Audit and Risk (Charactered Accountant Unit) CHAPTER 1 Plan the audit Chapter introduction This chapter begins by providing an overview of some key concepts associated with audits. Topic 1.1 outlines the auditor's objectives, illustrates the audit process and highlights some topical issues. Audit quality and independence are discussed in Topic 1.2 as we begin to step through the stages of the audit process, starting with pre-engagement activities. The remainder of the chapter continues through the early stages of the audit process, discussing risk assessment procedures (Topic 1.3), development of the audit plan (Topic 1.4) and procedures for understanding and assessing internal controls (Topic 1.5). 1.1 Audit overview The term ‘audit’ is used to indicate confidence in financial information. Businesses, public and voluntary organisations, investors, governments, market regulators, policymakers and other interest groups need to rely on credible information to make effective economic decisions and formulate policy. Trust and integrity are important attributes that underpin credible information flows. The auditor helps to build that trust. The skills learned in auditing are not limited to the audit field in their usefulness. The ability to quickly understand how a client’s business works, to determine what its weak points are and what risks it faces are useful in all aspects of business. Similarly, the critical thinking and evaluation of evidence applied in exercising professional judgement – skills honed while auditing – are vital in any business career. Assurance, a term commonly used to instil confidence in information, can be given over any kind of information, not just financial information, but the provision of assurance over non-financial information is covered in the Assurance Elective subject. This study guide takes students through how the audit process works from deciding whether to accept the client in the first place through to forming the audit opinion and reporting. The following table outlines the readings required for this topic: Relevant international assurance pronouncements and local equivalents (where applicable) International Australia New Zealand Preface to the International Quality Control, Auditing, Review, Other Assurance, and Related Services Pronouncements Foreword to AUASB Pronouncements ASA 100 Preamble to AUASB Standards (ASA 100) ASA 101 Preamble to Australian Auditing Standards (ASA 101) APES 210 Conformity with Auditing and Assurance Standards (APES 210) XRB Standard Au1 Application of Auditing and Assurance Standards (XRB Au1) ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Auditing Standards ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards (ASA 200) ISA (NZ) 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Auditing Standards (New Zealand)(ISA (NZ) 200) 1.1.1 Auditor’s objectives and responsibilities in conducting an audit This topic looks at an auditor’s overall objectives and responsibilities in conducting an audit under the ISAs. This subtopic begins a more comprehensive examination of the practical application of auditing standards that will continue throughout the other topics in this study guide. Auditor’s overall objectives The purpose of an audit is to enhance the degree of confidence intended users have in financial statements by providing reasonable assurance about whether the financial statements are prepared, in all material respects, in line with the applicable financial reporting framework. This purpose can only be achieved if users of audited financial statements understand the auditor’s role and have confidence in the quality of the audit process. Today, there is intense global debate over the degree of confidence in audit quality, and auditors are experiencing a high degree of scrutiny from the media and regulators. Audit risk model Regardless of current debates on audit quality, an auditor cannot provide absolute assurance that the financial statements are materially correct. This is because there are inherent limitations in an audit, which cannot be overcome: Limitation Explanation The nature of financial reporting Management are required to make estimates and judgements in the process of preparing the financial statements. However diligently estimates are prepared, they rely on assumptions and from time to time something unexpected happens that undermines those assumptions. The need for audits to be conducted within a reasonable time frame at a reasonable cost Auditors are required to: • take a ‘risk-based approach’, where the level of audit effort spent on a given area depends directly on the risk of material misstatement in that area • perform audit procedures on a test basis and/or use sampling methods rather than testing the entire population. The use of automated tools and techniques to examine 100 per cent of a population is becoming more common and will eventually call into question the need for sampling in many areas. Formation of an auditor’s opinion based on the audit evidence gathered as a result of audit procedures Audit evidence is often persuasive rather than conclusive, requiring the auditor to exercise judgement when evaluating it. These inherent limitations are captured in the framework provided by ISA 200, commonly known as the ‘audit risk model’, which describes the three different components of audit risk and their interrelationships: In summary, the addition of each element of risk multiplies the risk presented by the other components, generating the overall audit risk. In order to provide reasonable assurance, the auditor must reduce audit risk to an acceptably low level by applying the audit risk model to the audit process. The audit strategy is based on the auditor’s assessment of how these components of audit risk should be addressed. Requirements in conducting an audit under ISAs ISA 200 contains five key requirements for an auditor in the conduct of an audit: Ethics. Professional scepticism. Professional judgement. Sufficient appropriate audit evidence and audit risk. Conduct of an audit in line with ISAs. 1. Ethics When conducting an audit, the auditor must comply with relevant ethical requirements, including those that relate to independence. (The audit independence requirements are dealt with in Topic 1.2.) 2. Professional scepticism The auditor must plan and perform an audit with professional scepticism. Professional scepticism is an attitude that includes having a questioning mind, being alert to conditions that may indicate possible misstatement due to error or fraud, and critically assessing audit evidence. Professional scepticism includes being alert to the following: Professional scepticism – areas in which the auditor should remain alert Area Example Audit evidence that contradicts other audit evidence obtained Management may have given the auditor verbal assurances that an entity has no obsolete inventory. However, the auditor notices boxes of goods in the warehouse that were there the previous year. Information that brings into question the reliability of documents and responses to enquiries Management may claim to have increased profit margins during the period, but media reports consistently convey falling margins in that sector. Electronic evidence obtained in an unsecured manner may have been tampered with. Conditions that may indicate possible fraud A senior staff member of the entity being audited appears to have a lifestyle beyond their earnings. Since professional scepticism is an attitude, it is influenced by many factors, such as the auditor’s personal traits, motivation, competencies, education and experience. 3. Professional judgement The auditor needs to exercise professional judgement in planning and performing an audit. Interpreting the requirements of the ISAs and making informed decisions throughout an audit can only be done with the application of relevant knowledge and experience. Therefore, the areas of the audit that are more risky and complicated, and require most judgement, are generally assigned to more experienced staff. Professional judgement is particularly important for decisions that involve the following: • Assessing materiality and audit risk. • Determining the nature, timing and extent of audit procedures to gather audit evidence – advances in technology and automated tools and techniques give auditors new tools for designing testing. • Evaluating whether sufficient appropriate audit evidence has been obtained. • Evaluating management’s judgements in applying the entity’s financial reporting framework. • Drawing conclusions based on evidence obtained – for example, assessing the reasonableness of the estimates made by management in preparing the financial statements in the context of the totality of audit evidence. • Forming an audit opinion. With the increasing complexity of financial reporting standards comes an increasing use of estimates based on valuation techniques. Consequently, the application of professional judgement is vital in assessing the assumptions on which these estimates are based. The Professional judgment resource, published by the Center for Audit Quality (CAQ), includes the following diagram, which illustrates an effective professional judgement process: Source: Adapted from Professional Judgment Resource. 2014. Center for Audit Quality. Accessed on 17 November 2020, www.thecaq.org/wp-content/uploads/2019/03/professional-judgment-resource.pdf, p. 3. The elements of the professional judgement process are further explored here. Identify and define the issue The ability to identify the issue, including identifying relevant facts and circumstances available at the time when judgement is made, is critical for the auditor. Identification of the issue involves careful analysis of the situation and often involves discussions with others. The auditor may enhance their ability to define the issue by considering the perspective of others, such as investors or the regulator. In order to identify and define the issue, the CAQ resource includes the following practical considerations for the auditor: • What is the impact on the financial statements? • What is the level of complexity inherent in the issue? • What is the level of uncertainty that impacts the outcome? • What is the impact on the planned audit procedures? • Are there any related issues that may need to be considered? Source: Professional Judgement Resource. Audit Quality 2014. Accessed on 17 November 2020, www.thecaq.org/wp-content/uploads/2019/03/professional-judgment-resource.pdf, pg. 5 These questions will recur throughout the audit process. Gather the facts and information and identify the relevant literature This phase in the judgement process involves obtaining and evaluating information. This includes discussions with the client and reviewing documentation, such as relevant contracts and minutes of meetings. Relevant literature the auditor considers includes, for example, financial reporting Standards, the audit firm’s internal guidance and industry-specific material from regulators. In certain instances, a consultation with a subject matter expert may be required. Throughout this process, the auditor critically assesses the evidence they have gathered. The auditor exercises professional scepticism in evaluating the evidence, in particular evidence that potentially conflicts with information given by management. Perform the analysis and identify potential alternatives Once the auditor has obtained the necessary information, they analyse it. This includes considering the relevant literature and technical advice on the matter. It is also important for the auditor to consider potential alternatives and evaluate the outcome of each alternative. In analysing the information and considering the alternatives, the auditor should avoid common judgement tendencies, traps and biases that may impair their decision. These could include solving the wrong problem by not identifying the core issue; considering alternatives that are not feasible; or ‘jumping to a conclusion’ by considering only the first option that comes to mind. Make the decision After analysing the information, the auditor reaches a conclusion. In reaching a conclusion, the auditor should assess whether they have followed the judgement process and adequately considered all the information, including the alternatives. Review and complete the documentation and rationale for the conclusion It is important for the auditor to document the conclusion reached and the rationale for the conclusion, including the alternatives considered so that the reasons for the judgement made are apparent if it is queried later, perhaps in a review by a regulator. Documentation helps to clarify the thought process so that the judgement can be explained in the closing report to those charged with governance and, if necessary, described in the audit report as a key audit matter under ISA 701. 4. Sufficient appropriate audit evidence An audit is all about obtaining evidence that supports the auditor’s opinion on the financial statements. It is therefore crucial for an auditor to have a good understanding of what constitutes sufficient appropriate audit evidence. The auditor must obtain sufficient appropriate audit evidence to reduce audit risk – that is the risk of giving an inappropriate audit opinion – to an acceptably low level. Audit evidence is information used by the auditor to arrive at the conclusions on which the auditor’s opinion is based. The following diagram illustrates what sufficient appropriate audit evidence means: Relevance and reliability are considered together because appropriate evidence must be both relevant and reliable. For example, discussions with management may provide evidence that is highly relevant to the matter being examined, but verbal evidence is not particularly reliable. As the risk of material misstatement increases, the auditor needs to obtain more, and better quality, audit evidence: Professional judgement is needed to determine the required balance between quality (appropriateness) and quantity (sufficiency). By increasing the quality of evidence, the auditor will often be able to reduce the quantity. However, if the quality is poor, increasing the quantity will not necessarily compensate for this. Audit procedures and reliability of audit evidence The auditor obtains audit evidence by performing audit procedures during the audit. Audit procedures are applied initially during the risk assessment process and later to test the operation of systems and controls and to verify account balances. The auditor may employ a variety of methods to gather audit evidence when performing audit procedures. Common methods of obtaining audit evidence are discussed in ISA 500 Audit Evidence. The nature of audit evidence has evolved with developments in technology and the IAASB has a project underway to revise ISA 500 to reflect the impact of new technology on the evaluation of the sufficiency and appropriateness of audit evidence.1 5. Conduct of an audit in accordance with ISAs The auditor must comply with all ISAs that are relevant to the audit, unless the entire ISA is not relevant. For example, ISA 610 (Revised 2013) Using the Work of Internal Auditors contains requirements applicable to the auditor’s use of the work of internal auditors. If the entity being audited has no internal auditors, then the Standard is not relevant. Alternatively, requirements within an ISA may not be relevant because they are conditional and the condition does not exist in the entity being audited. ISAs have two sections, the core standards (numbered paragraphs) and the ‘Application and other explanatory material’ (paragraphs starting with A) and the two parts must be read together. To properly apply ISAs, an auditor needs to understand their entire text, not just the mandatory components. The audit process From the outset is it important to recognise that an audit is a process. Although different engagements may apply the same Auditing Standards and follow the same audit process, each engagement is different. This is because the entities being audited are different. In each audit engagement, the auditor identifies different risks that would drive different responses to those risks. It is important to remember that the audit is an iterative process. As the audit progresses, findings can affect initial views on risk assessment and the audit strategy, causing early work to be refined and reassessed. The following diagram is a summary of the overall process of the audit of financial statements: The pre-engagement and planning phases are covered over the remainder of this chapter. Chapters 2 and 3 will address the rest of the audit process. 1.2 Audit quality and pre-engagement activities This topic explores the concept of audit quality. Recent regulator findings and activities that the auditor must perform before accepting, continuing and commencing an audit engagement are outlined. The topic then moves into pre-engagement activities. The following table outlines the readings required for this topic: Relevant international assurance pronouncements and local equivalents (where applicable) International Australia New Zealand ISQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (ISQM 1) ASQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements (ASQM 1) PES 3 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements (PES 3) ISQM 2 Engagement Quality Reviews (ISQM 2) ASQM 2 Engagement Quality Reviews (ASQM 2) PES 4 Engagement Quality Reviews (PES 4) ISA 210 Agreeing the Terms of Audit Engagements (ISA 210) ASA 210 Agreeing the Terms of Audit Engagements (ASA 210) ISA (NZ) 210 Agreeing the Terms of Audit Engagements (ISA (NZ) 210) ISA 220 (Revised) Quality Management for an Audit of Financial Statements (ISA 220 (Revised)) ASA 220 Quality Management for an Audit of a Financial Report and Other Historical Financial Information (ASA 220) ISA (NZ) 220 (Revised) Quality Management for an Audit of Financial Statements (ISA NZ 220 (Revised)) ISA 260 (Revised) Communication with Those Charged with Governance (ISA 260 (Revised)) ASA 260 Communication with Those Charged with Governance (ASA 260) ISA (NZ) 260 (Revised) Communication with Those Charged with Governance (ISA (NZ) 260 (Revised)) International Code of Ethics for Professional Accountants (Including Independence Standards) (IESBA Code) (2018) APES 110 Code of Ethics for Professional Accountants (Including Independence Standards) (APES 110) PES 1 International Code of Ethics for Assurance Practitioners (Including Independence Standards) (New Zealand) (PES 1) Parts 1, 3 and 4A Parts 1, 3 and 4A Parts 1, 3 and 4A ASA 102 Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assurance Engagements (ASA 102) Corporations Act 2001 (Cth) (Corporations Act) s 307C and Divisions 3, 4 and 5 of Part 2M.4 1.2.1 Audit quality The quality and integrity of financial statements is key for confident and informed markets and investors. The objective of the independent audit is to provide confidence in the financial statements; improving audit quality is, therefore, essential for continued confidence in the independent assurance provided by auditors. Professional bodies around the world are still debating how to define audit quality. IAASB’s A framework for audit quality: Key elements that create an environment for audit quality (the Framework), released in 2014, brought the auditing profession further towards defining audit quality by mapping five elements that contribute to maximising the likelihood that quality audits are performed on a consistent basis (IAASB 2014, p 4). A quality audit is likely to be achieved by an engagement team that: • exhibits appropriate values, ethics and attitudes • is sufficiently knowledgeable, skilled and experienced • is given enough time to perform the audit work • applies a rigorous audit process and quality control procedures that comply with law, regulation and applicable standards • provides useful and timely reports • interacts appropriately with relevant stakeholders. ASIC’s view is that:2 Audit quality refers to matters that contribute to the likelihood the auditor will: • achieve the fundamental objective of obtaining reasonable assurance that the financial report as a whole is free of material misstatement; and • ensure material deficiencies detected are addressed or communicated through the audit report. CA ANZ has summarised the situation as follows:3 • There is no set definition of a quality audit, and many factors influence audit quality. • As a result, judging audit quality can be challenging and subjective. • But there are steps all firms can take to create an environment that supports high-quality auditing. Commentators agree, however, that a high-quality audit is more likely to be carried out when auditors display appropriate values, ethics and attitudes, are knowledgeable, skilled and experienced, and have enough time to perform the audit. Audit quality is, therefore, the result of a variety of attributes working together to create the right environment to do good quality work. It is driven by firm culture and the personal qualities of the members of the audit team. Further reading International Auditing and Assurance Standards Board 2014, Framework for audit quality: Key elements that create an environment of audit quality, International Auditing and Assurance Standards Board. Enforcing audit quality Audit firms are overseen by the regulators responsible for enforcing audit quality. As high-quality audits are integral to the proper functioning of the financial markets, the same regulatory body that oversees the financial markets in its country of jurisdiction is also typically responsible for regulating auditors. Regulators you should be aware of include: • The Australian Securities and Investments Commission (ASIC), which regulates the corporate, market and financial services in Australia. Auditors in Australia are subject to oversight by ASIC. • The Financial Markets Authority in New Zealand (FMA NZ), the body regulating capital markets and financial services in New Zealand. Auditors in New Zealand are subject to oversight by FMA NZ. • The Public Company Accounting Oversight Board (PCAOB) in the United States, which is responsible for overseeing the audits of US public companies. While US audits are beyond the scope of this program, the PCAOB has the power to inspect the audits of subsidiaries of US companies wherever they are situated. This has led to sanctions against firms in Australia. ASIC, FMA NZ and PCAOB are all members of the International Forum of Independent Audit Regulators (IFIAR). The IFIAR was formed to enable regulators around the world to share their knowledge about the regulation of audits and to promote collaboration and consistency in the approach of regulators to regulating audits. IFIAR publishes an annual survey that consolidates the inspection results of member regulators’ inspections of the six largest global audit firm networks. Regulators monitor audit quality by conducting periodic inspections (audit inspections) of a sample of completed audit engagements during a given inspection cycle. The inspection cycle is typically a period of 12 to 18 months, depending on the jurisdiction. The approach to audit inspections is similar in many respects to the approach taken to an audit itself. In fact, audit inspections could be considered as ‘audits of an audit’, where the regulator’s objective is to determine whether the auditor has met the requirements of the Auditing Standards and achieved the overall objectives for an independent auditor. Once the audit inspection is complete, the regulator issues an ‘inspection findings report’ to the auditor of each engagement inspected. Possible outcomes of an audit inspection range from requiring the auditor to perform relatively minor remediation of the audit documentation to requiring additional audit procedures to be performed. In some cases, it could result in the need for a restatement of previously issued financial statements and a new audit report being issued. In addition, the regulator publishes a report summarising the findings from all its audit inspections over the inspection cycle. These reports often provide interesting insight into how auditors are (or are not) meeting the requirements for audit quality. Some regulators release their findings without naming the firms concerned; others, such as the PCAOB, name the firms. Promoting audit quality Given the severe consequences of audit failure – both reputational and financial – promoting audit quality is in everyone’s interest, from participants in financial markets (large and small) to auditors and regulators. The most severe impact of audit failure is the total demise of a global accounting firm, which happened to Arthur Andersen, the fifth largest global accounting firm, following the sudden collapse of Enron in 2001. At the macro level, high-quality auditing enables stakeholders to rely on financial information. This in turn leads to a lower cost of capital and less regulatory intervention. At the personal level, audit failure at a deposit-taking institution can lead to the loss of an individual’s savings. Class action settlements can cost firms in the tens of millions of dollars and all the major firms are, or have been, on the receiving end of audit negligence litigation in recent times.4 Dealing with litigation is costly, not just in terms of legal fees and damages, but also the time spent by senior staff on the defence and the impact on morale as the firm’s practices come under public scrutiny. There are a number of different mechanisms and ongoing efforts to promote audit quality, including: • voluntary auditor-led and legislative initiatives to increase reporting on audit quality and transparency • pronouncements from standard-setting bodies • technology-enabled transformation of the audit process, as discussed in Topic 1.1. Audit technology is radically changing the way audits are done; for example, the use of data analytics tools to review an entire population of transactions rather than using sampling, and technology is now being embedded in revisions to core auditing standards, such as ISA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement and the project to update ISA 500 Audit Evidence. Audit quality and transparency reporting Transparency reports published by major audit firms in Australia and internationally help to inform the market about audit firms and audit quality. Transparency about indicators of audit quality encourages audit firms to increase their focus on audit quality and may provide information to assist those responsible for selecting an audit firm. Examples of transparency reports can be found on the websites of major accounting firms. Regulatory initiatives In April 2019, Australia’s Financial Reporting Council (FRC), published a report, Auditor Disciplinary processes: Review, about the penalising of auditors who do not meet the standards expected of them. One of the recommendations was that ASIC should publish the names of audit firms and their audit results as part of its audit inspection program to improve transparency and push audit firms to improve the quality of their audits. The report was partly in response to a recommendation by the Parliamentary Joint Committee on Corporations and Financial Services for a review of ASIC’s enforcement power in relation to auditors. As a result, some of the largest audit firms have voluntarily disclosed their own individual firm’s audit results in response to ASIC’s audit inspection findings. In April 2020 the FRC updated their Audit Quality Action Plan, which notes that the government supported all except one of their recommendations for strengthening auditor disciplinary processes. On a more positive note, the FRC have also conducted a user survey of ASX 300 audit committee chairs, of whom 35 per cent considered their auditors excellent and 54 per cent above average.5 Enquiries into audit quality In November 2020 Australia’s Parliamentary Joint Committee on Corporations and Financial Services published its final report on the regulation of auditing in Australia, which developed the policy recommendations of the February 2020 interim report.6 Key recommendations in these reports for audit inspections were:7 • ASIC is to review the way in which it reports its audit inspection findings and, based on this review, develop and implement, by the end of the 2020–21 reporting period for its audit inspection program, a revised framework for reporting inspection findings, with a focus on the transparency and relative severity of identified audit deficiencies. • Legislation will be passed to require ASIC to publish individual audit firm inspection reports on its website, once ASIC has adopted a revised reporting framework. Key recommendations for audit independence were: • The FRC and ASIC are to oversee the development and introduction within Australian standards of – defined categories for audit and non-audit services and associated fee disclosure requirements – a list of non-audit services that audit firms are explicitly prohibited from providing to an audited entity. • The Accounting Professional and Ethics Standards Board (APESB) should consider revising the APES 110 Code of Ethics to include a safeguard that no audit partner can be incentivised, through remuneration advancement or any other means or practice, for selling non-audit services to an audited entity. • The Corporations Act 2001 should be amended so that the auditor’s independence declaration specifically confirms that no prohibited non-audit services have been provided. • The FRC should oversee the revision and implementation of Australian Standards to require audited entities to disclose audit or tenure in annual financial reports, including both the length of tenure of the entity's external auditor and of the lead audit partner. • An audit tendering process every 10 years for entities requiring an audit under the Act will be introduced. • A formal review is to be undertaken by the FRC of reporting requirements under Australian standards for – the prevention and detection of fraud – management's assessment of going concern. • The Corporations Act should be amended so that, similar to SOX in the United States, companies requiring an audit under the Act will have to establish and maintain an internal controls framework for financial reporting. Management will evaluate and annually report on the effectiveness of the entity’s internal control framework and the external auditor will report on management’s assessment of the entity’s internal control framework. • The Australian government should take action to make digital financial reporting standard practice in Australia. Australian regulators are also monitoring developments overseas, such as the Brydon Report in the United Kingdom, officially titled Assess, assure and inform: Improving audit quality and effectiveness, the report of the independent review into the quality and effectiveness of audit. This review was more wide ranging than the Australian enquiry and the report includes recommendations for improvements in corporate governance, including the roles of directors, audit committees and shareholders as well as regulators and auditors. The report highlights the changing public-interest responsibilities of businesses and recognises that society expects corporate reporting to be broader and more relevant than it currently is. To that end, Brydon challenges auditors to play their part in making audits more informative for a broader group of stakeholders. It recognises that all stakeholders bear some responsibility for the audit process and have a role to play in bringing about an environment that will permit better and more effective audits.8 Particular recommendations of interest to the auditing profession include:9 • Introduction of a UK version of SOX, whereby the CEO and CFO make a controls attestation to the board. • Creation of a new ‘corporate auditing’ profession governed by principles, including the development of a specific auditor qualification and subject-specific auditors based on achievements from tailored education and training. • Development of a package of measures around fraud detection and prevention. Pronouncements from standard-setting bodies • Standard-setting bodies have made it clear that, first and foremost, professional judgement and professional scepticism are the principles on which audit quality is built. • It is impossible to create rules that anticipate and function effectively in all circumstances in today’s increasingly complex business environment. This is why the principles-based approach of the Framework and the Auditing Standards establishes a baseline for audit quality and is not intended to be prescriptive or exhaustive. • Considering this, auditors must always think about the specific facts and circumstances of each situation and use their professional judgement in applying the Framework and the Standards while maintaining their professional scepticism. Quality management standards The IAASB has recently released new quality management standards to replace the previous ISQC 1 standard on quality control and has also made a number of related revisions to ISA 220. The changes are intended to move from a compliance-based approach to a much more proactive, risk-based approach to managing the quality of audits at both the firm level and at the engagement level. The following new and revised standards are effective for audits and reviews of financial statements for periods beginning on or after December 15 2022. ISQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements Firm level ISQM 2 Engagement Quality Reviews Firm and engagement level ISA 220 (Revised) Quality Management for an Audit of Financial Statements Engagement level These standards will be covered in more detail in the next section. 1.2.2 Quality control Quality control at the audit firm level As noted in the previous section, the IAASB has recently released new quality management standards. The standards are relevant to audit firms performing the following types of engagements under the IAASB’s Standards: • Audits or reviews of financial statements performed under the ISAs and ISREs • Assurance engagements other than audits or reviews of historical financial information performed under the ISAEs (ie assurance on GHG statements) • Related services engagements performed under the ISRSs (ie agreed-upon procedures and compilation engagements). The above IAASB Standards deal with the performance of these engagements, including the responsibilities of the engagement partner and engagement team. These standards are premised on the basis that the firm establishes the appropriate firm level quality management processes required by ISQM 1 and ISQM 2. ISQM 1 deals with the firm’s responsibility for having a system of quality management (SOQM). The SOQM is the mechanism that creates an environment that enables and supports engagement teams in performing quality engagements. It helps the firm in achieving consistent engagement quality because it is focused on how the firm manages the quality of engagements performed. ISQM 2 deals with engagement quality reviews as a specified response to achieving the firms audit quality objectives. ISQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements ISQM 1 replaces ISQC 1 and requires firms to design a system of quality management to manage the quality of engagements performed by the firm. Firms were required to have their system of quality management designed by 15 December 2022. ISQM 1 comprises: • Eight interrelated components that deal with the key aspects of the SOQM • Other requirements that address specific topics. An overview of the eight components is as follows. Component Description The firm’s risk assessment process • Prescribes the process the firm is required to follow in implementing the risk-based approach to quality management. • Consists of establishing quality objectives, identifying and assessing quality risks to the achievement of the quality objectives and designing and implementing responses to address the quality risks. Governance and leadership • Deals with matters such as the firm’s culture, leadership responsibility and accountability, the firm’s organisational structure, assignment of roles and responsibilities, resource planning and allocation. Relevant ethical requirements • Focuses on fulfiling relevant ethical requirements by the firm and its personnel including the extent that they apply to others external to the firm. Acceptance and continuance of client relationships and specific engagements • Deals with the firm’s judgements about whether to accept or continue a client relationship or specific engagement. Engagement performance • Deals with the firm’s actions to promote and support the consistent performance of quality engagements, including through direction, supervision and review, consultation and differences of opinion. • Includes how the firm supports engagement teams in exercising professional judgement and, when applicable to the nature and circumstances of the engagement, exercising professional scepticism. Resources • Deals with obtaining, developing, using, maintaining, allocating and assigning resources in a timely manner to enable the design, implementation and operation of the SOQM. • Includes technological, intellectual and human resources, and addresses service providers. Information and communication • Deals with obtaining, generating or using information regarding the SOQM, and communicating information within the firm and to external parties on a timely basis to enable the design, implementation and operation of the SOQM. Monitoring and remediation process • Provides the firm with relevant, reliable and timely information about the design, implementation and operation of the SOQM. • Addresses taking appropriate actions to respond to deficiencies such that deficiencies are remediated on a timely basis. ISQM 1 introduces a risk-based approach focused on achieving the firm’s quality objectives. The standard requires the firm to establish a system of quality management (SOQM). The SOQM comprises the following. Establish quality objectives Identify and assess quality risks Design and implement responses ISQM 1 prescribes certain quality objectives for each component. Establishes additional quality objectives the firm considers necessary to achieve the objectives of the SOQM. Identifies conditions, events, circumstances, actions or inactions that could adversely affect the achievement of the quality objectives Focuses on the nature and circumstances of the firm and the engagements it performs. ISQM 1 includes certain specified responses. Designs and implements responses that address quality risks. Reassess objectives, risks and responses if there are changes in the nature and circumstances of the firm or the engagements it performs, or as a result of information from the firm’s monitoring or remediation process. ISQM 1 requires an evaluation of the SOQM on an annual basis. This involves leadership evaluating and concluding whether the SOQM is achieving its objectives. Where the conclusion is unsatisfactory, the firm is required to take further action to respond to the identified deficiencies. ISQM 2 Engagement Quality Reviews This new standard replaces the provisions relating to engagement quality control reviews previously contained in ISQC 1 and ISA 220. The performance of engagement quality reviews in accordance with ISQM 2 is one of an audit firm’s specified responses designed to support it achieving the quality objectives in its SOQM, developed in accordance with ISQM 1. The standard addresses: • engagements requiring an engagement quality review: – audits of financial statements of listed entities – audits or other engagements for which an engagement quality review is required by law or regulation – audits or other engagements for which the firm determines an engagement quality review is an appropriate response to address one or more quality risks • appointment and eligibility of the engagement quality reviewer: – having appropriate competence and capabilities, including sufficient time and appropriate authority – complying with relevant ethical requirements including objectivity and independence. This includes a two-year cooling off period before the engagement partner can assume the role of engagement quality reviewer – complying with provisions of law and regulation relevant to the eligibility of engagement quality reviewers • performance of the engagement quality review: – the review is to be performed at appropriate points during the engagement – the review includes: ○ discussing significant matters with the engagement partner ○ review of documentation relating to significant judgements and conclusions ○ evaluating the conclusions reached in forming the audit opinion and whether the proposed auditors’ report is appropriate ○ evaluating the exercise of professional scepticism by the engagement team ○ evaluating the basis for the engagement partner’s determination that relevant ethical requirements relating to independence have been fulfilled ○ evaluating whether appropriate consultation has taken place on difficult or contentious matters or matters involving differences of opinion ○ evaluating whether the engagement partner’s involvement has been sufficient and appropriate throughout the audit ○ stand back requirement for the engagement quality reviewer to determine whether the requirements of ISQM 2 for the performance of the review have been fulfilled • documentation of the engagement quality review: – the engagement quality reviewer is responsible for documenting the performance of the review, and the documentation being filed with the engagement documentation – the documentation is to be sufficient to enable an experienced practitioner, having no previous connection to the engagement, to understand the nature, timing and extent of the engagement quality review procedures performed. Quality management at the engagement level ISA 220 (Revised) Quality Management for an Audit of Financial Statements ISA 220 (Revised) deals with quality management at the engagement level. The standard focuses on the important role of the engagement partner in managing and achieving quality on the audit and reinforcing the importance of quality to all members of the engagement team. In addition to the overall leadership responsibility and for demonstrating clear, consistent and effective actions that reflect a commitment to managing the quality of the audit, the standard specifically requires the engagement partner to be responsible for: • communicating the expected behaviour of engagement team members, including each engagement team member exercising professional scepticism • considering relevant ethical requirements, including those related to independence • determining that the firm’s acceptance and continuance policies and procedures have been followed • determining that sufficient and appropriate resources have been assigned to the engagement • determining the direction, supervision and review across the engagement • performing a review of audit documentation relating to: – significant matters and significant judgments – other matters that, in the engagement partner's judgement, are relevant to the engagement partner's responsibilities • any required consultations, engagement quality reviews and differences of opinion • considering the impact of the results of the firm’s monitoring and remediation process • prior to dating the auditor’s report, determining that he or she has taken overall responsibility for managing and achieving quality on the audit. Example 1.1 – Supervision and review of work performed by audit analyst Greg, the engagement partner on the audit of Peacock Ltd is using Dana, an audit analyst on the engagement team. To satisfy the requirement in ISA 200 (Revised) Greg is considering the appropriate direction, supervision and review of the audit procedures to be performed and documentation by Dana. At the beginning of the engagement, Greg considers Dana’s level of experience, knowledge and competence. He does this by speaking with Dana, as well as with colleagues who have worked with Dana previously. Greg then considers this information when allocating work to Dana and the extent of supervision by Lindsey, the audit manager. For each task allocated, Greg establishes that Lindsey is to support Dana by ensuring she understands the task, its purpose and how to perform it. Depending on whether Dana has performed the task before, Lindsey is to provide a more detailed explanation including the purpose of the task and how it fits into the overall audit strategy, so that Dana understands why she is performing the task. For example, if Dana is assigned to perform unrecorded liabilities testing and 65 items have been selected for testing, Lindsey might show her how she would test the first three items. Greg requests that Lindsey monitors Dana’s progress and periodically checks in with her to ensure she is on track and to determine if she has identified any issues during her testing that might require his assistance to investigate and resolve. In some cases, Lindsey may escalate the issue to Greg for further action. Once Dana completes and documents her work, as Lindsey is the detailed reviewer, Greg asks her to reperform certain parts of Dana’s work to ensure she has performed it correctly. She identifies review points that Dana needs to rectify, for example, by investigating a particular invoice further or rewriting part of the documentation. Example 1.2 – Considering the impact of the results of the firm’s monitoring and remediation process Decimal Partners (Decimal) has established an annual audit quality review (AQR) process in line within its SOQM. Decimal’s latest AQR results identify the need for Decimal’s audit teams to improve their documentation of audit procedures for impairment calculations. Under ISA 220 (Revised), the engagement partner on the audit of Cradle Ltd needs to consider whether this AQR result is relevant to the Cradle Ltd audit engagement. The engagement partner might decide this means the team needs to prepare an additional covering memo summarising the detailed audit approach to impairment to bridge any gap between the overall audit strategy documented in the audit plan and the detailed controls and substantive testing audit workpapers. The revised standard includes a revised definition of an engagement team. An engagement team includes partners and staff performing the audit engagement, and any other individuals who perform audit procedures on the engagement, excluding an auditor’s external expert and internal auditors who provide direct assistance on an engagement. The change to the definition recognises that, in a group audit, component auditors may be from the firm, a network firm or a firm that is not a network firm. Accordingly, in a group audit the engagement team will include component auditors that perform audit work for purposes of the group audit. The revised standard also provides enhanced guidance on professional scepticism. It recognises that conditions inherent in some audits can create pressures on the engagement team that may impede the appropriate exercise of professional scepticism when designing and performing audit procedures and evaluating audit evidence and includes material to explain: • how impediments to professional scepticism (such as budget constraints, tight deadlines, lack of cooperation by management, or overreliance on automated tools and techniques) can affect the performance of the audit • unconscious or conscious biases that may impede the exercise of professional scepticism • possible actions that the engagement team may take to mitigate impediments to professional scepticism, such as: – remaining alert to changes in engagement circumstances that necessitate additional or different resources for the engagement – alerting the team when there is heightened vulnerability to biases – involving more experienced members of the engagement team in certain activities. Australia specific As a result of the quality management standards issued by the IAASB, the Australian Auditing and Assurance Standards Board has issued the following: • ASQM 1 Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements – This standard supersedes ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Assurance Engagements and Related Services Engagements. – The standard is equivalent to ISQM 1 with the only differences being to incorporate terminology, definitions and conforming amendments that are necessary in the Australian environment. – The standard is legally enforceable under the Corporations Act for engagements governed by that Act and is effective for audits of financial statements for periods beginning on or after 15 December 2022. • ASQM 2 Engagement Quality Reviews – This is a new standard and is equivalent to ISQM 2 with the only differences being to incorporate terminology, definitions and conforming amendments that are necessary in the Australian environment. – The standard is legally enforceable under the Corporations Act for engagements governed by that Act and is effective for audits of financial statements for periods beginning on or after 15 December 2022. • ASA 220 Quality Management for an Audit of a Financial Report and Other Historical Financial Information – This revised standard is equivalent to ISA 220 (Revised) with the only differences being to incorporate terminology, definitions and conforming amendments that are necessary in the Australian environment. – The standard is legally enforceable under the Corporations Act for engagements governed by that Act and is effective for audits of financial statements for periods beginning on or after 15 December 2022. New Zealand specific As a result of the quality management standards issued by the IAASB, the New Zealand Auditing and Assurance Standards Board has issued the following: • PES 3 Quality Management for Firms that Perform Audits or Reviews of Financial Statements, or Other Assurance or Related Services Engagements – This standard supersedes PES 3 (Amended) Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance Engagements. – The standard is equivalent to ISQM 1 with the only differences being to incorporate terminology, definitions and conforming amendments that are necessary in the New Zealand environment. – The standard is effective for audits of financial statements for periods beginning on or after 15 December 2022. • PES 4 Engagement Quality Reviews – This is a new standard and is equivalent to ISQM 2 with the only differences being to incorporate terminology, definitions and conforming amendments that are necessary in the New Zealand environment. – The standard is effective for audits of financial statements for periods beginning on or after 15 December 2022. • ISA (NZ) 220 (Revised) Quality Management for an Audit of Financial Statements – This revised standard is equivalent to ISA 220 (Revised) with the only differences being to incorporate terminology, definitions and conforming amendments that are necessary in the New Zealand environment. – The standard is effective for audits of financial statements for periods beginning on or after 15 December 2022. Whistleblowing reforms Part of creating an ethical culture within an organisation is fostering an environment where employees can come forward with concerns they may have about what is happening within the organisation. A whistleblower is someone with a connection to a company or organisation who may be in a position to observe or be affected by misconduct and may face reprisals for reporting it. Whistleblowers play an important role in identifying and calling out misconduct that may harm consumers and the community. To encourage whistleblowers to come forward and protect them when they do, in Australia the Corporations Act gives them legal rights and protections. To receive protection under the legislation, the whistleblower must make their disclosure to one of a number of parties involved in the corporate governance or regulation of the entity. One of the permitted recipients of a whistleblower report is ‘an auditor, or a member of the audit team, of the company or organisation, or a related company or organisation’.10 New Zealand has similar protections for whistleblowers under the Protected Disclosures Act 2000. More information can be found on the NZ government’s Serious Fraud Office website at www.sfo.govt.nz/whistleblowing. 1.2.3 Auditor independence Financial information is used by a range of stakeholders: shareholders, banks, government, management, employees and many others. To enable these stakeholders to make decisions this information must be reliable. Therefore, it is vital that stakeholders can trust auditors to carry out their role with integrity and objectivity. Consequently, auditor independence is compulsory under both the IESBA Code of Ethics (the Code) and corporations legislation in many countries, including Australia and New Zealand.11 A distinguishing feature of the accountancy profession is its acceptance of the responsibility to act in the public interest. A professional accountant’s responsibility is not solely to satisfy the needs of an individual client or employing organisation. This obligation is particularly relevant in the context of audit, where the audit is for the shareholders as much as for the company that is paying the audit fees. It is not enough merely to be independent; an auditor must also be seen to be independent. The auditor must avoid facts and circumstances that are so significant that a reasonable and informed third party would be likely to conclude a firm’s, or an audit team member’s, integrity, objectivity or professional scepticism has been compromised. The two sides of independence are shown in the following diagram: The IESBA Code The IESBA Code of Ethics is dealt with in detail in the Ethics and Business subject. This topic focuses only on the ethical guidelines and the legislative obligations an auditor must comply with, but includes a high-level summary of the way the Code works as this underlies the assessment of audit independence. The Code lists five fundamental ethical principles that apply to all professional accountants, whatever their role: Integrity. Be straightforward and honest in all professional and business relationships. Objectivity. Exercise professional or business judgement without being compromised by bias, conflict of interest or undue influence or undue reliance on individuals, organisations, technology or other factors. Professional competence and due care. (a) Attain and maintain professional knowledge and skill at the level required to ensure a client or employing organisation receives competent professional activities, based on current technical and professional standards and relevant legislation. (b) Act diligently and in line with applicable technical and professional standards. Confidentiality. Respect the confidentiality of information obtained as a result of professional and business relationships. Professional behaviour. Comply with relevant laws and regulations, behave in a manner consistent with the profession’s responsibility to act in the public interest in all professional activities and business relationships, and avoid any conduct that discredits the profession. Objectivity is integral to the audit process and the Code devotes Parts 4A and 4B to the independence requirements of audit and assurance practitioners. Conceptual framework The Code adopts a three-step conceptual framework approach. The auditor must: • Identify threats to the ability to comply with the five fundamental principles. • Evaluate the seriousness of those threats: would a reasonable and informed third party conclude that the accountant complies with the fundamental principles? • Address those threats — either by eliminating the cause of the threat or by putting in place safeguards that reduce the threat to an acceptable level. Safeguards can come from a variety of sources, such as: • the accounting profession or legislation — eg auditor rotation requirements, CPD requirements, education and training, monitoring of the profession • the workplace — eg independence compliance procedures, supervision and review procedures, rotation of audit team members, policies on financial, personal and business relationships with audit clients. There are some situations in which threats can be addressed only by declining or ending the specific professional activity. This is because the circumstances that created the threats cannot be eliminated and safeguards cannot be applied to reduce the threat to an acceptable level. Application of the Code to audit and assurance engagements Part 3 of the IESBA Code sets out requirements and application material for professional accountants in public practice (ie firms providing professional services, such as audit services) when applying the conceptual framework. Part 4 of the Code further refines the application of the framework to independence for assurance practices: • Part 4A is relevant to audit and review engagements only (ss 400–800). • Part 4B is relevant to any other assurance engagements –eg audit of specific elements, accounts or items of the financial statements (ss 900–990). How this approach operates in assessing audit independence in practice is explored through examples that address specific independence threats. Revisions to the IESBA Code The IESBA has recently updated its Code of Ethics in relation to non-assurance services and fee-related provisions to address potential impairment to audit quality through the provision of other services to audit clients. Non-assurance services to audit clients The key revisions to the non-assurance services provisions are as follows. • Introduction of a new self-review threat prohibition for PIE audit clients. Before providing a non-assurance service, a firm must determine whether the service might create a self-review threat. If a threat cannot be eliminated or reduced to an acceptable level, the service is prohibited. • New requirement for firm communication with those charged with governance for PIE audit clients. Prior to the provision of a non-assurance service to an audit client PIE, the PIE’s parent or subsidiaries, there must be concurrence of Those Charged with Governance for the provision of the service. • Tightened non-assurance restrictions for specific non-assurance services. The Code identifies prohibitions on certain specific non-assurance services. For example, for all audit clients, there are prohibitions around certain recruiting services and tax services. For PIEs, there are prohibitions around certain accounting and bookkeeping services, valuation services and legal advice. Section 600 of the Code of Ethics has been significantly revised and introduces new provisions to assist firms and network firms in consistently identifying and evaluating threats to independence that might be created by providing a non-assurance service to an audit client. Specifically, the Code now provides examples of: • factors that are relevant in identifying the different threats to independence that might be created by providing a non-assurance service to an audit client and evaluating the level of such threats • factors to assist in identifying threats to independence from the provision of specific types of services and in evaluating the level of such threats • additional factors that are relevant in evaluating threats arising from the provision of multiple non-assurance services to the same audit client. Fee-related provisions The key revisions to the Code of Ethics relate to the following. • Threats created by fees paid by the audit client. There is an inherent self-interest threat created by fees paid by an audit client. Guidance is provided for firms to determine whether the level of such threats is at an acceptable level. • New provisions related to the level of audit fees. The audit fee should be a stand-alone fee and should not be influenced by other services provided to the audit client. • Proportion of fees paid for services other than audit to audit fees. No specific threshold is established, but guidance is provided for firms to evaluate and address threats created when a large proportion of fees charged by the firm or network firms are for services other than audit. • Enhanced existing provisions related to fee dependency for all audit clients. Fee-dependency thresholds have been established as 15 per cent of total fees for a PIE and 30 per cent of total fees for a non-PIE. Where there is fee dependency, appropriate safeguards need to be applied. For a PIE where there is fee dependency this includes the firm to cease being the auditor if the dependency continues for more than 5 years. • Promote transparency of fee-related information for PIE audit clients. There are enhanced requirements for communication with those charged with governance about fee-related matters as well as promoting the public disclosure of fee-related information. Australia specific APES 110 The restructured APES 110 Code of Ethics for Professional Accountants (including Independence Standards) (APES 110) issued in November 2018 is the Australian equivalent of the IESBA Code. It came into effect on 1 January 2020 . APES 110 is generally consistent with the IESBA Code apart from changes in terminology to tailor the requirements to the Australian environment and some exceptions including: • Additional paragraphs are prefixed with AUST to comply with Australian laws and regulations, Australian Accounting Standards, Auditing and Assurance Standards, Accounting Professional and ethical standards or to address matters in the Australian environment. • The definition of engagement team in APES 110 does not exclude individuals within the client’s internal audit function who provide direct assistance on an audit engagement, as the AUASB has prohibited the use of direct assistance in ASA 610 Using the Work of Internal Auditors. ASA 102 ASA 102 requires auditors, assurance practitioners, engagement quality control reviewers and firms to comply with relevant ethical requirements, including those concerning independence, audits, reviews and other assurance engagements. While it does not add to the sum of ethical requirements, because it is a legally binding Standard issued under the Corporations Act, it brings compliance with APES 110 within the scope of the Act. Independence requirements of the Corporations Act Members of Chartered Accountants Australia and New Zealand, CPA Australia and the Institute of Public Accountants who carry out audits under the Corporations Act must comply with the independence requirements of both the Corporations Act and APES 110. The auditor independence requirements are contained in s307C and Divisions 3, 4 and 5 of Part 2M.4 of the Corporations Act. Auditor rotation requirements for listed companies are contained in Division 5 of Part 2M.4 of the Corporations Act. Generally, an auditor or an authorised audit company must not play a significant role (such as the lead auditor or the review auditor) in the audit of a listed company or listed registered scheme for more than five successive financial years. The auditor must then have a break of at least two successive financial years. However, the Corporations Act allows ASIC to exercise relief power to modify the auditor rotation requirements in certain circumstances. ASIC Regulatory Guide 187 (RG 187) ‘Auditor rotation’ provides further guidance relating to modifications to the auditor rotation requirements. New Zealand specific PES 1 PES 1 International Code of Ethics for Assurance Practitioners (including Independence Standards) (PES 1) issued under the Financial Reporting Act 2013 is the New Zealand equivalent of the IESBA Code. PES 1 is applicable to all assurance practitioners even if they are not part of the accountancy profession. Partner rotation is addressed by Section 540 of PES 1. While PES 1 does not include Part 2 of the International Code, it extends the scope of Part 4A to cover all assurance engagements in relation to an FMC reporting entity. Further Parts 4A and 4B emphasise that when an assurance practitioner identifies several threats to independence, which individually are not significant, they must evaluate the threats together and apply safeguards to eliminate or reduce the threats to an acceptable level. Finally, for the purposes of PES 1, ‘public interest entities’ includes any entity that meets the Tier 1 criteria under XRB A1 Application of the Accounting Standards Framework and is not eligible to report in line with the accounting requirements of another tier. Example 1.3 illustrates how to apply the Code to auditor independence. Example 1.3 – Applying the Code of Ethics to auditor independence Green and Co. audit EDF Limited, a mortgage lender. Mr Green is the audit partner. Historically EDF has run a profitable residential lending operation lending first mortgages to owner occupiers. Due to competitive pressure from other financial institutions it has had trouble meeting the level of interest payments it promised its depositors and has moved into lending for property developments in search of higher interest rates. Interest is being capitalised into development loans and the whole will be repaid from the development proceeds. One such development loan is to Builders Pty Ltd and accounts for 25 per cent of the client’s loan book. There were extensive delays on the project and Mr Blue, the sole shareholder/director of Builders Pty Ltd, is involved in litigation with the ATO over unpaid taxes. Mr Blue is married to the sister of the audit partner, Mr Green. Identify the threats to independence Intimidation threat or self-interest threat: Mr Green may be deterred from objectively assessing the recoverability of the loan balance and contemplating an impairment adjustment because he does not want to jeopardise the interests of his sister’s family. Evaluate the significance of the threats The severity of the threat is a matter of judgement as it depends how close Mr Green is to his sister and her family. However, it is important to bear in mind that the auditor has to be independent in appearance as well as independent of mind and this balance represents around one-quarter of EDF’s assets. Note that it is the borrower who is related to the audit partner and not the client lender. The borrower is not a member of the immediate family or close family of the audit partner as defined in APES 110, so the loan does not fall within APES 110 and Sections 511, 520 and 521 do not apply. However, the client is a mortgage lender so there is a public interest expectation that the client act in the best interests of the depositors. This would involve actively managing problem debts. If the client fails, there is a high likelihood the audit firm will be sued by depositors who have lost money. The relationship does not fall squarely into any of the relationships described in APES 110, but it has the potential to present dangers to the firm’s reputation. If the client fails in part as a result of Builders Pty Ltd defaulting, there could be a perception that Mr Green lacked objectivity, due to his relationship with the borrower. Apply safeguards This is a situation where the firm is looking at the spirit of the Code rather than its detailed prohibitions. Despite the fact that the relationship between Mr Blue and Mr Green does not fit squarely within the terms of the Code that would prevent Mr Green from being the auditor, it still poses challenges. The firm has to address the perception of independence as well as Mr Green’s independence of mind. The scale of Mr Blue’s indebtedness to the client increases the risk that he may try and put pressure on his brother-in-law not to advocate impairment of the debt. The firm would put in place an engagement quality control reviewer to objectively review professional judgements in respect of the loan book and the loan to Builders Pty Ltd in particular. 