AUDIT RELATED SERVICES
The objective of a review is to enable an auditor to state whether (on the basis of procedures which do not provide all the evidence that would be required in an audit), anything has come to his attention that causes him to believe that the financial statements are not prepared, in all material respects, in accordance with an identified financial reporting framework.
Two types of review assignments:
- An attestation engagement where a given assertion is either correct or not e.g. a review of interim financial information. In such an engagement, the auditor is being asked to attest assertions made such as whether the accounting policies used are consistent with those used in prior years or whether there are material modifications necessary to the interim financial information.
- A direct reporting engagement where an accountant reports on issues that have come to his attention during the course of his review e.g. due diligence engagement. This is a review of the accounts and systems of a target company in the event of a prospective business purchase.
In a review engagement, the auditor relies more heavily on procedures such as enquiry and analytical review than on detailed substantive testing.
- Lower level of assurance than for an audit so these tests are sufficient due to lower risk.
- Such techniques provide indicators to direct work to risk areas and from which to draw conclusions and they are quick and therefore cost effective.
Many of the requirements for reviews are similar to the requirements of an audit because a review is similar to an audit; such as the need to plan, obtain knowledge of the business, materiality requirements, using the work of others, document important matters, apply judgments and extend procedures if material misstatements are suspected.
Negative assurance is given on review assignments. The auditor assesses the conclusions drawn from the evidence obtained as the basis for the expression. In effect, the auditor is saying that something is reasonable because there is no reason to believe otherwise.
When no matters have come to the attention of the auditor, he should give a clear expression of negative assurance in his reports.
If matters have come to his attention, he should describe those matters. They may be material. In this case the auditor should express a qualified opinion of negative assurance. If the matter is pervasive, he should express an adverse opinion that the financial statements do not give a true and fair view.
If the auditor feels there is a limitation in the scope of the work he intended to carry out for the review, he should describe the limitation in his report. If it is material to one area, the auditor should express a qualified opinion of negative assurance due to amendments which might be required if the limitation did not exist. If it is pervasive, the auditor should not provide any assurance at all.
Agreed upon procedures
An agreed upon procedures engagement is where an auditor is engaged to carry out procedures of an audit nature and to report on factual findings. The procedures are agreed between the auditor and the entity and any appropriate third parties. The readers of the report must form their own conclusions, but it is restricted to those parties that have agreed to the procedures to be performed. Other readers unaware of the agreed procedures may draw incorrect conclusions from the results.
The auditor should ensure that those who will receive copies of the report of factual findings have a clear understanding of the agreed procedures and the conditions of the engagement.
Carrying out procedure
As in the case of reviews, the auditor should plan the assignment and should carry out the agreed procedures. He should document the process and all findings.
The report of factual findings should contain:
- Title and address, ordinarily the client who engaged the auditor,
- Identification of specific information to which the agreed procedures have been applied,
- A statement that procedures performed were those agreed upon with the recipient,
- A statement that the engagement was performed in accordance with the international standards on auditing applicable to agreed procedures engagements, or with relevant national standards or practices,
- Where relevant, a statement that the auditor is not independent of the entity,
- Identification of the purpose for which the agreed upon procedures were performed,
- A listing of the specific procedures performed,
- A description of the factual findings including sufficient detail of errors and exceptions,
- A Statement that the procedures performed do not constitute either an audit or a review and as such no assurance is expressed,
- A statement that if the auditor performed additional procedures like an audit or a review other matters might have come to light that would have been reported,
- A statement that the report is restricted to those parties that have agreed to the procedures to be performed,
- Date of the report, auditors address and auditors signature.
In a compilation engagement the accountant is engaged to use his accounting expertise rather than his auditing skill such as preparing accounts and tax returns.
The contents of such a report are similar to those points listed above.
B. ASSURANCE ENGAGEMENTS
Elements of an assurance engagement
An assurance engagement is one where an accountant evaluates a subject matter that is the responsibility of another party against suitable criteria and expresses an opinion that provides the intended user with a level of assurance about the subject matter.
Assurance engagements may give reasonable assurance or limited assurance.
Accepting and continuing appointment
Assurance engagements should only be accepted if the firm meets the requirements of the code of ethics and ISQC1. The standard requires that accountants ensure that they comply with the code of ethics and the quality control standard with regard to the assignment.
The accountant should agree on the terms of the engagement with the engaging party and should have this confirmed in writing.
Planning and performing the engagement
The accountant should plan the engagement so that it will be performed effectively. This involves developing an overall strategy and a detailed engagement plan.
Matters to be considered will include the terms of the engagement, the characteristics of the subject matter and identified criteria, the engagement process and possible sources of evidence, understanding of the entity and its environment, risk of material misstatements, identification of intended users and their need, materiality, components of assurance engagement risk and personnel requirements including the potential use of experts.
