1. Overview of audits and reviews of financial statements

Transcription

1 1. Overview of audits and reviews of financial statements 1. Overview of audits and reviews of financial statements 1:2 Introduction to the chapter 1:2 What is an audit? 1:2 What is a review? 1:3 Australian Auditing and Assurance Standards 1:3 Over-arching principles 1:3 Independence and ethical principles 1:3 Professional judgment and scepticism 1:4 Documentation 1:5 Quality control 1:5 Detailed methodology 1:6 Audit 1:6 Acceptance and continuance phase 1:8 Planning 1:9 Performing the audit 1:18 Evaluate, report and wrap-up 1:24 Review engagements 1:28 Over-arching principles 1:29 Acceptance and continuance 1:29 Planning 1:29 Performing 1:30 Evaluation, report and wrap-up 1:31 Appendices 1:33 Appendix 1A Ethical clearance letter 1:34 Appendix 1B Example consent to act letter 1:35 Appendix 1C Planning memorandum 1:36 Appendix 1D Fraud testing workpaper 1:42 Appendix 1E Completion memorandum 1:44 Appendix 1F Auditing standards relevant to the conduct of a financial report 1:48

2 Small entities audit manual Overview of audits and reviews of financial statements Introduction to the chapter This chapter is applicable for audits and reviews of financial statements, it provides an overview of the requirements of the Australian Auditing Standards and a methodology which can be followed in performing these engagements. In this guide, this chapter should be used as reference for the following engagements: Audit of a Self Managed Superannuation Fund (SMSF) audit of the financial report Chapter 2; Audit/review of an association Chapter 3; Audit/review of a company limited by guarantee Chapter 4. What is an audit? An audit is an independent examination of the financial statements to enhance the degree of confidence of intended users in the financial statements. This is achieved by the expression of an opinion by the auditor on whether the financial report is prepared, in all material respects, in accordance with an applicable financial reporting framework. An audit provides reasonable assurance. To be in a position to express an audit conclusion in the positive form required in a reasonable assurance engagement, it is necessary for the auditor to obtain sufficient appropriate evidence as part of a systematic engagement process involving the following: Obtaining an understanding of the subject matter and other engagement circumstances which, depending on the subject matter, includes obtaining an understanding of internal control. Based on that understanding, assessing the risks that the subject matter information may be materially misstated. Responding to assessed risks, including developing overall responses, and determining the nature, timing and extent of further procedures. Performing further procedures clearly linked to the identified risks, using a combination of inspection, observation, confirmation, re-calculation, re-performance, analytical procedures and enquiry. Such further procedures involve substantive procedures including, where applicable, obtaining corroborating information from sources independent of the responsible party, and depending on the nature of the subject matter, tests of the operating effectiveness of controls. Evaluating the sufficiency and appropriateness of evidence. The auditor obtains sufficient, appropriate audit evidence to ensure the risk of a material misstatement is reduced to an acceptably low level. All steps of the audit are linked together and are illustrated below: 1:2 Each of these phases, key tasks within each component and deliverable documents will be discussed in this chapter.

3 1. Overview of audits and reviews of financial statements What is a review? A review is designed to provide limited assurance (rather than the higher, reasonable assurance in an audit) that the financial report is free from material misstatement. A review consists of making enquiries, primarily of persons responsible for financial and accounting matters, and applying analytical and other review procedures. A review may bring significant matters affecting the financial report to the reviewer s attention, but it does not provide all of the evidence that would be required in an audit. Hence a review does not provide a basis for expressing an opinion whether the financial report is presented fairly, in all material respects, in accordance with the applicable financial reporting framework. The objective of the reviewer is to plan and perform the review to form a conclusion whether, on the basis of the review, anything has come to the reviewer s attention that causes the reviewer to believe that the financial report is not prepared, in all material respects, in accordance with the applicable financial reporting framework (i.e. a negative opinion is provided). Australian Auditing and Assurance Standards All audits and reviews of financial statements, regardless of size and nature, must be conducted in accordance with Australian Auditing Standards (ASAs) and Standards on Review Engagements (ASREs) as issued by the Auditing and Assurance Standards Board (AUASB). These standards are available on: < or in the CPA Australia Auditing, Assurance and Ethics Handbook. Appendix 1 to this guide includes a list of all Auditing and Assurance Standards which are current at the date of publication. Over-arching principles Prior to discussing the detailed phases of an audit and a review, we will cover the over-arching principles for both an audit and a review: Independence and ethical principles; Professional judgment and scepticism; Documentation; and Quality control. Independence and ethical principles ASA 102 Compliance with ethical requirements when performing audits, reviews and other assurance engagements provides that the auditor shall comply with relevant ethical requirements, including those pertaining to independence, when performing audits, reviews and other assurance engagements. ASA 102 defines relevant ethical requirements as including the applicable requirements of APES 110 Code of Ethics for Professional Accountants, the applicable provisions of the Corporations Act 2001 and other applicable law or regulation. APES 110 would be the guidance for the engagements covered in this publication with the Corporations Act 2001 also to be consulted where an audit/review of a Company Limited by Guarantee is being performed. APES 110 states that ethical principles governing the auditor s professional responsibilities include: integrity; objectivity; professional competence and due care; confidentiality; professional behaviour. The concepts of objectivity and independence are fundamental to auditing, since the auditor s objective is to enhance, through the expression of an independent opinion, the credibility of the reported financial information of an entity. The conceptual framework approach in APES 110 requires auditors to identify, evaluate and respond to any identified threats that may compromise compliance with the fundamental principles. If the identified threats 1:3

