Embed Size (px)
Citation preview
1
AA - Audit evidence
Contents
The Financial Statement Assertions ....................................................................................... 2
TERMINOLOGY USED: ......................................................................................................... 2
ASSERTIONS: ....................................................................................................................... 2
Gathering Evidence ................................................................................................................ 4
AUDIT PROCEDURES: .......................................................................................................... 4
CRAVE COCA: ...................................................................................................................... 4
QUALITY OF EVIDENCE: .......................................................................................................... 5
METHODS OF GATHERING EVIDENCE: ................................................................................... 6
REVIEW THE RESULTS OF AUDIT PROCEDURES:................................................................. 7
Computer Assisted Audit Techniques (CAAT's) ...................................................................... 8
TEST DATA: ......................................................................................................................... 8
AUDIT SOFTWARE: .............................................................................................................. 9
Data Analytics in Audit ......................................................................................................... 10
What is Data Analytics? .................................................................................................... 10
Data Analytics and Audit .................................................................................................. 10
Benefits of Data Analytics ................................................................................................. 10
Challenges in Data Analytics ............................................................................................. 11
Relying on the Work of Others ............................................................................................. 13
KEY CONSIDERATIONS ...................................................................................................... 13
AUDITOR'S OWN EXPERT .................................................................................................. 14
EXTERNAL EXPERT - INTERNAL AUDIT .............................................................................. 14
EXTERNAL EXPERT - SERVICE ORGANISATION .................................................................. 15
Smaller Entities and Not-for-Profit Organisations ............................................................... 16
AUDIT OF SMALLER ENTITIES ........................................................................................... 16
AUDIT OF NOT-FOR-PROFIT ORGANISATIONS ................................................................. 17
2
The Financial Statement Assertions
TERMINOLOGY USED:
Financial statement assertions represent the key objectives of the substantive audit
procedures. If a substantive procedure does not address an assertion, it does not assist the
auditor in forming an audit opinion.
Overall objective of the external auditor is to decide whether the financial statements are
true and fair and properly prepared.
Financial statement assertions are given to assist the auditor in planning audit procedures to
decide whether the balance is free from material misstatement.
ASSERTIONS:
C - Completeness C - Cut-off
R - Rights and obligations O - Occurrence
A - Allocation C - Classification and understandability
V - Valuation
E - Existence A - Accuracy
Completeness ensures that all transaction and events recorded are present in the financial
statements. Rights and obligations ensures that ownership and responsibility of assets and
liabilities are reviewed. Accuracy ensures that all transactions, balances and other items
have been accurately recorded.
Valuation and allocation ensures that items in the statement of financial position are
presented correctly and at the correct values.
Existence ensures that items in the statement of financial position actually exist.
Presentation ensures all transactions events and disclosures are clearly described, relevant,
understandable
and applicable to the financial reporting framework.
Occurrence ensures that transactions and events actually happened.
Classification and understandability ensures that transactions are in the correct accounts
and items have been disclosed correctly.
3
Cut-off ensures that transactions are recorded in the correct financial period.
Note: CRAVE assertions are mainly used to test assets, liabilities and equity. POCC assertions
are mainly used to test income and expenses. The assertions which cover the whole
financial statements and can therefore be
used to test all balances and transactions are
COMPLETENESS ACCURACY PRESENTATION CLASSIFICATION
4
Gathering Evidence
AUDIT PROCEDURES:
- Controls procedures - procedures which identify whether the controls systems being
reviewed actually work;
- Substantive procedures - procedures which identify material misstatements present
in financial statements.
Control procedures include:
1) Assessing the internal control systems which relate to financial statements;
2) Identification whether the control system is strong or weak;
3) Testing by the auditor to gather evidence to back up a conclusion.
Note: Substantive testing is carried out after controls have been assessed.
Reliable controls ⟹ Lower risk of material misstatement
Financial statements assertions (e.g. objective of substantive procedures) -
CRAVE COCA:
C - Completeness C - Cut-off
R - Rights and obligations O - Occurrence
A
V - Allocation and valuation C - Classification and understandability
E - Existence A - Accuracy
Note: Every procedure must cover at least one assertion.
5
QUALITY OF EVIDENCE:
ISA 500 main requirement - Sufficient appropriate audit evidence
Sufficient = enough evidence.
Points for consideration when deciding if the evidence is sufficient:
1) Risk of material misstatement;
2) Materiality of balance/item;
3) Reliability of control systems;
4) Conclusions of control test performed previously;
5) Size of sample being tested;
6) Reliability of evidence that can be collected.
