28 February 2024

Many firms using Audit Assistant also have specific document management systems for their wider document management and cloud storage requirements. Users have asked us what we support, and what we suggest that they use.

A recent survey of our users found an almost even split of Microsoft SharePoint, Google Workspace, FYI, Dropbox and OneDrive, with some users still just using their local server (presumably backed up). We have also noticed an upsurge in interest in SuiteFiles. Following is a quick comparison and assessment of what is out there for SME-type audit firms:

The basic tools

Many will be familiar with SharePoint. It is Microsoft’s document management and storage system. The version we generally talk about – SharePoint Online – bundles with their 365 Platform. SharePoint has been around in the cloud version of Office 365 since 2012, so it was one of the early options for storage and document management. It can be purchased for $8.10NZ /user/month and includes OneDrive file storage. Or for a little more (NZ$20.20/user/month) Microsoft 365 Business Basic also includes desktop versions of all the normal Microsoft applications plus SharePoint and Teams. Most CA firms already likely have this subscription.

While SharePoint is predominantly an online document management system and communication site, OneDrive is another Microsoft product that is commonly used for seamless online backup. Its Mac equivalent is iCloud Drive. Files saved on your OneDrive or iCloud Drive are saved both on your device and seamlessly backed up in the cloud. This is very useful if you are accessing files from more than one device and takes the drama out of remembering to do backups. As predominantly Mac users we utilise iCloud for our general document backups.

Google Workspace evolved out of Gmail, and Google’s Chrome browser which added a suite of free add-ons for document storage and collaboration. The heart of document storage and exchange was Google Drive, launched in 2012. which was then rolled in with Google Docs, Google Calendar, Google Meet, and other products to first form G-Suite now renamed Google Workspace. There are free versions – but the basic paid version ($9.00NZ/user/month) actually provides quite a lot. We use Workspace for our email management and online video meetings.

Dropbox is the go-to for large file exchange. When we were looking for something to share raw video footage with our team, we added Dropbox to our toolkit. In many ways like Google Drive, its basic plans are all about storing and exchanging large files simply.

It is worth mentioning Adobe Acrobat as an option for managing PDFs. Their digital signing and PDF manipulation tools are easy to use and industry standard. It also easily integrates with the solutions above. Cloud storage is also included. Many firms use it for annotating PDFs before attaching to Audit Assistant, and for converting PDFs to Word or Excel files if required. It starts at $30.30AU/month

Dropbox, Google Drive, iCloud Drive or OneDrive are suited to smaller businesses with limited complexity and offer simple workflows for processing day-to-day jobs. What if you need more than just storage and want to move to document and workflow management that is more specific for a professional firm?

Document management systems for Accountants

Specific document management tools aimed at Accountants and other professional firms include SuiteFiles, FYI Docs and Karbon. These all integrate with Microsoft 365. SuiteFiles and FYI Docs both also require a Microsoft Business subscription, which starts at $20.20NZ/user/month.

SuiteFiles, like Audit Assistant, is a NZ-based company. The product is designed for small and medium businesses and includes document management, a client portal, task and email management, digital signing, and full-text search for locating documents. They say that “What separates SuiteFiles from SharePoint is our easy-to-navigate interface and in-built features such as digital signing, client portals, and PDF functionality which cut out extra software subscriptions.” SuiteFiles starts at $25NZ/user/month for file storage, PDF annotation, and email integration. A downside is that there is a minimum requirement of 10 users – unnecessarily large for many small firms. The “Super Suite” includes full PDF merging and manipulation, a client portal, and digital signing. It costs $45NZ/user/month and has a minimum sign-up of 5 users. So for a smaller firm, the larger plan has more useful features and represents better value.

FYI Docs is an Australian-based document management system that also includes a practice management platform. It seems to be more client-focused – more like a CRM tool. It integrates with Xero (and requires a Xero subscription). Subscriptions start at $30NZ/user/month. The Pro version, at $50NZ/user/month, includes collaboration tools, timesheets into Xero, and some custom automation. Their Elite version, at $70NZ/user/month, includes time and billing, employee management, automatic time tracking, capacity planning and reports. All plans have a minimum of 5 users. The Elite version seems to provide a comprehensive practice management system but is marked as “coming soon” – so not available as yet.

Karbon is also worth considering. Also originating in Australasia, it is an even more comprehensive offering. It seeks to be a full practice management solution and includes a phone app. Instead of being restricted to Microsoft and Xero, it integrates with a wider variety of platforms. It contains most of the features of the tools above however it costs a bit more – $59NZ/user/month for the basic “team” plan, and $89NZ/user/month for the “business” plan.

