4th Nexia International Audit Forum
Equipping you to achieve quality
Welcome and outline of day
Felix Lozano
Outline of day
8.45 – 9.00 Audit committee update
9.00 – 9.30 Nexia audit tools
9.30 – 10.30 Options A and B
10.30 – 11.00 Coffee
11.00 – 12.30 Options C and D
12.30 – 13.30 Lunch
13.30 – 14.45 Winning clients the Nexia way
14.45 – 15.00 Closing remarks
15.00 Close
Audit Committee update
Felix Lozano
Nexia Audit Tools
Yvonne Lang
Nexia Audit Tools
• Nexia International Quality Assurance Manual
• Independence protocols within the network
NEXIA INTERNATIONAL QUALITY ASSURANCE MANUAL
Nexia International Quality Assurance Manual
• Why have a quality assurance manual?
• What should it include?
• Using existing material
• Preparing your manual – the Nexia template
Why have a quality assurance manual?
• Nexia is a quality brand
• Nexia members are quality firms
• ‘Tone at the top’ is vital in a quality firm
• Communication of quality is essential in a quality culture
ISQC 1
• Mainly addresses whole firm procedures
• Nexia expects members as a minimum to have ISQC 1 compliant policies and procedures
• Para 94 ‘The firm should establish policies and procedures requiring appropriate DOCUMENTATION to provide evidence of the operation of each element of its system of quality control’
What should the manual include?
• Policies and procedures
• Example documents or cross-references thereto
What should the manual include?
• Leadership responsibilities
• Ethical requirements
• Acceptance and continuance of engagements
• Human resources
• Engagement performance
• Monitoring of quality
Using existing material
• Established manuals – use Nexia manual as checklist
• Requirements addressed in operational manuals – include in manual by cross-reference
• No re-writing for the sake of it!
The Nexia template
• Blank template
– Use to record your procedures
• Preparer’s guide
– Further guidance and ISQC 1 checklist
• Example manual
– Helping you visualise your manual
– IT IS A GUIDE ONLY – NEXIA DOES NOT EXPECT YOU TO HAVE THESE SPECIFIC POLICIES AND PROCEDURES
Where are the templates?
• Members area of the website
• Audit and assurance
• Quality manuals
NEXIA INDEPENDENCE PROTOCOLS
Independence protocols
• Background
• What is required?
• Dealing with potential conflicts
Background
• IFAC Code of Ethics
• Extension of independence requirements to ‘network’ members
• Nexia meets definition of network
• Specific requirements vary from country to country
Extension of independence enquiries to other Nexia members
• Where they are auditors
– Use the Nexia group audit instructions
• Where they are not the auditors
– Enquiries of client as to possible services
– Enquiries of relevant members
Tools to help you
• Nexia independence guide
• Acceptance and reappointment checklist
Conflicts of interest
• If possible, resolve locally
• Direct to Nexia International Secretariat
Options
Option A
Risk Based Audit Standards & Electronic Tools in Documenting Risk
George Dakis
Partner
Nexia ASR Melbourne
Overview
1. Audit Risk Model
2. Risk Based Audit Standards
3. Understanding the Client and Documenting Risk
4. Considering the Risk of Fraud
5. The Auditor’s Response to Risk
6. Audit Evidence, Risk and Assertions
7. Tools to Document Risk
- Combined Risk Assessment
- Risk Matrix
- Caseware and Risk Documentation
8. Paperless Audit, Myth or Fact?
1. Audit Risk Model
1. Overview of Audit Risk Model
- Audit risk is the risk that the auditor will give an inappropriate audit opinion when the financial report is materially misstated.
- Before issuing an opinion on the financial report, the auditor needs to reduce audit risk to an acceptable level to ensure the opinion is reliable.
1. Overview of Audit Risk Model (cont…)
- An auditor reduces audit risk by performing audit procedures until there is sufficient appropriate evidence for each assertion of each significant transaction class or account balance to provide reasonable assurance that the financial reports are not materially misstated.
- The audit risk model focuses audit effort on those classes of transactions or balances (and the particular assertions) that are likely to contain material misstatements.
2. Three components of audit risk (refer ISA 200)
- Inherent risk (IR): Susceptibility of an assertion to material misstatement given inherent and environmental characteristics, but without regard to prescribed control procedures.
- Control risk (CR): Risk that material misstatement might not be prevented or detected by internal control procedures.
