Author: Clive McKegg

21 February 2023

Is this project that we have all eagerly anticipated actually going to happen? It appears so. I recently attended an IFAC webinar (recording is here) that explained the latest developments.

I wrote about this back in 2021 when the draft standard was released. It seems that there has been a bit more clarity as to the application of the standard.

Originally groups were to be excluded from the scope of the standard, however, common sense has now prevailed and groups that meet LCE criteria may now be included. Using component auditors will be acceptable, as components don’t necessarily equate to complexity. An additional section has been added to the original exposure draft discussing the application to components and groups.

The webinar participants reiterated that the standard does not give a lesser level of assurance than a full ISA audit, and audit reports will be essentially unchanged. The standard focuses on core procedures and does not include much explanatory information. It is designed to follow the flow of an audit. It also uses more direct language than the ISAs.

Concerns had been expressed that there seemed to be too much judgment required in whether the standard could be applied. To clarify the scope, the IAASB has agreed to enhance the description of the qualitative characteristics of an LCE and will include an expectation for jurisdictions to determine quantitative thresholds, I assume in terms of say turnover, assets, staffing, or ownership complexity.

Since the LCE standard was proposed, we have had the new ISA 315 (revised 2019). This focus on risk identification and assessment has also flowed through to the LCE standard, with some revision of Part 6 to make it align more with the approach of ISA 315 (revised 2019).

Finally, when can we expect to enter this audit utopia? The finalisation date for the international standard is December 2023. It is then just a matter of how proactive the XRB and other key NZ stakeholders will be in adding any quantitative thresholds and releasing it into the wilds of Aotearoa.

This is going to be a game changer for auditors in NZ, as most of the work we do should fall into the scope of the LCE standard, and most charities and not-for-profits will have fit-for-purpose standards and not have to use auditing standards designed for multinational corporates. Auditors will be partying in the streets when this new standard is released.

7 December 2022

We’ve talked about risk assessment, professional scepticism, responding to identified risks, and the business model in terms of ISA 315 (revised 2019). But the bulk of the actual requirements of the standard (paragraphs 19-27) relate to, as the heading puts it: ‘Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control’. This is the topic of this article.

The new approach to understanding the entity and environment – especially its controls – is fairly significant. The easiest way to express this is to compare the requirements of the old ISA 315 with the revised 2019 version.

Entity and Environment

Paragraphs 19-20 address Understanding the Entity and Its Environment, and the Applicable Financial Reporting Framework.

Paragraph 19(a)(i) specifies that we obtain an understanding of the entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT. Understanding the organisational structure, ownership and governance were previously required under ISA 315, 11(b)(ii). The requirement to understand the business model, and the extent to which this integrates the use of IT is new. We have discussed this at length in a previous article.

Paragraph 19(a)(ii) specifies that we obtain an understanding of industry, regulatory and external factors. This was required in the old standard under paragraph 11(a). The supporting information in paragraphs A68-A73 is worth a read to refresh yourself as to the scope of what is required here. Good general knowledge of the economy, the current issues with the specific industry and the inputs and outputs of the entity are likely to be extremely helpful, and points to be discussed and documented in the team meeting.

Paragraph 19(a)(ii) specifies that we obtain an understanding of the measures used, internally and externally, to assess the entity’s financial performance. This replaces the old paragraph 11(e) requirement to obtain an understanding of the measurement and review of the entity’s financial performance. The difference is specifying internally and externally. The supporting information in paragraph A74 explains that this helps us to consider whether such measures, whether used externally or internally, may create pressure on the entity to achieve performance targets, motivating management to take actions that increase the susceptibility to misstatement due to management bias or fraud. Again, something to discuss in the team meeting. Paragraphs A74-A77 are well worth reading.

Paragraph 19(b) states that we obtain an understanding of the applicable financial reporting framework, and the entity’s accounting policies and the reasons for any changes thereto. This was covered previously in paragraph 11(c). There are three parts to consider: the applicability of the framework, how this fits with the actual policies, whether there have been any changes, and if so, whether are these justified.

Paragraph 19(c) states that we must obtain an understanding of how inherent risk factors affect the susceptibility of assertions to misstatement and the degree to which they do so, in the preparation of the financial statements in accordance with the applicable financial reporting framework, based on the understanding obtained in (a) and (b). This is new. If follows the emphasis in the revised ISA 315 on inherent risks. In paragraphs A87-A89 the emphasis is on susceptibility to misstatement relating to complexity or subjectivity. The greater the complexity or subjectivity, the greater the risk, and the more professional scepticism is required.

Finally, paragraph 20 requires us to evaluate whether the entity’s accounting policies are appropriate and consistent with the applicable financial reporting framework. This was also covered in the old 11(c) paragraph.

It is also interesting to note what has been dropped out. The old ISA 315 11(b) specified that we understand the operations of the entity, the types of investments that the entity is making and plans to make including investments in special-purpose entities, and how the entity is financed. These are all now covered in Appendix 1, which includes these and many more examples of matters to consider when understanding the entity.

