8 December 2023

If you are preparing engagement letters for assurance engagements, there are some changes of which you should be aware. These are contained in PS 3: Terms of Engagement, issued by CAANZ. This applies to professional services entered into after 1 January 2024 (early adoption permitted).

What is different about the new standard to what auditors have commonly included in their engagement letters, and what updates have been made in the standard Audit Assistant templates?

The basic requirements for engagement letters are included in ISA 210 – Agreeing the Terms of Audit Engagements. Our standard built-in Audit Assistant engagement letters are based on the ISA 210 examples with some additional content (such as optional Bannerman clauses). Most of the requirements in PS 3 that pertain to audits are already covered in ISA 210, however, there are a couple of important additional pieces of information required as follows:

Basis of Fees

The letter is to identify “the basis on which fees will be calculated and clearly define the billing arrangements including specifying any consequences of nonpayment.” (para R2.4) Many firms currently include this detail in their annual Audit Planning Letter (also known as an Arrangement Letter). It now must be in the Engagement Letter and include (from Appendix 2) such things as:

  • What is the method and basis of billing (time and cost including rates, fixed fee including the scope of services covered and what services would result in additional charge, etc.).
  • When will bills be rendered (frequency and estimated timing).
  • What the payment terms are, including what happens if the client does not pay by the agreed date (i.e. whether interest and/or penalties will be charged and/or whether a lien will be asserted)
  • Whether the member will progress bill for the engagement.
  • How the member will price a change in scope.

The Appendix also states that “The member should also consider including an initial fee estimate, if possible.” If a fixed fee is being used this amount would be included. One of the implications of this change is that a fresh engagement letter may need to be issued annually. As this will depend largely on the individual firm policy and possibly be different for various clients these details may need to be added on a case-by-case basis.

We have added a standard paragraph to our latest engagement letters, (based on what is in our annual planning letters) which may be edited as required.

Services from a Service Provider

Where a member uses services from a service provider to perform their professional services for a client and the member will disclose the client’s confidential information to that service provider, the disclosure permissions required must include disclosure of (per para R2.7):

  • the identity of the service provider;
  • the service used;
  • how and where the client’s confidential information will be used and/or stored (including geographical location, where identifiable, or a statement that this geographical location cannot be identified and the reason(s) why not); and
  • any other information that is required to comply with applicable technical and professional standards. and laws and regulations.

This includes contractors and cloud-based processing or data storage services. A service provider is defined as “an individual or organisation external to the firm that provides a human, technological, or intellectual resource that is used in the performance of engagements.”

Fortunately, if you use Audit Assistant this is straightforward. All the client data is encrypted – including transfers – and maintained within Australia and NZ. No client data needs to be transferred outside of the software if the ‘sharing‘ and ‘requests‘ features are used.

We have added a paragraph to this effect under the “Ownership of and access to audit file” paragraph in our standard Engagement Letters.

Complaints policy

The engagement letter is to “… include a description of the firm’s complaints policy.” This should mirror how the firm handles complaints as per their Quality Management policies and procedures. This may include the use of mediation services. Again, this will depend largely on the individual firm policy.

We have added a basic response to our standard engagement letters as follows:

“If you have any concerns about our costs or services, please speak to the person responsible for this engagement (signed below). We have policies and procedures in place to deal appropriately with any complaints and we will do our best to resolve any issues that may arise. We suggest that any such complaint be made in writing to allow us to investigate the issue raised.”

You may edit this if you require something more bespoke.

Use and distribution of the report

If there are any restrictions on who should have access to the audit report or other outputs of the engagement, these restrictions should be clearly stated in the terms of engagement. An appropriate disclaimer should also be included. (para 11)

This is normally specified in the audit report itself, an example of which is normally attached to or quoted within the engagement letter. PS 3 states that this should be included in the letter, along with a suitable disclaimer.

We have added space into the Reporting section of our standard engagement letters for the manual insertion of any such restrictions.

Other matters

Ownership of documents and Confidentiality:

This is already included in our audit templates.

Period of application:

The period of the first financial statement is stated. Ongoing application is covered in broad terms to the effect that, “This letter will be effective for future years unless it is terminated, amended, or superseded by either ourselves or the (governing body).”

Identity of client:

The full legal name of the client and the kind of governing body should be used when setting up the audit file, so it is very clear who the legal body is that the firm is contracting with. These details carry automatically into the engagement letter within Audit Assistant. If the entity is a group the group’s legal name should be used or (and Group) be added to the client name.

Description of services:

Audit engagements are usually very clear, and this is explicit in the Objective and Scope paragraph. However, if any additional services are being provided – such as the completion of any additional reports – these should be added manually to the letter.

Client responsibilities:

Again, this is generally spelled out fairly clearly in the standard audit engagement letters, but PS 3 does recommend that if there are any critical deadlines for the supply of information this should be identified, and if there is any specific access to data permissions required that this also be included. These issues are currently covered in our annual audit planning letter, however, you may wish to manually add them in the engagement letter as well if they are critical to the work.


This is covered in current templates.


PS 3 points out that the client’s acceptance (signed and dated) is essential. This is covered in the current templates, however, firms must ensure that this is done and the signed version is attached to the audit file.

Additional recent updates to engagement letters and audit reports

In addition to the above, there has been a small update made to the wording of engagement letters and audit reports for IFRS entities due to an update in NZ IAS1 – Presentation of Financial Statements.

The wording “including a summary of significant accounting policies” must now read “including material accounting policy information.” We have updated this in relevant engagement letters and audit reports.

We have also updated our NFP engagement letters and audit reports to reference NZ AS1 (Revised) with appropriate language to reflect some terminology changes in the new Tier 3 and 4 NFP standards.