- Detection risk (DR): Risk that auditors’ substantive procedures will lead the auditor to conclude no material misstatement exists when, in fact, one does.
3. Reducing Audit Risk
- Auditors cannot change inherent risk.
- Auditors cannot directly change control risk. An auditor can obtain evidence to support an assessed level of control risk less than high (expect to rely on internal control) by examining control environment, risk assessment process, information system, control activities and monitoring of controls, and testing their effectiveness.
3. Reducing Audit Risk (cont…)
The level of detection risk is the lever an auditor can pull to reduce audit risk by:
- Appropriate planning, direction, supervision and review
- Decisions on the nature, timing and extent of audit procedures
- Effective performance of procedures and evaluation of results
4. Inter-relationship Between Business and Audit Risk
Business Risk is defined as:
“The risk that an entity’s business objectives will not be obtained as a result of external and internal factors, pressures and forces brought to bear on an entity and, ultimately, the risk associated with the entity’s survival and profitability.”
- Requires extensive knowledge of client’s business and industry.
2. Risk Based Audit Standards
- Key new standards have been released which change the way risk assessments are carried out.
- ISA 315, 330 and 500 are the key standards
- Broadly speaking, the audit risk model has been replaced by a business risk method of assessing risk
3. Understanding the Entity and its Environment and Assessing the Risks of Material Misstatement
ISA 315 deals with 5 key issues:
1. Risk assessment procedures, including internal controls
2. Understanding the entity and its environment, including internal controls
3. Assessing the risks of material misstatement, including identifying significant risks
4. Communicating with management regarding weaknesses in controls
5. Documenting the work done
1. Risk Assessment Procedures
Perform the following risk assessment procedures to obtain an understanding of the entity, its environment, and its controls:
a) Inquiries of management/staff
b) Analytical procedures
c) Observation and inspection
1. Risk Assessment Procedures (cont…)
• The members of the audit team should discuss the susceptibility of the entity’s financial report to material misstatements
2. The entity and its environment, including internal controls
You need to obtain an understanding of:
• relevant industry, regulatory, and other external factors including the applicable financial reporting framework; and
• the nature of the entity.
2. The entity and its environment, including internal controls (cont…)
• Understand the entity’s accounting policies and consider whether they are appropriate and consistent with the applicable financial reporting framework and the industry.
2. The entity and its environment, including internal controls (cont…)
• Obtain an understanding of the entity’s objectives and strategies, and the related business risks that may result in material misstatements.
2. The entity and its environment, including internal controls (cont…)
• Obtain an understanding of the measurement and review of the entity’s financial performance.
2. The entity and its environment, including internal controls (cont…)
• Obtain an understanding of internal control relevant to the audit.
• Refer page 13.
• Obtain an understanding of the control environment
2. The entity and its environment, including internal controls (cont…)
• Obtain an understanding of the entity’s process for identifying business risks relevant to financial reporting objectives and deciding about actions to address those risks, and the results thereof.
2. The entity and its environment, including internal controls (cont…)
• Obtain an understanding of the information system relevant to financial reporting, including:
- The significant classes of transactions
- The procedures by which those transactions are initiated, recorded, processed & reported
- The related accounting records
- How the information system captures events and conditions that are significant to the financial report
- The financial reporting process used to prepare the financial report
2. The entity and its environment, including internal controls (cont…)
• Understand how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting
2. The entity and its environment, including internal controls (cont…)
• Obtain a sufficient understanding of control activities to assess the risks of material misstatement at the assertion level and to design further audit procedures responsive to assessed risks
2. The entity and its environment, including internal controls (cont…)
• Obtain an understanding of how the entity has responded to risks arising from IT
• Understand the major types of activities that the entity uses to monitor and correct controls
3. Assessing the Risk of Material Misstatement
• Using the information obtained thus far, identify and assess the risks of material misstatement at the financial report level and at the assertion level for classes of transactions, account balances and disclosures
3. Assessing the Risk of Material Misstatement (cont…)
• As part of the risk assessment, determine which of the risks identified are risks that require special audit consideration (such risks are defined as ‘significant risks’)
3. Assessing the Risk of Material Misstatement (cont…)