Controls

The new standard splits the analysis of controls into:

  • the control environment (paragraph 21),
  • the risk assessment process (paragraphs 22-23),
  • the entity’s process to monitor the system of internal control (paragraph 24),
  • the information system and communication (paragraph 25) and
  • control activities (paragraph 26).

These components were previously covered in general terms in paragraphs 12-23 of the old standard, but the new standard is more specific and detailed and will require more work to provide the detail required. Each element must be separately assessed, even though there will be significant common ground. Note too that this work is required whether or not there is any reliance to be placed on controls. This is a risk assessment exercise.

For instance, we must now identify what controls, processes and structures address how management’s oversight responsibilities are carried out, such as the entity’s culture and management’s commitment to integrity and ethical values. (Paragraph 21(a)(i))

This seems a bit over the top for a smaller entity. This is where the scalability provisions can help. Paragraph A16 says: The nature and extent of risk assessment procedures will vary based on the nature and circumstances of the entity (e.g., the formality of the entity’s policies and procedures, and processes and systems). The auditor uses professional judgement to determine the nature and extent of the risk assessment procedures to be performed to meet the requirements of this ISA (NZ).

Paragraph A17 further states: Although the extent to which an entity’s policies and procedures, and processes and systems are formalized may vary, the auditor is still required to obtain the understanding in accordance with paragraphs 19,21,22, 24, 25 and 26.

It continues with an example: Some entities, including less complex entities, and particularly owner-managed entities, may not have established structured processes and systems (e.g., a risk assessment process or a process to monitor the system of internal control) or may have established processes or systems with limited documentation or a lack of consistency in how they are undertaken. When such systems and processes lack formality, the auditor may still be able to perform risk assessment procedures through observation and enquiry.

So we still need to ask the questions, but in the light of the small scale of the entity, on enquiry, the answer might be ‘no formal system, however, ethics are emphasised by example and in staff and board meetings.’

For smaller and less complex entities. meeting all the specific requirements of this part of ISA 315 (revised 2019) may seem tedious, but until we get a standard for LCEs it is, unfortunately, unavoidable.

<< previous article

21 October 2022

Ever wish you could take your current complex review and documentation processes and put them into one bespoke, secure, elegant online solution without spending hundreds of thousands of dollars? Now you can.

Or go next level and become a provider of that content, reselling it to other firms in your industry? This is what ReviewTools from Audit Assistant offers.  

Audit Assistant has been the online tool of choice for the majority of New Zealand SME financial auditors for over ten years. We have now taken this experience and applied it to building ReviewTools  – a secure platform for complex process and assurance work for a wider range of applications.

ReviewTools offers a flexible and powerful base with numerous built-in features that can be flexibly configured for all sorts of diverse, complex review applications.

ReviewTools is an ideal platform for small team collaboration in real-time in complex risk-based and standards-driven processes – perfect for industries and professions where documentation is critical, and evidence gathering and client interaction must be tracked within the application.

ReviewTools includes:

  • Integrated signup, customer management, billing and reports.
  • Built-in two-factor authentication,
  • Encrypted file storage,
  • A professionally hosted and maintained database,
  • Backup and restore service,
  • Risk assessment processes,
  • Customisable team roles,
  • Real-time team interaction,
  • Multi-level review processes,
  • Sampling and analytics tools,
  • Integrated letter and report creation,
  • Uploadable file attachment,
  • Annual rollover if required,
  • Client query tool
  • Invitation for client access to individual pages for data gathering,
  • Hyperlinks to online standards,
  • Dynamic job creation,
  • Export of completed work to PDF,
  • Full dashboard for work tracking and milestones,
  • Ability to customise structure and content as required,
  • Help from our staff with building your application as required,
  • Access from multiple devices.

Let us help take your current workflows and build them into a tight, secure, integrated package – or develop a professional-grade cloud-based product with basic skills using the ReviewTools platform. Leverage your product on our reputation of delivering professional cloud services for over ten years.

Our team can also provide:

  • Help with marketing via our existing networks,
  • Additional custom features if required,
  • Legendary personal support to get you up and running.

What could cost hundreds of thousands of dollars to build from scratch will soon be available to you on a PaaS (Platform as a Service) basis for a monthly subscription.

Contact us to talk about your idea, and how ReviewTools can get your application up and running fast.

26 August 2022

Kaizen, also known as continuous improvement, is a long-term approach to work that systematically seeks to achieve small, incremental changes in processes in order to improve efficiency and quality.

Kaizen can be applied to any kind of work, but it is perhaps best known for being used in lean manufacturing and lean programming. If a work environment practices kaizen, continuous improvement is the responsibility of every worker, not just a selected few.

Kaizen can be roughly translated from Japanese to mean ‘good change.‘ The philosophy behind kaizen is often credited to Dr W. Edwards Deming. Dr Deming was invited by Japanese industrial leaders and engineers to help rebuild Japan after World War II. He was honoured for his contributions by Emperor Hirohito and the Japanese Union of Scientists and Engineers.