1.2.4 Acceptance and continuance and the preconditions for an audit Acceptance and continuance is one of the components in the system of quality management required by ISQM 1. In today’s era of anti-money laundering and counter terrorist legislation an audit firm has to be careful which businesses it chooses to be associated with. Being associated with the wrong client can lead to reputational damage, and in some cases criminal prosecution. A prime example was the Enron scandal that led to the disintegration of one of the world’s largest accounting firms, Arthur Andersen in 2001. To achieve a quality audit, the auditor must ask themselves two questions at the start: • Has the auditor got the knowledge, experience and time to perform the audit properly? • Does working with this client present a threat to the firm’s ethical and professional standards? The activities and processes an auditor must undertake before commencing an engagement are collectively known as the pre-engagement activities. The major steps in the pre-engagement process are shownin the following diagram: Note: The preconditions for an audit are the steps set out in the top two boxes of the diagram. Source: Adapted from Glynn, K and Bester, B 2017, Australian audit manual and toolkit 2017: for small and medium sized entities, 7th edn, vol 2, Exhibit 4.0-2, p 27. For a new client the auditor normally also communicates with the previous auditor as part of the acceptance process to find out whether there is any information they need to be aware of before deciding whether to accept the engagement. Example 1.4 – Interview with Dr Margaret Salter FCA, Director MMS Consulting As an auditor, have you ever chosen not to accept a client? Dr Salter: Under APES 110 Code of Ethics for Professional Accountants incoming auditors are required to communicate with the outgoing auditor. I’ve had a situation where the outgoing auditor pointed out a whole range of issues that made me decide not to take on the client. An outgoing auditor’s report can be a good source of information when you’re weighing up whether or not to take on a client. What were the issues raised in that report? Dr Salter: There were a lot of warning signs. The company in question had refused to make any of the auditor’s recommended changes, and their corporate governance was poor. They’d also failed to pay the outgoing auditor’s bill. If there’s ever any doubt about the integrity of an organisation then I’d be very wary about accepting them as a client. What about existing clients? Have you ever discontinued a relationship? Dr Salter: I had a situation where I decided not to continue with a client I’d been working with for almost four years. As a client, they hadn’t shown any interest in my recommendations as auditor, and their records were a total mess. You don’t want to deal with an organisation that has an audit just for the sake of it but then doesn’t act on your recommendations. The final straw came when the entity failed to replace its outgoing CFO. I took this as a sign that those charged with governance weren’t interested in fulfilling their roles and responsibilities when it came to financial management. Are there any other red flags people should look out for? Dr Salter: If you ever feel there are threats to your independence as auditor, you should revisit the situation, reconsider your position and quite possibly resign. Example 1.5 – Implementing quality control procedures in accepting an audit engagement Smith & Co., a small chartered accounting firm in Sydney, audits a small mining company also based in Sydney. During the year, the company was bought by a Perth based-mining company and all its senior personnel and operating, geological and accounting records have been moved to Perth. The client is reluctant for the audit team to go to Perth to do the audit. In assessing whether to continue with the audit, Smith & Co. have to consider whether the changes occurred at the client make it impossible for them to continue with the audit, subject to regulator approval to resign. Visiting Perth is essential for Smith & Co. to sight sufficient appropriate audit evidence to support the company’s major assets, mining tenements and exploration expenditure. Considerations include: Smith & Co. does not have an agent or network firm in Perth. They need to consider whether they have personnel with the time, subject matter experience and resources to go to Perth to audit the records. Management does not seem to understand its responsibility to provide the auditor with access to information and persons within the entity from whom they can get audit evidence. Lack of access to this information could limit the audit scope, meaning the auditor would have to issue a disclaimer of opinion. Because of these considerations Smith & Co. decide not to continue with the audit and send their resignation letter to the company to begin the removal proceedings. Example 1.6 – Implementing quality control procedures in accepting an audit engagement Brown & Co. is an office of a mid-tier networked practice with some experience in small listed companies. They have been approached to be appointed as auditors by a technology startup that will be listed on the ASX. The head office is in Silicon Valley, California, and they have production facilities in China. Bookkeeping and company secretarial is done by a small firm of chartered accountants in Australia. However, the audit evidence to support significant transactions and balances is located in Silicon Valley and China. Considerations include: Brown & Co. will need to consider how they are going to audit the head office in the United States and the production facility in China as these are the sources of the material figures in the financial statements. Do they have the resources in their own firm or within their network, in terms of locations covered and language skills? Brown & Co. must be satisfied that management understands its responsibility to provide the auditor with access to information and persons within the entity from whom they can obtain audit evidence. In this instance, Brown & Co. accept the appointment as they conclude they have sufficient resources in network firms in the United States and China to access audit evidence for significant transactions. 1.2.5 Agreeing the terms of audit engagements After evaluating any prospective new client or an existing client as part of the pre-engagement activities, and deciding whether to accept a new engagement or continue with an existing one, the auditor must agree on the terms of the engagement (ie what is to be done, by whom and when) with the client. This is done by sending the client an engagement letter. The engagement letter is sent before the beginning of the audit to help avoid misunderstandings about the engagement. Typically the client acknowledges the terms and conditions of the engagement and their responsibilities in writing. The engagement letter documents and confirms the following at a minimum: • Auditor’s acceptance of the appointment. • Objective and scope of the audit. • Extent of the auditor’s responsibilities to the entity. • Form of any reports. ISA 210 deals with the auditor’s responsibilities in agreeing the terms of the engagement with the client’s management. This includes establishing that certain preconditions (which are the responsibility of management) are present. New Zealand specific In New Zealand, the auditor agrees the terms of the audit engagement with those charged with governance (ISA (NZ) 210). Contents of an audit engagement letter The auditor agrees on the terms of the audit engagement with either the client’s management or those charged with governance, depending on who is more appropriate. The roles taken by management and those charged with governance depend on the governance structure of the entity and relevant law or regulation. Paragraph 10 of ISA 210 sets out the minimum terms that must be agreed up and detailed in the audit engagement letter, but the letter may also refer to a number of other issues. In adding to the engagement letter, the auditor must be careful to ensure they do not overpromise and that the engagement letter reflects the work they intend to do. An example engagement letter is included in Appendix 1 of ISA 210. The Australian and New Zealand equivalents, ASA 210/ISA (NZ) 210 Appendix 1, contain the example engagement letter, which has been drafted taking local legislative requirements into account. Recurring engagements Where the auditor is engaged to work on a recurring engagement, they may decide not to send a new audit engagement letter for every period. However, they must assess if it would be appropriate to revise the terms of the audit engagement, or remind the entity of the existing terms. Circumstances that might lead the auditor to reissue the letter on a recurring engagement include: a change in the entity’s management or ownership, a change in the nature of its operations, or a change in the legal or regulatory framework. Even if the auditor does not send a new engagement letter for each period, they would normally communicate the current year’s arrangements in writing to the client, including the scope of the audit, timetable and fees. 1.2.6 Communication with those charged with governance It is important for the auditor to develop a constructive working relationship with the audit client in a financial statements audit by having effective two-way communication with management and those charged with governance. Being able to have honest communication with the client in a relationship of mutual respect enables the auditor and the client to work through difficult issues, even those surrounding a potential qualified audit report. An example of this relationship can be seen in the story of a junior partner at a particularly difficult client meeting where an audit qualification was looking likely. They argued late into the night, with the client adamant that the auditors wanted to ruin him; eventually the client made an adjustment to avoid the qualification. The client survived and a couple of years later when it was time for that junior partner to rotate off the job, the client argued equally trenchantly to keep her as his auditor. After she stood her ground, the client gained great respect for her ability and judgement. ISA 260 (Revised) establishes mandatory requirements and provides guidance on communication between the auditor and those charged with governance. As with mandatory requirements for documentation, the communication of audit matters of interest to those charged with governance must happen at all stages of the audit. Who the auditor should communicate with The auditor is required to determine who, within an entity’s governance structure, is the most appropriate person(s) to communicate with. ‘Those charged with governance’ are the people within the organisation responsible for the strategic direction and obligations relating to the accountability of the entity. This includes overseeing the financial reporting process. Depending on the size of the entity and its governance structure, they may or may not be directly involved in management. Usually, those charged with governance include the board of directors. Where the appropriate person(s) is not clearly identifiable from the applicable legal framework or other engagement circumstances, the auditor needs to discuss and agree this with the engaging party. In deciding this, the auditor considers the entity’s governance structure and processes. The appropriate person(s) with whom the auditor should communicate may also vary depending on the matter to be communicated. Audit committees Larger entities typically have an audit committee, which is a subcommittee of the main board. When the auditor communicates with the audit committee, they would determine whether there is also a need to communicate with the main board. An audit committee (or similar subgroup with a different name such as audit and risk committee) is charged with the task of assisting the directors to meet their responsibilities relating to the integrity of financial reporting. While the existence of an audit committee does not change the directors’ responsibility for the financial statements, audit committees have an important role in overseeing the financial reporting and external audit. Audit committees, therefore, play an important role in contributing to audit quality. Where an audit committee exists, it is best practice to have a standing invitation for the auditor to attend the meetings of the audit committee and for the chair of the committee to liaise with the auditor periodically. The auditor also generally presents the annual ‘audit plan’ to the audit committee before the start of the audit. This details the auditor’s plan to address the risk of material misstatement, the auditor’s response to significant risks, the materiality thresholds and benchmarks applied, as well as other key information relevant to the audit that the auditor wishes to bring to the attention of the audit committee. The audit committee should also meet the auditor without management being present at least once a year. Typical areas of responsibility of an audit committee are illustrated in the following table: Area of responsibility Example Financial reporting Determining the appropriateness of accounting policies External audit Appointment and remuneration of auditors Risk management Identification of risks and oversight of the monitoring of risk treatment plans and maintenance of the risk register Internal control Ensuring effective controls are maintained Internal audit Overseeing the response to internal audit’s recommendations Compliance with laws and regulations Monitoring compliance with financial reporting regulations Ethics Implementing and maintaining whistleblower hotline Australia specific In Australia, the Listing Rules of the Australian Securities Exchange (ASX) require that companies of a certain size have a properly constituted audit committee. The committee should have enough members who are independent and have sufficient technical expertise in financial reporting to be able to perform their roles effectively. Companies included in the S&P All Ordinaries Index must have an audit committee that complies with the recommendations set by the ASX Corporate Governance Council about the composition and operation of the audit committee. An audit committee of these companies must consist of at least three members, all of whom are non-executive directors and a majority of whom are independent directors. It must be chaired by an independent director who is not the chair of the board. These companies also have disclosure requirements relating to the audit committee. New Zealand specific In New Zealand, the Listing Rules of the New Zealand Stock Exchange (NZX) require the issuer to have a properly constituted audit committee. The committee must consist of directors of the issuer, have a minimum of three members, a majority of members that are independent directors and at least one member with an accounting or financial background. What should be communicated ISA 260 (Revised) details issues that should be communicated to those charged with governance. At the planning stage of the audit, the auditor would communicate the following: • The auditor’s responsibilities for the financial statements audit including their responsibility for forming and expressing an opinion on the financial statements that have been prepared by management. Auditor’s responsibilities are typically included in the engagement letter or an annual arrangements letter in situations where a new engagement letter is not issued annually. • The fact that the audit of financial statements does not relieve management or those charged with governance of their responsibilities. • The planned scope and timing of the audit. This assists those charged with governance to better understand the auditor’s work and discuss potential risks with the auditor. Matters communicated may include: – auditor’s plan to address risks of material misstatement – auditor’s approach to internal controls – the application and concept of materiality in the audit – the nature of and need for the use of experts – for listed entities where ISA 701 applies, the auditor’s preliminary views of areas of significantauditor attention – implications of significant changes to the entity’s financial statements. Communicating as the audit is progressing ISA 260 (Revised) requires the auditor to communicate their significant findings and observations in a timely basis. This assists management and those charged with governance to fulfil their oversight obligations, and allows the opportunity for the financial statements to be adjusted before being finalised. Communication takes place throughout the audit. If the auditor has encountered a significant irregularity they would not wait until the end of the audit to communicate with those charged with governance. 1.3 Risk assessment Topic 1.1 explored that auditors must take a risk-based approach because of the inherent limitations of conducting an audit and introduced the concept of the audit risk model. Auditors are guided by the following questions: • What are the risks of material misstatement in the financial statements? • How have management addressed these risks? • How should the auditor respond to reduce the risk of material misstatement to an acceptable level? This topic focuses on how auditors perform risk assessment by using procedures and other related activities to gain an understanding of the entity and its environment. This understanding is used by the auditor to identify the risks of material misstatement in the financial statements and is important to enable the auditor to conduct a high-quality audit. The appropriateness and sufficiency of audit evidence depend on the auditor’s ability to identify and assess the relevant risks of material misstatement. The main Auditing Standard that addresses risk assessment is ISA 315 (Revised 2019). However, certain other standards are also relevant for risk assessment. These include ISA 240 on fraud, ISA 250 (Revised) on laws and regulations, ISA 540 (Revised) on accounting estimates, ISA 550 on related parties and ISA 570 (Revised) on going concern. The following table outlines the readings required for this topic: Relevant international Standards on auditing and local equivalents International Australia New Zealand ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements (ISA 240) ASA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report (ASA 240) ISA (NZ) 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements (ISA (NZ) 240) ISA 250 (Revised) Consideration of Laws and Regulations in an Audit of Financial Statements (ISA 250 (Revised)) ASA 250 Consideration of Laws and Regulations in an Audit of a Financial Report (ASA 250 (Revised)) ISA (NZ) 250 (Revised) Consideration of Laws and Regulations in an Audit of Financial Statements (ISA (NZ) 250 (Revised)) ISA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ISA 315 (Revised 2019)) ASA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ASA 315 (Revised 2019)) ISA (NZ) 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ISA (NZ) 315 (Revised 2019)) ISA 320 Materiality in Planning and Performing an Audit (ISA 320) ASA 320 Materiality in Planning and Performing an Audit (ASA 320) ISA (NZ) 320 Materiality in Planning and Performing an Audit (ISA (NZ) 320) ISA 540 (Revised) Auditing Accounting Estimates and Related Disclosures (ISA 540 (Revised)) ASA 540 Auditing Accounting Estimates and Related Disclosures (ASA 540 (Revised)) ISA (NZ) 540 (Revised) Auditing Accounting Estimates and Related Disclosures (ISA (NZ) 540 (Revised)) ISA 550 Related Parties (ISA 550) ASA 550 Related Parties (ASA 550) ISA (NZ) 550 Related Parties (ISA (NZ) 550) ISA 570 (Revised) Going Concern (ISA 570 (Revised)) ASA 570 Going Concern (ASA 570 (Revised)) ISA (NZ) 570 (Revised) Going Concern (ISA (NZ) 570 (Revised)) Risk in an audit context Risk is commonly defined as the ‘effect of uncertainty on objectives’, both positive and negative. In the context of a financial statement audit, auditors focus on a subset of risks relevant to the audit – the risks of material misstatement. A risk of material misstatement is a risk that could result in a material misstatement in the financial statements. In simple terms, auditors focus on those areas that could go wrong in the preparation of financial statements in line with the applicable financial reporting framework (eg IFRS). Business risks are those that may prevent an entity from achieving its objectives or executing its strategies. Business risks can result from external circumstances beyond an entity’s control – for example, a new competitor entering the market – or from an entity’s own actions and significant events or circumstances – for example, research and development of a new product line. A subset of business risks – those with potential financial implications that may result in the material misstatement of the financial statements – are relevant to the audit. The following diagram illustrates how auditors identify risks in a financial statement audit: 1.3.1 Risk assessment procedures and related activities Risk assessment procedures are designed and performed to identify and assess the risks of material misstatement. While this is a broad definition, the ISA 315 (Revised 2019) recognises the following specific methods. In practice, the auditor uses a combination of each of these methods when performing risk assessment procedures: Method Examples of what the auditor does Why does the auditor do this? Specific examples of risk assessment procedures Enquiries of management and others as appropriate, including internal audit (if the function exists) Verbal and/or written enquiries of management and others within the entity that are likely to have information relevant to the audit This helps the auditor to: • identify any additional risks not yet considered • confirm the understanding of risks that have been identified. Discussions with the CEO and CFO as part of a client audit planning meeting Enquiries of the audit committee during the auditor’s presentation of the client audit strategy Enquires of appropriate individuals within the internal audit function, if relevant Enquiries of those charged with governance, management and others within the entity about whether they know of any actual, suspected or alleged instances of fraud, as required by ISA 240 Interviewing personnel other than management (eg sales representatives, warehouse staff, junior members of the finance team, internal auditors) to corroborate discussions with management and information from other risk assessment procedures Analytical procedures (also known as ‘preliminary’ or ‘planning analytical procedures’) Evaluation of the entity’s available financial information against the auditor’s expectations by analysing plausible relationships between financial and non-financial data Identifying significant, unusual or unexpected items/amounts that may indicate risks of material misstatement warranting further investigation This allows the auditor to: • assess relationships between financial and non-financial data • understand the entity's business and significant transactions • identify additional risks of material misstatement. Comparing the dollar and percentage movement in current year-to-date versus prior year-to-date financial information and/or against budget/forecast Analysing directions or trends in key ratios over a period of time (eg monthly) Benchmarking an entity’s key financial measures and performance indicators against competitors or industry averages Using automated tools and techniques to analyse an entity’s transaction data set for an interim period to identify transactions with high-risk characteristics or to help identify the existence of unusual or unexpected relationships between accounts Performing analytical procedures over revenue accounts, as revenue recognition is a presumed fraud risk Observation and inspection Directly observing an entity’s personnel performing a process or procedure Looking at records and/or documents or sighting a physical asset This helps the auditor to: • identify any additional risks not yet considered • confirm the auditors understanding of risks that have been identified. Observing how senior management acts and conducts business Reading industry publications and media reports about the entity Reviewing minutes of management meetings and/or those charged with governance Inspecting an entity’s plant and equipment Reading correspondence with regulators, lawyers, lenders, external advisers and other stakeholders The auditor may already know quite a lot about the entity before the audit team performs any risk assessment procedures for the current year audit. This knowledge may come from: • considering client acceptance and continuance; for example, the auditor may be aware of the entity taking on new debt with restrictive covenants • the audit firm having audited the client for many years. The audit team would have documented this information in the audit file. For example, the auditor may be aware that there were a number of significant control deficiencies identified in the prior year • the audit firm having performed other engagements with the same client, such as other assurance or non-assurance engagements • some of the audit firm’s partners and staff having previously worked with members of the entity’s management team or those charged with governance through other engagements or in other roles • the audit firm having acquired information about the entity from external sources such as the regulators or the media. 1.3.2 Obtaining an understanding of the entity and its environment Understanding the entity and its environment is an important first step in performing a high-quality audit. As such, this is an area of focus for both the Australian Securities and Investments Commission and the New Zealand Financial Markets Authority when these regulators perform audit quality inspections. An auditor who lacks a proper understanding of the entity and its environment is unlikely to have appropriately identified and assessed the risks of material misstatement in the entity’s financial statements. The framework that ISA 315 (Revised 2019) presents for understanding an entity and its environment distinguishes between internal factors in the entity and external factors in the environment in which the entity operates. The following diagram summarises what the auditor needs to consider when performing risk assessment procedures: Understand internal factors at the entity Risks can arise from not only external factors, but also internal factors. Understanding internal factors such as the entity’s organisational structure, ownership and governance and business model, including the extent the business model integrates the use of IT helps the auditor identify potential risks of material misstatement. The following table shows how the nature of the entity can give rise to potential risks of material misstatement in the financial statements: Factor Examples of matters to consider Example Potential risks of material misstatement Organisational structure Is there a documented organisational chart? Is there a clear reporting structure? Do all employees have clearly defined job descriptions that have been communicated to them? An entity does not have a documented organisational structure and there is an unclear reporting structure and undefined roles. There could be a risk of fraud or error due to lack of review and governance controls. Ownership and governance Who owns the business? Is it publicly traded, few owners with significant interests, subsidiary of an overseas group? Who is charged with governance? Are there significant related parties? A single investment bank owns 40 per cent of the shares in a listed company. Two of the investment bank’s executives have been appointed to the company’s board of directors. Transactions with related parties may not be properly identified, recorded and disclosed. There could also be a risk of fraud due to unauthorised or non–arm’s length transactions with related parties. Business model, including the use of IT Is the entity reliant on a few key customers or suppliers? Is the entity reliant on a few key products or services? A key customer has gone into administration and is unlikely to be able to pay the amounts owing. The accounts receivable balance may be overstated and subject to impairment. In addition, the loss of a key customer may affect the entity’s ability to generate profits. The loss of a key customer may pose a going concern risk. Does the entity use commercially available accounting software or does it have a complex IT environment with highly customised IT applications? The entity has implemented a customised inventory management IT application. Risk of misstatement associated with inventory balances may be affected by weaknesses in either the general IT controls or application level controls over the new system. Is the entity using emerging technologies? The entity has commenced using robotics to automate a number of routine transactions processing. Risks for the financial statement may result from weaknesses in general IT controls. How is the business financed (eg equity, debt arrangements with complex covenants, working capital facilities such as factoring arrangements, leases, convertible notes, loan facilities)? A company has recently obtained new funding by issuing convertible notes. The classification of debt versus equity and current versus non-current liabilities may be difficult to determine and therefore recorded and disclosed incorrectly. Understand relevant industry, regulatory and other external factors Risks can arise from the entity’s industry, regulatory environment or economic conditions. Understanding these can help the auditor identify risks of material misstatement. Industry factors The following table outlines various industry factors, including the competitive environment and technological developments, that may be relevant to the audit: Factor Example Potential business risk Examples of potential risk of material misstatement Competition A clothes retailer operates in a highly price-competitive industry. Price competition may have an adverse effect on operating margins. Inventory may be overvalued. Demand Greater consumer awareness of the impacts of conventional farming practices has increased demand for products from a small organic dairy farm. Existing processes and controls may not be adequately designed and implemented for the higher volume of transactions resulting from increased demand. There may be an increase in potential for fraud risks. Seasonality A ski resort in Queenstown, New Zealand experiences seasonal demand as tourists visit during the winter ski season. Fluctuations in demand may have a negative impact on cash flows. Breaches of debt covenants may lead to misclassification of borrowings. Commodity prices Airline companies are highly dependent on jet fuel commodity prices, which are subject to volatility. Fluctuations in commodity prices may affect results, including cash flows. Financial instrument disclosures may be misstated. Technological developments Camera manufacturers need to transition to respond to increased demand for mirrorless cameras. Rapid technological changes may make the entity’s products obsolete. Inventory may be overvalued. Regulatory factors ISA 315 (Revised 2019) requires the auditor to understand the entity’s regulatory environment and ISA 250 (Revised) sets out the auditor’s responsibilities in relation to identifying material misstatement of the financial statements due to non-compliance with laws and regulations. Examples of understanding the regulatory environment include: • Regulatory framework for a regulated industry – for example, prudential requirements, including related disclosures. • Legislation and regulation that significantly affect the entity’s operations – for example, labour laws and regulations. • Taxation legislation and regulations. • Government policies currently affecting the conduct of the entity’s business, such as monetary, including foreign exchange controls, fiscal, financial incentives (eg government aid programs), and tariffs or trade restriction policies. • Environmental requirements affecting the industry and the entity’s business. The requirements of ISA 250 (Revised) can be summarised as follows: Laws and regulations that have a direct impact on the financial statements ISA 250 (Revised) requires the auditor to obtain sufficient appropriate evidence for compliance with laws and regulations that have a direct impact on the financial statements (ie laws or regulations affecting the determination of assets, liabilities and/or disclosures): Example Impact on financial statements Company law, such as the Corporations Act 2001 in Australia, or the Financial Markets Conduct Act 2013, the Financial Reporting Act 2013 and the Companies Act 1993 in New Zealand Sets the legislative criteria for determining whether an entity has statutory financial reporting requirements. In addition, company law often specifies the applicable financial reporting framework in that jurisdiction. There is a risk that the financial reporting framework may not be applied properly, resulting in material misstatement because of inaccurate or incomplete disclosures. Laws and regulations fundamental to the business, such as Australian financial services licence (AFSL) regulations, or the Reserve Bank of New Zealand (RBNZ) regulations for banks and insurance companies Additional operating and reporting obligations may be imposed. Non-compliance may result in material penalties that may require recording and/or disclosure in the financial statements. Income tax legislation, such as the Income Tax Assessment Act 1997 and Income Tax Assessment Act 1936 in Australia, or the Income Tax Act 2007 and the Tax Administration Act 1994 in New Zealand There is a risk that current tax expense and tax provision could be materially misstated. Other taxes applicable to the business, such as goods and services tax (GST), payroll tax, customs or import duties. These taxes may not be correctly accounted for and disclosed in the financial statements. For example, GST charged to customers and paid to suppliers is typically disclosed as part of sales and purchases in the statement of cash flows. The net amount of GST receivable from or payable to the tax authority is disclosed as part of receivables or payables in the statement of financial position. Laws and regulations that do not have a direct impact on the financial statements Where laws and regulations do not have a direct effect on the financial statements, the auditor is still required to make enquiries of management and inspect relevant correspondence with authorities to help identify non-compliance with laws and regulations. Examples of laws and regulations that may not have a direct impact on financial statements include workplace safety laws or environmental regulations. Other external factors Examples of other external factors that may be relevant to the auditors understanding include: • Changes in general economic conditions or interest rates, for example, an economy in recession. • Volatility in commodity prices or foreign exchange rates, for example, fluctuating gold prices for a gold mining company. • Lack of access to capital, for example, an entity needing to refinance debt in the next 12 months in an illiquid market. Risks arising from IT IT is a continually evolving area and is therefore an important element of understanding the internal environment at the entity. Risks arising from IT that are relevant to the audit can be broadly categorised into two types: • Data loss (including data corruption). • Unauthorised access to data. Example 1.7 discusses factors to consider in obtaining an understanding of the IT environment. Example 1.7 – Factors to consider in obtaining an understanding of the IT environment Non-complex Moderately complex Highly complex Type of entity A local catering business with fewer than 20 employees A small listed retail company with 30 stores across multiple states A listed multinational manufacturer IT infrastructure A single file server connected to a local area network of desktop computers Multiple dedicated servers in a single data centre located at head office Use of cloud-based ‘software as a service’ external provider for point-of-sales system End-user devices limited to desktop and laptop computers at head office (connected via a local area network with no VPN access) and internet-connected tablets at retail stores Multiple data centres located in different countries Heavy use of cloud-based technologies Remote network access using VPN technology Numerous end-user devices ranging from desktop computers to ‘BYO’ mobile devices Machines running both standard and non-standard installations of a variety of different operating systems Software applications All machines using standard installations of popular operating systems (eg Linux, Windows) Programs limited to standard installations of commercial off-the-shelf software (eg Microsoft Office, QuickBooks) and end-user developed applications (eg Excel spreadsheets) All machines using standard installations of popular operating systems Programs consisting of commercial off-the-shelf software with some customisation and end-user developed applications Interfaces between different software applications not automated, requiring manual steps to transfer data between applications A combination of proprietary and highly customised commercial off-the-shelf software applications and systems Transactions recorded in real time through online interfaces between numerous different software applications, including direct electronic data interchanges with customers and suppliers IT department One IT manager to administer all aspects of the IT environment IT budget is limited and not material as a proportion of the entity’s total expenses Outsourced support function for specialised software (eg QuickBooks) to software vendor Small number of IT staff organised into a simple team structure IT budget, as a proportion of the entity’s total expenses, not insignificant Outsourced support function for specialised software Simple applications or changes developed in-house, outsourced larger projects Large number of IT staff organised into many different divisions/sections IT budget significant proportion of the entity’s total expenses In-house support and maintenance of IT operations and infrastructure and development of applications Risks arising from IT often result from a change in the IT environment. Incomplete or inaccurate data can result in errors in financial information, which causes the financial statements to be materially misstated. Therefore, the objective of controls within the information system is to safeguard the entity’s data and ensure that data used to produce the financial statements is accurate and complete. To identify and assess risks due to data loss and unauthorised access to data, the auditor must understand how the entity stores data and the nature of the data. For example, data may exist as: • individual files generated by the user (eg Microsoft Excel spreadsheet) or a software application (eg an end-of-day batch file from a point-of-sale accounting system) • individual records within a data table as part of an application database (eg the selling price and quantity on hand of an individual stock item that is stored within a data table as part of the inventory module of an accounting system). Data may be stored in many different ways – for example, on the local hard drive of an employee, on the entity’s file server in the local area network or in the cloud, using a cloud-based service provider. How data is stored presents different risks. Consider, for example, the consequences of a situation where critical financial data is stored on an individual’s laptop computer, the data is not backed up and the laptop gets stolen. Example 1.8 – Risks arising from IT Situation Potential impact on the entity Unauthorised access to the entity’s IT system due to a security breach by hackers results in a loss of confidential customer data. Use of confidential customer data by hackers may pose a broader reputational risk. Financial implications may arise because of loss of customers or potential litigation costs. The entity has started to migrate its existing financial data to a cloud-based solution. Financial data migrated to the cloud could be inaccurate or incomplete, having an impact on the integrity of the entity’s financial statements. Cybersecurity risks Awareness of cybersecurity risks is growing and entities are placing increased emphasis on managing cybersecurity risks. As a result, the auditor’s role in the identification and assessment of these risks is also increasing. Effective entity level controls together with effective general IT controls (GITCs) contribute to protecting entities against cybersecurity threats. From the point of view of an auditor’s risk assessment, cybersecurity incidents could damage the reputation of an entity, result in the loss of data or in financial penalties. Cybersecurity incidents could directly affect the financial statements – for example, in a situation where an entity has disclosed a material contingent liability relating to a cybersecurity incident. Example 1.9 illustrates the impact of a complex organisational structure on the entity and takes a more detailed look at how a complex organisational structure can increase the risks of material misstatement. Example 1.9 – International Cookie International Cookie is a large multinational organisation with multiple subsidiaries, joint ventures and associates, and foreign operations. International Cookie has made a number of acquisitions and disposals over the last five years in response to increased competition in its industry. As a result of these acquisitions, International Cookie has recognised goodwill and other intangible assets that are material to the entity’s financial statements. International Cookie also uses foreign currency forward contracts to hedge its exposure to foreign currency risk. Potential risks of material misstatement in the consolidated financial statements of International Cookie that are associated with the entity’s complex multinational structure include: Not correctly identifying special purpose entities for consolidation, not correctly consolidating the subsidiaries or not correctly applying equity accounting for joint ventures and associates in line with the relevant Accounting Standards. Significant judgement being required in assessing whether goodwill or other assets are impaired in line with IAS 36 Impairment of Assets. Incorrectly translating foreign subsidiaries and operations in line with IAS 21 The Effects of Changes in Foreign Exchange Rates. Hedge accounting requirements being inherently complex. Not identifying and disclosing related parties and related party transactions in line with IAS 24 Related Party Transactions. Measurement and review of financial performance An auditor can gain valuable insight into the risks of an entity by understanding how its management and external stakeholders measure the entity’s financial performance. Both the internal measures used by management and the measures used by external stakeholders are likely to be important to the entity. These measures could motivate management to actively improve performance, or intentionally misstate the financial statements. In addition, the performance results themselves, such as trends in KPIs, may help the auditor identify potential risks. Similar to the selection and application of accounting policies, there are often industry-specific measures of financial performance that may be relevant to the entity. When the performance measures have been identified, the auditor may seek to understand: • how aggressively the targets are set and measured • whether the entity has a history of achieving targets • whether management's compensation is linked to performance measures. • This understanding may assist in the identification of risks of material misstatement. Factor Matters to consider Example Potential risks of material misstatement Internal performance measures KPIs, including key ratios, trends and operating statistics Period-on-period actual financial performance analyses (including against budgets, forecasts) Disaggregated financial information (eg by segment, product or other levels) Employee performance measures and incentive compensation policies Benchmarking against competitors An entity has decided to implement a cost-cutting initiative. Each manager is eligible to receive up to 50 per cent of their base pay as a bonus if they can reduce the operating expenses of their department by 20 per cent. Managers have an incentive to under-report expenses. There is a risk that expenses may be understated, as well as a risk that expenses are not complete. External performance measures Investment analyst reports Credit rating agency reports Industry research reports Investment analysts consistently focus on revenue targets for an entity experiencing rapid growth. There is a risk of improper revenue recognition to overstate revenues because of the pressure to meet revenue growth expectations. Applicable financial reporting framework and the entity’s accounting policies Many accounting policies set out in financial reporting frameworks are complex and involve considerable judgement. The auditor should understand the accounting policies the entity has selected and applied to help identify risks of material misstatement. The following table illustrates how an understanding of the applicable financial reporting framework and management’s selection and application of accounting policies can give rise to potential risks of material misstatement: Factor Example Potential risk of material misstatement Methods used to account for significant and unusual transactions An entity has acquired a new subsidiary and must account for the acquisition in line with IFRS 3 Business Combinations. In determining the fair values of the identifiable assets acquired and liabilities assumed, management has elected to estimate the fair value of a potential liability arising from an ongoing lawsuit by using a method that differs from normal practice. The liabilities assumed in the business combination may be understated, resulting in a potential overstatement of net assets and understatement of goodwill. Changes in accounting policies and the reasons for those changes An entity decides to measure its land and buildings at fair value in the current year. Previously, these assets were held at cost. Management has stated the reason for the change because of the significant appreciation in land value due to the current boom in the industrial real estate market. From other risk assessment procedures performed, the auditor notes the entity is subject to loan covenants, including a maximum debt-to-assets ratio. There may be a potential risk of material misstatement due to fraud as a result of fraudulent financial reporting. Management may have an incentive to overstate the value of land and buildings to remain compliant with loan covenants. Accounting principles and industry specific practices An entity purchases the rights to television programs for its television broadcasting business. In the television industry, program rights are accounted for as inventory under IAS 2 Inventories instead of IAS 38 Intangible Assets. Program rights may not be accounted for appropriately. The auditor also evaluates whether the selection of accounting policies is appropriate. The following are examples of considerations that may be relevant to this evaluation. • Is the accounting policy appropriate for the entity’s business? For example, a depreciation method that is not aligned to an asset’s expected use may not be appropriate. • Is the accounting policy consistent with the applicable financial reporting framework? For example, using an accelerated tax depreciation method for an asset may not be consistent with the financial reporting framework. • Is the accounting policy consistent with industry norms? For example, it may not be appropriate for an entity that is not a retailer to use the retail method for inventory. How inherent risk factors affect susceptibility of assertions to misstatement of the financial statements Understanding the entity and its environment, and the applicable financial reporting framework, helps to identify events or conditions that may affect the susceptibility of assertions about disclosures of misstatement. The characteristics of these events or conditions are known inherent risk factors; for example, significant uncertainties are associated with the assumptions used in determining a mine site rehabilitation provision. The effect of these inherent risk factors can influence the: • extent of susceptibility of a class of transaction, account balance or disclosure to misstatement • need to apply greater professional scepticism • opportunity for management bias. Example 1.10 – Impact of COVID-19 on auditor’s risk assessment COVID-19 had a profound impact on the way people conceive risk, according to Fiona Campbell, FCA, EY Oceania Audit Partner, and this will unavoidably affect the way auditors perform risk assessments. ‘Auditors will think differently from now on’, says Campbell. This COVID-effect will have an impact on every audit, from large corporations through to SMEs. ‘Before 9/11 no-one ever imagined an airplane flying into a building. In the same way, pre-COVID-19 no-one ever imagined a pandemic could have such a profound global effect’, says Campbell. ‘Everyone will reconsider what’s possible, and what has a reasonable likelihood of happening.’ 1.3.3 Materiality In auditing, the concept of materiality recognises that some matters, either individually or in aggregate, are important to users making economic decisions based on an entity’s financial statements. This could include decisions about investing in, purchasing from, doing business with or lending money to, an entity. When a misstatement or omission of information in the financial statements is significant enough to change or influence these decisions, a material misstatement has occurred. Determining materiality requires the auditor to consider both quantitative and qualitative aspects of the financial statements. It requires judgement based on the facts and circumstances of each particular audit – including understanding the needs of the users of the financial statements – and should not be seen as a basic calculation. How materiality is used throughout the audit Applying the concept of materiality appropriately enables the auditor to focus their attention and effort on the high-risk areas of the entity’s financial statements. Specifically an auditor applies the concept of materiality throughout the audit process as follows: Source: Adapted from IFAC 2011, Guide to using ISAs in the audits of small- and medium-sized entities, 3rd edn, vol 1, Exhibit 7.0-1, p 87 Note: This chapter does not cover the consideration of materiality in the reporting phase. This will be discussed in Topic 3.1. Materiality levels As part of planning the audit, an auditor uses professional judgement to determine materiality. This includes establishing various materiality levels. These can be described as: • Overall materiality – materiality for the financial statements as a whole. • Performance materiality – lower level than overall materiality to address the risk associated with the aggregation of individually immaterial items. • Lower materiality for particular accounts or disclosures – may be classes of transactions, account balances or disclosures where lesser amounts than overall materiality could influence the economic decisions of users. • Clearly trivial – threshold below which the auditor does not accumulate misstatements. As materiality is based on the auditor’s professional judgement and is used by all members of the audit team throughout the audit, it is important the amounts determined for the various levels of materiality are documented in the audit file, along with the rationale supporting the significant judgements made in determining each amount. Overall materiality Overall materiality refers to materiality for the financial statements as a whole. It is the dollar amount the auditor sets for the financial statements, above which any misstatement (individually or in aggregate) would result in the financial statements being materially misstated. Audit firms have specific methodologies to assist the auditor in determining overall materiality based on the facts and circumstances of the audit. When applying these methodologies, it is important to keep in mind the objective for determining materiality – the threshold of what would change the economic decisions of users, rather than a calculation to arrive at a number. It is also important to consider the qualitative aspect of material misstatements and to consider misstatements or omissions of facts in disclosures. Determining overall materiality A numerical threshold (benchmark) is used as a starting point. A percentage is then applied to the chosen benchmark to determine overall materiality. The benchmark and the percentage to be applied are both based on the auditor’s professional judgement in light of the understanding of the entity and its environment. Selecting an appropriate benchmark The benchmark selected should be appropriate for the circumstances of the entity. Examples of potential benchmarks include the following: • Profit before tax. • Total revenue. • Gross profit. • Total expenses. • Net assets. When identifying an appropriate benchmark to use, an auditor would determine who the likely users of the financial statements are and consider matters such as those outlined in the following table: Factors to consider when identifying an appropriate benchmark Factors Considerations Users’ primary focus Information in the financial statements that is of the most interest to users. For example: • Users interested in evaluating financial performance will focus on profits, revenues or net assets. Profit before tax from continuing operations is commonly used as a benchmark for profit-focused entities. • Users interested in the resources used to achieve certain goals will focus on the nature and extent of revenues and expenditures, for example, in not-for-profit entities. Relevant elements of financial statements The major elements of the financial statements that will be of interest to users of the financial statements (eg assets, liabilities, equity, income and expenses) Nature of the entity The nature of the entity, where it fits in the life cycle (ie whether it is growing, mature, declining, etc) and the industry and economic environment in which the entity operates Financing How the entity is financed If financed solely by debt (rather than equity capital), users of the financial statements may put more emphasis on the pledged assets, cash flows and any claims rather than on the entity’s earnings. Volatility The volatility of the proposed benchmark A benchmark based on profit before tax might normally be an appropriate choice, but if the entity is operating close to its break-even point each period (eg making small profits or losses) or its results fluctuate widely (eg is volatile), this benchmark may not be an appropriate base for determining materiality. In this case, revenue may be a more appropriate benchmark if an earnings benchmark is still relevant. Alternatives Whether an alternative benchmark is necessary to address special circumstances Alternative benchmarks could include current assets, net working capital, total assets, total equity and cash flow from operations. Source: Adapted from Glynn, K and Bester, B 2017, Australian audit manual and toolkit 2017: For small and medium sized entities, 7th edn, Thomson Reuters, Australia, Exhibit 21.2–2, pp 363–5 Once an appropriate benchmark is identified, relevant financial data is used to calculate that benchmark amount for the audit client. With much of the planning procedures performed before the entity’s year end, it is common practice for the auditor to calculate base materiality on prior period financial results, forecast for the current period or an extrapolation of period-to-date results. Materiality may need to be revised, once actual annual results are available. Example 1.11 – Financial information for the materiality benchmark It is 15 May 20X3, AuditAU is determining materiality for the audit of an entity with a 30 June 20X3 year end. Net profit before tax has been selected as the benchmark. The following financial information is available: Actual for the 10 months to 30 April 20X3: $2.5 million – the auditor extrapolates this to $3.0 million for 12 months to 30 June 20X3 ($2.5 million /10) x 12. Actual for the year ended 30 June 20X2: $2.1 million, from the prior year financial statements. Forecast prepared by the entity as at 31 March 20X3 for year to 30 June 20X3: $2.9 million – AuditAU compares the amount for April 20X3 included in the forecast to the actual result for April 20X3 and notes there was very little difference between them. AuditAU determines that even though all three amounts could be used as the basis for net profit before tax in the determination of overall materiality, in their judgement the most appropriate amount to use is $2.9 million. In July 20X3, the actual net profit before tax for the year to 30 June 20X3 in the draft financial statements prepared by the entity was $3.1 million. AuditAU is satisfied that no revision to the overall materiality amount that had been initially determined at planning is necessary as a result of the actual net profit before tax. The rationale for this is that the difference between the $2.9 million used at planning and the actual of $3.1 million was not significant enough in accordance with Audit AU audit methodology to warrant a change as this is an area of professional judgement and the materiality amount used for the audit was a lower amount anyway. There may be certain circumstances that may lead the auditor to conclude that they should use a ‘normalised’ benchmark base where this is considered a more appropriate representation of ‘continuing operations’ for the entity. For example, net profit before tax could be adjusted for: • any significant unusual or non-recurring revenue/expense items • items such as management bonuses, which may be based on profits before the bonuses or simply paid out to reduce any income left in the company. Example 1.12 – Materiality and ‘one-off’ expenses MyMine Ltd has been affected by a significant environmental issue at one of its mine sites and has incurred a one-off impairment charge of $4 million during the year. This resulted in a profit before tax of $6 million. The audit partner has adjusted the profit before tax upwards by $4 million, resulting in a profit before tax of $10 million being used as the benchmark in determining overall materiality. The audit partner believes this is a one-off cost to the business and adjusting for the impairment gives a more appropriate representation of the continuing performance of MyMine Ltd to be used in the determination of overall materiality. Selecting an appropriate percentage The selection of an appropriate percentage to be applied to the nominated benchmark also requires professional judgement. The following table sets out the benchmarks and percentages commonly used in practice to determine overall materiality: Benchmarks and percentages commonly used to determine materiality Type of entity Possible benchmarks Typical range for percentage to apply to overall materiality Publicly listed entities Profit before tax from continuing activities 3–10% Privately owned entities Total revenue or Profit before tax 0.5–2%  3–10% Not-for-profit entities Income or Total expenses 0.5–2% 0.5–2% Owner-managed entities Profit before owner remuneration and tax 3–10% Asset/investment-based entities