The templates in the 2024 series audit templates have been updated for the new content. Some areas need to be manually completed (marked yellow) for fee estimates and restrictions on use and distribution. The letters may also be customised on a job-by-job basis by clicking the customise button in the bottom right. You should read through the letter to make sure it is appropriate, but there should be nothing further required if you have selected the correct options where there are potential reporting variations etc.

If you are updating from an earlier template and you have used the previous engagement letter and this has been rolled forward this should be deleted and then the new version will be able to be selected.

5 September 2023

For those who prepare and audit financial statements for “small” (under $2m expenditure) charities and other not-for-profits, there are some important changes coming up.

In New Zealand, these smaller entities are very common – there are about 30,000 of them including some soon to be included in this reporting under the Incorporated Societies Act 2022.

The Standards have a mandatory date of 1 April 2024, meaning they must be applied for accounting periods that begin on or after 1 April 2024. A Tier 3 or 4 entity may choose to apply the Standard before the mandatory date for accounting periods that end after the Standard takes effect on 15 June 2023. 

The Tier 3 standard – now called  “Tier 3 (NFP) Standard –  Reporting Requirements for Tier 3 Not-for-Profit Entities” – continues to be accrual-based. And Tier 4 – now called  “Tier 4 (NFP) Standard – Reporting Requirements for Tier 4 Not-for-Profit Entities” – is a cash-based alternative for smaller entities (under $140k expenditure).

This article focuses on the Tier 3 (NFP) standard, which tends to be much more commonly used than the cash-based standard even for many smaller entities – as it is much more like traditional reporting. We will look briefly at the Tier 4 changes at the end.

Service performance

When the standards were introduced there were no NZ reporting or auditing standards for Service Performance Information (SPI). Now we have PBE FRS 48 for Tier 1 and 2 entities, and NZ AS-1 (shortly to be NZ AS1 (Revised)) for the audit of Service Performance Information (SPI) across all the tiers.

In a way, the changes in Tier 3 are simply following the direction set by PBE FRS 48 and NZ AS-1. The terms Outcome and Output were always confusing, so these are being replaced with more descriptive terminology as per PBE FRS 48.

There is also some helpful guidance provided about what to report as SPI, and how to report it. Reporting must be (as per para A14):

  • Relevant and faithfully represented
  • Understandable
  • Timely and comparable
  • Verifiable

As such, any changes in reporting from the prior year must be explained, so there is consistency in reporting.

From an audit perspective, NZ AS-1 (Revised) is a great improvement on the previous more complex standard that now feels like a better fit for smaller entities.

Changes to standard revenue and expenditure categories

A common criticism of reporting under the existing Tier 3 standard was that the reporting categories were so broad as to be almost meaningless in some cases. The new standard splits some of the categories into smaller classifications. For instance,

  • Commercial activities are split out;
  • Grants for capital projects are split from other grants;
  • Government funding is split from non-governmental funding;
  • Donations are now clearly differentiated from membership fees and subscriptions;
  • Employee remuneration (apparently including those paid as contractors) is to be split out from volunteer and other employee expenses.

Preparers of performance reports will be able to tweak the names of the categories, but will not be allowed to add additional categories as before. (para A68) This is probably for aggregation and analysis purposes. This will make the Statement of Financial Performance more meaningful and reduce the need for extensive notes breaking down the categories.

Revenue recognition changes

The old standard was fairly inflexible in matching revenue from grants and other bequests and gifts with the use of that money. Donations with a use or return condition were recognised as the condition was fulfilled. Any income without such a condition was recognised in the period it was received.

Under the new standard, if there is a clear expectation of when funds are to be used in terms of an agreed expectation from the grantor, the revenue may be recognised as or when the conditions are satisfied. See the decision tree below which is from the standard:

This seems like a clear, common-sense response, more in line with the commonly accepted matching principle of accrual accounting.

Alternative measurement for assets

Under the old standard, if fixed assets are revalued, the Tier 2 standard must be used. The new standard allows revaluation based on say, RV (rateable value) for land and buildings, or valuation by an independent qualified valuer. (para A133) Depreciation must still be calculated on revalued assets. (para A134)

Changes are made straight to a separate property, plant and equipment revaluation reserve within accumulated funds in the Statement of Financial Position. The whole class of assets must be revalued. Once a revaluation is made there must be consistency going forward, with no changing back to other methods, and revaluation updates made on a regular schedule. (para A139)

Assets classed as investment properties may be accounted for in the same way. (para A144) Where an entity holds investments that are publicly traded, it may elect to measure that class of investment at its current market value. (para A145) It may elect to recognise gains/losses on revaluation of publicly traded investments either in revenue or expenses in the statement of financial performance, or in accumulated funds in a separate investment revaluation reserve. (para A148) 

Accumulated funds

In the old standard, there was no requirement to disclose any details of accumulated funds. The new standard says that to make information understandable to users, the balance of accumulated funds is to be aggregated and presented separately in categories, as applicable. These include any capital contributed by owners, accumulated surpluses or deficits, revaluation reserves (as above), restricted and discretionary reserves, and any other reserves. (para A175)  

For transparency, there is to be a note that discloses objectives and policies for managing accumulated funds and any plans for applying accumulated funds to meet the entity’s objectives. (para A231-A235)

This seems to be designed to make entities think about why they have significant reserves (if in fact, they do) and perhaps how they could be better using these to meet their objectives. If they view their reserves as investments, are they making the best use of their capital? Could they be meeting their objectives in more efficient ways with a redeployment of their equity?

