AA - Audit and Assurance
Transcript of AA - Audit and Assurance
1
AA - Audit and Assurance
Contents
Laws and Regulations ............................................................................................................. 2
REGULATORY BODY ............................................................................................................ 2
REQUIREMENT OF EXTERNAL AUDIT .................................................................................. 2
THE RIGHTS AND DUTIES OF THE AUDITOR ....................................................................... 3
APPOINTMENT AND REMOVAL OF THE AUDITOR ............................................................. 4
Fraud ...................................................................................................................................... 5
AUDITOR'S RESPONSIBILITIES ............................................................................................. 5
FRAUD ................................................................................................................................. 6
The Planning Process .............................................................................................................. 7
THE PURPOSE OF THE PLAN ............................................................................................... 7
IDENTIFYING AUDIT RISKS .................................................................................................. 7
AUDIT STRATEGY ................................................................................................................ 8
MATERIALITY AND PERFORMANCE MATERIALITY ............................................................. 8
Audit Documentation ........................................................................................................... 10
AUDIT DOCUMENTATION ................................................................................................. 10
CURRENT AUDIT FILE ........................................................................................................ 11
ACCESS TO WORKING PAPERS .......................................................................................... 12
Quality Control (ISA 220) ...................................................................................................... 13
1. The H is for HUMAN RESOURCES: ................................................................................ 13
2. The E is for ETHICAL REQUIREMENTS: .......................................................................... 13
3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS: ....................................... 14
4. The R is for RESPONSIBILITIES OF LEADERSHIP: ........................................................... 14
5. The M is for MONITORING: .......................................................................................... 14
6. Finally, E is for ENGAGEMENT PERFORMANCE: ........................................................... 15
2
Laws and Regulations
REGULATORY BODY
External auditors must follow strict guidance to ensure their work is of the correct standard.
This includes:
– The code of ethics which is guidance on behaviour of the auditor;
– Auditing standards that must be followed; and
– Corporate law specific to where they are based and where the client operates.
The IFAC, International Federation of Accountants, is a global supervisory body.
The IAASB, International Auditing and Assurance Standards Board, is the group that looks
after the external auditor. They have 2 key outputs:
1. The development of international standards on auditing, or ISAs (currently 36); and
2. International standard on quality control, or ISQC (only 1).
ISAs are published in a book, regularly reviewed and periodically updated by the IAASB.
Each ISA gives the auditor specific guidance on elements of the audit process. For a new ISA
to be developed, there is a lengthy process, which includes:
– A debate within the IAASB on the issue;
– An issue of an exposure draft, which is a draft of the standard;
– Comments from external parties are taken on board and approval from the IAASB is
sought; and
– The new or adapted ISA is published.
Note: Many countries may have created their own version of auditing standards and choose
not to follow the international ones. This is permitted as the IFAC has no legal standing in
each country.
REQUIREMENT OF EXTERNAL AUDIT
Who needs an audit?
1. Registered companies are required to have an external audit.
2. In UK law there is an exemption which allows small companies (companies with
revenue not more than £6.5 million) to not appoint external auditors, but they can
still have an external audit if they wish.
3
Who is allowed to form an independent opinion?
– The practitioners (those responsible for the audit and decisions made on it) are
required to be a member of a recognised supervisory body or RSB (ACCA and ICAEW),
and be allowed to be a practitioner by their rules.
– Once a member, they are allowed to form an opinion on financial statements and sign
audit reports.
THE RIGHTS AND DUTIES OF THE AUDITOR
The key rights of an auditor are:
1. They must be allowed access to all relevant company books and records;
2. They must be given all information and explanations necessary to complete their
audit;
3. They must be allowed to attend any general meetings between the management
and the shareholders, including the AGM;
4. They are allowed to be heard at such meetings; and
5. They must be given copies of any written resolutions of the company.
The auditor's duties are:
1. To audit the financial statements and form an independent opinion on them, stating
whether or not they are true and fair;
2. To report on any specific legal requirements relevant to the company being audited;
and
3. To ensure they follow auditing standards and their ethical code while carrying out
the audit.
4
APPOINTMENT AND REMOVAL OF THE AUDITOR
Auditors are generally appointed by the shareholders. However there are some exceptions
to this rule:
If it is the first year that the audit has been required, or if it is the first year the
company has been set up, the directors are allowed to appoint the auditors initially.