4 Small entities audit manual 2013 are anything other than clearly insignificant, auditors are required to apply safeguards to eliminate such threats or reduce them to an acceptably low level so that compliance with the fundamental principles is no longer compromised. If appropriate safeguards cannot be implemented then the engagement should be declined or discontinued. ASA 220 Quality Control for an Audit of a Financial Report and Other Historical Financial Information requires the engagement partner on an audit to form a conclusion on compliance with the independence requirements applying to the audit engagement which are contained in the Code of Ethics this should be considered as part of the acceptance and continuance phase early in the audit cycle and the conclusion should be documented. Additional resources available on independence are: Independence guide (version 3, June 2008) issued by the Joint Accounting Bodies; APES 110 Code of Ethics published by the Accounting Professional and Ethical Standards Board; Guidance Statement GS009 Auditing Self-Managed Superannuation Funds (August 2011) published by the Auditing and Assurance Standards Board; Corporations Act 2001 section 324. Professional judgment and scepticism Professional judgment The auditor applies professional judgment to reach appropriate decisions concerning the engagement in the given situation. When exercising professional judgment, the auditor maintains independence and objectivity and adopts an attitude of professional scepticism in order to achieve the audit objectives. Professional judgment is necessary in particular regarding decisions about: Materiality and audit risk. The nature, timing and extent of audit procedures in accordance with auditing standards. Evaluating whether sufficient appropriate audit evidence has been obtained, or further procedures are required to meet the audit objectives and the requirements of standards. The evaluation of management s judgments in applying the entity s applicable financial reporting framework. The drawing of conclusions based on the audit evidence obtained. Professional scepticism The auditor is required to maintain an attitude of professional scepticism while planning and performing the audit engagement. Professional scepticism means: Not accepting the evidence you have gathered at face value. Continuing to pursue all avenues of inquiry on the topic at hand. Critically assessing evidence without being overly suspicious or cynical. Increasing your awareness of how supporting documentation is selected and the amount of documentation that is collected. Corroborating management explanations or representations concerning material matters. Professional scepticism does not mean placing doubt on the honesty of the management, if the auditor has previously found management honest and operating with integrity then this should be considered. Professional scepticism includes being alert to, for example: Audit evidence that contradicts other audit evidence obtained. Information that brings into question the reliability of documents and responses to inquiries to be used as audit evidence. Conditions that may indicate possible fraud. Circumstances that suggest the need for audit procedures in addition to those required by the Australian Auditing Standards. 1:4

5 1. Overview of audits and reviews of financial statements Documentation Documentation is vital to understanding the auditor s process and conclusions, on smaller audits which are performed by a small team (or a sole practitioner), the documentation on an audit file is often insufficient, this is mainly because most of the knowledge is contained within the auditor s mind it is important to remember that an experienced auditor with practical audit experience should be able to reach the same conclusions as the auditor from reviewing the audit documentation. The detailed requirements and guidance for audit documentation are included in ASA 230 Audit documentation. Although in smaller audits the documentation may be limited, the auditor is required to document matters which are important to support the audit opinion and provide evidence that the audit was carried out in accordance with Australian Auditing Standards. On a timely basis, the auditor will prepare audit documentation that provides: A sufficient and appropriate record of the basis for the audit report; and Evidence that the audit was performed in accordance with Auditing Standards and applicable legal and regulatory requirements. The audit documentation will be prepared to allow an experienced auditor, having no previous connection with the audit, to understand: The nature, timing and extent of the audit procedures performed to comply with Auditing Standards and applicable legal and regulatory requirements; The results of the audit procedures and the audit evidence obtained; and Significant matters arising during the audit and the conclusion reached thereon. The audit workpapers should record: The identifying characteristics of the specific items or matters tested (i.e. receivables greater than 60 days); Who performed the audit work and the date such work was completed; and Who reviewed the audit work performed and the date and extent of such review. The current years working paper files document the planning, execution and results of the audit procedures supporting the audit reports for that financial year: the files should stand alone in providing sufficient appropriate audit evidence unless they are appropriately referenced to other files. Procedures for maintaining the confidentiality, safe custody, integrity, accessibility and retrievability of audit documentation should be established and documented as part of the auditor s quality control processes. Quality control The relevant standards for an auditor to consider with respect to quality control are: ASA 220 Quality Control for an Audit of a Financial Report and Other Historical Financial Information; ASQC 1 Quality Controls for Firms that Perform Audits and Reviews of Financial Reports, Other Financial Information and other Assurance Engagements; and APES 320 Quality Control for Firms. These standards deal with the auditor s responsibilities for its system of quality control for audits and reviews of financial reports, other financial information, and other assurance engagement, i.e. they are relevant for all engagements covered by this guide. The auditor has an obligation to establish and maintain a system of quality control to provide it with reasonable assurance that: a) The firm and its personnel comply with Australian Auditing Standards, relevant ethical requirements, and applicable legal and regulatory requirements; and b) The Reports issued by the firm or engagement partners are appropriate in the circumstances. The engagement partner is responsible for implementing procedures to ensure quality control systems are applied to both the financial audit and compliance engagements including: Taking responsibility for overall quality on the financial audit and compliance engagement. Considering whether members of the engagement team have complied with relevant ethical requirements. 1:5

