International Auditing Standards (ISA)

ð INTERNATIONAL AUDITING STANDARDS

MINEURE ECR II 2013-‐2014 – ERIC VAN HOOF

MANON CUYLITS

Manon Cuylits International Standards on Audit 2013-‐2014 ECRII: Eric van Hoof

2

OBJECTIVE OF THIS COURSE

Ø Being able to understand the ISA framework and explain the broad content of the ISA standards (concept based understanding). è ISA = International Standards on Auditing

Ø Understanding the role of the auditor Ø Being able to judge the content and extent of an audit opinion for real life cases

o Critical reading of non-‐appropriate opinions: we will receive reports and will

have to say why it isn’t appropriate. o Critical judgment of what can and cannot be certified: there’s a need for a

reference point in order to be able to certify o Critical understanding of the work hiding being an opinion (understanding of

the audit methodology).

NEED FOR A REFERENCE POINT TO CERTIFY

Example of a lobbying company representing the timeshare industry (2 persons can buy a house together, ½ each). They represent the interest of this industry and want the auditor to certify that the claims they receive are not important. This is something the auditor can’t certify because there’s no reference point. You can’t certify something if there’s no reference point. They need to create a reference framework.

DIFFERENCE BETWEEN THE TIME BEFORE WE HAD THE ISA AND NOW WE HAVE IT

BEFORE TODAY What do we start with ?

We started with the first thing : tangible assets, etc. looking at the figures.

We start with the risk assessment, not with the figures; it’s a completely different way to look at things. Accumulation of a number of things è inherent risk, multiplied by the control risk (internal controls set up by the company could not …) multiplied by the non detection risk.

AR = IR x ICR x NDR

• Audit Risk (AR) • Inherent Risk (IR): it can’t be changed by the auditor, it’s inherent to transactions • Internal Control Risk (ICR): it can’t be changed by the auditor • Non-‐Detection Risk (NDR): The only thing that can be changed is the non-‐detection

risk.

The auditor usually says he accepts an audit risk of 5%. The IR and ICR can’t be changed; therefore, the auditor will determine the level of non-‐detection risk “needed” in order to have 5%. He does more or less audit procedures in order to work on the non-‐detection risk. The risk assessment is therefore really important.


3

è Why do we multiply the risks? Because they are dependent from each other, they influence each other. If there’s a very high Inherent Risk because there are many transactions, the Internal Control Risk might be high also because the internal controller might says he doesn’t understand all those transactions.

EVALUATION

Ø Written exam: Very practical exam 1. Concept based MCQ questions 2. Concept based open ended questions 3. Real life case study è Financial Statement of a real company + management

report that goes with it: we receive problems that we can see during an audit activity

Ø Will aim at showing that you master the concepts and conceptual framework Ø Will also aim at showing that you can apply the concepts to a real life case study Ø Will focus for the case study on the impact of risk assessment audit procedures on

the audit opinion

DOCUMENTATION

Ø Slides Ø Clarified ISA Standards, freely accessible on the following website www.ibr-‐ire.be or

on the IFAC website Ø Case studies Ø Additional non mandatory reading

o Handbook of International Standards on Auditing, Assurance and Ethics

Pronouncements, IFAC. Intern Federation of Accountants o List of key terms from ISA standards, refer to www.ibr-‐ire.be


4

OVERVIEW OF LECTURES

1. Introduction-‐ Assurance, roles, framework 2. Types of reports (ISA, ISRE, ISAE, ISRS) 3. Types of opinion based on standards 4. Code of Ethics and Quality Control (ISQC1) also an international standard 5. Audit methodology and linked ISA standards. Practical side 6. Special topics, such as:

a. Fraud b. Using work of others

Example: Actuaries: They are experts who help to determine the pensions provisions: they do mathematical calculus to determine the pension of the employees in the future. It’s a very technical calculation. Auditors might need to use their work, to rely on them. There’s a standard explaining how to do when you have to rely on the work of experts.

There are another standards for when you have to rely on the work of internal auditors, and what you should do before you agree to rely on their work.

c. Audit of the IT environment IT audits: there are no companies that don’t have an IT platform anymore. Most of them are using ERP. It’s important to assess the risks around and inside the machines in order to do well. You test the IT general control: who can access it, etc. è access control. You also check the program control, etc.

d. Going concern. This is very important because in this time of financial crisis, a lot of companies are going bankrupt and the owners, managers etc. are often the first blamed, but also the auditor. A standard gives the responsibilities of auditors. Fraud is a very important topic also, it’s important to talk about it and about responsibilities.

e. Belgian context We will have a look at the Belgian context in parallel with the International Standards. In Belgium ISA is applicable but it’s not the case in many countries yet.

7. Case studies

AUDIT METHODOLOGY

Ø The following aspects will be dealt with o Planning of audit o Risk identification and analysis (risk formula) o Materiality. o Auditing techniques and evidence

§ Analytical review (a) § Test of controls (b) § Test of transactions (c) Testing specific transaction § Substantive audit procedures (d)

o Conclusion and Audit reports


5

Audit methodology:

1. 1st step: Planning of the audit 2. 2nd step: Risk identification and analysis based on the risk formula: identify the risk

and then assess them 3. 3rd step: Materiality: calculation of the materiality: it’s linked to the concept that it’s

impossible for an auditor to assess every transaction. They do sampling: based on the risk assessment, they are going to test certain transactions. The materiality helps deciding from what level do we select a transaction etc. è Audit opinion: the auditor determines a certain level of error (in euros) that he agrees to tolerate. E.g.: “I can tolerate in terms of my risk of going in prison, a risk of 5 million”.

4. 4th step: Audit Technique and evidence: This step finalizes the risk assessment: it gives a toolbox of different procedures an auditor can apply.

a. Analytical review: this step is about comparing figures (non auditor figures) from now with the one already audited in the past. Ex: comparison of the rental income from this year with the one form last year, or the budget in the previous year and the budget now

b. Test of controls: testing the internal controls that management has put in place

c. Test of transactions: test of very specific transactions è on the basis of underlying evidences: contracts, invoices, etc.

d. Substantive audit procedures: done on bigger samples of transactions

Audit: you take the responsibility as an auditor. You are the one who determines what you need to do in order to give a non-‐qualified opinion. You don’t say that the numbers are right, you just say: “I reconcile this number with this one and it matches”. In an audit procedure, the risk is determined by the auditor himself, while in the case of the “agreed upon procedure”, the risk is determined by the client himself.

ISA STANDARDS – HISTORY

Ø ISA standards started as benchmarks and need to be implemented country by country in national law

IAS started as a benchmark. A number of years ago, the economy was getting more and more global è people wanted to be able to compare an audit report in the US, in Belgium, etc. That’s how International Standards on Audit came up. They have been set up by IFAAC as a standard. At that stage they were not mandatory; it was only a benchmark. They were not made mandatory because there was no stabilized framework for a number of years, but last 10 years it became very stable è many countries have made it mandatory. In Belgium it’s only mandatory since 2012 for listed companies (very recent), and it’s going to be made mandatory for non-‐listed company from 2014.


6

Ø In November 2003; reform for enhancing confidence on the profession è this reform was based on the program that came out of the Enron Fraud: especially in the US

o Additional transparency in how standards are established è additional transparency was wished

o Increased input from regulators and public o Monitoring from regulators o “Oversight” structure put in place

§ Public Interest oversight Board (Feb 2005, institutionals and regulators)

§ Monitoring Group (dialog and information vehicle for the PIOB) § IFAC Regulatory Liaison Group

Ø Standards were clarified in 2009: there’s been a clarification process in 2009: We now have new standard, revised standards and rephrased standards, with a certain structure put in it. (cf. schema “ISA clarification impact)

Ø ISA/ISRE standards are mandatory in Belgium from December 2012 (listed companies) and from 2014 (non-‐listed companies)

Ø ISAE/ISRS normally applicable as from reports emitted after 15 December 2014 Ø Specific standards applicable in Belgium on top of ISA/ISRE have been compiled

separately by IRE

ISA CLARIFICATION IMPACT (2009)

• ISAs from 755 pages to 855 pages: the number of pages increases. • Mandatory procedures: some mandatory procedures are put. Before those

procedures were called “deemed procedures”, which means those procedures were necessary. Deemed = +/-‐ mandatory.

o >520 mandatory procedures vs. 430 deemed procedures o Certain new obligations (in green) and changes in existing obligations (in

yellow and pink) o Obligations more explicit and applicable to all audits + more detailed. o Certain new obligations for group audits è comptes consolidés par rapport

aux comptes légaux statutaires. • Effective for audits of periods ending as from 14 December 2010 (IFAC – Internal

Federation of Accountants) è International Obligations effective from 2010. That doesn’t mean anything for countries because they decide themselves when ISAs become applicable in the country. ISA isn’t the only existing standard.

• In Belgium applicable from 2012 for the listed companies and from 2014 for the other companies


7

ISA General principles

Risk analisis and audit response

Audit evidence

Using the work of others

Conclusions and reporting

Specific matters

200 300 500 600 700 800 210 315 501 610 705 805 220 320 505 620 706 810 230 330 510 710 240 402 520 720 250 450 530

• NEW STANDARD • REVISED STANDARD • REPHRASED

STANDARD

260 540 was 540/545

265 550 560

570 580


8

INTRODUCT ION-‐ ASSURANCE , ROLES , FRAMEWORK

WHAT IS ASSURANCE?

Everywhere we talk about assurance è giving assurance is the job of the auditor. The outcome is the audit report where the auditor gives assurance.

Ø The assurance is “an engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria” (International audit and Assurance Standards Board HandBook)

Ø In simple terms, giving assurance means: offering an opinion about specific information so that the users of that information are able to make confident decisions.

o Specific information = reference framework

WHO ARE THE PARTIES INVOLVED?

The three parties involved:

Ø The practitioner: it’s the auditor, the reviewer of the information Ø The intended users of the information, of financial statements =

o Shareholders: you have to report to them o Banks, if you are indebted o Employees o Suppliers and clients potentially, especially regarding the going concern1

issue o Investors (// shareholders) o Tax authorities

The responsible party: the preparer of the financial information: as an auditor you can’t prepare that. The principle is that the people preparing the financial statements are the accountant basically, under the responsibility of the CEO and the board of directors. The auditor can’t assess and audit something that he prepared himself è independence problem! There are specific information that need a reference framework for the auditor to be able to give an opinion. If an error doesn’t change the decision of the auditor, then it is not material.

1 Going concern = continuité d’exploitation


9

Role of the parties involved:

Ø Be competent: the profession is regulated therefore. Ø Be objective and independent: that’s set in the law. Ex: the auditor can’t have

shares in its client because he would also be an intended user then. In Belgium, one to one rule is that you cannot do services that are not non-‐audit services for an amount higher than the one of the audit services. Ex: the amount for services at the level of tax transfers etc. can’t be higher than the amount for audit services. Only country where this strict rule is applicable. Regarding the independence problematic, some people say that auditors should not even be paid by their clients.

Ø Follow certain expected standards of performance:

THE PRACTITIONER (AUDITOR) AND ROLE

The role of the auditor has come under increased scrutiny over the last thirty years due to an increase in high profile, economically damaging fraud cases. The most high profile case, and the catalyst for regulatory change, was the collapse of Enron and its auditor Arthur Andersen. In order to try and regain trust in the auditing profession national and international standard setters and regulators have tried to introduce three initiatives:

1. Harmonization of auditing procedures, so that users of audit services are confident in the nature of audits being conducted around the world è harmonization of the auditing standards

2. A focus on audit quality, so that the expectations of users are met. In the US they have the SEC (= Stock Exchange Commission), which is the same as FSMA in Belgium but more powerful. In Belgium, the FSMA can’t come and look at the auditor’s files, it can only ask for a report.

3. Adherence to a strict ethical conduct, to try and improve the perception of auditors as independent, unbiased service providers. There’s a code of ethics that needs to be complied for the ISAs.

!!!FRAMEWORK OF THE ISA!!!


10

We can see that there are different layers.

• 1st layer: IFAC code of ethics for professional practitioners. They first created a code of ethics that applies to anyone

• 2nd layer: Services covered by the standards and recommendations. Those are the services that an auditor can perform: they are standardized.

o Structure of the Standards of Assurance Engagements: assurance engagement and other engagements è the auditor can give assurance or not (= agreed upon procedures). è 2 possible engagements/things to do:

§ Audit and review of historical financial information: there’s a need for historical financial information (it’s not about the forecasts: no prospective information). Here the standards are:

o ISA § IAPS: interpretation of ISAs

o ISRE: IS for Review Engagement (= revue limitée) è you can have an audit or a limited review, the difference between those 2 is the assurance you give. The review engagement gives a limited assurance. The difference between an audit and a limited review is the fact that an audit gives a positive conclusion. Ex: “This financial statements are true and fair view of reality”; however, the limited review gives a negative opinion: it doesn’t mean that it’s bad, but the auditor is going to phrase it in a negative sense.

§ IREPS: interpretation of ISRE § Assurance engagements other than audit and reviews of historical

financial information: o ISAE

§ IAEPS o Related services:

§ ISRS: agreed upon procedure è the auditor doesn’t give assurance: the client says what they are going to do. At the end of the report he gives conclusions but you don’t conclude on the global set of procedures.

• ISRSPS: box for recommendations that come on top of the standards

EXAM: QUESTION CHAQUE ANNEE: comparison between audit and limited review and about those subjects.

Ø Limited review: the auditor stops at the analytical review. He goes to the client and says; look at the figures… The limited Review consists in taking the figures, and compare them to something before, to the budget, and understanding the figures, etc. è based on that the auditor makes an opinion.

Ø Audit: in the audit the auditor doesn’t stop at comparison but he’s also going to check the evidences that are behind the figures (physical inventory take, look at the fixed assets, etc., underlying documents, contracts, etc.) the audit goes much further than the Limited Review.


11

Ex: mid size company: it takes 2-‐3 weeks for an audit but only 3 days for a limited review if the client is well known. The limited review is shorter but the auditor also gives limited assurance.

è It’s important to know this framework in order to know where you are in this chart. Limited Review or audit? The work behind it is really different.

You can give assurance on other things than historical financial information. è Statistics of claims for example. If there’s a reference framework behind it we can give assurance on it. èTrue and fair view.

Audit Limited Review The auditor gives a reasonable assurance The auditor does not give a reasonable

assurance è limited assurance Positive conclusion Negative conclusion The auditor checks further than in the case of the limited review

The limited review is not going as far as the audit is, it stops at the analytical review stage

More physical testing: checking invoices, inventories, etc.

