Implementing of ISA’s in SME Audits Prepared for the use of MGI-alliance on October 10, 2013 and extended on November 27, 2013 by Auditors’ Network Finland Ltd. / Kari W. Saari, APA Implementing of ISA’s in SME Audits - IFAC's Risk Based Audit Process Model Basic Audit Procedures Scaling of ISA-standards SME Audit Process Contents of audit engagement file Implementing of ISA’s for SME Audits, contents - - - 3 IFAC's ISA –SME-Guide as background - Presentation of IFAC's Risk Based Audit Process Model - General comments concerning this model Way to downscale ISA-standards for SME Audits SME audit process using IFAC's model extended with basic audit procedures - Preliminary Audit Procedures and materiality limits - Risk Register and Risk Assessment Procedures - Basic Audit Procedures - Responding to Assessed Risks - Reporting phase Case example: Risks in sales process and use of assertions Extension: Contents of audit engagement file (IFAC’s ISQC 1- SME Guide) IFAC’s Model as Risk Based Audit Process I Risk Based Audit Process: - This ‘Risk Based Audit Process is described in IFACs publication named ‘Guide to Using ISAs in the Audits of Small- and Medium-Sized Entities’ The main phases of the model are: 4 - Risk Assessment - Risk Response - Reporting IFAC’s Model as Risk Based Audit Process II Main phase 'Risk Assessment', Activities: 5 - Preliminary Engagement Activities - Planning of the Audit - Risk Assessment Procedures IFAC’s Model as Risk Based Audit Process III Preliminary Engagement Activities: Purpose: Deciding whether to accept engagement Documentation: Listing of risk factors Independence Engagement letter 6 IFAC’s Model as Risk Based Audit Process IV Plannig of the Audit: Purpose: Developing an overall audit strategy and audit plan Documentation: Materiality Audit team discussions Overall audit strategy 7 IFAC’s Model as Risk Based Audit Process V Risk Assessment Procedures: Purpose: Identifying and assessing risks of material misstatement through understanding the entity Documentation: Busines and fraud risks including significant risks Design and implementation of relevant internal controls Assessed risks of material misstatement on the level of financial statements and on the level of assertions 8 IFAC’s Model as Risk Based Audit Process VI Main phase 'Risk Respose', Activities: 9 - Design overall responses and further audit procedures (as risk responses) - Implement responses to risks of material misstatement IFAC’s Model as Risk Based Audit Process VII Design overall responses and further audit procedures (as risk responses): Purpose: Developing of appropriate responses to the assessed risks of material misstatement Documentation: Update of overall strategy Overall responses to assessed risks Audit plan that links assessed risks of material misstatement to further audit procedures 10 IFAC’s Model as Risk Based Audit Process VIII Implement responses to risks of material misstatement : Purpose: Reducing audit risk to an acceptably low level Documentation: Work performed Audit findings Staff supervision Working paper review 11 IFAC’s Model as Risk Based Audit Process IX Main phase 'Reporting', Activities: 12 - Evaluate the audit evidence obtained - Decision: is additional work required? Yes = back to perform risk assesment procedures No = continue to the next step - Prepare the auditor’s report IFAC’s Model as Risk Based Audit Process X Evaluate the audit evidence obtained : Purpose: Determine what additional audit work (if any) is required Documentation: New or revised risk factors and audit procedures Changes in materiality Communications on audit findings Conclusions on audit procedures performed 13 IFAC’s Model as Risk Based Audit Process XI Prepare the auditor’s report : Purpose: Form an opinion based on audit findings Documentation: Significant decisions Signed auditor’s report 14 Comments to IFAC’s Model as Risk Based Audit Process Comments to IFAC's model : As the way of thinking the model is applicable in all audits The description as audit process helps to adopt ISA-standards Risk based approach is built on materialities The model gives more systematics for the planning phase of any audit The model gives the basics of how to recognize and evaluate risks Risk based approach helps to scale ISA-standards for SME audits Examples are concretizing the need of documentation in SME-audits Lack: the model says nothing of basic audit procedures 15 The downscaling of ISA standards I Good Audit Practice means audits in compliance with ISA-standards At least in Finland, according to ISAs, ISQC 1 etc., the implementation of ISA-standards is reviewed by authorities through external quality control procedures There are two ways to approach ISA-standards: To document something of the implementation of every ISA-standard (this way is too heavy for SME audits) Risk based approach: ISA standards are needed only where they are relevant in reducing audit risk to an acceptable low level (this way enables rational, effective and efficient SME-audits) 16 The downscaling of ISA standards II Audit procedure groups including into every audit: 17 - Preliminary engagement procedures (= IFAC’s model main phase ‘Risk Assessment’) - Basic audit procedures (IFAC’s model says nothing) - Audit procedures responding