4 th Nexia International Audit Forum Equipping you to achieve quality

44thth Nexia International Audit Forum Nexia International Audit Forum

Equipping you to achieve qualityEquipping you to achieve quality

Welcome and outline of dayWelcome and outline of day

Felix LozanoFelix Lozano

Outline of day8.45 - 9.00 Audit committee update9.00 – 9.30 Nexia audit tools9.30 – 10.30 Options A and B10.30 – 11.00 Coffee11.00 – 12.30 Options C and D12.30 – 13.30 Lunch13.30 – 14.45 Winning clients the Nexia way14.45 – 15.00 Closing remarks15.00 Close

Audit Committee updateAudit Committee update


Nexia Audit ToolsNexia Audit Tools

Yvonne LangYvonne Lang

Nexia Audit Tools

• Nexia International Quality Assurance Manual

• Independence protocols within the network

NEXIA INTERNATIONAL QUALITY ASSURANCE

MANUAL

Nexia International Quality Assurance Manual• Why have a quality assurance manual?

• What should it include?

• Using existing material

• Preparing your manual – the Nexia template

Why have a quality assurance manual?• Nexia is a quality brand

• Nexia members are quality firms

• ‘Tone at the top’ is vital in a quality firm

• Communication of quality is essential in a quality culture

ISQC 1• Mainly addresses whole firm procedures• Nexia expects members as a minimum to have ISQC 1

compliant policies and procedures

• Para 94 ‘The firm should establish policies and procedures requiring appropriate DOCUMENTATION to provide evidence of the operation of each element of its system of quality control’

What should the manual include?

• Policies and procedures

• Example documents or cross-references thereto

What should the manual include?• Leadership responsibilities• Ethical requirements• Acceptance and continuance of engagements• Human resources• Engagement performance• Monitoring of quality

Using existing material

• Established manuals – use Nexia manual as checklist

• Requirements addressed in operational manuals – include in manual by cross-reference

• No re-writing for the sake of it!

The Nexia template• Blank template

– Use to record your procedures

• Preparers guide– Further guidance and ISQC 1 checklist

• Example manual– Helping you visualise your manual– IT IS A GUIDE ONLY – NEXIA DOES NOT EXPECT YOU

TO HAVE THESE SPECIFIC POLICIES AND PROCEDURES

Where are the templates?

• Members area of the website

• Audit and assurance

• Quality manuals

NEXIA INDEPENDENCE PROTOCOLS

Independence protocols

• Background

• What is required?

• Dealing with potential conflicts

Background• IFAC Code of Ethics• Extension of independence requirements to

‘network’ members• Nexia meets definition of network• Specific requirements vary from country to

country

Extension of independence enquiries to other Nexia members• Where they are auditors

– Use the Nexia group audit instructions

• Where they are not the auditors– Enquiries of client as to possible services– Enquiries of relevant members

Tools to help you

• Nexia independence guide

• Acceptance and reappointment checklist

Conflicts of interest

• If possible, resolve locally

• Direct to Nexia International Secretariat

OptionsOptions

Option AOption A

Risk Based Audit Standards & Electronic Risk Based Audit Standards & Electronic Tools in Documenting RiskTools in Documenting Risk

George DakisGeorge DakisPartnerPartnerNexia ASR MelbourneNexia ASR Melbourne

Overview

1. Audit Risk Model

2. Risk Based Audit Standards

3. Understanding the Client and Documenting Risk

4. Considering the Risk of Fraud

5. The Auditors Response to Risk

6. Audit Evidence, Risk and Assertions

7. Tools to Document Risk

- Combined Risk Assessment- Risk Matrix- Caseware and Risk Documentation

8. Paperless Audit, Myth or Fact?

1. Audit Risk Model1. Audit Risk Model

1. Overview of Audit Risk Model

- Audit risk is the risk that the auditor will give an inappropriate audit opinion when the financial report is materially misstated.

- Before issuing an opinion on the financial report, the auditor needs to reduce audit risk to an acceptable level to ensure the opinion is reliable.

1. Audit Risk Model

1. Overview of Audit Risk Model (cont…)

- An auditor reduces audit risk by performing audit procedures until there is sufficient appropriate evidence for each assertion of each significant transaction class or account balance to provide reasonable assurance that the financial reports are not materially misstated.

