ISA (UK) 330: The Auditor’s Responses To Assessed Risks

 The auditor's goal is to collect enough suitable audit evidence to support the evaluated risks of material misstatement, as well as to create and implement effective solutions to such risks. The auditor is responsible for developing and implementing overall remedies to the risks of substantial misstatement in the financial statements.

Test of controls as defined by ISA (UK) 330 – An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.

Examining a sample of purchase orders to confirm that they have been properly authorized would be a control test. A 'yes' response indicates that the internal control requiring purchase order permission is operational, whereas a 'no' response indicates that the internal control does not appear to be operational, necessitating further audit inquiry.

 

Substantive procedure as defined by ISA (UK) 330 – An audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise:

(i) Tests of details (of classes of transactions, account balances, and disclosures); and

(ii) Substantive analytical procedures.

According to ISA 330, the auditor must always execute substantive procedures on material items, regardless of the risk of substantial misstatement, and must design and perform substantive procedures for each material class of transactions, account balance, and disclosure. Invariably, substantive procedures will need more effort than control testing. Consider the example of a manufacturing company's purchasing system and the assertion of account balances' existence in the statement of financial position. Typical detail checks would entail receiving and examining the closing purchase ledger account balances for a sample of purchase ledger accounts with selected suppliers, as well as some physical verification of year-end balances outstanding. Typically, this entails agreeing on the closing balance figure with the supplier's statement, or even asking third-party confirmation of the amount owing from the supplier.

An effective control environment may enable the auditor to have greater confidence in internal control and the reliability of audit evidence generated internally within the entity, allowing the auditor, for example, to conduct some audit procedures at an interim date rather than at the end of the period. Deficiencies in the control environment, on the other hand, have the opposite impact; for example, an ineffective control environment may prompt the auditor to:

§  Conduct more audit processes at the end of the period rather than at an interim date;

§  Obtaining more extensive audit evidence from fundamental procedures;

§  Expanding the audit scope to include more locations.

 

Practice:

Control tests are often brief, rapid audits, whereas substantive procedures will necessitate more extensive auditing. The auditor must create and perform substantial processes for each type of transactions, account balance, and disclosure, regardless of the assessed risks of material misstatement, according to ISA 330.

 

Reference:      https://bit.ly/34QrvaI

https://bit.ly/3uawuvw

Audit Method: Testing Revenue

Audit-is-cool continues to supply auditors with information on different topics of audit methodology. This week we provide most popular procedures to provide assurance on financial statement line "Revenue".

TEST OF CONTROLS

• Make a selection of sales transactions from independent source records e.g. shipping records, delivery orders, purchase orders etc.
• Test the completeness of source records by ensuring their numerical sequences.
• Check that sales data is input only once and is subject to validation.
• Access to sales system is restricted by user ID and password.
• Check that prices are charged in accordance with the approved price list.
• Check that the quantity discounts are in accordance with the approved limits.

ANALYTICAL PROCEDURES

• Have the client prepare a comparative monthly analysis of sales by product line, division or other business segment, including gross sales, returns and allowances and discounts. Verify the clerical accuracy of the analysis.
• Perform analytical procedures on sales by developing an expected amount of sales based on prior year’s figures or current period economic conditions and then comparing it with actual amount. Any significant differences should be enquired into and corroborated.

TEST OF DETAILS

• Have the client reconcile totals for gross sales and sales deductions to the general ledger control accounts.
• Verify the sales invoices and check that the customer name, product description and quantities and price are mentioned on the invoice and compare it with the description of sales order.
• Review applicable sales invoices and shipping documents to determine the accuracy and validity of each selected sales transaction and sales tax charged thereof, if applicable.
• Document the criteria for selection of sales invoices for verification purposes and ensure that sample is representative both for volume and amount of transaction.
• Scan the sales journal to check whether there is any duplication of sales invoice numbers or gap in the sequence of invoice numbers to identify invoices cancelled, if any.
• Review significant sales returns and credit memos issued during the period as well as subsequent to the balance sheet date to determine whether they were properly authorized and recorded in the proper period.
• Discuss with appropriate client’s personnel the existence of significant uncertainties at the time
• of sales, if any, like recoverability, warranty and other obligations, price protection agreement or revenue limitation.
• Make a selection of transactions from recorded sales and shipping records for prior and after period-end and ensure proper cut-off.
• Ensure that all sales in foreign currencies are translated using exchange rate prevailing at the date of sale (a rate that approximates the actual rate for example, weekly / monthly average is also acceptable).
• Consider reasonableness of revenue by multiplying the number of units with the average selling price.
• Determine that the accounting policies and methods of revenue recognition are appropriate and are applied consistently.

Audit Method: Fraud

Accounting fraud has long been the buzzword in the industry due to its wider and deeper implications on the company, industry and the economy at large. Window dressing is a term used in accounting for presenting financial statements in such a manner that disguise the actual financial transactions and present them in a more favorable way. According to PWC Economic crime survey the five most commonly reported types of economic crimes are asset misappropriation, procurement fraud, bribery and corruption, cybercrime and accounting fraud.

Auditors are required to keep themselves up to date about all these fraudulent practices and should apply professional skepticism while conducting the audit of financial statements.

ISA 240, The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements addresses all the issues which an auditor has to deal with while conducting the audit. Under ISA-240, auditors are now required to evaluate the effectiveness of an entity’s risk management framework (internal control) in preventing misstatements whether through fraud or otherwise, in all audits. Furthermore, auditors are now required to be more proactive in their search for fraud. The auditor is responsible for maintaining an attitude of professional skepticism throughout the audit, recognizing the possibility that a material misstatement due to fraud could exist, notwithstanding the auditor’s past experience of the honesty and integrity of the entity’s management and those charged with the governance. An overriding requirement of ISA 240 is that auditors are aware of the possibility of there being misstatements due to fraud.