Appropriate = relevant + reliable evidence
Relevant evidence in:
1) Control procedures - evidence should identify whether the control system operates
effectively;
2) Substantive procedures:
- Evidence must achieve at least one of the FS assertions;
- Evidence should help to conclude whether the FS are true and fair.
Reliable evidence should be (ideally):
- Independent;
- Obtained directly by the auditor;
- From strong control system;
- Written;
- In original form.
Less characteristics ⟹ More evidence to obtain
6
METHODS OF GATHERING EVIDENCE:
ISA 500 methods:
1) Analytical procedures - comparison of data in FS;
2) Enquiry - talking to client staff and management;
3) Inspection - inspecting documentation that confirms balances and transactions;
4) Observation - observing processes at the client to understand and review reliability;
5) Recalculation - recalculating transactions and balances for accuracy;
6) Confirmation - written confirmation of balances and transactions;
7) Reperformance - carrying out the procedure the client has performed.
Note: Most appropriate method should be selected.
Sampling (ISA 530 definition) - the application of audit procedures to less than 100% of
items within a population of audit relevance such that all sampling units have a chance of
selection in order to provide the auditor with a reasonable basis on which to draw
conclusions about the entire population.
Sampling risk - risk of not selecting transaction that contain a material misstatement.
Sampling considerations:
1) Sampling requires auditor judgement and skills;
2) Sample size should be sufficient to reduce sampling risk to the acceptable level;
3) Sample chosen should represent the whole population of transactions.
Sampling methods:
1) Statistical sampling - auditor has not influenced the selection the transaction
(random selection, probability theory);
2) Non-statistical sampling (any other method).
7
Commonly used methods:
- Random number tables;
- Systematic selection (for example every 10th transaction);
- Block selection (e.g. cut-off test);
- Monetary unit selection (largest items);
- Haphazard methods (no bias!).
REVIEW THE RESULTS OF AUDIT PROCEDURES:
Identified misstatements are material?
1) Yes ⟹ Misstatements are misleading to users ⟹ Amend FS;
2) No ⟹ Smaller errors could accumulate in material misstatement ⟹ Record on the
spreadsheet and review it at the end of the audit.
8
Computer Assisted Audit Techniques (CAAT's)
Two main areas where CAATs are widely used:
1) Controls - using test data;
2) Substantive testing - using audit software.
TEST DATA:
Test data is where the auditor will access the client’s computer controls. They will perform
audit tests on the system by entering dummy data into the system and monitoring how it
progresses through the control cycle. This method of testing will allow the auditor to see if
the control functions of the computer system perform properly.
There are several ways of data testing:
Narrative Live data tests Dead data tests
Definition
The auditor has access to the
computer systems during the
operating hours of the client.
The auditor can enter dummy data in a
batch after working hours.
Advantages
Demand has impact on
efficiency of the controls;
Detect that system does not
cope when there are multiple
users, all posting onto and
reviewing the data on the
system;
Easier to reverse;
Remove the risk of material misstatement;
Enabling test of the system by taking copy to
install on own computer;
Effective way of testing controls;
Disadvantages Dummy entries may be
forgotten and not reversed;
Auditor cannot assess whether the system
would have problems when busy;
9
AUDIT SOFTWARE:
Audit software - software assisting at substantive testing stage where the auditor is
performing audit procedures that help to detect potential material misstatements.
Audit procedures which may be performed using audit software:
1. Analytical procedures:
Calculate ratios;
Compare to previous year’s results, budgets and industry averages;
Investigate unusual results with client;
2. Selecting samples using systematic method;
3. Checking calculations:
4. Adding-up transactions to agree balances in the system;
Recalculating other transactions (for example VAT);
Reduces risk of human error;
Exceptions reporting:
5. Highlighting unusual trends;
Detect balances that look unusual;
Balances and transactions detected by the system can be investigated for potential
material misstatement;
Note: Auditor must be able to import all client transactions and balances onto the audit
software.
Benefits of audit software: Drawbacks of audit software:
It can save time due to automatic
procedure being carried out by software;
It can save on labour costs for audit
assignment;
It reduces the risk of human error.
Bespoke system can be very expensive;
Risk of data corruption when carrying out the
process;
Risk of data leak;
Confidentiality is a concern;
Strong security controls are required.
