21 October 2022

Ever wish you could take your current complex review and documentation processes and put them into one bespoke, secure, elegant online solution without spending hundreds of thousands of dollars? Now you can.

Or go next level and become a provider of that content, reselling it to other firms in your industry? This is what ReviewTools from Audit Assistant offers.  

Audit Assistant has been the online tool of choice for the majority of New Zealand SME financial auditors for over ten years. We have now taken this experience and applied it to building ReviewTools – a secure platform for complex process and assurance work for a wider range of applications.

ReviewTools offers a flexible and powerful base with numerous built-in features that can be flexibly configured for all sorts of diverse, complex review applications.

ReviewTools is an ideal platform for small team collaboration in real-time in complex risk-based and standards-driven processes – perfect for industries and professions where documentation is critical, and evidence gathering and client interaction must be tracked within the application.

ReviewTools includes:

  • Integrated signup, customer management, billing and reports.
  • Built-in two-factor authentication,
  • Encrypted file storage,
  • A professionally hosted and maintained database,
  • Backup and restore service,
  • Risk assessment processes,
  • Customisable team roles,
  • Real-time team interaction,
  • Multi-level review processes,
  • Sampling and analytics tools,
  • Integrated letter and report creation,
  • Uploadable file attachment,
  • Annual rollover if required,
  • Client query tool,
  • Invitation for client access to individual pages for data gathering,
  • Hyperlinks to online standards,
  • Dynamic job creation,
  • Export of completed work to PDF,
  • Full dashboard for work tracking and milestones,
  • Ability to customise structure and content as required,
  • Help from our staff with building your application as required,
  • Access from multiple devices.

Let us help take your current workflows and build them into a tight, secure, integrated package – or develop a professional-grade cloud-based product with basic skills using the ReviewTools platform. Leverage your product on our reputation of delivering professional cloud services for over ten years.

Our team can also provide:

  • Help with marketing via our existing networks,
  • Additional custom features if required,
  • Legendary personal support to get you up and running.

What could cost hundreds of thousands of dollars to build from scratch will soon be available to you on a PaaS (Platform as a Service) basis for a monthly subscription.

Contact us to talk about your idea, and how ReviewTools can get your application up and running fast.

28 September 2022

For those who prepare and audit financial statements for “small” (under $2m expenditure) charities and other not-for-profits, there are some important changes coming up. We have made a summary with some commentary about how we think this will impact the sector.

In New Zealand, these smaller entities are very common – there are about 30,000 of them including some soon to be included in this reporting under the Incorporated Societies Act 2022.

The Tier 3 standard continues to be accrual-based, and Tier 4 is a cash-based alternative for smaller entities (under $140k expenditure). This article focuses on Tier 3, which tends to be used much more than the cash-based standard even for many smaller entities as it is much more like traditional reporting. We will look briefly at the Tier 4 proposals at the end.

Service performance

When the standard was introduced there were no NZ reporting or auditing standards for Service Performance Information (SPI). Now we have PBE FRS 48 for Tier 1 and 2 entities, and NZ AS-1 for the audit of Service Performance Information across all the tiers.

In a way, the proposed changes in Tier 3 are simply following the direction set by PBE FRS 48 and NZ AS-1. The terms Outcome and Output were always confusing, so these are being replaced with more descriptive terminology as per PBE FRS 48. Entity Information is no longer a prescribed report, although the information is still expected to be included somewhere.

There is also some helpful guidance provided about what to report as SPI, and how to report it. Reporting must be:

  • Relevant and faithfully represented
  • Understandable
  • Timely and comparable
  • Verifiable

As such, any changes in reporting from the prior year must be explained, so there is consistency in reporting.

In our opinion, these changes are welcome and it makes sense to align SPI reporting with the other standards, as it should be more efficient for preparers and auditors, and more understandable to users.

From an audit perspective, NZ AS-1 is a complex standard that feels like overkill for auditors of smaller entities. Perhaps when the NZ version of the LCE auditing standard is released there may be something size-appropriate for auditing SPI.

Changes to standard revenue and expenditure categories

A common criticism of reporting under the existing Tier 3 standard is that the reporting categories are so broad as to be almost meaningless in some cases. The proposed changes split some of the categories into smaller classifications. For instance,

  • Commercial activities are split out;
  • Grants for capital projects are split from other grants;
  • Government funding is split from non-governmental funding;
  • Donations are now clearly differentiated from membership fees and subscriptions;
  • Employee remuneration (apparently including those paid as contractors) is to be split out from volunteer and other employee expenses.