One version of the ten basic Kaizen principles is as follows (my comments are added in italics):

  1. Throw out all your old fixed ideas on how to do things. Start with a clean slate every day, don’t get stuck in your old assumptions.
  2. No blame – treat others as you want to be treated. Encourage and affirm others in the team including yourself.
  3. Think positive – don’t say can’t. Lean into grace – there is always a way forward.
  4. Don’t wait for perfection – 50% improvement now is fine. Don’t get stuck waiting for perfection, keep moving forward and over time results will come. A few mistakes show that you are taking risks and that’s okay.
  5. Correct mistakes as soon as they are found. Be willing to admit mistakes and fix them in a timely way. It keeps your clients happy, encourages feedback and makes a better product.
  6. Don’t substitute money for thinking – Creativity before Capital. When you have the money you may not be more creative. Limits are great for new ideas.
  7. Keep asking “why?” until you get to the root cause. Don’t settle for overly simplistic solutions, or you will be treating the fruit instead of the root.
  8. Better the wisdom of 5 people than the expertise of 1. Group wisdom will see through the simplistic answers – you can’t beat the wisdom of experience.
  9. Base decisions on data not opinions. Make sure you have real evidence not just hearsay or guesses – check out your hunches and feelings against reality.
  10. Improvement is not made from a conference room! Be out there among the people – staff and clients asking them where improvement can be made. Test theory in the real world.

Dr Deming was one of the key originators of these principles, and reading his original ideas is refreshing and somewhat surprising in their timelessness, bluntness and practicality – and also in their wide application to almost any kind of business enterprise. 

In his book Out of the Crisis, Dr Deming shared his philosophy of continuous improvement (again my comments are added in italics):

  1. Create constancy of purpose toward improvement of product and service, with the aim to become competitive and to stay in business and to provide jobs. Have a clear philosophy – not just about money but about sustainability and job creation.
  2. Adopt the new philosophy. We are in a new economic age. Western management must awaken to the challenge, must learn their responsibilities, and take on leadership for change. Just do it – keep revisiting.
  3. Eliminate the need for inspection on a mass basis by building quality into the product in the first place. Do it the right first time as much as possible.
  4. End the practice of awarding business on the basis of price tag. Instead, minimise total cost. Move towards a single supplier for any one item, on a long-term relationship of loyalty and trust. Use local firms where possible, and use organisations and people that fit well – the overall result will be lower cost.
  5. Improve constantly and forever the system of production and service to improve quality and productivity and thus constantly decrease costs. Be constantly aware of how processes and systems may be improved and write these things down.
  6. Institute training on the job. Give time to this – don’t rely on external training, learning on the job will give greater satisfaction to staff as their skills increase. Don’t expect them to ‘just know’.
  7. Institute leadership. The aim of supervision should be to help people and machines and gadgets to do a better job. Be present and give and receive feedback on a regular basis.
  8. Drive out fear so that everyone may work effectively for the company. Be approachable, admit fault, be fair and empower others – it will win respect.
  9. Break down barriers between departments. People in research, design, sales and production must work as a team to foresee problems of production and use of the product or service. Communicate with co-workers, and treat everyone as of equal value. It will encourage work satisfaction, and team cohesion and so honesty and creativity will increase.
  10. Eliminate slogans, exhortations, and targets for the work force asking for zero defects and new levels of productivity. Such exhortations only create adversarial relationships, as the bulk of the causes of low quality and low productivity belong to the system and thus lie beyond the power of the work force.
    • Eliminate work standards (quotas) on the factory floor. Substitute with leadership.
    • Eliminate management by objective. Eliminate management by numbers and numerical goals. Instead substitute with leadership.
    • Encourage one another and accept mistakes as normal to learning and developing new, good things.
  11. Remove barriers that rob the hourly worker of his right to pride of workmanship. The responsibility of supervisors must be changed from sheer numbers to quality. Quality comes from focus and teamwork, not just pumping out work.
  12. Remove barriers that rob people in management and in engineering of their right to pride of workmanship. This means, inter alia, abolishment of the annual or merit rating and of management by objectives. Let people enjoy coming up with their own solutions, and taking responsibility for projects themselves.
  13. Institute a vigorous program of education and self-improvement. Encourage everyone to take time to ‘sharpen their saw.’
  14. Put everybody in the company to work to accomplish the transformation. The transformation is everybody’s job. Involve everyone, as much as possible in the wide view – talk about sales and marketing with engineering people, and help salespeople understand the technical challenges.

I like to review these steps periodically. Adding my own twist on the basic principles helps me stick with my “why” – the values that define my personal business philosophy.

When we start losing our “why” we start feeling uncomfortable in our work. Reviewing this helps us see where we are perhaps getting pulled off the track and what we have been neglecting. I can see a couple right now I need to work on. A great reality check!

