Embed Size (px)
Citation preview
1 Updated May 2012
KAMPUCHEA INSTITUTE OF CERTIFIED
PUBLIC ACCOUNTANTS AND AUDITORS
Audit Engagement Review Questionnaire
Review Code: _______________________________________
Engagement Reference Code: _________________________
Engagement year end: ________________________________
Type of entity that was audited:
Entity listed on the Cambodian Stock Exchange
Other Public Interest Entity Foreign owned Entity – Part of overseas listed group or other public
interest group Foreign owned Entity – Part of overseas privately owned group Locally owned private entity NGO
Other (Specify)
Size of audited entity: Revenue: USD _________
Total Assets: USD ___________
2 Updated May 2012
Guidance for reviewers The review of a member firm should normally commence with the reviewer discussing with the person responsible for quality control in the firm the firms the answers the firm should already have provided to the questions contained in the firm wide (or general) review questionnaire. Following this meeting/discussion the reviewer should then confirm to the extent deemed necessary the firm’s responses against their quality control manual (or equivalent) etc. During (or shortly after) this initial meeting/discussion the reviewer should also select specific audit engagement(s) to be reviewed according to this questionnaire. This questionnaire is designed to assist a reviewer to assess whether the audit of such specific engagement(s) being reviewed have been carried out in accordance with Cambodian International Standards on Auditing (CISA) which correspond to the International Standards on Auditing issued by the International Federation of Accountants (IFAC) and other professional standards. The reviewer must answer yes or no to these questions and provide appropriate supporting commentary in order for a peer reviewer (where utilised) to determine the basis for the conclusions made or, if a particular question is not relevant answer not applicable (NA) with explanation where necessary as to why the question is not relevant to the engagement. The questionnaire contains references to the paragraph numbers of the source documents (CISA, CE etc) that detail the mandatory requirements that questions address. It also contains references to those application and explanatory material contained in standards that deal with the application of particular requirements to the audit of smaller entities. It is suggested that the reviewer should start the review of engagement process by conducting an overall review of the whole audit, which should provide answers to most of the questions. During this overall review the reviewer should identify one significant audit risk (or if none exist a material account) and examine this area in detail. This process should provide the reviewer sufficient information to make an overall assessment of the audit.
At the conclusion of the review the reviewer should conduct an exit interview with the person responsible for quality control in the firm. At this meeting the reviewer should advise in general terms the results of the review and, providing the results of the review are generally satisfactory, seek an undertaking that the firm will take steps to correct any minor issues identified. The reviewer should then complete the report on the findings of the review and forward it to KICPAA
Legend:
CISA Cambodian International Standard on Audit CE Code of Ethics for Professional Accountants SMO1 Statement of Member Obligations issued by the International Federation of
Accountants (IFAC) LCA The Law on Corporate Accounts, Their Audit and The Accounting Profession
LCA The Law on Corporate Accounts, Their Audit and The Accounting Profession
3 Updated May 2012
A. AUDIT INDEPENDENCE
No. Reference Question Small Entities Reviewers comments 1. CISA220.8to
CISA220.11& CISA220.24
Did the engagement partner form and document a conclusion on compliance with independence requirements that applied to this audit engagement?
2. In forming the conclusion referred to above, did the engagement partner: (a) Obtain relevant information from the firm
and, where applicable, network firms, to identify and evaluate circumstances and relationships that create threats to independence?
(b) Evaluate information on identified breaches, if any, of the firm’s independence policies and procedures to determine whether they create a threat to independence for the audit engagement?
Were any significant threats to independence identified for this engagement? If yes did the engagement partner: (c) Take appropriate action to eliminate such
threats or reduce them to an acceptable level by applying safeguards, or, if considered appropriate, to withdraw from the audit engagement, where withdrawal is possible under applicable law or regulation. The engagement partner shall promptly
4 Updated May 2012
No. Reference Question Small Entities Reviewers comments report to the firm any inability to resolve the matter for appropriate action
CISA220.24 & CE.290.40
When threats to independence that are not clearly insignificant are identified, and the firm decides to accept or continue the assurance engagement, the decision should be documented. The documentation should include a description of the threats identified and the safeguards applied to eliminate or reduce the threats to an acceptable level.
3. CISA300.6 Did the evaluation of independence consider:
CE.290.102 to CE.290.117
(a) Financial Interests – Self Interest Threat Holding a financial interest in an audit client may create a self-interest threat. The existence and significance of any threat created depends on:
The role of the person holding the financial interest, Whether the financial interest is direct or indirect, and The materiality of the financial interest.
Financial interests may be held through an intermediary (for example, a collective investment vehicle, estate or trust). The determination of whether such financial interests are direct or indirect will depend upon whether the beneficial owner has control over the investment vehicle or the ability to influence its investment decisions. When control over the investment vehicle or the ability to influence investment decisions exists, this Code defines that financial interest to be a direct financial interest. Conversely, when the beneficial owner of the financial interest has no control over the investment vehicle or ability to influence its investment decisions, this Code defines that financial interest to be an indirect financial interest. If a member of the audit team, a member of that individual’s immediate family, or a firm has a direct financial interest or a material indirect financial interest in the audit client, the self-interest threat created would be so significant that no safeguards could reduce the threat to an acceptable level.
5 Updated May 2012
No. Reference Question Small Entities Reviewers comments Therefore, none of the following shall have a direct financial interest 5or a material indirect financial interest in the client: a member of the audit team; a member of that individual’s immediate family; or the firm.
Did the engagement partner consider whether: The Firm; or a member of the assurance team, or
their immediate family member; or A partner in the office in which the
engagement partner practices in connection with the audit; or
Other partners and managerial employees who provide non-assurance services to the audit client, except those whose involvement is minimal;
hold a direct financial interest or a material indirect financial interest in the audit client?
CE.290.118 to CE.290.123
(b) Loans and Guarantees – Self Interest Threat A loan, or a guarantee of a loan, to:
a member of the audit team, or a member of that individual’s immediate family, or the firm
from an audit client that is a bank or a similar institution may create a threat to independence. If the loan or guarantee is not made under normal lending procedures, terms and conditions, a self-interest threat would be created that would be so significant that no safeguards could reduce the threat to an acceptable level. Accordingly, neither a member of the audit team, a member of that individual’s immediate family, nor a firm shall accept such a loan or guarantee. A loan, or a guarantee of a loan, from an audit client that is a bank or a similar institution to a member of the audit
6 Updated May 2012
No. Reference Question Small Entities Reviewers comments team, or a member of that individual’s immediate family, does not create a threat to independence if the loan or guarantee is made under normal lending procedures, terms and conditions. Examples of such loans include home mortgages, bank overdrafts, car loans and credit card balances
Did the engagement partner consider whether a loan or a guarantee of a loan, not at commercial terms or in the normal under normal terms and conditions, been made by the audit client to:
a member of the audit team; or a member of that individual’s
immediate family; or the firm; or whether any of the above have made a
loan or guarantee to the audit client? If any have been identified, has the Engagement Partner taken steps to apply safeguards that reduce the self interest threat to an acceptable level?
CE.290.124 to CE.290.126
(c) Business Relationships – Self Interest or Intimidation Threats A close business relationship between a firm, or a member of the audit team, or a member of that individual’s immediate family, and the audit client or its management, arises from a commercial relationship or common financial interest and may create self-interest or intimidation threats. Examples of such relationships include:
Having a financial interest in a joint venture with either the client or a controlling owner, director, officer or other individual who performs senior managerial activities for that client.
Arrangements to combine one or more services or products of the firm with one or more services or products of the client and to market the package with reference to both parties.
Distribution or marketing arrangements under which the firm distributes or markets the client’s products or services, or the client distributes or markets the firm’s products or services.
7 Updated May 2012
No. Reference Question Small Entities Reviewers comments Unless any financial interest is immaterial and the business relationship is insignificant to the firm and the client or its management, the threat created would be so significant that no safeguards could reduce the threat to an acceptable level. Therefore, unless the financial interest is immaterial and the business relationship is insignificant, the business relationship shall not be entered into, or it shall be reduced to an insignificant level or terminated.
Did the engagement partner consider whether a business relationship exists between the audit client or its management and
the firm; or a member of the audit team or a member of that individual’s
immediate family? If any such relationships have been identified, has the Engagement Partner assessed the significance of any threat and apploed safeguards where necessary to eliminate the threat or reduce it to an acceptable level?
CE.290.127 to CE.290.133
(d) Family and Personal Relationships – Self Interest, Familiarity or Intimidation Threats Family and personal relationships between a member of the audit team and a director or officer or certain employees (depending on their role) of the audit client may create self-interest, familiarity or intimidation threats. The existence and significance of any threats will depend on a number of factors, including the individual’s responsibilities on the audit team, the role of the family member or other individual within the client and the closeness of the relationship. When an immediate family member of a member of the audit team is:
a director or officer of the audit client; or an employee in a position to exert significant influence over the preparation of the client’s accounting
records or the financial statements on which the firm will express an opinion, or was in such a position during any period covered by the engagement or the financial statements,
8 Updated May 2012
No. Reference Question Small Entities Reviewers comments the threats to independence can only be reduced to an acceptable level by removing the individual from the audit team. The closeness of the relationship is such that no other safeguards could reduce the threat to an acceptable level. Accordingly, no individual who has such a relationship shall be a member of the audit team.
Did the Engagement Partner consider whether any family or personal relationship exists between
an immediate family member of a member of the audit team; or
A close family member of a member of the audit team; or
a partner or employee of the firm who is not a member of the audit team
and a director or officer of the audit client or an employee in a position to exert significant influence over the preparation of the client’s accounting records or the financial statements? If any such relationships have been identified then the Engagement Partner must assess the significance of the threat and apply safeguards when necessary to eliminate the threat or reduce it to an acceptable level. Additionally, the Firm should determine whether to discuss the matter with those charged with Governance.
CE.290.134 to CE.290.141
(e) Employment with Audit Clients – Familiarity, Intimidation or Self Interest Threats Familiarity or intimidation threats may be created if a director or officer of the audit client, or an employee in a position to exert significant influence over the preparation of the client’s accounting records or the financial statements on which the firm will express an opinion, has been a member of the audit team or partner of the firm.
9 Updated May 2012
No. Reference Question Small Entities Reviewers comments If a former member of the audit team or partner of the firm has joined the audit client in such a position and a significant connection remains between the firm and the individual, the threat would be so significant that no safeguards could reduce the threat to an acceptable level. Therefore, independence would be deemed to be compromised if a former member of the audit team or partner joins the audit client as a director or officer, or as an employee in a position to exert significant influence over the preparation of the client’s accounting records or the financial statements on which the firm will express an opinion, unless:
The individual is not entitled to any benefits or payments from the firm, unless made in accordance with fixed pre-determined arrangements, and any amount owed to the individual is not material to the firm; and
The individual does not continue to participate or appear to participate in the firm’s business or professional activities.
Additionally, a self-interest threat is created when a member of the audit team participates in the audit engagement while knowing that the member of the audit team will, or may, join the client some time in the future. Firm policies and procedures shall require members of an audit team to notify the firm when entering employment negotiations with the client. Audit Clients that are Public Interest Entities Familiarity or intimidation threats are created when a key audit partner joins the audit client that is a public interest entity as:
A director or officer of the entity; or An employee in a position to exert significant influence over the preparation of the client’s accounting
records or the financial statements on which the firm will express an opinion. Independence would be deemed to be compromised unless, subsequent to the partner ceasing to be a key audit partner, the public interest entity had issued audited financial statements covering a period of not less than twelve months and the partner was not a member of the audit team with respect to the audit of those financial statements.