Total assets 0.5–2% Example 1.13 – Determining overall materiality for a listed entity For listed for-profit entity Pareto Project Pty Ltd, the users of its financial statements are likely to be focused on profit. Therefore, ‘profit before tax from continuing activities’ is likely to be an appropriate benchmark to use. In deciding the percentage to be applied to this benchmark, because Pareto Project Pty Ltd is listed, the auditor would consider three factors: a larger volume of users (shareholders), more regulation and a higher pressure to meet financial expectations. These factors would typically result in the auditor choosing a lower percentage – for example, 3 per cent – to apply to the chosen benchmark. Example 1.14 – Overall materiality TRUEAudit’s audit methodology for determining materiality identified profit before tax as an appropriate benchmark and 7 per cent as an appropriate percentage to apply based on the nature of the entity and the relevant facts and circumstances. Forecast profit before tax was $3.2 million for the year, which was an increase from $2.5 million and $2.6 million from the two prior years. The audit partner determined that an overall materiality of $200,000 was appropriate. This was slightly lower than the $224,000 calculation of 7 per cent of $3.2 million, on the basis that the increased profit in the current year may not be representative and that $200,000 was an appropriate amount to reflect the economic decisions users of financial statements. Performance materiality The auditor uses performance materiality to: • assess risks of material misstatement • plan and perform audit procedures. Performance materiality is based on overall materiality but set at a lower amount to allow for aggregation risk. Aggregation risk is the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial report as a whole. Using this lower level of materiality instead of overall materiality reduces the probability that the total amount of uncorrected and undetected misstatements exceeds overall materiality, resulting in the financial statements being materially misstated. This can be illustrated as follows: Source: IFAC 2011, Guide to using ISAs in the audits of small- and medium-sized entities, 3rd edn, vol 1, Exhibit 7.5-3, p 95 Example 1.15 – Performance materiality Assume that overall materiality for an audit is set at $200,000. If audit procedures were planned to detect individual misstatements in excess of $200,000, it is possible that a misstatement of $160,000, for example, may go undetected. Assume that three misstatements exist of $160,000, $60,000 and $50,000 respectively (ie $270,000 in total). As each of these amounts individually is below $200,000, the auditor may not select them for testing and therefore there may be material misstatements of the financial statements that go undetected. However, if performance materiality is set at $150,000 (75% × $200,000), the audit procedures should detect the misstatement of $160,000. The total of the remaining misstatements that may be undetected of $110,000 is less than the overall materiality. Determining performance materiality ISA 320 gives no specific guidance on how to calculate performance materiality (ie the extent of this reduced amount). This is left to the auditor’s professional judgement and is affected by issues such as the: • auditor’s understanding of the entity, for example, deficiencies in the control environment • auditor’s experience in prior year audits, for example, deficiencies identified in control activities • nature and extent of misstatements identified in prior year audits • auditor’s expectations in the current year, for example, level of turnover of key financial reporting personnel. Based on an understanding of these points, the auditor can assess the level of aggregation risk. The following table gives some percentages that are commonly used in practice to determine performance materiality: Percentages commonly used to calculate performance materiality Level of aggregation risk Typical range of performance materiality as a percentage of overall materiality High 50–60% Medium 65–75% Low 75–90% These percentages are only guidelines, based on common practice. Different audit firms will have different percentages in their methodology. Lower materiality for particular accounts or disclosures There may be instances of misstatements where the amounts are less than the overall materiality that would affect the economic decisions of users of the financial statements. Such misstatements could relate to sensitive areas, such as particular note disclosures about senior executives’ remuneration. Examples of possible accounts or disclosures where a lower materiality amount may be considered appropriate are as follows: Factor Examples Laws, regulations and accounting framework requirements Sensitive financial statements disclosures, such as the remuneration of management and those charged with governance Related party transactions Non-compliance with loan covenants, contractual agreements, regulatory provisions and statutory/regulatory reporting requirements Certain types of expenditure, such as executives’ expenses Key industry disclosures Reserves and exploration costs for a mining entity Research and development costs for a pharmaceutical entity Disclosures of significant events and important changes in operations Newly acquired businesses or expansion of operations Discontinued operations Unusual events or contingencies (ie lawsuits) Introduction of new products or services Clearly trivial misstatements Misstatements that are clearly trivial will be of an insignificant dollar value. What is insignificant is determined by the audit partner using their professional judgement and the audit firm’s guidance. It is not necessary to record clearly trivial amounts on the summary of misstatements. They are not considered in the overall evaluation of whether the financial statements are free of material misstatements. Example 1.16 – Clearly trivial misstatements In line with TRUEAudit’s methodology, amounts below 10 per cent of overall materiality are considered ‘clearly trivial’. Overall materiality was determined to be $100,000. The clearly trivial amount was set at $10,000. The auditor identifies a misstatement of $6,000. The auditor considers the reasons for the misstatement to identify any possible control deficiency or whether the misstatement is a one-off, but as it is below the clearly trivial threshold, it is not included on the summary of audit misstatements. Revising materiality during an audit When the auditor establishes materiality as part of planning, it is done on the basis of information known at the time and considering events that are expected to occur. As the audit progresses: • Further information may come to light about the entity. • Changes may arise in the underlying amounts used to determine materiality. • Findings may emerge from performing audit procedures. In light of this, the auditor may consider it appropriate to revise the initial materiality levels. Example 1.17 – Materiality Manufacturall Pty Ltd, a listed for-profit entity in the manufacturing industry, which has a history of effective internal controls and unmodified auditor’s reports, has the following financial information for the year ended 30 June 20X3: Revenue = $120 million. Net profit before tax = $16.4 million. Total assets = $150 million. Net assets = $80 million. The current economic climate is stable and the entity’s results are comparable with its competitors in the industry. Manufacturall Pty Ltd is made up of four main divisions. Since the last reporting period, the entity has commenced restructuring one of these divisions and recognised a restructuring provision of $800,000, to take advantage of synergies within the group. Materiality levels determined by the auditor and rationale Overall materiality Benchmark selected: Net profit before tax – $16.4 million Rationale: As the entity is a listed for-profit entity, users of its financial statements were considered to be primarily focused on profit. The stable economic environment and the company’s results were comparable with its competitors. The benchmark is unlikely to be volatile. Percentage to apply: 5 per cent Rationale: Being a listed entity, there is a larger volume of users (shareholders), more regulation and a higher pressure to meet financial expectations. Overall materiality: $800,000 ($16.4 million × 5% = $820,000, judgementally set at $800,000) Rationale: The auditor is satisfied that this is a reasonable amount to use as overall materiality as a threshold for changing the economic decisions of users of the financial statements. The slightly lower amount of $800,000 has been determined to be appropriate as this is a judgemental area and a round sum amount is more reasonable to assess. Performance materiality Percentage to apply to overall materiality: 75 per cent Rationale: Factors leading to the low level of aggregation risk – Stable economic environment. – Entity’s effective internal controls. – History of unmodified auditor’s reports. Performance materiality: $600,000 ($800,000 x 75%) Lower materiality for a particular account balance The auditor determines that the restructuring of one of the entity’s main divisions is a significant operational change and, as such, is expected to be a key focus area for users of the financial statements. Therefore, the auditor considers that a materiality level lower than overall materiality of $800,000 is appropriate to apply to the restructuring provision. Using their professional judgement based on understanding the entity and its environment and the expectations of users, the auditor determines that a materiality level of $500,000 is appropriate to apply. Clearly trivial amount The audit firm’s methodology specifies that the clearly trivial amount should be no higher than 5 per cent of overall materiality. This would be $40,000 ($800,000 x 5%). This is also an area of professional judgement and the auditor determines that, in their judgement, a clearly trivial threshold of $25,000 is appropriate. 1.3.4 Identifying and assessing risk The first step in identifying and assessing risk, is to identify the population of risks of misstatement. Having identified risks of misstatement, the auditor identifies risks of material misstatement and then a further subset, significant risks. Identifying risks of misstatement Risks of misstatement are risks that could result in a misstatement in the financial statements. They could arise at: • financial statement level – for example, weakening economic conditions • assertion level – for example, revenue on a complex contract being inappropriately recognised. The auditor uses the understanding gained from risk assessment and related procedures to identify risks of misstatement. This includes significant classes of transactions, account balances and disclosures. Determine risks of material misstatement The auditor determines risks of material misstatement by considering the likelihood and magnitude of potential misstatements that could arise from each risk. This assessment is performed for significant classes of transactions, account balances and disclosures. The auditor uses professional judgement that involves considering qualities such as: • Size and/or volume. • Nature and composition. • Complexity. • Degree of judgement. Risk of misstatement Related account balance and assertion Considerations Assessment of risk of material misstatement Example 1 Prepaid expenses do not exist. Existence of prepaid expenses Account balance is below materiality, large volume of small routine items, little complexity or judgement. Not assessed as a risk of material misstatement based on the low value and large, routine volume of transactions and low level of complexity. Example 2 Indicators of events or conditions that may cast significant doubt about the entity continuing as a going concern are not completely identified. Pervasive impact to the going concern assumption for the preparation of the financial statements The entity is operating in depressed economic conditions for the first time in many years and the entity does not have a robust process in place to identify possible events or conditions. Assessed as a risk of material misstatement based on the potentially large and pervasive impact on the financial statements. Significant risks Once the auditor has identified the risks of material misstatement, ISA 315 (Revised 2019) requires the auditor to assess whether those identified risks are at the assertion level or at the financial statement level. Certain risks of material misstatement are identified as being significant risks. A significant risk is a risk of material misstatement the auditor gives special audit consideration to because of the nature of the risk or the likelihood and magnitude of misstatement related to the risk. Significant risks can result from a high degree of complexity, subjectivity and/or estimation uncertainty, or from fraud. Special audit considerations relate to designing the nature, extent and timing of audit procedures to obtain more persuasive audit evidence. Risks of material misstatement at the financial statement level Risks of material misstatement can be identified at either the financial statement level or the assertion level, depending on the nature and significance of the risk. For example: • Non-compliance with laws and regulations with regards to the form and contents of the financial statements (eg non-compliance with disclosure requirements under the applicable financial reporting framework) would be a risk at the financial statement level as it affects the whole of the financial statements. • Non-compliance with specific provisions of tax legislation could be a risk at the assertion level as it may affect only tax related balances. Risks of material misstatement at the financial statement level relate pervasively to the financial statements as a whole, and potentially affect many assertions. They can arise from issues such as a deficient control environment, fraud risks or external factors such as a declining economic environment. They are identified separately from risks at the assertion level, as the appropriate response to a risk at the financial statement level is typically an ‘overall response’ such as changing the composition of the engagement team to involve more experienced members. Risks of material misstatement at the assertion level Risks of material misstatement at the assertion level relate to specific classes of transactions, account balances and disclosures. They can arise from misstatements in the application of the financial reporting framework, for example, IFRS. For these risks the auditor identifies relevant assertions and the significant classes of transactions, account balances and disclosures that the risk may affect. Identifying relevant assertions Thinking about the types of potential misstatements in the financial statements enables the auditor to identify the risk at a more granular level. Assertions are used to classify these types of potential misstatements. Paragraph A190 of ISA 315 (Revised 2019) provides descriptions of assertions for classes of transactions, disclosures and account balances. Audit firm methodologies may describe and group assertions differently; this is permitted under ISA 315 (Revised 2019) as long as all the relevant characteristics of the financial information are covered. In Audit and Risk Candidates must use the ISA 315 (Revised 2019) assertions. When identifying risks of material misstatement at the assertion level, it is important to consider the specific assertion(s) relevant to the identified risk. By thinking about ‘what could go wrong’ in the financial statements because of the risk, the auditor can determine the specific accounts, disclosures and assertions that may be affected. Not all assertions will be relevant. For example, the auditor may determine there is no risk of material misstatement related to the completeness of revenue; however, there may be a risk of material misstatement for occurrence of revenue. Assertions help the auditor to develop an appropriate response by more narrowly defining the risk when designing audit procedures – for example, completeness of the provision for litigations and claims against the entity. Example 1.18 illustrates risks of material misstatement and relevant assertions for an audit of a not-for-profit entity. Example 1.18 – Relevant assertions Good Deeds is a charity that receives income from fundraising activities. A significant portion of its revenues consists of physical cash donations collected by casual volunteers. All donations are deposited into the same bank account. From time to time Good Deeds also receives donations of goods at significant discounts to market value or for free. Donated goods are initially recognised as part of inventories or prepayments, then included in program expenses when the donated good or service is used in a Good Deeds charity program. Some donors require their donations to be used for a specific Good Deeds program rather than to cover the charity’s general and administrative costs (however, there is no ‘use or return’ condition attached to these donations). These donations are recognised as revenue when received and transferred to a restricted donations reserve within equity. When the donations have been used for the specified purpose, the corresponding amount is disclosed as a reduction in the restricted donations reserve. As part of its financial reporting obligations, Good Deeds must disclose information about what percentage of its income goes towards the beneficiaries of its charity programs and what percentage of its income is used to cover overheads and other administrative costs. The following table gives an example of risks of material misstatement and the relevant assertion that has been identified for each risk: Risk of material misstatement Relevant assertion(s) Management has the incentive to report expenses as program expenses, rather than general and administrative expenses, to appear more efficient at using donor funds. Classification of expenses Management has the incentive to under-report revenues to create or enhance the impression of needing new/continued/greater financial support from donors. Completeness of revenues There is a lack of robust controls over the collection of physical donations by volunteers, which increases the risk of misappropriation of cash. Completeness of cash Completeness of revenues Donated goods or services received for nil or nominal consideration or at a significant discount are not accounted for in line with Accounting Standards. Accuracy of revenues and expenses Accuracy, valuation and allocation of inventories and prepayments The nature and purpose of the restricted donations reserve may be not be properly disclosed in the financial statements. Presentation of restricted donations reserve Assessing inherent risk While different audit firms use different terminology to assess inherent risk and ISA 315 (Revised 2019) discusses the degree of judgement involved and a spectrum of inherent risk, in this subject candidates should assess inherent risk as either ‘low’ or ‘high’. The following diagram identifies the considerations when assessing inherent risks: Use of data analytic techniques to assess the risk of material misstatement In addition to being used to perform substantive audit testing, data analytic techniques can be used to identify and assess risks of material misstatement. For example, data analytic techniques can be used to flag specific transactions for investigation, identify fraud, perform correlation analysis based on known patterns and trends. Example 1.19 illustrates using data analytic techniques to identify and assess risks of material misstatement and relevant assertions for an audit. Example 1.19 – Using data analytics in risk assessment Retail Co. is a for-profit entity in the retail industry with a 31 December 20X3 year end. Based on ACA’s understanding of the entity and its environment, Retail Co. has been in its mature stage of its life cycle for several years and the gross margin tends to range from 30 per cent to 35 per cent. As part of the planning and risk assessment phase of the audit, Adds Chex Accountants (ACA), obtained the monthly revenue and cost of sales data. ACA’s initial plan is to rely on controls for both revenue and cost of sales. Expectation ACA expects that gross margin will continue to range from 30 per cent to 35 per cent and the 20X3 monthly trend will largely follow the 20X2 monthly trend. Results Using the charts tools in Microsoft Excel, ACA prepared the monthly gross margin analysis. Observations The monthly trend and gross margin for the period January 20X3 to August 20X3 are in line with expectations. However, there appears to be significant fluctuation and unusual activity from September 20X3 to December 20X3, where the gross margin has dipped as low as 26 per cent in September 20X3 and has subsequently peaked as high as 39 per cent in October 20X3. This fluctuation continued during November 20X3 and December 20X3. These movements indicate a potential cut-off issue. Interpretation and investigation considerations Has there been a break-down in any controls that address the cut-off risk for revenue or cost of sales? Does this also indicate a break-down in any other controls? Is there any evidence of management override of controls? Were there any changes to the financial reporting process or personnel from September 20X3? Were there any changes to inventory cost or inventory costing methods used from September 20X3? What is the magnitude of the potential error on the 31 December 20X3 figures? Audit plan impact Subject to the outcome of further discussions with management and investigations, ACA may need to modify the audit plan. For example, if there is an expected break-down in the controls surrounding the cut-off assertion for revenue and/or cost of sales, ACA will not be able to rely on controls as initially planned and may therefore need to consider taking a substantive approach when addressing the cut-off assertion for revenue and cost of sales. 1.3.5 Specific topics important to risk assessment Certain Auditing Standards contain requirements and guidance that need to be specifically considered as part of risk assessment. These are given in the following table: Topic Why relevant for risk assessment Auditing Standard Fraud As fraud is an intentional act and may involve collusion with others, misstatements due to fraud are often harder for the auditor to detect than misstatements arising from errors. They may have a pervasive impact on the financial statements and may result in misstatements that are material to the financial statements. ISA 240 Accounting estimates These amounts that may need to be included in the financial statements cannot be precisely measured; they can only be estimated by management using selected methods, data and assumptions. As a result, accounting estimates are inherently susceptible to error and/or possible fraud, due to management bias. ISA 540 (Revised) Related parties Related party relationships and transactions involve control or significant influence by one party over another and, hence, present a greater opportunity for collusion, concealment or manipulation by management. There is an inherent limitation in the auditor’s ability to detect undisclosed related party transactions. ISA 550 Going concern Under the going concern basis of accounting, management prepares the financial statements based on the assumption that the entity will continue its operations for the foreseeable future. When an entity can no longer continue as a going concern, its stakeholders are likely to suffer a range of losses as a consequence. The impact of the going concern assumption being inappropriate is likely to be pervasive and significant. ISA 570 (Revised) Fraud Contrary to public perception, the primary responsibility for the prevention and detection of fraud rests with management and those charged with governance, not the auditor. Rather, the auditor’s responsibility is to obtain reasonable assurance that the financial statements are free from material misstatement, whether caused by fraud or error. As part of risk assessment procedures, the auditor identifies fraud risk factors based on an understanding of the entity and its environment. Appendix 1 of ISA 240 gives examples of fraud risk factors and guidance on the conditions, opportunities and attitudes that may lead to someone committing fraud. Certain areas are important to consider in risk assessment related to fraud. These are: • Revenue recognition. • Management override of controls. • Related parties. Risk of fraud in revenue recognition Fraudulent financial reporting often involves improper revenue recognition, as revenue is a common key financial performance indicator and has a significant impact on profitability. As a result, ISA 240 contains a presumption that there is a risk of fraud in revenue recognition by default. ISA 240 also requires the auditor to specifically evaluate how revenue may be misstated as a result of fraud given the specific facts and circumstances of the entity being audited. Note that the Standard does acknowledge that the auditor may be able to rebut the presumed risk of fraud relating to revenue recognition in some circumstances where this is supported by the facts. Risk of management override of controls The risk of an auditor not detecting a material misstatement due to fraud is even greater when the fraud is carried out by management rather than other employees. Management is in a unique position to manipulate accounting records and override controls procedures designed to prevent errors or fraud being made by other employees. Therefore, the auditor always considers the risk of fraudulent financial reporting due to potential management override of controls. Such a risk is considered a significant risk and the auditor performs further audit procedures to respond to the risk. Example 1.20 – Lehman Brothers Lehman Brothers was a global financial services firm based in New York. It was one of the largest investment banks in the United States. During the 2008 financial crisis, it was discovered that the company had hidden over US$50 billion in loans. These loans had been disguised as sales using accounting loopholes. According to an Securities and Exchange Commission investigation, the company had sold toxic assets to banks in the Cayman Islands on a short-term basis. It was understood that Lehman Brothers would buy back these assets. This gave the impression that the company had $50 billion more in cash and $50 billion less in toxic assets. In the aftermath of the scandal, Lehman Brothers went bankrupt. Accounting estimates By their nature, accounting estimates are subject to factors that inherently drive risks of misstatement, such as estimation uncertainty, complexity and subjectivity. The following diagram shows the steps involved when management makes an accounting estimate: The following table outlines the inherent risk factors an auditor considers when assessing the inherent risk of an accounting estimate: Inherent risk factor What it means Matters to consider Estimation uncertainty How difficult it is to measure or predict an estimate precisely Whether the inputs used for the estimate can be directly observed or whether there is a need to apply a method to determine the estimate Whether the outcome of the estimate can be observed after the date of the financial statements but before these are finalised and approved Whether reasonably accurate predictions can be made for each individual amount requiring estimation, or whether amounts can only be estimated as a collective group Complexity How difficult it is to obtain relevant and reliable data and/or to select and apply an appropriate method or model As complexity increases, so does the risk of material misstatement. The number of inputs used, including the proportion of assumptions versus data or derived data The nature of the interrelationship between inputs (eg linear or non-linear) How difficult it is to identify, capture, access or understand the data used for inputs, and whether multiple data sets are required The need for specialised skills and knowledge, or valuation concepts and techniques Whether the method and/or calculations used to determine the estimate can be easily understood Subjectivity Inherent limitations in the knowledge or data that is reasonably available when making the estimate As subjectivity increases, so does the risk of material misstatement. Whether or not the applicable financial reporting framework specifies a choice of measurement basis, methods or inputs Where inputs can be directly observed, the range of potential sources of data Where inputs are not observable, the range of assumptions that could be made using the best available data Where inputs include forward looking assumptions, the length of the forecast period in the assumptions The sensitivity of the estimate to changes in the input(s) used or methods applied, ie the range of reasonably possible outcomes from which management can select a point estimate consistent with the requirements of the applicable financial reporting framework The degree to which historical data and other knowledge is predictive of future events or conditions, taking into account changes in the entity and its environment Management bias Whether or not management is neutral when making the estimate Management bias can be intentional (fraud) or unintentional The degree of subjectivity inherent in the estimation process (eg assumptions not based on observable inputs) The consistency of inputs used in the estimate relative to the same factors observed or used in other areas of the entity (eg revenue growth in a discounted cash flow model compared to next year’s sales target) How management’s estimate in prior periods compare to actual outcomes Considered for each element (input) of the estimate, the estimate as a whole and estimates in aggregate Example 1.21 – Estimating the warranty provision for a technology company that manufactures and sells microphones Scenario 1 The warranty provision is calculated using a spreadsheet model developed by the CFO a number of years ago and has not changed. The model is reasonably basic with few inputs that are updated manually by the CFO on a quarterly basis. The model has separate calculations and uses different assumptions based on the different microphone ranges. The key assumptions used in the model are the percentage return rate and the estimated repair/refund cost. The key data input to the model is the prior quarter’s sales by product range. The warranty provision is approximately two times materiality. There have been no changes in the key assumptions from the prior period, the level of sales has remained relatively consistent and historically the provision has been in line with the actual warranty expense. Based on these factors, the inherent risk for estimating the warranty provision is likely to be assessed as low. Scenario 2 The warranty provision is calculated using a spreadsheet model developed by the CFO a number of years ago and has not changed. The model is reasonably basic with few inputs that are updated manually by the CFO on an annual basis. The model uses the same assumptions for all products. The key assumptions used in the model are the percentage return rate and the estimated repair/refund cost. The key data input to the model is the last 12 months’ sales. The warranty provision is approximately five times materiality. The key assumptions are revised each year based on the CFO’s expectation of the likely future levels of warranty claims. A new product was released towards the end of the period using a new technology. Historically the warranty expense has varied significantly each period. Based on these factors, the inherent risk for estimating the warranty provision is likely to be assessed as high. Related party relationships and transactions As related parties are not independent of each other, and often have control or significant influence over each other, related party transactions often present a higher risk of material misstatement due to fraud than transactions with unrelated parties. For example, there may be complex legal structures established or transactions may not be under normal market terms and conditions. In addition, most financial reporting frameworks require specific disclosures for related party relationships and transactions to enable the users of financial statements to understand the nature of related parties and related party transactions and the actual and potential effects on the financial statements. When performing risk assessment procedures, the auditor obtains an understanding of the related party relationships and transactions and assesses the risk of material misstatement, including any potential fraud risks. Examples of fraud perpetrated though related parties include the following: • Directing the entity to settle transactions for the benefit of the related party entities in which the perpetrator has a financial interest. • Disposing of unwanted liabilities and poor-quality assets from the statement of financial position to a related party. • Misrepresenting transactions as revenue from related parties, when side agreements state the reporting entity is obliged to repay the money to the lending related party or the transaction is actually an injection of capital. • Creating fictitious terms of trade with the related party in order to misrepresent the business rationale behind the transactions. • Using the reporting entity to pay for goods and services not received by raising fictitious invoices from an unconsolidated related party. • Transferring assets to or from management, or others, at amounts that are not commercially viable. Going concern ISA 570 (Revised) sets out an auditor’s responsibilities in relation to assessing whether management’s use of the going concern basis of accounting in preparing the financial statements is appropriate. This is a fundamental assumption in the preparation of the financial statements that should be considered at an early stage in the audit. During risk assessment, the auditor should: • Identify any events or conditions that exist which may cast significant doubt on the entity’s ability to continue as a going concern, based on the understanding of the entity and its environment gained from performing the risk assessment procedures. For example, analytical procedures may have identified the entity has operated in a net current liability position at points during the year. • Review management’s going concern assessment, including management's identification of possible events or conditions and any response or plans in place to alleviate any significant doubt. For example, management may have prepared a cash flow forecast to demonstrate that the entity can pay its debts as they fall due over the next 12 months. • Determine whether there are any risks of material misstatement in relation to going concern. For example, there is a risk that management may not include necessary going concern disclosures in the financial statements as required by the applicable financial reporting framework. ISA 570 paragraph A3 gives examples of potential indicators of going concern issues across the following categories: • Financial – for example, the entity being in a net liability or net current liability position. • Operating – for example, loss of a major market, key customer(s), franchise, licence or principal supplier(s). • Other – for example, changes in law or regulation or government policy expected to adversely affect the entity. 1.3.6 Engagement team discussion One of the specific planning procedures mandated by ISA 315 (Revised 2019) and ISA 240 is an engagement team discussion that emphasises how and where the audit client’s financial statements might be susceptible to material misstatement due to error or fraud. In practice, all the information gathered from performing risk assessment procedures is presented to and discussed among the entire audit team (including the auditor’s specialists where applicable). This discussion is led by the audit partner and it: • Allows audit team members to discuss the risks of material misstatement and share insights about how and where financial statements may be susceptible to error or fraud, and how professional scepticism can be applied in specific and practical terms during the audit. • Enables the audit partner to consider appropriate responses to areas of susceptibility, and which team members should perform certain audit procedures. • Helps the audit partner determine how the results of the audit procedures are to be communicated among the team and how to address any allegations of fraud that may arise. The following diagram gives examples of possible insights about an audit client that different team members may share in the engagement team discussion: Source: Adapted from K Glynn and B Bester 2017, Australian audit manual and toolkit 2017: for small and medium sized entities, 7th edn, vol 2, Exhibit 4.0-2, p 27 ISA 240 and ISA 550 list matters that may be included in the engagement team discussion to specifically consider the risk of fraud and the risks arising from related party relationships and transactions. In practice, audit firms typically have standard agendas for this audit planning meeting that enable audit teams to discuss and document relevant issues. 1.3.7 Revising risk assessment An audit is an iterative process and auditors need to update their initial risk assessment during the audit whenever new information or findings, including inconsistencies in evidence obtained, are identified that change the initial risk assessment. For example, an entity entering into a new equity accounted investment just prior to the period end that was not factored into the initial risk assessment. Additional risk(s) of material misstatement would need to be assessed as a result of the investment. 1.4 Audit plan This topic considers how the auditor plans the audit in response to what they have learned about the entity so far. Taking the results of pre-engagement activities, risk assessment procedures and determination of materiality into consideration, the auditor establishes an overall audit strategy and develops a tailored audit plan for the engagement. ISA 300 sets out the requirements for audit planning. Importance of audit planning Audit planning is critical as it ensures the audit engagement is performed efficiently and effectively, in line with the ISAs, and that audit risk has been reduced to an acceptably low level. While an audit is an iterative process, the planning stage of an engagement is arguably the most important phase in ensuring an efficient, effective audit. Having an adequate, well-documented plan benefits the audit in many ways, ensuring that: • The audit effort is directed at high-risk areas. • Audit procedures performed are relevant in addressing the identified risks. • Audit staff are well-informed and know what is expected of them. In practice, the audit partner and other senior members of the engagement take an active role in planning the audit and perform a detailed review of specific areas of the planning section of the audit file. The following table outlines the readings required for this topic: Relevant international Standards on auditing and local equivalents International Australia New Zealand ISA 300 Planning an Audit of Financial Statements (ISA 300) ASA 300 Planning an Audit of a Financial Report (ASA 300) ISA (NZ) 300 Planning an Audit of Financial Statements (ISA (NZ) 300) 1.4.1 Overall audit strategy The overall audit strategy presented in an audit plan is a record of the key decisions considered necessary to properly plan the audit and communicate significant matters to the engagement team. The main purpose of the audit strategy is to set the scope, timing and direction of the audit engagement and guide the development of the audit program. In establishing the audit strategy, the auditor considers the following: Type of consideration Examples of matters that may be considered The characteristics and scope of the engagement What is the applicable financial reporting framework? What are the relevant Auditing Standards? Is it a statutory audit of stand-alone financial statements? Are there any industry-specific reporting requirements? Reporting objectives and timetable What is the entity’s timetable for reporting? What is the timing and nature of communications with those charged with governance? Are any communications with component or other auditor’s necessary? When will information be available from the entity for audit procedures to be performed? Factors that are significant in directing the audit team’s efforts Have any significant risk areas been initially identified? Have any risks of material misstatement been identified that have an impact on the direction, supervision or review of the audit? The results of the initial engagement activities Have any risks been identified through the client and engagement acceptance process? What is their initial determination of materiality? Were material misstatements or significant deficiencies in controls identified in the prior year’s audit? Are there any significant business developments affecting the entity? The nature, timing and extent of resources needed Is it necessary to involve any internal specialists, for example IT or tax? Does an engagement quality control reviewer need to be appointed? Are there locations and business units for which other auditors may be needed? What is the engagement budget? In practice, the auditor typically presents to the client the audit strategy in a summary client audit plan. Most audit firms have templates for audit planning that are tailored to each client. A typical summary client audit plan includes the following: • Details of the key audit team members. • Brief introduction to the audit firm’s methodology. • Materiality. • Significant risks identified and audit focus areas for the current year. • Audit approach for key audit areas. • Auditor independence. • Timing and deliverables. Other components, such as group scoping or working with internal audit, would be included in the summary strategy where relevant. 1.4.2 Audit program The audit program is more detailed than the audit strategy and contains all the audit procedures to be performed by engagement team members in response to the identified risks of material misstatement. The audit program is developed based on the overall audit strategy and includes a description of: • the nature, timing and extent of planned audit procedures • other planned audit procedures that are required to be carried out so the engagement complies with the relevant ISAs. The auditor usually documents this information in the relevant screens of their audit software or in an ‘audit planning document’ and in the relevant audit programs for material classes of transactions and account balances. Responding to risks of material misstatement Responses to risks of material misstatement provide the auditor with enough appropriate audit evidence to reduce audit risk to an appropriately low level. There are two types of response: • Overall responses to risks of material misstatement at the financial statement level. These have an overall effect on how the audit is conducted. • Assertion level responses to risks of material misstatement at the assertion level. These influence the nature, timing and extent of audit procedures. Overall response to risks at the financial statement level The auditor’s overall responses to risks of material misstatement at the financial statement level may include the following: • Assigning more experienced staff to the complex areas of an audit, or assigning specialists or experts. • Emphasising the need to apply a high level of professional scepticism. • Providing more supervision to staff. • Evaluating accounting policies selected by management, particularly those that relate to subjective measurements or complex transactions, which may indicate management’s attempt to manage earnings. • Incorporating unpredictability in the selection of nature, timing and extent of audit procedures. • Conducting more procedures at period end instead of at interim periods, or planning audit procedures that provide more persuasive audit evidence. Assertion level response to risks at the assertion level One of the audit strategy decisions is determining the appropriate audit approach to respond to the risks of material misstatement. This essentially means making a decision on whether the auditor will take a controls-based approach or perform substantive procedures only. The following figure summarises the auditor’s evaluation about which audit approach to take: Source: Adapted from IFAC 2011, Guide to using ISAs in the audits of small- and medium-sized entities, 3rd edn, vol 2, p 116 In practice, for audits of smaller and less complex entities, it is more likely that the auditor may decide on an audit approach that includes performing substantive procedures only. This is because it is less likely that smaller entities have formalised controls that are operating effectively and there may be a lack of segregation of duties, which undermines the effectiveness of controls, and the lower complexity of business transactions may mean it is more efficient to perform substantive procedures only. Designing audit procedures Auditors consider several factors and apply guidance included in many different Auditing Standards when designing individual audit procedures. In practice a combination of audit procedures are necessary to obtain enough appropriate audit evidence to respond to risks of material misstatement. In designing audit procedures, the following factors should be considered: Consideration Explanation Example Reason (objective) An audit procedure is designed to respond to an identified risk of material misstatement and must therefore address that specific risk. If there is a risk of material misstatement of PPE associated with the existence assertion, the audit procedure should be designed to address this specific risk. Nature The nature of an audit procedure refers to its purpose (test of control or substantive procedure) and its method (inspection, observation, enquiry, confirmation, recalculation, reperformance or analytical procedure). Certain types of audit evidence can provide more persuasive evidence. A substantive analytical procedure may be performed over disaggregated revenue streams. Querying the CFO yields less persuasive evidence than inspecting the specific external document that the inquiry relates to. Timing The timing of an audit procedure has two aspects: • The time at which the procedure is performed (at planning, at interim periods, close to period end or after period end). • The period to which the audit evidence applies. Obtain confirmation of inventory being held at third parties at the end of period 11. Rollforward test of details may be performed from period 11 to the year end. Extent The extent of an audit procedure has two aspects: • When designing individual procedures, the number of items selected for testing. • When designing an audit program, the number of audit procedures to be performed. Determine the number of items for performing a cut-off test for expenses and payables. Change the precision of a substantive analytical procedure. Source An audit procedure must specify the information to be used. If a sales forecast is being used as a source of input to an audit procedure over inventory valuation, the specific details of the sales forecast should be specified. Documentation When designing an audit procedure, the documented procedure must be clear enough that someone else could reperform the procedure. Describing an audit procedure as—‘test the valuation of receivables’ is not clear enough for it be reperformed in a consistent way. Auditors need to take many issues and developments into consideration when choosing their audit strategy, as explained in the Example 1.22. Example 1.22 – Impact of COVID-19 on audit strategy COVID-19 placed immense pressure on supermarket chains to meet increasing and changing consumer demands. According to Trent Duvall, National Industry Leader, Corporates, KPMG Australia, online retailers alone were forced to respond to a 5 per cent increase in sales. Adding context, he explains ‘That’s five years’ worth of change in just five months’. Fiona Campbell, FCA, Audit Partner, EY Ocenia, says retailers responded rapidly by instituting pop-up distribution centres and implementing continuous delivery schedules. Major grocery retailers are now offering their customers COVID-safe ‘click ‘n collect’ options and touchless delivery to their vehicles. ‘There’s been some interesting innovations’, Campbell says, ‘but supply chains have been really difficult to predict, not least because each state has its own social distancing and lockdown rules’. Duval notes that further along the supply chain businesses are also considering what off-shored processes can be brought back onshore. Internal controls ‘Often, whenever there’s an issue within an organisation, people just automatically add another control or another review process, or another reconciliation. It’s like the Sara Lee of controls – layer upon layer upon layer’, says Campbell. ‘People rarely look back and ask: “Do we need all of these controls in place? Are they still important?” Now is the perfect opportunity for organisations to reflect on which internal controls really work, and which don’t; it’s an opportunity to take stock.’ ‘It’s quite easy to do an end-of-day cash reconciliation to know what was sold during the day by in-store shoppers. For online businesses, however, you’ve got to actually prove the stock entered the customer’s hands’, says Duvall. ‘Every transaction goes back to a transaction of one. What could previously be tested as a daily control is now fragmented back to individual transaction levels.’ This requires a doubling down on diligence. ‘During COVID-19, I haven’t seen any diminution in quality of controls,’ Duvall says. ‘People have been operating a crisis-management level of rigour in terms of review and analysis, over an extended period of time, as opposed to a business-as-usual level of rigour.’ Nevertheless, Campbell notes, because retailers are making changes to their processes and internal controls at pace, there is a higher risk of material misstatement. ‘When thinking about ISA 315, auditors need to understand changes to the supply chain to consider where things could go wrong and whether the changes are material to the business or audit. What controls are still operating effectively, and what new controls have been put in place? What critical controls may have been discontinued to get toilet paper on shelves? Are these changes creating risks of material misstatement?’ Campbell clarifies that the next step to consider is whether there are inherent risks coming associated with the supply chain changes, and what controls the client put in place to respond to these risks. Auditor’s response Once they have a complete understanding of these considerations, Campbell explains, the auditor can choose their strategy. ‘Are we just expanding the testing to what we are already testing? A fully substantive audit typically means you have to test more. Or can we confirm controls still operated in the crisis period? If so, then we can pursue a controls-based audit and we may not need to do additional testing.’ ‘Changes to the supply chain and internal controls doesn’t automatically mean we need to do more testing. It just means you need to consider and identify more risks and determine whether they are risks of material misstatement. If they are, then you need to consider where they fall on the spectrum of risk, and accordingly, what we’re going to do to respond to those risks. We may decide to test some compensating or additional controls. We would still do the same controls-based audit we have always done, but for newer areas, because of changes to supply chain, we will spend more time testing controls around pop-up distribution centres or controls around a new distribution network they’ve created.’ Enhanced audit procedures One of the first audit procedures to be affected by the pandemic was stocktakes. Campbell explains that shifting to virtual stocktakes, where the client shows auditors around their warehouse via iPhone, inevitably involves a certain level of risk. ‘We had to shift very quickly to virtual stocktakes, and obviously we had to do some procedures around that to combat the unpredictability of these. We’ve seen some enhanced controls introduced’, says Campbell. And, while she doesn’t think virtual stocktakes will become the norm in all situations, Campbell can see that they bring benefits to certain audits. ‘In remote locations, virtual stocktakes lead to better audits’, Campbell says. ‘Historically, we couldn’t spend two days travelling to, say, Alice Springs to carry out an audit, at least, not every year. There’ll be enhanced audit procedures in remote locations now as a result.’ The future, Campbell says, lies in finding a happy medium, where virtual stocktakes add value but don’t replace in-person audit procedures entirely. ‘Audit is a team sport’, she says. ‘And we need to make sure that all our controls are operating effectively.’ Sufficient appropriate audit evidence For most of her clients, if the business was still operating and highly automated, Campbell has been able to secure appropriate evidence for 30 June audits, even if the company is trading remotely. However, where a company ceased trading or was significantly affected, Campbell says that the going concern assumption is very difficult to assess. ‘For industries such as tourism, airlines, and so on it’s impossible to predict. We could still audit the numbers, but we couldn’t audit what the future looked like for them. Lots of audit reports at 30 June included disclosure about the level of uncertainty around the client’s ability to operate as a going concern. We’re starting to see a few more liquidation basis of preparation of accounts etcetera, but I expect we will see more going concern emphasis of matter and more liquidation basis of preparation of accounts because the businesses won’t bounce back unfortunately.' Updating the overall audit strategy and audit programs ISA 300 requires the auditor to update and change the overall audit strategy and audit programs as necessary during the course of the audit. As discussed in earlier topics, the initial risk assessment is completed at the planning stage of the audit, before most audit procedures are performed. However, risk assessment is a continuous activity throughout the audit. As the auditor obtains new information and audit evidence during the audit, the initial risk assessment may change. The auditor may uncover identified risks or information that lead them to reassess the risks they identified during audit planning. In these instances, the audit strategy and audit programs should be amended appropriately. The following table lists issues that could cause the auditor to reassess risks during an audit: Issue Reassessment of risk The number of errors when testing controls may be higher than expected; the controls cannot be relied on. The auditor may: • assess control risk as high • plan additional substantive audit procedures. While attending a stock count, the auditor may discover material obsolete inventory that management had not identified. The auditor may: • increase the assessment of the risk of material misstatement inventory for inventory valuation • perform additional audit procedures regarding inventory valuation. The auditor may discover material liabilities that have not been recorded, due to a weakness in management’s process for identifying accrued expenses. The auditor may: • increase the assessment of risk of material misstatement associated with unrecorded liabilities • plan additional audit procedures designed to address the completeness of liabilities. Example 1.23 illustrates how an audit strategy is established. This example incorporates the concepts already covered in this chapter and the concept of evaluating internal control, covered next in Topic 1.5. Example 1.23 – Audit strategy development XYZ Partners carries out an audit of the financial reports of Digital Eye Limited (Digital Eye) for the year ended 30 June 20X3. Digital Eye is a company listed on the Australian Stock Exchange (ASX) and operates as a manufacturer and distributor of photographic equipment and accessories. XYZ Partners has been the auditor for the last three years. The planning phase of the engagement is carried out pre-balance date (i.e. before 30 June 20X3). The audit strategy is then presented to the audit committee before the year-end audit procedures are performed. Remember, in reality, there will be a number of steps in the planning section of an audit file; however, to explain how an audit strategy is developed, it should be assumed that all pre-engagement considerations (as discussed in Topic 1.2) and general risk assessment procedures have been performed and documented in the audit file. This includes each of the following: Obtaining an understanding of the entity and its environment. Obtaining an understanding of entity level controls (ELCs), general IT controls (GITCs) and process level controls. Identifying and assessing risks at the financial statement level. Determining materiality. Identifying and assessing risks of material misstatement at the assertion level. Identifying and assessing significant risks and other risks. Determining an overall audit approach to respond to the identified risks. This example provides an illustration of an audit strategy covering: Materiality. Significant risks identified and high-level audit approach. Other risk areas identified and high-level audit approach. As noted earlier in this chapter, the overall audit plan would also typically include the following: Details of the key audit team members. Brief introduction to the audit firm’s methodology. Auditor independence. Timing and deliverables. Digital Eye Limited Audit for the year ended 30 June 20X3 Audit strategy Materiality Overall materiality for the audit has been set at $123,000. This is based on 1 per cent of estimated total revenue for the year. Revenue for 11 months: $11,303,000 Extrapolated for 12 months: $12,330,550 Overall materiality: $123,000 Significant risks identified and high-level audit approach Based on the pre-engagement activities and general risk assessment procedures, the following key risks have been identified for the audit. Going concern There are conditions existing, such as decreasing cash reserves and declining profits, that are indicators of doubt about the entity’s ability to continue as a going concern. Audit approach Management’s plans to alleviate this doubt will be evaluated. This will include assessing whether the plans are suitable to address the doubt and the ability of management to actually implement the plans. Warehouse revaluation A significant accounting estimate is the warehouse revaluation. Management has historically used third-party experts to value the property. However, to reduce costs, management has performed an internal valuation this year. This resulted in a material upward revaluation of $1.1 million. Audit approach A detailed evaluation of the management approach will be performed. This will include an assessment of the experience, objectivity and capability of those involved in determining the valuation of the warehouse, and evaluating the appropriateness of the method used, the underlying assumptions and the data sources. An auditor’s expert will also be engaged to help with the assessment of the appropriateness of the revaluation. Capitalised research and development costs A significant asset on the balance sheet is capitalised research and development costs. Audit approach An assessment will be performed over management’s analysis to support the appropriateness of carrying these costs on the balance sheet. Historically there have been effectively designed controls operating to capture the allocation of these expenses to costs to capitalise and costs to expense. Testing the continued operating effectiveness of these controls is an important audit procedure. Risk of fraud There is a presumed risk of fraud in all audits relating to: revenue recognition management override of controls. Audit approach Specific audit procedures will be performed to respond to these presumed fraud risks in the audit. Other audit risk areas identified Account High-level audit approach Payroll Perform tests of controls over completeness and accuracy of the payroll expense. Perform substantive analytical procedures over the annual payroll expense. Inventory Perform tests of controls, including observation of the stock count that will take place on 30 June 20X3. Perform tests of details to address accuracy, valuation and allocation as at balance date. Accounts payable Perform tests of details over the completeness of accounts payable. 