- The audit risk model focuses audit effort on those classes of transactions or balances (and the particular assertions) that are likely to contain material misstatements.

1. Audit Risk Model

2. Three components of audit risk Refer ISA 200

- Inherent risk (IR):Susceptibility of an assertion to material misstatement given inherent and environmental characteristics, but without regard to prescribed control procedures.

- Control risk (CR): Risk that material misstatement might not be prevented or detected by internal control procedures.

- Detection risk (DR): Risk that auditors’ substantive procedures will lead auditor to conclude no material misstatement exists when, in fact, one does.

1. Audit Risk Model

1. Audit Risk Model

3. Reducing Audit Risk

- Auditors cannot change inherent risk.

- Auditors cannot directly change control risk. An auditor can obtain evidence to support an assessed level of control risk less than high (expect to rely on internal control) by examining control environment, risk assessment process, information system, control activities and monitoring of controls, and testing their effectiveness.

1. Audit Risk Model

3. Reducing Audit Risk (cont…)

The level of detection risk is the level an auditor can pull to reduce audit risk by:

- Appropriate planning, direction, supervision and review

- Decisions on the nature, timing and extent of audit procedures

- Effective performance of procedures and evaluation of results

1. Audit Risk Model

1. Audit Risk Model

4. Inter-relationship Between Business and Audit Risk

Business Risk is defined as:

“The risk that an entity’s business objectives will not be obtained as a result of external and internal factors,

pressures and forces brought to bear on an entity and, ultimately, the risk associated with the entity’s survival

and profitability.”

- Requires extensive knowledge of client’s business and industry.

1. Audit Risk Model

1. Audit Risk Model

2. Risk Based Audit Standards2. Risk Based Audit Standards

- Key new standards have been released which change the way risk assessments are carried out.

- ISA 315, 330 and 500 are they key standards

- Broadly speaking, the audit risk model has been replaced by a business risk method of assessing risk

2. Risk Based Audit Standards

3.3. Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement

ISA 315 deals with 5 key issues:

1. Risk assessment procedures, including internal controls

2. Understanding the entity and its environment, including internal controls

3. Assessing the risks of material misstatement, including identifying significant risks

4. Communicating with management regarding weaknesses in controls

5. Documenting the work done

3. Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement

1. Risk Assessment Procedures

Perform the following risk assessment procedures to obtain an understanding of the entity, its environment, and its controls:

a) Inquiries of management/staff

b) Analytical procedures

c) Observation and inspection


1. Risk Assessment Procedures (cont…)

• The members of the audit team should discuss the susceptibility of the entity’s financial report to material misstatements


2. The entity and its environment, including internal controls

You need to obtain an understanding of:

• relevant industry, regulatory, and other external factors including the applicable financial reporting framework; and

• the nature of the entity.


2. The entity and its environment, including internal controls (cont…)

• Understand the entity’s accounting policies and consider whether they are appropriate and consistent with the applicable financial reporting framework and the industry.



• Obtain an understanding of the entity’s objectives and strategies, and the related business risks that may result in material misstatements.



• Obtain an understanding of the measurement and review of the entity’s financial performance.



• Obtain an understanding of internal control relevant to the audit.

• Refer page 13.

• Obtain an understanding of the control environment



• Obtain an understanding of the entity’s process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.



• Obtain an understanding of the information system relevant to financial reporting, including:- The significant classes of transactions- The procedures by which those transactions are initiated, recorded, processed & reported- The related accounting records- How the information system captures events and conditions that are significant to the financial report- the financial reporting process used to prepare the financial report



• Understand how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting



• Obtain a sufficient understanding of control activities to assess the risks of material misstatement at the assertion level and to design further audit procedures responsive to addressed risks



• Obtain an understanding of how the entity has responded to risks arising from IT

• Understand the major types of activities that the entity uses to monitor and correct controls


3. Assessing the Risk of Material Misstatement

• Using the information obtained thus far, identify and assess the risks of material misstatement at the financial report level and at the assertion level for classes of transactions, account balances and disclosures


3. Assessing the Risk of Material Misstatement (cont…)

• As part of the risk assessment, determine which of the risks identified are risks that require special audit consideration (such risks are defined as ‘significant risks’)