Preparers of performance reports will be able to tweak the names of the categories, but will not be allowed to add additional categories as before. This is probably for aggregation and analysis purposes.

We think these changes generally make sense. They should make the statement of financial performance more meaningful and reduce the need for extensive notes breaking down the categories.

Revenue recognition changes

The existing standard is fairly inflexible in matching revenue from grants and other bequests and gifts with the use of that money. Donations with a use or return condition are recognised as the condition is fulfilled. Any income without such a condition is currently recognised in the period it was received.

Under the new proposals, if there is a clear expectation of when funds are to be used in terms of an agreed expectation from the grantor, the revenue may be recognised as or when the conditions are satisfied.

This seems like a clear, common-sense response, more in line with the commonly accepted matching principle of accrual accounting.

Alternative measurement for assets

Under the current standard, if fixed assets are revalued, the Tier 2 standard must be used. The proposal is to allow revaluation based on say, RV (rateable value) for land and buildings, or valuation by an independent qualified valuer. Changes are to be made straight to a revaluation reserve. The whole class of assets must be revalued. Once a revaluation is made there must be consistency going forward, with no changing back to other methods, and revaluation updates made on a regular schedule. Depreciation must still be calculated on revalued assets.

The rules are to be applied to assets that do not require significant judgement or complex estimates. Investment property may also be included as their own category under fixed assets and revalued in the same way. It is proposed that financial assets (shares etc.) be measured at their current value, with changes in value put through the statement of financial performance.

This all seems sensible and familiar to us, and simple enough for preparers and auditors.

Including a note on accumulated funds

At present, there are no requirements to disclose any details of accumulated funds. The proposal is that for transparency there be a note that discloses objectives and policies for managing accumulated funds, and any plans for applying accumulated funds to meet the entity objectives. The proposal is for this to be a high-level informational view and not a binding commitment.

We can see some advantages to this disclosure. First, it will make entities think about why they have significant reserves (if in fact, they do) and perhaps how they could be better using these to meet their objectives. If they view their reserves as investments, are they making the best use of their capital? Could they be meeting their objectives in more efficient ways with a redeployment of their equity?

On the other hand, many charities certainly don’t have excess cash or investments and their equity simply represents assets such as land and buildings that are essential to their service delivery. Having to make up a nice story to put into a note in these cases seems like a pointless exercise. This could also be difficult to audit.

Simplification to the statement of cash flows

Cash flow statements are typically a headache for both preparers of financial statements and auditors. Accounting software often struggles and the results are hard to audit and hard for users to understand.

The proposal is that the categories in the statement of cash flows match the categories in the statement of financial performance. It seems to be that the statement of cash flows is to be essentially a statement of receipts and payments.

We think this is a brilliant idea. It will be easier to prepare (just based on the cash report in Xero say), easier to audit, and probably more useful to users.

Change of name

The new standard is to be called Reporting Requirements for Tier 3 Not-For-Profit Entities. This is a welcome improvement from the old tongue twister.

Tier 4 proposed changes

There are a couple of changes proposed for Tier 4. These reflect the changes in categories proposed for Tier 3, some simplified requirements for really small entities (under $10k expenditure), changing the language around outcomes and outputs, removing the need for a statement of resources and commitment and replacing this with a note, and changing the name of Statement of Receipts and Payments to Statement of Cash Received and Cash Paid.

In general, these changes seem fairly trivial. The only comment I have is that the name change to Statement of Cash Received and Cash Paid could actually be confusing. Most non-accountants think of cash as the paper money we get out of ATMs, as opposed to direct payments and EFTPOS. A backwards and unnecessary step in my opinion. Perhaps Statement of Money Received and Money Paid would be clearer?

Overall marks

It seems as if the drafters of the proposed changes to the Tier 3 and 4 standards have taken time to test the wind well. They have listened to users, preparers and auditors alike and come up with a sensible result. Of course, there will always be details to iron out in the execution, and the submissions (ending 30 September) may encourage further changes. Overall we rate the proposals at a solid 9/10.

See the XRB page for links to the consultation documents and drafts.

24 August 2022

The concept of understanding an entity’s business model, including how it uses Information Technology (IT), is new in ISA 315 (Revised 2019).

Understanding the business model sounds like child’s play, but in the context of exploring inherent risks, it presents a powerful tool to understand the entity.

Paragraph 19(a)(i) tells us that:

The auditor shall perform risk assessment procedures to obtain an understanding of… The entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT.

Paragraph A61 explains why this is necessary.

Understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements.

Organisational structure, ownership and governance are generally simple enough to understand and document, but ‘business model’ is a more nebulous term. Looking at every business risk could be a rabbit hole that swallows a lot of audit time.

