Loading...
Loading...
International Federation of Accountants
Guide to Using ISAs in the Audits of Small- and Medium- Sized Entities
VOLUME 1 — CORE CONCEPTS
FOURTH EDITION
International Federation of Accountants 529 Fifth Avenue, New York, NY 10017 USA This Guide to Using ISAs in the Audits of Small- and Medium-Sized Entities was prepared by the International Federation of Accountants (IFAC) with support from its Small and Medium Practices Committee. The committee represents the interests of professional accountants operating in small- and medium-sized practices and other professional accountants who provide services to small- and medium- sized entities. This publication may be downloaded for individual non-commercial use from the IFAC website:
www.ifac.org/smp. The approved text is published in the English language.
IFAC serves the public interest and strengthens the accountancy profession by:
- Supporting the development of high-quality international standards;
- Promoting the adoption and implementation of these standards;
- Building the capacity of professional accountancy organizations; and
- Speaking out on public interest issues.
For further information, please e-mail Christopher Arnold, Head of SME/ SMP and Research at ChristopherArnold@ifac.org.
Exposure Drafts, Consultation Papers, and other IFAC publications are published by, and copyright of, IFAC.
IFAC does not accept responsibility for loss caused to any person who acts or refrains from acting in reliance on the material in this publication, whether such loss is caused by negligence or otherwise. The IFAC logo, ‘International Federation of Accountants’ and ‘IFAC’ are registered trademarks and service marks of IFAC in the US and other countries.
Copyright © 2018 by the International Federation of Accountants (IFAC). All rights reserved. Written permission from IFAC is required to reproduce, store or transmit, or to make other similar uses of this document, save for where the document is being used for individual non-commercial use only. Contact permissions@ifac.org
ISBN: 978-1-60815-353-4
Published by: IFAC
Volume 1 | Primary ISA Reference | Page Number |
|---|---|---|
| Preface | v | |
| Request for Comments | vi | |
| 1. How to Use the Guide | 1 | |
| 2. The ISAs | 6 | |
| Core Concepts | 12 | |
| 3. Ethics, ISAs, and Quality Control | ISQC 1, 200, 220 | 13 |
| 4. The Risk-Based Audit — Overview | Multiple | 24 |
| 5. Internal Control — Purpose and Components | 315 (Revised) | 40 |
| 6. Financial Statement Assertions | 315 (Revised) | 62 |
| 7. Materiality and Audit Risk | 320 | 68 |
| 8. Risk Assessment Procedures | 240, 315 (Revised) | 78 |
| 9. Responding to Assessed Risks | 240, 300, 330, 500 | 86 |
| 10. Further Audit Procedures | 330, 505, 520 | 95 |
| 11. Accounting Estimates | 540 | 112 |
| 12. Related Parties | 550 | 120 |
| 13. Subsequent Events | 560 | 128 |
| 14. Going Concern | 570 (Revised) | 134 |
| 15. Summary of Other ISA Requirements | 250 (Revised), 402, 501, 510, 600, 610 (Revised 2013) 620, 720 (Revised) | 142 |
| 16. Audit Documentation | ISQC 1, 220, 230, 240, 300, 315 (Revised), 330 | 184 |
| 17. Forming an Opinion on Financial Statements | 700 (Revised), 701 | 196 |
Volume 2 | Primary ISA Reference | Page Number |
|---|---|---|
| Preface | v | |
| Request for Comments | vi | |
| 1. How to Use the Guide | 1 | |
| 2. Introduction to the Case Studies | 6 | |
| PHASE 1: Risk Assessment | ||
| 3. Risk Assessment — Overview | 16 | |
| Preliminary Activities | ||
| 4. Engagement Acceptance and Continuance | ISQC 1, 210, 220, 300 | 20 |
| Planning the Audit | ||
| 5. Overall Audit Strategy | 300 | 35 |
| 6. Determining and Using Materiality | 320, 450 | 44 |
| 7. Audit-Team Discussions | 240, 300, 315 (Revised) | 58 |
| Performing Risk Assessment Procedures | ||
| 8. Inherent Risks — Identification | 240, 315 (Revised) | 66 |
| 9. Inherent Risks — Assessment | 240, 315 (Revised) | 88 |
| 10. Significant Risks | 240, 260 (Revised), 315 (Revised), 330 | 98 |
| 11. Understanding Internal Control | 315 (Revised) | 107 |
| 12. Evaluating Internal Control | 315 (Revised) | 119 |
| 13. Communicating Deficiencies in Internal Control | 265 | 142 |
| 14. Concluding the Risk Assessment Phase | 315 (Revised) | 153 |
| PHASE II: Risk Response | ||
| 15. Risk Response — An Overview | – | 163 |
| 16. The Responsive Audit Plan | 260 (Revised), 300, 330, 500 | 166 |
| 17. Determining the Extent of Testing | 330, 500, 530 | 183 |
| 18. Documenting Work Performed | 230 | 207 |
| 19. Written Representations | 580 | 211 |
| PHASE III: Reporting | ||
| 20. Reporting — Overview | – | 221 |
| 21. Evaluating Audit Evidence | 220, 330, 450, 520, 540 | 224 |
| 22. Communicating with Those Charged with Governance | 260 (Revised), 265, 450 | 241 |
| 23. Modifications to the Auditor’s Report | 705 (Revised) | 251 |
| 24. Emphasis of Matter and Other Matter Paragraphs | 570 (Revised), 706 (Revised) | 264 |
| 25. Comparative Information | 710 | 272 |
Welcome to the fourth edition of IFAC’s Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities.
Since publication in 2011 of the third edition, the International Audit and Assurance Standards Board (IAASB) has completed projects on Using the Work of Internal Auditors; The Auditor’s Responsibilities Relating to Other Information; Auditor Reporting; Disclosures and Non-Compliance with Laws and Regulations (NOCLAR). The fourth edition has therefore been updated for these recent changes in the ISAs, so it is in accordance with the 2016-2017 Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements. We have also taken the opportunity to refine some of the technical content and to make other minor presentational improvements.
Mindful that many users may be in the process of translating the Guide, we have endeavored to keep the revisions in this edition to a minimum.
First published in 2007, the Guide was originally developed with the Canadian Institute of Chartered Accountants (CICA) — now CPA Canada — and is intended to enable practitioners to develop a deeper understanding of an audit conducted in compliance with International Standards on Auditing (ISAs) through explanation and illustrative examples. It offers a practical “how-to” audit approach that practitioners may use when undertaking a risk-based audit of an SME. Ultimately, it should help practitioners conduct high-quality, cost-effective audits, enabling them to better serve SMEs and the public interest.
The Guide provides non-authoritative guidance on applying ISAs. It is not to be used as a substitute for reading the ISAs, but rather as a supplement to support consistent implementation of these standards in the audits of SMEs. The Guide does not address all aspects of the ISAs and should not be used for the purposes of determining or demonstrating compliance with the ISAs.
In order to help member organizations maximize the use of both this Guide and its sister publication, the Guide to Quality Control for Small- and Medium-Sized Practices, IFAC has developed a Companion Manual, along with additional materials, designed to support the use of the Guides for education and training purposes. The Companion Manual includes suggestions on how IFAC member organizations and firms may make best use of the Guides to suit their own needs and jurisdictions.
Readers may be interested in the current projects of the IAASB, which includes Accounting Estimates, Quality Control, ISA 315 (Revised) and Data Analytics. This Guide does not in any way anticipate possible changes in these areas.
Finally, we welcome readers to visit the SMP area of the IFAC website at www.ifac.org/SMP and the @ IFAC_SMP Twitter feed for further details about the work of the IFAC SMP Committee, and to the Global Knowledge Gateway (www.ifac.org/Gateway)) for access to a wide collection of resources, news and articles. Monica Foerster Chair, IFAC SMP Committee April 2018
This is the fourth edition of the Guide. While we consider this to be a useful, high-quality guide, it can be improved. We are committed to updating this publication on a regular basis to ensure it reflects current standards and is as useful as possible.
We welcome comments from national standard setters, IFAC member organizations, practitioners, and others. In particular, we welcome views on the following questions.
1. How do you use the Guide? For example, do you use it as a basis for training and/or as a practical reference guide, or in some other way?
2. Do you consider the Guide to be sufficiently tailored to the audit of SMEs?
3. Do you find the Guide easy to navigate? If not, can you suggest how navigation can be improved?
4. In what other ways do you think the Guide can be made more useful?
5. Are you aware of any derivative products — such as training materials, forms, checklists, and programs that have been developed based on the Guide? If so, please provide details.
Please submit your comments to Christopher Arnold, Head of SME/ SMP and Research at:
Email: ChristopherArnold@ifac.org
Fax: +1 212-286-9570
Mail: International Federation of Accountants 529 Fifth Avenue New York, NY 10017, USA
This Guide is designed to assist practitioners in the implementation of the International Standards of Auditing (ISAs) on the audit of small- and medium-sized entities, but is not intended to be a substitute for the ISAs themselves. Furthermore, a practitioner should utilize this Guide in light of his/her professional judgment and the facts and circumstances involved in each particular audit. IFAC disclaims any responsibility or liability that may occur, directly or indirectly, as a consequence of the use and application of this Guide. |
The purpose of this Guide is to provide practical guidance to practitioners conducting audit engagements for small- and medium-sized entities (SMEs). However, no material in the Guide should be used as a substitute for:
- Reading and understanding the ISAs
It is assumed that practitioners have read the text of the International Standards on Auditing (ISAs) which are contained in the Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements, and which can be downloaded free of charge from the IAASB Publications & Resources web page at http://www.ifac.org/about-ifac/publications-resources (filter by “Handbooks, Standards, and Pronouncements”). ISA 200.19 states that the auditor shall have an understanding of the entire text of an ISA, including its application and other explanatory material, to understand its objectives and to apply its requirements properly. The ISAs, as well as frequently asked questions (FAQs) and other support materials, can also be obtained from the Clarity Center at www.ifac.org/auditing-assurance/clarity-center.
- Use of professional judgment
In order to apply the ISAs effectively, professional judgment is required based on the particular facts and circumstances involved in the firm and each particular engagement.
While it is expected that small- and medium-sized practices (SMPs) will be a significant user group, this Guide is intended to help all practitioners to implement ISAs on SME audits.
This Guide can be used to:
- Develop a deeper understanding of an audit conducted in compliance with the ISAs;
- Develop a staff manual (supplemented as necessary for local requirements and a firm’s procedure) to be used for day-to-day reference, and as a basis for training sessions and individual study and discussion; and
- Help ensure that staff adopt a consistent approach to planning and performing an audit.
This Guide often refers to an audit team, which implies that more than one auditor is involved in conducting the audit engagement. However, the same general principles also apply to audit engagements performed exclusively by one person (the practitioner).
IFAC encourages and facilitates the reproduction, translation, and adaptation of its publications. Interested parties wishing to reproduce, translate, or adapt this Guide should contact permissions@ifac.org.
Rather than just summarize each ISA in turn, the Guide has been organized into two volumes as follows:
- Volume 1 — Core Concepts
- Volume 2 — Practical Guidance
This is Volume 1 of the Guide, which provides an overview of the entire audit and a discussion of key audit concepts such as materiality, assertions, internal control, risk assessment procedures, and the use of further audit procedures in responding to assessed risks. It also includes a summary of ISA requirements with respect to:
- Specific areas such as accounting estimates, related parties, subsequent events, going concern, and others;
- Documentation requirements; and
- Forming an opinion on the financial statements.
Volume 2 of the Guide focuses on how to apply the concepts outlined in Volume 1. It follows the typical stages involved in performing an audit, starting with client acceptance, planning, and risk assessment, and then the risk response, evaluating audit evidence obtained, and forming an appropriate audit opinion.
Each chapter in both volumes of this Guide has been organized in the following format:
- Chapter Title
- Audit Process Chart — Extract
Most chapters contain an extract from the audit process chart (where applicable) to highlight the particular activities addressed in the chapter.
- Chapter Content
This outlines the content and purpose of the chapter.
- Relevant ISAs
Most chapters in this Guide begin with some extracts from the ISAs that are relevant to the chapter content. These extracts include relevant requirements and, in some cases, the objectives (sometimes highlighted separately if/when a chapter focuses primarily on one particular ISA), selected definitions, and application material. The inclusion of these extracts is not meant to imply that other material in the ISA not specifically mentioned, or other ISAs that relate to the subject matter, do not need to be considered. The extracts in the Guide are based solely on the judgment of the authors as to what is relevant for the content of each particular chapter. For example, the requirements of ISAs 200, 220, and 300 apply throughout the audit process, but have only been addressed specifically in one or two chapters.
- Overview and Chapter Material
The overview in each chapter provides:
+ Extracts from applicable ISAs; and
+ An overview of what is addressed in the chapter.
The overview is followed by a more detailed discussion of the subject matter, and practical step-by-step guidance/methodology on how to implement the relevant ISAs. This can include some cross-references to the applicable ISAs. While the Guide focuses exclusively on the ISAs (other than the 800 series) that apply to audits of historical financial information, reference is also made to the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants (the IESBA Code), and the International Standard on Quality Control 1 (ISQC 1), Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements.
- Consider Points
A number of Consider Points are included throughout the Guide. These Consider Points provide practical guidance on audit matters that can easily be overlooked, or where practitioners may have difficulty understanding and implementing certain concepts.
- Illustrative Case Studies
To demonstrate how the ISAs can be applied in practice, Volume 2 of the Guide includes two case studies. At the end of many chapters within Volume 2, two possible approaches to documenting the application of the ISA requirements are discussed. Please refer to Volume 2, Chapter 2 of this Guide for details about the case studies.
- The purpose of the case studies and the documentation presented are purely illustrative. The documentation provided is a small extract from a typical audit file, and it outlines just one possible way of complying with the ISA requirements. The data, analysis, and commentary provided represent only some of the circumstances and considerations that the auditor will need to address in a particular audit. As always, the auditor must exercise professional judgment.
- The first case study is based on a fictional entity called Dephta Furniture. This is a local, family-owned furniture manufacturer with 15 full-time employees. The entity has a simple governance structure, few levels of management, and straightforward transaction processing. The accounting function uses an off- the-shelf, standard software package.
- The second case study is based on another fictional entity called Kumar & Co. This is a micro-sized entity with two full-time staff plus the owner and one part-time bookkeeper.
This Guide may also be read in conjunction with The Guide to Quality Control for Small- and Medium-Sized Practices, which can be downloaded free of charge from the IFAC online publications and resources site at http://www.ifac.org/publications-resources/guide-quality-control-small-and-medium-sized-practices-third-.
The Guide uses many of the terms as defined in the IESBA Code, Glossary of Terms, and ISAs (as contained in the Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements). Both partners and staff must be aware of these definitions.
The Guide also uses the following terms:
These are controls designed by management to prevent or detect misstatements resulting from fraud. With respect to management override, these controls may not prevent a fraud from occurring, but would act as a deterrent and make perpetrating a fraud more difficult to conceal. Typical examples are:
- Policies and procedures that provide additional accountability, such as signed approval for journal entries;
- Improved access controls for sensitive data and transactions;
- Silent alarms;
- Discrepancy and exception reports;
- Audit trails;
- Fraud contingency plans;
- Human resource procedures such as identifying/monitoring individuals with above-average fraud potential (for example, an excessively lavish lifestyle); and
- Mechanisms for reporting potential frauds anonymously.
Some risks and controls pertain to the entity as a whole. Pervasive controls (also referred to as entity-level controls in some jurisdictions) are designed to help support the functioning of transactional controls.
Consequently, pervasive risks and controls are considered at the financial statement level.
Risks and controls that have pervasive effects on the financial statements are those that, in the auditor's judgment:
a) Are not confined to specific elements, accounts or items of the financial statements;
b) If so confined, represent or could represent a substantial proportion of the financial statements; or
c) Relate to disclosures that are fundamental to users' understanding of the financial statements.
Pervasive controls are often less tangible than controls that operate at the assertion level. As such, they form the all-important foundation upon which other internal controls (such as transactional controls) are built. Examples of pervasive controls include management's commitment to ethical behavior, their attitude toward the system of internal control, and the process for hiring competent people, preventing fraud and period-end financial reporting.
Some risks and controls pertain to the individual financial statement areas or to specific assertions (assertion level). Transactional controls are designed by management to mitigate transactional risks. Their purpose is to ensure that all transactions are properly authorized, processed and recorded in the accounting records at the correct amount and in the correct period.
The person(s) with executive responsibility for the conduct of the entity’s operations. For some entities in some jurisdictions, management includes some or all of those charged with governance — for example, executive members of a governance board, or an owner-manager.
The person(s) or organization(s) (for example, a corporate trustee) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity. This includes overseeing the financial reporting process. For some entities, in some jurisdictions, those charged with governance may include management personnel — for example, executive members of a governance board of a private or public sector entity, or an owner-manager.
This refers to the proprietor of an entity involved in the running of the entity on a day-to-day basis. In most instances, the owner-manager will also be the person charged with governance of the entity.
An accounting practice/firm that exhibits the following characteristics:
- Its clients are mostly small- and medium-sized entities (SMEs);
- External sources are used to supplement limited in-house technical resources; and
- It employs a limited number of professional staff.
What constitutes an SMP will vary from one jurisdiction to another.
AR | Accounts receivable |
|---|---|
Assertions (combined)1 | C= Completeness AV = Accuracy and valuation E = Existence P = Presentation |
CAATs | Computer-assisted audit techniques |
CU | Currency units (standard currency unit is referred to as “Є”) |
F/S | Financial statements |
HR | Human resources |
IAASB | International Auditing and Assurance Standards Board |
IC | Internal Control. The five major components of internal control are as follows: CA = Control activities CE = Control environment IS = Information systems MO = Monitoring RA = Risk assessment |
IESBA Code | IESBA Code of Ethics for Professional Accountants |
IFAC | International Federation of Accountants |
IFRS | International Financial Reporting Standards |
ISAs | International Standards on Auditing |
ISAEs | International Standards on Assurance Engagements |
IAPSs | International Auditing Practice Statements |
IPSASs | International Public Sector Accounting Standards |
ISQC | International Standard on Quality Control |
ISREs | International Standards on Review Engagements |
ISRSs | International Standards on Related Services |
IT | Information technology |
KAM | Key Audit Matters |
PC | Personal computer |
R&D | Research and development |
RMM | Risks of material misstatement |
RAPs | Risk assessment procedures |
SME | Small- and medium-sized entity |
SMP | Small- and medium-sized practice |
TOC | Tests of controls |
TCWG | Those charged with governance |
WP | Work papers, working papers |
1 Note that some of the assertions defined in ISA 315 (Revised) have been combined in this manual for ease of use in practice. Where applicable, the Individual assertions (before being combined) can also be tested separately.
The ISAs have a common structure, as outlined below.
ISA Element | Comments |
|---|---|
| Introduction | An explanation of the purpose and scope of the ISA, including how the ISA relates to other ISAs, the subject matter of the ISA, specific expectations on the auditor and others, and the context in which the ISA is set. |
| Objectives | The objective to be achieved by the auditor as a result of complying with the requirements of the ISA. To achieve the overall objectives of the auditor, the auditor is required to use the objectives stated in relevant ISAs in planning and performing the audit, keeping in mind the interrelationships among the ISAs. ISA 200.21 (a) requires the auditor to:
|
| Definitions | A description of the meanings attributed to certain terms for purposes of the ISAs. These are provided to assist in the consistent application and interpretation of the ISAs. They are not intended to override definitions that may be established for other purposes, such as those contained in laws or regulations. Unless otherwise indicated, these terms carry the same meanings throughout the ISAs. |
| Requirements | This section outlines the specific auditor requirements. Each requirement contains the word “shall.” For example, ISA 200.15 contains the following requirement: “The auditor shall plan and perform an audit with professional skepticism, recognizing that circumstances may exist that cause the financial statements to be materially misstated.” |
| Application and Other Explanatory Material | The application and other explanatory material provides further explanation of the requirements of an ISA, and guidance for carrying them out. In particular, it may:
While such guidance does not in itself impose a requirement, it is relevant to the proper application of the requirements of an ISA. The application and other explanatory material may also provide background information on matters addressed in an ISA. |
| Appendices | Appendices form part of the application and other explanatory material. The purpose and intended use of an appendix are explained in the body of the related ISA, or within the title and introduction of the appendix itself. |
The ISA Framework is illustrated below.
Loading...
The following table cross-references the ISAs and ISQC 1 to the corresponding chapters in the Guide. Note: This table only includes cross-references to the chapters in the Guide in which the primary application requirements of the respective standards are addressed. Further references to any given standard may also appear in other chapters.
ISA/ ISQC 1 Reference | Volume and Chapters V1 = Volume 1 V2 = Volume 2 | |
|---|---|---|
| ISQC 1 | Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements | V1-3, 16, V2-4 |
| 200 | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing | V1-3, 4 |
| 210 | Agreeing the Terms of Audit Engagements | V2-4 |
| 220 | Quality Control for an Audit of Financial Statements | V1-3, 16, V2-4, 21 |
| 230 | Audit Documentation | V1-3, 16, V2-18 |
| 240 | The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements | V1-8, 9, 16 V2-7, 8, 9, 10 |
| 250 (Revised) | Consideration of Laws and Regulations in an Audit of Financial Statements | V1-15 |
| 260 (Revised) | Communication with Those Charged with Governance | V2-16, 22 |
| 265 | Communicating Deficiencies in Internal Control to Those Charged with Governance and Management | V2-13, 22 |
| 300 | Planning an Audit of Financial Statements | V1-9, 16 V2-4, 5, 7, 16 |
| 315 (Revised) | Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment | V1-4, 5, 6, 8, 16 V2-7, 8, 9, 10, 11, 12, 14 |
| 320 | Materiality in Planning and Performing an Audit | V1-7, V2-6 |
| 330 | The Auditor’s Responses to Assessed Risks | V1-4, 9, 10, 16 V2-10, 16, 17, 21 |
| 402 | Audit Considerations Relating to an Entity Using a Service Organization | V1-15 |
| 450 | Evaluation of Misstatements Identified during the Audit | V2-6, 21, 22 |
| 500 | Audit Evidence | V1-9, V2-16, 17 |
| 501 | Audit Evidence — Specific Considerations for Selected Items | V1-15 |
| 505 | External Confirmations | V1-10 |
| 510 | Initial Audit Engagements — Opening Balances | V1-15 |
| 520 | Analytical Procedures | V1-10, V2-21 |
| 530 | Audit Sampling | V2-17 |
| 540 | Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures | V1-11, V2-21 |
| 550 | Related Parties | V1-12 |
| 560 | Subsequent Events | V1-13 |
| 570 (Revised) | Going Concern | V1-14 |
| 580 | Written Representations | V2-19 |
| 600 | Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors) | V1-15 |
610 (Revised 2013) | Using the Work of Internal Auditors | V1-15 |
| 620 | Using the Work of an Auditor’s Expert | V1-15 |
| 700 (Revised) | Forming an Opinion and Reporting on Financial Statements | V1-4, 17 |
| 701 | Communicating Key Audit Matters in the Independent Auditor’s Report | V1-4, 17 |
| 705 (Revised) | Modifications to the Opinion in the Independent Auditor’s Report | V2-23 |
| 706 (Revised) | Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report | V2-24 |
| 710 | Comparative Information — Corresponding Figures and Comparative Financial Statements | V2-25 |
| 720 (Revised) | The Auditor’s Responsibilities Relating to Other Information | V1-15 |
| 800 (Revised) | Special Considerations — Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks | Not addressed* |
| 805 (Revised) | Special Considerations — Audits of Single Financial Statements and Specific Elements, Accounts, or Items of a Financial Statement | Not addressed* |
| 810 | Engagements to Report on Summary Financial Statements | Not addressed* |
* ISAs 800 (Revised), 805 (Revised), and 810 were considered to have limited application in the audits of SMEs at the present time, so this edition of the Guide does not specifically address them.
The following table cross-references the Guide’s chapters to the principal ISA Chapters addressed.
Note: This table provides a general cross-reference only. Many chapters in this Guide cover aspects addressed by more than one particular ISA.
Chapter | Title | ISA /ISQC 1 Reference |
|---|---|---|
| V1 – 3 | Ethics, ISAs, and Quality Control | ISQC 1, 200, 220 |
| V1 – 4 | The Risk-Based Audit— Overview | Multiple |
| V1 – 5 | Internal Control—Purpose and Components | 315 (Revised) |
| V1 – 6 | Financial Statement Assertions | 315 (Revised) |
| V1 – 7 | Materiality and Audit Risk | 320 |
| V1 – 8 | Risk Assessment Procedures | 240, 315 (Revised) |
| V1 – 9 | Responding to Assessed Risks | 240, 300, 330, 500 |
| V1 – 10 | Further Audit Procedures | 330, 505, 520 |
| V1 – 11 | Accounting Estimates | 540 |
| V1 – 12 | Related Parties | 550 |
| V1 – 13 | Subsequent Events | 560 |
| V1 – 14 | Going Concern | 570 (Revised) |
| V1 – 15 | Summary of Other ISA Requirements | 250 (Revised), 402, 501, 510, 600, 610 (Revised 2013), 620, 720 (Revised) |
| V1 – 16 | Audit Documentation | ISQC 1, 220, 230, 240, 300, 315 (Revised), 330 |
| V1 – 17 | Forming an Opinion on Financial Statements | 700 (Revised), 701 |
| V2 – 4 | Engagement Acceptance and Continuance | ISQC 1, 210, 220, 300 |
| V2 – 5 | Overall Audit Strategy | 300 |
| V2 – 6 | Determining and Using Materiality | 320, 450 |
| V2 – 7 | Audit Team Discussions | 240, 300, 315 (Revised) |
| V2 – 8 | Inherent Risks — Identification | 240, 315 (Revised) |
| V2 – 9 | Inherent Risks — Assessment | 240, 315 (Revised) |
| V2 – 10 | Significant Risks | 240, 260 Revised, 315 (Revised), 330 |
| V2 – 11 | Understanding Internal Control | 315 (Revised) |
| V2 – 12 | Evaluating Internal Control | 315 (Revised) |
| V2 – 13 | Communicating Deficiencies in Internal Control | 265 |
| V2 – 14 | Concluding the Risk Assessment Phase | 315 (Revised) |
| V2 – 16 | The Responsive Audit Plan | 260 (Revised), 300, 330, 500 |
| V2 – 17 | Determining the Extent of Testing | 330, 500, 530 |
| V2 – 18 | Documenting Work Performed | 230 |
| V2 – 19 | Written Representations | 580 |
| V2 – 21 | Evaluating Audit Evidence | 220, 330, 450, 520, 540 |
| V2 – 22 | Communicating with Those Charged with Governance | 260 (Revised), 265, 450 |
| V2 – 23 | Modifications to the Auditor’s Report | 705 (Revised) |
| V2 – 24 | Emphasis of Matter and Other Matter Paragraphs | 570 (Revised), 706 (Revised) |
| V2 – 25 | Comparative Information | 710 |
The audit approach outlined in this Guide has been divided into three phases — risk assessment, risk response, and reporting. This is illustrated in Exhibit 2.2-1. For each of the audit phases, the exhibit outlines the major activities, their purpose and the resulting documentation. Additional information on the activities and documentation required in each of the three phases is outlined throughout this Guide and particularly in Volume 2, which follows a typical audit from start to finish.
Exhibit 2.2-1
Loading...
VOLUME 1
CORE CONCEPTS
Chapter Content | Relevant ISAs |
|---|---|
Matters to be addressed in a firm’s system of quality control to ensure compliance with ethical (including independence) requirements and the ISAs. | ISQC 1, 200, 220 |
Exhibit 3.0-1
Loading...
| Paragraph # | ISQC/ISA Objective(s) |
|---|---|
| ISQC 1.11 | The objective of the firm is to establish and maintain a system of quality control to provide it with reasonable assurance that:
|
| 220.6 | The objective of the auditor is to implement quality control procedures at the engagement level that provide the auditor with reasonable assurance that:
|
| ISQC 1.13 | Personnel within the firm responsible for establishing and maintaining the firm’s system of quality control shall have an understanding of the entire text of this ISQC, including its application and other explanatory material, to understand its objective and to apply its requirements properly. |
| ISQC 1.18 | The firm shall establish policies and procedures designed to promote an internal culture recognizing that quality is essential in performing engagements. Such policies and procedures shall require the firm’s chief executive officer (or equivalent) or, if appropriate, the firm’s managing board of partners (or equivalent) to assume ultimate responsibility for the firm’s system of quality control. (Ref: Para. A4-A5) |
| ISQC 1.19 | The firm shall establish policies and procedures such that any person or persons assigned operational responsibility for the firm’s system of quality control by the firm’s chief executive officer or managing board of partners has sufficient and appropriate experience and ability, and the necessary authority, to assume that responsibility. (Ref: Para. A6) |
| ISQC 1.29 | The firm shall establish policies and procedures designed to provide it with reasonable assurance that it has sufficient personnel with the competence, capabilities, and commitment to ethical principles necessary to:
|
| ISQC 1.32 | The firm shall establish policies and procedures designed to provide it with reasonable assurance that engagements are performed in accordance with professional standards and applicable legal and regulatory requirements, and that the firm or the engagement partner issue reports that are appropriate in the circumstances. Such policies and procedures shall include:
|
| ISQC 1.48 | The firm shall establish a monitoring process designed to provide it with reasonable assurance that the policies and procedures relating to the system of quality control are relevant, adequate, and operating effectively. This process shall:
|
| ISQC 1.57 | The firm shall establish policies and procedures requiring appropriate documentation to provide evidence of the operation of each element of its system of quality control. (Ref: Para. A73-A75) |
| 200.14 | The auditor shall comply with relevant ethical requirements, including those pertaining to independence, relating to financial statement audit engagements. (Ref: Para. A16-A19) |
| 200.15 | The auditor shall plan and perform an audit with professional skepticism recognizing that circumstances may exist that cause the financial statements to be materially misstated. (Ref: Para. A20-A24) |
| 200.16 | The auditor shall exercise professional judgment in planning and performing an audit of financial statements. (Ref: Para. A25-A29) |
| 220.17 | On or before the date of the auditor’s report, the engagement partner shall, through a review of the audit documentation and discussion with the engagement team, be satisfied that sufficient appropriate audit evidence has been obtained to support the conclusions reached and for the auditor’s report to be issued. (Ref: Para. A18-A20) |
| 220.18 | The engagement partner shall:
|
| 220.19 | For audits of financial statements of listed entities, and those other audit engagements, if any, for which the firm has determined that an engagement quality control review is required, the engagement partner shall:
|
Performing quality work begins with strong leadership within the firm and engagement partners committed to the highest ethical standards.
This chapter focuses on developing the system of quality control within a firm. It provides some practical guidance on matters that need to be considered whenever a firm decides to perform audit engagements.
The provision of quality audits and related services is vital to:
- Safeguarding the public interest;
- Maintaining client satisfaction;
- Delivering value for money;
- Ensuring compliance with professional standards; and
- Establishing and maintaining a professional reputation.
The IFAC Guide to Quality Control for Small- and Medium-Sized Practices provides a detailed description of the quality control standards and guidance on how to implement a system of quality control for small- and medium-sized practices (SMPs).1 The Code of Ethics for Professional Accountants (effective January 1, 2011), issued by the IESBA, can be downloaded from the IFAC website.2
1 The web link is:
http://web.ifac.org/publications/small-and-medium-practices-committee/implementation-guides.
2 The web link is: https://www.ethicsboard.org/iesba-code.
The system of quality control in an accounting firm could be mapped to the five internal control elements that auditors are required to evaluate as part of understanding any entity being audited. In a firm, these five internal control elements would also be applicable to control systems in place (other than quality control), such as time and billing, office workflow, expense control, and marketing activities.
The following diagram maps the quality control elements outlined in ISQC 1 and ISA 220 to the five internal control components contained in ISA 315 (Revised), which are applicable to entities being audited. Each of these five control elements is more fully addressed in Volume 1, Chapter 5 of this Guide.
Exhibit 3.2-1
Internal Control Elements (ISA 315 (Revised)) | Firm-Level QC Elements (ISQC 1) | Engagement-Level QC Elements (ISA 220) |
|---|---|---|
Control Environment (Tone at the Top) | Leadership Responsibilities for Quality within the Firm Relevant Ethical Requirements Human Resources | Leadership Responsibilities for Quality on Audits Relevant Ethical Requirements Assignment of Engagement Teams |
Risk Assessment (What Could Go Wrong?) | Acceptance and Continuance of Client Relationships and Specific Engagements | Acceptance and Continuance of Client Relationships and Audit Engagements Risks that the report might not be appropriate in the circumstances |
Information Systems (Tracking performance) | Quality Control System Documentation | Audit Documentation |
| Control Activities (Prevent & detect/correct controls) | Engagement Performance | Engagement Performance |
Monitoring (Are the firm’s/engagement’s objectives being met?) | Ongoing Monitoring of the Firm’s Quality Control Policies and Procedures | Applying Results of Ongoing Monitoring to Specific Audit Engagements |
Delivery of high-quality and cost-effective services is the principal driver of success for professional audit firms. Quality service is also vital in relation to the public-interest responsibilities of professional accountants.
The provision of quality services should always be a key objective in the firm’s business strategy; that objective needs to be communicated to all personnel on a regular basis, and the results monitored. This requires leadership and accountability for promised actions. Poor quality control can lead to inappropriate opinions, poor client service, lawsuits, and loss of reputation.
Hindrances to a strong tone at the top could include matters set out below.
*Exhibit 3.3-1 *
Hindrance | Description |
|---|---|
| Poor Attitudes | A poor attitude is at the heart of most hindrances to quality. It includes such attitudes (but not necessarily this extreme) as the following:
|
| Unwillingness to Invest in Training or Development | Conducting a quality audit is dependent on attracting and retaining qualified and competent people to perform the work. This requires ongoing professional development and performance appraisals for all partners and professional staff (every period). Lack of investment in staff also leads to staff turnover. |
| Lack of Discipline | A failure to discipline partners or staff when the firm’s policies are willfully contravened sends a very clear message to personnel that written policies are really not that important. This undermines compliance with all of the firm’s policies, and increases the risk to the firm. |
A healthy tone at the top can be set by the firm’s management and engagement partners through the following activities.
Exhibit 3.3-2
Setting the Tone | Description |
|---|---|
| Establish the Firm’s Objectives, Priorities, and Values | This could include:
|
| Communicate Regularly | Reinforce the firm’s values and commitments by communicating regularly (verbally and in writing) with staff. Communications would address the need for integrity, objectivity, independence, professional skepticism, staff development, and accountability to the public. Communications could be made through the Performance-appraisal system, partner updates, emails, office meetings, and internal newsletters. |
| Update the Quality Control Manual | Each period, update the firm’s quality control policies and procedures to address weaknesses and any new requirements. |
| Hold People Accountable | Assign clear responsibilities and accountabilities for quality-control functions (such as independence issues, consultation, file review, etc.). |
| Develop Staff Competence and Reward Quality Work | Develop staff through:
|
| Continually Improve | Take prompt action to correct deficiencies when identified, such as through the firm’s engagement file monitoring, including the cyclical inspection of completed engagement files. |
| Set an Example | Provide staff with a role model in the positive example set by partners in their day- to-day behavior. For example, if a policy emphasizes the need for quality work, a staff member should then not be criticized for legitimately going over the budgeted time. |
Risk management is an ongoing process that helps a firm to anticipate negative events, develop a framework for effective decision-making, and profitably deploy the firm’s resources.
Some form of risk management occurs in most firms, and it is often informal and undocumented. Individual partners typically identify risks and respond to them based on their direct involvement with the firm and with their clients. Formalizing and documenting the process for the firm as a whole is a proactive and more effective approach to risk assessment. This does not have to be time-consuming or cumbersome to implement. Notably, effectively managing the firm’s risk assessment can result in less stress for partners and staff, savings in time and costs, and improved chances of achieving the firm’s goals.
A simple risk assessment process can be used in any size of firm, even a sole proprietorship. It consists of the following activities.
Exhibit 3.4-1
Activity | Description |
|---|---|
| Establish the Risk Tolerances for the Firm | These tolerances could be quantitative amounts, such as allowable write-offs of work in process, or qualitative factors, such as characteristics of clients that would not be acceptable to the firm. Once established, these tolerances provide partners and staff with a useful reference point for decision-making (e.g., write-offs and client acceptance, etc.). |
| Identify What Can Go Wrong | Identify the events (that is, the risk factors or exposures) that could prevent the firm from achieving its stated goals. This step implies that the firm has already established clear objectives and a commitment to performing quality work. |
| Prioritize Risks | Using the risk tolerances established above, prioritize the events identified based on an assessment of likelihood and impact. |
| What is the Response Needed? | Develop an appropriate response to the assessed risks to reduce the potential impact to within the firm’s acceptable tolerances. Potential events (risks) with the highest priority would be addressed first. |
| Assign Responsibility | For all risks that require action or monitoring, assign someone with the responsibility to take the appropriate action and to manage the risk on a day-to-day basis. |
| Monitor Progress | Require periodic (simple) reports from each person assigned to manage risks on behalf of the firm (this could address matters such as compliance with the firm’s quality control procedures, training requirements, staff appraisals, and independence issues addressed). |
A sample of a firm’s risk assessment worksheet could be as shown in the following exhibit.
Exhibit 3.4-2 19
Firm
Prepared by
Date prepared
| # | Event — Risk Factor What would prevent the firm’s goals being achieved | Likely consequences | Inherent risk assessment | Firm’s response to mitigate/manage risk | Who is responsible? | Residual Risk (H, M, L) | Additional action required? What? Who? | |||
|---|---|---|---|---|---|---|---|---|---|---|
| Likelihood to occur | Impact | Combined score | ||||||||
| 1 | A high-risk client is accepted by firm | Unbillable time and/ or litigation. | 4 | 4 | 16 | QC manual sets out criteria and managing partner must approve all new clients. | Managing Partner | Low | None | |
| 2 | Independence issue may not be identified on new/existing client | Inappropriate to give an opinion, the result of which could be a loss of reputation in the community. | 2 | 4 | 8 | QC manual sets out rules. Staff sign annual declaration and Jack Billing addresses any issues raised. | Jack Billing | Low | None | |
| 3 | Audit engagements are not properly planned | Time wasted by staff. Missed risk factors (that is, fraud) and inadequate audit response. | 4 | 5 | 20 | A planning meeting required on all audits. Cindy keeps a list of clients and records planning dates. Joe Gisp follows up with partners. | Joe Gisp | Low | None | |
| 4 | Staff unaware of new clarity standards coming into force | Poor quality work that does not comply with ISA standards. | 4 | 5 | 20 | Joe Gisp enrolls staff in training courses appro- priate to their needs. | Joe Gisp | Medium | Joe to develop process for tracking if staff actually attend courses. | Joe Gisp by 1/1/xx |
Notes:
Assess likelihood to occur on a scale of 1 - 5 (Remote = 1 Unlikely = 2 Possible = 3 Likely = 4 Almost certain = 5) Assess the impact on a scale of 1 - 5 (Immaterial = 1 Minor = 2 Moderate = 3 Major = 4 Material = 5)
Assess the residual risk as low, moderate, or high. This is the remaining risk after the firm response has been applied
Most firms have well-developed information systems for keeping track of clients, time and billing, expenditures, staff, and engagement file management. However, information systems that track the quality of work produced and compliance with the firm’s quality control manual are often not as well developed.
Information systems should also be designed to address the risks identified and assessed as part of the firm’s risk assessment process.
Aspects of quality control that merit documentation and ongoing review include keeping track of the matters set out in the following exhibit.
Exhibit 3.5-1
Keep track of: | Description |
|---|---|
| Firm’s Risk Exposure and Staff’s Commitment to Quality |
|
| Ethics and Independence |
|
| Personnel |
|
| Engagement Management |
|
Control activities are designed to ensure compliance with the firm’s established policies and procedures.
One possible way to design, implement, and monitor quality control is to follow the PDCA (plan-do- check-act) process. Each of the elements is described below.
Exhibit 3.6-1
Step | Description |
|---|---|
| PLAN | Establish the objectives and quality control processes necessary to deliver the required outputs. |
| DO | Implement the new processes, often on a small scale if possible. |
| CHECK | Measure the new processes, and compare the results against the expected results to ascertain any differences. |
| ACT | Analyze the differences to determine their cause. Each will be part of either one or more of the P-D-C-A steps. Determine where to apply changes that include improvement. |
For example, a firm objective may be not to release the audit report until all queries and outstanding items have been cleared. The required policy is that the final engagement report may not be released, filed, or otherwise distributed until certain specified approvals have been obtained. Implementation of the policy could be controlled through a final release process wherein a person verifies that all approvals have in fact been obtained and documented. The effectiveness of the policy could be checked by periodic inspections of the approval sign-offs. If deviations are identified, the reasons would be investigated, and appropriate action such as discipline, training, or changes in the policy would be considered.
Control activities to address all policies and procedures would not be possible or cost-effective. Firms should use professional judgment and their assessment of risk to determine what controls need to be implemented. Control activities could be considered for:
- All the policies and procedures documented in the firm’s quality control manual;
- Office workflow policies;
- Operational policies and procedures; and
- Other personnel-related policies and procedures.
The scope for control-activity design would address all the quality control, ethical, and independence requirements and the firm’s compliance with ISAs relevant to the audit.
Exhibit 3.6-2
Scope of Possible Control Activities:
Loading...
An important element of a control system is the monitoring of its fitness and operational effectiveness. This can be achieved through an independent review of the operating effectiveness of the firm-level and engagement-level policies/procedures, and inspection of completed engagement files.
An effective monitoring process helps to develop a culture of continual improvement, wherein partners and staff are committed to quality work and rewarded for improving performance.
