31 March 2023

In assisting a range of Audit firms with their Quality Control I get to see quite a few files for review, mostly Tier 3 charities. There are a number of common areas where improvements could be made. We explore some of these below:

Identification of Key Personnel

There is a question early in the workflow that asks the user to identify key personnel (directors/trustees and management people and anyone else with significant influence over the entity) – to be referred to when assessing independence, in related parties’ work and for identifying key contacts. It is common to just see the name of one key contact person here.

In order to be familiar with the client and be alert to potentially related parties or conflicts of interest all people involved in management and governance should be listed here, along with their roles. The names may be added to contacts in the sidebar.

Enquiries directed at a limited range of people

Some questionnaires are designed to be answered by someone from management, and some from governance. The fraud questionnaires are a good example. However, in small entities, I commonly see all enquiries directed to one person.

While this reflects something of the reality of small entities, it is an important control that governance is aware of and oversees what is happening at a managerial level. Gaining perspective from different people – as well as being requirements of the standards – helps build a wider ‘3D’ view of the entity.

Verbal enquiries neglecting to identify the entity contact

Sometimes instead of having an entity contact complete a checklist or answer a question online, it is more convenient to interview them and record their responses.

In these cases, it is essential to record the name of the person and the date of the interview.

Budget testing as an analytical review tool

It is common to have a client respond to the questionnaire that they do indeed prepare budgets. But it is uncommon to see these budget figures used in an Analytical Review test. Many times I see the Analytical Review option for budgets marked “no Budget.”

Comparing budgets to actual results can be a powerful analytical and risk identification tool in SME audits, where budgets define the expectation of governance. Even if budgets are not prepared for all the figures reflected in the TB, the budget column for key figures can be manually completed on the TB page, to flow through to the analysis pages.

Lack of follow-up on issues identified in the planning phase

Often I see key items or risks that are mentioned at the staff planning meeting, in information gathered from the client, or when discussing rebuttable presumptions around fraud, understatement of income, or risks associated with journals, that are not flagged and addressed specifically later in the file.

In the current iteration of Audit Assistant, the risk flag tool should be used in these cases, as all comments may be flagged as risks. This will ensure that the issue is not dropped, but is appropriately brought to the foreground in the audit work. There is also the “Key Issue” option which may be used to flag very important items intended for partner attention.

Lack of identification of risks

Risk identification is a bit of a moving target as we all adapt to ISA 315 (revised 2019), however, even under the old standard there was a requirement to identify risks of material misstatement and form the focus of our testing primarily around the most significant risks. I see many good examples of risk assessment, but also many where material items in the financial statements are not assessed as risk, presumably because the auditor has looked at the item and assessed it as low risk – but not documented that decision.

In Tier 3 entities, where there are a limited number of categories in the Statement of Performance and Statement of Financial Position, I would expect to see each category subtotalled in the TB, and a risk assessment for each subtotal, unless it is clearly immaterial or has no prospect of being material.

Lack of identification of significant risks

Many audit files have all their identified risks assessed as very much the same risk profile. I recently heard a reviewer describe a good audit file as one that resembled the Andes rather than rolling green hills.

In other words, we are trying to find which risks are significant to the entity and highlight those rather than just saying all risks are on the same level. Even in a very low-risk job, there will be some inherent risks that the entity faces that will stand out as the main threats to the entity – and these are where we need to focus our work. This will produce not only better audit work but more efficient work because we are putting our resources into the right areas. If we view “Significant” as a relative term rather than absolute, we will start to identify risks that are significant in the context of the job. This is especially important in complying with ISA 315 (revised 2019).

Materiality assessments for service performance

I often see files where the materiality assessment in the Service Performance area is regarded as “not applicable.” NZ AS1 requires us to assess Service Performance materiality, which in terms of ISA 320 is described as: “Misstatements, including omissions, if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.”

In the context of service performance, small misstatements or omissions will probably not influence the decision of the users, but a larger discrepancy may well do. It is up to us to identify where this level lies in terms of what is being measured by the service performance output we are considering. This might be in terms of say a 5% variance in a reported result.

