Recent developments in auditing standards

CA Suresh DM
Bangalore Branch of SIRC of ICAI
15th December 2010

All U DO IS TICKING

Auditing Standards: Indian Perspective
• Auditing Standards are codification of existing best practices in the area of auditing.
• International Standards on Auditing (ISAs) are issued by the IAASB of IFAC.
• In India, the ICAI formulates Auditing and Assurance Standards (AASs).
Basic Considerations behind AASs formulation
◦ Harmonization with ISAs, to the extent possible – a Membership obligation for ICAI
◦ Applicable laws in India.
◦ Customs, usages & business environment in India.
• Companies Bill 2009 – NACAAS to be given authority to notify Auditing Standards
• MCA has observed that Auditing Standards are currently issued by a “Single Institute”.
• The fact is standards are issued after due consultations by releasing Exposure Drafts

Scope of AASs
• Apply whenever independent audit carried out.
• Apply irrespective of size, legal form or commercial motives of the client.
• May appropriately apply to other functions of auditors.
Authority Attached to AASs
• Mandatory compliance by members of ICAI.
• Material departures from AASs to be brought out in the report

Engagement & Quality Control Standards
Road to Convergence – Clarity Project
• AASB founder member of IFAC
• Auditing standards based to the extent possible on corresponding International Standards (IS) of International Auditing and Assurance Standards Board (IAASB).
• Chalked out timeline for bridging gap in convergence with IS under IAASB Clarity Project
• Revised the entire suite of 36 Standards on Auditing in line with the International Standards.

Engagement & Quality Control Standards
AASB’s response to IAASB Clarity Project (2006 till date):
◦ Revised & more rigorous Due Process
◦ Revised Framework & Preface
◦ AASs renamed & renumbered in line with IAASB terminology – ENGAGEMENT STANDARDS:
   – Standards on Auditing
   – Standards on Review Engagements
   – Standards on Assurance Engagements
   – Standards on Related Services
◦ Mother Standard on Quality Control
◦ Revised/ new Standards on Fraud, Audit Planning & Risk-based Audits
◦ Many new/ revised Standards in pipeline

Diagrammatic presentation of structure of standards under New preface
Chartered Accountants Act, 1949
  Pronouncements by ICAI
    Standards on Quality Controls (SQC)
      Assurance services – Framework for Assurance Engagements
        Audits and review of historical financial information
          Standards on Auditing (SA) 100-999
          Standards on Review engagements (SRE) 2000-2699
        Assurance engagements other than Audits and review of historical financial information
          Standards on Assurance Engagements (SAE) 3000-3699
      Related Services
        Standards on Related Services (SRS) 4000-4699

Clarity Project
Exercise to rewrite and Update. Includes:
• Identifying the overall objectives of the auditor when conducting an audit in accordance with ISAs, setting an objective in each ISA, and establishing an obligation on the auditor in relation to those objectives
• Clarifying the obligations imposed on auditors by the requirements of the ISAs and the language used to communicate such requirements
• Eliminating ambiguity about the requirements the auditor needs to fulfil.

Engagement & Quality Control Standards
Layout of Standards
• Scope
• Effective Date
• Objective
• Definitions
• Requirements
• Application and Other Explanatory material (basically details out requirements)

Audit Process

Standard on Quality Control – SQC 1
QUALITY CONTROL FOR FIRMS THAT PERFORM AUDITS AND REVIEWS OF HISTORICAL FINANCIAL INFORMATION, AND OTHER ASSURANCE AND RELATED SERVICES ENGAGEMENTS

SQC 1 – Quality Control for Firms
• Definitions
• Elements of a System of Quality Control
• Leadership Responsibilities for quality within the Firm
• Ethical Requirements
• Acceptance and Continuance of Client Relationships
• Human Resources
• Engagement Performance
• Monitoring
• Documentation

Objective of SQC 1
The firm should establish a system of quality control designed to provide it with reasonable assurance that the firm and its personnel comply with professional standards and regulatory and legal requirements, and that reports issued by the firm or engagement partner(s) are appropriate in the circumstances

Meaning of certain terms
Engagement quality control review –
• How: a process designed to provide an
• Why: objective evaluation,
• When: before the report is issued,
• What: of the significant judgments the engagement team made and the conclusions they reached in formulating the report

Meaning of Certain Terms
Engagement quality control reviewer
Any individual with capabilities to act as engagement partner or
• a partner,
• other person in the firm,
• suitably qualified external person,
• an employee of another firm,
• a team made up of such individuals,
with sufficient and appropriate experience and authority to objectively evaluate, before the report is issued, the significant judgments the engagement team made and the conclusions they reached in formulating the report.
However, in case the review is done by a team of individuals, such team should be headed by a member of the Institute

Meaning of Certain Terms
Engagement team – all personnel performing an engagement, including any experts contracted by the firm in connection with that engagement

Meaning of Certain Terms
Network Firm – Change made during Clarity Project
BEFORE
• An entity under common control, ownership or management with the firm or
• Any entity that a reasonable and informed third party having knowledge of all relevant information would reasonably conclude as being part of the firm nationally or internationally
AFTER
That is aimed at cooperation, and
• aimed at profit or cost-sharing or
• shares common ownership, control or management,
• common quality control policies and procedures,
• common business strategy,
• Use of a common brand name, or
• a significant part of professional resources.

Elements of a System of Quality Control – Policies to address
(a) Leadership responsibilities for quality within the firm.
(b) Ethical requirements.
(c) Acceptance and continuance of client relationships
(d) Human resources.
(e) Engagement performance.
(f) Monitoring

Leadership Responsibilities for Quality within the Firm
• promote an internal culture for stressing upon quality in deliverance
• firm’s chief executive officer to assume ultimate responsibility for the firm’s system of quality control
• Perform work that complies with professional standards and regulatory and legal requirements

How to promote quality-oriented internal culture
• clear, consistent and frequent actions and messages from all levels
• culture that recognizes and rewards high quality work
• training seminars, meetings, formal or informal dialogue, mission statements, newsletters, or briefing memoranda.

Ethical Requirements
The firm should establish procedures that enable its personnel to comply with ethical requirements:
(a) Integrity;
(b) Objectivity;
(c) Professional competence and due care;
(d) Confidentiality; and
(e) Professional behavior.

INDEPENDENCE
• Scope of various services provided to Client not to be threat to Independence
• Annual Independence confirmation from all the personnel of the Audit Firm regarding independence.
• Rotation of Partners and Managers to reduce familiarity threat (SEC Rules – 7 years for listed entities and 10 years for other engagements)
Note: For Sole Proprietors/Individuals auditing listed entities, rotation policy is not applicable. However they need to undergo compulsory Peer Review Process.

Threats to Independence
Prohibited Activities
• An auditor of an entity is prohibited from providing an audit client, any of nine specified non-audit services.

Prohibited Non-Audit Activities
1. Bookkeeping or other services related to the accounting records or financial statements of the audit client;
2. Financial information systems design and implementation;
3. Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
4. Actuarial services;
5. Internal audit services;
6. Management functions or human resources;
7. Broker or dealer, investment adviser, or investment banking services;
8. Legal services and expert services unrelated to the audit; and

Independence
Firm Should frame policies so that
◦ Firm’s personnel are aware of the independence requirements
◦ Partners are provided with relevant data about client hierarchy and threats to independence.

Threats to Independence
• Independence of Mind
• Independence of Appearance
◦ Threat of potential employment
◦ Threat of undue dependence on fees and fear of losing client
◦ Threat of self review – review of judgements made in earlier periods
◦ Threat of investment in client’s shares

Acceptance & Continuance (A&C)
• Undertake or continue relationships and engagements.
• Ascertain Integrity of Client
• Auditor is competent to perform and has sufficient resources.
• Compliance with ethical requirements achieved

Human Resource
Firms should frame policies to address
(a) Recruitment;
(b) Performance evaluation;
(c) Capabilities;
(d) Competence;
(e) Career development;
(f) Promotion;
(g) Compensation; and
(h) Estimation of personnel needs

Engagement Performance
• establish consistency in the quality of engagement performance which is accomplished through standardized documentation.
• Qualitative deliverance involves consultation

Review of Quality Controls and Risks (RQR process)
• Engagement Quality control review – Objective evaluation of Judgments used, which should be done before issue of report.
• Must for all Listed Companies Audit
• Criteria to be set out for other Audits

RQR Process
• Nature, Timing and Extent
• Criteria for Reviewers
• Documentation Requirements
• Other Matters

Engagement Documentation
◦ Final Working Files to be completed and assembled before reports have been finalized.
◦ (Means before release of report)
◦ Confidentiality, Safe Custody, Integrity, Accessibility and Retrievability of Documentation
◦ Retention of Documentation
◦ Ownership of Documentation
◦ Monitoring Process

International Standard on QC Vs Indian Standard on QC

| Subject Matter | International SQC | Indian SQC |
|---|---|---|
| Engagement Quality Control Reviewer | Reviewer can be anyone with sufficient and appropriate experience | Reviewer should be a member of ICAI |
| Minimum Period of Retention of Working papers | 5 Years | 7 Years |
| Rotation of Auditors | 7 years | No specific time limit |

SAs applicable for audits relating to accounting periods beginning on or after 1.4.2010

| SA | Title of the Standard |
|---|---|
| 200 (Revised) | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing |
| 210 (Revised) | Agreeing the Terms of Audit Engagements |
| 220 (Revised) | Quality Control for an Audit of Financial Statements |
| 265 | Communicating Deficiencies in Internal Control to Those Charged with Governance and Management |
| 320 (Revised) | Materiality in Planning and Performing an Audit |
| 402 (Revised) | Audit Considerations Relating to an Entity Using a Service Organization |
| 450 | Evaluation of Misstatements Identified during the Audit |
| 501 (Revised) | Audit Evidence – Specific Considerations for Selected Items |
| 505 (Revised) | External Confirmations |
| 510 (Revised) | Initial Audit Engagements — Opening Balances |
| 520 (Revised) | Analytical Procedures |
| 550 (Revised) | Related Parties |
| 610 (Revised) | Using the work of Internal Auditors |
| 620 (Revised) | Using the Work of an Auditor’s Expert |
| 720 | The Auditor’s Responsibility in Relation to Other Information in Documents Containing Audited Financial Statements |

SA 265 - COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT
Scope
Auditor is required to obtain understanding of internal Control.
This understanding is to design appropriate audit procedures and not for purpose of expressing opinion on internal controls.
Standard is only a carve out standard from SA 260 – Communicating to those charged with governance.
No such separate reporting requirements normally. (Other than SOX assignments)

This standard is very simple. Contains just 11 paras in the Main Text. Other clauses are Application and explanatory Material.

• Identify deficiencies in Internal Control on the basis of audit work performed
• Determine whether they constitute significant deficiencies (deficiency which merits immediate attention of Management in terms of likelihood, susceptibility to Loss or Fraud, Amount exposed)
• Communicate to those charged with Governance
Please note it is “communicate to the Management” and not the owners.
◦ (Auditor Report under legal framework will be addressed to the Owners/Shareholders.)

What Should be Communicated
◦ Description of Deficiencies
◦ Context and effect of such deficiencies
◦ Highlight the fact that these are only identified deficiencies in designing the Audit Procedures.

What type of controls are analysed
• General monitoring controls (such as oversight of management).
• Controls over the prevention and detection of fraud.
• Controls over the selection and application of significant accounting policies.
• Controls over significant transactions with related parties.
• Controls over significant transactions outside the entity’s normal course of business.
• Controls over the period-end financial reporting process (such as controls over non-recurring journal entries).

SA 402 – Audit Considerations relating to an entity using a service organisation.
This standard deals with the auditor's responsibility to obtain sufficient appropriate audit evidence when an entity uses the services of service organisations. Common examples are Actuary Services, Payroll outsourcing, Vendor payment process etc.
Methodology of obtaining Audit Comfort
◦ Obtain a Type 1 or Type 2 Report
◦ Contact/Visit the Service Organization.
◦ Using the work of another auditor.

SA 501 – Audit Evidence – Selected Items
This standard mainly deals with
◦ Inventory
◦ Litigation and Claims
◦ Segment Information
◦ Compared to earlier SA 501, this revised standard does not deal with Valuation and Disclosure of Long Term Investments.

SA 501 – Audit Evidence – Selected Items - Inventory
Attendance at Physical Count
◦ Evaluate management's instructions and procedures
◦ Observe the performance of management's count procedures
◦ Inspect the inventory
◦ Perform test counts
◦ Verify financial inventory records to ensure they reflect physical counts
If count < or > “Balance Sheet Date”, perform roll forward/backward testing
Inventory lying with third party
◦ Obtain confirmation
◦ Perform Inspection

Inventories – Basic Principles
• 50,000 lbs
• Quantities and prices
• Ending inventories = Net income

Cenco Corporation
• Changed quantities on inventory tags
• Altered quantities on computer listings
• Management created fictitious tags
Management explains:
• Computer keypunch errors
• Tags discarded
"I am unable to definitely say that the inventory is being inflated, but there are a few things about the new tags which bother me."

SA 501 – Audit Evidence – Selected Items – Litigations and Claims
• Inquiry of in house legal personnel/ Management
• Reviewing Minutes of Meetings
• Review Legal Expenses accounts
• Request confirmation from External Legal Counsel
• Written representations about completeness of disclosures

SA 520(R) – Analytical Procedures
Types of Procedures
◦ Trends
◦ Reasonableness Testing
   For e.g.: Bank Deposits to Interest earned; Raw Material Consumption to Production
◦ Ratios
Affected by reliability of data, precision of estimation, source of information etc

SAs applicable for audits relating to accounting periods beginning on or after 1.4.2011
• SA 700 (Revised) – Forming an opinion and Reporting on Financial Statements
• SA 705 – Modifications to the Opinion in the Independent Auditor’s Report
• SA 706 – Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report
• SA 710 (Revised) – Comparative Information – Corresponding Figures and Comparative Financial Statements

Gist of requirements of the new SAs
• Indicate on the top of the report that it is “INDEPENDENT AUDITORS REPORT”
• Title should be prominently indicated about
◦ “MANAGEMENT RESPONSIBILITY”
◦ “AUDITOR’S RESPONSIBILITY”
◦ “OPINION”
◦ Report under other LEGAL FRAMEWORK
Reference to CARO, Companies Act to be included in this clause.

Opinion on corresponding figures in financial statements
◦ Generally audit report is for current period numbers
◦ If corresponding figure in previous period was qualified and such matter is unresolved then report should continue reference to the previous corresponding number also.

RISK AND ASSESSMENT
ASSESSING RISK IN AUDIT PLANNING

Focus on Risk Management
Out of the total 35 general standards
◦ There are 6 standards on Risk Management
◦ ICAI has come up with a separate Implementation Guide to Risk Based Audit
◦ Hence Risk Management is important as the entire Audit Process Revolves around Risk

Audit involves
• Assessing the risks – Risk of Material Misstatements
• Designing and performing audit procedures to obtain reasonable assurance
• Issue of audit report

Key Definitions
Risk: The uncertainty of an event occurring that could have an impact on the achievement of objectives.
Risk assessment: A systemic process for assessing and integrating professional judgments about probable adverse conditions and/or events.
Risk management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Why only reasonable assurance and not absolute assurance
• Limitation on Testing – Use of sampling
• Internal Control Limitations
• Undetected Frauds
• Persuasive nature of audit evidence
• Reliance on Judgement

Key Risks in Audit
Financial Statements contain Material Misstatements
• Inherent
• Control
Auditor will not detect such Material Misstatements
• Detection

Interrelationship of Audit Risk Components

3 Phases in Risk Based Audit
• Risk Assessment
• Risk Response
• Risk Reporting

Audit Time Spent
• Strategy
• Decision Making & Process
• Information collected about Mgt Decisions
• Financial Statements

Ideal Audit Time Spending
• Strategy
• Decision Making & Processes
• Information about Decisions
• Financial Statements

Risk Assessment Procedures
• Inquiries of Management and Others
• Observations and Inspections
• Analytical Procedures

Results of Risk Assessment Process
[Chart with axes running from L to H; one axis labelled "Probability of Risk"]
Target audit resources where risk is greatest!

Fraud Risk
Components of Fire: Heat, Oxygen, Fuel → FIRE
Components of Fraud: Situational Opportunity, Rationalization, Pressure or Motive → FRAUD

Top Management
The ability of top management to override controls significantly increases the likelihood of fraud

Fraud Comes in Bunches
• Theft
• Embezzlement
• Check Kiting
• Conversion
• Credit Card
• Financial Statement
• Expense Report
• Laundering

The Perfect Crime
Any three people can commit the perfect crime as long as two of the three are dead

Materiality
Immaterial

Documentation
• Standardized Documentation to be practiced
• Importance of Documentation

Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
A systemic process designed to yield a comprehensive risk assessment
• core business processes
• enabling processes

Risk Planning Model – IDENTIFY AUDIT AREAS
• Impact on Enterprise Operations
• Visibility and Sensitivity
• PROBABILITY
• MATERIALITY

Risk Factors – Materiality (account balances in INR)

| Materiality | Points |
|---|---|
| Audit Area > 100 million | 8-10 |
| Audit Area 10 million < 100 million | 4-7 |
| Audit Area < 10 million | 1-3 |

Risk Factors – Impact on Operations

| Impact on Operations | Points |
|---|---|
| Significant impact on core business | 8-10 |
| Significant impact on specific program; moderate impact on core business | 4-7 |
| Negligible impact on specific program or core business | 1-3 |

Risk Factors – Public Sensitivity

| Public Sensitivity | Points |
|---|---|
| Likely to result in public or congressional interest | 8-10 |
| May result in public or congressional interest | 4-7 |
| Unlikely to result in public or congressional interest | 1-3 |

Probability Factors

| Probability of Risk | Points |
|---|---|
| High probability of significant issues | 0.8-1.0 |
| Moderate probability of significant issues and high probability of improvement needed | 0.4-0.7 |
| Low probability of significant issues and moderate to low probability of improvement needed | 0.1-0.3 |

Example of Risk Assessment

| Potential Audit Subject | Risk factor points (three factors) | Total points | Probability | Total × Probability |
|---|---|---|---|---|
| Asset Capitalisation | 4, 7, 5 | 16 | 0.5 | 8.0 |
| Payroll Processing | 7, 7, 8 | 22 | 0.6 | 13.2 |
| Bank Transactions | 3, 5, 9 | 17 | 0.3 | 5.1 |

Risk-Based Audit Engagements:
1 Understand Processes and Objectives
2 Identify Risks
3 Measure Potential Impacts
4 Evaluate Controls and Estimate Probability
5 Evaluate and Prioritize Risks
6 Develop Audit Objectives & Program

Largest Bankruptcy Filings (1980 to Present)

| Company | Assets (Billions) | When Filed |
|---|---|---|
| 1. WorldCom | $101.9 | July, 2002 |
| 2. Enron | $63.4 | Dec., 2001 |
| 3. Texaco | $35.9 | April, 1987 |
| 4. Financial Corp of America | $33.9 | Sept., 1988 |
| 5. Global Crossing | $25.5 | Jan., 2002 |
| 6. Adelphia | $24.4 | June, 2002 |
| 7. United Airlines | $22.7 | Dec. 2002 |
| 8. PG&E | $21.5 | June, 2002 |
| 9. MCorp. | $20.2 | March, 1989 |
| 10. Kmart | $17.0 | Jan., 2002 |

Auditing in the ERP Environments
SAP R/3 Enterprises – Application components (ERP): SD, MM, PP, CO, FI, AM, QM, PS, PM, WF, IS, HR

RISK ASSESSMENT METHODOLOGY – BY A QUANTIFICATION MODEL
Key business processes in Sales and Distribution (SD), Materials Management (MM) and Financial Accounting (FI) need to be studied in detail to identify their vulnerability to threats from within and outside. Based on this and experience of internal audit team, risk statements relevant to businesses are to be captured.
For each risk statement, risk impact and risk exposure is to be assessed as under

Risk impact – Severity X Detection
Risk impact (Severity x Detectability) to be assessed on a scale of 1 – 100 (100 being the highest adverse impact).
A – Risk Severity (on a scale of 1 – 10) is determined based on weighted average effect on 5 parameters, i.e.
i – PBT
ii – Statutory / regulatory compliance
iii – Strategic value
iv – Financial statement accuracy
v – Reliability / operational effectiveness
B – Risk Detectability (on a scale of 1 – 10) is determined based on the stage of detectability of adverse event, i.e. within the co. or from outside customers.

Risk exposure
Risk exposure (likelihood of occurrence) to be assessed on a scale of 1-10 (10 being most likely). Risk exposure is determined based on weighted average effect of 10 parameters responsible for the exposure, i.e.
i – Incorrect source data/ data entry
ii – Incorrect/ incomplete execution
iii – Incorrect/ non verification of output
iv – Skill/ resource constraint
v – Inadequate segregation of duties
vi – Lack of system documentation
vii – Authority norms not defined/ followed
viii – Inappropriate configuration/ process logic
ix – Weak internal/ compensating controls
x – Others (i.e.: process complexity, frequency of changes, software limitation, unassignable causes etc.)

RISK STATEMENTS – SD – Examples

| S. No | Risk statement | Severity | Detectability | Impact | Risk exposure | Heat zone |
|---|---|---|---|---|---|---|
| 1 | Invoice may be raised without effecting physical delivery of the goods from depot/ plant (bill and hold) | 7 | 8 | 56 | 5 | R1 |
| 2 | Sales order may not be executed in time and in full | 4 | 6 | 24 | 3 | Y2 |
| 3 | Debit / credit notes sent to customers may not contain adequate supporting details | 2 | 4 | 8 | 4 | G2 |

RISK STATEMENTS – MM – Examples

| S. No | Risk statement | Severity | Detectability | Impact | Risk exposure | Heat zone |
|---|---|---|---|---|---|---|
| 1 | Financial authority norms for release of PO may not be mapped into SAP | 4 | 8 | 32 | 6 | R3 |
| 2 | GR may be prepared for a quantity lower/ higher than vendor delivery challan | 4 | 6 | 24 | 4 | Y2 |
| 3 | CENVAT credit availed may be lower than CENVATABLE excise duty credited to vendor through invoice verification | 3 | 6 | 18 | 4 | G2 |

RISK STATEMENTS – FI – Examples

| S. No | Risk statement | Severity | Detectability | Impact | Risk exposure | Heat zone |
|---|---|---|---|---|---|---|
| 1 | Depreciation rates may have been incorrectly set up | 5 | 6 | 30 | 5 | R3 |
| 2 | Vendors account may not have been reconciled/ confirmed as per laid down frequency | 5 | 6 | 30 | 4 | Y2 |
| 3 | Line items (individual entries) clearing may not have been carried out in vendor accounts | 3 | 6 | 18 | 4 | G2 |

RISK STATEMENTS – Common to all functions – Examples

| S. No | Risk statement | Severity | Detectability | Impact | Risk exposure | Heat zone |
|---|---|---|---|---|---|---|
| 1 | SAP transaction authorizations granted to users may not relate to their assigned role/responsibility | 8 | 8 | 64 | 8 | R1 |
| 2 | SAP transactions may be carried out using group IDs resulting in non traceability of transactions to any specific individual (employee) | 8 | 8 | 64 | 8 | R1 |
| 3 | Audit trails (chronological log of changes) may not be reviewed/ analyzed by process owners | 5 | 8 | 40 | 7 | R3 |

Risk Registers and Heat Maps – Module wise
Using the risk impact and risk exposure scores as worked out above, all possible risk statements (like the 3 examples given for each of SD/MM/FI) need to be prepared in the form of a RISK REGISTER of many pages and ultimately, all risk statement Sr nos to be plotted on a 1 page HEAT MAP.

| RISK IMPACT | LOW RISK EXPOSURE (0 to 2) | MEDIUM RISK EXPOSURE (2 to 4) | HIGH RISK EXPOSURE (4 to 10) |
|---|---|---|---|
| HIGH (40 to 100) | Y1 | R2 | R1 |
| MEDIUM (20 to 40) | G1 | Y2 | R3 |
| LOW (0 to 20) | G3 | G2 | Y3 |

INTEGRATED INTERNAL CONTROL FRAMEWORK 101

THANK YOU
suresh _dms@rediffmail.com
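
The quantification model and heat map from the closing slides, as an added example that is not part of the original presentation: it recomputes impact as severity × detectability for the twelve example rows, looks up each heat zone, and reports any row whose recorded impact or zone disagrees with the recomputation. The band edges are read off the heat-map axes and assumed to be inclusive upper bounds; the function names, the "ALL" module label and any weights passed to `weighted_rating` are this example's own, since the slides give no weights.

```python
from bisect import bisect_left
from collections import defaultdict

# Band edges read off the heat-map axes and treated as inclusive upper bounds
# (assumption: the reading under which all twelve slide rows land in their zone).
IMPACT_EDGES = (20, 40, 100)  # LOW, MEDIUM, HIGH risk impact
EXPOSURE_EDGES = (2, 4, 10)   # LOW, MEDIUM, HIGH risk exposure

# Zone grid from the heat-map slide: rows = impact band, columns = exposure band.
ZONES = (
    ("G3", "G2", "Y3"),  # LOW impact
    ("G1", "Y2", "R3"),  # MEDIUM impact
    ("Y1", "R2", "R1"),  # HIGH impact
)

# Rows transcribed from the slides ("ALL" is this example's label for the
# "common to all functions" table):
# (module, S. No, severity, detectability, impact, exposure, heat zone)
SLIDE_ROWS = [
    ("SD", 1, 7, 8, 56, 5, "R1"),
    ("SD", 2, 4, 6, 24, 3, "Y2"),
    ("SD", 3, 2, 4, 8, 4, "G2"),
    ("MM", 1, 4, 8, 32, 6, "R3"),
    ("MM", 2, 4, 6, 24, 4, "Y2"),
    ("MM", 3, 3, 6, 18, 4, "G2"),
    ("FI", 1, 5, 6, 30, 5, "R3"),
    ("FI", 2, 5, 6, 30, 4, "Y2"),
    ("FI", 3, 3, 6, 18, 4, "G2"),
    ("ALL", 1, 8, 8, 64, 8, "R1"),
    ("ALL", 2, 8, 8, 64, 8, "R1"),
    ("ALL", 3, 5, 8, 40, 7, "R3"),
]


def weighted_rating(ratings, weights):
    """Weighted average of 1-10 parameter ratings, rounded with round().

    The slides list the parameters but no weights, so the caller supplies them.
    """
    if ratings.keys() != weights.keys():
        raise ValueError("ratings and weights must cover the same parameters")
    if any(not 1 <= r <= 10 for r in ratings.values()):
        raise ValueError("ratings must be on the 1-10 scale")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return round(sum(ratings[k] * weights[k] for k in ratings) / total)


def heat_zone(severity, detectability, exposure):
    """Return (impact, zone): impact = severity x detectability, then band lookup."""
    for name, value in (("severity", severity), ("detectability", detectability),
                        ("exposure", exposure)):
        if not 1 <= value <= 10:
            raise ValueError(f"{name}={value} is outside the 1-10 scale")
    impact = severity * detectability
    row = bisect_left(IMPACT_EDGES, impact)    # a score equal to an edge stays in the lower band
    col = bisect_left(EXPOSURE_EDGES, exposure)
    return impact, ZONES[row][col]


def audit_register(rows):
    """Recompute each row; return (heat map of serial numbers, discrepancies)."""
    heat_map, discrepancies = defaultdict(list), []
    for module, sno, sev, det, stated_impact, exp, stated_zone in rows:
        ref = f"{module}-{sno}"
        impact, zone = heat_zone(sev, det, exp)
        heat_map[zone].append(ref)
        if (impact, zone) != (stated_impact, stated_zone):
            discrepancies.append((ref, (stated_impact, stated_zone), (impact, zone)))
    return dict(heat_map), discrepancies


if __name__ == "__main__":
    heat_map, problems = audit_register(SLIDE_ROWS)
    for zone in sorted(heat_map):
        print(zone, heat_map[zone])
    print("discrepancies:", problems)
```

The boundary rows are the informative ones: impact 40 with exposure 7 is recorded as R3 and exposure 4 with impact 18 as G2, which is only consistent if a score equal to a band edge stays in the lower band.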