A firm’s monitoring process could be divided into two parts, as follows:
- Ongoing policy monitoring (other than the cyclical file inspections)
An ongoing (suggest annual) consideration and evaluation of the firm’s system of quality control helps to ensure that the policies and procedures in place are relevant, adequate, and operating effectively. When performed and documented on an annual basis, this monitoring will support the requirement to communicate with staff each year about the firm’s plans to improve engagement quality. This scope of ongoing monitoring addresses each of the quality control elements, and includes an assessment of whether:
+ The firm’s quality control manual has been updated for new requirements and developments,
+ Those assigned quality control responsibilities in the firm (if any) have actually fulfilled their roles,
+ Written confirmations (by partners and staff) have been obtained to ensure each individual’s compliance with the firm’s policies and procedures on independence and ethics,
+ There is ongoing professional development for partners and staff,
+ Decisions related to acceptance and continuance of client relationships and specific engagements are in compliance with the firm’s policies and procedures,
+ The code of ethics has been followed,
+ Suitably qualified people were assigned as the engagement quality control reviewers and completion of such reviews occurred before the audit report was dated,
+ Communication has been made to the appropriate personnel about deficiencies that have been identified, and
+ Appropriate follow-up has been made to ensure that identified deficiencies in quality have been addressed on a timely basis.
- Cyclical completed file inspections
The ongoing consideration and evaluation of the firm’s system of quality control includes a cyclical inspection of at least one completed engagement file for each partner. This is required to ensure compliance with professional/legal requirements, and that assurance reports being issued are appropriate in the circumstances. Cyclical inspections help to identify deficiencies and training needs, and enable the firm to make necessary changes, on a timely basis.
Upon completion of the review, the monitor would prepare a report that, after discussion with the partners, would be communicated to all managers and professional staff along with the action steps to be taken.
Who can be appointed as monitor?
- Monitoring of firm-level policies
The review of compliance with the firm’s policies would be performed by a suitably qualified person who ideally is not also responsible for managing or developing quality control within the firm. However, ISQC 1 recognizes that this may not always be possible in smaller firms, so self-monitoring is acceptable.
Alternatively, an individual external to the firm, with the competence and capabilities to act as an engagement partner, could be appointed. This would enhance the independence and objectivity of the firm.
- Completed file inspections
The person appointed to inspect completed engagement files must be suitably qualified, and must not have been involved in performing the engagement or the engagement quality control review on the file.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 200.18 | The auditor shall comply with all ISAs relevant to the audit. An ISA is relevant to the audit when the ISA is in effect and the circumstances addressed by the ISA exist. (Ref: Para. A55-A59) |
| 200.22 | Subject to paragraph 23, the auditor shall comply with each requirement of an ISA unless, in the circumstances of the audit:
|
| 200.23 | In exceptional circumstances, the auditor may judge it necessary to depart from a relevant requirement in a ISA. In such circumstances, the auditor shall perform alternative audit procedures to achieve the aim of that requirement. The need for the auditor to depart from a relevant requirement is expected to arise only where the requirement is for a specific procedure to be performed and, in the specific circumstances of the audit, that procedure would be ineffective in achieving the aim of the requirement. (Ref: Para. A76) |
| 230.12 | If, in exceptional circumstances, the auditor judges it necessary to depart from a relevant requirement in an ISA, the auditor shall document how the alternative audit procedures performed achieve the aim of that requirement, and the reasons for the departure. (Ref: Para. A18-A19) |
The ISAs set out the responsibilities and requirements of auditors in conducting an audit. As stated in ISA 200.18, 22, and 23, each relevant requirement (set out in the requirements section of the ISAs) is to be followed by the auditor, except in exceptional circumstances, where alternative audit procedures would be performed to achieve the aim of that particular requirement. Note the following.
Exhibit 3.8-1
ISAs | Description |
|---|---|
| Status | The ISAs, taken together, provide the standards for the auditor’s work in fulfilling the overall objectives of the auditor. The ISAs deal with the general responsibilities of the auditor, as well as the auditor’s further considerations relevant to the application of those responsibilities to specific topics. |
| Relevance | Some ISAs (and therefore all of their requirements) may not be relevant in the circumstances (e.g., internal audit or group accounts). Some ISAs contain conditional requirements. These requirements are relevant when the circumstances envisioned apply and the condition exists. Departures from relevant ISA requirements need to be documented, along with the alternative audit procedures performed and the reasons for the departure. |
| Local Laws | Auditors may be required (in addition to the ISAs) to comply with certain legal or regulatory requirements or other auditing standards of a specific jurisdiction or country. |
| Other | The scope, effective date, and any specific limitation of the applicability of a specific ISA is made clear in the ISA. However, the effective date of the ISA may also be affected by legal requirements in a particular jurisdiction. Unless otherwise stated in the ISA, the auditor is permitted to apply an ISA before the effective date specified therein. |
Chapter Content | Relevant ISAs |
|---|---|
Auditor objectives, basic elements, and approach to performing a risk- based audit. | Multiple |
Exhibit 4.0-1
Loading...
| Paragraph # | ISA Objective(s) |
|---|---|
| 200.11 | In conducting an audit of financial statements, the overall objectives of the auditor are:
|
| 200.3 | The purpose of an audit is to enhance the degree of confidence of intended users in the financial statements. This is achieved by the expression of an opinion by the auditor on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. In the case of most general-purpose frameworks, that opinion is on whether the financial statements are presented fairly, in all material respects, or give a true and fair view in accordance with the framework. An audit conducted in accordance with ISAs and relevant ethical requirements enables the auditor to form that opinion. (Ref: Para. A1) |
| 200.5 | As the basis for the auditor’s opinion, ISAs require the auditor to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is a high level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (i.e., the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level. However, reasonable assurance is not an absolute level of assurance, because there are inherent limitations of an audit which result in most of the audit evidence on which the auditor draws conclusions and bases the auditor’s opinion being persuasive rather than conclusive. (Ref: Para. A30-A54) |
| 200.A36 | The risks of material misstatement may exist at two levels:
|
| 200.A42 | The ISAs do not ordinarily refer to inherent risk and control risk separately, but rather to a combined assessment of the “risks of material misstatement.” However, the auditor may make separate or combined assessments of inherent and control risk depending on preferred audit techniques or methodologies and practical considerations. The assessment of the risks of material misstatement may be expressed in quantitative terms, such as in percentages, or in non-quantitative terms. In any case, the need for the auditor to make appropriate risk assessments is more important than the different approaches by which they may be made. |
| 200.A47 | The auditor is not expected to, and cannot, reduce audit risk to zero and cannot therefore obtain absolute assurance that the financial statements are free from material misstatement due to fraud or error. This is because there are inherent limitations of an audit, which result in most of the audit evidence on which the auditor draws conclusions and bases the auditor’s opinion being persuasive rather than conclusive. The inherent limitations of an audit arise from:
|
The auditor’s overall objectives as stated in ISA 200.11 can be summarized as follows:
- To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and
- To report on the financial statements, and communicate as required by the ISAs, in accordance with the auditor’s findings.
Reasonable assurance is a high but not absolute level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level. The auditor cannot provide absolute assurance due to the inherent limitations in the work carried out. This results from the majority of audit evidence (on which the auditor draws conclusions and bases the auditor’s opinion) being persuasive rather than conclusive.
The following exhibit outlines some of the inherent limitations of audit work performed.
Exhibit 4.1-1
Limitations | Reasons |
|---|---|
| The Nature of Financial Reporting | The preparation of financial statements involves:
|
| Nature of Audit Evidence Available | Most of the auditor’s work in forming the auditor’s opinion consists of obtaining and evaluating audit evidence. This evidence tends to be persuasive in character rather than conclusive. Audit evidence is primarily obtained from audit procedures performed during the course of the audit. It may also include information obtained from other sources such as:
|
| The Nature of Audit Procedures | Audit procedures, however well designed, will not detect every misstatement. Consider the following:
|
| Timeliness of Financial Reporting | The relevance/value of financial information tends to diminish over time, so a balance needs to be struck between the reliability of information and its cost. Users of financial statements expect that the auditor will form his or her opinion within a reasonable period of time and at a reasonable cost. Consequently, it is impracticable to address all information that may exist, or to pursue every matter exhaustively on the assumption that information is in error or fraudulent until proved otherwise. |
The scope of the auditor’s work and the opinion provided are usually confined to whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. As a result, an unmodified auditor’s report does not assure the future viability of the entity, nor the efficiency or effectiveness with which management has conducted the affairs of the entity.
Any extension of this basic audit responsibility, such as that required by local laws or securities regulations, would require the auditor to undertake further work and to modify or expand the auditor’s report accordingly.
A material misstatement (either individually or the aggregate of all uncorrected misstatements and missing/misleading disclosures in the financial statements) has occurred when it could reasonably be expected to influence the economic decisions of users made on the basis of the financial statements.
Assertions are representations by management, explicit or otherwise, that are embodied in the financial statements. They relate to the recognition, measurement and presentation of classes of transactions and events, account balances and disclosures in the financial statements. For example, the completeness assertion relates to all transactions and events that should have been recorded having been recorded. They are used by the auditor to consider the different types of potential misstatements that may occur.
Audit risk is the risk of expressing an inappropriate audit opinion on financial statements that are materially misstated. The objective of the audit is to reduce this audit risk to an acceptably low level.
Audit risk has two key elements, as illustrated below.
Exhibit 4.2-1
Risk | Nature | Source |
|---|---|---|
| Inherent and Control Risks | The financial statements may contain a material misstatement. | Entity objectives/operations and management’s design/ implementation of internal control. |
| Detection Risk | The auditor may fail to detect a material misstatement in the financial statements. | Nature and extent of the procedures performed by the auditor. |
To reduce audit risk to an acceptably low level, the auditor is required to:
- Assess the risks of material misstatement; and
- Limit detection risk. This may be achieved by performing procedures that respond to the assessed risks of material misstatement, both at the financial statement level and at the assertion level for classes of transactions, account balance, and disclosures.
The major components of audit risk are described in the following exhibit.
Exhibit 4.2-2
Nature | Description | Commentary |
|---|---|---|
| Inherent Risk | The susceptibility of an assertion about a class of transaction, account balance, or disclosure to a misstatement that could be material, either individually or when aggregated with other misstatements, before consideration of any related controls. | This includes events or conditions (internal or external) that could result in a misstatement (error or fraud) in the financial statements. The sources of risk (often categorized as business or fraud risks) can arise from the entity’s objectives, the nature of its operations/industry, the regulatory environment in which it operates, and its size and complexity. |
| Control Risk | The risk that a misstatement that could occur in an assertion about a class of transaction, account balance, or disclosure and that could be material, either individually or when aggregated with other misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s internal control. | Management designs controls to mitigate a specified inherent (business or fraud) risk factor. An entity assesses its risks (risk assessment) and then designs and implements appropriate controls to reduce its risk exposure to a tolerable (acceptable) level. Controls may be:
toward control, commitment to hiring competent people, and prevention of fraud. These controls are assessed at the financial statement level; and
|
| Detection Risk | The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements. | The auditor assesses the risks of material misstatement (inherent and control risk) at the financial statement and assertion levels. Audit procedures are then developed to reduce audit risk to an acceptably low level. This includes consideration of the potential risk of:
|
Note: The ISAs define the risk of material misstatement at the assertion level as consisting of two components: inherent risk and control risk. Consequently, the ISAs do not ordinarily refer to
inherent risk and control risk separately, but rather to a combined assessment of the “risks of material misstatement.” However, the auditor may make separate or combined assessments of inherent and control risk, depending on preferred audit techniques or methodologies and practical considerations.
CONSIDER POINT Separate business and fraud risks Many inherent risks can result in both business and fraud risks. For example, a new accounting system may create potential for errors (business risk), but may also provide an opportunity for someone to manipulate financial results or misappropriate funds (fraud risk). So when a business risk is identified always consider whether this also creates a fraud risk. If it does, record and assess the fraud risk separately from the business risk factors. Otherwise it is possible that the audit response will only address the business-risk element and not the fraud risk. Recording fraud risks Fraud is often identified through the examination of:
If such matters are observed (during any stage of the audit) they should be recorded and assessed as fraud risks, even if they seem on the surface to be immaterial. Recording such risks will help ensure they are appropriately considered when developing the audit response. |
|---|
Exhibit 4.2-3
The following chart shows the interrelationship between risk and control. The inherent risk bar contains all the business and fraud risk factors that could result in the financial statements being materially misstated (before any consideration of internal control). The control risk bars reflect the pervasive and transactional control procedures put into effect by management to mitigate the risk that the financial statements are misstated. The extent to which the control risk bars do not completely mitigate the inherent risks is often called management’s residual risk, risk appetite or risk tolerance.
Loading...
Note: The length of the bars in the exhibit would vary based on the particular circumstances and risk profile of the entity.
Exhibit 4.2-4
This chart outlines the auditor’s role in assessing the risks of material misstatement in the financial statements and then performing responsive audit procedures designed to reduce the audit risk to an appropriately low level.
Loading...
Note: The length of the bars in the exhibit would vary based on the particular circumstances and risk profile of the entity, and the nature of the auditor’s response.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 200.15 | The auditor shall plan and perform an audit with professional skepticism recognizing that circumstances may exist that cause the financial statements to be materially misstated. (Ref: Para. A20-A24) |
| 200.16 | The auditor shall exercise professional judgment in planning and performing an audit of financial statements. (Ref: Para. A25-A29) |
| 200.17 | To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion. (Ref: Para. A30-A54) |
| 200.21 | To achieve the overall objectives of the auditor, the auditor shall use the objectives stated in relevant ISAs in planning and performing the audit, having regard to the interrelationships among the ISAs, to: (Ref: Para. A69-A71)
|
A risk-based audit has three key steps, as illustrated below.
Exhibit 4.3-1
Steps (Phases) | Description |
|---|---|
| Risk Assessment | Performing risk assessment procedures to identify and assess the risks of material misstatement in the financial statements. This includes the assessment of significant risks, control deficiencies and identified or suspected non-compliance with laws and regulations that will be addressed in the audit and communicated to TCWG. The auditor would also select key audit matters for inclusion in the auditor’s report for listed entities and for all audits where ISA 701, related to key audit matters, is to be applied as required by local law, regulation or voluntarily. |
| Risk Response | Designing and performing further audit procedures that respond to identified and assessed risks of material misstatement, at both the financial statement and assertion levels. |
| Reporting | This involves:
|
A simple way of describing the three elements is illustrated below.
Exhibit 4.3-2
Loading...
The various tasks involved in each of these three phases are outlined below. Each phase is addressed in more detail in subsequent chapters of this Guide.
| Paragraph # | ISA Objective(s) |
|---|---|
| 315.3 | The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. |
Exhibit 4.3-3
Loading...
An effective risk assessment phase would include the following.
Exhibit 4.3-4
Requirements | Description |
|---|---|
| Up-Front Involvement of Senior Team Members | The engagement partner and other key members of the engagement team need to be actively involved in planning the audit, and in planning and participating in the discussion among engagement team members. This will ensure the audit plan takes advantage of their experience and insight. Note that ISAs usually refer to the term “auditor” as the person(s) performing the engagement. Where an ISA intends a requirement or responsibility be fulfilled by the engagement partner, the term “engagement partner” rather than “auditor” is used. |
| An Emphasis on “Professional Skepticism” | The auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance. Nevertheless, a belief that management and those charged with governance are honest and have integrity does not relieve the auditor of the need to maintain professional skepticism, or allow the auditor to be satisfied with less-than- persuasive audit evidence when obtaining reasonable assurance. |
| Planning | The time spent in audit planning (developing the overall audit strategy and audit plan) will ensure that audit objectives are properly met, and that the work of audit staff is always focused on gathering evidence on the most critical areas of potential misstatement. |
| Team Discussions and Ongoing Communication | A team planning discussion/meeting with the engagement partner present provides an excellent forum for:
Ongoing communication among the audit team throughout the engagement is also important, for example discussing and addressing audit issues, unusual activities or possible indicators of fraud. This will enable timely communications to management and, where necessary, changes to the audit strategy and audit procedures. |
| Focus on Risk Identification | The most important step in a risk assessment process is to identify all the relevant risks. If business and fraud risk factors are not identified by the auditor, they will not be assessed or documented, and an appropriate audit response will not be designed. This is why well-designed risk assessment procedures are so important to the effectiveness of the audit. These risk assessment procedures also need to be performed by the appropriate level of staff. |
| Financial Statement Disclosures | In assessing risks, disclosures in the financial statements are also taken into account. Disclosures in the financial statements of SMEs may be less detailed or less complex (for example, some financial reporting frameworks allow smaller entities to provide fewer disclosures in their financial statements). However this does not relieve the auditor of the responsibility to obtain an understanding of disclosures and assess the risks of material misstatement in disclosures that are required. |
| Ability to Evaluate Management’s Response(s) to Risk | A key step in the risk assessment process is to evaluate the effectiveness of management’s responses (that is, management’s control design/implementation), if any, to mitigate the identified risks of material misstatement in the financial statements. In smaller entities, more reliance will likely be placed on the control environment (such as the competence and integrity of managements, etc.) and less on the traditional control activities (such as segregation of duties, etc.). |
| Use of Professional Judgment | The ISA audit requirements require the use and then documentation of significant judgments made by the auditor throughout the audit. Typical examples of tasks throughout the risk assessment process include:
|
| Paragraph # | ISA Objective(s) |
|---|---|
| 330.3 | The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks. |
Exhibit 4.3-5
Loading...
In this phase, the auditor considers the reasons (inherent and control risks) for the risk assessments at the financial statement level and at the assertion level (for each class of transactions, event, account balance, and disclosure), and develops responsive audit procedures.
The auditor’s response to the assessed risks of material misstatement is documented in an audit plan that:
- Contains an overall response to the risks identified at the financial statement level;
- Identifies the material financial statement areas and significant disclosures; and
- Contains the nature, extent, and timing of specific audit procedures tailored to respond to the assessed risks of material misstatement at the assertion level.
The overall responses address assessed risks of material misstatement at the financial statement level.
Such responses would include the assignment and supervision of appropriate personnel, need for professional skepticism, the extent of corroboration required for management’s explanations/ representations, consideration of the type of audit procedures to be performed, and what documentation would be examined in support of material transactions.
Further audit procedures generally consist of substantive procedures such as tests of details, analytical procedures, and tests of controls (where there is an expectation that such controls have been operating effectively during the period).
Some of the matters the auditor should consider when planning the appropriate mix of audit procedures to respond to identified risks include the following:
- Use of tests of controls
+ Identify relevant internal controls that, if tested, would reduce the need/scope for other substantive procedures. As a general rule, the sample size for testing controls is often significantly less than that of a substantive test of a transaction stream. Assuming that the relevant controls operate consistently and control deviations are unlikely, the use of tests of controls can often result in less work being performed. However, there is no requirement that the operating effectiveness of internal controls (direct or indirect) be tested.
+ Identify any assertions that cannot be addressed by substantive procedures alone. For example, this can often apply to completeness of sales in a small entity, and situations where there is highly automated processing of transactions (such as Internet sales) with little or no manual intervention.
- Substantive analytical procedures
These are procedures for which the total amount of a transaction stream can be reliably predicted based on available evidence. This expectation is compared to the actual amount in the accounting records, and the extent of any misstatement readily identified (see Volume 1, Chapter 10). In some cases, if the assessed risk for a particular assertion is low (without considering related controls), the auditor may determine that substantive analytical procedures alone would provide sufficient appropriate audit evidence.
- Unpredictability
The need to incorporate an element of unpredictability in procedures performed, such as when responding to a risk of material misstatement due to possible fraud. For example, visits to inventory count locations could be unannounced or certain procedures could be carried out prior to the year- end that are unannounced. Unpredictability also needs to be considered in how much information is provided to management with regard to planned audit procedures and their timing.
- Management override
The need for specific audit procedures to address the potential for management override.
- Significant risks
The audit response to “significant risks” that have been identified. (See Volume 2, Chapter 10.)
| Paragraph # | ISA Objective(s) |
|---|---|
| 700.6 | The objectives of the auditor are:
|
Exhibit 4.3-6
Loading...
The final phase of the audit is to assess the audit evidence obtained and determine whether it is sufficient and appropriate to reduce audit risk to an acceptably low level.
It is important during this phase of the audit to determine:
- Any change in the assessed level of risk;
- Whether conclusions drawn from the work performed are appropriate;
- If any suspicious circumstances have been encountered; and
- That additional risks (not previously identified) have been appropriately assessed and further audit procedures performed as required.
A team debriefing meeting (towards or at the end of the fieldwork) is not a specific requirement of the ISAs, but can be useful for staff to discuss the audit findings, identify any indications of fraud, and determine the need (if any) to perform any further audit procedures.
When all procedures have been performed and conclusions reached:
- Audit findings should be reported to management and those charged with governance; and
- An audit opinion should be formed and a decision made on the appropriate wording for the auditor’s report.
Sufficient audit documentation is required to enable an experienced auditor, having no previous connection with the audit, to understand:
- The nature, timing, and extent of the audit procedures performed;
- The results of performing those procedures and the audit evidence obtained; and
- Significant matters arising during the audit, the conclusions reached thereon; and significant professional judgments made in reaching those conclusions.
Audit documentation for a smaller entity is generally less extensive than that for the audit of a larger entity. For example, various aspects of the audit could be recorded together in a single document, with cross-references to supporting working papers, as appropriate.
It is not necessary for the auditor to document:
- Every minor matter considered, or every professional judgment made, in an audit; and
- Compliance with matters for which compliance is demonstrated by documents included within the audit file. For example, an audit plan on file demonstrates that the audit was planned, and a signed engagement letter demonstrates that the auditor has agreed to the terms of the audit engagement.
Some of the benefits of the risk-based approach are summarized in the exhibit below.
Exhibit 4.5-1
Benefits | Description |
|---|---|
Time Flexibility When Audit Work Needs to Be Performed | Because risk assessment procedures do not involve the detailed testing of transactions and balances, they can be performed well before the period end, assuming no major operational changes are anticipated. This can help in balancing the workload of audit staff more evenly throughout the period. It may provide the client with time to respond to identified (and communicated) weaknesses in internal control and other requests for assistance before the commencement of period-end audit fieldwork. However, where interim financial information is not readily available, the analytical risk assessment procedures may have to be performed at a later date. |
| Audit Team’s Effort Focused on Key Areas | By understanding where the risks of material misstatement can occur in financial statements, the auditor can direct the audit team’s effort toward high-risk areas and perhaps reduce work in lower-risk areas. This will also help to ensure that audit staff resources are used effectively. |
| Audit Procedures Focused on Specific Risks | Further audit procedures are designed to respond to assessed risks. Consequently, tests of details that only address risks in general terms may be significantly reduced or even eliminated. |
| Understanding of Internal Control | The required understanding of internal control enables the auditor to make informed decisions on whether to test the operating effectiveness of internal control. Tests of controls (for which some controls may only require testing every three years) will often result in much less work being required than performing extensive tests of details. (See Volume 2, Chapter 17.) |
| Timely Communication of Matters of Interest to Management | The improved understanding of internal control may enable the auditor to identify weaknesses in internal control (such as in the control environment and general IT controls) that were not previously recognized. Communicating these weaknesses to management on a timely basis will enable them to take appropriate action, which is to their benefit. This may also save time in performing the audit. |
| Paragraph # | Relevant Extracts from Application Material in ISAs |
|---|---|
| 200.A65 | When appropriate, additional considerations specific to audits of smaller entities and public sector entities are included within the application and other explanatory material of an ISA. These additional considerations assist in the application of the requirements of the ISA in the audit of such entities. They do not, however, limit or reduce the responsibility of the auditor to apply and comply with the requirements of the ISAs. |
| 200.A66 | For purposes of specifying additional considerations to audits of smaller entities, a “smaller entity” refers to an entity which typically possesses qualitative characteristics such as:
These qualitative characteristics are not exhaustive, they are not exclusive to smaller entities, and smaller entities do not necessarily display all of these characteristics. |
| 200.A67 | The considerations specific to smaller entities included in the ISAs have been developed primarily with unlisted entities in mind. Some of the considerations, however, may be helpful in audits of smaller listed entities. |
| 200.A68 | The ISAs refer to the proprietor of a smaller entity who is involved in running the entity on a day-to-day basis as the “owner-manager.” |
ISAs do not distinguish the audit approach required for a one-person entity from that required for a national entity employing thousands of people. An audit is an audit. Consequently, the basic approach to an audit does not change just because the entity is small.
The word “audit” is intended to convey a clear message to users of financial statements. That message is that the auditor has obtained reasonable assurance that the financial statements are free from material misstatements, regardless of the size or type of the entity that has been audited.
This issue of proportionality was addressed by IAASB staff in a Staff Questions and Answers document, entitled Applying ISAs Proportionately with the Size and Complexity of an Entity,1 issued in August 2009. Its purpose is to assist auditors in applying the clarified ISAs in a cost-effective manner. The response to the question “How do the ISAs address the fact that the characteristics of an SME are significantly different from those of a larger, more complex entity” was as follows:
“The auditor’s objectives are the same for audits of entities of different sizes and complexities. This, however, does not mean that every audit will be planned and performed in exactly the same way. The ISAs recognize that the specific audit procedures to be undertaken to achieve the auditor’s objectives and to comply with the requirements of the ISAs may vary considerably depending on whether the entity being audited is large or small and whether it is complex or relatively simple.
The requirements of the ISAs, therefore, focus on matters that the auditor needs to address in an audit and do not ordinarily detail the specific procedures that the auditor should perform.
The ISAs also explain that the appropriate audit approach for designing and performing further audit procedures depends on the auditor’s risk assessment. For example, based on the required understanding of the entity and its environment, including its internal control and the assessed risks of material misstatement, the auditor may determine that a combined approach using both tests of controls and substantive procedures is an effective approach in the circumstances in responding to the assessed risks. In other cases, for example, in the context of an SME audit where there are not many control activities in
1 Applying ISAs Proportionately with the Size and Complexity of an Entity is at www.ifac.org/publications-resources/applying-isas-proportionate-.
the SME that can be identified by the auditor, the auditor may decide that it is efficient to perform further audit procedures that are primarily substantive procedures.
It is also important to note that the ISAs acknowledge that the appropriate exercise of professional judgment is essential to the proper conduct of an audit. Professional judgment is necessary, in particular, regarding decisions about the nature, timing, and extent of audit procedures used to meet the requirements of the ISAs and gather audit evidence. However, while the auditor of an SME needs to exercise professional judgment, this does not mean that the auditor can decide not to apply a requirement of an ISA except in exceptional circumstances and provided that the auditor performs alternative audit procedures to achieve the aim of the requirement.”
The key points in the excerpt above can be summarized as follows:
- Audit objectives are the same for any size of audit;
- The specific audit procedures required may vary considerably depending on the size of entity and the assessed risks;
- The ISAs focus on matters the auditor needs to address — not on the details of specific procedures;
- The design of further audit procedures depends on the auditor’s risk assessment;
- The appropriate exercise of professional judgment is essential in tailoring the procedures to respond appropriately to the assessed risks; and
- Professional judgment cannot be used to avoid compliance with any ISA requirements except in exceptional circumstances.
In addition, the ISAs contain a number of paragraphs that address considerations specific to audits of SMEs. This material provides useful guidance material in applying specific ISA requirements in the context of an SME audit.
Some suggestions for successfully implementing ISAs on smaller engagements are included in the following exhibit.
Exhibit 4.6-1
1. Take time to read the clarified ISAs and to train staff. |
|---|
Failure to understand the requirements can lead to:
|
2. Take time to plan well, no matter how small the engagement. |
It has been said an hour spent in planning can save many more in execution. Effective audit planning is often the difference between a quality audit within budget and a poor-quality audit that goes over budget. This does not necessarily mean holding dedicated team meetings in the office. On very small engagements, planning can be achieved through brief discussions at the start of the engagement and as the audit progresses. Key areas to address in planning:
|
3. Evaluate the control environment. |
| Take time to understand the pervasive internal controls that are part of the control environment. Pervasive controls are quite different from transactional controls; they address such matters such as integrity and ethics, corporate governance, employee competence, management’s attitudes toward control, fraud prevention, risk management, and control monitoring. If the “tone at the top” is poor, management override can easily occur, and even the very best transactional controls over processes such as purchases and sales could be undermined. |
4. Aim for continual improvement. |
| There is a tendency for some auditors to blindly follow the example of the previous auditor, resulting in a file that mirrors that of the previous year. A much better approach is to continually review/challenge the work performed in previous years, and identify changes that will make the audit more efficient and effective. |
Chapter Content | Relevant ISA |
|---|---|
To outline the purpose, scope, and nature of internal control over financial reporting, including the five components to be evaluated by the auditor. | 315 (Revised) |
Exhibit 5.0-1
Loading...
The first bar in the chart represents all the business and fraud risk factors that could result in the financial statements being materially misstated (before any consideration of internal control). The second bar reflects the control procedures designed and implemented by management to mitigate the identified risks. The extent to which the second bar does not completely mitigate the identified risks is often called management’s residual risk.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.4(c) | Internal control — The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control. |
| 315.12 | The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A50-A73) |
| 315.13 | When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel. (Ref: Para. A74-A76) |
Internal control is designed, implemented, and maintained by those charged with governance and management of other personnel to address identified business and fraud risks that threaten the achievement of stated objectives, such as the reliability of financial reporting.
The auditor is required to understand how the entity addresses each of the five components of internal control as they relate to a financial statement audit. These components are described in this chapter and in ISA 315 (Revised) paragraphs 4(c), 14-24 and A76-A117. Appendix 1 of ISA 315 (Revised) also provides further explanation on each of these components.
This understanding of internal control is required to determine control risk. The understanding is to be obtained irrespective of any decision by the auditor to test such controls as part of an audit strategy.
Note: Only internal controls that are relevant to the audit need to be identified, documented and assessed.
A relevant control is one that addresses a risk of misstatement in the financial statements.
Internal control is management’s response intended to mitigate an identified risk factor or achieve a control objective. There is a direct relationship between an entity’s objectives and the internal control it implements to ensure their achievement. Once objectives are set, it is possible to identify and assess potential events (risks) that would prevent the achievement of the objectives. Based on this information, management can develop appropriate responses, which will include the design of internal control.
Internal control objectives can be broadly grouped into four categories:
- Strategic, high-level goals that support the mission of the entity;
- Financial reporting (internal control over financial reporting);
- Operations (operational controls); and
- Compliance with laws and regulations.
Internal control relevant to an audit primarily pertains to financial reporting. This addresses the entity’s objective of preparing financial statements for external purposes.
Operational controls, such as production and staff scheduling, quality control, and employee compliance with health and safety requirements, would not normally be relevant to the audit, except where:
- The information produced is used to develop an analytical procedure; or
- The information is required for disclosure in the financial statements.
For example, if production statistics were used as a basis for an analytical procedure, the controls to ensure the accuracy of such data would be relevant. If non-compliance with certain laws and regulations has a direct and material effect on the financial statements, the controls for detecting and reporting on such non-compliance would be relevant.
The term “internal control” as used in ISA 315 (Revised) is broader than just control activities such as segregation of duties, authorizations and account reconciliations, etc. Internal control encompasses five key components:
- The control environment;
- The entity’s risk assessment process;
- The information system, including the related business processes, relevant to financial reporting and communication;
- Control activities relevant to the audit; and
- Monitoring of internal control.
These components as they relate to the entity’s financial reporting objectives are illustrated below.
Exhibit 5.2-1
Loading...
The division of internal control into these five components provides a useful framework for auditors in understanding the different aspects of an entity’s internal control system. However, it should be noted that:
The way in which the internal control system is designed and implemented will vary based on the entity’s size and complexity. Smaller entities often use less formal means and simpler processes and procedures to achieve their objectives. The five components of internal control may not be so clearly distinguished; however, their underlying purposes are equally valid. For example, an owner-manager may (and, in the absence of additional staff, should) perform functions belonging to several of the components of internal control.
- Different terminology or frameworks from those used in ISA 315 (Revised) can be used to describe the various aspects of internal control and their effect on the audit, but all five components are to be addressed in the audit.
- The auditor’s primary consideration is whether, and how, a specific control prevents, or detects and corrects, material misstatements in classes of transactions, account balances, or disclosures, and their related assertions.
A summary of the five internal control components follows.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.14 | The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding, the auditor shall evaluate whether:
whether those other components are not undermined by deficiencies in the control environment. (Ref: Para. A77–A87) |
Control Environment
The control environment is the foundation for effective internal control, providing discipline and structure for the entity. It sets the tone of an organization, influencing the control consciousness or awareness of its people.
The control environment addresses the governance and management functions. It also addresses the attitudes, awareness, and actions of those charged with governance and management concerning the entity’s internal control and its importance within the entity.
Note: Control-environment controls are generally pervasive in nature. They will not directly prevent, or detect and correct, a material misstatement. Instead, they form an important foundation upon which all other controls will be built.
Exhibit 5.3-1 outlines the various elements of the control environment that need to be considered. Note that the importance and order (priority) of these elements will inevitably vary from entity to entity.
Exhibit 5.3-1
Loading...
Control environment controls will influence the auditor’s evaluation of the effectiveness of other control activities that may address specific areas such as sales and purchase transactions. For example, if management has a negative attitude toward control in general, this will undermine the effectiveness of other controls (such as sales, etc.) no matter how well they were designed.
The auditor’s evaluation of the design of the entity’s control environment would include the elements set out below.
Exhibit 5.3-2
Key Elements to Address | Description |
|---|---|
| Communication and Enforcement of Integrity and Other Ethical Values | Integrity and ethical values are essential (foundational) elements, which influence the effectiveness of the design, administration, and monitoring of other controls. |
| Commitment to Competence | Management’s consideration of the competence levels for particular jobs, and how those levels translate into requisite skills and knowledge. |
| Participation by Those Charged with Governance | Attributes of those charged with governance such as:
|
| Management’s Philosophy and Operating Style | Management’s approach to taking and managing business risks, and management’s attitudes and actions toward financial reporting, information processing, accounting functions, and personnel. |
| Organizational Structure | The framework within which an entity’s activities for achieving its objectives are planned, executed, controlled, and reviewed. |
| Assignment of Authority and Responsibility | How authority and responsibility for operating activities are assigned, and how reporting relationships and authorization hierarchies are established. |
| Human Resources Policies and Practices | Recruitment, orientation, training, evaluating, counselling, promoting, compensating, and remedial actions. |
The controls outlined above are pervasive to the entire entity and are often more subjective to evaluate than the traditional control activities (such as segregation of duties). Therefore, the auditor will exercise professional judgment in this evaluation.
Control-environment strengths can compensate or even replace weak transactional controls in some situations. However, control-environment weaknesses can undermine and even negate good design in other components of internal control. For example, if a culture of honesty and ethical behavior did not exist, the auditor would have to consider carefully what types of (additional) audit procedures would be effective in finding material misstatements in the financial statements. In some cases, the auditor may conclude that internal control has broken down to such an extent that the only option is to withdraw from the engagement.
The control environment within small entities will differ from larger
entities, but is just as important. This is particularly true when the
entity does not have the staff or resources to implement traditional
control activities such as segregation of duties.
In smaller entities, the active involvement of a competent
owner-manager (a control-environment strength) may well reduce the
need for other control activities, such as segregation of duties.
Consequently, control environment strengths can serve to indirectly
prevent or detect and correct certain types of misstatement. For
example, when the owner-manager reviews and approves individual
transactions before they are completed, it may serve to prevent or
detect and correct certain specific errors or fraud. However, this
control environment strength would not mitigate other risks such as
management override of controls.
In smaller entities, there will typically be less documentation available to support control environment controls. Consequently, the attitudes, awareness, and actions of management (such as owner-managers) will often form the basis for evaluating control design and implementation. For example, larger entities are likely to provide staff with a code of conduct that outlines acceptable behaviors and consequences for violating codes or rules. Smaller entities may communicate similar values and acceptable behaviors through oral communications and by management example.
Where there is no supporting documentation for a particular control, the auditor would prepare a memorandum for the file. For example, in addressing whether there is communication and enforcement of integrity and ethical values, the auditor could:
- Identify the entity’s values, acceptable behaviors, and enforcement actions through discussions with management. The auditor would then assess whether they are sufficient to address the control design.
- Ask one or two employees what they believe are the entity’s values, acceptable behaviors, and enforcement actions. These interviews would address whether management’s values and acceptable behaviors have been communicated and enforced. This would address control implementation.
CONSIDER POINT Small entities are often reluctant to document internal controls which operate informally. However, there can often be benefits to management in taking the time to document some of the more important policies and procedures. Such policies and procedures could be provided to staff joining the entity, and audit time may be saved versus having to make inquiries each period. In the example cited above, even the smallest entity could prepare a simple statement of values and acceptable behaviors that could be provided to employees and then referred to when an issue arises. |
|---|
In smaller entities, some of the key areas to address in assessing the control environment are outlined in the exhibit below.
Exhibit 5.3-3
Control Element | The Key Question | Possible Controls |
|---|---|---|
| Communication and Enforcement of Integrity and Ethical Values | What management actions serve to eliminate or mitigate incentives or temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts? |
|
| Commitment to Competence | Do personnel have the knowledge and skills necessary to accomplish their tasks? |
|
Participation by Those Charged With Governance (TCWG) (Other than Where Management is TCWG) | How effective is the governance (if any) being provided over entity operations? |
|
| Management’s Philosophy and Operating Style | What are management's attitudes and actions toward financial reporting? |
|
| Organizational Structure | Has a relevant organizational structure been established? |
|
| Assignment of Authority and Responsibility | Have key areas of authority and responsibility been appropriately assigned? |
|
| Human Resources Policies and Practices | What standards are in place to ensure: Recruitment of the most competent and trustworthy people? Training is provided to ensure people can perform their jobs? Promotions are driven by performance appraisals? |
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.15 | The auditor shall obtain an understanding of whether the entity has a process for:
|
| 315.16 | If the entity has established such a process (referred to hereafter as the “entity’s risk assessment process”), the auditor shall obtain an understanding of it, and the results thereof. If the auditor identifies risks of material misstatement that management failed to identify, the auditor shall evaluate whether there was an underlying risk of a kind that the auditor expects would have been identified by the entity’s risk assessment process If there is such a risk, the auditor shall obtain an understanding of why that process failed to identify it, and evaluate whether the process is appropriate to its circumstances or determine if there is a significant deficiency in internal control with regard to the entity’s risk assessment process. |
| 315.17 | If the entity has not established such a process or has an ad hoc process, the auditor shall discuss with management whether business risks relevant to financial reporting objectives have been identified and how they have been addressed. The auditor shall evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances, or determine whether it represents a significant deficiency in internal control. (Ref: Para. A89) |
Risk Assessment
Risk assessment is the second of the five internal control elements. An effective risk assessment process implemented and maintained by management would provide important information needed to determine what business/fraud risks should be managed, so that appropriate actions can be taken. Management may initiate plans or programs, or implement policies and procedures to address specific risks. Or, it may decide to accept a risk because of cost or other considerations.
If the entity’s risk assessment process is appropriate to the circumstances, it will assist the auditor in identifying risks of material misstatement. A risk assessment process would normally address such matters as:
- Changes in operating environment;
- New senior personnel;
- New or revamped information systems;
- Rapid growth;
- New technology;
- New business models, products, or activities;
- Corporate restructurings (including divestitures and acquisitions);
- Expanded foreign operations; and
- New accounting pronouncements.
In smaller entities where a formal risk assessment process is unlikely to exist, the auditor would discuss with management how business risks are identified and how they are addressed.
Matters the auditor should consider are how management:
- Identifies risks relevant to financial reporting;
- Estimates the significance of the risks;
- Assesses the likelihood of their occurrence; and
- Decides upon actions to manage them.
The auditor is also required to evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances, or determine whether it represents a significant deficiency in internal control.
If the auditor identifies risks of material misstatement that management failed to identify, he/she should consider:
- Why did management’s processes fail?
- Are the processes appropriate to the circumstances?
If a significant deficiency exists in the entity’s risk assessment process (or there is no process at all), it would be communicated to management and those charged with governance.
Appendix 2 of ISA 315 (Revised) contains a useful list of possible conditions and events that may indicate the existence of risks of material misstatement.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.18 | The auditor shall obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas: (Ref: Para. A90-A92 and A95-A96)
This understanding of the information system relevant to financial reporting shall include relevant aspects of that system relating to information disclosed in the financial statements obtained from within or outside of the general and subsidiary ledgers. |
| 315.19 | The auditor shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting, including: (Ref: Para. A97-A98)
|
Information System and Communication
Management (and those charged with governance) requires reliable information to:
- Manage the entity (such as planning, budgeting, monitoring performance, allocating resources, pricing, and preparing financial statements for reporting purposes);
- Achieve objectives; and
- Identify, assess, and respond to risk factors.
This requires pertinent information to be identified, captured, and communicated/distributed on a timely basis to personnel (at all levels of the entity) who need it for decision-making.
An information system consists of infrastructure (physical and hardware components), software, people, procedures, and data. Many information systems make extensive use of information technology (IT). They identify, capture, process, and distribute information supporting the achievement of financial reporting (including disclosures) and internal control objectives.
An information system relevant to financial reporting objectives includes the entity’s business processes and accounting system, as set out below.