1.5 Internal controls As discussed in the Risk and technology subject, an entity’s management and those charged with governance are responsible for implementing a system of internal control to appropriately address a range of risks, including risks relating to the preparation of its financial statements. If an entity’s system of internal control is effectively designed, has been implemented and is operating effectively, auditors can choose to rely on the entity’s internal controls to reduce audit risk as part of the audit strategy (see subtopic 1.4.1). As a result, the auditor is required under the Auditing Standards to: • Understand and assess the design and implementation of controls at the entity level and process level (including automated controls). • Evaluate the effectiveness of an entity’s system of internal control. Areas requiring special audit consideration have additional specific requirements, which are summarised in the following table: Area Additional specific requirements Fraud (ISA 240) Ask management about their process for identifying and responding to the risks of fraud in the entity. Understand the entity’s internal controls over risks of material misstatement due to fraud. Accounting estimates (ISA 540 (Revised)) Understand the entity’s estimation processes, including: • the nature and extent of oversight and governance over accounting estimates • use of experts and/or specialised skills in making accounting estimates • the methods, assumptions and data used in making the accounting estimates (including how management deals with the degree of estimation uncertainty inherent in each accounting estimate). Separately assess inherent risk and control risk at the assertion level for accounting estimates. Related parties (ISA 550) Understand the entity’s process over the accounting for and disclosure of related party relationships and transactions in line with the applicable financial reporting framework. Understand the entity’s internal controls over how related party relationships and transactions are identified, authorised and approved. Going concern (ISA 570 Revised) Be alert to circumstances that could affect the entity’s ability to continue as a going concern. Ask management about any conditions that might hinder the entity’s ability to continue as a going concern. Finally, ISA 315 (Revised 2019) specifically requires the auditor to evaluate the design and implementation of controls over risks of material misstatement assessed as significant risks. This topic will focus on the application of the general requirements of ISA 315 (Revised 2019) in relation to understanding and evaluating the design and implementation of an entity’s system of internal control. The following table outlines the readings required for this topic: Relevant international assurance pronouncements and local equivalents (where applicable) International Australia New Zealand ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management (ISA 265) ASA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management (ASA 265) ISA (NZ) 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management (ISA (NZ) 265) ISA 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ISA 315 (Revised 2019)) ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ASA 315) ISA (NZ) 315 (Revised 2019) Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment (ISA (NZ) 315 (Revised 2019)) 1.5.1 Understanding an entity’s system of internal control The components of internal control under ISA 315 (Revised 2019) are based on the COSO Internal control – integrated framework, shown in the following diagram: Source: Internal Control - Integrated Framework: Executive Summary. Committee of Sponsoring Organizations of the Treadway Commission. May 2013. Retrieved online: www.coso.org/Documents/990025P-Executive-Summary-final-may20.pdf, pg. 6 Auditors need to obtain an understanding of the entity’s system of internal control only to the extent it is relevant to the entity’s preparation of its financial statements. Note that an entity’s system of internal control cannot eliminate risks of material misstatement entirely due to the following limitations: • If management has a high appetite for risk, some risks of material misstatement will be deemed acceptable and no controls will be designed and implemented to address them. • Controls activities are susceptible to human error – both in their design and operation – due to a lack of competence or oversight. – Manual control activities may be performed incorrectly. – Automated control activities may be programmed or configured incorrectly. • Management or other individuals may be capable of overriding or circumventing controls, either individually or through collusion. Components in a system of internal control The following table presents examples of each component of the entity’s system of internal control in order of how directly they act to prevent, or to detect and correct, risks of material misstatement in the financial statement: Component per ISA 315 (Revised 2019) How it applies in the context of financial reporting Why it’s important for auditors to consider Control environment The entity’s approach to governing its financial accounting and reporting, including how: • roles and reporting lines are structured • authority is delegated • individuals at all levels (including those charged with governance) are held accountable for the proper discharge of their responsibilities Whether the entity’s stated values (explicit culture) and actual behaviour of those charged with governance, management and personnel (implicit culture) are consistent and promote ethical conduct in relation to financial accounting and reporting The competence of the individuals involved in processes that affect financial accounting and reporting Effective oversight and an ethical attitude, from both an entity’s management and those charged with governance, is foundational to the other components of internal control and sound financial reporting. A weak control environment increases the risk that employees will bypass, override or breach controls that have been implemented. In contrast, a strong control environment and ethical culture is a contributing factor to preventing fraud. Risk assessment Management’s approach to identifying, assessing and managing financial reporting risks (including fraud risks) Management’s assessment and response to identified risks (including fraud risks), including documentation such as risk appetite statements and risk registers discussed in the Risk and technology subject Understanding how management assesses and manages risk gives the auditor insight into management’s risk appetite and enables the auditor to assess whether there are potential risks of material misstatement management have failed to identify. Monitoring activities Management’s process to monitor whether internal controls over financial reporting are operating effectively and how any identified deficiencies in internal control are remediated Sources of information used by management for monitoring internal controls (and how management ensures the information is reliable) The entity’s use of an internal audit function (refer to Topic 2.2.6) Effective monitoring activities increase the overall strength of the entity’s system of internal control. Understanding the results from the entity’s monitoring activities gives the auditor insight into whether internal controls are effectively designed, implemented and operating effectively, before considering the results from the auditor’s own risk assessment procedures. Information system and communication How the entity initiates, processes, records and reports transactions and stores information relevant to financial reporting (ie the entity’s flows of transactions or processes) System of IT applications used by the entity to process information and transactions and the entity’s general IT environment How external parties (including regulatory authorities), those charged with governance, management and others within the entity communicate significant matters relevant to financial reporting Understanding an entity’s processes (also known as ‘transaction cycles’) and systems enables an auditor to more accurately assess the risks of material misstatement at the assertion level, as well as identify control activities that have been designed to address those risks of material misstatement. Control activities (most direct/least indirect) Manual activities performed by individuals to prevent, or to detect and correct, misstatements (which may be dependent on information from IT systems) Automated activities embedded or configured in IT systems to prevent, or to detect and correct, misstatements General IT controls (GITCs) over access and managing changes to IT systems Understanding the attributes of control activities allows the auditor to assess the design and implementation of each control activity and to determine whether there are any risks of material misstatement that have not been appropriately addressed by controls (either individually in combination). In Audit and Risk In this subject, controls are considered to exist either at the entity level or at the process level: Characteristic Entity level controls (ELCs) Process level controls (PLCs) Impact Organisation-wide Limited to a specific process Type of risk addressed Pervasive risks (ie risks at the financial statement level) Specific risks (ie risks at the assertion level) How the risk is addressed Generally indirectly, by supporting the other controls Directly or indirectly, depending on the control’s design Precision Imprecise Varies according to the control’s design (but more precise than ELCs) GITCs are policies, procedures and control activities specific to general IT processes. GITCs fall somewhere in between ELCs and process level controls: the relationship between GITCs and automated controls is equivalent to the relationship between ELCs and process level control. Together, the entity’s processes, IT applications and IT environment make up an entity’s information system. The entity’s information system captures, processes and stores the data generated by the entity (its transactions as well as other events and conditions); these data are later used to prepare the entity’s financial statements (through the financial statement close processes). The following diagram illustrates how the different parts of an entity’s information system generally relate to each other at a high level: Things to note: • Transactions that flow through routine processes in the entity’s cash-to-cash lifecycle (purchases, inventory & COGS, payroll, cash disbursements, revenue, cash receipts) are generally recorded in subledgers. • Data accumulated in the subledgers from routine processes are reported in the general ledger, which is the basis of the data used to prepare the entity’s financial statements in the financial statement close process. • More complex disclosures (such as those required by IAS 7 Statement of Cash Flows, IAS 36 Impairment of Assets, IFRS 2 Share-based Payment or IFRS 7 Financial Instruments: Disclosures) must be prepared using both general ledger data and data from outside the accounting system prepared using spreadsheets. These data may be sourced from the entity’s other systems and undergo a number of extract transform load (ETL) operations as part of the financial statement close process, or they may need to be manually collated. • Entities are likely to use a combination of IT applications and may use a combination of networking environments. These may be managed in-house or outsourced. • General IT processes function across the IT environment to control access security and program changes. End-user applications (such as spreadsheets) are not typically covered by general IT processes. Although an entity’s processes are unique to its specific circumstances and environment, most entities will have some form of the following processes: Process What the process covers Revenue (sales) How the entity sells its products (or services) Often split into several sub-processes, depending on the complexity of the entity’s business model and the number of revenue streams Cash receipts How the entity collects money from its customers Often combined with the sales process as a single ‘sales to cash’ process in non-complex businesses Inventory and cost of goods sold (COGS) (non-service businesses only) How the entity produces products for sale Often split into several sub-processes covering purchasing and/or manufacturing (goods in/costing), distribution (goods out) and inventory control (stocktake) Capital expenditure (capex)/other purchases How the entity procures non-inventory related goods or services necessary for doing business; includes property, plant and equipment, rent, utilities, marketing, and other general and administrative expenses Payroll How the entity hires, pays and dismisses its employees Often split into several sub-processes, depending on the complexity of the entity’s staffing model, for example, new hires, terminations, changes in pay rates, payrun processing (including timesheets and leave applications) Cash disbursements How the entity pays for its purchases Often combined with the inventory purchases/procurement process as a single ‘purchase to pay’ process in non-complex businesses Financial statement close process (FSCP) How the entity prepares its financial statements A ‘catch-all’ process that starts from the end point of every single other process and ends when the financial statements have been issued; typically includes the posting of standard and non-standard closing journal entries (eg non-recurring entries, unusual transactions or adjustments, consolidation adjustments and post-closing adjustments) May include key accounting estimates; with implementation of ISA 540 (Revised), increasingly common to consider the entity’s processes for initiating, processing, recording and reporting accounting estimates separately to the financial statement close process Access security (general IT process) How the entity manages access to its IT environment, systems, applications and data Includes managing user privileges and ensuring the level of access each user has is appropriate for their role Program change (general IT process) How the entity manages changes to its IT environment, systems and applications (including new implementations, upgrades and updates) Typically covers IT applications purchased from an external vendor and IT applications that are developed internally and maintained by an entity’s IT department, but not end-user applications such as spreadsheet models and macros Control activities are embedded throughout an entity’s processes and can be categorised in many ways: Method Category Description By control objective Prevent Eliminates potential misstatements before they can occur. Detect and correct Identifies instances of misstatement and ensures they are corrected. By nature Authorisation Prevents a transaction from proceeding further in a process without approval from an authorised individual. Performance review Detects and corrects errors in the initiation, processing and recording of transactions during earlier steps in the process. Reconciliation Matches transactions across two or more sources of information to identify, investigate and resolve differences in the transaction’s attributes caused by errors in the initiation, processing and recording of the transaction. Physical Tangibly controls access to physical assets. Segregation of duties Incompatible tasks are allocated to different individuals to prevent error and fraud. By degree of automation Manual Does not require the use of IT for its operation. IT-dependent manual Uses information produced by the entity’s IT systems. Configurable automated Users can modify the control’s operation by specifying parameters within the IT application. Embedded automated The control’s operation is determined by the IT application’s programming and cannot be changed by users. By IT process Access security User access is restricted to the data, system privileges and IT applications necessary for that user to perform their role. Program change Ensure that program changes are appropriately identified, authorised, tested, implemented and documented Segregation of duties exists between the individuals developing, testing and deploying the change. Stepped through different software environments to minimise corruption, loss or unauthorised access to data. Automated controls can be further categorised as follows: Automated controls category Description Examples Authorisation Automated version of manual authorisation Built-in authorisation limits for each user Ability to set up new suppliers being restricted to the accounts payable team Calculation Automatic calculation of a result according to a specified formula Ageing of invoices in an aged debtors trial balance Calculation of the amount of goods and services tax (GST) on a sale Digit checks Automated numerical based check (often using algorithms to generate and link to a unique set of digits) to ensure the data input is accurate Remote access login where a unique numerical code is needed to enable user access, typically generated by a digital access key or a linked software application available on a phone Edit check Automated check on whether data is in the correct format or incomplete Required fields in forms that must all be completed Field requiring a date to be input in a certain way (eg ‘dd/mm/yyyy’) Screen warning if a journal entry is incomplete Interface Automated check to ensure data is correctly and completely transferred from one system to another Upload of a report generated after the sales system has uploaded the end-of-day file to the server; generated report containing the number of data records successfully uploaded and the number of data records that were rejected Range/reasonableness/limit checks Automated check ensuring the data is within a specific range Checking timesheets with more hours recorded than the normal working hours Validation Automated check on whether the data meets specific criteria Checking supplier number input in the system against the supplier masterfile Checking suppliers’ ABN on purchase invoice against supplier masterfile Access security controls exist at multiple levels of the entity’s IT environment: Element of IT environment Examples IT Infrastructure Physical location or environment Access to physical location is controlled by swipe card. Entry and departure of staff and visitors is monitored by security personnel. Servers are stored in a secure, tamper-proof physical location. Closed circuit cameras are used to monitor the physical premises. Hardware Custody of laptop computers and mobile devices is restricted to approved personnel. Machines are secured with physical locks. Hard drives are encrypted and require valid usernames and passwords to be unlocked. Network Network access is available only through wired connection or secure wireless network at the entity’s physical premises. Remote access to the network is available only to authorised users, requiring username, password and remote access token code. IT application (eg accounting system) Operating system Username and password needed to log on to operating system on starting up. Programs Access to programs is configured using operating system user access profiles based on user department, role and job function. Programs access requires a valid username and password (eg password-protected files or login required for an accounting system). Minimum length and complexity requirements for passwords are enforced. Passwords must be changed on a periodic basis. User access is reviewed and updated on a regular and timely basis. Audit trail logs documenting user access and user activity are kept and reviewed on a regular basis. Data Confidential and sensitive data is stored in a secure, encrypted location. User privilege (eg read-only versus read-and-write access) is configured based on user department, role and job function. Risk assessment procedures The following table illustrates how an auditor performs risk assessment procedures in the context of understanding an entity’s system of internal control: Method Example risk assessment procedure in the context of internal controls Component of internal control Analytical procedures Use automated techniques to obtain a dataset containing journal entries and other records from the entity’s general ledger and subledgers. Confirm the auditor’s understanding of the entity’s information system by using automated tools to analyse the dataset. Verify the flow of transactions in the journal entries of the dataset are consistent with the auditor’s understanding of the entity’s processes. Information system & communication Enquiries of management and others within the entity Interview the CFO about the entity’s risk assessment process, how senior management monitors the effectiveness of the entity’s system of internal control, the information they use to perform the monitoring, the results of recent monitoring activities and how senior management plans to address any deficiencies identified as a result of the monitoring activities. Ask staff about senior management’s commitment to integrity and ethical values, including whether the entity’s stated values and code of conduct are consistent with the entity’s culture and senior management’s philosophy and operating style. Risk assessment process Monitoring activities Control environment Observation Watch how senior management and staff interact with each other and make note of whether their behaviours are consistent with the entity’s stated values, code of conduct, operating procedures and the results of other risk assessment procedures performed. Control environment Control activities Inspection Review an individual’s resume, LinkedIn profile, biography or other sources of information (such as the entity’s training records or a register of continuing professional development activities) to assess their competence at performing a particular control activity. Control activities Obtain and read policy documents and financial reporting manuals designed to communicate significant matters about financial reporting to individuals within the entity. Information system & communication Example 1.24 demonstrates how auditors use a combination of risk assessment procedures as well as information obtained by other means to understand the entity’s system of internal control. Example 1.24 – Obtaining an understanding of the entity’s system of internal control Shelley, an audit senior at XYZ Partners, has recently been assigned to the current year audit of Bespoke Rugs Limited (Bespoke Rugs), a family-owned and operated importer of handmade rugs. XYZ Partners has been the auditor for the past three years. Control environment, risk assessment and monitoring activities The audit manager has documented the results of the audit partner’s enquiries of the managing director and finance manager during the audit planning meeting, as well as the audit manager’s own observations of how senior management and Bespoke Rugs employees interact among themselves and with the audit team on a day-to-day basis. Shelley corroborates the results of these enquiries and observations by making additional enquiries with lower level client personnel. She also inspects documents available on the Bespoke Rugs intranet, such as the code of conduct and whistleblowing policy, noting that the documents are easily accessible to all staff. Information system and communication, and control activities Shelley begins by reviewing the relevant documentation in last year’s audit file. She identifies the relevant process owners and arranges meetings with each of them individually. Jamis, the Bespoke Rugs payroll manager, provided Shelley with a copy of the company’s internal payroll process documentation: At her interview with Jamis, Shelley takes notes as he explains his understanding of how payroll transactions flow through Bespoke Rugs’ information system. Shelley compares his explanations to the audit team’s notes from the previous year and highlights changes in the process. Shelley clarifies gaps in her understanding by asking Jamis questions throughout the interview: The flowchart stops when a payrun is completed, what happens afterwards to report the transactions in the general ledger? What is the process around payroll-related disclosures in the financial statements? How are changes to the employee masterfile authorised? I’m not sure I understand exactly how new hires, terminations and pay rate changes are approved and by whom. The flowchart primarily describes the process for changes to the employee masterfile and payruns, but doesn’t cover how other payroll balances, for example provisions for employee entitlements, are handled? The payroll system and the online banking system do not appear to be interfaced. What controls does Bespoke Rugs have in place to ensure the data in the payroll file is not compromised or corrupted? I don’t fully understand each control’s attributes, particularly the review controls, based on the information in the flowchart. Can you elaborate? Finally, Shelley writes down the additional explanations from Jamis: Provisions for employee entitlements and any payroll-related disclosures are considered part of the financial statement close process. All financial statement disclosures are reviewed by the finance manager. Payroll journal entries are automatically recorded in the appropriate general ledger accounts using the subtotals by department once the payroll file is generated from the payroll system. Changes to the employee master file (new hires and terminations) must be appropriately authorised by the relevant employees’ department heads and documented. Payroll disbursements follow the same process as other cash disbursements and are covered as part of the purchase-to-pay process – the only difference is that the batch payment file is generated by the payroll system and uploaded by Jamis instead of the accounts payable officer. Jamis is not an authorised signatory and his online banking system login cannot approve batch payments. The payroll system generates a read-only payroll file in a secure network location only accessible to Jamis and other payroll personnel. After Jamis uploads the payroll file to the online banking system he deletes the copy in the network folder immediately. Jamis’ review of the payroll report includes agreeing the details of all new hires, terminations and pay rate changes to original documents from employee files, and recalculating gross and net pay for a sample of employees. The finance manager’s review of the payroll report is done on Jamis’ copy of the draft payroll report. It includes looking for evidence of review from Jamis and comparing summary statistics of new hires, terminations, department totals and average gross pay per head against budget. In practice, it is common for auditors to perform risk assessment procedures for internal controls at the same time as performing walk-throughs (see Topic 1.5.3). Documenting the auditor’s understanding of the entity’s processes Auditors document their understanding of the entity’s information system in a variety of ways, as summarised in the following table: Format Contents Process narratives (process notes) Written description of the steps involved in the process, who performs each step, the IT systems involved and the inputs and outputs for each step of the process Generally, will also identify the process owner and the key accounts and assertions affected by the process. Process maps A graphical depiction of how the transaction flows through the entity’s information system Flowcharting symbols and conventions are often used to indicate the presence of sub-processes, automated operations, separation of duties between individuals and/or departments, the flow of data and how data is stored. Risk and control matrix (RACM) A tabular grid that maps the relationships between the controls, the identified risks and related assertion(s) in a process Risks (and related assertion/s) are set out along one axis and relevant controls (often in order of where they are performed in the process) along the other axis. ‘X’s or other marks are used at the intersections of rows and columns to indicate where a risk of material misstatement is addressed by a control. When preparing an RACM, the auditor begins by identifying risks in the process. Next, the relevant assertion(s) are identified for each risk. Finally, the auditor identifies controls that management has designed and implemented for each risk in the process and marks the relationship with an ‘X’ in the matrix. Walk-through documents/exhibits Review of controls that have been designed and implemented, through which an auditor can obtain an understanding of an entity’s internal controls. Documents about the transaction selected for walk-through may be included in the audit file as exhibits attached to the auditor’s process notes. Example 1.25 is about how an auditor documents their understanding of the entity’s process. Example 1.25 – Documenting the auditor’s understanding of the entity’s process Shelley includes the process map provided by Jamis in the audit file as the primary reference point for understanding the Bespoke Rugs payroll process. As the client’s process map lacked some critical details, she cross-references key points in the process map to a more detailed process narrative compiled from her interview notes. Next, Shelley updates the RACM (see ‘Evaluating controls in combination’) for the payroll process. 1.5.2 Evaluating the design of internal controls A control deficiency may relate to a control’s design or its operating effectiveness. A control deficiency in a control’s design exists when the control does not achieve its objective. Deficiencies in the operating effectiveness of controls, or deviations, are discussed later in Topic 2.1. The auditor must make the following evaluations about the design and implementation of each component of an entity’s system of internal control: Component Evaluation Control environment Does it support or undermine the other components of internal control? Risk assessment process Is it appropriate given the nature of the entity and its environment? Monitoring activities Is it appropriate given the nature of the entity and its environment? Information system & communication Does it appropriately support the preparation of the entity’s financial statements in line with the applicable financial reporting framework? Control activities Has it been effectively designed (ie capable of preventing, or detecting and correcting, a material misstatement) and implemented (ie exists and is in use by the entity)? The following diagram illustrates how auditors identify and evaluate the design and implementation of internal controls: In assessing the appropriateness of internal controls, the auditor takes into account the size and complexity of the entity; for example, more complex or larger entities tend to have formal structures and well-documented internal controls, while less complex or smaller entities tend to rely on informal implementations of internal controls or have practical limitations on the type and extent of internal controls they can implement. Evaluating individual controls Individual controls (whether at the entity or process level) can be analysed according to their attributes. This enables auditors to consider how those attributes affect the ability of the control to achieve its objective and therefore whether there are any deficiencies in the control’s design. Common control attributes considered include the following: Control attribute Description Control objective (its purpose) What is the control trying to achieve? (What risk is the control designed to address?) Steps involved in performing the control activity What are the steps involved in identifying, investigating and resolving discrepancies? The more comprehensive the steps, the more likely the control will be robust. Information used in performing the control activity What data are used to perform the control activity? Are they manually compiled or generated from the entity’s IT systems? The relevance and integrity of the data used affects the robustness of the control. Competence, experience and authority of person performing the control activity Who is performing the control activity? Are they capable of performing the control activity as designed? Relationship to other controls Does the control address a risk directly or indirectly? Specifically: • Does it support the effective operation of other controls? • Does it depend on other controls to work? Frequency How often is the control performed? A higher frequency generally increases the robustness of the control, but often at the expense of efficiency. In practice, controls are performed frequently enough to prevent, or detect and correct, errors on a timely basis, but not so frequently that they interfere with the day-to-day operations of the business. Precision How precise is the control activity? Precision is the threshold used to identify discrepancies. The lower the threshold used, the higher the level of precision. A more precise control is considered to be more robust. Example 1.26 analyses an ELC according to its attributes. Example 1.26 – Evaluating the design effectiveness of an ELC Shelley refers to her documentation of the following ELC at Bespoke Rugs to evaluate whether the ELC is effectively designed: ELC 1: Senior management provides active oversight of Bespoke Rugs’ business operations via regular senior management meetings. Control attribute Description Control objective To monitor the financial and operating results of the business, and to identify, assess and respond to new risks affecting the business Steps involved in performing the control activity The agenda is determined by the managing director and is adapted from the standing agenda template (refer B001/1 on file). The agenda and papers are available two weeks in advance of the meeting, with comments and queries due one week in advance of the meeting. At the meeting, presenters address the comments and queries received from members, and respond to any additional queries. Where decisions are needed, members discuss and debate alternatives extensively prior to voting. The minutes of each meeting are succinct and include a clear list of action items and the status of each item. Information used in performing the control activity Year-to-date management accounts (profit & loss, balance sheet, cash flows with accompanying management commentary on actual versus budget/prior period variances) are used. Dashboards on key financial and operational metrics are included. Verbal reports from each department head and the managing director are given. Competence, experience and authority of person performing the control activity Senior management meetings are attended by every department head and the managing director. Each department head has full authority over their department and reports to the managing director, who is answerable to the board of directors. All members of senior management are family members who have held their positions for at least five years. Most hold tertiary qualifications relevant to their roles; members without tertiary qualifications have at least 10 years relevant job experience for their role. Relationship to other controls The relationship to other controls is indirect as this ELC is relevant to establishing the overall control environment, risk assessment and monitoring activities. Frequency Senior management meet twice a month; the first meeting is devoted to reviewing monthly financial results and day-to-day operational matters while the second meeting is devoted to strategic initiatives. Precision Precision is low; the threshold used in monthly management accounts is +/–10% from budget or previous year at the financial statement line level. Shelley follows the process for analysing control outlined above to evaluate the design of the ELC: The steps make sense given the ELC’s objective: members of senior management are presented with information on how the business is performing to identify and assess new risks that are affecting the results; then they meet to discuss and agree on the necessary courses of action to respond to the risks. Data used includes both information from the enterprise resource planning (ERP) system (refer to the financial statement close process notes for details regarding the compilation of the monthly management report and dashboards), as well as operational data from other IT applications outside the financial reporting system and the personal observations and knowledge of senior management for the most recent month (which covers a sufficient and appropriate timeframe). As the ELC’s objective is quite high level, it is appropriately performed by members of senior management who individually and collectively have the authority to do so. Additionally, all members of senior management hold either appropriate qualifications or have relevant experience for their roles and so are appropriately competent. Senior management meetings occur twice a month, which is frequent enough to monitor the business’s performance and respond to any new risks, while not being so frequent that it is inefficient. This ELC is reliant on GITCs and lower level controls across all financial reporting processes to ensure the integrity of the data used. Based on previous year testing and current year walk-throughs performed, GITCs and PLCs are expected to operate effectively for the current year. Based on these factors, Shelley determines that the ELC is effectively designed. Example 1.27 analyses a process level control according to its attributes. Example 1.27 – Evaluating the design effectiveness of a process level control Shelley refers to her documentation of the following review control in Bespoke Rugs’ payroll process order to evaluate whether the control is effectively designed: PAY-C7: The payroll report is reviewed and approved by the finance manager Control attribute Description Control objective To detect and correct errors in the processing of pay runs Steps involved in performing the control activity Gabrielle Petrovska, finance manager, receives the payroll folder directly from Jamis who also provides a verbal summary of payroll activity for the month before she begins her review. Her main focus is to ensure payroll expenses are reasonable and within her expectations at a high level. Gabrielle will compare the following against budget: Total gross pay by department and branch. Average gross pay per head. Summary statistics of number of new hires and terminations by department and branch. Next, Gabrielle will do a page turn of the draft payroll report. She checks if names she does not recognise are new hires, whether gross pay for each employee seems reasonable based on their role and department, and for evidence that Jamis has performed his detailed checks. In her first year, Gabrielle would reperform some of Jamis’s work. As Gabrielle has never found any errors, she no longer reperforms his work and does not always look at the supporting documents attached to the draft payroll report. Finally, Gabrielle considers if Jamis’s verbal summary is consistent with her own observations from her review. If it is consistent, she will provide evidence of her review by signing off on the final page of the payroll report. Otherwise, she will note her questions on the draft payroll report and return it – along with the payroll folder – to Jamis for investigation. Information used in performing the control activity Hardcopy draft payroll report, checked and signed off by Jamis Monthly budget by department, generated electronically from Bespoke Rugs’ ERP system Competence, experience and authority of person performing the control activity Gabrielle Petrovska is a Chartered Accountant and has been the finance manager of Bespoke Rugs for two years. Prior to her appointment, Gabrielle was the financial controller at Zizzling for 10 years. She also worked at a boutique consulting firm. Gabrielle has a Bachelor’s degree in finance and accounting and a Master of Business Administration degree. Jamis is part of the finance team and reports directly to Gabrielle. Relationship to other controls This is a direct control designed to detect and correct specific misstatements in the payroll process. However, this is a high-level review control occurring late in the payroll process, so there is a degree of reliance on the proper operation of earlier controls over payroll (including GITCs and automated controls) as it is not precise enough to detect individual errors in the operation of earlier controls. Frequency Monthly Precision Low. Total payroll expense – within +/–10% of budget for the month Payroll expense by department – within +/–5% of a department’s budget for the month Shelley follows the process outlined above to evaluate the design of the PLC: The steps make sense given the control’s objective: Gabrielle is performing a high-level review to ensure the pay run amounts (including who is on the payroll) are consistent with her expectations and the budget. The control’s robustness could be increased if Gabrielle performed more detailed procedures, such as rechecking Jamis’s work in detail (including reperforming some of his work) and consistently examining the supporting documents attached to the draft payroll report. This would reduce the opportunity for potential fraud as the lack of segregation of duties can go undetected. No issues are noted related to the relevance, accuracy, completeness, timeliness or reliability of information used to perform this control as GITCs over the ERP system are expected to be effective. As Jamis’s manager, it is appropriate for Gabrielle to review his work. As a Chartered Accountant with extensive relevant experience, she is appropriately qualified and competent to perform the review. As Gabrielle reviews each pay run once, the control is operating at an appropriate frequency. The robustness of this control could be improved if Gabrielle used lower thresholds of +/–5% and +/–2%, respectively, to detect smaller errors. Based on the above factors, Shelley determines that the control is effectively designed; however, she notes there is scope for improving the robustness of the control. She makes a note of the potential improvements for possible inclusion in XYZ Partners’ management letter to Bespoke Rugs. Evaluating controls in combination A design deficiency can also exist at the process level since controls generally work in combination to reduce risks of material misstatement in a process. In addition, it is necessary to have effective ELCs to support the effective design and operation of process level controls. As dependencies and interactions between risks and controls are numerous and can be complex, auditors use tools such as the RACM to evaluate whether controls are effectively designed at the process level. ELCs are generally not reflected in RACMs as they apply across all processes; rather the auditor’s evaluation of ELCs are separately documented. Assessing the design effectiveness of controls at the process level is a matter of professional judgement. Factors that are considered include the following: Factor Why relevant to consider Whether there are any identified risks that have not been addressed by a control This may indicate a risk that management has chosen to accept and therefore has not implemented a control in response. It may alternatively indicate that the auditor’s understanding of the process or identification of controls is incomplete. Whether the identified risk is adequately addressed by the related controls in combination Management may have chosen to implement a limited number of controls (either due to their risk appetite or practical considerations) and thus the risk of material misstatement is reduced but not to an appropriately low level. How many of the controls addressing a particular risk have been effectively designed An ineffectively designed control will not achieve its control objective of reducing the risk of material misstatement and thus has the potential to undermine the effectiveness of other controls that depend on its operation. Example 1.28 analyses controls in combination. Example 1.28 – Evaluating controls in combination in Bespoke Rugs’ payroll process Shelley refers to the RACM she prepared as part of her documentation of the audit team’s understanding of the payroll process (an Excel copy of this RACM is provided on D2L in Topic 1.5): She notes the following: All identified risks have been addressed by at least one control. Based on her evaluation of each individual control activity, all of the controls in the payroll process are effectively designed. Each identified risk is addressed by an appropriate number of controls given the likelihood of its occurrence and the magnitude of any potential misstatements. A mixture of control activities (ranging from IT-dependent manual controls to fully automated controls) occur throughout the process, right from initiation through to reporting of payroll transactions. Control 6 also incorporates a reperformance of controls 2 and 3, and represents a duplication of work in the payroll process. Shelley adds this observation to her list of potential control recommendations to be communicated to either management or those charged with governance. 1.5.3 Evaluating the implementation of internal controls Auditors test whether effectively designed controls have been implemented by conducting walk-throughs. A walk-through uses a combination of methods (primarily enquiry, observation and inspection, and, at times, reperformance) to follow the flow of a single transaction through the entirety of an entity’s process to obtain evidence that controls have been implemented at a given point in time. Example 1.29 demonstrates the method of evaluating the implementation of internal controls. Example 1.29 – Evaluating the implementation of internal controls at Bespoke Rugs At the same time as obtaining and documenting her understanding of the payroll process, Shelley meets with Jamis to obtain evidence about the implementation of the controls over payroll transactions. She haphazardly selects a transaction for the walk-through from initiation through to reporting and documents the results as follows: Walk-through transaction selected: Employee name: Genevieve Martin Employee ID: EMP316 Hire date: 15 May 20X5 Walk-through exhibits for new hire sub-process: Letter of offer (B03.1a): New Starter Employment Form (B03.1b): Employee details screen in payroll system (B03.1c): Walk-through procedures performed: Obtained employee file and inspected for documentary evidence supporting the implementation and operating effectiveness of controls over new hires. Sighted and obtained copies of the letter of offer (signed by Bespoke Rugs and employee), completed New Starter Employment Form (signed by Bespoke Rugs and employee) and agreed details per the letter of offer to the New Starter Employment Form (controls 1 and 2). Sighted passport retained on file as proof of identification (copy not retained on audit file) (control 1). Obtained a screenshot of the Employee Details screen in the payroll system and agreed details to the New Starter Employment Form (control 2). Reperformed calculation of hourly rate used in processing payroll in payroll system without exception (control 4). Based on walk-through procedures performed, the controls over new hires have been implemented and are operating effectively. 1.5.4 Assessing control risk Once the walk-through has been completed, the auditor can make a preliminary assessment of control risk (both for individual controls and controls in combination) based on the evidence obtained when performing the walk-through. The auditor’s preliminary assessment will inform decisions about the audit strategy, such as whether a controls-based approach should be taken for a process and, if so, which controls should be selected for testing. In Audit and Risk While in practice there is variety in how audit firms assess control risk, candidates should assess control risk at the assertion level as either low or high. The preliminary control risk at the assertion level is assessed as low when the auditor has: • determined controls are effectively designed based on an evaluation of individual control attributes • determined controls are effectively designed to work in combination to adequately address risks of material misstatement related to that assertion • obtained evidence that controls have been implemented by performing a walk-through • obtained an expectation that the controls will operate effectively throughout the audit period • planned to rely on the operating effectiveness of controls to reduce the risks of material misstatement related to that assertion. If any of the above conditions are not met, the auditor assesses control risk as high. The auditor must confirm their initial assessment of control risk by performing tests of controls (discussed in Topic 2.1) before they can conclude that controls can be relied on to reduce risks of material misstatement to an acceptably low level. Specific considerations relevant to automated controls GITCs are becoming increasingly important as entities adopt higher levels of automation in their processes and controls. Effective GITCs greatly improve the reliability of automated controls and information produced by the entity as they ensure automated controls behave consistently with their programming and configuration and that any changes to the programming and configuration of automated controls are appropriately authorised. In addition, where an auditor can obtain evidence there has been no instances of inappropriate access or program changes by performing direct testing of GITCs, they may still conclude that GITCs support the effective functioning of automated controls. Direct testing of GITCs involves obtaining a list of all instances where the GITC operated during the period (eg a list of all program changes or changes to user access) and obtaining evidence about whether the GITC operated effectively in a sample of those instances. It is possible that the assessment of different categories of GITCs will result in different conclusions; for example, access security may be assessed as operating effectively while program change assessed as operating ineffectively but determined to support application controls through direct testing of GITCs. The following flow chart summarises the impact of GITC effectiveness on automated controls and information produced by the entity: Communicating control deficiencies and recommendations As discussed in Topic 1.2.5, ISA 260 (Revised) Communication with Those Charged with Governance provides the overarching framework for the communication between the auditor, management and those charged with governance. ISA 265 expands on the requirements of ISA 260 (Revised) by providing specific guidance for deficiencies in internal control: • Identified deficiencies in either the design, implementation or operating effectiveness of controls, must be communicated in a timely manner to management and those charged with governance. • All significant internal control deficiencies must be communicated in writing to those charged with governance and, where appropriate, to management. A deficiency in internal control is considered ‘significant’ when it, or a number of control deficiencies considered together, is important enough to warrant the attention of those charged with governance. Sometimes, auditors may identify areas where a control deficiency does not exist but the control’s design could be improved. In practice, auditors may recommend control improvements in order to provide a ‘value add’ as part of the financial statement audit. Written communications to those charged with governance regarding the entity’s system of internal control is either included as part of or as an attachment to the client audit plan or audit results presentation. Internal control matters that do not warrant the attention of those charged with governance are either communicated verbally to management or in a written management letter. Example 1.30 outlines the communication of control deficiencies and recommendations as part of the audit. Example 1.30 – Communicating control deficiencies and recommendations at Bespoke Rugs Following from her earlier notes, Shelley adds the following items to the audit team’s draft management letter: Observation Associated risk(s) Recommendation The payroll manager checks the processing of new hires, terminations and pay rate changes twice. Duplication of effort exists in the payroll process. Eliminate the duplication of effort by performing only the checks over new hires, terminations and pay rate changes once during the month as the changes occur, rather than during the monthly pay run, to ensure errors are detected and corrected in a timely manner. The finance manager’s review is limited to enquiries, analytical review using thresholds of +/- 5–10% and a scan for unusual items. The finance manager’s review is the only control that addresses the lack of segregation of duties with respect to payroll. There is a risk that any potential fraud may not be detected by the CFO’s review as it may not be detailed enough. Consider whether the finance manager should perform more detailed procedures such as using a lower precision threshold (eg +/- 2–5%), checking the payroll manager’s work in detail (including reperforming some of his work) and consistently examining the supporting documents attached to the draft payroll report. The management letter will be updated throughout the course of the audit as any further control deficiencies or recommendations are discovered by the audit team. ​​​​​​​ Chapter summary This chapter provided an overview of the audit process and discussed key issues such as audit quality, independence and materiality. The audit process begins with pre-engagement activities. These include ensuring it is appropriate for the auditor to audit the entity. The auditor should not accept all potential new clients. Likewise, they should evaluate whether it is appropriate to continue to audit existing clients. Where potential ethical threats are identified, the auditor must consider whether safeguards are available to reduce or eliminate those threats. Quality control procedures should ensure that appropriate staff are assigned to the audit team, with monitoring processes in place to support audit quality. The planning phase of the audit includes risk assessment, developing the audit plan and assessing internal controls. The auditor considers the entity in terms of the audit risk model – assessing the risk of material misstatement (inherent risk and control risk) at the assertion level and the financial statement level – and prepares a detailed audit plan in response to the assessed risks for the entity. The audit process is iterative, so the auditor is likely to revisit much of this work later in the audit. Once the planning phase of the audit has been completed, the auditor can begin the performance phase of the audit. CHAPTER 2 Perform the audit Chapter introduction This chapter discusses the performance or ‘testing’ phase of the audit process. This is when the majority of the audit evidence is collected. The first part of the chapter discusses tests of controls. This is where the auditor assesses whether the entity’s controls operated effectively to prevent, or detect and correct, material misstatements in the financial statements. Substantive testing involves gathering direct evidence about assertions, and is covered in the second part of this chapter. 2.1 Tests of controls If an entity’s controls are effectively designed and have been implemented, the auditor may choose to take a controls-based approach to the audit. This involves getting audit evidence about the operating effectiveness of the controls through testing them. Testing controls confirms the auditor’s assessment of control risk as determined in the overall audit strategy. While it is generally easy to draw a direct relationship between risks and financial statement assertions (see Topic 1.3), an entity uses a system of internal controls in order to manage risk. This includes risks relevant to financial reporting. The relationship between the internal controls, the risks addressed by each of those controls and the relevant assertion(s) for each risk can be mapped using a risk and control matrix (RACM) (see Topic 1.5). The examples in Topic 1.5 illustrated how a single control may address multiple risks. It also illustrates how a single risk may need multiple controls working together to reduce the risk to an acceptable level. As a result, auditors must successfully complete a four-step process in order to rely on controls over a particular assertion for each class of transaction and/or account balance and related financial statement disclosures: Select the controls to be tested in each relevant process having regard as to the relevant assertions at risk in a class of transaction and/or account balance and related financial statement disclosures. For each selected control, design test of control procedures to obtain sufficient appropriate audit evidence for the operating effectiveness of the control. Perform each test of control procedure for all items in the sample. Evaluate the results from performing the test of control procedure for each item in the sample and for the sample overall to determine whether there is sufficient evidence of the control’s effective operation for each assertion. This topic will focus on the practical considerations of applying the four-step process outlined above, which is also summarised in the following diagram: The following table outlines the readings required for this topic: Relevant international assurance pronouncements and local equivalents (where applicable) International Australia New Zealand ISA 330 The Auditor’s Responses to Assessed Risks (ISA 330) ASA 330 The Auditor’s Responses to Assessed Risks (ASA 330) ISA (NZ) 330 The Auditor’s Responses to Assessed Risks (ISA (NZ) 330) 2.1.1 Selecting controls to test Determining which controls to test is a matter of professional judgement. The following table sets out common factors that auditors take into consideration when making this determination: Factor Why relevant to consider Is the control expected to operate effectively throughout the period of intended reliance? If the auditor selects and tests the control only to find it has not been operating effectively, the control cannot be relied. In this case the auditor must either identify, select and test compensating controls or design and perform substantive procedures. How well is the control designed? A more robust control is more likely to be successful in reducing risks of material misstatement. Has the control been implemented throughout the period of intended reliance? A control can only be relied on and tested for operating effectiveness for the period in which it is implemented. Selecting a control that has not been implemented throughout the audit period may mean the auditor needs to select additional controls to rely on and test. What is the risk of material misstatement? A risk of material misstatement that has potential to occur at multiple points in a process may mean the auditor needs to select more than one control for testing (where such controls exist). Where the entity has a limited number of controls in place to address a particular risk of material misstatement, the auditor may increase the extent of testing for the selected control(s) and/or obtain more relevant and reliable audit evidence about the effective operation of the control. How many risks of material misstatement does the control address? A control that addresses more risks of material misstatement is more likely to be a key control. Selecting a key control to rely on and test can reduce the amount of audit work required to determine the operating effectiveness of controls. What is the degree of reliance that the auditor intends to place on the control? Where a high degree of reliance is planned (i.e. the auditor does not plan to perform any other audit procedures to address the related risk of misstatement), the auditor will need to increase the quantity and/or quality of the audit evidence obtained for the effective operation of the control. Does the control rely on other controls to be effective? If a control is dependent on other controls to address the risk of material misstatement or for its effective operation, the auditor may need to also select and test those other controls to evaluate operating effectiveness. What audit evidence is available to demonstrate the control’s effective operation? Limited or less reliable evidence reduces the level of reliance the auditor can place on the control, even if it is operating effectively. Are there plans to rely on audit evidence on controls from the prior year? If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specific controls, the auditor must determine whether significant changes in those controls have occurred subsequent to the previous audit. If there have been changes that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit. If there have not been such changes, the auditor shall test the controls at least once in every third audit. However, if the controls cover a significant risk, the auditor shall test those controls in the current period. Auditors need to select and test only the controls they intend to rely on to reduce risks of material misstatement. In practice, this means selecting and testing only those controls necessary to address all the risks in a given process, in the following order: • Identify and select key controls. Key controls are controls that address the largest number of risks and/or significant or fraud risks in the process. • Identify whether there are any risks not sufficiently addressed by key controls and then select controls that address those risks. • If any of the selected controls are dependent on the effective operation of other controls, those other controls will also be selected. Auditors use RACMs they have prepared while developing an understanding of the entity’s processes and performing walk-throughs to identify and select the necessary controls. Example 2.1 illustrates how an auditor selects which controls to test. Example 2.1 – Selecting controls to test in the Bespoke Rugs payroll process Shelley refers to the RACM in order to determine which controls to select for testing (an Excel copy of this RACM is provided on D2L in Topic 1.5). Identifying and selecting key controls After reviewing the RACM, Shelley determines that controls 6 and 7 are key controls in the payroll process, as each control addresses six out of the nine risks in the payroll process. Since controls 6 and 7 address the same risks, Shelley considers whether it is necessary to select both controls for testing. Given there is a risk of fraud due to Jamis’s high degree of involvement at all stages of the payroll process, Shelley selects control 7 (but not control 6) for testing. This is because the finance manager’s review is the only control that adequately addresses the fraud risk arising from the lack of segregation of duties. Shelley also identified controls 1 and 8 as key controls since these controls address the risk of unauthorised changes to the employee master file – a risk that the audit team has assessed as high. Control 1 addresses only changes due to new hires and terminations, while control 8 addresses only those changes due to pay rate changes. Therefore, Shelley determines both controls must be tested as they work in combination to address risk 1. Selecting further controls to address remaining risks Next, Shelley considered whether all the risks in the payroll process are addressed by the key controls: Control 1 7 8 Risk Description of risk Assertions Changes to the employee master file must be appropriately authorised and documented. The payroll report is reviewed and approved by the finance manager. Changes in pay rates are approved by relevant department head of board. 1 Unauthorised changes are made to the employee master file. A, O X X 2 Changes to the employee master file are processed incorrectly. A X 3 Changes to the employee master file are not recorded. C X 4 Salaries are paid at incorrect amounts. A X 5 Salaries are paid to employees for work not performed. O X 6 Employees are not paid for work they have performed. C X 7 Salaries are paid in the wrong period. C/O X 8 Salaries and other payroll amounts are recorded incorrectly in the general ledger. CI 9 Salaries and other payroll amounts are not correctly presented and disclosed in the financial statements. P Using this method, Shelley identifies that risks 8 and 9 are not addressed by the key controls. She considers each risk in turn: Risk 8: Since risk 8 is not addressed by any other control selected for testing so far, Shelley refers to the full RACM and determines control 9 also needs to be selected for testing. Risk 9: Risk 9 and its associated control, control 11, are part of the financial statement close process. As the audit team has decided to not rely on controls over the financial statement close process, Shelley does not select control 11 for testing. Finally, Shelley considers whether any of the controls selected so far depend on the proper operation of other controls: Control Description Dependent on other controls? Explanation 1 Changes to the employee master file (new hires and terminations) must be appropriately authorised by the relevant employees’ department heads and documented. No This is a manual prevent control activity that is performed during the initiation phase of the payroll process. It is the first control activity in the transaction flow for new hires and terminations and therefore does not rely on the output of any other control to function. 7 The payroll report is reviewed and approved by the finance manager. Yes This is a manual detect and correct control activity performed during the processing phase of the payroll process. The finance manager’s review consists of a high-level sense check as she relies on the outputs of controls 1, 4, 6 and 8 to be correct. Control 7 has not been designed to be precise enough to detect individual errors if earlier controls are not operating properly. 8 Changes in pay rates are approved by the relevant department heads or board. No This is a manual prevent control activity that is performed during the initiation phase of the payroll process. It is the first control activity in the transaction flow over changes in pay rates and therefore does not rely on the output of any other control to function. 