10 Updated May 2012
No. Reference Question Small Entities Reviewers comments Did the Engagement Partner consider whether any
former member of the audit team or partner of the firm is
a director or officer of the audit client; or
an employee in a position to exert significant influence over the preparation of the audit client’s accounting records or financial statements on which the firm will express an opinion;
Additionally, is the Engagement Partner aware of any circumstances where a member of the audit team, will (or may) join the audit client at some time in the future? If any such threats have been identified then the Engagement Partner must assess the significance of the threat and apply safeguards when necessary to eliminate the threat or reduce it to an acceptable level.
CE.290.142 (f) Temporary Staff Assignments – Self Review Threat The lending of staff by a firm to an audit client may create a self-review threat. Such assistance may be given, but only for a short period of time and the firm’s personnel shall not be involved in:
Providing non-assurance services that would not be permitted under this section; or Assuming management responsibilities.
In all circumstances, the audit client shall be responsible for directing and supervising the activities of the loaned staff. The significance of any threat shall be evaluated and safeguards applied when necessary to eliminate the threat or reduce it to an acceptable level. Examples of such safeguards include:
11 Updated May 2012
No. Reference Question Small Entities Reviewers comments
Conducting an additional review of the work performed by the loaned staff; Not giving the loaned staff audit responsibility for any function or activity that the staff performed during
the temporary staff assignment; or Not including the loaned staff as a member of the audit team.
Have any employees have been lent by the firm to
the audit client? If any such instances have been identified then the Engagement Partner must assess the significance of the threats and apply safeguards when necessary to eliminate the threat or reduce it to an acceptable level.
CE.290.143 to CE.290.145
(g) Recent Service with an Audit Client – Self Interest, Self Review or Familiarity Risk Self-interest, self-review or familiarity threats may be created if a member of the audit team has recently served as a director, officer, or employee of the audit client. This would be the case when, for example, a member of the audit team has to evaluate elements of the financial statements for which the member of the audit team had prepared the accounting records while with the client. Additionally, Self-interest, self-review or familiarity threats may be created if, before the period covered by the audit report, a member of the audit team had served as a director or officer of the audit client, or was an employee in a position to exert significant influence over the preparation of the client’s accounting records or financial statements on which the firm will express an opinion. Have any members of the audit team served as a director or officer of the audit client, or been an employee in a position to exert significant influence over the preparation of the client’s accounting records or the financial statements on which the firm will express an opinion?
12 Updated May 2012
No. Reference Question Small Entities Reviewers comments If so, has the Engagement Partner assessed the significance of the threat and applied safeguards when necessary to eliminate the threat or reduce it to an acceptable level?
CE.290.146 to CE.290.149
(h) Serving as a Director or officer of an Audit client – Self Review or Self Interest Risks If a partner or employee of the firm serves as a director or officer of an audit client, the self-review and self-interest threats created would be so significant that no safeguards could reduce the threats to an acceptable level. Accordingly, no partner or employee shall serve as a director or officer of an audit client. Performing routine administrative services to support a company secretarial function or providing advice in relation to company secretarial administration matters does not generally create threats to independence, as long as client management makes all relevant decisions. Has any partner or employee of the firm served as a director or officer of the audit client? If so, has the Engagement Partner assessed the significance of the threat and applied safeguards when necessary to eliminate the threat or reduce it to an acceptable level?
CE.290.150 to CE.290.155
(i) Long Association of Senior Personnel (Including Partner Rotation) with an Audit Client – Familiarity or Self interest Threat General Provisions: Familiarity and self-interest threats are created by using the same senior personnel on an audit engagement over a long period of time. The significance of the threats will depend on factors such as:
How long the individual has been a member of the audit team; The role of the individual on the audit team;
13 Updated May 2012
No. Reference Question Small Entities Reviewers comments
The structure of the firm; The nature of the audit engagement; Whether the client’s management team has changed; and Whether the nature or comple exity of the client’s accounting and reporting issues has changed.
Public Interest Entity In respect of an audit of a public interest entity, an individual shall not be a key audit partner for more than seven years. After such time, the individual shall not be a member of the engagement team or be a key audit partner for 13 the client for two years. During that period, the individual shall not participate in the audit of the entity, provide quality control for the engagement, consult with the engagement team or the client regarding technical or industry-specific issues, transactions or events or otherwise directly influence the outcome of the engagement. Key audit partners whose continuity is especially important to audit quality may, in rare cases due to unforeseen circumstances outside the firm’s control, be permitted an additional year on the audit team as long as the threat to independence can be eliminated or reduced to an acceptable level by applying safeguards.
If the client is a Public Interest Entity, is there:
a policy in place that requires key audit partner (e.g. engagement partner and review partner) to be rotated after a pre-determined period (of no longer than seven years)?
A policy that addresses risks assofiated with other partners of the firm have a long association with the audit client?
If there is no policy or if any threats have been identified, has the Engagement Partner assessed the significance of the threat and applied
14 Updated May 2012
No. Reference Question Small Entities Reviewers comments safeguards when necessary to eliminate the threat or reduce it to an acceptable level?
CE290.156 to CE290.219
(j) Provision of Non-assurance Services to Audit Clients – Self Review, Self Interest or Advocacy Threats Providing non-assurance services maycreate threats to the independence of the firm or members of the audit team. The threats created are most often self-review, self-interest and advocacy threats Before the firm accepts an engagement to provide a non-assurance service to an audit client, a determination shall be made as to whether providing such a service would create a threat to independence. In evaluating the significance of any threat created by a particular non-assurance service, consideration shall be given to any threat that the audit team has reason to believe is created by providing other related non-assurance services. If a threat is created that cannot be reduced to an acceptable level by the application of safeguards, the non-assurance service shall not be provided. Has the firm performed any of the following for an audit client:
CE.290.162 to CE.290.166
1. Assumed Management Responsibility? If a firm were to assume a management responsibility for an audit client, the threats created would be so significant that no safeguards could reduce the threats to an acceptable level. Activities that are routine and administrative, or involve matters that are insignificant, generally be deemed not to be a management responsibility
CE.290.167 to CE.290.174
2. Accounting or bookkeeping services? Management is responsible for the preparation and fair presentation of the financial statements. Providing an audit client with accounting and bookkeeping services, such as preparing
15 Updated May 2012
No. Reference Question Small Entities Reviewers comments accounting records or financial statements, generally creates a self-review threat when the firm subsequently audits the financial statements.
CE.290.175 to CE.290.180
3. Valuation Services A valuation comprises the making of assumptions with regard to future developments, the application of appropriate methodologies and techniques, and the combination of both to compute a certain value, or range of values, for an asset, a liability or for a business as a whole. Performing valuation services for an audit client may create a self-review threat where the valuation service that has a material effect on the financial statements on which the firm will express an opinion.
CE.290.181 to CE.290.194
4. Taxation Services Taxation services comprise a broad range of services, including:
Tax return preparation; Tax calculations for the purpose of
preparing the accounting entries; Tax planning and other tax advisory
services; and Assistance in the resolution of tax disputes
Performing certain tax services can create self-
16 Updated May 2012
No. Reference Question Small Entities Reviewers comments review and advocacy threats that should be addressed.
CE:290.195 to CE.290.200
5. Internal audit services The scope and objectives of internal audit activities vary widely and depend on the size and structure of the entity and the requirements of management and those charged with governance. Internal audit services involve assisting the audit client in the performance of its internal audit activities. The provision of internal audit services to an audit client creates a self-review threat to independence if the firm uses the internal audit work in the course of a subsequent external audit. Performing a significant part of the client’s internal audit activities increases the possibility that firm personnel providing internal audit services will assume a management responsibility.
CE.290.201 to CE.290.206
6. IT Systems Services Services related to information technology (IT) systems include the design or implementation of hardware or software systems. The systems may aggregate source data, form part of the internal control over financial reporting or generate information that affects the accounting records or financial statements, or the systems may be unrelated to the audit client’s accounting
17 Updated May 2012
No. Reference Question Small Entities Reviewers comments records, the internal control over financial reporting or financial statements. Providing systems services may create a self-review threat depending on the nature of the services and the IT systems In particular IT Systems Services that involved the design or implementation of IT systems that:
Form a significant part of the internal control over financial reporting? or
Generate information that is significant to the client’s accounting records or financial statements on which the firm will express an opinion?
May indicate that a self review threat exists.
CE.290.207 & CE.290.208
7. Litigation support services Litigation support services may include activities such as acting as an expert witness, calculating estimated damages or other amounts that might become receivable or payable as the result of litigation or other legal dispute, and assistance with document management and retrieval. These services may create a self-review or advocacy threat.
18 Updated May 2012
No. Reference Question Small Entities Reviewers comments CE.290.209 & CE.290.213
8. Legal services legal services are defined as any services for which the person providing the services must either be admitted to practice law before the courts of the jurisdiction in which such services are to be provided or have the required legal training to practice law. Such legal services may include, depending on the jurisdiction, a wide and diversified range of areas including both corporate and commercial services to clients, such as contract support, litigation, mergers and acquisition legal advice and support and assistance to clients’ internal legal departments. Providing legal services to an entity that is an audit client may create both self-review and advocacy threats.
CE.290.214& CE.290.215
9. Recruiting services Providing recruiting services to an audit client may create self-interest, familiarity or intimidation threats. The existence and significance of any threat will depend on factors such as:
The nature of the requested assistance; and The role of the person to be recruited.
19 Updated May 2012
No. Reference Question Small Entities Reviewers comments CE290.216 to CE.290.219
10. Corporate finance services Providing corporate finance services such as:
assisting an audit client in developing corporate strategies;
identifying possible targets for the audit client to acquire;
advising on disposal transactions; assisting finance raising transactions; and providing structuring advice,
may create advocacy and self-review threats.
CISA220.24 & CE.290.29
If any of the above services were provided to the client has the Engagement Partner ensured that:
(a) The significance of any threat to independence evaluated and safeguards applied when necessary?
(b) The nature of the threat and the safeguards in place or applied that reduce the threat to an acceptable level documented?
4. CE290.220&
CE290.222
Fees – Self Interest or Intimidation Threat Relative Size When the total fees from an audit client represent a large proportion of the total fees of the firm expressing the audit opinion, the dependence on that client and concern about losing the client creates a self-interest or intimidation threat. The significance of the threat will depend on factors such as:
The operating structure of the firm;
20 Updated May 2012
No. Reference Question Small Entities Reviewers comments
Whether the firm is well established or new; and The significance of the client qualitatively and/or quantitatively to the firm.
A self-interest or intimidation threat is also created when the fees generated from an audit client represent a large proportion of the revenue from an individual partner’s clients or a large proportion of the revenue of an individual office of the firm.
Consider: (a) Do the total fees generated by a particular client represent a large proportion of the revenue of the firm, an individual office of the firm or an individual partner?
(b) If you answered yes to the above question, were the threats evaluated and safeguards applied when necessary?
CE290.222 (c) If the client is a public interest audit entity, have the total fees generated by the client and its related entities represented more than 15% of the total fees received by the firm for two consecutive years?
If yes did the firm: (a) disclose to those charged with governance of the client the fact that the total of such fees represents more than 15% of the total fees received by the firm, and discussed which of the safeguards (a pre or post issue review) it will apply to reduce the threat to an acceptable level?
(b) apply the agreed safeguards?
21 Updated May 2012
No. Reference Question Small Entities Reviewers comments
CE290.223 Also consider: (a) Did the fees charged to this client for the previous year, or a significant part thereof, remained unpaid at the time of issuing the current years audit report?
