9 March 2023

Audit Assistant has been making online collaboration tools for auditors for many years, so we thought why not use this incredible functionality to help accountants who prepare financial statements as well?

If you carry out the preparation of financial statements for audit, or review, or just want to have a great paperless compilation process to streamline your business advisory services practice, we have the tool for you.

The annual compilation file meets the need for a central digital repository for annual compilation work. It includes financial reporting checklists for:

  • Tier 1 and 2 Public Benefit Entities
  • Tier 1 and 2 For-Profit Entities
  • Tier 3 Public Benefit Entities
  • Special Purpose (SPFR for FPE) Companies

The output is a PDF that can then be sent directly to your auditor or reviewer, which contains most of what they will need for their work. Alternatively, you can give them direct access to the file so they can pull the data they need for their audit or review file.

Other great features include:

  • Checklists to gather data from your clients via the internet
  • Checklists for confirming compliance with SES-2 and Code of Ethics requirements
  • Standard engagement letters and completion letters including suggestions generated during the work
  • A requests feature whereby client queries are responded to directly into the file
  • Trial balance upload from Xero and other common software that populates ‘lead schedules’ for sections (income, expenditure, bank, debtors etc.)
  • PDFs or spreadsheets can then be added to the correct part of the file supporting the different items in the financial statements
  • External links may be added to say the business website, online repository or client online software
  • Journals may be created from the system that updates the trial balance and form source documents for posting to the client ledger
  • Key Documents such as minutes, constitutions, contracts etc may be uploaded and brought forward each year for reference
  • At completion, the job is rolled over, and ready for the next year, with much of the work just needing to be brought forward and updated for the new year
  • Rollover produces a PDF of the whole job plus attachments for archiving

More than 40% of NZ audit firms use our auditing software, so it makes sense to use our proven and familiar tools to prepare data for your auditor, saving time and hassle.

The Accountants Tool package is designed primarily for CA firms preparing multiple jobs but is also suitable for entities that prepare their performance reports and financial statements in-house. We provide special discount pricing packages in these cases.

Contact us to find out more or for a free demonstration.

21 February 2023

Is this project that we have all eagerly anticipated actually going to happen? It appears so. I recently attended an IFAC webinar (recording is here) that explained the latest developments.

I wrote about this back in 2021 when the draft standard was released. It seems that there has been a bit more clarity as to the application of the standard.

Originally groups were to be excluded from the scope of the standard, however, common sense has now prevailed and groups that meet LCE criteria may now be included. Using component auditors will be acceptable, as components don’t necessarily equate to complexity. An additional section has been added to the original exposure draft discussing the application to components and groups.

The webinar participants reiterated that the standard does not give a lesser level of assurance than a full ISA audit, and audit reports will be essentially unchanged. The standard focuses on core procedures and does not include much explanatory information. It is designed to follow the flow of an audit. It also uses more direct language than the ISAs.

Concerns had been expressed that there seemed to be too much judgment required in whether the standard could be applied. To clarify the scope, the IAASB has agreed to enhance the description of the qualitative characteristics of an LCE and will include an expectation for jurisdictions to determine quantitative thresholds, I assume in terms of say turnover, assets, staffing, or ownership complexity.

Since the LCE standard was proposed, we have had the new ISA 315 (revised 2019). This focus on risk identification and assessment has also flowed through to the LCE standard, with some revision of Part 6 to make it align more with the approach of ISA 315 (revised 2019).

Finally, when can we expect to enter this audit utopia? The finalisation date for the international standard is December 2023. It is then just a matter of how proactive the XRB and other key NZ stakeholders will be in adding any quantitative thresholds and releasing it into the wilds of Aotearoa.

This is going to be a game changer for auditors in NZ, as most of the work we do should fall into the scope of the LCE standard, and most charities and not-for-profits will have fit-for-purpose standards and not have to use auditing standards designed for multinational corporates. Auditors will be partying in the streets when this new standard is released.

7 December 2022

We’ve talked about risk assessment, professional scepticism, responding to identified risks, and the business model in terms of ISA 315 (revised 2019). But the bulk of the actual requirements of the standard (paragraphs 19-27) relate to, as the heading puts it: ‘Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control’. This is the topic of this article.

The new approach to understanding the entity and environment – especially its controls – is fairly significant. The easiest way to express this is to compare the requirements of the old ISA 315 with the revised 2019 version.

Entity and Environment

Paragraphs 19-20 address Understanding the Entity and Its Environment, and the Applicable Financial Reporting Framework.

