31 March 2023

In assisting a range of Audit firms with their Quality Control I get to see quite a few files for review, mostly Tier 3 charities. There are a number of common areas where improvements could be made. We explore some of these below:

Qualification for cash income

It is still common for audit reports for charities and clubs to qualify for cash income. However, with the reduction in the use of cash, this may not be given. In many jobs, I see this unquestioningly adopted, without an attempt to quantify just how much of the income of donations say is actually represented by cash so subject to that risk. The audit report then may lead a reader to the conclusion that the potential understatement is much larger than it actually is.

When considering the risk of understatement of cash income and subsequent qualification, I suggest that work be documented to quantify the total amount represented by cash and the potential understatement. this may not be material, in which case a qualification will not be necessary. It may be material and subject to qualification, but the audit report should identify the particular items where there may be an understatement instead of just a blanket statement. Also, rather than a qualified opinion, an “emphasis of matter” paragraph may be appropriate, as is more common in Australia.

There is also the opportunity to assist the client with advice on how to implement controls or update their current internal controls so that the qualification may not be required in the future.

Inconsistency between engagement letters, work done and audit reports

It is vital that what we have agreed we will do in the engagement letter is what we actually do, and our audit reports actually reflect this. Does the testing regime for service performance correspond with the testing we have done? Have we properly identified the reporting regime used by the entity and used the correct template that reflects that regime? This will be a big issue as clients update to the new Tier 3 and 4 reporting standards.

If there is inconsistency and the job is subsequently subject to a dispute, this will be an immediate black mark against the quality of your work.

Risks at the Financial Statement and Assertion level confused

I see many cases where assertion level risks are identified as financial statement level. All risks will potentially affect the financial statements, but most only relate to a few balances, disclosures or assertions. These are described therefore as risks at the assertion level. Risks at the financial statement level are risks that are pervasive to the whole of the financial statements and potentially affect many assertions (see ISA 315 (Revised 2019), para 4).

So risks at the financial statement level are ‘top level’ risks, which will likely have related risks at the assertion level, so they will be rarer than assertion level risks. An example of a financial statement level risk is given in ISA 315 (Revised 2019), A195: An entity faces operating losses and liquidity issues and is reliant on funding that has not yet been secured. In such a circumstance, the auditor may determine that the going concern basis of accounting gives rise to a risk of material misstatement at the financial statement level.

Lack of walk-through testing

When controls are not to be tested there is a common assumption that walk-through tests are not required. However, even if not testing or relying on controls we are required to document the identified controls that are relevant to inherent risks that we have identified. And we must somehow confirm that we have documented the controls correctly, implying some sort of walk-through test. This need not be in as much detail as a complex system requires, but we should add some level of documentation.

We have a full article discussing this in detail. And we have updated our latest templates to remove the ‘walkthrough tests not required’ option.

Enquiries directed at a limited range of people

Some questionnaires are designed to be answered by someone from management, and some from governance. The fraud questionnaires are a good example. However, in small entities, I commonly see all enquiries directed to one person.

While this reflects something of the reality of small entities, it is an important control that governance is aware of and oversees what is happening at a managerial level. Gaining perspective from different people – as well as being requirements of the standards – helps build a wider ‘3D’ view of the entity.

Verbal enquiries neglecting to identify the entity contact

Sometimes instead of having an entity contact complete a checklist or answer a question online, it is more convenient to interview them and record their responses.

In these cases, it is essential to record the name of the person and the date of the interview.

Budget testing as an analytical review tool

It is common to have a client respond to the questionnaire that they do indeed prepare budgets. However, it is uncommon to see these budget figures used in an Analytical Review test. Many times I see the Analytical Review option for budgets marked “no Budget.”

Comparing budgets to actual results can be a powerful analytical and risk identification tool in SME audits, where budgets define the expectation of governance. Even if budgets are not prepared for all the figures reflected in the TB, the budget column for key figures can be manually completed on the TB page, to flow through to the analysis pages.

Lack of follow-up on issues identified in the planning phase

Often I see key items or risks that are mentioned at the staff planning meeting, in information gathered from the client, or when discussing rebuttable presumptions around fraud, understatement of income, or risks associated with journals, that are not flagged and addressed specifically later in the file.

In the current iteration of Audit Assistant, the risk flag tool should be used in these cases, as all comments may be flagged as risks. This will ensure that the issue is not dropped, but is appropriately brought to the foreground in the audit work. There is also the “Key Issue” option which may be used to flag important items intended for partner attention.

Lack of identification of risks

Risk identification is a bit of a moving target as we all adapt to ISA 315 (revised 2019), however, even under the old standard there was a requirement to identify risks of material misstatement and form the focus of our testing primarily around the most significant risks. I see many good examples of risk assessment, but also many where material items in the financial statements are not assessed as risk, presumably because the auditor has looked at the item and assessed it as low risk – but not documented that decision.

In Tier 3 entities, where there are a limited number of categories in the Statement of Performance and Statement of Financial Position, I would expect to see each category subtotalled in the TB, and a risk assessment for each subtotal, unless it is clearly immaterial or has no prospect of being material.

Lack of identification of significant risks

Many audit files have all their identified risks assessed as very much the same risk profile. I recently heard a reviewer describe a good audit file as one that resembled the Andes rather than rolling green hills.

In other words, we are trying to find which risks are significant to the entity and highlight those rather than just saying all risks are on the same level. Even in a very low-risk job, there will be some inherent risks that the entity faces that will stand out as the main threats to the entity – and these are where we need to focus our work. This will produce not only better audit work but also more efficient work because we are putting our resources into the right areas. If we view “Significant” as a relative term rather than absolute, we will start to identify risks that are significant in the context of the job. This is especially important in complying with ISA 315 (revised 2019).

Note that anything that will result in a modification to the audit report should be identified as significant. Many firms use the “Key Issues” flag to help clearly identify these risks – which is a great idea.

Fixed asset valuation methods

When a Tier 3 entity opts to revalue their land and buildings – as many do – leaving behind the safe harbour of the Tier 3 standards and ventures into the deep waters of PBE IPSAS 17 there are many potential snares, as I discovered recently.

Don’t assume that the CA who prepared the financial statements got it right, and read the standard well. I would assume that any revaluation of this sort is a significant risk as it will likely be highly material. Also, remember to check the disclosures in the Performance Report – that they reference the standard – and include a mention of the use of PBE IPSAS 17 in the preparation of the financial statements in your audit report just to be safe. Finally, be aware that the new Tier 3 standard allows changes in the treatment of revaluations, so be aware of what is changing.

Do you agree? Any comments or suggestions? Contact me here.