CE290.224 to CE290.227
Contingent Fees – Self Interest Threat Contingent fees are fees calculated on a predetermined basis relating to the outcome of a transaction or the result of the services performed by the firm. A contingent fee charged directly or indirectly, for example through an intermediary, by a firm in respect of an audit engagement creates a selfinterest threat that is so significant that no safeguards could reduce the threat to an acceptable level. Additionally, a contingent fee charged directly or indirectly, for example through an intermediary, by a firm in respect of a non-assurance service provided to an audit client may also create a self-interest threat. For other contingent fee arrangements charged by a firm for a nonassurance service to an audit client, the existence and significance of any threats will depend on factors such as:
The range of possible fee amounts; Whether an appropriate authority determines the outcome of the matter upon which the contingent fee will be
determined; The nature of the service; and The effect of the event or transaction on the financial statements
Consider: (a) has the Firm entered into any arrangements for the provision of Audit services?
22 Updated May 2012
No. Reference Question Small Entities Reviewers comments (b) Is the fee charged by the firm expressing the opinion on the financial statements material or expected to be material to that firm?
(c) Is the fee charged by a network firm that participates in a significant part of the audit and the fee is material or expected to be material to that firm; or (d) Is the outcome of the non-assurance service, and therefore the amount of the fee, dependent on a future or contemporary judgment related to the audit of a material amount in the financial statements?
23 Updated May 2012
B. PLANNING
No. Reference Question Small Entities Reviewers comments 5. QS26 &
CISA220.24 & CISA300.6
Is there written evidence that auditor has undertaken the following activities at the beginning of the current audit engagement:
(a) Performed procedures required by ISA 220 regarding the continuance of the client relationship and the specific audit engagement including:
The engagement partner shall be
satisfied that appropriate procedures regarding the acceptance and continuance of client relationships and audit engagements have been followed, and shall determine that conclusions reached in this regard are appropriate.
If the engagement partner obtains
information that would have caused the firm to decline the audit engagement had that information been available earlier, the engagement partner shall communicate that information promptly to the firm, so that the firm and the engagement partner can take the necessary action.
(b) Evaluated compliance with relevant ethical requirements, including independence, in accordance with ISA 220:9-11;
24 Updated May 2012
No. Reference Question Small Entities Reviewers comments (c) Established an understanding of the terms
of the engagement, as required by ISA 210. “Agreeing the Terms of Audit Engagements,” paragraphs 9–13
6. CISA210.10 Were the agreed terms of the audit engagement recorded in an audit engagement letter or other suitable form of written agreement and include: (a) The objective and scope of the audit of the
financial statements; (b) The responsibilities of the auditor; (c) The responsibilities of management; (d) Identification of the applicable financial
reporting framework for the preparation of the financial statements; and
(e) Reference to the expected form and content of any reports to be issued by the auditor and a statement that there may be circumstances in which a report may differ from its expected for and content
7. CISA260.11 to CISA260.13
Has the auditor determined the appropriate person(s) within the entity’s governance structure with whom to communicate? If the auditor has determined that they communicate with a subgroup of those charged with governance, for example, an audit committee, or an individual, has the auditor determined whether they also needs to communicate with the governing body?
CISA260.A2
25 Updated May 2012
No. Reference Question Small Entities Reviewers comments 8. CISA260.14 Has the auditor communicated to those charged
with governance the responsibilities of the auditor in relation to the financial statement audit, including that:
(a) That the auditor is responsible for forming and expressing an opinion on the financial statements that have been prepared by management with the oversight of those charged with governance?
(b) That the audit of the financial statements does not relieve management or those charged with governance of their responsibilities?
9. CISA260.15 Did the Auditor provide those charged with Governance with an overview of the planned scope and timing of the audit?
10. CISA260.18 Did the Auditor provide those charged with Governance information on the form, timing and expected general content of communications?
CISA260.A31
11. CISA220.14 Has the Engagement Partner demonstrated that they are satisfied that the engagement team, and any auditor’s experts who are not part of the engagement team, collectively have the appropriate competence and capabilities to:
(a) Perform the audit engagement in
accordance with professional standards and applicable legal and regulatory
26 Updated May 2012
No. Reference Question Small Entities Reviewers comments requirements; and
(b) Enable an auditor’s report that is appropriate in the circumstances to be issued.
12. CISA240.22 Has the Engagement Partner evaluated whether
unusual or unexpected relationships that have been identified in performing analytical procedures, including those related to revenue accounts, may indicate risks of material misstatement due to fraud?
13. CISA300.7 Has the auditor established an overall documented audit strategy that sets the scope, timing and direction of the audit, and that guides the development of the audit plan?
CISA300.A11& CISA300.A19
14. CISA300.8 Does the above audit strategy:
CISA300A11
(a) Identify the characteristics of the engagement that define its scope?
(b) Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the communications required?
(c) Consider the factors that, in the auditor’s professional judgment, are significant in directing the engagement team’s efforts?
(d) Consider the results of preliminary engagement activities and, where applicable, whether knowledge gained on other engagements
27 Updated May 2012
No. Reference Question Small Entities Reviewers comments performed by the engagement partner for the entity is relevant?
(e) Ascertain the nature, timing and extent of resources necessary to perform the engagement?
15. CISA300.12 The auditor shall include in the audit documentation: (a) The overall audit strategy; (b) The audit plan; and (c) Any significant changes made during the audit engagement to the overall audit strategy or the audit plan, and the reasons for such changesIndicate reasons for any significant changes made during the audit engagement?
16. CISA320.10 When establishing the overall audit strategy, did the Engagement Partner determine materiality for the financial statements as a whole? If, in the specific circumstances of the entity, there is one or more particular classes of transactions, account balances or disclosures for which misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements, has the Engagement Partner also determined the materiality level or levels to be applied to those particular classes of transactions, account balances or disclosures?
CISA320.A8
28 Updated May 2012
No. Reference Question Small Entities Reviewers comments 17. CISA320.11 Has the Engagement Partner determined
performance materiality for purposes of assessing the risks of material misstatement and determining the nature, timing and extent of further audit procedures?
18. CISA320.14 Does the audit documentation include the following amounts and the factors considered in their determination:
(a) Materiality for the financial statements as a whole?
(b) If applicable, the materiality level or levels for particular classes of transactions, account balances or disclosures?
(c) Performance materiality?
(d) Any revision of (a) to (c) above as the audit progressed?
19 CISA300.9 Has the auditor developed a documented audit plan that includes a description of:
CISA300.A19
(a) The nature, timing and extent of planned risk assessment procedures, as determined under ISA 315: Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment.
(b) The nature, timing and extent of planned further audit procedures at the assertion level, as determined under ISA 330: The Auditor’s Responses to Assessed Risks
29 Updated May 2012
No. Reference Question Small Entities Reviewers comments (c) Other planned audit procedures that are required to be carried out so that the engagement complies with ISAs.
CISA330.5 Has the Engagement Partner designed and implemented overall responses to address the assessed risks of material misstatement at the financial statement level?
CISA330.6 Has the Enagement Partner designed and performed further audit procedures whose nature, timing and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level?
CISA330.A18
CISA330.7 In designing the further audit procedures to be performed, has the Engagement Partner: (a) Considered the reasons for the assessment given to the risk of material misstatement at the assertion level for each class of transactions, account balance, and disclosure, including
(i) The likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance, or disclosure (that is, the inherent risk); and
(ii) Whether the risk assessment takes account of relevant controls (that is, the control risk), thereby requiring the auditor to obtain audit evidence to determine
30 Updated May 2012
No. Reference Question Small Entities Reviewers comments whether the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); and
(b) Obtain more persuasive audit evidence the higher the auditor’s assessment of risk.
CISA300.11 Has the Engagemeng Partner determined the nature, timing and extent of direction and supervision of engagement team members and the review of their work?
CISA300.A15
20. CISA315.10 & CISA240.15 & CISA240.44
Is there documented evidence that the engagement partner and other key engagement team members discussed the susceptibility of the entity’s financial statements to material misstatement (including misstatement due to fraud), and the application of the applicable financial reporting framework to the entity’s facts and circumstances? Additionally has the Engagement Partner determined which matters are to be communicated to engagement team members not involved in the discussion and documented this?
CISA315A16
31 Updated May 2012
C. RISK ASSESSMENT AND INTERNAL CONTROLS
No. Reference Question Small Entities Reviewers comments 21. CISA315.11 &
CISA250.12 Has the firm documented its understanding of the following:
(a) Relevant industry, regulatory, and other external factors including the applicable financial reporting framework and how the entity is complying with those requirements?
(b) The nature of the entity, including: its operations; its ownership and governance structures; the types of investments that the entity is
making and plans to make, including investments in special-purpose entities; and
the way that the entity is structured and how it is financed
to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements?
(c) The entity’s selection and application of accounting policies, including the reasons for changes thereto. The auditor shall evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry
(d) The entity’s objectives and strategies, and those related business risks that may result in risks of
32 Updated May 2012
material misstatement? (e) The measurement and review of the entity’s financial performance?
CISA315.A41
22. CISA402.9 to CISA402.22
Many entities outsource aspects of their business to organizations that provide services ranging from performing a specific task under the direction of an entity to replacing an entity’s entire business units or functions, such as the tax compliance function. Many of the services provided by such organizations are integral to the entity’s business operations; however, not all those services are relevant to the audit. When obtaining an understanding of the user entity in accordance with ISA has the Engagement Partnergained an understanding of how the Audit Client uses the services of a service organization in the user entity’s operations, including:
CISA402.A5
(a) The nature of the services provided by the service organization and the significance of those services to the user entity, including the effect thereof on the user entity’s internal control;
(b) The nature and materiality of the transactions processed or accounts or financial reporting processes affected by the service organization;
(c) The degree of interaction between the activities of the service organization and those of the user entity; and
33 Updated May 2012
(d) The nature of the relationship between the user entity and the service organization, including the relevant contractual terms for the activities undertaken by the service organization.
Has the Engagement Partner evaluated the design and implementation of relevant controls at the user entity that relate to the services provided by the service organization, including those that are applied to the transactions processed by the service organization?
23 CISA315.9 Where the Engagement Partner intends to use information obtained from previous experience with the entity and from audit procedures performed in previous audits, have they determined whether changes have occurred since the previous audit that may affect its relevance to the current audit?
24 Has the Engagement Partner demonstrably:
CISA240.23 (a) Considered whether any information obtained about the entity indicates risks of material misstatement due to fraud?
CISA240.24 (b) Evaluated whether the information obtained from the other risk assessment procedures and related activities performed, indicates that one or more fraud risk factors are present? Note: While fraud risk factors may not necessarily indicate the existence of fraud, they have often been present in circumstances where frauds have
CISA240.A27
34 Updated May 2012
occurred and therefore may indicate risks of material misstatement due to fraud.
25. To the extent appropriate for this client,:
CISA315.12 (a) Has the Engagement Partner obtained an understanding of internal control relevant to the audit? Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit.
CISA315.A45& CISA315.A49
CISA315.13 When obtaining an understanding of controls that are relevant to the audit, did the auditor evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel?
26.
CISA315.14 The Engagement Partner shall obtain an understanding of the control environment. As part of obtaining this understanding, has the auditor evaluated whether:
(a) Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behaviour?
(b) The strengths in the control environment elements collectively provide an appropriate
35 Updated May 2012
foundation for the other components of internal control, and whether those other components are not undermined by deficiencies in the control environment?