What fits best with Audit Assistant?

Many of the features offered in these packages in terms of client collaboration and document exchange are already covered in Audit Assistant. Clients may upload documents and add information by way of shared pages and requests. This is being updated to a full client portal in our new platform currently under development.

In terms of PDF annotation, this is also currently under development and will soon be released within our existing platform. Digital signing is also in development within our new platform.

At present, some firms use our attachment link system to hyperlink from SharePoint, Google Workspace or similar so files are easily accessed during the audit work. Then at the end of the job, the files are bundled into a zip file and attached to the AA job. This will be unnecessary with the new platform where documents will be editable without downloading, utilising an integration between Audit Assistant and the firm’s Sharepoint. Our present platform can preview documents and spreadsheets, but the new version will also be able to open and update them seamlessley.

What about job management and time tracking? We currently can link our deadlines/milestones to an external calendar, which helps with managing workflow, but we do not have plans at this stage to add time tracking and budgeting tools. We have surveyed our users in the past, and this is not something that has been widely requested because of the use of standard practice management and billing systems in MYOB, Xero and similar.

In terms of team collaboration, this is already built into Audit Assistant. All work is carried out in real-time and follow-ups and review notes can be shared across the team, with instant notifications of changes. We do not add client emails to Audit Assistant because we encourage users to maintain all client interaction within the audit file by way of shared pages, requests, and documents, recognising that emails tend to be less secure. We will be developing this further in our new platform.

In addition, we will be adding more levels of reporting to show the progress of jobs by director/branch or staff member with various levels of filters. We will also be automating bulk client contacts – say sending out client information requests for a range of similar jobs.

In terms of integrations, we are working on single sign-on to simplify user management, and using Zapier to easily transfer data like contact details and milestones to and from other software, and also for pulling data from ledgers into Audit Assistant for analysis. And, as mentioned above, we will use a SharePoint integration for document editing. We are mindful however that an audit file must not have fuzzy boundaries – the final audit file must not be locked down and not able to be changed, so we keep very clear about what is inside and what is outside the audit file.

Our recommendations

Looking at external document management/practice management systems to complement Audit Assistant, we suggest that you consider the following:

  • Long-term storage – while we back up rolled-over files and attachments, our Terms of Use only guarantee three years of backups. We recommend that completed jobs are backed up onto your firm file storage system. Something like Dropbox, or even OneDrive would be fine for this purpose.
  • Word and Excel files used within your Audit Assistant file – Office 365/SharePoint will be our point of integration to enable live editing in our new platform. The completed file will then be automatically downloaded into the audit file upon completion of the job.
  • Other client documents and emails that are not part of the audit file – a client management system could be useful for this, for tracking client information and holding day-to-day interactions that are not specific to the audit documentation. Basic versions of FYI Docs or SuiteFiles would do this well.
  • Time tracking, budgeting, and billing – If you don’t already have this functionality then more advanced versions of FYI Docs, SuiteFiles, or Karbon would be suitable.

Please give us feedback on your experience with any of the products listed above, Which ones do you use? How do you find them?

31 October 2023

Many audit firms have their own internal policies and methodologies for setting materiality. However many of our smaller firms struggle with a consistent approach. What is best practice?

ISA 320 (para 2) describes materiality as follows:

Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.

This implies that we identify who are the likely users of the financial statements. In the case of Not-for-Profits (NPFs) this is likely to be the members of the organisation, recipients of the services provided, and those who are likely to be external funders: grant providers and perhaps lending institutions.

What will users be concerned about in NFPs?

Certainly the ongoing viability of the entity, perhaps risks around income understatement or expense overstatement. Retention of value for assets will also be important. What will not be so important? Profit may indicate the ability to continue and grow, but it is not the primary reason the entity exists. So what parts of the financial statements will most influence the economic decisions of the users?

The important element is likely to be the costs of operating the entity. If the entity is able to deliver its services in a cost-effective and sustainable manner then stakeholders will continue to support it through their membership, grants, and other investments of time and funds.

What benchmark?

This emphasis on expenditure is reflected in how, in NZ, our four-tier NFP framework is measured – based on expenditure from the prior two years. So it makes sense to use this as our benchmark. Examples of benchmarks in ISA 320 (A5) include profit before tax, total revenue, gross profit and total expenses, and total equity or net asset value. Note that some firms use an average of the benchmark over the last three years to smooth out variations. This is worth considering if there are in fact such variations.

What about a new entity?

If the entity is new, and the first period is less than twelve months, can the auditor gross up the benchmark to twelve months for the calculation? No, because materiality applies to the particular financial statements being audited – regardless of the period length. Paragraph A7 is explicit about this.