Exhibit 5.5-1
| Business Processes (Sales, Purchases, Payroll, etc.) | Business processes are structured sets of activities designed to produce a specified output. They result in transactions being recorded, processed, and reported by the information system. |
| Accounting Systems | These include accounting software, electronic spreadsheets, relevant information from other sources and the policies and procedures used to prepare periodic financial reports and the period-end financial statements including disclosures. |
| Other Information Sources | The preparation of some financial statement amounts and disclosures may require use of information that is obtained from within or from outside of the general and subsidiary ledgers. |
Financial statements and disclosures may contain information that is not generated by the entity’s general ledger system. This information is often obtained from outside of the general and subsidiary ledgers, and may include examples such as:
Exhibit 5.5-2
Nature of Information | Examples |
|---|---|
| Contractual Agreements | Information obtained from lease agreements may be disclosed in the financial statements, such as renewal options or future lease payments. |
| Non-compliance | Information that would identify actual or suspected non-compliance with relevant laws and regulations. |
| Fair Value Information | Information that may be produced by management’s experts and disclosed in the financial statements. |
| Risk Assessments | Information disclosed in the financial statements that is produced by an entity’s risk management system. For example, the financial reporting framework may require disclosure of certain matters related to the entity’s risk management system. |
| Assumptions and Data Used to Prepare Estimates | Information that has been obtained from models, or from other calculations used to develop estimates recognized or disclosed in the financial statements. This would include information relating to the underlying data and assumptions used in those models, such as:
|
| Sensitivity Analysis | Information disclosed in the financial statements about sensitivity analysis derived from financial models, which could be used to demonstrate that management has considered alternative assumptions. |
| Tax Returns and Similar Records | Information recognized or disclosed in the financial statements that has been obtained from an entity’s tax returns and records. |
| Going Concern Information | Information that has been obtained from analyses prepared to support management’s assessment of the entity’s ability to continue as a going concern. For example, disclosures, if any, related to events or conditions that have been identified that may cast significant doubt on the entity’s ability to continue as a going concern. |
The extent of understanding required about the information system related to financial reporting is a matter of the auditor’s professional judgment. Factors to consider include:
- Sources of information used, both internal and external;
- The reliability of the financial reports used for decision making;
- The underlying accounting records and supporting information;
- How the information system captures events and conditions, other than transactions, that are significant to the financial statements;
- The financial reporting process including preparation of estimates, controls over journal entries, and controls over use of spreadsheets; and
- Communications between management or those charged with governance and external parties such as banks and regulatory authorities.
An information system has procedures, policies, and records (manual and automated) designed to address the matters set out below.
Exhibit 5.5-3
Loading...
In larger companies, information systems can be complex, automated, and highly integrated. Smaller companies will often rely on manual or stand-alone information technology applications.
CONSIDER POINT Many mainstream accounting software packages (even smaller ones) come with a variety of built-in application controls that could be used to improve control over financial reporting. These controls include automated reconciliations, reporting of exceptions for management review, and ensuring general consistency over financial reporting. |
|---|
In obtaining an understanding of the information system (including business processes), the auditor would address (in addition to the exhibit above):
- Business processes; and
- Relevant aspects of the systems relating to the information included in the financial statements including disclosures. This may be obtained from within or outside of the general and subsidiary ledgers.
The extent of understanding required is a matter of the auditor’s professional judgment. Matters to consider include the:
- Control activities that relate to information included in the financial statements including disclosures. However, the auditor is not required to understand all control activities, only those that are relevant to financial reporting.
- Extent of management’s active involvement in financial reporting. Small entities may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies.
- Extent of information, necessary for the audit and financial statement disclosures, that management has obtained from outside of the entity’s general and subsidiary ledgers.
The scope of understanding required would include the matters outlined in the table below.
Exhibit 5.5-4
Identify | Address |
|---|---|
| Sources of Information Used | What classes of transactions are significant to the financial statements? How do transactions and disclosures originate within the entity’s business processes? What accounting records (electronic or manual) exist? How does the accounting system relevant to financial reporting capture events and conditions (other than classes of transactions) that are significant to the financial statements? This is particularly important where information included in the financial statements is obtained from outside of the general and subsidiary ledgers. |
| How Information is Captured and Processed | What are the financial reporting processes used to:
What procedures address:
|
| How the Information Produced is Used | How does the entity communicate financial reporting roles, responsibilities, and significant matters relating to financial reporting? What reports are regularly produced by the information system, and how are they used to manage the entity? What information is provided by management to those charged with governance (if different from management) and to external parties such as financial institutions and regulatory authorities? |
Communication is a key component of successful information systems. Consequently, if information is to be used in decision-making and to facilitate the functioning of internal control, it needs to be communicated on a timely basis (both internally and externally) to the appropriate people.
Effective internal communication helps the entity’s personnel clearly understand internal control objectives, the business processes in use, and their individual roles and responsibilities. It also helps them understand the extent to which their activities relate to the work of others, and the means of reporting exceptions to an appropriate higher level within the entity.
The means of communication may be informal (verbal) or formal (i.e., documented in policy and financial reporting manuals).
Internal communication between top management and employees is often easier and less formal in smaller companies, due to fewer levels and smaller numbers of personnel and the greater availability and presence of senior management.
Effective external communication ensures that matters affecting the achievement of financial reporting objectives are communicated with relevant outside parties such as key stakeholders, financial institutions, regulators, and government agencies.
Smaller entities may have less sophisticated and less thoroughly documented information and communication systems. If management does not have extensive descriptions of accounting procedures, sophisticated accounting records, or written policies, the understanding required by the auditor will be obtained more by inquiry and observation than by review of documentation.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.20 | The auditor shall obtain an understanding of control activities relevant to the audit, being those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures responsive to assessed risks. An audit does not require an understanding of all the control activities related to each significant class of transactions, account balance, and disclosure in the financial statements or to every assertion relevant to them. (Ref: Para. A99–A106) |
| 315.21 | In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks arising from IT. (Ref: Para. A107–A109) |
Control Activities
Control activities are the policies and procedures that help ensure that management’s directives are carried out. Examples include controls to ensure that goods are not shipped to a bad credit risk, or that only authorized purchases are made. These controls address risks that, if not mitigated, would threaten the achievement of the entity’s objectives.
Control activities (whether within or outside of the general and subsidiary ledgers) are designed to mitigate the risks involved in everyday activities such as transaction processing (business processes such as sales, purchases, and payroll) and safeguarding of assets.
Control activities relevant to the audit may also include controls established by management that address disclosures being prepared in accordance with the applicable financial reporting framework — this would be in addition to controls that address risks related to account balances and transactions.
Business processes are structured sets of activities designed to produce a specified output. Business process controls can generally be classified as preventive, detective and corrective, or compensating or steering, as outlined in the exhibit below.
Exhibit 5.6-1
Controls Classification | Description |
|---|---|
| Preventive Controls | Avoid errors or irregularities. |
| Detective Controls | Identify errors or irregularities after they have occurred so corrective action can be taken. |
| Compensating Controls | Provide some assurance where resource limitations may preclude other more direct controls. |
Steering Controls (e.g., Policies) | Guide actions towards the desired objectives. |
The nature of business process controls will vary based on the risks involved and the specific application. Typical controls at the business process level would include the matters set out below.
Exhibit 5.6-2
Controls | Description | Examples |
|---|---|---|
| Segregation of Duties | These controls can reduce the opportunities for a person to be in a position to both perpetrate and conceal errors or fraud. | The employee responsible for the accounts receivable processing has no access to cash receipts. |
| Authorization Controls | These controls define who has the authority to approve various routine and non-routine transactions and events. | Assigning responsibility to authorize:
|
| Account Reconciliations | This includes preparing and reviewing account reconciliations on a timely basis and taking any necessary corrective actions. | Reconciliations of bank accounts, sales transactions, intercompany balances, suspense accounts, etc. |
| IT Application Controls | These controls are programmed into IT applications such as sales or purchases. They include fully automated and partially automated controls. | Checking the arithmetical accuracy of records, pricing of invoices, edit checks of input data, numerical sequence checks, and production of exception reports for manager review. |
| Actual Results Reviews | These controls involve the regular review and analyses of actual results versus budgets, forecasts, and prior-period performance. It also involves relating different sets of data (operating or financial) to one another and comparing internal data with external sources of information. Unexpected variations would be investigated and corrective actions taken. | Analysis of operating results, comparing actual results to budget, and investigating variances. |
| Physical Controls | These controls relate to the physical security of assets and permitted access to entity premises, accounting records, computer programs, and data files. | Such controls consist of asset security (door locks and restricted access to inventory/records) and comparing the results of periodic cash, security, and inventory counts with accounting records. |
Control activities are designed to directly prevent a material misstatement from occurring or detecting and then correcting a misstatement after it has occurred. In smaller entities, the concepts underlying control activities are likely to be similar to larger entities, but their relevance to the auditor may vary considerably. Consider the following.
Exhibit 5.6-3
Control Activities in Smaller Entities | Comments |
|---|---|
| Informal and Limited Documentation | Many controls may operate informally and may not be well documented. For example, granting credit to a customer may be more reliant on the judgment and knowledge of the manager than on a pre-established credit limit. |
| Limited Scope | Control activities (to the extent they exist) are likely to relate to the main transaction cycles such as revenues, purchases, and employment expenses. |
Risks May be Mitigated by the Control Environment (See Volume 1, Chapter 5.3) | Certain types of control activities may not be relevant because of controls applied by senior management. For example, management's approval of significant transactions can provide strong control over important account balances and transactions, lessening or removing the need for more detailed control activities. Some transactional misstatements (usually addressed by control activities in larger entities) could be mitigated by:
|
| Financial Statement Disclosures | Auditors are required to understand management’s internal control as it relates to financial statement disclosures. However, disclosures in smaller entities may be less detailed or less complex (e.g., some financial reporting frameworks allow smaller entities to provide fewer disclosures in the financial statements). |
Control activities, relevant to the audit, would potentially mitigate risks such as:
- Significant risks
Identified and assessed risks of material misstatement that, in the auditor’s judgment, require special audit consideration. (Refer to Volume 2, Chapter 10.)
- Risks that cannot easily be addressed by substantive procedures
These are identified and assessed risks of material misstatement for which substantive procedures alone would not provide sufficient appropriate audit evidence.
The auditor’s judgment about whether a control activity is relevant to the audit is influenced by:
- Knowledge about the presence/absence of control activities identified in other components of internal control. If a particular risk has already been adequately addressed (such as by the control environment, information system, etc.), there is no need to identify any additional controls that may exist.
- The existence of multiple control activities that achieve the same objective. It is unnecessary to obtain an understanding of each of the control activities related to such an objective.
- Increased audit efficiency that will be gained from testing the operating effectiveness of certain key controls. This could occur when:
+ Obtaining audit evidence through a test of the operating effectiveness of controls may be more cost efficient than performing substantive procedures. Tests of controls typically result in smaller sample sizes than substantive tests. If the controls are automated, a sample size of just one item (assuming good general IT controls) may be all that is required. In addition, if the control system and personnel involved have not changed from previous years, it may be possible (under certain conditions) to limit the test of operating effectiveness of controls to once every three years. (See Volume 2, Chapter 17.)
+ Substantive procedures alone would not provide sufficient appropriate audit evidence at the assertion level. For example, the completeness assertion for sales revenue can be difficult (and sometimes impossible) to address by substantive procedures alone. In these situations, it would be worthwhile to identify any internal controls that address the risk and assertion involved. If the internal controls are expected to work effectively, the necessary audit evidence could be obtained through a test of the operating effectiveness of those controls.
Most entities today use information technology (IT) to manage, control, and report on at least some of their activities. IT operations are often managed by a central support team that ensures the day-to-day users (staff) have appropriate access to the hardware, software, and applications required to perform their responsibilities. In smaller entities, IT management may be the responsibility of just one, or even a part-time or outsourced, person.
Regardless of the entity’s size, there are a number of risk factors relating to IT management and applications that, if not mitigated, could result in a material misstatement in the financial statements.
There are two types of IT controls that need to work together to ensure complete and accurate information processing:
- General IT controls
These controls operate across all applications and usually consist of a mixture of automated controls (embedded in computer programs) and manual controls (such as the IT budget and contracts with service providers); and
- IT application controls
These controls are automated controls that relate specifically to applications (such as sales processing or payroll).
There is also a third kind of control, which has a manual and an IT element. These controls can be called IT- dependent controls. The control is performed manually, but its effectiveness relies on information produced by an IT application. For example, the financial manager may review the monthly/quarterly financial statement (generated by the accounting system) and investigate variances.
The following exhibit outlines the scope of general IT controls.
Exhibit 5.7-1
General IT Controls | |
|---|---|
Standards, Planning, Policies, etc. (The IT Control Environment) | The IT governance structure. How IT risks are identified, mitigated, and managed. The required information system, strategic plan (if any), and budget. IT policies, procedures, and standards. The organizational structure and segregation of duties. Contingency planning. |
| Security over Data, the IT Infrastructure, and Daily Operations | Acquisitions, installations, configurations, integration, and maintenance of the IT infrastructure. Delivery of information services to users. Management of third-party providers. Use of system software, security software, database-management systems, and utility programs. Incident tracking, system logging, and monitoring functions. |
| Access to Programs and Application Data | Issuance/removal and security of user passwords and IDs. Internet firewalls and remote-access controls. Data encryption and cryptographic keys. User accounts and access-privilege controls. User profiles that permit or restrict access. |
| Program Development and Program Changes | Acquisition and implementation of new applications. System development and quality-assurance methodology. The maintenance of existing applications, including controls over program changes. |
| Monitoring of IT Operations | Policies, procedures, inspections, and exception reports ensuring:
|
IT application controls relate to a particular software application used at the business process level. Application controls can be preventive or detective in nature, and are designed to ensure the integrity of the accounting records.
Typical application controls relate to procedures used to initiate, record, process, and report transactions or other financial data. These controls help ensure that transactions occurred, are authorized, and are completely and accurately recorded and processed. Examples include edit checks of input data with correction at the point of data entry, and numerical sequence checks with manual follow-up of exception reports.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.22 | The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial reporting, including those related to those control activities relevant to the audit, and how the entity initiates remedial actions to deficiencies in its controls. (Ref: Para. A110–A112) |
| 315.24 | The auditor shall obtain an understanding of the sources of the information used in the entity’s monitoring activities, and the basis upon which management considers the information to be sufficiently reliable for the purpose. (Ref: Para. A121) |
Monitoring
Monitoring assesses the effectiveness of the internal control’s performance over time. The objective is to ensure that the controls are working properly and, if not, to take necessary corrective actions.
Monitoring provides feedback to management on whether the internal control system they have designed to mitigate risks is:
- Effective in addressing the stated control objectives;
- Properly implemented and understood by employees;
- Being used and complied with on a day-to-day basis; and
- In need of modification or improvement to reflect changes in conditions.
Management accomplishes the monitoring of controls through ongoing activities, separate evaluations (including the use of an internal audit function), or a combination of these two.
Ongoing monitoring activities in smaller entities are informal, and are usually built into the normal recurring activities of an entity. This includes regular management and supervisory activities and the review of exception reports that may be produced by the information system. Where management is closely involved in operations, they will often identify significant variances from expectations and inaccuracies in financial data, and take corrective action to modify or improve the control.
Periodic monitoring (separate evaluations of specific areas within the entity, such as those performed by an internal audit function in a much larger company) is not common in smaller entities. However, periodic evaluations of critical processes could be conducted by qualified employees not directly involved in those processes, or by hiring an external and suitably qualified person.
Management’s monitoring activities may also include the use of information received from external parties that indicates problems or highlights areas in need of improvement. Examples of this could include:
- Complaints from customers;
- Comments from governing bodies such as franchisors, financial institutions, and regulators; and
- Communications relating to internal control from external auditors and consultants.
Much of the information used in monitoring will be produced by the entity’s information system. Management may tend to assume that this information is accurate. If this information is not accurate, there is a risk that management could reach incorrect conclusions, and make poor decisions as a result.
Accordingly, when the auditor is evaluating the monitoring of controls, an understanding is required of:
- The sources of the information related to the entity’s monitoring activities; and
- The basis upon which management considers the information to be sufficiently reliable for the purpose.
The following exhibit summarizes the steps involved in obtaining an understanding of internal controls relevant to the audit.
Exhibit 5.9-1
Identify | Address |
|---|---|
| Specific Risks of Material Misstatement Requiring Mitigation | The potential risks of material misstatement (related to significant classes of transactions, account balances, and financial statement disclosures) that exist at the assertion level. For example:
|
| Management’s Response to the Identified Risks of Material Misstatement | What specific (manual or IT application) control activities that (individually or in combination with others) prevent, or detect and correct, material errors and fraud. This step does not require the auditor to identify all the control activities that may exist. For example, an entity may have implemented 15 control procedures to address a particular risk. If the auditor concluded that the first three control procedures identified were sufficient to mitigate the risk involved, there is no need to carry on work to identify and document the other 12 control procedures. |
| Significant Deficiencies | Failure by management to mitigate a risk of material misstatement would likely result in a significant deficiency. These would be reported to management and an audit response developed. |
| Implementation of Relevant Controls | This involves procedures (in addition to inquiry of the client’s personnel) to determine that relevant controls identified actually exist and are in use by the entity. This can be carried out at a point in time such as tracing one transaction through the system on a particular day. This is not a test of controls, which is designed to evaluate whether a control operated effectively throughout the period covered by the audit. |
| Inquire About the Role of Internal Audit (where applicable) | Where an entity has an internal audit function, paragraph 23 in ISA 315 (Revised) requires the auditor to obtain an understanding of the nature of the internal audit function's responsibilities, its organizational status, and the activities performed or to be performed. |
For most entities, the system of internal control will consist of a mixture of manual and automated controls. The risks and benefits associated with the different types of control are outlined below.
Exhibit 5.10-1
| Benefits | |
|---|---|
| Manual Controls | Automated Controls |
|
|
| Risks | |
|---|---|
| Manual Controls | Automated Controls |
|
risks may arise where multiple users access a common database).
|
CONSIDER POINT When the entity has a mix of manual and automated controls, always identify who is responsible for the operation of each control. For example, suppose a warehouse manager is responsible for shipping goods. The warehouse manager manually inputs the data into a sales system that has an application control to match the shipment to the original order. If something goes wrong in the matching process, is it the responsibility of the warehouse manager, the IT department, or the accounting department? Unless one person is assigned responsibility for the entire process, people will inevitably blame each other when errors are made. Where responsibility has not been assigned, consider:
|
|---|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
315.14 (b) | The auditor shall…evaluate whether: (a) The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by deficiencies in the control environment. (Ref: Para. A77-A87) |
This chapter has now addressed each of the five components of internal control. Some of these controls are pervasive in nature (financial statement level risks) and only indirectly serve to prevent a misstatement from occurring, or to detect and correct it after it has occurred. Other controls relate to particular transaction (assertion level) risks (such as payroll, sales, and purchases) and are designed specifically to prevent or detect and correct misstatements.
The following exhibit shows the interaction of the two levels of control over transactions as they journey from initiation and processing (transactional level) through the accounting records (financial statement level) and finally to the financial statements. Notice that at least three of the five internal control components consist primarily of pervasive controls.
Exhibit 5.11-1
Loading...
Notes:
1. The above illustration is a general guide. In some instances, pervasive controls can be designed to operate at a level of precision that would prevent or detect specific misstatements at the business process level. For example, a detailed budget approved by those charged with governance may be used by management to detect unauthorized administration expenditures. In other instances, there may be control activities and parts of the information system that relate to financial statement-level activities.
2. Pervasive controls relating to the entity as a whole (such as the commitment to competence) may be less tangible than those at the business process level (such as matching goods received to a purchase order), but are just as critical in preventing and detecting fraud and error.
3. The period-end financial reporting process includes procedures to:
- Enter transaction totals into the general ledger;
- Select and apply accounting policies;
- Initiate, authorize, record, and process journal entries in the general ledger;
- Record recurring and non-recurring adjustments to the financial statements; and
- Prepare the financial statements and related disclosures.
4. General information technology (IT) controls are pervasive to the entity as a whole, as they focus on how IT operations (such as organization, staffing, data integrity) are managed across the entity.
5. IT application controls are similar to transaction controls. They relate to how specific transactions are processed at the business process level.
Pervasive controls (at the financial statement level) form the basis or foundation upon which specific assertion level (transactional) controls can be built. They set the “tone at the top” and establish expectations for the organization’s control environment in general. Poorly designed pervasive controls may actually encourage all types of error and fraud to take place. For example, an entity may have a highly controlled and effective sales process. However, if senior management has a poor attitude toward control and has sometimes overridden these controls, a material error could still occur in the financial statements. Management override and poor “tone at the top” are common themes in corporate wrongdoing.
Pervasive controls also include the monitoring controls that assess whether the actual tone at the top is what was intended, and how well control expectations are being fulfilled.
The pervasive controls (that pertain to the financial statements as a whole) could include:
- Controls related to the control environment;
- Controls over management override;
- The entity’s risk assessment process;
- Controls to monitor results of operations and other controls;
- Controls over the period-end financial reporting process; and
- Policies that address significant business control and risk management practices.
In smaller entities, the lack of specific business process controls (due to limited staff and resources) is often offset by a high degree of involvement by management (such as the owner-manager) in performing controls. In fact, some pervasive controls in smaller entities can often operate at a level of precision that actually serves to prevent or detect specific misstatements.
However, the increased involvement of senior management also increases the risk of management override. This could be addressed through further audit procedures or the design of suitable anti-fraud controls. (See Volume 1, Chapter 5.12 below.)
Although weaknesses in pervasive controls do not generally result in an immediate deficiency or errors in the financial statements, they still have a significant influence on the likelihood of misstatements resulting at the business process control level. The absence of good pervasive controls may seriously undermine other business process controls; consequently, significant deficiencies in these controls would be reported to management and those charged with governance.
In the last few years, a new type of internal control has begun to emerge, sometimes called anti-fraud controls. Since the vast majority of sizable frauds tend to involve senior management, the establishment of strong anti- fraud programs and controls is considered a healthy part of the control environment in larger entities. Anti- fraud controls can be likened to speed bumps on a road that are designed to slow down traffic but not stop it altogether. Anti-fraud controls are designed to deter bad behavior before it happens, but can never stop it entirely.
Anti-fraud controls are particularly relevant for larger entities, but can also be designed to discourage fraud in smaller entities. They may not prevent frauds from occurring, but they do provide a powerful disincentive; they cause the perpetrators to think carefully about the repercussions of their actions.
Anti-fraud controls can be designed to address all five internal control components. However, in relation to risks of material misstatement in the financial statements, special emphasis is placed on the tone set at the top of the entity. This addresses the attitudes and actions of management toward control, and is part of the control environment (see Volume 1, Chapter 5 above) which influences the control consciousness of all personnel. A good “tone at the top” is considered by far the most effective anti-fraud control of all.
Two examples of anti-fraud controls applicable for smaller entities include:
- Journal entries
Non-routine journal entries have often been used by managers to commit fraud. A policy that non-routine journal entries (over a specified amount) must be supported by an explanation and manager’s signature (indicating approval) is a simple anti-fraud control that can be implemented in any size entity. Such a policy empowers the entity’s accountant to always ask the manager (requesting an entry) for an explanation and approval. This will not necessarily stop a senior manager from demanding an inappropriate entry to be made, but the thought of having to physically document the approval and provide an explanation may be enough to deter the request from ever being made in the first place. If it does not deter the request, the auditor may notice that the entry was not approved and ask why. This could then lead to further investigation.
- Segregation of duties
In smaller entities, the accountant or bookkeeper is often in a trusted position, with minimal supervision and therefore ample opportunity to commit fraud. One possible (but somewhat costly) anti-fraud control would be to hire a part-time bookkeeper to take over that person’s job for at least one or more weeks per year, such as when the accountant is on holiday or performing other tasks. The policy of employing a replacement could deter the bookkeeper from committing fraud at all, and if fraud is already taking place, the replacement policy might provide an opportunity to detect it.
Chapter Content | Relevant ISAs |
|---|---|
Use of management’s assertions in auditing. | 315 (Revised) |
Exhibit 6.0-1
Loading...
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.4(a) | Assertions — Representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur. |
When management makes a representation to the auditors such as “the financial statements as a whole are presented fairly in accordance with the applicable financial reporting framework,” it actually contains a number of embedded assertions.
These embedded assertions (by management) relate to the recognition, measurement and presentation of classes of transactions and events, account balances and disclosures in the financial statements.
Examples of management’s assertions include:
- All the assets in the financial statements exist;
- All sales transactions have been recorded in the appropriate period;
- Inventories are stated at appropriate values;
- Payables represent proper obligations of the entity;
- All recorded transactions occurred in the period under review;
- All amounts are properly presented in the financial statements. This includes transactions, balances, and events being appropriately aggregated or disaggregated and clearly described. It also includes related disclosures being relevant and understandable in the context of the applicable financial reporting framework; and
- The presentation of amounts or disclosures does not obscure useful information or result in misleading information.
These assertions are often summarized by a single word, such as completeness, existence, occurrence, accuracy, valuation, presentation, et al. For example, management may assert to the auditor that the sales balance in the accounting records contains all the sales transactions (completeness assertion), the transactions took place and are valid (occurrence/existence assertion), and transactions have been properly recorded in the accounting records and in the appropriate accounting period (accuracy/valuation assertion).
Paragraph A129 of ISA 315 (Revised) describes the categories of assertions that can be used by the auditor to consider the different types of potential misstatements. These categories are described in the exhibit below.
Exhibit 6.2-1
Assertion | Description | |
|---|---|---|
| Classes of Transactions and Events and Related Disclosures for the Period Under Audit | Occurrence | Transactions and events that have been recorded or disclosed have occurred and such transactions and events pertain to the entity. |
Completeness | All transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included in the context of the requirements of the applicable financial reporting framework. | |
Accuracy | Amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described in the context of the requirements of the applicable financial reporting framework. | |
Cutoff | Transactions and events have been recorded in the correct accounting period. | |
Classification | Transactions and events have been recorded in the proper accounts. | |
Presentation | Transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework. | |
Account Balances and Related Disclosures at the Period End | Existence | Assets, liabilities, and equity interests exist. |
Rights and Obligations | The entity holds or controls the rights to assets and liabilities [that] are the obligations of the entity. | |
Completeness | All assets, liabilities, and equity interests that should have been recorded have been recorded and all related disclosures that should have been included in the financial statements have been included in the context of the requirements of the applicable financial reporting framework. | |
Accuracy Valuation and Allocation | Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts, any resulting valuation or allocation adjustments are appropriately recorded, and related disclosures have been appropriately measured and described, in the context of the requirements of the applicable financial reporting framework. | |
Classification | Assets, liabilities and equity interests have been recorded in the proper accounts. | |
Presentation | Assets, liabilities and equity interests are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework. |
The assertions described above can be adapted, as appropriate, when considering potential misstatements in disclosures that are not directly related to recorded classes of transactions, events or account balances. For example, the entity may be required by the applicable financial reporting framework to present exposure to risks arising from a transaction that is not yet recorded in the financial statements.
The applicability of assertions to the financial statement areas is summarized below.
Exhibit 6.2-2
Assertions | Classes of Transactions | Account Balances |
|---|---|---|
| Existence/occurrence | ✔ | ✔ |
| Completeness | ✔ | ✔ |
| Rights and Obligations | ✔ | |
| Accuracy and Allocation | ✔ | ✔ |
| Valuation | ✔ | |
| Cutoff | ✔ | ✔ |
| Classification | ✔ | ✔ |
| Presentation | ✔ | ✔ |
ISA 315 (Revised) allows the auditor to use the assertions exactly as described above, or to express them differently, provided all aspects described above have been covered.
To make the use of assertions slightly easier to apply for auditing smaller entities, this Guide has combined a number of the assertions so that they may apply across all three categories (i.e., balances, transactions, and disclosures). The four combined assertions and the individual assertions they address are illustrated in the exhibit below.
Exhibit 6.3-1
Combined Assertions | Classes of Transactions | Account Balances |
|---|---|---|
| Completeness (C) | Completeness | Completeness |
| Accuracy and Valuation (AV) | Accuracy Cutoff Classification | Accuracy Valuation Allocation Classification |
| Existence (E) | Occurrence | Existence Rights and Obligations |
| Presentation (P) | Presentation | Presentation |
Note:
When the auditor chooses to use combined assertions such as those outlined above, it is important to remember that the existence assertion also includes rights and obligations.
The following exhibit provides a description of the four combined assertions used in this Guide.
Exhibit 6.3-2
Combined Assertion | Description |
|---|---|
| Completeness (C) | Everything that should be recorded or disclosed in the financial statements has been included. There are no unrecorded or undisclosed assets, liabilities, transactions, or events; there are no missing or incomplete financial statement disclosures, in the context of the requirements of the applicable financial reporting framework. |
| Existence (E) | Everything that is recorded or disclosed in the financial statements exists at the appropriate date. Assets, liabilities, recorded transactions, and other matters included in the financial statement notes exist, have occurred, and pertain to the entity in the context of the requirements of the applicable financial reporting framework. |
| Accuracy and Valuation (AV) | Assets, liabilities, and equity interests are included in the financial statements at appropriate amounts; any resulting valuation or allocation adjustments are appropriately recorded, and related disclosures have been appropriately measured and described in the context of the requirements of the applicable financial reporting framework. |
| Presentation (P) | Assets, liabilities, transactions, and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.25 | The auditor shall identify and assess the risks of material misstatement at:
to provide a basis for designing and performing further audit procedures. |
As previously stated, the financial statements contain a number of embedded assertions. Assertions can be used by the auditor in assessing risks at the financial statement level and the assertion level.
Exhibit 6.4-1
Assessing Risks at: | Commentary |
|---|---|
| Financial Statement Level | The risks of material misstatement at the financial statement level tend to be pervasive and therefore address all the assertions. For example, if the senior accountant is not competent enough for the assigned tasks, it is quite possible that errors could occur in the financial statements. However, the nature of such errors will not often be confined to a single account balance, transaction stream, or disclosure. In addition, the error will not likely be confined to a single assertion such as the completeness of sales. It could just as easily relate to other assertions such as accuracy, existence, and valuation. |
| Assertion Level | Risks at the assertion level relate to individual account balances at a point in time (i.e., the period end), classes of transactions (for the fiscal period), and presentation and disclosure in the financial statements. The relevance of each assertion to an individual account balance (or class of transactions, or presentation and disclosure) will vary based on the characteristics of the balance and the potential risks of material misstatement. For example, when considering the valuation assertion, the auditor could assess the risk of error in payables as low; however, for inventory where obsolescence is a factor, the auditor would assess the valuation risk as high. Another example is a situation in which the risks of material misstatement due to completeness (missing items) in the inventory balance are low, but high in relation to the sales balance. |
The difference between the two levels of risk assessment is illustrated in partial form in the exhibit below.
Exhibit 6.4-2
Loading...
Note: This exhibit uses the combined assertions described in Volume 1, Chapter 6.3. Assertions are used by the auditor to form a basis for:
- Considering the different types of potential misstatements that may occur;
- Assessing the risks of material misstatement; and
- Designing further audit procedures that are responsive to the assessed risks.
Exhibit 6.4-3
Use of Assertions | Procedures |
|---|---|
| Considering Types of Potential Misstatement | This would include performing risk assessment procedures to identify possible risks of material misstatement. For example, the auditor might ask questions such as the following:
|
| Assessing Risks of Material Misstatement | The risk of material misstatement is a combination of inherent risk and control risk. The assessment process includes:
Identify potential misstatements and the assertions involved, then assess the likelihood of the risk’s occurrence and possible magnitude.
Identify and evaluate any relevant internal controls in place that mitigate the assessed risks and address the underlying assertions. |
| Designing Audit Procedures | The final step is to design audit procedures to be responsive to the assessed risks by assertion. For example, if the risk is high that receivables are overstated (existence assertion), the audit procedures should be designed to specifically address the existence assertion. If sales completeness is a risk, the auditor can design a test of controls that addresses the completeness assertion. |
Chapter Content | Relevant ISAs |
|---|---|
Applying the concept of materiality appropriately in planning and performing the audit. | 320 |
Exhibit 7.0-1
Loading...
| Paragraph # | ISA Objective(s) |
|---|---|
| 320.8 | The objective of the auditor is to apply the concept of materiality appropriately in planning and performing the audit. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 320.9 | For purposes of the ISAs, performance materiality means the amount or amounts set by the auditor at less than materiality for the financial statements as a whole to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. If applicable, performance materiality also refers to the amount or amounts set by the auditor at less than the materiality level or levels for particular classes of transactions, account balances or disclosures. |
| 320.10 | When establishing the overall audit strategy, the auditor shall determine materiality for the financial statements as a whole. If, in the specific circumstances of the entity, there is one or more particular classes of transactions, account balances or disclosures for which misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements, the auditor shall also determine the materiality level or levels to be applied to those particular classes of transactions, account balances or disclosures. (Ref: Para. A3-A12) |
| 320.11 | The auditor shall determine performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing and extent of further audit procedures. (Ref: Para. A13) |
Materiality addresses the significance of financial statement information to economic decisions made by users on the basis of the financial statements. The concept of materiality recognizes that some matters, either individually or in the aggregate, are important to people making an economic decision based on the financial statements. This could include decisions such as whether to invest in, purchase, do business with, or lend money to an entity.
This chapter addresses the use of materiality in auditing in general. See Volume 2, Chapter 6 of this Guide for additional guidance on establishing specific materiality amounts.
When a misstatement (or the aggregate of all misstatements) is significant enough to change or influence the decision of an informed person, a material misstatement has occurred. Below this threshold, the misstatement is generally regarded as not material. This threshold, above which the financial statements would be materially misstated, is called “materiality for the financial statements as a whole.” For the purposes of this Guide, this term has been shortened to “overall materiality.”
Materiality applies not only to amounts in the financial statements, but also to disclosures that are non-quantitative. For example, a description of the events or circumstances that have led to the recognition of an impairment loss could be material to the users of the financial statements.
Note: The determination of “materiality for the financial statements as a whole” (shortened to “overall materiality” for the purposes of this Guide) is not based on any assessment of audit risk. It is determined entirely in relation to the users of the financial statements. It would typically be the same as that used by the preparer of the financial statements.
Let’s assume that the decision of a financial statement user group would be influenced by a misstatement of 10,000Є in the financial statements. This would be the materiality for the financial statements as a whole (or overall materiality) for both the preparer and the auditor. Any individual misstatement or aggregate of individually immaterial misstatements that exceeds the 10,000Є amount would result in the financial statements being materially misstated.
The responsibility of the auditor is to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in the financial statements exceeds the materiality for the financial statements as a whole. If the auditor simply planned to perform audit procedures that would identify individual misstatements exceeding 10,000Є, there is a risk that the aggregate of individually immaterial misstatements not identified during the audit would result in the 10,000Є materiality threshold being exceeded. So the auditor needs to perform some additional work that is sufficient to allow for a margin or buffer for possible undetected misstatements. The purpose of performance materiality is to provide such a buffer.
Performance materiality enables the auditor to establish materiality amounts (based upon, but lower than, overall materiality) that reflect the risk assessments for the various financial statement areas. These lower amounts provide a safety buffer between the materiality (performance materiality) used for determining the nature and extent of audit procedures to be performed and the overall materiality.
In the example above, the auditor using professional judgment may decide that a performance materiality of 6,000Є would be used in designing the extent of the audit procedures to be performed. The buffer of 4,000Є (10,000Є – 6,000Є) between performance materiality and overall materiality provides a safety margin for any undetected misstatements that may exist.
Materiality is used in both preparing and auditing the financial statements. Materiality for the financial statements as a whole (overall materiality) is often explained (such as in financial reporting frameworks) in the terms such as below.
Exhibit 7.2-1
| Influence on Making Economic Decisions | Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements. |
| Surrounding Circumstances | Judgments about materiality are made in light of surrounding circumstances, and are affected by the size or nature of a misstatement or a combination of both. |
| Common Needs of Users | Judgments about matters that are material to users of the financial statements are based on a consideration of the common financial information needs of users as a group. The possible effect of misstatements on specific individual users, whose needs may vary widely, is not considered. |
The auditor determines materiality based on his/her perception of the needs of users. In applying his/her professional judgment, it is reasonable for the auditor to assume that users of the financial statements:
- Have a reasonable knowledge of business, economic activities, and accounting, and have a willingness to study the information in the financial statements with reasonable diligence;
- Understand that financial statements are prepared and audited to levels of materiality;
- Recognize the uncertainties inherent in the measurement of amounts based on the use of estimates, judgment, and the consideration of future events; and
- Make reasonable economic decisions on the basis of the information in the financial statements.
Misstatements may arise from a number of causes and can be based on the following:
- Size — the monetary amount involved (quantitative);
- Nature of the item (qualitative); and
- Circumstances surrounding the occurrence.
Exhibit 7.3-1
Loading...
Exhibit 7.3-2
| Typical Misstatements |
|
Materiality is not an absolute number. It represents the area between what is very likely not material and what is very likely material. Consequently, the assessment of what is material is always a matter of professional judgment.
Note: Auditors are required, during the audit, to accumulate misstatements other than those that are clearly trivial. “Clearly trivial” is not another expression for “not material.” Trivial matters are clearly inconsequential, whether taken individually or in aggregate and whether judged by any criteria of size, nature or circumstances.
Qualitative Factors
In some situations, a matter well below the quantitative materiality level may be determined as material based on the nature of the item or the circumstances related to the misstatement.
When considering whether misstatements in qualitative disclosures could be material, the auditor may consider relevant factors such as the following:
Exhibit 7.3-3
Factor | Examples |
|---|---|
| Nature of Transactions During the Period | A number of transactions with related parties could be very significant to a financial statement user. |
| Numerous Small Misstatements | A series of individually immaterial items may well become material when aggregated together. |
| Circumstances of the Entity | Examples could include:
|
| The Applicable Financial Reporting Framework | A new financial reporting standard may require new qualitative disclosures that are significant to the entity. |
| Nature of the Entity | Some disclosures arising from the nature of an entity could be important to users of the financial statements. An example would be liquidity risk disclosures in the financial statements for a financial institution. |
Materiality (as discussed above) and audit risk are related, and are considered together throughout the audit process.
Audit risk is the possibility that an auditor expresses an inappropriate audit opinion on financial statements that are materially misstated.
Exhibit 7.4-1
Audit Risk Components | |
|---|---|
| Risks of Material Misstatement (RMM) | The risk that the financial statements are materially misstated prior to the start of any audit work. These risks are considered at the financial statement level (often pervasive risks, affecting many assertions) and at the assertion level, which relates to classes of transactions, account balances, and disclosures. RMM is a combination of inherent risk (IR) and control risk (CR), which can be summarized as IR x CR = RMM. |
| Detection Risk | The risk that the auditor fails to detect a misstatement that exists in an assertion that could be material. Detection risk (DR) is addressed through:
Detection risk can never be reduced to zero, because of the inherent limitations in the audit procedures carried out, the human judgments (professional) required, and the nature of the evidence examined. |
Audit risk (AR) can therefore be summarized as:
AR = RMM x DR
Materiality and audit risk are considered throughout the audit in:
- Identifying and assessing the risks of material misstatement;
- Determining the nature, timing, and extent of further audit procedures;
- Determining revisions to materiality (overall and performance) after becoming aware of new information during the audit, which would have caused the auditor to have determined a different amount (or amounts) initially; and
- Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming the opinion in the auditor’s report.
Using the simple analogy of a high jump in athletics, materiality would be equivalent to the height of the bar the athlete has to jump over. Audit risk is equivalent to the level of difficulty inherent in the jump at that particular height (RMM), combined with the additional risk of making a mistake in jump strategy or execution (detection risk).
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 320.12 | The auditor shall revise materiality for the financial statements as a whole (and, if applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures) in the event of becoming aware of information during the audit that would have caused the auditor to have determined a different amount (or amounts) initially. (Ref: Para. A14) |
| 320.13 | If the auditor concludes that a lower materiality for the financial statements as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures) than that initially determined is appropriate, the auditor shall determine whether it is necessary to revise performance materiality, and whether the nature, timing and extent of the further audit procedures remain appropriate. |
| 320.14 | The auditor shall include in the audit documentation the following amounts and the factors considered in their determination:
|
Exhibit 7.5-1
Loading...
Note: The terms “overall” materiality and “specific” materiality used in the exhibit above and in the text below are used solely for the purposes of this Guide and are terms that are not used in the ISAs. Overall materiality refers to the financial statements as a whole, and specific materiality relates to materiality of particular classes of transactions, account balances, or disclosures.
At the start of the audit, the auditor makes judgments about the size and nature of misstatements that would be considered material. This includes establishing materiality amounts as set out in the following table.
Exhibit 7.5-2
| Overall Materiality | Overall materiality relates to the financial statements as a whole. It is based on what could reasonably be expected to influence the economic decisions of the financial statement users, taken on the basis of the financial statements. It would be changed during the audit if the auditor becomes aware of information that would have caused him/her to have determined a different amount (or amounts) initially. |
Overall Performance Materiality | Performance materiality is set at a lower amount than the overall materiality. Performance materiality enables the auditor to respond to specific risk assessments (without changing the overall materiality), and to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeding overall materiality. Performance materiality would be changed based on audit findings (such as where a risk assessment was revised). |
| Specific Materiality | Specific materiality is established for classes of transactions, account balances, or disclosures where misstatements of lesser amounts than overall materiality could reasonably be expected to influence the economic decisions of users, taken on the basis of the financial statements. |
Specific Performance Materiality | Specific performance materiality is the same concept as performance materiality, except that it is set in relation to specific materiality and not overall materiality. |
Materiality for the financial statements as a whole (overall materiality) is based on the auditor’s perception of the financial-information needs of users of the financial statements. This would typically be determined at an amount similar to that used by the financial statement preparer. Using professional judgment, the auditor would set materiality at the highest amount of misstatement that would not influence the economic decisions of financial statement users.
Once established, the overall materiality amount becomes one of the factors by which the ultimate success or failure of the audit will be judged. For example, assume overall materiality was set at an amount of 20,000Є. If, as a result of performing audit procedures:
- No misstatements were identified—an unmodified opinion would be provided.
- Some small (immaterial) misstatements were identified and not corrected — an unmodified opinion would be provided.
- Uncorrected misstatements exceeding materiality (of 20,000Є) were found and management was unwilling to make the necessary adjustments — a qualified or adverse opinion would be required.
- Uncorrected errors exceeding materiality (of 20,000Є) exist in the financial statements but were not detected by the auditor — then an inappropriate unmodified audit opinion may be issued.
Refer to Volume 2, Chapter 21 for guidance on how to use materiality in evaluating the audit evidence obtained.
Auditors are sometimes tempted to lower the overall materiality amount when the risk of material misstatement is assessed as high. This would not be appropriate, however, as overall materiality addresses the needs of financial statements users, not the level of audit risk involved.