On the other hand, many charities certainly don’t have excess cash or investments and their equity simply represents assets such as land and buildings that are essential to their service delivery. Having to make up a nice story to put into a note in these cases seems a bit pointless – and could be difficult to audit.

Simplification to the statement of cash flows

Cash flow statements are typically a headache for both preparers of financial statements and auditors. Accounting software often struggles and the results are hard to audit and hard for users to understand.

The new standard aligns the categories in the Statement of Cash Flows with the categories in the Statement of Financial Performance. The Statement of Cash Flows is to be essentially a statement of receipts and payments.

Tier 4 changes

There are a couple of changes for Tier 4 (NFP) reporting. These reflect the changes in categories for Tier 3, changing the language around outcomes and outputs, removing the need for a “Statement of Resources and Commitments” and replacing this with significant assets and significant liabilities listed in the notes. The name of “Statement of Receipts and Payments” is changed to “Statement of Cash Received and Cash Paid.”

Transition to the new standards

The changes currently being adopted to reporting for small charities (Tier 3 and 4) have been largely welcomed as positive and sensible. However, there will be some transitional issues that will present challenges to preparers and auditors, for the first year of adoption when the old standard was previously used.

Some of the key items to keep in mind are as follows:

  • Comparatives will need to be restated to line up with the new categories (unless it is impractical to do so). (para C14)
  • Revenue recognition changes will be treated as changes in accounting policy with an appropriate note. (para C15)
  • Adopting the revaluation provisions will need to be acknowledged as a change in accounting policy. (para C18)
  • An entity previously using a Tier 2 standard may continue to do so, or change to the new option, however, this will be a change of accounting policy. (para C21)

Note that there may still be the requirement to use Tier 2 standards where consolidated financial statements, investments in associates or joint ventures, or joint arrangements are involved. (para D1) It may also apply other specific standards to specific transactions. (para D2)

We have included checklists for the new standards, including transitional requirements, in our new Tier 3 and 4 (NFP) Review (2023) templates, our new Tier 3 and 4 (NFP) Audit (2023) templates, plus we have stand-alone checklists for preparers of financial statements to use.

4 September 2023

I have good news and bad news.

The good news is that the new standard for the audit of service performance (NZ AS1 (Revised)) is actually much simpler than the original standard released three years ago. The bad news is the shambles created by rushing through the original standard without proper consultation, deferring it twice, and then effectively cancelling it altogether.

Diligent auditors (and software/content developers) front-footed it and adopted NZ AS1 anyway, thinking we were doing a good thing – despite complaints from our customers about how complex it was – only for it to be deferred.

We had updated our templates and encouraged auditors that this was the way to go, knowing that it would apply sooner or later, and although the standard was a bit of an overkill for smaller entities, it seemed to fit well with its sister reporting standard for Tier 1 and 2 PBE’s – PBE FRS-48.

Those firms that muddled along using bits and pieces from ISAE (NZ) 3000 (Revised) and EG Au9 can now go straight to the new standard, without the pain of having to do that hard work. One up for procrastination!

Anyway, now that I’ve got that off my chest, what about the new standard? And why was it changed?

The XRB issued a statement in July 2023 explaining the rationale for the changes. One major issue was that the Office of the Auditor-General raised concerns regarding the suitability of NZ AS 1 for the public sector.

So the standard, while already released, was at the last minute deferred to allow time for the XRB to work with the OAG to address these concerns and consider the future application of NZ AS 1. This was after the original 12-month deferral due to COVID – which also reflected the deferral of PBE FRS-48.

PBR FRS 48 was released at a similar time to the original NZ AS1. The language was aligned – in that “service performance information” was used instead of the “outcomes” and “outputs” language of the old Tier 3 and 4 standards. I get the feeling that the original NZ AS1 was really made for large Tier 1 and 2 PBE entities without a lot of thought given to small charities.

The new standard changes the language from the complex audit-speak to friendly terms like “appropriate and meaningful.” (Para 25 describes what this means.) This is to be applied as follows:

• Are the elements/aspects of service performance that the entity has selected to report on appropriate and meaningful?
• Are the performance measures and/or descriptions the entity has used to report on what it has done in relation to those elements/aspects of service performance during the reporting period appropriate and meaningful?
• Is the measurement basis or evaluation method used to measure or evaluate the performance measure and/or description appropriate and meaningful? (para 7(a))

The questions above form the first step of the two-step process.

The second part is to assess whether the reported service performance information fairly reflects the actual service performance and is not materially misstated. (para 7(b))

To carry out this part, we need to apply our risk identification skills. The standard echoes the emphasis of ISA 315 (Revised 2019) focusing first on Inherent Risk (risk before consideration of any related controls), then Control Risk.

Then we basically just follow normal audit procedures, but include consideration of service performance information and controls when we look at things like entity and environment, regulatory framework, control systems, materiality, analytical review, and deciding how much reliance to place on controls testing, analytical review and substantive testing.

This will of course impact our documentation and the content of our engagement letters, representation letters, and audit reports, as they relate to responsibilities of governance and the auditor’s responsibilities. Our updated templates have taken all this into account.

The standard emphasises that we “…develop an audit plan with a single audit approach to concurrently cover the service performance information and the financial statements.” (para 20)

Part of the reason for this change is that since the original standard there have been a couple of other major standards released.

It seems that ISA 315 (Revised 2019) has mainly influenced the changes. Much of the language of (NZ AS1 (Revised)) is directly parallel to ISA 315 (Revised 2019) – which is a good thing.

The other influence is the new Tier 3 and 4 NFP Standards. Again they have taken out the “outcomes” and “outputs” language (which very few people actually followed or understood), and replaced it with the nice broad term “service performance information.”