27. CISA315.15to
CISA315.17
Risk Assessment Process If the entity has established such a process (referred to hereafter as the “entity’s risk assessment process”), the auditor shall obtain an understanding of it, and the results thereof. If the auditor identifies risks of material misstatement that management failed to identify, the auditor shall evaluate whether there was an underlying risk of a kind that the auditor expects would have been identified by the entity’s risk assessment process. If there is such a risk, the auditor shall obtain an understanding of why that process failed to identify it, and evaluate whether the process is appropriate to its circumstances or determine if there is a significant deficiency in internal control with regard to the entity’s risk assessment process. If the entity has not established such a process or has an ad hoc process, the auditor shall discuss with management whether business risks relevant to financial reporting objectives have been identified and how they have been addressed. The auditor shall evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances, or determine whether it represents a significant deficiency in internal control. As par of the evaluation process, has the Engagement Partner:
Obtained an understanding of the entity’s processes for:
CISA315.A80
(a) Identifying business risks relevant to financial reporting objectives?
(b) Estimating the significance of the risks?
(c) Assessing the likelihood of their occurrence?
(d) Deciding about actions to address those risks?
36 Updated May 2012
28. CISA315.18 Obtained an understanding of the information
system, including the related business processes, relevant to financial reporting, including the following areas:
CISA315.A85
(a) The classes of transactions in the entity’s operations that are significant to the financial statements?
(b) The procedures, within both information technology (IT) and manual systems, by which those transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements?
(c) The related accounting records, supporting information and specific accounts in the financial statements that are used to initiate, record, process and report transactions, including the correction of incorrect information and how information is transferred to the general ledger?
(d) How the information system captures events and conditions, other than transactions, that are significant to the financial statements (e.g. impairment of assets)?
(e) The financial reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures?
37 Updated May 2012
(f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual transactions or adjustments?
29. CISA315.19 Has the auditor documented its understanding of how the entity communicates financial reporting roles and responsibilities and significant matters relating to financial reporting, including; (a) communications between management and those charged with governance; and (b) external communications, such as those with regulatory authorities?
CISA315.A87
30. Control activities relevant to the audit Has the auditor:
CISA315.20 Obtained and documented an understanding of control activities (policies and procedures that help ensure that management directives are carried out) relevant to the audit, being those the auditor judges it necessary to understand in order to assess the risks of material misstatement at the assertion level and if necessary designed further audit procedures responsive to assessed risks?
CISA315.A93& CISA315.94
CISA315.21 In understanding the entity’s control activities, obtained an understanding of how the entity has responded to risks arising from IT?
31 CISA315.22 Has the auditor obtained (and documented) an understanding of the major activities that the entity uses to monitor internal control over financial reporting, including those related to those control
CISA315.100
38 Updated May 2012
activities relevant to the audit, and how the entity initiates remedial actions to deficiencies in its controls?
32. CISA315.24 Did the auditor obtain an understanding of the sources of the information used in the entity’s monitoring activities, and the basis upon which management considers the information to be sufficiently reliable for the purpose?
33. CISA240.17 Has the auditor documented the inquiries made of management regarding:
(a) Management’s assessment of the risk that the financial statements may be materially misstated due to fraud, including the nature, extent and frequency of such assessments?
CISA240.A13
(b) Management’s process for identifying and responding to the risks of fraud in the entity, including any specific risks of fraud that management has identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of fraud is likely to exist?
(c) Management’s communication, if any, to those charged with governance regarding its processes for identifying and responding to the risks of fraud in the entity?
(d) Management’s communication, if any, to employees regarding its views on business practices and ethical behaviour?
39 Updated May 2012
34. CISA240.18 Has the auditor made inquiries of management, and others within the entity as appropriate, to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity?
35. CISA240.19 If the entity has an internal audit function, has the auditor made inquiries of internal audit to determine whether it has knowledge of any actual, suspected or alleged fraud affecting the entity, and to obtain its views about the risks of fraud?
CISA315.23 If the entity has an internal audit function, has the auditor obtained an understanding of the following in order to determine whether the internal audit function is likely to be relevant to the audit:
(a) The nature of the internal audit function’s responsibilities and how the internal audit function fits in the entity’s organizational structure
(b) The activities performed, or to be performed, by the internal audit function.
36. CISA240.20 Unless all of those charged with governance are involved in managing the entity, has the auditor:
CISA240.A21
(a) Obtained an understanding of how those charged with governance exercise oversight of management’s processes for identifying and responding to the risks of fraud in the entity and the internal control that management has established to mitigate these risks?
40 Updated May 2012
CISA240.21 (b) Made inquiries of those charged with governance to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity?
37. CISA315.25 Has the auditor identified and assessed the risks of material misstatement:
(a) At the financial statement level?
(b) At the assertion level for classes of transactions, account balances, and disclosures?
38. CISA550.18& CISA550.19
In performing the steps referred to in question 37 above, did the auditor include the risks of material misstatement associated with related party relationships and transactions and determine whether any of those risks are significant risks?
39. CISA315.6 Did the risk assessment procedures include:
(a) Inquiries of management and of others within the entity who in the auditor’s judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or error?
(b) Analytical procedures?
CISA315.A10
(c) Observation and inspection?
40. A315.7 Has the auditor considered whether information obtained from the clients acceptance or continuance process is relevant to identifying risks
41 Updated May 2012
of material misstatement?
41. CISA315.8 If the engagement partner has performed other engagements for the entity, has there been consideration of whether information obtained is relevant to identifying risks of material misstatement?
42. CISA540.8 to CISA540.11
Has the Engagement Parner considered the possibility of a material misstatement in an accounting estimate?
CISA540.A21& CISA540.A30
43. CISA315.26 & CISA240.25
For the purposes of the requirements of CISA315.25 did the Engagement Partner:
(a) Identify risks (including fraud) throughout the process of obtaining an understanding of the entity and its environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, and disclosures in the financial statements?
(b) Assess the identified risks, and evaluate whether they relate more pervasively to the financial statements as a whole and potentially affect many assertions?
(c) Relate the identified risks to what can go wrong at the assertion level, taking account of relevant controls that the auditor intends to test?
(d) Consider the likelihood of misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is of a magnitude that could result in a material
42 Updated May 2012
misstatement?
44. CISA240.26 Has the Engagement Partner when identifying and assessing the risks of material misstatement due to fraud, based on a presumption that there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to such risks?
45. CISA315.32 Were the matters detailed above documented?
CISA315.A131
46. CISA240.47 If the auditor concluded that the presumption that there is a risk of material misstatement due to fraud related to revenue recognition is not applicable in the circumstances of the engagement, were the reasons for that conclusion documented?
47. CISA315.27 & CISA315.28
Has the Engagement Partner, as part of the risk assessment as in CISA315.25, determined and documented whether any of the risks identified are, in the Partners judgment, a significant risk (excluding the effects of identified controls related to the risk)? In exercising judgment as to which risks are significant risks, the Engagement Partner should consider at least the following: (a) Whether the risk is a risk of fraud; (b) Whether the risk is related to recent significant economic, accounting or other developments and, therefore, requires specific attention; (c) The complexity of transactions;
43 Updated May 2012
(d) Whether the risk involves significant transactions with related parties; (e) The degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and (f) Whether the risk involves significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual.
48. CISA315.29 If the Engagement Partner has determined that a significant risk existed did the Partner obtain and document an understanding of the entity’s controls, including control activities, relevant to that risk?
49. CISA240.27 Did the auditor treat those assessed risks of material misstatement due to fraud as significant risks?
50. CISA315.30 In respect of some risks, the auditor may judge that it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to the inaccurate or incomplete recording of routine and significant classes of transactions or account balances, the characteristics of which often permit highly automated processing with little or no manual intervention. In such cases, the entity’s controls over such risks are relevant to the audit. Has the Engagement Partner (in respect of the
44 Updated May 2012
above) obtained an understanding of them?
51. CISA315 & CISA240 &
As part of the risk assessment procedures have significant audit risks been identified and documented?
CISA330.15 If the Engagement Partner plans to rely on controls over a risk that has been determined to be a significant risk, has the Engagement Partner ensured that those controls have been tested in the current period? Or
CISA330.21 Planned substantive procedures that are specifically responsive to that risk?
45 Updated May 2012
D. AUDIT EVIDENCE No. Reference Question Small Entities Reviewer comments
52. CISA230.7 & CISA230.14 to CISA230.16
Was the engagement file(s) compiled on a timely basis (ordinarily completed not more than 60 days after the date of the auditor’s report)?
53. CISA230.8 Has the audit documentation that has been prepared sufficient to enable an experienced auditor, having no previous connection with the audit, to understand:
CISA230.A16&CISA230.A17
(a) The nature, timing and extent of the audit procedures performed to comply with the ISA’s and applicable legal and regulatory requirements?
(b) The results of the audit procedures performed, and the audit evidence obtained? and
(c) Significant matters arising during the audit, the conclusions reached thereon, and significant professional judgments made in reaching those conclusions?
54. Review a significant Audit Risk Select one significant audit risk (or if none, select a material account) and review this area in detail: Area Selected: (a) Was the audit conducted in accordance with
the audit strategy and the audit plan?
(b) Are the steps in the audit program signed off?
46 Updated May 2012
No. Reference Question Small Entities Reviewer comments (c) Does it appear that changes were made to
the audit strategy and/or audit plan during the audit where appropriate?
(d) Are working papers adequate? Consider the following:
Indexing Cross-referencing Initials Dating Sources of information indicated The meaning of tick marks included The purpose of client prepared schedules
indicated
(e) Can you trace the amounts from the audited lead schedules or equivalent to the financial report?
55. CISA560.6 & CISA560.7
Is there evidence that the auditor performed audit procedures designed to obtain sufficient and appropriate audit evidence that all events occurring between the date of the financial statements and the date of the auditor’s report that require adjustment of, or disclosure in, the financial statements were identified?
56. CISA500.6 The Enagement Partner shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence. In designing the audit procedures;
47 Updated May 2012
No. Reference Question Small Entities Reviewer comments CISA500.7 Did the auditor shall consider the relevance and
reliability of the information to be used as audit evidence?
CISA500.8 If information to be used as audit evidence has been prepared using the work of a management’s expert, did the auditor to the extent necessary, having regard to the significance of that expert’s work for the auditor’s purposes? And
(a) Evaluate the competence, capabilities and objectivity of that expert?
(b) Obtain an understanding of the work of that expert?
(c) Evaluate the appropriateness of that expert’s work as audit evidence for the relevant assertion?
CISA500.9 Where the firm has used information produced by the entity for performing audit procedures, did the auditor evaluate whether the information is sufficiently reliable for the auditor’s purposes, including as necessary in the circumstances:
(a) Obtaining audit evidence about the accuracy and completeness of the information? and
(b) Evaluating whether the information is sufficiently precise and detailed for the auditor’s purposes?
48 Updated May 2012
No. Reference Question Small Entities Reviewer comments 57 CISA610.8 to
CISA610.12
Internal Audit If the client has an internal audit function did the Engagement Partner: Consider whether the work of the internal auditors is likely to be adequate for purposes of the audit; and if so, the planned effect of the work of the internal auditors on the nature, timing or extent of the external auditor’s procedures? Also consider: (a) The objectivity of the internal audit function; (b) The technical competence of the internal auditors; (c) Whether the work of the internal auditors is likely to be carried out with due professional care; and (d) Whether there is likely to be effective communication between the internal auditors and the external auditor
CISA610.13 If the Engagement Partner used specific work of the internal auditors, does the audit documentation include the conclusions reached regarding the evaluation of the adequacy of the work of the internal auditors, and the audit procedures performed by the Firm on that work?
58. CISA620.7 Did the auditor use the work of expert in a field other than accounting or auditing is to obtain sufficient appropriate audit evidence?
