31 March 2023

In assisting a range of Audit firms with their Quality Control I get to see quite a few files for review, mostly Tier 3 charities. There are a number of common areas where improvements could be made. We explore some of these below:

Qualification for cash income

It is still common for audit reports for charities and clubs to qualify for cash income. However, with the reduction in the use of cash, this may not be given. In many jobs, I see this unquestioningly adopted, without an attempt to quantify just how much of the income of donations say is actually represented by cash so subject to that risk. The audit report then may lead a reader to the conclusion that the potential understatement is much larger than it actually is.

When considering the risk of understatement of cash income and subsequent qualification, I suggest that work be documented to quantify the total amount represented by cash and the potential understatement. this may not be material, in which case a qualification will not be necessary. It may be material and subject to qualification, but the audit report should identify the particular items where there may be an understatement instead of just a blanket statement. Also, rather than a qualified opinion, an “emphasis of matter” paragraph may be appropriate, as is more common in Australia.

There is also the opportunity to assist the client with advice on how to implement controls or update their current internal controls so that the qualification may not be required in the future.

Inconsistency between engagement letters, work done and audit reports

It is vital that what we have agreed we will do in the engagement letter is what we actually do, and our audit reports actually reflect this. Does the testing regime for service performance correspond with the testing we have done? Have we properly identified the reporting regime used by the entity and used the correct template that reflects that regime? This will be a big issue as clients update to the new Tier 3 and 4 reporting standards.

If there is inconsistency and the job is subsequently subject to a dispute, this will be an immediate black mark against the quality of your work.

Risks at the Financial Statement and Assertion level confused

I see many cases where assertion level risks are identified as financial statement level. All risks will potentially affect the financial statements, but most only relate to a few balances, disclosures or assertions. These are described therefore as risks at the assertion level. Risks at the financial statement level are risks that are pervasive to the whole of the financial statements and potentially affect many assertions (see ISA 315 (Revised 2019), para 4).

So risks at the financial statement level are ‘top level’ risks, which will likely have related risks at the assertion level, so they will be rarer than assertion level risks. An example of a financial statement level risk is given in ISA 315 (Revised 2019), A195: An entity faces operating losses and liquidity issues and is reliant on funding that has not yet been secured. In such a circumstance, the auditor may determine that the going concern basis of accounting gives rise to a risk of material misstatement at the financial statement level.

Lack of walk-through testing

When controls are not to be tested there is a common assumption that walk-through tests are not required. However, even if not testing or relying on controls we are required to document the identified controls that are relevant to inherent risks that we have identified. And we must somehow confirm that we have documented the controls correctly, implying some sort of walk-through test. This need not be in as much detail as a complex system requires, but we should add some level of documentation.

We have a full article discussing this in detail. And we have updated our latest templates to remove the ‘walkthrough tests not required’ option.

Enquiries directed at a limited range of people

Some questionnaires are designed to be answered by someone from management, and some from governance. The fraud questionnaires are a good example. However, in small entities, I commonly see all enquiries directed to one person.

While this reflects something of the reality of small entities, it is an important control that governance is aware of and oversees what is happening at a managerial level. Gaining perspective from different people – as well as being requirements of the standards – helps build a wider ‘3D’ view of the entity.

Verbal enquiries neglecting to identify the entity contact

Sometimes instead of having an entity contact complete a checklist or answer a question online, it is more convenient to interview them and record their responses.

In these cases, it is essential to record the name of the person and the date of the interview.

Budget testing as an analytical review tool

It is common to have a client respond to the questionnaire that they do indeed prepare budgets. However, it is uncommon to see these budget figures used in an Analytical Review test. Many times I see the Analytical Review option for budgets marked “no Budget.”

Comparing budgets to actual results can be a powerful analytical and risk identification tool in SME audits, where budgets define the expectation of governance. Even if budgets are not prepared for all the figures reflected in the TB, the budget column for key figures can be manually completed on the TB page, to flow through to the analysis pages.

Lack of follow-up on issues identified in the planning phase

Often I see key items or risks that are mentioned at the staff planning meeting, in information gathered from the client, or when discussing rebuttable presumptions around fraud, understatement of income, or risks associated with journals, that are not flagged and addressed specifically later in the file.

In the current iteration of Audit Assistant, the risk flag tool should be used in these cases, as all comments may be flagged as risks. This will ensure that the issue is not dropped, but is appropriately brought to the foreground in the audit work. There is also the “Key Issue” option which may be used to flag important items intended for partner attention.

Lack of identification of risks

Risk identification is a bit of a moving target as we all adapt to ISA 315 (revised 2019), however, even under the old standard there was a requirement to identify risks of material misstatement and form the focus of our testing primarily around the most significant risks. I see many good examples of risk assessment, but also many where material items in the financial statements are not assessed as risk, presumably because the auditor has looked at the item and assessed it as low risk – but not documented that decision.

In Tier 3 entities, where there are a limited number of categories in the Statement of Performance and Statement of Financial Position, I would expect to see each category subtotalled in the TB, and a risk assessment for each subtotal, unless it is clearly immaterial or has no prospect of being material.

Lack of identification of significant risks

Many audit files have all their identified risks assessed as very much the same risk profile. I recently heard a reviewer describe a good audit file as one that resembled the Andes rather than rolling green hills.