• For significant risks, evaluate the design of the entity’s related controls and determine whether they have been implemented
3. Assessing the Risk of Material Misstatement (cont…)
• As part of the risk assessment, evaluate the entity’s controls over those risks for which it is not possible or practicable to reduce the risks of material misstatement at the assertion level to an acceptably low level with audit evidence obtained only from substantive procedures
4. Communicating with Management
• Make those charged with governance / management aware as soon as practicable, of material weaknesses in internal control
5. Documentation
• Matters to be documented include:
- Discussions amongst the audit team; e.g. in relation to likely material misstatements
- Key elements of the understanding obtained of the entity, including each of the internal control components, and the risks of material misstatements
- The assessed risk of material misstatement at the financial report and assertion level
- Risk areas where substantive procedures were considered not to provide sufficient evidence, and the related controls evaluated
4. Considering the Risk of Fraud
ISA 240 deals with 4 key issues:
1. Responsibilities of the auditor
2. Risk assessment procedures
3. Evaluation of audit evidence
4. Communication with management
1. Responsibilities of the Auditor
• Obtain reasonable assurance that the financial report is free from material misstatement due to fraud
2. Risk Assessment Procedures
• Consider the risk of fraud as part of your risk assessment procedures
• Next step is to assess the risk of material misstatement due to fraud at the financial report and assertion level (balances, transactions, disclosures)
2. Risk Assessment Procedures (cont…)
• Then determine how to respond to those risks and design and perform appropriate procedures
3. Evaluation of Audit Evidence
• Evaluate whether your risk assessment in relation to fraud remains appropriate
• Consider whether any misstatements found are indicative of fraud
3. Evaluation of Audit Evidence (cont…)
• Consider whether concluding analytical procedures indicate a previously unrecognised risk of fraud
• Obtain management representations in relation to fraud
4. Communicate with Management
• Communicate with management and / or the governing body if fraud is identified or indicated
5. The Auditor’s Response to Risk
ISA 330 deals with 3 key issues:
1. Audit procedures responsive to risks of material misstatement at the assertion level
2. Evaluating the sufficiency and appropriateness of audit evidence obtained
3. Documentation
1. Audit Procedures Responsive to Risks
• Design and perform further audit procedures whose nature, timing and extent are responsive to the assessed risks at the assertion level
• Choice of two approaches – see diagram on pg 24
1. Audit Procedures Responsive to Risks (cont…)
• In determining the audit procedures, consider inherent and control risk, as this will affect the procedures selected. For example, if inherent risk is low for a particular account, then analytical procedures may be considered sufficient
1. Audit Procedures Responsive to Risks (cont…)
• When your assessment of risk of material misstatement at the assertion level includes an expectation that controls are operating effectively, you perform tests of controls to obtain evidence that this was the case
1. Audit Procedures Responsive to Risks (cont…)
• Where it is not possible to reduce the risks of material misstatement to an acceptably low level only via substantive procedures, tests of control should be performed
1. Audit Procedures Responsive to Risks (cont…)
• When you obtain audit evidence about the effectiveness of controls during an interim period, you should determine what additional evidence should be obtained for the remaining period
1. Audit Procedures Responsive to Risks (cont…)
• Irrespective of the assessed risk of material misstatement, you should design and perform substantive procedures for each material class of transactions, account balance and disclosure
2. Evaluating Audit Evidence
• Conclude whether sufficient, appropriate audit evidence has been obtained to reduce to an acceptably low level, the risk of material misstatement in the financial report
3. Documentation
• Document the overall responses to address the assessed risks, the further audit procedures, the link of those procedures with the assessed risks at the assertion level, and the results of audit procedures
6. Audit Evidence, Risk and Assertions
ISA 500 deals with 4 key issues:
1. Concept of Audit Evidence
2. Sufficient appropriate audit evidence
3. The use of assertions in obtaining evidence
4. Audit procedures for obtaining audit evidence
1. Concept of Audit Evidence
• Obtain sufficient appropriate audit evidence to draw reasonable conclusions on which to base the audit opinion
2. Sufficient, Appropriate Audit Evidence
• When you use information produced by the entity, obtain evidence about the accuracy and completeness of the information
3. The use of Assertions
• Use assertions for classes of transactions, account balances and disclosures in sufficient detail to form a basis for the assessment of risks of material misstatement and the design and performance of further audit procedures
• See pg 4 for the new audit assertions
3. The use of Assertions (cont…)
• Directors and managers make assertions (embodied in the financial report) when they present a financial report