• For significant risks, evaluate the design of the entity’s related controls and determine whether they have been implemented



• As part of the risk assessment, evaluate the entity’s controls over those risks for which it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures


4. Communicating with Management

• Make those charged with governance / management aware as soon as practicable, of material weaknesses in internal control


5. Documentation

• Matters to be documented include:- Discussions amongst the audit team; e.g. in relation to likely material misstatements- Key elements of the understanding obtained of the entity, including each of the internal control components, and the risks of material misstatements- The assessed risk of material misstatement at the financial report and assertion level- risk areas where substantive procedures were considered not

to provide sufficient evidence, and the related controls evaluated


4.4. Considering the Risk of Fraud


1. Responsibilities of the auditor

2. Risk assessment procedures

3. Evaluation of audit evidence

4. Communication with management


1. Responsibilities of the Auditor

• Obtain reasonable assurance that the financial report is free from material misstatement due to fraud


2. Risk Assessment Procedures

• Consider the risk of fraud as part of your risk assessment procedures

• Next step is to assess the risk of material misstatement due to fraud at the financial report and assertion level (balances, transactions, disclosures)


2. Risk Assessment Procedures (cont…)

• Then determine how to respond to those risks and design and perform appropriate procedures


3. Evaluation of Audit Evidence

• Evaluate whether your risk assessment in relation to fraud remains appropriate

• Consider whether any misstatements found are indicative of fraud


3. Evaluation of Audit Evidence (cont…)

• Consider whether concluding analytical procedures indicate a previously unrecognised risk of fraud

• Obtain management representations in relation to fraud


4. Communicate with Management

• Communicate with management and / or the governing body if fraud is identified or indicated


5.5. The Auditors Response to Risk


1. Audit procedures responsive to risks of material misstatement at the assertion level

2. Evaluating the sufficiency and appropriateness of audit evidence obtained

3. Documentation


1. Audit Procedures Responsive to Risks

• Design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risks at the assertion level

• Choice of two approaches – see diagram on pg 24


1. Audit Procedures Responsive to Risks (cont…)

• In determining the audit procedures, consider inherent and control risk, as this will affect the procedures selected. For example, if inherent risk is low for a particular account, then analytical procedures may be considered sufficient



• When your assessment of risk of material misstatement at the assertion level includes an expectation that controls are operating effectively, you perform tests of controls to obtain evidence that this was the case



• Where it is not possible to reduce the risks of material misstatement to an acceptably low level only via substantive procedures, tests of control should be performed



• When you obtain audit evidence about the effectiveness of controls during an interim period, you should determine what additional evidence should be obtained for the remaining period



• Irrespective of the assessed risk of material misstatement, you should design and perform substantive procedures for each material class of transactions, account balance and disclosure


2. Evaluating Audit Evidence

• Conclude whether sufficient, appropriate audit evidence has been obtained to reduce to an acceptably low level, the risk of material misstatement in the financial report


3. Documentation

• Document the overall responses to address the assessed risks, the further audit procedures, the link of those procedures with the assessed risks at the assertion level, and the results of audit procedures


6.6. Audit Evidence, Risk and Assertions


1. Concept of Audit Evidence

2. Sufficient appropriate audit evidence

3. The use of assertions in obtaining evidence

4. Audit procedures for obtaining audit evidence


1. Concept of Audit Evidence

• Obtain sufficient appropriate audit evidence to draw reasonable conclusions on which to base the audit opinion


2. Sufficient, Appropriate Audit Evidence

• When you use information produced by the entity, obtain evidence about the accuracy and completeness of the information


3. The use of Assertions

• Use assertions for classes of transactions, account balances and disclosures in sufficient detail to form a basis for the assessment of risks of material misstatement and the design and performance of further audit procedures

• See pg 4 for the new audit assertions


3. The use of Assertions (cont…)

• Directors and managers make assertions (embodied in the financial report) when they present a financial report

• Auditors use these assertions to assess risks by considering different types of potential misstatements that may occur and designing audit procedures in response to risks

• There are three categories of assertions:- Classes of transactions and events- Account balances- Presentation and disclosure



Assertions about classes of transactions and events for the period under audit:

• Occurrence – transactions and events that have been recorded have occurred and pertain to the entity

• Completeness – all transactions and events that should have been recorded have been recorded