If audit risk was a factor in setting overall materiality, a high-risk audit would end up with a lower overall materiality amount than that set for a similar-sized entity where audit risk was low. Assuming that the information needs of financial statement users are the same, regardless of audit risk, setting the overall materiality amount at a lower level would result in:
- Providing financial statement users with an expectation that smaller misstatements in the financial statements (than is actually necessary) will be identified by the auditor; and
- Additional audit work to ensure that audit risk has been reduced to an appropriately low level.
Because overall materiality is set in relation to the needs of financial statement users, it would not be changed as a result of audit findings and changes in assessed risks. Overall materiality is required to be updated when the auditor becomes aware of information that would have caused the initial determination of materiality to be a different amount (or amounts).
At the conclusion of the audit, overall materiality will be used for evaluating the effect of identified misstatements on the financial statements and the appropriateness of the opinion in the auditor’s report.
Performance materiality is an audit tool. It enables the auditor to address the risks of misstatement in account balances, classes of transactions, and disclosures without having to change overall materiality.
Amounts set for performance materiality are always less (based on professional judgment) than the materiality amount set for the financial statements as a whole. This lower amount(s) establishes a safety buffer between the materiality used for determining the nature and extent of testing (based on performance materiality) and the materiality amount for the financial statements as a whole (overall materiality).
Setting an appropriate amount for performance materiality will ensure the appropriate amount of work is performed. The lower the amount, the more work will be required. For example, if overall materiality was 20,000Є and audit procedures were planned to detect all errors in excess of 20,000Є, it is quite possible that an error of, say, 8,000Є would go undetected. If three such errors existed, amounting to 24,000Є, the financial statements would be materially misstated. However, if performance materiality was set at 12,000Є, it would be much more likely that at least one or all of the 8,000Є errors would be detected. Even if only one of the three errors was identified and corrected, the remaining misstatement of 16,000Є would be less than the overall materiality, and the financial statements as a whole would not be materially misstated.
Setting an appropriate amount for performance materiality involves the exercise of professional judgment, and is not a simple mechanical calculation such as a percentage (e.g., 75%) of the overall materiality level. However, based on the particular circumstances of the entity being audited, it could be set as a single amount for the financial statements as a whole, or at individual amounts for particular balances, transactions, and disclosures.
The determination of performance materiality involves the exercise of professional judgment based on factors that address audit risk, such as the following:
- Understanding of the entity and the results of performing risk assessment procedures;
- Nature and extent of misstatements identified in previous audits; and
- Expectations of possible misstatements in the current period.
Performance materiality as a whole or for individual balances, transactions, and disclosures can be changed at any time during the audit (without impacting overall materiality) to reflect revised risk assessments, audit findings, and new information obtained.
At the conclusion of the audit, the overall materiality would be used for evaluating the effect of identified misstatements on the financial statements and determining the opinion to be expressed in the auditor’s report. (See Volume 2, Chapter 21 for further guidance.)
CONSIDER POINT When a possible misstatement is identified, address the circumstances of occurrence and the impact on risk assessments/audit plans before reconsidering performance materiality. |
|---|
There are some situations where misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users, taken on the basis of the financial statements.
Exhibit 7.5-3
Decision Influencers | Possible Examples |
|---|---|
| Laws, Regulations, and Accounting Framework Requirements |
|
| Key Industry Disclosures |
|
| Disclosure of Significant Events and Important Changes in Operations |
|
The auditor would consider the existence of matters such as the above for one or more particular classes of transactions, account balances, or disclosures. The auditor may also find it useful to obtain an understanding of the views and expectations of management and those charged with governance.
In the same way that performance materiality is set at a lower threshold amount than overall materiality, an amount for specific performance materiality would be set by the auditor at a lower threshold than that of the specific materiality.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 320.14 | The auditor shall include in the audit documentation the following amounts and the factors considered in their determination:
|
Because materiality amounts are based on the auditor’s professional judgment, it is important that the factors and amounts involved in determining materiality at the various levels be properly documented. This would typically occur as follows:
- During the planning phase, when decisions are made about the extent of work required.
- During the audit, when, based on audit findings, revisions may be required to either overall materiality or performance materiality for particular classes of transactions, account balances, or disclosures.
Documentation would address:
1. The users of the financial statements; and
2. The factors used in determining:
- Materiality for the financial statements as a whole and, if applicable, the materiality level or levels for particular classes of transactions, account balances, or disclosures;
- Performance materiality; and
3. Any revision of materiality amounts in point 2 above as the audit progressed.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 320.12 | The auditor shall revise materiality for the financial statements as a whole (and, if applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures) in the event of becoming aware of information during the audit that would have caused the auditor to have determined a different amount (or amounts) initially. (Ref: Para. A14) |
| 320.13 | If the auditor concludes that a lower materiality for the financial statements as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures) than that initially determined is appropriate, the auditor shall determine whether it is necessary to revise performance materiality, and whether the nature, timing and extent of the further audit procedures remain appropriate. |
At the start of the engagement, the auditor determines overall materiality in relation to financial statement users and performance materiality in order to plan the nature and extent of audit procedures.
During the engagement new information may be obtained that, if known earlier, would have resulted in a different amount being used for overall materiality. This could result from matters such as the following:
- a decision to dispose of a major part of the entity's business or acquire a new one;
- actual financial results being substantially different from the anticipated period-end financial results. This could include profitability, revenues, expenses, assets and liabilities; and
- a change in the auditor's understanding of the entity and its operations as a result of performing further audit procedures.
Where new information is obtained, the auditor is required to consider a revision to overall materiality. The auditor should also consider the need to revise performance materiality and the impact of the change on the nature and extent of procedures required to obtain sufficient appropriate audit evidence.
Chapter Content | Relevant ISAs |
|---|---|
The nature and use of risk assessment procedures by an auditor to identify and assess the risks of material misstatement. | 240, 315 (Revised) |
The three types of risk assessment procedure required under ISA 315 (Revised) are illustrated in the exhibit below.
Exhibit 8.0-1
Loading...
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.5 | The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. (Ref: Para. A1–A5) |
| 315.6 | The risk assessment procedures shall include the following:
|
| 315.11 | The auditor shall obtain an understanding of the following:
|
| 315.12 | The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A50–A73) |
The purpose of risk assessment procedures is to identify and assess risks of material misstatement. This is achieved through understanding the entity and its environment, including internal control. Information may be obtained from external sources, such as the Internet and trade publications, and from internal sources such as discussions with key personnel. This understanding of the entity becomes a continuous, dynamic process of gathering, updating and analyzing information throughout the audit.
Risk assessment procedures provide audit evidence to support the assessment of risks at the financial statement and assertion levels. However, this evidence does not stand alone. Evidence obtained from risk assessment procedures is supplemented by further audit procedures (that respond to the risks identified) such as tests of controls and/or substantive procedures.
The auditor uses professional judgment to determine the risk assessment procedures to be performed, and the scope or depth of understanding of the entity that is required. In the first year that the auditor conducts the audit for an entity, the work required to obtain and document this information will often require a significant amount of time. However, if the information obtained is well documented in the first year, the time required to update the information in subsequent years should be considerably less than that required in the first year.
The auditor needs to perform sufficient risk assessment procedures to identify the business and fraud risk factors that could result in material misstatement. This includes consideration of any events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern.
The required scope or depth for understanding the entity is set out in paragraphs 11 and 12 of ISA 315 (Revised) (reproduced above). This depth of overall understanding by the auditor will be less than that possessed by management in managing the entity.
CONSIDER POINT When designing the nature and extent of risk assessment procedures to be performed, remember that some ISAs outline specific matters to be considered. Some examples are included below: |
|---|
ISA 240.16 Fraud in an audit of financial statements |
| When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entity's internal control, required by ISA 315 (Revised), the auditor shall perform the procedures in paragraphs 17–24 (of ISA 240) to obtain information for use in identifying the risks of material misstatement due to fraud. |
ISA 540.8 Auditing accounting estimates |
When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entity's internal control, as required by ISA 315 (Revised), the auditor shall obtain an understanding of the following in order to provide a basis for the identification and assessment of the risks of material misstatement for accounting estimates:
|
ISA 550.11 Related Parties |
| As part of the risk assessment procedures and related activities that ISA 315 (Revised) and ISA 240 require the auditor to perform during the audit, the auditor shall perform the audit procedures and related activities set out in paragraphs 12-17 (of ISA 550) to obtain information relevant to identifying the risks of material misstatement associated with related-party relationships and transactions. |
ISA 570.10 (Revised) Going Concern |
| When performing risk assessment procedures as required by ISA 315 (Revised), the auditor shall consider whether there are events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern. |
In smaller entities, the procedures required to identify these risks may be minimal, whereas in larger and more complex entities, the procedures could be extensive.
Each of the three risk assessment procedures should be performed during the audit, but not necessarily for each aspect of the understanding required. In many situations, the results from performing one type of procedure may lead to performing another. For example, in an interview with the sales manager, an unusual but significant sales contract might be identified. This could be followed up by an inspection of the actual sales contract and an analysis of the impact on sales margins. Alternatively, findings from performing analytical procedures on preliminary operating results may trigger some questions for management. The answers to these questions may then lead to requests to inspect certain documents or observe some activities.
The nature and use of the three procedures are outlined below.
Inquiries of Management and Others
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 240.17 | The auditor shall make inquiries of management regarding:
such assessments; (Ref: Para. A12–A13)
|
| 240.18 | The auditor shall make inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. (Ref: Para. A15–A17) |
| 240.20 | Unless all of those charged with governance are involved in managing the entity, the auditor shall obtain an understanding of how those charged with governance exercise oversight of management’s processes for identifying and responding to the risks of fraud in the entity and the internal control that management has established to mitigate these risks. (Ref: Para. A19–A21) |
| 240.21 | Unless all of those charged with governance are involved in managing the entity, the auditor shall make inquiries of those charged with governance to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. These inquiries are made in part to corroborate the responses to the inquiries of management. |
Inquiry is used by the auditor in conjunction with other risk assessment procedures to assist in identifying risks of material misstatement. The focus of the questions is to obtain an understanding of each of the required aspects as set out in paragraphs 11 and 12 of ISA 315 (Revised – reproduced above).
Typically, most information from inquiries is obtained from management and those responsible for financial reporting. However, inquiries of others within the entity and employees with different levels of authority can provide a different perspective, and additional information that can be useful in identifying risks of material misstatement that may otherwise be missed. For example, a discussion with the sales manager might reveal that certain sales transactions (late in the period) were rushed through and not recorded in accordance with the entity’s revenue recognition policies.
Areas of inquiry are outlined in the exhibit below.
Exhibit 8.4-1
Interview | Inquire About |
|---|---|
| Those Charged With Governance (TCWG) (If Not Involved in Managing the Entity) |
|
| Management and Those Responsible for Financial Reporting |
|
| Key Employees (Purchasing, Payroll, Accounting, etc.) |
|
| Marketing or Sales Personnel |
|
| Internal Auditors |
|
CONSIDER POINT Do not confine your questions (especially in smaller audits) to the owner-manager and the accountant. Ask other employees (if any) in the entity (such as the sales manager, production manager, or other employees) about trends, unusual events, major business risks, the functioning of internal control, and any instances of management override. If a possible fraud involving senior management or those charged with governance is discovered, consult immediately with the engagement partner, and consider obtaining legal advice on how to proceed. The information should also be kept confidential to ensure that privacy and confidentiality requirements are properly followed. Also check the code of ethics for any additional requirements and guidance. |
|---|
Analytical Procedures
Analytical procedures used as risk assessment procedures help to identify matters that have financial statement and audit implications. Some examples are unusual transactions or events, amounts, ratios, and trends.
In addition to being a risk assessment procedure, analytical procedures can also be used as further audit procedures in:
- Obtaining evidence about a financial statement assertion. This would be a substantive analytical procedure and is discussed in further detail in Volume 1, Chapter 10 of this Guide; and
- Performing an overall review of the financial statements at, or near, the end of the audit.
Most analytical procedures are not very detailed or complex. They often use data aggregated at a high level, which means the results can only provide a broad initial indication about whether a material misstatement may exist.
The steps involved in performing analytical procedures are outlined in the exhibit below.
Exhibit 8.5-1
What To Do | How To Do It |
|---|---|
| Identify Relationships within the Data | Develop expectations about plausible relationships among the various types of information that could reasonably be expected to exist. Where possible, seek to use independent (i.e., not internally generated) sources of information. The financial and non-financial information could include:
|
| Compare | Compare expectations with recorded amounts or ratios developed from recorded amounts. |
| Evaluate Results | Evaluate the results. Where unusual or unexpected relationships are found, consider potential risks of material misstatement. |
The results of these analytical procedures should be considered along with other information gathered to:
- Identify the risks of material misstatement related to assertions embodied in significant financial statement items; and
- Assist in designing the nature, timing, and extent of further audit procedures.
Note: Some smaller entities may not be able to provide the auditor with current financial information such as interim or monthly financial information for performing analytical procedures. In these circumstances, some information may be obtained through inquiry, but detailed inquiries may need to wait until an early draft of the entity’s financial statements is available.
Observation and Inspection
Observation and inspection:
- Support the inquiries made of management and others; and
- Provide additional information about the entity and its environment.
Observation and inspection procedures ordinarily include a procedure and an application, as outlined in the exhibit below.
Exhibit 8.6-1
Procedure | Examples of Application |
|---|---|
| Observation | Consider observing:
|
| Inspection | Consider inspecting documents such as:
|
Risk assessment procedures also include the procedures involved in evaluating the design and implementation of relevant internal controls. These procedures are addressed in more detail in Volume 2, Chapter 11.
Other procedures performed by the auditor may be used for risk assessment purposes. Some typical examples are set out in the following exhibit.
Exhibit 8.8-1
Source | Description |
|---|---|
| Client Acceptance or Continuance | Relevant information obtained from performing preliminary procedures. |
| Previous Work | Relevant experience gained from previous engagements and other types of engagements performed for the entity. This could include:
|
| External Information |
|
| Audit Team Discussions | Results of team discussion (including the partner) about the susceptibility of the entity’s financial statements (including disclosures) to material misstatements including fraud. |
The following table contains a list of ISAs with specific risk assessment procedures to be performed on every audit, where applicable.
Exhibit 8.9-1
ISA | Title |
|---|---|
| 240 | The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements |
| 250 (Revised) | Consideration of Laws and Regulations in an Audit of Financial Statements |
| 315 (Revised) | Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment |
| 320 | Materiality in Planning and Performing an Audit |
| 540 | Auditing Accounting Estimates, Including Fair Value Accounting Estimates and Related Disclosures |
| 550 | Related Parties |
| 560 | Subsequent Events |
| 600 | Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors) |
Chapter Content | Relevant ISAs |
|---|---|
Designing and implementing appropriate responses to assessed risks. | 240, 300, 330, 500 |
Exhibit 9.0-1
Loading...
| Paragraph # | ISA Objectives |
|---|---|
| 330.3 | The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement, through designing and implementing appropriate responses to those risks. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 300.9 | The auditor shall develop an audit plan that shall include a description of:
|
| 330.7 | In designing the further audit procedures to be performed, the auditor shall:
|
| 500.6 | The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence. (Ref: Para. A1–A25) |
Risk assessment procedures (see Volume 1, Chapter 8 of this Guide) are designed to identify and assess risks at both the financial statement level and the assertion level for material classes of transactions, account balances, and disclosures.
Further audit procedures (see Volume 1, Chapter 10 of this Guide) are designed to be responsive to the assessed risks of material misstatement at the assertion level. Their purpose is to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level.
The three main categories of audit procedures are illustrated below.
Exhibit 9.1-1
Loading...
Assessed risks at the financial statement level are pervasive in nature, and require overall audit responses such as determining the experience of those assigned to perform the work, the level of supervision required, and any required modification to the nature and extent of planned audit procedures.
Assessed risks at the assertion level relate to particular account balances, classes of transactions, and disclosures. The response is to perform further audit procedures such as tests of details, tests of controls, and substantive analytical procedures.
The design of further audit procedures will be affected by:
- Results of performing risk assessment procedures and the resulting assessments of risk at the assertion level; and
- Overall responses developed by the auditor in relation to the assessed risks of material misstatement at the financial statement level.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 330.5 | The auditor shall design and implement overall responses to address the assessed risks of material misstatement at the financial statement level. (Ref: Para. A1–A3) |
Risks of material misstatement at the financial statement level refer to risks that relate pervasively to the financial statements as a whole, and potentially affect many assertions. As a result, these risks (such as management having a poor attitude toward control) can contribute indirectly to material misstatements at the assertion level. For example, if the entity’s accountant is not competent, many opportunities may arise for error or fraud in multiple financial statement balances, classes of transactions, or disclosures. Consequently, risks at the financial statement level cannot often be addressed by performing specific audit procedures, but require an overall response.
ISAs 240 and 330 outline some possible overall responses to risks identified at the financial statement level. Some examples are set out below.
Exhibit 9.2-1
Possible Overall Responses to Assessed Risks at the Financial Statement Level | |
|---|---|
| Engagement Management | Emphasize to the audit team the need to maintain professional skepticism. Assign more experienced staff or those with special skills such as forensic, valuation, and IT specialists. Provide more ongoing supervision to staff as they perform the work. If the entity has an internal audit function, consider whether their work can be used to:
|
| Incorporate Unpredictability in Selection of Further Audit Procedures | Incorporate an element of unpredictability in the selection of the nature, timing, and extent of further audit procedures to be performed. This is particularly important when addressing fraud risks, because individuals within the entity may be familiar with audit procedures normally performed, and therefore more able to conceal fraudulent financial reporting. Unpredictability can be achieved by:
|
| Revise the Planned Audit Procedures | Make changes to the nature, timing, or extent of audit procedures. For example:
|
| Changes in the Audit Approach | Consider the understanding obtained of the control environment. If the control environment is effective, the auditor may have more confidence in internal control and the reliability of audit evidence generated internally within the entity. This could mean:
If the control environment is ineffective, it could result in:
|
| Review Accounting Policies being Used | Evaluate whether the selection and application of accounting policies by the entity, particularly those related to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting resulting from management’s effort to manage earnings. |
CONSIDER POINTS Timing Overall responses can be developed at the planning stage and then incorporated into the overall audit strategy. In new engagements, the overall responses can be developed on a preliminary basis during planning, and later confirmed or changed based on the results of the risk assessment. Documentation Establishing the overall audit response and audit strategy in a small entity need not be a complex or time-consuming exercise. In some cases, both steps could be completed by preparing a brief memorandum at the completion of the previous audit (assuming it covers all the required matters), which can be updated later based on discussions with management. |
|---|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 240.26 | When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to such risks. Paragraph 47 of ISA 240 specifies the documentation required where the auditor concludes that the presumption is not applicable in the circumstances of the engagement and, accordingly, has not identified revenue recognition as a risk of material misstatement due to fraud. (Ref: Para. A28–A30) |
| 240.32 | Irrespective of the auditor’s assessment of the risks of management override of controls, the auditor shall design and perform audit procedures to:
they are individually reasonable, indicate a possible bias on the part of the entity’s management that may represent a risk of material misstatement due to fraud. If so, the auditor shall reevaluate the accounting estimates taken as a whole; and
shall evaluate whether the business rationale (or the lack thereof) of the transactions suggests that they may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets. (Ref: Para. A48) |
| 240.33 | The auditor shall determine whether, in order to respond to the identified risks of management override of controls, the auditor needs to perform other audit procedures in addition to those specifically referred to above (that is, where there are specific additional risks of management override that are not covered as part of the procedures performed to address the requirements in paragraph 32). |
Management override and fraudulent revenue recognition are presumed to be significant risks (see Volume 2, Chapter 10 of this Guide) and addressed as such. As a result, there are certain audit procedures that would be performed in every audit. These are outlined in the ISA extracts quoted above. Some additional comments are included in the following exhibit.
Exhibit 9.2-2
| Procedures to Address Management Override | |
|---|---|
| Journal Entries | Identify, select, and test journal entries and other adjustments based on:
|
| Estimates | Review estimates relating to specific transactions and balances to identify possible biases on the part of management. Further procedures could include:
|
| Significant Transactions | Obtain an understanding of the business’ rationale for significant transactions that are unusual or outside the normal course of business. This includes an assessment as to whether:
|
| Revenue Recognition | Perform substantive analytical procedures. Consider computer-assisted audit techniques to identify unusual or unexpected revenue relationships or transactions. Confirm with customers relevant contract terms (acceptance criteria, delivery and payment terms) and the absence of side agreements (right to return the product, guaranteed resale amounts, etc.). |
| Financial Statement Disclosures | Perform procedures to evaluate whether the overall presentation of the financial statements is in accordance with the applicable financial reporting framework. In making this evaluation, consider whether the financial statements are presented in a manner that reflects the appropriate:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 330.6 | The auditor shall design and perform further audit procedures whose nature, timing, and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level. (Ref: Para. A4–A8) |
The auditor’s assessment of identified risks at the assertion level provides the starting point for:
- Considering the appropriate audit approach; and
- Designing and performing further audit procedures. Refer to Volume 1, Chapter 10 for a detailed description of further audit procedures.
The audit approach for designing and performing further audit procedures will be based on the assessment of the identified risks at both the financial statement level and the assertion level.
Because assessed risks will differ between the material classes of transactions, account balances, and disclosures, the most effective audit approach will vary. For example, it might be appropriate to test controls over sales completeness, and use substantive procedures for the other assertions. For payables, a substantive approach could be applicable for all assertions. The key is to develop audit procedures that respond appropriately to the risks identified.
The following exhibit outlines some of the considerations in developing the appropriate audit approach for an account balance or class of transactions.
Exhibit 9.3-1
Loading...
Note: In smaller entities, reliable control activities may not exist or may be very limited. In these cases, a primarily substantive approach may be the only alternative.
The nature, timing, and extent of further audit procedures are based on, and are responsive to, the assessed risks of material misstatement at the assertion level. This provides a clear linkage between the auditor’s further audit procedures and the risk assessment.
The first step is to review the information obtained to date that will form the basis for the design of further audit procedures. This would include:
- The nature and the reasoning for the assessed risks (such as business and fraud risks) at both the financial-statement and assertion levels;
- The account balances, classes of transactions, or disclosures that are material to the financial statements;
- The need (if any) to perform tests of controls. This would occur where substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level;
- The auditor’s understanding of the control environment and control activities. In particular, have any relevant internal controls been identified that, if tested, would provide an effective response to the assessed risks of material misstatement for a particular assertion; and
- The nature and extent of specific audit procedures that may be required by certain ISAs, or by local rules and regulations.
Based on the information above, the auditor can design the nature and extent of the procedures to be performed. Some design considerations are addressed below.
Exhibit 9.3-2
Consider | Impact on Audit Procedure Design |
|---|---|
| Nature of the Assertion Being Addressed | What is the most appropriate audit procedure to address the particular assertion? Consider:
Evidence for completeness of sales may best be obtained through a test of controls, whereas evidence to support the valuation of inventory will probably be obtained with substantive procedures; and
Provide more reliable evidence for an assertion. A confirmation of receivables to determine existence may provide better evidence than simply examining invoices or performing some analytical procedures. |
| Reasons for the Assessed Risk | What are the underlying reasons for the risk assessments? This will include consideration of the characteristics of the financial statement area, the identified and assessed inherent risks, and relevant internal controls. If the assessed risk appears to be low as a result of relevant internal controls having been designed and implemented, tests of controls could be considered to confirm the assessed risk, and possibly to reduce the extent of substantive procedures that would otherwise be required. |
| Assessed Level of Risk | Is more reliable and relevant audit evidence required for some assessed risks? The scope of existing procedures may need to be expanded, or some different types of audit procedures may need to be combined, to provide the assurance necessary. For example, to ensure the existence of a high-value inventory item, a physical inspection may be performed in addition to examining the supporting documents. |
| Sources of Information Used | Do the planned audit procedures rely on non-financial information produced by the entity’s information system? This could be information obtained from within or outside of the general and subsidiary ledgers. If so, evidence should be obtained about its accuracy and completeness. For example, in a high-rise apartment, the number of rental units multiplied by the monthly rent may be used to compare with total revenues. If so, it would be important to ensure that the number of rental units is factual and that the monthly rents agree to the signed lease contracts. |
| Potential for Dual- Purpose Tests | Would it be efficient to perform a test of controls concurrently with a test of details on the same transaction? For example, if an invoice was being examined for evidence of approval (tests of controls), it could also be examined at the same time to substantiate other aspects of the transaction (tests of details). |
When designing a procedure, the auditor would carefully consider the nature of the assertion for which evidence is being obtained. This will determine the type of evidence to be examined, the nature of the procedure and the population from which to select the sample.
For example, evidence for the existence assertion would be obtained by selecting items that are already contained in a financial statement amount. Selecting receivable balances for confirmation will provide evidence that the receivable balance exists. However, selecting items that are already contained in a financial statement amount would not provide any evidence with respect to the completeness assertion.
For completeness, items would be selected from evidence indicating that an item should be included in the relevant financial statement amount. To determine whether the sales are complete (that is, no unrecorded sales), the selection of shipping orders and matching them to sales invoices would (subject to the completeness of the shipping orders) provide evidence for omitted sales.
Timing refers to when audit procedures are performed, or the period or date to which the audit evidence applies.
In most instances (particularly with small entities), audit procedures will be carried out at the period end and later. In addition, the higher the risks of material misstatement, the more likely it would be for substantive procedures to be performed nearer to, or after, the period end.
In some situations, there can be some advantages to performing audit procedures before the period end. For example:
- Helping to identify significant matters at an early stage. This provides time for the issues to be addressed and further audit procedures to be performed;
- Balancing the audit firm’s workload by shifting some busy-season procedures to a period when there is more time;
- Balancing the client’s workload by reducing the time required after the period end to answer audit inquiries and provide requested evidence and schedules; and
- Performing procedures unannounced or at unpredictable times.
The following exhibit outlines the factors to consider when determining whether to perform procedures at an interim date.
Exhibit 9.3-3
Factors to Consider | |
|---|---|
| Audit Procedures Performed Before the Period End | How good is the overall control environment? Counting inventory at an interim date and then updating the count for movements (in and out) is unlikely to be enough if the control environment is poor. How good are the specific controls over the account balance or class of transactions being considered? |
| Is the required evidence available to perform the test? Electronic files may subsequently be overwritten, or procedures to be observed may occur only at certain times. | |
| Would a procedure before the period end address the nature and substance of the risk involved? | |
| Would the interim procedure address the period or date to which the audit evidence relates? | |
| How much additional evidence will be required for the remaining period between the date of procedure and the period end? | |
Volume 1, Chapter 10.5 provides further information on the timing of tests of controls.
Certain audit procedures can be performed only at, or after, the period end. This would include cutoff procedures (where there is minimal reliance on internal control), period-end adjustments, and subsequent events.
Chapter Content | Relevant ISAs |
|---|---|
The characteristics and use of further audit procedures. | 330, 505, 520 |
Exhibit 10.0-1
Loading...
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 330.4 | For purposes of the ISAs, the following terms have the meanings attributed below:
|
This chapter outlines the characteristics and use of further audit procedures designed in response to assessed risks at the assertion level.
Substantive procedures are performed by the auditor to:
- Gather evidence regarding the underlying assertions (C, E, AV, P) that are embedded in the account balances and underlying classes of transactions; and
- Detect material misstatements.
Typical substantive procedures include selection of an account balance or a representative sample of transactions to:
- Recalculate recorded amounts for accuracy;
- Confirm existence of balances (receivables, bank accounts, investments, etc.);
- Ensure transactions are recorded in the right period (cutoff tests);
- Compare amounts between periods or with expectations (analytical procedures);
- Inspect supporting documentation (such as invoices or sales contracts);
- Observe physical existence of recorded assets (inventory counts); and
- Review the adequacy of allowances made for loss of value (doubtful accounts and obsolete inventory).
Tests of controls are performed by the auditor to gather evidence as to the operational effectiveness of internal control procedures that:
- Address specific assertions where reliance on controls is planned; and
- Prevent or detect/correct material errors or fraud from occurring.
Typical tests of controls include the selection of a representative sample of transactions or supporting documentation to:
- Observe the operation of an internal control procedure being performed;
- Inspect evidence that the control procedure was performed;
- Inquire about how and when the procedure was performed; and
- Re-perform the operation of the control procedure (such as where the information system is computerized).
Evidence on control operation may also be gathered using computer-assisted audit techniques (CAATs).
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 330.18 | Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance, and disclosure. (Ref: Para. A42–A47) |
| 330.19 | The auditor shall consider whether external confirmation procedures are to be performed as substantive audit procedures. (Ref: Para. A48–A51) |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 330.20 | The auditor’s substantive procedures shall include the following audit procedures related to the financial statement closing process:
|
| 330.21 | If the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk, the auditor shall perform substantive procedures that are specifically responsive to that risk. When the approach to a significant risk consists only of substantive procedures, those procedures shall include tests of details. (Ref: Para. A53) |
| 330.22 | If substantive procedures are performed at an interim date, the auditor shall cover the remaining period by performing:
that provide a reasonable basis for extending the audit conclusions from the interim date to the period end. (Ref: Para. A54–A57) |
| 330.23 | If misstatements that the auditor did not expect when assessing the risks of material misstatement are detected at an interim date, the auditor shall evaluate whether the related assessment of risk and the planned nature, timing or extent of substantive procedures covering the remaining period need to be modified. (Ref: Para. A58) |
Substantive procedures are designed by the auditor to detect material misstatements at the assertion level. There are two types of substantive procedures, as set out below.
Exhibit 10.2-1
Procedure | Description |
|---|---|
| Tests of Details | Procedures designed to gather evidence that will substantiate a financial statement amount. They are used to obtain audit evidence regarding assertions such as existence, accuracy, and valuation. |
| Substantive Analytical Procedures | Procedures designed to substantiate a financial statement amount by using predictable relationships among both financial and non-financial data. They are mostly applicable to large volumes of transactions that tend to be predictable over time. |
When designing substantive procedures to respond to assessed risks, the auditor would consider a number of matters, as set out below.
Exhibit 10.2-2
Address | Description |
|---|---|
| Each Material Account Balance, Class of Transactions, and Disclosure | This is required irrespective of the assessed risks of material misstatement. |
| Required Audit Procedures | This would include any specific procedures necessary to comply with International Standards on Auditing and any local requirements. A summary of some such procedures is contained in Volume 1, Chapters 11 to 15. Required procedures include:
|
| Need for External Confirmation Procedures | Consider the need to obtain external confirmations to address assertions associated with account balances and their elements (bank balances, investments, receivables, etc.) or other matters such as:
Also see the discussion on external confirmations below.. |
| Significant Risks | Design and perform substantive procedures (tests of detail) that are specifically responsive to the identified risks and provide the high level of audit assurance required. |
| Key Audit Matters (where applicable) | Where ISA 701 is being applied and key audit matters have been identified, there needs to be a clear description of each such matter along with the auditor's response. Information on key audit matters required for disclosures in the financial statements also needs to be identified and addressed. |
| Timing | If procedures are performed before the period end, the remaining period needs to be addressed by performing substantive procedures, combined with tests of controls or further substantive procedures that provide a reasonable basis for extending the audit conclusions from the interim date to the period end. If unexpected misstatements are identified at the interim date, modification to the planned remaining procedures needs to be considered. |
In determining what substantive procedures are most responsive to the assessed risks, the auditor may perform:
- Only tests of details; or
- Where there is not a significant risk of material misstatement, only substantive analytical procedures; or
- A combination of tests of details and substantive analytical procedures.
When substantive analytical procedures are performed, the auditor is required to establish the reliability of data from which the auditor’s expectation of recorded amounts or ratios was developed (such as non- financial data).
When substantive procedures are performed at an interim date, the auditor should perform further substantive procedures, or substantive procedures combined with tests of controls, to cover the remaining period. This provides a reasonable basis for extending the audit conclusions from the interim date to the period end, and reduces the risk that misstatements existing at the period end are not detected. However, if substantive procedures alone would not be sufficient, tests of the relevant controls should also be performed.
When designing substantive procedures, or substantive procedures combined with tests of control, to address the period between the interim date and period end, consider the following:
- Compare information at the period end with comparable information at the interim date;
- Identify amounts that appear unusual. These amounts should be investigated by performing further substantive analytical procedures or tests of details for the intervening period;
- When substantive analytical procedures are planned, consider whether the period-end balances of the particular classes of transactions or account balances are reasonably predictable with respect to amount, relative significance, and composition; and
- Consider the entity’s procedures for analyzing and adjusting the classes of transactions or account balances at interim dates, and for establishing proper accounting cutoffs.
The use of audit evidence obtained from substantive procedures performed in prior periods may be useful in audit planning, but (unless there is ongoing relevance to the current year such as the cost price of non- current assets or details of contracts) it usually provides little or no audit evidence for the current period.
Where the auditor is planning to use the work of the internal audit function, it would be useful to discuss the following matters:
1. The timing of the required work;
2. The nature of the work performed and extent of audit coverage;
3. Materiality for the financial statements as a whole, and performance materiality;
4. Proposed methods of item selection and sample sizes;
5. Documentation of the work performed; and
6. Review and reporting procedures.
| Paragraph # | ISA Objective(s) |
|---|---|
| 505.5 | The objective of the auditor, when using external confirmation procedures, is to design and perform such procedures to obtain relevant and reliable audit evidence. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 505.7 | When using external confirmation procedures, the auditor shall maintain control over external confirmation requests, including:
|
| 505.8 | If management refuses to allow the auditor to send a confirmation request, the auditor shall:
|
| 505.9 | If the auditor concludes that management’s refusal to allow the auditor to send a confirmation request is unreasonable, or the auditor is unable to obtain relevant and reliable audit evidence from alternative audit procedures, the auditor shall communicate with those charged with governance in accordance with ISA 260 (Revised). The auditor also shall determine the implications for the audit and the auditor’s opinion in accordance with ISA 705 (Revised). |
| 505.10 | If the auditor identifies factors that give rise to doubts about the reliability of the response to a confirmation request, the auditor shall obtain further audit evidence to resolve those doubts. (Ref: Para. A11–A16) |
| 505.11 | If the auditor determines that a response to a confirmation request is not reliable, the auditor shall evaluate the implications on the assessment of the relevant risks of material misstatement, including the risk of fraud, and on the related nature, timing and extent of other audit procedures. (Ref: Para. A17) |
| 505.12 | In the case of each non-response, the auditor shall perform alternative audit procedures to obtain relevant and reliable audit evidence. (Ref: Para. A18–A19) |
| 505.13 | If the auditor has determined that a response to a positive confirmation request is necessary to obtain sufficient appropriate audit evidence, alternative audit procedures will not provide the audit evidence the auditor requires. If the auditor does not obtain such confirmation, the auditor shall determine the implications for the audit and the auditor’s opinion in accordance with ISA 705 (Revised). (Ref: Para. A20) |
| 505.14 | The auditor shall investigate exceptions to determine whether or not they are indicative of misstatements. (Ref: Para. A21–A22) |
| 505.15 | Negative confirmations provide less persuasive audit evidence than positive confirmations. Accordingly, the auditor shall not use negative confirmation requests as the sole substantive audit procedure to address an assessed risk of material misstatement at the assertion level unless all of the following are present: (Ref: Para. A23)
|
| 505.16 | The auditor shall evaluate whether the results of the external confirmation procedures provide relevant and reliable audit evidence, or whether further audit evidence is necessary. (Ref: Para. A24–A25) |
External confirmations are often used to provide audit evidence about completeness of a liability and existence of an asset. External confirmations can also provide evidence on whether the amount has been accurately recorded in the accounting records (accuracy) and in the appropriate period (cutoff). Confirmations are less relevant in addressing valuation issues such as the recoverability of accounts receivable or the obsolescence of inventory being held.
Typical situations where external confirmation procedures provide relevant audit evidence include:
- Bank balances and other information relevant to banking relationships;
- Accounts receivable balances and terms;
- Inventories held by third parties at bonded warehouses for processing or on consignment;
- Property title deeds held by lawyers or financiers for safe custody or as security;
- Investments held for safekeeping by third parties, or purchased from stockbrokers but not delivered at the balance-sheet date;
- Amounts due to lenders, including relevant terms of repayment and restrictive covenants; and
- Accounts payable balances and terms.
Matters the auditor would consider are set out in the following table.
Exhibit 10.3-1
Address | Description |
|---|---|
| Dual Purpose Tests | Is there an opportunity to obtain audit evidence about other important matters at the same time (such as terms of a contract, etc.)? |
| Confirming Party’s Knowledge of the Subject Matter | Responses will be more reliable if provided by a person knowledgeable in the subject matter. |
| Ability/Willingness of Confirming Party to Respond | Consider the reliability of the evidence obtained if there is possibility of the confirming party:
|
| Objectivity of the Confirming Party | Consider the reliability of the evidence obtained if the confirming party is a related- party. In such situations, consider:
|
Although there may be exceptions (see ISA 500.A31), audit evidence is generally considered more reliable when it is obtained from independent sources outside the entity. For this reason, written responses to confirmation requests received directly from unrelated third parties may assist in reducing the risk of material misstatement for the related assertions to an acceptably low level.
The confirmation requirements can be summarized as set out below.
Exhibit 10.3-2
Address | Description |
|---|---|
| Maintain Control over Confirmation Process | This includes:
|
| Are Responses Reliable? | If factors give rise to doubts about the reliability of the response:
|
| When No Response Is Received | Perform alternative audit procedures (if possible) to obtain relevant and reliable audit evidence. |
| Evaluate Overall Results | Did the results of the external confirmation procedures provide the relevant and reliable audit evidence required? |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 520.5 | When designing and performing substantive analytical procedures, either alone or in combination with tests of details, as substantive procedures in accordance with ISA 330, the auditor shall: (Ref: Para. A4–A5)
|
Substantive analytical procedures involve a comparison of amounts or relationships in the financial statements with an expectation developed from information obtained from understanding the entity, and other audit evidence.
If the inherent risks are low for a class of transactions, substantive analytical procedures alone may provide sufficient appropriate audit evidence. However, if the assessed risk is low because of related internal controls, the auditor would also perform tests of those controls. When addressing significant risks, any use of analytical procedures would need to be in combination with other substantive tests or tests of control.
To use an analytical procedure as a substantive procedure, the auditor should design the procedure to reduce the risk of not detecting a material misstatement in the relevant assertion to an acceptably low level. This means that the expectation of what the recorded amount should be is precise enough to indicate the possibility of a material misstatement, either individually or in the aggregate.
CONSIDER POINT For audit-planning purposes, substantive analytical procedures may be grouped into three distinct levels based on the level of assurance obtained. These are described below. |
|---|
Exhibit 10.4-1
Impact on Reducing Audit Risk | Description |
|---|---|
Highly Effective (Low Level of Risk that the Recorded Amount is Misstated) | Procedure is intended to be the primary source of evidence regarding a financial statement assertion. It “effectively” proves the recorded amount. However, if the risk involved is significant, it would be supplemented by other relevant procedures. |
| Moderately Effective | Procedure is only intended to corroborate evidence obtained from other procedures. A moderate level of assurance is obtained. |
| Limited | Basic procedures, such as comparing an amount in the current period to a previous period, are useful but only provide a limited level of assurance. |
There are a number of possible techniques that can be used to perform the analytical procedures. The objective is to select the most appropriate technique to provide the intended levels of assurance and precision. Techniques include:
- Ratio analysis;
- Trend analysis;
- Break-even analysis;
- Pattern analysis; and
- Regression analysis.
Each technique has its particular strengths and weaknesses that the auditor needs to consider when designing the analytical procedures. A complex technique such as regression analysis may provide statistically reliable conclusions about a recorded amount. However, a simple technique such as multiplying the number of apartments by the approved rental rates (per leases) and adjusting the result for actual vacancies may provide a reliable and precise estimate of the rental revenue.
Exhibit 10.4-2
Factors to Consider | |
|---|---|
| Designing Substantive Analytical Procedures | Suitability given the nature of the assertions. |
| Reliability of the data (internal or external) from which the expectation of recorded amounts or ratios is developed. This will require tests on the accuracy, existence, and completeness of the underlying information such as tests of controls or performing other specific audit procedures, possibly including the use of computer-assisted audit techniques (CAATs). | |
| Whether the expectation is sufficiently precise to identify a material misstatement at the desired level of assurance. | |
| Amount of any difference in recorded amounts from expected values that would be acceptable. | |
Questions to Address | |
|---|---|
| Establishing Meaningful Relationships between Information | Are the relationships developed from a stable environment?
|
Are the relationships considered at a detailed level?
| |
| Are there offsetting factors or complexity among highly summarized components that could obscure a material misstatement? | |
Do the relationships involve items subject to management discretion?
| |
The degree of reliability of data used to develop expectations needs to be consistent with the levels of assurance and precision intended to be derived from the analytical procedure. Other substantive procedures may also be required to determine whether the underlying data is sufficiently reliable. Tests of controls may also be considered to address other assertions such as the data’s completeness, existence, and accuracy.
Internal control over non-financial information can often be tested in conjunction with other tests of controls.
Exhibit 10.4-3
Questions to Address | |
|---|---|
| Is the Data Sufficiently Reliable for Achieving the Audit Objective? | Is the data obtained from sources within the entity, or from independent sources outside the entity?
|
Is data from sources within the entity developed by persons not directly responsible for its accuracy?
| |
| Was the data developed under a reliable system with adequate internal control? | |
| Is broad industry data available for comparison with the entity’s data? | |
| Was the data subject to audit testing in the current or prior periods? | |
| Were the auditor’s expectations regarding recorded amounts developed from a variety of sources? | |
To avoid unwarranted reliance on a source of data used, the auditor would perform substantive tests of the underlying data to determine whether it is sufficiently reliable, or test whether internal controls over the data’s completeness, existence, and accuracy are operating effectively.
In some cases, non-financial data (for example, quantities and types of items produced) will be used in performing analytical procedures. Accordingly, the auditor needs an appropriate basis for determining whether the non-financial data is sufficiently reliable for the purposes of performing the analytical procedures.
When differences are identified between recorded amounts and the auditor’s expectations, the auditor would consider the level of assurance that the procedures are intended to provide and the auditor’s performance materiality. The amount of the acceptable difference without investigation would, in any event, need to be less than performance materiality.