Paragraph 19(a)(i) specifies that we obtain an understanding of the entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT. Understanding the organisational structure, ownership and governance were previously required under ISA 315, 11(b)(ii). The requirement to understand the business model, and the extent to which this integrates the use of IT is new. We have discussed this at length in a previous article.

Paragraph 19(a)(ii) specifies that we obtain an understanding of industry, regulatory and external factors. This was required in the old standard under paragraph 11(a). The supporting information in paragraphs A68-A73 is worth a read to refresh yourself as to the scope of what is required here. Good general knowledge of the economy, the current issues with the specific industry and the inputs and outputs of the entity are likely to be extremely helpful, and points to be discussed and documented in the team meeting.

Paragraph 19(a)(ii) specifies that we obtain an understanding of the measures used, internally and externally, to assess the entity’s financial performance. This replaces the old paragraph 11(e) requirement to obtain an understanding of the measurement and review of the entity’s financial performance. The difference is specifying internally and externally. The supporting information in paragraph A74 explains that this helps us to consider whether such measures, whether used externally or internally, may create pressure on the entity to achieve performance targets, motivating management to take actions that increase the susceptibility to misstatement due to management bias or fraud. Again, something to discuss in the team meeting. Paragraphs A74-A77 are well worth reading.

Paragraph 19(b) states that we obtain an understanding of the applicable financial reporting framework, and the entity’s accounting policies and the reasons for any changes thereto. This was covered previously in paragraph 11(c). There are three parts to consider: the applicability of the framework, how this fits with the actual policies, whether there have been any changes, and if so, whether are these justified.

Paragraph 19(c) states that we must obtain an understanding of how inherent risk factors affect the susceptibility of assertions to misstatement and the degree to which they do so, in the preparation of the financial statements in accordance with the applicable financial reporting framework, based on the understanding obtained in (a) and (b). This is new. If follows the emphasis in the revised ISA 315 on inherent risks. In paragraphs A87-A89 the emphasis is on susceptibility to misstatement relating to complexity or subjectivity. The greater the complexity or subjectivity, the greater the risk, and the more professional scepticism is required.

Finally, paragraph 20 requires us to evaluate whether the entity’s accounting policies are appropriate and consistent with the applicable financial reporting framework. This was also covered in the old 11(c) paragraph.

It is also interesting to note what has been dropped out. The old ISA 315 11(b) specified that we understand the operations of the entity, the types of investments that the entity is making and plans to make including investments in special-purpose entities, and how the entity is financed. These are all now covered in Appendix 1, which includes these and many more examples of matters to consider when understanding the entity.


The new standard splits the analysis of controls into:

  • the control environment (paragraph 21),
  • the risk assessment process (paragraphs 22-23),
  • the entity’s process to monitor the system of internal control (paragraph 24),
  • the information system and communication (paragraph 25) and
  • control activities (paragraph 26).

These components were previously covered in general terms in paragraphs 12-23 of the old standard, but the new standard is more specific and detailed and will require more work to provide the detail required. Each element must be separately assessed, even though there will be significant common ground. Note too that this work is required whether or not there is any reliance to be placed on controls. This is a risk assessment exercise.

For instance, we must now identify what controls, processes and structures address how management’s oversight responsibilities are carried out, such as the entity’s culture and management’s commitment to integrity and ethical values. (Paragraph 21(a)(i))

This seems a bit over the top for a smaller entity. This is where the scalability provisions can help. Paragraph A16 says: The nature and extent of risk assessment procedures will vary based on the nature and circumstances of the entity (e.g., the formality of the entity’s policies and procedures, and processes and systems). The auditor uses professional judgement to determine the nature and extent of the risk assessment procedures to be performed to meet the requirements of this ISA (NZ).

Paragraph A17 further states: Although the extent to which an entity’s policies and procedures, and processes and systems are formalized may vary, the auditor is still required to obtain the understanding in accordance with paragraphs 19,21,22, 24, 25 and 26.

It continues with an example: Some entities, including less complex entities, and particularly owner-managed entities, may not have established structured processes and systems (e.g., a risk assessment process or a process to monitor the system of internal control) or may have established processes or systems with limited documentation or a lack of consistency in how they are undertaken. When such systems and processes lack formality, the auditor may still be able to perform risk assessment procedures through observation and enquiry.

So we still need to ask the questions, but in the light of the small scale of the entity, on enquiry, the answer might be ‘no formal system, however, ethics are emphasised by example and in staff and board meetings.’

For smaller and less complex entities. meeting all the specific requirements of this part of ISA 315 (revised 2019) may seem tedious, but until we get a standard for LCEs it is, unfortunately, unavoidable.