6 Small entities audit manual 2013 Forming a conclusion on compliance with relevant independence requirements. Ensuring that requirements in relation to acceptance and continuance of client relationships and specific audit engagements have been followed and that conclusions reached are appropriate and have been adequately documented. Assigning audit engagement teams which possess collectively the appropriate capabilities, competence and time to perform the engagements in accordance with AUASB Standards and regulatory and legal requirements. Directing, supervising and performing the audit engagement in accordance with AUASB Standards and regulatory and legal requirements. Issuing an auditor s report that is appropriate in the circumstances and supported by sufficient appropriate audit evidence. Consulting appropriately on difficult or contentious matters both within the engagement team and with others within or outside the firm, and documenting and implementing agreed conclusions. Monitoring quality adequately against firm and professional standards, including the ASAs and ASAEs. Further information on the Quality Control Manual and relevant standards does not form part of this guide, however CPA Australia has the following resources available to assist in the development and maintenance of the manual. Quality Control Manual Published by CPA Australia Revised October Quality Control A Short-Form Guide Published by CPA Australia December Detailed methodology This section provides an overview of a methodology for: The audit of financial statements; and The review of financial statements. The methodology is written for a generic small entity and specific requirements for the entities covered in this guide, SMSFs, Incorporated Associations and Companies Limited by Guarantee, can be found in the relevant chapter. This methodology is a guide only and is not a substitute for reading the Australian Auditing Standards. Auditors need to satisfy themselves that their audits are in compliance with all relevant requirements of the Auditing Standards. Audit The audit approach is risk-based with a focus on understanding each client s business and identifying risks associated with the client, the audit engagement and financial statements. The audit is split into different phases as illustrated and the purpose of each summary phase of the audit is shown below: Acceptance and continuance to ensure that the audits undertaken by the auditor are appropriate. Planning to obtain an understanding of the entity and its environment, including its internal control and the risks of material misstatement, to allow the audit approach to be set. Performance and review to obtain sufficient, appropriate audit evidence which reduces the risk of material misstatement to an acceptably low level. Evaluation, report and wrap-up to ensure that the final audit file supports the audit opinion and the deliverables as set out in the engagement letter are provided. The diagram shows an overview of the methodology and each phase is discussed further. 1:6

7 1. Overview of audits and reviews of financial statements 1:7

8 Small entities audit manual 2013 Acceptance and continuance phase Client acceptance and continuance evaluation process An evaluation process shall take place for both new clients/engagements and on an ongoing basis to ensure that the auditor is not performing an audit or review that: he or she is not sufficiently experienced or resourced to perform; has an unacceptably high risk level or; would cause a breach of independence requirements. This process is required to be documented and updated throughout the engagement, as appropriate. The factors to consider during this process include: conflicts of interest/independence issues; known or suspected breaches of legislation; use of experts or the need for specialist skills; reputation of those charged with governance; appropriateness of the fees based on the work to be performed; ethical issues arising, i.e. could the business sector cause any reputational risk for the auditor; reporting requirements of the entity; whether the auditor has appropriate resources. For an existing client, the auditor should consider whether there has been any change in circumstances, for example: new business activities; changes in key personnel; ownership changes. Appointment and resignation of auditors Once the auditor has completed the acceptance procedures and consents to act as auditor then ethical clearance should be requested from the existing auditor (see Appendix 1A) and if this is satisfactory then a consent to act letter is issued to the client (see Appendix 1B). Australian Securities and Investments Commission (ASIC) permission for resignation is not required for any of the entities covered in this guide. Agreeing the terms of an audit engagement (ASA 210) Once the evaluation process described above has been undertaken then the auditor needs to: a) Establish whether the preconditions for an audit are present (see below); and b) Confirm that there is a common understanding between the auditor and management and, where appropriate, those charged with governance of the terms of the audit engagement. Preconditions for an audit The preconditions require an auditor to: Determine whether the financial reporting framework to be applied in the preparation of the financial report is acceptable where special purpose financial statements are being prepared then the auditor needs to understand the compliance with Australian Accounting Standards and form a view on whether this is an acceptable framework; 1:8

9 1. Overview of audits and reviews of financial statements Obtain the agreement of client management that it acknowledges and understands its responsibility: + For the preparation of the financial report in accordance with the applicable financial reporting framework, including where relevant their fair presentation; + For such internal control as management determines is necessary to enable the preparation of the financial report that is free from material misstatement, whether due to fraud or error; and + To provide the auditor with: a) Access to all information of which management is aware that is relevant to the preparation of the financial report such as records, documentation and other matters; b) Additional information that the auditor may request from management for the purpose of the audit; and c) Unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence. Engagement letter The engagement letter provides the means of agreeing the terms of the engagement with the client and should include at least the following: a) The objective and scope of the audit of the financial statements; b) The responsibilities of the auditor; c) The responsibilities of management; d) Identification of the applicable financial reporting framework for the preparation of the financial report; and e) Reference to the expected form and content of any reports to be issued by the auditor and a statement that there may be circumstances in which a report may differ from its expected form and content. The letter should also outline the general audit procedures to be performed, including a review of internal controls over accounting information. An engagement letter does not need to be issued each year, unless there is a change in the terms of the engagement, however best practice is that that letter is reissued at least every 3 years. An example of an engagement letter is included in Appendix 1 of ASA 210 and example letters have been included in the relevant chapters of this guide. Planning In this phase of the audit, the auditor needs to: obtain sufficient knowledge of the client to identify and understand the events, transactions and practices, that in their judgement, may have a significant impact on the financial statements or audit reports, to enable them to plan the audits and design effective audit strategies; document and perform an initial design assessment of systems and key controls in place to assess the financial statement assertions; gain an understanding of the risks in the business and assess the risk of misstatement of each account balance at the assertion level; 1:9

