Author: Clive McKegg

5 August 2022

Remember CAATs? This was an acronym for Computer Assisted Audit Tools – a general category for all things computery that helped us work with more efficiency and power.

Now that virtually all we do uses a computer, ISA 315 (Revised 2019) does not refer to CAATs but to Automated Tools and Techniques (ATTs).

This kind of thing gets audit software developers like us salivating like Fluffy when the fridge door opens. But let’s stay calm and examine what the standard says first.

So what do we know about ATTs?

The standard doesn’t define ATTs, however the recently issued IAASB First Time Implementation Guide simply calls them “procedures performed leveraging the use of technology”. These may be used for risk assessment procedures, and also for obtaining audit evidence. The IAASB points out that:

The procedures for obtaining audit evidence as set out in ISA 500, Audit Evidence, i.e., inspection, observation, external confirmation, recalculation, reperformance, analytical procedures and inquiry, continue to apply, regardless of whether those procedures are performed manually or using technology.

In matters like this, the new standard helpfully acknowledges that we may be auditing vastly divergent entities. Paragraph 9, titled ‘Scalability’, states:

This ISA (NZ) is intended for audits of all entities, regardless of size or complexity and the application material therefore incorporates specific considerations specific to both less and more complex entities, where appropriate.

It is up to the auditor’s judgement to determine whether to use an ATT or some more manual procedure. For instance, there would be no point in carrying out fancy data analytics for fixed assets additions where there are only a few items. Better to just use judgement. ATTs come into their own where there is so much data, or a level of opaqueness, such that the auditor cannot possibly just ‘eyeball’ the content.

Examples from the standard

Looking at some of the suggestions for the use of ATTs in the explanatory material, paragraph A21 suggests performing “risk assessment procedures on large volumes of data (from the general ledger, sub-ledgers or other operational data) including for analysis, recalculations, reperformance or reconciliations.”

Most of our users tend to do this by entering the trial balance data for up to four years, and then populating analytical review pages that show current to prior year movements, deviations from the budget if required and various key ratios over time. Identified risks may then be flagged and analysed as required directly from the TB or AR pages. Detailed recalculations, reperformance or reconciliations tend to be best done using a spreadsheet and adding to the file as an attachment.

Paragraph A57 suggests that the auditor use ATTs “to understand flows of transactions and processing as part of the auditor’s procedures to understand the information system.” This may provide insight into vendors, customers, and related parties, simply by sorting say a purchases ledger in a spreadsheet by supplier name, or using a search function to look for known related parties.

Paragraph A137 suggests using direct access to the entity’s database “by tracing journal entries, or other digital records related to a particular transaction, or an entire population of transactions, from initiation in the accounting records through to recording in the general ledger.” Typically an auditor is given access to say the Xero ledger and may use the built-in search functions there to drill down into the data for this purpose.

Paragraph A161 suggests that when reviewing journals or ledger accounts in less complex entities inspection of all the entries within a particular account, or all journals may well be possible. But in a more complex entity downloading to a spreadsheet and applying filters and sorting may give a good result.

In Audit Assistant, we provide a built-in sampling tool. A large dataset is extracted out of the client software and then uploaded. A sampling interval based on performance materiality (or adjusted performance materiality) is added. This generates a randomised CMA sample. Appropriate tests are then added to a generated table of results. Alternatively, a random sample of a specified number of samples may be generated, or the auditor may carry out their own sample in the spreadsheet first and then upload it for testing.

The auditor is encouraged to use automated techniques to assist in the identification of significant classes of transactions, account balances and disclosures in paragraph A203. This would typically only be helpful in complex entities. In less complex entities these become fairly obvious by reviewing trail balance and analytical review data as described above.

CAATs are our friends

So CAATS and ATTs are really not some big scary monsters that need to intimidate us. They are our servants – power tools that we pull out when a normal auditing screwdriver or hammer is too slow or not forceful enough. They become dangerous when the auditor uses them ‘just because they can’ without understanding what they are trying to achieve and why.

There is no substitute for learning to do the basics well and always working from first principles, and choosing a tool that we understand and can explain that will achieve our objectives most efficiently.

<<previous article next article>>

26 July 2022

There’s a new Act in town. And some people aren’t happy, claiming that this could be an ‘extinction event’ for many small clubs. The 1908 Act was predictably relaxed, out of step with modern regulation and reporting, so an update was needed.

So what does the new Incorporated Societies Act entail for these entities, and for those who prepare and audit the financial statements? Is the fear justified?