• Auditors use these assertions to assess risks by considering different types of potential misstatements that may occur and designing audit procedures in response to risks
• There are three categories of assertions:
- Classes of transactions and events
- Account balances
- Presentation and disclosure
3. The use of Assertions (cont…)
Assertions about classes of transactions and events for the period under audit:
• Occurrence – transactions and events that have been recorded have occurred and pertain to the entity
• Completeness – all transactions and events that should have been recorded have been recorded
• Accuracy – amounts and other data relating to recorded transactions and events have been recorded appropriately
• Cut-off – transactions and events have been recorded in the correct accounting period
• Classification – transactions and events have been recorded in the proper accounts
3. The use of Assertions (cont…)
Assertions about account balances at the period end:
• Existence – assets, liabilities and equity interests exist
• Rights and obligations – the entity holds or controls the rights to assets, and the liabilities are the obligation of the entity
• Completeness – all assets, liabilities and equity interests that should have been recorded have been recorded
• Valuation and allocation – assets, liabilities and equity interests are included in the financial report at appropriate amounts and any resulting valuation adjustments are appropriately recorded
3. The use of Assertions (cont…)
Assertions about presentation and disclosure:
• Occurrence and rights and obligations – disclosed events, transactions and other matters have occurred and pertain to the entity
• Completeness – all disclosures that should have been included in the financial report have been included
• Classification and understanding – financial information is appropriately presented and described, and disclosures are clearly expressed
• Accuracy and valuation – financial and other information is disclosed fairly and at appropriate amounts
3. The use of Assertions (cont…) (Inventory)
Financial report assertion, with illustrative audit objectives:
Existence
• Inventories included in the balance sheet physically exist.
• Inventories represent items held for sale in normal course of business.
Completeness
• Inventory quantities as per the accounting records include all products, materials and supplies owned by the company that are on hand.
• Inventory quantities include all products, materials and supplies owned by the company that are in transit or stored at outside locations.
Rights & Obligations
• The company has legal title or similar rights or ownership to the inventories.
• Inventories exclude items billed to customers or owned by others.
Valuation & Allocation
• Inventories are properly stated at cost (except when the net realisable value is lower).
• Slow-moving, excess, defective and obsolete items included in inventories are properly identified and valued.
3. The use of Assertions (cont…)
• The key issue when using a combined approach is:
- How do you link your tests of controls to substantive tests in order to reduce the extent of the latter?
3. The use of Assertions (cont…)
Tests of controls can be linked to substantive tests using audit assertions
• Accuracy and cut-off links to valuation and allocation
• Occurrence links to existence and rights and obligations
• Completeness links to completeness
3. The use of Assertions (cont…)
Example:
• If sales are accurate and cut-off is appropriate, we have evidence that debtors are properly valued and allocated
• If sales occurred, we have evidence that debtors exist
4. Audit Procedures
• Audit programs should be driven by assertions
• Risk profile of account balance or transaction should be assertion focused
• No mandatory requirements
• Standard discusses different types of procedures, e.g. inspection of documents, recalculation of amounts, CAATs etc
7. Tools to Document Risk
1. Combined Risk Assessment
• Refer to APPENDIX A
2. Risk Matrix
• Refer to APPENDIX B
3. Caseware and Risk Documentation
• See example caseware file on screen
8. Paperless Audit, Myth or Fact?
• See example of caseware file on screen
Questions
Risk Based Audit Standards & Electronic Tools in Documenting Risk
George Dakis
Partner
Nexia ASR Melbourne
COFFEE
Option C
Audit quality considerations on the smaller engagement
Michel Girbes and Anton Lewis
Agenda
1. Ethical requirements
2. Acceptance and continuance of client relationship
3. Fraud
4. Engagement performance
5. Monitoring with respect to audit engagements
Ethics on the “small” entity audit
The audit specific requirements that require documentation on the audit file are:
• Independence
• Professional competence
• Time and fees budget
• General
Engagement performance
Small Entity Characteristics
The presence of small entity characteristics provides additional context for
our understanding of the entity with regard to the significance and
relevance of the entity’s circumstances as well as the nature and extent of
the audit procedures to be performed on the entity.
Refer Schedule 1 for an example of a Small Entity Characteristics
Checklist that can be used in assisting the auditor to determine whether an
entity can be classified as “small”.
Acceptance and continuance of clients - New clients (1)
• We need new clients for the continuation of our own business
• So, can we accept without research on clients?