9 Journal entries are automatically recorded to appropriate G/L accounts on upload of the payroll file using the subtotals by department. Yes This is an automated embedded control performed during the reporting phase of the payroll process. It depends on the proper operation of control 5 to generate an accurate and complete payroll file and on control 10 to ensure the data in the payroll file is not inappropriately modified. Based on this analysis, Shelley also selects controls 4, 5, 6 and 10 for testing. Using audit evidence obtained in previous audits In selecting which controls to test, the auditor may also be able to use audit evidence relating to the operating effectiveness of controls from previous years. This strategy of testing controls in one year and then relying on the same audit evidence in the following year is often referred to as ‘rotating tests of controls’ over that significant class of transaction. To be able to rely on prior period testing of either automated or manual controls, the auditor should establish the continuing relevance and reliability of that evidence, including obtaining evidence as to whether significant changes in the operation of those controls has occurred since the last audit. The auditor obtains this evidence through a combination of enquiries of management and observation or inspection to confirm the auditor’s understanding of those specific controls. When the relevant controls are manual, there is a greater risk that the manual control does not operate on a consistent basis. If there have been significant changes that affect the continuing relevance and reliability of the audit evidence from the previous audit, the auditor must test those controls again in the current year. Irrespective of any change in the operation of the controls, the auditor must test the operating effectiveness of the controls at least once every third audit. Note, the auditor must perform some tests of controls in the current year; that is, the auditor cannot choose to rotate all tests of controls in the same year. However, if the auditor plans to rely on controls for an assertion over a significant risk, the auditor must test those controls in the current year. 2.1.2 Designing tests of controls Each test of control procedure is designed to enable an auditor to determine whether a particular control operated effectively to either prevent, or detect and correct, material misstatements in the financial statements in a specific instance. When testing controls, auditors use a statistical process known as ‘attribute sampling’ to confirm whether a particular attribute – for example, whether the control worked as designed – is present or absent. The auditor draws on their understanding of the process and the control’s attributes to define what a control failure (deviation) looks like in relation to the presence or absence of a particular attribute of the control. Precisely defining what a deviation is allows the auditor to establish an expectation of the rate of deviation (expected deviation rate, or EDR) based on their understanding of the process. This will in turn affect the auditor’s design of the extent of test of control procedures. When an auditor has determined a controls-based audit approach is appropriate, they have formed a preliminary expectation that the EDR will not exceed the tolerable deviation rate (TDR) for controls in a given process. In practice, the TDR is specified within an audit firm’s methodology and auditors usually plan for an EDR of zero. Typically, a deviation is defined as any instance where the control did not achieve its objective to either prevent, or detect and correct, a misstatement. Example 2.2 demonstrates how the auditor defines deviations. Example 2.2 – Defining deviations for a control in Bespoke Rugs’ payroll process Shelley considers control 1 (‘Changes to the employee master file (new hires and terminations) must be appropriately authorised by the relevant employees’ department heads and documented’) and its objective of preventing unauthorised changes to the employee master file. She defines the following as deviations: Inability to obtain documentary evidence about the employee’s employment arrangement (signed employment contract dated prior to the employee’s start date). Employee’s employment not being appropriately authorised – for example, employment contract signed by an individual other than the employee’s department head. Documentary evidence for the employee’s employment arrangement contradicting the employee’s details on the payroll system. For example, pay rate not agreeing with salary or award rate in employment contract or most recent remuneration letter, termination date not agreeing with the effective end date in the employee’s resignation letter or notice of termination. Next, the auditor designs the tests of controls to be performed. This involves designing the overall audit program for testing controls over a given process as well as designing the individual test of control procedures. Elements of a test of control procedure An audit procedure comprises three elements – nature, timing and extent – as shown in the following table: Element What it is Nature The method used by the auditor to gather audit evidence about the control’s operating effectiveness. The nature of the test of control is influenced by the characteristics (attributes) of the control being tested and the risk the control is addressing. There are five methods relevant in testing controls, which are shown in order of the persuasiveness of the evidence obtained: Method Example Reperformance (most persuasive) The auditor reperforms a three-way match control activity performed by the accountant. This includes examining the same documents the accountant used (purchase invoice, purchase order and goods received note) and reperforming the steps to agree the respective details (date, customer, description, price, quantity). Recalculation The auditor recalculates a value automatically calculated by an automated information processing control to ensure the IT system is programmed correctly. Inspection The auditor inspects a sample of purchase orders to ensure they are supported by a purchase requisition form, which has been approved in line with the company’s purchasing policy. Observation The auditor watches the inventory count being performed by the company’s warehouse staff. Enquiry (least persuasive) The auditor asks the financial controller whether there have been any changes to the authorisation limits during the year. Timing The period of time over which the auditor intends to place reliance on the control’s effective operation, or when the auditor plans to perform the procedure. Meaning Example Period of intended reliance To obtain evidence that the control has operated effectively over the period of intended reliance, auditors must sample instances of the control’s operation throughout that period. This is usually the same as the audit period. Where there has been a change in the entity or its environment (including its information system) that resulted in a change in the controls partway through the period, the period of intended reliance is the period that the control was in operation. When the procedure is to be performed In practice, controls are commonly tested for the period of intended reliance either at: • an interim date (eg test controls over an interim period 1 July through 31 May in June) • year end (eg test controls for the full year 1 July through 30 June in July). If controls are tested at an interim date, the auditor will need to perform ‘update’ procedures to: • evaluate whether the controls (or their operational effectiveness) have changed significantly between the interim date and year end • determine whether further evidence needs to be obtained for the remaining period up to year end. The auditor may decide to evaluate the design and implementation of controls and test their operating effectiveness at the same time. This is because auditors will make enquiries and perform observations of the same entity personnel and inspect the same kinds of documentary evidence in both cases. Extent The number of instances of a control’s operation to be tested for operating effectiveness (ie sample size). This is driven by the frequency of the control activity and the tolerable rate of deviation (TDR) set by the auditor. In practice, audit firms provide detailed guidance in their audit manuals about the sample sizes to be used when testing controls. The International Federation of Accountants (IFAC) provides the following guidance in relation to minimum sample sizes for testing controls: Control operates Suggested minimum sample Coverage percentage of test Weekly 10 19% Monthly 2–4 25% Quarterly 2 50% Yearly 1 100%Source: International Federation of Accountants 2018, Guide to using ISAs in the audits of small- and medium-sized entities, 4th edn, IFAC, Exhibit 17.5–6, vol 2, p 200 Many firm methodologies permit auditors to count the item selected for walk-through (as discussed in Topic 1.5) as part of the total number of sampled items. In Audit and Risk Audit procedures must be both relevant and robust to be effective in obtaining sufficient appropriate audit evidence: • A relevant test of control provides evidence of whether the control operated as designed. • A robust test of control is specific enough about the nature, timing and extent of the procedure so that an audit analyst can perform the procedure without needing further clarification. Assessing relevance and robustness of a test of control is illustrated in Example 2.3 . Example 2.3 – Identifying whether a test of control is suitably relevant and robust for Bespoke Rugs This example continues on from the information provided in Examples 1.33 and 1.34 in Chapter 1. Shelley obtains a list of all new starters and terminations at Bespoke Rugs during the current year. The list provided by Jamis shows there were 25 new hires and 13 terminations (total of 38 employees), with approximately two to three new hires or terminations for each month. Shelley considers the following test of control procedure for control 1: Obtain employees’ files and agree each employee’s details per employment contract or remuneration letter (and letter of resignation or notice of termination where applicable) to the employee’s record in the payroll system. Investigate all discrepancies between the payroll system and the documentation in the employee’s file. She determines the test of control procedure is relevant since the documents inspected as part of performing the procedure (eg employment contracts) must exist if the control is operating effectively. However, the test of control is not robust, as Shelley is unsure of how many items to sample. Referring to the IFAC guide and the XYZ Partners audit methodology, Shelley determines that a sample size of eight is appropriate (being 20 per cent of the number of instances the control would have been confirmed in the current year), as control 1 is performed more frequently than monthly but less frequently than weekly. It is also unclear from the procedure what employee details should be agreed. Shelley amends the procedure by adding the following specifics: Select a sample of eight random new hires or terminations throughout the year. Obtain the employees’ files and agree each employee’s start date, termination date (where applicable), pay rate and job title per employment contract or remuneration letter (and letter of resignation or notice of termination where applicable) to the employee’s record in the payroll system. Investigate all discrepancies in start date, termination date (where applicable), pay rate and job title between the payroll system and the documentation in the employee’s file. Audit program considerations As discussed in subtopic 1.4.2, an audit program is made up of multiple audit procedures that enable an auditor to obtain sufficient appropriate evidence on a cumulative basis. When designing an audit program for controls testing, auditors are required by the Auditing Standards to incorporate test of control procedures that use methods other than enquiry. This is because enquiry alone does not provide sufficient evidence of the operating effectiveness of controls. Example 2.4 demonstrates the methods for controls testing that can be used by the auditor. Example 2.4 – Audit program considerations in testing payroll controls at Bespoke Rugs Shelley considers the following procedures she has performed over control 1 in the payroll process: Procedure performed Type of procedure Method used Level of evidence obtained Interview with Jamis (payroll manager) about the overall payroll process Risk assessment Enquiry Minimal Walk-through of controls in the payroll process Risk assessment Observation Inspection Low – evidence was obtained for one instance of the control’s operation when walk-through was performed. She notes that her process interview and walk-through provided a low level of evidence about the control’s operating effectiveness. In particular, Jamis may have only performed the control correctly during the walk-through because she was observing him. There is not enough evidence to conclude he has performed the control correctly throughout the year. Shelley considers the additional test of control planned over control 1: Procedure planned Type of procedure Method used Level of evidence obtained Select a sample of eight random new hires or terminations throughout the year. Obtain the employees’ files and agree each employee’s start date, termination date (where applicable), pay rate and job title per employment contract or remuneration letter (and letter of resignation or notice of termination where applicable) to the employee’s record in the payroll system. Investigate all discrepancies in start date, termination date (where applicable), pay rate and job title between the payroll system and the documentation in the employee’s file. Test of control Inspection Reperformance High – evidence will be obtained for 20 per cent of the instances of the control’s operation during the year via Shelley's independent reperformance of the control activity using the same documents available to Jamis when he performed the control. Shelley will use the understanding she gained from interviewing Jamis and performing the walk-through to reperform the control activity. Once the test of control has been performed, Shelley will have obtained sufficient evidence of control 1’s operation by using a combination of enquiry, observation, inspection and reperformance. 2.1.3 Performing tests of controls Auditors follow the process outlined in the flowchart in this topic’s introduction when performing tests of controls. Auditors begin by selecting a sample of items to be tested, as shown in Example 2.5 . Example 2.5 – Performing a test of control at Bespoke Rugs Shelley takes the personnel list of new hires and terminations during the year and assigns a unique identifier to each record in the listing from 1 through to 38. She uses XYZ Partners’ proprietary sampling tool to randomly generate two sets of numbers: XYZ PARTNERS – SAMPLE SELECTOR CLIENT: BESPOKE RUGS LIMITED YEAR END: 30 JUNE 20X5 TEST: PAYROLL CONTROL #1: CHANGES TO EMPLOYEE MASTER FILE SAMPLE SIZE: 8 SEQUENCES: 2 SEQUENCE 1: ASCENDING ORDER SEQUENCE 2: GENERATION ORDER OUTPUT USING RANDOM NUMBER SEED: 19287363492384619827364 SEQUENCE 1: SEQUENCE 2: 1 2 5 11 12 31 32 35 38 13 14 28 6 7 8 13 Shelley selects her sample using the random numbers generated in sequence 1 (sequence 2 will be used to select replacement items as and when needed later): Shelley sends the sample selection to Jamis and asks for the information she will need to perform the test of control procedure: Specific considerations when testing automated controls In addition to the impact of general IT controls (GITCs), discussed in subtopic 1.5.4, there are specific considerations for testing automated controls within a process: Characteristic Testing considerations Is the automated control embedded or configurable? Automated controls that are configurable are more susceptible to manipulation: • Who has the access to make changes to the configuration? • Are changes to the configuration of the control logged, monitored and/or approved? Does the automated control perform different activities depending on whether certain condition(s) are met? Automated controls with a larger number of dependent conditions, conditions that are complex to determine or with complicated logical rules are more susceptible to faulty programming: • How many inputs does the automated control rely on in order to function? • What are the sources of data for those inputs? • How complex are the inputs? Are the inputs discrete values or are all values within an accepted range? • How many different outcomes (cases) is the automated control capable of producing? Do these outcomes encompass all possible outcomes in the context of the entity’s processes, business and environment? • What kind of logical operations are performed by the automated control to determine how to function? Are there flaws or loopholes in the logic that have potential for a subset of transactions to bypass the automated control? Are dummy transactions necessary for testing? Not all conditions may be met during the period of intended reliance, thus, there may not be available evidence that the automated control is operating effectively in all possible cases. Where this is the case, the auditor may need to consider the use of dummy transactions to obtain sufficient evidence about the operating effectiveness of the automated control. What kind of environment is available for testing automated controls? Automated controls may be tested in either the production (live) environment or in a test (staging) environment. When choosing the environment, auditors consider whether: • Dummy transactions are necessary (the introduction of dummy transactions into a live environment may compromise the integrity of the underlying data used to prepare the financial statements). • The client and/or the auditor has the necessary skills, resources and expertise to faithfully reproduce the live environment in a test environment. • Differences between a test environment and the live environment have the potential to affect the way automated controls operate (and therefore render the results of the testing invalid). Example 2.6 illustrates how these characteristics of the automated systems are considered during an audit. Example 2.6 – Specific considerations when testing automated controls at Bespoke Rugs Shelley considers the following specifics for testing control 4 (‘Salaries and other payroll amounts are automatically calculated by the payroll system’): This is an embedded automated calculation control within the payroll system. The information used by the control is contained in the employee master file. The audit team intends to rely on control 1 to ensure the integrity of the data in the master file. A minor update to the payroll system was deployed in October 20X4. From her discussions with Jamis and the IT manager, this minor update changed how the payroll system was calculating withholding rates in line with newly passed legislation. The new legislation extended the concessional tax treatment of certain termination payments for employees aged 65 years or older. There were no other changes to the payroll system. A scan of the employee master file reveals that there were no transactions during the year that would meet the new case. Bespoke Rugs does not have a complex IT environment with most IT applications being either cloud-based or off-the-shelf products installed on local machines. As there is no separate staging environment, the IT manager created a dummy employee (John Smith) to test the update. The IT manager has retained screenshots of the testing performed and provided these to Shelley. The audit senior testing of GITCs is in progress – based on the results to date, Shelley expects GITCs to be effective. Based on these facts, Shelley concludes that the walk-through of control 4 is sufficient appropriate audit evidence for the effective operation of the control and no further tests are necessary. Use of automated tools and techniques Automated tools and techniques enable the auditor to perform audit procedures using the same methods as manual testing (as discussed in subtopic 2.1.2) but on a more economical and practical scale. However, automated tools and techniques are not in and of themselves a separate method of obtaining audit evidence. The extent to which auditors can use automated tools and techniques largely depends on factors at the audit client, as shown in the following table: Factor How it affects auditor’s ability to use automated tools and techniques The degree to which audit evidence is readily available in digital formats that meet minimum data quality benchmarks Current automated tools and techniques that are prevalent in practice today require auditors to make a considerable initial investment of time and effort on extract transform load (ETL) to ensure the data can be obtained in a usable format and can be relied on for audit purposes. The level of adoption of technology and digitisation of processes by the audit client, including the degree of reliance on automated controls Audit clients that have low levels of technology adoption rely on mainly manual processes. As a result, audit evidence related to the operating effectiveness of controls mostly exists in physical formats. Automated controls operate in a consistent fashion and therefore generate and capture data in a consistent way, resulting in more data of a higher quality. The sophistication of the audit client’s processes and IT systems Audit clients with sophisticated processes and IT systems generally have more data that is of a higher quality, due to the effective design and implementation of dedicated controls over data collection and ensuring data quality. More sophisticated IT systems often have built-in reports and data extraction functionality that are compatible with the requirements of the auditor’s automated tools and techniques. How knowledgeable the audit client’s personnel are about data and IT systems Without the assistance of adequately knowledgeable personnel at the audit client, the auditor must invest more time and effort in the ETL process. In addition, the audit client may not be able to provide the auditor with the requested data even if the processes and the IT systems are capable of capturing that data due to a lack of knowledgeable personnel. Whether GITCs are effective Effective GITCs are likely to improve data quality, as they support the effective functioning of automated controls. The decision to use automated tools and techniques is a matter of professional judgement. It often involves weighing the additional relative effort required to use automated tools and techniques against the additional relative effort required to manually test controls. As discussed in Topic 1.5, effective GITCs can reduce the sample size for testing an automated control to one instance and auditors may count their walk-through as one of the items sampled for controls testing purposes. In such a scenario, the relative effort required to manually test automated controls is effectively zero. Therefore, the auditor is not likely to use automated tools and techniques, unless the audit evidence provided from their use will address risks that are not otherwise sufficiently addressed by the planned audit procedures. The following table illustrates some of the most common applications of automated tools and techniques in the context of testing controls: Manual procedure Procedure performed using automated tools and techniques Obtain a physical listing of all instances of when a control has been performed. Manually apply a sampling technique to select items for testing. Obtain an electronic listing of all instances of when a control has been performed. Use Excel or a dedicated sampling tool to automatically select items for testing. Inspect a sample of sales invoices created during the audit period to determine whether there are duplicate sales invoices or gaps in the sequence of invoice numbers by examining whether the invoice number of the sampled items are in sequential order with the preceding and subsequent sales invoices. Obtain a listing of all sales invoices created during the audit period. Perform ETL operations to sort the sales invoices in ascending order by invoice number and calculate the increment in the invoice number between the current and preceding sales invoices to identify duplicate records (increment of 0) and gaps in sequences (increments greater than 1). Inspect physical or digital records of recorded journal entries for evidence the journal entries were appropriately prepared, authorised and posted to the correct accounts. Obtain the dataset of all journal entries recorded in the general ledger. Use Excel or dedicated journal entry testing tools to filter and analyse the dataset by journal entry type, preparer, approver and accounts. Inspect the results for evidence of journal entries that do not appear to be consistent with the auditor’s understanding of the related processes. The use of automated tools and techniques is necessarily limited in current practice as some audit clients are still at the early stages of digital transformation. Issues in data extraction and the cost of implementing automated tools and techniques continue to pose considerable challenges to widespread implementation (as discussed in subtopic 1.1.3). As more audit clients use more digital systems and processes, new opportunities for the use of automated tools and techniques will become available to the auditor. 2.1.4 Evaluating the results of controls testing Auditors are required to evaluate the results of control testing at several levels (as illustrated in the flowchart in this topic’s introduction): • For each sampled item (every instance of the control’s operation that was sampled). • For each test of control procedure (considering all sampled items as a whole). • For each assertion the auditor plans to rely on to test the effective operation of controls that reduce the risks of material misstatement to an acceptably low level (considering all test of control procedures collectively at the audit program level). At the sampled item level Materiality does not apply when the auditor is evaluating the result from performing the test of control procedure for a sampled item. This is because the auditor is looking to confirm whether the control operated effectively in a particular instance based on the presence or absence of a particular control attribute in the audit evidence obtained for the sampled item. An exception exists when the audit evidence shows a different result to the auditor’s expectations about the presence or absence of the control attribute. Where exceptions are detected, the auditor needs to investigate the nature and cause of the exception to determine whether the exception is an anomaly or a deviation. This is demonstrated in Example 2.7 . Example 2.7 – Evaluating the results of a test of control at the sampled item level Shelley receives the following email from Jamis: She determines both item 12 and item 35 are exceptions as the test of control could not be performed for these items. Shelley considers the explanations from Jamis and the control’s attributes to determine whether these two items are deviations: Item 12: This is a dummy employee and therefore not a valid payroll transaction. It is an anomaly in nature and its impact on the audit must be considered separately. Item 35: This is a real employee who did not provide a resignation letter. As the employee chose to end the employment arrangement rather than the employer, a notice of termination does not exist. However, a text message was received from this employee so a form of documentary evidence exists. Shelley excludes item 12 from the sample and selects item 38 as a replacement item, using the first number in sequence 2: She also determines that an alternative procedure can be designed for item 35: Obtain and inspect the text message Jamis received and match the sender’s phone number to the employee’s contact details in his employee record. Make corroborating enquiries of the employee’s manager to confirm the nature and manner of the employee’s resignation. Shelley asks Jamis to show her the text message on his phone: Shelley confirms the phone number +61491577644 matches Eryk’s mobile number in his employee records. Jamis also organises a quick phone call with Fatima, Eryk’s manager: Shelley: Hi Fatima. I’m one of the auditors and I’m in the process of testing the controls around payroll. One of the employees I’ve selected for testing doesn’t seem to have a resignation letter or a notice of termination on file. Fatima: Let me guess, Eryk Wright? Shelley: Yes, that’s right. Fatima: Good kid but he’s been struggling with a lot of personal issues. It became too much for him and he quit during one of our weekly catch ups. Shelley: Did you document that in an email or...? Fatima: Nah. Three other people heard him resign during the meeting – I can give you their names if you want. I did remind him of his notice period and other things, though he had enough leave that it didn’t matter. Soon as the meeting was over, I rang Jamis and gave him the heads up. Shelley: Thanks for your time, that’s all I needed. Based on the audit evidence obtained, Shelley concludes item 35 is not a deviation. Anomalies are excluded from the auditor’s evaluation of results at the test of control procedure level on the basis that they are not representative of the population. Consequently, the auditor must select and test another item from the population as a replacement for the anomaly to complete the test of the control. Anomalies must also be evaluated separately in terms of their standalone impact on the audit, as shown in Example 2.8 . Example 2.8 – Evaluating the standalone impact of an anomaly in Bespoke Rugs The anomaly (item 12) has a number of potential impacts on the audit: Item 12 may not be the only dummy employee record in the payroll system. Test transactions may be incorrectly included in payroll amounts in Bespoke Rugs’ financial statements. There was a change in the programming of an embedded automated calculation control that has been selected for testing. Shelley will need to take this into consideration when testing control 4. Shelley designs additional procedures to evaluate the standalone impact of the anomaly: Inspect the email correspondence between the IT manager, Jamis and managing director to understand the scope of the dummy testing approved in the payroll system. Make enquiries of the IT manager and Jamis about the testing performed in the payroll system, how dummy employees and transactions were identified and corroborate the results of these enquires to test documentation. Obtain a copy of the full employee master file and inspect the listing of employees for characteristics that might indicate these are dummy employees. Inspect activity logs for the payroll system, online banking system, general ledger and the secure payroll network folder for evidence that payroll files generated during the dummy testing were incorrectly processed. Shelley notes her observations as she performs the additional procedures: XYZ Partners Client Bespoke Rugs Year end 30 June 20X5 Subject Results of additional procedures performed over anomaly in testing payroll control 1 Memo The managing director only approved the creation of one dummy employee by Jamis (the IT manager does not have access to the payroll system) and required all test cases to be done using the same dummy employee by changing the dummy employee’s date of birth and pay rate. The IT manager designed the dummy data and test cases but Jamis was the one who put them through the payroll system while being observed by the IT manager. The finance manager was extra vigilant when performing her review of the October pay run to ensure the dummy employee was marked as terminated in the system, that the pay rate for the dummy employee was set to $0 and the bank account details entered for the dummy employee were set to the company’s bank account (as invalid bank details were rejected by the payroll system). Activity logs showed the payroll files generated for the test payruns were immediately deleted after the testing was completed and were not uploaded to either the online banking system or general ledger. Prepared: SC 9 July 20X5 Based on the evidence gathered, Shelley concludes there is no impact on the overall audit from the anomaly. At the test of control procedure level The auditor must determine whether the actual deviation rate (ADR) in the sample exceeds the TDR so they can determine the operating effectiveness of the control. Example 2.9 illustrates how an auditor can evaluate the results of controls testing at the procedure level. Example 2.9 – Evaluating the results from performing a test of control procedure at Bespoke Rugs At XYZ Partners, the firm’s practice is to set the TDR for all tests of controls to 0 per cent. After completing her testing of all sampled items, Shelley calculates the ADR for control 1 as follows (excluding the anomaly item 12 from consideration): ADR = Number of deviations/Number of items sampled = 0 deviations/8 items sampled = 0% Shelley concludes control 1 is operating effectively and completes the controls testing workpaper for control 1: Shelley has also completed testing of control 7 (‘The payroll report is reviewed and approved by the finance manager’) and noted 1 deviation in the 4 items sampled: ADR = Number of deviations/Number of items sampled = 1 deviations/4 items sampled = 25 per cent As this is greater than the TDR of 0 per cent, Shelley concludes control 7 did not operate effectively throughout the period. Where ADR exceeds TDR, the auditor may choose to increase the extent of the test of control procedure (ie extend the number of items sampled) if there is a reasonable expectation that after testing additional samples the ADR for all items sampled will be less than the TDR. This is rare in practice, as the relative incremental effort of testing the additional items required to be sampled is generally greater than the relative incremental effort of not relying on the ineffective control and increasing the number and extent of substantive procedures to be performed. For controls that are deemed to be ineffective in their operation, the auditor will need to consider whether there is a control deficiency that must be communicated to management and/or those charged with governance as per the requirements of ISA 265. The relevant considerations were discussed in Topic 1.5. At the audit program level Since controls work in combination to reduce risks of material misstatement to an acceptably low level, auditors must consider the cumulative impact of any controls deemed to be operating ineffectively in context of the whole process. The auditor considers which risks (and therefore which assertions) are affected by the ineffective control(s) in order to finalise their assessment of control risk at the assertion level. Since the auditor does not normally select all controls for testing, there may be other controls that have been effectively designed and implemented which could compensate for the ineffective control(s). When an auditor determines that control risk is high for a particular assertion after completing controls testing, and the planned audit approach was based on an initial assessment of low control risk, the audit strategy and the audit program need to be updated. The update should be to increase the number and extent of the substantive procedures to be performed over the assertion tested. Example 2.10 illustrates how an auditor can evaluate the results of controls testing at the audit program level. Example 2.10 – Evaluating the results of controls testing at the audit program level for Bespoke Rugs All tests of controls over payroll have now been completed with the following results: Control 1 4 5 6 7 8 9 10 Deviations 0 0 0 0 1 0 0 0 ADR 0% 0% 0% 0% 25% 0% 0% 0% Operating effectively? Yes Yes Yes Yes No Yes Yes Yes Shelley refers to the payroll RACM (an Excel copy of this RACM is provided on D2L in Topic 1.5) to determine whether there are compensating controls. She identifies control 6 (which has already been tested) as a potential compensating control as it addresses the same risks as control 7. However, Shelley notes that the risk of fraud arising from the lack of segregation of duties does not show up in the RACM format as it is broader than the payroll process. She therefore concludes that control 6 is not a compensating control with respect to this fraud risk. As there are no other controls designed and implemented to address this fraud risk, Shelley concludes that additional substantive procedures must be designed and performed around this fraud risk. Finally, Shelley considers the evidence obtained about the operating effectiveness of all controls tested over each relevant assertion and applies professional judgement to determine the overall control risk for each assertion: Assertion Controls tested Ineffective controls Control risk Occurrence 1, 5, 6, 7, 10 7 Low Accuracy 1, 4, 5, 6, 7, 8, 10 7 Low Completeness 6, 7 7 High * Cut-off 6, 7 7 High + Classification 9 NA Low Presentation NA NA High * Control 7 primarily addressed the risk of fraud due to the lack of segregation in duties; other controls tested and found to be operating effectively are highly precise and robust in either preventing, or detecting and correcting, misstatements relating to these assertions. + Control 6 is not considered enough on its own. Further substantive audit procedures will be designed to address risks of material misstatement relating to these assertions. Shelley updates the audit team’s overall risk assessment and audit strategy for payroll following the completion of controls testing: Payroll process Control risk assessment Assertion Initial Final Impact on overall audit strategy Occurrence Low Low Controls-based approach Accuracy Low Low Controls-based approach Completeness Low High Substantive approach ^ Cut-off Low High Substantive approach ^ Classification Low Low Controls-based approach Presentation High High Substantive approach ^ Additional substantive procedures to be designed and performed for these assertions and the risk of fraud due to the lack of segregation of duties. 2.2 Substantive testing Introduction This topic continues the testing phase of an audit by focusing on substantive procedures. Substantive procedures provide direct evidence about amounts in the financial statements by testing the underlying data. Auditors design substantive procedures to detect material misstatements at the assertion level. That is, auditors gather evidence about the underlying assertions in the account balances and transactions. Remember that in the audit risk model, detection risk is controlled by the auditor. If control risk is high for a specific account or assertion, the auditor relies more on substantive procedures to reduce detection risk and, therefore, audit risk to an acceptably low level. Accordingly, as discussed in Chapter 1, some audits predominantly use substantive procedures while others rely more on tests of controls and conduct a limited amount of substantive testing. This topic will cover the two types of substantive procedures: substantive analytical procedures and tests of details. We will focus on the auditor’s use of professional judgement and professional scepticism when designing, performing and evaluating these procedures. We will also discuss some specific areas the auditor needs to be attentive to and considerations about using the work of others as part of the audit. The following table outlines the readings required for this topic: Relevant international assurance pronouncements and local equivalents (where applicable) International Australia New Zealand ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements (ISA 240) ASA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report (ASA 240) ISA (NZ) 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements (ISA (NZ) 240) ISA 330 The Auditor’s Responses to Assessed Risks (ISA 330) ASA 330 The Auditor’s Responses to Assessed Risks (ASA 330) ISA (NZ) 330 The Auditor’s Responses to Assessed Risks (ISA (NZ) 330) ISA 500 Audit Evidence (ISA 500) ASA 500 Audit Evidence (ASA 500) ISA (NZ) 500 Audit Evidence (ISA (NZ) 500) ISA 501 Audit Evidence – Specific Considerations for Selected Items (ISA 501) ASA 501 Audit Evidence—Specific Considerations for Inventory and Segment Information (ASA 501) ASA 502 Audit Evidence—Specific Considerations for Litigation and Claims (ASA 502) ISA (NZ) 501 Audit Evidence – Specific Considerations for Selected Items (ISA (NZ) 501) ISA 505 External Confirmations (ISA 505) ASA 505 External Confirmations (ASA 505) ISA (NZ) 505 External Confirmations (ISA (NZ) 505) ISA 520 Analytical Procedures (ISA 520) ASA 520 Analytical Procedures (ASA 520) ISA (NZ) 520 Analytical Procedures (ISA (NZ) 520) ISA 530 Audit Sampling (ISA 530) ASA 530 Audit Sampling (ASA 530) ISA (NZ) 530 Audit Sampling (ISA (NZ) 530) ISA 540 (Revised) Auditing Accounting Estimates and Related Disclosures (ISA 540 (Revised)) ASA 540 Auditing Accounting Estimates and Related Disclosures (ASA 540) ISA (NZ) 540 (Revised) Auditing Accounting Estimates and Related Disclosures (ISA (NZ) 540 (Revised)) ISA 550 Related Parties (ISA 550) ASA 550 Related Parties (ASA 550) ISA (NZ) 550 Related Parties (ISA (NZ) 550) ISA 570 Going Concern (Revised) (ISA 570 (Revised))* ASA 570 Going Concern (ASA 570)* ISA (NZ) 570 (Revised) Going Concern (ISA (NZ) 570 (Revised))* ISA 600 Special Considerations – Audits of Group Financial Statements (Including the Work of Component Auditors) (ISA 600)* ASA 600 Special Considerations – Audits of a Group Financial Report (Compiled) (ASA 600)* ISA (NZ) 600 Special Considerations – Audits of Group Financial Statements (Including the Work of Component Auditors) (ISA (NZ) 600)* ISA 610 (Revised 2013) Using the Work of Internal Auditors (ISA 610 (Revised 2013)) ASA 610 Using the Work of Internal Auditors (ASA 610) ISA (NZ) 610 (Revised 2013) Using the Work of Internal Auditors (ISA (NZ) 610 (Revised) ISA 620 Using the Work of an Auditor’s Expert (ISA 620) ASA 620 Using the Work of an Auditor’s Expert (Compiled) (ASA 620) ISA (NZ) 620 Using the Work of an Auditor’s Expert (ISA (NZ) 620) * Only some paragraphs from these specific standards will be identified as required reading. The following table lists some key requirements from the Auditing Standards about substantive procedures: Requirement Substantive procedures (ie either tests of details or SAPs or both) must be performed for all material classes of transactions, accounts balances and disclosures (ISA 330). Where inventory is a material account, the auditor must attend an inventory count (ISA 501). The auditor must consider whether external confirmations are used as an audit procedure (ISA 330, ISA 505). Substantive procedures must include procedures relating to the financial reporting close process, such as agreeing or reconciling the financial statements with the underlying accounting records, and examining material journal entries and other adjustments made during the period of preparing the financial statements (ISA 330). Substantive procedures must include procedures responsive to the risk of management override of controls, such as testing the appropriateness of journal entries and reviewing accounting estimates for management bias (ISA 240). Substantive procedures must be specifically designed in response to a significant risk at the assertion level and further audit procedures must be performed to specifically respond to risk of fraud (ISA 240, ISA 330). If only substantive procedures are used to respond to a significant risk, those procedures must include tests of details (ISA 330). The auditor is required to identify whether there is a risk of material misstatement due to litigation and claims and, where a risk has been identified, the auditor must communicate with the entity’s external legal advisors (ISA 501). In auditing accounting estimates, the auditor must perform further procedures required by ISA 540 (Revised). 2.2.1 Substantive analytical procedures Like all forms of evidence gathering, substantive analytical procedures (SAPs) are a method the auditor can use to gather evidence about whether an account is materially misstated. For a SAP, the auditor uses plausible relationships among data to develop a reasonable expected value for an account. The auditor then compares the actual account balance to their independently calculated expected value. This type of procedure is used where the auditor perceives internal controls to be relatively strong and therefore control risk to be at a low level. SAPs should not be used where control risk has been assessed as high. This is because the data used for such procedures is likely to be inaccurate and more reliable forms of evidence are needed to lower detection risk. It is important to note that a SAP is different from an analytical procedure conducted during the planning and final stages of an audit (discussed in Chapters 1 and 3). Analytical procedures at the planning stage are used to identify potential risks of misstatements but do not help to substantiate specific accounts or assertions. Similarly, analytical procedures at the final stage are intended to identify whether there are any previously unrecognised risks of misstatement. These should be completed after the auditor believes sufficient substantive evidence has been obtained. Example 2.11 illustrates the difference between an analytical procedure and a SAP. Example 2.11 – Analytical procedures versus SAPs Andrew, an audit senior with AuditNow, is designing audit procedures for the client, Sunset Luau Limited. His current focus is the sales commission account. The main assertions identified as risks for the sales commission account are accuracy and occurrence. Andrew proposes the following procedure for sales commission expenses to his manager, Eva: Obtain a detailed listing of sales commission expenses and agree the totals to the general ledger. Obtain the prior year expense listings for the same expense accounts and compare the listings to the current year taking note of any unusual items, including significant omissions or additions. Discuss any unusual fluctuations with management. Eva explains to Andrew that the procedure he has designed is an analytical procedure, not a SAP. Eva also tells him that controls over revenue and management’s forecasting process have already been tested and are effective. To design a SAP, Andrew needs to develop a realistic expectation for the expenses and an acceptable variance, rather than simply comparing them to the previous financial year. This is because the actual expenses are dependent on more than just the previous financial year’s reported expenses. With Eva’s guidance, Andrew designs the following SAP: Develop an independent expectation of the sales commission expense using the sales commission agreements, actual sales for the year and the previous financial year’s sales commission expense. Compare this expectation to the recorded sales commission expense for the current financial year. Follow up any unexpected variances greater than performance materiality with management and obtain supporting documentation. Note that although SAPs provide a higher level of assurance than analytical procedures performed during the planning and final stages, they do not provide the type of direct evidence on individual items that tests of details provide. SAPs are generally considered to provide less assurance than tests of details. SAPs are often used: • as the only substantive procedures for specific account balances, where the risks of material misstatement are assessed as low and tests of controls have been performed and show that the controls are operating effectively • to support tests of details that address the same class of transactions and assertion • to test large volumes of transactions that are predictable over time. SAPs are often suitable for testing the completeness and accuracy assertions associated with certain low-risk classes of transactions. For example, for depreciation expenses, depreciation rates can be applied to depreciable asset balances, allowing for the effect of any disposals and additions. Designing, performing and evaluating substantive analytical procedures The following flowchart illustrates the steps involved in designing, performing and evaluating a SAP: Example 2.12 – Evaluating SAPs Andrew, in his audit of Sunset Luau, determines that an acceptable level of variance for the sales commission expense account would be $5,000 (this amount being equal to the performance materiality). Once the SAP has been completed, Andrew considers the results. The audit team was able to calculate an expected value for the account of $54,000. The balance of the account recorded in the Sunset Luau’s accounting system was $52,000. Andrew concludes that the variance ($2,000) is acceptable and no further investigation is required for the SAP. Note that this conclusion relates only to the SAP. Andrew and Eva had also planned to gather evidence for occurrence of the sales commission in combination with the tests of details for the sales account – these tests will still be required. Example 2.13 – Using a SAP Interview with Patrick Besson CA, Manager, EY When is a SAP more beneficial than a test of detail? Patrick Besson explains a SAP is beneficial for accounts with a lot of low-value, homogeneous transactions that are all individually immaterial. ‘Often, by setting an expectation across the whole balance, you achieve a more valuable piece of recorded evidence than you would by testing small samples based on individual dollar amounts that are, on their own, immaterial.’ That's the benefit of using a substantive analytical procedure. When designing a SAP, are you required to exercise professional judgement? Besson explains that professional judgement is absolutely essential when using a SAP. ‘When it comes to SAPs, there are two key things that determine what level of assurance you receive from the procedure, and both come down to professional judgement.’ Firstly: ‘How precise are your expectations? There’s no particular formula that says “If you use information from source X, source Y and source Z then you’ll get a highly precise expectation”. You need to exercise judgement, for instance, in determining what and how to combine external pieces of data (like analysts’ reports) with internal information (for example, internal reports and information gained from discussions with management). The accuracy of your expectations is only ever as good as your professional judgement.’ Secondly: ‘What’s the tolerable variance? You need to define your variance threshold for your procedure. Again, your judgement here will determine what level of assurance you derive from your SAP.’ Further, Besson explains that professional judgement also comes into play when deciding whether the SAP provides sufficient appropriate audit evidence on its own, or whether additional audit procedures are also required. 2.2.2 Designing substantive tests of details Tests of details involve obtaining direct evidence on items that comprise amounts in the financial statements. They are designed to detect misstatements at the assertion level and are performed on every audit engagement. Obtaining direct evidence for amounts in the financial statements can often mean significant work for the auditor (eg agreeing a large number of expense transactions to supplier invoices). Despite this, a test of details can sometimes be the most efficient way of addressing the risk of material misstatement (RMM) at the assertion level as seen in Example 2.14. Example 2.14 – A test of detail versus a SAP Tracey Klay is the audit partner responsible for the audit of Peripheral Trading. Peripheral Trading is a local subsidiary of a large multinational company. The only material expenses the local subsidiary incurs each year are recharges by the parent company, Fussionner Limited. These recharges are calculated as a percentage of sales and are charged to the subsidiary monthly. As part of the planning procedures, Tracey noted that while a SAP could possibly be designed to address the risks of material misstatement related to the completeness assertion over these expenses it was concluded that the 12 recharges could quickly be agreed directly to the 12 invoices and 12 respective payments on Peripheral Trading’s bank statements. Therefore, this test of details is the most efficient and effective procedure to address the risk of material misstatement in relation to the recharge expense. When designing tests of details, the auditor considers the nature, timing and extent of the procedure. Each of these aspects is discussed in this topic. Nature of tests of details The nature of tests of details refers to the method and the purpose of the tests. Methods for tests of details include external confirmation, reperformance, recalculation, inspection, observation and enquiry. Examples 2.15 to 2.17 provide insight into some of these methods. Example 2.15 – Confirmation of cash balances Cash balances are almost always a significant focus for the auditor – a misstatement of a business’s cash balances can grossly misrepresent the solvency of a business (eg the financial services business Wirecard). It is therefore crucial the auditor tests key assertions, like existence, for all material cash balances held by their clients. In addition to addressing assertions for account balances, performing audit testing on cash balances are relevant for testing the completeness and occurrence of an entity's transactions. Discrepancies with cash balances can be indicators of wider problems with how transactions are captured and reconciled within the accounting system. Lincoln Juan, an auditor for the firm Stabilize Assurance, wishes to design substantive procedures to test the cash balances of his client, Waver and Falter Limited. His particular focus is the assertion of existence. To address this assertion, he plans to request external confirmation from the bank to confirm the cash balances recorded in the trial balance. The confirmation request will include whether there are any new accounts, borrowings or similar facilities opened during the year, whether any accounts have been closed and who the authorised signatories to the accounts are. In addition to providing evidence about the existence of cash balances, this information will provide relevant evidence for the assertion of rights and obligations, for the completeness of borrowings and any associated interest expense. Lincoln knows that requesting external confirmations can be time consuming and a response is not guaranteed. For this reason he plans to use a third-party digital platform to submit the confirmation request.