If neither the directors or shareholders have appointed the auditors, and deadlines
for submission of an audit report have passed, then the government would usually
step in.
There are two main situations where auditors would no longer act for a company:
1. They are no longer able to act for the company and resign as auditors. Auditors issue
a statement of circumstances which gives the reasons for the resignation, and would
then be available to assist with a handover to the next audit firm appointed; or
2. They are sacked or removed.
Notes:
– The shareholders are responsible for removing the auditors;
– Notice is given to both the directors and auditors;
– If auditors feel the decision is unjust, they have the right to send a response to all
parties explaining why they should not be removed.
5
Fraud
AUDITOR'S RESPONSIBILITIES
ISA 240 Auditor’s responsibilities relating to fraud: The auditors have a duty to identify and
communicate any evidence found that fraud is present.
Auditor’s responsibility: To obtain reasonable assurance that the financial statements as a
whole are free from material misstatements, whether they arise from fraud or error.
Note: The key difference between fraud and error is whether the misstatement was
intentional or not.
The primary responsibility towards fraud (remains with directors) is to ensure that fraud is
not present in the financial statements and the company as a whole.
The secondary responsibility towards fraud (auditor’s responsibility) is to identify
misstatements during the audit process and assess whether they are as a result of fraud or
error.
In order to maintain responsibility, the auditor must:
– Maintain professional scepticism throughout the audit process;
– Assess any audit risks that could lead to fraud;
– Generally assess the risk of material misstatements for the entity;
– Review how management react and manage fraud;
– Talk to management to see if they are aware of any instances of fraud; and
– Gather sufficient appropriate evidence from audit procedures designed to assess the
risk of fraud.
6
FRAUD
Fraud is criminal activity. There are two types of fraud:
1. Fraudulent financial reporting; and
2. Misappropriation of assets.
A high risk of fraud requires:
1. Planning of appropriate procedures to ensure auditors are in the best position to
detect fraud;
2. Ensuring that more experienced audit staff is available for the audit team;
3. Changing audit procedures from what auditors would normally do, as being less
predictable could catch out anyone trying to conceal fraud;
4. Focusing on balances containing estimates from management as this would be a
popular area to manipulate figures; and
5. Focusing on the transactions posted around the year end, as cut-off errors are often
an intentional way of increasing or reducing balances.
If fraud is found by the auditor, the following steps must be followed:
1. Report it to those responsible for the audit team, for example, the audit manager
and audit partner;
2. They should then consider the evidence obtained and report this to the highest level
of management at the client;
3. If the auditor is suspicious that the management are involved, they should seek legal
advice and consider whether they should report externally;
4. Caution should be taken when reporting externally as the auditor has a duty to
maintain confidentiality;
5. If the fraud detected is material to the users of the financial information, then the
auditor would need to modify the audit report to make the shareholders aware of
the issue.
7
The Planning Process
THE PURPOSE OF THE PLAN
ISA 300: The objective of planning the audit is to ensure it is performed in an effective
manner. There are some key reasons why a plan is important for an audit:
– It will ensure the auditor can give enough attention to more problematic areas;
– It gives auditors time to assess the risks associated with the audit before they start the
audit work;
– They are able to plan appropriate audit procedures in relation to these risks;
– They can select the right level of experience needed on the audit team; and
– They can consider the need for experts and assistance from internal auditors which can
then be planned properly.
IDENTIFYING AUDIT RISKS
The audit plan begins with identifying potential audit risks. An audit risk is the risk of the
auditor providing an inappropriate opinion, for example, reporting that the financial
statements are true and fair when they are not. The auditor must assess risks using the
audit risk model:
AR = IR x CR x DR, where
IR = Inherent risk - the risk of material misstatement due to the nature of the entity;
CR = Control risk - the risk of material misstatement due to poor controls; and
DR = Detection risk - the risk of material misstatement due to the auditor not spotting
errors.
There are two main pieces of work that assist auditors in identifying these risks:
1. Analytical procedures: These are comparisons of financial and non-financial data to help
the auditor understand material changes in the financial statements. With the use of ratios,
auditors can identify changes in balances which may then need to be investigated when
carrying out their audit procedures later on.
2. Understanding the entity and its environment: This is an important procedure because if
the auditor lacks a fundamental understanding of what the client does, there is a real risk
they may make poor decisions and issue an inappropriate opinion.