When do we have to use the new NZ AS1 (Revised) standard?

NZ AS 1 (Revised) was approved for issue in July 2023. It is applicable for periods beginning on or after 1 January 2024. Note that it may be early-adopted for periods ending after 24 August 2023 – so essentially jobs ending from now. Auditors may use either the current NZ AS1 or ISAE (NZ) 3000 (Revised) until then. The following graphic is from the XRB:

To accommodate for the new standard we have (so far) reworked our latest Tier 3 and 4 (NFP) templates for both the change to the new Tier 3 and 4 (NFP) standards and also to NZ AS1 (Revised).

So, because it is not cost-effective to revise our current Tier 3 and 4 PBE templates from using NZ AS1 to NZ AS1 (Revised), then create a new set of templates for using the new Tier 3 and 4 (NFP) standards with NZ AS1 (Revised) we have added both updates into our Tier 3 (NFP) 2023 and Tier 4 (NFP) 2023 templates. Basically, if the client is using the new Tier 3 and 4 reporting, then use the new template, which will also give you NZ AS1 (Revised).

So we are suggesting that users step up to NZ AS1 (Revised) while also stepping up to the new Tier 3 and 4 (NFP) standards, by swapping to our 2023 NFP series templates (see flowchart below). Note that the new templates are marked NFP, while the existing ones are PBE. We did this to differentiate as they are all marked as 2023! We have not yet updated our Tier 1 and 2 templates for NZ AS1 (Revised). This will happen in the next month or two.

To treat this as a “…single audit approach to concurrently cover the service performance information and the financial statements…” we have integrated the service performance steps into existing pages – rather than treating them as separate pages as in the existing template. For instance Entity and Environment includes some questions related to Service Performance, as does materiality and internal control checklists. This should simplify the work considerably compared to our extant templates.

When do we get the new Tier 3 and 4 (NFP) templates?

The new Tier 3 and 4 NFP templates are up now (5 September 2023), but we are not flagging existing jobs to push to upgrade because there will still be jobs that use the old Tier 3 and 4 standards. So wait until the client adopts the new reporting standards, then update manually to the new template after rollover.

The Standards have a mandatory date of 1 April 2024, meaning the Standard must be applied for accounting periods that begin on or after 1 April 2024. However, these new standards may apply for accounting periods ending after 15 June 2023 – so any balance dates from 30 June this year may be using the new Tier 3 or 4 standards.  Hence the reason we have been pushing to update our Tier 3 and 4 audit and review templates.

We have reduced our current templates for the update to the new standards. Instead of two Tier 4 (one full ISA and one reduced for smaller entities that we call our ‘LCE’ versions), we now just have the compact version for the new NFP standard. For Tier 3, we will still have an LCE version for simpler entities and a full ISA version, but we have combined the ‘group’s’ content back into this one as well. So now there are two instead of three options.

To summarise:

9 March 2023

Audit Assistant has been making online collaboration tools for auditors for many years, so we thought why not use this incredible functionality to help accountants who prepare financial statements as well?

If you carry out the preparation of financial statements for audit, or review, or just want to have a great paperless compilation process to streamline your business advisory services practice, we have the tool for you.

The annual compilation file meets the need for a central digital repository for annual compilation work. It includes financial reporting checklists for:

  • Tier 1 and 2 Public Benefit Entities
  • Tier 1 and 2 For-Profit Entities
  • Tier 3 Public Benefit Entities
  • Special Purpose (SPFR for FPE) Companies

The output is a PDF that can then be sent directly to your auditor or reviewer, which contains most of what they will need for their work. Alternatively, you can give them direct access to the file so they can pull the data they need for their audit or review file.

Other great features include:

  • Checklists to gather data from your clients via the internet
  • Checklists for confirming compliance with SES-2 and Code of Ethics requirements
  • Standard engagement letters and completion letters including suggestions generated during the work
  • A requests feature whereby client queries are responded to directly into the file
  • Trial balance upload from Xero and other common software that populates ‘lead schedules’ for sections (income, expenditure, bank, debtors etc.)
  • PDFs or spreadsheets can then be added to the correct part of the file supporting the different items in the financial statements
  • External links may be added to say the business website, online repository or client online software
  • Journals may be created from the system that updates the trial balance and form source documents for posting to the client ledger
  • Key Documents such as minutes, constitutions, contracts etc may be uploaded and brought forward each year for reference
  • At completion, the job is rolled over, and ready for the next year, with much of the work just needing to be brought forward and updated for the new year
  • Rollover produces a PDF of the whole job plus attachments for archiving

More than 40% of NZ audit firms use our auditing software, so it makes sense to use our proven and familiar tools to prepare data for your auditor, saving time and hassle.

The Accountants Tool package is designed primarily for CA firms preparing multiple jobs but is also suitable for entities that prepare their performance reports and financial statements in-house. We provide special discount pricing packages in these cases.

Contact us to find out more or for a free demonstration.

21 February 2023

Is this project that we have all eagerly anticipated actually going to happen? It appears so. I recently attended an IFAC webinar (recording is here) that explained the latest developments.

I wrote about this back in 2021 when the draft standard was released. It seems that there has been a bit more clarity as to the application of the standard.

Originally groups were to be excluded from the scope of the standard, however, common sense has now prevailed and groups that meet LCE criteria may now be included. Using component auditors will be acceptable, as components don’t necessarily equate to complexity. An additional section has been added to the original exposure draft discussing the application to components and groups.

The webinar participants reiterated that the standard does not give a lesser level of assurance than a full ISA audit, and audit reports will be essentially unchanged. The standard focuses on core procedures and does not include much explanatory information. It is designed to follow the flow of an audit. It also uses more direct language than the ISAs.