to risks (= IFAC’s model main phase ‘Risk Response’) - Other audit procedures (= IFAC’s model main phase ‘Reporting’) The downscaling of ISA standards III The purposeful course of risk based audit process in any SME-audit: - 18 Preliminary engagement procedures according to IFAC’s model Designing of audit strategy and determining of materiality limits according to IFAC’s model Basic audit procedures and updates into risk register, differ from IFAC’s model Risk assessment and audit plan according to IFAC’s model Audit procedures responding to risks acccording to IFAC’s model Other audit procedures as reporting according to IFAC’s model The downscaling of ISA standards IV Risk based audit process is able to scale down the ISA standards: 19 - In case preliminary engagement procedures accepts the audit engagement, the next step is to design audit strategy and determine materiality limits - Then perform basic audit procedures with updates into risk register - Risk assessment can be part of risk register updates but should be finalized not until all basic audit procedures are performed - After this is the time to implement more ISA standards, but only so far where after performed basic audit procedures still exist significant or material risks without sufficient responses Preliminary engagement procedures I Obtain and document an understanding of the entity and its environment, issues to be considered and documented: 20 - External factors (nature of industry; regulatory environment; financial reporting framework) - Nature of Entity (operations and key personnel; ownership and governance; investment; structure and financing) - Accounting policies (selection and application; reasons for changes; appropriateness to entity) (Continues) Preliminary engagement procedures II Obtain and document an understanding of the entity and its environment, issues to be considered and documented, continues: 21 - Entity objectives and strategies (business plans and strategies; financial implications and risks undertaken) - Measurement and review of financial performance (what is measured; who reviews financial results) - Internal control relevant to the audit (processes and relevant controls to mitigate risks at the entity level (and at the transactional level)) Preliminary engagement procedures III Assess and document competency and independency, independency threat factors: 22 - threat of self interest threat of self-review threat of advocacy threat of familiarity threat of intimidation - safeguards if needed Preliminary engagement procedures IV Prelimiary audit implementation plan issues: 23 - Is it enough that the performing of all audit happens after the end of the period under audit, or - what kind of audit procedures, if any, are needed during the period under audit. - Is it possible to perform the whole audit alone, or - is there also needed team structures or other help. Preliminary engagement procedures V Decision to accept or continue the engagement 24 - when preliminary understanding of the entity is obtained and when both competency and independency are noticed and when prelimiary audit implementation plan is prepared then assess your own capability and adequacy of time - if then the decision to accept is yes prepare or update the engagement letter Determining of audit strategy and materiality levels I How to complement consideration of the entity to audit strategy: - 25 the six aspects of the concideration of the entity should be complemented as general audit strategy with following extensions Control environment of the entity (tone at the top; management is always able to override controls) Entity level IT-controls (how IT-management is organized) Income sources and recording of incomes (always material risk area) Related parties and related transactions (always material risk area) Possible fraud risks (fraud triangle: pressure, opportunity, rationalization, always material risk) Determining of audit strategy and materiality levels II Materiality levels according to IFAC's model: Overall materiality (the highest materiality level on the whole financial statements) Overall performance materiality (lower than the above allowing room to prevent the possibility existence of undetected and immaterial misstatements from aggregating to a material amount) “Specific” materiality (lower than the above for particular financial statement areas as classes of transactions, account balances, or disclosures) “Specific” performance materiality (lower than the above giving more room as explained above, roughly 50 % of the highest materiality level) . 