10 Small entities audit manual 2013 establish an audit approach and procedures which reflects the results of the initial systems and controls assessment, risk assessment and understanding of the business and will ensure that the risk of a material misstatement is reduced to an acceptably low level. Audit plan The auditor plans an audit in accordance with ASA 300 Planning an audit of a financial report and set out how the audit will be conducted. It is essential that all audit planning is documented, the level of documentation will vary based on the size and complexity of the audit. Small, simple engagements may cover the planning phase of an audit in just a few pages, whereas larger or more complex audits may have substantial audit plans. In determining whether the documentation is appropriate, consider the experienced auditor with practical audit experience and whether he or she would be able to come to the same planning decisions as you. The key outcome from the planning phase of the audit is the proposed audit plan which is compiled using various sources of information available to the auditor. Planning should be continuous throughout the engagement and the audit plan should be updated during the course of the audit, as necessary. The plan should be based on the auditor s knowledge of the business, including a thorough knowledge of all legislative, accounting and auditing requirements. The auditor should also understand the process for the preparation of financial information and deadlines. ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment emphasises the importance of such knowledge in identifying where the risks of material misstatement are likely to occur. This information, together with background knowledge of the client, should be documented and included in the planning memorandum. As well as the above, the planning memorandum should cover a number of areas including: understanding the client e.g. industry, regulatory and other external factors (nature of the entity, including accounting policies; objectives, strategies and related business risks; measurement and review of performance; control environment; identification of critical audit objectives; reporting deadlines; materiality; budgets and staffing; items noted from prior years; preliminary analytical reviews; overall intended approach. Using information obtained in prior audits When the auditor intends to use information about the client and its environment obtained in prior periods, they need to determine whether changes have occurred that may affect the relevance of such information in the current audit. Superseding another auditor A new auditor is required to consider the opening balances of the financial statements for the year in which the auditor was appointed, in accordance with ASA 510 Initial audit engagements opening balances. ASA 510 requires the auditor to obtain sufficient appropriate evidence that: the opening balances do not contain misstatements that could materially affect the current year s financial statements; the prior year s closing balances were correctly brought forward to the current year or, when appropriate, were restated; appropriate accounting policies were consistently applied or changes to accounting policies have been adequately presented and disclosed. 1:10

11 1. Overview of audits and reviews of financial statements To obtain the required evidence, the auditor may need to inspect the previous auditor s work papers to gain comfort over the prior year financial statements and audit. The auditor should liaise with the other auditor during the planning stage to arrange access to the prior year audit file and other relevant documentation (if required). Where the auditor is unable to review the previous auditor s work, or has decided not to rely on such work, then additional audit procedures should be performed. Other suggested procedures are contained in ASA 510 (paragraph 7 and A6-A7) and the auditor should plan the extent and timing of these to ensure that the audit or review of the financial report will be completed efficiently and on time. Business understanding Significant effort is spent in understanding the business, performing risk assessments and understanding systems and controls to plan better focused and more efficient substantive audit procedures, which should mean that the auditor is better able to identify relevant risks, understand their true impact, and design the most effective way of obtaining the necessary audit evidence as well as providing better management of the auditors professional risk and management of the client relationship. Under ASA 315, the auditor must understand the following aspects of the client s business on all engagements. The specific considerations under each aspect should be documented in the audit plan. Industry, regulatory and other external factors, i.e. understanding of: + Industry conditions including: Competitive environment. Supplier and customer relationships. Technological developments. + Regulatory environment including: Applicable financial reporting framework. The legal and political environment and environmental requirements. + General economic conditions. Nature of the entity (including accounting policies), i.e. understanding of: + Business operations. + Ownership and governance arrangements. + Investments and investment activities. + Structure and financing. + Financial reporting: Appropriate for the business? Consistent with the applicable financial reporting framework? Consistent with policies adopted by the relevant industry? Entity s selection and application of accounting policies, i.e. understanding of: + Methods used to account for significant and unusual transactions. + Effect of significant accounting policies in controversial or emerging areas. + Changes in the entity s accounting policies. + Financial reporting standards and laws and regulations that are new to the entity. Objectives, strategies and related business risks, i.e. understanding of: + Future direction of the business. + Risks which may prevent the business achieving its objectives. Measurement and review of performance, e.g. understanding of: + Key performance indicators. 1:11