Concerns had been expressed that there seemed to be too much judgment required in whether the standard could be applied. To clarify the scope, the IAASB has agreed to enhance the description of the qualitative characteristics of an LCE and will include an expectation for jurisdictions to determine quantitative thresholds, I assume in terms of say turnover, assets, staffing, or ownership complexity.

Since the LCE standard was proposed, we have had the new ISA 315 (revised 2019). This focus on risk identification and assessment has also flowed through to the LCE standard, with some revision of Part 6 to make it align more with the approach of ISA 315 (revised 2019).

Finally, when can we expect to enter this audit utopia? The finalisation date for the international standard is December 2023. It is then just a matter of how proactive the XRB and other key NZ stakeholders will be in adding any quantitative thresholds and releasing it into the wilds of Aotearoa.

This is going to be a game changer for auditors in NZ, as most of the work we do should fall into the scope of the LCE standard, and most charities and not-for-profits will have fit-for-purpose standards and not have to use auditing standards designed for multinational corporates. Auditors will be partying in the streets when this new standard is released.

7 December 2022

We’ve talked about risk assessment, professional scepticism, responding to identified risks, and the business model in terms of ISA 315 (revised 2019). But the bulk of the actual requirements of the standard (paragraphs 19-27) relate to, as the heading puts it: ‘Obtaining an Understanding of the Entity and Its Environment, the Applicable Financial Reporting Framework and the Entity’s System of Internal Control’. This is the topic of this article.

The new approach to understanding the entity and environment – especially its controls – is fairly significant. The easiest way to express this is to compare the requirements of the old ISA 315 with the revised 2019 version.

Entity and Environment

Paragraphs 19-20 address Understanding the Entity and Its Environment, and the Applicable Financial Reporting Framework.

Paragraph 19(a)(i) specifies that we obtain an understanding of the entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT. Understanding the organisational structure, ownership and governance were previously required under ISA 315, 11(b)(ii). The requirement to understand the business model, and the extent to which this integrates the use of IT is new. We have discussed this at length in a previous article.

Paragraph 19(a)(ii) specifies that we obtain an understanding of industry, regulatory and external factors. This was required in the old standard under paragraph 11(a). The supporting information in paragraphs A68-A73 is worth a read to refresh yourself as to the scope of what is required here. Good general knowledge of the economy, the current issues with the specific industry and the inputs and outputs of the entity are likely to be extremely helpful, and points to be discussed and documented in the team meeting.

Paragraph 19(a)(ii) specifies that we obtain an understanding of the measures used, internally and externally, to assess the entity’s financial performance. This replaces the old paragraph 11(e) requirement to obtain an understanding of the measurement and review of the entity’s financial performance. The difference is specifying internally and externally. The supporting information in paragraph A74 explains that this helps us to consider whether such measures, whether used externally or internally, may create pressure on the entity to achieve performance targets, motivating management to take actions that increase the susceptibility to misstatement due to management bias or fraud. Again, something to discuss in the team meeting. Paragraphs A74-A77 are well worth reading.

Paragraph 19(b) states that we obtain an understanding of the applicable financial reporting framework, and the entity’s accounting policies and the reasons for any changes thereto. This was covered previously in paragraph 11(c). There are three parts to consider: the applicability of the framework, how this fits with the actual policies, whether there have been any changes, and if so, whether are these justified.

Paragraph 19(c) states that we must obtain an understanding of how inherent risk factors affect the susceptibility of assertions to misstatement and the degree to which they do so, in the preparation of the financial statements in accordance with the applicable financial reporting framework, based on the understanding obtained in (a) and (b). This is new. If follows the emphasis in the revised ISA 315 on inherent risks. In paragraphs A87-A89 the emphasis is on susceptibility to misstatement relating to complexity or subjectivity. The greater the complexity or subjectivity, the greater the risk, and the more professional scepticism is required.

Finally, paragraph 20 requires us to evaluate whether the entity’s accounting policies are appropriate and consistent with the applicable financial reporting framework. This was also covered in the old 11(c) paragraph.

It is also interesting to note what has been dropped out. The old ISA 315 11(b) specified that we understand the operations of the entity, the types of investments that the entity is making and plans to make including investments in special-purpose entities, and how the entity is financed. These are all now covered in Appendix 1, which includes these and many more examples of matters to consider when understanding the entity.


The new standard splits the analysis of controls into:

  • the control environment (paragraph 21),
  • the risk assessment process (paragraphs 22-23),
  • the entity’s process to monitor the system of internal control (paragraph 24),
  • the information system and communication (paragraph 25) and
  • control activities (paragraph 26).

These components were previously covered in general terms in paragraphs 12-23 of the old standard, but the new standard is more specific and detailed and will require more work to provide the detail required. Each element must be separately assessed, even though there will be significant common ground. Note too that this work is required whether or not there is any reliance to be placed on controls. This is a risk assessment exercise.

For instance, we must now identify what controls, processes and structures address how management’s oversight responsibilities are carried out, such as the entity’s culture and management’s commitment to integrity and ethical values. (Paragraph 21(a)(i))

This seems a bit over the top for a smaller entity. This is where the scalability provisions can help. Paragraph A16 says: The nature and extent of risk assessment procedures will vary based on the nature and circumstances of the entity (e.g., the formality of the entity’s policies and procedures, and processes and systems). The auditor uses professional judgement to determine the nature and extent of the risk assessment procedures to be performed to meet the requirements of this ISA (NZ).

Paragraph A17 further states: Although the extent to which an entity’s policies and procedures, and processes and systems are formalized may vary, the auditor is still required to obtain the understanding in accordance with paragraphs 19,21,22, 24, 25 and 26.