26 Regarding SMEs, one materiality level may be much enough Determining of audit strategy and materiality levels III Determining materiality levels in practise: - Professional consideration is always needed - An helping comparision value can be calculated as average of the following four figures according to the financial statements: 1 % of financial periods turnover (or of the sum of all incomes) 2 % of balance sheet total (0,2 % if dwelling house) 5 % as absolutive value of the total of own capital (0,5 % if dwelling house) 10 % as absolute value of financial periods net result - 27 Risk register and handling of risks I Risk register definition: Basic working paper in customer file for continual updates done beside any other audit procedure Register that collects information of all finded (material) risks and of controls implemented to reduce these risks Practical hints It is efficient to collect risk information beside basic audit procedures, and to finalize risk assessment not until all basic audit procedures are done after this, further audit procedures can be focused to reduce those significant risks not reduced sufficiently through basic audit procedures 28 Risk register and handling of risks II Risk handling through 'long formula': (= the way explained in IFAC’s ISA-SME-guide) 29 - Phase 1: risk identification (what could go wrong) - Phase 2: control design (planned way to control risks by the entity itself) - Phase 3: control implementation (are these controls implemented) - Phase 4: control documentation (are these controls used properly and assessment of remainder risks after these controls) Risk register and handling of risks III Risk handling through 'short formula': 30 - Also in small entities the ‘long formula’ functions well as model of thinking, but to document the four phases separately may mean too heavy process - An experienced auditor with good understanding of the customer, when identifying a risk, may be able to assess it straight according to phase 4 and then to document only this result Basic audit procedures I General aspects regarding 'basic audit procedures': The concept ‘basic audit procedures’ means such procedures that at least are to be performed in any audit so far they are relevant These ‘basic audit procedures’ are to be performed in spite of materiality lines and in any sequence The issues disclosed in appendix 2 of the old review standard ISRE 2400 (in force until the end of the year 2012) can be applicably adapted and interpreted to describe the contents of ‘basic audit procedures’ so far they are relevant risk register should be continually updated beside these procedures ‘Basic audit procedures’ means a kind of review and becomes as audit when extended according to the risk based audit process 31 Basic audit procedures II The contents of 'basic audit procedures': - 32 Updates to basic customer information Review of minutes and other entity governance aspects Comparison of opening balance figures in ledgers Comparisons of cash figures in bank statements and ledgers Comparisons of vouchers and ledgers Financial statements process and comparisions of figures Substantive analytical procedures Other basic audit procedures Basic audit procedures III Updates to basic customer information: 33 - Key persons and connections - Those charged with governance, management and related parties - Preciseness of disclosed information in public registers Basic audit procedures IV Review of minutes and other entity governance aspects: 34 - Review of the minutes of shareholders’ meetings or general meetings - Review of board minutes - Review of other entity governance aspects Basic audit procedures V Comparision of opening balance figures in ledgers: 35 - Comparing of opening balance figures in ledgers to the figures in preceding financial statements - A rapid routine when same auditor has audited also the preceding financial statements - Can be much more troublesome when the previous financial statements is audited by another auditor or totally lacks the audit Basic audit procedures VI Comparision of cash figures in bank statements and ledgers: - 36 Comparisions to recognize how the figures in bank statements and figures in ledgers are corresponding each others Suggested to be done monthly covering both volumes and balances means pervasive external control which is not easy to override by management Effectiveness of this control is depending on how far bank accounts are covering all money transactions this procedure also helps to assess the quality of ledgers and their appropriateness as object for other audit procedures Basic audit procedures VII Comparision of vouchers and ledgers: 37 - Comparisions of cash figures in bank statements and in ledgers are also a part of these audit procedures - In addition, these audit procedures should cover at least material general ledger transactions and vouchers near the end of financial period Basic audit procedures VIII Financial statements preparing process and comparisions of figures, questions to be answered: - Is the accounting system producing appropriate journals and general ledgers? Does the accounting system produce also balance sheets and income statements per account? Does the structure of financial statements correspond their previous structure? Are the comparing figures same as in previous financial statements? (continues) 38 Basic audit procedures IX Financial statements preparing process and comparisions of figures, questions to be answered (continues): - Are the comparing figures sufficient? Are the financial statements figures correspondig to ledgers? Are the figures in the specifications of financial statements corresponding both to ledgers and financial statements figures? Are the calculations in financial statements correct? Are the specifications of financial statements appropriate and sufficient? Are the notes in financial statements according to circumstances sufficient? (continues) 39 