What percentage should be applied to the benchmark?

ISA 320 (A4) states that “A percentage is often applied to a chosen benchmark as a starting point in determining materiality for the financial statements as a whole.”

This is where judgment must be applied. What percentage should we use? Commonly auditors choose between 0.5% and 3.0% of revenue or expenditure for overall materiality. However, the standard makes it clear that it is a matter of professional judgement and the auditor should not be confined to specific limits.

What is performance materiality?

Paragraph A13 tells us that “Performance materiality (which, as defined, is one or more amounts) is set to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in the financial statements exceeds materiality for the financial statements as a whole.

Some firms refer to this as giving materiality a “haircut.” The theory is that pure materiality is what would influence the economic decisions of the users, but what if we miss something close to materiality, or a combination of factors tips us over into materiality? So performance materiality (PM) gives us some headroom for this – providing a buffer between our theoretical critical value and working materiality so some slack is built in.

Typically firms use 75-80% of overall materiality, but the standard suggests that the auditor considers that this may be assessed on a class, balance and disclosure basis, as related to risk, previous experience, and our understanding of the entity. Commonly related parties will need to be considered with a lower PM given this disclosure is generally regarded as being qualitatively material.

How about relating to audit risk?

There is a relationship between materiality and the level of audit risk. Simply put, the higher the audit risk, the lower the materiality level that should be applied. When there is a higher risk we should be turning the magnitude of our microscope up to a higher level i.e. reducing materiality.

Risk can be different for different elements of the financial statements, so how can our materiality levels reflect this? We can do this by applying different performance materiality as above. This can also be achieved by using separate benchmarks.

For instance, an NPF has relatively low income and expenditure but high-value land and buildings. Risk is assessed as low for the assets as they do not change and are valued at cost, but expenditure has a higher risk profile. It may be appropriate to use 5% of fixed assets for those balances but 1% of expenditure for everything else.

Another method of recognising different levels of risk on different balances is applying confidence levels to testing. So for instance, the overall risk is set at 2% of expenditure, but when testing revenue and expenditure a confidence level of 0.5 is applied to reduce the sampling interval to half of PM, doubling the sample size. Conversely, a confidence level of 2.0 is applied to increase the sampling interval to twice PM to look at fewer items, because there is less perceived risk. Or we could create a combination of all of the above in a more complex job.

How is materiality applied?

There are three areas where materiality is applied as per paragraph A1.

Firstly, identifying and assessing risks of material misstatement. This involves what we look at in terms of risk. This ties into the discussion of inherent risk and control risk. We only need to consider risks that affect the financial statements, not all business risks. Then we don’t need to consider all classes, balances and disclosures, just those with a risk of material misstatement.

So when we are considering risk we should have materiality in mind. For instance, it was traditional to qualify for cash income, however with less use of cash this qualification may not be automatic. Yes, there is still a risk, but if cash receipts only. make up a tiny proportion of income, it is probably not material.

When identifying classes of transactions, a group of balances may be material in total, but not individually – for instance a series of grants. It makes sense to group these items and apply risk assessment to the group. By definition, all material balances or classes form a risk, so these should be identified and their risk profiles assessed. Even if they are low risk, if they are material they should be flagged and considered.

Don’t forget about balances or classes that are not presenting as material but have the potential to be material – understated accruals or creditors are the common examples.

Secondly, materiality is applied when determining the nature, timing and extent of further audit procedures. This is most likely to be applied when selecting a sample for testing. Again, the microscope metaphor works well. We look at a dataset through a microscope, but if that is set too low at 40x we may miss potentially material items. If it is set too high at 1000x we will be looking in too much detail – getting lost in the job and spending way too much time.

Some firms will consider all transactions over performance materiality, however, a better application of materiality to sampling is using a cumulative sampling tool with an interval based on performance materiality (adjusted for confidence level if required) to arrive at a sensible, statistically robust sample size for detailed substantive testing. Note too that the sampling interval may be adjusted if reliance is being placed on controls that have been tested, or on analytical procedures. These decisions should all be documented.

Thirdly, materiality is to be considered when evaluating the effect of misstatements on the financial statements and in forming the opinion in the auditor’s report. When we have done our testing and accumulated our audit adjustments and disclosure errors, we assess these for their materiality. If there are misstatements that the client will not adjust, then we use materiality to assess whether we need to modify our opinion in some way.