No physical testing, you check the known figures of the company and compare it to other figures

It lasts 2-‐3 weeks It lasts 3 days +/-‐


12

THE REGULATORY GUIDANCE TO BE FOLLOWED

The practitioners now have to follow four sets of regulatory guidance:

1. Auditing Standards a. Setting auditing standards b. International standards Issued by IAASB: the Framework

2. The Code of Ethics a. Part A b. Part B

3. National corporate law a. Example of national laws. Company Act, IRE b. National Regulatory bodies role

4. International Standards on Quality Control (ISQCs)

1. AUDITING STANDARDS

The IFAC is setting the auditing standards. They are issuing international standards on auditing, other assurance, etc. The next step is that standards need to be made mandatory by the country itself

A. SETTING AUDITING STANDARDS

IFAC :

Ø The International federation of Accountants (IFAc) is the global organization for the accountancy profession. It was formed in 1977 and is based in New York. IFAC has more than 163 member bodies of accountants, representing 2,5 million of accountants from 123 separate countries.

Ø IFAC’s overall mission to serve the public interest, strengthen the worldwide accountancy profession, and contribute to the development of strong international economies by establishing and promoting adherence to high-‐quality professional standards.

Ø One of the subsidiary boards of IFAC is the International Audit and assurance Standard Board (IAASB). It is their responsibility to develop and promote

IAASB (International Auditing and Assurance Standard Board)

IFAC (International Federation of Accountants)

ISQCSs ISA, ISREs, ISAEs


13

International Standards of Auditing (ISA’s). There are currently 36 ISA’s and one International Standard of Quality Control.

Ø IRE: Belgian representative part of IFAC.

B. ISA ISSUED BY IAASB: THE FRAMEWORK

1. International standards on Auditing (ISAs) are to be applied in the audit of historical financial information

2. International Standards on Review Engagements (ISREs) are to be applied in the review of historical financial information

3. International Standards on Assurance Engagement (ISAEs) are to be applied in assurance engagements other than audits or reviews of historical financial information

4. International Standards on Related services (ISRSs) are to be applied to compilation engagements, engagements to apply agreed upon procedures to information and other related services engagements as specified by the IAASB.

2. THE IFAC CODE OF ETHICS FOR PROFESSIONAL ACCOUNTANTS

The code of Ethics, which establishes fundamentals ethical principles for professional accountants.

Ø Part A of the code sets out the fundamental ethical principles that all professional accountants are required to observe, including: 1. Integrity of the auditor 2. Objectivity of the auditor 3. Professional competence and due care of the auditor 4. Confidentiality of the auditor 5. Professional behavior of the auditor

Ø Part B of the code which applies only to professional accountants in public practice (“practitioners”), includes a conceptual approach to independence. è not applicable to an internal auditor (while part A is)

3. NATIONAL CORPORATE LAW

a. Example of national laws/ guidance include

a. The companies Act 2006 in the UK b. The Sarbanes Oxley Act in the US (enforcing standards of corporate internal

controls)

b. National Regulatory bodies role

Ø Enforce the implementation of auditing standards Ø Have disciplinary powers to enforce quality of audit work Ø Have rights to inspect audit files to monitor audit quality


14

Note: Most audits carried out in EU member states are now carried out in accordance with ISA’s.

THE IAASB INTERNATIONAL FRAMEWORK: TWO TYPES OF ASSURANCE ENGAGEMENT

4000-‐4699 INTERNATIONAL STANDARDS ON RELATED SERVICES (ISRSS)

Objective of an Agreed-‐Upon Procedures Engagement Ø The objective of an agreed-‐upon procedures engagement is for the auditor to carry

out procedures of an audit nature to which the auditor and the entity and any appropriate third parties have agreed and to report on factual findings

Ø As the auditor simply provides a report of the factual findings of agreed-‐upon procedures, no assurance is expressed. Instead, users of the report assess for themselves the procedures and findings reported by the auditor and draw their own conclusions from the auditor’s work.

Ø The report is restricted to those parties that have agreed to the procedures to be performed since others, unaware of the reasons for the procedures, may misinterpret the results.


15

TYPES OF REPORTS ( I SA , I SRE , I SAE , I SRS )

AUDIT PROCESS: DIFFERENT STEPS

WHICH ARE THE DIFFERENT TASKS PERFORMED BY AN AUDITOR WHEN PERFORMING AN AUDIT OF EXTERNAL OPERATIONS?

(From signature of the engagement letter until submission of final report)

PREPARATION OF THE MISSION

1. Reception of the engagement letter2 (before you start the job) 2. Confirm the date of performance of the audit with the audited entity 3. Secure logistics and make practical arrangements 4. Starting date of the fieldwork (including opening meeting)

Engagement letter = It’s a contract between the auditor and the client. It includes :

• The fees: how much you are going to charge the client. In Belgium it needs to be a fixed fee for 3 years.

• The number of hours you are going to spend on the audit: the estimation at the beginning is very important: if you estimate that you are going to spend 200 hours on the audit and you spend 500 instead, it is problematic.

• How you are going to be doing your audit. • What are the responsibilities of the management, the board of director and the

auditor • The applicable laws • The general terms and conditions • The time of the audit: when you are going to do it. • The output of the auditor’s work: an audit report. An audit report is based on the

ISA, but you can say to your client that you are going to give a management letter… • The standards of auditing that you are going to use but also the framework. In

Belgium the framework normally is BGaap for non listed companies and IFRS for listed companies.

Before the start of the audit, the engagement letter has to be signed.

2 Engagement letter = lettre de mission è concept important (EXAM)


16

EXECUTION OF THE AUDIT

Starting date of the fieldwork

1. Step 1: Planning the audit 2. Step 2: Assessment of the activity and its risks

& Determination of the audit strategy 3. Step 3: Performance of the audit procedures (once you have your

strategy: link with the audit risk formula) 4. Step 4: Assessment of the results and conclusion on the audit.

Closing meeting and submission of Debriefing memorandum

Client acceptance procedure: “can we accept the client as ours?” We check if the client isn’t too risky, through databases.

STEP 1: PLANNING THE AUDIT

OBJECTIVES

Ø Obtain a clear understanding of the requirements Ø Understand the specific contractual documents3 Ø Identify potential risky areas Ø Identify specific aspects relevant for the audit Ø Preparation of the audit strategy

UNDERSTAND THE AUDITEE’S ACTIVITIES

Objective = Identify main risk areas

When you start to understand the activity, there are internal and external factors of risk:

Ø External factors: statutory duties, regulations, the economic situation of the country, etc.

Ø Internal factors: existence of an internal audit department within the audited entity, the governance, etc.

3 permanent file: there are permanent things (statuts de la société, its biggest contracts, etc.)

Tasks of the auditor

Variable duration

Generally performed before and at the beginning of the audit fieldwork (or during identification visit)


17

Type of questions to look at:

Ø What are the activities and connected risks? Ø What is the type of organisation to be audited? Ø What are the main accounting policies? Ø Are there potential issues about certain aspects? Ø Industry requirements? Ø ...

ASSESS THE CONTROL ENVIRONMENT

It’s good to have a good internal control but it is not enough è you have to test if that control is working. Throughout the years the control must have worked. Based on that, you determine your Inherent Risk on existent fixed asset, etc., you check that the control is working.

Objectives =

Ø Understand the structure of the company to be audited Ø Identify elements of risks linked to the internal control structure

Sources:

Ø Interviews with people in charge of the audited entity Ø Interviews with operational and financial managers Ø Reading reports and minutes (financial, activity reports, previous audit reports, etc.)

Control environment is characterised by a combination of:

Ø Management style of the people in charge Ø Sensitivity of the people in charge to internal control Ø Internal control system adopted by people in charge Ø Other influences

DETERMINE THE MATERIALITY

We determine a materiality level because we cannot audit every single transaction obviously. Furthermore, we can still live with a certain number of (small) errors.

The materiality is the level of error/change under which a user of the financial statement is not going to change his opinion, his decision making.

Objectives =

Ø Connected to the principle of "true and fair view"; Ø Determine the sample size for substantive testing Ø Basis for interpretation of audit results

"An error may be judged material if knowledge of it would influence the user of the financial information"


18

Calculation:

The way materiality is calculated is judgemental. Here we have two ideas, but how materiality is going to be calculated depends on the auditor. We take a range because depending on the company’s level of risk we’ll choose a lower or higher materiality. If the company’s very risky, we’ll tend to choose a lower materiality (example: 5% of the pretax income)

Ø Between 5% and 10% of pretax income Ø Between 0,5% and 1% of turnover

We can choose to determine the materiality through the pretax income or the turnover for example.

Once you have the materiality it allows you to know on which accounts you are going to work etc. It will help you to determine your vouching limit4: the level of materiality you are going to apply to a specific invoice, a specific transaction.

There are 3 levels existing: (see later)

1. The materiality = global error in the Financial Statements. 2. The tolerable error = the materiality is determined depending on the full Financial

Statements, while the tolerable error is defined depending on the significant accounts. It’s calculated by taking 50% of the materiality. We calculate it because we know that we could have many errors that accumulated together would reach an amount higher than the materiality. That’s the reason why we always have to determine different levels of materiality.

3. The adjustment level: it’s the amount as from which you are going to be accumulating errors è adjustment list. ACD level

(Time of the procedure è transactions of the month of December? March? …? When are you going to do the procedures?)

DETERMINATE THE SIGNIGICANT ACCOUNTS

Objective = Determine whether some specific procedures should be applied for "significant" accounts

Criteria:

Ø Amount Ø Nature of the account(depending on the objectives); Ø Complexity and homogeneity; Ø Predisposition to manipulations or proneness to losses; Ø Problems or errors identified in previous audits

4 Within the audit program there’s a need to describe the nature but also the extent of the procedure (we’ll see that later) = the vouching limit (it is the extent of the procedure)


19

PREPARE THE AUDIT PROGRAMME

Objectives =

Ø Complete description of the work that is to be performed; Ø Justification of the appropriateness of the auditor's work with requirements of the

ToR's

Ø Prepared by audit team based on info collected during planning phase + requirements of the client

Ø Approved by Audit Partner

Per account, there are a number of assertions (= audit objectives). è Audit procedures will be designed to respond to specific audit objectives:

Assertion Existence Each and every transaction is real

Here we check the fact that it exists. If a machinery or plant is worth 3 millions, we have to check there physically are machinery and plants existing for that amount.

Valuation Each and every transaction is correctly valued The fact that it physically exists is not sufficient; it also has to be well

valued. The amount has to be well valued in books Cut-‐off Each and every transaction is recorded in the proper period “Are the accounting transactions written in the good period?” Classification Each and every transaction is correctly classified “Has it been accounted in the right account?” Completeness All the transactions that should be recorded have been recorded Verify that all the transactions have been accounted for

How do we check that?

Check Existence If we check the Financial Statements once a year (31 December), we are

going to do a physical observation è we send someone to see if the machinery etc. really exists.

Valuation We see the value of that machine on invoice. Is the invoice also a good document to look at for checking at the existence? No because the timing, classification etc. can be wrong. After the invoice, there’s depreciation so we need to analyze the depreciation to see if it works correctly.

Cut-‐off The machine has to be accounted for when it has been delivered Classification The auditor can check on the delivery note, the invoice, purchase order,…

to know exactly what asset it is Completeness Most difficult one è physical existence is one of the possible test +

sequence of deliveries (everything delivered is in the book, etc.) è BUT they might be hiding something from you.


20

BALANCE SHEET ACTIFS PASSIFS

We are more concerned about existence than about completeness, for the left hand side of the Balance Sheet

For the right hand side of the Balance Sheet it’s the opposite, we are more concerned about completeness!

It’s more problematic if we forget a liability than if we forget an asset

AUDIT TECHNIQUES – SUMMARY

Key words for the auditor – Step 1:

STEP 2: ASSESSMENT OF THE ACTIVITY AND ITS RISKS AND DETERMINATION OF THE AUDIT STRATEGY

Objectives:

Ø Understand and evaluate internal control risks Ø Determine inherent risks Ø Determine internal control risks

o Determine final Audit strategy o Decide on extent of audit procedures

AUDIT RISK

AR = IR x ICR x NDR

è Everything is going to be based on that formula. AR = IR x ICR x NDR is the formula you apply to each significant account.

Audit risk = “risk that the auditor concludes that the financial statements he has audited contain no significant errors, although they do contain such errors”.

Performed during the first two days of the audit fieldwork


21

Audit Risk = something that we will be fixing ourselves. We usually accept an Audit Risk (AR) of 5%. We need to go further.

1ST THING TO DO: DETERMINE THE INHERENT RISK (IR)

Inherent Risk = "Likelihood of significant inaccuracies due to a fraud or error, independently of the existing specific internal control procedures"

Depends on:

Ø Quality of the personnel responsible Ø General internal organisation Ø Economic & financial situation of the country Ø General risk linked to the type of transaction

The inherent risk will always be assessed as higher or lower

Example: tangible fixed assets: è We audit a company: Spadel (making water bottles). The tangible fixed assets represent an important amount. How do we determine the inherent risk of the tangible fixed assets? Based on feeling, professional judgment, the number of transactions going through that account and their complexity, etc. we are going to determine whether the risk is high or low.

2ND THING TO DETERMINE: DETERMINE THE INTERNAL CONTROL RISK (ICR)

Internal Control Risk = "likelihood that the internal control system does not prevent or detect significant inaccuracies due to a fraud or error"

Depends on:

Ø Organisational structure followed for project management and connected potential risks;

Ø Main aspects related to personnel management Ø Accounting system used to record and report the expenses and revenues. Ø Supervision/governance measures Ø Prevention >< Detection internal controls put in place

The Internal Control Risk will always be assessed as minimum, moderate or maximum.


22

PRELIMINARY ASSESSMENT OF THE INTERNAL CONTROL RISK

Internal Control Risk = Risk that the internal controls of the company are not picking up the materiality of the account. è “What’s the risk that the umbrella is not stopping the rain? How do we determine the ICR?”

There are shortcuts possible in assessing the internal control risk: if a few people are doing everything, you can choose to not test internal controls è you determine your ICR as being at its maximum. We’re not going to test all the controls because they are not working properly anyway. è The auditor goes straight on executing his audit program.

There are 2 options when one are trying to assess internal controllers:

-‐ Test of the controls: end up with an assessment of internal control being low or high è you spend time on testing the controls, hoping that its going to lower your risk etc. You might not be allowed to lower the risk and then you have to do twice more work

-‐ Final assessment: you can skip the control and decide to not test the Internal Control, and go straight to the audit.