12 Small entities audit manual 2013 Components of internal control entity level In addition, the auditor needs to gain an understanding of the five components of internal control, i.e. understanding of: Control environment: this refers to the attitude of the company, management, and staff regarding internal controls. Do they take internal controls seriously, or do they ignore them? Risk assessment: the auditor needs to evaluate whether management has identified its riskiest areas and implemented controls to prevent or detect errors or fraud that could result in material misstatements. For example, has management considered the risk of unrecorded revenue or expense transactions? Control activities: These are the policies and procedures that help ensure that management s directives are carried out. For example, is there a policy that all company cheques for amounts more than $5,000 require two signatures? Information and communication: The auditor has to understand management s information technology, accounting, and communication systems and processes. This includes internal controls to safeguard assets, maintain accounting records, and back up data. Monitoring: This component involves understanding how management monitors its controls and how effective the monitoring is. The best internal controls are worthless if the company doesn t monitor them and make changes when they aren t working. Analytical procedures Auditors also perform analytical procedures during this phase to obtain an initial understanding of what the financial statements reflect, (e.g. what has changed, what has not, in what direction and by how much). They also help to identify relevant financial information and trends to see areas in which audit effort needs to be focussed which may assist to identify possible areas of audit risk, e.g. new finance obtained which has covenants attached. The analytical procedures within this phase are high-level procedures using review of management accounts/trial balance and key ratios for the client, for example current ratio, interest cover to add to the understanding of the business. The Auditor does not need to corroborate figures at this time. Trends that are inconsistent with the auditor s knowledge of the activities of the entity during the year may indicate areas of increased risk of error or misstatement. Audit risk Audit risk is the risk that the auditor expresses an inappropriate opinion when the financial report is materially misstated. In an audit engagement where the auditor provides reasonable assurance, the auditor reduces audit risk to an acceptably low level as the basis for a positive form of expression of the auditor s opinion. Audit risk is comprised of the following components: i. Inherent risk: the susceptibility of the subject matter information to a material misstatement, assuming that there are no related controls (i.e. ignore the existence of controls in place); ii. Control risk: the risk that a material misstatement that could occur will not be prevented, or detected and corrected, on a timely basis by related internal controls. When control risk is relevant to the subject matter, some control risk will always exist because of the inherent limitations of the design and operation of internal control (i.e. consider the strength of controls put in place by the client); and iii. Detection risk: the risk that the auditor will not detect a material misstatement that exists. 1:12

13 1. Overview of audits and reviews of financial statements Inherent risk There are a number of factors which can increase inherent risk, some of these have been described below Environment and external factors: + State of the economy: The general level of economic growth is affects all businesses. + Availability of financing: Another external factor is interest rates and the associated availability of financing. Prior-period misstatements: If a company has made mistakes in prior years that weren t material, those errors still exist in the financial statements. The Auditor has to aggregate prior-period misstatements with current year misstatements to see if they need to ask the client to adjust the account for the total misstatement. Susceptibility to theft or fraud: If a certain asset is susceptible to theft or fraud, the account or balance level may be considered inherently risky. For example, if a client has a lot of customers who pay in cash, the cash account is going to have risk associated with theft or fraud because of the fact that cash is more easily diverted than customer cheques or credit card payments. Looking at industry statistics relating to inventory theft, the Auditor may also decide to consider the inventory account as inherently risky. Small inventory items can further increase the risk of this account valuation being incorrect because those items are easier to conceal (and therefore easier to steal). Items which have a high inherent risk are significant risks and subject to additional procedures as discussed below. Significant risks When considering the inherent risks faced by the entity, the auditor determines whether any of the risks identified are, in the auditor s judgement, a significant risk. In exercising this judgement, the auditor shall exclude the effects of identified controls related to the risk (i.e. the assessment should be based on inherent risk only). Significant risk means an identified and assessed risk of material misstatement that, in the auditor s judgement, requires special audit consideration. In exercising judgement as to which risks are significant risks, the auditor shall consider at least the following: a) Whether the risk is a risk of fraud; b) Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention; c) The complexity of transactions; d) Whether the risk involves significant transactions with related parties; e) The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and f) Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual. If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the entity s controls, including control activities, relevant to that risk. The audit tests should also cover this specific risk. Control risk The internal controls put in place by the entity have the goal of producing accurate and effective reporting. Some examples of control activities and the specific procedures that should be in place in an adequate control environment: Segregation of duties: In particular, this applies to authorisation, custody, and recordkeeping. For example, the person who requests an order of computer components shouldn t be the person who authorizes the request. The physical custody of the computer components after receipt should be the task of a third employee. The business should also have yet another employee keeping files of the related purchase orders and paid invoices. Adequate documents and records: The entity must maintain source documents like purchase orders, paid invoices, and customer invoices in a proper filing system. A classic documentation control is using prenumbered documents and saving voided documents. If the Auditors sees a missing invoice number with no void information, they know that the entity may have sales that haven t hit its financial records. 1:13