10
Data Analytics in Audit
What is Data Analytics?
Data analytics is the process of examining the available data in order to draw meaningful
conclusions. It enables the businesses to identify new opportunities, to harness costs
savings and to enable faster decision making, by drawing data from multiple sources to
inform decisions or draw conclusions. The data is often both internal and external and is
often aided by specialised software.
Data Analytics and Audit
Data analytics for audit involves discovering and analysing patterns, deviations and
inconsistencies, and extracting other useful information in the data related to the subject
matter of an audit. This can be done through analysis, modelling and visualisation for the
purpose of planning and performing the audit. The process can reduce the risk of error in
the audit as well as offering value to the client, as they often use visual methods such as
graphs to present data, helping to identify trends and correlations.
For auditors, the main driver of using data analytics is to improve audit quality. It allows
auditors to more effectively audit the large amounts of data held and processed in IT
systems in larger clients, and by doing so they can better understand the client’s
information and better identify the risks.
Data analytics tools have the power to turn all the data into an understandable presentation
for both the auditors and clients. Large firms often have the resources to create their own
data analytics platforms, whereas smaller firms may opt to acquire an off the shelf package.
Larger firms may also generate audit programmes tailored to client-specific risks or to
provide data directly into computerised audit procedures, allowing them to more efficiently
arrive at the result.
Benefits of Data Analytics
– Data analytics enable increased business understanding as you gain a more thorough
analysis of a client’s data.
– It gives auditors a better focus on risk. This increased understanding, aids the
identification of risks associated with a client, enabling testing to be better directed at
those areas.
– It results in increased consistency across group audits where all auditors are using the
same technology
11
– and process, enabling the group auditor to direct specific tools for use in component
audits and to execute testing across the group.
– There’s increased efficiency through the use of computer programmes to perform very
fast processing of large volumes of data and provide analysis to auditors, saving time
and focus for judgemental and risk areas.
– Data can be more easily manipulated by the auditor as part of audit testing, for example
performing sensitivity analysis on management assumptions.
– There is increased fraud detection through the ability to interrogate all data and to test
segregation of duties,
– The information obtained through data analytics can be shared with the client, adding
value to the audit and providing a real benefit to management in that they are provided
with useful information perhaps from a different perspective.
Challenges in Data Analytics
– There is a lack of consistency or a widely accepted standard across firms and even
within a firm often. Moreover, there is currently no specific regulation or guidance
which covers all the uses of data analytics within an audit, which can make quality
control guidelines difficult.
– Storing client data gives rise to the risk of breach of confidentiality and data protection.
This data could be misused or illegal access obtained if the firm’s data security is weak
or hacked, which may result in serious legal and reputational consequences.
– The completeness and integrity of the extracted client data may not be guaranteed.
Specialists are often required to perform the extraction and there may be limitations to
the data extraction where either the firm does not have the appropriate tools or
understanding of the client data to ensure that all data is collected.
– There may be compatibility issues with the client systems which may render standard
tests ineffective if data is not available in the expected formats.
– The audit staff may not be competent to understand the exact nature of the data and
output to draw appropriate conclusions. In this case training may need to be provided
which can be expensive.
– There could be insufficient or inappropriate evidence retained on file due to failure to
understand or
– document the procedures and inputs fully.
12
– Another issue arises relating to data storage and accessibility for the duration of the
required retention period for audit evidence. The data obtained must be held for
several years in a form which can be retested. As large volumes will be required firms
may need to invest in hardware to support such storage or outsource data storage
which compounds the risk of lost data or privacy issues.
– There can be an expectation gap among stakeholders who think that because the
auditor is testing 100% of transactions in a specific area, the client’s data must be 100%
correct, which may not be the case.
13
Relying on the Work of Others
KEY CONSIDERATIONS
Aim: To obtain sufficient and appropriate audit evidence.
Reasons to rely on the work of others:
1. Lack of technical knowledge.
2. This is the most efficient way of obtaining evidence.
Examples of work of others which may be relied upon:
Own Expert Client's Expert
1. Using a property valuer to verify
property figures;
2. Bringing in an inventory expert;
3. Experts to assist with progress values;
and
4. Legal advice on legal cases.
1. Client lawyers' documentation;
2. Relying on internal auditor’s work; and
3. Service organisations used by client.
Steps in relying on the work of others:
Decide if experts are needed
⇩
Plan work required of them
⇩
Reduce disruption to the audit
⇩
14
Form the audit opinion
AUDITOR'S OWN EXPERT
Assessment of competence and independence:
According to ISA 620 the auditor should determine whether the work of the expert is
adequate for the auditor’s purposes.