<< previous article

21 October 2022

Ever wish you could take your current complex review and documentation processes and put them into one bespoke, secure, elegant online solution without spending hundreds of thousands of dollars? Now you can.

Or go next level and become a provider of that content, reselling it to other firms in your industry? This is what ReviewTools from Audit Assistant offers.  

Audit Assistant has been the online tool of choice for the majority of New Zealand SME financial auditors for over ten years. We have now taken this experience and applied it to building ReviewTools  – a secure platform for complex process and assurance work for a wider range of applications.

ReviewTools offers a flexible and powerful base with numerous built-in features that can be flexibly configured for all sorts of diverse, complex review applications.

ReviewTools is an ideal platform for small team collaboration in real-time in complex risk-based and standards-driven processes – perfect for industries and professions where documentation is critical, and evidence gathering and client interaction must be tracked within the application.

ReviewTools includes:

  • Integrated signup, customer management, billing and reports.
  • Built-in two-factor authentication,
  • Encrypted file storage,
  • A professionally hosted and maintained database,
  • Backup and restore service,
  • Risk assessment processes,
  • Customisable team roles,
  • Real-time team interaction,
  • Multi-level review processes,
  • Sampling and analytics tools,
  • Integrated letter and report creation,
  • Uploadable file attachment,
  • Annual rollover if required,
  • Client query tool
  • Invitation for client access to individual pages for data gathering,
  • Hyperlinks to online standards,
  • Dynamic job creation,
  • Export of completed work to PDF,
  • Full dashboard for work tracking and milestones,
  • Ability to customise structure and content as required,
  • Help from our staff with building your application as required,
  • Access from multiple devices.

Let us help take your current workflows and build them into a tight, secure, integrated package – or develop a professional-grade cloud-based product with basic skills using the ReviewTools platform. Leverage your product on our reputation of delivering professional cloud services for over ten years.

Our team can also provide:

  • Help with marketing via our existing networks,
  • Additional custom features if required,
  • Legendary personal support to get you up and running.

What could cost hundreds of thousands of dollars to build from scratch will soon be available to you on a PaaS (Platform as a Service) basis for a monthly subscription.

Contact us to talk about your idea, and how ReviewTools can get your application up and running fast.

28 September 2022

For those who prepare and audit financial statements for “small” (under $2m expenditure) charities and other not-for-profits, there are some important changes coming up. We have made a summary with some commentary about how we think this will impact the sector.

In New Zealand, these smaller entities are very common – there are about 30,000 of them including some soon to be included in this reporting under the Incorporated Societies Act 2022.

The Tier 3 standard continues to be accrual-based, and Tier 4 is a cash-based alternative for smaller entities (under $140k expenditure). This article focuses on Tier 3, which tends to be used much more than the cash-based standard even for many smaller entities as it is much more like traditional reporting. We will look briefly at the Tier 4 proposals at the end.

Service performance

When the standard was introduced there were no NZ reporting or auditing standards for Service Performance Information (SPI). Now we have PBE FRS 48 for Tier 1 and 2 entities, and NZ AS-1 for the audit of Service Performance Information across all the tiers.

In a way, the proposed changes in Tier 3 are simply following the direction set by PBE FRS 48 and NZ AS-1. The terms Outcome and Output were always confusing, so these are being replaced with more descriptive terminology as per PBE FRS 48. Entity Information is no longer a prescribed report, although the information is still expected to be included somewhere.

There is also some helpful guidance provided about what to report as SPI, and how to report it. Reporting must be:

  • Relevant and faithfully represented
  • Understandable
  • Timely and comparable
  • Verifiable

As such, any changes in reporting from the prior year must be explained, so there is consistency in reporting.

In our opinion, these changes are welcome and it makes sense to align SPI reporting with the other standards, as it should be more efficient for preparers and auditors, and more understandable to users.

From an audit perspective, NZ AS-1 is a complex standard that feels like overkill for auditors of smaller entities. Perhaps when the NZ version of the LCE auditing standard is released there may be something size-appropriate for auditing SPI.

Changes to standard revenue and expenditure categories

A common criticism of reporting under the existing Tier 3 standard is that the reporting categories are so broad as to be almost meaningless in some cases. The proposed changes split some of the categories into smaller classifications. For instance,

  • Commercial activities are split out;
  • Grants for capital projects are split from other grants;
  • Government funding is split from non-governmental funding;
  • Donations are now clearly differentiated from membership fees and subscriptions;
  • Employee remuneration (apparently including those paid as contractors) is to be split out from volunteer and other employee expenses.