• Accuracy – amounts and other data relating to recorded transactions and events have been recorded appropriately

• Cut-off – transactions and events have been recorded in the correct accounting period

• Classification — transactions and events have been recorded in the proper accounts



Assertions about account balances at the period end:

• Existence – assets, liabilities and equity interests exist• Rights and obligations – the entity holds or controls the rights to

assets, and the liabilities are the obligation of the entity• Completeness – all assets, liabilities and equity interests that

should have been recorded have been recorded• Valuation and allocation – assets, liability and equity interests

are included in the financial report at appropriate amounts and any resulting valuation adjustments are appropriately recorded



Assertions about presentation and disclosure:

• Occurrence and rights and obligations – disclosed events, transactions and other matters have occurred and pertain to the entity

• Completeness – all disclosures that should have been included in the financial report have been included

• Classification and understanding – financial information is appropriately presented and described, and disclosures are clearly expressed

• Accuracy and valuation – financial and other information is disclosed fairly and at appropriate amounts


3. The use of Assertions (cont…)(Inventory)


Financial report assertion

Illustrative audit objectives

Existence • Inventories included in the balance sheet physically exist.• Inventories represent items held for sale in normal course of business.

Completeness • Inventory quantities as per the accounting records include all products, materials and supplies owned by the company that are on hand.

• Inventory quantities include all products, materials and supplies owned by the company that are in transit or stored at outside locations.

Rights & Obligations • The company has legal title or similar rights or ownership to the inventories.• Inventories exclude items billed to customers or owned by others.

Valuation & Allocation • Inventories are properly stated at cost (except when the net realisable value is lower).• Slow-moving, excess, defective and obsolete items included in inventories are properly

identified and value.


• The key issue when using a combined approach is:

- How do you link your tests of controls to substantive tests in order to reduce the extent of the latter?



Tests of controls can be linked to substantive tests using audit assertions

• Accuracy and cut-off links to valuation and allocation

• Occurrence links to existence and rights and obligations

• Completeness links to completeness



Example:

• If sales are accurate and cut-off is appropriate, we have evidence that debtors are properly valued and allocated

• If sales occurred, we have evidence that debtors exist


4. Audit Procedures

• Audit programs should be driven by assertions

• Risk profile of account balance or transaction should be assertion focused

• No mandatory requirements

• Standard discusses different types of procedures, e.g. inspection of documents, recalculation of amounts, CAATs etc


7.7. Tools to Document Risk

1. Combined Risk Assessment

• Refer to APPENDIX A


2. Risk Matrix

• Refer to APPENDIX B


3. Caseware and Risk Documentation

• See example caseware file on screen


8.8. Paperless Audit, Myth or Fact?

• See example of caseware file on screen

8. Paperless Audit, Myth or Fact?

QuestionsQuestions

Risk Based Audit Standards & Electronic Risk Based Audit Standards & Electronic Tools in Documenting RiskTools in Documenting Risk

George DakisGeorge DakisPartnerPartnerNexia ASR MelbourneNexia ASR Melbourne

COFFEECOFFEE

Option COption C

Audit quality considerations on Audit quality considerations on the smaller engagementthe smaller engagement

Michel Girbes and Anton Lewis

Agenda1. Ethical requirements

2. Acceptance and continuance of client relationship

3. Fraud

4. Engagement performance

5. Monitoring with respect to audit engagements

Ethics on the “small” entity audit

The audit specific requirements that require documentation on the audit file are:

• Independence

• Professional competence

• Time and fees budget

• General

Engagement performance

Small Entity Characteristics

The presence of small entity characteristics provides additional context for

our understanding of the entity with regard to the significance and

relevance of the entity’s circumstances as well as the nature and extent of

the audit procedures to be performed on the entity.

Refer Schedule 1 for an example of a Small Entity Characteristics

Checklist that can be used in assisting the auditor to determine whether an

entity can be classified as “small”.

Acceptance and continuance of clients - New clients (1)• We need new clients for the continuation of our

own business• So, can we accept without research on clients?• Answer, no

New clients (2)

• Is there more (audit) risk in smaller engagements?• If so - how do you mitigate that risk?