23

3RD THING TO DO: COMBINED RISK ASSESSMENT (CRA)

Then you make a combined risk assessment (CRA) for each significant amount that we are looking at. è Combination of the inherent risk and internal control risk = colour in the box.

Evaluation du risque inhérent

(Inherent Risk) par l’auditeur

Evaluation du risque de contrôle interne (Internal Control Risk) par l’auditeur

Maximum Moderate Minimum

Low Minimum Faible Moyen

High Faible Moyen Elevé

Basically that’s how we determine the 2 first part of the formula (IR and ICR). Then we have to determine the NDR. Auditors can determine it themselves (it’s the only one they can). Depending on the IR and ICR being high or low, they have to reduce the NDR or accept a high NDR. If the Combined Risk Assessment (CRA) is very high we’ll have to reduce the NDR è by doing a lot of audit procedures. If the CRA is very low (very low risk for an error to appear in the financial statements) è accept a higher NDR: less audit procedures.

4TH THING TO DETERMINE: THE NON-‐DETECTION RISK

Non-‐detection risk = “Likelihood that the external auditor does not detect significant inaccuracies by means of his/her audit procedures”. è That’s how you determine your final audit program

Ø Only criteria that can be influenced by the auditor Ø Will be directly impacted by the extent of substantive procedures applied Ø Allows for a reduction of the audit Risk

Combined Risk Assessment

NDR should be

Scope of the substantive tests

Volume of proof needed

High Minimal Estimation High

Moderate Low Extended Average

Low Moderate Detection Low

Minimal High Minimal Minimal

The scope of our testing should be at the level of our estimations.

Ø If the CRA is high, we expect a very high probability that there are going to be errors in the accounts. è It means we’ll need a lot of procedures.

Ø If the CRA is moderate: it means the NDR is low o Audit procedures are going to be extended, o Low level of materiality and o The volume of proof needed will be average.

Testing is detective è trying to detect the errors.


24

DETERMINATION OF THE AUDIT STRATEGY

Sets:

-‐ Scope -‐ Timing -‐ Type of audit procedures -‐ Extent of substantive tests

è Documented in the final audit programme

AUDIT PROCESS – SUMMARY


STEP 3: PERFORMING THE AUDIT PROCEDURE

Objectives:

• Perform Audit procedures determined in Step 2. When performing the audit procedure, you are fully in the case of the Non-‐Detection Risk.

• Execute the procedures as per the audit program • Basis for formulation of the Audit Opinion

Ø Decrease the Non-‐Detection Risk Ø Hold the audit risk at a low level

Performed throughout the audit fieldwork


25

DIFFERENT TYPES OF AUDIT PROCEDURES

General Audit Procedures

= Audit procedures, general in nature and necessary to verify certain contractual aspects or to comply with professional standards

The general audit procedures are not specific to certain accounts. There are some ISA statements talking about those GAPs.

Ex: getting an engagement letter, a representation letter = GAP.

• Engagement letter5 = contract between auditor and client (before you start the audit)

• Representation letter = letter in which the company or management states they have not hidden anything from the auditor. This letter appears at the end of the audit and is always dated at the same date than the audit report. It states: “I confirm that I have given you everything I had, that I am not hiding anything from the auditor etc.” + all the adjustments

(Cours manquant 06/10)

Examples:

ü Review of the general & specific conditions of important contracts and legislation ü Review the bank statements in search of unusual items ü Check of proper reconciliation between financial reports and accounting ü Confirmations (bank, lawyers) ü Obtain the Representation letter from the Auditee ü Independence related procedures ü Etc.

Analytical and data analysis procedures

= Logical tests of relationships between numbers, aimed at reviewing whether the numbers reported in the financial statements are reasonable è Trends / ratios / examination of variations

3 levels of confidence: Minimal >< Corroborative >< Persuasive

5 EXAM: what is the difference between engagement and representation letter


26

Substantive tests applied on financial data

= Verification of the supporting documents

Examples:

• Physical observation (inspection of fixed assets), • Check of payments, • Review of the invoices, • Testing the respect of tendering and awarding procedures for a sample of contracts, • Testing the expenses to the invoices and bank documents, • Recalculation, etc.

Key items >< Representative sample

Key – items Representative sample = Items selected by the auditor on a judgmental basis because of:

• Significant amount • Risky transaction • Unusual transaction • Etc.

à No extrapolation allowed

= Items selected based on statistical sampling à Extrapolation allowed

INTRODUCTION TO STATISTICAL SAMPLING

OBJECTIVE

Non-‐Detection Risk can be reduced:

• By performing analytical review procedures • By performing substantive tests on key-‐items

AND must be completed by:

• Performing substantive tests on a representative sample


27

à Objectives of statistical sampling =

• Determine sample size • Further reduce Non-‐Detection Risk

DEFINITIONS

Population =

• All data • Basis for sampling

Stratification = division of the population into sub-‐population

SIZE OF THE SAMPLE

ART6 Multiplicator includes the following elements:

• Assessment of Inherent Risk (IR) • Assessment of Internal Control Risk (ICR) • Level of confidence reached through analytical review procedures • Type of sampling method • The statistical level of confidence (generally 95%)

6 ART = Audit Risk Table

E.g. for account receivable =

The full accounts receivable sub ledger at the of the period

E.g. for accounts receivable =

Intra-‐group transactions

(𝑃𝑜𝑝𝑢𝑙𝑎𝑡𝑖𝑜𝑛 € − 𝑘𝑒𝑦 𝑖𝑡𝑒𝑚𝑠 €)𝑀𝑎𝑡𝑒𝑟𝑖𝑎𝑙𝑖𝑡𝑦 €

∗ 𝐴𝑅𝑇 𝑚𝑢𝑙𝑡𝑖𝑝𝑙𝑖𝑐𝑎𝑡𝑜𝑟

IR & ICR = CRA


28

TWO METHODS OF SELECTION OF SAMPLE

1. Random Number Sampling = a. all items of a population have an equal probability of being selected b. often easier to carry out

2. Monetary Unit Sampling (MUS) = a. chance of one item to be selected is proportional to its monetary value b. maximises the coverage in terms of monetary value and allows a smaller

sample size

è Audit Risk Table and sample size will depend on the method chosen

RANDOM NUMBER SAMPLING VS. MONETARY UNIT SAMPLING

EXAMPLE

Calculate the sample size for overheads expenses for the period 2003-‐2004

Assumptions:

ü Materiality 2% of total expenditures = 200.000 € ü No analytical procedures possible à level of confidence = minimal ü 18 key items for a total of 425.689 € à 20% of the sub-‐population ü Random number sampling method ü IR and ICR regarded as high

(2.157.256€ − 425.689€)200.000€

∗ 3,6 = 32 𝑖𝑡𝑒𝑚𝑠


29

PERFORMING THE AUDIT PROCEDURE – SUMMARY


STEP 4: CONCLUSION OF THE AUDIT

Objectives:

• Summarise and quantify audit findings • Verification of general coherence of the audit • Preparation of the debriefing memorandum

è Basis for preparation of audit report

ANALYSIS AND QUANTIFICATION OF FINDINGS

QUANTIFICATION OF ERRORS

• Identified with analytical review procedures o Cannot be used to estimate the error o Further investigation / analysis needed

• Identified on key-‐items o Reported individually in the audit report

• Identified on representative sample o May be extrapolated to the sub-‐population

Extrapolation -‐ some rules

• Only on representative sample • Extrapolation method consistent with sampling method • Qualitative aspect of errors must be taken into account • Separate extrapolation for each sub-‐population

Performed at the end of the fieldwork


30

EXAMPLE OF EXTRAPOLATION – OVERHEAD EXPENSES

TYPE OF ERRORS AND THEIR CONSEQUENCES

Intentional errors vs. formal errors

• Intentional errors = cover potential fraud and/or irregularities à Should be reported to governance as soon as possible

• Formal errors = insufficient documentation, lack of clarity, incompliance with contractual basis, etc..

Recurring errors or not

Ø May be necessary to extend audit procedures in risky area Ø Risk assessment may need to be revised Ø Enlarge sample for risky sub-‐population

REASSESSMENT OF THE SAMPLE CONNECTED RISK

High error rate + recurrent errors = Sign of internal control weaknesses

Ø CRA must be reassessed Ø Calculation of revised sample size

Should the conclusions be inconsistent with preliminary assessment of internal control system, the auditor will have to recalculate his/her sample.

AUDIT REPORT

PROCEDURES & REQUIREMENTS

Reporting requirements:

Reminder: The objective of an audit is to enable the Auditor to express an opinion and issue a report in accordance with the requirements of the Commission

• In accordance with the ISA's

FORMAT & CONTENT

Different possible audit opinions:

Ø Unqualified (clean) opinion: It’s OK!

This is the most desirable opinion type. "…the Financial Report gives a true and fair view, in all material respects, of the results and financial position”

Basis Audited Errors identified

% Extrapolation

Key-items 425.689 € 425.689 € 156.335 € 36,7 % 156.335 € Representative sample

1.731.567 € 150.387 € 21.569 € 14,4 % 248.347 €

Total 2.157.256 € 576.076 € 177.904 € 404.682 €


31

Ø Qualified opinion: It’s OK except for…

This happens more than we expect! …the Financial Report gives a true and fair view, in all material respects, of the results and financial position

Except for an error on a specific account ... “

Ø Adverse opinion: It’s not OK!

Not desirable BUT not very frequent. "… the Financial Report does not give a true and fair view, in all material respects, of the results and financial position ... “

Ø Disclaimer of opinion: I don’t know!

Not desirable BUT occur sometimes. "…the Auditor is unable to express an opinion."

Significant scope limitation è the auditor cannot obtain sufficient audit evidence.

CONCLUSION OF THE AUDIT – SUMMARY



32

AUDIT PROCESS (ILLUSTRATIVE)

Planning and risk identification

Strategy and risk assessment

Execution Conclusion and reporting

Complete preliminary engagement activities

Identify SCOTs, significant disclosures processes & related IT applications

Execute tests of controls Prepare summary of audit differences

Understand the business Understand SCOTs & Sig disclosures processes

Understand and evaluate the FSCP

Execute tests of journal entries and perform other mandatory fraud procedures

Perform financial statement procedures

Determine the need for specialized skills on the team

Perform walkthrough

Understand entity-‐level controls

Select controls to test

Understand ITGCs

Update tests of controls

Update tests of ITGCs

Prepare the summary review memorandum

Design and execute tests of ITGCs Evaluate ITGCs

Identify risk of material misstatement due to fraud and determine responses

Make combined risk assessment (CRA)

Perform substantive procedures

Perform overall review and approval

Determine Performance Materiality (PM), Tolerable Error (TE) and SAD nominal amounts

Design tests of controls

Prepare and deliver client communication

Design test of journal entries and other mandatory fraud procedures

Identify significant accounts and disclosures and relevant assertions

Design substantive procedures

Plan general audit procedures

Perform General audit procedures

Complete documentation and archive engagement

Prepare audit and strategies memorandum

Und

erstan

d service requ

iremen

ts, d

etermine au

dit scope

and

estab

lish the team

Team

plann

ing even

t and

discussion of frau

d an

d error

Post-‐in

terim

event

Wrap-‐up

the en

gagemen

t

Reassess com

bine

d risk assessmen

ts


33

MATER IAL ITY

AGENDA

Ø Introduction Ø Definition – concepts Ø Determining overall materiality level Ø Assessing errors at the end of the audit Ø ISA 320 Ø Questions Ø Practical examples

INTRODUCTION

Ø Audit risk = risk that the auditor certifies financial statements that contains material errors due to fraud or errors

Ø “Risk of material misstatements” exists both on financial statements taken as a whole as at the level of significant accounts and disclosures => judgment needed (it’s not merely a mathematical exercise!)

DEFINITION

Ø Materiality is defined as “the size of an error in the financial statements which in all probability would influence the judgement of a reasonable user of these financial statements”.

Ø Errors include amongst others omissions and wrong presentations. Ø Reasonable users are people that are no specialists in accounting but have a basic

knowledge of the principles used to prepare financial statements: o A certain knowledge of accounting is needed; o They need to understand that materiality levels are used during an audit; o They need to acknowledge that a certain level of ‘judgement’ is used when

preparing financial statements.

Ø Materiality or “material importance” therefore has a direct impact on the auditor’s opinion on the financial statements. In case there are no material misstatements -‐> unqualified opinion. In case of material misstatements -‐> qualified opinion or negative opinion (depending on the number and size of the misstatements);

Ø Auditor needs to determine materiality levels for his audit and these levels will be used for testing purposes (determining the extent of testing) and for reporting purposes (accumulating the adjustments in a ”summary of unadjusted differences” and determining the type of opinion based on his professional judgement) ;

Ø Different levels of materiality (overall materiality, tolerable error, adjustment level)


34

DETERMINING THE MATERIALITY LEVEL

Ø Will be done during the planning phase; Ø Can and needs to be adjusted during the execution of testing based on results

obtained; Ø The lower the materiality, the more testing (cfr. risk formula); Ø Materiality is a relative concept. The importance of an error will depend on its

relative importance as compared to the financial statements taken as a whole. An error of 1 million will be material in an entity with a balance sheet of 20 million but not in an entity with a balance sheet of 20 billion;

Ø Different data can be used and audit firms generally use a different basis from other audit firms. There are no specific guidelines coming from professional organisations since there’s a risk that auditors would automatically use these guidelines rather then taking into account the specific sitauation of the audited entity;

Ø There are nevertheless some “rules of fist”: o Entities for profit: 5% to 10% of the pretax income, 0,5% to 1% of total sales,

5% of EBITDA,…; o Non for profit entities: 0,5% to 1% of revenues.

Ø Examples: o Non for profit organisations: rather use total revenue or total expense as a

benchmark; o You can exclude exceptional items out of the profit before taxes; o Insurance companies: use net assets as a benchmark; o Holdings: usually net assets or total assets

LEVELS

Ø Overal materiality or “planing materiality” – at level of financial statements (PM) Ø Tolerable error – at level of a significant account (for reporting) – TE (generally 50%

or 75% of PM) – used for testing and reporting Ø Adjusting difference – level as from which an error is taken to the summary of

unadjusted audit differences – SAD level (for example 5% of PM) – used for reporting only

Ø Takes into account that more than one error can appear and those errors can accumulate

3 levels of materiality:

Ø 1st level: Materiality Ø 2nd level: Tolerable error: 50% of materiality Ø 3rd level: ACD level


35

ASSESSING ERRORS

Ø After performing the audit procedures, the auditor will have a view of the individual and total errors in the financial statements taken as a whole but also per significant account;

Ø These errors are added up and compared to the overall materiality level determined at the start of the audit. Based on this exercise, the auditor will determine the impact of these errors on his opinion.