In other words, we are trying to find which risks are significant to the entity and highlight those rather than just saying all risks are on the same level. Even in a very low-risk job, there will be some inherent risks that the entity faces that will stand out as the main threats to the entity – and these are where we need to focus our work. This will produce not only better audit work but also more efficient work because we are putting our resources into the right areas. If we view “Significant” as a relative term rather than absolute, we will start to identify risks that are significant in the context of the job. This is especially important in complying with ISA 315 (revised 2019).

Note that anything that will result in a modification to the audit report should be identified as significant. Many firms use the “Key Issues” flag to help clearly identify these risks – which is a great idea.

Fixed asset valuation methods

When a Tier 3 entity opts to revalue their land and buildings – as many do – leaving behind the safe harbour of the Tier 3 standards and ventures into the deep waters of PBE IPSAS 17 there are many potential snares, as I discovered recently.

Don’t assume that the CA who prepared the financial statements got it right, and read the standard well. I would assume that any revaluation of this sort is a significant risk as it will likely be highly material. Also, remember to check the disclosures in the Performance Report – that they reference the standard – and include a mention of the use of PBE IPSAS 17 in the preparation of the financial statements in your audit report just to be safe. Finally, be aware that the new Tier 3 standard allows changes in the treatment of revaluations, so be aware of what is changing.

Do you agree? Any comments or suggestions? Contact me here.

18 August 2021

The IAASB has now issued its proposed standard on less complex entities (ED-ISA for LCE) for feedback.

A standard around LCE’s is long overdue, and their proposal comes with the hope of easing unnecessary requirements placed on auditors.

The standard is expected to come into effect around 2024 and should be a game-changer for the audit of most of our client entities. This article follows on from prior commentary and summarises some of the critical changes the LCE standard will have on an audit engagement.

Relationship to ISAs

The IAASB has decided that the proposed standard is to be separate from the ISAs with no intended need to directly reference back to their requirements or application material. However, the proposed standard does not address complex matters or circumstances so is not permitted to be used for audits that are not audits of financial statements of LCEs.

As a consequence, when a firm is auditing an entity with transactions and accounts deemed less complex, it cannot supplement by using other auditing standards concerning a more complex account or transaction (like an accounting estimate calculated using a bespoke, complex model). In this instance, the auditor may not use ISA for LCE together with requirements from say ISA 540 (Revised) to supplement what may not be addressed in ISA for LCE when planning and performing the audit. They would need to carry out the whole audit using ISAs (see Explanatory Memorandum para 26-28).

Therefore, it will be critical in the planning stage to ensure the LCE standard is applicable to every aspect of the audit engagement. The standard provides good guidance around the applicability of LCE for an audit engagement. See the table below:

from Explanatory Memorandum para 50

What Qualitative Characteristics might make the standard inappropriate?

Outside of the specific prohibitions in the table above, an entity may be prohibited from using the LCE standard where an entity exhibits:

  • Complex matters or circumstances relating to the nature and extent of the entity’s business activities, operations and related transactions and events relevant to the preparation of the financial statements.
  • Topics, themes and matters that increase or indicate complexity, such as those relating to ownership, corporate governance arrangements, policies, procedures or processes established by the entity.
    (from Explanatory Memorandum para 67)

What about groups?

At this stage, the standard is unlikely to allow group audits; however, the board is open to changing their minds and has proposed options to incorporate group audits into the standard.

Flow of the proposed standard

The content of ED-ISA for LCE has been grouped into nine “Parts” that follow the flow of an audit engagement (rather than by subject matter or topic like the ISAs):

from Explanatory Memorandum para 92

Each part follows the same structure, a preface, authority (circumstances in which the standard is prohibited or limited), broad concepts, key requirements, and appendices.

Potential Grey areas in the application of the standard

Accounting estimates – Specific procedures concerning the use of complex modelling and detailed requirements to address situations where there is higher estimation uncertainty have not been included as they are not expected to be relevant for the types of accounting estimates in an audit of a typical LCE. While the presence of one complex characteristic exhibited by an entity does not necessarily exclude the use of ISA for LCE this is a tricky area that would lead to a judgement call for the auditor about whether it is still appropriate to continue performing the audit under the proposed standard. The auditor would need to determine if the complex matter or circumstance identified is not in the spirit of what standard is intended to be allowed as an accounting estimate.

Service Organisations – The standard is designed for the typical nature and circumstances of an LCE. The prime example is with LCEs that have payroll processed by a service organisation. However, situations deemed more complex relating to the entity’s use of a service organisation have not been addressed within the proposed standard. For example, requirements relating to an auditor’s ability to rely on reports on the operating effectiveness of controls from the entity providing the services (e.g., ‘Type 1’ and ‘Type 2’ reports) are not included as it is anticipated that where transactions are less complex, the auditor would be able to obtain the necessary audit evidence without difficulty from records available including, if applicable, in relation to controls at the service organisation.

Planning the Audit

One of the areas where the IAASB has modulated the proposed standard is to not distinguish between the overall audit strategy and the audit plan required by the ISAs. The auditor is still required to plan the audit in the same manner, however, the relevant outcomes of what the auditor would need to do about establishing the overall audit strategy and audit plan have been incorporated together (i.e., there is still a requirement to establish and plan the audit’s scope, timing, and direction).


The IAASB has released a video explaining the draft standard:

Audit Assistant response

Our goal is to make a new template from scratch incorporating the requirements of the new standard, in anticipation of its adoption. As a clean-slate build, we will be looking at ways to make this as efficient as possible, without having to retain backward compatibility. Please contact us if you would like to add to our submission on the ED, or make suggestions for the new template.