitated by the International Federation of Accountants (IFAC). IFAC is a worldwide organisation for the accountancy profession dedicated to serving the public interest by strengthening the profession.
However, IFAC is not responsible for enforcing these standards. It is up to individual countries to implement the standards if they deem them appropriate. Countries also have the choice to set their own National Standards of implementation or may modify the ISAs to suit their needs.

National Regulatory bodies will be charged with enforcing the implementation of auditing standards, enforcing quality control of audits and inspecting audit files. Countries may do this by allowing the accountancy profession to implement the above or by setting up an independent authority to do it.

Fundamental Principles

DEFINITION:
Ethics - guidance on how to behave morally and professionally. The IFAC code of ethics is the key regulative document.

Ethical principles must be considered when:
– Accepting new audit client;
– Acting for an existing audit client (not to act for a client if it will affect the judgement during the assignment).

FUNDAMENTAL PRINCIPLES (OPPIC):
O - Objectivity
P - Professional behavior
P - Professional competence and due care
I - Integrity
C - Confidentiality

Objectivity means that the auditor:
– Must be objective when making the decision;
– Does not allow bias or other factors to influence the decision;
– Is able to make an independent opinion on the financial statements;
– Is not too connected to client to maintain objectivity.

Professional behavior means that the auditor:
– Complies with relevant laws and regulations;
– Acts properly to maintain professional standards;
– Is trusted to give an independent opinion.

Professional competence and due care means that the auditor should ensure that:
– Professional knowledge and skill are maintained;
– All relevant regulations are followed;
– Work is not taken on that they are not technically competent to do;
– Reporting requirements are understood.

Integrity means that the auditor should be:
– Straightforward and honest;
– Establishing trust.
Confidentiality means that the auditor must:
– Keep the information confidential;
– Not pass the information to third parties without the authority;
– Implement strong controls.

Ethical Risks

THREATS TO OBJECTIVITY AND INDEPENDENCE:
Objectivity is one of the fundamental principles given in the ethical code. An auditor should remain objective, which means that they should not allow bias and not be influenced by others.

Types of objectivity threats:
1) Self interest - arises when the auditor has personal interest in the client, which could affect the audit;
2) Self review - arises when the auditor has to review work that they previously performed;
3) Familiarity - arises when the auditor is too sympathetic or trusting of the client because of a close relationship with them;
4) Advocacy - arises when the auditor is asked to promote or represent their client in some way;
5) Intimidation - arises when clients put pressure on auditors in order to influence the outcome of the audit.

Note: if auditors identify any of these threats, they need to put safeguards in place to reduce the threat to an acceptable level.

Conflicts of interest:
A conflict of interest arises when the audit firm has the opportunity to audit two connected clients. The main issue with a conflict of interest is confidentiality, as there is a risk of sensitive information being leaked. The safeguards are as follows:
1) Discuss with both clients whether they are happy to continue with the same audit firm;
2) Separate audit partners heading up the audit teams;
3) Set up separate audit teams and offices if possible;
4) Provide training on the importance of confidentiality to all staff;
5) Sign confidentiality agreements with the audit staff.

Note: If the audit firm cannot guarantee safeguards are strong enough, they should not continue with both audits.

BREAKING CONFIDENTIALITY:
Keeping client information confidential is one of the fundamental principles from the ethical code.
Confidentiality should be broken when:
– Client has given permission to disclose information;
– There is a legal duty;
– It may be in the public interest.

Corporate Governance

DEFINITION AND PRINCIPLES:
Corporate governance - a set of guidelines that listed companies should follow.

Aim - to allow companies to operate in the shareholders' interests and help protect their investment from poor management decisions.

The UK version of corporate governance is presented by the Corporate governance code. The code gives us 5 main principles:
1) Leadership - the board of directors are collectively responsible for the success of the organisation and decisions are made fairly. Non-executive directors, who are part time and not involved in the day to day activities, should assist with decisions made;
2) Effectiveness - the board of directors should have appropriate skills and be provided with the relevant information on a timely basis to ensure the right decisions are made;
3) Accountability - the board of directors should ensure risks are identified and that strategies are formed while communicating openly with the auditors;
4) Remuneration - directors' pay should be fair and still be able to attract the right individuals to the role. Pay should not be set by one individual and no one should set their own pay;
5) Shareholder relationships - communication should be clear and objectives and any issues should be dealt with on a timely basis.

BOARD OF DIRECTORS:
In order for these principles to be implemented, the company must organise the board of directors so that responsibilities are shared and decisions are made fairly. Heading up the board of directors should be:
a) The Chairman - a non-executive director who leads the board to ensure strategic decisions are made in the shareholders' interests;
b) The Chief executive officer (or CEO).
The next tier of management would consist of executive and non-executive directors and there should be an equal board mix of these two types of directors.

COMMITTEES:
Executive and non-executive directors would then form committees who take on responsibilities for the company. The committees are:

1) The audit committee - responsible for financial reporting and system control matters and should be comprised of at least 3 non-executive directors.
This committee should ensure that:
– They increase confidence in the published financial information;
– They liaise and advise the board of directors to ensure they meet their responsibilities for providing financial information;
– They improve independence of the external auditor as they communicate directly with them.
Responsibilities of the audit committee include:
– Reviewing the internal controls and recommending changes;
– Communicating with the internal and external auditors;
– Reviewing the reliability of the financial statements;
– Recommending the appointment and removal of external auditors;
– Arranging for a confidential whistleblowing system for employees and potentially investigating any issues found.

2) The risk committee - responsible for assessing the risks associated with the company and recommending the best approach to reduce these risks. This committee is also made up of non-executive directors, whose role is to identify risks, prioritise them and then assess whether the risk:
– Can be transferred to another party, for example by insurance cover;
– Can be avoided altogether;
– Can be reduced by improving controls;
– Can be accepted.
Business risks must be reviewed and reported to the board regularly to ensure they are identified in a timely manner.

3) The remuneration committee - sets pay for the board of directors. It is made up of non-executive directors to ensure that:
– The executive directors are not paid excessive amounts;
– Performance is considered in decisions;
– They are not setting their own pay.
4) The nomination committee - responsible for appointing directors to the board. The board is made up of non-executive directors, which ensures that the best person is appointed for the role and reduces the risk of bias in decisions being made on recruitment.

AUDITOR’S REPORT:
The following recommendations should be followed by the companies:
– Listed companies should produce much more detailed financial information in their annual report. It will report on the corporate governance code and whether they have followed all of the principles;
– The auditors must audit the financial statements, plus they must report and review the compliance of the corporate governance code;
– The auditors must prepare their audit report and report on whether the financial statements are true and fair. They must also report on any inconsistencies found with the other information in the annual report, including the directors' statement.

The provisions of international codes of corporate governance (such as OECD) that are most relevant to auditors

The International Codes of Corporate Governance are intended:
- To improve the legal, institutional and regulatory framework for corporate governance.
- To provide guidance and suggestions for stock exchanges, investors, corporations and other parties that have a role in the process of developing good corporate governance.

The six Principles most relevant to the Auditors are:
1. Corporate Governance: There should be a clear basis for an effective corporate governance framework which should ensure there is transparency and acceptance of responsibility of all parties involved.
2. Agency: Management of the company should recognise that they are agents of the shareholders and should uphold their rights and act in their interest at all times.
3. Equitable Treatment: There should be equitable treatment amongst shareholders so that, regardless of whether institutional or minority, they are all treated in a fair and just manner.
4. Shareholder Rights: The Rights of Stakeholders should be recognised, and there should be cooperation between the organisation and its stakeholders.
5. Disclosure: All material matters, such as the financial situation, performance, ownership and governance of the company, should be disclosed in a timely and accurate manner.
6. Board Duties: The strategic guidance of the company should be ensured by the corporate governance framework and monitored by the board.

Evaluate corporate governance deficiencies and provide recommendations to allow compliance with international codes of corporate governance

The below table demonstrates recommendations for “good” corporate governance. In situations where the below does not exist, it would imply a corporate governance deficiency with regard to the International Codes of Corporate Governance, as shown.

Area | Good Corporate Governance | Corporate Governance Deficiency
The Board | The Chairman and Chief Executive should be different people to prevent unfettered power. | The Chairman and Chief Executive are the same person.
The Board | Half of the board to be Non-Executive Directors (NEDs). | There are no or few Non-Executive Directors (NEDs).
The Board | There should be a rigorous and transparent nomination process. | There is no nomination process.
The Board | Directors should submit for re-election regularly. | Directors don’t submit for re-election regularly.
Remuneration | Excessive remuneration should be avoided. | Directors are given excessive remuneration.
Remuneration | Remuneration should be linked to the performance of the business. | Remuneration is unrelated to the performance of the business.
Remuneration | The directors should not be responsible for setting their own pay. | The directors are responsible for setting their own pay.
Remuneration | There should be a transparent procedure for setting directors' remuneration. | There is no procedure for setting directors' remuneration.
Audit Committee | Directors understand they are responsible for preparing financial statements. | Directors aren’t aware they are responsible for preparing financial statements.
Audit Committee | An Audit Committee is in place with at least 3 non-executive directors. | There is no Audit Committee in place or it does not comprise non-executive directors.
Audit Committee | The Audit Committee terms of reference are set out in writing and there is a whistleblowing facility. | There is no Audit Committee terms of reference in writing and there is no whistleblowing facility.
Audit Committee | The Audit Committee reviews and monitors the internal control system and is responsible for the appointment of an external auditor. | The Audit Committee does not review and monitor the internal control system or does not take responsibility for the appointment of an external auditor.

Internal Auditors

THE ROLE OF INTERNAL AUDITORS
Internal auditor’s key role: advise and report to management.

Other roles:
1. Review of control activities: Review of control systems within the entity; and highlighting any control deficiencies that may need to be addressed.
2. Examining the timeliness of control information: Regular review of systems and ensuring that issues are reported.
3. Value for money audits: Identifying whether a decision is appropriate for the organisation; 3E's (economy, efficiency, effectiveness).
4. Identifying business risks: Review of the entity and its control systems; reporting to management; and recommendations on how to reduce the risk.
5. Examine compliance: Expertise to identify non-compliance with laws and regulations; reporting to management; and assessing how this can be avoided in the future.
6. Supporting the audit committee: Audit committee - a group of non-executive directors who manage external and internal auditors.
7. Special purpose tasks: Special investigations requested by the entity management, including mystery shopper reviews, inventory counts, and asset inspections.

DIFFERENCES BETWEEN EXTERNAL AND INTERNAL AUDITORS

Difference | External Auditors | Internal Auditors
1 Independence | External auditors must be independent to form an opinion on the FS. | Internal auditors are not independent as they are employees and report directly to directors.
2 Scope of details | Plan and perform audit procedures on control systems, transactions and balances in FS. | Cover many areas looking at the systems and controls used by the entity. Amount of work depends on the management’s requirements.
3 Objectives | Form an independent opinion on whether the FS are true and fair. | Advise management and improve the control system.
4, 5 Reporting | Written report at the end of audit. To shareholders. | To directors or the audit committee.
6 Appointment and removal | By shareholders by vote, usually at the AGM. | By the board of directors or the audit committee.
7 Whether they are a legal requirement | Required by law (there are some exemptions). | Not required by law. Recommended by corporate governance to ensure sound control systems.

RELIANCE ON INTERNAL AUDITORS' WORK
Review of control systems is what the internal auditor carries out. External auditors can use some of this work, so that they can then concentrate on other areas of the audit.

Considerations in respect of reliability of internal audit:
Consider how reliable the internal audit is.
A. Scope of work;
B. Technical competence;
C. Report quality; and
D. Independence.

Indicators of requiring the internal audit function:
1. Company is large;
2. It has complex systems and regulations that must be followed;
3. It is listed on the stock exchange; and
4. It has been known to have problems.

OUTSOURCING
Outsourcing: Not all companies will benefit from a full-time internal audit function.
In this case audit firms provide expertise for clients needing an internal audit.

Advantages and disadvantages of internal audit outsourcing:

Advantages:
– Removing employment costs (recruitment and tax);
– Audit firms may have more specialised skills;
– Increased independence; and
– Reducing the burden of having a department to manage.

Disadvantages:
– Lack of knowledge of the business;
– Long-term use may become less cost effective;
– Services may not be available immediately; and
– Conflicts of interest may arise if the audit firm carried out the external audit.

AA - Audit framework & regulation

Contents

The Acceptance Stage
The Engagement Letter
    TERMINOLOGY USED
    PURPOSE AND CONTENTS OF THE ENGAGEMENT LETTER
Audit Risk
    TERMINOLOGY USED:
    AUDIT RISK MODEL:
Identifying Audit Risks
    TERMINOLOGY USED:
    USING ANALYTICAL PROCEDURES:
The Acceptance Stage

At the acceptance stage the auditor will consider:
– Whether to continue to act for an existing client;
– Whether to accept a new engagement.

New audit clients are generally gained by three methods:
1) Client request;
2) Advertising;
3) Tendering.

Considerations as to why auditors may not accept a new client:
1) At pre-conditions stage (ISA 210):
– Is the client following an acceptable financial reporting framework (is it consistent and relevant)?
– Does the client management accept their responsibilities (ensures that controls are sufficient and provides all relevant information)?
Note: if preconditions are not met, the auditor should not accept the audit assignment.
2) Other considerations:
– Professional clearance. Writing a letter to the previous auditor asking about any professional reasons why auditors should not accept the client (breach of law, disagreements with management, lack of integrity from management, overdue fees). Note: permission is required from the client to write such a letter;
– Audit risk considerations - identify any issues that may indicate that audit risk is high;
– Time needed;
– Skills required;
– The fee;
– Ethical considerations - identify any conflicts of interest with the existing clients or threats to objectivity.

Then a decision is made:
– Reject if the risks being associated with the client are too high.
– Accept and move to the next stage of audit process, the engagement letter.

The Engagement Letter

TERMINOLOGY USED
Engagement letter: An agreement that is put in place at the start of the audit process. The engagement letter is prepared once the acceptance stage is concluded.

PURPOSE AND CONTENTS OF THE ENGAGEMENT LETTER
Purpose of the engagement letter:
1. To minimize the risk of misunderstandings;
2. To explain the audit process and the terms and conditions; and
3. For accepting the audit process in writing.

ISA 210 requirements:
Contents of the engagement letter (ISA 210):
1. Objective of the audit: Sufficient appropriate evidence to form an independent opinion;
2. Scope of the audit:
   a. Plan and perform audit procedures to audit;
   b. Statement of financial position;
   c. Statement of profit or loss;
   d. Statement of changes in equity; and
   e. Statement of cash flows.
3. Auditor’s responsibilities:
4. Client management responsibilities:
5. Financial reporting framework (for example IFRS);
6. Form and contents of any reports used:
   a. The formal written audit report will show the audit opinion; and
   b. Any control deficiencies will also be reported in writing in the form of the management letter or report to management.
7. Other matters that may be included:
   a. Confirming the use of experts during the audit engagement;
   b. The basis of fees;
   c. The reliance on some of the internal auditor's work if appropriate;
   d. Acknowledgement of any specific regulations relating to the audit;
   e. Provision of additional services;
   f. The limitations of the audit; and
   g. Timings of any communications during the audit.

The importance of the engagement letter being reviewed every year:
1. Information may be out of date;
2. Auditors may provide services not included in the engagement letter;
3. Fee basis may have changed;
4. Not received confirmation that the management accept their responsibilities; and
5. ISA 210 is not being followed.

Audit Risk

TERMINOLOGY USED:
Audit risk is the risk of the auditor giving an inappropriate opinion on the financial statements, i.e. there are material misstatements present in the financial statements.
Misstatement is:
1) a difference between the amount, classification, presentation or disclosure of a reported financial statement item and the amount, classification, presentation or disclosure that is required for the item to be in accordance with the applicable financial reporting framework (ISA 450);
2) the difference between what is in the financial statements and what should be in the financial statements in accordance with the applicable financial reporting framework.

Note: Material misstatement not identified by the auditor leads to incorrect decisions made by users and affects the auditor’s reputation.

AUDIT RISK MODEL:
In order to calculate audit risk, the auditors use the audit risk model:

AR = IR * CR * DR

where:
AR - Audit risk;
IR - Inherent risk - is the risk of a material misstatement in the financial statements due to the nature of the client, whether it be the business itself or the industry which they operate within;
CR - Control risk - is the risk of a material misstatement in the financial statements due to poor client controls;
DR - Detection risk - is the risk of a material misstatement in the financial statements due to the auditor not spotting the error.

Note: Inherent risk and Control risk cannot be changed, but must be identified to decide what should be the level of Detection risk.

If Inherent risk and Control risk are high, then Detection risk must be low, meaning that:
– More audit procedures would be needed;
– More time should be spent on the audit;
– Sample sizes should be increased;
– More experienced audit staff should be used.

If Inherent risk and Control risk are low, then Detection risk can be high, meaning that:
– Smaller samples of transactions can be tested;
– Less time will be spent on the audit.

If audit risk is assessed correctly, the audit opinion will be appropriate at the end of the process.
Identifying Audit Risks

TERMINOLOGY USED:
Audit risk is the risk of the auditor giving an inappropriate opinion on the financial statements. For example, stating the financial statements are true and fair when there is a material misstatement uncorrected.

Audit risk = Inherent risk * Control risk * Detection risk

ISA 315: Auditors are required to perform risk assessment procedures.
ISA 200: Auditors must apply ‘professional scepticism’ during the audit.

Professional scepticism is an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence.

Risk assessment includes two main pieces of work:
1) Understanding the entity and its environment;
2) Using analytical procedures.

UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT:
The process of understanding includes the following:
– Understanding the industry and other external factors;
– Laws and regulations affecting the entity;
– Organisational structure;
– Accounting policies that company follows;
– Client business plan and risks;
– Financial performance;
– Internal controls.

Three main methods of gathering information about the client are:
1) Enquiry;
2) Observation;
3) Inspection.

The four main sources of information are:
a) Within the audit firm (previous years' workings, discussions with audit partner and manager);
b) From external sources (companies house, internet and trade press, industry surveys, credit reference agencies);
c) From the client (discussions with management, observation of procedures, website, brochures);
d) From the individual auditor.

USING ANALYTICAL PROCEDURES:
Analytical procedures are defined as:
1) Evaluations of financial information through analysis of plausible relationships among both financial and non-financial data (ISA 520).
2) Comparing financial and non-financial data to understand changes.
Note: Analytical procedures are used at the planning stage, the substantive testing stage and the completion and review stage of the audit.

The purpose of analytical procedures at the planning stage is to understand the business the client operates, identify unusual balances, transactions and events, and identify potential material misstatements.

Ratios can be categorised to review the following:
1) Profitability ratios:
Gross profit margin = (Gross profit / Revenue) * 100%
Net margin = (PBT / Revenue) * 100%
2) Efficiency ratios:
Receivable days = (Receivables / Revenue) * 365 days
Payable days = (Payables / Purchases) * 365 days
Inventory days = (Inventory / Cost of sales) * 365 days
3) Liquidity ratios:
Current ratio = Current assets / Current liabilities
Quick ratio = (Current assets - Inventory) / Current liabilities
4) Return ratios:
Gearing ratio = Debt / Equity = Borrowings / Share capital and reserves

Note: Comparison of current year ratios to previous year, budgets and averages helps to identify unusual differences which could be the result of a material misstatement.

AA - Audit and Assurance

Contents
Laws and Regulations
  REGULATORY BODY
  REQUIREMENT OF EXTERNAL AUDIT
  THE RIGHTS AND DUTIES OF THE AUDITOR
  APPOINTMENT AND REMOVAL OF THE AUDITOR
Fraud
  AUDITOR'S RESPONSIBILITIES
  FRAUD
The Planning Process
  THE PURPOSE OF THE PLAN
  IDENTIFYING AUDIT RISKS
  AUDIT STRATEGY
  MATERIALITY AND PERFORMANCE MATERIALITY
Audit Documentation
  AUDIT DOCUMENTATION
  CURRENT AUDIT FILE
  ACCESS TO WORKING PAPERS
Quality Management (ISA 220 - Revised)
  1. The H is for HUMAN RESOURCES:
  2. The E is for ETHICAL REQUIREMENTS:
  3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS:
  4. The R is for RESPONSIBILITIES OF LEADERSHIP:
  5. The M is for MONITORING:
  6. Finally, E is for ENGAGEMENT PERFORMANCE:
  Evaluating quality management deficiencies and providing recommendations to allow compliance with quality management requirements:

Laws and Regulations

REGULATORY BODY
External auditors must follow strict guidance to ensure their work is of the correct standard. This includes:
– The code of ethics which is guidance on behaviour of the auditor;
– Auditing standards that must be followed; and
– Corporate law specific to where they are based and where the client operates.

The IFAC, International Federation of Accountants, is a global supervisory body.

The IAASB, International Auditing and Assurance Standards Board, is the group that looks after the external auditor. They have 2 key outputs:
1. The development of international standards on auditing, or ISAs (currently 36); and
2. International standard on quality control, or ISQC (only 1).

ISAs are published in a book, regularly reviewed and periodically updated by the IAASB. Each ISA gives the auditor specific guidance on elements of the audit process.

For a new ISA to be developed, there is a lengthy process, which includes:
– A debate within the IAASB on the issue;
– An issue of an exposure draft, which is a draft of the standard;
– Comments from external parties are taken on board and approval from the IAASB is sought; and
– The new or adapted ISA is published.

Note: Many countries may have created their own version of auditing standards and choose not to follow the international ones. This is permitted as the IFAC has no legal standing in each country.

REQUIREMENT OF EXTERNAL AUDIT
Who needs an audit?
1. Registered companies are required to have an external audit.
2.
In UK law there is an exemption which allows small companies (companies with revenue not more than £6.5 million) to not appoint external auditors, but they can still have an external audit if they wish.

Who is allowed to form an independent opinion?
– The practitioners (those responsible for the audit and decisions made on it) are required to be a member of a recognised supervisory body or RSB (ACCA and ICAEW), and be allowed to be a practitioner by their rules.
– Once a member, they are allowed to form an opinion on financial statements and sign audit reports.

THE RIGHTS AND DUTIES OF THE AUDITOR
The key rights of an auditor are:
1. They must be allowed access to all relevant company books and records;
2. They must be given all information and explanations necessary to complete their audit;
3. They must be allowed to attend any general meetings between the management and the shareholders, including the AGM;
4. They are allowed to be heard at such meetings; and
5. They must be given copies of any written resolutions of the company.

The auditor's duties are:
1. To audit the financial statements and form an independent opinion on them, stating whether or not they are true and fair;
2. To report on any specific legal requirements relevant to the company being audited; and
3. To ensure they follow auditing standards and their ethical code while carrying out the audit.

APPOINTMENT AND REMOVAL OF THE AUDITOR
Auditors are generally appointed by the shareholders. However, there are some exceptions to this rule:
− If it is the first year that the audit has been required, or if it is the first year the company has been set up, the directors are allowed to appoint the auditors initially.
− If neither the directors nor the shareholders have appointed the auditors, and deadlines for submission of an audit report have passed, then the government would usually step in.

There are two main situations where auditors would no longer act for a company:
1.
They are no longer able to act for the company and resign as auditors. Auditors issue a statement of circumstances which gives the reasons for the resignation, and would then be available to assist with a handover to the next audit firm appointed; or
2. They are sacked or removed.

Notes:
– The shareholders are responsible for removing the auditors;
– Notice is given to both the directors and auditors;
– If auditors feel the decision is unjust, they have the right to send a response to all parties explaining why they should not be removed.

Fraud

AUDITOR'S RESPONSIBILITIES
ISA 240 Auditor’s responsibilities relating to fraud: The auditors have a duty to identify and communicate any evidence found that fraud is present.

Auditor’s responsibility: To obtain reasonable assurance that the financial statements as a whole are free from material misstatements, whether they arise from fraud or error.

Note: The key difference between fraud and error is whether the misstatement was intentional or not.

The primary responsibility towards fraud (remains with directors) is to ensure that fraud is not present in the financial statements and the company as a whole.

The secondary responsibility towards fraud (auditor’s responsibility) is to identify misstatements during the audit process and assess whether they are as a result of fraud or error.

In order to maintain responsibility, the auditor must:
– Maintain professional scepticism throughout the audit process;
– Assess any audit risks that could lead to fraud;
– Generally assess the risk of material misstatements for the entity;
– Review how management react and manage fraud;
– Talk to management to see if they are aware of any instances of fraud; and
– Gather sufficient appropriate evidence from audit procedures designed to assess the risk of fraud.

FRAUD
Fraud is criminal activity. There are two types of fraud:
1. Fraudulent financial reporting; and
2. Misappropriation of assets.

A high risk of fraud requires:
1.
Planning of appropriate procedures to ensure auditors are in the best position to detect fraud;
2. Ensuring that more experienced audit staff are available for the audit team;
3. Changing audit procedures from what auditors would normally do, as being less predictable could catch out anyone trying to conceal fraud;
4. Focusing on balances containing estimates from management as this would be a popular area to manipulate figures; and
5. Focusing on the transactions posted around the year end, as cut-off errors are often an intentional way of increasing or reducing balances.

If fraud is found by the auditor, the following steps must be followed:
1. Report it to those responsible for the audit team, for example, the audit manager and audit partner;
2. They should then consider the evidence obtained and report this to the highest level of management at the client;
3. If the auditor is suspicious that the management are involved, they should seek legal advice and consider whether they should report externally;
4. Caution should be taken when reporting externally as the auditor has a duty to maintain confidentiality;
5. If the fraud detected is material to the users of the financial information, then the auditor would need to modify the audit report to make the shareholders aware of the issue.

RESPONSIBILITY OF INTERNAL AND EXTERNAL AUDITORS FOR PREVENTING FRAUD
Internal auditors and external auditors both play a crucial role in the prevention and detection of fraud and error. While their roles may overlap to some extent, there are key differences in their responsibilities and approach.

Internal auditors are employees of the organization they work for, and their primary responsibility is to provide independent and objective assurance to management and the board of directors. They evaluate the effectiveness of internal controls and assess the risk of fraud and error occurring in the organization's operations.
Internal auditors also identify opportunities for improvement in internal control systems and recommend changes to reduce the risk of fraud and error.

To prevent and detect fraud and error, internal auditors may conduct risk assessments, perform fraud investigations, and analyze financial data. They may also review contracts, policies, and procedures to ensure compliance with laws and regulations. Additionally, internal auditors may provide training and guidance to employees on how to identify and report potential fraud and error.

External auditors, on the other hand, are typically hired by the organization to provide an independent evaluation of the financial statements. Their primary responsibility is to express an opinion on the fairness of the financial statements and provide reasonable assurance that they are free from material misstatement. While external auditors are not responsible for detecting all instances of fraud and error, they do have a responsibility to identify and report any material misstatements they become aware of during their audit.

To prevent and detect fraud and error, external auditors may perform various procedures such as reviewing transactions, testing internal controls, and verifying the accuracy of financial information. They may also conduct interviews with key personnel and review documents to gain a better understanding of the organization's operations.

In summary, internal auditors and external auditors both have a responsibility to prevent and detect fraud and error in an organization. Internal auditors focus on providing independent assurance and identifying opportunities for improvement in internal controls, while external auditors focus on expressing an opinion on the fairness of the financial statements and identifying any material misstatements. By working together, these two types of auditors can help ensure the integrity of an organization's operations and financial reporting.
The Planning Process

THE PURPOSE OF THE PLAN
ISA 300: The objective of planning the audit is to ensure it is performed in an effective manner.

There are some key reasons why a plan is important for an audit:
– It will ensure the auditor can give enough attention to more problematic areas;
– It gives auditors time to assess the risks associated with the audit before they start the audit work;
– They are able to plan appropriate audit procedures in relation to these risks;
– They can select the right level of experience needed on the audit team; and
– They can consider the need for experts and assistance from internal auditors which can then be planned properly.

IDENTIFYING AUDIT RISKS
The audit plan begins with identifying potential audit risks. An audit risk is the risk of the auditor providing an inappropriate opinion, for example, reporting that the financial statements are true and fair when they are not.

The auditor must assess risks using the audit risk model: AR = IR x CR x DR, where
IR = Inherent risk - the risk of material misstatement due to the nature of the entity;
CR = Control risk - the risk of material misstatement due to poor controls; and
DR = Detection risk - the risk of material misstatement due to the auditor not spotting errors.

There are two main pieces of work that assist auditors in identifying these risks:
1. Analytical procedures: These are comparisons of financial and non-financial data to help the auditor understand material changes in the financial statements. With the use of ratios, auditors can identify changes in balances which may then need to be investigated when carrying out their audit procedures later on.
2. Understanding the entity and its environment: This is an important procedure because if the auditor lacks a fundamental understanding of what the client does, there is a real risk they may make poor decisions and issue an inappropriate opinion.
AUDIT STRATEGY
The audit strategy is produced to identify the overall plan for the audit. We can separate the audit strategy into three components:
1. The scope: specific details relating to the audit for the client (inventory locations, reporting systems, etc.);
2. The timing: Considers when areas of the audit process should be completed. The audit may need to include an interim and a final audit; and
3. The overall direction of the audit: The auditor decides what style of procedures are required and the volume of work needed. The auditor will be able to determine whether control systems look reliable and decide whether direction will be controls based (the level of substantive work can be reduced), or procedural (more detailed audit testing, larger sample sizes, skilled staff and more time needed).

MATERIALITY AND PERFORMANCE MATERIALITY
At the planning stage, the auditor must decide what a material misstatement is, which means that it can influence the users of the financial information. An item can be material by:
1. Its size: If that is the case, the auditor would request that the client correct this in the financial statements. If they don’t, the auditor would conclude that the financial statements are not true and fair. The guidelines on materiality state that an item is material if it is above:
a. 5-10% of profit;
b. 1/2 - 1% of revenue; or
c. 1-2% of total assets.
2. Its nature: A prime example is directors' transactions which must be transparent to the users.

The auditor must also consider and set performance materiality. If any misstatements identified while performing audit procedures are above performance materiality, they are recorded and presented in the summary of unadjusted errors. The auditor would then request the client to adjust these errors in the financial statements.
WRITTEN AUDIT PLAN
The audit planning document is a detailed document that proves whether the auditor has planned the audit properly and includes all information needed to then carry out the rest of the audit process.

The planning document should include the following:
– Assessment of materiality and performance materiality;
– Details from the analytical review performed at the planning stage;
– Key audit risks;
– Background information regarding the client in understanding the entity;
– Any specific laws and regulations;
– Staff booked for the audit team and budgets set;
– The overall audit strategy; and
– Deadlines set to ensure the audit process is completed on time.

Audit Documentation

AUDIT DOCUMENTATION
ISA 230: The auditors must ensure they have written documentation that:
– Proves that the audit was planned and performed in accordance with auditing standards;
– Helps the audit team plan and perform the audit;
– Helps more senior members of the audit team direct and supervise, as well as review the work completed;
– Is a sufficient appropriate record of audit work completed to assist in forming the audit opinion;
– Assists future audits; and
– Enables the audit team to prove they did the work.

For every client, the audit firm will keep files to organise documentation. There will be:
1. Current audit file: Stores all relevant evidence and documentation relating to the current audit:
a. It should be completed in a timely manner;
b. Files must be retained by the audit firm for a minimum of 5 years; and
c. It enables the auditor to prove what they did (e.g., in case of legal action).
2. Permanent audit file: Stores all client-related documentation that would be useful for current and future audits (previous years' financial statements, client organisation structure, key personnel, contact details, etc.).
3. Correspondence: Evidence that proves that communication between the auditor and the client is effective (may be electronic or physical).
CURRENT AUDIT FILE
The current audit file has three main sections:

1. The planning section: Includes all considerations made during the planning stage:
– Assessment of materiality and performance materiality;
– Details from the analytical review performed at the planning stage;
– Key audit risks;
– Background information regarding the client in understanding the entity;
– Any specific laws and regulations;
– Staff booked for the audit team and budgets set;
– The overall audit strategy; and
– Deadlines set to ensure the audit process is completed on time.

2. Audit performance:
Note: The audit performance section will include all documentation and evidence collected that relates to the audit procedures carried out on the systems, transactions, balances and disclosures relating to the financial statements. Without this work the auditor cannot form an opinion on the financial statements.

For every test carried out, the auditor needs to prepare something called working papers. The working papers will usually include:
i. Lead schedule: The first document for each balance that will show the total balance, which will agree with the balance shown in the financial statements;
ii. Backup schedules: Individual schedules for each sub balance which makes up the total balance in the financial statements;
iii. Audit programmes: Detailed documents which explain the audit procedures carried out on the balance. Each audit programme must show the following:
– Objective of the test;
– Description of the audit work;
– How the sample was chosen to test;
– Outcome or conclusion from the work;
– Who did the work;
– Date it was completed; and
– Who reviewed the work at the completion stage.

3. Completion: The section where the final review is carried out and post year end audit procedures are carried out.
The key areas of the completion stage are:
– Final analytical procedures;
– Disclosure checklist for accounting standards;
– Summary of unadjusted errors;
– Record of adjustments made since the trial balance was produced;
– The subsequent event review;
– The going concern review;
– Written representations;
– Draft financial statements; and
– Draft management letter or report to those charged with governance.

ACCESS TO WORKING PAPERS
The audit file and all of the working papers produced by the audit team belong to the auditor. Access to the working papers is only permitted if authorisation is given by the auditor. The reasons for this are:
– The working papers will contain sensitive information about the client;
– If any of the work is lost or stolen, it would need to be recreated in order to form an opinion; and
– There is a risk of evidence being tampered with.

Quality Management (ISA 220 - Revised)

The topic of Quality Management directly relates to the auditing standard, ISA 220 (Revised) – Quality Management for an Audit of Financial Statements. This auditing standard focuses on the audit firm’s own quality management procedures.

Overall objective and importance of quality management:
The standard states that the objective of the auditor is to implement quality management procedures at the engagement level that provide the auditor with reasonable assurance that:
(a) The audit complies with professional standards and applicable legal and regulatory requirements; and
(b) The auditor’s report issued is appropriate in the circumstances.

For this to happen, the standard gives a recommended set of policies and procedures that should be carried out. To help remember the key policies and procedures from the standard, you could use ‘HEAR ME’.

1. The H is for HUMAN RESOURCES:
The audit firm, and in particular, the engagement partner who is responsible for the client, should ensure that their audit team is capable.
– They should assess the competence of the team members to ensure that the audit is performed at an appropriate standard.
– They should ensure that the audit team has sound knowledge of the client being audited, and therefore understands the entity and its environment.
– However, they must also ensure the technical skills within the audit team are enough to reach appropriate conclusions.

2. The E is for ETHICAL REQUIREMENTS:
Quite simply, the audit firm must ensure that they comply with the ACCA code of ethics.
– They must ensure the fundamental principles are followed; and
– That they manage any ethical threats, conflicts of interest or other risks appropriately.

3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS:
The audit firm must consider whether they should accept every engagement.
– Once they have accepted the client engagement, they must then review every year to ensure the entity should continue to be their client.
– The key issue is that the audit firm must only accept clients with an acceptable level of risk.

4. The R is for RESPONSIBILITIES OF LEADERSHIP:
– The engagement partner must take overall responsibility for the audit team and the audit process.
– This means they must also ensure the quality management procedures within the audit firm are of a high standard so as to follow professional standards accordingly.

5. The M is for MONITORING:
We have already said that strong policies and procedures should be in place. However, to ensure these are followed, there must be an element of review from the audit firm. The standard recommends 2 types of monitoring:
– HOT review
– COLD review

An independent partner within the audit firm usually undertakes the hot review. They review the audit work and conclusions reached. This is to ensure that the overall conclusion, i.e. the opinion, is appropriate. Hot reviews are usually carried out for listed clients or those with significant audit risks. A hot review is carried out before the audit report is signed.
It is also known as an EQR or engagement quality review.

A senior member of staff at the audit firm performs a cold review. An external consultant can carry it out. They review the work carried out for the client and the conclusions reached. The key difference is that the review takes place after the audit has been completed and the audit report is signed. A sample of clients is selected across the audit firm to review. This ensures consistency across audit teams, and identifies if there is a risk of non-compliance with professional standards.

6. Finally, E is for ENGAGEMENT PERFORMANCE:
This looks at the overall performance of the audit assignments across the audit firm. This is made up of 3 elements:
– Direction of audit: The direction focuses on ensuring everyone is aware of the objectives of the audit, knowledge of the client business, the risks and any problems that may arise.
– Supervision of audit: Supervision is looking to ensure that the audit is reviewed by someone senior who can ensure the team is competent and the deadlines are met to provide timely information for the client.
– Review of the audit: The review is to ensure professional standards have been followed, that there is evidence to back up conclusions made and that the evidence collected is sufficient and appropriate.

Each of these 6 components is explained in ISA 220 to enable audit firms to ensure the highest quality work is performed. This therefore ensures that an appropriate audit opinion is formed on the financial statements for every client, which ties back to the obligation to ensure they follow professional standards and that their reports are appropriate for the client’s requirements.

Evaluating quality management deficiencies and providing recommendations to allow compliance with quality management requirements:
Regarding monitoring and remediation, the standard provides the following guidance (section A111.
of ISA 220 (revised)):

In considering information communicated by the firm through its monitoring and remediation process and how it may affect the audit engagement, the engagement partner may consider the remedial actions designed and implemented by the firm to address identified deficiencies and, to the extent relevant to the nature and circumstances of the engagement, communicate accordingly to the engagement team. The engagement partner may also determine whether additional remedial actions are needed at the engagement level. For example, the engagement partner may determine that:
• An auditor’s expert is needed; or
• The nature, timing and extent of direction, supervision and review needs to be enhanced in an area of the audit where deficiencies have been identified.

If an identified deficiency does not affect the quality of the audit (e.g., if it relates to a technological resource that the engagement team did not use) then no further action may be needed.

However, the standard further states that an identified deficiency in the firm’s system of quality management does not necessarily indicate that an audit engagement was not performed in accordance with professional standards and applicable legal and regulatory requirements, or that the auditor’s report was not appropriate in the circumstances.

AA – Internal control

Contents
The Auditor's Approach to Internal Controls
  UNDERSTANDING OF CONTROL:
  OBJECTIVES OF CONTROL SYSTEMS:
  LIMITATIONS OF CONTROL SYSTEM:
  AUDITOR’S EXPECTATION OF INTERNAL CONTROL SYSTEM:
  AUDITOR’S WORK AND APPROACH:
Identifying and Reporting Internal Control Deficiencies
  HOW THE AUDITOR IDENTIFIES DEFICIENCIES:
  THE MANAGEMENT REPORT:
  TIMING OF COMMUNICATING DEFICIENCIES:
Control Cycles
  KEY CONTROL CYCLES
  SALES CYCLE
  PURCHASE CYCLE
  ASSETS CYCLE
  INVENTORY CYCLE
  PAYROLL CYCLE
  CASH CYCLE

The Auditor's Approach to Internal Controls

UNDERSTANDING OF CONTROL:
A control is a procedure put in place to achieve the company’s objectives. For any organisation to run well it needs sound control systems in place.
OBJECTIVES OF CONTROL SYSTEMS:
– To ensure accurate accounting records;
– To safeguard assets held by the organisation;
– To prevent and detect fraud;
– To ensure an efficient working environment.

LIMITATIONS OF CONTROL SYSTEM:
– Human error;
– Fraudulent collusion;
– Abuse of authority.

AUDITOR’S EXPECTATION OF INTERNAL CONTROL SYSTEM:
ISA 315: Auditors must understand the client’s internal controls. In particular:
– To assess whether the control system is strong or weak;
– Develop an understanding of what is expected from the control system.

To give a benchmark of what is a good control system, ISA 315 provides 5 components of an internal control system:
– Control activities - all individual procedures and policies of the system (authorisation, performance review, accounting reconciliations, segregation of duties, IT controls, physical controls);
– Risk assessment procedures - procedures to identify and manage business risks;
– Information systems - organised system for collection, organisation, storage and communication of financial information;
– Monitoring of controls - role of internal auditor;
– Environment - overall control environment of the entity.

AUDITOR’S WORK AND APPROACH:
The aim of the auditor is to assess whether internal control would ensure material misstatements are identified and corrected. A poor control system increases the risk of material misstatements.

Step by step approach of control systems review:
1) Identify and understand the control system. Methods used: enquiry, inspection, observation.
2) Document the system. Methods used: detailed notes, flowcharts.
3) Assess the system. Identify whether it is strong or weak through enquiry, inspection, observation and sending questionnaires (ICQs or ICEQs).
4) Report any issues identified and provide recommendations.
5) Gather evidence for a strong control system in the form of control tests or control procedures.
6) Decide how much further audit work is needed to form the audit opinion.
7) Perform substantive procedures.

The factors to be taken into account when assessing the need for an internal audit

When assessing the need for an internal audit, the audit committee should consider:
- The scale, diversity and complexity of the business.
- The resources available to carry out an internal audit.
- The level of internal controls within the organisation.

Some of the reasons to have an Internal Audit function include:
- Internal Controls: IA could determine where control systems are needed and recommend/monitor the implementation of these.
- Audit Fee: IA may decrease the audit fee where external auditors can place reliance on the work of internal audit.
- Assistance to Financial Accountant: IA could support the financial accountant in compliance with financial reporting standards, as well as recommending control systems.
- Corporate Governance: IA could recommend policies for good corporate governance.
- Accounting Systems: IA could audit the accounting systems to ensure they are operating correctly.
- Computer Systems: IA could review the effectiveness of controls specifically around the computer systems, for example reviewing the backup and disaster recovery arrangements and ensuring compliance with regulations.
- Value For Money (VFM) Audits: IA could offer VFM audit services, such as reviewing the potential upgrade of systems.

Where no internal audit function exists, the reasons behind its absence should be explained in the annual report.

The factors that may be considered against establishing an internal audit department include:
- No Statutory Requirements: Given it is not a statutory requirement, the directors may deem IA as an unnecessary use of resources.
- Non-complex Systems: The directors may deem the systems in place non-complex and, as such, not deem review needed.
- Potential Cost: The cost associated with establishing and maintaining IA may be deemed too high.
- Internal Resistance to Review: Management and staff may feel challenged by IA review, and it may affect morale.

The elements of best practice in the structure and operations of internal audit

Elements of Best Practice in IA:
- Scope & Reporting: The scope of IA work should be determined by the Audit Committee, and IA should report their findings to the Audit Committee (or Board if no Audit Committee exists).
- Competence & Resources: The IA function will need to be professionally competent, sufficiently resourced and well-organised in order to carry out its function effectively. In particular, the head of the internal audit should be sufficiently experienced and professionally qualified.
- Independence: IA will need to maintain the independence of internal audit from management, and care must be taken to keep it objective and independent. They should report to an independent committee (i.e. the Audit Committee), maintain good regard with other departments, and have a ‘whistle-blowing’ function to report serious misconduct when found. Alongside this, controls should be established to avoid self-review by internal auditors, and staff should be regularly rotated into different work areas.

The scope of internal audit and the limitations of the internal audit function

The scope of the IA function is as follows:
- Reporting on and monitoring the effectiveness of internal controls.
- Assisting with the implementation of required accounting standards.
- Liaising with the external auditor to reduce the time and expense of the external audit.
- Ensuring compliance with OECD Principles.

Some limitations of the IA function (as well as potential safeguards) include:
- Reporting: The IA function may be reporting information back to the individual who prepared that information (e.g. Finance Director). A safeguard for this is to also report relevant information to the Audit Committee.
- Scope: The scope of IA may be decided by executives who intentionally focus on certain areas and avoid others. A safeguard for this is to have the scope decided by the Chief Internal Auditor or the Audit Committee.
- Self-Review Threat: IA may find themselves reviewing their own work. A safeguard for this is to ensure IA is removed from the setting and management of controls.
- Familiarity Threat: If members of the IA function have been there for too long, they risk becoming over-familiar with areas and losing their professional scepticism. A safeguard for this is to rotate roles and members within the IA function.

The nature and purpose of internal audit assignments, including value for money, IT, financial, regulatory compliance, fraud investigations and customer experience (VFM, Financial and Regulatory are Included)

The main function of internal audit in the area of IT will be to assess the controls in place. The internal audit function of an organisation may have an IT specialist in the team who will support this. Other functions will be to ensure that the systems in place represent value for money and also to ensure effective controls over the awarding of IT contracts.

The internal audit function may also conduct assignments to assess the handling of fraud or customer complaints independently from management. Again, their role is to monitor that the controls in place are being appropriately followed and are aligned with relevant legislation, and they should report significant matters to the Audit Committee.

Discuss the nature and purpose of operational internal audit assignments

Operational audit assignments should identify the possible risks involved in that operation, the procedures in place to mitigate the risks and whether those procedures are being followed.

Some examples of operations and the areas looked at by IA include:
- Marketing: Is the company getting value for money from its advertising? Were the objectives of the campaigns achieved?
- Procurement: Are the systems in place for control of purchasing operating effectively? What procedures are in place to reduce procedure risk?
- Treasury: Are there procedures in place to manage currency risk, interest rate risk, and inflation impacts?
- Human Resources: Are policies in place to ensure the appropriate hiring, management and layoff of employees?

Describe the format and content of internal audit review reports and make appropriate recommendations to management and those charged with governance

Internal audit reports will usually be issued to the Audit Committee or those charged with governance. The Internal Audit Review Report should be set out clearly and concisely, be fair and consistent, and highlight findings, making recommendations as appropriate. IA should be engaged in ongoing discussions with management as they conduct their assignment, and as such, any issues that arise should be well communicated and not included as unexpected findings in the report.

The format and content of the report should include the following:
- Cover: Setting out the subject, recipient, date, and any relevant rating required.
- Executive Summary: Summarise the key points of the report concisely.
- Key findings and recommendations: Giving an overview of the main problems discovered, any breaches in procedures and any ineffective controls.
- Detailed findings and agreed actions: Setting out the key findings and the timing and responsibilities for corrective action.
- Assessment grading or rating: Internal audit may undertake a rating system for grading the systems under review, in which case this should be provided.

Identifying and Reporting Internal Control Deficiencies

HOW THE AUDITOR IDENTIFIES DEFICIENCIES:
1) Each system must be reviewed and understood by the auditor;
2) Then the system is documented for evidence;
3) It is decided whether the system can cause material misstatements;
4) Auditor identifies if there are any issues with the way the system operates;
5) Using their skills auditors may notice control activities that are missing.

All this gives the auditor the opportunity to find deficiencies within the system.

Note: For every control deficiency found the auditor has an obligation to provide a recommendation about how the entity could improve that control.

THE MANAGEMENT REPORT:
Report to those charged with governance = Management letter = Management report.
ISA 265: Significant deficiencies should be communicated in writing to the entity’s management.

The management report is addressed to the directors and:
– Contains all deficiencies found during the audit;
– Explains the impact of deficiencies;
– Provides recommendations.

Specific information in management report:
– Report is not a comprehensive list of all deficiencies, it contains only those found by the auditor;
– Information is solely for the use of the company;
– Nothing within the report should be disclosed to a third party without the auditor’s written permission;
– No responsibility is assumed to any other parties.

TIMING OF COMMUNICATING DEFICIENCIES:
Management report is usually communicated at the end of the audit.

Computer systems controls, including general IT controls and information processing controls

A good IT system should have both application and general IT controls.

General IT controls ensure that the information system can run properly. Examples of these controls include:
● Software system acquisition controls
● Software change and maintenance controls
● Security (password etc.) controls
● Backup controls

Information processing controls apply to the processing of transactions.
Examples of these controls include:
● Existence checks
● Authorisation checks
● Sequence checks
● Arithmetic checks
● Batch total checks

Control Cycles

KEY CONTROL CYCLES
Control cycles are systems linked to financial statements that have an impact on whether the financial statements are true and fair. They are:
– Sales;
– Purchases;
– Assets;
– Inventory;
– Payroll; and
– Cash.

SALES CYCLE

Stage 1. Order is received
  Control objective: Orders are accepted for customers who can pay. All orders are processed.
  Example of risk: An order is taken for a customer who has exceeded their credit limit. The order is not recorded properly.
  Controls put in place: Access to customer accounts where credit limits can be reviewed.

Stage 2. Goods are dispatched
  Control objective: Goods dispatched are on time to the right customer. All goods are sent out.
  Example of risk: The goods sent out are for the wrong quantity.
  Controls put in place: Original order must be agreed to the dispatch note and goods. This check must be signed.

Stage 3. Invoice is prepared and sent
  Control objective: All goods have been invoiced for. The amounts are correct.
  Example of risk: A customer was not invoiced for the right product.
  Controls put in place: Sequentially numbered copy of dispatch note is sent to accountants and reviewed by them.

Stage 4. Transaction is recorded
  Control objective: Include all invoices on the system. The amounts are correct.
  Example of risk: Sales are not recorded accurately or recorded in the wrong period.
  Controls put in place: Invoices are sequentially numbered. Regular check of the system for missing invoices.

Stage 5. Cash is received
  Control objective: Cash is received on a timely basis. Cash is recorded correctly in the correct account.
  Example of risk: The cash is not paid on time.
  Controls put in place: Perform credit control procedures: analyse overdue debts, chase customers for payments.

PURCHASE CYCLE

Stage 1. Requisition
  Control objective: Ensure goods are requested and are for business purposes.
  Example of risk: The requisition note may not be received by the purchasing department.
  Controls put in place: Requisitions must be sent by email to the purchasing department who must respond when they make the order.

Stage 2. Order is placed
  Control objective: Ensure suppliers are checked for reliability, quality and price. Ensure orders are made considering disruptions to production.
  Example of risk: A supplier is not reliable and delivers late, leading to a delay in production.
  Controls put in place: Select a supplier from an authorised supplier list.

Stage 3. Goods are received
  Control objective: Ensure only goods ordered are received and accepted. Ensure goods are received on time.
  Example of risk: Goods received have not been ordered by the company.
  Controls put in place: Goods should be inspected and agreed to the delivery note and purchase order.

Stage 4. Invoice is received
  Control objective: Ensure invoices received are for goods received. Goods received are for business purposes. Amounts and products are correct.
  Example of risk: The invoice is not for goods ordered.
  Controls put in place: Invoice is matched with the corresponding purchase order and requisition note.

Stage 5. Invoice is recorded
  Control objective: Ensure all invoices are recorded accurately and in the correct period.
  Example of risk: Invoice may be missed, thus, purchases and payables may be understated.
  Controls put in place: Allocate sequential number to each invoice. Check the system regularly for missing invoices.

Stage 6. Payment is sent
  Control objective: Ensure payments are made on time for the correct amounts, for goods ordered and received.
  Example of risk: The payment is not made and the supplier may no longer grant credit.
  Controls put in place: Review the aged payables list regularly for older debts and ensure they are paid on time.

ASSETS CYCLE
The control system for assets would work in the same way as the purchase system. However, there would be some additional controls required:
– Authorisation of costs by a senior level of management; and
– Use of the asset register. This spreadsheet will record date, cost, depreciation, carrying value, location and disposal date, and proceeds in relation to the assets. It must be updated, reviewed regularly and compared to the accounting system to ensure there are no errors.

INVENTORY CYCLE
Key objective: To keep inventory safe and maintain its value.

The risks are:
– Goods could be stolen;
– Goods could be damaged;
– Goods may become obsolete.

Storage controls are:
– Increased security measures such as CCTV, alarm systems, and security guards;
– Restricted access to the warehouse;
– Swipe card access or fingerprint recognition at entry points;
– Practical packaging of inventory items;
– Shelving for organised storage;
– Training for handling of items;
– First in first out system for items being dispatched;
– Not to hold excessive amounts of inventory;
– Regular monitoring of aged inventory list for old, slow-moving items;
– Special offers potentially to shift items that are not selling faster.

Controls over monitoring of inventory count should also be implemented. Important elements of the inventory count are:
– The people counting - they should be objective (i.e., no warehouse staff);
– The admin or paperwork;
– The count itself; and
– The end process of the count.

There are 2 key pieces of paperwork to be made:
1. The count instructions: They should be clear and easy to follow. They should be given out before the count and the staff should be briefed so they fully understand what they are to do.
2. The count sheets: They should be sequentially numbered. Spare sheets for inventory found not on them should also be pre-numbered so sheets cannot go missing. The count sheets should be signed out and divided between the teams.

Additional controls over inventory count:
– Count staff should inspect inventory for evidence of damage which could affect the valuation and flag this on the count sheets or inform the count supervisor;
– Areas can be marked once counted to also reduce the risk of mistakes; and
– At the end of the count, the sheets should all be signed back in and the sequence checked to ensure no inventory sheets are missing.

PAYROLL CYCLE

Stage 1. Fixed and variable data is recorded
  Control objective: Ensure that data is kept secure and only authorised access is allowed.
  Example of risk: Including fraudulent working hours, as information is opened to manipulation. Risk of unauthorised access.
  Controls put in place: CCTV over the clock card area as a deterrent. Authorisation of overtime from a senior official. Supervision of employees.

Stage 2. Calculations are made by the system
  Control objective: The software is up-to-date and checked for updates.
  Example of risk: System is not updated.
  Controls put in place: Regular checks on calculations, taking samples and making recalculations.

Stage 3. Outputs from system are created
  Control objective: Ensure that data is kept secure and only authorised access is allowed.
  Example of risk: Risk of unauthorised access.
  Controls put in place: Secure password access. Access only by those authorised. Sending payslips straight to employees' homes. Payroll report is reviewed by manager.

Stage 4. Payments are made
  Control objective: Payments are correct, made on time and to valid employees.
  Example of risk: Payment is missing or not made on time.
  Controls put in place: Payment sheets are reviewed by manager. Deadlines for submissions are identified.

CASH CYCLE

Stages:
1. Payment is requested
2. Payment is authorised
3. Payment is made
4. Transaction is recorded

Control objective:
– Cash is kept to a minimum.
– Payments can only be made with proper authorisation.
– Payments are for business purposes only.
– Cash is protected from theft.

Example of risk:
– Cash is stolen.
– Unauthorised payments are made.
– Payments are made for personal purposes.

Controls put in place:
– Use imprest system for petty cash.
– All payments must be authorised.
– Cash book and petty cash book are reviewed regularly.
– Cash is kept in safe.
– Cash is banked regularly.
– Implement procedures to avoid theft.

AA - Audit evidence

Contents
The Financial Statement Assertions
  TERMINOLOGY USED:
  ASSERTIONS:
Gathering Evidence
  AUDIT PROCEDURES:
  CRAVE COCA:
  QUALITY OF EVIDENCE:
  METHODS OF GATHERING EVIDENCE:
  REVIEW THE RESULTS OF AUDIT PROCEDURES:
Computer Assisted Audit Techniques (CAAT's)
  TEST DATA:
  AUDIT SOFTWARE:
Data Analytics in Audit
  What is Data Analytics?
  Data Analytics and Audit
  Benefits of Data Analytics
  Challenges in Data Analytics
Relying on the Work of Others
  KEY CONSIDERATIONS
  AUDITOR'S OWN EXPERT
  EXTERNAL EXPERT - INTERNAL AUDIT
  EXTERNAL EXPERT - SERVICE ORGANISATION
Smaller Entities and Not-for-Profit Organisations
  AUDIT OF SMALLER ENTITIES
  AUDIT OF NOT-FOR-PROFIT ORGANISATIONS

The Financial Statement Assertions

TERMINOLOGY USED:
Financial statement assertions represent the key objectives of the substantive audit procedures. If a substantive procedure does not address an assertion, it does not assist the auditor in forming an audit opinion.

The overall objective of the external auditor is to decide whether the financial statements are true and fair and properly prepared. Financial statement assertions are given to assist the auditor in planning audit procedures to decide whether the balance is free from material misstatement.

ASSERTIONS:
C - Completeness
R - Rights and obligations
A - Allocation
V - Valuation
E - Existence

C - Cut-off
O - Occurrence
C - Classification and understandability
A - Accuracy

Completeness ensures that all transactions and events recorded are present in the financial statements.
Rights and obligations ensures that ownership and responsibility of assets and liabilities are reviewed.
Accuracy ensures that all transactions, balances and other items have been accurately recorded.
Valuation and allocation ensures that items in the statement of financial position are presented correctly and at the correct values.
Existence ensures that items in the statement of financial position actually exist.
Presentation ensures all transactions, events and disclosures are clearly described, relevant, understandable and applicable to the financial reporting framework.
Occurrence ensures that transactions and events actually happened.
Classification and understandability ensures that transactions are in the correct accounts and items have been disclosed correctly.
Cut-off ensures that transactions are recorded in the correct financial period.

Note: CRAVE assertions are mainly used to test assets, liabilities and equity. POCC assertions are mainly used to test income and expenses.

The assertions which cover the whole financial statements and can therefore be used to test all balances and transactions are:
– COMPLETENESS
– ACCURACY
– PRESENTATION
– CLASSIFICATION

Gathering Evidence

AUDIT PROCEDURES:
- Control procedures - procedures which identify whether the control systems being reviewed actually work;
- Substantive procedures - procedures which identify material misstatements present in financial statements.

Control procedures include:
1) Assessing the internal control systems which relate to financial statements;
2) Identification whether the control system is strong or weak;
3) Testing by the auditor to gather evidence to back up a conclusion.

Note: Substantive testing is carried out after controls have been assessed.

Reliable controls ⟹ Lower risk of material misstatement

Financial statements assertions (e.g. objective of substantive procedures) - CRAVE COCA:
C - Completeness
R - Rights and obligations
AV - Allocation and valuation
E - Existence

C - Cut-off
O - Occurrence
C - Classification and understandability
A - Accuracy

Note: Every procedure must cover at least one assertion.

The problems associated with the audit and review of accounting estimates

Accounting estimates are of particular concern to the auditor as, by their nature, there may not be any physical evidence to support them, and they are prone to inaccuracy.
They are also subjective and, therefore, prone to management bias. If the directors wished to manipulate the accounts in any way, accounting estimates are an easy way for them to do this. The auditor must take care when auditing estimates to ensure this has not been the case.

Common accounting estimates include:
- Provisions and contingent liabilities
- Inventory valuations
- Fixed asset valuations where revaluations have occurred
- Depreciation method and useful life
- Irrecoverable debts and allowances

In accordance with ISA 540 Auditing Accounting Estimates, auditors need to obtain an understanding of:
- How management identifies those transactions, events and conditions that give rise to the need for estimates; and
- How management actually makes the estimates, including the control procedures in place to minimise the risk of misstatement.
- The degree of uncertainty associated with an accounting estimate and if the uncertainty gives rise to significant risks.

In response to this assessment, the auditors may perform the following further procedures:
- Review of the outcome of the estimates made in the prior period (or their subsequent re-estimation)
- Consider events after the reporting date that provide additional evidence about estimates made at the year-end
- Test the basis and data upon which management made the estimate (e.g. review mathematical methods)
- Test the operating effectiveness of controls over how estimates are made
- Develop an independent estimate to use as a point of comparison
- Consider whether specialist skills/knowledge are required (e.g. lawyer)

QUALITY OF EVIDENCE:
ISA 500 main requirement - Sufficient appropriate audit evidence

Sufficient = enough evidence.
Points for consideration when deciding if the evidence is sufficient:
1) Risk of material misstatement;
2) Materiality of balance/item;
3) Reliability of control systems;
4) Conclusions of control test performed previously;
5) Size of sample being tested;
6) Reliability of evidence that can be collected.

Appropriate = relevant + reliable evidence

Relevant evidence in:
1) Control procedures - evidence should identify whether the control system operates effectively;
2) Substantive procedures:
   - Evidence must achieve at least one of the FS assertions;
   - Evidence should help to conclude whether the FS are true and fair.

Reliable evidence should be (ideally):
- Independent;
- Obtained directly by the auditor;
- From strong control system;
- Written;
- In original form.

Fewer characteristics ⟹ More evidence to obtain

METHODS OF GATHERING EVIDENCE:
ISA 500 methods:
1) Analytical procedures - comparison of data in FS;
2) Enquiry - talking to client staff and management;
3) Inspection - inspecting documentation that confirms balances and transactions;
4) Observation - observing processes at the client to understand and review reliability;
5) Recalculation - recalculating transactions and balances for accuracy;
6) Confirmation - written confirmation of balances and transactions;
7) Reperformance - carrying out the procedure the client has performed.

Note: The most appropriate method should be selected.

Sampling (ISA 530 definition) - the application of audit procedures to less than 100% of items within a population of audit relevance such that all sampling units have a chance of selection in order to provide the auditor with a reasonable basis on which to draw conclusions about the entire population.

Sampling risk - risk of not selecting transactions that contain a material misstatement.
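Two selection methods that satisfy the ISA 530 definition above, systematic selection and monetary unit selection, shown as an added example that is not part of the original notes. The invoice population is constructed, and the fixed-interval form of monetary unit selection used here is an assumption, since the notes name the method without defining it.

```python
"""Audit sample selection: systematic and monetary unit selection (added example)."""
import random
from dataclasses import dataclass
from itertools import accumulate


@dataclass(frozen=True)
class Item:
    ref: str      # document reference
    amount: int   # value in whole currency units (assumed positive)


# Constructed population of 12 sales invoices, total value 24,000.
POPULATION = [
    Item("INV-001", 120), Item("INV-002", 4500), Item("INV-003", 80),
    Item("INV-004", 950), Item("INV-005", 60), Item("INV-006", 12000),
    Item("INV-007", 300), Item("INV-008", 45), Item("INV-009", 2200),
    Item("INV-010", 700), Item("INV-011", 15), Item("INV-012", 3030),
]


def _pick_start(interval, start):
    """Use the caller's start (reproducible working papers) or draw one at random."""
    if interval < 1:
        raise ValueError("sample size is larger than the population")
    if start is None:
        start = random.randrange(interval)
    if not 0 <= start < interval:
        raise ValueError("start must fall inside the first interval")
    return start


def systematic_selection(items, sample_size, start=None):
    """Select every k-th item, where k = len(items) // sample_size.

    The random start is what gives every item a chance of selection; always
    starting at the first item would leave most of the population untested.
    """
    if sample_size < 1:
        raise ValueError("sample_size must be at least 1")
    interval = len(items) // sample_size
    start = _pick_start(interval, start)
    return [items[start + i * interval] for i in range(sample_size)]


def monetary_unit_selection(items, sample_size, start=None):
    """Select the items holding every k-th currency unit, k = total // sample_size.

    Each currency unit is a sampling unit, so an item's chance of selection is
    proportional to its value and any item worth at least k is always picked.
    One large item can absorb several picks, so fewer items than sample_size
    may be returned.
    """
    if sample_size < 1:
        raise ValueError("sample_size must be at least 1")
    running = list(accumulate(item.amount for item in items))
    interval = running[-1] // sample_size
    start = _pick_start(interval, start)
    chosen, idx = [], 0
    for unit in (start + i * interval for i in range(sample_size)):
        while running[idx] <= unit:      # advance to the item holding this unit
            idx += 1
        if not chosen or chosen[-1] != idx:
            chosen.append(idx)
    return [items[i] for i in chosen]


if __name__ == "__main__":
    print([i.ref for i in systematic_selection(POPULATION, 4)])
    print([i.ref for i in monetary_unit_selection(POPULATION, 4)])
```

Recording the start value used in the working papers lets a reviewer reproduce the same sample.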

Sampling considerations:
1) Sampling requires auditor judgement and skills;
2) Sample size should be sufficient to reduce sampling risk to the acceptable level;
3) Sample chosen should represent the whole population of transactions.

Sampling methods:
1) Statistical sampling - auditor has not influenced the selection of the transaction (random selection, probability theory);
2) Non-statistical sampling (any other method).

Commonly used methods:
- Random number tables;
- Systematic selection (for example every 10th transaction);
- Block selection (e.g. cut-off test);
- Monetary unit selection (largest items);
- Haphazard methods (no bias!).

REVIEW THE RESULTS OF AUDIT PROCEDURES:
Identified misstatements are material?
1) Yes ⟹ Misstatements are misleading to users ⟹ Amend FS;
2) No ⟹ Smaller errors could accumulate into a material misstatement ⟹ Record on the spreadsheet and review it at the end of the audit.

The results of statistical sampling, including consideration of whether additional testing is required

Tolerable misstatement looks at individually immaterial misstatements added together. The smaller the tolerable misstatement or rate of deviation, the greater the required sample size. The higher the expected misstatement or rate of deviation, the greater the required sample size. Furthermore, the auditor should investigate the nature and cause of all material misstatements/deviations and evaluate their effect.

Computer Assisted Audit Techniques (CAAT's)

Two main areas where CAATs are widely used:
1) Controls - using test data;
2) Substantive testing - using audit software.

TEST DATA:
Test data is where the auditor will access the client’s computer controls. They will perform audit tests on the system by entering dummy data into the system and monitoring how it progresses through the control cycle. This method of testing will allow the auditor to see if the control functions of the computer system perform properly.
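A test data run of the kind described above, exercised against the information processing controls these notes list (existence, authorisation, sequence, arithmetic and batch total checks). This is an added example, not part of the original notes; the posting routine `process_batch`, the master file, the approver list and the dummy orders are all constructed for illustration.

```python
"""Auditor test data against information processing controls (added example)."""
from dataclasses import dataclass
from typing import Optional

ALL_CONTROLS = frozenset(
    {"sequence", "existence", "arithmetic", "authorisation", "batch_total"})
CUSTOMERS = {"C001": 5000, "C002": 1000}   # constructed master file: id -> credit limit
APPROVERS = {"fin.manager"}                # constructed list of authorised approvers


@dataclass(frozen=True)
class Order:
    doc_no: int
    customer: str
    qty: int
    unit_price: int
    total: int
    approved_by: Optional[str] = None


def process_batch(orders, control_total, last_doc_no, enabled=ALL_CONTROLS):
    """Hypothetical client posting routine.

    Returns (posted document numbers, {doc_no: control that rejected it}).
    A batch whose value disagrees with its control total is refused whole and
    reported under the key "batch". `enabled` lets the example switch a control
    off to imitate a deficiency.
    """
    if "batch_total" in enabled and sum(o.total for o in orders) != control_total:
        return [], {"batch": "batch_total"}
    posted, rejected = [], {}
    expected_no = last_doc_no + 1
    for o in orders:
        failed = None
        if "sequence" in enabled and o.doc_no != expected_no:
            failed = "sequence"            # gap or duplicate in document numbers
        elif "existence" in enabled and o.customer not in CUSTOMERS:
            failed = "existence"           # customer not on the master file
        elif "arithmetic" in enabled and o.qty * o.unit_price != o.total:
            failed = "arithmetic"          # extension does not recompute
        elif ("authorisation" in enabled
              and o.total > CUSTOMERS.get(o.customer, 0)
              and o.approved_by not in APPROVERS):
            failed = "authorisation"       # over credit limit without approval
        expected_no = o.doc_no + 1
        if failed:
            rejected[o.doc_no] = failed
        else:
            posted.append(o.doc_no)
    return posted, rejected


# Constructed test data: each dummy order is built to trip one control, or none.
TEST_PACK = [
    (Order(101, "C001", 2, 100, 200), None),                   # valid
    (Order(102, "C999", 1, 50, 50), "existence"),              # unknown customer
    (Order(103, "C001", 3, 100, 350), "arithmetic"),           # 3 x 100 != 350
    (Order(104, "C002", 20, 100, 2000), "authorisation"),      # over limit, unapproved
    (Order(105, "C002", 20, 100, 2000, "fin.manager"), None),  # over limit, approved
    (Order(107, "C001", 1, 10, 10), "sequence"),               # 106 is missing
]


def run_test_pack(enabled=ALL_CONTROLS):
    """Post the dummy orders and compare each outcome with the expected one.

    Returns (findings, to_reverse): findings are (reference, expected, actual)
    for every control that did not behave as expected; to_reverse lists the
    dummy documents that were posted and must be backed out afterwards.
    """
    orders = [order for order, _ in TEST_PACK]
    total = sum(o.total for o in orders)
    findings = []
    # A batch submitted with a misstated control total must be refused.
    _, rejected = process_batch(orders, total + 1, 100, enabled)
    if rejected != {"batch": "batch_total"}:
        findings.append(("batch", "batch_total", "accepted"))
    posted, rejected = process_batch(orders, total, 100, enabled)
    for order, expected in TEST_PACK:
        actual = rejected.get(order.doc_no)
        if actual != expected:
            findings.append((order.doc_no, expected, actual or "posted"))
    return findings, posted


if __name__ == "__main__":
    print(run_test_pack())                                # controls operating
    print(run_test_pack(ALL_CONTROLS - {"sequence"}))     # sequence check missing
```

The `to_reverse` list addresses the risk that dummy entries are forgotten and left in the records.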

There are several ways of data testing:

Live data tests
  Definition: The auditor has access to the computer systems during the operating hours of the client.

Dead data tests
  Definition: The auditor can enter dummy data in a batch after working hours.

Advantages:
– Demand has impact on efficiency of the controls;
– Easier to reverse;
– Remove the risk of material misstatement;
– Detect that system does not cope when there are multiple users, all posting onto and reviewing the data on the system;
– Enabling test of the system by taking copy to install on own computer;
– Effective way of testing controls.

Disadvantages:
– Dummy entries may be forgotten and not reversed;
– Auditor cannot assess whether the system would have problems when busy.

AUDIT SOFTWARE:
Audit software - software assisting at the substantive testing stage where the auditor is performing audit procedures that help to detect potential material misstatements.

Audit procedures which may be performed using audit software:
1. Analytical procedures:
   – Calculate ratios;
   – Compare to previous year’s results, budgets and industry averages;
   – Investigate unusual results with client;
2. Selecting samples using systematic method;
3. Checking calculations:
   – Adding-up transactions to agree balances in the system;
   – Recalculating other transactions (for example VAT);
   – Reduces risk of human error;
4. Exceptions reporting:
   – Highlighting unusual trends;
   – Detect balances that look unusual;
   – Balances and transactions detected by the system can be investigated for potential material misstatement.

Note: The auditor must be able to import all client transactions and balances onto the audit software.

Benefits of audit software:
– It can save time due to automatic procedure being carried out by software;
– It can save on labour costs for audit assignment;
– It reduces the risk of human error.

Drawbacks of audit software:
– Bespoke system can be very expensive;
– Risk of data corruption when carrying out the process;
– Risk of data leak;
– Confidentiality is a concern;
– Strong security controls are required.

Data Analytics in Audit

What is Data Analytics?
Data analytics is the process of examining the available data in order to draw meaningful conclusions. It enables businesses to identify new opportunities, to harness cost savings and to enable faster decision making, by drawing data from multiple sources to inform decisions or draw conclusions. The data is often both internal and external and is often aided by specialised software.

Data Analytics and Audit
Data analytics for audit involves discovering and analysing patterns, deviations and inconsistencies, and extracting other useful information in the data related to the subject matter of an audit. This can be done through analysis, modelling and visualisation for the purpose of planning and performing the audit. The process can reduce the risk of error in the audit as well as offering value to the client, as they often use visual methods such as graphs to present data, helping to identify trends and correlations.

For auditors, the main driver of using data analytics is to improve audit quality. It allows auditors to more effectively audit the large amounts of data held and processed in IT systems in larger clients, and by doing so they can better understand the client’s information and better identify the risks. Data analytics tools have the power to turn all the data into an understandable presentation for both the auditors and clients.

Large firms often have the resources to create their own data analytics platforms, whereas smaller firms may opt to acquire an off the shelf package. Larger firms may also generate audit programmes tailored to client-specific risks or to provide data directly into computerised audit procedures, allowing them to more efficiently arrive at the result.

Benefits of Data Analytics
– Data analytics enable increased business understanding as you gain a more thorough analysis of a client’s data.
– It gives auditors a better focus on risk. This increased understanding aids the identification of risks associated with a client, enabling testing to be better directed at those areas.
– It results in increased consistency across group audits where all auditors are using the same technology and process, enabling the group auditor to direct specific tools for use in component audits and to execute testing across the group.
– There’s increased efficiency through the use of computer programmes to perform very fast processing of large volumes of data and provide analysis to auditors, saving time and focus for judgemental and risk areas.
– Data can be more easily manipulated by the auditor as part of audit testing, for example performing sensitivity analysis on management assumptions.
– There is increased fraud detection through the ability to interrogate all data and to test segregation of duties.
– The information obtained through data analytics can be shared with the client, adding value to the audit and providing a real benefit to management in that they are provided with useful information perhaps from a different perspective.

Challenges in Data Analytics
– There is often a lack of consistency or of a widely accepted standard across firms and even within a firm. Moreover, there is currently no specific regulation or guidance which covers all the uses of data analytics within an audit, which can make quality control guidelines difficult.
– Storing client data gives rise to the risk of breach of confidentiality and data protection. This data could be misused, or illegal access obtained, if the firm’s data security is weak or hacked, which may result in serious legal and reputational consequences.
– The completeness and integrity of the extracted client data may not be guaranteed. Specialists are often required to perform the extraction and there may be limitations to the data extraction where either the firm does not have the appropriate tools or understanding of the client data to ensure that all data is collected.
– There may be compatibility issues with the client systems which may render standard tests ineffective if data is not available in the expected formats.
– The audit staff may not be competent to understand the exact nature of the data and output to draw appropriate conclusions. In this case training may need to be provided, which can be expensive.
– There could be insufficient or inappropriate evidence retained on file due to failure to understand or document the procedures and inputs fully.
– Another issue arises relating to data storage and accessibility for the duration of the required retention period for audit evidence. The data obtained must be held for several years in a form which can be retested. As large volumes will be required, firms may need to invest in hardware to support such storage or outsource data storage, which compounds the risk of lost data or privacy issues.
– There can be an expectation gap among stakeholders who think that because the auditor is testing 100% of transactions in a specific area, the client’s data must be 100% correct, which may not be the case.

Relying on the Work of Others

KEY CONSIDERATIONS
Aim: To obtain sufficient and appropriate audit evidence.

Reasons to rely on the work of others:
1. Lack of technical knowledge.
2. This is the most efficient way of obtaining evidence.

Examples of work of others which may be relied upon:

Own Expert:
1. Using a property valuer to verify property figures;
2. Bringing in an inventory expert;
3. Experts to assist with progress values; and
4. Legal advice on legal cases.

Client's Expert:
1. Client lawyers' documentation;
2. Relying on internal auditor’s work; and
3. Service organisations used by client.
Steps in relying on the work of others:
Decide if experts are needed
⇩
Plan work required of them
⇩
Reduce disruption to the audit
⇩
Form the audit opinion

AUDITOR'S OWN EXPERT
Assessment of competence and independence: According to ISA 620 the auditor should determine whether the work of the expert is adequate for the auditor’s purposes.

How to ensure that work is adequate:
1. Review qualifications, experience, memberships; and
2. Review any business or personal connections.

Key tips:
1. Communicate to the client before audit work; and
2. Include in engagement letter.

EXTERNAL EXPERT - INTERNAL AUDIT
Importance and responsibilities of internal auditor:
1. Fundamental to control systems;
2. Carries out control procedures;
3. Identifies deficiencies and implements changes.

Auditor can rely on:
1. Control test;
2. Risk assessment; and
3. Special investigations (fraud).

Auditor should consider:
1. Scope of work;
2. Level of detail;
3. Reasonability of assurance; and
4. Further work (if necessary).

Audit requirements:

Work adequacy considerations:
1. Assessment of technical competence; and
2. Review of qualifications and experience.

Independence considerations:
1. Internal auditors are employees – independence is unlikely;
2. Audit committee is formed of non-executive directors = Independence from board is improved; and
3. Less independence the expert has from the entity = Less reliance can be placed on their work.

Quality of report:
1. Evidence collected is fundamental in forming an independent opinion;
2. Ideally - written evidence; if no such evidence is available, auditor may still need some further work to be done.

EXTERNAL EXPERT - SERVICE ORGANISATION
Service organisation - outsourced function used by client (for example payroll function).

Audit considerations:
1. Understand organisations and assess risk;
2. Decide testing level and assess procedures; and
3. Consider visit.

Advantages:
1. Increased expertise and skills;
2. Increased independence from directors.

Disadvantages:
1. Obtaining information on a timely basis may be difficult;
2. May not be allowed to perform audit work; and
3. Not being able to obtain sufficient appropriate evidence.

The extent to which reference to the work of others can be made in the independent auditor's report
The auditor should make no reference to the use of the work of others in the audit report. It is the auditors' opinion in the report - the work of others is simply one piece of evidence that may be used, if sufficient and reliable, in forming that opinion.

Smaller Entities and Not-for-Profit Organisations

AUDIT OF SMALLER ENTITIES
Smaller entities may not require a statutory audit in some countries. The reasons for not requiring a statutory audit are:
– The shareholders are often the directors of the entity;
– Companies may have only a few members of staff;
– Audits are expensive; and
– With fewer resources, the systems may be more straightforward, and not require expert advice from the auditor.

Note: If a smaller entity requires an external audit, the auditors would ensure that they have an experienced audit team.

The advantages of such an audit are:
1. It can be a relatively low risk audit;
2. With direct control, the management will have a full understanding and responsibility for the organisation, and can assist the auditor effectively; and
3. The systems will often be straightforward and easier to understand.

The disadvantages of such an audit are:
1. Shareholders are in a position to manipulate the figures in the financial statement or hide personal expenses;
2. There is an increased risk of human error which needs to be identified and addressed by the auditor;
3. Having one staff member responsible for an entire control system can increase the risk of fraud; and
4. There is limited amount of written evidence the auditor can obtain from the client.
Summary:
– There may be elements of the audit that are far more straightforward than dealing with a larger organisation; and
– There will possibly be less substantive testing.
However, careful planning is still needed to assess the risks and review the control systems and any limitations.

AUDIT OF NOT-FOR-PROFIT ORGANISATIONS
Not-for-profit organisations include charities and public sector entities. It is even more important that specialised audit staff are involved in the audit process for this kind of entity.

The key differences we would see with a not-for-profit organisation are:
– They are not driven by profits;
– They will not have shareholders;
– There will be no dividend payments; and
– A charity would prepare a statement of financial activities which is formatted differently to a statement of profit and loss.

Auditing not-for-profit organisations comes with its own audit risks and some of these are:
– There may be a lack of segregation of duties and simple systems may not be documented. This could increase the risk of fraud and error;
– Entities may not have the expertise or time to make good strategic decisions;
– Volunteers are used to keep costs down. They may lack skills and make mistakes, but also, they may not stay long and then not be available to assist the auditor with explanations;
– Income may depend on external factors (government grants and donations);
– Entities may have very complex regulations to follow. This increases the risk of disclosure notes being inadequate; and
– Any sudden change in circumstances could affect the entity in the short term.

The audit approach for this type of entity should include:
1. Careful planning;
2. A specialised audit team;
3. Pure substantive testing if controls are not deemed effective; and
4. Analytical procedures.

Note: If there are any issues gathering the evidence needed to form an audit opinion, as always, the auditor may need to modify their audit report.
AA - Audit and Assurance

Contents
Audit of Specific Balances - Intro and Non-current Assets
– GENERAL PRINCIPLES OF AUDIT PROCEDURES
– SUBSTANTIVE AUDIT PROCEDURES
– NON-CURRENT ASSETS
Audit of Specific Balances - Current Assets
– BANK
– ACCOUNTS RECEIVABLE
Audit of Specific Balances Liabilities
– ACCRUALS
– PROVISIONS
– OTHER LIABILITIES
– TRADE PAYABLES
Audit of Specific Balances - P&L, Directors, and Equity
– THE STATEMENT OF PROFIT AND LOSS
– DIRECTORS' EMOLUMENTS
– EQUITY

Audit of Specific Balances - Intro and Non-current Assets

GENERAL PRINCIPLES OF AUDIT PROCEDURES
Substantive audit procedures are procedures that identify if material misstatements are present within the financial statements. They test the transactions, balances and disclosures for these misstatements.

The steps to performing a substantive test are:
1. Identify the item to test and set the objectives of the test;
2. Consider the quality of evidence required. It must be sufficient and appropriate;
3. Design the test and ensure it meets the objective;
4. Select the sample of transactions to perform the test on;
5. Record the test, method, results and other evidence as working papers; and
6. Consider the conclusion of the test.

The objective of a substantive test must be at least one of these financial statement assertions:
C – Completeness
C – Cut-off
R – Rights and obligations
O – Occurrence
AV – Allocation and valuation
E – Existence
C – Classification and understandability
A – Accuracy

SUBSTANTIVE AUDIT PROCEDURES
Procedures that can be performed for any balance can be remembered using the mnemonic TOAD:
– Trial balance: To agree the balance in the financial statements to the trial balance;
– Opening balance: To agree the opening balance to last year's closing balance and investigate any differences with the client;
– Add up and recalculate: All balances need to be checked for accuracy; and
– Disclosure check: To review any specific accounting standards relating to the area of the financial statements and ensure they have been followed when preparing the financial statements.
NON-CURRENT ASSETS
In order to ensure non-current assets are audited effectively, the auditor will need to review:
– The financial statements, including the statement of financial position and the non-current asset note;
– The asset register, which includes all details relating to the assets held by the company; and
– The trial balance and ledger accounts forming the non-current asset balance.

The key assertions to be verified for non-current assets are:
– Completeness (C);
– Rights and obligations (R&O);
– Valuation (V); and
– Existence (E).

The auditor needs to ensure that each balance has been audited, therefore auditing:
1. Opening and closing balances: Procedures include:
a. Agreeing the opening balance to last year's financial statement;
b. Adding up the non-current asset note to ensure the auditor agrees with the closing balance shown; and
c. Agreeing the closing balance for non-current assets in the note, to the balance shown on the statement of financial position.
2. New assets purchased or additions: Procedures include:
a. Agreeing the additions balance in the financial statements to the asset register (C);
b. Adding up the additions in the asset register to ensure they agree with the total in the financial statements (C); and
c. For additions in the year, trace to invoice, to agree amounts recorded and whether the invoice is in the company name (R&O).
3. Disposals of assets in the year: The auditor should:
a. Obtain a list of all disposals of assets made in the year and agree them to the asset register to ensure they have now been removed (E and A);
b. Agree disposals to documentation, for example, sales receipts and bank statements to prove they were disposed of (E and A); and
c. Review the profit or loss on disposal and agree with what has been recorded in the statement of profit and loss (E and A).
4. Depreciation: Must be audited by:
a. Recalculating the depreciation charge for a sample of assets (V and A);
b. Reviewing the accounting policies to see if the treatment being used is consistent with prior years’ (V and A); and
c. Inspecting the budgets for capital expenditure to see if plans for disposals and new assets mean the depreciation methods are appropriate (V and A).
5. Revaluations: Procedures would be:
a. Inspect the valuer's report and agree the amount concluded by them with what has been recorded in the financial statements (V); and
b. Review the methods used by the valuer described in their report and ensure they agree with what is required by the accounting standards for revaluations (V).

Notes:
– The key for an auditor is to gather as much sufficient appropriate evidence as possible.
– The more written, detailed, independent evidence auditors can collect, the better.
– Each audit procedure must verify at least one of the financial statement assertions.

Audit of Specific Balances - Current Assets

BANK
The bank is an asset presented in the financial statements. It is shown under the heading "Current Assets" in the statement of financial position.

The key assertions that should be verified are:
– Valuation (V); and
– Existence (E).

The evidence that the auditor would obtain can be referred to as the three B’s:
1. The bank statement: This will show all movements in the bank balance during the period that can be agreed with the movements in the cash book (E and V);
2. The bank report: This is written confirmation from the bank sent directly to the auditor, which confirms all the bank balances held by the client for the year end and any balances of liabilities held by them. The auditor should also agree the bank accounts to the trial balance (E, V and C); and
3. The bank reconciliation: This will show the differences between what the cash book states as the balance and what the bank states as the balance. Auditors should also ensure that balances agree to the bank statement, bank report and cash book.
Unpresented cheques are any payments that have not yet been cleared by the bank. The auditor would usually:
– Agree the amounts on the bank reconciliation to the cheque stubs and cash book;
– Ensure none of the payments are missing or belong in the following period; and
– Inspect the bank statements after the year end to ensure the payments have now cleared.

Then any uncleared receipts would be audited. Auditors would need to:
– Agree that all uncleared receipts on the bank reconciliation are in the cash book;
– Ensure there are no missing receipts from the cash book; and
– Inspect the bank statements after the year end to ensure the receipts have now cleared.

ACCOUNTS RECEIVABLE
The accounts receivable balance is made up of two balances in the ledger: the trade receivables, and any provision for bad debts.

There are three important tests auditors should carry out on this balance:
1. Circularisation: This involves writing to a sample of trade receivable customers requesting that they confirm the balance they owe from their records. If the response does not agree with the ledger, the auditor will then need to complete a reconciliation between the client and customer balance to identify if the difference is due to timing issues, or due to a misstatement;
2. Cash received after the year end: The auditor will select a sample of receivable customer balances and then agree these balances to receipts in the post year end bank statements (E);
3. Cut-off: The auditor should review invoices just before and after the year end, and inspect their goods dispatch notes, reviewing the delivery date to ensure they are in the correct period.

The next step is then to audit the provision for bad debts. The key assertion to verify is valuation.
Examples of procedures include:
– Comparing the provision to the previous year and investigating any differences;
– Calculating the receivables days ratio and comparing it to the previous year;
– Reviewing the aged receivables list and investigating old balances to see if they should be included in the provision or written off;
– Enquiry with management about any specific provisions; and
– Post year end event review to see if the customer has paid.

INVENTORY
Key assertions and procedures:

Valuation:
According to IAS 2, inventory should be valued at the lower of cost and net realisable value.
– The auditor must review sales around the year end;
– Sales prices of items should be compared to the calculations for net realisable value to ensure the selling price looks reasonable; and
– The auditor should trace the cost used in valuation to the source document such as the purchase invoice.

Existence and completeness:
This assertion can be verified by attending the inventory count. This also enables the auditor to review the control procedures carried out by the client.
– Using samples for counting, the auditor verifies the existence and completeness of counting records.

Rights and obligations:
– Inspection of ownership documentation should be carried out, as well as review of the purchase invoices; and
– Inspection of any inventory stored at third party warehouses and review of respective agreements.

Audit of Specific Balances Liabilities

Key concern: The client may have understated the balance to make the business look healthier and more liquid than it is.
Key assertions: Completeness, rights and obligations, valuation.

ACCRUALS
Accruals balance is based on costs that may not have been invoiced in the year but belong to the current year.
The following procedures should be performed:
– Obtain a breakdown of the accruals balance and ensure it adds up and agrees with the accruals balance in the financial statements;
– Compare accruals balance to last year and investigate any differences; and
– Review invoices dated after the year end to identify if the costs belong to the current year.

PROVISIONS
Provisions could arise from events such as potential compensation payments from court cases. The client needs to ensure they have followed the rules of IAS 37:
– If there is a remote chance of the client suffering an outflow of resources, then there should be nothing included in the financial statements;
– If there is a possible chance of the client suffering an outflow of resources, then there should be a disclosure note called a contingent liability note explaining the possible event, but still, no provision;
– If there is a probable outflow of resources, then a provision may be included in the financial statements and a disclosure note explaining the balance.

There are three criteria that must be met for a provision to be allowed:
1. There must be a present obligation due to a past event;
2. There must be a probable outflow of resources; and
3. There must be a reliable estimate.

In order to be satisfied that all criteria mentioned above are met, the auditor must perform the following procedures:
– They must inspect correspondence, for example, from the company lawyer, and also discuss the event with them;
– They can inspect any other external evidence, such as press reports, if they relate to a court case; and
– They must then obtain evidence on the estimate of costs and ensure it is from a reliable source. This must not be an estimate from the client management.

OTHER LIABILITIES
Other liability balances include:
– Sales tax;
– Employee tax;
– Payroll; and
– Bank overdrafts.
The following procedures may be performed to verify these balances:
– Agree each of these balances to the bank statement as the payment should be shown after the year end (except for bank overdraft, as there may be timing differences); and
– The bank reconciliation will play a part in verifying the bank overdraft balance, along with the bank report.

TRADE PAYABLES
Trade payables is the total balance of all outstanding balances owed to trade suppliers.

Audit procedures will include:
1. Cut-off testing: The procedure would be to identify the invoices posted just before and after the year end, compare them to the goods received note, review the delivery date, and ensure the invoice is posted in the correct period;
2. Reconciling supplier statements: The auditor should select a sample of suppliers and reconcile the supplier statement sent at the year end to the ledger (timing differences are acceptable);
3. Post year end invoice review: Inspecting purchase invoices since year end and reviewing the details will be required to ensure that there were no invoices that should have been included in the current year;
4. Analytical procedures: These include:
– Comparing the balance to the previous year and investigating any significant differences;
– Calculating the payable days ratio and comparing to the previous year;
– Identifying the trade payables balance for each month and comparing the level of payables to the expected trend of the company; and
– Inspecting the aged payable analysis, in particular, identifying the old and slow moving balances and investigating these with the client.

Audit of Specific Balances - P&L, Directors, and Equity

THE STATEMENT OF PROFIT AND LOSS
Remember: Many of the transactions in the P&L have already been tested via the corresponding debit or credit balance in the SFP.

The key assertions for the statement of profit and loss balances are:
– Cut-off (C/O);
– Occurrence (O);
– Completeness (CO);
– Classification (C); and
– Accuracy (A).
For the payroll balance, a few specific audit procedures include:
– For a sample of employee balances, recalculate the deductions, such as tax, and investigate any differences;
– Agree the net pay as per the payroll records to the bank statements and cash book; and
– Agree total wages and salaries from the payroll system to the trial balance and financial statements.
Analytical procedures:
– Proof in total of the wages and salaries balance (estimate the balance from management information such as average wages and the percentage pay rise) and compare it to the actual balance.
– Comparing the current year's balance to the previous year's will also identify potential misstatements if significantly different.

The revenue balance substantive tests include:
– For a sample of invoices, to recalculate the sales tax and discounts for accuracy;
– Agree a sample of customer orders to the dispatch notes and invoices to ensure they were recorded; and
– Inspecting credit notes issued shortly after the year end and supporting documentation for evidence that they were related to actual sales and not created to overstate revenue.
Analytical procedures:
– Comparing the revenue balance to the previous year;
– Calculating and comparing gross profit margins to previous years; and
– Comparing the balance to budgeted figures.

The purchase and other expense balance procedures include:
– Inspecting purchase orders and agreeing these to the goods received notes and invoices recorded;
– Recalculating sales tax and discounts on a sample of invoices; and
– Agreeing the balance on the ledger to the trial balance and financial statements.
Analytical procedures:
– Calculate operating profit margin to compare to the previous year, investigating any significant differences; and
– Comparing each expense account to budget to identify anything to investigate further.

DIRECTORS' EMOLUMENTS
Remember: the auditor regards any director's transactions as material by nature.
The key assertion is accuracy. An example of audit procedures would be:
– Obtain the detailed list of directors' transactions which shows the split between wages, bonuses, pensions etc., and check it to ensure all the totals are correct;
– Inspect payroll records and agree the balances to the list;
– Inspect bank statements and agree amounts actually paid; and
– Obtain a written representation from the directors that all directors' remuneration has been disclosed to the auditor.

EQUITY
The financial statements will include the statement of changes in equity (SOCIE), which will show the movement in the equity section from the beginning of the year.

The equity section will include the following balances:
1. Share capital: To verify this balance, the auditor will need to:
a. Inspect share certificates or other official documentation and agree to disclosures made in the financial statements;
b. Inspect board minutes for evidence of a share issue; and
c. Inspect the cash book for evidence of money coming in from a share issue.
2. Dividends: This will require the auditor to:
a. Inspect board minutes to verify the amount and that the date declared was before the year end; and
b. Inspect the bank statement to agree the amounts paid and that they were also before the year end.
3. Other reserves: To audit this balance, the auditor must ensure:
a. The opening balance agrees to last year;
b. The movements in reserves add up to the closing balance; and
c. Any movements agree with supporting documentation, for example, a valuation report.