However, business risk itself is not a new concept. The old standard defined it as:

A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

What actually is a business model?

Wikipedia defines a business model as follows:

In theory and practice, the term business model is used for a broad range of informal and formal descriptions to represent core aspects of an organization or business, including purpose, business process, target customers, offerings, strategies, infrastructure, organizational structures, sourcing, trading practices, and operational processes and policies including culture.

So our client may have adopted one of the following business models:

  • Bricks and mortar retail model
  • Value-added reseller model
  • Franchise model
  • Subscription model
  • Online sales retail model
  • B2B model – etc.

These are useful to identify and document in our file, but that is still very broad. Paragraph A62 tells us that ‘Not all aspects of the business model are relevant to the auditor’s understanding.’ We need only concern ourselves with those that give rise to the risk of material misstatement.

The standard itself, in Appendix 1(1), says:

The entity’s business model describes how the entity creates, preserves and captures financial or broader value, for its stakeholders.

This is all-encompassing but lacking in specifics. Appendix 1(3) tells us that a description of a business model typically includes:

  • The scope of the entity’s activities, and why it does them.
  • The entity’s structure and scale of its operations.
  • The markets or geographical or demographic spheres, and parts of the value chain, in which it operates, how it engages with those markets or spheres (main products, customer segments and distribution methods), and the basis on which it competes.
  • The entity’s business or operating processes (e.g., investment, financing and operating processes) employed in performing its activities, focusing on those parts of the business processes that are important in creating, preserving or capturing value.
  • The resources (e.g., financial, human, intellectual, environmental and technological) and other inputs and relationships (e.g., customers, competitors, suppliers and employees) that are necessary or important to its success.
  • How the entity’s business model integrates the use of IT in its interactions with customers, suppliers, lenders and other stakeholders through IT interfaces and other technologies.

These are all helpful points to consider and document in our audit work and to flag and analyse the inherent and control risk that we identify.

A 2014 paper by the UK and French standard setters discussing the role of the business model in financial statements states that the first time the term ‘business model’ appeared in the IFRS literature was in 2009, when IFRS 9 (Financial Instruments) was issued. In defining the term business model for use in reporting standards they say:

…there is overall agreement, as evidenced by the responses received, that if the term business model is used in financial reporting, it focuses on the value creation process of an entity, i.e. how the entity generates cash flows.

So moving in from the broad description, we need to start to identify how the entity generates cash flows. In a 2014 paper on Business Models in Integrated Reporting, IFAC state that:

An organization’s business model is its system of transforming inputs, through its business activities, into outputs and outcomes that aim to fulfil the organization’s strategic purposes and create value over the short, medium and long term.

Application to audit work

Cash flows are generated and value is added by a cycle of inputs and outputs. From a risk identification auditing perspective, this is a helpful paradigm, especially in our current climate. Continuing inputs of raw materials, labour, land and capital are no longer a given with complex regulation, supply chain issues, labour shortages, restrictions on land use, and the spectre of inflation.

Similarly, the ability to continue to assume a market based on these disruptions is not as certain as it was a few years ago. We live in uncertain times.

Paragraph A63 acknowledges this by giving the following examples of possible risks:

  • Inappropriate objectives or strategies, ineffective execution of strategies, or change or complexity.
  • A failure to recognise the need for change may also give rise to business risk, for example, from:
    • The development of new products or services that may fail;
    • A market which, even if successfully developed, is inadequate to support a product or service; or
    • Flaws in a product or service that may result in legal liability and reputational risk.
  • Incentives and pressures on management, which may result in intentional or unintentional management bias, and therefore affect the reasonableness of significant assumptions and the expectations of management or those charged with governance.

All these potential risks are exacerbated in uncertain times. Paragraph A64 lists specific matters we should consider:

  • Industry developments, such as the lack of personnel or expertise to deal with the changes in the industry;
  • New products and services that may lead to increased product liability;
  • Expansion of the entity’s business, and demand has not been accurately estimated;
  • New accounting requirements where there has been incomplete or improper implementation;
  • Regulatory requirements resulting in increased legal exposure;
  • Current and prospective financing requirements, such as loss of financing due to the entity’s inability to meet requirements;
  • Use of IT, such as the implementation of a new IT system that will affect both operations and financial reporting; or
  • The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements.

Paragraph A65 points out that ‘Ordinarily, management identifies business risks and develops approaches to address them’, so our risk assessment process should include assessing this as part of reviewing the internal controls, as under the old standard.