How to ensure that work is adequate:
1. Review qualifications, experience, memberships; and
2. Review any business or personal connections. Key tips:
1. Communicate to the client before audit work; and
2. Include in engagement letter.
EXTERNAL EXPERT - INTERNAL AUDIT
Importance and responsibilities of internal auditor:
1. Fundamental to control systems;
2. Carries out control procedures;
3. Identifies deficiencies and implements changes.
Auditor can rely on: Auditor should consider:
1 Control test; 1 Scope of work;
2 Risk assessment; and 2 Level of detail;
3 Special investigations (fraud).
3 Reasonability of assurance; and
4 Further work (if necessary).
15
Audit requirements:
Work adequacy considerations:
Independence considerations: Quality of report:
1. Assessment of technical competence; and
1. Internal auditors are employees – independence is unlikely;
1. Evidence collected is fundamental in forming an independent opinion;
2. Review of qualifications and experience.
2. Audit committee is formed of non-executive directors = Independence from board is improved; and
2. Ideally - written evidence; if no such evidence is available, auditor may still need some further work to be done.
3. Less independence the expert has from the entity = Less reliance can be placed on their work.
EXTERNAL EXPERT - SERVICE ORGANISATION
Service organisation - outsourced function used by client (for example payroll function).
Audit considerations:
1. Understand organisations and assess risk;
2. Decide testing level and assess procedures; and
3. Consider visit.
Advantages Disadvantages
1. Increased expertise and skills; 1. Obtaining information on a timely basis may be difficult;
2. Increased independence from directors.
2. May not be allowed to perform audit work; and
3. Not being able to obtain sufficient appropriate evidence.
16
Smaller Entities and Not-for-Profit Organisations
AUDIT OF SMALLER ENTITIES
Smaller entities may not require a statutory audit in some countries. The reasons for not
requiring a statutory audit are:
– The shareholders are often the directors of the entity;
– Companies may have only a few members of staff;
– Audits are expensive; and
– With fewer resources, the systems may be more straightforward, and not require expert
advice from the auditor.
Note: If a smaller entity requires an external audit, the auditors would ensure that they have an
experienced audit team.
The advantages of such an audit are:
1. It can be a relatively low risk audit;
2. With direct control, the management will have a full understanding and
responsibility for the organisation, and can assist the auditor effectively; and
3. The systems will often be straightforward and easier to understand.
The disadvantages of such an audit are:
1. Shareholders are in a position to manipulate the figures in the financial
statement or hide personal expenses;
2. There is an increased risk of human error which needs to be identified and
addressed by the auditor;
3. Having one staff member responsible for an entire control system can increase
the risk of fraud; and
4. There is limited amount of written evidence the auditor can obtain from the
client.
17
Summary:
– There may be elements of the audit that are far more straightforward than dealing with a
larger organisation; and
– There will possibly be less substantive testing. However, careful planning is still needed to
assess the risks and review the control systems and any limitations.
AUDIT OF NOT-FOR-PROFIT ORGANISATIONS
Not-for-profit organisations include charities and public sector entities. It is even more
important that specialised audit staff are involved in the audit process for this kind of entity.
The key differences we would see with a not-for-profit organisation are:
– They are not driven by profits;
– They will not have shareholders;
– There will be no dividend payments; and
– A charity would prepare a statement of financial activities which is formatted differently to
a statement of profit and loss.
Auditing not-for-profit organisations comes with its own audit risks and some of these are:
– There may be a lack of segregation of duties and simple systems may not be documented.
This could increase the risk of fraud and error;
– Entities may not have the expertise or time to make good strategic decisions;
– Volunteers are used to keep costs down. They may lack skills and make mistakes, but also,
they may not stay long and then not be available to assist the auditor with explanations;
– Income may depend on external factors (government grants and donations);
– Entities may have very complex regulations to follow. This increases the risk of disclosure
notes being inadequate; and
– Any sudden change in circumstances could affect the entity in the short term. The audit
approach for this type of entity should include:
1. Careful planning;
18
2. A specialised audit team;
3. Pure substantive testing if controls are not deemed effective; and
4. Analytical procedures.
Note: If there are any issues gathering the evidence needed to form an audit opinion, as always,
the auditor may need to modify their audit report.