49 Updated May 2012
No. Reference Question Small Entities Reviewer comments CISA620.8 to CISA620.15
If you answered yes to the question in the above, did the auditor comply with the requirements of CISA620.8 to CISA620.15
Specific areas
59. CISA505.7 to CISA505.16
Have external confirmations been used by the auditor to verify relevant balances (e.g. receivables)? If yes, has the Engagement Partner maintained control over the external confirmation process?
If not was the auditor able to obtain sufficient relevant and reliable audit evidence from alternative audit procedures?
60. Inventory If inventory is material to the financial statements, did the auditor:
CISA501.4 (a) Obtain sufficient appropriate audit evidence regarding the existence and condition of inventory by attending at physical inventory counting?
(b) Perform audit procedures over the entity’s final inventory records to determine whether they accurately reflect actual inventory count results?
CISA501.5 If physical inventory counting was conducted at a date other than the date of the financial statements, did the auditor in addition to the procedures in question (a) above perform audit procedures to obtain audit evidence about whether changes in inventory between the count date and the date of
50 Updated May 2012
No. Reference Question Small Entities Reviewer comments the financial statements are properly recorded?
CISA501.6 & CISA501.7
If the auditor was unable to attend physical inventory counting, did the auditor make or observe some physical counts on an alternative date, and perform audit procedures on intervening transactions? If attendance at physical inventory counting is impracticable, the auditor shall perform alternative audit procedures to obtain sufficient appropriate audit evidence regarding the existence and condition of inventory. Note: If it is not possible to do so, the auditor shall modify the opinion in the auditor’s report in accordance with ISA 705.
CISA501.8 If inventory under the custody and control of a third party is material to the financial statements, did the auditor obtain sufficient appropriate audit evidence regarding the existence and condition of that inventory by performing one or both of the following:
i. Request confirmation from the third party as to the quantities and condition of inventory held on behalf of the entity
ii. Perform inspection or other audit procedures appropriate in the circumstances?
51 Updated May 2012
No. Reference Question Small Entities Reviewer comments 61. CISA250.18 to
CISA250.28 Laws & Regulations Did the auditor:
CISA250.13 Obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements?
CISA250.14 Perform the following audit procedures to help identify instances of non-compliance with other laws and regulations that may have a material effect on the financial statements:
(a) Inquire of management and, where appropriate, those charged with governance, as to whether the entity complied with such laws and regulations
(b) Inspect correspondence, if any, with the relevant licensing or regulatory authorities?
62. CISA501.9 Did the auditor design and perform audit procedures in order to identify litigation and claims involving the entity which may give rise to a risk of material misstatement, including:
(a) Inquiry of management and, where applicable, others within the entity, including in-house legal counsel;
(b) Reviewing minutes of meetings of those charged with governance and correspondence between the
52 Updated May 2012
No. Reference Question Small Entities Reviewer comments entity and its external legal counsel; and (c) Reviewing legal expense accounts?
CISA501.10 If the auditor assessed a risk of material misstatement regarding litigation or claims that have been identified, or when audit procedures performed indicate that other material litigation or claims may exist, did the auditor seek direct communication with the entity’s external legal counsel through a letter of inquiry, prepared by management and sent by the auditor, requesting the entity’s external legal counsel to communicate directly with the auditor? Note: If law, regulation or the respective legal professional body prohibits the entity’s external legal counsel from communicating directly with the auditor, the auditor shall perform alternative audit procedures.
CISA501.12 Did the auditor request management and, if appropriate, those charged with governance to provide written representations that all known actual or possible litigation and claims whose effects should be considered when preparing the financial statements have been disclosed to the auditor and accounted for and disclosed in accordance with the applicable financial reporting framework?
53 Updated May 2012
No. Reference Question Small Entities Reviewer comments 63. CISA501.13 Did the auditor obtain sufficient appropriate audit evidence regarding the presentation and disclosure of segment
information in accordance with the applicable financial reporting framework by: (a) Obtaining an understanding of the methods used by management in determining segment information, and:
i) Evaluating whether such methods are likely to result in disclosure in accordance with the applicable financial reporting framework; and
ii) Where appropriate, testing the application of such methods; and
(b) Performing analytical procedures or other audit procedures appropriate in the circumstances?
64. CISA550.11 Has the auditor performed the audit procedures and related activities set out below to obtain information relevant to identifying the risks of material misstatement associated with related party relationships and transactions:
CISA550.12 The engagement team discussion that CISA 315 and CISA 240 required (question 15) included specific consideration of the susceptibility of the financial statements to material misstatement due to fraud or error that could result from the entity’s related party relationships and transactions?
CISA550.13 Inquiries of management regarding:
i) The identity of the entity’s related parties, including changes from the prior period;
ii) The nature of the relationships between the entity and these related parties; and
54 Updated May 2012
No. Reference Question Small Entities Reviewer comments iii) Whether the entity entered into any
transactions with these related parties during the period and, if so, the type and purpose of the transactions?
CISA550.14 Inquire of management and others within the
entity, and perform other risk assessment procedures considered appropriate, to obtain an understanding of the controls, if any, that management has established to
i) Identify, account for, and disclose related party relationships and transactions in accordance with the applicable financial reporting framework;
ii) Authorize and approve significant transactions and arrangements with related parties; and
iii) Authorize and approve significant transactions and arrangements outside the normal course of business.
CISA550.A20
CISA550.15 Inspected the following for indications of the existence of related party relationships or transactions that management has not previously identified or disclosed to the auditor:
i) Bank and legal confirmations obtained as part of the auditor’s procedures;
ii) Minutes of meetings of shareholders and of those charged with governance; and
iii) Such other records or documents as the auditor considers necessary in the
55 Updated May 2012
No. Reference Question Small Entities Reviewer comments circumstances of the entity?
CISA550.16 If the auditor identified significant transactions
outside the entity’s normal course of business when performing the audit procedures referred to in the previous question or through other audit procedures, inquiries of management about:
i) The nature of these transactions; and ii) Whether related parties could be involved?
CISA550.17 Shared relevant information obtained about the entity’s related parties with the other members of the engagement team?
65. Representations Did the auditor request written representations from management with appropriate responsibilities for the financial statements and knowledge of the matters concerned that:
CISA580.10 They have fulfilled its responsibility for the preparation of the financial statements in accordance with the applicable financial reporting framework, including where relevant their fair presentation, as set out in the terms of the audit engagement?
CISA580.11 The auditor shall request management to provide a written representation that:
(a) They have provided the auditor with all relevant information and access as agreed in the terms of the audit engagement?
56 Updated May 2012
No. Reference Question Small Entities Reviewer comments (b) All transactions have been recorded and are
reflected in the financial statements?
(c) All transactions have been recorded and are reflected in the financial statements
CISA240.39 The auditor shall obtain written representations from management and, where appropriate, those charged with governance that they; (a) acknowledge their responsibility for the
design, implementation and maintenance of internal control to prevent and detect fraud;
(b) have disclosed to the auditor the results of management’s assessment of the risk that the financial statements may be materially misstated as a result of fraud;
(c) have disclosed to the auditor their knowledge of fraud or suspected fraud affecting the entity involving: Management; Employees who have significant roles in internal control; or Others where the fraud could have a material effect on the financial statements; and
(d) They have disclosed to the auditor their knowledge of any allegations of fraud, or suspected fraud, affecting the entity’s financial statements communicated by employees, former employees, analysts, regulators or others?
CISA250.16 All known instances of non-compliance or suspected non-compliance with laws and regulations whose effects should be considered
57 Updated May 2012
No. Reference Question Small Entities Reviewer comments when preparing financial statements have been disclosed to the auditor?
CISA540.22 They believe significant assumptions used in making accounting estimates are reasonable?
CISA550.26 If the applicable financial reporting framework established related party requirements, that (a) They have disclosed to the auditor the
identity of the entity’s related parties and all the related party relationships and transactions of which they are aware; and
(b) They have appropriately accounted for and disclosed such relationships and transactions in accordance with the requirements of the framework?
CISA560.9 All events occurring subsequent to the date of the financial statements and for which the applicable financial reporting framework requires adjustment or disclosure have been adjusted or disclosed?
66. Audit Documentation Has the Engagement Partner as part of the Audit programme:
CISA540.12 to CISA540.17 & CISA540.21
Evaluate, based on the audit evidence, whether the accounting estimates in the financial statements are either reasonable in the context of the applicable financial reporting framework, or are misstated?
CISA540.19 & CISA540.20
Obtain sufficient appropriate audit evidence about whether the disclosures in the financial statements
58 Updated May 2012
No. Reference Question Small Entities Reviewer comments related to accounting estimates are in accordance with the requirements of the applicable financial reporting framework?
CISA540.23 Document the basis for conclusions about the reasonableness of accounting estimates and their disclosure that give rise to significant risks and indicators of possible management bias?
67. CISA540.13 to CISA540.15
Did the auditor test how management made fair value accounting estimates and the data on which it is based?
CISA540.A67&CISA540.A70&CISA540.A86&CISA540.A106&CISA540.A108
68. Material Misstatements Has the Engagement Partner:
CISA330.5 & CISA240.45 & CISA550.20 to CISA550.24
Designed and implemented overall responses to address the assessed risks of material misstatement at the financial statement level?
CISA540.A41
CISA330.6 & CISA240.30 & CISA550.20 to CISA550.24
Design and perform further audit procedures whose nature, timing, and extent are based on and are responsive to the assessed risks of material misstatement at the assertion level?
CISA540.A41
69. CISA240.32 Irrespective of the auditor’s assessment of the risks of management override of controls, did the auditor design and perform audit procedures to test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements
59 Updated May 2012
No. Reference Question Small Entities Reviewer comments If the auditor identified significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual given the auditor’s understanding of the entity and its environment and other information obtained during the audit, did the auditor evaluate whether the business rationale (or the lack thereof) of the transactions suggests that they may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets?
70. CISA330.18 & CISA330.19 & CISA520.5
Irrespective of the assessed risks of material misstatement, did the auditor design and perform substantive procedures for each material class of transactions, account balance, and disclosure?
71. CISA330.22 If substantive procedures were performed at an interim date, did the auditor cover the remaining period by performing:
substantive procedures, combined with tests of controls for the intervening period; or
if the auditor determined that it was sufficient, further substantive procedures only,
that provide a reasonable basis for extending the audit conclusions from the interim date to the period end?
72. CISA330.8 Has the auditor designed and performed tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls where:
60 Updated May 2012
No. Reference Question Small Entities Reviewer comments (a) The auditor’s assessment of risks of
material misstatement at the assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures); or
(b) Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level.
CISA330.10 In designing and performing tests of controls, did the auditor perform other audit procedures in combination with inquiry to obtain audit evidence about the operating effectiveness of the controls, including:
(i) How the controls were applied at relevant times during the period under audit?
(ii) The consistency with which they were applied?
(iii) By whom or by what means they were applied?
Did the Engagement Partner determine whether the controls to be tested depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain audit evidence supporting the effective operation of those indirect controls?
73 CISA330.12 If the auditor obtained audit evidence about the operating effectiveness of controls during an interim period, did the auditor: (a) Obtain audit evidence about significant
61 Updated May 2012
No. Reference Question Small Entities Reviewer comments changes to those controls subsequent to the interim period; and
(b) Determine the additional audit evidence to be obtained for the remaining period?
74 CISA330.13 Has the Engagement Partner in determining whether it is appropriate to rely on audit evidence about the operating
effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a control considered:
(a) The effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of controls, and the entity’s risk assessment process;
(b) The risks arising from the characteristics of the control, including whether it is manual or automated;
(c) The effectiveness of general IT controls; (d) The effectiveness of the control and its
application by the entity, including the nature and extent of deviations in the application of the control noted in previous audits, and whether there have been personnel changes that significantly affect the application of the control;
(e) Whether the lack of a change in a particular control poses a risk due to changing circumstances; and
(f) The risks of material misstatement and the extent of reliance on the control.