24 August 2022

The concept of understanding an entity’s business model, including how it uses Information Technology (IT) is new in ISA 315 (Revised 2019).

Understanding the business model sounds like child’s play, but in the context of exploring inherent risks, it presents a powerful tool to understand the entity.

Paragraph 19(a)(i) tells us that:

The auditor shall perform risk assessment procedures to obtain an understanding of… The entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT.

Paragraph A61 explains why this is necessary.

Understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements.

Organisational structure, ownership and governance are generally simple enough to understand and document, but ‘business model’ is a more nebulous term. Looking at every business risk could be a rabbit hole that swallows a lot of audit time.

However, business risk itself is not a new concept. The old standard defined it as:

A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

What actually is a business model?

Wikipedia defines a business model as follows:

In theory and practice, the term business model is used for a broad range of informal and formal descriptions to represent core aspects of an organization or business, including purpose, business process, target customers, offerings, strategies, infrastructure, organizational structures, sourcing, trading practices, and operational processes and policies including culture.

So our client may have adopted one of the following business models:

  • Bricks and mortar retail model
  • Value-added reseller model
  • Franchise model
  • Subscription model
  • Online sales retail model
  • B2B model – etc.

These are useful to identify and document in our file, but that is still very broad. Paragraph A62 tells us that ‘Not all aspects of the business model are relevant to the auditor’s understanding.’ We need only concern ourselves with those that give rise to the risk of material misstatement.

The standard itself, in Appendix 1(1), says:

The entity’s business model describes how the entity creates, preserves and captures financial or broader value, for its stakeholders.

This is all-encompassing but lacking in specifics. Appendix 1(3) tells us that a description of a business model typically includes:

  • The scope of the entity’s activities, and why it does them.
  • The entity’s structure and scale of its operations.
  • The markets or geographical or demographic spheres, and parts of the value chain, in which it operates, how it engages with those markets or spheres (main products, customer segments and distribution methods), and the basis on which it competes.
  • The entity’s business or operating processes (e.g., investment, financing and operating processes) employed in performing its activities, focusing on those parts of the business processes that are important in creating, preserving or capturing value.
  • The resources (e.g., financial, human, intellectual, environmental and technological) and other inputs and relationships (e.g., customers, competitors, suppliers and employees) that are necessary or important to its success.
  • How the entity’s business model integrates the use of IT in its interactions with customers, suppliers, lenders and other stakeholders through IT interfaces and other technologies.

These are all helpful points to consider and document in our audit work and to flag and analyse the inherent and control risk that we identify.

A 2014 paper by the UK and French standard setters discussing the role of the business model in financial statements state that the first time the term ‘business model’ appeared in the IFRS literature was in 2009 when IFRS 9 (Financial Instruments) was issued. In defining the term business model for use in reporting standards they say:

…there is overall agreement, as evidenced by the responses received, that if the term business model is used in financial reporting, it focuses on the value creation process of an entity, i.e. how the entity generates cash flows.

So moving in from the broad description, we need to start to identify how the entity generates cash flows. In a 2014 paper on Business Models in Integrated Reporting, IFAC state that:

An organization’s business model is its system of transforming inputs, through its business activities, into outputs and outcomes that aim to fulfil the organization’s strategic purposes and create value over the short, medium and long term.

Application to audit work

Cash flows are generated and value is added by a cycle of inputs and outputs. From a risk identification auditing perspective, this is a helpful paradigm, especially in our current climate. Continuing inputs of raw materials, labour, land and capital are no longer a given with complex regulation, supply chain issues, labour shortages, restrictions on land use, and the spectre of inflation.

Similarly, the ability to continue to assume a market based on these disruptions is not as certain as it was a few years ago. We live in uncertain times.

Paragraph A63 acknowledges this by giving the following examples of possible risks:

  • Inappropriate objectives or strategies, ineffective execution of strategies, or change or complexity.
  • A failure to recognise the need for change may also give rise to business risk, for example, from:
    • The development of new products or services that may fail;
    • A market which, even if successfully developed, is inadequate to support a product or service; or
    • Flaws in a product or service that may result in legal liability and reputational risk.
  • Incentives and pressures on management, which may result in intentional or unintentional management bias, and therefore affect the reasonableness of significant assumptions and the expectations of management or those charged with governance.

All these potential risks are exacerbated in uncertain times. Paragraph A64 lists specific matters we should consider:

  • Industry developments, such as the lack of personnel or expertise to deal with the changes in the industry;
  • New products and services that may lead to increased product liability;
  • Expansion of the entity’s business, and demand has not been accurately estimated;
  • New accounting requirements where there has been incomplete or improper implementation;
  • Regulatory requirements resulting in increased legal exposure;
  • Current and prospective financing requirements, such as loss of financing due to the entity’s inability to meet requirements;
  • Use of IT, such as the implementation of a new IT system that will affect both operations and financial reporting; or
  • The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements.

