Chapter 15 The statutory audit process Flashcards
1.1 Underlying concepts: quality management
This ensures that the audit firm adheres to ISAs and fundamental ethical principles which help to reduce audit risk. It includes:
- Having appropriate firm procedures in place and ensuring staff know about them and adhere to them
- Staff training and CPD
- Performance assessment and feedback/reward/discipline on a timely basis
- Delegation of work to those with appropriate seniority and competence
- Direction, supervision and review of work by a sufficiently senior staff member
1.2 Professional scepticism
An attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of audit evidence. Auditors must question who gave them information, be alert to conditions that indicate fraud, seek evidence for information, be alert to inconsistencies, question the reliability of documents and responses and keep sufficient documentation.
Areas of particular risk include cut-off (transactions recorded in wrong accounting period) and subjective areas (require judgement and open to manipulation).
2.1 Ethics, bribery and money laundering
Fundamental principles are integrity, objectivity, professional competence and due care, confidentiality and professional behaviour. The threats to objectivity and independence are self-interest, self-review, advocacy, familiarity, intimidation and management.
2.2 Actions/safeguards
- Section 1 – General requirements and guidance: ethics partner and threats
- Section 2 – Financial, business, employment and personal relationships: shareholdings and loans, business relationships, employment with client or vice-versa and family relationships
- Section 3 – Long association with engagements and with entities relevant to engagements: rotation of partners and staff
- Section 4 – Fees, remuneration and evaluation policies, gifts and hospitality, litigation
- Section 5 – Non-audit/additional services: audit related services, internal audit, IT, valuations, actuarial services, tax, litigation support, legal services, recruitment and remuneration, corporate finance, transaction services, restructuring and accounting services
- Section 6 – Provisions available for audits of small entities
2.3 Bribery Act 2010
Penalties exist for individuals and organisations for offering a bribe, accepting a bribe or bribing a foreign public official. Organisations can be penalised for failing to prevent bribery by employees or agents. Organisations should focus on a top-level culture in which bribery is unacceptable, risk assessment, due diligence procedures, taking a risk-based approach, communication to staff, including training, and monitoring and review. The auditor should carry out procedures to identify misstatement caused by non-compliance with the Bribery Act, such as:
- Assess risk of non-compliance with the Bribery Act
- Exercise professional scepticism
- Assess bribery prevention policies of the client
The auditor should report suspicions of bribery to the National Crime Agency under the Proceeds of Crime Act 2002.
2.4 Money laundering
Money laundering aims to disguise the origins of funds from criminal conduct so they can be used. It includes using, acquiring, retaining, controlling, concealing, disguising, converting, transferring and removing from the UK the proceeds of criminal conduct. The auditor should report actual knowledge, or reasonable grounds for suspicion, of money laundering:
- To the audit firm’s money laundering nominated officer
- The money laundering nominated officer will consider whether it is necessary to report to the NCA
Offences include failure to report, failure to provide suitable training for staff and tipping off the money launderer. Penalties extend to imprisonment for up to 14 years.
3.1 Risk and materiality
Audit risk is the risk of the auditor giving an inappropriate opinion when the accounts are materially misstated. The audit must be planned and performed in a way to reduce audit risk so the auditor gives reasonable assurance. Business risk is the risk the company fails to meet its objectives.
3.2 Business risk approach
There are three principal areas of business risk:
- Financial risk: financial consequences of operating activity and risk associated with the company’s finance
- Operational risk: risks associated with the company’s trading activity
- Compliance risk: risks resulting from non-compliance with law and regulations
Business risk impacts on the audit in a number of ways, assisting the auditor to:
- Identify motives to deliberately manipulate the accounts
- Have a better understanding of the context of the accounts having performed analytical procedures
- Assess the going concern status of the company
- Understand the regulatory and legal environment in which the company operates to assess the risk of non-compliance
- Identify complex accounting issues for further evaluation
3.3 Audit risk approach
Audit risk = inherent risk × control risk × detection risk
Inherent risk: susceptibility of balances and transactions to material misstatement irrespective of related controls.
Control risk: the risk that the entity’s controls will not prevent or detect material error on a timely basis. Key issues are control environment and control activities/procedures.
Detection risk: the risk that the auditor’s procedures fail to detect material misstatement
3.4 Analytical procedures
These include: simple year-on-year comparisons, examining related accounts, reasonableness tests, comparing the actual value with a calculated expectation, trend analysis and ratio analysis. At the planning stage, the output of these procedures may identify areas which conflict with the understanding of the business, therefore highlighting risk areas for the audit. The procedures are most effective when:
- The underlying data used is reliable
- There are plausible relationships between the items being compared
3.5 Materiality
Misstatements, including omissions, are considered material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the accounts. The size thresholds are 1% of revenue, 1-2% of total assets and 5% of PBT.
Performance materiality: a lower materiality threshold during the performance of the audit.
4.1 Responding to audit risks
The nature of audit testing includes substantive procedures vs tests of control, detailed audit procedures focussing on the risk area, seeking evidence from a more reliable source and seeking corroborative evidence from an alternative source.
The extent is to take bigger samples and consider 100% testing.