Changes for entities

No Incorporated Societies can just carry on as normal. All will need to update their constitutions and re-register. Companies Office guidance suggests the final date to transition will be April 2026. They also provide a handy Constitution Building tool.

Regulations are currently being developed to support the new Act. These should be completed by September 2023 so that entities can start to transition.

What we do know from the Act, however, is that under section 74 a society must have at least 10 members to register. This is a decrease from the 15 members required under the old Act. Under section 45 of the new Act, a society must have a committee, but this only needs to comprise 3 or more qualified officers. This committee is the ”governing body of the society” – the responsible parties.

There is concern that the extra responsibility being laid upon mostly voluntary committee members may make the slots hard to fill. The obligations are much closer to a company director than the casual committee member of the past. Under section 51 an officer remains specifically liable for acts and omissions and decisions made while they were an officer even after they have resigned.

The Act takes into account that many small entities may not want to re-register, so it provides an amalgamation process to enable groups of small, similar entities to amalgamate under one umbrella. Whether this will be used much, we shall see.

How to report?

Charities Services report that “there are about 24,000 incorporated societies in New Zealand, and about 7,000 of those are registered as charities.” These 7,000, like all charities, will be reporting under the Public Benefit Entity (PBE) reporting regime, which is now well established.

For the other 17,000, reporting will depend mainly on size. At present these entities may be using special purpose reporting or generally accepted accounting practices (GAAP). Section 102 provides three categories:

  • specified not-for-profit entity
  • small society
  • other

An entity is defined as a specified not-for-profit entity in the Financial Reporting Act 2013 S46  if, in each of the 2 preceding accounting periods of the entity, the total operating payments of the entity are $140,000 or more. These are required to prepare financial statements that comply with GAAP. Our Tier 1 and 2 standards plus our Tier 3 PBE standard are GAAP. Tier 4 and Special Purpose are not GAAP.

A small society has total operating payments and total current assets of less than $50,000 in each of the 2 preceding accounting periods. It also may not be a donee organisation under section LD 3(2) of the Income Tax Act 2007. These include charitable entities entitled to issue tax-deductible receipts for donations received. Many small clubs would fall into the small category. These may choose to prepare either GAAP-compliant financial statements or a non-GAAP standard or the minimum requirements as set out in section 104 of the 2022 Act. The minimum requirements statements must contain the following information:

(i) the income and expenditure, or receipts and payments, of the society during the accounting period; and

(ii) the assets and liabilities of the society at the close of the accounting period; and

(iii) all mortgages, charges, and other security interests of any description affecting any of the property of the society at the close of the accounting period

Associations that don’t fit into either category – the “others” – will generally be those with expenditure over $50,000 and under $140,000 in the previous two periods. They may choose whether to apply GAAP or non-GAAP.

What about the requirement for audit?

Of course, any Incorporated Society may opt to be audited, but some must be audited under the Act.

These are classed as “large” (as defined by S45 of the Financial Reporting Act 2013) if as at the balance date of each of the 2 preceding accounting periods, the total assets of the entity and its subsidiaries (if any) exceed $66 million or in each of the 2 preceding accounting periods, the total revenue of the entity and its subsidiaries (if any) exceeds $33 million.

The end of Society?

So will this be an ‘extinction’ event for societies or provide momentum for a new burst of energy? Both outcomes are likely, depending on the state of the society. It will certainly drain the limited resources of struggling clubs to have to lift their game to a new level.

In this age of declining volunteerism and reliance on sponsorship, the change may lead to fewer societies, but adaptations will be made for more efficient operations and more professional style management in those who survive.

25 July 2022

Does your firm administer any family trusts? Then you will no doubt be aware of the increased requirements under the Trusts Act 2019 for ensuring all the data about the Trust is up to date.

To help achieve this, we have, in collaboration with a large local Accountancy firm, developed a simple questionnaire to be shared annually with the trustee contact, that asks all the relevant questions to make sure that the accountant’s records are correct.

There are four actions required:

STEP 1: Set up the Trust using the Annual Trust Review Questionnaire template. Add the name of the trust, appointment date and save (the questionnaire itself is undated – the important date is when it is signed off).

Screen_Shot_2022-07-25_at_2.00.42_PM.png

STEP 2: Add the current trustees and beneficiaries as contacts. These can be imported using a special .CSV template that we have attached to the A1 page, from data obtained from your records (or the details may be added one at a time if there are only a few).