Preparers of performance reports will be able to tweak the names of the categories, but will not be allowed to add additional categories as before. This is probably for aggregation and analysis purposes.

We think these changes generally make sense. They should make the statement of financial performance more meaningful and reduce the need for extensive notes breaking down the categories.

Revenue recognition changes

The existing standard is fairly inflexible in matching revenue from grants and other bequests and gifts with the use of that money. Donations with a use or return condition are recognised as the condition is fulfilled. Any income without such a condition is currently recognised in the period it was received.

Under the new proposals, if there is a clear expectation of when funds are to be used in terms of an agreed expectation from the grantor, the revenue may be recognised as or when the conditions are satisfied.

This seems like a clear, common-sense response, more in line with the commonly accepted matching principle of accrual accounting.

Alternative measurement for assets

Under the current standard, if fixed assets are revalued, the Tier 2 standard must be used. The proposal is to allow revaluation based on say, RV (rateable value) for land and buildings, or valuation by an independent qualified valuer. Changes are to be made straight to a revaluation reserve. The whole class of assets must be revalued. Once a revaluation is made there must be consistency going forward, with no changing back to other methods, and revaluation updates made on a regular schedule. Depreciation must still be calculated on revalued assets.

The rules are to be applied to assets that do not require significant judgement or complex estimates. Investment property may also be included as their own category under fixed assets and revalued in the same way. It is proposed that financial assets (shares etc.) be measured at their current value, with changes in value put through the statement of financial performance.

This all seems sensible and familiar to us, and simple enough for preparers and auditors.

Including a note on accumulated funds

At present, there are no requirements to disclose any details of accumulated funds. The proposal is that for transparency there be a note that discloses objectives and policies for managing accumulated funds, and any plans for applying accumulated funds to meet the entity objectives. The proposal is for this to be a high-level informational view and not a binding commitment.

We can see some advantages to this disclosure. First, it will make entities think about why they have significant reserves (if in fact, they do) and perhaps how they could be better using these to meet their objectives. If they view their reserves as investments, are they making the best use of their capital? Could they be meeting their objectives in more efficient ways with a redeployment of their equity?

On the other hand, many charities certainly don’t have excess cash or investments and their equity simply represents assets such as land and buildings that are essential to their service delivery. Having to make up a nice story to put into a note in these cases seems like a pointless exercise. This could also be difficult to audit.

Simplification to the statement of cash flows

Cash flow statements are typically a headache for both preparers of financial statements and auditors. Accounting software often struggles and the results are hard to audit and hard for users to understand.

The proposal is that the categories in the statement of cash flows match the categories in the statement of financial performance. It seems to be that the statement of cash flows is to be essentially a statement of receipts and payments.

We think this is a brilliant idea. It will be easier to prepare (just based on the cash report in Xero say), easier to audit, and probably more useful to users.

Change of name

The new standard is to be called Reporting Requirements for Tier 3 Not-For-Profit Entities. This is a welcome improvement from the old tongue twister.

Tier 4 proposed changes

There are a couple of changes proposed for Tier 4. These reflect the changes in categories proposed for Tier 3, some simplified requirements for really small entities (under $10k expenditure), changing the language around outcomes and outputs, removing the need for a statement of resources and commitment and replacing this with a note, and changing the name of Statement of Receipts and Payments to Statement of Cash Received and Cash Paid.

In general, these changes seem fairly trivial. The only comment I have is that the name change to Statement of Cash Received and Cash Paid could actually be confusing. Most non-accountants think of cash as the paper money we get out of ATMs, as opposed to direct payments and EFTPOS. A backwards and unnecessary step in my opinion. Perhaps Statement of Money Received and Money Paid would be clearer?

Overall marks

It seems as if the drafters of the proposed changes to the Tier 3 and 4 standards have taken time to test the wind well. They have listened to users, preparers and auditors alike and come up with a sensible result. Of course, there will always be details to iron out in the execution, and the submissions (ending 30 September) may encourage further changes. Overall we rate the proposals at a solid 9/10.

See the XRB page for links to the consultation documents and drafts.

24 August 2022

The concept of understanding an entity’s business model, including how it uses Information Technology (IT) is new in ISA 315 (Revised 2019).

Understanding the business model sounds like child’s play, but in the context of exploring inherent risks, it presents a powerful tool to understand the entity.

Paragraph 19(a)(i) tells us that:

The auditor shall perform risk assessment procedures to obtain an understanding of… The entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT.

Paragraph A61 explains why this is necessary.

Understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements.