* He has assessed the digital platform as a secure environment for executing the confirmation request and for receiving the response (ie there is negligible risk of inappropriate interception, alteration or fraud, as the client is not involved in the process). *Many banks are now using the online audit confirmation service, Confirmation (www.confirmation.com ). Note that in addition to confirming cash balances, confirmations are commonly used to confirm legal matters, property ownership and for investments or inventories held by third parties. Example 2.16 – Testing existence and valuation of inventory Lincoln Juan now wishes to confirm the existence and condition (ie accuracy, valuation and allocation assertion) of the inventory of his client, Waver and Falter Limited. For the previous year’s audit Lincoln attended Waver and Falter’s physical inventory count (ie stocktake). As the client’s inventory balance was material he was required to do so under ISA 501. To comply with ISA 501, he: Evaluated management’s stocktake instructions and procedures. Observed management’s inventory counts. Inspected inventory. Performed test counts. For the current year, Lincoln cannot physically attend the client’s premises because of travel restrictions. He must therefore design alternative procedures. He designs the following procedures: Use drone and AI-enabled image analysis to perform test counts of inventory and analyse the results. Review the client’s inventory listing to ensure it reflects the quantities from the test counts. Obtain explanations for any differences found. In documenting this procedure, he will need to identify steps used by the drone operator to ensure the drone was appropriately placed to obtain the best view of inventory being counted. He will also document how the AI was determined to be appropriate for analysing the images. Waver and Falter’s stocktake is scheduled to be performed one month before the end of their financial reporting period. Lincoln therefore also plans to complete roll-forward procedures to confirm the inventory balance at year end by: Using the information obtained from the inventory count procedure, plus evidence gathered during the testing of the sales and purchasing processes, to estimate the year-end balance of inventory. Comparing this estimate with the actual listed inventory balance at year-end. Investigating any differences found that are greater than performance materiality. Source: Adapted from IAASB 2020, Non-authoritative support material related to technology: Audit documentation when using automated tools and techniques, April, IFAC. Example 2.17 – Considering litigation and claims Litigation and claims involving a client may have a material effect on their financial statements, including required disclosures. Jordie Pickle, a senior auditor for the firm Chutney Consulting, is considering substantive procedures to respond to this risk for his client Paddleless Pursuits. He is concerned about completeness (ie that Paddleless Pursuits may not have included all relevant liabilities on their financial statements). With the intention of identifying whether there were any relevant litigation or claims (and in line with ISA 501), Jordie completes the following procedures: Review the minutes of the meetings of those charged with governance to identify any potential litigation or claims. Review correspondence between the client and their external legal counsel and any associated invoices. Ask management about their process for identifying and accounting for litigation and claims, and request details for any litigation or claims. He identifies that a legal claim has been filed against Paddleless Pursuits. Management tells him that it is a small claim that is unlikely to be successful. Having identified a risk (beyond what was previously identified in the risk assessment phase of the audit), Jordie now plans further procedures. He is required to communicate with the Paddleless Pursuits’ external legal counsel. He plans the following procedure: Prepare an enquiry letter to be sent to the client’s legal advisors by the client’s management, with responses to be returned directly to the auditor. This enquiry will help Jordie assess whether all litigation matters and claims are known to him and whether management’s estimates of the financial implications, including legal costs, are reasonable and appropriately accounted for. Australia specific In Australia, ASA 502 applies to the audit of litigation and claims. ASA 502 contains Australia-specific requirements and guidance, including a requirement to ask management about litigation and claims that arise after the initial external enquiry. In Australia, ASA 501 applies to the audit of inventory and segment information. The equivalent international standard (ISA 501) includes requirements about inventory and segment information, as well as litigation and claims. The purpose of tests of details is directly linked to the assertions at risk. This can often relate to the ‘direction’ of the procedure or starting point for the procedure. Examples 2.18 and 2.19 provide insight into the purpose of tests of details. Example 2.18 – Testing the completeness of accounts payable Jade Gray, a senior auditor for Amalgamer Assurance Partners, has identified a risk that the accounts payable for her client, Voluble Ventures Limited, may be understated at period end (the completeness assertion). The following test of details (commonly known as the ‘unrecorded liabilities test’) has been designed to respond to this risk: Review the bank statements and the cash payments journal after the period end and select all payments of $50,000 or more. Obtain supporting documentation in respect of these payments. Where the payments relate to liabilities that existed at the period end, ensure the transactions are recorded as liabilities in accounts payable or accruals. Jade can also gather evidence about accounts payable when testing Voluble Ventures’s expense accounts. This is because the risk of understated accounts payable also relates to the completeness assertion for expenses. Another tests of detail is also planned: Select a random sample of approved purchase requests from the client’s purchasing agent and trace them through to proof the goods were received, the invoice from the supplier and the journal entry recording the purchase. Note that the starting point of these procedures is the items outside of the financial records. This direction of testing is appropriate when testing the completeness assertion. Jade is concerned with whether transactions or balances that should have been recorded have been missed (ie risk of understatement). Therefore, she starts by examining evidence of items outside of the financial records, and then investigates whether these items have been appropriately included in the relevant account balance or class of transaction. Example 2.19 – Testing the existence of accounts receivable Sarina Carlisle, an auditor for Validate Chartered Accountants, has identified a risk for her client, Daring Derpy Limited. Sarina identifies that the assertion of existence is at risk for Daring Derpy’s accounts receivable balance – that is, accounts receivable may be overstated. The following test of details has been designed to respond to this risk: Obtain the accounts receivable subledger and select a random sample of customer balances for confirmation purposes. Email positive confirmation requests to the selected customers. After one week, where a request has not been received, send a second email requesting the positive confirmation be completed. Where the confirmed amount is different to the amount recorded in the subledger, investigate variances. If a response has not been received after a further week, follow up with subsequent receipts testing – the deposit of a payment by the customer after the end of the financial period will prove that the debt did exist. In this example, the starting point of the procedure is the amount recorded in the financial records (the accounts receivable balance in the accounts receivable subledger). Jade is obtaining evidence from direct written responses from third parties to verify the existence of the amounts. Note that this direction of testing is appropriate when testing the existence or occurrence assertions. Jade is interested in whether items that are recorded in the financial statements actually did occur during the period or do exist at period end (ie risk of overstatement). Therefore, a test of details will select a sample of items recorded in the financial statements (or financial records, such as subsidiary ledgers) and then seek to obtain evidence to verify them. Timing of tests of details The timing of a procedure has two aspects: • Time at which the procedure is performed. • Period to which the audit evidence applies. The timing of substantive procedures is affected by practical considerations, such as when reports are available, or the date on which stocktakes take place. Prior to year-end testing Performing procedures on the period-end balances, or classes of transactions for the full 12 months, provides the most direct evidence of amounts in the financial statements. However, for efficiency purposes, sometimes audit procedures are conducted on amounts at a date earlier than the period end. In such cases, additional procedures need to be performed on transactions that occur between that date and the period end (this is commonly referred to as a ‘roll forward’). Extent of tests of details The extent of tests of details concerns the quantity of testing (such as the number of items selected for testing). Auditors commonly use the following approaches to select items for testing: • Testing 100 per cent of items. This approach is usually only feasible when there is a relatively small number of high-value items in an account, but can also be used for large populations with the assistance of automated tools and techniques. Auditors are more likely to choose to examine all items in an account balance or class of transactions when inherent risk and control risk have been assessed as high. • Testing specific items. Auditors may select specific items based on certain characteristics (eg targeting those with high values, or high likelihood of misstatement). • Audit sampling (refer below). Audit sampling in tests of details Audit sampling is commonly used for tests of details where there is a large number of similar items in an account balance or class of transaction. Sampling is often used to test the occurrence and existence assertions. When sampling, the auditor examines a population of recorded items that are then verified to confirm the transactions occurred during the period or the account balances existed at period end. For example, when confirming accounts receivable, the population is the client’s listing of all debtors and the balances owed. On the other hand, sampling is typically not used to examine the completeness assertion because for this assertion the auditor is looking for items that are not included in the accounts but should have been. The auditor may have a range of tools to assist them in sampling. These could include data analysis and visualisation tools to help them understand the characteristics of the population and identify areas where they may wish to focus their sample selection. Audit technology can also help to produce exception reports, from which a sample of items could be selected (or 100 per cent of items, if sampling is not appropriate). In addition, many audit firms have programs to help extract client data, calculate appropriate sample sizes, and select samples from the population without bias. Factors influencing sample size when performing tests of details are set out in Appendix 3 of ISA 530. Specific methods for selecting samples are described in Appendix 4 of ISA 530 (including random, systematic, haphazard, block selection and monetary unit sampling). In practice, auditors follow their firm’s specific guidance for sample sizes and sampling methodology. The following diagram illustrates how automated tools and techniques can be used in audit testing to first analyse 100 per cent of the population and then perform further testing over unusual and unexpected transactions: 2.2.3 Performing substantive tests of details The audit program will contain a description of audit procedures the team is planning to perform with details of what evidence to collect. To perform tests of details, the auditor obtains the required information from the client and then performs the planned audit procedure in accordance with the audit program on each item selected for testing. Example 2.20 – Gathering evidence on the occurrence of sales Leilah James is gathering evidence on the occurrence of sales for her client, Fundere Pty Ltd. The audit program instructs her to: Obtain the general ledger detail for the sales revenue account and vouch a random sample of 45 sales journal entries to the invoices sent to the customer and to documentary proof that the customer received the goods. With the assistance of the firm’s sampling software, she randomly selects 45 of the entries from the client’s ledger account. For each of the selected items, she inspects the sales invoices prepared by Fundere (to confirm that an invoice is associated with the transaction and assess if they appear to be legitimate). She then vouches these entries to the respective delivery notes (confirming that a delivery did occur for each transaction). Documenting audit evidence The auditor gathering the evidence will complete an audit work paper – documentation that sets out, among other things, what the objective of the audit procedure was and what work was completed. ISA 230 provides guidance about the documentation of audit work. It is critical that all work used as a basis for the auditor’s conclusions be documented. The auditors should document their procedures and conclusions in a way that is clear, sets out any significant assumptions or judgements made and includes identifying characteristics for the specific items tested. This is important not only from the perspective of ensuring audit quality, but also provides evidence to support the auditor’s conclusions in the case of a legal dispute. Example 2.21 – Documenting evidence on the occurrence of sales Leilah documents the ID number, date, dollar amount and invoice number for each of the journal entries in the sample in an audit workpaper. She also records the dates that Fundere Pty Ltd’s customers received the goods according to the delivery notes. The following is an extract from her workpaper: Any instances where evidence cannot be obtained will be documented on the workpaper, as will the overall conclusion for the procedure – that is, whether sufficient appropriate evidence was obtained for the occurrence assertion or a misstatement was identified. Leilah may also suggest further testing be conducted. Alternative procedures Sometimes an auditor cannot perform the designed audit procedure on a particular item – for example, where documentation has been lost, or an external party does not respond to the auditor’s request for information. When this happens, an alternative procedure is performed. Refer to Example 2.19 . Note that in this example, the auditor planned to gather sufficient appropriate evidence for accounts receivable using external confirmations. However, she also planned an alternative procedure (subsequent receipts testing) to gather evidence for the existence of the receivables who do not respond to her confirmation requests. Information produced by the entity In line with ISA 500, when using information produced by the entity, the auditor will need to determine whether the information is sufficiently reliable by assessing the completeness and accuracy of the extracted information and evaluating whether the information is sufficiently precise and detailed for audit purposes; that is, the auditor will need to gather assurance that the data used is suitable for use in the audit procedure. As noted in ISA 500, the reliability of the information produced by the entity is affected by the client’s systems of internal control. Evidence generated by the client will be more reliable when internal control is effective than when internal control is ineffective. Completeness is often addressed by agreeing the total of the dataset to the trial balance; while accuracy is often addressed by selecting a sample to test the data. In practice, obtaining audit evidence about accuracy and completeness of such information is usually performed concurrently with the actual audit procedure applied to the information. Example 2.22 – Information produced by the entity: completeness and accuracy Jana Jacks, senior auditor at Folie and Jeds Chartered Accountants, is working on the audit of NewSneakers Limited. Jana has extracted a list of all the journal entries processed by NewSneakers throughout the period 1 January 20X3 to 31 December 20X3. Prior to analysis of this information, she will need to determine the completeness and accuracy of this information. To ensure completeness of the journal entries data, Jana may utilise data analytics tools to perform an automated reconciliation process for all general ledger accounts. She will import the opening trial balance (agreed to prior year audited financial statements), the journal entry listing and the closing trial balance into the data analytics tool to perform the following reconciliation: Statement of financial position accounts Opening balance as at 1 Jan 20X3 +/– Journal entries = Closing balance as at 31 Dec 20X3    Statement of profit or loss and other comprehensive income accounts Journal entries = Closing balance as at 31 Dec 20X3 For accuracy, Jana may select samples from the journal entry listing and request supporting documentation. This may be performed concurrently with the actual audit procedure (journal entry testing). Data analysis challenges Once quality data has been extracted, it is vital that the auditor has sufficient tools and expertise to perform the analysis and form conclusions. As mentioned in Chapter 1, many firms are investing heavily in the development of audit technologies to support advanced data analytics and automated audit processes. Firms are hiring and training experts in artificial intelligence, machine learning and robotics process automation. Chapter 1 identified some key challenges auditors face with data analysis, namely issues relating to data extraction and the costs associated with technology. Auditors also need to understand the challenge of ensuring their professional judgement dominates their use of technology. Audit technology can assist the auditor to quickly analyse large populations. However, the responsibility of determining what data is relevant from the information provided to the analysis, and the subsequent investigation of any irregularities in the data, lies with the auditor. For example, audit technology can be used to map 100 per cent of revenue transactions to their expected path (eg revenue to receivables and cash) to analyse correlations and identify outliers and exceptions for further testing. When analysing the mapping of revenue transactions to the expected path for an entity that invoices customers with 30-day terms, the auditor must recognise that it is necessary to include not only the revenue transaction listing and cash receipts but also the accounts receivables transactions. It is important to understand that while audit technology may assist in achieving audit efficiency, it should not be considered a replacement for professional judgement. Audit technology should be considered to take the role of supporting the auditor’s professional judgement, not replicating or replacing it. Example 2.23 – Using data analytics in performing tests of details Data analytics has the potential to revolutionise audit – from continuous auditing, to analysis of full data sets where previously only samples were audited. But, as Adam Naczyk CA, Manager, EY Australia, points out, your analysis is only ever as good as your data. ‘Everything is contingent on having complete, accurate and exhaustive data’, says Naczyk. ‘If you don’t, then your analysis is effectively meaningless. The biggest risk is investing a lot of time in the data extraction and reconciliation process, which can be time consuming when you have large volumes of data, only to discover that data is incomplete or inaccurate.’ Some of Naczyk’s clients have up to 30 million lines of journal data per month, posing a huge challenge for Naczyk and his team when it comes to manipulating, normalising and importing that data into something that can be analysed. So, what are his top tips for ensuring completeness and accuracy? ‘Up-front communication with client stakeholders to agree the process is really important’, Naczyk says. ‘For example, in my experience, many clients have month-end blackouts when you can’t run journal queries that have server constraints, meaning data can only be downloaded and stored for so long. You need to know about this.’ But most of all, Naczyk says it’s crucial to assess and validate your data before loading it into your data analytics tool. ‘This can save so much time and so many headaches later on.’ Cash correlation analysis Recently, Naczyk and his team have started using digital data analytics solution, ‘cash correlation analysis’ because it offers much greater coverage. ‘If cash correlation analysis tells us that 97 per cent of revenue is completely fine and we investigate the remaining 3 per cent manually, then we cover the whole population’, explains Naczyk. ‘In a traditional audit we might have checked 60 invoices, or 0.05 per cent of total revenue, which doesn’t even compare.’ ‘Statistically, digital solutions are a valid method of testing, and a much more powerful method of audit.’ And yet they’re still not a sure-fire solution. ‘There’s a risk that you’ll still have to revert to a traditional audit approach if your data inputs aren’t right’, says Naczyk. ‘For this reason, there’s a huge focus on standardising the way we normalise, import and transform data before we actually do any analysis.’ And you’ll still need a working knowledge of your client’s revenue accounts. For example, Naczyk recently had a client who is a travel retailer, and can’t recognise revenue until travel occurs. If the client receives cash six months in advance of travel, then cash correlation doesn’t equal revenue recognition. In response, Naczyk and his team used an Excel-based tool to prepare their cash correlations, however, they still had to designate which accounts they wanted included in the testing. ‘You really need to have an understanding of those revenue accounts in order to check if revenue correlates against cash and to validate that the cash balance is correct.’ And so, just as your digital data analysis is as good as your data, your data is only ever as good as the person managing the process. So what are the main steps of the data analytics process? Step 1: Data capture The biggest challenge in data analytics is the very first step: extracting the right data from your client. There’s a risk your data set will be incomplete, or that it will be an insufficient volume to carry out testing. Also, there’s a chance it could be inaccurate. For Naczyk and his team, data capture means getting into a client’s enterprise resource planning (ERP) system and extracting the data using structured query language (SQL) database script, similar to coding. At EY, this process is commonly used for journal entry testing – for example, when Naczyk and his team look at high-risk journal entries or entries that may be indicative of fraud or management override. Step 2: Validation The second step is to validate your data by making sure it’s complete and accurate. For Naczyk, this means ensuring the sum of all data equals the sums in the trial balance. Step 3: Reconciliation and data point testing Here, Naczyk and his team look at the effective date and entry date when examining journal entries. Step 4: Filtering From a planning perspective, filtering involves looking for high-risk characteristics among your data sets. For instance, was a journal entry posted at the weekend? Has a CEO or CFO posted manually? Any red flags should be examined more closely. What is high risk for one client, however, may be completely different for another. For example, if a client has particular revenue streams that attract shareholder or consumer attention, there may be an incentive to inflate that revenue stream. Similarly, a client under cost pressure has a reason to adjust manual journal entries to reduce costs. As Naczyk points out, it’s a matter of considering each client on a case-by-case basis. Step 5: Testing During the testing stage, you want to know that each of the journal entries you’ve tested is valid. Is the substance of the transaction reflected in the journal entry? Does the entry have a legitimate business purpose? Has the entry been approved in line with the journal processing and approval framework of the company? Step 6: Evaluation Lastly, you need to evaluate your findings and conclude on your testing. And, depending on what you’ve uncovered throughout the data analytics process, you may need to investigate further. 2.2.4 Evaluating the results of tests of details It is common to identify misstatements as a result of tests of details. Misstatements can arise due to error (eg data entry errors when recording a journal entry) or fraud (eg deliberately underestimating the amount of a provision). Other examples of common misstatements are discussed in Chapter 3. Evaluating and determining the significance of identified misstatements requires professional judgement. The auditor needs to determine whether the results of the tests provide sufficient evidence for the assertions that were targeted by the substantive procedure. If no misstatements are found as a result of performing the designed procedure, the testing is complete and the auditor documents their conclusions in the audit file. Where misstatements are identified, the evaluation of results depends on the nature of the test, the method chosen to select the items, and the nature, cause and extent of the misstatements identified. Evaluating the results of testing where audit sampling is used If the items tested were selected using audit sampling, and if misstatements have been identified, the next step is to project the sample results to the population. This is done to obtain a best estimate of the misstatement in the population. This projection excludes any anomalies, because these are ‘one-off’ events. In practice, true anomalies are rare. A common method of projection is to take the ratio of the value of misstatements in the sample to the sample value, and apply this ratio to the population value, as follows: Misstatements in the sample $ ÷ Sample value $ × Population value $ = Projected misstatement $ In practice, if sampling software is used, the software automatically calculates the projected misstatement amount. The auditor compares the projection to the tolerable level of misstatement allocated to the account. The tolerable level of misstatement is, in essence, the materiality level for this specific account or group of accounts. It may be equal to, or less than the performance materiality and is adjusted for the level of risk of material misstatement. For example, where the risk of material misstatement is higher, the tolerable level of misstatement is lower. Where a potentially material misstatement has been identified, the auditor may request management to investigate the extent of the identified misstatements. Alternatively, the auditor may design further audit procedures to assist with concluding on the balance being tested. Further audit procedures are more likely where the sample used is relatively small. Projected misstatements, and misstatements identified as anomalies, will be recorded on the summary of misstatements workpaper (the summary of misstatements workpaper is discussed in Chapter 3). Example 2.24 – Projecting the results of a sample to the population and making a conclusion Thomas Calcifer is auditing the inventory held by his client, Martius Lime Pty Ltd. The tolerable level of misstatement for the inventory account is $20,000. From an inventory population comprising 600 inventory lines with a total value of $500,000, Thomas selects a sample of 25 lines for testing, which have a total value of $100,000. One item is found to be misstated to the value of $5,000. The projected misstatement is calculated as: $5,000 ÷ $100,000 × $500,000 = $25,000 Thomas compares his projected misstatement of $25,000 with the tolerable level of misstatement of $20,000. The projection is greater than what was identified as tolerable. Therefore, his conclusion is that there is likely to be a material misstatement in the inventory account. Thomas emails the manager of Martius Lime Pty Ltd, Martin Roberts, asking him to investigatethe misstatement. Martin investigates and in his reply to Thomas explains that misstatements are present in five of the 600 inventory lines and total $25,500. He explains that the misstatements were due to the erroneous recording of consignment stock, of which Martius Lime Pty Ltd was not the legal owner. He explains that this will not affect the other inventory lines, as they do not have consignment stock arrangements for those lines. Thomas considers the reasonableness of Martin’s explanation. He reviews notes made earlier in the audit about the approximate type and quantity of consignment stock held by Martius Lime Pty Ltd. These notes confirm that consignment stock is held for five inventory lines, and usually equates to between $20,000 and $30,000 at a single point in time. To further corroborate Martin’s statement, Thomas selects an additional sample of five inventory lines from the inventory lines that Martin had indicated were not misstated. When he tests these, he finds no further misstatements. Thomas is satisfied with Martin’s explanation and notes the misstatement of $25,500 on the summary of misstatements workpaper. He had previously assessed internal controls for the client’s inventory count procedures as weak (ie high control risk) and so does not need to alter his assessment of control risk. Evaluating the results of specific items testing If the auditor tests specific items, this is not audit sampling and the results cannot be projected to the entire population as is the case with audit sampling. Instead of sampling, the auditor has used their professional judgement to select items. This is an appropriate audit strategy where the auditor believes they can select specific items that are more likely to contain misstatements, or where selecting specific transactions will provide sufficient coverage of the population. Example 2.25 – Testing specific items and evaluating the results Mauve’s list of prepaid expenses is as follows: Item Prepaid expenses $ 1 Building insurance  10,000 2 Workers’ compensation insurance  26,000 3 Advertising 110,000 4 Office rent  65,000 5 Motor vehicle insurance  14,000 6 Equipment rental  10,000 7 Sundry expenses  9,000 Total 244,000 Mauve’s auditor, Goodadds Chartered Accountants (Goodadds), has determined Mauve’s performance materiality to be $50,000. Goodadds has determined that specific high-value items with a value greater than $25,000 should be selected for testing. By performing testing on these items (ie 2, 3 and 4), Goodadds has tested $201,000 of the prepaid expenses’ population. The untested items (1 and 5–7) total $43,000, which is less than Mauve’s performance materiality. Therefore, if there are no misstatements noted from the test of details on items 2, 3 and 4, Goodadds can conclude that the prepaid expenses balance is not materially misstated and no further testing is necessary. If there are misstatements above the clearly trivial threshold, these will be reported on the summary of misstatements. As these are specific items, the misstatements will not be projected. Impact of misstatements on the audit As discussed in previous topics, auditing is a cumulative and iterative process. As a result of audit findings, the auditors may need to revise their initial risk assessment and modify the nature, timing and extent of the audit procedures that were originally planned. Before doing so, the auditor will seek to understand the nature and cause of the specific misstatement (qualitative considerations). For example, if the cause of a misstatement is identified as a specific control weakness, the audit strategy may be revised to include less reliance on internal controls. Examples 2.26 to 2.30 illustrate the impact of misstatements on the audit. Example 2.26 – Breakdown in controls Emilia Belle, an auditor for EBL Partners Chartered Accountants, planned to rely on controls over changes to employee pay rates for her client, Mixed Products Limited, as there were no deviations found in the previous year, and no significant changes were made to the pay rate change process in the current year. However, during substantive testing, she identifies a misstatement resulting from the use of incorrect pay rates following a pay rate change. On further investigation, it is found that the controls she was planning to rely on broke down over a three-month period during the financial year being audited, due to changes in Mixed Products human resources department. Emilia decides that the controls for the three-month period cannot be relied on and that additional substantive procedures should be performed for that period. Example 2.27 – Estimate based on incorrect data Mixed Products Limited has estimated its warranty provision using its historical records of sales and claims for each product that it sells. Their auditor, Emilia Belle, performs a test of details on the warranty provision, which includes verifying historical sales and claims for a sample of products. Emilia discovers a number of misstatements, which are due to the company drawing the data for the estimate from the wrong reports. She asks management to check the sales and claims reports that were used for each product’s warranty claims provision. She also increases the sample of product lines covered by the test of details. Example 2.28 – Inappropriate classification of employee provisions Reuben Ponyo, an auditor for Picasso and Partners Assurance, identifies the incorrect classification of long service leave for his client, Stonewashed Limited. Some of the long service leave liability that should be classified as a current liability, has been incorrectly classified as non-current. Although the liability in total is not materially misstated, the incorrect classification affects compliance with debt covenant requirements. Reuben increases work over all other liabilities to confirm the correct classification of liabilities between current and non-current. Example 2.29 – Increasing the extent of testing of unrecorded liabilities Reuben Ponyo is testing for unrecorded liabilities for his client Stonewashed Limited. Reuben reviews payments of $10,000 or more made in the two weeks immediately after balance date. This audit procedure identifies material unrecorded liabilities as at balance date. As a result, he decides to extend the audit procedures to review payments of $5,000 or more for the month immediately after balance date. Example 2.30 – Incorrect revenue recognition from the sale of inventory Loretta Mononoke, an auditor for Mabel Accountants, is testing the cut-off of sales for her client, Shredded Cheddar Limited. Shredded Cheddar sells a range of kitchen accessories, including containers, spice-racks, drinkware and table linen. They operate primarily online, with orders placed on their website and goods shipped to customers throughout Australia. Shredded Cheddar’s terms of sales state that goods are shipped FOB destination, with Shredded Cheddar retaining ownership and responsibility for goods until they are received by the customers. They use Australia Post to ship orders, with delivery taking anywhere from two days (express) to 10 days (regular). Shredded Cheddar’s revenue recognition policy specifies that revenue is to be recognised in full at the point in time when control of goods is transferred. For Shredded Cheddar’s usual sales, transfer of control will correspond with time of delivery. Loretta is testing a small sample of sales transactions and notes some instances where revenue was recognised prior to the delivery of goods. She enquires about Shredded Cheddar’s revenue recognition process and discovers that Shredded Cheddar records revenue when orders are shipped to customers. When the tracking information is entered into the sales system, a journal entry is automatically posted to record the sale. Loretta identifies that this process is not in accordance with their revenue recognition policy. Normally, this practice does not create any cut-off issues for revenue, except around the end of the financial year where orders may be shipped before year-end but not received by the customer until after year-end. Loretta obtains a report of all sales made in the last 20 days of the financial year and uses the tracking data to note the delivery status of each sale at year-end. She notes several additional instances where goods were still in transit at the end of the financial year. Loretta records all instances on the summary of misstatements, along with a proposed journal entry to re-classify the sales as contract liabilities. The following diagram summarises the process of evaluating misstatements, up to recording them on the summary of misstatements: Further considerations when evaluating misstatements and the process for communicating misstatements are discussed in Chapter 3. Example 2.31 – When a misstatement has been identified in a sample Interview with Patrick Besson CA, Manager, EY What do you do when a misstatement has been identified in a sample? Patrick Besson explains that you must first understand what the error relates to. ‘A projected misstatement generally occurs when you’re performing representative sample testing in a substantive test of detail procedure. Say, for example, that out of 20 samples selected for testing, one sample differed from the ledger. From our representative sample, we’d extrapolate that the remaining population also has a 5 per cent error. So the key thing I want to understand when discussing this error with management is whether or not they think this sample error is reflective of the remaining population and the way you do that is by determining what’s driving the error. If management believes the error is confined to only one type of transaction, then you should extend the sample size. If you find no further misstatements after topping up your sample size then this suggests that management is correct, and you may not have to project the error across the population. For example, the error may be confined to one month because the person carrying out that procedure temporarily changed. If management expect the error to be prevalent across the entire population, then I’d question whether extending your sample is going to be beneficial. You’ll likely just find more misstatements and still not know the exact extent of the error. Instead, a more practical approach is to ask management to try and quantify the extent of the total misstatement contained within the population, enabling you to perform more targeted and specific top up testing to validate management's error quantification.' 2.2.5 Specific audit areas As mentioned in Chapter 1, certain areas of an audit, such as fraud and accounting estimates, require special auditor attention. As a result, specific auditing standards provide further guidance on how to audit these areas. In recent years, many of these areas have been highlighted as risk areas from a regulatory perspective. Australia specific In Report 647: Audit inspection report for 2019–20, ASIC identified a number of areas where auditors did not have a sufficient basis for their conclusions. This does not mean that the financial statements were materially misstated, but indicates that some areas needed a greater level of audit attention. Many of the areas identified by ASIC were areas requiring significant use of professional judgement and scepticism (such as challenging client’s assumptions and judgements about impairment and asset values, and assessing recognition of revenue and receivables). These areas are among the specific audit areas discussed in this topic. To respond to the specific risks, auditors design specific procedures to address the risk of material misstatement. Many of the complex areas of an audit also affect the financial statements as a whole and require an overall response from the auditor. Fraud In line with ISA 240, an auditor will determine an overall response to address fraud risk at the financial statement level, incorporating a high level of professional scepticism. This may include assigning and supervising appropriately skilled personnel to perform the work and/or incorporating an element of unpredictability in the selection of the nature, timing and extent of audit procedures. This could involve: • Changing the nature of audit procedures to obtain more reliable audit evidence – for example, by obtaining more extensive corroborative evidence, such as obtaining third-party confirmations of account balances. • Modifying the timing of audit procedures – for example, by performing some substantive procedures at year end, rather than at the interim stage. • Changing the extent of the audit procedures – for example, increasing the sample sizes for accounts or transactions concerned. Having considered the overall response to risks of material misstatement due to fraud, the auditor is required to respond to assessed risks of material misstatement due to fraud at the assertion level. Appendix 2 of ISA 240 includes examples of responses and changes to audit procedures that the auditor can make where there are identified fraud risks relating to fraudulent financial reporting and misappropriation of assets. Transactions and balances that require the application of estimates and judgements may present a particular fraud risk, as management may be able to manipulate financial reporting by making subjective judgements and assumptions. Responding to risk of fraud in revenue recognition As discussed in Chapter 1, auditors are required to presume there is a risk of fraud in revenue recognition, unless the assumption can be rebutted. Revenue recognition is therefore considered a significant risk and tests of details are required to be performed. Due to revenue accounts typically having a high volume of transactions, automated tools and techniques can be useful for auditing these accounts. Example 2.32 – Responding to fraud risk in revenue using data analytics Jacob Belden is the senior auditor on the audit of Fire Crab Limited. He has identified a specific fraud risk relating to the overstatement of revenue arising from fictitious sales recorded during the year (he is concerned about the assertion of occurrence). The same risk was considered in the prior year’s audit of Fire Crab. The prior year’s audit team conducted the following procedure: Select a sample of revenue transactions from the sales transaction listing and agree the details to contracts of sales, invoices and cash receipts in the bank. Jacob notes that this procedure will only cover a portion of the total transactions during the year and may not pick up anomalies (if the anomalous transactions are not included in the audit sample). Instead, he plans to: Obtain a complete listing of revenue, receivables and cash transactions. Use data analytics tool to map 100 per cent of these transactions to the expected path for such transactions, that is – Dr Receivables, Cr Revenue – Dr Cash, Cr Receivables. Identify any exceptions journals and discuss these with management – for example, uncorrelated revenue transactions as a result of an unusual journal entry being recorded (eg Dr Intercompany loan, Cr Revenue). When testing revenue, auditors should be aware of the performance obligations in their client’s revenue contracts and how the performance obligations are tracked or captured within the client’s information systems. Example 2.33 – Revenue recognition Interview with Clare Wrigley ACA, Manager, PwC Australia and Shaleen Mahtani, Assurance Senior Manager, EY Australia Revenue recognition received a shake-up with the introduction of IFRS 15 Revenue from Contracts with Customers. And while the standard provides a broad comprehensive framework for determining when and how much revenue to recognise, Shaleen Mahtani, EY, says ‘the devil is in the detail’ when it comes to the new five-step program. So what are the key risks of material misstatement? Bundled products ‘The biggest misstatements we’ve seen are when you’ve got a bundled product’, says Mahtani. ‘For example, if a client is selling software but also providing a monthly service of maintaining that software, recognising revenue becomes complex’, Mahtani explains. That’s because you need to identify the performance obligations of the contract. Where the promise to transfer the good or service is separate from other promises in the contract, you’ll need to differentiate between the product elements (ie your standalone selling price) versus the ongoing service elements. Clare Wrigley, PwC Australia, agrees that bundling is the thing most likely to trip people up. ‘I work with a lot of construction clients who recognise revenue on a project basis’, Wrigley says. ‘Prior to IFRS 15, you might have viewed that as one contract and so recognised revenue at a single point in time or over time. Now, with performance obligations, there are different recognition patterns.’ As Wrigley explains, this generally means recognising the product element on delivery, and then recognising the service element over the lifetime of the service. The risks are a) failing to separate this ‘bundle’ correctly, and b) failing to pick up the amount of performance obligations your client has within an individual contract. ‘In order to address these risks, I like to sample several contracts and make sure my clients have appropriately recognised their performance obligations, and then dealt with the different recognition methods depending on what’s in their contracts’, says Wrigley. Discounts Another possible pitfall is determining the transaction price when discounted. Mahtani gives the example of one of her clients, a start-up, that offers a ‘buy one, get one free’ deal to customers. While this is a standard marketing tactic, it doesn’t qualify as a standard accounting transaction, and so should be recognised as revenue rather than an expense. ‘That’s where the complexity comes in’, explains Mahtani. ‘Initially, we were looking at this from an expense perspective but, after reviewing the contract and speaking with the sales managers, we realised it was a sales discount and so should be recognised as a debit to revenue.’ ‘If in doubt, go back to the five-step model. That’s your bible for revenue recognition and that’s how we determined that this discount was a performance obligation.’ Performance obligations When testing revenue, auditors need to be aware of the performance obligations in their client’s contracts, including how those obligations are tracked and captured within their client’s information systems. And the implications can be significant. ‘All of my clients have felt some impact or made some adjustment in respect to performance obligations’, says Wrigley. As Wrigley explains, revenue recognition is more complex where there are multiple contracts, and therefore multiple performance obligations to consider. This can change when you recognise revenue, pushing revenue into next year or bringing it forward into the current year, and it’s important to understand revenue cut-offs correctly. ‘We had a client that had two construction projects, at different locations, within a single contract’, Wrigley says. ‘We came to the conclusion that there were two purchase orders and, therefore, that the percentage of completion should not have been applied to the overall revenue of the contract. Instead, they should have been looking at the individual stage of completion of the two standalone projects.’ The client had inadvertently pushed revenue into the next year, which is, as Wrigley explains, ‘a bit of fraud indicator or a manipulation risk’. In response, Wrigley and her team conducted a sample and established a different view to the client. Because this difference materially affected financial statements, Wrigley raised an adjustment to revenue recognition, which went on the client’s summary of uncorrected misstatements. Mahtani cites a similar example of separate locations having implications for performance obligations – this time in export sales. ‘Your client’s performance obligation is obviously to deliver the product to the customer’, Mahtani says. ‘But if you break it down, is shipping a performance obligation under your contract? Is it part of your revenue? Or is it built into your pricing? And if it is a separate performance obligation, then how do you account for it?’ One of Mahtani’s clients manufactures in Australia and ships mostly to Europe. Historically, the client recognised revenue at the point of sale, even though there was a two-week lag time between sale and delivery. Under IFRS 15, however, the client hasn’t satisfied their performance agreement in their contract until delivery is received, meaning they have to adjust the cut-off in line with the terms and conditions of the contract. The issue of cut-offs became more complex during the COVID-19 pandemic due to delays and disruptions to supply chains. ‘During COVID-19, when everything was delayed, companies need(ed) to ask themselves whether they can recognise revenue at the same point they did previously’, says Mahtani. ‘And the answer depends on the facts and circumstances of their contract.’ The solution? Read the contract. ‘How do we address material misstatement in the five-step model for revenue? We read the contract’, says Mahtani. ‘The first step is always to undertake a detailed review of the contract’(ed). Next, Mahtani recommends having a brief 10-minute chat with your commercial manager or sales manager to understand the marketing implications of the contract, as these will have an accounting impact (eg if the organisation offers rebates to clients for sales above $10,000). As well as consulting with in-house experts, Mahtani suggests using data analytics; although she’s quick to point out that your greatest asset is your own professional judgement. ‘Data analytics and digital software can offer some efficiencies here’, Mahtani says. ‘But, at the end of the day, nothing beats understanding the intent of the contract.’ Responding to risks of management overriding controls A means of fraudulent financial reporting is for management to override internal controls by posting fraudulent general journal entries. To respond to this risk, the auditor is required under ISA 240 to perform specific audit procedures for journal entries. Selecting journal entries for testing When examining journal entries, the auditor considers the assessment of the risk of material misstatement due to fraud. This consideration helps to identify the specific classes of journal entries to be selected for testing (eg revenue where a specific fraud risk has been identified). The auditor will also consider selecting journal entries made at the end of the reporting period because this is often when fraudulent entries are made. Consideration will be given to the nature and complexity of the accounts. The auditor may select journals and adjustments from specific accounts that are complex or unusual, contain significant estimates, have been misstated in the past, or are not regularly reconciled. Journal entries or other adjustments processed outside the normal course of business will also be considered. The auditor also considers the controls that have been implemented for journals and adjustments, the financial reporting processes and nature of evidence that can be obtained – that is, whether the journals are automated or manual, the nature of controls and the audit trail. Data analytics tools are commonly used by auditors for testing journal entries. The auditor may use these tools to identify entries with specific characteristics, such as entries that are: • made to unrelated, unusual or seldom-used accounts • made or requested by those who do not usually post journal entries • posted around period end without adequate explanation • posted during unusual hours or on weekends • posted with unusual descriptions or unusual pairings (eg Dr Asset, Cr Liability) • made in preparing the financial statements, without identifying the relevant general ledger accounts. ISA 240 reminds us that perpetrators of fraud can make extensive efforts to conceal how fraud is accomplished, which may involve posting a series of entries across a number of months throughout the period. Therefore, where the risk of fraud arising from management override and the use of journal entries is high, the auditor should consider extending the journal entry testing procedures to journals posted throughout the period. Accounting estimates The auditor’s objective in auditing accounting estimates is to obtain evidence about whether the estimates are reasonable and related disclosures are adequate in the context of the applicable financial reporting framework. Chapter 1 illustrated how accounting estimates can be affected by estimation uncertainty, complexity, subjectivity and management bias. Obtaining sufficient appropriate audit evidence over accounting estimates involves further tests of details and it can sometimes be necessary to also test controls and engage specialists or experts. Throughout this process, auditors continue to apply professional scepticism and identify whether there are any indicators of management bias. How does an auditor apply professional scepticism? In line with ISA 540, when auditing accounting estimates, the auditor must evaluate the method used by the entity, any assumptions that go into the method and the data used. To exercise professional scepticism, the auditor must look critically at each element – method, assumptions and data – and compare what the client is proposing, to what is being used by other firms in the industry, what is considered best practice and what makes logical sense given the unique situation of the client. Is each element reasonable? Do the elements make sense when evaluated all together? For example, a method may be chosen that appears sensible, however, the assumptions used may not be reasonable or not likely to be met. Alternatively, the method and assumptions may be appropriate, but the data used unreliable. The following diagram summarises some relevant issues the auditor should address: Source: This image is an exhibit ISA 540 (Revised) – Three Testing Approaches from the ISA 540 (Revised) Implementation Support: Flow Charts and Diagram (April 2019), published by the International Federation of Accountants (IFAC) in 2019 and is used with permission of IFAC. Contact Permissions@ifac.org for permission to reproduce, store or transmit, or to make other similar uses of this document. The following flowchart can be helpful when considering the appropriateness of management’s procedures in relation to estimates: Source: This image is an exhibit ISA 540 (Revised) – Three Testing Approaches from the ISA 540 (Revised) Implementation Support: Flow Charts and Diagram (April 2019), published by the International Federation of Accountants (IFAC) in 2019 and is used with permission of IFAC. Contact Permissions@ifac.org for permission to reproduce, store or transmit, or to make other similar uses of this document. Example 2.34 – Auditing an accounting estimate HedUp specialises in the sale of wireless earbuds and has a 30 June 20X3 financial year end. In response to consumer demand, HedUp launched a new premium model on 1 September 20X0 that includes tracking technology to locate lost or stolen earbuds. This model is more expensive than older HedUp products, however, comes similarly packaged with 12 months warranty to repair or replace the earbuds for no fee. The warranty is considered assurance-type warranty under IFRS 15 Revenue from Contracts with Customer s and is therefore accounted for under IAS 37 Provisions, Contingent Liabilities and Contingent Assets. Extensive historical data and previous audits support management’s method of calculating the warranty provision at 6 per cent of sales price for all older models. Management is confident about the improved quality of the new model and has used 3 per cent of the sales price to calculate the warranty provision for the new model. The underlying risk is that management may understate the warranty provision to improve financial results. Therefore, HedUp’s auditors should: Design and test controls around management’s estimating process if their expectation is that controls are operating effectively. Obtain evidence to ensure the 6 per cent used for the older models remains appropriate. Understand and test management’s assumption of 3 per cent used for the new model by obtaining evidence of the actual claims made over the past 10 months since launch to year-end date to corroborate management’s assumption, or to develop an auditor’s point estimate or range for comparison with management’s 3 per cent. Note: For any data used to corroborate or develop an expectation, the auditors should ensure the data is complete and accurate. Be alert to any events that occur up to the date of the auditor’s report that may indicate the assumptions are no longer appropriate (eg significant claims made on the newer model after year end but prior to date of auditor’s report that indicate 3 per cent is no longer appropriate). When auditing accounting estimates, the auditor must document their consideration of management’s estimates in the audit workpapers. They will identify the method, assumptions and data used, and comment on each component’s suitability. The workpapers should detail any doubts the auditor had about the suitability of the components and what actions they took to resolve those doubts. This should include discussions with management and/or consultations with a specialist or an expert. Fair value and value in use assessments As with other accounting estimates, testing for asset valuation and associated impairment is a particular risk area for auditors due to significant uncertainty relating to estimating asset values. This uncertainty is intensified during a period of financial instability such as that caused by COVID-19. The AUASB and AASB issued a report on the impact of coronavirus on financial reporting and auditor’s considerations and raised specific concerns around the fair value of assets and the net realisable value of inventory. In a market full of fluctuations and uncertainty, determining fair value is complex. A common way of testing an asset’s fair value is by comparing the value to the sales proceeds of a similar or identical asset in an unbiased market place. Professional scepticism should still be applied in many instances of a fair value assessment. For example, if the client provides the auditor with a fair sales comparison then the auditor should verify this information externally, or independently seek information on other similar asset sales and respective costs of disposal. Large, multifaceted assets may be valued in a number of ways by companies but a common way is using models of future cash flows to determine an asset’s value in use. These models contain many assumptions such as discount rates, growth rates and forecast cash flows. The auditor must critically assess and test these assumptions through specifically designed tests of detail, incorporating a high level of professional scepticism. Australia specific Considering impairment In Report 648: Audit inspection report for 2018–19, ASIC identified specific concerns about inadequate audit testing relating to the impairment of assets such as property, plant and equipment. Auditors should be alert for indicators of impairment (eg when touring the client’s premises and considering changes in the client’s operations and cash flow projections), and respond appropriately to risks identified. ASIC noted instances where auditors did not: (a) appropriately assess impairment indicators or ask management to perform impairment testing where there were indicators of impairment (b) understand the nature of the impairment model used by management to support recoverable amounts and appropriately test the model (c) assess the impact of the change in accounting for leases on the impairment of assets (d) assess the appropriate identification of cash generating units (e) obtain the entity’s impairment calculation for each cash generating unit with goodwill or other indefinite life intangibles (f) adequately consider the reasonableness and/or reliability of forecast cash flows and key assumptions used in discounted cash flow models (eg adequate consideration was not given to situations where assumptions made by management were inconsistent with past actual outcomes) (g) use an auditor’s expert where the audit team did not have sufficient expertise (h) perform a valuation cross-check to assess the reasonableness of the assumptions used (i) adequately test an asset’s fair value (including considering the method, assumptions and data used to estimate the value). Source: Adapted from ASIC 2020, Report 677: Audit inspection report for 2019–20, Australian Government Example 2.35 – Advanced sensitivity analysis for impairment testing Interview with Shane O’Connor, Partner, Audit, Assurance and Risk Consulting, KPMG Australia Shane O’Connor explains that technology solutions are being developed for complex areas of audit, such as assessing impairment, using sensitivity analysis and discounted cash flows (DCFs). O’Connor explains that in the past, sensitivity analysis meant looking at one input at a time while laboriously running through various scenarios. Now, automation allows O’Connor to run sensitivity analyses on a range of key drivers simultaneously and to see the impacts in an instant. It also allows him to model historical information, and not just current year data. ‘Now, we can work with robust data to help inform our judgement decisions’, says O’Connor. Related party relationships and transactions As per ISA 550, the auditor has specific responsibilities for the risks of material misstatement arising from an entity’s related party relationships and transactions. While management is responsible for disclosing related party relationships and transactions, management may either intentionally withhold this information or may be unaware of all relationships and transactions, making this a difficult area to audit. Where management makes an assertion that a related party transaction is an arm’s-length transaction, the auditor is required to obtain evidence to assess whether this is correct. Example 2.36 – Auditing related party transactions Fresh Air Assurance Partners are auditing BrakeLight Limited, a car manufacturing company. BrakeLight purchases car parts from TailGate Limited, a fellow subsidiary of the same parent (RearVision Ventures). There is a written agreement between the two parties describing the terms of the arrangement and BrakeLight has asserted that the transactions are conducted at arm’s-length. The audit manager of Fresh Air Assurance Partners, Tina Turning, would like to assess whether the transactions are in fact at arm’s length. She has determined that the audit team needs to: Obtain a copy of the agreement between the two parties and identify the terms within it. Assess whether the terms within the agreement are at arm’s-length. This could involve a comparison of the pricing terms to those of similar transactions between unrelated parties. Select a sample of transactions that have occurred between the two parties, and verify whether the sampled transactions were conducted in line with the terms of the agreement. An entity may also fail to properly disclose related party relationships, transactions or balances in line with the accounting framework. Audit procedures will be performed to address this once the financial statements have been received. Going concern Chapter 1 explained that auditors must consider the risk of material misstatement in relation to going concern. If events or conditions that cast significant doubt over the entity’s ability to continue as a going concern have been identified during the audit, the auditor must obtain sufficient appropriate audit evidence to determine whether or not a material uncertainty exists. In performing these procedures, auditors must apply professional scepticism. Example 2.37 – Applying professional scepticism to management’s future plans Rex Spyri is auditing MugMaker Limited. Management of MugMaker have identified a material uncertainty that will affect their ability to remain a going concern. The entity’s major business is making mugs for corporations, events and conferences, and since COVID-19 and social distancing requirements has experienced a severe downturn in business. MugMaker has attempted to adapt their business to sell custom mugs to the general public and have been making some sales – approximately 10 per cent of their regular turnover. Management have presented their plan to Rex and this includes increasing sales revenue by 40 per cent by offering discount coupons, paid advertising on social media sites and giving away products to social media influencers who will promote the products freely on their social media platforms. Management also believe that large conferences will return in 2021 and their regular corporate business will return to 80 per cent of normal business volume. Rex feels that management’s plans are optimistic and are not sufficient to mitigate the going concern risk. In particular he is concerned that MugMaker will not be able to make its normal debt repayments. He discusses the issue further with management to see if there are other factors that can mitigate the going concern risk. They identify that MugMaker can obtain significant additional cash flows by disposing of some of their lesser used assets. Rex considers the potential asset sales sufficient to mitigate the going concern risk. He gathers external evidence to support the estimated realisable value of the assets, and confirms there is an active market for their sale. He also requests specific written representations from MugMaker’s management confirming their plans to undertake the asset sales and their assessment of the feasibility of those sales. Rex is now satisfied that sufficient appropriate evidence has been collected and that the going concern risk has been sufficiently addressed. The going concern basis should be used to prepare the financial statements, however, the material uncertainty should be disclosed. Rex will assess the adequacy of the disclosure. Auditors should evaluate management’s plans for future actions with a high level of professional scepticism. The process for considering going concern is summarised in the following diagram: Source: Adapted from IFAC 2018, Guide to using ISAs in the audits of small- and medium-sized entities, 4th edn, vol 1, Exhibit 14-2.1, p 136 Chapter 3 provides further discussion about going concern, including examples of factors to consider when making a going concern assessment and implications for the audit opinion and auditor’s report (see Topics 3.2.1 and 3.2.2, respectively). 2.2.6 Using the work of others Some audits are complex and often require the work of other teams and specialists. The final part of this chapter discusses engagements where the auditor uses the work of others in performing the audit. Group audits are first described and then the auditor’s responsibilities when using the work of internal audit and experts are discussed. Group engagements ISA 600 applies where an auditor is providing an opinion on the financial statements of a group, such as the consolidated financial statements of a parent entity. The standard provides guidance to both the group engagement team (group auditor) and the component engagement teams (component auditors, for example, the auditor of a subsidiary within the group). Group auditor’s responsibilities The group engagement partner is responsible for the group engagement, including the work of the component auditors. When the initial client acceptance and continuance decisions are made, the group auditor considers the firm’s capacity to undertake the audit and determines what proportion of the work needs to be assigned to component auditors. In practice, the group auditor generally audits the parent entity (which is also a component of the group) and may perform the work over some of the other components in the group (where appropriate). Understanding the group, its components and their environments The group auditor identifies and assesses the risks of material misstatement across the entire group. This requires obtaining an understanding of the group-wide controls (eg having consistent policies and procedures across the whole group) and the consolidation process. The group auditor develops the audit strategy and audit plan for the entire group, based on the assessed risks of material misstatement at the group level. Consolidation process The consolidation process determines how financial information from each component is included in the group financial statements. The group auditor must understand the client’s processes for consolidation including adjusting journal entries. They must evaluate the appropriateness, completeness and accuracy of consolidation adjustments, and evaluate whether there are fraud risk factors or indicators of possible management bias. Materiality The factors and judgements in setting materiality for a group audit are similar to those discussed in Chapter 1. The following table sets out the different materiality levels in a group audit: Materiality level Purpose Set by Overall materiality The materiality for the whole group; used by the group auditor to form an opinion on the group financial statements Group auditor Component materiality Must be less than overall materiality; used by the component auditor, when the component’s scope is an audit or a review, to evaluate whether misstatements are material to the component Group auditor Clearly trivial threshold Used by the component auditor to determine whether an identified misstatement needs to be reported to the group auditor Group auditor Scope of work In planning the group engagement, the group auditor determines the scope of work. They decide which components to ‘scope in’ and the extent of work to be performed. Inappropriate scoping decisions may lead to inefficiencies, if too much work is being performed, or, conversely, unacceptably high audit risk if the group auditor does not obtain sufficient appropriate evidence over the consolidated financial statements. In scoping the work, components are classified as significant or non-significant. Professional judgement is involved in determining which components are significant and non-significant. A component is considered to be significant if it is: • of individual financial significance to the group • likely to include significant risks of material misstatement for the group due to its specific nature or circumstances. A component that is significant due to its individual financial significance to the group must be audited. When a component is significant due to a significant risk to the consolidated financial statements, the group auditor determines the appropriate scope of work. This work could involve: • an audit of the component using component materiality • an audit of specified account balances, classes of transactions or disclosures • specified audit procedures relating to significant risks of material misstatement of the consolidated financial statements. Non-significant components require the group auditor to perform, at a minimum, analytical procedures at a group level. Further procedures may also be necessary – for example, if abnormal fluctuations are identified as a result of analytical procedures performed at a group level or other factors indicating a higher level of risk that come to the group auditor’s attention. Scoping decisions are typically documented in a ‘scoping memorandum’ in the group auditor’s audit file, as demonstrated in Example 2.38 ). Example 2.38 – Group scoping memorandum A1 Auditors (A1) is an international audit firm. The A1 office in London is the group auditor of a multinational shipping company, ShipMe Pty Ltd, for the year ending 30 June 20X3. ShipMe is listed on the London Stock Exchange and has six components (the parent entity and its five subsidiaries). Using their professional judgement and A1’s audit methodology, the A1 group auditor determines that components contributing more than 20 per cent of the group’s profit are individually financially significant. In scoping the audit, the group auditor also considers the coverage of the audit work performed across the group, including any statutory audits performed. The group auditor documents the scoping decisions for the ShipMe group audit in the following group scoping memorandum: Component Contribution to group’s profit Statutory audit Classification of component Scope of work London, UK (parent) 30% Yes Significant – individually financially significant Audit using component materiality of $1,600,000 Perth, Australia 30% Yes Significant – individually financially significant Audit using component materiality of $1,600,000 Singapore 21% Yes Significant – individually financially significant Audit using component materiality of $1,500,000 Tokyo, Japan1 10% No Non-significant component Review using component materiality of $500,000 Rotterdam, Netherlands 5% No Non-significant component Analytical procedures at a group level Hamburg, Germany 4% Yes Non-significant component Analytical procedures at a group level 1. There have been changes to management and operations in Tokyo. Therefore, the group auditor determines that a review should be performed instead of analytical procedures only. Understanding the component auditors When assigning work to component auditors, the group auditor remains responsible for the direction, supervision and performance of the group audit. The group auditor must gain an understanding of the component auditors and be satisfied that the component auditors are independent and competent, and comply with ethical requirements. The component auditors can be from the same audit firm as the group auditor, or from a different audit firm. If a component auditor is from the same audit firm as the group auditor, the procedures to obtain an understanding of the component auditor are, in practice, less extensive. This is because the group auditor can rely on common firm-wide audit methodology and quality control procedures. Group audit instructions Effective communication between the group auditor and the component auditors is critical to the success of a group engagement. The group auditor must communicate the audit requirements to the component auditors on a timely basis. The letter of instruction, typically referred to as ‘group audit instructions’, must set out the work to be performed and the form and content of the component auditors’ communication with the group auditor. Appendix 5 of ISA 600 contains both the required and additional matters that should be included in the group audit instructions provided by the group auditor. Audit of the consolidation process The first part of the group auditor’s work on consolidation includes checking that the consolidation schedule has been appropriately prepared by group management and that all routine consolidation adjustments have been made. This may involve procedures such as tracing items through the consolidation process, checking ongoing adjustments to prior year work papers and reconciling balances. The group auditor also checks that the information to be consolidated agrees with the information provided by the various component auditors. The second part involves addressing more complex matters. For example, where a component has been acquired, the group financial statements would usually record goodwill and other intangible assets in relation to the component. These assets are not recorded in the component’s financial statements. In the year of the acquisition, a valuation exercise should have been undertaken. In subsequent years, the group auditor considers whether consolidation adjustments are carried forward from previous periods. The group auditor also considers whether group management has properly addressed whether other changes are required, such as ensuring that impairment issues have been considered and dealt with appropriately. While there are consolidation software programs available, in practice many consolidations are undertaken on spreadsheets. When auditing a consolidation schedule, auditors also need to check that the consolidation spreadsheets are free from error. Example 2.39 – Auditing consolidated groups Interview with Clare Wrigley ACA, Manager, PwC Australia and Shaleen Mahtani, Assurance Senior Manager, EY Australia When it comes to consolidation, Shaleen Mahtani, EY, says the sheer number of transactions associated with any one client can be mind-boggling. ‘One of my clients is an ASX Top 20 company’, says Mahtani, ‘and the number of relationships they have runs to the thousands because they’ve got subsidiary companies around the globe.’ So what are the common types of misstatements Mahtani looks out for in this, and other, consolidation schedules? ‘Completeness is probably the key issue when it comes to consolidation entries’, Mahtani says. Non-routine transactions Clare Wrigley, PwC Australia, agrees that missing transactions are the biggest issue. ‘The problem is non-routine transactions. People tend to pick up standard inter-company transactions, such as getting rid of investments’, says Wrigley. ‘It’s those things that are a little more complicated (like unrealised profits) or don’t happen every year (such as the payment of dividends) that can get missed entirely. Anything that’s a bit ad hoc is generally not well spotted.’ Wrigley is quick to point out that most consolidation misstatements are simply human error rather than any deliberate attempt to mislead. ‘There’s not much fraud in consolidations’, she says. Automation versus manual spreadsheets Interestingly, given human error is the most likely cause of misstatement, consolidations remain largely manual rather than being automated. Mahtani works with clients ranging in size from start-ups to multinationals and most rely on Excel-style spreadsheets. Wrigley says 90 per cent of her clients do manual consolidations and even those using consolidation software supplement this with a topside journal or manual editing. In fact, Wrigley recalls an SME client whose consolidation software failed to correctly classify something as intercompany and their trial balance didn’t balance as a result. ‘Anything that’s manual is susceptible to error but automated things can go wrong, too’, says Wrigley. ‘At the end of the day, unless you’re a massive global company, you won’t have too many transactions with related parties’, Mahtani adds. ‘And even if you are a global company, Excel is still an efficient, effective approach, especially from a budget perspective.’ But if there’s no foolproof approach to consolidation, how can CAs minimise misstatements? Identifying misstatements ‘To be honest, consolidation is one of the most difficult things to audit’, says Mahtani, ‘because it’s not a one-size-fits-all type thing.’ Mahtani and Wrigley both agree the main approaches to identifying misstatements in consolidation schedules are: checklists and sense checks. Checklists can help to some extent, but they don’t replace the need for accountants to draw on their professional judgement and to consult with others in the business. ‘You can do general checks and keyword checks but that only gets you to 50 per cent to 60 per cent of it’, says Mahtani. ‘For the remaining 40 per cent you need to understand what’s happening within the business, and it’s useful to have monthly catch-ups with your clients. Even just talking through the trial balance, line by line, can help you identify if you have a transaction with a related party that hasn’t been eliminated.’ To this end, Mahtani suggests talking to your client’s finance managers and CFOs, as these are the people posting journals for each transaction. It also pays to carry out a high-level ‘sense check’ to identify if key adjustments have been missed. ‘The first thing I do whenever I get a consolidation from a client is to carry out a really high-level assessment of the balance sheet and P&L so I can automatically say if there’s stray investment still in there’, says Wrigley. ‘If your balance sheet doesn’t balance that’s an immediate red flag that something in your consolidation hasn’t worked.’ Again, it all comes back to completeness. ‘It’s an exercise in checking that every single entry that should be considered has been considered’, says Wrigley. ‘Check that the columns in your consolidation include all the entities that are in your group structure. It can help to have a checklist of standard entries you’d expect to see.’ Impairment of goodwill Finally, when it comes to consolidation, impairment of goodwill is a potential pitfall because it’s complex and requires judgement. It’s also a key area of focus for regulators. ‘I moved here five years ago from Indonesia and I was surprised to find impairment was such a big focus in Australia’, says Mahtani. ‘Impairment of goodwill is all about the budgeting accuracy of your cash flows and whether or not your cash flows can support the carrying amount of an investment.’ For this reason, Mahtani says that accurate cash flow budgeting is the most important step from an impairment perspective. Communication with group management and those charged with governance The group auditor is required to communicate any identified deficiencies in internal control and fraud at a group level to those charged with governance and group management. Additionally, the group auditor needs to consider whether any deficiencies in internal controls of the components that have been identified by component auditors, should be brought to the attention of those charged with governance or group management. Evaluate impact of findings on group and form group audit opinion The group auditor reviews the findings reported by the component auditors and evaluates whether sufficient appropriate audit evidence on the consolidation process and the parent entity has been obtained from the audit procedures performed. The group auditor will often supplement their review of the component auditors’ written communication with verbal discussions of significant matters. If the group auditor is concerned that a component auditor has not gathered sufficient appropriate audit evidence to support the group auditor’s opinion on the consolidated financial statements, the group auditor must determine what additional procedures are to be performed, and whether they should be performed by the component auditor or the group auditor. The group auditor is responsible for evaluating the effect of any uncorrected misstatements on the group audit opinion (whether identified by the group auditor or the component auditors). The group auditor will also consider the implications of instances where sufficient appropriate audit evidence has not been obtained. Component auditor’s additional considerations for local statutory audit purposes If the component auditor also needs to perform an audit for local statutory requirements, it is likely they will set a different figure for overall materiality and performance materiality for statutory audit purposes. Example 2.40 – Component materiality and local statutory materiality You are working for the A1 office in Perth and will be the component auditor of the ShipMe Perth subsidiary. Under the Corporations Act 2001 (Cth), ShipMe must also lodge audited financial statements in Australia. This audit is to be performed by the A1 office in Perth. The group auditor communicates to you that component materiality is $1,600,000 and performance materiality is $1,200,000. Applying A1’s firm methodology, and in line with Auditing Standards, you set local statutory materiality at $800,000 and performance materiality at $600,000. As you have already performed audit procedures for group audit purposes using a performance materiality level of $1,200,000, your audit team must now determine the nature and extent of additional procedures needed to meet the requirements of the lower local statutory materiality. This could result in, for example, additional samples needing to be tested. It may also require reassessing what constitutes a ‘clearly trivial’ misstatement for local statutory reporting purposes. Using the work of internal audit Some of the work performed by the internal audit team may be relevant to an entity’s external auditor. This may mean that the external auditor could modify the nature and timing of their own audit procedures, or reduce the extent of the audit procedures they plan to perform, if they decide to rely on the work of the internal audit. ISA 610 (Revised 2013) outlines when it is permissible to use the work of internal auditors and, if so, to what extent. The following diagram summarises the key requirements of ISA 610 (Revised 2013) and illustrates the audit procedures required by the external auditor when considering using the work of internal audit: Source: Adapted from IFAC 2018, Guide to using ISAs in the audits of small- and medium-sized entities, 4th edn, vol 1, Exhibit 15-7.1, p 166 Australia specific Note that ASA 610 does not allow external auditors to direct the internal auditors to provide assistance on the audit engagement. Thus, external auditors can use the work already conducted by internal auditors if that work was conducted under appropriate conditions. However, the auditor cannot direct them to gather evidence and have them act as de facto members of the audit team. Examples of testing that may be reduced due to the work of internal audit include: • Testing the operating effectiveness of the entity’s controls. • Conducting substantive procedures that involve the application of limited judgement. • Observing inventory counts. • Tracing transactions that are relevant to the entity’s financial reporting through its information system. • Testing the entity’s compliance with statutory and regulatory requirements. Even when using the work of internal audit, the external auditor remains solely responsible for the audit opinion that is expressed in the auditor’s report on the financial statements. Before performing any specific review of the internal audit’s work, the external auditor must determine whether the internal audit work can be used and, if so, in which areas and to what extent. This process requires exercising professional judgement and is summarised in the following diagram: Example 2.41 – Assessing the work of internal audit Sophie, the external audit manager at your firm, is talking with Dave, the internal audit manager of your audit client, Sweep Limited. Sweep is a manufacturer of household cleaning supplies and is a new client for your firm. Sophie is considering whether a review of bank reconciliations completed by the internal audit team will be suitable as evidence of the operation of internal controls around cash. Dave explains to Sophie ‘I give the accounting department a week’s notice that we are going to be auditing them. The instructions I give my team are to have a look over the bank reconciliations and see if anything looks amiss. They provide a verbal report to me and if they find any misstatements, they document them in a memo. Otherwise, we put a tick in the internal audit tracking spreadsheet’. Sophie enquires with human resources about Dave’s qualifications and discovers that he has been working in internal audit for Sweep since he graduated university 15 years ago; however, in that time, he has not obtained a professional qualification in accounting. Sophie determines that Sweep’s internal audit processes are not suitable and cannot be relied on by the external engagement team. Sophie makes a note for the audit partner, Merran, to talk to the audit committee about the role of internal audit and recommend they consider having a more qualified person as the internal audit manager. Using the work of an expert There has been an increase in the use and importance of specialists and experts (by management and by audit teams) due to the increasing complexity of business transactions reported in a company’s financial statements. The use of specialists and/or experts does not change management’s responsibility for the preparation of the financial statements and the auditor’s responsibility for the audit opinion expressed on those financial statements. It is important to understand the difference between specialists and experts as different auditing standards apply to each. The following matrix provides some examples of each type: AREA OF EXPERTISE IS IN: Accounting (or auditing) Other than accounting (or auditing) WORK IS USED BY: Auditor Specialist (ISA 220 (Revised)) Specialists (most commonly in tax and IT audit) are often members of the engagement team. Many audit firms also have formal consultation processes, as part of their system of quality management, which require audit teams to consult with dedicated specialists as needed. Auditor’s expert (ISA 620) An auditor may engage their own expert to assist the auditor in obtaining sufficient appropriate audit evidence. More commonly, auditors engage an auditor’s expert to assist them in evaluating the work of management’s expert, particularly in assessing the competence of management’s expert and the appropriateness of management’s expert’s work. Management Management’s specialist Management may engage specialists in areas when there is a lack of necessary knowledge and expertise, or resources. Common examples include: Obtaining external accounting advice on a non-routine transaction or accounting matter (eg first-time implementation of accounting standards, business combination). Engaging an accounting firm other than the audit firm to prepare the consolidation entries and statutory financial statements. As there is no specific Auditing Standard addressing the work of specialists engaged by management, the auditor would apply ISA 315 (Revised 2019) generally during the risk assessment phase of the audit and ISA 500 generally in evaluating the work of management’s specialist as audit evidence. Management’s expert (ISA 500) Management may use the work of experts in preparing the financial statements, particularly in areas subject to complexity, judgement and/or estimation, such as: valuations of assets determination of quantities or physical condition of assets application of specialised valuation techniques or methods (eg actuarial valuation) legal opinions concerning interpretations of agreements, statutes and regulations. Example 2.42 illustrates the difference between an expert and a specialist. Example 2.42 – Experts and specialists As part of the year-end audit, you engage two individuals to assist the audit team for deferred tax assets – they will help to check the deferred tax assets and liabilities recorded by the client, and to review legal cases about the valuation of deferred tax assets. The first individual has expertise in applying methods of accounting for deferred income tax and the second person has expertise in tax law. The first person is considered a specialist under ISA 220 (Revised) and the second person is considered an expert under ISA 620. There are a number of steps that an auditor must take before they can rely on the work of an expert. The following diagram summarises the key requirements of ISA 620 and illustrates how using the work of an expert is considered throughout the audit process: Source: Adapted from IFAC 2018, Guide to using ISAs in the audits of small- and medium-sized entities, 4th edn, vol 1, Exhibit 15.8-1, p 173 Engaging an expert When the auditor decides to engage an expert, the auditor prepares a planning memorandum to agree on the terms of the engagement. This includes the scope of work as well as the reporting format of the findings and conclusions required from the expert. Other audit considerations for engaging an auditor’s expert are summarised in the following diagram: Source: Adapted from IFAC 2018, Guide to using ISAs in the audits of small- and medium-sized entities, 4th edn, vol 1, Exhibit 15.8-4, pp 175–176 Evaluating the adequacy of the work performed by an expert When the auditor receives the expert’s report they must consider whether that work provides them with sufficient appropriate audit evidence. In doing so, the auditor considers: • The expert’s findings and whether they are consistent with other audit evidence. • The methods and assumptions used. • The source data used, and whether it is accurate. It is important for the auditor to follow up with the expert if they do not understand the findings or the processes followed by the expert. This is because they are responsible for the work of the expert, even though they did not conduct the work themselves. If the results of the expert’s work are unsatisfactory or inconsistent with other audit evidence, the auditor can resolve the matter through one or more of the following courses of action, as appropriate: • Having discussions with the entity and the expert. • Performing additional audit procedures. • Engaging another expert. • Modifying the auditor’s report. Example 2.43 – Using the work of an expert Interview with Patrick Besson CA, Manager, EY When do you engage an expert in an audit? ‘You generally know pretty quickly when you need to get an expert involved. We usually use an expert to assess the reasonableness of complex macroeconomic assumptions made within management’s forecast models or impairment models. Recently, we’ve also used experts to assist with macroeconomic factors included within a trade receivable expected credit loss (ECL) impairment model.’ What’s the process for engaging an expert? Besson explains that a lot of their experts sit in-house at EY. ‘For instance, I can call on specialty experts from our real estate advisory practice to assist with property valuations.’ But they also engage with external experts for less common situations. ‘You’ve got situations where an entity is facing something new or unprecedented. COVID-19 is a good example. Given the widespread economic uncertainty, it calls into question whether the historical approach an entity might have taken is still appropriate, and so companies might have engaged actuarial services in more detail to understand the macroeconomic assumptions that management have made.’ Clients can also engage their own experts. Besson stresses the importance of evaluating the competency of any experts on whose work the audit team is relying. ‘If management have engaged an expert, then you need to use your professional judgement in assessing the competency of that expert, and the validity of their report. Consider if they are appropriately qualified and how long they’ve been employed at their particular practice. Do some LinkedIn research. Ensure you’re comfortable with the competency of the person who is providing management with their expertise.’ Have you ever disagreed with an expert? ‘I don't know that “disagree” is the right word. An expert might be very factual in their report and not take into consideration the concept of materiality, for instance, which is important when looking at things from an audit perspective. You might need to apply an audit lens to an expert report to translate that factual piece of information into an audit evidence piece of information. And at the end of the day, the responsibility lies with the audit team and not with the expert.’ Chapter summary This chapter addressed the testing phase of the audit process, including tests of controls and substantive testing. Professional judgement and professional scepticism must be used throughout the testing phase. Tests of controls are designed to confirm the auditor’s assessment of control risk – that is, to confirm that internal controls were operating as intended throughout the period under audit. Issues relating to selecting controls to test were discussed (eg identifying which controls are key controls), as were considerations for the design of the tests (eg the importance of defining deviations). Practical considerations were also identified for performing the tests and evaluating the results of tests of controls. In contrast to tests of controls, substantive testing involves gathering evidence about the underlying assertions in the account balances and transactions. Conducting substantive procedures reduces detection risk (and therefore audit risk). This chapter described the use of substantive analytical procedures – procedures that provide substantive evidence for an account balance by comparing it to an independently estimated value. It also discussed substantive tests of details – procedures performed to gather evidence on individual items within an account balance or class of transactions. When designing tests of details, the auditor considers use of external confirmation, reperformance, recalculation, inspection, observation and enquiry. Tests of details are often performed on samples of items, but data analytic tools can support 100 per cent testing. This chapter addressed the use of technology, but emphasised the dominant role of professional judgement; that is, technology should support the auditor’s judgement, rather than replace it. The process of evaluating the results of tests of details was also described, including how to assess the impact of misstatements. Specific audit considerations were discussed, including those relating to fraud, accounting estimates, related party transactions and going concern. The chapter finished by identifying issues associated with using the work of others – the use of professional judgement was again emphasised, as was the use of professional scepticism. Having gathered the majority of their audit evidence, the auditor is now ready to move on to the final stages of the audit. CHAPTER 3 Finalise the audit Chapter introduction This chapter discusses the final stages of the audit process. These include the completion procedures, and the process of forming and communicating the audit opinion. As you will remember, the purpose of an audit is to enhance the degree of confidence intended users have in financial statements. This is done by providing reasonable assurance that the financial statements are prepared, in all material respects, in line with the applicable financial reporting framework. The ‘completion’ procedures allow the auditor to ensure they have sufficient appropriate evidence to provide that assurance. The first part of this chapter discusses these procedures. Having completed the audit procedures and evaluated the evidence obtained, the auditor can then form their opinion about whether the financial statements are fairly presented. The audit opinion is communicated to intended users through the auditor’s report. The second part of this chapter discusses considerations the auditor needs to make when forming this opinion, and how various factors affect what is included in the auditor’s report. 3.1 Completing the audit The auditor is now at the ‘completion’ stage of the audit. The audit is nearly finished – at least we think it is nearly finished. It’s time to revisit some of the judgements made earlier in the audit and ‘step back’ and assess how the audit has actually progressed. This topic explores the general procedures that have not been completed yet, such as considering events occurring after the end of the reporting period (‘subsequent events’), considering the financial statements close process and reviewing the full set of financial statements prepared by the client, including note disclosures and comparative information. The auditor reviews the procedures they had planned to do in the audit program and asks ‘Have we obtained all the evidence we intended to?’ They will determine whether they have in fact collected sufficient appropriate audit evidence. Analytical procedures will again prove useful – at this stage of the audit, the auditor will use them to make an overall assessment about whether the financial statements are consistent with their understanding of their client. This process can prompt them to conduct additional procedures, which were not originally planned. In evaluating their audit work for material misstatements, the auditor assesses the misstatements that have ‘accumulated’ throughout the audit and revisits their earlier judgements about materiality. They will consider the amount and the nature of the identified misstatements in determining whether they are material, and will consider the effect of misstatements carried forward from the prior year. Next, the auditor will consider the ‘other information’ that accompanies the client’s financial statements and how to address inconsistencies identified between this information and the audited financial statements. Lastly, it’s time to consider how to appropriately communicate the audit findings to those charged with governance of the client. The following table outlines the readings required for this topic: Relevant international assurance pronouncements and local equivalents (where applicable) International Australia New Zealand ISA 260 (Revised) Communication with Those Charged with Governance (ISA 260 (Revised)) ASA 260 Communication with Those Charged with Governance (ASA 260) ISA (NZ) 260 (Revised) Communication with Those Charged with Governance (ISA (NZ) 260 (Revised)) ISA 450 Evaluation of Misstatements Identified during the Audit (ISA 450) ASA 450 Evaluation of Misstatements Identified during the Audit (ASA 450) ISA (NZ) 450 Evaluation of Misstatements Identified during the Audit (ISA (NZ) 450) ISA 500 Audit Evidence (ISA 500) ASA 500 Audit Evidence (ASA 500) ISA (NZ) 500 Audit Evidence (ISA (NZ) 500) ISA 520 Analytical Procedures (ISA 520) ASA 520 Analytical Procedures (ASA 520) ISA (NZ) 520 Analytical Procedures (ISA (NZ) 520) ISA 560 Subsequent Events (ISA 560) ASA 560 Subsequent Events (ASA 560) ISA (NZ) 560 Subsequent Events (ISA (NZ) 560) ISA 570 (Revised) Going Concern (ISA 570 (Revised)) ASA 570 Going Concern (ASA 570) ISA (NZ) 570 (Revised) Going Concern (ISA (NZ) 570 (Revised)) ISA 580 Written R epresentations (ISA 580) ASA 580 Written R epresentations (ASA 580) ISA (NZ) 580 Written Representations (ISA (NZ) 580) ISA 710 Comparative Information – Corresponding Figures and Comparative Financial Statements (ISA 710) ASA 710 Comparative Information – Corresponding Figures and Comparative Financial Reports (ASA 710) ISA (NZ) 710 Comparative Information – Corresponding Figures and Comparative Financial Statements (ISA (NZ) 710) ISA 720 (Revised) The Auditor’s Responsibilities Relating to Other Information (ISA 720 (Revised)) ASA 720 The Auditor’s Responsibilities Relating to Other Information (ASA 720) ISA (NZ) 720 (Revised) The Auditor’s Responsibilities Relating to Other Information (ISA (NZ) 720 (Revised)) 3.1.1 Other general audit procedures There are some general audit procedures that, by their nature, need to wait until the final stages of the audit. These include the following: • Considering subsequent events. • Considering the financial statement close process. • Reviewing the full set of financial statements. • Considering the appropriateness of the client’s disclosures. • Reviewing the accuracy and presentation of comparative information. • Performing final analytical procedures. • Obtaining representations from management or those charged with governance. These procedures will be discussed in the topics that follow. Auditor’s responsibilities relating to subsequent events The directors of an entity have a responsibility to ensure the financial statements comply with IAS 10 Events after the Reporting Period. This responsibility is usually delegated to management. ISA 560 outlines the auditor’s responsibilities for subsequent events in an audit. The responsibilities vary depending on the timing of the event and the date of the auditor’s report. The following diagram shows three time periods and summarises the auditor’s responsibilities during each of these periods: *The auditor’s report cannot be signed until the financial statements have been authorised by the entity’s director (the date of the director’s declaration). In practice, the auditor’s report is typically signed and dated on the same day as the director’s declaration. ISA 560 does not deal with matters relating to the auditor’s responsibilities for ‘other information’ obtained after the date of the auditor’s report, which are addressed in ISA 720 (Revised) and discussed later in this chapter. It is important to note, however, that such ‘other information’ may bring to light subsequent events that are within the scope of ISA 560. Considering the financial statement close process The financial statement close process is where clients reconcile their accounts and make adjustments as required to ensure their financial statements reflect the correct period-end balances. Reconciliations will be completed for various accounts, with accruals and prepayments accounted for through adjusting entries. Allowances and provisions will be adjusted as needed. For some clients this process can be onerous and can include, for example, recognition of foreign currency exchange difference on monetary items, adjustments to the value of investments in associates and joint ventures, adjustments to deferred tax assets and liabilities, as well as multiple other complex adjustments. The intention is to ‘close’ the accounting period, ready to begin the new period afresh. The auditor has a responsibility to examine the financial close process under ISA 330. They must ensure the process has been completed correctly. As part of their substantive procedures, the auditor will: • agree or reconcile the financial statements with the underlying accounting records • examine material journal entries and other adjustments made during the financial close process. The extent of the substantive procedures will vary based on the nature and complexity of the financial close process of each specific client. Reviewing financial statements Up to this point, the auditor’s responsibilities have largely taken the form of audit procedures over specific internal controls, account balances and classes of transactions. A further critical part of the audit occurs towards the end of the engagement, where the auditor reviews the full set of financial statements (ie the complete set of general purpose financial statements). The auditor needs to make sure that the complete set of financial statements reflects the actual state of affairs of the client. The term ‘review’ in this context should not be confused with review engagements as prescribed by International Standards on Review Engagements (ISREs). In practice, auditors typically perform audit procedures based on a trial balance or general ledger. This is because the financial statements are still being prepared by the client at the time the audit work is carried out. Once the draft financial statements are available, the auditor ensures: • The numbers over which audit procedures have been performed are those actually included in the financial statements. • The numbers in the financial statements are mathematically accurate (eg rounding errors are identified and amended). • The financial statements are presented consistently throughout (eg an account balance in the statement of financial position is consistent with the respective note disclosure). • The financial statements, as a whole, give a true and fair view of the entity’s financial position and performance, and comply with relevant Accounting Standards and regulations. Although the classification and presentation assertions should be considered as part of normal audit procedures, the risks of material misstatement relating to these assertions are generally addressed during this late stage of the audit. Example 3.1 discusses the checking of financial statements at KPMG. Example 3.1 – Automated checking of financial statements KPMG has automated the checking of financial statements using their Financials Checker. Here, audit technology is used to ensure financial statements are mathematically correct, internally consistent and, where appropriate, agree to the prior year statements. Financials Checker is a digital solution that performs vertical and horizontal add checks throughout financial statements. It also automates notes tie through from primary statements where amounts are an exact match, as well as automatically checking amounts disclosed to the prior year signed financial statements. Shane O’Connor, Partner, Audit, Assurance and Risk Consulting, KPMG Australia explains ‘… We take that time-consuming, painful process away from our staff – let technology do it – and then our focus is on the exceptions that we’ve identified’. Disclosures As part of a financial statement audit, the auditor considers the relevance and clarity of disclosures, as well as completeness and accuracy. They must consider whether the terminology used and amount of detail provided in disclosures is reasonable. Such audit procedures often make use of disclosure checklists, which list common disclosures that may need to be considered. Client versions or internal audit versions of disclosure checklists may be completed when the financial statements are being prepared. The auditor can request the completed checklists from their client and consider the recorded responses when making their own assessment of disclosures. Significant professional judgement is also required when assessing disclosures. Example 3.2 demonstrates the auditor’s consideration of the appropriateness of disclosures for interest-bearing liabilities. Example 3.2 – Classification and presentation of interest-bearing liabilities Monica Parker is auditing the company Moppet & Fisher Limited. Moppet & Fisher Limited has an interest-bearing loan that matures in five years. Monica has gathered sufficient appropriate audit evidence for all key assertions related to the loan, with the exception of classification and presentation. An extract of Moppet & Fisher’s statement of financial position is shown below. Note that it discloses two line items for the loan: a current portion equal to $1,500,000 and a non-current portion equal to $1,000,000. Moppet & Fisher Limited Statement of financial position as at 30 June 20X3 Current liabilities Note 20X3 ($’000) Payables 2,220 Interest-bearing liabilities 10 1,500 Current tax liabilities 30 Provisions 250 Other 2,460 Total current liabilities 6,460 Non-current liabilities Interest-bearing liabilities 10 1,000 Other 2,470 Total non-current liabilities 3,470 Note 10 to the financial statements is as follows: 10 Interest-bearing liabilities ($’000) Current interest-bearing liabilities 1,500 Non-current Interest-bearing liabilities 1,000 Total interest-bearing liabilities 2,500 Interest-bearing liabilities are recognised at fair value, net of transaction costs. Interest-bearing liabilities are classified as current except where they are not due for settlement for at least 12 months after the end of the reporting period. Debt covenants associated with the interest-bearing liabilities require that the total tangible assets of the entity not fall below $10,000,000 at any point during the period. There have been no breaches of the debt covenants for the current or prior period. Once the draft financial statements are received, Monica agrees the respective amounts to the trial balance and audit workpapers, ensuring the current and non-current portions of the interest-bearing loan properly reflect the timing of when repayments are due under the loan agreement. She also reads the disclosures in Note 10 and ensures it is consistent with how the company has accounted for its interest-bearing liabilities and her understanding of how interest-bearing liabilities are accounted for. Inadequate or erroneous disclosures often give rise to material misstatements that are qualitative in nature, rather than quantitative. Examples of such misstatements are included in subtopic 3.1.3. ISA 570 (Revised) provides specific guidance for the consideration of appropriate disclosures when a material uncertainty related to going concern exists. It also discusses requirements for the auditor to evaluate the adequacy of disclosures in ‘close call’ situations. Close calls are events or conditions identified that may cast significant doubt over the ability of the entity to continue as a going concern, but for which, as a result of management’s plans and mitigating responses, no material uncertainty exists. Example 3.3 – Making decisions about disclosures in close call situations Making disclosures in close call situations is an area which attracts a high-level of expertise and is usually the role of the senior members of the audit team. Julian Bishop has one tip: seek out the expertise in your firm and learn from it. ‘In any audit team, regardless of size, there is a range of expertise levels for a reason’, Bishop says. ‘My advice for young CAs is: don’t be afraid to reach out.’ These close call decisions have become more frequent during the COVID-19 pandemic because of the increased uncertainty about the future. They have also become more challenging because there’s less interaction between audit team members and client management, due to social distancing restrictions. ‘You’ve got people doing remote audits now, where the level of interaction with other people is far less than it used to be’, says Bishop. ‘So it's more difficult to just overhear the conversations that might go on in an audit room, or to feel as though you can ask something that you think is a dumb question, but that you'll ask anyway because someone's sitting next to you, or just walk into the CFO’s office.’ ‘The more barriers you create between individuals the more difficult it becomes to achieve the underlying purpose of the audit.’ Bishop says this only reinforces the need for CAs to be proactive in seeking out know-how and asking for help. ‘It’s important that people really appreciate that you’re not expected to know all the answers and that you need to speak up, consult and draw on the experience of others around you.’ If there are indicators of doubts about the client continuing as a going concern how do you go about deciding if a client has sufficiently mitigated the risk? Bishop says there are several things you may want to consider: Have management thoroughly considered indicators of doubt and what their mitigation plan is for any risks that do exist? Are management alleviating doubt by preparing a cash flow forecast for the coming 12 months? Be sure to scrutinise all key assumptions and ensure the reliability of data sources. Where companies are subsidiaries of global organisation, and they are reliant on parent support, do they have documentation in place that demonstrates this? Is the parent company sufficiently financially solvent to be able to provide the support? Is there a good business rationale for why the parent company should support them? Where debts are up for renewal in the next year, have clients met their covenants? Where clients have overdraft facilities, do they have assurance that they’re going to continue? Ultimately, when making decisions about disclosures in close call situations, independence, integrity and making sound judgements are crucial. It’s during close call situations that auditors can be tempted to be subjective or sympathetic in their decision-making, so this is where objectivity, ethics and quality control become more important than ever. Act without fear or favour. ‘To be a great auditor it is not enough to just understanding how to audit, you also need a sound understanding of the accounting and disclosure requirements’, Bishop says. ‘What can often be overlooked is that you’re talking about misstatement of accounts being prepared in accordance with specific accounting standards. The accounting requirements can be complex, but if you know them well, then you can be more confident in your conclusions and can articulate why you believe your position is good.’ Comparative information Under ISA 710, the auditor is required to obtain sufficient appropriate audit evidence about whether the comparative information included in the financial statements has been presented in line with the applicable financial reporting framework. In Australia and New Zealand, prior period financial information is included as an integral part of the current period financial statements and is intended to be read only in relation to the current period. Auditor’s responsibilities relating to comparative information include evaluating whether: • the comparative information agrees with the amounts and other disclosures presented in the prior period financial statements • the accounting policies reflected in the comparative information are consistent with those applied in the current period, or, if there have been changes in accounting policies, whether those changes have been properly accounted for, presented and disclosed. When the auditor becomes aware of a potential misstatement in the comparative information during the current audit, they need to perform additional procedures to determine whether a material misstatement exists. Where the prior period financial statements have been amended, the auditor needs to confirm that the comparative information agrees with the amended financial statements. Note that ISA 710 includes two broad approaches for comparative information: corresponding figures and comparative financial statements. Given that in Australia and New Zealand, prior period financial information is intended to be read only in relation to the current period, this chapter focuses on corresponding figures. Example 3.4 – Corresponding figures Jeffrey Picoult, an auditor for Picoult Assurance, is auditing the ‘property, plant and equipment’ accounts of Twist Tie Trading. An extract of the statement of financial position for Twist Tie Trading is shown as follows: Twist Tie Trading Statement of financial position as at 30 June 20X3 Non-current assets Note 20X3 ($’000) 20X2 ($’000) ​Other receivables 50 110 ​Property, plant and equipment 5 3,500 2,750 ​Interest in joint venture 6 5,460 4,980 ​Intangible assets 7 30 30 Total non-current assets 9,040 7,870 Note that the ‘property, plant and equipment’ total of $3,500,000 at the end of the current year, reflects opening balances totalling $2,750,000, as well as the effect of current year additions, disposals and depreciation. An extract of the relevant note disclosure is as follows: 5. Property, plant and equipment 20X3 Buildings ($’000) Plant and equipment ($’000) Total ($’000) Carrying value at 1 July 20X2 2,030 720 2,750 Additions – 1,240 1,240 Disposals – (20) (20) Depreciation (210) (260) (470) Carrying value at 30 June 20X3 1,820 1,680 3,500 20X2 Buildings ($’000) Plant and equipment ($’000) Total ($’000) Carrying value at 1 July 20X1 2,240 990 3,230 Additions – 30 30 Disposals – – – Depreciation (210) (300) (510) Carrying value at 30 June 20X2 2,030 720 2,750 Jeffrey has obtained sufficient appropriate evidence for the opening balance of the property, plant and equipment accounts. He has also obtained sufficient appropriate evidence about the additions and disposals that occurred during the current period for those accounts and the current year depreciation allocation. Jeffrey is also satisfied with the adequacy of relevant note disclosures for property, plant and equipment for the current year. The financial statements and note disclosures show the corresponding figures for the prior year. While auditing the current year’s transactions and the opening balances, Jeffrey has not identified any misstatement relevant to the current or prior years. An unmodified auditor’s report was previously issued for the prior years. All items of property, plant and equipment were valued at cost for the current year. Buildings were depreciated using the straight-line method, and the reducing-balance method was applied for plant and equipment. Jeffrey confirms that these same methods were also used in the prior year. Jeffrey reconciles the prior year figures for property, plant and equipment and depreciation (shown in the prior year column of the current year financial statements) with the figures that were included in the prior year financial statements. Jeffrey provides an unmodified audit opinion for the current year. His opinion does not refer to the corresponding figures because his opinion is on the current period financial report as a whole, including the corresponding figures. 3.1.2 Evaluating audit evidence When evaluating audit evidence, the auditor will ask ‘Have we collected all the evidence we intended to?’ They need to make a conclusion about whether they have collected sufficient appropriate audit evidence on which to base their audit opinion, or whether additional audit procedures are necessary. Concluding whether sufficient appropriate evidence has been obtained When finalising the audit, the auditor considers all relevant audit evidence in concluding whether sufficient appropriate audit evidence on the financial statements has been obtained. Remember that the audit program outlines the nature, timing and extent of audit procedures to be performed by engagement team members. The auditor will revisit the planned audit procedures that were outlined in the audit program and assess if those procedures were completed as intended and to an appropriate standard. If the auditor concludes that sufficient appropriate audit evidence has not been obtained over a specific account balance or class of transaction, then the auditor would also assess evidence obtained from other areas of the audit. The auditor would also then, where necessary, revise the audit program to include additional procedures. In this way, the audit program can be considered a ‘living’ document, with a financial statement audit being an iterative process. The auditor may also revise the procedures identified in the audit program in circumstances where audit evidence from different procedures provides conflicting results, or where the auditor has doubts about the reliability of information to be used as audit evidence. In line with ISA 500, the auditor will modify the initial planned audit procedures, or perform additional procedures to resolve the issues. The auditor also needs to consider whether the inconsistent evidence and modification to procedures has any flow-on impacts on other aspects of the audit. The auditor needs to determine which evidence should be relied on and the reasons for any inconsistencies. They must document how they have addressed inconsistencies between information from different sources and how they have responded to doubts as to the reliability of evidence. In doing so, they will document the additional audit procedures performed and potential implications for the auditor’s report. This provides evidence of the auditor’s exercise of professional scepticism and professional judgement. Where changes to the planned procedures were made during the audit, the auditor will assess if the changes were appropriately enacted. The overall conclusion as to whether sufficient appropriate audit evidence has been obtained requires a high level of professional judgement. Therefore, it is the audit partner who makes this conclusion. Example 3.5 – Concluding on whether sufficient appropriate evidence has been obtained The audit partner at Melu Assurance Services has assessed there is a significant risk relating to the provision for litigation and claims recorded by their client BurroFury Limited. The key assertions at risk for the provision are completeness and accuracy, valuation and allocation. The following procedures have been performed to address the risk: The audit partner has made enquiries of Burro Fury’s management and Melu Assurance Services’ in-house legal counsel about legal matters to obtain an understanding of the nature of the matters and an estimate of their likely financial consequences. The audit manager, Beau, has obtained management’s calculation for the provision, including management’s assumptions. Beau has recalculated the provision and reviewed the reasonableness of management’s assumptions. The audit senior, Carly, has reviewed the legal expense accounts. Beau has inspected the board minutes to ensure that all significant legal matters have been identified. Beau has also inspected correspondence between Burro Fury and its external legal counsel. Carly has sent a letter of enquiry to the external legal counsel assisting Burro Fury. The reply was sent directly to Carly and confirmed the description of the legal matters and the estimated amount of legal claims. Beau reviewed the disclosures in the draft financial statements to determine that the amount and narrative disclosures relating to the provision were appropriately disclosed in line with the applicable Accounting Standard. The procedures performed addressed the two key assertions at risk, but also provided evidence relating to other assertions. As a result, after reviewing the audit documentation and conclusions reached with regards to each of the procedures, the audit partner concluded that sufficient appropriate audit evidence has been obtained over the provision for litigation and claims. Final analytical procedures Once all audit procedures have been performed and evidence evaluated, the auditor has a responsibility to design and perform final analytical procedures. These procedures are done in accordance with ISA 520, and assist the auditor in forming an overall conclusion as to whether or not the financial statements are consistent with their understanding of the entity. Final analytical procedures are intended to: • identify any previously unrecognised risks of material misstatement • corroborate conclusions formed during the audit on individual components or elements of the financial statements • help to arrive at a reasonable conclusion on which to base the auditor’s opinion. The analytical procedures performed at the final stage of the audit are similar to those used for risk assessment in the earlier stages of the audit process. These procedures commonly include: • comparing recorded amounts to expectations developed as a result of undertaking the audit • calculating ratios and assessing whether they are in line with the auditor’s understanding of the entity. If, in performing these procedures, new risks or unexpected relationships between data are identified, the auditor needs to investigate and assess if further audit work is required for those areas. 3.1.3 Evaluating misstatements Evaluating misstatements is a critical part of any audit. Misstatements can affect the planned audit procedures, communication with management and ultimately the audit opinion provided by the auditor. Remember that a ‘misstatement’ is the difference between: • the reported amount, classification, presentation, or disclosure of a reported financial statement item • the amount, classification, presentation of disclosure that is required for the item (ISA 450). It can be useful to consider misstatements in the following categories: Example 3.6 – Examples of misstatements Some examples of misstatements are as follows: When misstatements are identified, the auditor will record them on a ‘summary of misstatements’ workpaper. The auditor’s summary of misstatements is also commonly called ‘potential audit journal entries’ or ‘proposed audit differences’. The auditor will advise management of the misstatements and ask for them to be corrected in the underlying books and records. Management usually corrects the misstatements. However, the auditor must still consider the impact of the misstatements on the audit, and the impact of uncorrected misstatements when forming the audit opinion. Example 3.7 – Practice insights on common types of misstatements and the communication process Dr Margaret Salter will never forget one particular misstatement that came across her desk. The company in question had a related entity receivable of $1.2 million but when Dr Salter contacted the owing entity she discovered they had assets totalling only $200,000. They could never have paid the listed amount. The message, Dr Salter says, is to always do your homework. ‘I organise for the financial report to be sent directly to me from the related party’, says Dr Salter. ‘You have to actually see documentary evidence. Check the source document. Look at the assumptions. It’s about being alert and aware.’ Dr Salter says there are a number of common types of misstatement. Inadequate provisions for impairments. For example, recent reforms banning the grandfathering of conflicted remuneration paid to financial advisers means that Australian Financial Services (AFS) licensees can no longer carry, as an intangible asset, a book of trailing commissions. These amounts can no longer be amortised and must be written off before January 2021. Impairment in terms of deferred expenses for R&D. When a client has developed a prototype and gone to market but the projected income streams generated prove to be overstated, it’s time to discuss a provision for impairment or write-down of that R&D. Related parties. Where an entity holds an investment in a related party, or an amount receivable from a related party, and doesn’t consolidate that amount, they’re carrying that asset at inflated values. Review the financial report of the related party and assess the reasonableness or the fair value of the asset balance. Valuation of shares in unlisted companies and related companies. There’s a tendency for some clients to carry, at cost, their stake in unlisted and related companies. Always obtain a copy of the company’s financial report, examine net assets and their value, and the portion of shares held by your client to determine fair value. Once you’ve identified a misstatement, what’s the next step? As Dr Salter explains, there’s a detailed process to follow: Identify or document the issue on a summary of misstatements. This includes writing a detailed description of the misstatement and outlining the impact on assets, liabilities and equity. Communicate a list of matters to be addressed, including any misstatements, to the client during the course of the audit. Discuss any misstatements and recommendations for they should be rectified, as well as your rationale for these recommendations. Regardless of whether or not your client makes the recommended adjustments, bring all identified misstatements (and your recommendations) to the attention of those charged with governance, such as the audit and risk committee. Raise a letter to management regarding current processes and controls in order to prevent repeat occurrences of the misstatements. Accumulation of misstatements The auditor’s summary of misstatements workpaper is intended to facilitate the auditor’s evaluation of the impact of the misstatements on the financial statements, and the impact on communications with management and those charged with governance. The auditor documents all misstatements identified throughout the audit process on this workpaper, with the exception of those that are below the ‘clearly trivial’ threshold. The summary of misstatements typically lists the journal entries required to correct each misstatement, cross-referenced to the relevant sections of the audit file containing further details. Misstatements relating to presentation are generally discovered during the auditor’s review of the financial statement (discussed earlier). The corrections required for these types of misstatements typically cannot be reduced to a journal entry. Some audit firms include these items in a separate ‘presentation and disclosure’ section within the summary of misstatements while other firms track them through their disclosure checklists. Evaluating the materiality of uncorrected misstatements The auditor is required to determine whether uncorrected misstatements are material individually and in aggregate. This evaluation should consider both the size and nature of the misstatement. Remember that, in the early stages of the audit, the auditor estimated a threshold for quantitative materiality – amounts above this threshold are considered important, and amounts below it are immaterial. Remember also that, in response to issues identified during the audit, the materiality threshold may have been reassessed, or may still need to be reassessed. The materiality threshold for the financial statements as a whole should be reassessed before evaluating uncorrected misstatements. To evaluate the impact of uncorrected misstatements, individually and in aggregate, the auditor considers misstatements: • in relation to particular classes of transactions, account balances and disclosures • in the financial statements as a whole. In Audit and Risk To perform this evaluation, the misstatements are aggregated (ie added together). This aggregation can be done in different ways and many audit firms have specific requirements to address it. Example 3.8 illustrates the approach that will be taken in this subject – the misstatements are aggregated against the following elements of the financial statements: • Profit or loss. • Assets. • Liabilities. • Equity. Example 3.8 – Summary of misstatements The following is an example of a summary of misstatements and evaluation of whether the misstatements are material: Nature of misstatements In determining whether uncorrected misstatements are material by nature, the auditor considers both amounts and narrative disclosures. In some instances, misstatements can be material to the financial statements, even if the amount of a misstatement is less than the threshold amount set for materiality. ISA 450 lists a number of circumstances that the auditor would consider when evaluating whether misstatements are material. The auditor’s consideration of disclosures was discussed in subtopic 3.1.1. In the case of a misstatement within a disclosure, the auditor considers its effect on the relevant disclosure as well as its overall effect on the financial statements. For example, depending on the misstatements identified in disclosures, the auditor may consider whether: • the identified errors are persistent or pervasive • a number of identified misstatements are relevant to the same matter and, when considered in total, these may affect the users’ understanding of the matter. Examples of such misstatements and the entities for which they may be material include the following: • Insurance and banking entities – inaccurate or incomplete descriptions of information about the objectives, policies and processes to manage capital. • Mining entities – omission of information about the events or circumstances that have led to an impairment loss (eg significant long-term decline in the demand for a commodity). • Entities trading internationally – inadequate description of the sensitivity of an exchange rate. Misstatements in disclosures could also be an indicator of fraud and may arise because: • Misleading disclosures have resulted from bias in management’s judgement. • Extensive duplication or uninformative disclosures obscure an understanding of the financial statements. Misstatements from prior financial periods Misstatements identified in one financial period can affect the following financial period. Where misstatements in prior periods were not corrected, the auditor must take these into the consideration of the current period’s misstatements. This is illustrated in Example 3.9 . Example 3.9 – Previous period misstatements that affect the current financial period The auditor of Thyme Retailers Limited identified a material misstatement in the financial year ended 30 June 20X0. Thyme Retailers had not recorded an accrued liability for occupancy expenses. The journal required to correct the misstatement, which was not posted, was as follows: Dr $ Cr $ Occupancy expenses 200,000 Accrued liabilities (200,000) Without recognising this adjustment, both the profit for the 30 June 20X0 financial year and net assets as at 30 June 20X0 were overstated by $200,000. The auditor is now completing Thyme Retailers’ audit for the year ended 30 June 20X1. As Thyme Retailers would have recognised the occupancy expense incorrectly at 30 June 20X1 instead of 30 June 20X0, the occupancy expense in 20X1 is overstated by $200,000. As the profit for the 30 June 20X0 financial year was overstated, the opening retained earnings for the 30 June 20X1 financial year is also overstated by $200,000. The following journal would be required to correct the effect of the above misstatement on the 30 June 20X1 financial statements: Dr $ Cr $ Retained earnings 200,000 Occupancy expenses (200,000) Communicating misstatements The auditor should communicate misstatements to management during the audit in a timely manner. Timely communication of misstatements provides management with the opportunity to conduct its own investigation and to correct the misstatements before finalising the financial statements. As mentioned previously, in most cases, management corrects misstatements. However, if management refuses, the auditor must understand management’s reasons for not making a correction. Misstatements must also be communicated to those charged with governance during the final stage of the audit. This communication contains the uncorrected misstatements and the effect those misstatements may have on the auditor’s opinion. This formal communication will often also include any misstatements that management has corrected. In their communication with those charged with governance, the auditor requests that the misstatements be corrected. Communicating with those charged with governance is discussed further in subtopic 3.1.5. 