Screen_Shot_2022-07-25_at_1.56.51_PM.png

Note that the Role column should specify whether the person or entity is a Trustee, Beneficiary or both  – note format for both uses the vertical line or “pipe” character (|).

Screen_Shot_2022-07-25_at_2.07.07_PM.png

The contacts will then be added to the file so that they will appear on the questionnaire.

Screen_Shot_2022-07-25_at_2.10.37_PM.png

STEP 3: Then share the questionnaire page with the relevant contact. Select the name from the dropdown and click add – this will generate a link to be emailed to the client. Alternatively use the tick-box “Automatically send link to user” to generate an email directly off the system.

Screen_Shot_2022-07-25_at_2.12.40_PM.png

They receive an email from your firms asking them to follow the link and complete the details. Following the link they are asked to confirm their identity:

Screen_Shot_2022-07-25_at_2.17.57_PM.png

Then they see the existing trustee and beneficiary contact details and are asked if any changes have been made.

Screen_Shot_2022-07-25_at_2.25.57_PM.png

If so a dialogue box asks them to type in the new details. There are also questions for all the other information that needs to be asked under the Act. Once complete the accountant is notified.

Screen_Shot_2022-07-25_at_2.29.56_PM.png

STEP 4: The accountant then updates the records held by their firm, and takes any further actions required. 

Once complete the jobs may be saved to PDF then deleted off the system, or rolled over and reused in the subsequent year.

Note: We can assist with bulk client creation, contact data import, and even bulk sharing if required, as we do for normal client annual data collection questionnaires

This content is accessible in our Tools for Accountants packages, along with financial reporting checklists and other compilation tools. Contact us for more details.

1 July 2022

The next concept, expressed in paragraph 8 of ISA 315, is a reminder that our audit work must be framed in terms of responses to risks of material misstatement (RoMM). This is not new, but it is critical to making our audit file “sing”.

The first part of paragraph 8 states that “ISA 330 requires the auditor to design and implement overall responses to address the assessed risks of material misstatement at the financial statement level.” Remember that risks at the financial statement level affect the financial statements as a whole and so potentially affect many assertions. So, these are major issues but hopefully rare. It makes sense that if say, there is a major fraud that impacts going concern then we would send most of our auditing fire engines to that particular fire.

The second part of the paragraph states that “the auditor’s assessment of the risks of material misstatement at the financial statement level, and the auditor’s overall responses, is affected by the auditor’s understanding of the control environment.” Paragraph A2 of ISA 330 says: “An effective control environment may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity and thus, for example, allow the auditor to conduct some audit procedures at an interim date rather than at the period end.”

This is a standard practice of course. We consider the control environment, assess whether it is robust enough for us to consider relying upon it and if we think it might be we test the key controls. If all is well, we can reduce our reliance on substantive testing.

The third part quotes ISA 330 paragraph 6 which requires the auditor to also “…design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.” Note we are talking about assertion level (granular) risks here. In most jobs, this will be where our focus rests – assertion level RoMM.

Just like striking one string in a piano sets off harmonics in other strings, so should the identification of a RoMM set off harmonic thoughts in the auditor’s brain. The risks that we assess as of potential magnitude and the likelihood of occurrence should resonate throughout the whole audit file.

Para 13 (b) sums it up succinctly: “The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for… The design of further audit procedures in accordance with ISA 330.”

What are these risk assessment procedures?

Paragraph 14 summarises these as enquiry, analytical procedures, and observation and inspection. This evidence may also be gathered during the acceptance and continuance process, from other engagements performed for the entity (para 15), or from previous audit experience (para 16). This must of course be evaluated for relevance and reliability. The audit team meeting will also be a source of information about potential risks (para 17).

Of course, a thorough understanding of the entity and environment will alert us to inherent risks, and understanding the entity’s use of IT is essential to assessing possible control risks, plus consideration of reporting framework and accounting policies (para 19-20).

Understanding the components of the control system and how that is monitored will be required to identify control risks (para 21-26).

At the end of this process we will have a clear description of the risk:

  • whether it is at the assertion or financial statement level;
  • if at the assertion level, what assertions it relates to;
  • whether it is an inherent, control or audit risk;
  • the potential financial impact;
  • the likelihood of occurrence;
  • any related controls;
  • from this an assessment of how significant the risk is.

Once we have done a good analysis the response should be obvious. A significant risk will demand higher audit resources. Our toolkit of audit responses will depend on the assertion and level of risk.