It continues with an example: Some entities, including less complex entities, and particularly owner-managed entities, may not have established structured processes and systems (e.g., a risk assessment process or a process to monitor the system of internal control) or may have established processes or systems with limited documentation or a lack of consistency in how they are undertaken. When such systems and processes lack formality, the auditor may still be able to perform risk assessment procedures through observation and enquiry.

So we still need to ask the questions, but in the light of the small scale of the entity, on enquiry, the answer might be ‘no formal system, however, ethics are emphasised by example and in staff and board meetings.’

For smaller and less complex entities. meeting all the specific requirements of this part of ISA 315 (revised 2019) may seem tedious, but until we get a standard for LCEs it is, unfortunately, unavoidable.

<< previous article

21 October 2022

Ever wish you could take your current complex review and documentation processes and put them into one bespoke, secure, elegant online solution without spending hundreds of thousands of dollars? Now you can.

Or go next level and become a provider of that content, reselling it to other firms in your industry? This is what ReviewTools from Audit Assistant offers.  

Audit Assistant has been the online tool of choice for the majority of New Zealand SME financial auditors for over ten years. We have now taken this experience and applied it to building ReviewTools  – a secure platform for complex process and assurance work for a wider range of applications.

ReviewTools offers a flexible and powerful base with numerous built-in features that can be flexibly configured for all sorts of diverse, complex review applications.

ReviewTools is an ideal platform for small team collaboration in real-time in complex risk-based and standards-driven processes – perfect for industries and professions where documentation is critical, and evidence gathering and client interaction must be tracked within the application.

ReviewTools includes:

  • Integrated signup, customer management, billing and reports.
  • Built-in two-factor authentication,
  • Encrypted file storage,
  • A professionally hosted and maintained database,
  • Backup and restore service,
  • Risk assessment processes,
  • Customisable team roles,
  • Real-time team interaction,
  • Multi-level review processes,
  • Sampling and analytics tools,
  • Integrated letter and report creation,
  • Uploadable file attachment,
  • Annual rollover if required,
  • Client query tool
  • Invitation for client access to individual pages for data gathering,
  • Hyperlinks to online standards,
  • Dynamic job creation,
  • Export of completed work to PDF,
  • Full dashboard for work tracking and milestones,
  • Ability to customise structure and content as required,
  • Help from our staff with building your application as required,
  • Access from multiple devices.

Let us help take your current workflows and build them into a tight, secure, integrated package – or develop a professional-grade cloud-based product with basic skills using the ReviewTools platform. Leverage your product on our reputation of delivering professional cloud services for over ten years.

Our team can also provide:

  • Help with marketing via our existing networks,
  • Additional custom features if required,
  • Legendary personal support to get you up and running.

What could cost hundreds of thousands of dollars to build from scratch will soon be available to you on a PaaS (Platform as a Service) basis for a monthly subscription.

Contact us to talk about your idea, and how ReviewTools can get your application up and running fast.

24 August 2022

The concept of understanding an entity’s business model, including how it uses Information Technology (IT) is new in ISA 315 (Revised 2019).

Understanding the business model sounds like child’s play, but in the context of exploring inherent risks, it presents a powerful tool to understand the entity.

Paragraph 19(a)(i) tells us that:

The auditor shall perform risk assessment procedures to obtain an understanding of… The entity’s organisational structure, ownership and governance, and its business model, including the extent to which the business model integrates the use of IT.

Paragraph A61 explains why this is necessary.

Understanding the entity’s objectives, strategy and business model helps the auditor to understand the entity at a strategic level, and to understand the business risks the entity takes and faces. An understanding of the business risks that have an effect on the financial statements assists the auditor in identifying risks of material misstatement, since most business risks will eventually have financial consequences and, therefore, an effect on the financial statements.

Organisational structure, ownership and governance are generally simple enough to understand and document, but ‘business model’ is a more nebulous term. Looking at every business risk could be a rabbit hole that swallows a lot of audit time.

However, business risk itself is not a new concept. The old standard defined it as:

A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies.

What actually is a business model?

Wikipedia defines a business model as follows:

In theory and practice, the term business model is used for a broad range of informal and formal descriptions to represent core aspects of an organization or business, including purpose, business process, target customers, offerings, strategies, infrastructure, organizational structures, sourcing, trading practices, and operational processes and policies including culture.

So our client may have adopted one of the following business models:

  • Bricks and mortar retail model
  • Value-added reseller model
  • Franchise model
  • Subscription model
  • Online sales retail model
  • B2B model – etc.

These are useful to identify and document in our file, but that is still very broad. Paragraph A62 tells us that ‘Not all aspects of the business model are relevant to the auditor’s understanding.’ We need only concern ourselves with those that give rise to the risk of material misstatement.

The standard itself, in Appendix 1(1), says:

The entity’s business model describes how the entity creates, preserves and captures financial or broader value, for its stakeholders.

This is all-encompassing but lacking in specifics. Appendix 1(3) tells us that a description of a business model typically includes:

  • The scope of the entity’s activities, and why it does them.
  • The entity’s structure and scale of its operations.
  • The markets or geographical or demographic spheres, and parts of the value chain, in which it operates, how it engages with those markets or spheres (main products, customer segments and distribution methods), and the basis on which it competes.
  • The entity’s business or operating processes (e.g., investment, financing and operating processes) employed in performing its activities, focusing on those parts of the business processes that are important in creating, preserving or capturing value.
  • The resources (e.g., financial, human, intellectual, environmental and technological) and other inputs and relationships (e.g., customers, competitors, suppliers and employees) that are necessary or important to its success.
  • How the entity’s business model integrates the use of IT in its interactions with customers, suppliers, lenders and other stakeholders through IT interfaces and other technologies.