Basic audit procedures X Financial statements preparing process and comparisions of figures, questions to be answered (continues): - 40 Are the financial statements properly signed? Is the explanation of ledgers and vouchers appropriate and sufficient? Are the stuctures and contents of the financial statements appropriate according to circumstances? What other accounting systems and ledgers are in use in addition to entity level journals and general ledgers (payroll ledgers?; debitors’ ledgers?; creditors’ ledgers?; inventory ledgers?; what else?) and are they comparing to the contents of general ledger? Basic audit procedures XI Substantive analytical procedures: 41 - Analyses concerning the contents of income statement and balance sheet - Supplying basis evidence of the contents of income statement and balance sheet items - Comparisions to information from other sources - assessments of material trends - Also analyze systems and programs can be used as help Basic audit procedures XII Other basic audit procedures: The following significant questions are to be answered (verbally): 42 - How the conclution has been reveived that all incomes of the entity are recognized in ledgers? - How the conclution has been received that all inventories are recognized in ledgers as appropriately valued? - Assessment of the the entitys risk management and insurance issues - How earlier audit results are utilized by the entity? Risk response and further audit procedures I Finalizing of risk assessment: - 43 Beside basic audit procedures, update entitys risk register Finalize risk assessment not until all basic audit procedures are performed the first phase is to assess risks ignoring internal control effects then chart the internal controls which are reducing these risks then assess if there still exist such significant risks that still need mitigations through further audit procedures Risk response and further audit procedures II Further audit procedures: Inquire and assess the material risk reducing internal controls that the entity may have implemented and which are able to be tested As far such internal controls exist, consider the needs to test them and perform proper testing procedures If such intenal controls cannot be found (typical circumstance in SMEs), or if these controls are not reliable, risk response shouls be based on substantive audit procedures all significant risks (in SMEs typically half dozen or less) should be responded (on assertion level) In case the evidence received through basic audit procedures can be assessed as sufficient to reduce all significant risks to an acceptable low level, then no further audit procedures are needed and then it is much enough and sufficient to document this conclusion 44 Conclusions and process to correct misstatements - 45 Document received conclusions and their reasons Prepare audit memorandum of recognized misstatements etc. Communicate with management and others involved into the financial statements preparing process, as far as needed Ask them to perform the needed corrective actions Review the corrections Prepare management’s representation letter (in SMEs typically not more than one page) Management’s representation letter and auditor’s report - - - 46 Management’s representation letter may need following appendicies: Audit memorandum of recognized misstatements etc. Explanation of principles regarding related parties Management’s representation letter, when signed by authorized management’s representative, also gives evidence of communications with those charged with governance Prepare auditor’s report Regarding SMEs it may be rational, that in same occasion both management’s representative signs the representation letter and auditor signs auditor’s report In case during this occasion new material issues are founded, then, if needed, continue the audit Case example, risks in sales process and use of assertions I Case example, Risks in salesprocess, background: The following case example is prepared according to the contents of IFACs publication ‘Guide to Using ISAs in the Audits of Small- and Medium-Sized Entities’, Third Edition, Volume 2 – Practical Quidance, pages 166 - 167 This case example descibes also the purposeful contents of risk register Risks and assertions Assertions are managements implicite or disclosed statements that the items and issues disclosed in financial statements are correct. Risks are suspicions raised through auditor’s professional scepticism that these assertions may include misstatements Risks can be mitigated by control activities implemented by management and audit procedures performed by auditor 47 Case example, risks in sales process and use of assertions II Case example, existing risks and controls in salesprocess Risk 1: goods shipped or services performed not invoiced (assertion completeness) Control a: received order ise immediately entered into accounting system, which automatically assigns a sequencial number Control b: when the order is ready for shipment, a shipping document is prepared, entered into the system and matched with the order Control c: An invoice is then prepared by Karla from the accountingsystem, which automatically assigns a sequential number (continues) 48 Case example, risks in sales process and