If there is material inventory for instance, and we have assessed controls as poor, we have a higher likelihood of overstatement with high potential impact. Assertions like existence, accuracy, valuation, ownership, and cut-off all become relevant. We likely have a significant control risk at the assertion level. What do we do? We design tests like stocktake attendance, review for redundant goods, valuation tests, ownership testing and cut-off testing back to accounts receivable and payable, obtaining representations from management and enquiry and observation.

In the end, we have an Audit file that plays a clear song without discordant notes. Like a good piece of music, it is concise, focused, clear and internally consistent.

<<previous article next article>>

30 May 2022

Let’s face it, auditing can be like herding cats.

There are so many factors that must be considered simultaneously that it’s really impossible to proceed through anything but the most basic job without new facts emerging, new risks surfacing, and expectations changing. We try to nail this down and not miss anything, with our programmes and engagement letters, but it’s still easy for something to slip through in the busyness.

The new ISA 315 standard addresses this using the language of “iterative and dynamic”. It says: “The auditor’s understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control are interdependent with concepts within the requirements to identify and assess the risks of material misstatement” (paragraph 7).

Consider what we are asked to simultaneously evaluate:

  • The entity itself – history, structure, goals. funding etc.
  • The environment in which it exists – legislation, competitors, industry trends etc.
  • The reporting framework under which it is required to or chooses to report.
  • The inherent risks associated with the above.
  • The control systems used to assist the entity to fulfill its business and reporting responsibilities.
  • The risks associated with those activities and their exposure to both error and fraud.
  • How risk relates to different classes of transactions, different account balances, or disclosures.
  • How risk relates to the assertions made by the client regarding the different classes of transactions, different account balances, or disclosures.
  • The materiality of risks and errors found.
  • Responses and how to address the risks identified.
  • How these responses relate to each other and combine to give an overall level of comfort to the auditor.
  • And much more!

IFAC diagram it like this:

see https://www.ifac.org/system/files/publications/files/ISA-315-Revised-EM-Overall-risk-assessment-flowchart-July-6_0.pdf

So the new standard helpfully informs us that the process is regarded as iterative and dynamic. In other words, it is okay to jiggle our thoughts and responses around until we arrive at the best approach. Auditing is perhaps best regarded as an art more than a science at this level of complexity. Hence the emphasis on exercising professional judgement.

In practical terms, this approach means that we make our preliminary assessments of risk right from our first conversation with the client. We note these down. Then we do some more background research, and we note down our understanding of the client. This may unearth more possible risks. We gain access to client documents, minutes, legal documents and agreements, and past financial reports, and the bigger picture begins to form. We update some of our earlier impressions and go back with more questions.

Then we meet with our team and brainstorm about what they perceive as the risks (especially the inherent risks as we have already noted). We update our assessment of risk. We move identified items around the spectrum of inherent risk as we seek to bring the focus on what is significant.

Paragraph A48 points out the obvious: “…the auditor’s expectations may change as new information is obtained.” We draw initial conclusions, but we update these as our understanding of the client grows. Finally (?) we have a plan that has identified the significant risks and what are the most efficient ways to reduce audit risk to an acceptable level.

Then we start carrying out the work we have decided is required to respond to the risks identified. But (who knew?) more issues surface as we start digging, so we go back and revise our plan accordingly.

Paragraph 7 concludes: “In addition, this ISA (NZ) and ISA (NZ) 330 require the auditor to revise the risk assessments, and modify further overall responses and further audit procedures, based on audit evidence obtained from performing further audit procedures in accordance with ISA (NZ) 330, or if new information is obtained.

This has always been what good auditors do intuitively and was inferred by the old standard. Practical wisdom would suggest taking the time to revisit our plans, not rushing ahead without being really clear on what the risks are and whether our responses are actually addressing those risks, and being flexible enough to adapt to new information as we go.

Who said herding cats isn’t fun?

<< previous article next article>>

17 May 2022

The fourth concept recognised in the new ISA 315 (paragraph 5) builds on the emphasis on inherent risk (IR) discussed in the last article and the need for a separate assessment of inherent risk and control risk.

ISA 200 tells us that inherent risk is higher for some assertions and related classes of transactions, account balances and disclosures than for others. The degree to which inherent risk varies is referred to in ISA 315 as the ‘spectrum of inherent risk.’ The concepts of the spectrum of risk and separate assessment of inherent and control risks were introduced in the ISA 540 standard on the audit of estimates. It is now to be applied across the board in this updated standard.