Appendix A(4) concludes:

A business risk may have an immediate consequence for the risk of material misstatement for classes of transactions, account balances, and disclosures at the assertion level or the financial statement level.

So to sum up, understand the business, think outside the square in terms of how inputs and outputs work, and what the associated risks might be. Then stay focussed on those things that actually represent a risk of material misstatement.

5 August 2022

Remember CAATs? This was an acronym for Computer Assisted Audit Tools – a general category for all things computery that helped us work with more efficiency and power.

Now that virtually all we do uses a computer, ISA 315 (Revised 2019) does not refer to CAATs but to Automated Tools and Techniques (ATTs).

This kind of thing gets audit software developers like us salivating like Fluffy when the fridge door opens. But let’s stay calm and examine what the standard says first.

So what do we know about ATTs?

The standard doesn’t define ATTs, however the recently issued IAASB First Time Implementation Guide simply calls them “procedures performed leveraging the use of technology”. These may be used for risk assessment procedures, and also for obtaining audit evidence. The IAASB points out that:

The procedures for obtaining audit evidence as set out in ISA 500, Audit Evidence, i.e., inspection, observation, external confirmation, recalculation, reperformance, analytical procedures and inquiry, continue to apply, regardless of whether those procedures are performed manually or using technology.

In matters like this, the new standard helpfully acknowledges that we may be auditing vastly divergent entities. Paragraph 9, titled ‘Scalability’, states:

This ISA (NZ) is intended for audits of all entities, regardless of size or complexity and the application material therefore incorporates specific considerations specific to both less and more complex entities, where appropriate.

It is up to the auditor’s judgement to determine whether to use an ATT or some more manual procedure. For instance, there would be no point in carrying out fancy data analytics for fixed assets additions where there are only a few items. Better to just use judgement. ATTs come into their own where there is so much data, or a level of opaqueness, such that the auditor cannot possibly just ‘eyeball’ the content.

Examples from the standard

Looking at some of the suggestions for the use of ATTs in the explanatory material, paragraph A21 suggests performing “risk assessment procedures on large volumes of data (from the general ledger, sub-ledgers or other operational data) including for analysis, recalculations, reperformance or reconciliations.”

Most of our users tend to do this by entering the trial balance data for up to four years, and then populating analytical review pages that show current to prior year movements, deviations from the budget if required and various key ratios over time. Identified risks may then be flagged and analysed as required directly from the TB or AR pages. Detailed recalculations, reperformance or reconciliations tend to be best done using a spreadsheet and adding to the file as an attachment.

Paragraph A57 suggests that the auditor use ATTs “to understand flows of transactions and processing as part of the auditor’s procedures to understand the information system.” This may provide insight into vendors, customers, and related parties, simply by sorting say a purchases ledger in a spreadsheet by supplier name, or using a search function to look for known related parties.

Paragraph A137 suggests using direct access to the entity’s database “by tracing journal entries, or other digital records related to a particular transaction, or an entire population of transactions, from initiation in the accounting records through to recording in the general ledger.” Typically an auditor is given access to say the Xero ledger and may use the built-in search functions there to drill down into the data for this purpose.

Paragraph A161 suggests that when reviewing journals or ledger accounts in less complex entities, inspection of all the entries within a particular account, or of all journals, may well be possible. But in a more complex entity, downloading to a spreadsheet and applying filters and sorting may give a good result.

In Audit Assistant, we provide a built-in sampling tool. A large dataset is extracted out of the client software and then uploaded. A sampling interval based on performance materiality (or adjusted performance materiality) is added. This generates a randomised CMA sample. Appropriate tests are then added to a generated table of results. Alternatively, a random sample of a specified number of samples may be generated, or the auditor may carry out their own sample in the spreadsheet first and then upload it for testing.

The auditor is encouraged to use automated techniques to assist in the identification of significant classes of transactions, account balances and disclosures in paragraph A203. This would typically only be helpful in complex entities. In less complex entities these become fairly obvious by reviewing trial balance and analytical review data as described above.

CAATs are our friends

So CAATs and ATTs are really not some big scary monsters that need to intimidate us. They are our servants – power tools that we pull out when a normal auditing screwdriver or hammer is too slow or not forceful enough. They become dangerous when the auditor uses them ‘just because they can’ without understanding what they are trying to achieve and why.

There is no substitute for learning to do the basics well and always working from first principles, and choosing a tool that we understand and can explain that will achieve our objectives most efficiently.

26 July 2022

There’s a new Act in town. And some people aren’t happy, claiming that this could be an ‘extinction event’ for many small clubs. The 1908 Act was predictably relaxed, out of step with modern regulation and reporting, so an update was needed.