Organisational structure, ownership and governance are generally simple enough to understand and document, but ‘business model’ is a more nebulous term. Looking at every business risk could be a rabbit hole that swallows a lot of audit time.

However, business risk itself is not a new concept. The old standard defined it as:

A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

What actually is a business model?

Wikipedia defines a business model as follows:

In theory and practice, the term business model is used for a broad range of informal and formal descriptions to represent core aspects of an organization or business, including purpose, business process, target customers, offerings, strategies, infrastructure, organizational structures, sourcing, trading practices, and operational processes and policies including culture.

So our client may have adopted one of the following business models:

  • Bricks and mortar retail model
  • Value-added reseller model
  • Franchise model
  • Subscription model
  • Online sales retail model
  • B2B model – etc.

These are useful to identify and document in our file, but that is still very broad. Paragraph A62 tells us that ‘Not all aspects of the business model are relevant to the auditor’s understanding.’ We need only concern ourselves with those that give rise to the risk of material misstatement.

The standard itself, in Appendix 1(1), says:

The entity’s business model describes how the entity creates, preserves and captures financial or broader value, for its stakeholders.

This is all-encompassing but lacking in specifics. Appendix 1(3) tells us that a description of a business model typically includes:

  • The scope of the entity’s activities, and why it does them.
  • The entity’s structure and scale of its operations.
  • The markets or geographical or demographic spheres, and parts of the value chain, in which it operates, how it engages with those markets or spheres (main products, customer segments and distribution methods), and the basis on which it competes.
  • The entity’s business or operating processes (e.g., investment, financing and operating processes) employed in performing its activities, focusing on those parts of the business processes that are important in creating, preserving or capturing value.
  • The resources (e.g., financial, human, intellectual, environmental and technological) and other inputs and relationships (e.g., customers, competitors, suppliers and employees) that are necessary or important to its success.
  • How the entity’s business model integrates the use of IT in its interactions with customers, suppliers, lenders and other stakeholders through IT interfaces and other technologies.

These are all helpful points to consider and document in our audit work and to flag and analyse the inherent and control risk that we identify.

A 2014 paper by the UK and French standard setters discussing the role of the business model in financial statements state that the first time the term ‘business model’ appeared in the IFRS literature was in 2009 when IFRS 9 (Financial Instruments) was issued. In defining the term business model for use in reporting standards they say:

…there is overall agreement, as evidenced by the responses received, that if the term business model is used in financial reporting, it focuses on the value creation process of an entity, i.e. how the entity generates cash flows.

So moving in from the broad description, we need to start to identify how the entity generates cash flows. In a 2014 paper on Business Models in Integrated Reporting, IFAC state that:

An organization’s business model is its system of transforming inputs, through its business activities, into outputs and outcomes that aim to fulfil the organization’s strategic purposes and create value over the short, medium and long term.

Application to audit work

Cash flows are generated and value is added by a cycle of inputs and outputs. From a risk identification auditing perspective, this is a helpful paradigm, especially in our current climate. Continuing inputs of raw materials, labour, land and capital are no longer a given with complex regulation, supply chain issues, labour shortages, restrictions on land use, and the spectre of inflation.

Similarly, the ability to continue to assume a market based on these disruptions is not as certain as it was a few years ago. We live in uncertain times.

Paragraph A63 acknowledges this by giving the following examples of possible risks:

  • Inappropriate objectives or strategies, ineffective execution of strategies, or change or complexity.
  • A failure to recognise the need for change may also give rise to business risk, for example, from:
    • The development of new products or services that may fail;
    • A market which, even if successfully developed, is inadequate to support a product or service; or
    • Flaws in a product or service that may result in legal liability and reputational risk.
  • Incentives and pressures on management, which may result in intentional or unintentional management bias, and therefore affect the reasonableness of significant assumptions and the expectations of management or those charged with governance.

All these potential risks are exacerbated in uncertain times. Paragraph A64 lists specific matters we should consider:

  • Industry developments, such as the lack of personnel or expertise to deal with the changes in the industry;
  • New products and services that may lead to increased product liability;
  • Expansion of the entity’s business, and demand has not been accurately estimated;
  • New accounting requirements where there has been incomplete or improper implementation;
  • Regulatory requirements resulting in increased legal exposure;
  • Current and prospective financing requirements, such as loss of financing due to the entity’s inability to meet requirements;
  • Use of IT, such as the implementation of a new IT system that will affect both operations and financial reporting; or
  • The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements.

Paragraph A65 points out that ‘Ordinarily, management identifies business risks and develops approaches to address them.’ so our risk assessment process should include assessing this as part of reviewing the internal controls, as under the old standard.