Also, as we have seen, RoMM at the assertion level for inherent risk is assessed in terms of likelihood of occurrence and magnitude of potential impact. These two factors are always to be considered in tandem, and the combination of a higher likelihood of occurrence and high magnitude creates a significant risk – like nitro-meets-glycerine!

Explosive risks – handle with care

As in the case of handling something explosive, much more care is needed for significant risks. Paragraph A12 states that “The higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be.” Thus we are to focus our time and energy on the potentially explosive risks.

In discussing the magnitude of a risk, paragraph A211 states that we are to consider “…the qualitative and quantitative aspects of the possible misstatement…” That is, more than just the dollars, but including the nature and circumstances of the risk.

Paragraph A214 state that the auditor may use different scales or ways of categorising the elements of inherent risk, however, the important thing is that the result will ensure that “…the design and implementation of further audit procedures to address the identified risks of material misstatement at the assertion level is appropriately responsive to the assessment of inherent risk and the reasons for that assessment.”

What about a low-risk audit?

What if the client has no items towards the higher end of the spectrum? What work is then required? The standard does not give much guidance in these cases, although A219 says: “Being close to the upper end of the spectrum of inherent risk will differ from entity to entity, and will not necessarily be the same for an entity period on period. It may depend on the nature and circumstances of the entity for which the risk is being assessed.”

A sensible approach is to assume that while an entity may have few or no significant risks, the risks that rank highest should be where the bulk of the work should be focussed.

<< previous article next article >>

28 April 2022

The third key concept in ISA 315 (Revised 2019), summarised in paragraph 4, relates to understanding Inherent Risk (IR) and Control Risk (CR).

We discussed that risk at the financial statement level relates to the financial statements as a whole. It may potentially affect many assertions and may not affect one account more than another. For example, if the management of the company is involved in fraud, or if the overall level of competence is such that controls are ineffective, this will be a Risk of Material Misstatement (RoMM) at the more global level (i.e. the financial statement level).

RoMM at the more granular (assertion) level may be split into Inherent Risk (IR) and Control Risk (CR). These are familiar concepts but the new standard formulates these and makes them much more specific, which is a good thing. We are explicitly required to consider inherent risk and control risk separately.

Inherent risk

Inherent risk (IR) is a central concept of the standard, mentioned in 109 places, as compared to control risk, mentioned only 16 times.

IR focuses on the raw reality of the entity before we consider any controls. What would the susceptibility of an assertion to material misstatement be if there were no controls? This is to be considered individually or when aggregated with other misstatements.

The standard now requires IR is to be assessed on a spectrum. This spectrum is to be considered in terms of the likelihood of occurrence and the magnitude of the potential misstatement. These are to be considered in tandem.

For instance, it may be quite likely that a few pens may be taken from the stationery cupboard for private use, but the magnitude of misstatement should this occur is very low. Or there might be a volcano that destroys the city, which would be a high magnitude loss, but the likelihood of occurrence is low. In either case, these would not represent significant risks. The ideal way to display these IRs is graphically. For instance:

Any IR that is both likely to occur and with potential for high-magnitude impact must be regarded as a significant risk (para 12(l)). In the case above, we may identify the top five (circled) items as significant. This reflects good practice, but in the new standard, it is made crystal clear.

There is a new definition of Inherent risk factors in the standard (para 12(f)). This speaks of events or conditions that affect susceptibility to misstatement, whether due to fraud or error.

These may impact on an assertion about a class of transactions, an account balance or a disclosure. Such factors may be qualitative or quantitative and include considerations such as complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors. All should be considered – generally just following common sense.

Why this emphasis on IR? It makes sense that we start with inherent risks, as these represent the fundamental potential for misstatement. Then considering these we may only really concern ourselves with controls that address those risks.

For instance, if we instead started with control risk, we may identify poor controls over cash. But cash does not represent a material part of the business. So if cash is not inherently a material risk is there any point concerning ourselves with the related controls? If we start with IR we will know this.

Control risk

Control risk (CR) describes a risk that a possible material misstatement (either individually or when aggregated with other misstatements) that could occur in an assertion, will not be prevented, or detected and corrected, on a timely basis by the entity’s system of internal control.

Paragraph 33 states: “If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control risk. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk.”

So, we are required to assess control risk (CR) only if we plan to test the operating effectiveness of controls or when substantive procedures alone will not provide sufficient appropriate audit evidence at the assertion level. Therefore, if we do not intend to rely on controls we do not need to test them, so CR effectively defaults back to our IR assessments.

This is a new concept. And it opens questions about how to respond in small entities that do not have many formal controls that we can test, but nevertheless, have a robust system of management and governance oversight which gives us considerable comfort. We shall return to these questions in a later post.