So what does the new Incorporated Societies Act entail for these entities, and for those who prepare and audit the financial statements? Is the fear justified?

Changes for entities

No Incorporated Societies can just carry on as normal. All will need to update their constitutions and re-register. Companies Office guidance suggests the final date to transition will be April 2026. They also provide a handy Constitution Building tool.

Regulations are currently being developed to support the new Act. These should be completed by September 2023 so that entities can start to transition.

What we do know from the Act, however, is that under section 74 a society must have at least 10 members to register. This is a decrease from the 15 members required under the old Act. Under section 45 of the new Act, a society must have a committee, but this only needs to comprise 3 or more qualified officers. This committee is the “governing body of the society” – the responsible parties.

There is concern that the extra responsibility being laid upon mostly voluntary committee members may make the slots hard to fill. The obligations are much closer to a company director than the casual committee member of the past. Under section 51 an officer remains specifically liable for acts and omissions and decisions made while they were an officer even after they have resigned.

The Act takes into account that many small entities may not want to re-register, so it provides an amalgamation process to enable groups of small, similar entities to amalgamate under one umbrella. Whether this will be used much, we shall see.

How to report?

Charities Services report that “there are about 24,000 incorporated societies in New Zealand, and about 7,000 of those are registered as charities.” These 7,000, like all charities, will be reporting under the Public Benefit Entity (PBE) reporting regime, which is now well established.

For the other 17,000, reporting will depend mainly on size. At present these entities may be using special purpose reporting or generally accepted accounting practices (GAAP). Section 102 provides three categories:

  • specified not-for-profit entity
  • small society
  • other

An entity is defined as a specified not-for-profit entity in the Financial Reporting Act 2013 S46 if, in each of the 2 preceding accounting periods of the entity, the total operating payments of the entity are $140,000 or more. These are required to prepare financial statements that comply with GAAP. Our Tier 1 and 2 standards plus our Tier 3 PBE standard are GAAP. Tier 4 and Special Purpose are not GAAP.

A small society has total operating payments and total current assets of less than $50,000 in each of the 2 preceding accounting periods. It also may not be a donee organisation under section LD 3(2) of the Income Tax Act 2007. These include charitable entities entitled to issue tax-deductible receipts for donations received. Many small clubs would fall into the small category. These may choose to prepare either GAAP-compliant financial statements or a non-GAAP standard or the minimum requirements as set out in section 104 of the 2022 Act. The minimum requirements statements must contain the following information:

(i) the income and expenditure, or receipts and payments, of the society during the accounting period; and

(ii) the assets and liabilities of the society at the close of the accounting period; and

(iii) all mortgages, charges, and other security interests of any description affecting any of the property of the society at the close of the accounting period

Associations that don’t fit into either category – the “others” – will generally be those with expenditure over $50,000 and under $140,000 in the previous two periods. They may choose whether to apply GAAP or non-GAAP.

What about the requirement for audit?

Of course, any Incorporated Society may opt to be audited, but some must be audited under the Act.

These are classed as “large” (as defined by S45 of the Financial Reporting Act 2013) if as at the balance date of each of the 2 preceding accounting periods, the total assets of the entity and its subsidiaries (if any) exceed $66 million or in each of the 2 preceding accounting periods, the total revenue of the entity and its subsidiaries (if any) exceeds $33 million.

The end of Society?

So will this be an ‘extinction’ event for societies or provide momentum for a new burst of energy? Both outcomes are likely, depending on the state of the society. It will certainly drain the limited resources of struggling clubs to have to lift their game to a new level.

In this age of declining volunteerism and reliance on sponsorship, the change may lead to fewer societies, but adaptations will be made for more efficient operations and more professional style management in those who survive.

25 July 2022

Does your firm administer any family trusts? Then you will no doubt be aware of the increased requirements under the Trusts Act 2019 for ensuring all the data about the Trust is up to date.

To help achieve this, we have, in collaboration with a large local Accountancy firm, developed a simple questionnaire to be shared annually with the trustee contact, that asks all the relevant questions to make sure that the accountant’s records are correct.

There are four actions required:

STEP 1: Set up the Trust using the Annual Trust Review Questionnaire template. Add the name of the trust, appointment date and save (the questionnaire itself is undated – the important date is when it is signed off).

STEP 2: Add the current trustees and beneficiaries as contacts. These can be imported using a special .CSV template that we have attached to the A1 page, from data obtained from your records (or the details may be added one at a time if there are only a few).