Timing includes an interim audit, continuous use of data analytic software and a longer period between the year-end date and final audit to allow more use of subsequent events.
5.1 Designing audit procedures to collect audit evidence
Audit evidence must be:
- Sufficient: covering all aspects, sample sizes should be adequate and samples taken from appropriate populations
- Reliable: 3rd party evidence is better than internally generated, original documents better than copies, written/printed evidence better than oral and triangulation (auditors obtain complementary evidence from different sources)
- Relevant: consider the assertion being tested and directional testing (overstatement/understatement)
5.2 Types of audit procedure
The two types of audit procedures are tests of control (designed to evaluate the operating effectiveness of controls) and substantive procedures (audit procedures designed to detect material misstatement at the assertion level; these include tests of detail and analytical procedures).
5.3 Tests of controls
These include inspection of documents for evidence of internal controls, enquiries, re-performance of control procedures, examine evidence of management attitude, observation and test computer controls. Consider issues such as how the controls were applied, consistency of the application of controls and who applied the controls.
5.4 Analytical procedures
Planning stage: use analytical procedures to identify audit risks and to concentrate work on key areas.
Substantive testing stage: used to test an account balance for reasonableness. The approach is to set expectations, compare actual with expected, obtain possible reasons for variances, evaluate the impact of any unresolved differences between expected and recorded amounts.
5.5 Tests of detail
A test of detail is any substantive procedure other than analytical procedures. Audit procedures have three elements:
- Verb/action: inquire, observe, inspect and reperform etc
- Object/source: asset, document, entity and person
- Objective: financial statement assertions
5.6 Financial statement assertions
- Transactions: occurrence, completeness, accuracy, cut-off, classification and presentation
- Account balances: existence, rights and obligations, completeness, accuracy, valuation and allocation, classification and presentation
6.1 Audit evidence – use of experts
- Step 1: Consider whether it is appropriate to rely on the expert. Consider qualifications, competence, experience, objectivity and reputation
- Step 2: Contract. Need to agree in writing, nature, scope and objective of expert’s work. Roles and responsibilities. Nature, timing and extent of communications and reports. Confidentiality
- Step 3: Assess the expert’s work. Consistency of findings with other audit evidence. Underlying assumptions and source data
6.2 Reliance on internal auditors
- How much should the external auditor rely on the internal auditors’ work? This depends on nature and scope of work, risk and degree of subjectivity
- Assess internal audit function: Organisational status, scope of function, technical competence and due professional care
- Evaluate IA work on which the external auditor wants to place reliance. Adequate training, sufficient appropriate evidence, conclusions appropriate and exceptions are resolved.
6.3 Reliance on component auditors
- Understand the component auditor: independence, professional competence, ethical considerations. Whether the group audit engagement team will be involved in their work. The results of any regulatory monitoring or inspection of the component auditor. Obtain confirmation that the component auditor will cooperate with the group auditor
- Materiality: group audit team set materiality level for group accounts. Materiality should be set for components which are individually significant
- Extent of work required: significant components require full audit based on component materiality level. If a component includes significant risks of material misstatement of the group accounts a full audit using component materiality is needed.
- Communication: group auditors must communicate the work to be performed, materiality, list of significant risks and list of related parties. Component auditor must communicate the matters relevant to the group team’s conclusion regarding the group audit
- Evaluation: has the component auditor performed the work requested? Identify instances of non-compliance with law and regulations, indicators of management bias or fraud and going concern threats to the group as a whole. Obtain a schedule of corrected and uncorrected misstatement and a summary of control deficiencies. Review component auditor’s findings and conclusions.
6.4 Service organisations
Service organisations can be part of an entity’s information systems. If the organisation provides a service that relates to an item that is material in the context of the accounts then the auditor will need to obtain sufficient, appropriate evidence relating to that area.
Gain an understanding of the nature of the services provided by the service organisation, the impact on the accounts and whether the client or service organisation keeps sufficient records for the auditor’s use. Assess the controls over the affected areas at the entity and at the service organisation.
Gain evidence over the relevant assertions. May rely on a service auditor to confirm and test controls of the service organisation. Consider the implications for the audit report – do not refer to the service organisation or the service auditors in the report.
7.1 Information technology and internal controls
Computer controls fall into two categories. The first is general controls over the computer system and the second is application controls over a specific programme.
7.2 Cyber security
A business needs to address cyber threats as part of its internal controls. Cyber threats include cyber criminals, hacktivists, nation states, insiders/partners, competitors and skilled individual hackers. The different threats can lead to a number of different risks to the business, which could lead to a misstatement in the accounts.
- Theft of intellectual property/strategic plans
- Financial fraud
- Reputational damage
- Business disruption
- Destruction of critical infrastructure
- Threats to health and safety
- Breach of data protection regulations such as GDPR
Cyber security should become the responsibility of a board member. As part of the business’s risk assessment, critical business data and associated risks should be identified. Ensure that NEDs and audit committee have knowledge and training to hold management to account in a meaningful way. Introduce monitoring mechanisms to identify suspect behaviour by disgruntled staff. Develop incident response procedures and procedures for business continuity/disaster recovery. Ensure standard IT controls are implemented, enforced and reviewed.