Procedures used for the investigation could include:
- Reconsidering the methods and factors used in forming the expectation;
- Making inquiries of management regarding the causes of differences from the auditor’s expectations and assessing management’s responses, taking into account the auditor’s understanding of the business obtained during the course of the audit; and
- Performing other audit procedures to corroborate management’s explanations.
As a result of this investigation, the auditor may conclude that:
- Differences between the auditor’s expectations and recorded amounts do not represent misstatements; or
- Differences may represent misstatements, and further audit procedures need to be performed to obtain sufficient appropriate audit evidence as to whether a material misstatement does or does not exist.
Exhibit 10.4-4
Financial Statement Amount | Relationship and Procedure |
|---|---|
| Sales | Selling price applied to the quantities shipped. |
| Amortization Expenses | Amortization rate applied to capital asset balances, allowing for effect of additions and disposals. |
| Overhead Element of Inventory | Relating actual overheads to actual direct labor or production volumes. |
| Payroll Expense | Pay rates applied to number of employees. |
| Commission Expense | Commission rate applied to sales. |
| Payroll Accruals | Daily payroll applied to number of days accrued. |
Analysis can take the form of:
- Detailed comparisons of current financial statement or financial data with that of prior periods or with current operating budgets.
An increase in accounts receivable with no corresponding increase in sales could indicate that a problem exists in the collectability of accounts receivable. An increase in the number of employees in a professional organization would lead the auditor to expect an increase in salary expense and a corresponding increase in professional fee revenue.
- Comparative data on the various types of products sold or types of customers.
This could help explain month-to-month or period-to-period fluctuations in sales.
- Ratio analysis.
Ratios can provide support for the current financial statements (e.g., comparable to industry norms or prior periods’ results) or raise points for discussion. Certain institutions, such as banks and trade associations, produce financial statistics on an industry-wide basis. Such statistics can be useful when compared to those of an entity’s operation, and inquiries made where differences from industry trends occur.
- Graphs.
Finally, consider the use of graphs to portray the results of procedures. Graphs visually highlight significant differences from month to month or period to period.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 520.6 | The auditor shall design and perform analytical procedures near the end of the audit that assist the auditor when forming an overall conclusion as to whether the financial statements are consistent with the auditor’s understanding of the entity. (Ref: Para. A17–A19) |
Upon substantial completion of the audit, the auditor is required to use analytical procedures to assist in evaluating the overall financial statement presentation.
The purpose of using analytical procedures at or near the end of the audit is to determine whether the financial statements as a whole are consistent with the auditor’s understanding of the entity.
These procedures would address questions such as:
- Do the conclusions drawn from such procedures corroborate the conclusions formed during the audit of individual components or elements of the financial statements?
Analytical procedures may reveal that certain financial statement items differ from expectations formed by the auditor based on knowledge of the entity’s business and other information accumulated during the audit. Such differences would need to be investigated using procedures such as those described above. This investigation may indicate the need for changes in presentation or disclosure in the financial statements.
- Is there a risk of material misstatement that has not been previously recognized?
If additional risks are identified, the auditor may need to re-evaluate the planned audit procedures to respond appropriately.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 330.8 | The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls if:
|
| 330.9 | In designing and performing tests of controls, the auditor shall obtain more persuasive audit evidence the greater the reliance the auditor places on the effectiveness of a control. (Ref: Para. A25) |
| 330.10 | In designing and performing tests of controls, the auditor shall:
|
| 330.11 | The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls, subject to paragraphs 12 and 15 below, in order to provide an appropriate basis for the auditor’s intended reliance. (Ref: Para. A32) |
Tests of controls are tests designed to obtain audit evidence about the operating effectiveness of controls. Controls can prevent material misstatements at the assertion level from occurring altogether, or detect and then correct them after they have occurred. The controls selected for testing would be those that provide necessary audit evidence for a relevant assertion.
CONSIDER POINT A walk-through procedure to determine whether a control has been implemented is not a test of controls. It is a risk assessment procedure, the results of which may determine whether tests of controls would be useful, and if so, how they would be designed. |
|---|
Tests of controls are considered by the auditor when:
- The risk assessment is based on an expectation that internal control operates effectively; or
- Substantive procedures alone will not provide sufficient appropriate audit evidence at the assertion level. This might apply where sales are made over the Internet and no documentation of transactions is produced or maintained, other than through the IT system.
Selecting sample sizes for tests of controls is addressed in Volume 2, Chapter 17 on the extent of testing. Tests of controls are designed to obtain audit evidence about:
- How internal control procedures were applied throughout, or at relevant times during, the period under audit. If substantially different controls were used at different times during the period, each control system should be considered separately;
- The consistency with which internal control procedures were applied; and
- By whom or by what means controls were applied.
CONSIDER POINT When auditing smaller entities, auditors often plan to perform substantive procedures, on the assumption that tests of existing control activities would not be practical due to limited segregation of duties, etc. Before jumping to that conclusion, consider:
|
|---|
Tests of controls are used to gain evidence about the operating effectiveness of controls included in any of the five elements of internal control. See the illustration below and Volume 1, Chapter 5 of this Guide for additional information on each of the five internal control elements.
Exhibit 10.5-1
Loading...
Assertion-level controls (such as control activities) directly address the prevention or detection and correction of misstatements, whereas controls at the financial statement level (pervasive controls, such as the control environment) provide the foundation for the assertion-level controls and influence their operation.
In smaller entities, some controls at the financial statement level, (pervasive controls) may also serve to address assertion-level risks of misstatement such as where senior management is directly involved in supervising and approving day-to-day transactions). In this case, if the pervasive controls were tested and found to operate effectively, there would be no need to test other controls (such as control activities) related to the particular risks involved.
CONSIDER POINT Domination of management by a single individual does not mean that internal control is weak or does not exist. In fact, the involvement of a competent owner-manager in the detailed day-to-day operations could be an important control-environment strength. However, the flip side is the ever-present opportunity for management override to occur. This risk of management override can be reduced to some extent (in virtually any size of entity) by implementing some simple anti-fraud controls. (See Volume 1, Chapter 5.) |
|---|
In other cases, the link between financial statement-level (pervasive controls) and assertion-level (transactional) controls may be more direct. For example, some monitoring controls may identify control breakdowns in specific (business process) controls. Testing these monitoring controls for effectiveness might reduce (but not eliminate) the need for testing more specific controls.
Tests of financial statement level (pervasive controls) can often be subjective such as evaluating the commitment to integrity or competence. Consequently, they tend to be more difficult to document than the operation of transactional internal controls at the assertion level, such as checking to see if a payment was authorized.
As a result, the testing of pervasive controls is often documented with memoranda to the file explaining the approach taken and the action steps. Examples would include staff interviews, assessments, review of employee files, etc., along with supporting evidence.
This approach is illustrated in the following example.
Exhibit 10.5-2
Testing financial statement level (Pervasive Controls)
Control Component = Control Environment | |
|---|---|
| Risk Addressed | No emphasis is placed on need for integrity and ethical values. |
| Controls Identified | Management requires all new employees to sign a form stating their agreement with the firm’s fundamental values and understanding of the consequences for non-compliance. |
| Control Design | Read the form to be signed by employees and ensure it does indeed address integrity and ethical values. |
| Control Implementation | Review one employee file to ensure there is a signed form, and consider what evidence exists (such as discipline) that employees actually practice the values. This could be based on a short interview with an employee. |
| Test of Controls Effectiveness | Select a sample of employee files and ensure there are agreement forms on file and they are signed by the employee. This would be supplemented by asking a sample of employees some questions about the stated entity policies. |
| Documentation | Prepare a memo that provides details of the employee files selected, and notes from interviews (including the name of the person and the date) along with the conclusions reached. |
Some key factors for the auditor to consider when designing a test of controls are listed below.
Exhibit 10.5-3
Address | Description |
|---|---|
| What Risk of Material Misstatement and Assertion Is Being Addressed? | Identify the risk of material misstatement and the related assertion that would be addressed by performing tests of control. Then consider whether audit evidence about the relevant assertion can be best obtained by performing tests of controls or through substantive procedures. |
| Reliability of the Controls | As a general rule, it is not worth testing controls that may prove to be unreliable, because the small sample sizes commonly used for testing controls are based on no deviations being found. If any of the following factors are significant, it may be more effective to perform substantive procedures (if possible):
|
| Existence of Indirect Controls | Does control depend on effective operation of other controls? This could include non-financial information produced by a separate process, the treatment of exceptions, and periodic reviews of reports by managers. |
| Nature of Test to Meet Objectives | Tests of controls usually involve a combination of the following:
Note that inquiry alone would not be sufficient evidence to support a conclusion about the effectiveness of a control. For example, to test the operating effectiveness of internal control over cash receipts, the auditor might observe the procedures for opening the mail and processing cash receipts. Because an observation is pertinent only at the point in time at which it is made, the auditor would supplement the observation with inquiries of entity personnel and inspection of documentation about the operation of such internal control at other times. |
CONSIDER POINT Determine what constitutes a control deviation. When designing a test of control, spend time to define exactly what constitutes an error or exception to the test. This will save time spent by audit staff in determining whether a seemingly minor exception (such as an incorrect telephone number) is, in fact, a control deviation. |
|---|
There may be some instances where control activities are performed by a computer and supporting documentation does not exist. In these situations, the auditor may have to re-perform some controls to ensure the software application controls are working as designed. Another approach is to use Computer- Assisted Audit Techniques (CAATs). One example of a CAAT is a software package that can import an entity’s data file (such as sales or payables), which can then be tested. Such programs can analyze client data to provide the audit evidence needed. In addition, they provide the potential to perform much more extensive testing of electronic transactions and account files. Some possible uses of CAATs are outlined below.
Exhibit 10.5-4
Use of CAATs | |
|---|---|
| Typical Types of Procedures | Extract specific records such as payments more than a specified amount or transactions before a given date. |
| Extract top or bottom records in a database. | |
| Identify missing and duplicate records. | |
| Identify possible fraud (using Benford's Law). | |
| Select sample transactions from electronic files which match predetermined parameters or criteria. | |
| Sort transactions with specific characteristics. | |
| Test an entire population instead of a sample. | |
| Recalculate (add up) the total monetary amount of records in a file (such as inventory) and check extensions such as pricing. | |
| Stratify, summarize, and age information. | |
| Match data across files. | |
Smaller entities often use off-the-shelf packaged accounting and other relevant software without modification. However, many software packages actually contain proven application controls that could be used by the entity to reduce the extent of errors and possibly deter fraud. Auditors might want to ask their clients whether these controls are being used and, if not, whether there would be value in using them.
Timing of Tests of Controls
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 330.11 | The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those controls, subject to paragraphs 12 and 15 below, in order to provide an appropriate basis for the auditor’s intended reliance. (Ref: Para. A32) |
| 330.12 | If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor shall:
|
| 330.15 | If the auditor plans to rely on controls over a risk the auditor has determined to be a significant risk, the auditor shall test those controls in the current period. |
Tests of controls may provide evidence of effective operation:
- At a particular point in time (i.e., physical inventory count); or
- Over a period of time, such as the period under audit.
When the tests of controls take place before the period end, the auditor would consider what additional evidence may be required to cover the remaining period. This evidence may be obtained by extending the tests to cover the remaining period, or testing the entity’s monitoring of internal control.
Exhibit 10.5-5
Factors to Consider | |
|---|---|
| Gap Between the Tests of Controls and Period End | Significance of assessed risks of material misstatement at the assertion level. |
| Specific controls that were tested during the interim period. | |
| Degree to which audit evidence about the operating effectiveness of those controls was obtained. | |
| Length of the remaining period. | |
| Extent to which the auditor intends to reduce further substantive procedures based on the reliance on internal control. | |
| The control environment. | |
| Any significant changes in internal control, including changes in the information system, processes, and personnel that occurred subsequent to the interim period. | |
CONSIDER POINT Where efficient, consider performing tests on the operating effectiveness of internal controls at the same time as evaluating the design and implementation of controls. |
|---|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 330.13 | In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider the following:
|
| 330.14 | If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specific controls, the auditor shall establish the continuing relevance of that evidence by obtaining audit evidence about whether significant changes in those controls have occurred subsequent to the previous audit. The auditor shall obtain this evidence by performing inquiry combined with observation or inspection, to confirm the understanding of those specific controls, and:
(Ref: Para. A36)
|
| 330.29 | If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in previous audits, the auditor shall include in the audit documentation the conclusions reached about relying on such controls that were tested in a previous audit. |
Before audit evidence obtained in prior audits can be used, the continuing relevance of such evidence needs to be established each period. This will include confirming the understanding of those specific controls through:
- Inquiry of management and others about changes; and
- Observation or inspection of the internal control to determine its continuing implementation.
Reliance on control testing performed in prior years is NOT permitted when:
- Reliance on the control is required to mitigate a “significant risk”;
- The operation of the internal control has changed during the period; and/or
- The risk being mitigated by the control has changed.
Depending on the auditor’s professional judgment, other factors may also rule out the use of rotational testing (or at least reduce the time period between tests of controls), such as:
- A weak control environment exists;
- The ongoing monitoring of internal control operation is poor;
- There is a significant manual element to the operation of relevant controls;
- Personnel changes have occurred that significantly affect the application of the control;
- Changing circumstances indicate the need for changes in the operation of the control; and/or
- General IT controls are weak or ineffective.
When there are a number of controls where evidence could be used from prior audits, the reliance should be staggered so that some testing of internal control is performed during each audit. Testing at least a few controls each period also provides collateral evidence about the continuing effectiveness of the control environment.
In general, the higher the risks of material misstatement or the greater the reliance placed on internal control, the shorter the time period should be between tests of controls.
Chapter Content | Relevant ISA |
|---|---|
Audit procedures relating to the audit of accounting estimates, including fair value accounting estimates and related disclosures in an audit of financial statements. | 540 |
Exhibit 11.0-1
Loading...
| Paragraph # | ISA Objective(s) |
|---|---|
| 540.6 | The objective of the auditor is to obtain sufficient appropriate audit evidence about whether:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 540.7 | For purposes of the ISAs, the following terms have the meanings attributed below:
|
When auditing estimates, the objective is to obtain sufficient appropriate audit evidence about whether:
- Accounting estimates, including fair value accounting estimates in the financial statements, whether recognized or disclosed, are reasonable; and
- Related disclosures in the financial statements are adequate in the context of the applicable financial reporting framework.
Some financial statement items cannot be measured precisely and therefore have to be estimated. Such accounting estimates range from the straightforward (such as net realizable values for inventory and accounts receivable) to the more complex (such as calculating revenues to be recorded from long-term contracts and future liabilities on product warranties and guarantees). Estimates can often involve considerable analyses of historical and current data, and the forecasting of future events such as sales transactions.
The measurement of accounting estimates may vary based on the requirements of the applicable financial reporting framework and the financial item involved. For example, the measurement objective of an estimate may be to:
- Forecast the outcome of one or more transactions, events, or conditions that gave rise to the accounting estimate; or
- Determine the value of a current transaction or financial statement item based on conditions prevalent at the measurement date, such as estimated market price for a particular type of asset or liability. This would include fair value measurements.
The risk of material misstatement arising from an estimate will often be based on the degree of estimation uncertainty involved. Some of the factors to consider are outlined in the following exhibit.
Exhibit 11.1-1
| Level of Estimation Uncertainty Involved | |
|---|---|
| Low Level of Uncertainty (Less RMM) | High Level of Uncertainty (Higher RMM) |
| Business activities that are not complex. | Highly dependent upon judgment, such as the outcome of litigation or the amount and timing of future cash flows, dependent on uncertain events many years in the future. |
| Relate to routine transactions. | NOT calculated using recognized measurement techniques. |
| Derived from data (referred to as “observable” in the context of fair value accounting) that is readily available, such as published interest-rate data or exchange-traded prices of securities. | Results of the auditor’s review of similar accounting estimates made in the prior period financial statements indicate a substantial difference between the original accounting estimate and the actual outcome. |
| Method of measurement prescribed by the applicable financial reporting framework is simple and applied easily. | Fair value accounting estimates for derivative financial instruments are not publicly traded. |
| Fair value accounting estimates, where the model used to measure the accounting estimate is well known or generally accepted, provided that the assumptions or inputs to the model are observable. | Fair value accounting estimates for which a highly specialized entity-developed model is used, or for which there are assumptions or inputs that cannot be observed in the marketplace |
Note: The auditor (using professional judgment) is required to determine whether any of the identified accounting estimates (those having a high estimation uncertainty) give rise to significant risks. If a significant risk is identified, the auditor is also required to obtain an understanding of the entity’s controls, including control activities.
When the audit evidence had been obtained, the reasonableness of the estimates would be evaluated and the extent of any misstatement identified:
- Where the evidence supports a point estimate, the difference between the auditor’s point estimate and management’s point estimate constitutes a misstatement.
- Where the auditor has concluded that using the auditor’s range of reasonableness provides sufficient appropriate audit evidence, a management point estimate that lies outside the auditor’s range would not be supported by audit evidence. In such cases, the misstatement is no less than the difference between management’s point estimate and the nearest point of the auditor’s range.
A difference between the outcome of an accounting estimate and the amount originally recognized or disclosed in the financial statements does not necessarily represent a misstatement of the financial statements. This is particularly the case for fair value accounting estimates, as any observed outcome is invariably affected by events or conditions subsequent to the date at which the measurement is estimated for purposes of the financial statements
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 540.8 | When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, including the entity’s internal control, as required by ISA 315 (Revised), the auditor shall obtain an understanding of the following in order to provide a basis for the identification and assessment of the risks of material misstatement for accounting estimates: (Ref: Para. A12)
new, or the need to revise existing, accounting estimates. (Ref: Para. A16–A21)
|
| 540.9 | The auditor shall review the outcome of accounting estimates included in the prior period financial statements, or, where applicable, their subsequent re-estimation for the purpose of the current period. The nature and extent of the auditor’s review takes account of the nature of the accounting estimates, and whether the information obtained from the review would be relevant to identifying and assessing risks of material misstatement of accounting estimates made in the current period financial statements. However, the review is not intended to call into question the judgments made in the prior periods that were based on information available at the time. (Ref: Para. A39–A44) |
| 540.10 | In identifying and assessing the risks of material misstatement, as required by ISA 315 (Revised), the auditor shall evaluate the degree of estimation uncertainty associated with an accounting estimate. (Ref: Para. A45–A46) |
| 540.11 | The auditor shall determine whether, in the auditor’s judgment, any of those accounting estimates that have been identified as having high estimation uncertainty give rise to significant risks. (Ref: Para. A47–A51) |
For smaller entities, the amount of work involved in preparing estimates will be less complex, as their business activities are often limited and transactions are less complex. Often a single person, such as the owner- manager, will identify the need for accounting estimates, and the auditor may focus the inquiries accordingly.
However, smaller entities will also be less likely to have a management expert available who would use his or her experience and competence to make the required point estimates. In these cases, the risk of material misstatement might actually increase, unless of course such an expert is hired.
CONSIDER POINT Where the use of a management expert would greatly assist the estimating process, discuss this need with entity management as early as possible in the audit process so that appropriate action can be taken. |
|---|
The key areas for the auditor to address are outlined in the exhibit below.
Exhibit 11.2-1
Address | Description |
|---|---|
| How is the Need for an Estimate Identified? | This could result from the accounting framework being used or from transactions, events, and conditions that may give rise to the need for accounting estimates to be recognized or disclosed in the financial statements. In addition, the auditor would make inquiries of management about changes in circumstances that give rise to new, or the need to revise existing, accounting estimates. |
| Management’s Process for Making Estimates | Review and evaluate management’s estimation processes including the development of the underlying assumptions, reliability of data used, and any internal approval or review process. Where applicable, this could also include the use of a management expert. The need for a management expert may arise because of, for example:
|
| Outcomes of Estimates Prepared in Previous Periods | Review the outcome of the previous period’s estimates and understand the reasons for differences between prior-period estimates and the actual amounts. This will help to understand:
|
| Extent of Estimation Uncertainty Involved | Consider the following:
Note: Determine whether the accounting estimates with a high estimation uncertainty are also “significant risks” to be addressed by the auditor. |
| Significance of the Estimates | In assessing the risks of material misstatement, consider:
|
| Communicating Estimates with High Estimation Uncertainty | Where an accounting estimate has been identified as having a high estimation uncertainty, it may:
If the matter is determined to be a key audit matter, ISA 706 (Revised) prohibits the auditor from including an Emphasis of Matter paragraph in the auditor’s report.2 However, law or regulation may require a matter to be emphasized in the auditor’s report in addition to communicating it as a key audit matter. |
1 ISA 706 (Revised), Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report.
2 ISA 706 (Revised), paragraph 8(b).
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 540.12 | Based on the assessed risks of material misstatement, the auditor shall determine: (Ref: Para. A52)
(Ref: Para. A53–A56)
the method for making them from the prior period are appropriate in the circumstances. (Ref: Para. A57–A58) |
| 540.13 | In responding to the assessed risks of material misstatement, as required by ISA 330, the auditor shall undertake one or more of the following, taking account of the nature of the accounting estimate: (Ref: Para. A59–A61)
into account relevant variables and to evaluate any significant differences from management’s point estimate. (Ref: Para. A92)
|
| 540.14 | In determining the matters identified in paragraph 12 or in responding to the assessed risks of material misstatement in accordance with paragraph 13, the auditor shall consider whether specialized skills or knowledge in relation to one or more aspects of the accounting estimates are required in order to obtain sufficient appropriate audit evidence. (Ref: Para. A96–A101) |
| 540.15 | For accounting estimates that give rise to significant risks, in addition to other substantive procedures performed to meet the requirements of ISA 330, the auditor shall evaluate the following: (Ref: Para. A102)
|
| 540.16 | If, in the auditor’s judgment, management has not adequately addressed the effects of estimation uncertainty on the accounting estimates that give rise to significant risks, the auditor shall, if considered necessary, develop a range with which to evaluate the reasonableness of the accounting estimate. (Ref: Para. A111–A112) |
In smaller entities, there is likely to be active management involvement in the financial reporting process which includes accounting-estimate preparation. As a result, controls over the estimating process may not exist, or, if they do exist, may operate informally. For this reason, the auditor’s response to the assessed risks is likely to be substantive in nature, with the auditor performing one or more of the other responses outlined below.
Exhibit 11.3-1
Address | Description |
|---|---|
| Have Estimates Been Prepared Appropriately? |
|
| How Reliable Is the Supporting Evidence? | Undertake one or more of the following procedures, taking into account the nature of the accounting estimate, the nature of the evidence that will be obtained, and the assessed risk of material misstatement, including whether the assessed risk is a significant risk: Review events subsequent to the period end to ensure they support management’s estimates. This may be particularly relevant in some smaller owner-managed entities, where management does not have formalized control procedures over accounting estimates.
|
| Possible Management Bias |
|
Where the estimate is complex or involves specialized techniques, the auditor may determine it is necessary to use the work of an auditor’s expert (see Volume 1, Chapter 15.8 (ISA 620) for guidance on using the work of an auditor’s expert).
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 540.19 | The auditor shall obtain sufficient appropriate audit evidence about whether the disclosures in the financial statements related to accounting estimates are in accordance with the requirements of the applicable financial reporting framework. (Ref: Para. A120–A121) |
| 540.20 | For accounting estimates that give rise to significant risks, the auditor shall also evaluate the adequacy of the disclosure of their estimation uncertainty in the financial statements in the context of the applicable financial reporting framework. (Ref: Para. A122–A123) |
The final step is to determine whether:
- Sufficient appropriate evidence has been obtained. Where sufficient appropriate evidence is not available or the evidence refutes management’s estimates, the auditor would discuss the findings with management and consider the need to change the risk assessment and perform further audit procedures;
- The accounting estimates are either reasonable in the context of the applicable financial reporting framework, or are misstated; and
- Disclosures in the financial statements about the estimates:
+ Are in accordance with the requirements of the applicable financial reporting framework, and
+ Adequately disclose their estimation uncertainty, if they give rise to significant risks.
The auditor would obtain written representations from management regarding the reasonableness of significant assumptions.
Also consider obtaining a written representation as to whether the assumptions appropriately reflect management’s intent and ability to carry out specific courses of action relevant to any fair value measurements or disclosures.
Chapter Content | Relevant ISA |
|---|---|
Audit procedures regarding related parties and transactions with such parties. | 550 |
Exhibit 12.0-1
Loading...
| Paragraph # | ISA Objective(s) |
|---|---|
| 550.9 | The objectives of the auditor are:
(b) In addition, where the applicable financial reporting framework establishes related- party requirements, to obtain sufficient appropriate audit evidence about whether related-party relationships and transactions have been appropriately identified, accounted for and disclosed in the financial statements in accordance with the framework. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 550.10 | For purposes of the ISAs, the following terms have the meanings attributed below:
However, entities that are under common control by a state (i.e., a national, regional or local government) are not considered related unless they engage in significant transactions or share resources to a significant extent with one another. |
As related parties are not independent of each other, there are often higher risks of material misstatement through related-party transactions than through transactions with unrelated parties. Furthermore, financial reporting frameworks often contain accounting and disclosure requirements regarding related-party transactions and balances. These requirements are intended to provide financial statement users with an understanding of the nature of these transactions/balances and the actual or potential effects.
Some of the potential risk factors with regard to related-party transactions are set out below.
Exhibit 12.1-1
Description | |
|---|---|
| Overly Complex Transactions | Related parties may operate through an extensive and complex range of relationships and structures. |
| Relationships and Transactions Not Identified |
|
| Not Conducted in the Normal Course of Business | Related-party transactions may not be conducted under normal market terms and conditions such as above; below fair values; or even with no exchange of consideration at all. |
Management is responsible for the identification and disclosure of related parties and accounting for the transactions. This responsibility requires management to implement adequate internal control to ensure that transactions with related parties are appropriately identified and recorded in the information system, and disclosed in the financial statements.
The auditor is responsible for maintaining an alertness for related-party information when reviewing records or documents during the audit. This includes the inspection of certain key documents, but does not require an extensive investigation of records and documents to specifically identify related parties.
In smaller entities, these procedures are likely to be less sophisticated and informal. Management may not readily have information about related parties (the accounting systems are unlikely to have been designed to identify related parties), so the auditor may need to make inquiries and review accounts with specific parties, etc. beyond the accounting records and disclosures in the accounts.
Because related parties are not independent of each other, many financial reporting frameworks establish specific accounting and disclosure requirements for related-party relationships, transactions, and balances. This enables the users of financial statements to understand their nature and actual or potential effects on the financial statements.
Where the applicable financial reporting framework establishes requirements for related-party accounting and disclosure, the auditor has a responsibility to perform audit procedures to identify, assess, and respond to the risks of material misstatement arising from the entity’s failure to appropriately account for or disclose related-party relationships, transactions, or balances in accordance with the requirements of the framework.
Where the applicable financial reporting framework establishes minimal or no related-party requirements, the auditor still needs to obtain a sufficient understanding of the entity’s related-party relationships and transactions to be able to conclude whether the financial statements, insofar as they are affected by those relationships and transactions:
- Achieve fair presentation (for fair presentation frameworks); or
- Are not misleading (for compliance frameworks).
When information is identified that suggests the existence of related-party relationships or transactions that were not previously identified or disclosed by management, the auditor is required to determine whether the underlying circumstances confirm the existence of such relationships or transactions.
ISA 550 provides guidance on the auditor’s responsibility and audit procedures regarding related parties and transactions with such parties.
Exhibit 12.1-2
Auditor Responsibility Where | Description |
|---|---|
| Applicable Financial Reporting Framework Establishes Minimal or No Requirements | Obtain an understanding of the entity’s related-party relationships and transactions sufficient to:
|
| Applicable Financial Reporting Framework Sets Out the Requirements | In addition to the steps described above, obtain sufficient appropriate audit evidence to comply with the specific accounting and disclosure requirements for related-party relationships, transactions, and balances. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 550.11 | As part of the risk assessment procedures and related activities that ISA 315 (Revised) and ISA 240 require the auditor to perform during the audit, the auditor shall perform the audit procedures and related activities set out in paragraphs 12–17 to obtain information relevant to identifying the risks of material misstatement associated with related-party relationships and transactions. (Ref: Para. A8) |
| 550.12 | The engagement team discussion that ISA 315 (Revised) and ISA 240 require shall include specific consideration of the susceptibility of the financial statements to material misstatement due to fraud or error that could result from the entity’s related-party relationships and transactions. (Ref: Para. A9–A10) |
| 550.13 | The auditor shall inquire of management regarding:
|
| 550.14 | The auditor shall inquire of management and others within the entity, and perform other risk assessment procedures considered appropriate, to obtain an understanding of the controls, if any, that management has established to: (Ref: Para. A15–A20)
|
| 550.15 | During the audit, the auditor shall remain alert, when inspecting records or documents, for arrangements or other information that may indicate the existence of related-party relationships or transactions that management has not previously identified or disclosed to the auditor. (Ref: Para. A22–A23) In particular, the auditor shall inspect the following for indications of the existence of related- party relationships or transactions that management has not previously identified or disclosed to the auditor:
|
| 550.16 | If the auditor identifies significant transactions outside the entity’s normal course of business when performing the audit procedures required by paragraph 15 or through other audit procedures, the auditor shall inquire of management about: (Ref: Para. A24–A25)
|
| 550.17 | The auditor shall share relevant information obtained about the entity’s related parties with the other members of the engagement team. (Ref: Para. A28) |
| 550.18 | In meeting the ISA 315 (Revised) requirement to identify and assess the risks of material misstatement, the auditor shall identify and assess the risks of material misstatement associated with related- party relationships and transactions and determine whether any of those risks are significant risks. In making this determination, the auditor shall treat identified significant related-party transactions outside the entity’s normal course of business as giving rise to significant risks. |
| 550.19 | If the auditor identifies fraud risk factors (including circumstances relating to the existence of a related-party with dominant influence) when performing the risk assessment procedures and related activities in connection with related parties, the auditor shall consider such information when identifying and assessing the risks of material misstatement due to fraud in accordance with ISA 240. (Ref: Para. A6 and A29–A30) |
To identify and assess the risks of material misstatement associated with related-party relationships and transactions, the auditor would consider the matters set out below.
Exhibit 12.2-1
Identifying Risks | Description |
|---|---|
Address Existence/ Nature/Impact of Related Parties and Transactions | Inquire about the:
|
| Consider Possible Fraud | Discuss among the engagement team the susceptibility of financial statements to material misstatement due to fraud or error resulting from related-party relationships and transactions. Also consider whether domination of management occurs by a single person or a small group of persons without compensating controls. Indicators of dominant influence include:
Dominant influence may also exist in some cases if the related-party has played a leading role in founding the entity and continues to play a leading role in managing the entity. If fraud risk factors are identified, make an assessment of the risks of material misstatement. If a risk of material misstatement could occur, develop an appropriate audit response. |
| Remain Alert When Inspecting Records or Documents | When inspecting records or documents, always remain alert to undisclosed related- party relationships or transactions. In particular, inspect the following records and documents for related parties not previously identified or disclosed:
Always share information obtained about possible related parties with other team members. |
| Identify Significant Risks | Significant related-party transactions outside the normal course of business would give rise to significant risks. |
CONSIDER POINT In smaller entities, the identification of related-party transactions can often be difficult. If the client uses a standard software package to record transactions, consider obtaining an electronic copy of the transactions and importing them into an electronic spreadsheet. By using the sort features and configuring the selection criteria, it may be possible to obtain information about customers/suppliers with only a few, but large, transactions, or those with significant transactions of a size or nature that is unusual. |
|---|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 550.20 | As part of the ISA 330 requirement that the auditor respond to assessed risks, the auditor designs and performs further audit procedures to obtain sufficient appropriate audit evidence about the assessed risks of material misstatement associated with related-party relationships and transactions. These audit procedures shall include those required by paragraphs 21–24. (Ref: Para. A31–A34) |
| 550.21 | If the auditor identifies arrangements or information that suggests the existence of related- party relationships or transactions that management has not previously identified or disclosed to the auditor, the auditor shall determine whether the underlying circumstances confirm the existence of those relationships or transactions. |
| 550.22 | If the auditor identifies related parties or significant related-party transactions that management has not previously identified or disclosed to the auditor, the auditor shall:
|
| 550.23 | For identified significant related-party transactions outside the entity’s normal course of business, the auditor shall:
|
| 550.24 | If management has made an assertion in the financial statements to the effect that a related-party transaction was conducted on terms equivalent to those prevailing in an arm’s length transaction, the auditor shall obtain sufficient appropriate audit evidence about the assertion. (Ref: Para. A42–A45) |
In responding to the identified risks of material misstatement associated with related-party relationships and transactions, the auditor would consider the matters set out below.
Exhibit 12.3-1
Address | Description |
|---|---|
Where Auditor Identifies Arrangements or Information That Suggests Existence of Related-party Relationships or Transactions |
|
| Significant Related- party Transactions Outside Normal Course of Business |
|
| Management’s Assertions | Obtain sufficient appropriate audit evidence about management’s assertions about the nature and extent of related-party transactions. Consider whether external confirmation of the balances would provide reliable evidence. Consider the collectability and valuation of period-end balances. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 550.25 | In forming an opinion on the financial statements in accordance with ISA 700 (Revised), the auditor shall evaluate: (Ref: Para. A46)
|
| 550.26 | Where the applicable financial reporting framework establishes related-party requirements, the auditor shall obtain written representations from management and, where appropriate, those charged with governance that: (Ref: Para. A48–A49)
|
| 550.27 | Unless all of those charged with governance are involved in managing the entity, the auditor shall communicate with those charged with governance significant matters arising during the audit in connection with the entity’s related parties. (Ref: Para. A50) |
| 550.28 | The auditor shall include in the audit documentation the names of the identified related parties and the nature of the related-party relationships. |
The auditor would consider the following matters.
Exhibit 12.4-1
Address | Description |
|---|---|
| Document and Report |
|
| Obtain Management Representation | Obtain written representations from management (and those charged with governance) that:
|
| Determine if the Audit Opinion Needs to Be Modified | Modify the auditor’s report if:
|
Chapter Content | Relevant ISAs |
|---|---|
Auditor’s responsibility regarding subsequent events. | 560 |
| Paragraph # | ISA Objective(s) |
|---|---|
| 560.4 | The objectives of the auditor are:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 560.5 | For purposes of the ISAs, the following terms have the meanings attributed below:
|
This standard provides guidance on the auditor’s responsibility regarding subsequent events.
Subsequent events occur after the date of the financial statements (the period-end date). Other key dates in the preparation, audit, and release of financial statements are outlined in the exhibit below.
Exhibit 13.1-1
Loading...
“Subsequent events” refers to:
- Events occurring between the date of the financial statements and the date of the auditor’s report; and
- Facts that become known to the auditor after the date of the auditor’s report.
Note: ISA 560 (Revised) does not deal with matters relating to other information obtained after the date of the auditor’s report. This is addressed in ISA 720 (Revised). However, such other information may bring to light a subsequent event that is within the scope of ISA 560 (Revised).
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 560.6 | The auditor shall perform audit procedures designed to obtain sufficient appropriate audit evidence that all events occurring between the date of the financial statements and the date of the auditor’s report that require adjustment of, or disclosure in, the financial statements have been identified. The auditor is not, however, expected to perform additional audit procedures on matters to which previously applied audit procedures have provided satisfactory conclusions. (Ref: Para. A6) |
| 560.7 | The auditor shall perform the procedures required by paragraph 6 so that they cover the period from the date of the financial statements to the date of the auditor’s report, or as near as practicable thereto. The auditor shall take into account the auditor’s risk assessment in determining the nature and extent of such audit procedures, which shall include the following: (Ref: Para. A7–A8)
|
| 560.8 | If, as a result of the procedures performed as required by paragraphs 6 and 7, the auditor identifies events that require adjustment of, or disclosure in, the financial statements, the auditor shall determine whether each such event is appropriately reflected in those financial statements in accordance with the applicable financial reporting framework. |
| 560.9 | The auditor shall request management and, where appropriate, those charged with governance, to provide a written representation in accordance with ISA 580 that all events occurring subsequent to the date of the financial statements and for which the applicable financial reporting framework requires adjustment or disclosure have been adjusted or disclosed. |
| 560.10 | The auditor has no obligation to perform any audit procedures regarding the financial statements after the date of the auditor’s report. However, if, after the date of the auditor’s report but before the date the financial statements are issued, a fact becomes known to the auditor that, had it been known to the auditor at the date of the auditor’s report, may have caused the auditor to amend the auditor’s report, the auditor shall: (Ref: Para. A11–A12)
|
| 560.11 | If management amends the financial statements, the auditor shall:
|
| 560.12 | Where law, regulation or the financial reporting framework does not prohibit management from restricting the amendment of the financial statements to the effects of the subsequent event or events causing that amendment and those responsible for approving the financial statements are not prohibited from restricting their approval to that amendment, the auditor is permitted to restrict the audit procedures on subsequent events required in paragraph 11(b)(i) to that amendment. In such cases, the auditor shall either:
|
| 560.13 | In some jurisdictions, management may not be required by law, regulation or the financial reporting framework to issue amended financial statements and, accordingly, the auditor need not provide an amended or new auditor’s report. However, if management does not amend the financial statements in circumstances where the auditor believes they need to be amended, then: (Ref: Para. A14–A15)
|
| 560.14 | After the financial statements have been issued, the auditor has no obligation to perform any audit procedures regarding such financial statements. However, if, after the financial statements have been issued, a fact becomes known to the auditor that, had it been known to the auditor at the date of the auditor’s report, may have caused the auditor to amend the auditor’s report, the auditor shall:
|
| 560.15 | If management amends the financial statements, the auditor shall: (Ref: Para. A19)
|
| 560.16 | The auditor shall include in the new or amended auditor’s report an Emphasis of Matter paragraph or Other Matter(s) paragraph referring to a note to the financial statements that more extensively discusses the reason for the amendment of the previously issued financial statements and to the earlier report provided by the auditor. |
| 560.17 | If management does not take the necessary steps to ensure that anyone in receipt of the previously issued financial statements is informed of the situation and does not amend the financial statements in circumstances where the auditor believes they need to be amended, the auditor shall notify management and, unless all of those charged with governance are involved in managing the entity, those charged with governance, that the auditor will seek to prevent future reliance on the auditor’s report. If, despite such notification, management or those charged with governance do not take these necessary steps, the auditor shall take appropriate action to seek to prevent reliance on the auditor’s report. (Ref: Para. A20) |
This may be determined as shown in the exhibit below.
Exhibit 13.1-2
| Date of the Report | The earlier date on which those with the recognized authority:
|
| The Recognized Authority |
|
| Need for Shareholder Approval | Final approval by shareholders is not necessary for the auditor to conclude that sufficient appropriate audit evidence on which to base the auditor’s opinion on the financial statements has been obtained. |
In determining the existence of subsequent events and assessing their impact, the auditor would carry out the steps set out below.
Exhibit 13.1-3
Procedure | Description |
|---|---|
| Identify Any Subsequent Events | Perform audit procedures to identify any subsequent events that would require adjustment of, or disclosure in, the financial statements. This would include:
|
| Obtain Written Representations | Consider whether written representations covering particular subsequent events may be necessary to support other audit evidence, and thereby obtain sufficient appropriate audit evidence. |
Facts Become Known to the Auditor (After Date of Auditor’s Report but before Financial Statements Are Issued) |
|
Facts Become Known to the Auditor (After the Financial Statements Are Issued) |
|
CONSIDER POINT It is in the interests of both auditor and the client to complete the work necessary to issue the auditor’s report on a timely basis. This will minimize the extent of work involved to identify, assess, and possibly disclose subsequent events in the financial statements. |
|---|
Subsequent events that become known after the date of the auditor’s report often result in additional audit work being required that affects account balances, accounting estimates, provisions, and other disclosures in the financial statements. In such situations, a new auditor’s report would be issued that would not be dated earlier than the date of approval of the amended financial statements.
However, for certain subsequent events, the additional audit work required can be restricted solely to the amendment of the financial statements as described in the relevant note to the financial statements. In these situations (assuming local laws or regulations permit), the original date of the auditor’s report would be retained, but a new date is added (dual dating) to inform readers that the auditor’s procedures subsequent to the original date were restricted to the subsequent amendment.
An example of a situation involving dual dating:
- The original auditor’s report was dated September 15, 20XX;
- On October 22, 20XX, the entity announced the sale of a major part of its business. A new note (Y) describing the event was prepared by management for inclusion in the financial statements; and
- The audit work performed on the details of note Y was completed on November 3, 20XX.
The revised wording for dual dating the auditor’s report would be as follows:
“September 15, 20XX except as to Note Y, which is as of November 3, 20XX.”
Chapter Content | Relevant ISAs |
|---|---|
Auditor’s responsibility with respect to going concern and the implications for the auditor’s report. | 570 (Revised) |
Exhibit 14.0-1
Loading...
| Paragraph # | ISA Objective(s) |
|---|---|
| 570.9 | The objectives of the auditor are:
|
The assumption that the entity will continue as a going concern is fundamental to the preparation of financial statements.
ISA 570 (Revised) provides guidance on the auditor’s responsibility in the audit of financial statements with respect to the going concern assumption and management’s assessment of the entity’s ability to continue as a going concern.