14 Small entities audit manual 2013 Physical control of assets and records: This includes providing safe and secure locations for the assets, tagging furniture and equipment, and having backup procedures for records should they be misplaced or lost in a fire or flood. If control risk is high, the Auditor has to perform increased substantive testing since they place a lot of trust in the information the client gives them. In many smaller entities, the controls in place over the key information systems are not adequate and therefore control risk is high. Detection risk Detection risk is the risk of the auditor not detecting an error in the financial statements and can occur when the auditor does not use the right audit procedures, doesn t use them correctly or as a result of an audit not testing every transaction. The auditor assesses inherent and control risk and then determines the appropriate detection risk to reduce your audit risk to an acceptable level. Detection risk can never be completely eliminated because the auditor will never look at each and every transaction. Good planning can assist with minimising detection risk which has three components: Incorrectly performing an audit test; Incorrectly interpreting results of an audit test; Choosing the incorrect audit test for the assertion. ASA 315 requires the auditor to identify and assess the risks of material misstatement at the financial report level and at the assertion level for classes of transactions, account balances and disclosure. The extent to which, in a small assignment, the auditor undertakes the risk assessment and audit work plan will, by its very nature, depend on the size of the entity. However, the auditor must be able to demonstrate that the assessment and resultant work plan have been done. The results of the risk assessment procedures enable the auditor to design and perform further audit procedures to respond to the assessed risks. Fraud risk assessment For all audits, ASA 240 The auditor s responsibilities relating to fraud in an audit of a financial report requires an auditor to assess the risk of fraud. ASA 240 distinguishes fraud from error by acknowledging that fraud is an intentional act of misstatement or omission. Fraud risk factors should be considered during the planning phase and documented in the audit plan as part of the team discussions. For the purposes of the audit opinion the auditor is concerned with fraud that causes a material misstatement in the financial report. ASA 240 provides some specific tests which are to be performed which have been reproduced in Appendix 1D. These procedures are to be performed whenever management has the ability to over-ride controls, which is likely to be the case for all entities covered by this guide. Internal control The auditor is required to develop an understanding of the entity s accounting systems and internal control structure to determine the risks of material misstatement at both the financial report level and the assertion level, including disclosures. ASA 315 requires an auditor to perform audit procedures to understand an entity s environment, including a specific requirement to evaluate the design and implementation of internal controls. In the case of entity covered by this guide, controls are often simple or non-existent, however an understanding of the internal control environment must be obtained and documented for the audit or review to comply with the applicable standards. Due to insufficient internal controls, a primarily substantive approach would normally be taken in an audit. Discussions with management to discuss how well they thinks their internal controls work during the initiating, authorizing, recording, and reporting of significant accounts can help to identify areas where material misstatements due to error (mistake) or fraud (intentional) could occur which can be used in planning the audit approach. 1:14

15 1. Overview of audits and reviews of financial statements In every audit, the Auditor must get at least a preliminary understanding of the client s internal controls that affect each business and financial process. But after gaining that preliminary understanding, they may decide not to conduct a full audit of internal controls. Materiality Materiality addresses the significance of financial report information to economic decisions of users taken on the basis of the financial statements. The concept of materiality recognizes that some matters, either individually or in the aggregate, are important to people making an economic decision based on the financial statements. This could include decisions such as whether to invest in, purchase, do business with, or lend money to an entity. A preliminary assessment of materiality should be made in the planning stage in accordance with ASA 320 Materiality in planning and performing an audit. The auditor s assessment of risk, based on his or her understanding of the business per ASA 315, also will have an impact on the proposed level of materiality. Materiality is determined by the auditor based on his or her perception of the needs of users. Misstatements may arise from a number of causes and can be based on the following: Size: the monetary amount involved (quantitative); Nature of the item (qualitative); and Circumstances surrounding the occurrence. Materiality is not an absolute number. It represents a grey area between what is very likely not material and what is very likely material. Consequently, the assessment of what Is material is always a matter of professional judgement. In some situations, a matter well below the quantitative materiality level may be determined as material based on the nature of the item or the circumstances related to the misstatement. For example, the information that there are a number of transactions with related parties may be very significant to a person making a decision based on the financial statements. Selecting an appropriate base is the starting point in determining materiality for the financial statements as a whole. Profit from continuing operations before tax is generally recognized as the quantitative measure of greatest significance to financial statement users of for-profit entities. Other bases may be deemed more appropriate for other entities and could include: Current assets; Net working capital; Gross assets; Total revenue; Gross profit; Total expenses; Net assets; Cash flows from operations. Determining a percentage to be applied to a chosen base involves the exercise of professional judgment. The percentages used may be for example: 5% of profit before tax from continuing operations; 1% of total revenues or total expenses. In certain circumstances, the auditor may deem higher or lower percentages than those shown above to be more appropriate in calculating materiality for the financial statements as a whole. In such instances, it is critical to document the reasons for selecting a percentage threshold outside of the guided range. Materiality must be evaluated for: The financial report as a whole (overall materiality); Particular classes of transactions, account balances or disclosures (where appropriate); and Performance materiality. 1:15