Materiality and engagement risk
The accountant should consider materiality and assurance engagement risk when planning and performing an assurance engagement. He should reduce assurance engagement risk to an acceptably low level in the circumstances of the engagement such as the level of assurance that is anticipated that is reasonable assurance or limited assurance.
The accountant should obtain sufficient appropriate evidence, including written management representations, on which to base the conclusion.
The accountant should conclude whether sufficient appropriate evidence has been obtained to support the conclusion expressed in the assurance report. This report should be in writing and should have a clear expression of the accountant’s conclusion about the subject matter.
For a reasonable assurance engagement, an accountant should give a positive expression of this conclusion. This does not mean that the report should not be modified, it means the accountant should be able to draw a conclusion on the basis of the evidence gained. This is in contrast to a negative opinion, given in a limited assurance engagement, where an auditor gives an opinion as no evidence has been received to the contrary.
Risk assessment is important to investors and managers and therefore is an important area for assurance services.
Business risks incorporate financial risk, operational risk and compliance risk.
Need for assurance
The risk that the company enters into has a direct impact on the risk of the investment that anyone purchasing shares in a company or lending money to a company is making.
Interested stakeholders need assurance that the risk taken by the company is acceptable to them and that the returns that they receive are in accordance with that level of risk.
This has led to corporate governance and internal control effectiveness issues.
Other stakeholders, such as creditors and employees, will also be interested in the effectiveness of risk management in a company as the ultimate risk is that a business might fail and their livelihoods could be at risk.
Possible assurance criteria
The criteria by which risk assessment is evaluated will depend on the specific needs of the company and the user. There are no recognised criteria suitable for evaluation of the effectiveness of an entity’s risk evaluation. Assurance is likely to be limited to whether evaluation is carried out rather than the quality of that evaluation.
Responsibility for risk assessment
Directors/management, internal audit and external audit are involved in risk assessment.
It is vital to distinguish between the risk assessment carried out by the auditors and the directors. The directors are responsible for assessing and then managing the risks arising to the business, whereas the auditors assess audit risks. Audit risk is the risk that the auditors make an inappropriate opinion on financial statements. The auditors will consider business risk as part of their audit risk assessment. They are not responsible for risk management.
Methods can include SWOT analysis. In practice, risk identification is likely to be done in all departments of a business. The directors need to determine guidelines for assessing risk in terms of significance, likelihood of occurrence and capacity to be managed.
Responses to risk
There are several responses that management can take;
- Accept risk, especially if it is low likelihood, low impact.
- Reduce risk by setting up a system of internal control to prevent the risk arising.
- Avoid risk by not entering a market or not accepting certain contracts.
- Transfer risk by taking our appropriate insurance.
If management choose to accept risk, they must set risk thresholds i.e. determine the level of risk where they will stop accepting risk and choose one of the other strategies. These thresholds are important because if the directors or management are reckless with regard to risk they may be breaching their fiduciary duties.
Companies can gain assurance from performance measurement. It includes a series of measures within the company designed to ensure that employees are accountable to management for their performance.
There are benefits to performance measurement:
- It clarifies the objectives of the entity
- It develops agreed measures of activity
- It gives greater understanding of processes
- It facilitates the comparison of performances in different organisations
- It facilitates the setting of targets for the organisation and its managers
- It promotes the accountability of the organisation to its shareholders.
The traditional performance measures can be analysed over financial and operational areas:
The key financial ratios used to measure performance cover profitability, liquidity, gearing and investment. While relevant to shareholders, they are measures which investors would expect companies to calculate as a matter of course and also calculate them correctly. Financial performance could be assessed in further detail for example, by analysis of sales by product, region, division and assessing timeliness of information, comparisons between the performance of the company and its competitors or its budget.
Indicators of operational performance will vary with different businesses. Measures could include data such as sales per sales person and number of new products launched each year.
Value for money audits
Value for money audits have the following key characteristics:
The assessment of economy, efficiency and effectiveness should be part of the normal process of any organisation, whether public or private. Management should carry out performance reviews as a regular feature of their control responsibilities. The objectives of a particular programme or activity need to be specified and understood in order for a proper assessment of whether value for money has been achieved.
In a profit seeking organisation, objectives can be expressed financially in terms of target profit or return.
In non-profit seeking organisation, effectiveness cannot be measured this way as the organisation has non-financial objectives. The effectiveness of performance needs to be measured in terms of whether targeted non-financial objectives have been achieved.
Public sector organisations are under considerable pressure to prove that they operate economically, efficiently and effectively and are encouraged to draw up action plans to achieve value for money as part of the continuing process of good management. Value for money is important whatever level of expenditure is being considered.