Note that the Role column should specify whether the person or entity is a Trustee, a Beneficiary or both – the format for both uses the vertical line or “pipe” character (|).

The contacts will then be added to the file so that they will appear on the questionnaire.

STEP 3: Then share the questionnaire page with the relevant contact. Select the name from the dropdown and click add – this will generate a link to be emailed to the client. Alternatively use the tick-box “Automatically send link to user” to generate an email directly off the system.

They receive an email from your firm asking them to follow the link and complete the details. Following the link, they are asked to confirm their identity.

Then they see the existing trustee and beneficiary contact details and are asked if any changes have been made.

If so, a dialogue box asks them to type in the new details. There are also questions for all the other information that needs to be asked under the Act. Once complete, the accountant is notified.

STEP 4: The accountant then updates the records held by their firm, and takes any further actions required. 

Once complete, the jobs may be saved to PDF and then deleted from the system, or rolled over and reused in the subsequent year.

Note: We can assist with bulk client creation, contact data import, and even bulk sharing if required, as we do for normal client annual data collection questionnaires.

This content is accessible in our Tools for Accountants packages, along with financial reporting checklists and other compilation tools. Contact us for more details.

1 July 2022

The next concept, expressed in paragraph 8 of ISA 315, is a reminder that our audit work must be framed in terms of responses to risks of material misstatement (RoMM). This is not new, but it is critical to making our audit file “sing”.

The first part of paragraph 8 states that “ISA 330 requires the auditor to design and implement overall responses to address the assessed risks of material misstatement at the financial statement level.” Remember that risks at the financial statement level affect the financial statements as a whole and so potentially affect many assertions. So, these are major issues but hopefully rare. It makes sense that if, say, there is a major fraud that impacts going concern, then we would send most of our auditing fire engines to that particular fire.

The second part of the paragraph states that “the auditor’s assessment of the risks of material misstatement at the financial statement level, and the auditor’s overall responses, is affected by the auditor’s understanding of the control environment.” Paragraph A2 of ISA 330 says: “An effective control environment may allow the auditor to have more confidence in internal control and the reliability of audit evidence generated internally within the entity and thus, for example, allow the auditor to conduct some audit procedures at an interim date rather than at the period end.”

This is standard practice, of course. We consider the control environment, assess whether it is robust enough for us to consider relying upon it and, if we think it might be, we test the key controls. If all is well, we can reduce our reliance on substantive testing.

The third part quotes ISA 330 paragraph 6 which requires the auditor to also “…design and perform further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level.” Note we are talking about assertion level (granular) risks here. In most jobs, this will be where our focus rests – assertion level RoMM.

Just like striking one string in a piano sets off harmonics in other strings, so should the identification of a RoMM set off harmonic thoughts in the auditor’s brain. The risks that we assess in terms of potential magnitude and likelihood of occurrence should resonate throughout the whole audit file.

Para 13 (b) sums it up succinctly: “The auditor shall design and perform risk assessment procedures to obtain audit evidence that provides an appropriate basis for… The design of further audit procedures in accordance with ISA 330.”

What are these risk assessment procedures?

Paragraph 14 summarises these as enquiry, analytical procedures, and observation and inspection. This evidence may also be gathered during the acceptance and continuance process, from other engagements performed for the entity (para 15), or from previous audit experience (para 16). This must of course be evaluated for relevance and reliability. The audit team meeting will also be a source of information about potential risks (para 17).

Of course, a thorough understanding of the entity and environment will alert us to inherent risks, and understanding the entity’s use of IT is essential to assessing possible control risks, plus consideration of reporting framework and accounting policies (para 19-20).

Understanding the components of the control system and how that is monitored will be required to identify control risks (para 21-26).

At the end of this process we will have a clear description of the risk:

  • whether it is at the assertion or financial statement level;
  • if at the assertion level, what assertions it relates to;
  • whether it is an inherent, control or audit risk;
  • the potential financial impact;
  • the likelihood of occurrence;
  • any related controls;
  • from this an assessment of how significant the risk is.

Once we have done a good analysis the response should be obvious. A significant risk will demand higher audit resources. Our toolkit of audit responses will depend on the assertion and level of risk.

If there is material inventory for instance, and we have assessed controls as poor, we have a higher likelihood of overstatement with high potential impact. Assertions like existence, accuracy, valuation, ownership, and cut-off all become relevant. We likely have a significant control risk at the assertion level. What do we do? We design tests like stocktake attendance, review for redundant goods, valuation tests, ownership testing and cut-off testing back to accounts receivable and payable, obtaining representations from management and enquiry and observation.