• Answer, no
New clients (2)
• Is there more (audit) risk in smaller engagements?
• If so - how do you mitigate that risk?
New clients (3)
Before accepting a new client we have a client
acceptance checklist with the following questions:
1. Can the assignment be done in the right period?
2. Is there any specific legal requirement/law which could be in the way during our audit work?
3. Do we have enough staff with knowledge and experience?
New clients (4)
4. There is no need to use external knowledge
5. The former auditor has no reasons to inform you not to accept the assignment
6. The appraisal of acceptance has led to contact with the compliance officer
New clients (5)
7. The client and the shareholders are identified
8. The integrity of the engagement giver (management/shareholders) gives no reason for not accepting the engagement
New clients (6)
For question 8 think about:
- Identity the business reputation
- Type of work
- Attitude owners/decision makers with respect to the internal control and audit work
New clients (7)
- Attitude owners/decision makers with respect to audit standards
- Effort client makes to reduce the audit fee
- Reason why your office has been chosen
- Indication of ‘whitewash’ practice
New clients (8)
9. No problems with the morality of the client
10. The management has no problem in complying with laws and standards.
11. There is no delay with respect to tax return(s) and there are no discussions with the tax authority
New clients (9)
12. There are no major changes in personnel
13. There has not been fraud by management or personnel or there are insufficient procedures to prevent such fraud
14. There is no regular change of accountants/advisers during the last 5 years
New clients (10)
15. There is not a complex information system
16. In the past there was no extreme failure in the EDP environment with loss of data
17. There is no restriction in the assignment
18. There are no essential shortages in the ao/ic in respect of source documents
New clients (11)
19. There is no possibility of collusion within the organisation or with third parties
20. The work of the auditor is subject to limitation in scope
New clients (12)
Conclusion
- We can accept or decline the client
Continuation of clients (1)
• Why should we look at clients we already accepted?
• Clients are dynamic just like us!
Continuation of clients (2)
• The checklist is not identical to the checklist for new clients, there are some additional questions
Continuation of clients (3)
1. Does the fee compare with the minimum required audit quality
2. Does the client meet with the payment schedule
3. There are no circumstances for not continuing the relationship
4. Client has been identified as complying with the standards
Continuation of clients (4)
Practical tips
- Look on the internet, search for example for GIRBES
• Chamber of commerce
• Network
• Other auditors
Independence (1)
• To accept or to continue a client relationship you must look at your independence
• Checklist for independence
Independence (2)
1. Fee ratio between fee and total income of the office
2. Fee ratio audit and other services
3. There is not a substantial amount receivable (>60 days)
Independence (3)
4. There are no problems to show fee is adequate
5. There are no problems expected for not changing the auditor?
6. The fee does not depend on outcome of several components
Independence (4)
7. There is no financial dependency on the client
8. The relationship is business only
9. None of the audit team members have done administrative work for the client
Independence (5)
10. There is no (material) conflict between the audit organisation and the client
11. There is no reason to assume that one of the audit team members is going to work for the client
12. An audit team member has changed his/her career to the client
Independence (6)
13. There are no financial obligations to this client
14. The audit firm makes no decisions and is not involved in the decision process of the client
15. An employee of the audit firm is not a member of the management board or supervisory board
Independence (7)
16. A member of the audit team has not worked for client in the past 2 years
17. There are no family relations between employees of the audit firm and the client (management level)
18. There is no risk of self review
Independence (8)
19. There are no legal proceedings between the audit firm and the client
20. There are no other services such as:
– Implementation of financial information systems
– administrative services
– valuation/impairment
– internal control
– legal services
– recruitment higher level financial staff
Independence (9)
21. In the conditions of employment are sanctions mentioned regarding independence
22. Only independent audit staff has access to the audit files
23. There are no parts that need more attention with respect to independence
Independence (10)
24. Due to the independence check the audit team is changed
25. Some changes of work allocation between the members of the audit team
26. The independence treatments are discussed with the compliance officer
27. The independence treatments are discussed with the management of the client
Fraud (1)
• What is a definition of fraud?
• Is this fraud?
Fraud (2)
Is this fraud?
- your personnel works on Saturday morning
- with your permission?
Fraud (3)
Fraud (4)
I would like to define fraud as follows:
• Fraud is the deliberate taking or receipt of money/material by an individual or company without a legal right thereto
Fraud (5)
Different frauds:
- Fraud by management
- Fraud by personnel
Fraud (6)
• Who is responsible for fraud?