8
AUDIT STRATEGY
The audit strategy is produced to identify the overall plan for the audit. We can separate the
audit strategy into three components:
1. The scope: specific details relating to the audit for the client (inventory locations,
reporting systems, etc.);
2. The timing: Considers when areas of the audit process should be completed. The
audit may need to include an interim and a final audit; and
3. The overall direction of the audit: The auditor decides what style of procedures are
required and the volume of work needed. The auditor will be able to determine
whether control systems look reliable and decide whether direction will be controls
based (the level of substantive work can be reduced), or procedural (more detailed
audit testing, larger sample sizes, skilled staff and more time needed).
MATERIALITY AND PERFORMANCE MATERIALITY
At the planning stage, the auditor must decide what a material misstatement is, which
means that it can influence the users of the financial information. An item can be material
by:
1. Its size: If that is the case, the auditor would request that the client correct this in the
financial statements. If they don’t, the auditor would conclude that the financial statements
are not true and fair. The guidelines on materiality state that an item is material if it is
above:
a. 5-10% of profit;
b. 1/2 - 1% of revenue; or
c. 1-2% of total assets.
2. Its nature: A prime example is directors' transactions which must be transparent to the
users.
The auditor must also consider and set performance materiality. If any misstatements
identified while performing audit procedures are above performance materiality, they are
recorded and presented in the summary of unadjusted errors. The auditor would then
request the client to adjust these errors in the financial statements.
9
WRITTEN AUDIT PLAN
The audit planning document is a detailed document that proves whether the auditor has
planned the audit properly and includes all information needed to then carry out the rest of
the audit process. The planning document should include the following:
– Assessment of materiality and performance materiality;
– Details from the analytical review performed at the planning stage;
– Key audit risks;
– Background information regarding the client in understanding the entity;
– Any specific laws and regulations;
– Staff booked for the audit team and budgets set;
– The overall audit strategy; and
– Deadlines set to ensure the audit process is completed on time.
10
Audit Documentation
AUDIT DOCUMENTATION
ISA 230: The auditors must ensure they have written documentation that:
– Proves that the audit was planned and performed in accordance with auditing
standards;
– Helps the audit team plan and perform the audit;
– Helps more senior members of the audit team direct and supervise, as well as review
the work completed;
– Is a sufficient appropriate record of audit work completed to assist in forming the audit
opinion;
– Assists future audits; and
– Enables the audit team to prove they did the work.
For every client, the audit firm will keep files to organise documentation. There will be:
1. Current audit file: Stores all relevant evidence and documentation relating to the current
audit:
a. It should be completed in a timely manner;
b. Files must be retained by the audit firm for a minimum of 5 years; and
c. It enables the auditor to prove what they did (e.g., in case of legal action).
2. Permanent audit file: Stores all client-related documentation that would be useful for
current and future audits (previous years' financial statements, client organisation structure,
key personnel, contact details, etc.).
3. Correspondence: Evidence that proves that communication between the auditor and the
client is effective (may be electronic or physical).
11
CURRENT AUDIT FILE
The current audit file has three main sections:
1. The planning section: Includes all considerations made during the planning stage;
– Assessment of materiality and performance materiality;
– Details from the analytical review performed at the planning stage;
– Key audit risks;
– Background information regarding the client in understanding the entity;
– Any specific laws and regulations;
– Staff booked for the audit team and budgets set;
– The overall audit strategy; and
– Deadlines set to ensure the audit process is completed on time.
2. Audit performance:
Note: The audit performance section will include all documentation and evidence collected
that relates to the audit procedures carried out on the systems, transactions, balances and
disclosures relating to the financial statements. Without this work the auditor cannot form
an opinion on the financial statements.
For every test carried out, the auditor needs to prepare something called working papers.
The working papers will usually include:
i. Lead schedule: The first document for each balance that will show the total balance,
which will agree with the balance shown in the financial statements;
ii. Backup schedules: Individual schedules for each sub balance which makes up the total
balance in the financial statements;
iii. Audit programmes: Detailed documents which explain the audit procedures carried
out on the balance. Each audit programme must show the following:
– Objective of the test;
– Description of the audit work;
– How the sample was chosen to test;
– Outcome or conclusion from the work;
12
– Who did the work;
– Date it was completed; and
– Who reviewed the work at the completion stage.