In the end, we have an Audit file that plays a clear song without discordant notes. Like a good piece of music, it is concise, focused, clear and internally consistent.

30 May 2022

Let’s face it, auditing can be like herding cats.

There are so many factors that must be considered simultaneously that it’s really impossible to proceed through anything but the most basic job without new facts emerging, new risks surfacing, and expectations changing. We try to nail this down and not miss anything, with our programmes and engagement letters, but it’s still easy for something to slip through in the busyness.

The new ISA 315 standard addresses this using the language of “iterative and dynamic”. It says: “The auditor’s understanding of the entity and its environment, the applicable financial reporting framework, and the entity’s system of internal control are interdependent with concepts within the requirements to identify and assess the risks of material misstatement” (paragraph 7).

Consider what we are asked to simultaneously evaluate:

  • The entity itself – history, structure, goals, funding etc.
  • The environment in which it exists – legislation, competitors, industry trends etc.
  • The reporting framework under which it is required to or chooses to report.
  • The inherent risks associated with the above.
  • The control systems used to assist the entity to fulfill its business and reporting responsibilities.
  • The risks associated with those activities and their exposure to both error and fraud.
  • How risk relates to different classes of transactions, different account balances, or disclosures.
  • How risk relates to the assertions made by the client regarding the different classes of transactions, different account balances, or disclosures.
  • The materiality of risks and errors found.
  • Responses and how to address the risks identified.
  • How these responses relate to each other and combine to give an overall level of comfort to the auditor.
  • And much more!

IFAC diagrams it like this:

see https://www.ifac.org/system/files/publications/files/ISA-315-Revised-EM-Overall-risk-assessment-flowchart-July-6_0.pdf

So the new standard helpfully informs us that the process is regarded as iterative and dynamic. In other words, it is okay to jiggle our thoughts and responses around until we arrive at the best approach. Auditing is perhaps best regarded as an art more than a science at this level of complexity. Hence the emphasis on exercising professional judgement.

In practical terms, this approach means that we make our preliminary assessments of risk right from our first conversation with the client. We note these down. Then we do some more background research, and we note down our understanding of the client. This may unearth more possible risks. We gain access to client documents, minutes, legal documents and agreements, and past financial reports, and the bigger picture begins to form. We update some of our earlier impressions and go back with more questions.

Then we meet with our team and brainstorm about what they perceive as the risks (especially the inherent risks as we have already noted). We update our assessment of risk. We move identified items around the spectrum of inherent risk as we seek to bring the focus on what is significant.

Paragraph A48 points out the obvious: “…the auditor’s expectations may change as new information is obtained.” We draw initial conclusions, but we update these as our understanding of the client grows. Finally (?) we have a plan that has identified the significant risks and the most efficient ways to reduce audit risk to an acceptable level.

Then we start carrying out the work we have decided is required to respond to the risks identified. But (who knew?) more issues surface as we start digging, so we go back and revise our plan accordingly.

Paragraph 7 concludes: “In addition, this ISA (NZ) and ISA (NZ) 330 require the auditor to revise the risk assessments, and modify further overall responses and further audit procedures, based on audit evidence obtained from performing further audit procedures in accordance with ISA (NZ) 330, or if new information is obtained.”

This has always been what good auditors do intuitively and was inferred by the old standard. Practical wisdom would suggest taking the time to revisit our plans, not rushing ahead without being really clear on what the risks are and whether our responses are actually addressing those risks, and being flexible enough to adapt to new information as we go.

Who said herding cats isn’t fun?

17 May 2022

The fourth concept recognised in the new ISA 315 (paragraph 5) builds on the emphasis on inherent risk (IR) discussed in the last article and the need for a separate assessment of inherent risk and control risk.

ISA 200 tells us that inherent risk is higher for some assertions and related classes of transactions, account balances and disclosures than for others. The degree to which inherent risk varies is referred to in ISA 315 as the ‘spectrum of inherent risk.’ The concepts of the spectrum of risk and separate assessment of inherent and control risks were introduced in the ISA 540 standard on the audit of estimates. It is now to be applied across the board in this updated standard.

Also, as we have seen, RoMM at the assertion level for inherent risk is assessed in terms of likelihood of occurrence and magnitude of potential impact. These two factors are always to be considered in tandem, and the combination of a higher likelihood of occurrence and high magnitude creates a significant risk – like nitro-meets-glycerine!

Explosive risks – handle with care

As in the case of handling something explosive, much more care is needed for significant risks. Paragraph A12 states that “The higher on the spectrum of inherent risk a risk is assessed, the more persuasive the audit evidence needs to be.” Thus we are to focus our time and energy on the potentially explosive risks.

