QUESTION 1 - SECTION B
MARK PLAN
CANDIDATE NUMBER
MARKER NUMBER
PART 3 (out of 21)
PART 4 (out of 18)
PART 5 (out of 10)
TOTAL (out of 49)

Part 3 – Additional controls

FINDING 1

1. For incomplete or invalid online registration information:
1.1. In terms of the contract with Websites 4 All, no changes may be made to the website content/formatting without the written approval of Mrs Lamb. | No unauthorised changes to the website (1) (1)
1.1.1. Before Mrs Lamb grants such approval, the site should be thoroughly tested to ensure that controls to prevent or detect errors (such as omitted information) are functioning effectively. | Changes to be tested before authorisation
1.2. The contract with Websites 4 All should also make provision for an ISAE 3402 Type B report to be provided to Mrs Lamb on a regular basis, providing assurance on the operating effectiveness of the controls relating to the website (includes input/edit checks that should be effective). | Report of operating effectiveness of website controls (incl. input/edit checks) (1)
Alternatively: A staff member from the auctioning division of Farm Solutions (Pty) Ltd should on a regular basis test the effective operation of the webpage where bidder information is captured. | Alternative: Test operating effectiveness of website
1.3. After the information from the website has been imported into the AUCTION-IT system, the system should generate exception reports of key fields that are blank or contain other data anomalies (e.g. telephone number has too many/too few digits). | Exception report of blank fields or data anomalies
1.3.1. These exception reports should be reviewed by Mr Plough prior to each auction and he should ensure that those bidders with missing/anomalous data are removed from the bidders’ list. | Exceptions report to be reviewed

2. For incomplete or invalid information on the forms completed manually:
2.1. The registration form should be designed so that it is easy to complete and specifically requires that the aspirant bidder provide proof of his identity (e.g. copy of ID) and proof of his address (e.g. utility bill). | (1) Registration form easy to complete (2) Supporting documents
2.2. Ms Furrow should (on receiving the registration form from the aspirant bidder) review each form, compare it to the supporting documents, and initial the form as evidence of this check – she can then immediately notify the person completing the form of any errors/omissions. | Registration form reviewed and compared to supporting documents
2.3. When Ms Furrow captures the data from completed registration forms on the AUCTION-IT system, the system should perform edit checks (such as missing data checks or field-size checks on telephone numbers) – for Ms Furrow to resolve before the system processes the bidder’s application (can also be done manually). | Edit checks by system upon capturing data

3. Issuing bidding paddles:
3.1. The responsibility for issuing bidding paddles should be allocated to someone other than Ms Furrow (to prevent incompatible functions being performed). | Segregation of duties for issuing paddles (1)
3.2. For online registrations, this ‘new’ employee (someone other than Ms Furrow) should request and inspect the proof of the bidder’s identity (e.g. copy of ID) and proof of his address (e.g. utility bill) and compare it to the online details. | Inspect proof of ID and address for online registrations
3.2.1 Note: The webpage should contain information specifically requesting the person registering online to bring these documents to the auction site in order to collect a bidding paddle. | Webpage should inform about required proof of ID and address
3.3. For all companies that register as bidders, the company details should first be vetted by Mr Plough (e.g. by comparing details supplied to those on the website of the CIPC) prior to bidding paddle being handed to representative from the company. | Details of company bidders to be vetted

4. Further suggestions to improve the system (which will require a redesign of the accounting system):
4.1. An amendment could be made to the company’s policies by requiring that a non-refundable deposit be paid (or bank guaranteed cheque provided) by an aspirant bidder prior to the registration process being finalised (and the bidding paddle being issued). | Require non-refundable deposits to be paid by bidders
4.2. Should certain farmers regularly buy at the company’s auctions, their personal standing data can be added to a bidder master file. Thereafter, they will still have to register for a specific auction, but their personal data can be automatically extracted from the bidder master file by the software – rather than it having to be recaptured for every auction. | Bidder master file from which information can be extracted

QUESTION 2 B MARK PLAN 2012
Marks: 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

FINDING 2

5. In terms of the contract with Websites 4 All, the service organisation should be:
5.1. Required to maintain strong access controls over all data captured on the website (e.g. strong firewalls, access granted on a least-privilege basis, other security controls such as up to date security software); | Maintain strong access controls
5.2. Prohibited from disclosing/selling this information to any third party (e.g. staff to sign confidentiality agreement); | Confidentiality agreement (1)
5.3. Instructed that only employees authorised by Mrs Lamb should be able to access or download the bidder information on website (currently Ms Furrow has such access). | Access to bidder info. on website limited (1)