use of assertions III Case example, existing risks and controls in salesprocess (continues) Risk 1: goods shipped or services performed not invoiced (assertion completeness) Control d: It is a strict rule that no shipment can be made without the shipping document number being entered into the system Control e: The system can then track which orders have been filed and which ones are still pending by delivery date (continues) 49 Case example, risks in sales process and use of assertions IV Case example, existing risks and controls in salesprocess (continues) Risk 2: revenues incorrect/not recorded (i.e. Cash sales) in the accounts (assertion completeness) Control a: Sales orders are prepared for each order received and entered into the accounting system, which automatically assigns a sequential number Control b: The only exception is furniture sold directly from the shop or other small items on hand (continues) 50 Case example, risks in sales process and use of assertions V Case example, existing risks and controls in salesprocess (continues) Risk 3: related party transactions not identified (assertion existence) Control a: no controls in place at present (continues) 51 Case example, risks in sales process and use of assertions VI Case example, existing risks and controls in salesprocess (continues) Risk 4: revenue recognition policies not followed (assertion accuracy and cutoff) Control a: revenue is recorded when invoice is submitted Control b: all orders over 500 euros, or where the sales price is below the minimum sales price, must be reviewed and approved by Arjan (continues) 52 Case example, risks in sales process and use of assertions VII Case example, existing risks and controls in salesprocess (continues) Risk 5: fictitious sales/sales credits recorded in accounts (assertion existence) Control a: all orders over 500 euros, or where the sales price is below the minimum sales price, must be reviewed and approved by Arjan (continues) 53 Case example, risks in sales process and use of assertions VIII Case example, existing risks and controls in salesprocess (continues) Risk 6: goods shipped/services provided to a bad credit risk (assertion valuation) Control a: Arjan does not do a credit check on customers unless he does not know them or the order is large (continues) 54 Case example, risks in sales process and use of assertions IX Case example, existing risks and controls in salesprocess (continues) Risk 7: sales/services recorded in wrong accounting period (assertion accuracy and cutoff) Control a: Karla prepares a month end report of revenue and cash receipts for the month Control b: the month end report is reviewed by Suraj (continues) 55 Case example, risks in sales process and use of assertions X Case example, existing risks and controls in salesprocess (continues) Risk 8: receipts are partially or not deposited/recorded (fraud or error) (assertion completeness) Control a: cheques received are listed, totaled and reviewed before deposit Control b: Karla prepares the daily deposit slips but Jawad makes the cash deposit to ensure functions are segregated (continues) 56 Case example, risks in sales process and use of assertions XI Case example, existing risks and controls in salesprocess (continues) Risk 9: receipts are credited to the wrong account (fraud or error) (assertions completeness; accuracy and cutoff) Control a: Could be noticed during the review of monthly sales and receivables (continues) 57 Case example, risks in sales process and use of assertions XII Case example, existing risks and controls in salesprocess (continues) Risk 10: receipts are recorded in wrong accounting period (assertion accuracy and cutoff) Control a: Karla checks for proper cut off each month to ensure receipts are recorded in the correct period (continues) 58 Case example, risks in sales process and use of assertions XIII Case example, existing risks and controls in salesprocess (continues) Risk 11: no allowance is recorded for doubtful or uncolleltible balances (assertion valuation) Control a: accounts over 60 days are followed up for payment but no allowance is made for doubtful accounts other than at year end (continues) 59 Case example, risks in sales process and use of assertions XIV Case example, existing risks and controls in salesprocess (continues) Risk 12: overdue receivables are not followed up on timely basis (all assertions: completeness; existence; accuracy and cutoff; valuation) Control a: Jawad prepares an aged accounts receivable listing and gives the lising to Suraj for his review Control b: Accounts over 60 days are followed up each month and comments are made on the listing as to when the customer has agreed to pay the balance Control c: For customers who are over 90 days and have not made alternative payment arrangements, future sales are made on cash-on-delivery basis 60 Final contents of audit engagement file I Procedures for final assembly of the engagement file should be performed ordinarily no more than 60 days after the date of the report IFAC’s Guide to Quality Control for Small- and Medium-Sized Practices, section 7, includes the following checklist (year-end audit file index) of the divisons and sections of work that sould be included into the final documentation of each engagement file as far as relevant. It is suggested that in the end of each engagement, go through these checklist items in order to check that each item includes proper documented contents. In case an item of this checklist is not relevant, document this conclusion. 