Economy is concerned with the cost of inputs and it is achieved by obtaining those inputs at the lowest acceptable cost. It does not mean straightforward cost-cutting because resources must be acquired which are of a suitable quality to provide services to the desired standard. Cost cutting should not sacrifice quality to the extent that service standards fall to an unacceptable level. Economising by buying poor quality materials, labour or equipment is a false economy and doesn’t lend itself to value for money.
Efficiency means maximising the output for a given input such as maximising the number of transactions handled per employee. It also can mean achieving the minimum input for a given output. For example, a department required to pay unemployment benefit will achieve efficiency by making these payments with the minimum labour and computer time.
Effectiveness means ensuring that outputs of a service have the desired impacts.
Economy, efficiency and effectiveness can be measured with reference to inputs, money and resources (labour, materials, time) and their cost.
The key stakeholders, shareholders, are likely to be interested in financial information as they need to know the return they get from their investment. They would be interested in industry averages and percentages of historic performance.
Shareholders would also be interested in operational ratios. However, customers would be very interested in such operational information as they demand a quality service. They would be interested in comparisons with competitors and industry averages.
Company shareholders might be interested in value for money data whereas, in a non-profit targeted company value for money will be extremely important for interested parties such as trustees and donors.
The reliability of systems of internal control is important for both financial statements and in general business operations.
The requirement for assurance services in this regard is driven by a requirement for reliable information for presentation and decision making purposes.
A fundamental stage of the traditional audit is the assessment of financial systems to ensure that they are capable of producing quality financial statements. Therefore anyone interested in information from a business will have an implied interest in assurance on all business systems and that this is an area which businesses are keen to engage accountants.
Business systems fall into two categories mainly manual and computerised. In the modern era computerised systems are increasingly important.
Internal control systems
There is a clear distinction between assurance on the design of internal control systems, and assurance on the operation of the internal control system in accordance with the design.
The process of internal control would include:
- Identify business objectives,
- Assess risks that will threaten those objectives,
- Design internal controls to manage those risks,
- Operate the internal controls in accordance with the design,
- Providing assurance on the operation of the system.
The report arising from such an assignment need not be extensive but it is likely to be narrative as the accountant would probably include issues such as:
- Isolated control failures,
- Observation about the abilities of staff involved in operating the system of control,
- Potential weaknesses observed which were not contemplated within the design or relating to the operation of controls.
In providing assurance on the design and operation of the system, the accountant should consider the design of the system in addressing a set of identified risks and the operation of the system. Such an engagement will involve significant discussion with management to establish the desired balance between prevention and detection controls, the balance between costs and benefits and the importance of specific control objectives.
The level of assurance given by the accountant will depend on several factors including the nature of the entity, the knowledge of the business, and the scope of the engagement.
Providing assurance on the applicable risks and the design and operation of a system would involve a high degree of judgement as there are no recognised criteria suitable for evaluating the effectiveness of an entity’s risk evaluation. This means that accountants are unlikely to be able to provide a high level of assurance.
Any assessment will need to consider:
- The completeness of the applicable identified risks,
- The probability of a risk crystallising,
- The materiality of the likely impact of the risk,
- The time period over which crystallisation may occur.
In their report the accountants should outline the business objectives of the entity, a description of the risk identification process and the applicable risks.
Internal control systems have inherent limitations such as the risk of staff collusion in fraud to override the system. Any assurance report on internal controls should include a mention of these limitations in order to reduce the risk of an expectations gap.
It is difficult to issue a standard report for assurance services that are dependent on the scope and nature of the individual assignment.
A vast number of businesses use computer systems to run their business and produce financial information. This means that controls that directors are required to put into place to safeguard the assets of a company are now generally incorporated into computer systems. A balance must be struck between the degree of control and the requirement for a user friendly system.
Controls can be classified into:
- Security controls
- Integrity controls and
- Contingency controls
Integrity controls are subdivided into Data integrity and Security integrity.
With data integrity the data is the same in the computer system as it is in source documents and has not been accidentally or intentionally altered, destroyed or disclosed.
Systems integrity refers to systems operations conforming to the design specification despite deliberate or accidental attempts to cause it to do otherwise.
Auditors focus on the general and application controls of the systems which relate to security and policies for data input when carrying out control assessment, whereas it is important to stakeholders in the company that the system used operates reliably and that risks are mitigated against.
Key risks include the system being put at risk by a virus or some other fault which spreads across the system and the system being invaded by an unauthorised user who could affect the smooth operation of the system or obtain commercially sensitive information. The client should have contingency plans in the event of a system difficulty.
Need for assurance
It is important to know that the original system is as reliable as could be expected and whether it is the best system that the company could be using at the given cost. The company might seek such assurance from its service provider. However, the service provider may not be objective as they have a vested interest. They are paid to provide a solid system, they will hardly find fault with it.
This means that the directors might seek an assurance from its auditors to undertake work to ascertain if the assertions of the service provider are accurate.
