31 March 2023
In assisting a range of Audit firms with their Quality Control, I get to see quite a few files for review, mostly Tier 3 charities. There are a number of common areas where improvements could be made. We explore some of these below:
Identification of Key Personnel
There is a question early in the workflow that asks the user to identify key personnel (directors/trustees and management people and anyone else with significant influence over the entity) – to be referred to when assessing independence, in related parties’ work and for identifying key contacts. It is common to just see the name of one key contact person here.
In order to be familiar with the client and be alert to potentially related parties or conflicts of interest, all people involved in management and governance should be listed here, along with their roles. The names may be added to contacts in the sidebar.
Enquiries directed at a limited range of people
Some questionnaires are designed to be answered by someone from management, and some from governance. The fraud questionnaires are a good example. However, in small entities, I commonly see all enquiries directed to one person.
While this reflects something of the reality of small entities, it is an important control that governance is aware of and oversees what is happening at a managerial level. Gaining perspective from different people – as well as being a requirement of the standards – helps build a wider ‘3D’ view of the entity.
Verbal enquiries neglecting to identify the entity contact
Sometimes instead of having an entity contact complete a checklist or answer a question online, it is more convenient to interview them and record their responses.
In these cases, it is essential to record the name of the person and the date of the interview.
Budget testing as an analytical review tool
It is common to have a client respond to the questionnaire that they do indeed prepare budgets. But it is uncommon to see these budget figures used in an Analytical Review test. Many times I see the Analytical Review option for budgets marked “no Budget.”
Comparing budgets to actual results can be a powerful analytical and risk identification tool in SME audits, where budgets define the expectation of governance. Even if budgets are not prepared for all the figures reflected in the TB, the budget column for key figures can be manually completed on the TB page, to flow through to the analysis pages.
Lack of follow-up on issues identified in the planning phase
Often I see key items or risks that are mentioned at the staff planning meeting, in information gathered from the client, or when discussing rebuttable presumptions around fraud, understatement of income, or risks associated with journals, that are not flagged and addressed specifically later in the file.
In the current iteration of Audit Assistant, the risk flag tool should be used in these cases, as all comments may be flagged as risks. This will ensure that the issue is not dropped, but is appropriately brought to the foreground in the audit work. There is also the “Key Issue” option which may be used to flag very important items intended for partner attention.
Lack of identification of risks
Risk identification is a bit of a moving target as we all adapt to ISA 315 (revised 2019); however, even under the old standard there was a requirement to identify risks of material misstatement and form the focus of our testing primarily around the most significant risks. I see many good examples of risk assessment, but also many where material items in the financial statements are not assessed as risk, presumably because the auditor has looked at the item and assessed it as low risk – but not documented that decision.
In Tier 3 entities, where there are a limited number of categories in the Statement of Performance and Statement of Financial Position, I would expect to see each category subtotalled in the TB, and a risk assessment for each subtotal, unless it is clearly immaterial or has no prospect of being material.
Lack of identification of significant risks
Many audit files have all their identified risks assessed as very much the same risk profile. I recently heard a reviewer describe a good audit file as one that resembled the Andes rather than rolling green hills.
In other words, we are trying to find which risks are significant to the entity and highlight those rather than just saying all risks are on the same level. Even in a very low-risk job, there will be some inherent risks that the entity faces that will stand out as the main threats to the entity – and these are where we need to focus our work. This will produce not only better audit work but more efficient work because we are putting our resources into the right areas. If we view “Significant” as a relative term rather than absolute, we will start to identify risks that are significant in the context of the job. This is especially important in complying with ISA 315 (revised 2019).
Materiality assessments for service performance
I often see files where the materiality assessment in the Service Performance area is regarded as “not applicable.” NZ AS1 requires us to assess Service Performance materiality, which in terms of ISA 320 is described as: “Misstatements, including omissions, … if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.”
In the context of service performance, small misstatements or omissions will probably not influence the decision of the users, but a larger discrepancy may well do. It is up to us to identify where this level lies in terms of what is being measured by the service performance output we are considering. This might be in terms of, say, a 5% variance in a reported result.
Qualification for cash income
It is still common for audit reports for charities and clubs to qualify for cash income. However, with the reduction in the use of cash, this may not be a given. In many jobs I see this unquestioningly adopted, without an attempt to quantify just how much of the income, of donations say, is actually represented by cash and so subject to that risk. The audit report then may lead a reader to the conclusion that the potential understatement is much larger than it actually is.
When considering the risk of understatement of cash income and subsequent qualification, I suggest that work be documented to quantify the total amount represented by cash, and the potential understatement. This may not be material, in which case a qualification will not be necessary. Or it may be material and subject to qualification, but the audit report identifies the particular items where there may be an understatement instead of just a blanket statement.
Fixed asset valuation methods
When a Tier 3 entity opts to revalue their land and buildings – as many do – leaving behind the safe harbour of the Tier 3 standards and venturing into the deep waters of PBE IPSAS 17, there are many potential snares, as I discovered recently.
Don’t assume that the CA who prepared the financial statements got it right, and read the standard well. I would assume that any revaluation of this sort is a significant risk as it will likely be highly material. Also, remember to check the disclosures in the Performance Report – that they reference the standard – and include a mention of the use of PBE IPSAS 17 in the preparation of the financial statements in your audit report just to be safe.