ISA 320 – AUDIT MATERIALITY

Ø Materiality: matter of professional judgement; Ø Both qualitative and quantitive misstatements; Ø Materiality to be determined at overall financial statement level and in relation to

classes of transactions, account balances and disclosures; Ø Inverse relationship between materiality and the level of audit risk; Ø Assessment required whether the aggregate of uncorrected misstatements that

have been identified during the audit is material; Ø If the aggregate of uncorrected misstatements approaches the materiality level, the

auditor must consider whether it is likely that undetected misstatements could lead to exceeding the materiality level;

è Audit risk can be reduced by performing additional procedures or by requesting management to adjust the financial statements

QUESTIONS

Ø Can we communicate our materiality levels to the auditee? Ø What about a condensed accounting year or quarterly reporting? Ø Why does the auditor determine materiality? Ø What about consolidated financial statements?

o Example: group with 20 subsidiaries in 20 different countries with sales of EUR 1 million each and a profit before taxes of EUR 100.000 each

o Consolidated revenue is EUR 20 million and consolidated profit before taxes is EUR 2 million

o Expected materiality based on consolidated figures is EUR 100.000 o Can this materiality level be used for each entity? o Allocation of materiality needed


36

PRACTICAL EXAMPLES

EXAMPLE 1

Given: Ø Sales: 10.000 € Ø Profit before taxes: 1.000€ Ø Net assets: 50 € Ø Accounts receivable: 1.500 € Ø Allowance for doubtful debt understated with: 40€

Is this material?

EXAMPLE 2

Given for Year 1 Given for Year 2 Ø Sales: EUR 10.000 Ø Pretax income: EUR 1.000 Ø Net assets: EUR 1.500 Ø Accounts receivable: EUR 1.500 Ø Allowance for doubtful debt understated

with EUR 40

Ø Sales: EUR 10.000 Ø Pretax income : EUR 100 Ø Net assets: EUR 1.600 Ø Accounts receivable: EUR 1.500 Ø Allowance for doubtful debt still

understated with EUR 40

Ø Material error in year 1 ? Ø Material error in year 2 ?

EXAMPLE 3

Given:

Ø Sales: EUR 10.000 Ø EBITDA: EUR 1.000 Ø Net debt: EUR 3.000 Ø Covenant: net debt/EBITDA max 3 Ø Allowance for doubtful debt understated with EUR 20

Material?

EXAMPLE 4

Given:

Ø Sales: EUR 10.000 Ø Operating profit: EUR 1.000 Ø Balance sheet total: EUR 5.000 Ø Leasingcontract signed for a new machine:

o Acquisition cost: EUR 2.500 o Yearly rent: EUR 300 in expense as rent (account 61) o Lifespan = duration of the contract= 10 years o Analysis shows that this is a finance lease and not an operational lease

Material ?


37

EXAMPLE 5

Given:

Ø Sales: EUR 10.000 Ø Operating profit: EUR 1.000 Ø Balance sheet total: EUR 5.000 Ø Audit fees amount to EUR 25 and are correctly accounted for but not disclosed in

the notes to the financials in Vol. 5.15

Material?7

Audit Fees are in the P&L but you don’t see it there. 25 euros not disclosed in an appendix is not going to change the true and fair view, the amount is too small.

We will try to push the client to change that, telling him that financials are not corrects, he has to give that information.

EXAMPLE 6

Given:

Ø Sales: EUR 10.000 Ø Operating profit: EUR 1.000 Ø Balance sheet total: EUR 5.000 Ø Depreciation: EUR 300 Ø Depreciation % used on buildings: 3% Ø In the disclosures (accounting policies) it says 5% is used as depreciation on

buildings

Material?

300 = 3% of the total value of the building è P&L. But in the disclosure it says it’s 5% that we are using è we are not using the percentage that we should be using, following the accounting policies 8 . There’s an issue, an error of 200. 200 is material because the materiality is between 5% & 10% of 1000, so between 50 and 100, and 200 is > than that. è 200 is in any case material.

EXAMPLE 7

Given:

Ø Sales: EUR 10.000 Ø Operating profit: EUR 1.000 Ø Balance sheet total: EUR 7.500 Ø Provisions (account 16): EUR 75 Ø Provisions for early retirement not accounted for in an amountof EUR 25

Material?

7 Dans les annexes au compte normalement il y a des honoraires d’audit (audit fees) pour donner des informations supplémentaires aux lecteurs. Dans une des annexes il manque cette information. Ici, les honoraires de 25 sont bien notes.

8 accounting policies = regles d’évaluation


38

Ø Liability side of the B/S: o Provisions for 75 euros. o Provisions that should have been booked but haven’t: error of 25.

è Not material

EXAMPLE 8

Given:

Ø Sales: EUR 10.000 Ø Operating profit: EUR 1.000 Ø Net assets: EUR 1.500 Ø Balance sheet total: EUR 7.500 Ø Intangible assets: EUR 0 Ø Tangible assets amount to EUR 2.000 of which EUR 1.500 relate to software

Material?

Normally softwares are intangible fixed assets è This error is on significant account intangible asset and tangible asset

è Material if you compare it to anything P&L driven but it’s only a balance sheet effect… would it change the view of a FS user? 2 solutions

-‐ It is important -‐ It is not

It depends on the context of the company but we will probably say that it’s material because we have big amounts here.

1500 è part of other audit procedures that we will do.

EXAMPLE 9

Given:

Ø Sales: EUR 10.000 Ø Operating profit: EUR 5.000 Ø Net assets: EUR 6.500 Ø Balance sheet total: EUR 8.000 Ø Credit note to be issued9 not accrued for in an amount of EUR 200

Material?

That’s equity

Credit note to be issued should have been put in the B/S but 200 euros doesn’t look material

Ø // Pretax income = one of the most important indicator è not material Ø // Total of the B/S è not material

9 = Note de crédit à établir


39

EXAMPLE 10

Given:

Ø Sales: EUR 10.000 Ø Operating profit: EUR 5.000 Ø Net assets: EUR 6.50 Ø Legal reserve: EUR 25 Ø Profit after taxes: 2.000 Ø Profit is fully distributed to the shareholders

Problem?

Ø Low equity value, & Ø Low net asset value Ø Legal Reserve = 25 euros Ø Profit fully distributed to the shareholders

Normally before we distribute net profit, net income, we have to put 5% in the legal reserve. Distributing everything is not correct.

Material? It might be. It’s difficult to determine without knowing how is the equity build up. Anyway in the second part of the audit opinion we’ll say that the company’s law has not been respected. We should qualify in that case è qualified opinion

EXAMPLE 11

Given:

Ø Sales: EUR 10.000 Ø Net assets: EUR 1.000 Ø Profit before taxes: EUR 1.500 Ø Account 61 includes EUR 50 of secret commissions. Tax risk: fine of 309%

Material?

Tax risk on the amount of 50 with a fine of 309 %. If the probability of the tax risk is > 50%, then you qualify. If we believe >50% chances that it materializes, then we qualify.


40

I SQC1 AND ISA200-‐260

ISQC1: International Standard Quality Control 1 è n°1 because there’s only one so far.

Ø The international Standard on Quality Control (ISQC) deals with a firm’s responsibilities for it’s system of quality control for audits and reviews of financial statements, and other assurance and related services engagements.

Ø This ISQC applies to all firms of professional accountants in respect of audits and reviews of financial statements, and other assurance and related services engagements. The nature and extent of the policies and procedures developed by an individual firm to comply with this ISQC will depend on various factors such as the size and operating characteristics of the firm, and whether it is part of a network.

è The ISQC1 applies to all engagements. It deals with the firms’ responsibility for quality control. One person must be responsible of this and has to put in place a system of quality control.

IFAC -‐ Code of ethics for professional practitioners

Services covered by the standards and recommendations

Structure of the Standards for Assurance Engagements

Audit and review of historical Qinancial information

ISA 100-‐999

IAPS 1000-‐1999

ISRE 2000-‐2699

IREPS 2700-‐2999

Assurance engagements other than audits and reviews of

historical Qinancial information

ISAE 3000-‐3699

IAEPS 3700-‐3999

Related Services

ISRS 4000-‐4699

ISRSPS 4700-‐4999

ISQC 1-‐99 International Standards on Quality Control


41

ELEMENTS OF A SYSTEM OF QUALITY CONTROL

The firm shall establish and maintain a system of quality control that includes policies and procedures that address each of the following elements:

Ø Leadership responsibilities for quality within the firm: responsible for the quality control at the top level

Ø Relevant ethical requirements: so that everybody have to have a set of values within the company

Ø Acceptance and continuance of client relationships and specific engagements: the first time the auditor accepts a client, he has to go through an acceptance procedure. Then every year he has to do a client continuance, to see if the client still complies with the criteria. è Continue engagement = a job. è Engagement acceptance: necessary, when you have accepted there are some services that you can’t do: for example you can’t be the accountant for a client where you are an auditor, you would be auditing what you do.

Ø Human resources: how do you make sure your people are trained on a continual basis, your people are ethical, etc.? What are your recruitment procedures? Are you recruiting the right persons? Etc.

Ø Monitoring: need to make sure that the quality get monitored on a regular basis

All that needs to be documented: The firm shall document its policies and procedures and communicate them to the firm’s personnel.

LEADERSHIP RESPONSIBILITIES FOR QUALITY WITHIN THE FIRM

The firm shall establish policies and procedures designed to promote an internal culture recognizing that quality is essential in performing engagement. Such policies and procedures shall require the firm’s chief executive officer (or equivalent) or, if appropriate, the firm’s managing board of partners (or equivalent) to assume ultimate responsibility for the firm’s system of quality control.

RELEVANT ETHICAL REQUIREMENTS

Independence

Ø The firm shall establish policies and procedures designed to provide it with reasonable assurance that the firm, its personnel and, where applicable, others subject to independence where required by relevant ethical requirements :

Ø Policies and procedures that are required to independence Ø Engagement partners to provide the firm with relevant information about client

engagements, including the scope of services, to enable the firm to evaluate the overall impact, if any, on independence requirements

Ø Personnel to promptly notify the firm of circumstances and relationships that create a threat to independence so that appropriate action can be taken

Ø The firm maintains and updates its records relating to independence Ø The firm takes appropriate action regarding identified threats to independence that

are not at an acceptable level.


42

ACCEPTANCE AND CONTINUANCE OF CLIENT RELATIONSHIP AND SPECIFIC ENGAGEMENT

Ø Competence, Capabilities and resources: An audit team that has never been auditing a bank should not be assigned totally alone è rather not accept the client.

Ø Integrity of client: Industry of pornography, you might not accept the client (integrity issue)

Ø Continuance of Client Relationship Ø Withdrawal: What do we do when withdrawal of the client? Ø Considerations Specific to Public Sector Audit Organizations

HUMAN RESOURCES

Ø Recruitment Ø Performance of the people evaluation: how is it done? We need to make sure that

in the performance review, quality is assessed and not only commercial etc. you can’t make an exception on quality.

Ø Capabilities, including time to perform assignments Ø Competence Ø Career development Ø Promotion Ø Compensation Ø The estimation of personnel needs

ENGAGEMENT PERFORMANCE

Ø Consistency in the Quality of Engagement Performance Ø Supervision: always reviewed by a second person Ø Review Ø Consultation: need to make sure that you address the possibility of consulting

MONITORING

Ø Monitoring the Firm’s Quality Control Policies and Procedures: make sure your Quality Control etc. are monitored on a regular basis è complaints or allegation, etc.

Ø Communicating Deficiencies Ø Complaints and Allegations

Example: GMS system (= software) è need to declare all the investments you have: database. The company can check and see we don’t have shares In our client’s company, etc.

ISQC1 applies to all engagements. Now: more specific


43

DOCUMENTATION OF THE SYSTEM OF QUALITY CONTROL

Ø The form and content of documentation evidencing the operation of each of the elements of the system of quality control is a matter of judgment and depends on a number of factors, including the following

o The size of the firm and the number of offices o The nature and complexity of the firm’s practice and organization

Ø For example, large firms may use electronic databases to document matters such as independence confirmations, performance evaluations and the results of monitoring inspections.

ISA 200: OVERALL OBJECTIVE OF THE INDEPENDENT AUDITOR AND THE CONDUCT OF AN AUDIT IN ACCORDANCE WITH INTERNATIONAL

STANDARDS ON AUDITING

This International standard on Auditing (ISA) deals with the Overall Objectives of the Auditor In conducting an audit of financial statements, the overall objectives of the auditor are:

Ø The obtain reasonable assurance (reasonable assurance is not an absolute level of assurance) about whether the financial statements as a whole are free from materiel misstatement, whether due to fraud or error, there by enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework

Ø To report on the financial statements, and communicate as required by the ISA’s, in accordance with the auditor’s findings.

Ø In all cases when reasonable assurance cannot be obtained and a qualified opinion in the auditor’s report is insufficient in the circumstances for purposes of reporting to the intended users of the financial statements, the ISAs require that the auditor disclaim an opinion or withdraw (or resign) from the engagement, where withdrawal is possible under applicable law or regulation.

ISA 200 REQUIREMENTS ESTABLISHING THE GENERAL RESPONSIBILITIES OF THE INDEPENDENT AUDITOR

Ø Ethical Requirements Relating to an audit of Financial statements Ø Professional Skepticism Ø Professional Judgment Ø Sufficient Appropriate Audit Evidence and Audit Risk Ø Conduct of an Audit in Accordance with ISAs

ISA 210: AGREEING THE TERMS OF AUDIT ENGAGEMENTS

Ø This International Standard on auditing (ISA) deals with the auditor’s responsibilities in agreeing the terms of the audit engagement with management and, where appropriate, those charged with governance. This includes establishing that certain preconditions for an audit, responsibility for which rests with management and, where appropriate, those charged with governance, are present.