Paragraph A65 points out that ‘Ordinarily, management identifies business risks and develops approaches to address them.’ so our risk assessment process should include assessing this as part of reviewing the internal controls, as under the old standard.

Appendix A(4) concludes:

A business risk may have an immediate consequence for the risk of material misstatement for classes of transactions, account balances, and disclosures at the assertion level or the financial statement level.

So to sum up, understand the business, think outside the square in terms of how inputs and outputs work, and what the associated risks might be. Then stay focussed on those things that actually represent a risk of material misstatement.

<< previous article next article >>

5 August 2022

Remember CAATs? This was an acronym for Computer Assisted Audit Tools – a general category for all things computery that helped us work with more efficiency and power.

Now that virtually all we do uses a computer, ISA 315 (Revised 2019) does not refer to CAATs but to Automated Tools and Techniques (ATTs).

This kind of thing gets audit software developers like us salivating like Fluffy when the fridge door opens. But let’s stay calm and examine what the standard says first.

So what do we know about ATTs?

The standard doesn’t define ATTs, however the recently issued IAASB First Time Implementation Guide simply calls them “procedures performed leveraging the use of technology”. These may be used for risk assessment procedures, and also for obtaining audit evidence. The IAASB points out that:

The procedures for obtaining audit evidence as set out in ISA 500, Audit Evidence, i.e., inspection, observation, external confirmation, recalculation, reperformance, analytical procedures and inquiry, continue to apply, regardless of whether those procedures are performed manually or using technology.

In matters like this, the new standard helpfully acknowledges that we may be auditing vastly divergent entities. Paragraph 9, titled ‘Scalability’, states:

This ISA (NZ) is intended for audits of all entities, regardless of size or complexity and the application material therefore incorporates specific considerations specific to both less and more complex entities, where appropriate.

It is up to the auditor’s judgement to determine whether to use an ATT or some more manual procedure. For instance, there would be no point in carrying out fancy data analytics for fixed assets additions where there are only a few items. Better to just use judgement. ATTs come into their own where there is so much data, or a level of opaqueness, such that the auditor cannot possibly just ‘eyeball’ the content.

Examples from the standard

Looking at some of the suggestions for the use of ATTs in the explanatory material, paragraph A21 suggests performing “risk assessment procedures on large volumes of data (from the general ledger, sub-ledgers or other operational data) including for analysis, recalculations, reperformance or reconciliations.”

Most of our users tend to do this by entering the trial balance data for up to four years, and then populating analytical review pages that show current to prior year movements, deviations from the budget if required and various key ratios over time. Identified risks may then be flagged and analysed as required directly from the TB or AR pages. Detailed recalculations, reperformance or reconciliations tend to be best done using a spreadsheet and adding to the file as an attachment.

Paragraph A57 suggests that the auditor use ATTs “to understand flows of transactions and processing as part of the auditor’s procedures to understand the information system.” This may provide insight into vendors, customers, and related parties, simply by sorting say a purchases ledger in a spreadsheet by supplier name, or using a search function to look for known related parties.

Paragraph A137 suggests using direct access to the entity’s database “by tracing journal entries, or other digital records related to a particular transaction, or an entire population of transactions, from initiation in the accounting records through to recording in the general ledger.” Typically an auditor is given access to say the Xero ledger and may use the built-in search functions there to drill down into the data for this purpose.

Paragraph A161 suggests that when reviewing journals or ledger accounts in less complex entities inspection of all the entries within a particular account, or all journals may well be possible. But in a more complex entity downloading to a spreadsheet and applying filters and sorting may give a good result.

In Audit Assistant, we provide a built-in sampling tool. A large dataset is extracted out of the client software and then uploaded. A sampling interval based on performance materiality (or adjusted performance materiality) is added. This generates a randomised CMA sample. Appropriate tests are then added to a generated table of results. Alternatively, a random sample of a specified number of samples may be generated, or the auditor may carry out their own sample in the spreadsheet first and then upload it for testing.

The auditor is encouraged to use automated techniques to assist in the identification of significant classes of transactions, account balances and disclosures in paragraph A203. This would typically only be helpful in complex entities. In less complex entities these become fairly obvious by reviewing trail balance and analytical review data as described above.

CAATs are our friends

So CAATS and ATTs are really not some big scary monsters that need to intimidate us. They are our servants – power tools that we pull out when a normal auditing screwdriver or hammer is too slow or not forceful enough. They become dangerous when the auditor uses them ‘just because they can’ without understanding what they are trying to achieve and why.

There is no substitute for learning to do the basics well and always working from first principles, and choosing a tool that we understand and can explain that will achieve our objectives most efficiently.

<<previous article next article>>

26 July 2022

There’s a new Act in town. And some people aren’t happy, claiming that this could be an ‘extinction event’ for many small clubs. The 1908 Act was predictably relaxed, out of step with modern regulation and reporting, so an update was needed.

So what does the new Incorporated Societies Act entail for these entities, and for those who prepare and audit the financial statements? Is the fear justified?