Summary – practical applications for small NFPs

Typically, in a small non-complex NFP, audit firms set an overall materiality based on expenditure and apply a materiality percentage of 2-3% unless there are serious pervasive risks. A PM of 80% is used in most cases. Then they apply PM to their substantive testing using it for their sampling interval, unless there are good reasons to adjust it – say if reliance is being placed on controls testing or analytical procedures. Balances that are already ‘proved in total’ should be excluded from this kind of sampling. So to summarise:

  • Consider the users of the financial statements and what their motivations and interests are when setting materiality.
  • Use expenditure as your main benchmark for materiality in NFPs.
  • Consider benchmark averaging – including prior years – if there have been major changes.
  • Using standard percentages of the benchmark is okay, but make sure you relate this to assessed risk.
  • Use separate confidence levels or performance materiality to adjust testing when risk is assessed as lower or higher, or reliance is being placed on controls or analytical procedures.
  • Don’t forget to document your decisions and your rationale for those decisions.
  • Balances or classes that are material – or potentially material – represent risks, so make sure they are identified and addressed.
  • Don’t over-audit by choosing materiality that is so low that nothing is being proven by your extra work.
  • Don’t under-audit by setting materiality too high – or forgetting to apply it throughout the job – so that you miss important details.
  • Document.
  • Document.
  • Document.

30 May 2023

So we have a typical small not for profit: poor division of duties, no real controls apart from two signatories for payments, a review of financial results at irregular board meetings, and the annual Performance Report prepared by external accountants.

We know we are not relying on controls for our audit work, but that pesky ISA 315 tells us that we still have to document controls, such as they are. We must – according to paragraph 25 – obtain an understanding of the entity’s information system and communication relevant to the preparation of the financial statements, including:

  • how information flows through the entity’s information system, including how transactions are initiated, and how information about them is recorded, processed, corrected as necessary, incorporated in the general ledger and reported in the financial statements, and
  • how information about events and conditions, other than transactions, is captured, processed and disclosed in the financial statements;
  • understanding how the entity communicates significant matters that support the preparation of the financial statements and related reporting responsibilities in the information system and other components of the system of internal control so that we may
  • evaluate whether the entity’s information system and communication appropriately support the preparation of the entity’s financial statements.

How do we obtain this information? Para A136 tells us it is through various ways that may include:

  • enquiries of relevant personnel about the procedures used to initiate, record, process and report transactions or about the entity’s financial reporting process;
  • inspection of policy or process manuals or other documentation of the entity’s information system;
  • observation of the performance of the policies or procedures by the entity’s personnel; or
  • selecting transactions and tracing them through the applicable process in the information system (i.e., performing a walk-through).

Optional or required?

So does this mean that walk-through tests are one option among many? Yes and no. We are required to document the identified controls that are relevant to inherent risks that we have identified. Paragraph A125 states that we must “evaluate the design and determine whether the controls have been implemented.” Here is the catch. How can we assess whether the controls have been implemented unless we perform some sort of walk-through test?

The client may complete our internal controls checklist, send us their procedures manual, and tell us sweet stories, but as we all know, what they say they do or think they do may not be what they actually do. These procedures may have existed at some point in the past, but internal controls, like most systems, are subject to entropy over time.

Part of our work is therefore to look for changes. Paragraph A41 states that we are required to determine whether information obtained from our previous experience with the entity and from audit procedures performed in previous audits remains relevant and reliable. If circumstances have changed information from prior periods may no longer be relevant or reliable. The standard suggests that enquiries and other appropriate audit procedures, such as walk-throughs of relevant systems should be carried out.

What form can a walk-through take?

We document the system at a level appropriate to the entity, especially noting the controls. Then we check to see if the system as described is actually what they do. For instance, journals must always be given close attention. How are they initiated? Who can create journals? Who approves them? What reviews are carried out? What other means are there of making adjustments to the ledger – editing transactions say?

In this case, we would document the process, then follow one journal through from initiation to ledger, ensuring that all levels of approval and checking have in fact been followed and there is evidence of this.

This is different to a test of controls which would be spread across the period. The walk-through does not give us reliance that the controls are effective, just that we have documented them correctly. In a simple small entity, we could add this walk-through test as a narrative comment. In a more complex entity, it would make sense to create a diagram and then perhaps a spreadsheet following the transaction through the key steps and controls.

You may wish to carry out the walk-through as you have someone explaining the system and you are documenting it. For instance, you are visiting the client – a sports club say – and you ask them – show me the process for recording a bar sale? Using your phone camera you could record how a sale is initiated, how it is recorded and batched, banked, and reconciled back to the bank details in their software, and the checks and approvals required at each step. Then you could use the photos to build a visual record of how the revenue system works, with suitable narration and assessment, and attach that to your systems documentation page.