6. The contract with Websites 4 All should also make provision for an ISAE 3402 Type B report to be provided to Mrs Lamb on a regular basis, providing assurance on the operating effectiveness of the controls relating to the website (mark awarded already under Finding 1). | Report of operating effectiveness of website controls (refer 1.2)

7. Ms Furrow should be instructed by Mrs Lamb that the password she uses to access the website should be:
7.1. Kept confidential at all times, and that any disclosure thereof will lead to disciplinary action | Password for website (kept confidential) (1)
7.2. (If Ms Furrow can select/change the password): be at least six characters long; comprise a mix of alphabetical and numerical characters; not be easy to guess; and be changed regularly. | Strong password, changed regularly (1)

8. The downloaded file, as well as the personal details stored on the AUCTION-IT system, should be encrypted. | Data encryption (1)

9. All hard-copy records of the bidder data (e.g. bidder register) should be destroyed (e.g. shredded) after the auction has been completed by Mr Plough. | Hard-copy records should be destroyed after auction
9.1. For as long as the records containing the personal information of bidders have to be in hard-copy format (e.g. printouts), these should be locked away securely at all times that they are not being used for company purposes by the authorised employees. | Hard-copy records securely stored

10. Access to the AUCTION-IT system and related data should be granted by Mrs Lamb on a least-privilege basis to employees who need such access. | Restricted access to AUCTION-IT system (1)
10.1. Strong password controls should be required for those employees who are granted such access to the AUCTION-IT system (see 7.2 above). | Password controls (refer 7.2)

11. Controls should be in place to ensure that the company (and its service provider) complies with POPI (the Protection of Personal Information) Act. | POPI compliance
Marks: 1 1 1 0 1 1 1 1 1 1 0 1

FINDING 3

12. To prevent Mr Plough from recording the incorrect details, a second person should also record the bidder number and final bid amount on their own copy of the lot catalogue, and these should be compared prior to capturing. (Alternatively the successful bidder could sign next to the details jotted down by Mr Plough to confirm the correctness.)
13. Batch-control totals can be computed by Mr Plough in respect of the key fields to be captured (e.g. bidder number, final bid amount, auction item number), and these should be recorded onto a batch-control sheet.
13.1. Once the page of the lot catalogue has been captured, the system should request that the batch totals on the batch-control sheet are entered by Ms Furrow.
13.2. If the control totals computed by the system do not correspond to those entered, a log of details captured should be generated for Ms Furrow to compare to the completed page of the lot catalogue – only once the necessary corrections have been made (and the control totals balance) should the batch be processed.
14. Edit checks should be applied to the data captured by Ms Furrow, i.e.:
14.1. Validity checks on the auction item numbers/bidder numbers – i.e. are they on the AUCTION-IT system?
14.2. Range/limit checks on final bid amounts input.
And a suitable exception report generated.
15. Prior to the invoices being printed, an exception report should be generated if the output is not reasonable (e.g. a lot of 10 cattle is sold for below, say, R1 000).
16. Only once the exception reports for the above two points have been investigated and resolved by, say, Mr Metcalf, should he approve the printing of the invoices.

Second person should also record bidder no. and bid amount (1) (1)
Batch-control totals can be computed (1)
Batch-control totals captured on system
Batch-control totals captured and as per system reconciled
Edit checks on data captured: (1) Validity checks (2) Range/Limit checks
Exception report (unreasonable output)
(1) Review exception reports (2) Approve invoices
Ability to capture auction data should be restricted
Log of data captured compared to lot catalogue (1)

17. The ability to capture auction data should be restricted to Ms Furrow, and after she has logged on to the AUCTION-IT system using her unique user-ID and password [this will ensure that only someone who understands how the input works captures data].
18. A log of all data captured by Ms Furrow should be generated, and this should be compared by Mr Plough to the lot catalogue he completed – and he should initial the log as evidence of this check.
19. Fixed video cameras should be installed and used to record the whole auction, and should there be any queries/disputes by bidders, the video footage should be viewed to resolve the matter. This footage should be kept for at least, say, six months after the date of the auction (until all queries have been resolved). | Video cameras to record auction
20. A report should be generated by AUCTION-IT of the total value invoiced on the day. This total should be compared (e.g. by Mrs Lamb) to the total of the final bid amounts on the lot catalogues/batch-control sheets. | Total value invoiced compared to total bid amounts on lot catalogue