3.1.4 Other information It is common for entities to publish additional information in documents that contain the audited financial statements (eg narrative reports from directors or analysts, charts, graphs and tables included in an annual report to shareholders). This inclusion of ‘other information’ places additional responsibilities on the auditor. Australia specific In Australia, the annual report contains or accompanies the financial report and the auditor’s report. It contains information and reports required by the Corporations Act 2001 (Cth) and the ASX listing rules, such as the directors’ report, which includes the operating and financial review, remuneration report and corporate governance report. It may also include additional non-compulsory reporting (eg sustainability reports, overview of strategy). Auditor’s responsibilities relating to other information It is in the public interest that an auditor reads the other information to check it makes sense. However, the other information is not subjected to the same procedures performed in the audit of the financial statements. The auditor does not provide assurance over the other information. The auditor must read the other information and consider whether there is a material inconsistency between the other information and the: • financial statements • auditor’s knowledge obtained during the audit. In performing an evaluation of consistency between the other information and the financial statements, the auditor is not required to compare all the amounts or items. This is a matter of professional judgement. The auditor would consider the significance of the amount or item (eg a key ratio), the relative size of the item compared to other items in the financial statements, or the sensitivity of a particular item (eg share-based payments to management). The auditor focuses on those matters in the other information which are important enough that a misstatement in that information may be considered material. Due to the nature of this work, the audit engagement partner should consider which team members are appropriate to perform this work. The more experienced and familiar the auditor is with the key aspects of the audit, the more likely it is that the auditor’s recollection of the relevant matters will be sufficient. Obtaining the other information The auditor’s responsibilities about other information apply regardless of whether that information is obtained before or after the date of the auditor’s report. The auditor should discuss with management the need for them to provide the final annual report before the date of the auditor’s report. If necessary, the auditor may decide that this requirement should be included in the audit engagement letter. If the other information is not made available at the requested time, the auditor would request a written representation from management about this matter. Auditor’s response when a material inconsistency or material misstatement exists If the auditor believes a material inconsistency or material misstatement exists between the other information and the financial statements, or between the other information and the auditor’s knowledge obtained in the audit, the auditor first needs to discuss the matter with the entity’s management. These discussions with management may include obtaining further information and explanations. Further audit procedures may also be performed. This allows the auditor to determine whether there is: • a material misstatement in the other information • a material misstatement in the financial statements • a need to update the auditor’s understanding of the entity. A misstatement in the other information exists when that information is incorrectly stated or otherwise misleading − for example, it omits or obscures information necessary for a proper understanding of a matter. Whether the misstatement is material is a matter of professional judgement taking the needs of the financial statement users into consideration. If the auditor concludes that a material misstatement in the other information exists, the auditor will request that management correct the other information and will monitor the correction to ensure it has been done appropriately. If management refuses to make the correction, the auditor must consider the impact on the auditor’s report and communicate the matter to those charged with governance. Subtopic 3.2.2 considers the impact of other information on the auditor’s report. Communicating with those charged with governance is discussed in the following topic. 3.1.5 Communicating with those charged with governance As discussed earlier, it is a requirement of ISA 260 (Revised) that the auditor communicate their findings and observations in a timely manner. The following table illustrates the communication requirements at the end of the audit: Nature of significant finding Example/description Qualitative aspects of the entity’s accounting practices, including accounting policies, estimates and disclosures The auditor communicates their views on accounting estimates, judgements and assumptions adopted by management in testing for impairment of property, plant and equipment (PPE). This is addressed in the report to the audit committee in a section titled ‘critical accounting estimates' (or a similarly titled section). Significant difficulties encountered The auditor communicates significant delays in management providing corroborating information and various deliverables, as agreed at the beginning of the audit. Circumstances affecting the form and content of auditor’s report When the auditor is required to issue a qualified audit opinion, they communicate why the opinion is a modified one and can also include a draft auditor’s report to further facilitate discussion. Any other matters relevant to the oversight of the financial reporting process As a result of unexpected audit evidence obtained from initial audit procedures, the auditor has to modify the overall audit strategy and audit plan with a revised risk assessment. This significant shift in audit approach is communicated to those charged with governance. In practice, auditors typically make a formal presentation to those charged with governance (eg the audit committee) at the conclusion of the audit work but prior to the signing of the financial statements and issuing the auditor’s report. Auditors often use the opportunity to provide valuable insights and commentary, in addition to the mandatory communications required by the Auditing Standards. In practice, the written form of the presentation is known by many terms, such as ‘audit closing report’, ‘audit committee presentation’ or ‘audit results report’. Example 3.10 illustrates how an auditor may communicate to a client the insights gained after using data analytics in the audit of payroll expenses. Communicating these insights extends beyond the requirements of the Auditing Standards but they are commonly used by auditors to add value to an audit. Example 3.10 – Communicating further insights to those charged with governance JIT’s payroll costs have grown significantly during the period, mainly because of the company’s Perth branch. By using data analytics over JIT’s payroll function, we can match all payments made through to the bank statement and accounting ledger. We can also focus our testing on unusual or unexpected payroll transactions. About the data How it works What we found 3.1.6 Written representations Verbal representations are made throughout the course of an audit. Towards the end of an audit these verbal representations, along with those specifically required by ISA 580 and other Auditing Standards, should be formally documented in a written letter from management. A written representation is a written statement by management to the auditor to confirm matters or to support audit evidence. While the representations in the letter constitute a form of audit evidence, they cannot be used as a substitute for performing other audit procedures or used as the sole source of evidence on significant audit matters. Appendix 2 of ISA 580 provides an example of a representation letter that includes representations required by ISA 580 and other Auditing Standards. 3.2 Audit opinion and auditor's report At the end of an audit, the auditor issues the auditor’s report to the client. For users of financial statements, the auditor’s report is the most important part of the audit. It is the only part of the audit they see and is used to gauge the reliability of the financial statements. Having completed and evaluated the audit work, the auditor can determine the appropriate audit opinion to communicate through the auditor’s report. Subtopic 3.2.1 describes issues that need to be considered when forming the audit opinion, including whether to ‘modify’ the opinion. Subtopic 3.2.2 outlines factors affecting the presentation of the auditor’s report. These include the applicable financial reporting framework, and circumstances where additional paragraphs need to be included in the report. It concludes by discussing the roles and responsibilities of audit team members in relation to the auditor’s report. The following table outlines the readings required for this topic: Relevant international assurance pronouncements and local equivalents (where applicable) International Australia New Zealand ISA 570 (Revised) Going Concern (ISA 570 (Revised)) ASA 570 Going Concern (ASA 570) ISA (NZ) 570 (Revised) Going Concern (ISA (NZ) 570 (Revised)) ISA 700 (Revised) Forming an Opinion and Reporting on Financial Statements (ISA 700 (Revised)) ASA 700 Forming an Opinion and Reporting on a Financial Report (ASA 700) ISA (NZ) 700 (Revised) Forming an Opinion and Reporting on Financial Statements (ISA (NZ) 700 (Revised)) ISA 701 Communicating Key Audit Matters in the Independent Auditor’s Report (ISA 701) ASA 701 Communicating Key Audit Matters in the Independent Auditor’s Report (ASA 701) ISA (NZ) 701 Communicating Key Audit Matters in the Independent Auditor’s Report (ISA (NZ) 701) ISA 705 (Revised) Modifications to the Opinion in the Independent Auditor’s Report (ISA 705 (Revised)) ASA 705 Modifications to the Opinion in the Independent Auditor’s Report (ASA 705) ISA (NZ) 705 (Revised) Modifications to the Opinion in the Independent Auditor’s Report (ISA (NZ) 705 (Revised)) ISA 706 (Revised) Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report (ISA 706 (Revised)) ASA 706 Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report (ASA 706) ISA (NZ) 706 (Revised) Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report (ISA (NZ) 706 (Revised)) ISA 720 (Revised) The Auditor’s Responsibilities Relating to Other Information (ISA 720 (Revised)) ASA 720 The Auditor’s Responsibilities Relating to Other Information (ASA 720) ISA (NZ) 720 (Revised) The Auditor’s Responsibilities Relating to Other Information (ISA (NZ) 720 (Revised)) Corporations Act 2001 (Cth) Sections 295(3)(c), 297, 300A, 307, 308 and 311 3.2.1 Form an audit opinion To form an opinion, the auditor must decide whether they have obtained reasonable assurance that the financial statements as a whole are free from material misstatement, whether due to fraud or error. There are multiple issues to consider and many different types of audit opinions. Matters to consider in forming an opinion To form an opinion, the auditor needs to consider the following: • Has sufficient appropriate audit evidence been obtained? • Are uncorrected misstatements material (individually or in aggregate)? Consider whether management was selective in correcting only certain misstatements brought to its attention during the audit. • Do the financial statements adequately disclose significant accounting policies? Consider if these policies are consistent with the applicable financial reporting framework. • Are the accounting estimates made by management reasonable? Consider whether the estimates indicate management bias. • Is the information presented in the financial statements relevant, reliable, comparable and understandable? • Have adequate disclosures been made to enable the intended users of the financial statements to understand the effect of material transactions and events on the information presented in the financial statements? • Is the terminology used in the financial statements, including the title of each financial statement, appropriate? • When the financial statements have been prepared in accordance with a fair presentation framework, do they achieve a fair presentation of underlying transactions and events? • Is the description of the applicable financial reporting framework appropriate and do the financial statements comply with all the requirements of that framework? Types of audit opinions The types of opinions expressed by the auditor, including the relevant standards, are illustrated in the following diagram: Most audit opinions are unmodified (or ‘clean’). An auditor expresses an unmodified opinion when they conclude that the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. The following table summarises the circumstances under which a modified opinion is issued: Effects or possible effects on the financial statements Material Material and pervasive Materially misstated financial statements Qualified opinion Adverse opinion Inability to obtain sufficient appropriate audit evidence Qualified opinion Disclaimer of opinion Source: Adapted from ISA 705 (Revised) Note that the term ‘pervasive’ describes effects on the financial statements that are: • not confined to specific elements, accounts or items of the financial statements; or • if so confined, represent or could represent a substantial proportion of the financial statements; or • in relation to disclosures, are fundamental to users’ understanding of the financial statements. There are no definitive guidelines (such as quantitative benchmarks) about what is and is not pervasive. The auditor must apply their professional judgement when relating the above three points to the specific issues identified for their client. Note that pervasive issues are very rare in practice and most commonly relate to inappropriate use of the going concern basis of accounting. Example 3.11 – Forming an audit opinion During the audit of Maidenhair Enterprises for the year ended 30 June 20X3, the following was noted: A large portion of Maidenhair Enterprises’ year-end inventory was affected by spoilage, resulting in a significant drop in its realisable value. Maidenhair Enterprises’ management has refused to write-down the inventory, which is currently recorded at cost. The auditor has determined that the inventory value on the statement of financial position is overstated by approximately $450,000. The auditor has assessed that amounts greater than $350,000 are considered material for the client. In this situation, the auditor has identified that the financial statements are materially misstated. The modified opinion decision table, therefore, provides two options: a qualified opinion or an adverse opinion. Effects or possible effects on the financial statements Material Material and pervasive Materially misstated financial statements Qualified opinion Adverse opinion Inability to obtain sufficient appropriate audit evidence Qualified opinion Disclaimer opinion To determine which option is appropriate the auditor needs to consider the ‘pervasiveness’ of the issue giving rise to the modification. Given that the misstatement is confined to specific accounts and does not represent a substantial proportion of the financial statements, the misstatement is not considered to be pervasive. Accordingly, a qualified opinion would be provided. Effects or possible effects on the financial statements Material Material and pervasive Materially misstated financial statements Qualified opinion Adverse opinion Inability to obtain sufficient appropriate audit evidence Qualified opinion Disclaimer opinion Source: This example was adapted from the Appendix to ISA 705 (Revised). Maidenhair Enterprises is a fictional company. Example 3.12 – Forming an audit opinion During the audit of 9 Spokes International Limited consolidated group for the year ended 31 March 2020, the following was noted: Net losses for the group total $4,900,000. Net operating cash outflows equate to $2,600,000. The cash balance of the group at year-end equates to $4,700,000. Management has prepared a forecast showing that it has enough funds to continue trading for approximately another five months. At which time, they will need to obtain additional funds. The auditor cannot determine if additional funds will be obtained when required. The consolidated financial statements have been prepared using the going concern basis of accounting. In this situation, the auditor cannot determine if the going concern basis of accounting is appropriate. This represents an inability to obtain sufficient appropriate audit evidence, which limits the scope of the audit. The modified opinion decision table, therefore, provides two options: a qualified opinion or a disclaimer of opinion. Effects or possible effects on the financial statements Material Material and pervasive Materially misstated financial statements Qualified opinion Adverse opinion Inability to obtain sufficient appropriate audit evidence Qualified opinion Disclaimer opinion To determine which option is appropriate the auditor needs to consider the ‘pervasiveness’ of the issue. If the going concern basis of accounting was deemed to be inappropriate, this could affect the value and classification of multiple material items in the group’s financial statements, as well as require additional note disclosures to be made. As the issue is not confined to specific elements of the financial statements, and it affects disclosures that are fundamental to users’ understanding of the financial statements, this issue is considered to be pervasive. Accordingly, a disclaimer of opinion would be provided. Effects or possible effects on the financial statements Material Material and pervasive Materially misstated financial statements Qualified opinion Adverse opinion Inability to obtain sufficient appropriate audit evidence Qualified opinion Disclaimer opinion Source: This example was adapted from the 2020 annual report for 9 Spokes International Limited (now superseded). Example 3.13 – Forming an audit opinion Continuing from Example 3.12 , following intervention by the Australian Securities and Investments Commission (ASIC), 9 Spokes International Limited provided the auditor with additional information: The board of the parent company has now advised the auditor of their plans to secure new revenue and raise additional cash that will provide enough funding for at least the next 12 months. The auditor has been able to obtain sufficient appropriate evidence that the board’s plans are feasible and realistic. Management has made adequate disclosure in the financial statements about the material uncertainty related to going concern. In this situation, the auditor no longer has an inability to obtain sufficient appropriate audit evidence. As the going concern uncertainty is adequately disclosed, the financial statements are not considered to be materially misstated. Accordingly, there is no reason to modify the audit opinion. An unmodified opinion would be appropriate. Source: This example was adapted from the revised 2020 annual report for 9 Spokes International Limited. Note that additional paragraphs were needed to accompany the unmodified opinion in the auditor’s report, including an ‘Other matter’ paragraph, and a ‘Material uncertainty related to going concern’ paragraph. These paragraphs are illustrated in subtopic 3.2.2. Considering going concern when forming an audit opinion Examples 3.12 and 3.13 demonstrate the complexity associated with considering going concern when forming an audit opinion. Initially it was considered appropriate to disclaim the audit opinion but subsequently an unmodified opinion was issued. There are also situations where a qualified or adverse opinion are appropriate in response to doubts about an entity’s ability to continue as a going concern. Australia specific ASA 570 Aus.A21.1 provides a useful decision tree linking going concern considerations with appropriate audit opinions. Subtopic 3.2.2 describes implications of going concern uncertainty for the auditor’s report, including the inclusion of a ‘Material uncertainty related to going concern’ paragraph, as mandated by ISA 570 (Revised). 3.2.2 The auditor’s report The audit opinion is presented in the auditor’s report, which is issued as the final step in the audit process. The contents of the auditor’s report is based on the applicable auditing standards and legal and regulatory requirements; as well as the applicable financial reporting framework. Applicable financial reporting framework In forming an opinion, the auditor needs to evaluate whether the financial statements are prepared in all material respects in accordance with the requirements of the financial reporting framework. The financial reporting framework can be classified as either a fair presentation or compliance framework. It is likely that most of the financial statements auditors will come across in their work will be based on a fair presentation framework. Australia specific For audits performed under the Corporations Act, both the Corporations Act (ss 295(3)(c) and 297) and Australian Accounting Standards require financial reports to be prepared based on a fair presentation framework (see AASB 101 Presentation of Financial Statements (AASB 101)). New Zealand specific In New Zealand, financial statements must be prepared in accordance with the applicable financial reporting framework (eg New Zealand equivalents to International Financial Reporting Standards (NZ IFRS)). The application of NZ IFRS results in financial statements achieving fair presentation. In the auditor’s report, the auditor must also identify to whom they are addressing the report and who is responsible for the preparation and fair presentation of the financial statements. These details in the auditor’s report should be the same as those included in the engagement letter. Australia specific Under the Corporations Act, the auditor’s primary reporting responsibility is to the company’s members (s308(1)). The auditor also has responsibilities under s311 of the Corporations Act to inform the Australian Securities and Investments Commission (ASIC) in writing if they have reasonable grounds to suspect there has been a significant contravention of, or failure to comply with, the provisions of the Corporations Act. These responsibilities are clarified in ASIC Regulatory Guide RG 34 ‘Auditor’s obligations: Reporting to ASIC’. Suspected contraventions that could be considered significant, include the following: • Insolvent trading by a company. • A breach of Accounting Standards or of the ‘true and fair’ view requirement, including a material misstatement relating to non-disclosure of required information. • Suspected dishonest or misleading and deceptive conduct. For entities reporting under the Corporations Act, management responsibilities refer to responsibilities of directors. Management’s responsibilities are reported under the heading ‘Responsibilities of management for the financial report’. New Zealand specific Reference in the auditor’s report to the responsibilities of management for the preparation of the financial statements have been amended to refer to the responsibilities of those charged with governance. This is because, in New Zealand, those charged with governance generally have the responsibility for ensuring that an entity meets its legal obligations in relation to the preparation of financial statements. This is reflected throughout ISA (NZ) 700 (Revised). Form and content of an auditor’s report An unmodified auditor’s report (ie an auditor’s report expressing an unmodified opinion) will include a statement akin to the following: In our opinion, the accompanying financial statements present fairly, in all material respects, the financial position of the Company as at 31 December 20X3 and of its financial performance and cash flows for the year then ended in accordance with International Financial Reporting Standards (IFRS). An unmodified auditor’s report will also include a section titled ‘Basis for opinion’. Refer to the appendix to ISA 700 (Revised) for a complete example of an unmodified auditor’s report. Australia specific When an entity is reporting under the Corporations Act, the auditor’s report refers to compliance with the Corporations Act and Corporations Regulations in addition to compliance with Australian Accounting Standards. Under the Corporations Act, the term ‘give a true and fair view’ must be used in the opinion. The ‘Basis for opinion’ section identifies the applicable Auditing Standards as Australian Auditing Standards and reflects additional requirements under ASA 700. ASA 700 requires the auditor to identify the relevant ethical requirements applicable in Australia (ie APES 110 Code of Ethics for Professional Accountants) when providing the basis for their opinion. The Basis for opinion also refers to the independence declaration required under the s307 of the Corporations Act. For audits performed under the Corporations Act, the auditor also has a responsibility to report under s308(3C) of the Corporations Act. For these audits, the auditor includes a ‘Report on the remuneration report’ section in the auditor’s report. In this section, the auditor expresses an opinion on the compliance of the remuneration report with s300A of the Corporations Act. New Zealand specific For an entity that is required to apply the New Zealand Accounting Standards Framework, the audit opinion should refer to the applicable financial reporting requirements issued by the New Zealand Accounting Standards Board that apply to the tier under which the entity is reporting. The ‘Basis for opinion’ section identifies the applicable Auditing Standards as International Standards on Auditing (New Zealand) and reflects additional requirements under ISA (NZ) 700 (Revised) to identify the relevant ethical requirements applicable in New Zealand (ie PES 1 Code of Ethics for Assurance Practitioners) when providing the basis for opinion. The ‘Basis for opinion’ section must also include a statement as to the existence of any relationship or interests (other than that of an auditor) that the auditor has with or in the entity. ISA 705 (Revised) provides detailed guidance about the modifications required for the auditor’s report in circumstances where a modified opinion is expressed. Examples 3.14, 3.15 and 3.16 show modified opinions from auditor’s reports. Example 3.14 – Auditor’s report with a qualified opinion The following auditor’s report extract shows how the opinion paragraph is presented when the auditor wishes to qualify their opinion. This example is from the auditor’s report issued by PricewaterhouseCoopers, which was included in the 2020 annual financial report for Fisher & Paykel Healthcare Corporations Limited. The audit opinion was qualified due to an inability to obtain sufficient appropriate audit evidence about the company’s inventory. QUALIFIED OPINION In our opinion, except for the possible effects of the matter described in the Basis for qualified opinion section of our report, the accompanying consolidated financial statements present fairly, in all material respects, the financial position of the Group as at 31 March 2020, and its financial performance and its cash flows for the year then ended in accordance with New Zealand Equivalents to International Financial Reporting Standards (NZ IFRS) and International Financial Reporting Standards (IFRS). BASIS FOR QUALIFIED OPINION As explained in Note 3, due to the COVID-19 pandemic, certain of the Group’s annual finished products inventory counts and materials cycle counts planned to be held on or close to 31 March 2020 did not occur. In planning and scoping our audit we intended to verify the quantities and condition of 100% of the Group’s materials and 80% of the Group’s finished products by value through physical inventory count procedures at 31 March 2020 and cycle count procedures across the financial year. We were able to verify 32% of the Group’s total materials and 62% of the Group’s total finished products but were unable to satisfy ourselves by alternative means as to the quantities and condition of the remaining materials and finished products planned to be verified. Consequently, we were unable to determine whether any adjustments to the materials balance of $50.3 million and finished products balance of $111.4 million at 31 March 2020 were necessary. Since closing inventories affect the determination of the results of operations, we were unable to determine whether adjustments to the results of operations might be necessary for the year ended 31 March 2020. Source: © Fisher & Paykel Healthcare Limited 2020, Annual report 2020, viewed February 2021, resources.fphcare.com/content/2020-fph-annual-report.pdf A qualified auditor’s report also includes all other required paragraphs and sections included in an unmodified auditor’s report, such as ‘Management’s and auditor’s responsibilities’ and ‘Key audit matters’ (discussed later). Example 3.15 – Auditor’s report with an adverse opinion This example shows an adverse opinion that was included in the auditor’s report issued by KPMG for the financial statements of Sky and Space Global Limited. An adverse opinion was issued due to the existence of onerous contracts for which no provision had been recorded. Note that this entity was not expected to continue as a going concern, but that this was not the reason for the adverse opinion. The financial statements were not prepared using the going concern basis of accounting and disclosures about this were made. Accordingly, they were not materially misstated in that respect and only an ‘Emphasis of matter’ paragraph was needed in relation to the going concern issue (‘Emphasis of matter’ paragraphs are discussed later in this chapter). Adverse Opinion We have audited the Financial Report of Sky and Space Global Ltd (the Company). In our opinion, because of the significance of the matter described in the Basis for Adverse Opinion section of this report, the accompanying Financial Report of the Company is not in accordance with the Corporations Act 2001, including: giving a true and fair view of the group’s financial position as at 30 June 2019 and of its financial performance for the year ended on that date; and complying with Australian Accounting Standards and Corporations Regulations 2001. The Financial Report comprises: Consolidated statement of financial position as at 30 June 2019 Consolidated statement of profit or loss and other comprehensive income, Consolidated statement of changes in equity, and Consolidated statement of cash flows for the year then ended Notes including a summary of significant accounting policies Director’s Declaration. The Group consists of Sky and Space Global Ltd (the Company) and the entities it controlled at the year end or from time to time during the financial year. Basis for adverse opinion As disclosed in note 20 Commitments, contingent assets and contingent liabilities the Group has entered into supplier and services contracts relating to its planned future nano-satellite construction and launch and include contract termination clauses that impose substantial costs on the Group should the contracts be terminated by the Group. Pursuant to Australian Accounting Standard 137 – Provisions, Contingent Liabilities and Contingent Assets (AASB 137) the contract termination clauses within the contracts represent onerous contracts. We consider the unavoidable costs of exiting the contracts exceed the future economic benefits expected to be derived under the contracts, given the Group’s assessment that the going concern basis of preparation is not appropriate, as stated in note 2 b) Basis of Preparation. In light of this, we consider the exit of the contracts prior to the intended completion of the contracts constitutes a provision pursuant to AASB 137. The Financial report does not include a provision for onerous contracts. Had the Group accounted for this provision in accordance with AASB 137, an expense would be recorded in the consolidated statement of profit or loss and other comprehensive income for approximately $118 million with the recognition of a decreasing shareholders’ equity by $118 million, and current and total liabilities would increase by $118 million. This matter results in further misstatements in the notes to the Financial Report as a result of the group referring to the incorrect annual result, such as in the tax expense reconciliation. Additionally, the disclosures in note 2 b) Basis of Preparation do note describe the impact of recognition of this provision on the Directors preparing the Financial Report on a basis other than going concern. As a result, the notes to the Financial Report currently omit this qualitative information. Source: KPMG 2019, Sky and Space Global Ltd: Annual financial report 2019, KPMG, pp 44–5, viewed 23 January 2021, asx.com.au/asxpdf/20191204/pdf/44c8s4vccrztf8.pdf An adverse auditor’s report also includes all other required paragraphs and sections included in an unmodified auditor’s report. Example 3.16 – Disclaimer of opinion This example shows a disclaimer of opinion that was included in the auditor’s report issued by PricewaterhouseCoopers for 9 Spokes International Limited. As described in Example 3.12 , this opinion was the result of an inability to obtain sufficient appropriate audit evidence about the company’s ability to continue as a going concern. Note that auditors must have very strong grounds for issuing a disclaimer of opinion (essentially, it involves conceding that you have exhausted all options and cannot do the job you committed to doing). In the case of 9 Spokes International Limited, the auditor’s report was subsequently reissued (see Examples 3.13 and 3.19 ). Disclaimer of opinion We were engaged to audit the consolidated financial statements of 9 Spokes International Limited (the Company), including its subsidiaries (the Group), which comprise the consolidated statement of financial position as at 31 March 2020, the consolidated statement of comprehensive income, consolidated statement of changes in equity, and consolidated statement of cash flows for the year then ended, and the notes to the consolidated financial statements, which include a summary of significant accounting policies. We do not express an opinion on the accompanying consolidated financial statements of the Group. Because of the significance of the matter described in the Basis for disclaimer of opinion section of our report, we have not been able to obtain sufficient appropriate audit evidence to provide a basis for an audit opinion on these consolidated financial statements. Basis for disclaimer of opinion As described in note 2(c) to the consolidated financial statements, the Group incurred a net loss of $4.9 million and had a net operating cash outflow of $2.6 million for the year ended 31 March 2020. The Group had available cash of $4.7 million as at 31 March 2020. The Group forecasts that it has sufficient funds available to continue operations for a five month period from the date these consolidated financial statements are authorised. The Group will need to secure either new revenue opportunities or raise additional capital to continue operations beyond this period. Due to the level of uncertainty associated with forecasting the Group’s future cash flows, especially relating to the securing of new revenue opportunities, and the absence of formal and advanced capital raising activity, we were unable to obtain sufficient appropriate audit evidence to enable us to form an opinion as to whether the use of going concern assumption in the preparation of the consolidated financial statements is appropriate. As a result of these matters, we were unable to determine whether any adjustments are necessary to the amounts recorded in the consolidated statement of financial position and the consequential impact on the consolidated statement of comprehensive income and the consolidated statement of changes in equity. Source: © 9 Spokes International Limited 2020, ‘Reissued annual report’, 31 March, viewed February 2021, cms.9spokes.com/assets/uploads/documents/20203031_ReissuedAnnualReport.pdf Note that the wording of the auditor’s report has been amended to state that the auditor was engaged to audit the financial statements (not that the financial statements were audited) due to the nature of a ‘disclaimer of opinion’. The auditor’s responsibilities referred to in the auditor’s report will also be modified to include a more limited description of the auditor’s responsibilities. Additional paragraphs in the auditor’s report In less extreme circumstances, it might not be necessary to modify the auditor’s opinion. Rather, it might be more appropriate to add an additional paragraph to the auditor’s report to highlight a key issue. In certain circumstances the auditor is required, under ISA 706 (Revised), to include an additional paragraph or paragraphs for: • ‘Emphasis of matter’ (EOM), and/or • ‘Other matter’ (OM). Similarly, in accordance with ISA 570 (Revised), ISA 701 and ISA 720 (Revised), respectively, an auditor may need to include sections titled: • ‘Material uncertainty related to going concern’ • ‘Key audit matters’, and/or • ‘Other information’. These paragraphs, and the matters they relate to, are not ‘modified’ auditor’s opinions. They are used by the auditor to draw users’ attention to particular matters, but do not affect whether the auditor’s opinion is unmodified or modified. Emphasis of matter (EOM) paragraph An EOM paragraph highlights a matter that is appropriately presented or disclosed in the financial statements, but which, in the auditor’s judgement, is of such importance that it is fundamental to users’ understanding of the financial statements. A matter can only be included in an EOM paragraph if the auditor has obtained sufficient appropriate audit evidence that the matter is not materially misstated in the financial statements. An EOM paragraph can be added to, but cannot replace, a qualified or adverse opinion or a disclaimer of opinion. If an auditor plans to include an EOM paragraph in the auditor’s report, they must communicate this to those charged with governance. Appendix 1 of ISA 706 (Revised) includes specific requirements for the auditor to include an EOM paragraph in certain situations. In addition, ISA 706 (Revised) includes examples of circumstances in which the auditor may consider it necessary to include an EOM paragraph. Example 3.17 – An EOM paragraph This example shows an EOM paragraph from the auditor’s report issued by KPMG in the 2020 annual report for Bathurst Resources (New Zealand) Limited. It identifies an uncertainly relating to litigation, which has been appropriately disclosed by the client as a contingent liability in the notes to the financial statements. Emphasis of matter – contingent liabilities We draw attention to note 23(c) to the consolidated financial statements which discloses that L&M Coal Holdings Limited has given notice to the Company that it intends to pursue further legal action under the terms of the Buller Coal project sale and purchase agreement. No liability has been recognised as at 30 June 2020 based on legal advice that it is more likely than not that the Company will successfully defend any claim. Source: © Bathurst Resources Limited 2020, ‘Financial statements for the year ended 30 June 2020’, p 43, viewed February 2020, https://bathurst.co.nz/assets/reports/2020-10-30-Annual-Report2.pdf. https://bathurst.co.nz/assets/reports/2020-30-June-signed-Financial-Statements-with-audit-report3.pdf Example 3.18 – An EOM paragraph This further example shows an EOM paragraph from the auditor’s report for Sky and Space Global Limited. This company was mentioned in Example 3.15. Remember that the audit opinion in this case was not modified due to the issue noted in the EOM; it was modified for a different reason and the EOM paragraph is in addition to that modification. Emphasis of matter – basis of preparation We draw attention to Note 2 b) to the Financial Report, which describes the basis of preparation. The Financial Report has been prepared on a basis other than going concern for the reasons described in Note 2 b). Our opinion is not further modified in respect of this matter. Source: 9 Spokes International Limited 2020, ‘ASX Release. 9 Spokes releases FY20 Annual report', 9 Spokes, p 45 The placement of an EOM paragraph in the auditor’s report depends on the nature of the information to be communicated and the auditor’s judgement about the relative significance of the information. Use of an EOM paragraph is not a substitute for individual key audit matters being included in the ‘Key audit matters’ section. Key audit matters are discussed later in this chapter. A matter that is included in the auditor’s report as a key audit matter is not included as an EOM paragraph. Other matter (OM) paragraph An OM paragraph is similar to an EOM paragraph. It is included in the auditor’s report to refer to a matter other than those presented or disclosed in the financial statements that, in the auditor’s judgement, is relevant to: • users’ understanding of the audit • the auditor’s responsibilities • the auditor’s report. As with EOM paragraphs: • If an auditor plans to include an OM paragraph in the auditor’s report, they must communicate this to those charged with governance. • The placement of an OM paragraph in the auditor’s report depends on the nature of the information to be communicated and the auditor’s judgement about the information’s relative significance. • Use of an OM paragraph is not a substitute for individual key audit matters. Where a matter is included in the auditor’s report as a key audit matter, it is not included as an OM paragraph. Key audit matters are discussed later in this chapter. Example 3.19 – An OM paragraph This example shows an OM paragraph for 9 Spokes International Limited. As described in Examples 3.12 and 3.13, the 2020 financial statements for this company were originally issued with a disclaimer of opinion and subsequently revised such that the audit opinion was unmodified. The revised auditor’s report included an OM paragraph as shown here. The OM paragraph helps financial report users to understand the circumstances around the re-issuing of the audit report. We will revisit this company one more time in this chapter. Other matter (reissue of the consolidated financial statements) Our audit report dated 29 June 2020 contained a Disclaimer of opinion due to our inability to obtain sufficient appropriate audit evidence to form an opinion as to whether the use of the going concern assumption in the preparation of the consolidated financial statements was appropriate. We have subsequently been provided with additional audit evidence relating to the Board’s plan to secure new revenue and raise additional cash to ensure sufficient funding beyond the forecasted four month period, for at least 12 months from the date of signing these financial statements, as disclosed in note 2(b). This evidence enabled us to form an opinion on the appropriateness of the use of the going concern basis in the preparation of the consolidated financial statements. This reissued opinion replaces the audit report issued on 29 June 2020. Source: © 9 Spokes International Limited 2020, ‘Reissued annual report 31 March 2020', viewed 23 January 2021, cms.9spokes.com/assets/uploads/documents/20203031_ReissuedAnnualReport.pdf Material uncertainty related to going concern All auditor’s reports include a statement that it is the auditor’s responsibility to determine the appropriateness of management’s use of the going concern basis of accounting and, based on the audit evidence obtained, whether a material uncertainty exists relating to events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern. If a material uncertainty exists, the appropriateness of its disclosure in the financial statements has implications for the auditor’s report. When management has made disclosures in the financial statements about the material uncertainty, the auditor’s report must include a separate section with a heading ‘Material uncertainty related to going concern’. Example 3.20 – ‘Material uncertainty related to going concern’ Referring again to the example of 9 Spokes International Limited; remember that the 2020 auditor’s report was originally issued with a disclaimer of opinion, and subsequently revised to include an unmodified opinion. The unmodified opinion was accompanied by the following paragraph. Material uncertainty related to going concern We draw attention to note 2(d) in the consolidated financial statements, which discloses that the Group has incurred a loss of $4.9 million and net cash outflows from operating activities of $2.6 million for the year ended 31 March 2020. At the current run rate the Group only has sufficient cash for a further four months from the date of signing these consolidated financial statements. In order to generate sufficient cash for at least the next 12 months from the date of signing of these consolidated financial statements, the Group needs to secure new revenue opportunities and raise additional capital. As stated in note 2(d), these events or conditions, along with other matters set forth in note 2(d), indicate that material uncertainty exists that may cast significant doubt on the Group’s ability to continue as a going concern. Our opinion is not modified in respect of this matter. Source: © 9 Spokes International Limited 2020, ‘Reissued annual report 31 March 2020', viewed 23 January 2021, cms.9spokes.com/assets/uploads/documents/20203031_ReissuedAnnualReport.pdf Key audit matters Another important part of the auditor’s report is the ‘Key audit matters’ section. This section is mandatory for listed entities preparing general purpose financial statements and voluntary for other entities. What are key audit matters? Key audit matters are the areas of an audit that the auditor views as being the most significant. In communicating key audit matters, the auditor gives the users of financial statements insight into which issues were considered to be most important to the audit, why those issues were considered important and how the auditor addressed them. In a way, the Key audit matters section tells a story about the main issues encountered by the auditor and highlights aspects of the financial statements without replicating management’s disclosures. The number and description of matters presented in this section varies between entities and between periods. Determining key audit matters In determining which issues from the audit represent the key audit matters, the auditor uses their professional judgement and considers multiple factors, such as the following: Factor Risk The auditor considers areas with higher risk of material misstatement and other significant risks for inclusion as key audit matters. In a risk-based audit, auditors do more work on the riskier areas of the audit. When auditing these areas, auditors use more professional judgement and obtain more persuasive audit evidence. Significance Matters requiring significant auditor attention can be significant due to their size or nature. Significance also depends on the importance of the matter to the users of financial statements (eg breach of loan covenants). Judgement Matters requiring special auditor attention often relate to areas of complexity and significant management judgement (eg consideration of impairment). Judgemental areas affect the audit strategy, allocation of resources and extent of audit effort. At the planning and risk assessment stage of the audit, the auditor develops a preliminary view of matters likely to require significant audit attention and that, therefore, may be key audit matters. The auditor communicates these to those charged with governance when discussing the scope and timing of the audit. The final determination of which matters will be communicated in the auditor’s report as key audit matters is based on the results of the audit. At the end of the audit, the auditor provides those charged with governance with a draft version of the auditor’s report and discusses it with them. This gives those charged with governance an opportunity to understand the basis for the auditor’s decisions. It also enables them to consider whether new or enhanced disclosures would be useful in light of the matters communicated in the auditor’s report. The decision-making framework for matters reported as a key audit matter can be illustrated as follows: Source: Adapted from International Federation of Accountants 2015, The new auditor’s report: Overview of the new and revised Auditor Reporting Standards and related conforming amendments, ifac.org/system/files/publications/files/Auditor-Reporting-Standards-Slides-for-Toolkit-2.pdf. Copyright © 2020 The International Federation of Accountants (IFAC). Given the level of judgement required, in practice the audit partner determines what the key audit matters are. Some audit firms have expert panels consisting of senior partners that review all ‘Key audit matters’ sections to ensure the quality and consistency of the auditor’s reports. Common matters that have been reported in practice relate to revenue recognition, asset valuations and impairment, provisions and contingencies, and the impact of COVID-19. The order in which individual matters are presented is also a matter of professional judgement. For example, information may be ordered by relative importance or it may correspond to the order in which matters are disclosed in the financial statements. Examples 3.21 and 3.22 are key audit matters that were included in the reissued auditor’s report for 9 Spokes International Limited. Example 3.21 – Key audit matter – revenue recognition Key audit matter Referring again to the example of 9 Spokes International Limited, the Group’s revenue is largely derived from system implementation fees and platform access fees charged to customers. Management has determined that contracts with Enterprise Channel Customers, including implementation fees and platform access fees, represent one performance obligation, which is to provide the platform services. This is because the customer could not benefit from the system on its own and separately from the platform access. The Group aggregates the fees received from system implementation and platform access and recognises revenue on a straight-line basis from the start of the hosting period until the expected end of the hosting services. Fees received which relate to the implementation phase are recognised on the statement of financial position as contract liabilities until hosting commences at the ‘Go live’ date. The Group’s revenue accounting policy is set out in note 3 of the consolidated financial statements. Given the significance of the balances and the judgements involved, this was considered to be a key audit matter. How our audit addressed the key audit matter To assess the appropriateness of management’s treatment of implementation fees and platform access fees as one performance obligation, we: recalculated the revenue recognised in the year. read management's assessment of the application of NZ IFRS 15 Revenue from Contracts with Customers on the Group's new revenue arrangement which went live during the year ended 31 March 2020. read the new material customer contract and analysed management’s assessment of the technical objectives, performance obligations and the commercial factors of this arrangement against the requirements of NZ IFRS 15. confirmed the date when the Group commenced hosting services with evidence. We considered alternative situations for the new revenue contract, including whether there were separate performance obligations for implementation and platform access services or other performance obligations that better reflected the terms of the Group's revenue arrangement. We have no matters to report. Source: © 9 Spokes International Limited 2020, ‘Reissued annual report 31 March 2020', viewed 23 January 2021, cms.9spokes.com/assets/uploads/documents/20203031_ReissuedAnnualReport.pdf Example 3.22 – Key audit matter – recognition of research and development costs Key audit matter Referring again to the example of 9 Spokes International Limited, the research and development accounting policy is contained in note 5(b) of the consolidated financial statements. The Group incurred $4.3 million of research and development costs (excluding capitalised implementation costs) during the year, which were all expensed. There were no development costs capitalised. There is judgement in determining whether particular activities meet the definition of “research” and/or “development” and then whether the costs should be expensed or capitalised as product development costs (an intangible asset) in accordance with accounting standards. All costs incurred as part of the research phase are expensed. Costs incurred in the development phase are only capitalised if they meet the capitalisation criteria. Management assess the capitalisation criteria for each project in accordance with the Group’s accounting policy. At 31 March 2020 they determined that there was no certainty of funding or future economic benefits from current development projects and therefore none of the costs should be capitalised. Given the significance of the balances and the judgements involved, this was considered to be a key audit matter. How our audit addressed the key audit matter Our audit procedures included obtaining an understanding of the processes and controls over the recognition of research and development costs. We discussed the nature of the research and development work undertaken during the year with the Chief Innovation Officer and other management staff. On a sample basis we validated these activities through discussions with individual team members. We discussed the nature of the work being undertaken and ensured that they met the definition of “research” and/or “development” as defined by the accounting standards. We considered management’s assessment that the capitalisation criteria had not been met, and therefore why it was appropriate to expense all development costs. Our consideration included challenging their assessment of the certainty of funding and the certainty of future economic benefits resulting in management’s conclusion to expense all development costs. We have no matters to report. Source: © 9 Spokes International Limited 2020, ‘Reissued annual report 31 March 2020', viewed 23 January 2021, cms.9spokes.com/assets/uploads/documents/20203031_ReissuedAnnualReport.pdf Key audit matters when the auditor’s opinion is modified If the auditor’s report includes a qualified or adverse opinion, the auditor’s report will still include a ‘Key audit matters’ section. These modifications do not affect the requirements of ISA 701. However, if an auditor disclaims an opinion, the ‘Key audit matters’ section is not included. This is because of concerns that communicating key audit matters would suggest the auditor was able to reach a conclusion about these matters. When key audit matters are not communicated As noted above, key audit matters are not reported in the case of a disclaimer of opinion. It is rare to find other instances were key audit matters are not reported. If the auditor determines that there are no key audit matters to be communicated in the auditor’s report, the auditor communicates this to those charged with governance. The issues considered by the auditor about whether to communicate matters are complex, involve significant auditor judgement, and may require the auditor to seek legal advice. The auditor would need to document in the audit file the rationale for their determination to not communicate key audit matters. New Zealand specific In New Zealand, audits of complete sets of general purpose financial statements of FMC reporting entities are considered to have a higher level of public accountability. For FMC reporting entities other than listed issuers, the auditor must communicate key audit matters. In New Zealand, law or regulation may require communication of key audit matters for entities other than FMC reporting entities considered to have a higher level of public accountability − for example, entities characterised in law or regulation as public interest entities. The auditor may also decide to communicate key audit matters for other entities that may be of significant public interest, such as banks, insurance companies and pension funds. Throughout ISA (NZ) 701, references to ‘listed entities’ appearing in the International Standard have been amended to ‘FMC entities considered to have a higher level of public accountability’ and the corresponding paragraphs have been labelled as NZ paragraphs. Similarly, references to ‘management’ have been amended to ‘those charged with governance’. Other information The auditor’s responsibilities relating to other information (eg information in an annual report) were discussed in Topic 3.1.4. This subtopic considers the impact of other information on the auditor’s report. The auditor must include a separate section with a heading ‘Other information’, or other appropriate heading, when, at the date of the auditor’s report: • The auditor has obtained or expects to obtain the other information (for an audit of a listed entity). • The auditor has obtained some or all of the other information (for an audit of non-listed entity). ISA 720 (revised) lists the information that must be included in the other information section. The following diagram summarises the requirements for an ‘Other information’ section: Source: Adapted from Auditing and Assurance Standards Board 2015, ASA 720 The Auditor's Responsibilities Relating to Other Information, viewed 23 January 2021, auasb.gov.au/admin/file/content102/c3/ASA_720_2015.pdf Impact on the ‘Other information’ section when the auditor’s opinion is modified If an auditor’s report is required to include an ‘Other information’ section under ISA 720 (Revised), the auditor must consider if the other information is also misstated because of the same matter that gave rise to the modification, or if the ‘Other information’ section must be otherwise modified (eg due to a limitation of scope). If an auditor disclaims an opinion, an ‘Other information’ section is not included in the auditor’s report Roles and responsibilities of audit team members in relation to the auditor’s report The auditing standards refer to ‘the auditor’ and the responsibilities of ‘the auditor’ with respect to the auditor’s report. In practice, this refers to the audit partner as they are the one responsible for the opinion. The consequences of the auditor issuing an inappropriate audit opinion can be significant. Therefore, it is likely that where a modification to an auditor’s opinion is necessary. The audit partner is likely to consult with an independent partner (or independent panel of technical specialists within the firm) in reaching this decision. In most cases, it is the responsibility of the audit team to draft the auditor’s report (or tailor the correct auditor’s report template). To do this, the audit team member responsible for drafting the report should, at a minimum, have an understanding of the following: • Whether the entity is listed. • Whether the audit is of a single entity or a group (eg if there are subsidiaries). • What the applicable financial reporting framework is (eg IFRS). • What the applicable laws and regulations are (eg the Corporations Act in Australia). • The responsibilities of management, those charged with governance and/or the directors for the financial statements and the oversight of the financial reporting process. • The type of opinion being issued and reasons why this opinion is being issued. • The conclusion reached on whether a material uncertainty exists related to going concern, and how this conclusion was reached. • Whether there are key audit matters and whether they have been appropriately communicated. • Whether the audit team obtained all other information before the date of the auditor’s report. • The relevant ethical principles and whether they have been adhered to. Australia specific The name of the engagement partner must be included in the auditor’s report under ASA 700. When an auditor’s report refers to a description of the auditor’s responsibilities on a website, ASA 700 identifies the AUASB and its website address as the appropriate reference. New Zealand specific The name of the engagement partner must be included in the auditor’s reports of all FMC reporting entities considered to have a higher level of public accountability. When an auditor’s report refers to a description of the auditor’s responsibilities on a website, ISA (NZ) 700 (Revised) identifies the External Reporting Board (XRB) and its website address as the appropriate reference. Chapter summary This chapter discussed the final stages of the audit process, including the ‘completion’ procedures, and the process of forming and communicating the audit opinion. Completion procedures included general audit procedures involving: • Considering subsequent events. • Considering the financial statement close process. • Reviewing the full set of financial statements. • Considering the appropriateness of the client’s disclosures. • Reviewing the accuracy and presentation of comparative information. • Per forming final analytical procedures. • Obtaining representations from management or those charged with govern ance. The auditor evaluates the evidence they have collected during their audit procedures and considers whether any additional procedures need to be performed. Analytical procedures help them to determine whether or not the financial statements were consistent with their understanding of their client. The auditor records misstatements identified during the audit in a ‘summary of misstatements’ workpaper and considers whether the aggregated uncorrected misstatements are material. Results from the audit must be communicated with management, those charged with governance and the intended users of the financial statements through the auditor’s report. The auditor’s report includes one of the following audit opinions: • Unmodified. • Qualified. • Adverse. • Disclaimer of opinion. It also describes the basis for the opinion and key matters considered during the audit (‘key audit matters’). In addition to key audit matters, the auditor’s report might include additional paragraphs in relation to the following: • Emphasis of matter. • Other matter. • Material uncertainty related to going concern. • Other information. Many of the procedures completed in the final stages of the audit involve high levels of professional judgement.