CISA330.14 Did the auditor determine whether it was appropriate to use audit evidence about the
62 Updated May 2012
No. Reference Question Small Entities Reviewer comments operating effectiveness of controls obtained in previous audits, and, if so, the length of the time period that may elapse before retesting a control? If the auditor used audit evidence from a previous audit about the operating effectiveness of specific controls, did the auditor establish the continuing relevance of that evidence by obtaining audit evidence about whether significant changes in those controls have occurred subsequent to the previous audit?
75. Sample Design, Size, and Selection of Items for Testing Did the auditor:
CISA530.6 When designing audit samples, consider the purpose of the audit procedure and the characteristics of the population from which the sample will be drawn?
CISA530.7 In determining sample sizes consider whether sampling risk was reduced to an acceptably low level?
CISA530.8 Select items for the sample in such a way that each sampling unit in the population has a chance of selection?
CISA530.14 For tests of details, project misstatements found in the sample to the population?
63 Updated May 2012
No. Reference Question Small Entities Reviewer comments CISA530.15 Evaluate the results of the sample and whether the
use of audit sampling has provided a reasonable basis for conclusions about the population that has been tested?
76. ISA230.9 In documenting audit procedures performed, did the auditor record:
(a) The identifying characteristics of the specific items or matters tested (e.g. document numbers)?
(b) Who performed the audit work and the date such work was completed?
(c) Who reviewed the audit work performed and the date and extent of such review?
77. CISA510.5 to CISA510.13
If this was an initial audit engagement, did the auditor conduct the audit procedures in respect of opening balances, consistency of accounting policies and information included in predecessor auditor’s report as required by CISA510?
64 Updated May 2012
ASSESSMENT OF AUDIT EVIDENCE
No. Reference Question Small Entities Reviewers comments Audit Documentation Audit documentation serves a number of additional purposes, including the following: • Assisting the engagement team to plan and perform the audit. • Assisting members of the engagement team responsible for supervision to direct and supervise the audit work, and to discharge their review responsibilities in accordance with ISA 220. • Enabling the engagement team to be accountable for its work. • Retaining a record of matters of continuing significance to future audits. • Enabling the conduct of quality control reviews and inspections in accordance with ISQC 1 or national requirements that are at least as demanding. • Enabling the conduct of external inspections in accordance with applicable legal, regulatory or other requirements. The Engagement Partner in the audit process must prepare documentation that provides: (a) A sufficient and appropriate record of the basis for the auditor’s report; and (b) Evidence that the audit was planned and performed in accordance with ISAs and applicable legal and regulatory requirements. 78 CISA230.8 Is the audit documentation sufficient to enable an experienced auditor, having no previous connection with the audit,
to understand:
(a) The nature, timing and extent of the audit procedures performed to comply with the ISAs and applicable legal and regulatory requirements?
(b) The results of the audit procedures performed, and the audit evidence obtained?
65 Updated May 2012
No. Reference Question Small Entities Reviewers comments (c) Significant matters arising during the audit,
the conclusions reached thereon, and significant professional judgments made in reaching those conclusions?
79 CISA550.28 Does the audit documentation include the names of the identified related parties and the nature of the related party relationships?
80 CISA330.20 The auditor’s substantive procedures shall include audit procedures related to the financial statement closing process. Is there evidence that the auditor:
(a) Agreed or reconciled the financial statements with the underlying accounting records?
(b) Examined material journal entries and other adjustments made during the course of preparing the financial statements?
CISA240.32 (c) Review accounting estimates for biases and evaluate whether the circumstances producing the bias, if any, represent a risk of material misstatement due to fraud
81 CISA330.24 Did the auditor perform audit procedures to evaluate whether the overall presentation of the financial statements, including the related disclosures, is in accordance with the applicable financial reporting framework?
82 In assessing and addressing misstatements, did the Engagement Partner;
66 Updated May 2012
No. Reference Question Small Entities Reviewers comments CISA450.5 (a) Accumulate misstatements identified during
the audit, other than those that were clearly trivial (and document the amount which would be regarded as clearly trivial)?
CISA450.15 In determining these errors the auditor shall include in the audit documentation: (a) The amount below which misstatements
would be regarded as clearly trivial; (b) All misstatements accumulated during the
audit and whether they have been corrected; and
(c) The auditor’s conclusion as to whether uncorrected misstatements are material, individually or in aggregate, and the basis for that conclusion
Did the Engagement Partner ensure that the above were completed?
CISA450.6 & CISA450.7
Did the Engagement Partner determine whether the overall audit strategy and audit plan needed to be revised if: (a) The nature of identified misstatements and
the circumstances of their occurrence indicate that other misstatements may exist that, when aggregated with misstatements accumulated during the audit, could be material; or
(b) The aggregate of misstatements accumulated during the audit approaches materiality determined in accordance with ISA 320.
67 Updated May 2012
No. Reference Question Small Entities Reviewers comments CISA450.8 & CISA450.9
Did the Engagement Partner request management correct those misstatements? If management refuses to correct some or all of the misstatements, did the auditor obtain an understanding of management’s reasons for not making the corrections and take that understanding into account when evaluating whether the financial statements as a whole are free from material misstatement?
CISA450.10 CISA450.15
Prior to evaluating the effect of uncorrected misstatements, has the auditor reassessed materiality that was determined in accordance with ISA 320 to confirm that it remains appropriate in the context of the entity’s actual financial results?
83. CISA450.11 Following on from the reassessment, has the auditor determined whether uncorrected misstatements are material either individually or in aggregate and document the basis for that conclusion? In making this determination, the auditor should consider: (a) The size and nature of the misstatements,
both in relation to particular classes of transactions, account balances or disclosures and the financial statements as a whole, and the particular circumstances of their occurrence; and
(b) The effect of uncorrected misstatements related to prior periods on the relevant
68 Updated May 2012
No. Reference Question Small Entities Reviewers comments classes of transactions, account balances or disclosures, and the financial statements as a whole
84. CISA450.14 In assessing the overall impact misstatements on the financial statements, did the auditor:
Request a written representation from management as to whether they believe the effects of uncorrected misstatements are immaterial, individually and in aggregate, to the financial statements as a whole?
Note: A summary of such items shall be included in or attached to the written representation.
CISA240.35& CISA240.36
Consider whether circumstances or conditions indicate possible fraud, or collusion involving employees, management or third parties when reconsidering the reliability of evidence previously obtained?
CISA450.12 & CISA450.13
Communicate with those charged with governance uncorrected misstatements and the effect that they, individually or in aggregate, may have on the opinion in the auditor’s report and request they be corrected? Note: The auditor’s communication shall identify material uncorrected misstatements individually. Additionally, the auditor shall also communicate with those charged with governance the effect of uncorrected misstatements related to prior periods
69 Updated May 2012
No. Reference Question Small Entities Reviewers comments on the relevant classes of transactions, account balances or disclosures, and the financial statements as a whole
85. CISA570.10 to CISA570.12 & CISA570.24
Did the auditor evaluate (and document) management’s assessment of the entity’s ability to continue as a going concern?
CISA570.A4& CISA570.A5 CISA570.A11& CISA570.A12
86. Did the auditor:
CISA520.6 Perform analytical procedures near the end of the audit to assist when forming an overall conclusion as to whether the financial statements are consistent with the auditor’s understanding of the entity?
CISA240.34 Evaluate whether the analytical procedures referred to above indicate a previously unrecognized risk of material misstatement due to fraud?
87. CISA220.15 Does it appear that the engagement partner took responsibility for the direction, supervision and performance of the audit engagement in compliance with professional standards and applicable legal and regulatory requirements?
88 Select one significant audit risk (or if none, select a material account) and review this area in detail Audit area selected for detailed review:
(a) Were audit assertions at risk identified and were substantive procedures performed that were responsive to that risk?
70 Updated May 2012
No. Reference Question Small Entities Reviewers comments (b) Was there an appropriate review of the
information system and related internal controls?
(c) Were tests performed to ensure controls related to the significant audit risk had been implemented?
(d) Was the extent of reliance on controls to reduce substantive testing appropriate under the circumstances?
(e) Were the substantive audit procedures selected efficient?
(f) Was appropriate use made of computer audit specialists in the evaluation of controls?
(g) Were the results from computer audit testing incorporated into the audit files?
(h) Do the work papers adequately document the work performed and the conclusions reached?
(i) Do the work papers adequately document the resolution of all significant issues?
(j) Were any errors or weaknesses found dealt with appropriately, given their impact on
Audit strategy/plan and risk assessment?
Audit scope?
71 Updated May 2012
No. Reference Question Small Entities Reviewers comments
Extent of testing? Assessment of misstatements?
89 Internal Controls
The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control. The auditor may identify deficiencies in internal control not only during this risk assessment process but also at any other stage of the audit. ISA265 specifies which identified deficiencies the auditor is required to communicate to those charged with governance and management. The Engagement Partner should communicate appropriately to those charged with governance and management, deficiencies in internal control that have been identified during the audit and that, in the Partners professional judgment, are of sufficient importance to merit their respective attention.
CISA265.7 & CISA265.8
The auditor shall determine whether, on the basis of the audit work performed, one or more deficiencies in internal control exists. The auditor must then assess whether, on the basis of the audit work performed, individually or in combination, they constitute significant deficiencies.
CISA265.A3 & CISA265.A4
If any significant deficiencies in internal control were identified on the basis of the audit work performed, did the auditor:
CISA265.9 Communicate them in writing to those charged with governance on a timely basis?
CISA265.A18
72 Updated May 2012
No. Reference Question Small Entities Reviewers comments CISA265.10 Communicate to management at an appropriate
level of responsibility on a timely basis: (a) In writing, significant deficiencies in
internal control that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances; and
(b) Other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention?
CISA265.11 Did any written communication of significant deficiencies in internal control include:
(a) A description of the deficiencies and an
explanation of their potential effects; and (b) Sufficient information to enable those
charged with governance and management to understand the context of the communication including in particular, an explanation that:
The purpose of the audit was for the auditor to express an opinion on the financial statements;
The audit included consideration of internal control relevant to the preparation of the financial
73 Updated May 2012
No. Reference Question Small Entities Reviewers comments statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control; and
The matters being reported are limited to those deficiencies that the auditor has identified during the audit and that the auditor has concluded are of sufficient importance to merit being reported to those charged with governance?
74 Updated May 2012
E. REPORTING
No. Reference Question Small Entities Reviewers comments 90. Reporting
Is there evidence that on or before the date of the auditor’s report:
CISA220.16 to CISA220.17
That the engagement partner has performed a file review in accordance with the firm’s review policies and procedures? In performing the review of the audit documentation referred to above, and through discussion with the engagement team, is the Engagement Partner satisfied that sufficient appropriate audit evidence has been obtained to support the conclusions reached and for the auditor’s report to be issued?
CISA220.18 That the Engagement Partner has:
(a) Taken responsibility for the engagement team and undertaken appropriate consultation on difficult or contentious matters;
(b) Satisfied themselves that members of the engagement team have undertaken appropriate consultation during the course of the engagement, both within the engagement team and between the engagement team and others at the appropriate level within or outside the firm;
75 Updated May 2012
No. Reference Question Small Entities Reviewers comments (c) Is satisfied that the nature and scope of, and conclusions resulting from, such consultations are agreed with the party consulted; and
(d) Determined that conclusions resulting from such consultations have been implemented?
CISA220.19 If this engagement is an audit of the financial statements of a listed entity or another audit engagement for which the firm has determined that an engagement quality control review is required, that such a review occurred? Note: The audit report must not be dated prior to the engagement quality control review taking place.