Qualification for cash income

It is still common for audit reports for charities and clubs to qualify for cash income. However, with the reduction in the use of cash, this may not be given. In many jobs I see this unquestioningly adopted, without an attempt to quantify just how much of the income of donations say is actually represented by cash so subject to that risk. The audit report then may lead a reader to the conclusion that the potential understatement is much larger than it actually is.

When considering the risk of understatement of cash income and subsequent qualification, I suggest that work be documented to quantify the total amount represented by cash, and the potential understatement. this may not be material, in which case a qualification will not be necessary. Or it may be material and subject to qualification, but the audit report identifies the particular items where there may be an understatement instead of just a blanket statement.

Fixed asset valuation methods

When a Tier 3 entity opts to revalue their land and buildings – as many do – leaving behind the safe harbour of the Tier 3 standards and ventures into the deep waters of PBE IPSAS 17 there are many potential snares, as I discovered recently.

Don’t assume that the CA who prepared the financial statements got it right, and read the standard well. I would assume that any revaluation of this sort is a significant risk as it will likely be highly material. Also, remember to check the disclosures in the Performance Report – that they reference the standard – and include a mention of the use of PBE IPSAS 17 in the preparation of the financial statements in your audit report just to be safe.

Do you agree? Any comments or suggestions? Contact me here.

20 April 2022

The second key concept in ISA 315 relates to the requirement in ISA 200 para 15 to “…plan and perform an audit with professional scepticism recognising that circumstances may exist that cause the financial statements to be materially misstated” and para 16 to “exercise professional judgement in planning and performing an audit of financial statements.”

These should be familiar concepts to auditors, however, familiarity does not mean that the concepts are easy to learn or maintain.


An easy way to explain scepticism is from our NZ popular culture – the famous Tui billboards. They were generally based on an assertion made by someone – then mocked with a sceptical “yeah right” – a good concept to keep in mind when the client is telling us a story (though probably unwise to verbalise):

Like a good journalist interviewing a politician, we cannot take claims at face value without evidence, especially if there is a reason why it might be beneficial for the interviewee to present a biased slant on the truth.

The standard gives some helpful tips for applying professional scepticism in para A13, including encouraging the auditor to:

  • Question contradictory information and the reliability of documents;
  • Consider responses to enquiries and other information obtained from the client;
  • Remain alert to conditions that may indicate possible misstatement due to fraud or error; and
  • Consider how the audit evidence obtained supports our identification and assessment of RoMM.

Confirmation bias

Paragraph 13 reminds us that when designing and performing risk assessment procedures we must not bias our work toward obtaining audit evidence that may be corroborative or towards excluding audit evidence that may be contradictory. This takes some thought, as we are caught between time constraints (pushing us towards getting the answer quickly) vs. professional curiosity and thoroughness which may be necessary if something doesn’t quite sit right.

Many audit failures are the result of falling for confirmation bias. As per the American Psychological Association, Confirmation Bias is the tendency to look for information that supports, rather than rejects, one’s preconceptions, typically by interpreting evidence to confirm existing beliefs while rejecting or ignoring any conflicting data.

We mostly instinctively see the evidence that supports our presuppositions about the client, and ignore evidence that falls outside of our existing beliefs about them. In fact, it is very difficult not to do this when we are close to the client and involved in the details of the job. It is the reason we have auditor rotation and review of our work.

To counter bias the standard recommends comparing evidence from multiple sources. Para A15 lists these as:

  • Interactions with management, those charged with governance, and other key entity personnel.
  • External parties such as regulators.
  • Publicly available information about the entity.

Professional judgement

ISA 200 para A26 tells us that: “The distinguishing feature of the professional judgement expected of an auditor is that it is exercised by an auditor whose training, knowledge and experience have assisted in developing the necessary competencies to achieve reasonable judgements.”

The experienced auditor will develop a nose for things that don’t add up, just like the good investigative journalist. I have confirmed with many auditors the immense value of just sitting in the client’s tea-room and chatting with the staff (not so easy during COVID restrictions). This isn’t just about finding out surprising facts but assessing the tone of the client.