16 Small entities audit manual 2013 The overall materiality level (the financial report as a whole) will be used by the auditor for: Determining the nature, timing and extent of risk assessment procedures; Identifying and assessing the risks of material misstatement; and Determining the nature, timing and extent of further audit procedures. Because the determination of materiality levels is based on the auditor s professional judgement, it is important that the considerations involved be properly documented at the planning stage of the engagement. This will include: The materiality level for the financial statements as a whole and the materiality level for a particular class of transaction, account balance or disclosure, if applicable; The amount(s) determined for purposes of assessing the risks of material misstatement and designing further audit procedures; and Any changes made to the above factors as the audit progresses. As the audit progresses, materiality should be revised for any new information gained during the engagement if such information would have caused a different amount to have been determined initially. At the conclusion of the audit, both the overall materiality and the amounts established for particular transactions, account balances or disclosures will be used for evaluating the effect of identified misstatements on the financial statements and the opinion in the auditor s report. When a misstatement (or the aggregate of all misstatements) is significant enough to change or influence the decision of an informed person, a material misstatement has occurred. Below this level, the misstatement is regarded as not material. For example, if it is determined that the decision of a financial report user group would be influenced by a misstatement of $10,000 in the financial statements, the auditor would plan the engagement to detect any misstatements in excess of this amount or a combination of smaller misstatements that would exceed that amount in total. Guidance Statement GS19 Auditing Fundraising Revenue of Not-for-Profit Entities Associations and Companies Limited by Guarantee may receive a significant amount of revenue from fundraising activities and therefore may form part of the business understanding and risk assessment during the planning phase of an audit/review. Unlike other types of revenue, the collection of fundraising revenue may not be supported by invoices or equivalent documents and therefore GS19 provides guidance to auditor when planning, performing and reporting on the completeness of fundraising revenue for not-for-profit entities such as cash donations, appeals, raffles and other fundraising activities. Based on the significance and materiality of the fundraising revenue, whether the not-for-profit entity has received all cash donations to which it has a right can be an audit risk/focus area as the controls in place over this revenue may not be adequate. This means that an auditor may find it difficult to perform tests of controls or substantive procedures that would reduce the risk of material misstatement in relation to completeness of cash donations to an acceptably low level. There are some instances where a scope of limitation for the audit exists and therefore a qualified opinion should be expressed, however this should not occur as a matter of course for all not-for-profit entities and the auditor needs to consider materiality and other mitigating factors. GS19 includes some example controls and audit procedures which can be used by an auditor in obtaining sufficient, appropriate audit evidence over completeness of fundraising revenue. Appendix 3F (Audit) and Appendix 3J (Review) provides example emphasis of matter paragraphs and qualified opinions/conclusions which can be used if sufficient, appropriate audit evidence is not able to be obtained whether there is significant revenue derived from fundraising sources. Audit assertions Financial statement assertions are the representations made by those charged with governance in compiling the numbers in the financial statements. The assertions are features relevant to the balances/transactions in the financial statements about which audit evidence is required. Assertions have varying risk profiles for different balances/transactions and therefore the assertions should be considered during the planning phase of the audit so that audit procedures are designed to ensure that the risk of material misstatements at for each balance/transaction assertion is at an acceptably low level. 1:16

17 1. Overview of audits and reviews of financial statements A description of each assertion is provided below: Assertion Explanation Balance sheet Income statement Classification Is the balance or transaction recorded in the proper account? Existence Does the asset, liability or equity interest exist? Accuracy Are the amounts recorded correctly? Occurrence Did the transaction actually occur? Rights and obligations Does the entity have the right or obligation associated with the balance? Valuation and allocation Is the balance correctly valued and any resulting valuation or allocation adjustments appropriately recorded? Cut-off Is the transaction recorded in the correct period? Completeness Have all assets, liabilities and equity interests, transactions and events been recorded? Presentation and dislosure Is the balance or transaction appropriately disclosed in terms of occurrence and rights and obligations, completeness, classification and understandability, and accuracy and valuation? The design of the audit tests take into account the assertion that is being confirmed. When testing existence or occurrence assertions the auditor tests for overstatement and therefore the testing should begin with the accounting records and progress toward the supporting evidence. When conducting tests to verify the completeness assertion, auditors search for understatements, this testing begins with the supporting source documents and progresses toward the accounting records. For example, an auditor may search for unrecorded purchases by selecting a sample of delivery notes and tracing the transactions to the purchases journal and the accounts payable records. Valuation often represents a high-risk assertion because of the wide variety of methods used to value assets and the estimates and judgements involved. Depending on the account tested, auditors may have to evaluate a host of estimates and assumptions, such as the useful life of fixed assets, the default rate on past due receivables and attrition rates/future payrises for long service leave calculations. Audit procedures designed to test rights and obligations assertions often involve reviewing documents such as deeds, contracts, and loan agreements to determine whether the entity has satisfactory title to its assets and whether the entity is obligated to pay the liabilities. Testing an account requires auditors to identify the specific assertions related to the account and design appropriate procedures to test each assertion. Once the auditor has obtained sufficient evidence to support each assertion, then the auditor has reasonable assurance that the account balance is fairly presented Client requirements schedule Given the volume of supporting documentation needed by auditors, it is advisable to provide the client with a list of audit requirements prior to the commencement of the audit. This can be in a separate list or incorporated in the engagement letter and can stipulate the timing of such requirements. This schedule can be a useful project management tool and to monitor over-runs/delays. Designing the audit approach Once the risks of material misstatement are identified and the planned control reliance is determined, an auditor must refer to ASA 330 which sets mandatory requirements and guidance in designing and performing audit procedures. Overall responses might include: determination of the general audit approach (i.e. substantive only versus a combination of substantive and controls testing); 1:17

18 Small entities audit manual 2013 use of experts for complex areas; and timing of audit procedures (i.e. year-end versus interim). The auditor must use professional judgement in determining the nature and extent of the work, but must document fully the linkage between the assessed risks and the audit program to support the audit opinion. If the Auditor s understanding of the key systems highlights that controls are weak and we are unable to rely upon any of them, then the fully substantive approach should be planned for that area and an management letter raised which highlights all significant control weaknesses noted. Most audits combine substantive and control testing strategies. For example, the same entity that has weak internal controls for cash payments may have very effective internal controls for cash receipts, such as separation of duties. This means that the approach could be substantive testing for cash disbursements and control testing for cash receipts. When designing transaction tests the nature and extent of balance sheet verification procedures should be considered so as to avoid excessive testing. For instance, if at year end a high percentage of debtors are confirmed, the Auditor may decide that limited transaction testing be conducted that are designed to identify an overstatement of sales. Specific responses will relate to the audit procedures performed and in particular: nature refers to purpose (i.e. test of controls or substantive) and type (i.e. inspection, observation, inquiry, confirmation, recalculation) of the audit procedure; timing when procedures are performed; extent quantity of audit procedures (e.g. sample size). Changes in conditions or unexpected results of audit procedures may cause revisions of the overall planned audit approach. The audit plan and audit programs would normally be completed at the end of this phase of the audit, however updates should be made, if necessary during the course of the audit. Performing the audit During this phase of the audit, the auditor needs to: determine whether systems and controls that are to be relied upon are operating as designed thus confirming the control risk assessment to justify the planned level of substantive testing; obtain audit evidence as to whether the financial statement assertions addressed by the audit procedures may include a significant misstatement by completing the planned substantive testing; collate any audit differences and management letter points; ensure workpapers have been independently reviewed. The specific audit procedures to be performed are documented in the audit programs which were completed during the planning phase. 1:18