Changes for entities

No Incorporated Societies can just carry on as normal. All will need to update their constitutions and re-register. Companies Office guidance suggests the final date to transition will be April 2026. They also provide a handy Constitution Building tool.

Regulations are currently being developed to support the new Act. These should be completed by September 2023 so that entities can start to transition.

What we do know from the Act, however, is that under section 74 a society must have at least 10 members to register. This is a decrease from the 15 members required under the old Act. Under section 45 of the new Act, a society must have a committee, but this only needs to comprise 3 or more qualified officers. This committee is the ”governing body of the society” – the responsible parties.

There is concern that the extra responsibility being laid upon mostly voluntary committee members may make the slots hard to fill. The obligations are much closer to a company director than the casual committee member of the past. Under section 51 an officer remains specifically liable for acts and omissions and decisions made while they were an officer even after they have resigned.

The Act takes into account that many small entities may not want to re-register, so it provides an amalgamation process to enable groups of small, similar entities to amalgamate under one umbrella. Whether this will be used much, we shall see.

How to report?

Charities Services report that “there are about 24,000 incorporated societies in New Zealand, and about 7,000 of those are registered as charities.” These 7,000, like all charities, will be reporting under the Public Benefit Entity (PBE) reporting regime, which is now well established.

For the other 17,000, reporting will depend mainly on size. At present these entities may be using special purpose reporting or generally accepted accounting practices (GAAP). Section 102 provides three categories:

  • specified not-for-profit entity
  • small society
  • other

An entity is defined as a specified not-for-profit entity in the Financial Reporting Act 2013 S46  if, in each of the 2 preceding accounting periods of the entity, the total operating payments of the entity are $140,000 or more. These are required to prepare financial statements that comply with GAAP. Our Tier 1 and 2 standards plus our Tier 3 PBE standard are GAAP. Tier 4 and Special Purpose are not GAAP.

A small society has total operating payments and total current assets of less than $50,000 in each of the 2 preceding accounting periods. It also may not be a donee organisation under section LD 3(2) of the Income Tax Act 2007. These include charitable entities entitled to issue tax-deductible receipts for donations received. Many small clubs would fall into the small category. These may choose to prepare either GAAP-compliant financial statements or a non-GAAP standard or the minimum requirements as set out in section 104 of the 2022 Act. The minimum requirements statements must contain the following information:

(i) the income and expenditure, or receipts and payments, of the society during the accounting period; and

(ii) the assets and liabilities of the society at the close of the accounting period; and

(iii) all mortgages, charges, and other security interests of any description affecting any of the property of the society at the close of the accounting period

Associations that don’t fit into either category – the “others” – will generally be those with expenditure over $50,000 and under $140,000 in the previous two periods. They may choose whether to apply GAAP or non-GAAP.

What about the requirement for audit?

Of course, any Incorporated Society may opt to be audited, but some must be audited under the Act.

These are classed as “large” (as defined by S45 of the Financial Reporting Act 2013) if as at the balance date of each of the 2 preceding accounting periods, the total assets of the entity and its subsidiaries (if any) exceed $66 million or in each of the 2 preceding accounting periods, the total revenue of the entity and its subsidiaries (if any) exceeds $33 million.

The end of Society?

So will this be an ‘extinction’ event for societies or provide momentum for a new burst of energy? Both outcomes are likely, depending on the state of the society. It will certainly drain the limited resources of struggling clubs to have to lift their game to a new level.

In this age of declining volunteerism and reliance on sponsorship, the change may lead to fewer societies, but adaptations will be made for more efficient operations and more professional style management in those who survive.

25 July 2022

Does your firm administer any family trusts? Then you will no doubt be aware of the increased requirements under the Trusts Act 2019 for ensuring all the data about the Trust is up to date.

To help achieve this, we have, in collaboration with a large local Accountancy firm, developed a simple questionnaire to be shared annually with the trustee contact, that asks all the relevant questions to make sure that the accountant’s records are correct.

There are four actions required:

STEP 1: Set up the Trust using the Annual Trust Review Questionnaire template. Add the name of the trust, appointment date and save (the questionnaire itself is undated – the important date is when it is signed off).

Screen_Shot_2022-07-25_at_2.00.42_PM.png

STEP 2: Add the current trustees and beneficiaries as contacts. These can be imported using a special .CSV template that we have attached to the A1 page, from data obtained from your records (or the details may be added one at a time if there are only a few).

Screen_Shot_2022-07-25_at_1.56.51_PM.png

Note that the Role column should specify whether the person or entity is a Trustee, Beneficiary or both  – note format for both uses the vertical line or “pipe” character (|).

Screen_Shot_2022-07-25_at_2.07.07_PM.png

The contacts will then be added to the file so that they will appear on the questionnaire.

Screen_Shot_2022-07-25_at_2.10.37_PM.png

STEP 3: Then share the questionnaire page with the relevant contact. Select the name from the dropdown and click add – this will generate a link to be emailed to the client. Alternatively use the tick-box “Automatically send link to user” to generate an email directly off the system.