44

ISA 210 REQUIREMENTS

Ø Preconditions for an Audit Ø Agreement on Audit Engagement Terms Ø Recurring Audits Ø Acceptance of a change in Term of the Audit Engagement Ø Additional Considerations in Engagement Acceptance

ISA 210: PRECONDITIONS FOR AN AUDIT

Ø Determining the Acceptability of the financial reporting framework Ø Financial reporting frameworks prescribed by law or regulation Ø Jurisdictions that do not have standards setting organizations or prescribed financial

reporting frameworks Ø Agreement of the Responsibilities of Management Ø Preparation of the Financial Statement and internal control

ISA 210: AGREEMENT ON AUDIT ENGAGEMENT TERMS

An audit engagement letter mentions the responsibility of the management & of the auditor

An Audit engagement letter may make reference to the following:

Ø The scope of the audit Ø The form of any other communication of results of the audit engagement Ø Because of inherent limitations of an audit and internal control, an unavoidable risk

that some material misstatements may not be detected exists. Ø The expectation that the management will provide written representations Ø The agreement of management to make available to the auditor draft financial

statements and any accompanying other information in time to allow the auditor to complete the audit in accordance with the proposed timetable

Ø The agreement of management to inform the auditor of facts that may affect the financial statements, of which management may become aware during the period from the date of the auditor’s report to the date the financial statements are issued

Ø The basis on which fees are computed and any billing arrangements Ø A request for management to acknowledge receipt of the audit engagement letter

and to agree to the terms of the engagement outlined therein.

AUDITS OF COMPONENTS

When the auditor of a parent entity is also the auditor of a component, the factors that may influence the decision whether to send a separate audit engagement letter to the component include the following:

Ø Who appoints the component auditor Ø Whether a separate auditor’s report is to be issued on the component Ø Legal requirements in relation to audit appointments Ø Degree of ownership by parent Ø Degree of independence of the component management from the parent entity


45

ISA 230 AUDIT DOCUMENTATION

Anything not documented is considered as not done: having it in your head is not sufficient. Everything has to be documented. The rule is that someone should be able to re-‐do what the auditor has done based on the audit documentation. Furthermore, the documentation has to be kept for 10 years. On top of ISAs, there are regulations.

This international Standard on Auditing (ISA) deals with the auditor’s responsibility to prepare audit documentation for an audit of financial statements. The appendix lists other ISAs that contain specific documentation requirements and guidance. The specific documentation requirements of other ISAs do not limit the application of this ISA. Law or regulation may establish additional documentation requirements.

ISA 230 REQUIREMENTS

Ø Timely Preparation of Audit Documentation Ø Documentation of the Audit procedures Performed and Audit Evidence obtained Ø Assembly of the Final Audit File

ISA 230 DOCUMENTATION OF THE AUDIT PROCEDURES PERFORMED AND AUDIT EVIDENCE OBTAINED

The auditor shall prepare audit documentation that enable an experienced auditor to understand the following:

Ø The nature, timing and extent of the audit procedures Ø The results of the audit procedures performed, and the audit evidence obtained Ø Significant matters arising during the audit, the conclusions reached thereon Ø In exceptional circumstances, why the auditor judges it necessary to depart from a

relevant requirement in an ISA Ø Matters Arising after the Date of the Auditor’s Report

ISA 230 ASSEMBLY OF THE FINAL AUDIT FILE

Ø The auditor shall assemble the audit documentation in an audit file and complete the administrative process of assembling the final audit file on a timely basis after the date of the auditor’s report

Ø After the assembly of the final audit file has been completed, the auditor shall not delete or discard audit documentation of any nature before the end of its retention period

Ø In circumstances where the auditor finds it necessary to modify existing audit documentation or add new audit documentation after the assembly of the final audit file has been completed, the auditor shall, regardless of the nature of the modifications or additions, document:

o The specific reasons for making them o When and by whom they were made and reviewed


46

ISA 240 THE AUDITOR’S RESPONSIBILITIES RELATING TO FRAUD IN AN AUDIT OF FINANCIAL STATEMENTS

This ISA is a very important one. We’ll see it later.

This ISA deals with the auditor’s responsibilities relating to fraud in an audit of financial statements. Specifically, it expands on how ISA 315 and ISA 330 are to be applied in relation to risks of material misstatement due to fraud

Ø Characteristics of Fraud Ø Responsibility for the prevention and detection of fraud Ø Responsibility of the auditor Ø Professional skepticism Ø Discussion among the engagement team Ø Risk assessment procedures and related activities Ø Management’s assessment of the risk Ø The auditor shall make inquiries of management Ø Unusual or unexpected relationship identified Ø Evaluation of fraud risk factors Ø Identification and assessment of the risk of material misstatement due to fraud Ø Responses to the assessed risks of material misstatement due to fraud

o Overall responses o Audit procedures responsive to assessed risks of material misstatement due

to fraud at the assertion level o Audit procedures responsive to risks related to management override of

controls

ISA 250 CONSIDERATION OF LAWS AND REGULATION IN AN AUDIT OF FINANCIAL STATEMENTS

There’s a specific ISA taking into consideration laws and regulations. Example: tax laws are important è which laws the company has to comply with? Etc. è it’s a checklist.

Tax = VAT, custom duties, company taxes

Ø Effect of laws and regulations Ø Responsibility for compliance with laws and regulations

o Management’s responsibility o Auditor’s responsibility

Ø The auditor’s consideration of compliance with laws and regulations Ø Audit procedures when Non-‐compliance is identified or suspected Ø Reporting of identified or suspected non-‐compliance Ø Documentation


47

ISA 260 COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE OF THE COMPANY

Ø Those charged with governance Ø Those charged with governance-‐The person or organization with responsibility for

overseeing the strategic direction of the entity and obligations related to the accountability of the entity.

Ø Matters to be communicated Ø Planned scope and timing of the audit Ø Significant findings from the audit Ø Auditor independence Ø The communication process Ø Establishing the communication process Ø Forms of communication Ø Timing of communication s Ø Adequacy of the communication process Ø Documentation


48

?????

≠ steps of the audit methodology (last time).

Yellow: first combined risk assessment (slide audit process)

Test of the controls to confirm that your risk assessment (preliminary) is valid.

Based on the combined risk assessment è substantive procedures + general audit procedures.

?????

CASE STUDY-‐ SERVIER BENELUX


49

I T SPEC IAL IST INVOLVEMENT IN THE AUDIT

Agenda:

Ø The IT Specialist Approach: we use IT specialists because most of the transactions are done through IT.

Ø IT Environment Checklist (ITEC) & Technology Summary (Techsum): o ITEC = a number of ways to document what auditors are doing o TECHSUM = what technology the client uses and how it’s affecting the

business Ø Application Control Review Ø IT General Controls (ITGC) Ø Data Analysis: electronic evidence obtained through the system Ø Summary

THE THREE MAIN AREAS OF FOCUS: THE IT PYRAMID

Integration of the IT audit team at three main levels:

Ø Obtaining an understanding of the IT environment (and changes to it) and assess the inherent risks attached

Ø Testing of the (semi-‐) automated application controls Ø Test IT General Controls over applications (and Operating Systems / Databases).

ISA 600 = making use of an expert if you don’t have your own IT specialist in the audit team

IT Environment (document)

Application controls (test1)

IT General Controls (test2)

2 types of control in the IT system:

1. Application controls 2. IT general controls (wider than application

controls and it affects it) Ex: change management è how do we do when we want to change something (process)?

STEPS:

1

2

3


50

THREE PARTS OF IT-‐RELATED WORK: THE BIG PICTURE

1. The IT Environment Ø Identify business and inherent risks:

o Risk formula – part 1 è IT = part of the inherent risks Ø Impact on internal control at entity level (not at a process level) è ex: if there’s

only one person in the IT department in a company with a complex system Ø Regulatory requirements: companies are part of an industry where IT has to

comply with regulatory requirements Ø To link the significant business processes with applications (Techsum)

o TechSum = document: Technology Summary. It says which software, platform is used for each process

2. Application controls

Those controls happen at the transaction level. They’re:

Ø Either manual controls, as for example comparing 2 things è you have to test it much more: if a machine does it right once, it will do it right all the time, which is not the case of a person

Ø Or manual controls depending on IT control, as for example reconciling a document from the IT system with another one è you do it by testing the IT system

Ø Or else, fully automated controls (made by the machine) è you do it by testing the IT system

Focus on controls (including IT-‐dependent manual controls) that deal with control risk for each relevant assertion relating to the significant accounts

3. IT General Controls

= Controls around the machine. Example: access rights test è if wrong, anybody can do anything and the situation is bad.

Focus on IT General Controls relating to application controls in order to attain reasonable assurance on them

è If change management is not done properly, application controls won’t be done properly because anybody can change it.

Combine

d risk assessmen

t

Value ob

servation


51

IT SPECIALIST APPROACH

LINK WITH SIGNIFICANT ACCOUNTS

è 1st part = INHERENT RISK: it gives indications about the IR

First Part:

Ø ITEC: how we document what we see in the IT environment è based on that you decide if you have a low or high IR

Ø Internal control and fraud (checklist): affected by the ITEC

è 2nd part + 3rd part = CONTROL RISK: we look at what control we have in place

Second Part:

Ø We start with significant accounts Ø è Each account is linked to a process (example: accounts receivable linked to the

sale process). Ø After, we look at what could go wrong (WCGW) Ø WCGW is linked with 3 types of controls

Third Part:

Ø IT General Control: documentation in the checklist DITGC Ø DITGC = Documentation of the IT General Control


52

IT SPECIALIST APPROACH IN THE AUDIT METHODOLOGY

Which are the audit activities where the IT specialist will be involved?

Ø 3. The IT specialist needs to understand the IT of the client. Ø 4. It is done by filling the ITEC and the TechSum Ø 5. Based on conclusions, we have to adapt the audit program Ø 7. è “Test of ones” = 1 test of automated Ø 6. But now from an IT general controls perspective

è At this stage, they are not looking at data yet: there are no data tests. There are only control environment and IR


53

THE PURPOSE OF ITGC WORK

Most companies are working with EAE now. As an auditor, you have to stay sceptical: you can’t rely on something coming directly from the system.

IT CONTROL TESTING AN OVERVIEW

See if application control work

Electronic Audit Evidence: Any document that comes out of the system & that you want to rely on. è pièce justificative éléctronique (that comes out of the system)


54

There are different control types:

Ø Detection controls Ex: print a list showing all the transactions > 10.000.000 € and then you check if it’s possible

Ø Prevention controls (better than detection controls) Ex: the system blocks if you try to put a transaction in it > 10.000.000 € (impossible)

è IT General Controls

It’s another way to classify manual controls/ IT dependent controls and fully automated controls.

EXAMPLE

Ø Balance Sheet & Income Statement = The Financial Statements the auditor tries to certify

Ø Account: Accounts Payable10 = significant accounts Ø Process: Purchasing = purchase process related to the accounts payable Ø WCGW: Invoice does not equal delivery does not equal order Ø Control: 3 ways match to control the WCGW: matching between:

o The purchase o The delivery note o The invoice

è It’s an application control

Application control IT General Control Ø SAP: the transactions happens in an

SAP Ø Oracle DB: it’s a database Ø UNIX

Ø Change management Ø Access management

If not right, you can’t extrapolate that the rest is right

Either you test manually, meaning you have to test a lot, or you ask the IT specialist to check the IT system. 10 Accounts payable = dettes commerciales


55

TOP OF THE PYRAMID: IT ENVIRONMENT

We have to check the IT environment and document it.

Applications and infrastructure:

What operating system? Database? Applications? Do they use?

ITEC – IT ENVIRONMENT CONSIDERATIONS

The auditor has to talk to the head of IT & ask him the IT strategy (are they plans to change the IT system, the software, etc.?)

Definition of the term IT environment:

Ø People and organization Ø Applications and infrastructure Ø IT processes

Understanding of the IT environment and its planned changes (IT strategies) is a key step of our audit approach

Extent of work relating to the IT environment is function of the likelihood of material business and audit risks and complexity of the IT environment è more complex so it will take more time because we’ll have to do more.

ITEC (IT Environment Considerations) form, will be used to document our work, covering:

Ø Complexity of IT environment (in addition to local guidance) è rating of the complexity

Ø Changes in the IT environment (IT strategies) è documentation Ø Organization of the IT function è documentation Ø Regulatory requirements


56

Other documentation enablers can be:

Ø Technology Summary è mostly needed for the other part of the prcesses

Conclusion (example

Conclude on ITEC results. I.e. are the basic IT management controls in place? E.g.:

Ø The IT environment is rather complex, however based on the responses we had to the questions in this ITEC form, it is reasonable to say that the basic IT management controls are in place. An exception needs to be made for security policies and procedures. These issues will be brought to management's attention.

Ø ABC is an SME with a small IT organisation and, as such, not all IT control objectives can be implemented according to best practice. As is common with small enterprises, we especially noticed a lack of formalisation. We do, however, advice the management of company ABC to formalise some procedures in order for them to be better controlled and to establish clear accountability.

AND also conclude on the audit approach. E.g.:

Ø Given the automation of some significant processes we would advise an approach in which the IT auditor is involved in the identification, walkthrough and testing of application and IT dependent controls -‐ especially for the significant processes supported by applications X and Y

Ø The IT complexity at ABC is considered as high. Because of software change in beginning of 2012 and weak implementation of the authorisation structure in this new application, we concluded that we can not rely on this application. For the other significant applications we will continue our audit approach of last year (i.e. identification, walkthrough and testing of application and IT dependent controls)


57

TECHSUM

“SIGNIFICANT PROCESSES”

è Link the process & transaction with the IT è what type of software?

Most important step in the TechSum: linking applications with ‘significant processes’:

Here there are several computers because there are several persons.

EXAMPLE

Ø Process owner = responsible department in the company for this process Ø Application(s) Supporting the Significant Process: software basically processing the

transactions o Navision // SAP: it’s an ERP system


58

APPLICATIONS

Significant

Processes

(there are 4)

Applications supporting the significant process

(Example 1)

Applications supporting the significant process

(Example 2)

A/P Purchase MS Access DB SAP MM (A/P)

Inventory Stock MS Access DB SAP MM

è material management module

A/R Different sales applications per distribution net & CRM application

Credit & Collection application

SAP SD

è SAP module sales & distribution

SAP FI (A/R)

FSCP SME G/L application SAP FI è Finance module

OTHER ASPECTS (TECHSUM)

Identifying the technology supporting the significant applications:

Ø Changes to application = latest changes to application Ø Shared processing with business partners? External companies doing that for us?

Ø Description of the IT organisation (and the position of the IT department within the overall organisation) including an organisation chart

Ø Network diagram


59

THE AUDIT PROCEDURES

Ø Help the auditor understand and document the automated processes/transactions Ø Identify WCGW in the automated processes and related application controls è not

in manual process since IT auditors Ø Walkthrough and potentially test application controls Ø Walkthrough and potentially test IT general controls Ø Conclude on effectiveness of application controls (considering effectiveness of IT

general controls) and identify compensating controls if necessary è you can always find them è Often ITGC are not working properly è so you can’t rely on your application control

UNDERSTAND/EVALUATE CONTROLS AT THE PROCESS, TRANSACTION, OR APPLICATION LEVEL (= HOW THE WHOLE PROCESS WORKS?)