Appendix A(4) concludes:

A business risk may have an immediate consequence for the risk of material misstatement for classes of transactions, account balances, and disclosures at the assertion level or the financial statement level.

So to sum up, understand the business, think outside the square in terms of how inputs and outputs work, and what the associated risks might be. Then stay focussed on those things that actually represent a risk of material misstatement.

<< previous article next article >>

5 August 2022

Remember CAATs? This was an acronym for Computer Assisted Audit Tools – a general category for all things computery that helped us work with more efficiency and power.

Now that virtually all we do uses a computer, ISA 315 (Revised 2019) does not refer to CAATs but to Automated Tools and Techniques (ATTs).

This kind of thing gets audit software developers like us salivating like Fluffy when the fridge door opens. But let’s stay calm and examine what the standard says first.

So what do we know about ATTs?

The standard doesn’t define ATTs, however the recently issued IAASB First Time Implementation Guide simply calls them “procedures performed leveraging the use of technology”. These may be used for risk assessment procedures, and also for obtaining audit evidence. The IAASB points out that:

The procedures for obtaining audit evidence as set out in ISA 500, Audit Evidence, i.e., inspection, observation, external confirmation, recalculation, reperformance, analytical procedures and inquiry, continue to apply, regardless of whether those procedures are performed manually or using technology.

In matters like this, the new standard helpfully acknowledges that we may be auditing vastly divergent entities. Paragraph 9, titled ‘Scalability’, states:

This ISA (NZ) is intended for audits of all entities, regardless of size or complexity and the application material therefore incorporates specific considerations specific to both less and more complex entities, where appropriate.

It is up to the auditor’s judgement to determine whether to use an ATT or some more manual procedure. For instance, there would be no point in carrying out fancy data analytics for fixed assets additions where there are only a few items. Better to just use judgement. ATTs come into their own where there is so much data, or a level of opaqueness, such that the auditor cannot possibly just ‘eyeball’ the content.

Examples from the standard

Looking at some of the suggestions for the use of ATTs in the explanatory material, paragraph A21 suggests performing “risk assessment procedures on large volumes of data (from the general ledger, sub-ledgers or other operational data) including for analysis, recalculations, reperformance or reconciliations.”

Most of our users tend to do this by entering the trial balance data for up to four years, and then populating analytical review pages that show current to prior year movements, deviations from the budget if required and various key ratios over time. Identified risks may then be flagged and analysed as required directly from the TB or AR pages. Detailed recalculations, reperformance or reconciliations tend to be best done using a spreadsheet and adding to the file as an attachment.

Paragraph A57 suggests that the auditor use ATTs “to understand flows of transactions and processing as part of the auditor’s procedures to understand the information system.” This may provide insight into vendors, customers, and related parties, simply by sorting say a purchases ledger in a spreadsheet by supplier name, or using a search function to look for known related parties.

Paragraph A137 suggests using direct access to the entity’s database “by tracing journal entries, or other digital records related to a particular transaction, or an entire population of transactions, from initiation in the accounting records through to recording in the general ledger.” Typically an auditor is given access to say the Xero ledger and may use the built-in search functions there to drill down into the data for this purpose.

Paragraph A161 suggests that when reviewing journals or ledger accounts in less complex entities inspection of all the entries within a particular account, or all journals may well be possible. But in a more complex entity downloading to a spreadsheet and applying filters and sorting may give a good result.

In Audit Assistant, we provide a built-in sampling tool. A large dataset is extracted out of the client software and then uploaded. A sampling interval based on performance materiality (or adjusted performance materiality) is added. This generates a randomised CMA sample. Appropriate tests are then added to a generated table of results. Alternatively, a random sample of a specified number of samples may be generated, or the auditor may carry out their own sample in the spreadsheet first and then upload it for testing.

The auditor is encouraged to use automated techniques to assist in the identification of significant classes of transactions, account balances and disclosures in paragraph A203. This would typically only be helpful in complex entities. In less complex entities these become fairly obvious by reviewing trail balance and analytical review data as described above.

CAATs are our friends

So CAATS and ATTs are really not some big scary monsters that need to intimidate us. They are our servants – power tools that we pull out when a normal auditing screwdriver or hammer is too slow or not forceful enough. They become dangerous when the auditor uses them ‘just because they can’ without understanding what they are trying to achieve and why.

There is no substitute for learning to do the basics well and always working from first principles, and choosing a tool that we understand and can explain that will achieve our objectives most efficiently.