These are all helpful points to consider and document in our audit work and to flag and analyse the inherent and control risk that we identify.

A 2014 paper by the UK and French standard setters discussing the role of the business model in financial statements state that the first time the term ‘business model’ appeared in the IFRS literature was in 2009 when IFRS 9 (Financial Instruments) was issued. In defining the term business model for use in reporting standards they say:

…there is overall agreement, as evidenced by the responses received, that if the term business model is used in financial reporting, it focuses on the value creation process of an entity, i.e. how the entity generates cash flows.

So moving in from the broad description, we need to start to identify how the entity generates cash flows. In a 2014 paper on Business Models in Integrated Reporting, IFAC state that:

An organization’s business model is its system of transforming inputs, through its business activities, into outputs and outcomes that aim to fulfil the organization’s strategic purposes and create value over the short, medium and long term.

Application to audit work

Cash flows are generated and value is added by a cycle of inputs and outputs. From a risk identification auditing perspective, this is a helpful paradigm, especially in our current climate. Continuing inputs of raw materials, labour, land and capital are no longer a given with complex regulation, supply chain issues, labour shortages, restrictions on land use, and the spectre of inflation.

Similarly, the ability to continue to assume a market based on these disruptions is not as certain as it was a few years ago. We live in uncertain times.

Paragraph A63 acknowledges this by giving the following examples of possible risks:

  • Inappropriate objectives or strategies, ineffective execution of strategies, or change or complexity.
  • A failure to recognise the need for change may also give rise to business risk, for example, from:
    • The development of new products or services that may fail;
    • A market which, even if successfully developed, is inadequate to support a product or service; or
    • Flaws in a product or service that may result in legal liability and reputational risk.
  • Incentives and pressures on management, which may result in intentional or unintentional management bias, and therefore affect the reasonableness of significant assumptions and the expectations of management or those charged with governance.

All these potential risks are exacerbated in uncertain times. Paragraph A64 lists specific matters we should consider:

  • Industry developments, such as the lack of personnel or expertise to deal with the changes in the industry;
  • New products and services that may lead to increased product liability;
  • Expansion of the entity’s business, and demand has not been accurately estimated;
  • New accounting requirements where there has been incomplete or improper implementation;
  • Regulatory requirements resulting in increased legal exposure;
  • Current and prospective financing requirements, such as loss of financing due to the entity’s inability to meet requirements;
  • Use of IT, such as the implementation of a new IT system that will affect both operations and financial reporting; or
  • The effects of implementing a strategy, particularly any effects that will lead to new accounting requirements.

Paragraph A65 points out that ‘Ordinarily, management identifies business risks and develops approaches to address them.’ so our risk assessment process should include assessing this as part of reviewing the internal controls, as under the old standard.

Appendix A(4) concludes:

A business risk may have an immediate consequence for the risk of material misstatement for classes of transactions, account balances, and disclosures at the assertion level or the financial statement level.

So to sum up, understand the business, think outside the square in terms of how inputs and outputs work, and what the associated risks might be. Then stay focussed on those things that actually represent a risk of material misstatement.

<< previous article next article >>

5 August 2022

Remember CAATs? This was an acronym for Computer Assisted Audit Tools – a general category for all things computery that helped us work with more efficiency and power.

Now that virtually all we do uses a computer, ISA 315 (Revised 2019) does not refer to CAATs but to Automated Tools and Techniques (ATTs).

This kind of thing gets audit software developers like us salivating like Fluffy when the fridge door opens. But let’s stay calm and examine what the standard says first.

So what do we know about ATTs?

The standard doesn’t define ATTs, however the recently issued IAASB First Time Implementation Guide simply calls them “procedures performed leveraging the use of technology”. These may be used for risk assessment procedures, and also for obtaining audit evidence. The IAASB points out that:

The procedures for obtaining audit evidence as set out in ISA 500, Audit Evidence, i.e., inspection, observation, external confirmation, recalculation, reperformance, analytical procedures and inquiry, continue to apply, regardless of whether those procedures are performed manually or using technology.

In matters like this, the new standard helpfully acknowledges that we may be auditing vastly divergent entities. Paragraph 9, titled ‘Scalability’, states:

This ISA (NZ) is intended for audits of all entities, regardless of size or complexity and the application material therefore incorporates specific considerations specific to both less and more complex entities, where appropriate.

It is up to the auditor’s judgement to determine whether to use an ATT or some more manual procedure. For instance, there would be no point in carrying out fancy data analytics for fixed assets additions where there are only a few items. Better to just use judgement. ATTs come into their own where there is so much data, or a level of opaqueness, such that the auditor cannot possibly just ‘eyeball’ the content.

Examples from the standard

Looking at some of the suggestions for the use of ATTs in the explanatory material, paragraph A21 suggests performing “risk assessment procedures on large volumes of data (from the general ledger, sub-ledgers or other operational data) including for analysis, recalculations, reperformance or reconciliations.”

Most of our users tend to do this by entering the trial balance data for up to four years, and then populating analytical review pages that show current to prior year movements, deviations from the budget if required and various key ratios over time. Identified risks may then be flagged and analysed as required directly from the TB or AR pages. Detailed recalculations, reperformance or reconciliations tend to be best done using a spreadsheet and adding to the file as an attachment.

Paragraph A57 suggests that the auditor use ATTs “to understand flows of transactions and processing as part of the auditor’s procedures to understand the information system.” This may provide insight into vendors, customers, and related parties, simply by sorting say a purchases ledger in a spreadsheet by supplier name, or using a search function to look for known related parties.