As part of going through the system with a staff member remember to be curious and ask things like: What if the bar staff are away? Who does this approval when the manager is on holiday? Do those security cameras actually work? Why is the till left open? What is done when a transaction includes more than one revenue type?


ISA 315 (revised 2019) focuses first on inherent risk. However, control risk is also important, especially when it relates to journals and IT systems. These must be documented at an appropriate level for the entity whether we intend to rely on the controls or not. And describing controls is not enough – we must have confidence that we are describing what actually happens. In my view, walk-through tests are the only real way to achieve this, and many audit files are lacking this important element.

17 May 2023

So, you are preparing financial statements for a Tier 3 charity – or auditing them – and the board have come up with the bright idea that they will use a revalued amount for land and buildings. The financial position will look better, so funders and members will feel that the entity is secure. What could possibly go wrong?

Quite a bit, actually. I’ve been asked to review a few of these lately and there are a number of potential pitfalls to explore. If you are auditing these kinds of statements, I hope this is a helpful guide to what to look out for.

Tier 3 – the basic rules of engagement

Table 3 of PBE SFR-A (NFP) (the Tier 3 reporting standard) states that Property, Plant and Equipment are to be recorded when purchased or donated, at cost if purchased or at current value if donated. Impairment is to be recognised if the market price of the asset falls below its carrying (book) value, or when the value of the asset to the entity is less than its carrying value if the asset is to be retained.

It is anticipated that depreciation will be charged to spread the cost of the asset – we’re talking buildings – over its useful life. Land is not to be depreciated.

There is a common misconception that buildings are not required to be depreciated – probably a carry-over from tax accounting. But Charities don’t fall under tax rules. PBE SFR-A (NFP) assumes depreciation will be charged on buildings.

Tier 3 – what to do with revaluations

PBE SFR-A (NFP) Paragraph A113 says that ‘an entity may elect to revalue a class of property, plant and equipment.’ It suggests that this will be the case where there is the likelihood of increases in value over the asset’s life – i.e. for land and buildings. If this is to be done, PBE SFR-A (NFP) tells us that we must apply the relevant requirements of PBE IPSAS 17 Property, Plant and Equipment.

What is PBE IPSAS 17? It is an international standard that applies, in New Zealand, to Tier 1 and 2 entities. So we’re playing with the big boys now. We going to have to read a ‘proper’ accounting standard. The only slight exception from the full PBE allowed under PBE SFR-A (NFP) is that the entity may use the current rateable or government valuation rather than ‘fair value’ as required by PBE IPSAS 17 when revaluing.

What are the implications? Firstly that disclosure must be made that PBE IPSAS 17 has been adopted for land and buildings. There should also be a change in accounting policy note when first adopted. Auditors should also note in their report that the Performance Report is prepared using PBE SFR-A (NFP) with PBE IPSAS 17 applied to the revaluation of land and buildings.

PBE IPSAS 17 – what’s required?

Paragraph 44 tells us that the carrying value of a revalued asset shall be its revalued amount, less any subsequent depreciation and impairment losses. Revaluations are to be made ‘with sufficient regularity to ensure that the carrying amount does not differ materially from that which would be determined using fair value at the reporting date.’

As we have said, many Tier 3 charities will use current rateable or government valuation. This is fine. If not the standard allows market-based appraisals to be used. In some cases depreciated replacement cost may be appropriate – say where there is a building on leasehold land. Some additional points to note:

  • If an item of property is revalued, the entire class of property to which that asset belongs shall be revalued. (para 51)
  • Land is one class, and Buildings are another class. (para 52)
  • This means that you can’t just value one bit of land or one building – you have to revalue all land holdings or all buildings at the same time. (para 53)
  • The increase from the revaluation must be recognised in ‘other comprehensive revenue and expense’ and accumulated in ‘net assets/equity’ under the heading of revaluation surplus. (para 54)

Remember that land is not to be depreciated, but buildings are – including depreciating the revaluation of buildings. So you will need to identify which part of the revaluation relates to land and which part to buildings.

The accounting treatment of the revaluation

A couple of problems arise here for Tier 3 entities. One is that they do not have an ‘other comprehensive revenue and expense’ category. The other relates to revaluation reserves.

PBE SFR-A (NFP) A143 states that there are two kinds of reserves; ‘Restricted reserves’ which may be used only for a particular purpose such as terms agreed with a donor, and ‘Discretionary reserves’ created by a transfer from accumulated funds to set aside resources for a particular purpose. Neither of these could pass as revaluation reserves.