Brain science confirms that having a ‘hunch’ or a ‘bad feeling’ is often a reliable indicator that we should investigate a bit deeper. Our right-brain function is constantly scanning our environment and we pick up complex patterns and human interactions that alert us that something isn’t quite right. The right brain works much faster than the more cognitive left brain, so we are aware of things emotionally and physically before we really have time to think about them and process them cognitively. So a good auditor learns to use all of their brain.

ISA 315 para 17 also emphasises the importance of the whole team being involved in planning and looking for risks. In a team, even the newest member may think of something that the more experienced have missed. Everybody has different experiences, skills and perceptions to bring to the table. So a good auditor also uses the brains of all their team!

<< previous article next article >>

11 April 2022

ISA (NZ) 315 (Revised 2019) applies for audits of financial statements for periods beginning on or after 15 December 2021. To prepare for it we are producing a series of articles, and we are updating our content and our risk identification and assessment process to better suit the new standard.

The standard starts with a series of key concepts. These are useful to get the drift of the standard. Most of these are basic auditing but they provide great revision and help to break risk assessment down in a way that hopefully makes sense.

Key Concept 1 – Audit Risk

Paragraph 2 of the new standard references the requirement in ISA (NZ) 200 that audit risk be reduced to an acceptably low level by obtaining sufficient appropriate audit evidence.

Audit risk sounds simple at first glance but can quickly turn nasty once we start trying to define and understand how it actually works. This is where we must start using some acronyms and abbreviations (much as I hate them).

Audit Risk (AR) is described as a function of Risk of Material Misstatement (RoMM) and Detection Risk (DR). RoMM may exist on two levels – the financial statement level and the assertion level. RoMM consists of two components: Inherent Risk and Control Risk (para 4). The whole objective of the audit (per para 11) is to identify and assess the RoMM, so that we can use this as a basis for designing and implementing responses to the assessed RoMM.

If you are like me, its easy to go a bit like this around this point:

The key is to understand the meaning behind AR = RoMM x DR.

AR must be reduced to an “acceptably low” level. So let’s break down the rest of this.

First, what is material misstatement? ISA (NZ) 320 (2) says: “Misstatements, including omissions, are considered to be material if they, individually or in the aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements.”

You could say in the context of the audit material things are what we care about; things that make the financial statements not just wrong but misleadingly so.

So, risk of material misstatement (RoMM) is a weak point that could lead to us missing something big and important in our work and so failing in our task.

We identify a weak point, we think about the likelihood of it being wrong or producing wrong results, and we consider the potential impact on the financial statements if the worst-case scenario were to emerge. We identify, describe and assess the RoMM.

Second, what about the Financial Statement level and Assertion level? This is easily enough understood as either that which will impact the financial statements as a whole (financial statement level) or that which is more granular, relating to classes of transactions, account balances and disclosures (assertion level).

In plain English an assertion is defined as: 

“A confident and forceful statement of fact or belief” (Oxford Dictionary).

The Collins English dictionary goes further and says:

“A positive statement, usually made without an attempt at furnishing evidence.”

Paragraph A190 lists assertions as things like Occurrence, Completeness, Accuracy, Cutoff, Classification, Presentation, Existence, Rights and Obligations, Valuation and Allocation.

Our job is to assess whether the assertion being made is important (i.e. material) enough for us to look for evidence that it is actually true.

For example, if the preparers of the financial statements are confidently and forcefully stating that say, certain inventory is owned by them, exists and is valued at a certain amount, we as auditors are required to assess whether the balance (or potential for error) is material and if it is, whether their confidence and force in making these claims are justified by looking for evidence using suitable procedures that respond to the risk.

We will consider how these responses work later.

Making Audit Risk (AR) acceptable is like us saying whether it is possible, given the RoMMs we have identified, to design suitable audit responses to be comfortable that we have found evidence to support the assertions.

If we can’t do that we should either not accept the engagement at all, disclaim the audit report if it is too late, or modify the report if we can ring-fence the uncertainty to certain categories.

next article >>