61 Final contents of audit engagement file II Year-end audit file index, division 'finalization of audit', sections: - - Audit file closing Engagement completion memorandum Subsequent changes to the audit file Financial statements / auditor’s report Final analytical review Reviewer’s checklist Quality control review (if EQCR applicable) Financial statement presentation and disclosure review continues 62 Final contents of audit engagement file III Year-end audit file index, division 'finalixazation of audit', sections: continues - 63 Engagement partner / sole practitioner review Adjusting and closing journal entries Working trial balance Correspondence, discussions, and notes representation letter Discussions with management and others Management letter Notes and queries Final contents of audit engagement file IV Year-end audit file index, division 'audit acceptance', sections: - 64 Audit engagement acceptance checklist New or continuing client Information from predecessor’s files Engagement letter Understanding the entity and its environment Client profile Documents to request Final contents of audit engagement file V Year-end audit file index, division 'overall audit strategy', sections: 65 Establishing the overall audit strategy checklist Determining materiality Evaluating misstatements Identifying risks using analytical procedures Conducting an audit team planning meeting Assessing inherent risks Determining whether the risks indicate the need for an EQCR Audit budget – time and fees Schedule of documents to be prepared by client Overall audit strategy Final contents of audit engagement file VI Year-end audit file index, division 'assessing risks of material misstatement', sections: - - Assessing the risks of material misstatement checklist Inquiries for management for those responsible for governance for those responsible for internal audit for others in the entity Evaluating the control environment Evaluating management’s use of estimates, including fair value continues 66 Final contents of audit engagement file VII Year-end audit file index, division 'assessing risks of material misstatement', sections: continues - Information systems and internal control General IT system and IT controls Revenue, receivables, and receipts Purchases, payables and payments Payroll Inventory, cost of sales, and production Financing and equity continues 67 Final contents of audit engagement file VIII Year-end audit file index, division 'assessing risks of material misstatement', sections: continues - Testing controls Revenue, receivables, and receipts Purchases, payables, and payments Payroll Inventory, cost of sales, and production Financing and equity continues 68 Final contents of audit engagement file IX Year-end audit file index, division 'assessing risks of material misstatement', sections: continues - 69 Review of minutes of all meetings Appointment of auditor (AGM resolution) Review of client’s annual report or other document that will include the audited financial statements Risk assessment summary Final contents of audit engagement file X Year-end audit file index, division 'analytical procedures and tests of balances, balance sheet / statement of financial position', sections: . - Cash and cash equivalents Trade and other receivables Inventories Prepaid expenses Investments Property, plant and equipment Capital assets Goodwill and intangible assets Continues 70 Final contents of audit engagement file XI Year-end audit file index, division 'analytical procedures and tests of balances, balance sheet / statement of financial position', sections: continues - Short-term and long-term debt Accounts payable and accrued liabilities Taxes payable Other liabilities Equity / Net assets Continues 71 Final contents of audit engagement file XII Year-end audit file index, division 'analytical procedures and tests of balances, balance sheet / statement of financial position', sections: continues . Journal entries Responding to indications of fraud Going concern Foreign currency translation Accounting estimates Continues 72 Final contents of audit engagement file XIII Year-end audit file index, division 'analytical procedures and tests of balances, balance sheet / statement of financial position', sections: continues - 73 Changes in accounting policies and correction of prior period errors Related party transactions Significant transactions outside the normal course of business Contingencies and contractual obligations Subsequent events Economic dependence Final contents of audit engagement file XIV Year-end audit file index, division 'analytical procedures and tests of balances, income statement / statement of operations', sections: - 74 Revenue Cost of sales Expenses Other income and expenses Final contents of audit engagement file XV Year-end audit file index, division 'substantive tests of transactions', sections: . - 75 Revenue, receivables, and receipts Purchases, payables, and payments Payroll Inventory, cost of sales, and production Financing and equity