The objectives of the auditor are:

a) To identify and assess the risks of material misstatement of the financial statements due to fraud;

b) To obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud, through designing and implementing appropriate responses; and

c) To respond appropriately to fraud or suspected fraud identified during the audit.

The ISA, however, recognize the fact that owing to inherent limitation of an audit, there is an unavoidable risk that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with the ISAs.

Practice

 Misstatements in the financial statements can arise from either fraud or error. The distinguishing factor between fraud and error is whether the action that results in the misstatement of the financial statements is intentional or unintentional. In planning the audit, auditors must be alert to the possibility of fraud and assess the risk that fraud might occur. The auditor shall treat those assessed risks of material misstatement due to fraud as significant risks and accordingly, the auditor shall obtain an understanding of the entity’s related controls, including control activities, relevant to such risks.

Audit Method: Controls

Control activities are the policies and procedures that help ensure that management directives are carried out. Control activities, whether within IT or manual systems, have various objectives and are applied at various organizational and functional levels. Examples of specific control activities include those relating to the following:

1. Authorization.
2. Performance reviews.
3. Information processing.
4. Physical controls.
5. Segregation of duties.

An auditor would be required to conduct a walk through test to confirm the understanding as documented. Identify the preventive (exercised before occurrence of transactions and event) and detective and corrective (exercised after occurrence of transactions and event) controls established by management to support its assertions. Preventive, detective and corrective controls can be:

1. Application controls
2. IT-dependent manual controls
3. Manual controls

Application controls are automated controls processed by the entity’s IT applications without manual interference. Examples of Application controls are Edit Checks, Validations, Automatic calculations, Authorizations etc.

IT-dependent manual controls are controls in which we consider both the manual and automated aspect of the control e.g. a review of a computer generated sales orders report to determine that all sales are invoiced.

Manual controls are those controls that are operated completely manually e.g. bank reconciliations when the entity reconciles cash to bank statement.

Recommendation

Controls are performed to check the accuracy, completeness, and authorization of transactions.  A concept called The Internal Control Stream is introduced by Thomas P. Houck in his book “Why and How Audits Must Change: Practical Guidance to Improve Your Audits”. According to Thomas P. Houck this concept help auditors better understand the many controls that can exist in a company. The "stream" represents the path that a transaction follows as it moves from inception to its ultimate resting place in the financial statements. Controls can be located at different spots along the stream. Upstream controls help to ensure that transactions are properly entered into the computer system. Information technology controls are automated controls that help to prevent misstatements. Downstream controls come into play after information is processed in a computer system. An auditor is required to apply appropriate tests of controls to assess the reasonableness of design of system of internal control by enquiring relevant client personnel and documenting the same.

Audit Method: Audit Approach

Audit planning is one of the most interesting steps in the audit process. It requires to apply audit specific knowledge, business skills, understanding of the own resources and velocity of their usage.

In this post I am going to make the brief overview of some audit approaches and their applicability in real life.

Audit Process

The audit process could be depicted very simply, but work done and time spent on each stage of audit process have crucial effect on audit efficiency and effectiveness (audit risk). The illustration demonstrates that basically we have two types of approach: business risk approach with controls testing and substantive approach.

Audit Process

The approach in strategy should not be confused with approach in tactics regarding the concrete account connected with business process. In any case, we have to detect most risky and material areas of clients’ financial statements, i.e. substantive testing of all accounts is not reasonable.
         The second step is to identify our tactic regarding concrete type of account and assertion. For example, account is “fixed assets” (FA) and assertion is “valuation”. The process which is reflected by these two elements is “FA purchases” process. So at this point we might decide to test value of FA items substantively or do some preliminary purchases tests of controls to reduce substantive work in later stages. 

To test or not to test?

The outcome of control testing should be combined risk assessment of financial statement risk and audit risk, i.e. the result per well-known models:

         Audit Risk = Inherent Risk x Control Risk x Detection Risk (1);

Audit Risk = Financial Statement Risk x Detection Risk (2).

The audit firms try to formalize risk assessments (low, moderate, high) and spot the point at which it would be reasonable to reduce substantive procedures. However, there is still a problem: test of controls is time and money spent on procedures. And how do we know whether we should even start testing controls? What if after extensive control testing they proved to be ineffective? The mistakes might lead to inefficient audit, harming auditors’ profit margin. Unfortunately, I might say in majority cases the decision is made based on common sense and subjective opinion, i.e. there is no 100% proven scientific way to figure this out. Admittedly, to facilitate a right decision auditors should understand client’s business process, document suggested controls, and do process walk-through. There are also some rules of thumb, e.g. if there are lots of small routine transaction, then tests of controls are likely to be the right option.

Additional factors

The audit with accurate planning stage, through understanding of business processes and risk detection would require highly proficient audit team. However, we live in a real world and we do not always have access to the best dream audit teams J . The point is that the audit approach should be understandable by team members and fit their abilities: for someone it would be easier (time/budget factor) to vouch 1000 transaction than make decision based analytical job of connecting facts from process narrative, walk-through, initial strategy, and audit methodology. I mean, that process need not be overcomplicated. I would suggest following basic principles for establishing strategy:

1. Efficiency (budget);
2. Effectiveness (prudence, audit risk);
3. Complexity/easiness to bring about;
4. Understandability (and acceptability) for all members of team: from partner to audit staff.

In the future blog posts, it would be interesting to elaborate each of the above principles.

Conclusions

This is only outline of audit approaches. The topic is enormous and I will try to cover most arguable areas. Your comments are welcome as usual.

PS Please, do not forget to vote for your top 3 favorite subjects. The polls are going on the right-hand side of the blog.