60

IDENTIFY WCGW IN THE AUTOMATED PROCESSES AND RELATED APPLICATION CONTROLS

Ø For each flow of transactions, we identify points where errors could occur along the critical path that could affect financial statement assertions. We define these potential failure points as "What Could Go Wrongs" (WCGWs).

Ø Using WCGW questions, we ensure that we properly address the risks related to significant misstatements, omissions, and discrepancies in the financial statements. We focus on the relevant assertions to identify our What Could Go Wrongs.

WHERE DOES IT AUDIT COME IN

Ø Goal = opinion on the internal control in business processes and related information systems based on business requirements and risk analysis

Ø Scope IT Audit = automated parts of business processes Ø Main steps

o process modelling o process & information systems analysis o identification of key controls o testing of key controls

Ø Purely Manual Controls = no need for IT auditors Ø IT-‐dependent Manual controls & Application controls = IT auditors’ help

needed


61

APPLICATIONS

Ø Process oriented approach

On any application, you always have an input and an output. If the input is wrong (example: wrong information), then the output will also be wrong.

Example: on a purchase application, the metadata (vendor data è name, etc. of the provider) going in the process are as important as the process itself: a well working process is not enough; you can’t just stop the audit because the process is ok.

PROCESS MODELLING

Schedule interviews with the following people :

Ø users of various business departments and support functions Ø business managers Ø IT people (e.g. information systems analysts)

The objective of these interviews is to :

Ø update/create the process flowchart Ø perform a process walkthrough Ø create a process narrative in order to gain an insight in the process and data

processing

Errors can occur within automated applications where the following types of events take place:

Ø Data Transformations Ø Data Creation Ø Data Change Ø Data Transfer

Typical areas covered while understanding processes and controls (and when concluding on the effectiveness of application controls):

Understand flow of transactions

Automation, while eliminating certain human errors, does not completely eliminate errors.


62

Ø Configuration settings11: example: if you deactivate some things in SAP, maybe some controls won’t be done anymore

Ø Segregation of duties: access management: they take metrics & look if they are making sense

Ø Overrides: has something been forced into the system? Ø Interfaces: in a company, there are a lot of interfaces between 2 different systems:

if something is going wrong in an interface, we’ll have the wrong output Ø Master files (access to, integrity of): databases

APPLICATION CONTROL CONSIDERATIONS

IT General Controls: affects all the WCGW

11 paramètrage


63

STANDARD APPLICATIONS VERSUS OTHER

Ø Standard applications: SAP, PeopleSoft, BAAN, JD Edwards, Oracle DB, … è you can spend most of the time on checking the configuration settings

Ø Non standard applications: 1. Less common applications 2. Self developed 3. Extensively customised

Approach for standard applications is standardised and relies on the well established, built in control parameters of these applications => our audit can focus on parameter settings

EXAMPLE PARAMETER SETTING

Gain of efficiency through both tests

Gain of time for application control BUT ITGC has to be done each year

If the whole logical part is covered by the “test of one”, you can test only one transaction.


64

ITGC – IT GENERAL CONTROL

There are a lot of ITGC. The main ones are “access management” and “change management”.

IMPACT OF THE ITGC

Application Control audit provides a “photo” of that moment => by auditing the ITGC we get more assurance on the continuity of this picture

LOGICAL ACCESS SECURITY

IT General controls over the access management process includes mainly:

Ø Request for access Ø Access granting documentation è needs to

be well documented Ø Periodic review of access rights Ø Timely revocation of access è when people

leave the company they don’t keep access to the system

Ø Limitation of ITGC work to the relevant controls that relate to the effectiveness of application controls

Ø Limitation of work to the IT general controls relevant to the audit o Defined as “logical access” and “program changes” o Focus on the IT general controls relating to application controls, IT-‐

dependent and manual controls on which the audit team is planning to rely

“NEED TO HAVE”

Instead of “nice to have”


65

THE ACCESS PATH

Ø Access security is complex – it is more than password length!!! Ø Access security is about identification, authentication, authorisation and

authorisation management. These aspects need to be analysed for the complete access path!

LOGICAL ACCESS SECURITY: IT GENERAL CONTROL OR APPLICATION CONTROL

Ø The actual authorisation settings which ensure segregation of duties, system enforced approvals and limit the access to critical data are application controls.

Ø These logical access application controls are only effective if their distribution and general set-‐up in the overall system is managed appropriately, i.e. by the IT general controls over access management

CHANGE MANAGEMENT

It’s the second part of the IT General Control.

IT General controls over the access management process include:

Ø What is change management? o The process of managing changes to information systems and applications

Ø When do we have changes to information systems? When: o New legal requirements (IAS, …) o Changes to automated controls (Based on IT audit report, …) o Changes in infrastructure (Migration to SAP, …) o Software upgrades (Windows2000, SAP R/3, …) o Changes to business processes (Enabling purchase orders via Internet, …) o New subsidiaries, because of mergers, that use the same application or

infrastructure Ø What are the risks of changes to infrastructure systems and applications?

o Likelihood of disruption o Unauthorised alterations o Improper functioning of application o Elimination of key controls o Errors.

Potential hacker

è = Potential access everywhere. It’s not just a question of password


66

Change management: we look at:

Ø Proper change requests Ø Testing & documentation Ø Release management Ø Version management

DATA ANALYSIS

It’s a new way of auditing.

Today, there are so many data to look at in companies & so many transactions. è We do more and more audit through data analysis.

ROLE OF THE IT SPECIALIST IN THE DATA ANALYSIS

IT Specialist’s role in data analysis è he may:

Ø Identify where data analysis can be used Ø Determine the type of procedures Ø Request and obtain the data è sometimes it’s difficult to obtain exactly what you

need from the client Ø Design, develop and execute procedures Ø Interpret results

The audit team should determine scope and objectives of the mission and communicate this to the IT auditor!

Ø Improve effectiveness & efficiency of the audit Ø Analyze each item within a large population

o Identify higher risk items (high-‐dollar, unusual items) è ex: purchase ledger: apply filters & check the most risky one: risk of fraud, errors, etc.

o Identify unusual patterns (sales transactions, AR details)

Ø Procedures may include: o Stratifying o Filtering o Exploring o Mining o Comparing period-‐end balances o Comparing transaction streams o Trend analysis

Ø May also be used to perform tests of controls


67

CASE STUDY: SNECMA SERVICES BRUSSELS


68

THE ROLE OF THE EXTERNAL AUDITOR IN RELAT ION WITH FRAUD

ISA standards are going to be applicable to all companies, listed and non-‐listed, from 2014!

At EY, a Fraud Survey is done +/-‐ every 2 years è they ask questions to CEOs, CFOs, etc. (anonymous) in order to know what they think about the risk of fraud.

Agenda:

Ø Example of fraud Ø Definition of fraud and the fraud triangle Ø Responsibilities: role of the auditor Ø The Belgian scene: the auditor’s responsibility in Belgium Ø Patterns and signs of fraud Ø How to react to potential fraud Ø Professional scepticism

Video: Fraud and the tone at the top

EXAM: the fraud triangle is important to understand è the 3 things needed to have a fraud

What do you know about fraud?

Ø How would you define fraud? Ø What are the different types of fraud? Ø Can you give an example?

FRAUD HAS MANY FACES

SCENARIO 1

Ø I was in charge of selling used cars (second-‐hand) for our sales agents Ø I made my superior believe it was an advantage to buy all new cars from, and sell all

used ones to, the same car dealer Ø The dealer then paid me a personal commission of 500 per unit (below the table) Ø The proceeds were individually well below the materiality thresholds of our

auditors, so these transactions were never tested è we have small amounts of money each time but the total amount is huge

This is a very common case of fraud è we see it often in really specific companies: they use the same suppliers for many years. The auditor has to ask questions if he sees that because the suppliers might receive money below the table.

Who’s responsible? Can the external auditor be suited?

Ø The management and the directors are responsible to put the internal control in place.

Ø The external auditors: even tough they applied ISA well, they should have asked questions if they had seen fraud was possible è if you see indicators of fraud, you have to do something (ISA240)


69

Difference between the internal control environment and the internal audit (EXAM):

è AR = IR*ICR*NDR

Ø Internal audit is a department; internal auditors are not part of the internal control environment. Here we try to focus on audit, on the Non Detection Risk. Intern Audit is not part of the control environment è not there to prevent errors & fraud: it must be done by the internal controls è the audit control is not there to enhance that but to CHECK.

Ø The internal control environment are all the measures/controls that management puts in place to manage and control the accounts è to make sure that the financial statements are ok, we put internal controls in place.

SCENARIO 2

Ø When our software company wanted to go public in 19X8, we had to show positive results

Ø We “closed” some large, fictitious deals through a subsidiary in another part of the world (seems to be a complex structure)

Ø We capitalized the “cash received” as part of the consideration paid for an acquisition

Ø Our auditors found the facts suspicious, but fortunately resigned once they had substantial doubt about our integrity

• When you do an IPO, you try to show very nice figures in order to attract shareholders è You set high risk when there’s an IPO because there’s a need to show good results: INDICATOR

• The more complex the structure or the transactions, the more you have to be careful: INDICATOR

SCENARIO 3

Ø The gold bars in the strong room of the bank I worked for were stacked in 5 layers of 10, in case of 50

Ø It was easy to replace the 40 bars in the 4 bottom layers with silver bars Ø The auditor only checked if the cases were not full Ø They did not look in the bottom of the cases during their inventory observations

Ex: it happens that companies try to make believe they have more inventories than they really do: some boxes placed high have to be checked.

SCENARIO 4

Ø The ERP system produced unreliable information Ø We have prepared a reconciliation for the accounts payable since 2001 Ø In 2003 we incurred significant losses, which we treated as a reconciling item Ø The fraud was detected after we were taken over by a competitor

IT system producing unreliable information è things should match: look at the reconciliation; if there’s a difference, one should be very careful.


70

WHAT IS FRAUD?

Fraud is an intentional act by one or more individuals among

Ø Management Ø Those charged with governance: the board of directors, the audit committee, the

top layers of management, etc. Ø Employees Ø Third parties è example: the warehouse holder steeling champagne bottles in the

warehouse = fraud

If it is unintentional, then it is not fraud but an error!

This act results in a misrepresentation of financial statements, violation of laws and/or other illegal acts.

There are 2 types of fraud relevant to external audits:

Ø Fraudulent financial reporting (management fraud): showing something not right in financial statements è example: showing expenses that did not really happen

Ø Misappropriation of assets (+ the steeling part: example: physical assets that disappear)

Non-‐qualified acts are qualified as “errors”

THE FRAUD TRIANGLE

We can find a lot of indicators of fraud, there’s a list available in ISA240 BUT they are always linked to the fraud triangle factors.

1. Incentive/pressure: somebody must have a good reason to commit fraud è example: in the case of an IPO, there’s a need to show good results, it could be a pressure for fraud. Someone could also commit fraud being driven by greed, greed can be an incentive.

2. Opportunity: most of the time, the opportunity is a weakness in the internal control: something not sufficiently controlled

3. Attitude/rationalization: the person committing fraud also needs to rationalize the things è “it’s ok for me to fraud for that reason …”: example: salary not high enough, etc. Example: Japanese companies: they have a model è CEOs, CFOs in subsidiaries are mostly coming from Japan, they stay there for 2 years and then change. We need to be careful with that.

Incentive/pressure

Opportunity Attitude/ rationalization

The Fraud Triangle:

There’s a need for those 3 factors to be there in order to have fraud. If we only have 2, there’s probably no fraud


71

DO YOU REMEMBER?

Enron, Global Crossing, Healthsouth, Equitable life, Worldcom, Parmalat, …

ENRON: misrepresentation of financial statements è some subsidiaries were not consolidated (missing), they were hiding losses

PARMALAT: financial instruments & cash “existing” in Asia but actually it didn’t exist + the confirmation letters from the bank, showing that this money was existing, were false.

è The auditor should have followed the confirmation letter process: they are supposed to put it themselves at the post, it’s not the client who does it normally.

WHAT HAPPENED TO THE ENTITIES DISCUSSED?

Ø Employees lost their jobs and their pension money Ø Investors lost their life savings Ø Billion in tax monies were wasted Ø People went to jail

è Fraud has a big impact

VIDEO: MCI – WALT PAVLO

Walt Pavlo was the one dealing with customers at MCI.

Ø Collecting the money = less easy than sending invoices Ø Accounts receivable couldn’t be paid by all the customers

So he set up a system by which he would go and partner up with someone in Europe for example (companies part of MCI). This person says he wants to invest in the companies not able to pay, so that they could pay their debt to MCI (+ client pays back to the fake investor later). è Fake revenue because clients are not able to pay, they are just putting the problem back to a later period. BUT they eliminate the doubtful receivables at MCI that they just can’t collect. è Misrepresentation of financial statements.

Fraud Triangle:

Pressure =

Ø Stock options paid by the results he made è the proportion of stock options was much higher than his normal salary and

Ø They always had to show good results in the process of becoming a public company

Incentives & Opportunity =

Ø The boss totally agreed: it was accepted by everybody & there were even incentives by the boss and rewards for what he was doing

Ø In charge of sending invoices to clients + collecting the money è there should be a difference between the person doing those tasks & the accounting of the invoices, it should be done by 3 different persons or departments

Attitude/Rationalization =

Ø Very progressive process: at first they were just changing some numbers, making sure some sales were coming in before others, etc. He had the feeling what he was


72

doing was not unethical. He rationalized, but then it became bigger and bigger and became a fraud.

WHAT HAPPENED WITH THE AUDITORS AND THE AUDIT ENVIRONMENT?

Ø A major accounting firm went out of business Ø Auditors lost their jobs… or their reputations Ø And it changed the audit industry, resulting in implementation of much more

government regulation!

RESPONSIBILITIES

There’s always a shared responsibility between a number of factors.

Ø The management:

They are responsible for the internal control environment (prevent and detect), complying with laws and regulations and preparing the financial, free of errors and fraud (includes the internal audit function)

The fact that there’s an opportunity existing is most of the time the responsibility of the management.

Ø Court and judges:

They are responsible fir qualifying the acts as fraud, illegal acts or errors

Ø External auditor:

He is responsible of taking fraud into consideration in his risk assessment (i.e. showing professional skepticism and being attentive to fraud indicators) and to evaluate the incidence of fraud but not to guarantee that fraud does not exist. è The external auditor has to make sure that he takes into account the risks of fraud when he’s doing his audit.