<< previous article next article >>

20 April 2022

The second key concept in ISA 315 relates to the requirement in ISA 200 para 15 to “…plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the financial statements to be materially misstated” and para 16 to “exercise professional judgement in planning and performing an audit of financial statements.”

These should be familiar concepts to auditors, however, familiarity does not mean that the concepts are easy to learn or maintain.

Scepticism

An easy way to explain scepticism is from our NZ popular culture – the famous Tui billboards. They were generally based on an assertion made by someone – then mocked with a sceptical “yeah right” – a good concept to keep in mind when the client is telling us a story (though probably unwise to verbalise):

Like a good journalist interviewing a politician, we cannot take claims at face value without evidence, especially if there is a reason why it might be beneficial for the interviewee to present a biased slant on the truth.

The standard gives some helpful tips for applying professional scepticism in para A13, including encouraging the auditor to:

  • Question contradictory information and the reliability of documents;
  • Consider responses to enquiries and other information obtained from the client;
  • Remain alert to conditions that may indicate possible misstatement due to fraud or error; and
  • Consider how the audit evidence obtained supports our identification and assessment of RoMM.

Confirmation bias

Paragraph 13 reminds us that when designing and performing risk assessment procedures we must not bias our work toward obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory. This takes some thought, as we are caught between time constraints (pushing us towards getting the answer quickly) vs. professional curiosity and thoroughness which may be necessary if something doesn’t quite sit right.

Many audit failures are the result of falling for confirmation bias. As per the American Psychological Association, Confirmation Bias is the tendency to look for information that supports, rather than rejects, one’s preconceptions, typically by interpreting evidence to confirm existing beliefs while rejecting or ignoring any conflicting data.

We mostly instinctively see the evidence that supports our presuppositions about the client, and ignore evidence that falls outside of our existing beliefs about them. In fact, it is very difficult not to do this when we are close to the client and involved in the details of the job. It is the reason we have auditor rotation and review of our work.

To counter bias the standard recommends comparing evidence from multiple sources. Para A15 lists these as:

  • Interactions with management, those charged with governance, and other key entity personnel.
  • External parties such as regulators.
  • Publicly available information about the entity.

Professional judgement

ISA 200 para A26 tells us that: “The distinguishing feature of the professional judgement expected of an auditor is that it is exercised by an auditor whose training, knowledge and experience have assisted in developing the necessary competencies to achieve reasonable judgements.”

The experienced auditor will develop a nose for things that don’t add up, just like the good investigative journalist. I have confirmed with many auditors the immense value of just sitting in the client’s tea-room and chatting with the staff (not so easy during COVID restrictions). This isn’t just about finding out surprising facts but assessing the tone of the client.

Brain science confirms that having a ‘hunch’ or a ‘bad feeling’ is often a reliable indicator that we should investigate a bit deeper. Our right-brain function is constantly scanning our environment and we pick up complex patterns and human interactions that alert us that something isn’t quite right. The right brain works much faster than the more cognitive left brain, so we are aware of things emotionally and physically before we really have time to think about them and process them cognitively. So a good auditor learns to use all of their brain.

ISA 315 para 17 also emphasises the importance of the whole team being involved in planning and looking for risks. In a team, even the newest member may think of something that the more experienced have missed. Everybody has different experiences, skills and perceptions to bring to the table. So a good auditor also uses the brains of all their team!

<< previous article next article >>

11 April 2022

ISA (NZ) 315 (Revised 2019) applies for audits of financial statements for periods beginning on or after 15 December 2021. To prepare for it we are producing a series of articles, and we are updating our content and our risk identification and assessment process to better suit the new standard.

The standard starts with a series of key concepts. These are useful to get the drift of the standard. Most of these are basic auditing but they provide great revision and help to break risk assessment down in a way that hopefully makes sense.

Key Concept 1 – Audit Risk

Paragraph 2 of the new standard references the requirement in ISA (NZ) 200 that audit risk be reduced to an acceptably low level by obtaining sufficient appropriate audit evidence.

Audit risk sounds simple at first glance but can quickly turn nasty once we start trying to define and understand how it actually works. This is where we must start using some acronyms and abbreviations (much as I hate them).

Audit Risk (AR) is described as a function of Risk of Material Misstatement (RoMM) and Detection Risk (DR). RoMM may exist on two levels – the financial statement level and the assertion level. RoMM consists of two components: Inherent Risk and Control Risk (para 4). The whole objective of the audit (per para 11) is to identify and assess the RoMM, so that we can use this as a basis for designing and implementing responses to the assessed RoMM.