For listed entities and others that are reporting on key audit matters, the identification of a material uncertainty relating to going concern would certainly meet the criteria of a key audit matter. However, going concern uncertainties are not reported as key audit matters in the auditor’s report. Instead, they are reported in a separate section of the audit report headed “Material uncertainty related to going concern”. Refer to ISA 570 (Revised) for examples of audit reports containing a going concern uncertainty.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 570.2 | Under the going concern basis of accounting, the financial statements are prepared on the assumption that the entity is a going concern and will continue its operations for the foreseeable future. General purpose financial statements are prepared using the going concern basis of accounting, unless management either intends to liquidate the entity or to cease operations, or has no realistic alternative but to do so. Special purpose financial statements may or may not be prepared in accordance with a financial reporting framework for which the going concern basis of accounting is relevant (e.g., the going concern basis of accounting is not relevant for some financial statements prepared on a tax basis in particular jurisdictions). When the use of the going concern basis of accounting is appropriate, assets and liabilities are recorded on the basis that the entity will be able to realize its assets and discharge its liabilities in the normal course of business. (Ref: Para. A2) |
When using the going concern basis of accounting, an entity is ordinarily viewed as continuing in business for the foreseeable future with neither the intention nor the necessity of liquidation, ceasing trading, or seeking protection from creditors pursuant to laws or regulations. Accordingly, assets and liabilities are recorded on the basis that the entity will be able to realize its assets and discharge its liabilities in the normal course of business.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 570.10 | When performing risk assessment procedures as required by ISA 315 (Revised), the auditor shall consider whether events or conditions exist that may cast significant doubt on the entity’s ability to continue as a going concern. In so doing, the auditor shall determine whether management has already performed a preliminary assessment of the entity’s ability to continue as a going concern, and: (Ref: Para. A3–A6)
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 570.11 | The auditor shall remain alert throughout the audit for audit evidence of events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern. (Ref: Para. A7) |
The requirements can be summarized as shown in the exhibit below.
Exhibit 14.2-1
Loading...
Examples of some events or conditions that, individually or collectively, may cast significant doubt about the use of the going concern basis of accounting are set out below.
Exhibit 14.2-2
Indicators | Descriptions |
|---|---|
| Financial |
|
| Operating |
|
| Other |
|
The significance of the above events or conditions often can be mitigated by other factors. For example, the effect of an entity being unable to make its normal debt repayments may be counterbalanced by management’s plans to maintain adequate cash flows by alternative means, such as by disposing of assets, rescheduling loan repayments, or obtaining additional capital. Similarly, the loss of a principal supplier may be mitigated by the availability of a suitable alternative source of supply.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 570.12 | The auditor shall evaluate management’s assessment of the entity’s ability to continue as a going concern. (Ref: Para. A8–A10; A12–A13) |
| 570.13 | In evaluating management’s assessment of the entity’s ability to continue as a going concern, the auditor shall cover the same period as that used by management to make its assessment as required by the applicable financial reporting framework, or by law or regulation if it specifies a longer period. If management’s assessment of the entity’s ability to continue as a going concern covers less than twelve months from the date of the financial statements as defined in ISA 560, the auditor shall request management to extend its assessment period to at least twelve months from that date. (Ref: Para. A11–A13) |
| 570.14 | IIn evaluating management’s assessment, the auditor shall consider whether management’s assessment includes all relevant information of which the auditor is aware as a result of the audit. |
| 570.15 | The auditor shall inquire of management as to its knowledge of events or conditions beyond the period of management’s assessment that may cast significant doubt on the entity’s ability to continue as a going concern. (Ref: Para. A14–A15) |
Management of smaller entities may not have prepared a detailed assessment of the entity’s ability to continue as a going concern. They may rely instead on their in-depth knowledge of the business and anticipated future prospects.
The auditor’s typical evaluation procedures would include:
- Discussing medium- and long-term financing with management;
- Corroborating management’s intentions with the understanding of the entity obtained and documentary evidence;
- Satisfying the requirement for management to extend its assessment period to at least 12 months. This could be achieved through discussion, inquiry, and inspection of supporting documentation, and the results evaluated by the auditor as to their feasibility. For example, a prediction of future sales revenues could be supported by potential sales orders or sales contracts; and
- Inquiring if management has knowledge of events/conditions beyond the period of management’s assessment that would cast significant doubt on the entity’s ability to continue as a going concern.
Particular factors that could cast significant doubt on the entity’s ability to continue as a going concern include:
- The entity’s ability to withstand adverse conditions
Small entities may be able to respond quickly to exploit opportunities, but may lack reserves to sustain operations.
- Availability of financing
This could include banks and other lenders ceasing to support the entity. It could also include a withdrawal or major alteration in the terms of a loan or loan guarantees from the owner-manager (or other related parties such as family members).
- Other major changes
This could include the possible loss of a principal supplier, major customer, key employee, or the right to operate under a license, franchise, or other legal agreement. The following exhibit sets out the auditor’s procedures in these situations.
Exhibit 14.3-1
Address | Descriptions |
|---|---|
| Documentary Evidence Available | Document:
|
| Additional Support Available | Evaluate the ability of the owner-manager or other related parties to:
|
| Other Major Changes | Address the impact on operations of a major change such as loss of key customer, supplier, key employee, or loss of sales revenue due to technical obsolescence, new competition, etc. |
| Request Written Confirmations | Request written confirmation of the:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 570.16 | If events or conditions have been identified that may cast significant doubt on the entity’s ability to continue as a going concern, the auditor shall obtain sufficient appropriate audit evidence to determine whether or not a material uncertainty exists related to events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern (hereinafter referred to as “material uncertainty”) through performing additional audit procedures, including consideration of mitigating factors. These procedures shall include: (Ref: Para. A16)
|
Where the auditor identifies going concern events/conditions, the next step is to perform additional procedures (including consideration of mitigating factors) to determine whether or not a material uncertainty exists.
Events or conditions may be identified that cast doubt on the entity’s ability to continue as a going concern. A material uncertainty exists when the magnitude of its potential impact and likelihood of occurrence is such that, in the auditor’s judgment, appropriate disclosure of the nature and implications of the uncertainty is necessary for the fair presentation of the financial statements, or, in the case of a compliance framework, for the financial statements not to be misleading.
Management’s action plans to address going concern issues typically include one or more of the following strategies:
- Liquidating assets;
- Borrowing money or restructuring debt;
- Reducing or delaying expenditures;
- Restructuring operations, including products and services;
- Seeking a merger or acquisition; or
- Increasing capital.
The following exhibit sets out the steps the auditor would take to address going concern issues.
Exhibit 14.4-1
Address | Descriptions |
|---|---|
| Obtaining Management’s Assessment and Plan | If not already provided, request management to make an assessment of the entity’s ability to continue as a going concern. |
| Evaluating Management’s Plans of Action | Evaluate management’s future actions to address the going concern assessment. Address:
Also consider the impact of any additional facts or information since the date management made its assessment and plans. |
| Obtaining Written Confirmations | Request written representations from management (and those charged with governance) regarding their plans for future action and feasibility. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 570.17 | The auditor shall evaluate whether sufficient appropriate audit evidence has been obtained regarding, and shall conclude on, the appropriateness of management’s use of the going concern basis of accounting in the preparation of the financial statements. |
| 570.18 | Based on the audit evidence obtained, the auditor shall conclude whether, in the auditor’s judgment, a material uncertainty exists related to events or conditions that, individually or collectively, may cast significant doubt on the entity’s ability to continue as a going concern. A material uncertainty exists when the magnitude of its potential impact and likelihood of occurrence is such that, in the auditor’s judgment, appropriate disclosure of the nature and implications of the uncertainty is necessary for: (Ref: Para. A21–A22)
|
| 570.19 | If the auditor concludes that management’s use of the going concern basis of accounting is appropriate in the circumstances but a material uncertainty exists, the auditor shall determine whether the financial statements: (Ref: Para. A22–A23)
|
| 570.20 | If events or conditions have been identified that may cast significant doubt on the entity’s ability to continue as a going concern but, based on the audit evidence obtained, the auditor concludes that no material uncertainty exists, the auditor shall evaluate whether, in view of the requirements of the applicable financial reporting framework, the financial statements provide adequate disclosures about these events or conditions. (Ref: Para. A24–A25) |
| 570.21 | If the financial statements have been prepared using the going concern basis of accounting but, in the auditor’s judgment, management’s use of the going concern basis of accounting in the preparation of the financial statements is inappropriate, the auditor shall express an adverse opinion. (Ref: A26–A27) |
| 570.22 | If adequate disclosure about the material uncertainty is made in the financial statements, the auditor shall express an unmodified opinion and the auditor’s report shall include a separate section under the heading “Material Uncertainty Related to Going Concern” to: (Ref: Para. A28–A31, A34)
|
| 570.23 | If adequate disclosure about the material uncertainty is not made in the financial statements, the auditor shall: (Ref: Para. A32–A34)
to continue as a going concern and that the financial statements do not adequately disclose this matter. |
| 570.24 | If management is unwilling to make or extend its assessment when requested to do so by the auditor, the auditor shall consider the implications for the auditor’s report. (Ref: Para. A35) |
| 570.25 | Unless all those charged with governance are involved in managing the entity, the auditor shall communicate with those charged with governance events or conditions identified that may cast significant doubt on the entity’s ability to continue as a going concern. Such communication with those charged with governance shall include the following:
|
| 570.26 | If there is significant delay in the approval of the financial statements by management or those charged with governance after the date of the financial statements, the auditor shall inquire as to the reasons for the delay. If the auditor believes that the delay could be related to events or conditions relating to the going concern assessment, the auditor shall perform those additional audit procedures necessary, as described in paragraph 16, as well as consider the effect on the auditor’s conclusion regarding the existence of a material uncertainty, as described in paragraph 18. |
The final step is to determine the impact of identified events/conditions on the audit report and communicate the decision to management and those charged with governance, where applicable. The following exhibit summarizes the requirements.
Exhibit 14.5-1
Loading...
Chapter Content | Relevant ISAs |
|---|---|
A summary of audit requirements in specific ISAs that are not addressed elsewhere in this Guide. | 250 (Revised), 402, 501, 510, 600, 610 (Revised 2013), 620, 720 (Revised) |
This chapter contains a summary of the audit requirements contained in the ISAs that have not been specifically addressed elsewhere in the Guide, as set out in the exhibit below.
Exhibit 15.1-1
ISA | Title | Chapter Reference |
|---|---|---|
| 250 (Revised) | Consideration of Laws and Regulations in an Audit of Financial Statements | V1-15.2 |
| 402 | Audit Considerations Relating to an Entity Using a Service Organization | V1-15.3 |
| 501 | Audit Evidence — Specific Considerations for Selected Items | V1-15.4 |
| 510 | Initial Audit Engagements — Opening Balances | V1-15.5 |
| 600 | Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors) | V1-15.6 |
610 (Revised 2013) | Using the Work of Internal Auditors | V1-15.7 |
| 620 | Using the Work of an Auditor’s Expert | V1-15.8 |
| 720 (Revised) | The Auditor’s Responsibilities Relating to Other Information | V1-15.9 |
Exhibit 15.2-1
Loading...
| Paragraph # | ISA Objective(s) |
|---|---|
| 250.11 | The objectives of the auditor are:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 250.12 | For the purposes of this ISA, the following term has the meaning attributed below: Non-compliance – Acts of omission or commission intentional or unintentional, committed by the entity, by those charged with governance, by management, or by other individuals working for or under the direction of the entity, which are contrary to the prevailing laws or regulations. Non-compliance does not include personal misconduct unrelated to the business activities of the entity. (Ref: Para. A9–A10) |
ISA 250 (Revised) distinguishes the auditor’s responsibilities in relation to compliance with two different categories of laws and regulations as follows:
(a) The provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements such as tax and pension laws and regulations; and
(b) Other laws and regulations that do not have a direct effect on the determination of the amounts and disclosures in the financial statements, but compliance with which may be fundamental to:
- the operating aspects of the business;
- the entity’s ability to continue its business; and
- avoiding material penalties (e.g., non-compliance with the terms of an operating license, regulatory solvency requirements, or environmental regulations).
Non-compliance with such laws and regulations may therefore have a material effect on the financial statements.
Acts of non-compliance with laws and regulations includes:
(a) Transactions entered into by, or in the name of, the entity, or on its behalf, by those charged with governance, by management or by other individuals working for or under the direction of the entity.
(b) Personal misconduct related to the business activities of the entity. For example, a key management person accepting, in a personal capacity, a bribe from a supplier of the entity in return for securing the appointment of that supplier to provide services or contracts to the entity.
Some of the categories of laws and regulations where noncompliance would likely have an effect on the financial statements include:
(a) fraud, corruption and bribery
(b) money laundering, terrorist financing and proceeds of crime
(c) securities markets and trading
(d) banking and other financial products and services
(e) data protection
(f) tax and pension liabilities and payments
(g) environmental protection
(h) public health and safety
The responsibility for the prevention and detection of non-compliance with laws and regulations rests with management and those charged with governance. Management actions to address these risks could include:
- Maintaining a register of significant laws, and a record of any complaints received;
- Monitoring legal requirements and designing procedures/internal controls to ensure compliance with these requirements;
- Engaging legal advisors to assist in monitoring legal requirements
- Developing, publicizing, implementing, and following a code of conduct; and
- Ensuring employees are properly trained and understand the code of conduct.
Differing requirements are specified for each of the two categories of laws and regulations. For those generally recognized to have a direct effect the auditor’s responsibility is to obtain sufficient appropriate evidence regarding compliance with the provisions of those laws and regulations. For those that do not have a direct effect the auditor’s responsibility is limited to undertaking specified audit procedures to help identify non-compliance with those laws and regulations that may have a material effect on the financial statements.
The auditor is also required to respond appropriately to identified or suspected non-compliance with laws and regulations identified during the audit (for example, there may be additional communication requirements).
Note that the auditor is not responsible for preventing non-compliance with laws and regulations and cannot be expected to detect non-compliance with all laws and regulations.
Whether an act constitutes non-compliance with laws and regulations is a matter to be determined by a court or other adjudicative body. However, an auditor’s training, experience and understanding of the entity and its industry or sector may provide a basis to recognize that some acts, coming to the auditor’s attention, may constitute non-compliance with laws and regulations.
When the auditor identifies instances of non-compliance, the impact on the financial statements and other aspects of the audit (such as the integrity of management/employees) will need to be considered.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 250.13 | As part of obtaining an understanding of the entity and its environment in accordance with ISA 315 (Revised), the auditor shall obtain a general understanding of:
|
Risk assessment procedures involve obtaining a general understanding of the legal and regulatory framework and how the entity complies with that framework. Obtaining this general understanding could include the matters set out below.
Exhibit 15.2-2
Address | Descriptions |
|---|---|
| Identifying Laws and Regulations Relevant to the Financial Statements | What laws and regulations address:
|
| Making Inquiries of Management |
|
| Inspecting Relevant Correspondence | Review correspondence, reports, and other interactions with relevant licensing and regulatory authorities. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 250.14 | The auditor shall obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements. (Ref: Para. A12) |
| 250.15 | The auditor shall perform the following audit procedures to help identify instances of non- compliance with other laws and regulations that may have a material effect on the financial statements: (Ref: Para. A13–A14)
|
| 250.16 | During the audit, the auditor shall remain alert to the possibility that other audit procedures applied may bring instances of non-compliance or suspected non-compliance with laws and regulations to the auditor’s attention. (Ref: Para. A15) |
| 250.17 | The auditor shall request management and, where appropriate, those charged with governance to provide written representations that all known instances of non-compliance or suspected non-compliance with laws and regulations whose effects should be considered when preparing financial statements have been disclosed to the auditor. (Ref: Para. A16) |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 250.18 | In the absence of identified or suspected non-compliance, the auditor is not required to perform audit procedures regarding the entity’s compliance with laws and regulations, other than those set out in paragraphs 13–17. |
The audit plan would address matters such as outlined in the following exhibit.
Exhibit 15.2-3
Address | Descriptions |
|---|---|
| Identifying Instances of Non-Compliance? | Audit procedures could include:
|
| Inquiries of Management and TCWG | Ask management and, where appropriate, TCWG whether the entity is in compliance with those laws and regulations laws (already identified) that may have a material effect on the financial statements. |
| Obtaining Evidence | Some provisions in the laws and regulations may be directly relevant to specific assertions in an account balance while others may be directly relevant to the financial statements as a whole. The auditor is required to obtain sufficient appropriate audit evidence regarding the determination of amounts and disclosures in the financial statements to show compliance (or not) with the relevant provisions of those laws and regulations. |
| Obtaining Management Representations | Require management to confirm that all known instances of identified or suspected non-compliance with laws and regulations have been disclosed. |
The following matters may provide an indication of non-compliance with laws and regulations:
Exhibit 15.2-4
Consider: | |
|---|---|
| Indicators of Non- Compliance With Laws and Regulations | Investigations by regulatory organizations and government departments or payment of fines or penalties. |
| Payments for unspecified services or loans to consultants, related parties, employees or government employees. | |
| Sales commissions or agent's fees that appear excessive in relation to those ordinarily paid by the entity or in its industry or to the services actually received. | |
| Purchasing at prices significantly above or below market price. | |
| Unusual payments in cash, purchases in the form of cashiers' cheques payable to bearer or transfers to numbered bank accounts. | |
| Unusual transactions with companies registered in tax havens. | |
| Payments for goods or services made other than to the country from which the goods or services originated. | |
| Payments without proper exchange control documentation. | |
| Existence of an information system which fails, whether by design or by accident, to provide an adequate audit trail or sufficient evidence. | |
| Unauthorized transactions or improperly recorded transactions. | |
| Adverse media comment. | |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 250.19 | If the auditor becomes aware of information concerning an instance of non-compliance or suspected non-compliance with laws and regulations, the auditor shall obtain: (Ref: Para. A17–A18)
|
| 250.20 | If the auditor suspects there may be non-compliance, the auditor shall discuss the matter, unless prohibited by law or regulation, with the appropriate level of management and, where appropriate, those charged with governance. If management or, as appropriate, those charged with governance, do not provide sufficient information that supports that the entity is in compliance with laws and regulations and, in the auditor's judgment, the effect of the suspected non-compliance may be material to the financial statements, the auditor shall consider the need to obtain legal advice. (Ref: Para. A20–A22) |
| 250.21 | If sufficient information about suspected non-compliance cannot be obtained, the auditor shall evaluate the effect of the lack of sufficient appropriate audit evidence on the auditor’s opinion. |
| 250.22 | The auditor shall evaluate the implications of identified or suspected non-compliance in relation to other aspects of the audit, including the auditor’s risk assessment and the reliability of written representations, and take appropriate action. (Ref: Para. A23–A25) |
| 250.23 | Unless all of those charged with governance are involved in management of the entity, and therefore are aware of matters involving identified or suspected non-compliance already communicated by the auditor, the auditor shall communicate, unless prohibited by law or regulation, with those charged with governance matters involving non-compliance with laws and regulations that come to the auditor’s attention during the course of the audit, other than when the matters are clearly inconsequential. |
| 250.24 | If, in the auditor’s judgment, the non-compliance referred to in paragraph 23 is believed to be intentional and material, the auditor shall communicate the matter with those charged with governance as soon as practicable. |
| 250.25 | If the auditor suspects that management or those charged with governance are involved in non-compliance, the auditor shall communicate the matter to the next higher level of authority at the entity, if it exists, such as an audit committee or supervisory board. Where no higher authority exists, or if the auditor believes that the communication may not be acted upon or is unsure as to the person to whom to report, the auditor shall consider the need to obtain legal advice. |
When instances of possible non-compliance with laws and regulations are suspected, the auditor would respond as set out in the following exhibit.
Exhibit 15.2-5
Steps | Auditor Response |
|---|---|
| 1. | Obtain an understanding of the nature of the act and the circumstances. This should be sufficient to evaluate the possible effect on the financial statements or determine whether there are other reporting responsibilities. |
| 2. | Document the findings and discuss them with the appropriate level of management (unless prohibited to do so by law or regulation). If non-compliance is believed to be intentional and material, the auditor should communicate the finding without delay. When adequate information about suspected non-compliance and the potential effects on the financial statement cannot be verified, the auditor should consider the effect of the lack of sufficient appropriate audit evidence on the auditor’s report. |
| 3. | Evaluate the implications of identified or suspected non-compliance in relation to other aspects of the audit. In particular, consider the reliability of management representations where management or those charged with governance are involved or are aware of the matter. |
| 4. | Report the matter to the next higher level of authority if it involves senior management or those charged with governance. Where no higher authority exists, the auditor would consider the need to obtain legal advice. |
| 5. | Consider the potential implications of identified or suspected non-compliance for the Auditor's Report and any requirement to report to an appropriate authority outside the entity. This would include the group auditors where relevant. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 250.26 | If the auditor concludes that the identified or suspected non-compliance has a material effect on the financial statements, and has not been adequately reflected in the financial statements, the auditor shall, in accordance with ISA 705 (Revised), express a qualified opinion or an adverse opinion on the financial statements. |
| 250.27 | If the auditor is precluded by management or those charged with governance from obtaining sufficient appropriate audit evidence to evaluate whether non-compliance that may be material to the financial statements has, or is likely to have, occurred, the auditor shall express a qualified opinion or disclaim an opinion on the financial statements on the basis of a limitation on the scope of the audit in accordance with ISA 705 (Revised). |
| 250.28 | If the auditor is unable to determine whether non-compliance has occurred because of limitations imposed by the circumstances rather than by management or those charged with governance, the auditor shall evaluate the effect on the auditor's opinion in accordance with ISA 705 (Revised). |
| 250.29 | If the auditor has identified or suspects non-compliance with laws and regulations, the auditor shall determine whether law, regulation or relevant ethical requirements: Ref: Para. A28-A34)
|
If after discussion with management the auditor concludes that the identified or suspected non-compliance has a material effect on the financial statements and has not been adequately reflected then a modified opinion may be required as outlined below:
Conclusion reached | Auditor’s Response |
|---|---|
| Non-compliance has a material effect of the F/S | Express a qualified opinion or an adverse opinion on the financial statements in accordance with ISA 705 (Revised). |
| Management placed a scope limitation on work performed | Express a qualified opinion or disclaim an opinion on the financial statements on the basis of a limitation on the scope of the audit in accordance with ISA 705 (Revised). |
| Limitations on work performed imposed by the circumstances rather than by management or TCWG | Evaluate the effect on the auditor's opinion in accordance with ISA 705 (Revised). |
In addition to the reporting implications for the auditor’s report it may be necessary to report identified or suspected non-compliance with laws and regulations to an appropriate authority outside of the entity. This would apply where:
(a) Law, regulation or relevant ethical requirements require the auditor to report;
(b) The auditor has determined reporting is an appropriate action to respond to identified or suspected non-compliance in accordance with relevant ethical requirements; or
(c) Law, regulation or relevant ethical requirements provide the auditor with the right to.
For example, the IESBA Code requires the auditor to take steps to respond to identified or suspected non- compliance with laws and regulations and determine whether further action is needed, which may include reporting to an appropriate authority outside the entity. The IESBA Code explains that such reporting would not be considered a breach of the duty of confidentiality under the IESBA Code. However, in certain circumstances reporting may be precluded by the auditor’s duty of confidentiality under law, regulation or relevant ethical requirements.
The auditor is required to discuss suspected non-compliance with the appropriate level of management and, where appropriate, those charged with governance, as they may be able to provide additional audit evidence. However, in some jurisdictions law or regulation may restrict the auditor’s communication of certain matters with management and those charged with governance. Law or regulation may specifically prohibit a communication, or other action, that might prejudice an investigation by an appropriate authority into an actual, or suspected, illegal act. In these circumstances, the auditor may consider it appropriate to obtain legal advice.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 250.30 | The auditor shall include in the audit documentation identified or suspected non- compliance with laws and regulations and: (Ref: Para. A35–A36)
|
Typical documentation will include: | |
|---|---|
| Work Performed | Details of the procedures performed, the significant professional judgments made and the conclusions reached. |
| Relevant Documents | Copies of relevant records or documents. |
| Discussions and Conclusions | Notes on discussions held in relation to possible non-compliance with management, those charged with governance (TCWG), or other parties outside the entity. These notes should also include managements and TCWG’s responses to the matters raised and the conclusions reached. |
| Other Requirements | Any additional documentation requirements as set out in laws, regulations or relevant ethical requirements regarding identified or suspected non-compliance with laws and regulations. |
| Paragraph # | ISA Objective(s) |
|---|---|
| 402.7 | The objectives of the user auditor, when the user entity uses the services of a service organization, are:
|
Exhibit 15.3-1
Loading...
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 402.8 | For purposes of the ISAs, the following terms have the meanings attributed below:
|
Many entities (including very small ones) often outsource certain financial processing activities such as:
- Payroll;
- Internet sales;
- IT services;
- Asset management (inventory warehousing, investments, etc.); and
- Bookkeeping services. This would include processing of transactions, maintaining accounting records, and preparing financial statements.
These third-party organizations (providing services relevant to financial reporting) are referred to as “service organizations.”
Where service organizations are used, the auditor needs to consider the effect of such arrangements on the entity’s internal control. This includes:
- Obtaining sufficient information to assess the risks of material misstatement; and
- Designing an appropriate response.
In smaller entities, the outsourced services may well be important to the ongoing operation of the entity, but may not be relevant to the audit. This would occur where there are sufficient internal controls within the entity to address the risks of material misstatement, or where substantive audit procedures can be performed to address the identified risks.
CONSIDER POINT Using a service organization to prepare financial statements does not relieve management (and those charged with governance) of their responsibilities for the financial statements. |
|---|
There are two types of reports that service organizations can provide to their users:
- Type 1 reports — description and design of controls at a service organization
These reports provide evidence about the design and implementation of controls, but not their operating effectiveness. Such reports may be informative, but are of limited use to the auditor in understanding whether the key controls at the service organization operated effectively during the period being audited.
- Type 2 reports — description, design, and operating effectiveness of controls
These reports can be used by the auditor to consider whether:
- The controls tested by the service organization auditor are relevant to the entity’s transactions, account balances, disclosures, and related assertions, and
- The service organization auditor’s tests of controls and the results are adequate (i.e., the length of the period covered by the service organization auditor’s tests, and the time elapsed since the performance of those tests).
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 402.9 | When obtaining an understanding of the user entity in accordance with ISA 315 (Revised), the user auditor shall obtain an understanding of how a user entity uses the services of a service organization in the user entity’s operations, including: (Ref: Para. A1–A2)
|
| 402.10 | When obtaining an understanding of internal control relevant to the audit in accordance with ISA 315 (Revised), the user auditor shall evaluate the design and implementation of relevant controls at the user entity that relate to the services provided by the service organization, including those that are applied to the transactions processed by the service organization. (Ref: Para. A12–A14) |
| 402.11 | The user auditor shall determine whether a sufficient understanding of the nature and significance of the services provided by the service organization and their effect on the user entity’s internal control relevant to the audit has been obtained to provide a basis for the identification and assessment of risks of material misstatement. |
| 402.12 | If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall obtain that understanding from one or more of the following procedures:
(Ref: Para. A15–A20) |
Where service organizations are used, the auditor would consider the matters set out in the exhibit below.
Exhibit 15.3-2
Address | Descriptions |
|---|---|
| What Services (Relevant to the Audit) are Provided? |
|
| What Relevant Internal Controls are in Place? |
|
| Extent of Reliance Placed on Controls in Place at Service Organization? |
|
CONSIDER POINT Check the wording of service organization reports for possible restrictions as to use. Such restrictions can apply to management, the service organization and its customers, and the entity’s auditors. |
|---|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 402.13 | In determining the sufficiency and appropriateness of the audit evidence provided by a type 1 or type 2 report, the user auditor shall be satisfied as to:
|
| 402.14 | If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditor’s understanding about the design and implementation of controls at the service organization, the user auditor shall:
(Ref: Para. A22–A23) |
| 402.15 | In responding to assessed risks in accordance with ISA 330, the user auditor shall:
|
| 402.16 | When the user auditor’s risk assessment includes an expectation that controls at the service organization are operating effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from one or more of the following procedures:
|
| 402.17 | If, in accordance with paragraph 16(a), the user auditor plans to use a type 2 report as audit evidence that controls at the service organization are operating effectively, the user auditor shall determine whether the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment by:
|
| 402.19 | The user auditor shall inquire of management of the user entity whether the service organization has reported to the user entity, or whether the user entity is otherwise aware of, any fraud, non-compliance with laws and regulations or uncorrected misstatements affecting the financial statements of the user entity. The user auditor shall evaluate how such matters affect the nature, timing and extent of the user auditor’s further audit procedures, including the effect on the user auditor’s conclusions and user auditor’s report. (Ref: Para. A41) |
In responding to the assessed risks, the auditor would consider the following matters.
Exhibit 15.3-3
Address | Descriptions |
|---|---|
| Can Necessary Evidence Be Obtained from within Entity? | If yes, obtain sufficient appropriate audit evidence concerning the relevant financial statement assertions involved. If no, perform additional procedures to obtain evidence, such as using another auditor to perform procedures at the service organization on the user auditor’s behalf. |
| Determine Extent of Reliance That Can Be Placed on the Type 1 or Type 2 Report |
Note that a type 1 report provides no evidence that the internal controls at the service organization operated effectively over a period of time. If a type 2 report is not available, it may be necessary for the auditor to perform tests of controls at the service organization, or use another auditor to perform such tests. |
Testing User Records and Controls | Where possible, obtain sufficient appropriate audit evidence concerning the relevant financial statement assertions from the records held by the user entity. |
| Obtaining Audit Evidence from the Service Organization | If user records are not sufficient, obtain audit evidence about the operating effectiveness of controls at the service organization by:
|
| Making Inquiries about Significant Events (Fraud, etc.) | Inquire of management whether they have become aware (or received notice from the service organization) of any fraud, non-compliance with laws and regulations, or uncorrected misstatements that could affect the financial statements. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 402.20 | The user auditor shall modify the opinion in the user auditor’s report in accordance with ISA 705 (Revised) if the user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organization relevant to the audit of the user entity’s financial statements. (Ref: Para. A42) |
| 402.21 | The user auditor shall not refer to the work of a service auditor in the user auditor’s report containing an unmodified opinion unless required by law or regulation to do so. If such reference is required by law or regulation, the user auditor’s report shall indicate that the reference does not diminish the user auditor’s responsibility for the audit opinion. (Ref: Para. A43) |
| 402.22 | If reference to the work of a service auditor is relevant to an understanding of a modification to the user auditor’s opinion, the user auditor’s report shall indicate that such reference does not diminish the user auditor’s responsibility for that opinion. (Ref: Para. A44) |
When a type 1 or 2 report from a service organization is used, the auditor’s report on the entity would not make reference to the service organization’s report unless required by law.
However, when the user auditor proposes a modified auditor’s report because of a modified opinion in a service auditor’s report, the user auditor is not precluded from referring to the service auditor’s report if doing so helps to explain the reason for the user auditor’s modified opinion. In such cases, the user auditor is required to note within their audit report that the reference to the service auditor does not diminish the user auditor’s own responsibility for the opinion.
| Paragraph # | ISA Objective(s) |
|---|---|
| 501.3 | The objective of the auditor is to obtain sufficient appropriate audit evidence regarding the:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 501.4 | If inventory is material to the financial statements, the auditor shall obtain sufficient appropriate audit evidence regarding the existence and condition of inventory by:
|
| 501.5 | If physical inventory counting is conducted at a date other than the date of the financial statements, the auditor shall, in addition to the procedures required by paragraph 4, perform audit procedures to obtain audit evidence about whether changes in inventory between the count date and the date of the financial statements are properly recorded. (Ref: Para. A9–A11) |
| 501.6 | If the auditor is unable to attend physical inventory counting due to unforeseen circumstances, the auditor shall make or observe some physical counts on an alternative date, and perform audit procedures on intervening transactions. |
| 501.7 | If attendance at physical inventory counting is impracticable, the auditor shall perform alternative audit procedures to obtain sufficient appropriate audit evidence regarding the existence and condition of inventory. If it is not possible to do so, the auditor shall modify the opinion in the auditor’s report in accordance with ISA 705 (Revised). (Ref: Para. A12–A14) |
| 501.8 | If inventory under the custody and control of a third party is material to the financial statements, the auditor shall obtain sufficient appropriate audit evidence regarding the existence and condition of that inventory by performing one or both of the following:
|
Where inventory is material to the financial statements, the auditor would address its existence and condition as set out below.
Exhibit 15.4-1
Procedure | Descriptions |
|---|---|
| Attend the Physical Count |
|
| Confirm/Inspect Inventory Held by Others |
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 501.9 | The auditor shall design and perform audit procedures in order to identify litigation and claims involving the entity which may give rise to a risk of material misstatement, including: (Ref: Para. A17-A19)
|
| 501.10 | If the auditor assesses a risk of material misstatement regarding litigation or claims that have been identified, or when audit procedures performed indicate that other material litigation or claims may exist, the auditor shall, in addition to the procedures required by other ISAs, seek direct communication with the entity’s external legal counsel. The auditor shall do so through a letter of inquiry, prepared by management and sent by the auditor, requesting the entity’s external legal counsel to communicate directly with the auditor. If law, regulation or the respective legal professional body prohibits the entity’s external legal counsel from communicating directly with the auditor, the auditor shall perform alternative audit procedures. (Ref: Para. A21–A25) |
| 501.11 | If:
the auditor shall modify the opinion in the auditor’s report in accordance with ISA 705 (Revised). |
| 501.12 | The auditor shall request management and, where appropriate, those charged with governance to provide written representations that all known actual or possible litigation and claims whose effects should be considered when preparing the financial statements have been disclosed to the auditor and accounted for and disclosed in accordance with the applicable financial reporting framework. |
To identify litigation and claims which may give rise to a risk of material misstatement, the auditor would perform the procedures set out in the following table.
Exhibit 15.4-2
Procedure | Descriptions |
|---|---|
| Make Inquiries and Review Relevant Documents |
|
| Communicate with External Legal Counsel | Where litigation or claims are identified or suspected, the auditor would request a letter of inquiry, prepared by management and sent by the auditor, requesting external legal counsel to communicate details of claims, etc. directly with the auditor. If this procedure is prohibited, or where management refuses permission to contact external counsel, alternative procedures would be performed, such as reviewing all the available documentation and making additional inquiries. If alternate procedures are insufficient, then the auditor’s opinion would be modified. |
| Obtain Management Representation | Request a written representation from management and those charged with governance that all known actual or possible litigation and claims have been disclosed and properly accounted for in the financial statements. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 501.13 | The auditor shall obtain sufficient appropriate audit evidence regarding the presentation and disclosure of segment information in accordance with the applicable financial reporting framework by: (Ref: Para. A26)
|
As segment information is often not applicable in the audit of SMEs, they have not been addressed any further in this Guide.
| Paragraph # | ISA Objective(s) |
|---|---|
| 510.3 | In conducting an initial audit engagement, the objective of the auditor with respect to opening balances is to obtain sufficient appropriate audit evidence about whether:
in accordance with the applicable financial reporting framework. |
This standard provides guidance regarding opening balances when the financial statements are audited for the first time, or when the financial statements for the prior period were audited by another auditor.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 510.5 | The auditor shall read the most recent financial statements, if any, and the predecessor auditor’s report thereon, if any, for information relevant to opening balances, including disclosures. |
| 510.6 | The auditor shall obtain sufficient appropriate audit evidence about whether the opening balances contain misstatements that materially affect the current period’s financial statements by: (Ref: Para. A1–A2)
|
| 510.7 | If the auditor obtains audit evidence that the opening balances contain misstatements that could materially affect the current period’s financial statements, the auditor shall perform such additional audit procedures as are appropriate in the circumstances to determine the effect on the current period’s financial statements. If the auditor concludes that such misstatements exist in the current period’s financial statements, the auditor shall communicate the misstatements with the appropriate level of management and those charged with governance in accordance with ISA 450. |
| 510.8 | The auditor shall obtain sufficient appropriate audit evidence about whether the accounting policies reflected in the opening balances have been consistently applied in the current period’s financial statements, and whether changes in the accounting policies have been appropriately accounted for and adequately presented and disclosed in accordance with the applicable financial reporting framework. |
| 510.9 | If the prior period’s financial statements were audited by a predecessor auditor and there was a modification to the opinion, the auditor shall evaluate the effect of the matter giving rise to the modification in assessing the risks of material misstatement in the current period’s financial statements in accordance with ISA 315 (Revised). |
| 510.10 | If the auditor is unable to obtain sufficient appropriate audit evidence regarding the opening balances, the auditor shall express a qualified opinion or disclaim an opinion on the financial statements, as appropriate, in accordance with ISA 705 (Revised). (Ref: Para. A8) |
| 510.11 | If the auditor concludes that the opening balances contain a misstatement that materially affects the current period’s financial statements, and the effect of the misstatement is not appropriately accounted for or not adequately presented or disclosed, the auditor shall express a qualified opinion or an adverse opinion, as appropriate, in accordance with ISA 705 (Revised). |
| 510.12 | If the auditor concludes that:
the auditor shall express a qualified opinion or an adverse opinion as appropriate in accordance with ISA 705 (Revised). |
| 510.13 | If the predecessor auditor’s opinion regarding the prior period’s financial statements included a modification to the auditor’s opinion that remains relevant and material to the current period’s financial statements, the auditor shall modify the auditor’s opinion on the current period’s financial statements in accordance with ISA 705 (Revised) and ISA 710. (Ref: Para. A9) |
The requirements are summarized below.
Exhibit 15.5-1
Address | Descriptions |
|---|---|
| Do Opening Balances Contain Misstatements That Could Affect the Current Period? |
|
| Determine Impact on Current Period of Identified Misstatements |
|
| Determine Impact on Audit Opinion | If the predecessor auditor’s modified audit opinion remains relevant or the opening balances contain a misstatement that materially affects the current period’s financial statements (the effect of which was not appropriately accounted for, presented, or disclosed), a qualified opinion or an adverse opinion would be necessary. The need for an “other matters” paragraph should also be considered. |
| Paragraph # | ISA Objective(s) |
|---|---|
| 600.8 | The objectives of the auditor are:
of their work on financial information related to components and their findings; and
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 600.9 | For purposes of the ISAs, the following terms have the meanings attributed below:
(i) that is of individual financial significance to the group, or (ii) that, due to its specific nature or circumstances, is likely to include significant risks of material misstatement of the group financial statements. (Ref: Para. A5–A6) |
This standard provides guidance on the special considerations that apply to group audits. It outlines responsibilities, communications and requirements for and between the:
- Group engagement partners, group engagement teams; and
- Component auditors who perform work (such as auditing a division, branch, or subsidiary of the group) on behalf of the group engagement team and then report on the results.
The requirements outlined may also be useful for other situations where an auditor involves another auditor in some part of the audit of financial statements. (This could include observing an inventory count or performing specific procedures at a remote location.)
CONSIDER POINT The definition of a group component is broad. Before concluding that this standard is not applicable, ensure that a significant component does not in fact exist. A component could result from the entity’s organizational structure (such as subsidiaries, divisions, branches, joint ventures, or investees accounted for by the equity or cost methods of accounting) or financial reporting systems organized by function, product, service, or geographical location. If a significant component exists, this standard outlines a number of requirements relating to:
|
|---|
Note: On the assumption that group audits are not that common in the audit of SMEs, the following exhibit contains only extracts from the many requirements contained in the standard.
Exhibit 15.6-1
Summarized Extracts from the Requirements Section | |
|---|---|
| Responsibility 600.11 |
|
Acceptance/ Continuance and Planning 600.12-16 |
|
| Understanding the Group, Its Components and Their Environments 600.17-18 | The group engagement team shall obtain an understanding that is sufficient to:
|
| Understanding the Component Auditor 600.19-20 | If the group engagement team plans to request a component auditor to perform work on the financial information of a component, the group engagement team shall obtain an understanding of:
|
| Materiality 600.21-23 | The group engagement team shall determine:
The group team shall also evaluate the appropriateness of performance materiality determined by the component auditor at the component level. |
| Responding to Assessed Risks 600.24-31 | The auditor is required to design and implement appropriate responses to address the assessed risks of material misstatement of the financial statements. The group engagement team shall:
For a component that is significant due to its individual financial significance to the group, the group engagement team, or a component auditor on its behalf, shall perform an audit of the financial information of the component using component materiality. |
| Consolidation Process 600.32-37 | The group engagement team shall design and perform further audit procedures on the consolidation process to respond to the assessed risks of material misstatement of the group financial statements arising from the consolidation process. This shall include evaluating whether all components have been included in the group financial statements. If the group financial statements include the financial statements of a component with a financial reporting period end that differs from that of the group, the group engagement team shall evaluate whether appropriate adjustments have been made to those financial statements in accordance with the applicable financial reporting framework. |
| Subsequent Events 600.38-39 | The group engagement team or the component auditors shall perform procedures designed to identify subsequent events that may require adjustment to or disclosure in the group financial statements. The group engagement team shall request the component auditors to notify the group engagement team if they become aware of subsequent events. |
| Communication with the Component Auditor 600.40-41 | The group engagement team shall communicate its requirements to the component auditor on a timely basis. This communication shall set out the work to be performed, the use to be made of that work, and the form and content of the component auditor’s communication with the group engagement team. This would include:
The group engagement team shall request the component auditor to communicate matters relevant to the group engagement team’s conclusion with regard to the group audit. For example:
|
Evaluating the Sufficiency and Appropriateness of Audit Evidence Obtained 600.42-45 | The group engagement team shall:
If the work of the component auditor is insufficient, the group engagement team shall determine what additional procedures are to be performed, and whether they are to be performed by the component auditor or by the group engagement team. The group engagement team shall evaluate whether sufficient appropriate audit evidence has been obtained from the audit procedures performed. The group engagement partner shall evaluate the effect on the group audit opinion of any uncorrected misstatements, and any instances where there has been an inability to obtain sufficient appropriate audit evidence. |
Communication with Group Management and Those Charged with Governance of the Group 600.46-49 | The group engagement team shall determine which identified deficiencies in internal control to communicate to group management and those charged with governance. If fraud has been identified, the group engagement team shall communicate this on a timely basis to the appropriate level of group management. The group engagement team shall communicate the following matters:
|
| Documentation 600.50 | The group engagement team shall include in the audit documentation the following matters:
the work performed by the component auditors on significant components, including, where applicable, the group engagement team’s review of relevant parts of the component auditors’ audit documentation and conclusions thereon; and
|
| Paragraph # | ISA Objective(s) |
|---|---|
| 610.13 | The objectives of the external auditor, where the entity has an internal audit function and the external auditor expects to use the work of the function to modify the nature or timing, or reduce the extent, of audit procedures to be performed directly by the external auditor, or to use internal auditors to provide direct assistance, are:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 315.6 | The risk assessment procedures shall include the following:
|
| 610.14 | For purposes of the ISAs, the following terms have the meanings attributed below:
|
Some (mostly larger) entities have an internal audit function with a mandate to review governance and risk management practices, monitor the operation of internal controls and provide reports on their findings, along with recommendations, for senior management and those charged with governance.