• The person/entity who commits fraud
Fraud (7)
• Who is responsible to prevent fraud?
• Management
• There must be enough fraud detection controls
Fraud (8)
• Motivation of management ?
• Attitude management towards internal control
• Behavior of management
• Industry characteristics
• Operation characteristics
• Reporting standards
Fraud (9)
Motivation of management ?
1. Management’s remuneration depends on reported financial results
2. Management does not use illegal tax constructions
3. Management has no aggressive attitude towards financial reporting standards
Fraud (10)
Attitude of management towards internal control
4. There is no ineffective communication and support of code of ethics
5. There is no lack of policy regarding conflict of interest
6. Decisions are not dominated by one person (or small group)
Fraud (11)
7. There is no negative attitude towards legal authorities
Fraud (12)
Behavior of management
8. There are only experts involved with financial reporting
9. There is not a high change in personnel at senior level
10. There is not a tense relationship between (former) auditor and client
Fraud (13)
11. There is no unreasonable pressure on the audit team
12. There are no attempts to limit the audit scope
Fraud (14)
Industry characteristics
13. There are no new reporting standards
14. There is no strong competition
15. There are not many bankrupts
16. There are no quick changes in the industry
Fraud (15)
Operation characteristics
17. There are reasonable profits
18. There is a stable cash flow/profit
19. There is no need for a capital injection
Fraud (16)
20. There is no use of tax havens
21. There is not an overly complex structure
22. There is no strong liability of credit
23. There is not an unhealthy quick growth
Fraud (17)
Reporting standards
24. No important transactions between related companies
25. No unusual or complex (large) transactions
26. There are no disqualified or incompetent personnel in key financial positions
Fraud (18)
27. There are no differences between subsidiary and general ledger
28. The goods are not small and expensive
29. There is not a large cash position
30. There are no control weaknesses
Fraud (19)
31. The bookkeeping is sufficient
32. There is an adequate administrative organisation and internal control
33. There are no personnel who do not take a holiday
Engagement performance (1)
• Quality of team
• Quality of client
• Post audit meeting
Engagement performance (2)
• Client questionnaire
• Discussion
Audit Planning (1)
The following documentation MUST exist, even if on a reduced level, on all “small” entity audits:
Discussions with the client (refer schedule 2 for example)
Minutes of all meetings with the client must be documented. Items addressed in these meetings would include:
a. Significant events that may have occurred during the period under review.
b. General overview on the financial results for the period under review.
c. Discussion on the susceptibility of the financial statements to being materially misstated due to fraud or error.
d. Confirmations of the terms of engagement.
e. Staffing, fees, and other logistical issues.
Audit Planning (2)
Discussion within the audit team (refer schedule 3 for example)
Minutes of all meetings that occurred throughout the audit within the audit team must be documented. Items addressed in these meetings would include:
a. Significant events that may have occurred during the period under review.
b. General overview on the financial results for the period under review.
c. Team discussion on the susceptibility of the financial statements to being materially misstated due to fraud or error.
d. Team discussions on other risks identified that could result in the financial statements being materially misstated.
e. Audit approach and any alterations to the approach.
f. Staffing, budgets and other logistical issues, if any.
Audit Planning (3)
Knowledge of the business (refer Schedule 4 for example)
The main items to be covered in obtaining knowledge of the business include:
a. A brief history and background of the entity.
b. An understanding of the industry in which the entity operates.
c. Nature of the entity.
d. Objectives, strategies and business risks of the entity.
e. Key decision makers (and any changes made to key decision makers).
f. Any special reporting characteristics (deadlines, profit share arrangements, etc.).
Audit Planning (4)
Risk Assessment
The following will be taken into account when assessing risk at the planning stage:
a. The knowledge of the Business (refer above)
b. The planning ratio analysis
c. Overall Risk Assessment (refer schedule 5 for example)
d. Risk assessment at assertion level (refer schedule 6 for example)
Audit Planning (5a)
Overall Risk Assessment
The overall risk assessment schedule should cover the following on the entity:
• The business environment – The business environment risks include possible changes to services or products, any liquidity or solvency concerns, and reliance on a major customer or supplier.