CISA220.A29
CISA220.22 If differences of opinion arise within the engagement team, with those consulted or, where applicable, between the engagement partner and the engagement quality control reviewer, has the engagement team followed the firm’s policies and procedures for dealing with and resolving differences of opinion and is this documented appropriately?
CISA220.25 Has the Engagement Partner ensured that the audit documentation on file includes:
(a) Issues identified with respect to compliance with relevant ethical requirements and how they were resolved.
76 Updated May 2012
No. Reference Question Small Entities Reviewers comments (b) Conclusions on compliance with independence
requirements that apply to the audit engagement, and any relevant discussions with the firm that support these conclusions.
(c) Conclusions reached regarding the acceptance and continuance of client relationships and audit engagements.
(d) The nature and scope of, and conclusions resulting from, consultations undertaken during the course of the audit engagement.
91 SMO1.19 Other Regulatory Requirements
Did the financial statements comply with International Financial Reporting Standards?
If the type of entity being audited was subject to other mandatory reporting requirements (e.g. NBC requirements for banks), did those requirements impact on the answer to question (a) above?
LCA.9 Were the formal financial statements prepared in the Khmer language and Riels?
LCA.11 Were the financial statements prepared within 3 months following the close of the financial year?
If you answered no to the above question was authorisation received from MEF?
77 Updated May 2012
No. Reference Question Small Entities Reviewers comments 92 CISA700.10 The Engagement Partner must form an opinion on whether the financial statements are prepared, in all material
respects, in accordance with the applicable financial reporting framework In doing so did the auditor:
CISA700.11 & CISA700.26
(a) Base the audit report on audit evidence in the working papers?
CISA700.11 (b) conclude as to whether the audit obtained reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error taking into account: (i) A conclusion on whether sufficient
appropriate audit evidence has been obtained?
(ii) A conclusion on whether uncorrected misstatements are material, individually or in aggregate?
CISA700.12 Is there evidence that the Engagement Partner has performed an evaluation of whether the financial statements are prepared, in all material respects, in accordance with the requirements of the applicable financial reporting framework? Note: This evaluation shall include consideration of the qualitative aspects of the entity’s accounting practices, including indications of possible bias in management’s judgements
78 Updated May 2012
No. Reference Question Small Entities Reviewers comments CISA700.13 Specifically, the engagement partners shall evaluate whether, in view of the requirements of the applicable financial
reporting framework:
(a) The financial statements adequately disclose the significant accounting policies selected and applied;
(b) The accounting policies selected and applied are consistent with the applicable financial reporting framework and are appropriate;
(c) The accounting estimates made by management are reasonable;
(d) The information presented in the financial statements is relevant, reliable, comparable and understandable;
(e) The financial statements provide adequate disclosures to enable the intended users to understand the effect of material transactions and events on the information conveyed in the financial statements; and
(f) The terminology used in the financial statements, including the title of each financial statement, is appropriate?
CISA700.13 When the financial statements are prepared in accordance with a fair presentation framework, the evaluation required above shall also include whether the financial statements achieve fair presentation. The Engagement Partner’s evaluation as to whether the financial statements achieve fair presentation shall include consideration of:
79 Updated May 2012
No. Reference Question Small Entities Reviewers comments (a) The overall presentation, structure and
content of the financial statements; and
(b) Whether the financial statements, including the related notes, represent the underlying transactions and events in a manner that achieves fair presentation.
CISA700.15 & LCA.4
Does the audit file contain the Enagement Partners evaluation of whether the financial statements adequately refer to or describe the applicable financial reporting framework?
CISA710.7 to CISA710.19
Has the Engagement Partner determined whether the financial statements include the comparative information required by the applicable financial reporting framework and whether such information is appropriately classified? For this purpose, the auditor shall evaluate whether:
(a) The comparative information agrees with the amounts and other disclosures presented in the prior period or, when appropriate, have been restated; and
(b) The accounting policies reflected in the comparative information are consistent with those applied in the current period or, if there have been changes in accounting policies, whether those changes have been properly accounted for and adequately
80 Updated May 2012
No. Reference Question Small Entities Reviewers comments presented and disclosed.
CISA710.8 Has the Engagement Partner identified or become aware of a potential material misstatement in comparative information? If yes, has there been additional audit procedures performed as are necessary in 80 the circumstances to obtain sufficient appropriate audit evidence to determine whether a material misstatement exists and where necessary, make amendments to the prior periods financial statements?
CISA710.9 Was Representation gained from Management and those tasked with Governance for the restatements made?
CISA710.11
If the auditor’s report on the prior period, as previously issued, included a qualified opinion, a disclaimer of opinion, or an adverse opinion and the matter which gave rise to the modification is unresolved, the Engagement Partner shall modify the auditor’s opinion on the current period’s financial statements. In the Basis for Modification paragraph in the auditor’s report, has the Engagement Partner either:
(a) Refer to both the current period’s figures and the corresponding figures in the description of the matter giving rise to the modification when the effects or possible effects of the matter on the current period’s figures are material; or
81 Updated May 2012
No. Reference Question Small Entities Reviewers comments (b) In other cases, explain that the audit
opinion has been modified because of the effects or possible effects of the unresolved matter on the comparability of the current period’s figures and the corresponding figures?
CISA710.12
Has the Engagement Partner obtained any audit evidence that a material misstatement exists in the prior period financial statements on which an unmodified opinion has been previously issued, and the corresponding figures have not been properly restated or appropriate disclosures have not been made? If yes has the Enagement Partner expressed a qualified opinion or an adverse opinion in the auditor’s report on the current period financial statements, modified with respect to the corresponding figures included therein?
CISA710.14 If the prior period financial statements were not audited, has the Engagement Partner stated in an Other Matter paragraph in the auditor’s report that the corresponding figures are unaudited? Note: Such a statement does not, however, relieve the auditor of the requirement to obtain sufficient appropriate audit evidence that the opening balances do not contain misstatements that materially affect the current period’s financial statements.
82 Updated May 2012
No. Reference Question Small Entities Reviewers comments CISA550.25 Whether the identified related party relationships
and transactions have been appropriately accounted for and disclosed in accordance with the applicable financial reporting framework?
93. Audit Opinion/Report Does the audit report contain the following elements:
CISA700.21 A title that clearly indicates that it is the report of an independent auditor?
CISA700.22 Addressed as required by the circumstances of the engagement?
CISA700.23 An introductory paragraph that:
(a) Identifies the entity whose financial statements have been audited?
(b) States that the financial statements have been audited?
(c) Identifies the title of each statement that comprises the financial statements?
(d) Refers to the summary of significant accounting policies and other explanatory information? and
(e) Specifies the date or period covered by each financial statement comprising the financial statements?
CISA700.25 to CISA700.27
A section headed “Management (or Directors) Responsibility for the Financial Statements” that describes management’s responsibility for the preparation of the financial statements including an
83 Updated May 2012
No. Reference Question Small Entities Reviewers comments explanation that Management (or the Directors) are responsible for the preparation of the financial statements that give a true and fair view in accordance with the applicable financial reporting framework, and for such internal control as it determines is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error?
CISA700.28 A section headed “Auditor’s Responsibility” that:
CISA700.29 States that the responsibility of the auditor is to express an opinion on the financial statements based on the audit?
CISA700.30 States that the audit was conducted in accordance with International Standards on Auditing and explains that those standards require that the auditor comply with ethical requirements and that the auditor plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement?
CISA700.31 Has the Engagement Partner produced an audit report that describes an audit by stating that:
(a) An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements?
(b) The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements,
84 Updated May 2012
No. Reference Question Small Entities Reviewers comments whether due to fraud or error?
Note: In making those risk assessments, the auditor considers internal control relevant to the entity’s preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control?
(c) An audit also includes evaluating the appropriateness of the accounting policies used and the reasonableness of accounting estimates made by management, as well as the overall presentation of the financial statements?
CISA700.32 Refers to “the entity’s preparation of financial statements that give a true and fair view”?
CISA700.33 States whether the auditor believes that the audit evidence the auditor has obtained is sufficient and appropriate to provide a basis for the auditor’s opinion?
CISA700.34 & CISA700.35
A section headed “Opinion” that, in the case of an unmodified opinion states that “The financial statements give a true and fair view of (name of entity) in accordance with [the applicable financial reporting framework]?
CISA700.40 Contains the signature of the auditor
85 Updated May 2012
No. Reference Question Small Entities Reviewers comments CISA700.41 Dated (after the date of the audit working papers
and no earlier than the date on which the directors asserted that they have taken responsibility for those financial statements) appropriately?
CISA700.42 The location in the jurisdiction where the auditor practices?
94. CISA705 Did the auditor issue a modified opinion in the audit report?
(a) If you answered yes to the above question did the auditor comply with the requirements of CISA705
95. CISA706 Did the auditor include an “Emphasis of Matter” paragraph or an “Other Matter” paragraph in the audit report?
(a) If you answered yes to the above question did the auditor comply with the requirements of CISA706?
96. CISA720.6 to CISA720.8
If the document containing the containing the audited financial statements and the auditor’s report thereon also contains other information < Financial and non-financial information (other than the financial statements and the auditor’s report thereon)> did the auditor read that other information to identify material inconsistencies (if any) with the audited financial statements?
CISA720.A23
86 Updated May 2012
No. Reference Question Small Entities Reviewers comments CISA720.9 to CISA720.10
Material Inconsistencies Identified in Other Information Obtained Prior to the Date of the Auditor’s Report If a revision of the audited financial statements is necessary and management refuses to make the revision, has the Engagement Partner modified the opinion in the auditor’s report in accordance with ISA 705?
If revision of the other information is necessary and management refuses to make the revision, has the Engagement Partner communicated this to those charged with governance, unless all of those charged with governance are involved in managing the entity? and (a) Included in the auditor’s report an Other
Matter paragraph describing the material inconsistency in accordance with ISA 706; or
(b) Withheld the auditor’s report; or (c) Withdrawn from the engagement, where
withdrawal is possible under applicable law or regulation?
97 CISA720.11 to CISA720.13
Material Inconsistencies Identified in Other Information Obtained Subsequent to the Date of the Auditor’s Report If revision of the audited financial statements is necessary, has the Engagment Partner followed the relevant requirements in ISA 560?
If revision of the other information is necessary and management agrees to make the revision, has the Engagement Partner carried out the procedures
87 Updated May 2012
No. Reference Question Small Entities Reviewers comments necessary under the circumstances? Note: When management agrees to revise the other information, the auditor’s procedures should include reviewing the steps taken by management to ensure that individuals in receipt of the previously issued financial statements, and the associated auditor’s report, and the other information are informed of the revision. If revision of the other information is necessary, but management refuses to make the revision, has the Engagement Partner notified those charged with governance, unless all of those charged with governance are involved in managing the entity, of the concern regarding the other information and take any further appropriate action?
98. CISA720.14 to CISA720.16
Material Misstatements of Fact
If, on reading the other information for the purpose of identifying material inconsistencies, the auditor becomes aware of an apparent material misstatement of fact, this must be discussed with management. If, following such discussions, the auditor still considers that there is an apparent material misstatement of fact, the auditor shall request management to consult with a qualified third party, such as the entity’s legal counsel, and the auditor shall consider the advice received.
88 Updated May 2012
No. Reference Question Small Entities Reviewers comments If the auditor concludes that there is a material misstatement of fact in the other information which management refuses to correct, the auditor shall notify those charged with governance, unless all of those charged with governance are involved in managing the entity, of the auditor’s concern regarding the other information and take any further appropriate action.