New clients (3)

Before accepting a new client we have a client

acceptance checklist with the following questions:

1. Can the assignment be done in the right period?

2. Is there any specific legal requirement/law which could be in the way during our audit work?

3. Do we have enough staff with knowledge and experience?

New clients (4)

4. There is no need to use external knowledge

5. The former auditor has no reasons to inform you not to accept the assignment

6. The appraisal of acceptance has lead to contact with the compliance officer

New clients (5)

7. The client and the shareholders are identified

8. The integrity the engagement giver (management/shareholders) gives no reason for not accepting the engagement

New clients (6)

For question 8 think about:- Identity the business reputation- Type of work- Attitude owners/decision makers with respect to

the internal control and audit work

New clients (7)

- Attitude owners/decision makers with respect to audit standards

- Effort client makes to reduce the audit fee- Reason why your office has been chosen- Indication of ‘whitewash’ practice

New clients (8)

9. No problems with the morality of the client

10. The management has no problem in complying with laws and standards.

11. There is no delay with respect to tax return(s) and there are no discussions with the tax authority

New clients (9)

12. There are no major changes in personnel

13. There has not been fraud by management or personnel or there are insufficient procedures to prevent such fraud

14. There is no regular change of accountants/advisers during the last 5 years

New clients (10)

15. There is not a complex information system

16. In the past there was no extreme failure in the EDP environment with loss of data

17. There is no restriction in the assignment

18. There are no essential shortages in the ao/ic in respect of source documents

New clients (11)

19. There is no possibility of collusion within the organisation or with third parties

20. The work of the auditor is subject to limitation in scope

New clients (12)

Conclusion

- We can accept or decline the client

Continuation of clients (1)• Why should we look at clients we already

accepted?• Clients are dynamic just like us!

Continuation of clients (2)• The checklist is not identical to the checklist for

new clients, there are some additional questions

Continuation of clients (3)

1. Does the fee compare with the minimum required audit quality

2. Does the client meet with the payment schedule

3. There are no circumstances for not continuing the relationship

4. Client has been identified as complying with the standards

Continuation of clients (4)

Practical tips- Look on the internet, search for example for

GIRBES

• Chamber of commerce

• Network

• Other auditors

Independence (1)• To accept or to continue a client relationship you

must look at your independence• Checklist for independence

Independence (2)

1. Fee ratio between fee and total income of the office

2. Fee ratio audit and other services

3. There is not a substantial amount receivable (>60 days)

Independence (3)

4. There are no problems to show fee is adequate

5. There are no problems expected for not changing the auditor?

6. The fee does not depend on outcome of several components

Independence (4)

7. There is no financial dependency on the client

8. The relationship is business only

9. None of the audit team members have done administrative work for the client

Independence (5)

10. There is no (material) conflict between the audit organisation and the client

11. There is no reason to assume that one of the audit team members is going to work for the client

12. An audit team member has changed his/her career to the client

Independence (6)

13. There are no financial obligations to this client

14. The audit firm makes no decisions and is not involved in the decision process of the client

15. An employee of the audit firm is not a member of the management board or supervisory board

Independence (7)

16. A member of the audit team has not worked for client in the past 2 years

17. There are no family relations between employees of the audit firm and the client (management level)

18. There is no risk of self review

Independence (8)

19. There are no legal proceedings between the audit firm and the client

20. There are no other services such as:– Implementation of financial information systems

– administrative services

– valuation/impairment

– internal control

– legal services

– recruitment higher level financial staff

Independence (9)

21. In the conditions of employment are sanctions mentioned regarding independence

22. Only independent audit staff has access to the audit files

23. There are no parts that need more attention with respect to independence

Independence (10)

24. Due to the independence check the audit team is changed

25. Some changes of work allocation between the members of the audit team

26. The independence treatments are discussed with the compliance officer

27. The independence treatments are discussed with the management of the client

Fraud (1)• What is a definition of fraud?• Is this fraud?

Fraud (2)Is this fraud?

-your personell works on saturday morning

-with your permission?

Fraud (3)

Fraud (4)I would like to define fraud as follows:

• Fraud is the deliberate taking or receipt of money/material by an individual or company without a legal right thereto

Fraud (5)

Different frauds:- Fraud by management- Fraud by personnel

Fraud (6)• Who is responsible for fraud?• The person/entity who commits fraud

Fraud (7)• Who is responsible to prevent fraud?• Management• There must be enough fraud detection controls

Fraud (8)• Motivation of management ?• Attitude management towards internal control• Behavior of management• Industry characteristics• Operation characteristics• Reporting standards

Fraud (9)

Motivation of management ?