If you are like me, its easy to go a bit like this around this point:

The key is to understand the meaning behind AR = RoMM x DR.

AR must be reduced to an “acceptably low” level. So let’s break down the rest of this.

First, what is material misstatement? ISA (NZ) 320 (2) says: “Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.”

You could say in the context of the audit material things are what we care about; things that make the financial statements not just wrong but misleadingly so.

So, risk of material misstatement (RoMM) is a weak point that could lead to us missing something big and important in our work and so failing in our task.

We identify a weak point, we think about the likelihood of it being wrong or producing wrong results, and we consider the potential impact on the financial statements if the worst-case scenario were to emerge. We identify, describe and assess the RoMM.

Second, what about the Financial Statement level and Assertion level? This is easily enough understood as either that which will impact the financial statements as a whole (financial statement level) or that which is more granular, relating to classes of transactions, account balances and disclosures (assertion level).

In plain English an assertion is defined as: 

“A confident and forceful statement of fact or belief” (Oxford Dictionary).

The Collins English dictionary goes further and says:

“A positive statement, usually made without an attempt at furnishing evidence.”

Paragraph A190 lists assertions as things like Occurrence, Completeness, Accuracy, Cutoff, Classification, Presentation, Existence, Rights and Obligations, Valuation and Allocation.

Our job is to assess whether the assertion being made is important (i.e. material) enough for us to look for evidence that it is actually true.

For example, if the preparers of the financial statements are confidently and forcefully stating that say, certain inventory is owned by them, exists and is valued at a certain amount, we as auditors are required to assess whether the balance (or potential for error) is material and if it is, whether their confidence and force in making these claims are justified by looking for evidence using suitable procedures that respond to the risk.

We will consider how these responses work later.

Making Audit Risk (AR) acceptable is like us saying whether it is possible, given the RoMMs we have identified, to design suitable audit responses to be comfortable that we have found evidence to support the assertions.

If we can’t do that we should either not accept the engagement at all, disclaim the audit report if it is too late, or modify the report if we can ring-fence the uncertainty to certain categories.

next article >>

7 April 2022

From January 2022 the thresholds at which New Zealand financial reporting requirements are allowed, and to the levels under which audits and review engagements are required, have been updated. Let’s consider New Zealand’s reporting landscape while considering the changes.

A variety of reporting levels

Think of the reporting framework as a tree with two main branches – Public Benefit Entities (PBEs) and For-Profit Entities (FPEs), reflecting the reality that some entities operate in the public sector for public benefit and some operate at the for-profit end of the scale.

The needs of the readers of financial statements for for-profit entities and public-benefit entities will likely be somewhat different, so a distinction is made.

However, whether an entity is primarily for community and social benefit isn’t as clear-cut as it sounds, as most if not all entities have (hopefully) some kind of public benefit – the provision of healthy food for instance is part of the goal of an entity like Fonterra. But the type and purpose of transactions often make the distinction clearer – many transactions are non-exchange in nature, and specialised assets are often held for which there may be no commercial market.

Not all entities want or need to trade or invest internationally or even have much of a public face at all. The NZ XRB thankfully recognised this and drew some distinctions between outward-facing entities that require wide-scale credibility and smaller-scale local entities that will never have to be scrutinised on the international stage. Discussions of ownership, scale, public accountability, and purpose are factored into these distinctions. 

Public Benefit Entities

The Public Benefit Entities (PBE) branch of the reporting standards is somewhat easier to navigate than the For-Profit bough.

If, after looking at founding documents, beneficiaries, and issues of funding we decide that the entity is indeed a PBE there are four slots of financial reporting that we can choose from.

Tier 1 – The plumpest fruit

To whom is the entity accountable? Where is the funding for the entity derived? An entity may be for public benefit but not publicly accountable – for example, a charity for helping the homeless that is funded by support from corporate sponsors.

Or an entity may be publicly accountable but for-profit rather than for public benefit – for example, banks, insurance and superannuation providers, publicly listed companies and others that trade debt or equity instruments to the public. The specific criteria are provided by the Financial Markets Conduct Act 2013 (FMC Entities) and by the IASB definition of public accountability. 

Anything that is publicly accountable will fall into Tier 1 – full compliance with full PBE accounting standards. 