There are two options. One is to bury the revaluation in accumulated funds. The second is to assume that if we are applying PBE IPSAS 17 it’s okay for us to break the letter of the Tier 3 law and make a revaluation reserve. I think this is the most sensible option, and the proposed changes to the Tier 3 standard obviously recognise the problem and assume the use of a revaluation reserve.

What about whether to record the revaluation through the Statement of Financial Performance or put it directly to Equity? Again I think that we are justified in adding to our Tier 3 rules by including an additional section in our Statement of Financial Performance – below the operating surplus or deficit – for the revaluation gain. Charities Services encourage this treatment. However, the updates to Tier 3 will allow the transfer of the surplus directly to reserves. So for now it is probably more correct to put through the Statement of Financial Performance – but ‘below the line.’

To revalue or not?

For entities who decide to use valuations for land and buildings, there will be some extra complexity and disclosure required. Extra notes will be needed, including details of the valuer, their qualifications, the date of valuation and the revaluation cycle. Depreciation will need to be calculated from the date of revaluation on the amount attributed to buildings. And auditors will need to assess all these things.

Note that there are proposed changes to the Tier 3 standard that do allow for revaluation to be done without having to move to PBE IPSAS 17. These are not far away.* See our commentary here. So if you are preparing financial statements for a Tier 3 entity you might want to consider waiting a while before revaluing, and just disclose the latest valuation by way of note.

*The new Tier 3 (NFP) Standard sets out the requirements that Tier 3 NFP entities are required to follow when preparing their annual performance reports. This Standard is required to be applied for accounting periods that begin on or after 1 April 2024. Earlier application is permitted for accounting periods that end after the Standard takes effect on 15 June 2023.

31 March 2023

In assisting a range of Audit firms with their Quality Control I get to see quite a few files for review, mostly Tier 3 charities. There are a number of common areas where improvements could be made. We explore some of these below:

Qualification for cash income

It is still common for audit reports for charities and clubs to qualify for cash income. However, with the reduction in the use of cash, this may not be given. In many jobs, I see this unquestioningly adopted, without an attempt to quantify just how much of the income of donations say is actually represented by cash so subject to that risk. The audit report then may lead a reader to the conclusion that the potential understatement is much larger than it actually is.

When considering the risk of understatement of cash income and subsequent qualification, I suggest that work be documented to quantify the total amount represented by cash and the potential understatement. this may not be material, in which case a qualification will not be necessary. It may be material and subject to qualification, but the audit report should identify the particular items where there may be an understatement instead of just a blanket statement. Also, rather than a qualified opinion, an “emphasis of matter” paragraph may be appropriate, as is more common in Australia.

There is also the opportunity to assist the client with advice on how to implement controls or update their current internal controls so that the qualification may not be required in the future.

Inconsistency between engagement letters, work done and audit reports

It is vital that what we have agreed we will do in the engagement letter is what we actually do, and our audit reports actually reflect this. Does the testing regime for service performance correspond with the testing we have done? Have we properly identified the reporting regime used by the entity and used the correct template that reflects that regime? This will be a big issue as clients update to the new Tier 3 and 4 reporting standards.

If there is inconsistency and the job is subsequently subject to a dispute, this will be an immediate black mark against the quality of your work.

Risks at the Financial Statement and Assertion level confused

I see many cases where assertion level risks are identified as financial statement level. All risks will potentially affect the financial statements, but most only relate to a few balances, disclosures or assertions. These are described therefore as risks at the assertion level. Risks at the financial statement level are risks that are pervasive to the whole of the financial statements and potentially affect many assertions (see ISA 315 (Revised 2019), para 4).

So risks at the financial statement level are ‘top level’ risks, which will likely have related risks at the assertion level, so they will be rarer than assertion level risks. An example of a financial statement level risk is given in ISA 315 (Revised 2019), A195: An entity faces operating losses and liquidity issues and is reliant on funding that has not yet been secured. In such a circumstance, the auditor may determine that the going concern basis of accounting gives rise to a risk of material misstatement at the financial statement level.

Lack of walk-through testing

When controls are not to be tested there is a common assumption that walk-through tests are not required. However, even if not testing or relying on controls we are required to document the identified controls that are relevant to inherent risks that we have identified. And we must somehow confirm that we have documented the controls correctly, implying some sort of walk-through test. This need not be in as much detail as a complex system requires, but we should add some level of documentation.

We have a full article discussing this in detail. And we have updated our latest templates to remove the ‘walkthrough tests not required’ option.

Enquiries directed at a limited range of people

Some questionnaires are designed to be answered by someone from management, and some from governance. The fraud questionnaires are a good example. However, in small entities, I commonly see all enquiries directed to one person.

