To recap from Part 1, we have set up the client in the appropriate template, and worked through the processes common to most audit jobs. Then we looked specifically at the page Statement of Service Performance and Entity Information (A11).
Most of the SSP and Entity Information is tested on this page - although there are mentions later when looking at presentation of financial statements, obtaining representations, and our final reporting.
Trial Balance and Risk Identification:
- Trial Balance data is loaded as per other audits, and subtotals are added to match the subheadings that relate to the reporting requirements e.g. “Costs relating to providing services”.
- Before identifying risks, I recommend setting materiality (the following page, which after loading and sorting the TB will provide some suggested ranges for materiality)
- Flag risks – the standard says we need to look at things that are both material and have potential for risk
- So we are not creating excessive work for ourselves I suggest where we can that we audit a group of similar things that together are material and/or risky treat as a group (a group of grants for instance) - may flag the subtotal in these cases rather than the individual accounts
Obtain a basic understanding of internal controls:
Although in a small job we will not be relying on controls to any great degree, we are still required to have an understanding of the control system.
- Share descriptive questionnaire with client – it is more suitable for smaller jobs are it does not assume any specific controls
- Auditor may go through and “n/a” any items that obviously don’t apply prior to sharing
- Key issues (as identified by ISA 315 task force) are controls over journals and control over access to software (which in most cases will be off the shelf or cloud based so are not easily subject to tampering with code)
- Once questionnaire completed flag any issues that represent risk that we should consider when designing tests – and also this is a great chance to value add and make suggestions for improvement via management letter points
- Documenting of internal controls may be simply a comment or series of comments rather than opening sub-page (say B4 concerning sales and income)
- Fuller documentation is required when substantive procedures are not possible or practicable – as in highly automated processing (ISA 315,30) – this is not likely to be the case in small entities
- There is a specific question about how the entity responds to risks arising from IT (per ISA 315,21) – this should have a fairly simple answer in most entities as they will most likely use an off the shelf system and they control access to it
- Evaluate the effectiveness of Internal control environment (B16):
- in fact, there is a lot in there worth thinking about as smaller entities do have a lot of indirect controls even though they may be light on direct controls
- they are small enough that the management and board can exercise fairly close supervision of all aspects of the entity by just being involved and maintaining a healthy culture
- this is worth documenting as we do rely on these intangible "good feelings" about the culture of the entity and the relationships within it quite a bit as auditors – and rightly so
- so, we should do our best to document these things
Carry out preliminary analytical review:
- Analytical review procedures pages are particularly useful to see movements from prior period
- Use to describe why changes have happened (significant in size and percentage change)
- Proof in total of amounts means that the work on those is complete and they don’t need to be considered in further substantive testing - documents or spreadsheets may be added in as attachments as required
- Any risks that were missed in the TB may be noted by way of comment and flagged as risk from there
- Relationships can be looked at using generic ratio “respawner” – say grants received to what those grants were used for
- A key control in small entities
- Does the board know what is really going on?
- Is the will of the board being carried out by management?
- Create testing page:
- May be more than one work-paper created if different relevant types of meetings – add name when creating
- Add tests to be applied: e.g. Signed by the chairperson
- Create testing table and before opening select edit to set up table headings (default Date, Type, Details) – may add more from standard choices (to ensure format is right), take away or change order by drag and drop
- Open and start adding lines
- Listing issues relevant to audit in details box – such as approval of staffing changes, sale or purchase of assets, change of strategy, changes in board etc.
- Multiple lines may be added by using shift+enter
- Copies of the minutes may be uploaded as attachments if desired
- Additional comments may be added
- Cross references may be made to comments – these form hyperlinks to target pages, or to attachments but nothing appears on the other page until a reference is created from there
- Click pending tests to run tests against minutes
- Comments may be added, and items are marked as Pass, Fail or n/a
- A summary is added to the parent page (D1) noting number of deviations
- If deviations are regarded as significant add a comment, and/or management point – the comment could be flagged as a risk if required
- Reference to the minutes is made from many of the lead schedules, as what happens in the minutes is supposed to reflect the activities of the entity and so is an important element of building confidence in a key control
- The minutes details may also be created in a Spreadsheet (.CSV works best) then imported (do not use headings but follow existing layout)
- All pending tests must be addressed before parent page may be concluded
These are particularly important to review in small entities:
- D3 looks at all potential sources to identify – ties in with key personnel identified earlier
- D3 has a testing table (like minutes) to copy related parties notes and test
- Again – columns and tests may be amended as required and import from .CSV is possible – or just copy and paste details
Fraud Considerations (D4):
- Includes fraud questionnaires to be shared with Management and Governance as required by ISA 240 18-22
- These are shared by email so ensure that person’s email address is entered in their contact details
Understanding of Entity and Environment:
This should be fairly easy to identify on one page (E1):
- If possible, use information supplied by the entity – from website, management reports, procedures and policies manual,
- Statement of service performance will have already provided a lot of helpful understanding
- When entities rely on Grant income, Going Concern is a big issue to pay close attention to as they may well depend on funding that could easily determine their ability to continue year to year
- And they may not be willing to admit this as there may well be a domino effect if funders or donors learn that a major funder is pulling back
- Use of service organisations may apply,
- Very unlikely that there will be an internal audit function
- Expert opinions probably not relevant either
- Estimates probably won’t be relevant
These notes are taken from a series of training sessions currently being developed looking at using Audit Assistant for different kinds of entities.