99 CISA260.16 Did the Engagement Partner ensure that there was communication with those charged with governance any matters in relation to:
(a) The auditor’s views about significant qualitative aspects of the entity’s accounting practices, including accounting policies, accounting estimates and financial statement disclosures. When applicable, the auditor shall explain to those charged with governance why the auditor considers a significant accounting practice that is acceptable under the applicable financial reporting framework, not to be most appropriate to the particular circumstances of the entity?
(b) Significant difficulties, if any, encountered during the audit?
(c) Unless all of those charged with governance are involved in managing the entity:
i. Significant matters, if any, arising from the audit that were discussed, or
89 Updated May 2012
No. Reference Question Small Entities Reviewers comments subject to correspondence with management? and
ii. Written representations the auditor is requesting?
(d) Other matters, if any, arising from the audit that, in the auditor’s professional judgment, are significant to the oversight of the financial reporting process?
100 CISA260.19 to CISA260.23
The auditor shall communicate in writing with those charged with governance regarding significant findings from the audit if, in the auditor’s professional judgment, oral communication would not be adequate. Written communications need not include all matters that arose during the course of the audit.
(a) If any of the above matters were communicated orally, was this documented?
Note: Where matters required by this ISA to be communicated are communicated orally, the auditor shall include them in the audit documentation, and when and to whom they were communicated. Where matters have been communicated in writing, the auditor shall retain a copy of the communication as part of the audit documentation.
90 Updated May 2012
F. GROUP ENGAGEMENTS
No. Reference Question Small Entities Reviewers comments 101 CISA600.12 &
CISA600.13 Acceptance and Continuance In applying ISA 220:
(a) Did the group engagement team obtain an understanding of the group, its components, and their environments that is sufficient to identify components that are likely to be significant components?
(b) Where component auditors will perform work on the financial information of such components, did the group engagement partner evaluate whether the group engagement team will be able to be involved in the work of those component auditors to the extent necessary to obtain sufficient appropriate audit evidence?
102 CISA600.14 Did the group engagement partner agree on the terms of the group audit engagement in accordance with CISA 210?
103 CISA600.15 Did the group engagement team establish an overall group audit strategy and develop a group audit plan in accordance with CISA 300?
104 CISA600.16 Did the group engagement partner review the overall group audit strategy and group audit plan?
105 CISA600.17 Did the group engagement team:
91 Updated May 2012
No. Reference Question Small Entities Reviewers comments (a) Demonstrate an understanding of the group, its
components, and their environments, including group-wide controls, obtained during the acceptance or continuance stage?
(b) Demonstrate and obtain an understanding of the consolidation process, including the instructions issued by group management to components?
Has the group engagement team obtained an understanding that is sufficient to:
(a) Confirm or revise its initial identification of components that are likely to be significant; and
(b) Assess the risks of material misstatement of the group financial statements, whether due to fraud or error?
CISA600.24 & CISA600.25
Did the Engagement Partner determine the type of work to be performed by the group engagement team, or the component auditors on its behalf, on the financial information of the components and the nature, timing and extent of its involvement in the work of the component auditors? Note: If the nature, timing and extent of the work to be performed on the consolidation process or the financial information of the components are based on an expectation that group-wide controls are operating effectively, or if substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level, the group engagement team shall test, or request a component auditor to test, the operating effectiveness of those controls
107 CISA600.26 If a component is significant:
92 Updated May 2012
No. Reference Question Small Entities Reviewers comments Due to its individual financial significance to the group, did the group engagement team, or a component auditor on its behalf, perform an audit of the financial information of the component using component materiality?
CISA600.27 Because it is likely to include significant risks of material misstatement of the group financial statements due to its specific nature or circumstances, did the group engagement team, or a component auditor on its behalf, perform one or more of the following:
(a) An audit of the financial information of the component using component materiality.
(b) An audit of one or more account balances, classes of transactions or disclosures relating to the likely significant risks of material misstatement of the group financial statements
(c) Specified audit procedures relating to the likely significant risks of material misstatement of the group financial statements?
108 CISA600.28 For components that are not significant components, did the group engagement team perform analytical procedures at group level?
109 CISA600.29 If the Engagement Partner of the group engagement team does not consider that sufficient appropriate audit evidence on which to base the group audit opinion will be obtained from:
(a) the work performed on the financial information of significant components;
(b) the work performed on group-wide controls and the consolidation process; and
(c) the analytical procedures performed at group level, then the group engagement team shall select components that are not significant
93 Updated May 2012
No. Reference Question Small Entities Reviewers comments components and shall perform, or request a component auditor to perform, one or more of the following on the financial information of the individual components selected:
• An audit of the financial information of the component using component materiality. • An audit of one or more account balances, classes of transactions or disclosures. • A review of the financial information of the component using component materiality. • Specified procedures.
110 CISA600.19 Did a component auditor perform work on the financial
information of a component of the group?
If you answered yes to the above did the group engagement team obtain an understanding of the following:
(a) Whether the component auditor understands and will comply with the ethical requirements that are relevant to the group audit and, in particular, is independent?
(b) The component auditor’s professional competence?
(c) Whether the group engagement team will be able to be involved in the work of the component auditor to the extent necessary to obtain sufficient appropriate audit evidence?
(d) Whether the component auditor operates in a regulatory environment that actively oversees auditors?
94 Updated May 2012
No. Reference Question Small Entities Reviewers comments CISA600.20 Are there any concerns raised by either the Group
Engagement team? Note: If a component auditor does not meet the independence requirements that are relevant to the group audit, or the group engagement team has serious concerns about the other matters listed above, the group engagement team shall obtain sufficient appropriate audit evidence relating to the financial information of the component without requesting that component auditor to perform work on the financial information of that component.
CISA600.22 Did the Group Engagement team evaluate the appropriateness of performance materiality determined at the component level?
CISA600.30 (b) If a component auditor performed an audit of the financial information of a significant component, was the group engagement team involved in the component auditor’s risk assessment to identify significant risks of material of the group financial statements?
CISA600.31 (c) If significant risks of material misstatement of the group financial statements were identified in a component on which a component auditor performs the work, evaluate the appropriateness of the further audit procedures to be performed to respond to the identified significant risks of material misstatement of the group financial statements and determine whether it is necessary to be involved in the further audit procedures?
CISA600.40 (d) Communicate its requirements to the component auditor on a timely basis setting out
95 Updated May 2012
No. Reference Question Small Entities Reviewers comments the work to be performed, the use to be made of that work, and the form and content of the component auditor’s communication with the group engagement team?
CISA600.41 Has the Group Engagement team requested that the component auditor communicate matters relevant to the group engagement team’s conclusion with regard to the group audit?
CISA600.42 & CISA600.43
Evaluate the component auditor’s communication in (g) above? And If the group engagement team concludes that the work of the component auditor is insufficient, then the group engagement team should determine what additional procedures are to be performed, and whether they are to be performed by the component auditor or by the group engagement team.
106. CISA600.21 Did the group engagement team determine the following:
(a) Materiality for the group financial statements as a whole when establishing the overall group audit strategy?
(b) If, in the specific circumstances of the group, there are particular classes of transactions, account balances or disclosures in the group financial statements for which misstatements of lesser amounts than materiality for the group financial statements as a whole could reasonably be expected to influence the economic decisions of users taken on the basis of the group financial statements, the materiality level or levels to be applied to those particular classes of transactions, account balances or disclosures?
96 Updated May 2012
No. Reference Question Small Entities Reviewers comments (c) Component materiality for those components
where component auditors will perform an audit or a review for purposes of the group audit?
(d) The threshold above which misstatements cannot be regarded as clearly trivial to the group financial statements?
107 Did the group engagement team:
CISA600.33 Design and perform further audit procedures on the consolidation process to respond to the assessed risks of material misstatement of the group financial statements arising from the consolidation process including evaluating whether all components were included in the group financial statements?
CISA600.34 evaluate the appropriateness, completeness and accuracy of consolidation adjustments and reclassifications, and evaluate whether any fraud risk factors or indicators of possible management bias exist?
CISA600.35 If the financial information of a component was not been prepared in accordance with the same accounting policies applied to the group financial statements, evaluate whether the financial information of that component has been appropriately adjusted for purposes of preparing and presenting the group financial statements?
CISA600.36 determine whether the financial information identified in the component auditor’s communication is the financial information that is incorporated in the group financial statements?
97 Updated May 2012
No. Reference Question Small Entities Reviewers comments CISA600.37 If the group financial statements include the financial
statements of a component with a financial reporting period-end that differs from that of the group, evaluate whether appropriate adjustments have been made to those financial statements in accordance with the applicable financial reporting framework?
108 CISA600.38 & CISA600.39
Where audits were performed on the financial information of components, did the group engagement team or the component auditors perform procedures designed to identify events at those components that occurred between the dates of the financial information of the components and the date of the auditor’s report on the group financial statements that may require adjustment to or disclosure in the group financial statements?
109 CISA600.44 Did the group engagement team obtain sufficient audit evidence to reduce the audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion? In order to do this the group engagement team must evaluate whether sufficient appropriate audit evidence was obtained from the audit procedures performed on the consolidation process and the work performed by the group engagement team and the component auditors on the financial information of the components, on which to base the group audit opinion?
110 CISA600.45 Did the group engagement partner evaluate the effect on the group audit opinion of any uncorrected misstatements (either identified by the group engagement team or communicated by component auditors) and any instances where there has been an inability to obtain sufficient appropriate audit evidence?
98 Updated May 2012
No. Reference Question Small Entities Reviewers comments 111 CISA600.46 Did the group engagement team determine which
identified deficiencies in internal control to communicate to those charged with governance and group management in accordance with CISA 265? In making this determination, the group engagement team shall consider:
(a) Deficiencies in group-wide internal control that the group engagement team has identified;
(b) Deficiencies in internal control that the group engagement team has identified in internal controls at components; and
(c) Deficiencies in internal control that component auditors have brought to the attention of the group engagement team.
112 CISA600.47 If fraud was identified by the group engagement team or brought to its attention by a component auditor or information indicates that a fraud may exist, did the group engagement team communicate this on a timely basis to the appropriate level of group management in order to inform those with primary responsibility for the prevention and detection of fraud of matters relevant to their responsibilities?
113 CISA600.49 Did the group engagement team communicate the following matters with those charged with governance of the group, in addition to those required by CISA 260 and other CISAs:
(a) An overview of the type of work to be performed on the financial information of the components.
(b) An overview of the nature of the group engagement team’s planned involvement in the work to be performed by the component auditors on the financial information of significant components
(c) Instances where the group engagement team’s
99 Updated May 2012
No. Reference Question Small Entities Reviewers comments evaluation of the work of a component auditor gave rise to a concern about the quality of that auditor’s work.
(d) Any limitations on the group audit, for example, where the group engagement team’s access to information may have been restricted.
(e) Fraud or suspected fraud involving group management, component management, employees who have significant roles in group-wide controls or others where the fraud resulted in a material misstatement of the group financial statements?
114 CISA600.50 Does the audit documentation include:
(a) An analysis of components, indicating those that are significant, and the type of work performed on the financial information of the components?
(b) The nature, timing and extent of the group engagement team’s involvement in the work performed by the component auditors on significant components including, where applicable, the group engagement team’s review of relevant parts of the component auditors’ audit documentation and conclusions thereon?
(c) Written communications between the group engagement team and the component auditors about the group engagement team’s requirements?
100 Updated May 2012
G. Overall assessment
No. Question Reviewers comments 115 Based on your review of the audit engagement is there any indication that:
(a) The audit was not conducted in accordance with CISA and other mandatory requirements?
(b) The audit opinion was not based on sufficient appropriate audit evidence?
(c) That an inappropriate audit opinion was issued?
