Audit Planning Takeaway

www.pwc.co.uk Audit planning takeaway Time to Learn 2014

description

Guidance on Audit Planning

Transcript of Audit Planning Takeaway

  • www.pwc.co.uk

    Audit planning takeaway

    Time to Learn 2014

    Table of Contents

    Independence
      New audit clients
      Management's processes around non-audit fees
      Required assessments and consultation
      Impact of non-audit services
      Role of Service Delivery Centres in AFSs
      Communications with those charged with governance
      Rotation tracking
      Consulting with independence
      Guidance

    Related parties
      Financial reporting framework requirements
      Obtaining a list of related parties
      Completeness
      Our risk assessment
      Communications within the team
      Professional scepticism
      Representation letter
      Completion procedures
      Communications with management and those charged with governance
      Updates to EGAs

    Fraud
      Fraud discussions and risk assessment
      Unpredictable procedures
      Journals
      Responding to identified fraud
      And finally

    Laws and regulations
      ISA (UK&I) requirements
      What does this mean in practice?
      Bribery Act 2010 and Transparency International
      Required communications
      Audit opinion

    Materiality
      Overall materiality
      Performance materiality
      De Minimis SUM posting level
      Disaggregating materiality
      Materiality in a group audit context
      Reassessing materiality at the final audit
      Reporting to those charged with governance

    Other planning reminders
      Planning top tips
      Risk assessment
      ISA (UK&I) 700
      Internal audit
      Use of ISAE 3402 controls reports on service organisations
      Audit of tax
      Estimates
      Confirmations
      Referred reporting audit engagements and letterbox audits
      Group and component audits
      Planning sign-off
      Significant matters

    Independence

    New audit clients

    As a result of increased tendering activity in the marketplace, we are seeing a greater number of proposals and first year audits. This brings about specific independence challenges, and independence is also a hot topic with our regulators. Engagement teams need to consider non-audit services previously provided to those entities for which we are proposing for the audit, to ensure that we can accept the audit if we are appointed. As many are aware, another large audit firm accepted an audit appointment and had to decline after discovering what were now impermissible services being provided, causing embarrassment for the entity and the audit firm.

    For new audit engagements, non-audit and audit related services are identified by the Relationship Checking team.

    The articulation of the rationale as to why non-audit services previously provided do not impair our independence, and what safeguards are in place, is absolutely critical and needs to be clearly documented on the audit file.

    Management's processes around non-audit fees

    As part of our consideration of independence, and where appropriate, we should understand the systems and controls management have in place in order to monitor non-audit services provided. Engagement teams confirm that management have followed these procedures and seek evidence to corroborate this. If management have robust procedures in place, then we may be able to place some reliance on these processes.

    Required assessments and consultation

    Ethical Standards state that a self-interest threat exists when the auditor has financial or other interests which might cause the auditor to be reluctant to take actions that would be adverse to the interests of the audit firm or any individual in a position to influence the conduct or outcome of the audit. In relation to non-audit services, the main self-interest threat concerns fees and economic dependence and these are addressed in APB Ethical Standard 4.

    Where substantial fees are regularly generated from the provision of non-audit services, and the fees for non-audit services are greater than the annual audit fees, it could be perceived as a loss of our independence. In these instances, the audit engagement partner considers whether the engagements giving rise to the substantial fees were:

    • audit related services;
    • provided on a contingent fee basis;
    • consistent with the engagements undertaken in previous years, and fees received on a consistent basis to previous years;
    • in the case of a group, disproportionate in relation to any individual group entity;
    • unusual in size but unlikely to recur; and/or
    • of such a size and nature that a reasonable and informed third party would be concerned at the effect that such engagements would have on the objectivity and independence of the engagement team.

    Having made that assessment, the audit engagement partner determines whether the threats to independence from the level of non-audit fees are at an acceptable level (or can be reduced to an acceptable level by putting in place appropriate safeguards).

    For listed entities, where the fees for non-audit services for a financial year are expected to be greater than the annual audit fee, the engagement team consults formally with the UK Ethics Partner (currently Bill Morgan) before the ratio has exceeded 1:1 and as soon as he/she considers that the ratio will be exceeded. As this is a consultation under ISA (UK&I) 230, it is required to be appropriately documented in the file.

    For non-listed entities where the non-audit fees are expected to exceed the audit fees, the engagement leader may also consult with the Ethics Partner if they deem it necessary or useful, although this is not required.

    Impact of non-audit services

    Engagement teams need to better assess the impact that non-audit services can have on their independence. This needs to be an ongoing exercise throughout the audit, and is not to be regarded solely as a planning or completion activity.

    Recent internal and external reviews have identified more complex independence issues that have developed over a number of years. It is therefore critical that the engagement team understand enough about the nature of the services that are being performed to be able to make a proper assessment of threats to their independence and whether the safeguards which have been put in place remain adequate.

    For example, consider the following set of circumstances:

    • before tendering for the audit, we assist management by building a model to forecast the company's business;
    • the auditors review the model as part of their normal audit procedures;
    • having won the audit, we continue to support the client through its expansion, including providing assistance to the client in updating the functionality of the forecasting model;
    • the client encounters some financial difficulties and we are asked by management to update the forecasting model's functionality; and
    • management use the forecasting model to support going concern, impairment and deferred tax asset recovery calculations that we subsequently audit.

    Does this cause an independence issue?

    It is worth taking a step back and considering the non-audit services as a whole (especially those that are delivered in different phases). Individually, these services might not present an issue, but when considered as a whole, the team might come to a different conclusion and the threats and safeguards applicable might also differ.

    Role of Service Delivery Centres in AFSs

    An engagement team may request the Service Delivery Centre (SDC) to assist with monitoring and checking the completeness of AFSs that are received from component or other teams. It is important to note that when performing the completeness checks, the SDC solely checks that all boxes have been completed. In other words, they do not assess whether what has been written is correct, whether the right threats have been identified, or whether the right safeguards have been put in place. The SDC may also prepare a fee summary report which reflects actual billings for services compared to estimated fees per the AFS request forms, if the engagement team requests this.

    Communications with those charged with governance

    Communications required by ISAs (UK&I) and UK Ethical Standards

    ISAs (UK&I) state that:

    In the case of listed entities, the auditor shall communicate to those charged with governance:

    (a) A statement that the engagement team and others in the firm as appropriate, the firm and, when applicable, network firms have complied with relevant ethical requirements regarding independence; and

    (b) (i) All relationships and other matters between the firm, network firms, and the entity that, in the auditor's professional judgement, may reasonably be thought to bear on independence. This shall include total fees charged during the period covered by the financial statements for audit and non-audit services provided by the firm and network firms to the entity and components controlled by the entity. These fees shall be allocated to categories that are appropriate to assist those charged with governance in assessing the effect of services on the independence of the auditor; and
        (ii) The related safeguards that have been applied to eliminate identified threats to independence or reduce them to an acceptable level.

    In the case of listed entities, UK Ethical Standards require that:

    'The audit engagement partner shall ensure that those charged with the governance of the audit client are appropriately informed on a timely basis of all significant facts and matters that bear upon the auditor's objectivity and independence.'

    The audit engagement partner shall ensure that the audit committee, or those charged with governance, of a listed entity is provided with:

    • a written disclosure of relationships that bear on the auditor's objectivity and independence, any safeguards that are in place and details of non-audit services provided to the audited entity and the fees charged in relation thereto;
    • written confirmation that the auditor is independent;
    • details of any inconsistencies between UK Ethical Standards and the company's policy for the supply of non-audit services by the audit firm and any apparent breach of that policy; and
    • an opportunity to discuss auditor independence issues.

    For all unlisted entities, written communication of these matters is considered best practice, but is not required. Reporting to an unlisted entity can be done either in writing or verbally, providing that if the latter option is chosen then full details of the conversation with those charged with governance (i.e. when, with whom and what was discussed) are documented on the audit file.

    Communication required by change to International Ethics Standards Board for Accountants Code of Ethics

    The International Ethics Standards Board for Accountants (IESBA) have made changes to their Code of Ethics which have an impact on the way we respond to breaches of external independence requirements. The change came into effect on 1 April 2014. This change impacts PwC because of the network's commitment to follow the IESBA Code of Ethics even though these changes have yet to be incorporated into the UK Ethical Standards.

    The change to the IESBA Code of Ethics now requires the auditor to report all breaches of external independence rules (i.e. any breaches of UK Ethical Standards, SEC and PCAOB rules, or the IESBA Code of Ethics) to those charged with governance as soon as possible, unless the firm has agreed a protocol with those charged with governance in respect of less significant breaches.

    'As soon as possible' is intended to allow the firm reasonable time to investigate the matter and conduct an evaluation of the significance of the breach but also means without undue delay. It is not intended to mean immediately. Therefore, audit teams are strongly recommended to engage with their clients to establish whether they will require all breaches to be reported as soon as possible, or whether less significant breaches, such as personal independence breaches not relating to members of the audit team, can be reported on a periodic basis.

    Rotation tracking

    Remember to keep rotation tracking up to date and reflective of the current team. HPC and other internal reviews regularly find inaccuracies and/or omissions. Remember to also include Key Audit Partners, which needs to include overseas engagement leaders of subsidiary entities if they relate to a significant component.

    Consulting with independence

    Taking on a new PIE client, or a non-PIE client becomes a PIE

    Taking on a new PIE client, or an existing client becoming a PIE, are only two situations when consultation is required. You also need to consult in the following situations (amongst others):

    • contingent fee arrangements;
    • significant unpaid fees;
    • non-audit fees exceed (or are likely to exceed) the audit fee for listed companies;
    • independence breaches have been identified;
    • when the Assurance engagement partner or member of the chain of command is considering employment with the Assurance client; and
    • where a listed company is in distress and restructuring services are proposed to be provided.

    Contingent fees

    Where a contingent fee arrangement exists, the non-audit service team is required to include Compliance Independence as an approver on the AFS form, as well as the engagement leader. If engagement teams receive an AFS for a contingent fee arrangement and Compliance Independence hasn't been included as an approver, the AFS should be sent back to the non-audit service team to be amended.

    The Independence team will feed back the outcome of the independence analysis to the audit team and the team carrying out the work. This may include details of the safeguards required to maintain our independence, which may include review of key audit judgements and work by ARQ where appropriate.

    Unpaid fees

    Audit fees

    Prior year audit fees should be agreed before the appointment for the next year is accepted. This fee should have been paid before any significant work is done in the current year.

    Non-audit fees

    Where fees for professional services are overdue, and the amount can't be regarded as trivial, consult with the Independence and Ethics Team. There's currently no definition of 'trivial' in this context. The engagement team will use their judgement to decide the level of unpaid fees that are deemed acceptable based on the individual circumstances. The team needs to be satisfied that the client will eventually pay and to consider whether there's a legitimate reason fees have not yet been received.

    Independence breaches

    For all clients in the UK, the Independence and Ethics Team will provide details to the UK audit engagement leader of all personal independence breaches of Ethical Standards and SEC rules in respect of:

    • members of the UK audit engagement team;
    • any other partner in the firm;
    • the UK firm;
    • those in the UK who are in a position to influence the conduct and outcome of the audit; and
    • for SEC audit clients in the UK, those individuals who are covered persons for the client,

    which the Independence and Ethics team are aware of as a result of the annual independence confirmation process or through other matters reported to them. If the Independence and Ethics Team does not contact the team, then there are no matters to report.

    If the Independence and Ethics Team becomes aware of a significant independence breach during the year, then the engagement leader will be informed immediately.

    Considering employment with an Assurance client

    If the Assurance engagement partner or member of the Assurance engagement team is considering employment with the Assurance client, then they are removed from the engagement immediately. They do not re-join the engagement until any negotiations have come to an end.

    If a member of the chain of command is considering employment with the Assurance client, then the Independence and Ethics Team would inform the Assurance engagement team, as needed, and discussions would take place before considering whether this could be accepted.

    In all the above instances, consultation with the Independence and Ethics Team is strongly recommended.

    Please refer to section 5.18 of the UK Independence Policy for further guidance.

    Entities in distress

    There is a partial prohibition on restructuring services for listed clients and their significant affiliates where the company is in distress. The permissible services are limited to:

    • preliminary general advice;
    • assistance with immaterial elements of the overall restructuring plan;
    • challenging, but not developing, the projections and assumptions used in a financial model;
    • reporting on a restructuring plan in connection with an investment circular; and
    • any service specifically permitted by a regulatory body with oversight of the audit client.

    Due to the complexities involved, a xLoS acceptance panel is required. This includes representatives from Consulting Risk and Quality and Assurance Risk and Quality, as well as from Compliance.

    Compliance Consultation System (CCS)

    CCS is a tool that helps you to consult with, or make enquiries to, the Independence and Ethics Team on all matters affecting independence. The system acts as a repository for all independence enquiries and consultations.

    A consultation is a query which needs to be agreed and documented with the Independence and Ethics Team in respect of a client specific set of facts and circumstances.

    Remember that if you submit an independence query to Assurance Risk and Quality using IGLO, then you will be directed to re-log the query on CCS.

    Guidance

    GAAS requirements:

    • ISA (UK&I) 220.11 Engagement partner conclusion on compliance with independence requirements
    • ISA (UK&I) 260.17 Communication with those charged with governance - Auditor Independence

    PwC UK Independence Policy:

    • PwC UKIP Section 4 Engagement Management and Engagement Team Responsibilities:
      o 4.9 Accepting a Non-Audit Engagement for an Existing Audit Client
    • PwC UKIP Section 5 Individual Financial Interests and Relationships
    • PwC UKIP Section 6 Member Firm Financial and Business Relationships:
      o 6.8 Contingent Fees and Related Matters
      o 6.9 Commissions and Fees for Referrals
    • PwC UKIP Section 7 Non-Assurance Services
    • PwC UKIP Section 9 Member Firm Processes and Controls

    APB Ethical Standards:

    • ES 1 Integrity, objectivity and independence
    • ES 4 Fees, remuneration and evaluation policies, litigation, gifts and hospitality - Fees (para. 5-43)
    • ES 5 Non-audit services provided to audit entities

    Audit Guide:

    • 2500 Use of a Service Delivery Centre (SDC)
    • 3030 Independence
    • 3060 Engagement team

    UK guidance documents from the Independence site

    Related parties

    Financial reporting framework requirements

    In the UK, most of the entities we audit have a legal obligation to prepare financial statements in accordance with an accounting framework, the most common being IFRS as adopted by the European Union, UK GAAP and US GAAP. All these accounting frameworks establish related party requirements. If the entity does not identify its related parties, then it is unable to identify related party transactions and assess whether disclosure is required. Consequently, the financial statements may not comply with the relevant accounting framework or legal requirements.

    We have a responsibility to perform audit procedures to identify, assess and respond to the risk of material misstatement arising from the entity's failure to appropriately account for, or disclose, related party relationships, transactions or balances in accordance with the requirements of the framework to be able to conclude whether the financial statements achieve a fair presentation (for fair presentation frameworks) or are not misleading (for compliance frameworks). If we do not have a list of related parties, then it is difficult to meet the requirements of ISAs (UK&I).

    Therefore, in order to meet our responsibilities as auditors, we need to obtain a comprehensive list of related parties, and related party transactions from management.

    Obtaining a list of related parties

    ISA (UK&I) 550 requires the auditor to enquire of management regarding:

    (a) the identity of the entity's related parties, including changes from the prior period;
    (b) the nature of the relationships between the entity and these related parties; and
    (c) whether the entity entered into any transactions with these related parties during the period and, if so, the type and purpose of the transactions.

    Some entities, particularly the larger more sophisticated entities, may have systems to record, process and summarise related party relationships and transactions to enable the entity to meet the accounting and disclosure requirements of the framework and, hence, management is likely to have a comprehensive list of related parties and changes from the prior period.

    Where this is not the case, which will be the case for the majority of entities, we consider the following points:

    • the entity's ownership and governance structures;
    • types of investment that the entity is making, and plans to make;
    • the way in which the entity is structured and how it is financed; and
    • the individuals that constitute key management.

    Discussing who the related parties of the entity are is often a sensitive matter with management being reluctant to provide, sometimes for understandable reasons, details of who the related parties are (especially in the area of connected persons, which could include the names of children and other close relatives). We have therefore developed a new pro forma letter on related parties to assist teams. The letter, which is intended to be sent to the entity at the planning phase of the audit, will:

    • explain why we have sent the letter;
    • explain what related parties are under the entity's accounting framework (e.g. IFRS as adopted by the European Union, UK GAAP, US GAAP); and
    • clarify the auditor's responsibilities around related parties.

    We should include a list of all potential categories of related parties under the reporting framework to assist the entity in identifying related parties in the entity or group. The list will be signed off by a director as being complete to the best of their knowledge and provided to us for the purpose of the audit at the planning stage.

    We need to be mindful of concerns the entity may have in disclosing some information such as thenames of directors children. We have had situations where a 16 year-old child has been working forthe entity as their sole source of income, which has meant that the transaction has becomedisclosable, or where the wife has provided all the catering for business meetings. Conversely, it ishighly unlikely that a three month old baby is going to be transacting with the entity, or in control ofan entity which is a related party. The letter will help to deal with such concerns.

    Our discussions with management and those charged with governance in respect of related partiesand related party transactions are documented in full on the audit file.

    CompletenessOnce we have a list of related parties we need to perform procedures to identify whether that list iscomplete. During the planning phase of the audit, we inspect a number of documents as part of ourrisk assessment procedures. Reviewing such documents will act as a test for completeness over therelated parties' listing. ISAs (UK&I) require us to look at the following documents:

    bank and legal confirmations; minutes of the meetings of shareholders, and those charged with governance; and such other records or documents as we consider necessary.

    Such other records/documents could include:

    payroll listings, accounts receivable and accounts payable listings for similarly namedindividuals and entities;

    other relevant statutory records such as the register of directors' interests (for informationabout material transactions authorised or discussed at their meetings);

    filings with, and other information supplied to, the relevant authorities/regulatory agencies(including tax returns);

    prior year working papers; correspondence and invoices from law firms; and documents detailing the names of officers and trustees of pension or similar plans.

    In addition, other available sources of information, including external data and internet searches,such as Google, can be used to identify the names of related parties and other businesses in whichofficers and directors have ownership interests or hold directorship or management positions (e.g.Boardex reports).

    We also consider the extent and nature of business transacted with major customers, suppliers,borrowers and lenders.

    Our risk assessment

    Many related party transactions are in the normal course of business. In such circumstances, they may carry no higher risk of material misstatement to the financial statements than similar transactions with unrelated parties. However, the nature of related party relationships and transactions may, in some circumstances, give rise to higher risks of material misstatement to the financial statements than transactions with unrelated parties. For example:

    Related parties may operate through an extensive and complex range of relationships and structures, with a corresponding increase in the complexity of related party transactions.

    Information systems may be ineffective at identifying or summarising transactions and outstanding balances between an entity and its related parties.

    Related party transactions may not be conducted under normal market terms and conditions; for example, some related party transactions may be conducted with no exchange of consideration.

    Significant related party transactions outside the entity's normal course of business give rise to a significant risk.

    During the audit, we also need to remain alert when inspecting records and documents for arrangements, or other information, that may indicate the existence of related party relationships or transactions that management has not previously identified or disclosed to us.

    If we identify fraud risk factors when performing the risk assessment procedures on related parties, including circumstances relating to the existence of a related party with dominant influence, we link this to the appropriate fraud risk and appropriately articulate the rationale on the file together with documenting our response to that fraud risk.

    All the discussions around related parties with management, those charged with governance and internally amongst the team and with component auditors (in group situations) are documented in full on the audit file. Sufficient involvement from the engagement leader is expected in this area.

    Be aware of the possibility that transactions with related parties may have been motivated solely, or in large measure, by conditions similar to the following:

    lack of sufficient working capital or credit to continue the business;

    an urgent desire for a continued favourable earnings record in the hope of supporting the price of the company's stock;

    an overly optimistic earnings forecast;

    dependence on one, or relatively few, products, customers, or transactions for the continuing success of the venture;

    a declining industry characterised by a large number of business failures;

    excess capacity;

    significant litigation, especially litigation between stockholders and management; and

    significant obsolescence dangers because the company is in a high-tech industry.

    Transactions that because of their nature may be indicative of the existence of related parties include:

    borrowing or lending on an interest-free basis or at a rate of interest significantly above or below market rates prevailing at the time of the transaction;

    selling real estate at a price that differs significantly from its appraised value;

    exchanging property for similar property in a nonmonetary transaction; and

    making loans with no scheduled terms for when, or how, the funds will be repaid.

    Finally, if management has made an assertion in the financial statements to the effect that a related party transaction was made on an arm's length basis, then we need to obtain sufficient audit evidence that this is the case. This is because management need to substantiate that assertion. Management's support for the assertion may include:

    comparing the terms of the related party transaction to those of an identical or similar transaction with one or more unrelated parties;

    engaging an external expert to determine a market value and to confirm market terms and conditions for the transaction; and/or

    comparing the terms of the transaction to known market terms for broadly similar transactions on an open market.

    As ever, remain professionally sceptical when auditing this information, utilising industry knowledge and verifying the source of the data used in their assertion. Also, evaluate the reasonableness of significant assumptions on which the assertion has been based.

    Communications within the team

    Remember that as part of our team fraud discussions, we discuss the risks associated with related parties, and related party transactions, and specifically whether any fraud risks exist. This discussion provides the opportunity to communicate the details of who the related parties are and any related party transactions of which we are already aware. Any team member who could not attend the meeting is briefed separately and that briefing evidenced on the audit file.

    In the context of a group audit, ISA (UK&I) 600 requires the group engagement team to provide each component auditor with a list of related parties prepared by group management and any other related parties of which the group engagement team is aware. Obtaining the list from the client and undertaking completeness procedures will enable a list to be provided to component auditors.

    Professional scepticism

    Being sceptical and thinking about fraud risks is essential in auditing related parties and related party transactions. For example, team members need to take a wider view and consider the commercial rationale for any transactions (i.e. Why is this transaction taking place? What is the purpose of the transaction? Why has it been structured in the way it has? Does the transaction make sense?) and whether they have been conducted at arm's length. It is important to have an understanding of the industry so as to be able to identify any unusual transactions, based on price, nature, terms, etc.

    Have any team members identified transactions during their audit work which indicate that related parties might be involved that are not on the list? Are the entity's controls sufficient to identify and monitor relationships and transactions?

    Representation letter

    We have updated the representation letter in respect of related parties such that the list of related parties provided by the client at planning, plus any subsequent updates, is attached to the letter and those charged with governance confirm that it is a complete list in respect of the period audited.

    Completion procedures

    The following procedures are performed upon completion:

    obtain a representation that management has disclosed the identity of related parties, relationships and transactions of which they are aware and that related parties and transactions have been appropriately accounted for and disclosed - this representation incorporates the list of related parties provided by the client;

    communicate significant related party matters arising during the audit to those charged with governance unless all of them are involved in its management;

    check that the accounting for, and disclosure of, related parties and related party transactions are appropriate; and

    consider the implications of the findings from work performed on related parties and related party transactions for the audit opinion.

    Communications with management and those charged with governance

    We may identify a number of matters that we want to communicate to management. For example, a lack of controls to monitor related parties, or transactions with related parties that have not been appropriately authorised.

    There are a number of matters that, if identified, we are required to communicate to those charged with governance. These include, but are not limited to:

    non-disclosure of related parties by management;

    significant related party transactions that have not been appropriately authorised and approved;

    disagreements with management regarding accounting and disclosure of related party transactions;

    non-compliance with applicable law or regulations; and

    difficulties in identifying related parties.

    Updates to EGAs

    We have enhanced the planning EGA 'Understand related parties' to include:

    sending the letter to the client to obtain a list of related parties;

    performing completeness procedures over that list; and

    documenting procedures you will take to refresh the list throughout the audit.

    We have also enhanced the related parties procedure in the completion activities EGA 'Update preliminary assessment of fraud, going concern, laws and regulations, related parties, accounting estimates and other assertion level risks' to confirm that the list of related parties has been updated.

    Fraud

    Fraud discussions and risk assessment

    PwC Audit 5503 states that the engagement leader (i.e. the individual who is the signing engagement leader if aspects of the engagement leader role have been delegated) uses professional judgement, prior experience with the entity, and knowledge of current developments to determine which other members of the engagement team are included in the fraud discussion. The discussion will include participation by most, if not all, engagement team members including:

    the engagement leader;

    all other engagement and quality review partners (if applicable);

    other members of the engagement team, including managers and staff;

    any forensic specialists, where heightened risk exists; and

    key members from other relevant lines of service (Tax, Risk Assurance, Consulting, Deals, etc.).

    The engagement leader will need to ensure that any members of the team who could not attend the team fraud discussion are appropriately briefed and that evidence of those briefings is also retained on the audit file.

    The team fraud discussion includes, as a minimum, the following:

    the identification and assessment of fraud risk factors, examples of which can be found at PwC Audit 5502;

    the identification of the potential risks of material misstatement due to fraud (which includes both the misappropriation of assets and fraudulent financial reporting); and

    the planned audit approach in response to the risks identified, including the planned approach to journals testing and unpredictable procedures and how both of these procedures address the fraud risks identified.

    The discussion may include such matters as:

    an exchange of ideas amongst engagement team members about how and where they believe the entity's financial statements may be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated;

    a consideration of circumstances that might be indicative of earnings management and the practices that might be followed by management to manage earnings that could lead to fraudulent financial reporting;

    a consideration of the known external and internal factors affecting the entity that may create an incentive or pressure for management or others to commit fraud, provide the opportunity for fraud to be perpetrated, and indicate a culture or environment that enables management or others to rationalise committing fraud;

    a consideration of management's involvement in overseeing employees with access to cash or other assets susceptible to misappropriation;

    a consideration of any unusual or unexplained changes in behaviour or lifestyle of management or employees which have come to the attention of the engagement team;

    an emphasis on the importance of maintaining a proper state of mind throughout the audit regarding the potential for material misstatement due to fraud;

    a consideration of the types of circumstances that, if encountered, might indicate the possibility of fraud;

    a consideration of how an element of unpredictability will be incorporated into the nature, timing and extent of the audit procedures to be performed;

    a consideration of the audit procedures that might be selected to respond to the susceptibility of the entity's financial statements to material misstatement due to fraud and whether certain types of audit procedures are more effective than others;

    a consideration of any allegations of fraud that have come to the auditor's attention; and

    a consideration of the risk of management override of controls.

    But the discussion would ordinarily also cover:

    review with the entire team of any fraud risk conditions identified in the acceptance and continuance process;

    qualitative and quantitative factors to be considered in assessing risk of fraud;

    the need for professional scepticism at all times and sufficient appropriate audit evidence to support the audit opinion;

    determination of specific procedures to be conducted as part of the audit to address any fraud risks identified in this meeting, including determination of the use of fraud experts, and the plan for reviewing results with engagement leadership;

    discussion of evidential fraud risk factors to be aware of at all times during the audit (for examples of evidential risk factors see PwC Audit 5502);

    the importance of the tone at the top;

    the need to assess the risk of fraud at each stage of the audit and for engagement team members to communicate about the risks of material misstatement due to fraud;

    a discussion regarding fraud and new issues arising since the date of the last audit that may potentially affect the entity (such discussion may include recent frauds in the industry in which the company operates).

    Our fraud discussions may also usefully consider fraud schemes that could occur given the entity's control system. Fraud schemes are numerous and will vary from industry to industry. However, thinking about potential schemes will put us in the best position to design audit procedures. See PwC Audit 5504 for related guidance.

    The Aura file clearly evidences that the engagement leader led the team discussions on fraud.

    It is expected that teams are specific with their fraud discussions and identify where, and how, a fraud could be perpetrated. As noted earlier, teams consider both misappropriation of assets and fraudulent financial reporting at the FSLI or even transaction level.

    To date we have focussed on fraud discussions within the team but remember to also hold fraud discussions with:

    management and those charged with governance, including the audit committee where one exists; and

    internal audit, where such a function exists (including where the function is outsourced by the entity).

    These discussions also need to be documented together with how any fraud risks identified have been responded to.

    Finally, it is important that the various discussions lead to action on our part and that this is evidenced. ARQ see files where the discussion has happened, but there is no linkage to what was agreed as needing to be done to address the fraud risks identified. Therefore, it is critical to link the fraud risks identified from our discussions to the procedures to be performed which address them.

    Unpredictable procedures

    We need to incorporate an element of unpredictability in the nature, timing and extent of audit procedures in order to respond to an assessed risk of material misstatement due to fraud at the financial statement level. It is this connection between a specific fraud risk and an unpredictable procedure that teams often omit and simply perform an unpredictable procedure for the sake of it. Remember that the whole point of performing such procedures is to address a specific fraud risk.

    Unpredictable procedures are important, because management may be familiar with audit procedures normally performed by us and hence they may be more able to conceal fraud in the areas which they think would not be tested by us, either in the way we test them, or when we test them. Incorporating unpredictability throughout the course of the audit helps us to address the risk of fraud.

    No specific level of unpredictability is required; however, engagement teams document those procedures that are deemed to be unpredictable in nature.

    The engagement team discusses how to incorporate unpredictability into the audit during the fraud discussion. Remember that an unpredictable procedure is one where the nature and/or timing and/or extent of the test varies from what we have historically performed.

    Some examples of unpredictable procedures which may address specific fraud risks are as follows:

    Audit area: examples of unpredictable procedures that might be appropriate

    Inventory:

    Conduct meetings and enquiries with client staff with whom we have not had much previous contact (e.g. key personnel in the purchasing department, quality control managers).

    Attend inventory counts performed at locations not attended in the past, and without advance notice at the planning phase.

    Work in progress or recording of transit items: we may consider testing at a more detailed level.

    Sales / Accounts receivable:

    Conduct meetings with client staff with whom we have not had much previous contact (e.g. sales staff responsible for handling major customer accounts).

    Change the nature of substantive analytical procedures (e.g. use different basis for disaggregating revenue).

    Extend cut-off testing beyond the periods normally covered, including sales and sales returns.

    Accounts receivable confirmations: we may alter the selection criteria for the sample of accounts receivable balances to confirm.

    Perform other procedures which were not previously considered. For example:

    o Confirm sales terms and/or amounts for a selection of customers.

    o Test classes of sales transactions not previously tested (e.g. export sales).

    o Perform more detailed analytical procedures (e.g. by using CAATs to scan sales accounts or customer accounts).

    o Change the date used for confirmations (i.e. confirm as of an earlier or later date).

    o Perform work to verify intercompany sales and related balances beyond confirming details with component auditors.

    Purchases / Accounts payable:

    If not normally performed, obtain confirmations of outstanding amounts directly from suppliers. If this is already performed, vary the scope and/or timing of the confirmation process.

    Test areas of expense not previously tested in detail.

    Use CAATs to scan purchase accounts/payments to look for unusual items (e.g. suppliers with similar bank details).

    Cash:

    Select additional month(s) to perform work on bank reconciliations.

    Where there are large numbers of bank accounts and selective testing is performed, change the basis of selection.

    Property, plant and equipment:

    Perform work on property, plant and equipment not previously considered (e.g. consider inspecting existence of lower value assets such as company cars and equipment).

    We may alter the extent of physical verification procedures.

    Multi-location audits:

    Change scope or locations of overseas work (e.g. more work in smaller locations, visiting overseas locations).

    Finally, for the avoidance of doubt, sampling is not an unpredictable procedure; just because we do not know which invoices we will select for testing does not make it an unpredictable procedure.

    Journals

    We have made considerable progress over the years with regards to journals testing, but a few areas continue to be identified for improvement. These are documenting how we obtained evidence as to the completeness of the population, why we are selecting the journals we have selected and, in situations where Computer Assisted Audit Techniques (CAATs) have been used, how we rationalised testing only a proportion of those which the CAAT identified.

    Remember that we test journals to respond to a specific risk, or risks, of fraud. As such, we need to clearly link our journals testing to the risk of fraud identified.

    To effectively plan and perform testing over journal entries, we need to:

    understand and evaluate the entity's financial reporting process and the controls over journal entries and other adjustments, which includes evaluating the design of controls and determining whether they have been implemented. Without an understanding of how the entity uses journals, we cannot effectively design our journals testing;

    use professional judgement in determining the nature, timing and extent of testing of journal entries and other adjustments and assess completeness of the populations of entries subject to testing. Consider our fraud risk assessment in our analysis, in particular regarding the risk of management override of internal controls and place additional emphasis on identifying and testing items processed outside of the normal course of business; and

    document our rationale for what we are doing.

    In audits of entities with complex IT systems, Risk Assurance involvement is likely to be needed, in which case the approach to journal entries will be discussed with them. In addition, the use of Data Assurance has greatly enhanced our work on journals enabling us to deal with a number of the issues we face.

    We may consider the following procedures related to journal entry testing as part of planning our approach:

    In order to obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments, consider the following:

    o the entity's written, and unwritten, policies and procedures regarding the initiation, recording and processing of standard, and non-standard, journal entries and other adjustments;

    o the sources of significant debits and credits to an account;

    o individuals responsible for initiating entries to the general ledger, transaction processing systems, or consolidation;

    o approvals and reviews required for such entries and other adjustments;

    o how journal entries and other adjustments are recorded (e.g. whether entries are initiated and recorded online with no physical evidence, or created in paper form and entered in batch mode);

    o controls, if any, designed to prevent and detect fictitious entries and unauthorised changes to journals and ledgers; and

    o controls over the integrity of the process used to generate journals reports which we use for audit purposes.

    If not already doing so, determine whether you can use journals CAATs.

    During planning, consider performing enquiry of individuals involved in the financial reporting process about inappropriate or unusual activity related to the processing of journal entries and other adjustments to provide input into determining the timing, nature and extent of testing, and then update enquiries at year end. This is documented in the EGA 'Respond to the risk of material misstatement involving management override of controls'.

    Consider including an element of unpredictability regarding the value, amount and types of journal entries and other adjustments tested.

    Manage multilocation audit planning, if applicable, for the testing of journal entries and other adjustments by including the following in instruction letters:

    o the group engagement team's assessment of the risk of material misstatement due to fraud;

    o if appropriate, identification of any specific classes of journal entries for testing and the extent of testing (or provide a list of journal entries to test if selections are made by the group engagement team); and

    o a contact for fraud related questions on the group engagement team.

    Controls over journals

    Effective controls over the preparation and posting of journal entries and other adjustments may reduce the extent of substantive testing necessary, provided that we have tested the operating effectiveness of the controls and consider that they are effective. However, even though controls might be implemented and operating effectively, our procedures for testing journal entries and other adjustments include the identification and testing of specific items. In other words, we may be able to justify obtaining partial reliance on controls over journals, but, due to the risk of management override of controls, we do not seek high controls reliance in respect of journal entries. Where controls over journal entries and other adjustments, including segregation of duties (restricted access), are dependent on automated controls, we also need to test the relevant ITGCs.

    Completeness of the population

    Before we begin to test a sample of journals, we need to ensure that we are selecting from a complete population. Ordinarily, we are now utilising Risk Assurance to use CAATs to assist us in our testing of journals. CAATs enable a complete output of journals to be populated through extraction from a transactional listing which is reconciled to the trial balance. While obtaining the population of journal entries electronically is the preferred method of ascertaining completeness when auditing journal entries, it is also acceptable to use other manual auditing procedures. This can be done by, for example, using accept-reject testing (agreeing balances from a detailed account breakdown reconciled to the general ledger, to the journals listing).

    Further guidance with regards to obtaining evidence as to the completeness of the population can be found in PwC Audit 5509.

    Substantive testing

    Substantive testing can include scanning analytics and tests of details.

    Scanning analytics can be performed on detailed lists of journal entries to identify unusual or unexpected entries (e.g. accounts, amounts, individuals approving the entry, times of day, dates the entry was recorded). The unusual or unexpected entries are identified and then tested substantively, for example by agreement to source documentation.

    Substantive tests of details are the typical means of testing journal entries or other adjustments. Since we are testing entries which represent a fraud risk, target testing (manual or CAATs) based on fraud risk is the appropriate approach for selecting items which are then substantively tested, again by agreement to source documentation for example.

    Remember that, in addition to agreeing journal entries to supporting documentation, part of our evidence is understanding the purpose and appropriateness of the journal and documenting that on the audit file.

    Sorting down large populations

    We will often provide Data Assurance with a list of risk-based criteria and ask that they isolate a subset of non-standard journal entries based on, for example, unusual general ledger account combinations (this example demonstrates only one risk-based criterion, but consider other criteria when testing). This may identify a total population of 1,000 journal entries for example.

    In identifying this population of 1,000 journal entries that potentially require 100 per cent examination, we may, after additional analysis, be able to further refine our initial definition of 'unusual account combinations' or other criteria used in selecting journal entries. This process might be thought of as an iterative 'sorting down' until we conclude we have the remaining population that in our judgement represents the risk of material misstatement due to fraud and has to be examined 100 per cent.

    It would be rare that we have to test each of the 1,000 items initially identified in this example. The fact that the 1,000 items were identified is more likely indicative that certain account combinations are not, in fact, unusual and may be valid in certain circumstances (i.e. they do not represent a significant risk of material fraud).

    Sorting down the 1,000 items by account combination and then researching the reasons for combinations of a significant number of items or monetary value may lead to a conclusion based on our knowledge and existing audit evidence that no further testing of a particular combination is necessary (i.e. the account combination is not unusual).

    Alternatively, the client may provide a plausible explanation why the classes of entries or other adjustments do not represent a risk of fraud. We need to obtain additional evidence to support this explanation, and could perform this testing on a targeted basis (based on monetary amount or some other criteria). In situations where the client is providing a plausible explanation for a large number of similar items, use accept-reject testing on the attributes of the journal entries and underlying transactions to support the client's explanation and the appropriateness of the entry. If accept-reject test results corroborate the client's explanation that the entries do not represent risk of fraud, then the entries can be filtered out of our selection for testing. Accept-reject testing would only be used to further 'sort down' the population to better identify the targets that represent the risk of material misstatement. Once identified, those entries that represent the risk of material misstatement would then be tested 100 per cent.

    Finally, the team document clearly their rationale for how they got from 1,000 possible items down to the number actually tested.

    Criteria for journal selection

    At the planning stage, once we have a detailed understanding of how and why the entity uses journal entries, we need to agree the criteria we will use to select journal entries for substantive testing. Below are examples of the criteria which could be used to select journals for substantive testing. It is important to remember that each entity is different and requires some combination of the examples below:

    largest journal entries (manual and/or automated);

    unusual general ledger account combinations (e.g. entries to revenue that do not impact cash, accounts receivable, or deferred revenue);

    journal entry activity that is reversed in a subsequent period (e.g. month end, quarter end); this test will identify whether one or both sides of the journal entry are reversed in the subsequent period;

    unusual intercompany and/or related party transactions;

    unusual ratios and changes for sales/assets, debt/equity, etc., including those that are too consistent, or conflict with our knowledge of the business;

    journal entries not documented in the general ledger (such as reclassification made to a reporting system, where general controls over the general ledger may not apply);

    journal entries with a net P&L impact over a certain amount;

    items just under a threshold (e.g. if any posting over 10,000 required an approval process, entries in the amount of 9,999.99 or 9,999.00);

    infrequently used general ledger accounts;

    missing or duplicate journal numbers (where the general ledger system has a logical numbering system);

    entries made at unusual times (e.g. off-peak/overnight) or days (e.g. weekends/holidays);

    large volume of non-standard entries in accounts where there are likely primarily standard entries;

    unusual volume of entries at certain times of the month (last 5 days, first 5 days), quarter, or year; and

    unexpected individuals posting entries (e.g. IT staff, senior management or non-finance personnel).

    When determining the appropriate journals to test, engagement teams need to consider the specific risk conditions/factors identified at the entity. What may be an appropriate approach for one entity might not be appropriate for another. Consider carefully whether the risk conditions/factors you identify are genuinely the risky ones (e.g. do you really think the fraud risk lies with round sum journals posted out of hours?).

    The criteria applied for selecting journals have to be at a level such that potentially fraudulent journals would be tested. However, clearly there is a balance to be sought and this remains a matter of significant professional judgement. Once we have identified our risk criteria, we are required to test all journals that fall within those criteria.
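The sketch below is an added example, not part of the original guidance or any firm tooling: it applies a chosen set of risk criteria to a journal extract and returns every journal that meets any of them, plus a numbering check on the population. The field names, approval threshold, working hours, roles and sample journals are constructed assumptions.

```python
# Added illustration: field names, threshold, hours, roles and sample journals
# are constructed assumptions, not client data or firm tooling.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from decimal import Decimal

APPROVAL_THRESHOLD = Decimal("10000")  # assumed: postings over this need approval
NEAR_MARGIN = Decimal("0.01")          # assumed: "just under" = within 1% below
WORK_HOURS = range(7, 20)              # assumed normal posting hours 07:00-19:59
EXPECTED_ROLES = {"finance"}           # assumed roles expected to post journals
USUAL_REVENUE_OFFSETS = {"cash", "accounts_receivable", "deferred_revenue"}


@dataclass(frozen=True)
class Journal:                         # simplified two-line journal (assumption)
    number: int
    posted: datetime
    user_role: str
    debit_account: str
    credit_account: str
    amount: Decimal


def just_under_threshold(j):
    floor = APPROVAL_THRESHOLD * (1 - NEAR_MARGIN)
    return floor <= j.amount < APPROVAL_THRESHOLD


def unusual_time(j):
    # weekday() is 5 or 6 for Saturday/Sunday; public holidays are not modelled
    return j.posted.weekday() >= 5 or j.posted.hour not in WORK_HOURS


def unexpected_poster(j):
    return j.user_role not in EXPECTED_ROLES


def revenue_without_usual_offset(j):
    return (j.credit_account == "revenue"
            and j.debit_account not in USUAL_REVENUE_OFFSETS)


# The risk criteria chosen for this (hypothetical) entity; edit per engagement.
CRITERIA = {
    "just_under_threshold": just_under_threshold,
    "unusual_time": unusual_time,
    "unexpected_poster": unexpected_poster,
    "revenue_without_usual_offset": revenue_without_usual_offset,
}


def screen(journals):
    """Return (journal number, criteria met) for every journal meeting any criterion."""
    hits = []
    for j in journals:
        met = [name for name, test in CRITERIA.items() if test(j)]
        if met:
            hits.append((j.number, met))
    return hits


def numbering_gaps(journals):
    """Return (missing, duplicated) journal numbers, assuming sequential numbering."""
    counts = Counter(j.number for j in journals)
    missing = sorted(set(range(min(counts), max(counts) + 1)) - set(counts))
    duplicated = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicated


SAMPLE = [  # constructed journals; 29 March 2014 was a Saturday
    Journal(1001, datetime(2014, 3, 31, 10, 15), "finance", "accounts_receivable", "revenue", Decimal("4200.00")),
    Journal(1002, datetime(2014, 3, 31, 14, 5), "finance", "prepayments", "cash", Decimal("9999.99")),
    Journal(1003, datetime(2014, 3, 29, 23, 40), "it", "accruals", "revenue", Decimal("25000.00")),
    Journal(1005, datetime(2014, 4, 1, 9, 0), "finance", "cash", "accounts_receivable", Decimal("1500.00")),
    Journal(1005, datetime(2014, 4, 1, 9, 30), "finance", "rent_expense", "cash", Decimal("800.00")),
]

if __name__ == "__main__":
    for number, met in screen(SAMPLE):
        print(number, ", ".join(met))
    print("missing/duplicated:", numbering_gaps(SAMPLE))
```

Because `screen` returns the whole population that meets the criteria, tightening or loosening a criterion changes how many journals have to be tested, which is the balance the paragraph above describes.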

    Year end testing or testing journals throughout the period

    ISAs (UK&I) require that we test journal entries at the end of the reporting period, including consolidation journals, because fraudulent journal entries are often made at that time. However, fraudulent adjustments could arise during the period. Therefore we need to consider whether to test journals throughout the period (e.g. if our journal testing is a response to the risk of fraud in revenue recognition, then we test journals posted to revenue throughout the period).

    Responding to identified fraud

    When our work indicates that fraud has or may have taken place:

    - the engagement leader calls OGC to discuss the matter;
    - any advice provided by OGC is followed; and
    - the engagement team will also need to complete a suspicious activity report and submit the report to Compliance.

    Further consultations may then be required (e.g. with ARQ).

    The engagement leader and team then discuss and agree a course of action. This may include seeking the advice or involvement of a forensic specialist, for example with regard to:

    - the most appropriate approach to determine the full facts and extent of the fraud and its impact on the financial statements;
    - the communication of the problem and of recommendations for dealing with it to the client;
    - wider legal and regulatory issues; and
    - remedial and asset recovery options.

    The engagement leader will assess whether sufficient additional work has been performed either to ascertain the impact of the fraud on the financial statements, or to gain reasonable assurance that there is no material impact.

    The actual and potential magnitude of the fraud, its nature, the extent of concealment, and the staff involved are all factors to consider when determining the appropriate course of action.

    In situations where adequate information about a suspected act of fraud cannot be obtained, consider the effect of the lack of evidence on our audit report. If we conclude that the effect of the suspected act of fraud on the financial statements might be material, then consider expressing a qualified, or adverse, opinion. If we are precluded by the entity from obtaining sufficient appropriate audit evidence to evaluate whether fraud that may be material to the financial statements has occurred, then consider qualifying our opinion on the basis of a scope limitation, or deny any opinion on the financial statements, following the necessary consultation procedures with ARQ.

    Teams often struggle to identify and articulate the impact of an actual fraud on our audit strategy and plan. Have we considered whether the fraud is isolated to a specific transaction or process? Have we adequately designed procedures to mitigate the risks that have arisen? Does this yield wider concerns around the control environment and management's integrity?

    Consider whether the circumstances surrounding the fraudulent act affect our ability to rely on management's representations or suggest that we should not continue our association with the entity. In reaching decisions on these matters, carefully evaluate whether top management, including the board of directors or its audit committee, gives appropriate consideration to the act after it has been brought to their attention. As ever, consultation is critical in such situations.


    And finally

    Remember that our assessment of the risk of fraud does not stop at the planning phase of the audit, but continues throughout the audit process until we sign. Consider whether any:

    - fraud risk factors changed or whether there are new risk factors which have arisen;
    - of the uncorrected misstatements are indicative of fraud, or fraud risks; and
    - of the control deficiencies identified are indicative of fraud, or fraud risks.

    We need to be alert to the possibility of additional fraud risks being identified as the audit progresses as well as applying professional scepticism throughout the audit process. Where further risks of fraud are identified during the audit, we design an appropriate response to those fraud risks and document full details on the audit file.

    At the end of the audit we need to step back and consider whether:

    - all fraud risks have been identified;
    - fraud risks have been appropriately responded to;
    - sufficient audit evidence has been obtained; and
    - our work is fully documented on the audit file.


    Laws and regulations

    ISA (UK&I) requirements

    The requirements in ISA (UK&I) 250A are designed to assist the auditor in identifying material misstatement of the financial statements due to non-compliance with laws and regulations. However, the auditor is not responsible for preventing non-compliance and cannot be expected to detect non-compliance with all laws and regulations (i.e. the auditor is not meant to go hunting for non-compliance with laws and regulations but we are required to make an informed risk assessment and design a response to any risk of material misstatement of the financial statements due to non-compliance).

    The auditor is responsible for obtaining reasonable assurance that the financial statements, taken as a whole, are free from material misstatement, whether caused by fraud or error. In conducting an audit of financial statements, the auditor takes into account the applicable legal and regulatory framework. Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements in the financial statements may not be detected, even though the audit is properly planned and performed in accordance with the ISAs (UK&I). In the context of laws and regulations, the potential effects of inherent limitations on the auditor's ability to detect material misstatements are greater for such reasons as the following:

    - there are many laws and regulations, relating principally to the operating aspects of an entity that typically do not affect the financial statements and are not captured by the entity's information systems relevant to financial reporting;
    - non-compliance may involve conduct designed to conceal it, such as collusion, forgery, deliberate failure to record transactions, management override of controls or intentional misrepresentations being made to the auditor;
    - whether an act constitutes non-compliance is ultimately a matter for legal determination by a court of law; and
    - ordinarily, the further removed non-compliance is from the events and transactions reflected in the financial statements, the less likely the auditor is to become aware of it or to recognise the non-compliance.

    Engagement teams need to focus on the specific laws and regulations that have a direct impact on the financial statements. Further, where teams identify such applicable laws and regulations, they need to identify how the entity has complied with those laws and regulations (e.g. the Companies Act); it is not sufficient just to say that nothing has come to their attention.

    For other laws and regulations, we need to perform specific procedures to help identify instances of non-compliance which may have a material effect on the financial statements including, where an entity is regulated, inspecting any correspondence with the regulatory authorities and considering, and documenting, the impact, if any, on the audit strategy and plan.

    What does this mean in practice?

    We need to have discussions within the team and with the management of the entity, including the audit committee where one exists, as to what laws and regulations impact them, focussing on those which, if there was non-compliance, could have a material impact on the financial statements. In our team discussions, this will utilise prior year knowledge and experience of similar entities within the same industry.

    We also discuss with the individuals at the entity responsible for compliance matters how they ensure that the entity complies with relevant laws and regulations as well as enquiring whether there has been any non-compliance and obtaining details. In larger clients, an in-house legal or compliance department may be responsible for managing the entity's compliance with laws and regulations. In smaller organisations, this is often more informal and may be performed by someone in the finance team.

    Consider disclosures made in the annual report such as in the principal risks and uncertainties section. Has the entity identified laws and regulations which we have not considered? If so, document our consideration of these areas. Some areas which are often covered in the principal risks and uncertainties in annual reports include the Bribery Act, compliance with operating permits, health, safety, environmental and security risks and infringement of intellectual property of others.


    As ever, document the team discussions as well as those with management.

    We also consider correspondence with legal advisers and may also need to discuss issues arising with an entity's in-house and/or external legal counsel. If this happens after we have performed our initial assessment, then we need to update and revise our assessment of the risk of non-compliance accordingly.

    In regulated industries, we read correspondence with regulators; it is worth noting that regulators are becoming more active. We also check whether there are press reports of regulatory action within the industry to consider whether the same issues could impact our entity and discuss the matter with those charged with governance.

    The procedures below may help identify instances of non-compliance with other laws and regulations that may have a material effect on the financial statements:

    - use our existing understanding of the entity's industry, regulatory and other external factors;
    - read board minutes;
    - read last year's annual report or the latest draft;
    - review the whistleblowing log;
    - enquire of management and the entity's in-house legal counsel, or external legal counsel regarding litigation claims and assessments;
    - enquire of management as to other laws and regulations that may impact them;
    - enquire of management as to the entity's policies and procedures regarding compliance with laws and regulations;
    - enquire of management as to the entity's policies for accounting for litigation claims;
    - inspect correspondence, if any, with the relevant licensing or regulatory authorities; and
    - perform internet searches on competitors to see if there have been any significant fines or penalties enforced as a result of non-compliance with laws and regulations; determine and assess if similar situations could be applicable for your client.

    The above procedures enable us to assess the risk of non-compliance with laws and regulations and more effectively document our rationale in this area.

    In addition, we document our evaluation of the design and implementation of controls at the entity in respect of the risk of non-compliance with laws and regulations. We also clearly document our responses to identified risks of non-compliance with laws and regulations.

    We also include in our representation letter a representation from those charged with governance that all known instances of non-compliance or suspected non-compliance with laws and regulations whose effects should be considered when preparing the financial statements have been disclosed to us.

    Finally, remember to consider the potential impact of the Bribery Act 2010; see below for more information.

    Written representations also provide audit evidence about management's knowledge of identified, or suspected, non-compliance with laws and regulations, whose effects may have a material impact on the financial statements.

    Bribery Act 2010 and Transparency International

    We need to assess whether there is a risk of the financial statements being materially misstated as a result of the entity making questionable payments which might be deemed to be bribes, and consequently result in non-compliance with the Bribery Act 2010; this could have significant financial consequences for the entity. This means, for example, considering the culture and business practices within the industries and countries in which the entity operates, to understand the risks of such payments, and also the consequences to the entity in the event of non-compliance.


    Transparency International has produced resources that can help in our audits. They are the UK's leading anti-corruption organisation and you might be aware of the Corruption Perceptions Index and Bribe Payers Index which they update periodically. These indices can help us identify countries where there may be a heightened risk, and these can be useful as part of our risk assessment:

    - the 2013 Corruption Perceptions Index measures the perceived level of public sector corruption in 176 countries and territories around the world; and
    - the 2011 Bribe Payers Index ranks the likelihood of companies from 28 leading economies winning business abroad by paying bribes.

    These indices can be used to assess how the country that your entity is based in, or trades with, ranks in terms of public sector corruption and the likelihood that they might win business abroad by paying bribes.

    In addition, if we use the work of auditors in countries with a low index (i.e. in a country where there is a high risk of bribery and corruption), then we carefully consider what procedures we need to perform to satisfy ourselves about the quality of their work and document our considerations and findings.

    Please refer to the 2013 corruption perceptions index and bribery index for detailed information about different countries and then document the impact on your audit.

    Where we have assessed risks in the area of questionable payments being made, we understand how the client has responded to the Bribery Act 2010 to enable us to complete our assessment of the risk of non-compliance with laws and regulations. Therefore, as part of our discussions with management, those charged with governance, etc., we discuss what processes and controls they have in place to ensure compliance with the Bribery Act 2010, including the results of any whistle-blowing by employees or others.

    Required communications

    It is likely we will identify matters that we want to communicate with management (e.g. deliberate instances of non-compliance by management need to be communicated to the entity's legal counsel, the audit committee and the board of directors as appropriate).

    If we suspect that members of senior management are involved in the non-compliance, then you need to consult with ARQ and, where appropriate, OGC.

    When we audit the parent company, and another office audits a component, matters related to the component need to be communicated to the group engagement team, and vice versa.

    Audit opinion

    We need to consider the impact on the audit opinion of any non-compliance. What action we take depends on the results of our work and whether sufficient audit evidence has been obtained, what actions the entity has taken, what has been disclosed in the financial statements, and any uncertainties.

    For example, where the entity has paid an illegal dividend, if the entity has made appropriate disclosures and taken action to recover, or has recovered, the dividends, then we may conclude that there is no impact on the audit report. If no disclosures are made and the matter is material, then we have a disagreement with management and would issue a modified opinion.

    Remember, if you are thinking about issuing an emphasis of matter or modified opinion, then you are required to consult with ARQ.


    Materiality

    Overall materiality

    Our assessment of materiality for the financial statements as a whole is termed overall materiality. We apply professional judgement to determine overall materiality when establishing the overall strategy for the audit based on the results of risk assessment analytical procedures, our understanding of the entity and its environment and discussions within the engagement team. Overall materiality is also considered in evaluating the effect of identified uncorrected misstatements on the financial statements as a whole and the opinion in our audit report (PwC Audit 9015). When the determination of materiality is particularly complex or judgemental, ARQ is consulted.

    We determine a single quantitative level (that is, one number) of overall materiality based on a selected benchmark (e.g. profit before tax) that is relevant to users of the financial statements. Overall materiality based on this benchmark is applied to the financial statements as a whole and forms the basis for calculating performance materiality. Applying separate quantitative levels of overall materiality (e.g. a certain materiality level for the profit and loss account and a different materiality level for the balance sheet) will not enable us to plan our audit effectively to detect material misstatements. See PwC Audit 2104 for further guidance on materiality for particular classes of transactions, account balances or disclosures.

    Professional judgement

    Engagement teams apply their professional judgement in determining materiality levels rather than defaulting to a mechanical calculation based on PwC Audit 2102. Engagement leaders often know, based on their experience and knowledge of the entity, what an appropriate materiality level should be and are able to articulate their thought process in determining that materiality. In such instances, teams can use this as a starting point to fit it into the framework guidance in PwC Audit 2102. We need to balance the materiality framework set out in the Audit Guide with the application of judgement in light of the specific circumstances of the entity for the period being audited.

    Total assets

    Where total assets is used as the benchmark in determining overall materiality, there is a distinction between PIEs which are not-for-profit and those PIEs which are other than not-for-profit. For not-for-profit entities we can use up to 0.5% of total assets, whereas for other than not-for-profit entities we can use up to 1% of total assets for PIEs and up to 2% for non-PIEs.

    Alternative benchmarks

    When alternative benchmarks are used (e.g. total revenue for a profit-oriented entity), it is normally expected that the alternative benchmark, together with the generally accepted benchmark, will be evaluated and materiality would be set using professional judgement and based on the most appropriate benchmark in the circumstances of the entity being audited.

    When using an adjusted profit-based benchmark, it is necessary to consider whether the benchmark is relevant to the users of the financial statements and that the benchmark has been identified by the directors as a financial key performance indicator in the annual report. It is difficult to argue that a benchmark should be used on the basis that it is relevant to users of the financial statements if it is not talked about in the annual report and does not appear in the financial statements in a prominent position (e.g. on the face of the income statement). If you do consider a measure to be appropriate which has not been identified by the directors as a financial key performance indicator in the annual report, then include a clear and robust rationalisation of your decision on the audit file. Consultation with ARQ is also recommended in such situations.

    Common adjustments to profit may include interest, tax, amortisation, depreciation and exceptional items or, in the context of owner-managed businesses, remuneration. In the case of exceptional items, exceptional credits, which are often ignored, as well as debits need to be taken into consideration. Whilst other adjustments may be made, they can only be regarded as appropriate if the adjusted-profit measure is demonstrably of interest to users as outlined above as may be the case in determining an underlying profit measure. However, remember that in some cases we will need to explain our benchmark in the audit report or to others. For example, do you think that using a measure of PBT adding back x, y and z and averaging over three or five years would look sensible?


    Where adjustments to profit other than those listed above are being considered, contact ARQ by logging an enquiry on IGLO to discuss whether the proposed adjustments are appropriate in the circumstances. Whatever adjustments are made to profit, the documentation in the audit file needs to clearly set out the factors considered in using that benchmark and hence why the adjustments were considered to be appropriate adjusting items.

    Once the benchmark has been determined, consideration of the appropriate rule of thumb is required. In the scenario of a profit-oriented PIE where 5% of PBT could be used, using 5% of an adjusted profit benchmark may not always be appropriate. In considering whether the rule of thumb applied is appropriate, the proposed overall materiality as a percentage of PBT is calculated to assess whether it remains reasonable. In other words, taking 5% of an adjusted profit measure which equates to 30% of PBT may not be a sensible option as we have to have regard to PBT as users will not ignore PBT totally. The documentation will therefore include the rationale for the rule of thumb being applied.

    In the situation where the adjustments to PBT represent genuinely one-off exceptional items (debits and/or credits), a 5% rule of thumb is normally considered acceptable.

    We also need to bear in mind situations where we are required to disclose the basis on which overall materiality has been determined in the audit report. In such situations, consider how you will describe your overall materiality to users of the financial statements.

    Performance materiality

    The AQR team's thematic review on materiality identified that auditors should demonstrate consideration of risk in setting performance materiality and avoid, as a default, simply setting this at the highest level allowed under the firm's guidance.

    The Audit Guide has been updated to provide three specific levels of haircut (10%, 25% and 50%) which can be applied as appropriate. Rather than using any haircut percentage within the range of 10% to 50%, engagement teams are encouraged to choose between the three haircut percentages based on evaluating relevant risk factors, although we expect the 10% haircut to be used in rare circumstances.

    Engagement teams currently using other haircut percentages (e.g. 33%, 40%) need to consider the appropriateness of continuing to do so and are encouraged to select one of the specific percentages above to promote further consistency across our audit engagements and increase efficiency of our documentation. Consider whether changing the haircut (e.g. from say 33% to 25%) is appropriate and document the rationale. However, it is generally not expected to result in significant changes in the aggregation risk, as long as the engagement team appropriately consider the related factors. Teams may consider consulting when the factors affecting the haircut percentage have changed significantly.


    The following table summarises the factors supporting various haircut percentages:

    Factors supporting the haircut* (haircut levels: 10%, 25%, 50%)

    History of misstatements

    - 10%: History of limited, or no, booked or proposed audit adjustments.
    - 25%: History of limited, or no, booked or proposed audit adjustments.
    - 50%: History of frequent audit adjustments. Significant management turnover that suggests a potential increase in the frequency of audit adjustments.

    Risk assessment and aggregation risk

    - 10%: The characteristics of the company being audited result in low aggregation risk related to potential misstatements arising from environmental factors (e.g. sufficient qualified management resources are present, there is low pressure to achieve targeted results, the company does not operate in a high risk industry). Aggregation risk is low related to potential misstatements because there are a limited number of significant accounts and a limited number of locations.
    - 25%: The characteristics of the company being audited result in low to medium aggregation risk related to potential misstatements arising from environmental facto