Note: Because the likelihood of an SME having an internal audit function is much lower than for listed or larger entities, this Guide does not cover ISA 610 (Revised 2013) in detail.
Exhibit 15.7-1
Loading...
Whenever an internal audit function exists within an entity, the auditor is required by paragraph 6 in ISA 315 (Revised) to obtain an understanding of the work of the internal audit function. This understanding will enable the auditor to determine whether to use the work of the internal audit function to either:
- Modify the nature or timing, or reduce the extent, of audit procedures to be performed directly by the external auditor; or
- Use internal auditors to provide direct assistance, in obtaining audit evidence.
Note: In some jurisdictions the external auditor may be prohibited by law or regulation from obtaining direct assistance from internal auditors.
Where the auditor decides to use the work of the internal auditor, the requirements of ISA 610 (Revised 2013) as summarized below are to be followed.
CONSIDER POINT Always take the time to understand the work of the internal audit function and review their findings. This applies even where the auditor ultimately decides not to rely on the work performed by internal audit. Without making inquiries about what internal audit does, as required by ISA 315.6 (Revised), it is possible that significant weaknesses in control or some other negative findings, reported upon by internal audit, could be missed. |
|---|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 610.15 | The external auditor shall determine whether the work of the internal audit function can be used for purposes of the audit by evaluating the following:
(Ref: Para. A5–A9)
|
| 610.16 | The external auditor shall not use the work of the internal audit function if the external auditor determines that:
|
| 610.17 | As a basis for determining the areas and the extent to which the work of the internal audit function can be used, the external auditor shall consider the nature and scope of the work that has been performed, or is planned to be performed, by the internal audit function and its relevance to the external auditor's overall audit strategy and audit plan. (Ref: Para. A15–A17) |
| 610.18 | The external auditor shall make all significant judgments in the audit engagement and, to prevent undue use of the work of the internal audit function, shall plan to use less of the work of the function and perform more of the work directly: (Ref: Para. A15–A17)
|
| 610.19 | The external auditor shall also evaluate whether, in aggregate, using the work of the internal audit function to the extent planned would still result in the external auditor being sufficiently involved in the audit, given the external auditor's sole responsibility for the audit opinion expressed. (Ref: Para. A15–A22) |
| 610.20 | The external auditor shall, in communicating with those charged with governance an overview of the planned scope and timing of the audit in accordance with ISA 260 (Revised), communicate how the external auditor has planned to use the work of the internal audit function. (Ref: Para. A23) |
| Using the Work of the Internal Audit Function | |
| 610.21 | If the external auditor plans to use the work of the internal audit function, the external auditor shall discuss the planned use of its work with the function as a basis for coordinating their respective activities. (Ref: Para. A24–A26) |
| 610.22 | The external auditor shall read the reports of the internal audit function relating to the work of the function that the external auditor plans to use to obtain an understanding of the nature and extent of audit procedures it performed and the related findings. |
| 610.23 | The external auditor shall perform sufficient audit procedures on the body of work of the internal audit function as a whole that the external auditor plans to use to determine its adequacy for purposes of the audit, including evaluating whether:
(Ref: Para. A27–A30) |
| 610.24 | The nature and extent of the external auditor's audit procedures shall be responsive to the external auditor's evaluation of:
and shall include reperformance of some of the work. (Ref: Para. A30) |
| 610.25 | The external auditor shall also evaluate whether the external auditor’s conclusions regarding the internal audit function in paragraph 15 of this ISA and the determination of the nature and extent of use of the work of the function for purposes of the audit in paragraphs 18-19 of this ISA remain appropriate. |
| Determining Whether, in Which Areas, and to What Extent Internal Auditors Can be Used to Provide Direct Assistance | |
| 610.26 | The external auditor may be prohibited by law or regulation from obtaining direct assistance from internal auditors. If so, paragraphs 27–35 and 37 do not apply. (Ref: Para. A31) |
| 610.27 | If using internal auditors to provide direct assistance is not prohibited by law or regulation, and the external auditor plans to use internal auditors to provide direct assistance on the audit, the external auditor shall evaluate the existence and significance of threats to objectivity and the level of competence of the internal auditors who will be providing such assistance. The external auditor's evaluation of the existence and significance of threats to the internal auditors' objectivity shall include inquiry of the internal auditors regarding interests and relationships that may create a threat to their objectivity. (Ref: Para. A32–A34) |
| 610.28 | The external auditor shall not use an internal auditor to provide direct assistance if:
|
| Determining the Nature and Extent of Work that Can Be Assigned to Internal Auditors Providing Direct Assistance | |
| 610.29 | In determining the nature and extent of work that may be assigned to internal auditors and the nature, timing and extent of direction, supervision and review that is appropriate in the circumstances, the external auditor shall consider:
|
| 610.30 | The external auditor shall not use internal auditors to provide direct assistance to perform procedures that:
|
| 610.31 | Having appropriately evaluated whether and, if so, to what extent internal auditors can be used to provide direct assistance on the audit, the external auditor shall, in communicating with those charged with governance an overview of the planned scope and timing of the audit in accordance with ISA 260 (Revised), communicate the nature and extent of the planned use of internal auditors to provide direct assistance so as to reach a mutual understanding that such use is not excessive in the circumstances of the engagement. (Ref: Para. A39) |
| 610.32 | The external auditor shall evaluate whether, in aggregate, using internal auditors to provide direct assistance to the extent planned, together with the planned use of the work of the internal audit function, would still result in the external auditor being sufficiently involved in the audit, given the external auditor's sole responsibility for the audit opinion expressed. |
| Using Internal Auditors to Provide Direct Assistance | |
| 610.33 | Prior to using internal auditors to provide direct assistance for purposes of the audit, the external auditor shall:
|
| 610.34 | The external auditor shall direct, supervise and review the work performed by internal auditors on the engagement in accordance with ISA 220. In so doing:
The direction, supervision and review by the external auditor of the work performed by the internal auditors shall be sufficient in order for the external auditor to be satisfied that the internal auditors have obtained sufficient appropriate audit evidence to support the conclusions based on that work. (Ref: Para. A40–A41) |
| 610.35 | In directing, supervising and reviewing the work performed by internal auditors, the external auditor shall remain alert for indications that the external auditor's evaluations in paragraph 27 are no longer appropriate. |
| Documentation | |
| 610.36 | If the external auditor uses the work of the internal audit function, the external auditor shall include in the audit documentation:
|
| 610.37 | If the external auditor uses internal auditors to provide direct assistance on the audit, the external auditor shall include in the audit documentation:
|
In larger entities, an internal audit department is often established to monitor the effectiveness of various aspects of internal control. The scope of internal audit activities could include:
- Monitoring of certain elements of internal control;
- Examination of financial and operating information;
- Review of operating activities;
- Review of compliance with laws and regulations;
- Risk management; and/or
- Governance.
Wherever an internal audit function exists ISA 315 (Revised), requires the auditor to understand the role and work performed by internal audit. This includes:
- the nature of the internal audit function’s responsibilities;
- its organizational status; and
- the activities performed, or to be performed.
Based on the auditor’s understanding of the internal audit function, they can now decide on whether to:
- Use the work of the internal audit function to modify the nature or timing, or extent, of audit procedures that the external auditor will directly perform. For example, if the scope of internal audit work includes a review of internal controls over financial reporting, the external auditor may rely on the work of the internal auditor (subject to its adequacy) to modify the nature and extent of the external auditor’s procedures; or
- Use internal auditors to provide direct assistance (where it is not prohibited by law or regulation). The internal auditors would be asked to perform audit procedures under the direction, supervision and review of the external auditor.
This decision is summarized in the following exhibit:
Exhibit 15.7-2
Loading...
Once it is decided to use the work of internal audit, the next question is to determine in which areas to use their work, and to what extent. Such planning decisions can usefully be addressed during the discussions among engagement team members. Refer to ISA 320.5 and chapter 7 of this guide.
Notes:
(a) In some jurisdictions, it is prohibited to use the direct assistance of the internal audit function.
(b) Because internal auditors are hired by the entity and form part of its internal control, they are not completely independent. Consequently, their work should not be relied upon to the same extent as that performed by the external audit team.
CONSIDER POINT The external auditor should be careful in deciding on the type/nature of work to be delegated to internal auditors. For example, internal auditors should not be used to provide direct assistance to perform certain procedures, including those that:
|
|---|
The following exhibit outlines a summary of the requirements.
Exhibit 15.7-3
Task | Considerations |
|---|---|
| Obtain an Understanding of the Nature of the Internal Audit Function’s Responsibilities |
|
| Will Internal Audit Work Be Appropriate for External Audit Purposes? |
|
| What Effect Will Reliance on Internal Audit Work Have on the External Audit? | Consider:
|
| Evaluate the Adequacy of Internal Work for External Audit Reliance |
|
| Document Results |
|
The following exhibit outlines matters to be addressed when obtaining direct Assistance from an Internal Auditor.
Exhibit 15.7-4
Address… | Comments |
|---|---|
| Objectivity | Are there significant threats to the objectivity of the internal auditors? |
| Competence | Are the internal auditors competent to perform the required work? |
| Terms of Agreement | Obtain written agreements from an authorized representative of the entity stating that:
|
| Confidentiality | Obtain written agreement from the internal auditors that they will keep confidential specific matters as instructed by the external auditor, and immediately inform the external auditor of any threat to their objectivity. |
| Work to be Performed | Ensure a clear understanding exists about the nature and extent of the work performed by the internal auditors. Ensure procedures are not prohibited in accordance with ISA 610 (Revised 2013) para. 30. |
| Communication and Working Papers | Agree on what needs to be communicated as work progresses and the form and content of working papers to be prepared. |
The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work or direct assistance of the internal auditors. Consequently, no reference would be made in the external auditor’s report to the work of the internal auditors.
| Paragraph # | ISA Objective(s) |
|---|---|
| 620.5 | Objectives of the auditor are:
|
Exhibit 15.8-1
Loading...
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 620.6 | For purposes of the ISAs, the following terms have the meanings attributed below:
|
In some situations, the auditor may require expertise (other than accounting or auditing) to obtain sufficient appropriate audit evidence. This could involve using the work of an auditor’s expert who would provide audit evidence in the form of reports, opinions, valuations, and statements. Some examples are included in the exhibit below.
Exhibit 15.8-2
| Need for an Auditor’s Expert? |
|
This standard provides guidance on how the work of an auditor’s expert can be used as appropriate audit evidence. In some cases, an auditor who is not an expert in a relevant field other than accounting or auditing may be able to obtain a sufficient understanding of that field to perform the audit without an auditor’s expert. Such an understanding may be obtained through:
- Experience in auditing entities requiring similar expertise.
- Education or professional development in the particular field. This may include formal courses or discussion (but not consultation where all the relevant facts are provided) with experts in the relevant field.
- Discussion with auditors who have performed similar engagements.
Note: Regardless of whether the work of an expert is used or not, the auditor maintains sole responsibility for the audit opinion expressed.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 620.7 | If expertise in a field other than accounting or auditing is necessary to obtain sufficient appropriate audit evidence, the auditor shall determine whether to use the work of an auditor’s expert. (Ref: Para. A4–A9) |
| 620.8 | The nature, timing and extent of the auditor's procedures with respect to the requirements in paragraphs 9-13 of this ISA will vary depending on the circumstances. In determining the nature, timing and extent of those procedures, the auditor shall consider matters including: (Ref: Para. A10)
|
| 620.9 | The auditor shall evaluate whether the auditor’s expert has the necessary competence, capabilities and objectivity for the auditor’s purposes. In the case of an auditor’s external expert, the evaluation of objectivity shall include inquiry regarding interests and relationships that may create a threat to that expert’s objectivity. (Ref: Para. A14–A20) |
| 620.10 | The auditor shall obtain a sufficient understanding of the field of expertise of the auditor’s expert to enable the auditor to: (Ref: Para. A21–A22)
|
| 620.11 | The auditor shall agree, in writing when appropriate, on the following matters with the auditor’s expert: (Ref: Para. A23–A26)
|
The exhibit below summarizes the considerations relating to engaging an auditor’s expert.
Exhibit 15.8-3
Loading...
Exhibit 15.8-4
Consider | Discussion |
|---|---|
| Is an Auditor’s Expert Needed to Obtain Audit Evidence? | Consider need in relation to:
|
| What Audit Procedures are Required? | Consider:
|
| Is Chosen Auditor’s Expert Competent, Capable, and Objective? |
in the circumstances of the engagement (e.g. geographic location and the availability of time and resources).
Other factors to consider include:
|
| Do We (Auditor) Understand Expert’s Field of Expertise? | Is there sufficient understanding of the auditor’s expert’s field of work to:
|
| Agree on Terms of Engagement | In establishing the terms of engagement, consider factors such as the following:
The written agreement would address:
Appendix to ISA 620 sets out matters that the auditor may consider for inclusion in any written agreement with an auditor’s external expert. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 620.12 | The auditor shall evaluate the adequacy of the auditor’s expert’s work for the auditor’s purposes, including: (Ref: Para. A32)
|
| 620.13 | If the auditor determines that the work of the auditor’s expert is not adequate for the auditor’s purposes, the auditor shall: (Ref: Para. A40)
|
Exhibit 15.8-5
Loading...
If the results of the expert’s work are unsatisfactory or inconsistent with other evidence, the auditor should resolve the matter. This may involve:
- Discussions with the entity and the expert;
- Applying additional audit procedures;
- Possibly engaging another expert; or
- Modifying the auditor’s report.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 620.14 | The auditor shall not refer to the work of an auditor’s expert in an auditor’s report containing an unmodified opinion unless required by law or regulation to do so. If such reference is required by law or regulation, the auditor shall indicate in the auditor’s report that the reference does not reduce the auditor’s responsibility for the auditor’s opinion. (Ref: Para. A41) |
| 620.15 | If the auditor makes reference to the work of an auditor’s expert in the auditor’s report because such reference is relevant to an understanding of a modification to the auditor’s opinion, the auditor shall indicate in the auditor’s report that such reference does not reduce the auditor’s responsibility for that opinion. (Ref: Para. A42) |
The auditor’s report would not refer to the work of an expert. Such a reference might be misunderstood to be a modification of the auditor’s opinion or a division of responsibility, neither of which is intended. However, if the auditor decides to issue a modified auditor’s report as a result of the expert’s involvement, it may be appropriate, in explaining the nature of the modification, to refer to or describe the work of the expert, including the identity of the expert and the extent of the expert’s involvement. In these circumstances, the auditor would obtain the permission of the expert before making such a reference. If permission is refused and the auditor believes a reference is necessary, the auditor may need to seek legal advice.
| Paragraph # | ISA Objective(s) |
|---|---|
| 720.11 | The objectives of the auditor, having read the other information, are:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 720.13 | The auditor shall: (Ref: Para. A11–A22)
|
| 720.14 | The auditor shall read the other information and, in doing so shall: (Ref: Para. A23–A24)
information (that are intended to be the same as, to summarize, or to provide greater detail about, the amounts or other items in the financial statements) with such amounts or other items in the financial statements; and (Ref: Para. A25–A29)
|
| 720.15 | While reading the other information in accordance with paragraph 14, the auditor shall remain alert for indications that the other information not related to the financial statements or the auditor’s knowledge obtained in the audit appears to be materially misstated. (Ref: Para. A24, A37–A38) |
| 720.16 | If the auditor identifies that a material inconsistency appears to exist (or becomes aware that the other information appears to be materially misstated), the auditor shall discuss the matter with management and, if necessary, perform other procedures to conclude whether: (Ref: Para. A39–A43)
|
| 720.17 | If the auditor concludes that a material misstatement of the other information exists, the auditor shall request management to correct the other information. If management:
|
| 720.18 | If the auditor concludes that a material misstatement exists in other information obtained prior to the date of the auditor’s report, and the other information is not corrected after communicating with those charged with governance, the auditor shall take appropriate action, including: (Ref: Para. A44)
|
| 720.19 | If the auditor concludes that a material misstatement exists in other information obtained after the date of the auditor’s report, the auditor shall:
(Ref: Para. A49–A50) |
| 720.20 | If, as a result of performing the procedures in paragraphs 14–15, the auditor concludes that a material misstatement in the financial statements exists or the auditor’s understanding of the entity and its environment needs to be updated, the auditor shall respond appropriately in accordance with the other ISAs. (Ref: Para. A51) |
| 720.21 | The auditor’s report shall include a separate section with a heading “Other Information,” or other appropriate heading, when, at the date of the auditor’s report:
|
| 720.22 | When the auditor’s report is required to include an Other Information section in accordance with paragraph 21, this section shall include: (Ref: Para. A53)
|
| 720.23 | When the auditor expresses a qualified or adverse opinion in accordance with ISA 705 (Revised), the auditor shall consider the implications of the matter giving rise to the modification of opinion for the statement required in paragraph 22(e). (Ref: Para. A54–A58) |
| 720.24 | If the auditor is required by law or regulation of a specific jurisdiction to refer to the other information in the auditor’s report using a specific layout or wording, the auditor’s report shall refer to International Standards on Auditing only if the auditor’s report includes, at a minimum: (Ref: Para. A59)
|
| 720.25 | In addressing the requirements of ISA 230 as it applies to this ISA, the auditor shall include in the audit documentation:
|
Management and those charged with governance (TCWG) may decide — or be required by law and regulation — to issue a report (typically annually) that contains or accompanies the financial statements and the auditor’s report thereon. Such paper or electronic reports provide owners or similar stakeholders with information on the entity’s developments, its future outlook and risks and uncertainties, a statement by the entity’s governing body, and reports covering governance matters (see definition in ISA 720 (Revised)).
Where other information is involved, the auditor has a responsibility to read and to consider whether the other information is materially inconsistent with the financial statements. The auditor’s knowledge obtained in the audit may indicate that there is a material misstatement in the financial statements or that a material misstatement of the other information exists. Any such misstatements may undermine the credibility of the financial statements and the auditor’s report. If an inconsistency is found, the auditor needs to take appropriate steps to respond.
CONSIDER POINT Do not assume (often based on past experience) that management has not prepared ‘other information’. Make inquiries each period to ensure that indeed no ‘other information’ is being presented before dismissing the requirements of ISA 720 (Revised). |
|---|
The auditor’s opinion on the financial statements does not cover the other information, nor is the auditor required to obtain audit evidence beyond that required to form an opinion on the financial statements in relation to the other information. However, the auditor may need to refer to other information in the auditor’s report in certain circumstances (See Chapter 17). ISA 720 (Revised) includes the following definitions for the annual report and other information:
Exhibit 15.9-1
Annual Report (ISA 720 Revised par. 12(a)) | Other Information (ISA 720 Revised par. 12(c)) |
|---|---|
A document, or combination of documents, prepared typically on an annual basis by management or those charged with governance in accordance with law, regulation or custom, the purpose of which is to provide owners (or similar stakeholders) with information on the entity’s operations and the entity’s financial results and financial position as set out in the financial statements. An annual report contains or accompanies the financial statements and the auditor’s report thereon and usually includes information about the entity’s developments, its future outlook and risks and uncertainties, a statement by the entity’s governing body, and reports covering governance matters. (Ref: Para. A1–A5) | Other information — Financial or non-financial information (other than financial statements and the auditor’s report thereon) included in an entity’s annual report. (Ref: Para. A8–A10) |
A misstatement of other information may be in quantitative or qualitative information. A misstatement is a matter of judgment about whether it could undermine the credibility of the financial statements by inappropriately influencing the economic decisions of users of the financial statements. Judgments about whether misstatements in the other information could impact the economic decisions of users is in context of the financial statements and takes into account the specific circumstances of the misstatement.
Consideration also needs to be given to whether users (as a group) could be influenced by the effect of the uncorrected misstatement. Not all misstatements will affect the economic decisions of the users. For example, if the other information purports to address key performance indicators used by management, then the omission of a key performance indicator could indicate that the other information is misleading.
Maintaining professional skepticism when reading the other information is also important. For example, the auditor should remain alert to management being overly optimistic in the other information, and look for inconsistencies with information in the financial statements with knowledge obtained during the audit.
Where other information, whether financial or non-financial information (other than the financial statements and the auditor’s report) are included in an entity’s annual report ISA 720 (Revised) outlines the auditor’s responsibilities in relation to this other information, including the following considerations:
Exhibit 15.9-2
Auditor’s responsibility | Considerations |
|---|---|
| Obtain the information | In obtaining and considering the nature of the other information, the auditor should determine, through discussion with management, which document(s) comprises the annual report (or other information to be presented with the financial statements) and planned manner and timing of its issuance. Ideally, the auditor would obtain this information before the date of the auditor’s report. |
| Read and consider the other information |
|
Respond when a material inconsistency appears to exist or the other information appears to be materially misstated | If other information appears to be materially misstated, the auditor’s discussions with management may include requesting support for the basis of the statements or amounts in the other information, which may help the auditor to conclude that the information is not misstated, because, for example, there may be a difference of judgment that is valid. The more subjective the other information is, the more difficult it may be for management to provide additional support. The auditor uses professional judgment to determine whether the additional support is sufficient to satisfy themselves that a material misstatement does not exist, or whether further action is required because a material misstatement does exist. |
Respond when the auditor concludes that a material misstatement of the other information exists | If it is concluded that a material misstatement exists and it has not been corrected, professional judgment is used to determine what further actions are required. This includes:
|
Respond when a material misstatement in the financial statements exists or the auditor’s understanding of the entity and its environment needs to be updated | The impact on the rest of the audit (e.g., the auditor’s understanding of the entity and its environment may need to be updated and that may have a further impact on the auditor’s assessment to the risks of material misstatement and subsequent work effort). |
| Report on the other information | The auditor’s report must include a separate section with a heading “Other Information” (or other appropriate heading), when, at the date of the auditor’s report:
|
An appropriate member of the engagement team means someone who has sufficient experience and knowledge of the audit and the financial statements to be able to identify inconsistencies between the other information and the information in the financial statements.
CONSIDER POINT Where some documents will not be available until after the date of the auditor's report, request management to provide a written representation that the final version of the document(s) will be provided prior to its issuance by entity. This will enable the auditor to complete the required procedures. In addition, a written management representation relating to the completeness of the information, as well as consistency with the information in the financial statements should be considered. |
|---|
Where other information is intended to be the same as, to summarize, or to provide greater detail about the amounts or other items in the financial statements, the auditor is not required to compare all amounts or other items in other information with those in the financial statements. The auditor uses their professional judgment as to which amounts or items to compare, taking into account the significance of the item or amount, the relative size (if quantitative), or the sensitivity of the amount or other item in the other information (for example, share-based payments to management may be particularly sensitive).
During the course of the audit, the auditor obtains knowledge about the entity, including about matters that are prospective in nature (such as future cash flows). This knowledge is gained through discussions, obtaining audit evidence and other related activities to obtain the audit evidence. For parts of the other information that, in the auditor’s determination, are of sufficient importance that the auditor has determined needs to be considered, the auditor considers whether there is a material inconsistency between the knowledge they have gained during the audit (for example by recalling the discussions and audit evidence gained and the conclusions reached) and that other information.
There may be information relating to other information that has not been discussed during the audit or may extend beyond the auditor’s knowledge obtained during the audit (for example sustainability information may be disclosed). The auditor also considers this information, as appropriate, bearing in mind relevant ethical requirements that require the auditor to avoid being knowingly associated with other information that they believe contains a materially false or misleading statement, or that omits or obscures necessary information such that the other information is misleading.
The nature and extent of work to be done on the other information is also a matter of professional judgment. The auditor’s responsibilities in relation to other information does not obligate the auditor to obtain evidence to be able to issue an assurance opinion on that information.
The following exhibit outlines the requirements when the auditor’s report is required to include other information:
Exhibit 15.9-3
| Reporting on Other Information | Requirements |
|---|---|
| A statement that management is responsible for the other information. | |
An identification of:
| |
| A statement that the auditor’s opinion does not cover the other information and that the auditor does not express (or will not express) an audit opinion or any form of assurance conclusion on the other information. | |
| A description of the auditor’s responsibilities relating to reading, considering and reporting on other information. | |
When other information has been obtained prior to the date of the auditor’s report, either:
|
When the auditor expresses a qualified or adverse opinion in accordance with ISA 705 (Revised), the auditor must consider the implications of the matter giving rise to the modification of opinion. If the auditor is required by law or regulation of a specific jurisdiction to refer to the other information in the auditor’s report using a specific layout or wording, the auditor’s report must refer to the ISAs only if the auditor’s report includes, at a minimum:
- Identification of the other information obtained by the auditor prior to the date of the auditor’s report;
- A description of the auditor’s responsibilities with respect to the other information; and
- An explicit statement addressing the outcome of the auditor’s work for this purpose.
The reporting implications related to other information are relevant to the reporting discussed in Chapter 17 of this Guide.
The auditor is required to document the procedures that have been performed in relation to the other information.
In addition, a copy of the final other information on which work has been performed should be included in the audit documentation.
A summary of some of the key requirements is outlined in the exhibit below.
Exhibit 15.9-1-4
Loading...
Chapter Content | Relevant ISAs |
|---|---|
The various requirements associated with the documentation of audit planning, audit evidence obtained, and its ultimate storage. | ISQC 1, 220, 230, 240, 300, 315 (Revised), 330 |
| Paragraph # | ISA Objective(s) |
|---|---|
| 230.5 | The objective of the auditor is to prepare documentation that provides:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 230.6 | For purposes of the ISAs, the following terms have the meanings attributed below:
|
| 230.7 | The auditor shall prepare audit documentation on a timely basis. (Ref: Para. A1) |
Audit file documentation (whether maintained on paper or electronically) plays a critical role in:
- Assisting the engagement team in planning and performing the audit;
- Providing evidence to demonstrate that the planned audit procedures were in fact performed;
- Assisting engagement reviewers (including engagement quality control reviewers) in carrying out their responsibilities in accordance with professional standards;
- Recording the judgments involved in forming the audit opinion; and
- Recording matters of continuing significance for future audits of the entity.
CONSIDER POINT There is no need to provide documentation about ISA requirements that are not relevant in the circumstances. This would apply where the entire ISA is not relevant (such as ISA 610 (Revised 2013), when the entity has no internal audit function), or where the ISA requirement is conditional and the condition does not exist. |
|---|
Good audit documentation is appropriately organized, and provides a record of the work done, the audit evidence obtained, the significant professional judgments applied, and the conclusions reached.
Exhibit 16.1-1
| The Need for Audit File Documentation |
|
Audit documentation for smaller entities will generally be less extensive than for larger entities. This particularly applies where:
- The engagement partner performs all the audit work. Documentation would not include matters related to team discussions, allocation of responsibilities, or supervision; and
- Some matters are so straightforward that they can be more conveniently addressed in a single document with cross-references to supporting working papers. This could include one or more of the areas such as the understanding of the entity and its internal control, the overall audit strategy and audit plan, materiality, assessed risks, significant matters noted, and the conclusions reached.
CONSIDER POINT Security and confidentiality of client data Accountants are seen as trusted advisers by their clients. This trust requires accounting firms to implement and maintain sufficient controls to protect client information contained in their engagement and other client information files. This issue is becoming ever more important where client data is being stored with third parties such as in the cloud. You can imagine how disgruntled clients would be if they found out that their information was stored without password protection or encryption, or on computer equipment that was stolen. In many jurisdictions there are now legal requirements that specifically address data security and confidentiality. Such requirements need to be understood and the necessary actions taken to ensure compliance. |
|---|
ISA 701 Communicating Key Audit Matters in the Independent Auditor’s Report addresses the key audit matters (KAM) to be included in the auditor’s report. This is required for listed entities but may also be applied as required by local law, regulation such as for “public interest entities,” or public sector entities. In addition, auditors may voluntarily, or at the request of management or TCWG, communicate KAM in the auditor’s report.
Where ISA 701 is applied, the determination of whether key audit matters exist or not is a matter of professional judgment. Such judgments need to be documented. (See ISA 230.8 and 230.A10).
This includes:
- The matters that required significant auditor attention in performing the audit;
- The rationale for the auditor’s determination as to whether or not each of these matters is a key audit matter to be communicated in the auditor’s report; and
- Where applicable, the rationale when:
+ There are no key audit matters to communicate in the auditor’s report.
+ The auditor does not communicate in the auditor’s report a matter determined to be a key audit matter.
Additional guidance on key audit matters is included in Chapter 17 of this Guide.
Section 15.9 of this guide addresses the requirements of ISA 720 (Revised) related to other information included in an entity’s annual report or published with the financial statements.
Where ISA 720 (Revised) is applied, the audit documentation should include the following:
- Documentation of the procedures performed under ISA 720 (Revised) related to the other information, and
- The final version of the other information on which the auditor has performed the work.
Many ISAs contain specific documentation requirements that serve to clarify the requirements of ISA 230. The following table provides a reference to the paragraphs in ISAs that outline specific documentation requirements. This does not imply that there are no documentation requirements in the ISAs that are not included in the following list.
Exhibit 16.1-2
ISA | Title | Paragraphs |
|---|---|---|
| 210 | Agreeing the Terms of Audit Engagements | 10-12 |
| 220 | Quality Control for an Audit of Financial Statements | 24-25 |
| 230 | Audit Documentation | All |
| 240 | The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements | 44-47 |
| 250 (Revised) | Consideration of Laws and Regulations in an Audit of Financial Statements | 29 |
| 260 (Revised) | Communication with Those Charged with Governance | 23 |
| 300 | Planning an Audit of Financial Statements | 12 |
| 315 (Revised) | Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment | 32 |
| 320 | Materiality in Planning and Performing an Audit | 14 |
| 330 | The Auditor’s Responses to Assessed Risks | 28-30 |
| 450 | Evaluation of Misstatements Identified During the Audit | 15 |
| 540 | Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures | 23 |
| 550 | Related Parties | 28 |
| 600 | Special Considerations — Audits of Group Financial Statements (Including the Work of Component Auditors) | 50 |
610 (Revised 2013) | Using the Work of Internal Auditors | 36-37 |
| 701 | Communicating Key Audit Matters in the Independent Auditor’s Report | 18 |
| 720 (Revised) | The Auditor’s Responsibility Relating to Other Information | 21-24 |
An area to be addressed by firm-wide policies is audit file organization and indexing. A consistent approach using a standard index has a number of advantages, such as the following:
- Enables specific working papers to be easily located and shared among audit team members;
- Facilitates file review by the various reviewers such as the manager, engagement partner, engagement quality control reviewer, and quality control monitors;
- Provides consistency between audit files in the firm; and
- Assists with quality control functions such as checking for missing sign-offs, invalid cross-references, and unclear review notes.
Audit documentation is usually organized into logical divisions of work using an indexing system. If the file is electronic, the indexing can be in the form of folders and sub-folders. As each piece of audit documentation is created, it will be given a unique reference that ties directly into the overall file index.
Two examples of possible audit file indices are summarized in the following exhibit. The first example groups documents according to the stage when documents are prepared in the audit process. Note that completion documents (on paper files) are usually filed near the top of the file for easy reference. The second index groups documents by the financial statement area such as payables, receivables, sales, etc. In this file, all the documents relating to risk assessment and risk response for inventory would be maintained under the inventory chapter. A third alternative would be to combine the two approaches with some documents organized by the stage in the audit process, and others by the financial statement area.
Exhibit 16.2-1
Index by Audit Phase (extracts from an index) | Index by Financial Statement Area (extracts from an index) | ||
|---|---|---|---|
| 100-200 | Financial statements and auditor’s report | 10 | Financial statements and auditor’s report |
| 201-300 | Tax returns, etc. | 11 | File completion memos, checklists, etc. |
| 301-400 | File completion such as memos on significant decisions, checklists and management representation letters | 12 | Overall audit strategy |
| 15 | Materiality | ||
| 401-500 | Audit planning, including audit strategy and materiality | A | Cash |
| C | Receivables | ||
| 501-600 | Risk assessment, including understanding the entity and internal control | D | Inventory |
| BB | Payables | ||
| 601-700 | Risk response, including detailed audit plans by financial statement area | DD | Long-term debt |
| 20 | Revenues | ||
| 701-799 | Other supporting documents such as trial balances and reports | 30 | Purchases |
| 40 | Payroll | ||
| 800 | Financial reporting frameworks | 50 | Taxation |
| 100 | Subsequent events | ||
| 120 | Contingencies | ||
| 150 | Other supporting documents such as trial balances and reports | ||
Common questions about audit documentation include the following.
Exhibit 16.3-1
Question | Response |
|---|---|
| Who Owns the Audit File? | Unless otherwise specified by legislation or regulation, audit documentation is the property of the audit firm. |
| Are Copies of Entity Records Examined Required to Be Kept on the Audit File? | No. All that is required is some identifying characteristics of the transactions/procedure being examined, so that the work could be replicated or exceptions investigated as necessary. Identifying characteristics include:
their respective responsibilities, and where/when the observation was carried out. However, abstracts or copies of the entity’s records (such as significant contracts and agreements) may be included if considered appropriate. |
| Does Each Page of the Audit File Need To Be Initialled and Dated by the Preparer and Then by the Reviewer? | No. The discipline of initialling working papers (as to who performed and who reviewed the audit work) has the effect of holding the engagement team accountable. However, this does not mean that each page of the working paper file needs to be initialled and dated. For example, the evidence of preparation and review could be indicated for each section, module or unit in the file rather than the individual pages. The preparation of working papers (typically at assistant level) and their detailed review (typically at the manager level) would involve initialling every working paper section, module or unit, whereas a general review (at the partner level) might involve only looking at key sections of the file where significant risks were addressed or significant professional judgments were made. |
| Should ALL Considerations and Use of Professional Judgments Be Documented? | No. It is neither necessary nor practicable for the auditor to document every matter considered, or professional judgment made. It is the significant matters and significant judgments made on those matters during the audit that need to be documented. Documentation of significant matters and judgments explains the auditor’s conclusions, and reinforces the quality of the judgments. This can often be achieved through the preparation of the significant issues memorandum at the completion of the audit. |
| Are Preliminary Drafts of Financial Statements Required To Be Kept if Materially Inconsistent with the Final Financial Statements? | No. There is no requirement to retain documentation that was incorrect or superseded. |
| Is It Necessary to Document Non- Compliance with ISA Requirements that Are Really Not Applicable to the Audit? | No. Other than in exceptional circumstances, compliance is required with each ISA requirement that is “relevant.” An ISA is clearly not relevant when the entire ISA is not applicable, or when an ISA requirement is conditional and the condition does not exist. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 240.44 | The auditor shall include the following in the audit documentation of the auditor’s understanding of the entity and its environment and the assessment of the risks of material misstatement required by ISA 315 (Revised):
|
| 240.47 | If the auditor has concluded that the presumption that there is a risk of material misstatement due to fraud related to revenue recognition is not applicable in the circumstances of the engagement, the auditor shall include in the audit documentation the reasons for that conclusion. |
| 300.12 | The auditor shall include in the audit documentation:
|
| 315.32 | The auditor shall include in the audit documentation:
(Ref: Para. A153–A156) |
Typical audit documentation would include the items listed below.
Exhibit 16.4-1
Risk Assessment Phase | Comments |
|---|---|
| Remember to update risk assessment documentation for:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 230.9 | In documenting the nature, timing and extent of audit procedures performed, the auditor shall record:
|
| 240.45 | The auditor shall include the following in the audit documentation of the auditor’s responses to the assessed risks of material misstatement required by ISA 330:
|
| 330.28 | The auditor shall include in the audit documentation:
|
| 330.30 | The auditor’s documentation shall demonstrate that information in the financial statements agree or reconcile with the underlying accounting records, including agreeing or reconciling disclosures, whether such information is obtained from within or outside of the general and subsidiary ledgers. |
Typical audit documentation would include the items below.
Exhibit 16.4-2
Risk Response Phase | Comments |
|---|---|
| Audit documentation should stand by itself and not need be supplemented by oral explanations. See experienced auditor discussion below. Take care in choosing the right population for the assertion being tested. Copies of client records inspected are not necessary on file, but some identifying characteristics(s), such as a number or date, etc., is required, so that a person could re-perform the test if necessary. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 230.10 | The auditor shall document discussions of significant matters with management, those charged with governance, and others, including the nature of the significant matters discussed and when and with whom the discussions took place. (Ref: Para. A14) |
| 230.11 | If the auditor identified information that is inconsistent with the auditor’s final conclusion regarding a significant matter, the auditor shall document how the auditor addressed the inconsistency. (Ref: Para. A15) |
| 230.12 | If, in exceptional circumstances, the auditor judges it necessary to depart from a relevant requirement in an ISA, the auditor shall document how the alternative audit procedures performed achieve the aim of that requirement, and the reasons for the departure. (Ref: Para. A18–A19) |
| 240.46 | The auditor shall include in the audit documentation communications about fraud made to management, those charged with governance, regulators and others. |
The following exhibit lists the typical audit documentation that addresses the reporting or file completion phase.
Exhibit 16.4-3
Reporting | Comments |
|---|---|
| Take notes of verbal discussions with management on significant matters and record their responses. This will help to ensure that audit documentation contains the reasoning for all significant decisions made. Include copies of relevant emails or text messages exchanged with the client that address significant matters. |
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 230.8 | The auditor shall prepare audit documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit, to understand: (Ref: Para. A2–A5, A16–A17)
|
The audit documentation should be such that an experienced auditor, who has had no previous connection with the audit, is able to understand (i.e., without the need for verbal explanations):
- The nature, timing, and extent of the audit procedures performed to comply with the applicable legal, regulatory and professional requirements;
- The results of the audit procedures and the audit evidence obtained; and
- The nature of significant matters arising and the conclusions reached.
Many accounting firms have replaced (or are in the process of replacing) paper-based engagement files with electronic files. In some cases, even though the work was performed and reviewed electronically, paper files are maintained as the permanent record of work performed. Documents/forms are initiated in digital form, client records are scanned electronically, and all data is stored electronically. It is printed on paper only after all the work is completed and reviewed.
There are two types of electronic documents:
- Work-in-process; and
- Static information.
Work-in-process consists of dynamic information that is being developed and updated as the audit progresses. Examples include blank audit forms and letter templates, industry knowledge and key performance indicators, questionnaires, logic trees, the firm’s policies, diagnostics and the previous period’s financial data, information, assumptions, etc. that may be used in performing this period’s analytical procedures. This information is often contained within software applications and electronic audit tools.
Static information consists of final file documents, such as the financial statements and completed working papers, that will not change and may well be required for reference in future years. Final or static documents must be retained in a format where the information can be retrieved easily in later years.
Leaving the information in a format used by a software application can be problematic if the software application is updated with a new file format. The old file may not be capable of being opened unless a copy of the old software application is also maintained. To overcome this problem, many firms are now saving their final file documents in a medium called portable document format (PDF). PDF has been accepted and used by government agencies and accounting firms around the world. The firm’s policies should state that final documents are not to be edited.
Maintaining audit files in an electronic form enables some administrative functions to be automated, and provides additional flexibility for engagement team members. For example:
- Specific working papers can be accessed directly from the index;
- Files and documents can be easily shared or reviewed with others in distant locations;
- New audit folders and documents can be created, renamed, moved, copied, or deleted from the index;
- The detailed index can be collapsed to reveal its overall structure, or expanded as needed, making it easier to see the big picture and locate key documents;
- Customized names can be given to important documents. This can help other team members to interpret the contents of a document from its name;
- Review functions can be automated such as checking all or part of the audit file for exceptions, outstanding review notes, and preparer/reviewer sign-offs;
- Engagement team members can share file documents by using electronic check-in and check-out tools;
- Certain documents can be password-protected for enhanced security; and
- Access to files can be restricted to authorized personnel.
There are three important principles to note when using electronic tools in working-paper preparation:
- All the requirements of the ISAs still apply;
- Electronic files require electronic document management. This addresses matters such as accessibility (such as password access), data security, application management (including training), back-up routines, edit rights, storage locations, review procedures, and decisions on what changes to files will be tracked to provide the necessary audit trail; and
- Final documents (all documents that are required to be maintained to support the audit opinion) must be retained and be accessible in accordance with the firm’s file retention policies.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 230.13 | If, in exceptional circumstances, the auditor performs new or additional audit procedures or draws new conclusions after the date of the auditor’s report, the auditor shall document: (Ref: Para. A20)
|
| 230.14 | The auditor shall assemble the audit documentation in an audit file and complete the administrative process of assembling the final audit file on a timely basis after the date of the auditor’s report. (Ref: Para. A21–A22) |
| 230.15 | After the assembly of the final audit file has been completed, the auditor shall not delete or discard audit documentation of any nature before the end of its retention period. (Ref: Para. A23) |
| 230.16 | In circumstances other than those envisaged in paragraph 13 where the auditor finds it necessary to modify existing audit documentation or add new audit documentation after the assembly of the final audit file has been completed, the auditor shall, regardless of the nature of the modifications or additions, document: (Ref: Para. A24)
|
The dating of the auditor’s report signifies that the audit work is complete. After that date, there is no continuing responsibility to seek further audit evidence. After the audit report date, the final assembly of audit files should take place on a timely basis. An appropriate time limit within which to complete the assembly of the final audit file is ordinarily not more than 60 days after the date of the auditor’s report. This is illustrated in the following exhibit. Refer to ISQC 1 and ISA 230 for more details.
Exhibit 16.7-1
Loading...
The requirements when making changes to audit file are as follows.