<<previous article next article>>

26 July 2022

There’s a new Act in town. And some people aren’t happy, claiming that this could be an ‘extinction event’ for many small clubs. The 1908 Act was predictably relaxed, out of step with modern regulation and reporting, so an update was needed.

So what does the new Incorporated Societies Act entail for these entities, and for those who prepare and audit the financial statements? Is the fear justified?

Changes for entities

No Incorporated Societies can just carry on as normal. All will need to update their constitutions and re-register. Companies Office guidance suggests the final date to transition will be April 2026. They also provide a handy Constitution Building tool.

Regulations are currently being developed to support the new Act. These should be completed by September 2023 so that entities can start to transition.

What we do know from the Act, however, is that under section 74 a society must have at least 10 members to register. This is a decrease from the 15 members required under the old Act. Under section 45 of the new Act, a society must have a committee, but this only needs to comprise 3 or more qualified officers. This committee is the ”governing body of the society” – the responsible parties.

There is concern that the extra responsibility being laid upon mostly voluntary committee members may make the slots hard to fill. The obligations are much closer to a company director than the casual committee member of the past. Under section 51 an officer remains specifically liable for acts and omissions and decisions made while they were an officer even after they have resigned.

The Act takes into account that many small entities may not want to re-register, so it provides an amalgamation process to enable groups of small, similar entities to amalgamate under one umbrella. Whether this will be used much, we shall see.

How to report?

Charities Services report that “there are about 24,000 incorporated societies in New Zealand, and about 7,000 of those are registered as charities.” These 7,000, like all charities, will be reporting under the Public Benefit Entity (PBE) reporting regime, which is now well established.

For the other 17,000, reporting will depend mainly on size. At present these entities may be using special purpose reporting or generally accepted accounting practices (GAAP). Section 102 provides three categories:

  • specified not-for-profit entity
  • small society
  • other

An entity is defined as a specified not-for-profit entity in the Financial Reporting Act 2013 S46  if, in each of the 2 preceding accounting periods of the entity, the total operating payments of the entity are $140,000 or more. These are required to prepare financial statements that comply with GAAP. Our Tier 1 and 2 standards plus our Tier 3 PBE standard are GAAP. Tier 4 and Special Purpose are not GAAP.

A small society has total operating payments and total current assets of less than $50,000 in each of the 2 preceding accounting periods. It also may not be a donee organisation under section LD 3(2) of the Income Tax Act 2007. These include charitable entities entitled to issue tax-deductible receipts for donations received. Many small clubs would fall into the small category. These may choose to prepare either GAAP-compliant financial statements or a non-GAAP standard or the minimum requirements as set out in section 104 of the 2022 Act. The minimum requirements statements must contain the following information:

(i) the income and expenditure, or receipts and payments, of the society during the accounting period; and

(ii) the assets and liabilities of the society at the close of the accounting period; and

(iii) all mortgages, charges, and other security interests of any description affecting any of the property of the society at the close of the accounting period

Associations that don’t fit into either category – the “others” – will generally be those with expenditure over $50,000 and under $140,000 in the previous two periods. They may choose whether to apply GAAP or non-GAAP.

What about the requirement for audit?

Of course, any Incorporated Society may opt to be audited, but some must be audited under the Act.

These are classed as “large” (as defined by S45 of the Financial Reporting Act 2013) if as at the balance date of each of the 2 preceding accounting periods, the total assets of the entity and its subsidiaries (if any) exceed $66 million or in each of the 2 preceding accounting periods, the total revenue of the entity and its subsidiaries (if any) exceeds $33 million.

The end of Society?

So will this be an ‘extinction’ event for societies or provide momentum for a new burst of energy? Both outcomes are likely, depending on the state of the society. It will certainly drain the limited resources of struggling clubs to have to lift their game to a new level.

In this age of declining volunteerism and reliance on sponsorship, the change may lead to fewer societies, but adaptations will be made for more efficient operations and more professional style management in those who survive.

25 July 2022

Does your firm administer any family trusts? Then you will no doubt be aware of the increased requirements under the Trusts Act 2019 for ensuring all the data about the Trust is up to date.

To help achieve this, we have, in collaboration with a large local Accountancy firm, developed a simple questionnaire to be shared annually with the trustee contact, that asks all the relevant questions to make sure that the accountant’s records are correct.

There are four actions required:

STEP 1: Set up the Trust using the Annual Trust Review Questionnaire template. Add the name of the trust, appointment date and save (the questionnaire itself is undated – the important date is when it is signed off).


STEP 2: Add the current trustees and beneficiaries as contacts. These can be imported using a special .CSV template that we have attached to the A1 page, from data obtained from your records (or the details may be added one at a time if there are only a few).