1. Management’s remuneration depends on reported financial results

2. Management does not use illegal tax constructions

3. Management has no aggressive attitude towards financial reporting standards

Fraud (10)

Attitude of management towards internal control

4. There is no ineffective communication and support of code of ethics

5. There is no lack of policy regarding conflict of interest

6. Decisions are not dominated by one person (or small group)

Fraud (11)

7. There is no negative attitude towards legal authorities

Fraud (12)

Behavior of management

8. There are only experts involves with financial reporting

9. There is not a high change in personnel at senior level

10.There is not a tense relationship between (former) auditor and client

Fraud (13)

11. There is no unreasonable pressure on the audit team

12. There are no attempts to limit the audit scope

Fraud (14)

Industry characteristics

13.There are no new reporting standards

14.There is no strong competition

15.There are not many bankrupts

16.There are no quick changes in the industry

Fraud (15)

Operation characteristics

17.There are reasonable profits

18.There is a stable cash flow/profit

19.There is no need for a capital injection

Fraud (16)

20. There is no use of tax havens

21. There is not an overly complex structure

22. There is no strong liability of credit

23. There is not an unhealthy quick growth

Fraud (17)

Reporting standards

24.No important transactions between related companies

25.No unusual or complex (large) transactions

26.There are no disqualified or incompetent personnel on financial key positions

Fraud (18)

27. There are no differences between subsidiary and general ledger

28. The goods are not small and expensive

29. There is not a large cash position

30. There are no control weaknesses

Fraud (19)

31. The bookkeeping is sufficient

32. There is an adequate administrative organisation and internal control

33. There is no personnel who does not take a holiday

Engagement performance (1)• Quality of team• Quality of client• Post audit meeting

Engagement performance (2)• Client questionnaire• Discussion

Audit Planning (1)The following documentation MUST exist, even if on a reduced level, on

all “small” entity audits:

Discussions with the client (refer schedule 2 for example)

Minutes of all meetings with the client must be documented. Items

addressed in these meetings would include:

a. Significant events that may have occurred during the period under review.

b. General overview on the financial results for the period under review.

c. Discussion on the susceptibility of the financial statements being materially misstated due to fraud or error.

d. Confirmations of the terms of engagement

e. Staffing, fees, and other logistical issues.

Audit Planning (2)Discussion within the audit team (Refer schedule 3 for example)

Minutes of all meetings that occurred throughout the audit within the audit team

must be documented. Items addressed in these meetings would include:

a. Significant events that may have occurred during the period under review.

b. General overview on the financial results for the period under review.

c. Team discussion on the susceptibility of the financial statements being materially misstated due to fraud or error.

d. Team discussions on other risks identified that could result in the financial statements being materially misstated.

e. Audit approach and any alterations to the approach.

f. Staffing, budgets and other logistical issues, if any.

Audit Planning (3)

Knowledge of the business (refer Schedule 4 for example)

The main items to be covered in obtaining knowledge of the business include:

a. A brief history and background of the entity.

b. An understanding of the industry in which the entity operates.

c. Nature of the entity.

d. Objectives, strategies and business risks of the entity.

e. Key decision makers (and any changes made to key decision makers).

f. Are there any special reporting characteristics (deadlines, profit share arrangements etc).

Audit Planning (4)Risk Assessment

The following will be taken into account when assessing risk at the planning stage:

a. The knowledge of the Business (refer above)

b. The planning ratio analysis

c. Overall Risk Assessment (refer schedule 5 for example)

d. Risk assessment at assertion level (refer schedule 6 for example)

Audit Planning (5a) Overall Risk Assessment

The overall risk assessment schedule should cover the following on the entity:

• The Business environment – The business environment risks includes possible changes to services or products,

any liquidity or solvency concerns, reliance on major customer or supplier.

• Sector and general economy– These risks include any technological change in the entity’s sector, whether the entity

is a primarily cash based business; assets of the entity are susceptible to manipulation or theft.

Audit Planning (5b) • Directors, management and staff

– These risks include any significant changes to management, bonus plans to key staff members, and unusual pressures on key staff such as tight reporting deadlines.