19 1. Overview of audits and reviews of financial statements In this phase, we complete the relevant tests during the final audit. The tests to be performed will be either: tests of control (if we have identified any controls we wish to place reliance on); substantive tests these are tests to corroborate the balances/transactions and are either: + tests of details agreeing balances to supporting documentation; + substantive analytical procedures using the auditors understanding of the business to predict a balance and comparing the actual figure to the expectation. Further information on each type of test has been provided below. Tests of control If an entity is small and has limited segregation of duties, it is unlikely that an auditor would plan to rely on controls and test them as an audit procedure. However, the auditor may be required to consider and in some circumstances test the effectiveness of controls when: the risk assessment includes an expectation of the operating effectiveness of controls; substantive procedures alone do not provide appropriate `audit evidence at the assertion level; or a significant risk has been identified which requires documentation of the auditors understanding of the controls. If a control relevant to the audit is identified as being in place then testing must be performed to confirm that the control is operating effectively. This is tested through documentation of the control and suitable audit testing, e.g. observation and enquiry, walkthrough, reperformance. Enquiry alone is not sufficient and must be supported by another testing method. The extent of controls testing depends upon the type of control, i.e. manual v automated and the frequency of the control. For controls which occur more frequently, the number tested will be higher than for those which are performed on a monthly basis. Automated controls may only need to be tested once depending on the information systems assessment. The table below provides some guidance about sample sizes for controls testing. Type Periodic or recurring manual control IT control Baseline Where a manual control is performed periodically or is recurring the following guidelines are utilised: Frequency of control activity Minimum sample size Monthly 2 Weekly 5 Daily 25 More than daily 25 Example: Monthly bank reconciliations, we would normally test an interim and year end reconciliation. In situations where an IT control exists and is applied to every transaction, then the systems query may be the most appropriate technique. In this technique, one query as a test is appropriate for an IT system that would be expected to operate consistently in a well-controlled environment (specific configuration, interfaces and system access are appropriately designed and subject to appropriate change control procedures). Reliance on controls work from prior period In some cases it may be possible for the auditor to use controls testing performed in a previous audit as part of the evidence for the current year audit. 1:19

20 Small entities audit manual 2013 Prior to using this testing, the auditor will need to confirm information as documented below. Work to be relied upon from prior year Audit evidence about the operating effectiveness of controls Controls testing, where controls have not changed since they were last tested. Evidence needed in current year Have changes in the controls occurred subsequent to prior audit? Evidence to be obtained via enquiry and observation/inspection. Confirmation of the continuing relevance of the audit evidence obtained in prior year. If controls have changed since they were last tested, the operating effectiveness of the controls should be tested in the current audit. Operating effectiveness of controls to be tested at least once in every third audit. Where there are a number of controls then the operating effectiveness of some controls should be tested in each audit. Substantive procedures Substantive procedures should be performed if tests of control determine that: the controls are not operating effectively; they do not exist; or the auditor has determined that a substantive approach is more effective or efficient. Substantive procedures comprise substantive analytical procedures or tests of details. They enable the auditor to assess whether the transactions are bona fide and have been properly classified and recorded in the general ledger. In most audits, it is not possible to undertake testing for every transaction and therefore the auditor has to select transactions to test. This selection process is discussed further in the sampling section below. Analytical procedures Analytical procedures are used in a number of stages of the audit, in accordance with ASA 520 Analytical procedures. During this phase of the audit, we use analytical procedures as a substantive test to assist in corroborating balances. Analytical procedures means the investigation and analysis of fluctuations and relationships to determine whether there are inconsistencies with other relevant information or deviations from predicted amounts. Through an understanding of the business, the auditor should form an expectation of the balance to compare with the actual balance. Since analytical procedures are generally at a higher level than tests of details, ASA 520 states that the extent of reliance on results from substantive analytical review procedures depends on the following: Source of the information available. For example, information is ordinarily more reliable when it is obtained from independent sources outside the entity. Comparability of the information available. For example, broad industry data may need to be supplemented to be comparable to that of an entity that produces and sells specialised products. Nature and relevance of the information available. For example, whether budgets have been established as results to be expected rather than as goals to be achieved. Controls over the preparation of the information. For example, controls over the preparation, review and maintenance of budgets. These factors should be considered by the auditor in determining the extent of other testing (refer to ASA 520 for requirements and guidance). There are a number of steps required to perform substantive analytical procedures in accordance with the Australian Auditing Standards which are shown below: 1. Identify relevant data and relationships (i.e. superannuation as % of payroll); 2. Determine an expectation; 1:20