Screen_Shot_2022-07-25_at_2.12.40_PM.png

They receive an email from your firms asking them to follow the link and complete the details. Following the link they are asked to confirm their identity:

Screen_Shot_2022-07-25_at_2.17.57_PM.png

Then they see the existing trustee and beneficiary contact details and are asked if any changes have been made.

Screen_Shot_2022-07-25_at_2.25.57_PM.png

If so a dialogue box asks them to type in the new details. There are also questions for all the other information that needs to be asked under the Act. Once complete the accountant is notified.

Screen_Shot_2022-07-25_at_2.29.56_PM.png

STEP 4: The accountant then updates the records held by their firm, and takes any further actions required. 

Once complete the jobs may be saved to PDF then deleted off the system, or rolled over and reused in the subsequent year.

Note: We can assist with bulk client creation, contact data import, and even bulk sharing if required, as we do for normal client annual data collection questionnaires

This content is accessible in our Tools for Accountants packages, along with financial reporting checklists and other compilation tools. Contact us for more details.

18 August 2021

The IAASB has now issued its proposed standard on less complex entities (ED-ISA for LCE) for feedback.

A standard around LCE’s is long overdue, and their proposal comes with the hope of easing unnecessary requirements placed on auditors.

The standard is expected to come into effect around 2024 and should be a game-changer for the audit of most of our client entities. This article follows on from prior commentary and summarises some of the critical changes the LCE standard will have on an audit engagement.

Relationship to ISAs

The IAASB has decided that the proposed standard is to be separate from the ISAs with no intended need to directly reference back to their requirements or application material. However, the proposed standard does not address complex matters or circumstances so is not permitted to be used for audits that are not audits of financial statements of LCEs.

As a consequence, when a firm is auditing an entity with transactions and accounts deemed less complex, it cannot supplement by using other auditing standards concerning a more complex account or transaction (like an accounting estimate calculated using a bespoke, complex model). In this instance, the auditor may not use ISA for LCE together with requirements from say ISA 540 (Revised) to supplement what may not be addressed in ISA for LCE when planning and performing the audit. They would need to carry out the whole audit using ISAs (see Explanatory Memorandum para 26-28).

Therefore, it will be critical in the planning stage to ensure the LCE standard is applicable to every aspect of the audit engagement. The standard provides good guidance around the applicability of LCE for an audit engagement. See the table below:

from Explanatory Memorandum para 50

What Qualitative Characteristics might make the standard inappropriate?

Outside of the specific prohibitions in the table above, an entity may be prohibited from using the LCE standard where an entity exhibits:

  • Complex matters or circumstances relating to the nature and extent of the entity’s business activities, operations and related transactions and events relevant to the preparation of the financial statements.
  • Topics, themes and matters that increase or indicate complexity, such as those relating to ownership, corporate governance arrangements, policies, procedures or processes established by the entity.
    (from Explanatory Memorandum para 67)

What about groups?

At this stage, the standard is unlikely to allow group audits; however, the board is open to changing their minds and has proposed options to incorporate group audits into the standard.

Flow of the proposed standard

The content of ED-ISA for LCE has been grouped into nine “Parts” that follow the flow of an audit engagement (rather than by subject matter or topic like the ISAs):

from Explanatory Memorandum para 92

Each part follows the same structure, a preface, authority (circumstances in which the standard is prohibited or limited), broad concepts, key requirements, and appendices.

Potential Grey areas in the application of the standard

Accounting estimates – Specific procedures concerning the use of complex modelling and detailed requirements to address situations where there is higher estimation uncertainty have not been included as they are not expected to be relevant for the types of accounting estimates in an audit of a typical LCE. While the presence of one complex characteristic exhibited by an entity does not necessarily exclude the use of ISA for LCE this is a tricky area that would lead to a judgement call for the auditor about whether it is still appropriate to continue performing the audit under the proposed standard. The auditor would need to determine if the complex matter or circumstance identified is not in the spirit of what standard is intended to be allowed as an accounting estimate.

Service Organisations – The standard is designed for the typical nature and circumstances of an LCE. The prime example is with LCEs that have payroll processed by a service organisation. However, situations deemed more complex relating to the entity’s use of a service organisation have not been addressed within the proposed standard. For example, requirements relating to an auditor’s ability to rely on reports on the operating effectiveness of controls from the entity providing the services (e.g., ‘Type 1’ and ‘Type 2’ reports) are not included as it is anticipated that where transactions are less complex, the auditor would be able to obtain the necessary audit evidence without difficulty from records available including, if applicable, in relation to controls at the service organisation.

Planning the Audit

One of the areas where the IAASB has modulated the proposed standard is to not distinguish between the overall audit strategy and the audit plan required by the ISAs. The auditor is still required to plan the audit in the same manner, however, the relevant outcomes of what the auditor would need to do about establishing the overall audit strategy and audit plan have been incorporated together (i.e., there is still a requirement to establish and plan the audit’s scope, timing, and direction).