• Financial reporting– These risks include history of significant audit adjustments, instances of fraud in the past, history of

qualified audit reports and new accounting policies.

• It is important to document that you have considered the overall risk assessment of the entity under each of the above categories, although in many instances the above items may be not applicable in small entities.

• A conclusion on whether the overall risk of the company is high, medium or low needs to be made and documented.

Audit Planning (6)Materiality (refer schedule 7 for example)

Materiality must be calculated on the appropriate bases for the entity. (E.g.

total assets would be an appropriate basis for a property owning

company)

Sample Sizes

Each firm will set their standard sampling methodology and sample sizes.

The sample sizes selected for testing will depend on the risks associate with the entity and its classes of transactions and account balances.

Audit Planning (7a)

Understanding and Documenting the Accounting and Internal Control Systems

• It is very important to understand and document the entity’s accounting and

internal control systems, regardless of the size of the entity. Typical cycles that

MAY exist in “small” entity’s are: • Revenue / Receipts cycle• Purchases / Payments cycle• Payroll / Personnel cycle• Stock / Production cycle• Finance / Investment cycle

Audit Planning (7b)For each system, identify the functions that are performed within each cycle to

authorise, record and safeguard assets.

Identify the control objectives for each function, which are as follows:

• Validity

• Authorisation

• Completeness

• Accuracy

• Recording

• Classification

• Cut-off

Document any specific computer programmed controls on which reliance may be

placed.

Audit Planning (8a)

Tests and Evaluation of Control Environment

The internal control systems must be reviewed to determine whether reliance can possibly be placed on them by:

• Discussion with management and client personnel• Review of the client’s system descriptions and flowcharts• Knowledge obtained in prior years• System walk through tests• Inspection of source documentation• Observation of activities

Audit Planning (8b)

Preliminary assessment findings on “small” entity audits OFTEN indicate one of the following (due to their nature normally being relatively unsophisticated):

• The control environment is unsatisfactory

• Previous experience indicates reliance on controls is not justified

• The general controls in the computer environment are weak / strong

• Low volumes of transactions

• Nature of the assets makes substantive testing more cost-effective

Due to the above, often on “small” entity audits no reliance is placed on internal controls and a substantive audit approach is adopted.

Audit Planning (8c)• Should reliance be placed on the systems, then tests of control must be designed and

performed.

• These tests of controls should determine whether the controls are properly designed to detect misstatements due to fraud and / or errors, and that they functioned properly throughout the whole period of reliance.

• Where reliance on a control is justified, the effect on reducing the substantive procedures must be recorded.

• Where reliance is not placed on a control, the effect on increasing the substantive procedures must be recorded.

• Any weaknesses should be recorded for reporting to management.

Audit Planning (9)Audit Approach

As mentioned above often where an entity has been classified as small in nature, limited internal controls exist and often the auditor does not expect to be able to place reliance on those that do exist. This will result in a substantive based audit approach being the most effective approach for the client. Standard substantive audit procedures, tailored in respect of their nature, timing and extent as a result of the risks identified during the planning stage of the audit should be adopted.

Where reliance on internal controls is taken then regardless of the size of the entity, a combination of tests of control and reduced substantive testing will be the most effective approach for the client. Standard substantive audit procedures, tailored in respect of their nature, timing and extent as a result of the risks identified during the planning stage of the audit should be adopted.

As mentioned previously “small” audits often don’t warrant reliance on internal controls and a substantive approach is often the most efficient approach.

Audit fieldwork

• Where a substantive approach is taken, depending on the risks identified:

• a “coverage” sample size must be determined to audit ALL material balances in the financial statements; and

• detailed transactions must be vouched, again based on the \sample size selected.

Audit completionAudit procedures must be performed on the following:

• Related party balances and transactions

• Going concern

• Subsequent events

• Contingencies and commitments

In addition to the above, a management representation letter

must be obtained from the client, and a management letter

issued to the client giving details of any weaknesses identified

during the audit.

Audit quality considerations on Audit quality considerations on the smaller engagementthe smaller engagement

Michel Girbes and Anton Lewis

LUNCHLUNCH

Closing remarksClosing remarks


Documents

4 th Nexia International Audit Forum Equipping you to achieve quality