General:
21. Invoices should contain the contact details of an employee at Farm Solutions (other than Mr Plough and Ms Furrow) for successful bidders to lodge their complaints regarding incorrect invoicing (which will detect mainly overstatements). | Complaints process (F2 or F3) (1)
22. Other valid observations | Other valid
Communication skills (structure and logic of answer) | Communication skills
Maximum
Marks: 1 1 1 1 1 1 1 1 1 1 1 1 1 2 1 21

Part 4 – Going concern

Part (i)

1. The audit procedures performed by the trainee to identify going concern indicators are incomplete as they are limited to ‘inspection of the board minutes and discussions with the client management and staff’ – per ISA 570.11 the auditor should ‘remain alert throughout the audit for audit evidence’ of going concern indicators (ISA 570.11).
1.1 The deficiencies in the procedures performed are further exacerbated by the fact that management integrity appears to be lacking, therefore relying on management representations would be inappropriate.
2. Accordingly, the following going concern indicators that are evident from the available audit work papers were not identified or addressed by the directors or Joe Sheep:
2.1 Problems with the invoicing of successful bidders in the auctioneering division, which will undermine profitability and cash flows.
2.2 The poor quality of service rendered (e.g. see work papers for details in respect of tax services; underperformance on the Kenphuto contract; and the negligence on the compilation engagement performed for Kool Crops (Pty) Ltd), which will:
2.2.1 Cause reputational damage to the company, and result in the loss of existing clients, and the inability to attract new clients – undermining the company’s future revenue streams; and
2.2.2 Result in legal claims relating to inferior work performed – which will have a negative effect on cash flows and profits (e.g. due to the legal costs that have to be incurred to defend the cases, and the payment of damages awarded by the court).
The company has a weak quality-control system, which is further undermined by the board’s resolution to embark on a cost-cutting strategy (e.g. terminating staff training) – and there is therefore no reason to believe that the rendering of poor quality services will change in the foreseeable future.
2.3 The unprofessional conduct of Mr McDonald and Mrs Lamb (discussed in part (a) above) will undermine the going concern ability of the company – i.e. if they are subjected to disciplinary action by SAICA, this may have a disastrous effect on the ability of the company to render professional accountancy and assurance services, a significant part of the company’s business, in future.
2.4 The granting of the loan to Mr McDonald will have a negative effect on the company’s liquidity position.
2.5 The company has taken speculative positions on commodity contracts – which exposes the company to sizeable losses and cash outflows to settle such contracts – should the commodity prices turn against the company (as has already happened once).
2.6 The liquidity ratio of the company should also have been considered as a further going concern indicator.

Part (ii)

3. The evaluation of ‘management’s assessment of the entity’s ability to continue as a going concern’ is inadequate.
3.1 As going concern indicators exist (e.g. see Table A of the work paper and point 2 above), management should specifically have been requested to make an assessment of the company’s ability to continue as a going concern (per ISA 570.16) using cash-flow forecasts, revenue and expenditure budgets covering a period of at least 12 months after reporting date.
3.2 However, no such request was made by Joe Sheep. Management’s assessment in 3.1 should have been evaluated by the auditor.
4. The written representation letter signed by Mr McDonald does not provide relevant/appropriate audit evidence, as he has not made the representations required by ISA 570.16 (e) – even though this was specified in the ‘audit approach’ column.
4.1 Moreover, the evidence is of little value as Mr McDonald is making representations that are known to be false (e.g. he states that he is ‘not aware of events or conditions that may cast doubt on Farm Solutions’ ability to continue as a going concern’).
4.2 Rather than documenting this finding as part of the audit evidence relating to the going concern assumption, the audit team member should have referred the matter to the engagement partner for further consideration (e.g. whether it constitutes a reportable irregularity to the IRBA).

Identification of going concern indicators incomplete (should not only inspect minutes and discuss with staff)
Management integrity lacking (inappropriate to rely on management’s representations)
ADDITIONAL INDICATORS:
Problems with invoicing of bidders: auctioneering
Poor quality of work leading to reputational damage and loss of clients (1)
Marks: 1 1 1 1
Poor quality of work leading to legal claims 1
Weak quality control system, cost-cutting could make worse 1
Unprofessional conduct of Mr McDonald & Mrs Lamb 1
Granting of loan to Mr McDonald 1
Speculative positions on commodity contracts (1)
Problems with liquidity ratio
Inadequate evaluation (audit work) of going concern
Management should have been requested to make a going concern assessment (using cashflow forecasts etc)
Management’s assessment in 3.1 should have been evaluated
Rep letter inadequate (does not address correct issues)
Rep letter of little value (contains false representations)
Should have referred to engagement partner (Reportable Irregularity?)
Marks: 1 1 1 1 1 1 1 1