IAASB Video

The IAASB has released a video explaining the draft standard:

Audit Assistant response

Our goal is to make a new template from scratch incorporating the requirements of the new standard, in anticipation of its adoption. As a clean-slate build, we will be looking at ways to make this as efficient as possible, without having to retain backward compatibility. Please contact us if you would like to add to our submission on the ED, or make suggestions for the new template.

5 November 2020

Following on from the IAASB discussion paper on the audit of Less Complex Entities (that we have previously discussed), the IAASB recently released some good news – a new single standard is being developed for these entities.

The IAASB Glossary defines these as entities which typically possesses qualitative characteristics such as:

a. Concentration of ownership and management in a small number of individuals (often a single individual – either a natural person or another enterprise that owns the entity provided the owner exhibits the relevant qualitative characteristics); and

b. One or more of the following:

i. Straightforward or uncomplicated transactions;
ii. Simple record-keeping;
iii. Few lines of business and few products within business lines;
iv. Few internal controls;
v. Few levels of management with responsibility for a broad range of controls; or
vi. Few personnel, many having a wide range of duties.

In other words, this encompasses the majority of work carried out by our Charity and SME auditors. We made a submission to that discussion, back in August 2019 (remember 2019?)

In that submission I made the point that:

“…in New Zealand, we have had many provincial firms that carried out perfectly adequate audit work at a scale appropriate to LCEs drop out of auditing because they do not have the time, staff, or resources to carry out compliant ISA audits. In turn, the entities they previously audited have had to either pay much higher fees to large city firms, stop being audited voluntarily (if under the threshold for compulsory audit), or potentially close because they are already financially pressed and dependant on overstressed volunteers. So the social cost of inappropriate audit standards may well be an overlooked factor in this discussion. At a social level, it is critical that small charities and clubs and not-for-profits remain viable and accountable, as these entities create a disproportionate amount of social cohesion which flows down into all sorts of positive social outcomes.”

In the wake of the COVID-19 experience, it becomes even more important to find ways to help smaller businesses, charities, and other not for profits remain viable, and to address the growing time/cost of auditing using unnecessarily complex standards.

The IAASB approach

The approach that the IAASB is taking seems a sensible one. In fact, it is a two-pronged approach. On one hand, they are producing a more accessible and appropriate audit standard for LCEs. On the other hand, they are undertaking a review of the ISAs addressing Complexity, Understandability, Scalability, and Proportionality (CUSP for short).

The work on the ISAs themselves is welcome and sensible, and addresses issues around plain language, avoiding duplication, and so on. But the real good news to me is the development of a separate standard for LCEs. What might this standard be like?

In a worthwhile interview by Tom Ravlic, (the first 18 minutes) Professor Roger Simnett, the chairman of the Auditing and Assurance Standards Board, (as well as Chair and CEO Australian Auditing and Assurance Standards Board and Scientia Professor, UNSW Sydney) explains the key features:

  • This will be a new separate ISA for Less Complex Audits
  • It will maintain a “reasonable assurance” level (i.e. not be regarded as inferior quality to a full ISA audit)
  • There will be a draft of the new standard presented at the December 2020 meeting of the IAASB
  • It will contain chapters or sections that follow the process of the audit (acceptance, understanding the entity, gaining evidence, risk, reporting, etc.)
  • It acknowledges that the audit process is iterative and interrelated
  • The definition of LCE will be clarified, as it is essential that the reduced standard is only applied in appropriate cases
  • There will be little application material in the standard
  • This is not a “checklist” approach (shudder), but real auditing that requires professional judgement to be exercised
  • The standard will be framework-neutral and apply worldwide
  • It also must be broad enough to encompass changing technologies and innovative audit approaches
  • And of course, for us in NZ and Australia, adoption will require approval by the appropriate bodies.

Is this good for the profession?

The interviewer infers that this new standard could be a good “entry-level” teaching tool for those new to auditing. And this is a good point.

The bar is set so high academically in teaching auditing (even back in my experience at the University of Auckland in the late 1970s) that most graduates theoretical understanding of auditing standards and processes (or lack thereof) does not translate well into the actual auditing understanding needed in our average CA firms.

Maybe this standard will not only help LCE audits be more efficient but will actually help make the audit process more accessible and practical to new entrants into the world of audit?

Maybe they learn the basic patterns here then layer the deeper understanding that the ISAs require on top of these basics as their experience and exposure to more complex entities grows?

Finally, the issue is raised in the interview as to whether this could lead to another designation of audit practitioner? A two-tier profession.

This is open for discussion. I would argue that at least in NZ this is de facto what has emerged. We see quite a clear split in our Audit Assistant clientele between firms that carry out the full suite of work from large listed companies all the way down, and firms that just carry out work for charities and not-for-profits exclusively.

Effectively many of our user firms could probably carry out all their work under the new LCE standard. And in my opinion that specialisation is probably a good thing.