Paragraph A137 suggests using direct access to the entity’s database “by tracing journal entries, or other digital records related to a particular transaction, or an entire population of transactions, from initiation in the accounting records through to recording in the general ledger.” Typically an auditor is given access to say the Xero ledger and may use the built-in search functions there to drill down into the data for this purpose.

Paragraph A161 suggests that when reviewing journals or ledger accounts in less complex entities inspection of all the entries within a particular account, or all journals may well be possible. But in a more complex entity downloading to a spreadsheet and applying filters and sorting may give a good result.

In Audit Assistant, we provide a built-in sampling tool. A large dataset is extracted out of the client software and then uploaded. A sampling interval based on performance materiality (or adjusted performance materiality) is added. This generates a randomised CMA sample. Appropriate tests are then added to a generated table of results. Alternatively, a random sample of a specified number of samples may be generated, or the auditor may carry out their own sample in the spreadsheet first and then upload it for testing.

The auditor is encouraged to use automated techniques to assist in the identification of significant classes of transactions, account balances and disclosures in paragraph A203. This would typically only be helpful in complex entities. In less complex entities these become fairly obvious by reviewing trail balance and analytical review data as described above.

CAATs are our friends

So CAATS and ATTs are really not some big scary monsters that need to intimidate us. They are our servants – power tools that we pull out when a normal auditing screwdriver or hammer is too slow or not forceful enough. They become dangerous when the auditor uses them ‘just because they can’ without understanding what they are trying to achieve and why.

There is no substitute for learning to do the basics well and always working from first principles, and choosing a tool that we understand and can explain that will achieve our objectives most efficiently.

<<previous article next article>>

26 July 2022

There’s a new Act in town. And some people aren’t happy, claiming that this could be an ‘extinction event’ for many small clubs. The 1908 Act was predictably relaxed, out of step with modern regulation and reporting, so an update was needed.

So what does the new Incorporated Societies Act entail for these entities, and for those who prepare and audit the financial statements? Is the fear justified?

Changes for entities

No Incorporated Societies can just carry on as normal. All will need to update their constitutions and re-register. Companies Office guidance suggests the final date to transition will be April 2026. They also provide a handy Constitution Building tool.

Regulations are currently being developed to support the new Act. These should be completed by September 2023 so that entities can start to transition.

What we do know from the Act, however, is that under section 74 a society must have at least 10 members to register. This is a decrease from the 15 members required under the old Act. Under section 45 of the new Act, a society must have a committee, but this only needs to comprise 3 or more qualified officers. This committee is the ”governing body of the society” – the responsible parties.

There is concern that the extra responsibility being laid upon mostly voluntary committee members may make the slots hard to fill. The obligations are much closer to a company director than the casual committee member of the past. Under section 51 an officer remains specifically liable for acts and omissions and decisions made while they were an officer even after they have resigned.

The Act takes into account that many small entities may not want to re-register, so it provides an amalgamation process to enable groups of small, similar entities to amalgamate under one umbrella. Whether this will be used much, we shall see.

How to report?

Charities Services report that “there are about 24,000 incorporated societies in New Zealand, and about 7,000 of those are registered as charities.” These 7,000, like all charities, will be reporting under the Public Benefit Entity (PBE) reporting regime, which is now well established.

For the other 17,000, reporting will depend mainly on size. At present these entities may be using special purpose reporting or generally accepted accounting practices (GAAP). Section 102 provides three categories:

  • specified not-for-profit entity
  • small society
  • other

An entity is defined as a specified not-for-profit entity in the Financial Reporting Act 2013 S46  if, in each of the 2 preceding accounting periods of the entity, the total operating payments of the entity are $140,000 or more. These are required to prepare financial statements that comply with GAAP. Our Tier 1 and 2 standards plus our Tier 3 PBE standard are GAAP. Tier 4 and Special Purpose are not GAAP.

A small society has total operating payments and total current assets of less than $50,000 in each of the 2 preceding accounting periods. It also may not be a donee organisation under section LD 3(2) of the Income Tax Act 2007. These include charitable entities entitled to issue tax-deductible receipts for donations received. Many small clubs would fall into the small category. These may choose to prepare either GAAP-compliant financial statements or a non-GAAP standard or the minimum requirements as set out in section 104 of the 2022 Act. The minimum requirements statements must contain the following information:

(i) the income and expenditure, or receipts and payments, of the society during the accounting period; and

(ii) the assets and liabilities of the society at the close of the accounting period; and

(iii) all mortgages, charges, and other security interests of any description affecting any of the property of the society at the close of the accounting period

Associations that don’t fit into either category – the “others” – will generally be those with expenditure over $50,000 and under $140,000 in the previous two periods. They may choose whether to apply GAAP or non-GAAP.

What about the requirement for audit?

Of course, any Incorporated Society may opt to be audited, but some must be audited under the Act.

These are classed as “large” (as defined by S45 of the Financial Reporting Act 2013) if as at the balance date of each of the 2 preceding accounting periods, the total assets of the entity and its subsidiaries (if any) exceed $66 million or in each of the 2 preceding accounting periods, the total revenue of the entity and its subsidiaries (if any) exceeds $33 million.

The end of Society?

So will this be an ‘extinction’ event for societies or provide momentum for a new burst of energy? Both outcomes are likely, depending on the state of the society. It will certainly drain the limited resources of struggling clubs to have to lift their game to a new level.

In this age of declining volunteerism and reliance on sponsorship, the change may lead to fewer societies, but adaptations will be made for more efficient operations and more professional style management in those who survive.