5 Very little/no audit work has been performed to determine whether the management’s plans for future actions identified are likely to be effective in improving the situation.
5.1 No consideration was given to whether the bank overdraft facility and size of subordination of shareholders is large enough to ensure that the company’s solvency and liquidity problems will not reoccur in the foreseeable future.
5.2 No consideration was given to the findings of the audit work performed (elsewhere during the audit) on the existence of work-in-progress and the recoverability of debtors, and evaluating their impact on the company’s liquidity situation (Mrs Lamb’s statement about ‘interim billings’ to generate cash refers).
5.3 While the new charge-out rate schedule was inspected (which reflected an increase of 25% in rates), the audit team member did not perform any further audit procedures to investigate whether this will have any positive effect on the company’s cash flows/profits, especially given the statement on WP 224 ‘in order to remain competitive, the amount invoiced is often less than the balance accumulated in TIME-SOL’ (and this was before the rates were increased). (Could also check invoices after year-end to see whether they reflect the 25% increase)
5.3.1 Audit work should also have been undertaken to understand the ‘price-elasticity of demand’ – e.g. to what extent will an increase in the fees charged result in a reduction in the revenues earned?
5.4 No consideration was given to the implications of the finding that there was no staff training expenditure and a reduction in total staff costs in the first few months of the 2014 financial year of the company’s future revenues and likelihood of legal claims and related expenditures for the foreseeable future.
5.5 While it was verified that the advertising campaign had been implemented, no work was done on determining whether it was successful in attracting new clients, for whom engagements can be rendered on a profitable basis.
6 While some audit work was done on the feasibility of management’s plans for future actions, this was inadequate, for the following reasons:
6.1 While a bank confirmation was used to confirm the overdraft limit, other relevant details (such as the duration of the facility, the likelihood of its renewal and the existence of any loan covenants) were not considered.
6.2 While the subordination agreement was inspected, no audit evidence has been gathered as to whether the shareholders have committed to the subordination or whether they have the resources to do so. Further audit work is also required to consider the legal enforceability of the agreement, whether the amount subordinated is enough to cover future losses and whether the agreement is in effect for the foreseeable future (is a further letter of support required?)
6.2.1 Regarding the subordination of the loans, there is a significant risk that this was only done for the convenience of the auditor, given that Mr McDonald has already obtained an advance from the company (which negates the benefits of the subordination, and questions his own financial resources to be able to subordinate the loan).
7 Further audit procedures include:
7.1 Enquiries should be made of the company’s attorneys and/or legal advisors regarding any legal proceedings that might affect future profits and going concern.
7.2 With the permission of the specific debtor, enquiries should be made to collection/credit agencies regarding the credit quality/rating of large/long outstanding debtors.
7.3 The company’s post year end performance (for period 1 July to 30 September) should be evaluated to ascertain whether there has been improvement.
8 It is incorrect to state in the conclusion that ‘I am satisfied that use of the going concern assumption in the preparation of the financial statements is appropriate’, as:
8.1 Insufficient audit evidence has been gathered to reach this conclusion, and further audit procedures should be undertaken – i.e. it is premature to draw a conclusion based on the evidence gathered.
9 Other valid observations.
Communication skills (clarity and logic of answer)

Will management’s future actions be effective in improving situation?
Consider size of bank overdraft and shareholder loans: enough to cover?
Marks: 1 1
Consider existence of work-in-progress and recoverability of debtors 1
Is new charge-out rate reflected on invoices / improves position? 1
Will increase in fees lead to fewer clients? 1
Effect of no staff training and less staff (legal claims and other expenses) 1
Advertising campaign successful? 1
Audit work on feasibility of future actions inadequate 1
Other details regarding overdraft not considered 1
Subordination: (1) Do shareholders have resources to honour (2) Legal enforceability (3) Enough to cover future losses?
Subordination only done for auditor: Mr McDonald already obtained an advance from company
Marks: Max 2 1
Enquiries of legal advisors 1
Enquiries from collection / credit agencies 1
Evaluate post-year end performance
Incorrect conclusion on WP
Insufficient audit evidence has been obtained to draw conclusion
Other valid
Communication skills
Marks: 1 1 1 1 1
Maximum 18

PART 5 – Compilation

1. Allegation re taking no action re incomplete sales
1.1. By failing to take any action after realising that the sales in Kool Crops (Pty) Ltd’s accounting records were incomplete, Sue Straw (and Mr McDonald) did not adhere to the requirements of ISRS 4410 (revised) – the Standard which applies to this engagement.
1.2. Specifically, in terms of ISRS 4410.32, if the practitioner becomes aware that records provided by management for the compilation engagement are incomplete, inaccurate or otherwise unsatisfactory, he shall bring that to the attention of management and request the additional or corrected information. However, this was not done.