Exhibit 16.7-2
Period | Dates | Requirements |
|---|---|---|
| 1 | BETWEEN the Audit Report Date and Documentation Completion Date | For administrative changes:
For changes in the audit evidence or conclusions reached, additional documentation should be prepared that addresses three key questions:
|
| 2 | AFTER the Documentation Completion Date | NO documentation should be deleted or discarded from the audit file until the firm’s file retention period has expired. Where it is necessary to make additions (including amendments) to audit documentation after the documentation completion date, the three key questions about changes in audit evidence, outlined in Period 1 above, should be answered, regardless of the nature of the additions. |
Chapter Content | Relevant ISAs |
|---|---|
Requirements and considerations related to:
| 700 (Revised), 701 |
Exhibit 17.0-1
Loading...
| Paragraph # | ISA Objective(s) |
|---|---|
| 700.6 | The objectives of the auditor are:
|
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 700.7 | For purposes of the ISAs, the following terms have the meanings attributed below:
The term “fair presentation framework” is used to refer to a financial reporting framework that requires compliance with the requirements of the framework and:
The term “compliance framework” is used to refer to a financial reporting framework that requires compliance with the requirements of the framework, but does not contain the acknowledgements in (i) or (ii) above.
|
| 700.8 | Reference to “financial statements” in this ISA means “a complete set of general purpose financial statements.” The requirements of the applicable financial reporting framework determine the presentation, structure, and content of the financial statements, and what constitutes a complete set of financial statements. |
| 700.9 | Reference to “International Financial Reporting Standards” in this ISA means the International Financial Reporting Standards (IFRSs) issued by the International Accounting Standards Board, and reference to “International Public Sector Accounting Standards” means the International Public Sector Accounting Standards (IPSASs) issued by the International Public Sector Accounting Standards Board. |
The final step in the audit process is to evaluate the audit evidence obtained, consider the impact of any misstatements identified, form an audit opinion, and prepare an appropriately worded audit report.
This chapter addresses:
- Financial statements prepared in accordance with one or both of the two types of general purpose framework designed to meet the common financial-information needs of a wide range of users;
- Forming an opinion on a complete set of general purpose financial statements. This is based on an evaluation of the conclusions drawn from the audit evidence obtained (See Section 17.3);
- Expressing clearly that opinion through a written report that also describes the basis for that opinion (See Section 17.3);
- A review of reporting requirements relating to key audit matters (See Section 17.5);
- Requirement for listed entities to disclose the name of the engagement partner (See Section 17.6);
- Other reporting requirements, including for example reporting on other legal and regulatory requirements (See Section 17.7);
- The reporting implications of supplementary information presented in the financial statements (See Section 17.8); and
- The reporting implications when the auditor is required to report on compliance with national auditing standards and the ISAs. (See Section 17.9).
The preparation of the appropriate report can be complex and involves many ISAs. The following diagram provides a summary of the overarching standards related to the audit report and also indicates where the matter is discussed in this Guide:
Exhibit 17.1-1
Loading...
Generally, for audits of financial statements of SMEs conducted in accordance with ISAs, where KAM is not presented or other information is not attached, the wording of the unmodified auditor’s report will be standard. Of course, there will be exceptions where additional paragraphs are added, for example, for an emphasis of a matter or other reporting matters.
Consistency in the auditor’s report helps:
- Promote credibility in the global marketplace by making more readily identifiable those audits that have been conducted in accordance with globally recognized standards; and
- Promote the user’s understanding and helps to identify unusual circumstances (such as modifications to the auditor’s report) when they occur.
In some jurisdictions, the laws or regulations governing the audit of financial statements may prescribe different wording for the auditor’s opinion. However, the auditor’s responsibilities for forming the opinion remain the same. Where the wording differs significantly from the standard international wording, the auditor would consider the risk that users might misunderstand the assurance obtained. If such a risk exists, further explanation could be added to the auditor’s report.
The auditor’s opinion on the financial statements will be made in the context of an applicable “general purpose” framework. This is a financial reporting framework designed to meet the common financial information needs of a wide range of users. Acceptable frameworks include:
- International Financial Reporting Standard for Small and Medium-sized Entities;
- International Financial Reporting Standards; and
- International Public Sector Accounting Standards.
There are two types of general purpose frameworks: the “fair presentation framework” and the “compliance” framework.” These frameworks are described in the following exhibit.
Exhibit 17.2-1
Frameworks | Description |
|---|---|
| Fair Presentation Framework | A financial reporting framework (such as International Financial Reporting Standards) that requires compliance with the requirements of the framework, and:
The auditor reports on whether the financial statements “present fairly, in all material respects” or “give a true and fair view of” the information that the financial statements are designed to present. |
| Compliance Framework | A financial reporting framework that requires compliance with the requirements of the framework, but does not contain the acknowledgements in (i) or (ii) above for “fair” presentation. The auditor is not required to evaluate whether the financial statements achieve fair presentation. An example would be a financial reporting framework stipulated by a law or regulation that is designed to meet the financial information needs of a wide range of users. The auditor reports on whether the financial statements are prepared, in all material respects, in accordance with, for example, “Jurisdiction X Corporations Act.” |
A decision tree for forming an opinion under the two general purpose frameworks is outlined below.
Exhibit 17.2-2
Loading...
In some cases, the auditor may be required to conduct an audit in accordance with both frameworks. In these situations, the auditor’s opinion would refer to both the fair presentation framework and the applicable legal or regulatory requirements.
A reference in the auditor’s report to both International Standards on Auditing and the national auditing standards is appropriate when no conflict exists between the requirements of both sets of standards. If a conflict exists, the auditor’s report would only refer to the auditing standards (either International Standards on Auditing or the national auditing standards) in accordance with which one the auditor’s report has been prepared.
For example, ISA 570 (Revised) requires the auditor to add a separate section in the Auditor’s Report when a material uncertainty related to going concern exists whereas some national auditing standards prohibit such a paragraph.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| Forming an Opinion on the Financial Statements | |
| 700.10 | The auditor shall form an opinion on whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. |
| 700.11 | In order to form that opinion, the auditor shall conclude as to whether the auditor has obtained reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. That conclusion shall take into account:
|
| 700.12 | The auditor shall evaluate whether the financial statements are prepared, in all material respects, in accordance with the requirements of the applicable financial reporting framework. This evaluation shall include consideration of the qualitative aspects of the entity’s accounting practices, including indicators of possible bias in management’s judgments. (Ref: Para. A1–A3) |
| 700.13 | In particular, the auditor shall evaluate whether, in view of the requirements of the applicable financial reporting framework:
|
| 700.14 | When the financial statements are prepared in accordance with a fair presentation framework, the evaluation required by paragraphs 12-13 shall also include whether the financial statements achieve fair presentation. The auditor’s evaluation as to whether the financial statements achieve fair presentation shall include consideration of: (Ref: Para A7–A9)
|
| 700.15 | The auditor shall evaluate whether the financial statements adequately refer to or describe the applicable financial reporting framework. (Ref: Para. A10–A15) |
| Form of Opinion | |
| 700.16 | The auditor shall express an unmodified opinion when the auditor concludes that the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. |
| 700.17 | If the auditor:
|
| 700.18 | If financial statements prepared in accordance with the requirements of a fair presentation framework do not achieve fair presentation, the auditor shall discuss the matter with management and, depending on the requirements of the applicable financial reporting framework and how the matter is resolved, shall determine whether it is necessary to modify the opinion in the auditor’s report in accordance with ISA 705 (Revised). (Ref: Para. A16) |
| 700.19 | When the financial statements are prepared in accordance with a compliance framework, the auditor is not required to evaluate whether the financial statements achieve fair presentation. However, if in extremely rare circumstances the auditor concludes that such financial statements are misleading, the auditor shall discuss the matter with management and, depending on how it is resolved, shall determine whether, and how, to communicate it in the auditor’s report. (Ref: Para. A17) |
When forming an opinion, the auditor needs to ensure that the statements are prepared in accordance with the applicable financial reporting framework, as shown in the exhibit below.
Exhibit 17.3-1
Considerations | |
|---|---|
| Forming an Audit Opinion | Materiality Conclude whether:
|
Audit Evidence
| |
Accounting Policies
| |
| Forming an Audit Opinion (continued) | Financial Statement Disclosures
|
Fair Presentation Frameworks
| |
Compliance Frameworks
| |
Based on the results of the evaluations outlined above, the auditor would determine what form of audit report (unmodified or modified) is appropriate in the circumstances.
Note: Where KAM are included in the audit report, it does not alter or act as a substitute for modifications to the opinion when required by the circumstances of the specific audit engagement.
The auditor is required to express an opinion based on the audit findings and the evaluation of the overall financial statement presentation, including disclosures.
An unmodified opinion is expressed when the auditor concludes that the financial statements are presented, in all material respects, (or give a true and fair view of …) in accordance with the applicable financial reporting framework. (The wording of the opinion will depend on whether the auditor is reporting in accordance with a fair presentation or compliance framework.)
A modified opinion (ISA 705 (Revised)) is expressed when the auditor concludes, based on the audit evidence obtained, that:
(a) The financial statements as a whole are not free from material misstatement; or
(b) Sufficient appropriate audit evidence is unable to be obtained to conclude that the financial statements as a whole are free from material misstatement.
There are three types of modified opinions:
1. Qualified opinion;
2. Adverse opinion; and
3. Disclaimer of opinion.
The following exhibit (reproduced from para A1 of ISA 705 (Revised)) illustrates how the type of opinion to be expressed is affected by the auditor’s judgment about:
- The nature of the matter giving rise to the modification; and
- The pervasiveness of its effects or possible effects on the financial statements.
Exhibit 17.3-2
Nature of Matter Giving Rise to the Modification | Auditor’s Judgment About the Pervasiveness of the Effects or Possible Effects on the Financial Statements | |
|---|---|---|
Material BUT NOT Pervasive | Material AND Pervasive | |
| Financial Statements Are Materially Misstated | Qualified opinion | Adverse opinion |
| Inability to Obtain Sufficient Appropriate Audit Evidence | Qualified opinion | Disclaimer of opinion |
The appropriate use of the three types of modifications is described in the following exhibit:
Exhibit 17.3-3
Type | Applicability | Wording |
|---|---|---|
| Qualified Opinion | When the effect is material but not pervasive to the financial statements. This applies where:
| “In our opinion, except for the effects (or the possible effects1) of the matter described in the Basis for Qualified Opinion section of our report, the accompanying financial statements present fairly ... ” |
| Adverse Opinion | When the effects of misstatements are both material and pervasive. This applies where sufficient appropriate audit evidence is obtained but the auditor concludes that misstatements, individually or in the aggregate, are both material and pervasive to the financial statements. | “In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion section of our report ... the accompanying financial statements do not present fairly ...” |
| Disclaimer of Opinion | When the possible effect of undetected misstatements, if any, could be both material and pervasive. This applies where the auditor is unable to obtain sufficient appropriate audit evidence on which to base the opinion and concludes that the possible effects of undetected misstatements, if any, could be both material and pervasive. This also applies to extremely rare circumstances where it is not possible to form an opinion due to the potential interaction of multiple uncertainties and their possible cumulative effect on the financial statements. This applies even where the auditor obtains sufficient audit evidence regarding each of the individual uncertainties. | “We do not express an opinion on the accompanying financial statement. Because of the significance of the matter described in the Basis for Disclaimer of Opinion section of our report, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion on these financial statements.” |
1 There would be a reference to “possible effects” only when:
- the auditor is unable to determine the effects, or
- it is not practicable to quantify the effects.
The only alternative to issuing an adverse opinion or disclaimer of opinion would be to withdraw from the audit altogether (where withdrawal is permissible) and not issuing an opinion. However, in certain cases, withdrawal would not be permissible under the laws and regulations of the jurisdiction.
When a modified opinion is required, the details would be provided in a Basis for Modification paragraph as described below.
Exhibit 17.3-4
| Basis for Modification Paragraph | Purpose Sets out details of the modification in a separate section directly following the opinion section of the auditor’s report. The section would be headed Basis for Qualified Opinion, Basis for Adverse Opinion, or Basis for Disclaimer of Opinion. Wording The section would include (as applicable):
amounts. This could include quantification of the effects on the account balances, classes of transactions and disclosures affected, plus the effect on income before taxes, net income, and equity;
|
| Notes to the Financial Statements | The auditor may make reference in the Basis for Modification section to a more extensive discussion in a note to the financial statements of the matter giving rise to the modification. |
Volume 2, Chapter 23 of this Guide addresses the subject of modifications to the auditor’s report.
In certain situations, the auditor may consider it necessary to add extra paragraphs to draw the user’s attention to certain matters in the auditor’s report.
The following exhibit outlines the two types of paragraphs that may be added to the auditor’s report.
Exhibit 17.3-5
Type of Paragraph | Applicability | Examples |
|---|---|---|
| Emphasis of Matter | Attention is drawn to important matters already PROPERLY disclosed in the financial statements. These are matters presented/disclosed in the financial statements that are of such importance that they are fundamental to the user’s understanding of the financial statements. |
and early application (where permitted) of a new accounting standard. |
| Other Matter | Matters relevant to the user’s understanding of the audit function but NOT disclosed in the financial statements. These are any matters (other than those presented or disclosed in the financial statements) that are relevant to the user’s understanding of the audit, the auditor’s responsibilities and/or the auditor’s report. |
audit evidence is because of a scope limitation imposed by management is pervasive.
|
An Emphasis of Matter paragraph is not a substitute for:
- Modifying the audit opinion when required; or
- Management making required disclosures in the financial statements.
When the auditor expects to include an Emphasis of Matter or Other Matter paragraph in the auditor’s report, the auditor should first communicate with management and those charged with governance regarding this expectation and the proposed wording of the paragraph.
Volume 2, Chapter 24 of this Guide provides more guidance on the possible inclusion of an Emphasis of (under “Other Matter) and/or an Other Matter paragraph in the auditor’s report.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| Auditor’s Report | |
| 700.20 | The auditor’s report shall be in writing. (Ref: Para. A18–A19) |
| Auditor’s Report for Audits Conducted in Accordance with International Standards on Auditing | |
| Title | |
| 700.21 | The auditor’s report shall have a title that clearly indicates that it is the report of an independent auditor. (Ref: Para. A20) |
| Addressee | |
| 700.22 | The auditor’s report shall be addressed as appropriated, based on the circumstances of the engagement. (Ref: Para. A21) |
| Auditor’s Opinion | |
| 700.23 | The first section of the auditor’s report shall include the auditor’s opinion, and shall have the heading “Opinion.” |
| 700.24 | The Opinion section of the auditor’s report shall also:
|
| 700.25 | When expressing an unmodified opinion on financial statements prepared in accordance with a fair presentation framework, the auditor’s opinion shall, unless otherwise required by law or regulation, use one of the following phrases, which are regarded as being equivalent:
|
| 700.26 | When expressing an unmodified opinion on financial statements prepared in accordance with a compliance framework, the auditor’s opinion shall be that the accompanying financial statements are prepared, in all material respects, in accordance with [the applicable financial reporting framework]. (Ref: Para. A26–A31) |
| 700.27 | If the reference to the applicable financial reporting framework in the auditor’s opinion is not to IFRSs issued by the International Accounting Standards Board or IPSASs issued by the International Public Sector Accounting Standards Board, the auditor’s opinion shall identify the jurisdiction of origin of the framework. |
| Basis for Opinion | |
| 700.28 | The auditor’s report shall include a section, directly following the Opinion section, with the heading “Basis for Opinion,” that: (Ref: Para. A32)
|
| Going Concern | |
| 700.29 | Where applicable, the auditor shall report in accordance with ISA 570 (Revised). |
| Note: Paragraphs .30 and .31 relate to KAM and are addressed in Section 17.5 of this Guide. | |
| Responsibilities for the Financial Statements | |
| 700.33 | The auditor’s report shall include a section with a heading “Responsibilities of Management for the Financial Statements.” The auditor’s report shall use the term that is appropriate in the context of the legal framework in the particular jurisdiction and need not refer specifically to “management.” In some jurisdictions, the appropriate reference may be to those charged with governance. (Ref: Para. A44) |
| 700.34 | This section of the auditor’s report shall describe management’s responsibility for: (Ref: Para. A45–A48)
|
| 700.35 | This section of the auditor’s report shall also identify those responsible for the oversight of the financial reporting process, when those responsible for such oversight are different from those who fulfill the responsibilities described in paragraph 34 above. In this case, the heading of this section shall also refer to “Those Charged with Governance” or such term that is appropriate in the context of the legal framework in the particular jurisdiction. (Ref: Para. A49) |
| 700.36 | When the financial statements are prepared in accordance with a fair presentation framework, the description of responsibilities for the financial statements in the auditor’s report shall refer to “the preparation and fair presentation of these financial statements” or “the preparation of financial statements that give a true and fair view,” as appropriate in the circumstances. |
| Auditor’s Responsibilities for the Audit of the Financial Statements | |
| 700.37 | The auditor’s report shall include a section with the heading “Auditor’s Responsibilities for the Audit of the Financial Statements.” |
| 700.38 | This section of the auditor’s report shall: (Ref: Para. A50)
|
| 700.39 | The Auditor’s Responsibilities for the Audit of the Financial Statements section of the auditor’s report shall further: (Ref: Para. A50)
an opinion on the effectiveness of internal control in conjunction with the audit of the financial statements, the auditor shall omit the phrase that the auditor’s consideration of internal control is not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control.
that a material uncertainty exists, the auditor is required to draw attention in the auditor’s report to the related disclosures in the financial statements or, if such disclosures are inadequate, to modify the opinion. The auditor’s conclusions are based on the audit evidence obtained up to the date of the auditor’s report. However, future events or conditions may cause an entity to cease to continue as a going concern.
a manner that achieves fair presentation.
|
| 700.40 | The Auditor’s Responsibilities for the Audit of the Financial Statements section of the auditor’s report also shall: (Ref: Para. A50)
|
| Location of the Description of the Auditor’s Responsibilities for the Audit of the Financial Statements | |
| 700.41 | The description of the auditor’s responsibilities for the audit of the financial statements required by paragraphs 39–40 shall be included: (Ref: Para. A54)
|
| 700.42 | When the auditor refers to a description of the auditor’s responsibilities on a website of an appropriate authority, the auditor shall determine that such description addresses, and is not inconsistent with, the requirements in paragraphs 39–40 of this ISA. (Ref: Para. A56) |
| Note: Paragraphs .43–.45 relate to other reporting matters and are discussed in Section 17.6 of this Guide. Paragraph .46 relates to the inclusion of the engagement partner’s name, as discussed in Section 17.5 of this Guide. | |
| Signature of the Auditor | |
| 700.47 | The auditor’s report shall be signed. (Ref: Para. A64–A65) |
| Auditor’s Address | |
| 700.48 | The auditor’s report shall name the location in the jurisdiction where the auditor practices. |
| Date of the Auditor’s Report | |
| 700.49 | The auditor’s report shall be dated no earlier than the date on which the auditor has obtained sufficient appropriate audit evidence on which to base the auditor’s opinion on the financial statements, including evidence that: (Ref: Para. A66-A69)
|
| Auditor’s Report Prescribed by Law or Regulation | |
| 700.50 | If the auditor is required by law or regulation of a specific jurisdiction to use a specific layout or wording of the auditor’s report, the auditor’s report shall refer to International Standards on Auditing only if the auditor’s report includes, at a minimum, each of the following elements: (Ref: Para. A70–71)
|
| For Audits Conducted in Accordance with Both Auditing Standards of a Specific Jurisdiction and ISAs | |
| 700.51 | An auditor may be required to conduct an audit in accordance with the auditing standards of a specific jurisdiction (the “national auditing standards”), and has additionally complied with the ISAs in the conduct of the audit. If this is the case, the auditor’s report may refer to International Standards on Auditing in addition to the national auditing standards, but the auditor shall do so only if: (Ref: Para. A76-A77)
to include an Emphasis of Matter paragraph or Other Matter paragraph that, in the particular circumstances, is required by ISAs; and
|
| 700.52 | When the auditor’s report refers to both the national auditing standards and International Standards on Auditing, the auditor’s report shall identify the jurisdiction of origin of the national auditing standards. |
The form of the auditor’s report will be affected by the financial reporting framework used, any additional requirements required by law or regulation, and the inclusion of any supplementary information. The auditor’s report is entitled the Independent Auditor’s Report, and for SMEs the following headings that would always be included:
- Opinion;
- Basis for Opinion;
- Responsibilities of Management and Those Charged with Governance for the Financial Statements; and
- Auditor’s Responsibility for the Audit of the Financial Statements.
Other headings for paragraphs that may be used, where applicable, are:
- Other Information (or another title if appropriate such as “Information Other than the Financial Statements and Auditor’s Report Thereon” [See Chapter 15, Section 15.9 of this Guide]);
- Going Concern (if there is material uncertainty, see ISA 570 (Revised));
- Emphasis of Matter;
- Other Matter;
- Key Audit Matters (See Section 17.5 of this Chapter); and
- Report on Other Legal and Regulatory Requirements.
The main components of the auditor’s report (which have to be in writing) are outlined in the following exhibit.
Exhibit 17.4-1
Component | Comments |
|---|---|
| Title | Independent Auditor’s Report Using the word “independent” distinguishes the independent auditor’s report from reports issued by others. |
| Addressee | Those for Whom the Report Is Prepared Typically shareholders or those charged with governance, This may also be dictated by the circumstances of the engagement or local regulations. |
| Auditor’s Opinion |
Fair Presentation Frameworks States whether the financial statements present fairly, in all material respects (or give a true and fair view of), in accordance with the applicable financial reporting framework, or such similar wording as required by law or regulation. Compliance Frameworks States whether the financial statements are prepared in all material respects in accordance with the applicable financial reporting framework. Note: When International Financial Reporting Standards are not used as the financial reporting framework, the wording of the opinion should identify the jurisdiction or country of origin of the financial reporting framework (e.g., in accordance with accounting principles generally accepted in country X …). |
| Basis for Opinion |
|
| Other | Paragraphs such as an Emphasis of Matter or inclusion of Key Audit Matters, where applicable. |
| Responsibilities of Management for the Financial Statements | Explains that management is responsible for the preparation of the financial statements in accordance with the applicable financial reporting framework. The report states that management are responsible for:
Management responsibility includes:
The auditor's report also identifies those responsible for the oversight of the financial reporting process (if different from management, e.g., TCWG). |
| Auditor’s Responsibilities | The report states that:
to draw attention in the auditor’s report to the related disclosures in the financial statements or, if such disclosures are inadequate, to modify the opinion. The auditor’s conclusions are based on the audit evidence obtained up to the date of the auditor’s report. However, future events or conditions may cause an entity to cease to continue as a going concern.
financial statements; that the auditor is responsible for the direction, supervision and performance of the group audit; and that the auditor remains solely responsible for the auditor’s opinion. |
| Auditor’s Responsibilities (continued) |
Note: As discussed later in this Chapter, ISA 700.41 indicates that it is possible to include some of the information related to the auditor’s responsibility for the audit of the financial statements either in the body of the auditor’s report, an appendix or even a website of an appropriate authority. It is expected that SME’s will include all matters in paragraphs ISA 700.39 to .40 in the body of the report. |
| Report on Other Legal and Regulatory Requirements | Certain standards, laws, or generally accepted practice in a jurisdiction may require or permit the auditor to report on other responsibilities.
|
| Auditor’s Signature | The auditor’s signature will be based on what is appropriate for the particular jurisdiction. It could be the firm name, personal name of the auditor, or both. It may also require the auditor’s professional accountancy designation or reference to the fact that the auditor/ firm has been recognized by the appropriate licensing authority. |
| Auditor’s Address | Indicate the name of the auditor’s location in the jurisdiction where the auditor practices. |
| Date of Report | This is no earlier than the date on which the auditor obtained sufficient appropriate audit evidence on which to base the opinion, including evidence that:
|
Paragraph 41(b) of ISA 700 (Revised) explains that the material below can be located in an Appendix to the auditor’s report. Paragraph 41(c) explains that, where law, regulation, or national auditing standards expressly permit, reference can be made to a website of an appropriate authority that contains the description of the auditor’s responsibilities, rather than including this material in the auditor’s report. This is provided that the description on the website addresses, and is not inconsistent with, the description of the auditor’s responsibilities below (from Illustration 1 in the Appendix of ISA 700 (Revised)):
The Appendix to ISA 700 (Revised) provides the following illustrations of Independent Auditor’s Reports on Financial Statements:
- Illustration 1: An auditor’s report on financial statements of a listed entity prepared in accordance with a fair presentation framework.
- Illustration 2: An auditor’s report on consolidated financial statements of a listed entity prepared in accordance with a fair presentation framework.
- Illustration 3: An auditor’s report on financial statements of an entity other than a listed entity prepared in accordance with a fair presentation framework (where reference is made to material that is located on a website of an appropriate authority).
- Illustration 4: An auditor’s report on financial statements of an entity other than a listed entity prepared in accordance with a general-purpose compliance framework.
SMEs are generally “other than a listed entity,” so Illustration 3 and 4 may be most relevant. However, it should be noted that Illustration 3 does not include all required descriptions of the auditor’s responsibility. The auditor’s report will vary based on the particular circumstances of the audit.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 700.30 | For audits of complete sets of general purpose financial statements of listed entities, the auditor shall communicate key audit matters in the auditor’s report in accordance with ISA 701. |
| 700.31 | When the auditor is otherwise required by law or regulation or decides to communicate key audit matters in the auditor’s report, the auditor shall do so in accordance with ISA 701. (Ref: Para. A40–A42) |
The purpose of communicating key audit matters is to:
- Enhance the communicative value of the auditor's report by providing greater transparency about the audit that was performed; and
- Provide additional entity-specific information to intended users of the financial statements to assist them in understanding those matters that, in the auditor's professional judgment, were of most significance in the audit of the financial statements of the current period.
KAM is defined as those matters that, in the auditor’s professional judgment, were of most significance in the audit of the financial statements of the current period. KAM are selected from matters communicated with TCWG.
The following exhibit outlines when communicating KAM is required, when voluntary and when not allowed:
Exhibit 17.5-1
Communicating KAM in complete sets of general purpose financial statements is… | |
|---|---|
| Mandatory for… | Listed entities. |
| Certain other entities as prescribed by local regulation such as public interest entities, or public-sector entities. | |
| Voluntary for… | Auditors who may voluntarily, or at the request of management or TCWG, communicate KAM in the auditor’s report for any type of entity. |
SMEs who want to be seen as similar to listed entities or are considering applying to be listed on a recognized exchange. As the public and other stakeholders becomes familiar with KAM disclosures, such as in the audit reports of listed entities, it may become expected in the audit reports of SMEs. | |
| Not permitted… | As a substitute for required disclosures in the financial statements. |
| As a substitute for reporting a material uncertainty in accordance with ISA 570 that may cast significant doubt on the entity's ability to continue as a going concern. | |
| As a separate audit opinion on individual matters. | |
| As a substitute for expressing a modified opinion required in accordance with ISA 705 (Revised). | |
| When the auditor disclaims an opinion on the financial statements. | |
Requirements for Communicating KAM
ISA 701 Communicating Key Audit Matters in the Independent Auditor’s Report, addresses both the auditor's judgment as to what to communicate in the auditor's report and the form and content of such communication.
The scope and requirements of ISA 701 are outlined below:
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 701.4 | Communicating key audit matters in the auditor’s report is in the context of the auditor having formed an opinion on the financial statements as a whole. Communicating key audit matters in the auditor’s report is not:
|
| 701.8 | For purposes of the ISAs, the following term has the meaning attributed below: Key audit matters — Those matters that, in the auditor’s professional judgment, were of most significance in the audit of the financial statements of the current period. Key audit matters are selected from matters communicated with those charged with governance. |
| 701.9 | The auditor shall determine, from the matters communicated with those charged with governance, those matters that required significant auditor attention in performing the audit. In making this determination, the auditor shall take into account the following: (Ref: Para. A9–A18)
|
| 701.10 | The auditor shall determine which of the matters determined in accordance with paragraph 9 were of most significance in the audit of the financial statements of the current period and therefore are the key audit matters. (Ref: Para. A9-A11, A27-A30) |
| 701.11 | The auditor shall describe each key audit matter, using an appropriate subheading, in a separate section of the auditor’s report under the heading “Key Audit Matters,” unless the circumstances in paragraphs 14 or 15 apply. The introductory language in this section of the auditor’s report shall state that:
|
The following exhibit provides a decision-making framework for KAM:
Exhibit 17.5-2
Loading...
Source: https://www.ifac.org/publications-resources/determining-and-communicating-key-audit-matters
The description of individual matters in the auditor’s report and how the matter was addressed in the audit includes the following:
Exhibit 17.5-3
KAM | The description of KAM is to include: |
|---|---|
| Describe each KAM | Why the matter was considered to be a KAM. |
| How the matter was addressed in the audit. | |
| Reference to the related financial statement disclosure(s), if any. | |
| Describe how each matter was addressed in the audit | Aspects of the auditor’s response or approach that were most relevant to the matter or specific to the assessed risk of material misstatement. |
| Brief overview of procedures performed. | |
| Indication of the outcome of the auditor’s procedures. | |
| Key observations with respect to the matter. |
KAM should be entity-specific and avoid standardized or overly-technical language.
The description of a KAM should not imply that the matter has not been appropriately resolved by the auditor in forming the opinion on the financial statements, nor should it contain or imply discrete opinions on separate elements of the financial statements (a “piecemeal opinion”).
When communicating KAM in accordance with ISA 230 and ISA 701 the auditor is required to document the professional judgments made about:
- why a matter that required significant auditor attention is or is not a KAM;
- if there are no KAM, the rationale as to why that is; and
- why a matter determined to be a KAM is not communicated.
However, there is no requirement to document the rationale for why matters communicated to TCWG were not matters that required significant auditor attention.
Sample KAM wording
Illustration 1 in the Appendix to ISA 700 (Revised) includes an audit report with a paragraph on key audit matters. The paragraph is placed after the Basis of Opinion section of the report. The suggested wording is as follows:
Key Audit Matters
Key audit matters are those matters that, in our professional judgment, were of most significance in our audit of the financial statements of the current period. These matters were addressed in the context of our audit of the financial statements as a whole, and in forming our opinion thereon, and we do not provide a separate opinion on these matters.
[Include a description of each key audit matter in accordance with ISA 701.]
For more information about KAM, see:
- The Auditor Reporting Toolkit at: www.iaasb.org/auditor-reporting.
- A non-authoritative publication by the IAASB Auditor Reporting Implementation Working Group that provides illustrative KAM “Auditor Reporting – Illustrative Key Audit Matters” from which the following table is extracted.
The following table is based on this IAASB document which provides some sample wording:
REFERENCE, TO DISCLOSURE, WHY HOW IF APPLICABLE | ||
|---|---|---|
| Why the Matter Was Determined to Be a KAM | How the Matter Was Addressed in the Audit | Reference to the Related Disclosure(s) in the Financial Statements |
The description of a KAM in the auditor’s report is intended to provide insight to intended users as to why the matter was determined to be a KAM (i.e., why it was a matter of most significance in the audit of the financial statements of the current period). ISA 701 also provides robust guidance to support the judgment- based decision-making framework in determining the relative significance of a matter communicated with those charged with governance and whether such a matter is a KAM. (ISA 701.A42-A46) | The description of a KAM in the auditor’s report is also intended to describe how the matter was addressed in the audit. The amount of detail to be provided in the auditor’s report to do so is a matter of professional judgment. ISA 701 explains that auditors may describe how a KAM was addressed in the audit by describing aspects of the auditor’s response or approach that were most relevant to the matter or specific to the assessed risk of material misstatement; a brief overview of procedures performed; an indication of the outcome of the auditor’s procedures; or key observations with respect to the matter; or some combination of these elements. If the auditor provides an indication of the outcome of the auditor’s procedures in the description of a KAM, care is needed to avoid the auditor giving the impression that the description is conveying a separate opinion on an individual KAM or that in any way may call into question the auditor’s opinion on the financial statements as a whole. (ISA 701.A46-A51) | The auditor’s communication of KAM in the auditor’s report is not intended to be a substitute for the inclusion of appropriate and relevant financial statement disclosures, because management is responsible for providing information about the financial statements and the entity. The description of a KAM in the auditor’s report will always refer to any related disclosures in the financial statements. (ISA 701.13 and .A40-A41) Reference to any related disclosures enables intended users to further understand how management has addressed the matter in preparing the financial statements. In addition to referring to related disclosure(s), the auditor’s description of a KAM may draw attention to key aspects of such disclosures. Therefore, the extent of disclosure by management about specific aspects of a particular matter in the financial statements may help the auditor in describing how those specific aspects were addressed in the audit such that intended users can understand why the matter is a KAM. |
| Goodwill | ||
Under IFRSs, the Group is required to annually test the amount of goodwill for impairment. This annual impairment test was significant to our audit because the balance of XX as of December 31, 20X1 is material to the financial statements. In addition, management’s assessment process is complex and highly judgmental and is based on assumptions, specifically [describe certain assumptions], which are affected by expected future market or economic conditions, particularly those in [name of country or geographic area]. | Our audit procedures included, among others, using a valuation expert to assist us in evaluating the assumptions and methodologies used by the Group, in particular those relating to the forecasted revenue growth and profit margins for [name of business line]. We also focused on the adequacy of the Group’s disclosures about those assumptions to which the outcome of the impairment test is most sensitive, that is, those that have the most significant effect on the determination of the recoverable amount of goodwill. | The Company’s disclosures about goodwill are included in Note 3, which specifically explains that small changes in the key assumptions used could give rise to an impairment of the goodwill balance in the future. |
REFERENCE, TO DISCLOSURE, WHY HOW IF APPLICABLE | ||
|---|---|---|
| Why the Matter Was Determined to Be a KAM | How the Matter Was Addressed in the Audit | Reference to the Related Disclosure(s) in the Financial Statements |
| Valuation of Financial Instruments | ||
| The Company’s investments in structured financial instruments represent [x%] of the total amount of its financial instruments. Due to their unique structure and terms, the valuation of these instruments are based on entity-developed internal models and not on quoted prices in active markets. Therefore, there is significant measurement uncertainty involved in this valuation. As a result, the valuation of these instruments was significant to our audit. | [Include how the matter was addressed in the audit, but not included in the example] | The Company’s disclosures about its structured financial instruments are included in Note 5. |
| Revenue Recognition | ||
The amount of revenue and profit recognized in the year on the sale of [name of product] and aftermarket services is dependent on the appropriate assessment of whether or not each long-term aftermarket contract for services is linked to or separate from the contract for sale of [name of product]. As the commercial arrangements can be complex, significant judgment is applied in selecting the accounting basis in each case. In our view, revenue recognition is significant to our audit as the Group might inappropriately account for sales of [name of product] and long- term service agreements as a single arrangement for accounting purposes and this would usually lead to revenue and profit being recognized too early because the margin in the long-term service agreement is usually higher than the margin in the [name of product] sale agreement. | Our audit procedures to address the risk of material misstatement relating to revenue recognition, which was considered to be a significant risk, included:
input of individual advertising campaigns’ terms and pricing; comparison of those terms and pricing data against the related overarching contracts with advertising agencies; and linkage to viewer data; and
| [Include any references to notes, if applicable] |
REFERENCE, TO DISCLOSURE, WHY HOW IF APPLICABLE | ||
|---|---|---|
| Why the Matter Was Determined to Be a KAM | How the Matter Was Addressed in the Audit | Reference to the Related Disclosure(s) in the Financial Statements |
| Going Concern Assessment | ||
As disclosed in Note 2, the Group is subject to a number of regulatory capital requirements, which are a key determinant of the Group’s ability to continue as a going concern. We identified that the most significant assumption in assessing the Group’s and [significant component’s] ability to continue as a going concern was the expected future profitability of the [significant component], as the key determinant of the forecasted capital position. The calculations supporting the assessment require management to make highly subjective judgments and also require adjustment to accounting figures to reflect regulatory requirements stipulated by the [name of applicable regulatory framework(s)]. The calculations are based on estimates of future performance, and are fundamental to assessing the suitability of the basis adopted for the preparation of the financial statements. We have therefore spent significant audit effort, including the time of senior members of our audit team, in assessing the appropriateness of this assumption. | [Note 2 is already referenced in the first column, and may be sufficient, but include reference to going concern note, and other relevant disclosures, if any] | |
| Other illustrations included in the IAASB publication but not reproduced here include: |
|---|
|
| Name of the Engagement Partner | |
|---|---|
700.46 | The name of the engagement partner shall be included in the auditor’s report for audits of complete sets of general purpose financial statements of listed entities unless, in rare circumstances, such disclosure is reasonably expected to lead to a significant personal security threat. In the rare circumstances that the auditor intends not to include the name of the engagement partner in the auditor’s report, the auditor shall discuss this intention with those charged with governance to inform the auditor’s assessment of the likelihood and severity of a significant personal security threat. (Ref: Para. A61–A63) |
Disclosing the name of the engagement partner is required in the auditor’s report:
- For listed entities; and
- Where required by law, regulation or national auditing standards.
In rare circumstances, the name of the auditor can be omitted. For example, they may omit their name in situations where such disclosure is reasonably expected to lead to a significant personal security threat or physical harm to the engagement partner, other engagement team members or other closely related individuals. However, threats of legal liability or legal, regulatory or professional sanctions against the partner are not among those that permit the auditor to omit their name.
Illustration 1 in the Appendix to ISA 700 (Revised) includes the following wording just above the signature on the audit report:
“The engagement partner on the audit resulting in this independent auditor’s report is [insert name].”
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| 700.32 | Where applicable, the auditor shall report in accordance with ISA 720 (Revised). |
| 700.43 | If the auditor addresses other reporting responsibilities in the auditor’s report on the financial statements that are in addition to the auditor’s responsibilities under the ISAs, these other reporting responsibilities shall be addressed in a separate section in the auditor’s report, with a heading titled “Report on Other Legal and Regulatory Requirements,” or otherwise as appropriate to the content of the section, unless these other reporting responsibilities address the same topics as those presented under the reporting responsibilities required by the ISAs, in which case the other reporting responsibilities may be presented in the same section as the related report elements required by the ISAs. (Ref: Para. A58–A60) |
| 700.44 | If other reporting responsibilities are presented in the same section as the related report elements required by the ISAs, the auditor’s report shall clearly differentiate the other reporting responsibilities from the reporting that is required by the ISAs. (Ref: Para. A60) |
| 700.45 | If the auditor’s report contains a separate section that addresses other reporting responsibilities, the requirements of paragraphs 21–40 of this ISA shall be included under a section with a heading “Report on the Audit of the Financial Statements.” The “Report on Other Legal and Regulatory Requirements” shall follow the “Report on the Audit of the Financial Statements.” (Ref: Para. A60) |
In some jurisdictions, the auditor may be required to report on matters in addition to the auditor’s responsibility under the ISAs, as discussed in the following exhibit.
Exhibit 17.7-1
Discussion | |
|---|---|
| Additional Reporting Requirements | The auditor may be required to comment on matters such as:
|
| Report Under Separate Heading | To ensure users understand these additional responsibilities, the auditor would report on them within a separate section in the auditor’s report (e.g., under a new subheading such as “Report on Other Legal and Regulatory Requirements”). |
Auditors are required to report on other information in accordance with ISA 720 (Revised), which is discussed in more detail in Chapter 15.9 of this Guide. ISA 720 (Revised) may require a specific heading related to Other Information in some circumstances.
Management and those charged with governance may be required (by law, regulation or national standards) or may voluntarily choose to include supplementary information with the financial statements that is not required by the applicable financial reporting framework. Such information is normally presented in either supplementary schedules or as additional notes. For example, additional information may include a schedule of manufacturing costs.
| Paragraph # | Relevant Extracts from ISAs |
|---|---|
| Supplementary Information Presented with the Financial Statements (Ref: Para. A78–A84) | |
| 700.53 | If supplementary information that is not required by the applicable financial reporting framework is presented with the audited financial statements, the auditor shall evaluate whether in the auditor’s professional judgment, supplementary information is nevertheless an integral part of the financial statements due to its nature or how it is presented. When it is an integral part of the financial statements, the supplementary information shall be covered by the auditor’s opinion. |
| 700.54 | If supplementary information that is not required by the applicable financial reporting framework is not considered an integral part of the audited financial statements, the auditor shall evaluate whether such supplementary information is presented in a way that sufficiently and clearly differentiates it from the audited financial statements. If this is not the case, then the auditor shall ask management to change how the unaudited supplementary information is presented. If management refuses to do so, the auditor shall identify the unaudited supplementary information and explain in the auditor’s report that such supplementary information has not been audited. |
Where supplementary information is presented, the auditor is required to evaluate, using professional judgment, whether such information is nevertheless an integral part of the financial statements due to its nature or how it is presented.
Exhibit 17.8-1
Is supplementary information: | Action required |
|---|---|
| Integral to F/S? | Supplementary information shall be covered by the auditor’s opinion. |
| NOT integral to F/S? | Evaluate whether such supplementary information is presented in a way that sufficiently and clearly differentiates it from the audited financial statements. If such information is not clearly differentiated, the auditor shall ask management to change how the unaudited supplementary information is presented. If management refuses to make changes, the auditor shall identify the unaudited supplementary information and explain in the auditor’s report that such supplementary information has not been audited. |
The fact that supplementary information is not audited does not relieve the auditor of the responsibility to ensure that the information is not misleading or inconsistent with the other information contained in audited financial statements.
Supplementary information is not to be confused with Other Information in ISA 720 (Revised), Other Information which is discussed in Chapter 15.9 of this Guide.
Where the auditor is required to report on compliance with national auditing standards and the ISAs, reference would be made to both sets of standards in the auditor’s report.
A reference to both International Standards on Auditing and the national auditing standards is appropriate when the following conditions are met.
Exhibit 17.9-1
Conditions | |
|---|---|
| Refer to Compliance with Both ISAs and National Standards |
|
A reference to both International Standards on Auditing and the national auditing standards is not appropriate where a conflict exists between the requirements in ISAs and those in the national auditing standards that would result in:
- The auditor forming a different opinion on the national standards than that appropriate for the ISAs; and
- Omission of additional information, such as an Emphasis of Matter paragraph, that is required by the ISAs but not permitted under national standards.
For more information please contact: Christopher Arnold
Head of SME/SMP and Research ChristopherArnold@ifac.org.
T +1 212 286 9344
| Legal document in English |
|---|
IFAC-Guide-to-Using-ISAs-Vol-I-4th-edition-1.pdf |
| Issued date | Effective date | Expired date |
|---|---|---|
| 13/11/2024 |