Note that the Role column should specify whether the person or entity is a Trustee, Beneficiary or both  – note format for both uses the vertical line or “pipe” character (|).


The contacts will then be added to the file so that they will appear on the questionnaire.


STEP 3: Then share the questionnaire page with the relevant contact. Select the name from the dropdown and click add – this will generate a link to be emailed to the client. Alternatively use the tick-box “Automatically send link to user” to generate an email directly off the system.


They receive an email from your firms asking them to follow the link and complete the details. Following the link they are asked to confirm their identity:


Then they see the existing trustee and beneficiary contact details and are asked if any changes have been made.


If so a dialogue box asks them to type in the new details. There are also questions for all the other information that needs to be asked under the Act. Once complete the accountant is notified.


STEP 4: The accountant then updates the records held by their firm, and takes any further actions required. 

Once complete the jobs may be saved to PDF then deleted off the system, or rolled over and reused in the subsequent year.

Note: We can assist with bulk client creation, contact data import, and even bulk sharing if required, as we do for normal client annual data collection questionnaires

This content is accessible in our Tools for Accountants packages, along with financial reporting checklists and other compilation tools. Contact us for more details.

1 July 2022

The next concept, expressed in paragraph 8 of ISA 315, is a reminder that our audit work must be framed in terms of responses to risks of material misstatement (RoMM). This is not new, but it is critical to making our audit file “sing”.

The first part of paragraph 8 states that “ISA 330 requires the auditor to design and implement overall responses to address the assessed risks of material misstatement at the financial statement level.” Remember that risks at the financial statement level affect the financial statements as a whole and so potentially affect many assertions. So, these are major issues but hopefully rare. It makes sense that if say, there is a major fraud that impacts going concern then we would send most of our auditing fire engines to that particular fire.

The second part of the paragraph states that “the auditor’s assessment of the risks of material misstatement at the financial statement level, and the auditor’s overall responses, is affected by the auditor’s understanding of the control environment.” Paragraph A2 of ISA 330 says: “An effective control environment may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity and thus, for example, allow the auditor to conduct some audit procedures at an interim date rather than at the period end.”

This is a standard practice of course. We consider the control environment, assess whether it is robust enough for us to consider relying upon it and if we think it might be we test the key controls. If all is well, we can reduce our reliance on substantive testing.

The third part quotes ISA 330 paragraph 6 which requires the auditor to also “…design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.” Note we are talking about assertion level (granular) risks here. In most jobs, this will be where our focus rests – assertion level RoMM.

Just like striking one string in a piano sets off harmonics in other strings, so should the identification of a RoMM set off harmonic thoughts in the auditor’s brain. The risks that we assess as of potential magnitude and the likelihood of occurrence should resonate throughout the whole audit file.

Para 13 (b) sums it up succinctly: “The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for… The design of further audit procedures in accordance with ISA 330.”

What are these risk assessment procedures?

Paragraph 14 summarises these as enquiry, analytical procedures, and observation and inspection. This evidence may also be gathered during the acceptance and continuance process, from other engagements performed for the entity (para 15), or from previous audit experience (para 16). This must of course be evaluated for relevance and reliability. The audit team meeting will also be a source of information about potential risks (para 17).

Of course, a thorough understanding of the entity and environment will alert us to inherent risks, and understanding the entity’s use of IT is essential to assessing possible control risks, plus consideration of reporting framework and accounting policies (para 19-20).

Understanding the components of the control system and how that is monitored will be required to identify control risks (para 21-26).

At the end of this process we will have a clear description of the risk:

  • whether it is at the assertion or financial statement level;
  • if at the assertion level, what assertions it relates to;
  • whether it is an inherent, control or audit risk;
  • the potential financial impact;
  • the likelihood of occurrence;
  • any related controls;
  • from this an assessment of how significant the risk is.

Once we have done a good analysis the response should be obvious. A significant risk will demand higher audit resources. Our toolkit of audit responses will depend on the assertion and level of risk.

If there is material inventory for instance, and we have assessed controls as poor, we have a higher likelihood of overstatement with high potential impact. Assertions like existence, accuracy, valuation, ownership, and cut-off all become relevant. We likely have a significant control risk at the assertion level. What do we do? We design tests like stocktake attendance, review for redundant goods, valuation tests, ownership testing and cut-off testing back to accounts receivable and payable, obtaining representations from management and enquiry and observation.

In the end, we have an Audit file that plays a clear song without discordant notes. Like a good piece of music, it is concise, focused, clear and internally consistent.

<<previous article next article>>