THE BELGIAN SCENE

ISA 240:

The ISA 240 contains an appendix with indicators of fraud. Example: somebody never taking leafs/vacation might have something to hide.

It is applicable in listed companies since 2012 and will be applicable in non-‐listed companies as from 2014.

ü Embedded in the audit strategy ü Indicators and circumstances are important to follow up on: 99% of fraud that came

up should have been seen if this had been respected!!! ü Professional skepticism


73

ü Team discussion and representations: different people are seeing different things during the audit process: there’s a need for them to discuss it

ü Evaluation of evidence and communications: when we get evidence of fraud, we need to evaluate it, and then there’s a process of communicating to the management etc.

ü Documentation of all this in the audit file

Anti-‐money laundering legislation:

It’s a number of indicators we have to be aware of.

ü It includes specific indicators and set-‐ups – no materiality applies èIn Belgium, no materiality applies

ü Obligation to communicate facts that could be indicative of serious fraud to the federal AML cell (CTIF). Very little communications so far from external auditors. è If we see that, we have to report it to the CTIF (they are doing a report each year) without the client knowing it è communication indicators seen

PATTERNS AND SIGNS OF FRAUD

EXAMPLES OF PATTERNS OF FRAUD RELATED TO FINANCIAL REPORTING

• Fictitious assets (e.g. receivable payments) è example: MCI: receivables that we can’t really collect

• Overvaluation of assets (e.g. inventories, investments, goodwill) è example: inventories that have lost value but we still show them for their initial value

• Fictitious turnover è example: over-‐valuated turnover in the case of the creation of a second company in order to sell things to it (no link showed with that company)

• Unbooked expenses and/or debts (ex: no consolidation) • Loans to related parties

HOW DO THEY “HIDE” THEI DISHONESTY FROM US?

• Leading us away from the real problems • Changing auditors, restricting scope of work • Exerting time pressure • Providing wrong and/or manipulated information • Overwhelming audit staff with information overflow • Having an attitude of “you negatively affect my business” • Knowing our procedures too well è example: ex-‐auditor knowing how it works

WHAT ARE THE WARNING SIGNS OF FRAUD?

• Arrogant (or even offensive) behavior of executives (clients) • Repressive leadership style è client (director) making all the decisions, repressive to

his people • Perpetrator will try and make YOU appear ridiculous • Unusual offers of generosity (invitations, fees)


74

WHY DO WE MISS THE FRAUD INDICATORS?

• “Believing” and “trusting” instead of auditing • Waiting desperately for “reasonable” answer • Being afraid of conflict with management and critical comment from superiors • Wanting to keep client happy

HOW TO REACT TO POTENTIAL FRAUD?

HOW CAN YOU FIND WHAT HAS BEEN HIDDEN?

• Apply professional skepticism. Challenge what is not reasonable in your opinion • Maintain your independence • Investigate the environment: open your eyes when you are at the client • Watch out for:

o New clients o Developmental-‐stage enterprise or fast growth entities

• Within the team, discuss any findings or clues regarding fraud (ISA240) • Follow up until the suspicion is eliminated • Apply the methodology strictly

FRAUD AND EY GAM

Illustrative audit process: The areas in yellow are the main ones, the steps of the process where there are risks of fraud.


75

HOW CAN WE IMPROVE?

• Do not limit your work è you can afford to lose a client or have a poor recovery, but it’s another thing to face litigation for overlooking fraud

• You are not required to find all fraud instances but you need to follow up where you have a suspicion of fraud

• Consult, consult, and consult.

PROFESSIONAL SKEPTICISM AND FRAUD

Our responsibility: plan and perform an audit to obtain reasonable assurance about whether the financial statements are free of material misstatements due to fraud or error. The external auditor’s goal is to obtain reasonable assurance.

We apply skepticism throughout the audit (it’s important when you hire an auditor) to identify fraud risks:

• A material misstatement due to fraud may exist, despite our past experience with the entity’s management. è Challenging things is an important skill! It’s important not to fall asleep when you have been auditing a company for many years. Barnier, the European Commissioner in charge of internal affairs within the EU, has an idea: it’s important to have an audit firms’ rotation because we tend to loose our skepticism after some years in the same company.

• We recognize that even honest individuals are capable of committing fraud from time to time è skepticism needed

Appropriate skepticism is essential to our assessment of the risk of management override of controls. è Management override of controls = when someone is misusing its power in a company. We have to be aware there’s a probability to have management overrides.

WHAT IS PROFESSIONAL SKEPTICISM?

It’s integral to conducting an audit with due professional care. Professional skepticism is basically an attitude.

Auditing standards define “professional skepticism” as an attitude that includes:

• A questioning mind and a critical assessment of audit evidence (= written or oral information)

• Being alert to conditions that may indicate possible misstatement due to error or fraud: in the ISA standards, regarding fraud, there’s a number of indicators of fraud

• Withholding judgment until sufficient appropriate evidence is gathered: you don’t accept an explanation just because it makes sense, there’s a need for evidence

• Recognizing that circumstances may exist that cause the financial statements to be materially misstated, whether due to error or fraud

• Gathering evidence and evaluating it objectively throughout the audit process using the knowledge, skill and ability required as an accounting professional

• Neither assuming that management is dishonest or assuming unquestioned honesty.


76

• The auditor cannot be satisfied with less than persuasive evidence because of a belief that management is honest è 4-‐5 types of evidence (see before): you always validate the things you have been taught by probing questions, critical assessment of evidence, attention to red flags or inconsistencies.

• Skepticism involves the validation of information through: o Probing questions o Critical assessment of evidence o Attention to red flags or inconsistencies

• Appropriate attitude: “I trust you, but my responsibilities require me to confirm what you and others tell me”

It’s a difficult balance, on the one hand trying to create a relationship with your client and on the other hand needing evidences, etc.

IMPORTANCE

Professional skepticism is both mindset and a behavior.

• Mindset: auditors should have a “trust but verify” approach to clients with whom they have a relationship (mindset = mentality)

• Behavior: an appropriate mindset impacts the behavior, including the validation and corroboration of client statements

Maintaining professional skepticism throughout the audit is important to reduce the risks of:

• Overlooking unusual circumstances • Over-‐generalizing when drawing conclusions from audit observations • Using inappropriate assumptions in determining the nature, timing and extent of

our audit procedures and evaluating the results thereof

What are some of the challenges to applying professional skepticism properly?

• Try to reduce the risk of overlooking unusual circumstances by being skeptical, etc.

Doing audit procedure: for each audit program step: there’s a need to define 3 things:

• The nature or your test: what type of procedure is going to be done • The timing of your test: when are you going to do this procedure (during the year)

è the better the audit environment is, the more you can go away from the 31/12 • The extent of the audit procedure: the sample you are going to test, the number of

transactions, etc.

CHALLENGE IN APPLYING PROFESSIONAL SKEPTICISM

1. Over-‐familiarity with the client and a presumption that they are trustworthy: you tend to become overfamiliar if you’ve build a relationship because of the fact you’re auditing the enterprise for a long time

2. Lack of sufficient supervision and “on-‐the-‐job” training è skepticism can only come with the years è the more you’ve seen, the more you know about fraud: need for experienced people.

3. Failure to corroborate results of inquiries with evidential support : things that don’t happen often


77

4. Failure to set appropriate expectations to support conclusions on analytical reviews. Example: good analytical review: before asking the question you try to find the answer yourself, you create an expectation

5. Lack of sufficient understanding of the business/industry or accounting standards 6. Fee and/or time pressures that may limit the amount of additional procedures

completed in response to identified risk or unusual analytics: hurry to finish your audit properly, or not enough fee…

7. Failure to recognize the consequence of not properly applying professional skepticism

EXAMPLES OF APPROPRIATE AUDITOR BEHAVIOUR

• Reinforce the importance of good interviewing skills • “Ask the next question” always • Use face-‐to-‐face meetings with the client whenever possible • Consider including brainstorming sessions with individuals outside of the

engagement team who have industry expertise • Corroborate results of inquiries with evidential support • Document, in detail, the additional evidence obtained related to identified fraud

risks or unusual analytical relationships • Identify and act on potential “root cause” (e.g. fraud) when analyzing the identified

audit differences posted to the summary of audit differences

In many cases of fraud, we can see that indicators were there but that the auditor had not been able to see them.

EXAM:

• The fraud triangle shows us the difference between error and fraud by telling us the 3 indicators needed to have fraud:

o Opportunity o Pressure o Rationalization

• Importance of the professional skepticism • Indicators in ISA240 • What do I do as an auditor when I see fraud


78

CASE STUDY SPA MONOPOLE


79

AUDIT EV IDENCE

Audit evidences are the evidences that you obtain throughout your audit procedure, and that you file/document.

INTRODUCTION

The auditor must collect an appropriate level of audit evidence in order to enable him to justify his opinion on the financial statements. è The external auditor does work on Inherent Risk (IR), internal control, risk assessment, etc. all that has to be documented in the audit file: justify the auditor’s opinion, what he has done, his conclusions, etc.

Audit evidence obtained from third parties is usually stronger than internal documents from the audit client. Internal documentation is stronger when the internal control environment is of a high quality. è Third parties: not people from the company we are auditing. What we get from them is from higher value because they are independent, etc.

Audit evidence coming from different sources and corroborating one another give a higher degree of certainty. If the information from different sources are contradicting, further analysis and other audit procedures are necessary. è The more you can corroborate information that come from different sources, the more persuasive you are. Example: our client and the client of our client says two different things (contradiction), we have to do more work to know who’s right.

GENERAL PRINCIPLES

Evidences obtained from someone independent (third party) from the audit client has a higher value than representations coming from the employees or management from the audit client.

Written documentation is more valuable than verbal representations.

The auditor always looks for a reasonable balance between the cost of an audit procedure and the level of efficiency of the audit procedure and the level of efficiency of the audit procedure but the cost of the procedure cannot in itself prevent the auditor from executing the audit procedure if there’s no cheaper alternative. è The auditor tries to find the audit procedure that’s going to cost the less with the same level of confidence.

è Based on the audit file, someone must be able to re-‐do the whole audit and reach the same conclusions than the auditor.


80

Different types of procedures (toolbox) and related evidence:

1. Analytical review: this one is always a good one to start with. It consists in comparing balances to prior year, month, etc. and see the evolution and the expectations + a comparison with the budget è you can do that at many levels: compare to the past and to the expectations

2. Substantive analytical review (data analysis): this is an analytical review at a very detailed level (this is the tendency in audit currently). The external auditor asks his client, if they have an IT system, to download all the details in the accounts: with software you can automatically generate reports that help you in your audit. It can easily become persuasive evidence because it is very detailed, so it’s a powerful tool.

3. Substantive procedures: test of details (e.g. confirmation requests): checking an invoice physically etc. è testing the details

4. Test of controls: linked with internal control risk. There are always 2 parts: a. Check the design of the control and once that’s done b. Control the operational effectiveness of the control

5. Test of transactions: it’s a procedure that you apply when you want to do some substantive testing but on a limited number of transactions: you choose a transaction and go through all the key controls that should be ok (+/-‐ // test of controls) Example: the 3 ways match: 3 documents that have to be linked together: comparison of the purchase order with the delivery note and the invoice.

6. Inquiries è example: interviews etc.: It leads to verbal audit evidence 7. General audit procedures: ask questions, etc. = all the rest of it

The 3 first procedures are mostly linked with the NDR.

The evidence can have a minimal, corroborative or persuasive value. è The substantive procedures (substantive analytical review AND substantive procedures) give the most persuasive evidence.

These procedures must be identified in terms of nature, timing and extent (see previous course)

They can be applied to key items (= big items in the population) and/or representative samples (mostly a combination)

Link with the assertions:

Collecting audit evidence through substantive testing enables the auditor to validate his audit objective or audit assertions:

• Existence • Completeness • Valuation • Cut-‐off • Rights and obligations • Presentation

Different audit evidence usually has to be obtained for different assertions.


81

The higher the inherent risk (IR) and the internal control risk (ICR), the more audit evidence (quantity) and the stronger audit evidence (quality) the auditor will have to collect for a given assertion.

è There’s always a link between the audit procedure and the assertions you are testing.

The auditor doesn’t have to examine all the information he has access to: in general he can come to a conclusion by applying sampling method.

• Statistical sampling • Sampling based on professional judgment

If the auditor has not been able to obtain sufficient audit evidence in order to draw conclusions on significant accounts or disclosures included in the financial statements, he has to explain this in the paragraph mentioning the way he has conducted his audit; in that case he can never issue an unqualified audit opinion, he will need to either qualify the accounts or issue a disclaimer.

è The auditor is never going to test all the transactions: he needs reasonable assurance, not total assurance. He is going to test a sample, either statistical or based on his professional judgment (statistical is less risky). If he can’t get enough audit evidences, he can ask third parties etc. He is always going to do everything that’s possible to get it, to come to a conclusion. If it is not possible, he is going to qualify if there are only 2 or 3 problematic things, or he is going to issue a disclaimer if there are many a lot of uncertain things.

THIRD PARTY CONFIRMATION

The third party confirmation is a specific type of test of details.

The third party confirmation is a response given by a third party to a request for confirmation sent in order to corroborate accounting entries.

There are 4 phases to a confirmation procedure:

1. Selection of the information to be confirmed 2. Preparation, sending or request and follow-‐up of answers from third parties 3. Evaluation of information received and missing answers 4. Alternative procedures in order to test alternatively when no answer is received

After those 4 steps you’ll be able to conclude

Advantage of this procedure:

♥ Easy to perform: most of the time we have templates ♥ Quick in most cases: except if people don’t answer ♥ Audit evidence that gives a high level of confidence: it comes from a third party, not

from the client

è It also gives an idea whether there are litigations.


82

The following elements of the financial statements can be subject to confirmation procedures at a certain date (= things we can cover through 3rd party confirmation):

ü Intangible fixed assets è example: patent, contracts, etc.: we can send a confirmation request to the person who signed the contracts with our client, to the authority who delivered the patent, etc.