• Sector and general economy – These risks include any technological change in the entity’s sector, whether the entity is a primarily cash-based business, and whether assets of the entity are susceptible to manipulation or theft.
Audit Planning (5b)
• Directors, management and staff – These risks include any significant changes to management, bonus plans to key staff members, and unusual pressures on key staff such as tight reporting deadlines.
• Financial reporting – These risks include history of significant audit adjustments, instances of fraud in the past, history of qualified audit reports and new accounting policies.
• It is important to document that you have considered the overall risk assessment of the entity under each of the above categories, although in many instances the above items may not be applicable in small entities.
• A conclusion on whether the overall risk of the company is high, medium or low needs to be made and documented.
Audit Planning (6)
Materiality (refer schedule 7 for example)
Materiality must be calculated on the appropriate bases for the entity (e.g. total assets would be an appropriate basis for a property-owning company).
Sample Sizes
Each firm will set their standard sampling methodology and sample sizes.
The sample sizes selected for testing will depend on the risks associated with the entity and its classes of transactions and account balances.
Audit Planning (7a)
Understanding and Documenting the Accounting and Internal Control Systems
• It is very important to understand and document the entity’s accounting and internal control systems, regardless of the size of the entity. Typical cycles that MAY exist in “small” entities are:
• Revenue / Receipts cycle
• Purchases / Payments cycle
• Payroll / Personnel cycle
• Stock / Production cycle
• Finance / Investment cycle
Audit Planning (7b)
For each system, identify the functions that are performed within each cycle to authorise, record and safeguard assets.
Identify the control objectives for each function, which are as follows:
• Validity
• Authorisation
• Completeness
• Accuracy
• Recording
• Classification
• Cut-off
Document any specific computer programmed controls on which reliance may be placed.
Audit Planning (8a)
Tests and Evaluation of Control Environment
The internal control systems must be reviewed to determine whether reliance can possibly be placed on them by:
• Discussion with management and client personnel
• Review of the client’s system descriptions and flowcharts
• Knowledge obtained in prior years
• System walk through tests
• Inspection of source documentation
• Observation of activities
Audit Planning (8b)
Preliminary assessment findings on “small” entity audits OFTEN indicate one of the following (due to their nature normally being relatively unsophisticated):
• The control environment is unsatisfactory
• Previous experience indicates reliance on controls is not justified
• The general controls in the computer environment are weak / strong
• Low volumes of transactions
• Nature of the assets makes substantive testing more cost-effective
Due to the above, often on “small” entity audits no reliance is placed on internal controls and a substantive audit approach is adopted.
Audit Planning (8c)
• Should reliance be placed on the systems, then tests of control must be designed and performed.
• These tests of controls should determine whether the controls are properly designed to detect misstatements due to fraud and / or errors, and that they functioned properly throughout the whole period of reliance.
• Where reliance on a control is justified, the effect on reducing the substantive procedures must be recorded.
• Where reliance is not placed on a control, the effect on increasing the substantive procedures must be recorded.
• Any weaknesses should be recorded for reporting to management.
Audit Planning (9)
Audit Approach
As mentioned above, often where an entity has been classified as small in nature, limited internal controls exist and often the auditor does not expect to be able to place reliance on those that do exist. This will result in a substantive based audit approach being the most effective approach for the client. Standard substantive audit procedures, tailored in respect of their nature, timing and extent as a result of the risks identified during the planning stage of the audit, should be adopted.
Where reliance on internal controls is taken, then regardless of the size of the entity, a combination of tests of control and reduced substantive testing will be the most effective approach for the client. Standard substantive audit procedures, tailored in respect of their nature, timing and extent as a result of the risks identified during the planning stage of the audit, should be adopted.
As mentioned previously, “small” audits often don’t warrant reliance on internal controls and a substantive approach is often the most efficient approach.
Audit fieldwork
• Where a substantive approach is taken, depending on the risks identified:
• a “coverage” sample size must be determined to audit ALL material balances in the financial statements; and
• detailed transactions must be vouched, again based on the sample size selected.
Audit completion
Audit procedures must be performed on the following:
• Related party balances and transactions
• Going concern
• Subsequent events
• Contingencies and commitments
In addition to the above, a management representation letter must be obtained from the client, and a management letter issued to the client giving details of any weaknesses identified during the audit.
Audit quality considerations on the smaller engagement
Michel Girbes and Anton Lewis
LUNCH
Closing remarks
Felix Lozano