In considering taking on such an assurance engagement, one should ensure that sufficient skills are available to undertake such procedures.
Internal control effectiveness is generally assessed by undertaking a systems audit.
An auditor could accept such an assurance engagement outside the audit and to report specifically on findings.
The key areas to concentrate on to establish the reliability of systems are management policy, segregation of duties and security.
- Is there a written policy for computer systems,
- Is it compatible with policies in other areas,
- Is it adhered to,
- Is it sufficient and effective,
- Is it updated when the systems are updated,
- Does it relate to the current systems?
Segregation of duties
- Is there adequate segregation of duties for data input,
- Are there adequate system controls e.g. passwords to enforce segregation?
- Is there a physical security policy in place such as a locked room and password access,
- Is there data security software such as virus shields?
Management should receive information on the effectiveness of their controls systems and systems reliability. The operations are likely to rely heavily if not completely on computer systems and if problems arise, operations could be severely affected. Such problems could include no production, no invoicing or duplicate or omitted invoicing.
Other stakeholders, customers and suppliers will be interested in the reliability of the company systems as they would not want to deal with ineffective operations.
- ELECTRONIC COMMERCE
Engaging in e-commerce
A business can engage in e-commerce to a greater or a lesser degree. The greater the involvement in e-commerce the more risk there is.
- Information provision,
- Transactions with existing customers,
- Access to new customers,
- New business model.
- Risk of non-compliance with law,
- Contractual issues,
- Risk of technology failure and business interruption,
- Determining accounting policies especially revenue may pose problems, Impact of technology on the going concern assumption,
- Security risks.
Internal controls issues
Controls over transactions integrity are important as the system will automatically process transactions that it has captured. It is vital that transactions are processed completely in the accounting system. The controls over the design and operation of the computer systems will be important.
There is a more substantial risk of fraud being perpetrated against the company if transactions are carried out via a website rather than in person. Security is also relevant to the customer who is inputting sensitive personal data into the computer system.
- FORENSIC AUDITING
“Forensic Auditing” in general terms is used to describe the wide range of investigative work which accountants in practice could be asked to perform. The work would normally involve an investigation into the financial affairs of an entity and is often associated with investigations into alleged fraudulent activity, including potentially acting as an expert witness if the fraud comes to trial. It is important to be aware that forensic accountants could be asked to look into non-fraud situations, such as the settling of monetary disputes in relation to a business closure or matrimonial disputes under insurance claims. The investigation is likely to be similar in many ways to an audit of financial information in that it will include:-
- A Planning Stage,
- Gathering of Evidence,
- Review Process,
- Report to the Client,
Audit evidence is gathered to prove:-
- How long the fraud had been carried out,
- How it was conducted and concealed by the perpetrators,
- The suspect’s motive,
- Whether the fraud involved collusion between several suspects,
- Any physical evidence at the scene of the crime or contained in documents,
- Attempts to destroy evidence.
Definition: “An individual in an organization who makes disclosures in the public interest about dangerous or illegal activities, in order that the misconduct or perceived misconduct can be addressed, is a whistleblower”. Whistleblowing can either occur internally within the employing organization or externally, and should not be used as a method of resolving a personal complaint or grievance.
Whistleblowing arrangements within an organization should act as a deterrent to:- • Malpractice,
- Encourage Openness,
- Promote transparency,
- Help protect the reputation of the company and senior management.
Factors to consider about possible misconduct include:-
- Is the concern genuine or might there be an innocent explanation?
- Who is affected?
- Does the organization have a whistleblowing policy?
- Is there legal protection for whistleblowing?
Whistleblowing procedures are important in organisations as it informs those who need to know about dangerous or illegal activities that affect others and gives them an opportunity to address the issue. Setting up formal whistleblowing procedures within an organization strengthens corporate governance and ethics.
You are the partner in a firm where a major audit client is seeking finance from its bank to fund the development of a new factory. Market research conducted shows that the extra 30% production capacity will be sufficient to meet the increased demand for the company’s product. The financial director has contacted you to inform you that the bank is keen to obtain a reference from you. The bank is anxious to gain assurance on the company’s ability to repay the loan and whether their business plan is reasonable. The financial director said the bank just need the paperwork for their files and assures you that the bank knows that the company can repay and that they are one of the better clients. Your audit team is about to commence the audit for the year ended March 2010.
Comment on the matters you would consider in relation to giving such a reference to the bank.
The finance director of one of your clients telephoned. He recently attended one of your firm’s training seminars on the importance of corporate governance. He has told the other directors in the company the issues discussed at the seminar and they now feel it might be a good idea to engage the firm to undertake an assurance engagement to assess the risk management and internal control systems of the company.
Comment on the matters you would consider in relation to accepting and planning such an engagement.