ü Tangible fixed assets è example: mortgage, cadaster, existence, etc.: ask a confirmation letter to the cadaster for example

ü Leased assets (financial and operating lease) è ask the bank that has signed the lease contracts:

o Ask for 1 contract to test existence o Ask for all the contracts to test completeness

ü Advances paid / received ü Financial fixed assets and investments ü Consignment stock ü Accounts receivable è ask the client of our client to confirm he owes xxx€ to our

client ü Deposits ü Bank accounts / Financial debts ü Accounts payable ü Rights and obligation

There are different types of conformation requests:

ü Open confirmation: no given amount è test completeness: you give no amount, for example you just ask (mostly to test completeness) to know the amount of purchase transactions the client owes someone (ex: 100.000€)

ü Closed confirmation: given amount that needs to be confirmed è test existence: you want to know if the client has to receive 100.000€ from his client

ü Positive confirmation: a response is requested whatever the case è he can agree or not but there’s a need for an answer

ü Negative confirmation: response requested only in case of disagreement

The choice of which method to use depends o the risk analysis and the audit assertion to be covered.

Confirmations can be asked on a balance or at invoice level. è You can ask for a confirmation at a balance level (au niveau du solde du bilan), or at the invoice level: you can ask him for only 5 invoices and not for the whole balance (much easier).

The confirmation request will be printed on the client’s letterhead and signed by an authorized person from management of the company.

You select the number of confirmations you want to send out. Once you know which one you want to have, you will ask the client to prepare the letters, sign them è they also need to be signed by authorized person. Then the auditors send them.

The auditor sends the confirmation requests himself and the answers must be directed directly to the auditor with a copy to the client è to be sure the letters are sent; otherwise, the client could not send them and prepare false answers.


83

What happens when the auditor doesn’t receive all the answers?

The auditor must analyze the difference between answer and the accounting records when an answer is obtained.

For positive confirmation requests, the auditor must perform alternative procedures for unanswered confirmation requests in order to be able to conclude è he has to do this alternative procedure to test in another way; it HAS to be made until the end.

In his selection, the auditor has already applied materiality, he can’t do it twice, so, the things he had decided to test, he has to do it fully.

A bank confirmation is usually an open request: the request normally entails the following information:

ü List and balance of bank accounts and deposits ü Financial debt, reimbursement status and terms/conditions ü Credit lines, usage and terms/conditions: credit lines are no debts but open lines,

their usage is a debt ü Forex term contracts, other financial instruments ü Existence of a safe ü List of authorized persons: you want to know if there are no people that have left

the company, etc.

The bank receives many requests; they can’t answer it for free.

EXAM: remember the concepts: open/close/positive/negative confirmation requests and what it is, why do we use them, etc.

WORKING PAPERS

What does it have to look like and how do we keep them?

All the audit evidences are consigned in audit files & working papers. It clearly illustrates the results of our audit procedure. We click on an audit step and there’s a screen with all the documents, etc.

The auditor must prepare and audit file which:

ü Clearly illustrates the results of performing the audit procedures mentioned in the audit program

ü Shows the performed procedures as well as a motivation of the opinion based on a solid reasoning

ü Systematic, clear and complete: o Systematic: reference system needed. Example: big contracts, list of

products, etc. o Clear: organized in a way that if somebody look at your audit file, he should

be able to re-‐do what you’ve done. He can select the same invoices and do the same things that you’ve done


84

Normally, and auditor has:

1. A permanent file (electronic or physical) documenting information that can be used over a number of years (bylaws, contracts, regulation): it is not specific to a certain period of audit

2. A file documenting the internal control review: that one will show conclusions and testing of the design and operational effectiveness if internal controls

3. An audit file for the year under review

Nowadays software can be purchased off the shelve for audit documentation. Bigger firms have their own software.

Before, we had a number of physical files (classeurs), but today, most of the companies have software that are either developed by the company itself (example: Big 4) or bought in specialized shops (for smaller audit firms).

Each working paper must:

ü Mention: o The name of the audited company, o The name of the auditor (this person has to be made accountable), o The name of the reviewer (2nd step: he will review the work of the auditor), o The date of performance of the procedure (date of the audit procedure), o The audit procedure and o The year-‐end that is being audited

ü Be clearly referenced ü Mention where the information comes from, the nature of the test (+ timing and

extent), the results of the work performed (findings) and the conclusions of these findings.

Archiving (electronically and physically) with measures that make sure no changes can be made after sign-‐off date. è Need to know that the review has been done before we sign off. You can’t change your audit file afterwards. After the opinion, nothing can be changed, destroyed, etc.

Working papers must be kept for a period of 10 years.

The access to the working papers must be limited in order to comply with professional secrecy (only for consolidation or successor + hold harmless letter).

v 1st exception: If a judge asks for our file we have to open it, that’s one of the few exceptions that are made.

v 2nd exception: In case of consolidation, we can also open our files v 3rd exception: There’s an obligation in Belgium to open our audit files to successors

o Example: if we don’t renew our mandate, the successor needs to be allowed to come and look at our files. He has to sign a “hold harmless letter”. It’s a letter that’s going to hold the previous auditor harmless.


85

I SA 500 – 580

ISAs Comment ISA 500 Audit evidence Refers to separate lecture ISA 501 Audit evidence – specific considerations ISA 505 External confirmations Refers to separate lecture ISA 510 Initial audit engagements – opening balances ISA 520 Analytical procedures Refers to slides on risk

analysis and response to risk ISA 530 Audit sampling Refers to slides on risk

analysis and response to risk ISA 540 Audit of accounting estimates* including fair value

measurements and disclosures * Refers to slides on risk analysis and response to risk

ISA 550 Related parties ISA 560 Subsequent events ISA 570 Going concern Refers to separate lecture ISA 580 Management representations

ISA 501 – AUDIT EVIDENCE, SPECIFIC CONSIDERATIONS

Physical inventory counting: The auditor has to see the inventory because otherwise, he can’t certify it is there: it needs to be there physically.

v Attendance unless impracticable – possible at alternative dates v Evaluate internal controls, observe, inspect, perform testcounts and perform audit

procedures over final records afterwards v If at alternative date: rollforward or rollback v If impracticable: alternative procedures è you always have to do as much as you

can è if these cannot be performed: modified opinion. If you could not perform the inventory counting or alternative procedures, you issue a modified opinion or you disclaim if the inventory is too big.

v Inventory under custody of third party: confirmation or alternative procedures (only if under control of a third party è when the inventory is located at a third party’s place, and under his responsibility.

Litigation and claims:

This is often a very risky area, it’s linked to the provision accounts, so there’s a need to test them: test that these accounts are complete = completeness test.

Procedures to be performed regarding litigations and claims:

ü Inquiry of management, in-‐house counsel: separate party from financial statements: asking them questions gives even more information.

ü Reviewing minutes of governance meetings and correspondence with external counsel (minutes of the shareholders meetings, board of directors, etc. è meetings of the whole year). You can also ask the correspondence they have with external parties if you see claims etc.


86

ü Reviewing legal expense accounts: what expenses came during the year, etc. è it makes you able to ask more questions. It gives a better idea of the completeness of the claims they have been talking about

ü When risk of material misstatement or when indications that material litigation exists: confirmation from external counsel (general or if not possible for legal reasons, specific) + potentially meeting

ü Written representations from management

EXAM: Remember the 2 last ones!!!

Segregation of duties: the person who counts can’t be the person who does the inventory.

You also observe things that are strange. Example: things in the inventory can be damaged, it’s not because the goods are physically there that they are worth the amounts in the books. Sometimes they test goods, they take a sample and make a testcount.

Segment information: 3rd one (too technical, no question at the exam)

ü Obtain understanding of methods used by management to determine segment information

ü Test application of these methods ü Perform analytical procedures or other procedures as appropriate

ISA 510 – INITIAL AUDITS – OPENING BALANCES

ISA 510 says what you have to do on opening balances è specific standard about that

Definition: audit engagements in which:

ü Previous period was not audited ü Previous period was audited by a predecessor auditor

When you sign financial statements, you sign both columns: this year and previous year

Objective: obtain sufficient appropriate audit evidence about whether:

1. Opening balances contain misstatements that materially affect the current period’s financial statements; and

2. Appropriate accounting policies reflected in the opening balances have been consistently applied in the current period’s financial statements, or changes thereto are appropriately accounted for and adequately presented and disclosed in accordance with the applicable financial reporting framework.


87

AUDIT PROCEDURES

1. Examine opening balances when material (correctly brought forward, appropriate accounting policies, changes are justified and appropriate information is included) è if no previous auditor: doing an audit of previous year balance BUT not always possible for all the accounts (ex: inventories è you have to disclaim on last year inventories + P&L).

2. Contact predecessor and review the previous auditor’s file (audit evidence) + competence è look what he did, his conclusions, if it is right, etc.

3. Audit evidence can also be obtained through subsequent events review or performing specific audit procedures (when no predecessor exists or work not sufficient in previous year)

4. When no evidence can be obtained or evidence is not sufficient: a. Qualified audit opinion (sometimes only P&L) b. Disclaimer or adverse opinion

5. Qualification/disclaimer can subsist for 2 years

We audit 2013: we are in January 2014. Nobody made an audit in 2013 for 2012 è situation of ISA 510.

We audit then 2012:

ü If we have an account receivable (200), it is easy to see if it’s ok, we look whether is has been paid.

ü BUT we can’t go back and for example count the inventory in 2012 (31/12), it’s too late. We can test the valuation* but not the fact that the quantities were there è we are going to disclaim.

A movement in the 2012 B/S can go through an account of I/S in 2013 è example: cost of sales.

Balance Sheet 31/12/2012

Income Statement 31/12/2013

WE ARE HERE 31/12/2013



Correction here

31/12/2012 31/12/2014



Qualified opinion: B/S 2012 and I/S 2013

Qualified opinion: I/S 2013

* 10x10 = 100 * 10x10

= 100


88

AUDITING FAIR VALUE12 MEASUREMENTS AND DISCLOSURES (NOW INCLUDED IN ISA 540)

Before ISA 540, there was a specific standard. Auditing fair value measurements and disclosures is always very risky. There are so many models to determine fair value è it is difficult to audit it.

NB: Fair value >< Historical value. The historical value is easy to calculate, and to audit. It is the value of acquisition – amortization/depreciation.

If you want to fair value an asset, you need an expert: most of the time, the fair value is higher than the historical value.

ü Understanding of the entity’s process for determining fair value measurement and disclosure (relevant controls activities and assessing risk)

ü Evaluating the appropriateness of fair value measurements and disclosures ü Using the work of an expert, rely on his opinion ü Audit procedures responsive to risk of material misstatement of the fair value

measurements è additional procedures to make sure the way the fair value was measured is trustworthy

ü Disclosures about fair values è need for the people to be able to understand how the fair value has been decided

o Assumptions o Calculations o Hypothesis

ü Evaluation of the results of audit procedures ü Management representations è ask the management to confirm that they think

their fair value assumption & measurements are reasonable etc.

Belgium: mainly based on historical value è The ISA 540 is mainly used for IFRS.

ISA 550 – RELATED PARTIES

Definition:

♥ Based on applicable financial framework or ♥ Up: a party (person, entity) that has control or significant influence over the entity

(directly or indirectly, through one or more intermediaries) è person, entity, which has the control (>50% of the shares) or a significant influence (20%-‐50% of the shares or voting rights or…) over the entity we are auditing.

♥ Down: another entity over which the entity has control or significant influence ♥ Sideways: another entity that is under common control through:

o Common controlling ownership o Owners who are close family members o Common key management

è People are not be the shareholders, they can be part of the management, common control

Exception: entities under common control by a state (government) 12 fair value = valeur de marché


89

Related parties transactions are more risky normally. The main risk is that it wouldn’t be done at arm’s length: tax problem.

Nature of related party relationships and transactions:

v Complexity and opportunity for collusion, concealment, manipulation v Ineffective systems and controls (identify, assess, disclose) è high inherent risk.

Internal Control: risk to be less efficient, not a lot made because since it’s a third party they tend to think it’s not a big matter

v Arm’s length principle

Responsibilities of the auditor: make sure there’s enough disclosures regarding the related parties transactions AND make sure the client has control in place to identify/ assess/ disclose these transactions

Requirements:

ü Risk assessment procedures and related activities (see the point before) ü Identification and assessment of the risk of misstatement ü Responses to these risks ü Evaluation to these risks ü Evaluation of the accounting and disclosures ü Written representation ü Communication with those charged of the governance

EXAMPLE: SPADEL (SEE SLIDES)

ISA 560 – SUBSEQUENT EVENTS

Definitions: two types of subsequent events:

ü Conditions existed at the date of financial statements (adjusting) (BUT events happens after)

ü Conditions arose after the date of financial statements

Type of event and facts:

Ø Events occurring between the date of the Financial Statements and the date of the auditor’s report

Ø Facts which become known to the auditor after the date of the auditor’s report but before the date of the Financial Statements are issued

Ø Facts which become known to the auditor after the Financial Statements have been issued


90

The events are happening here The events are happening here = Subsequent event = Subsequent event Adjusting subsequent event The report has already been

issued so the subsequent event will be treated differently

Example: SPADEL buys Colruyt before the 31/12/13 and Colruyt goes bankrupt after the 31/12/13. There was a position in the F/S linked to that (accounts receivable of 100) Non-‐adjusting subsequent event The condition arose after the 31/12/13 Example: big litigation came up after the year end but the cause wasn’t there last year (ex: you fire someone in January & he decides to suit you) è you don’t have to adjust you accounts BUT you will probably put information in the Board or Report or somewhere else

Requirements:

Ø Cover period from the date of financial statements up until audit report date Ø Obtain understanding of management procedures Ø Inquiry = poser des questions au management = type of audit procedure Ø Reading minutes Ø Reading subsequent financial statements Ø Written representations

New audit report when amendments made including emphasis of matter referring to first report (not in Belgium)

Audit happens here

Year audited 31/12/ 2013

AG

Audit Report signed 01/05/ 2014

Shareholders meeting

F/S made public 30/06/ 2014


91

ISA 580 – MANAGEMENT REPRESENTATIONS

2 signatures:

-‐ The managing director (if he has the power) OR -‐ 2 directors

3 general things:

Ø Not sufficient on their own Ø Who in management: appropriate responsibilities Ø Written representations about management’s responsibilities

o Preparation of financials according to framework o Information provided and completeness of transactions o Description of responsibilities

Specific representation:

Ø Other written representations (other ISA’s, specific circumstances) Ø Date of and period(s) covered by written representations: until report date Ø Form of written representations: representation letter addressed to auditor Ø Doubt as to the reliability of written representations and requested written

representations not provided: more work or scope limitation and possibly qualification or disclaimer è disclaim if they refuse to give the representation letter for example: limitation to your audit scope. If you disclaim: no responsibility so you can’t be suited.

International Auditing Standards (ISA)

Economy & Finance

Transcript of International Auditing Standards (ISA)