While this reflects something of the reality of small entities, it is an important control that governance is aware of and oversees what is happening at a managerial level. Gaining perspective from different people – as well as being requirements of the standards – helps build a wider ‘3D’ view of the entity.

Verbal enquiries neglecting to identify the entity contact

Sometimes instead of having an entity contact complete a checklist or answer a question online, it is more convenient to interview them and record their responses.

In these cases, it is essential to record the name of the person and the date of the interview.

Budget testing as an analytical review tool

It is common to have a client respond to the questionnaire that they do indeed prepare budgets. However, it is uncommon to see these budget figures used in an Analytical Review test. Many times I see the Analytical Review option for budgets marked “no Budget.”

Comparing budgets to actual results can be a powerful analytical and risk identification tool in SME audits, where budgets define the expectation of governance. Even if budgets are not prepared for all the figures reflected in the TB, the budget column for key figures can be manually completed on the TB page, to flow through to the analysis pages.

Lack of follow-up on issues identified in the planning phase

Often I see key items or risks that are mentioned at the staff planning meeting, in information gathered from the client, or when discussing rebuttable presumptions around fraud, understatement of income, or risks associated with journals, that are not flagged and addressed specifically later in the file.

In the current iteration of Audit Assistant, the risk flag tool should be used in these cases, as all comments may be flagged as risks. This will ensure that the issue is not dropped, but is appropriately brought to the foreground in the audit work. There is also the “Key Issue” option which may be used to flag important items intended for partner attention.

Lack of identification of risks

Risk identification is a bit of a moving target as we all adapt to ISA 315 (revised 2019), however, even under the old standard there was a requirement to identify risks of material misstatement and form the focus of our testing primarily around the most significant risks. I see many good examples of risk assessment, but also many where material items in the financial statements are not assessed as risk, presumably because the auditor has looked at the item and assessed it as low risk – but not documented that decision.

In Tier 3 entities, where there are a limited number of categories in the Statement of Performance and Statement of Financial Position, I would expect to see each category subtotalled in the TB, and a risk assessment for each subtotal, unless it is clearly immaterial or has no prospect of being material.

Lack of identification of significant risks

Many audit files have all their identified risks assessed as very much the same risk profile. I recently heard a reviewer describe a good audit file as one that resembled the Andes rather than rolling green hills.

In other words, we are trying to find which risks are significant to the entity and highlight those rather than just saying all risks are on the same level. Even in a very low-risk job, there will be some inherent risks that the entity faces that will stand out as the main threats to the entity – and these are where we need to focus our work. This will produce not only better audit work but also more efficient work because we are putting our resources into the right areas. If we view “Significant” as a relative term rather than absolute, we will start to identify risks that are significant in the context of the job. This is especially important in complying with ISA 315 (revised 2019).

Note that anything that will result in a modification to the audit report should be identified as significant. Many firms use the “Key Issues” flag to help clearly identify these risks – which is a great idea.

Fixed asset valuation methods

When a Tier 3 entity opts to revalue their land and buildings – as many do – leaving behind the safe harbour of the Tier 3 standards and ventures into the deep waters of PBE IPSAS 17 there are many potential snares, as I discovered recently.

Don’t assume that the CA who prepared the financial statements got it right, and read the standard well. I would assume that any revaluation of this sort is a significant risk as it will likely be highly material. Also, remember to check the disclosures in the Performance Report – that they reference the standard – and include a mention of the use of PBE IPSAS 17 in the preparation of the financial statements in your audit report just to be safe. Finally, be aware that the new Tier 3 standard allows changes in the treatment of revaluations, so be aware of what is changing.

Do you agree? Any comments or suggestions? Contact me here.

26 August 2022

Kaizen, also known as continuous improvement, is a long-term approach to work that systematically seeks to achieve small, incremental changes in processes in order to improve efficiency and quality.

Kaizen can be applied to any kind of work, but it is perhaps best known for being used in lean manufacturing and lean programming. If a work environment practices kaizen, continuous improvement is the responsibility of every worker, not just a selected few.

Kaizen can be roughly translated from Japanese to mean ‘good change.‘ The philosophy behind kaizen is often credited to Dr W. Edwards Deming. Dr Deming was invited by Japanese industrial leaders and engineers to help rebuild Japan after World War II. He was honoured for his contributions by Emperor Hirohito and the Japanese Union of Scientists and Engineers.