In discussing the magnitude of a risk, paragraph A211 states that we are to consider “…the qualitative and quantitative aspects of the possible misstatement…” That is, more than just the dollars, but including the nature and circumstances of the risk.

Paragraph A214 states that the auditor may use different scales or ways of categorising the elements of inherent risk; however, the important thing is that the result will ensure that “…the design and implementation of further audit procedures to address the identified risks of material misstatement at the assertion level is appropriately responsive to the assessment of inherent risk and the reasons for that assessment.”

What about a low-risk audit?

What if the client has no items towards the higher end of the spectrum? What work is then required? The standard does not give much guidance in these cases, although A219 says: “Being close to the upper end of the spectrum of inherent risk will differ from entity to entity, and will not necessarily be the same for an entity period on period. It may depend on the nature and circumstances of the entity for which the risk is being assessed.”

A sensible approach is to assume that while an entity may have few or no significant risks, the risks that rank highest are where the bulk of the work should be focussed.

28 April 2022

The third key concept in ISA 315 (Revised 2019), summarised in paragraph 4, relates to understanding Inherent Risk (IR) and Control Risk (CR).

We discussed that risk at the financial statement level relates to the financial statements as a whole. It may potentially affect many assertions and may not affect one account more than another. For example, if the management of the company is involved in fraud, or if the overall level of competence is such that controls are ineffective, this will be a Risk of Material Misstatement (RoMM) at the more global level (i.e. the financial statement level).

RoMM at the more granular (assertion) level may be split into Inherent Risk (IR) and Control Risk (CR). These are familiar concepts but the new standard formulates these and makes them much more specific, which is a good thing. We are explicitly required to consider inherent risk and control risk separately.

Inherent risk

Inherent risk (IR) is a central concept of the standard, mentioned in 109 places, as compared to control risk, mentioned only 16 times.

IR focuses on the raw reality of the entity before we consider any controls. What would the susceptibility of an assertion to material misstatement be if there were no controls? This is to be considered individually or when aggregated with other misstatements.

The standard now requires IR to be assessed on a spectrum. This spectrum is to be considered in terms of the likelihood of occurrence and the magnitude of the potential misstatement. These are to be considered in tandem.

For instance, it may be quite likely that a few pens may be taken from the stationery cupboard for private use, but the magnitude of misstatement should this occur is very low. Or there might be a volcano that destroys the city, which would be a high magnitude loss, but the likelihood of occurrence is low. In either case, these would not represent significant risks. The ideal way to display these IRs is graphically. For instance:

Any IR that is both likely to occur and with potential for high-magnitude impact must be regarded as a significant risk (para 12(l)). In the case above, we may identify the top five (circled) items as significant. This reflects good practice, but in the new standard, it is made crystal clear.

There is a new definition of Inherent risk factors in the standard (para 12(f)). This speaks of events or conditions that affect susceptibility to misstatement, whether due to fraud or error.

These may impact on an assertion about a class of transactions, an account balance or a disclosure. Such factors may be qualitative or quantitative and include considerations such as complexity, subjectivity, change, uncertainty or susceptibility to misstatement due to management bias or other fraud risk factors. All should be considered – generally just following common sense.

Why this emphasis on IR? It makes sense that we start with inherent risks, as these represent the fundamental potential for misstatement. Then, having considered these, we need only really concern ourselves with controls that address those risks.

For instance, if we instead started with control risk, we may identify poor controls over cash. But cash does not represent a material part of the business. So if cash is not inherently a material risk, is there any point concerning ourselves with the related controls? If we start with IR we will know this.

Control risk

Control risk (CR) describes a risk that a possible material misstatement (either individually or when aggregated with other misstatements) that could occur in an assertion, will not be prevented, or detected and corrected, on a timely basis by the entity’s system of internal control.

Paragraph 33 states: “If the auditor plans to test the operating effectiveness of controls, the auditor shall assess control risk. If the auditor does not plan to test the operating effectiveness of controls, the auditor’s assessment of control risk shall be such that the assessment of the risk of material misstatement is the same as the assessment of inherent risk.”

So, we are required to assess control risk (CR) only if we plan to test the operating effectiveness of controls or when substantive procedures alone will not provide sufficient appropriate audit evidence at the assertion level. Therefore, if we do not intend to rely on controls we do not need to test them, so CR effectively defaults back to our IR assessments.

This is a new concept. And it opens questions about how to respond in small entities that do not have many formal controls that we can test, but nevertheless, have a robust system of management and governance oversight which gives us considerable comfort. We shall return to these questions in a later post.