3. Completion: The section where the final review is carried out and post year end audit
procedures are carried out. The key areas of the completion stage are:
– Final analytical procedures;
– Disclosure checklist for accounting standards;
– Summary of unadjusted errors;
– Record of adjustments made since the trial balance was produced;
– The subsequent event review;
– The going concern review;
– Written representations;
– Draft financial statements; and
– Draft management letter or report to those charged with governance.
ACCESS TO WORKING PAPERS
The audit file and all of the working papers produced by the audit team belong to the
auditor. Access to the working papers is only permitted if authorisation is given by the
auditor. The reasons for this are:
– The working papers will contain sensitive information about the client;
– If any of the work is lost or stolen, it would need to be recreated in order to form an
opinion; and
– There is a risk of evidence being tampered with.
13
Quality Control (ISA 220)
The topic of Quality Control directly relates to the auditing standard, ISA220 – Quality
Control for an Audit of Financial Statements. This auditing standard focuses on the audit
firm’s own quality control procedures.
Overall objective and importance of quality control:
The standard states that the objective of the auditor is to implement quality control
procedures at the
engagement level that provide the auditor with reasonable assurance that:
(a) The audit complies with professional standards and applicable legal and regulatory
requirements; and
(b) The auditor’s report issued is appropriate in the circumstances.
For this to happen, the standard gives a recommended set of policies and procedures that
should be carried out.
To help remember the key policies and procedures from the standard, you could use ‘HEAR
ME’.
1. The H is for HUMAN RESOURCES:
The audit firm, and in particular, the engagement partner who is responsible for the client,
should ensure that their audit team is capable.
– They should assess the competence of the team members to ensure that the audit is
performed at an appropriate standard.
– They should ensure that the audit team has sound knowledge of the client being
audited, and therefore understands the entity and its environment.
– However, they must also ensure the technical skills within the audit team are enough to
reach appropriate conclusions.
2. The E is for ETHICAL REQUIREMENTS:
Quite simply, the audit firm must ensure that they comply with the ACCA code of ethics.
– They must ensure the fundamental principles are followed, and;
– That they manage any ethical threats, conflicts of interest or other risks appropriately.
14
3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS:
The audit firm must consider whether they should accept every engagement.
– Once they have accepted the client engagement, they must then review every year to
ensure the entity should continue to be their client.
– The key issue is that the audit firm must only accept clients with an acceptable level of
risk.
4. The R is for RESPONSIBILITIES OF LEADERSHIP:
– The engagement partner must take overall responsibility for the audit team and the
audit process.
– This means they must also ensure the quality control procedures within the audit firm
are of a high standard so as to follow professional standards accordingly.
5. The M is for MONITORING:
We have already said that strong policies and procedures should be in place. However, to
ensure these are followed, there must be an element of review from the audit firm. The
standard recommends 2 types of monitoring:
– HOT review
– COLD review
An independent partner within the audit firm undertakes the hot review usually. They
review the audit work and conclusions reached. This is to ensure that the overall conclusion,
i.e. the opinion is appropriate. Hot reviews are usually carried out for listed clients or those
with significant audit risks. A hot review is carried out before the audit report is signed. It is
also known as an EQCR or engagement quality control review. A senior member of staff at
the audit firm performs a cold review. An external consultant can carry it out. They review
the work carried out for the client and the conclusions reached. The key difference is that
the review takes place after the audit has been completed and the audit report is signed. A
sample of clients is selected across the audit firm to review. This ensures consistency across
audit teams, and identifies if there is a risk of noncompliance of professional standards.
15
6. Finally, E is for ENGAGEMENT PERFORMANCE:
This looks at the overall performance of the audit assignments across the audit firm. This is
made up of 3
elements:
– Direction of audit:
The direction focuses on ensuring everyone is aware of the objectives of the audit,
knowledge of the client
business, the risks and any problems that may arise.
– Supervision of audit:
Supervision is looking to ensure that the audit is reviewed by someone senior who can
ensure the team is
competent and the deadlines are met to provide timely information for the client.
– Review of the audit:
The review is to ensure professional standards have been followed, that there is evidence to
back up conclusions made and that the evidence collected is sufficient and appropriate.
Each of these 6 components is explained in ISA220 to enable audit firms to ensure the
highest quality work is performed. This therefore ensures that an appropriate audit opinion
is formed on the financial statements for every client, which ties back to the obligation to
ensure they follow professional standards and that their reports are appropriate for the
client’s requirements.