One version of the ten basic Kaizen principles is as follows (my comments are added in italics):

  1. Throw out all your old fixed ideas on how to do things. Start with a clean slate every day, don’t get stuck in your old assumptions.
  2. No blame – treat others as you want to be treated. Encourage and affirm others in the team including yourself.
  3. Think positive – don’t say can’t. Lean into grace – there is always a way forward.
  4. Don’t wait for perfection – 50% improvement now is fine. Don’t get stuck waiting for perfection, keep moving forward and over time results will come. A few mistakes show that you are taking risks and that’s okay.
  5. Correct mistakes as soon as they are found. Be willing to admit mistakes and fix them in a timely way. It keeps your clients happy, encourages feedback and makes a better product.
  6. Don’t substitute money for thinking – Creativity before Capital. When you have the money you may not be more creative. Limits are great for new ideas.
  7. Keep asking “why?” until you get to the root cause. Don’t settle for overly simplistic solutions, or you will be treating the fruit instead of the root.
  8. Better the wisdom of 5 people than the expertise of 1. Group wisdom will see through the simplistic answers – you can’t beat the wisdom of experience.
  9. Base decisions on data not opinions. Make sure you have real evidence not just hearsay or guesses – check out your hunches and feelings against reality.
  10. Improvement is not made from a conference room! Be out there among the people – staff and clients asking them where improvement can be made. Test theory in the real world.

Dr Deming was one of the key originators of these principles, and reading his original ideas is refreshing and somewhat surprising in their timelessness, bluntness and practicality – and also in their wide application to almost any kind of business enterprise. 

In his book Out of the Crisis, Dr Deming shared his philosophy of continuous improvement (again my comments are added in italics):

  1. Create constancy of purpose toward improvement of product and service, with the aim to become competitive and to stay in business and to provide jobs. Have a clear philosophy – not just about money but about sustainability and job creation.
  2. Adopt the new philosophy. We are in a new economic age. Western management must awaken to the challenge, must learn their responsibilities, and take on leadership for change. Just do it – keep revisiting.
  3. Eliminate the need for inspection on a mass basis by building quality into the product in the first place. Do it the right first time as much as possible.
  4. End the practice of awarding business on the basis of price tag. Instead, minimise total cost. Move towards a single supplier for any one item, on a long-term relationship of loyalty and trust. Use local firms where possible, and use organisations and people that fit well – the overall result will be lower cost.
  5. Improve constantly and forever the system of production and service to improve quality and productivity and thus constantly decrease costs. Be constantly aware of how processes and systems may be improved and write these things down.
  6. Institute training on the job. Give time to this – don’t rely on external training, learning on the job will give greater satisfaction to staff as their skills increase. Don’t expect them to ‘just know’.
  7. Institute leadership. The aim of supervision should be to help people and machines and gadgets to do a better job. Be present and give and receive feedback on a regular basis.
  8. Drive out fear so that everyone may work effectively for the company. Be approachable, admit fault, be fair and empower others – it will win respect.
  9. Break down barriers between departments. People in research, design, sales and production must work as a team to foresee problems of production and use of the product or service. Communicate with co-workers, and treat everyone as of equal value. It will encourage work satisfaction, and team cohesion and so honesty and creativity will increase.
  10. Eliminate slogans, exhortations, and targets for the work force asking for zero defects and new levels of productivity. Such exhortations only create adversarial relationships, as the bulk of the causes of low quality and low productivity belong to the system and thus lie beyond the power of the work force.
    • Eliminate work standards (quotas) on the factory floor. Substitute with leadership.
    • Eliminate management by objective. Eliminate management by numbers and numerical goals. Instead substitute with leadership.
    • Encourage one another and accept mistakes as normal to learning and developing new, good things.
  11. Remove barriers that rob the hourly worker of his right to pride of workmanship. The responsibility of supervisors must be changed from sheer numbers to quality. Quality comes from focus and teamwork, not just pumping out work.
  12. Remove barriers that rob people in management and in engineering of their right to pride of workmanship. This means, inter alia, abolishment of the annual or merit rating and of management by objectives. Let people enjoy coming up with their own solutions, and taking responsibility for projects themselves.
  13. Institute a vigorous program of education and self-improvement. Encourage everyone to take time to ‘sharpen their saw.’
  14. Put everybody in the company to work to accomplish the transformation. The transformation is everybody’s job. Involve everyone, as much as possible in the wide view – talk about sales and marketing with engineering people, and help salespeople understand the technical challenges.

I like to review these steps periodically. Adding my own twist on the basic principles helps me stick with my “why” – the values that define my personal business philosophy.

When we start losing our “why” we start feeling uncomfortable in our work. Reviewing this helps us see where we are perhaps getting pulled off the track and what we have been neglecting. I can see a couple right now I need to work on. A great reality check!