2. Allegation re use of ‘generally accepted accounting practice’ as financial reporting framework
2.1. In terms of regulation 27 of the Companies Regulations, 2011, the financial reporting standard to be used in the compilation of the financial statements of a ‘profit company’ (such as Kool Crops (Pty) Ltd) is either IFRS or IFRS for SMEs (if the company falls within its scope) – ‘generally accepted accounting practice’ is not acceptable.
2.2. Prior to accepting the engagement, the client (Kool Crops (Pty) Ltd) should have been informed that the engagement cannot be accepted unless agreement is reached on the ‘applicable financial reporting framework’ – which would be either IFRS or IFRS for SMEs. Given that the financial statements are not prepared in terms of either, this could not have been done.

3. Allegation re inappropriate person signing the compilation report
3.1. Per ISRS 4410.40 (l) the compilation report has to be signed by ‘the practitioner’.
3.2. Per ISRS 4410.17 (f) ‘practitioner’ is defined as the professional accountant in public practice who conducts the compilation engagement. However, this term includes the engagement partner or other members of the engagement team. Where the ISRS expressly intends the engagement partner to fulfil a requirement, it shall be stated as such. Therefore, in terms of ISRS 4410, there is no problem with Sue Straw signing the compilation report.

4. Mr McDonald’s being on holiday
It is of concern that Mr McDonald was on holiday at the time of signing the report, which may mean that he did not take responsibility for the ‘overall quality of each compilation engagement to which that partner is assigned’ – a requirement per ISRS 4410.23 (a).
4.1. This will specifically constitute negligence on the part of Mr McDonald should:
4.1.1. Sue Straw not have any or little experience in the compilation of financial statements, and
4.1.2. no one else suitable have been assigned to direct, supervise or review her work.

5. Regulation 26 of the Companies Regulations, 2011
5.1 In terms of this regulation, in order to meet the client’s requirement that the financial statements be ‘independently compiled’, the financial statements should be prepared, amongst others by an independent accounting professional – i.e. a Registered Auditor, Chartered Accountant (SA), or someone who is qualified to be appointed as the accounting officer of a close corporation.
5.1 Given the lack of Mr McDonald’s involvement, if Sue Straw is not an independent accounting professional, this requirement may not be satisfied (legal advice will have to be obtained).

6. Legal standing of minority shareholder
6.1. As the minority shareholder will not be a party to the engagement letter, she will have to first prove a delictual claim against Farm Solutions (Pty) Ltd before being able to proceed with the case of negligence.

7. Conclusion
7.1. On the basis of the foregoing, there is evidence to believe that Farm Solutions (Pty) Ltd was negligent in the performance of its duties due to the non-adherence by staff of Farm Solutions (Pty) Ltd to the requirements of the applicable professional standards and regulations.
7.2. However, before the minority shareholder can sue Farm Solutions (Pty) Ltd, she will have to prove that all the other conditions for a delictual claim are satisfied (including that she suffered damage as a direct result of the negligence of Farm Solutions).

Should have taken action: incomplete sales (Apply) 1
ISRS 4410: incomplete records be brought to management attention and corrected (Principle) 1
Companies Act requires IFRS or IFRS for SMEs, cannot use GAAP (Principle) 1
Engagement should not be accepted until acceptable framework decided upon (Apply)
ISRS 4410: Report signed by practitioner (Principle) 1
Acceptable that Sue Straw signs report (Apply) 1
Concern that Mr McDonald on holiday: did he take responsibility of overall quality? 1
Negligence if: (1) Sue Straw little experience (2) No one else supervising 1 1
For FS to be independently compiled: must be done by independent accounting professional (IAP) 1
Is Sue Straw an IAP? (if Mr McDonald not involved) 1
Minority shareholder not party to engagement letter 1
Conclusion: there was negligence 1
Will have to prove delict 1
Maximum
Marks: 1 10