Also falling into that basket will be large entities – defined in this case by expenditure – over $30million over the last two periods (note this has not changed). This size is specified by the XRB A1 Accounting Standards Framework document. There are only about 60 charities in this category in New Zealand. 

Tier 2 – Not so large and not accountable

PBEs that are neither publicly accountable nor with expenses over $30million are graded based simply on their expenditure level over the last two periods.

Under $30million but over $2million drops into Tier 2 (again these thresholds are unchanged). These are subject to the same PBE accounting standards as the larger entities, but with some reduced disclosure requirements concessions (“RDR”).

There are about 900 NZ charities in this category. An important point to remember is that all PBE entities, regardless of size and type, will by default go into the Tier 1 unless they elect to adopt another category. 

Tier 3 and 4 – Small in value but large in number 

Dropping into Tier 3 will be entities under the $2million expenses mark, but over $140,000 (increased from $125k). Anything under that level may fall into Tier 4. Tier 3 uses what is known as “PBE Simple Format Reporting Standard – Accrual” (PBE SFR-A). Tier 4 uses “Public Benefit Entity Simple Format Reporting – Cash” (PBE SFR-C (“C” for “cash”)). 

Over 90% of the 27,000 NZ registered charities fall into Tier 3 and 4. The XRB has published extensive guides and Charities Services has downloadable Excel templates for completing these reports (follow the links above).

But will they need to be audited or reviewed?

Which of these entities will be required to be audited? Under the Accounting Infrastructure Reform Bill, entities with expenditures over $1.1million (previously $1m) for the two preceding accounting periods are required to be audited.

Entities with expenditures between $550,000 (previously $500,000) and $1.1million for the two preceding accounting periods may opt for a review engagement. This work must be performed by a “qualified auditor” in compliance with the appropriate assurance standards. 

Under $550,000 there is no statutory requirement for audit or review unless, of course, the founding documents or funding sources require this. 

For-Profit Entities

As noted, an entity may be publicly accountable and also for-profit rather than for public benefit – for example, banks, insurance and superannuation providers, publicly listed companies and others that trade debt or equity instruments to the public.

These entities are by default Tier 1 FPE, required to comply with full NZ IFRS standards. Also, as per the PBE rules, anything with a total expenditure of over $33 million (increased from $30million) in the two preceding periods will fall into this tier, whether publicly accountable or not, captured by their sheer economic weight.

Tier 2 – How large is large?

Similarly to the PBE branch, Tier 2 is only to be applied to non-publicly accountable entities, but the size criteria are a little more complex, and some other factors are considered.

For Tier 1 economic impact is measured in terms of expenditure, but Tier 2 uses a definition of size based on a combination of revenue and assets. Additionally, the thresholds for assets and revenue differ depending on whether the Company (and these are likely to be companies) are locally or overseas owned.

To be “large” in terms of Tier 2, a locally owned entity must have assets exceeding $66 million (increased from $60million) or revenue exceeding $33 million. These thresholds must be reached at the balance date of each of the two preceding accounting periods to apply.

The thresholds for an overseas-owned company are lower – presumably because there is perceived to be a higher risk. Assets exceeding $22 million (previously $20million) or revenue exceeding $11million (previously $10million) at the balance date of each of the two preceding accounting periods will trigger the “large” switch in this case.

That’s not all though… if the entity is not large in the terms above but has 10 or more shareholders it is also caught in Tier 2 – unless 95% of the shareholders agree to opt-out.

Remember that as with PBE entities, regardless of size and type, FPEs will by default go into the Tier 1 bin unless they elect to adopt another category.

The other 90%

After 1 April 2015, smaller for-profits could use NZ IFRS RDR, but so long as IRD and internal management requirements were met they were free to do what works best for them. 

In effect, this means that most small NZ companies, partnerships and sole traders do not need to prepare financial statements that comply with General Purpose Accounting Principles (GAAP).

Of course, governance, banks and other investors need helpful information. To meet this need NZICA/CAANZ issued some optional guidelines (the SPFR for FPE framework). Entities that do not use these guidelines must still comply with IRD minimum reporting requirements.

Is an audit required?

Tier 1 entities always require an audit, which makes sense, as do “large” overseas companies that are Tier 2. “Large” local companies may, in terms of Tier 2, opt-out of the requirement for audit, as may smaller entities with 10 or more shareholders.

NOTE: Audit Assistant has a Financial Reporting Regime Testing Tool which may be used stand-alone, but is also incorporated into the newer templates. This has now been updated to the new thresholds, however, users will need to be mindful of the period being audited, to make sure that the results are applicable.