Thursday, April 21, 2022

ISA (UK) 505: External Confirmations

 The trustworthiness of audit evidence is influenced by its source and nature and is reliant on the unique conditions under which it is gathered, according to ISA (UK) 500. The following generalizations about audit evidence are included in the ISA (UK):

· When audit evidence is collected from independent sources outside the company, it is more dependable.

· Direct audit evidence obtained by the auditor is more reliable than indirect or inferred audit evidence.

· When audit evidence is in documentary form, whether on paper, electronic media, or another medium, it is more dependable.

As a result, audit evidence in the form of external confirmations received directly by the auditor from confirming parties may be more reliable than evidence generated internally by the entity, depending on the conditions of the audit. The purpose of this ISA (UK) is to assist auditors in creating and executing external confirmation procedures in order to collect relevant and credible audit evidence. When implementing external confirmation methods in response to a risk of material misstatement, an auditor's goal is to develop and implement such procedures in order to collect relevant and credible audit evidence.

External confirmation is the process of acquiring and analyzing audit evidence directly from a third party in response to a request for information on a specific item from the auditor. Such audit evidence, when combined with audit evidence from other audit techniques, may help to reduce the evaluated risk to a level that is acceptable. External confirmations are of two types.

Positive confirmation request - A request for the confirming party to react directly to the auditor, either by agreeing or disagreeing with the information in the request or by giving the desired information.

Negative confirmation request — A request that the confirming party reacts immediately to the auditor only if the information provided in the request is incorrect.

External confirmations are frequently used to confirm the following:

· bank balances, loans, guarantees, and other information from bankers;

· bank accounts opened in connection with imprests (e.g. delegations);

· amounts held at financial intermediaries at year-end;

· accounts receivable or accounts payable balances.

Practice:

The auditor should determine if the results of the external confirmation process, along with the results of any other audit processes completed, provide sufficient, relevant, and credible audit evidence for the assertion under scrutiny, or whether more audit procedures are required.

 

 

Reference: https://bit.ly/3v28dJI

https://bit.ly/3K7Vg5o

Thursday, April 14, 2022

ISA (UK) 500: Audit Evidence

The primary goal of an auditor's job in an audit engagement is to achieve reasonable assurance, which is a high but not absolute level of certainty, that the financial statements as a whole are free of material misstatement, so that the auditor can form an opinion on the financial statements and report accordingly in the auditor's report. The auditor must develop and implement audit processes to acquire sufficient relevant audit evidence to be able to draw reasonable inferences on which to base the auditor's opinion.

Audit evidence — Information used by the auditor to reach the conclusions that constitute the basis of the auditor's opinion. Information from the accounting records that underpin the financial statements, as well as information gathered from other sources, are included in audit evidence.

The relevance and reliability of the information on which all audit evidence is based have an impact on its quality. The logical link with, or impact on, the goal of the audit method and, where appropriate, the assertion under consideration is referred to as relevance. The source and nature of the information to be used as audit evidence, as well as the conditions under which it is received, including the controls over its production and maintenance if applicable, all influence the audit evidence's reliability.

Obtaining and assessing audit evidence is a substantial component of the effort involved in performing an audit. That evidence is generally produced from audit processes carried out during the engagement, but it can also be obtained from other sources: for example, past audits (provided that any modifications that have occurred in the meantime have been properly considered) or the firm's quality control methods, particularly those relating to customer acceptance and continuation.

The auditor obtains audit evidence by performing: 

(a) risk assessment procedures; and

(b) additional audit procedures, which include:

(i) tests of controls, when required by the ISAs (UK) or when the auditor chooses to do so; and

(ii) substantive procedures, including tests of details and substantive analytical procedures.

When designing tests of controls and tests of details, the auditor must decide how to select items for testing in a way that is effective in meeting the purpose of the audit procedure. If (a) audit evidence obtained from one source differs from that obtained from another, or (b) the auditor has doubts about the reliability of information to be used as audit evidence, the auditor must determine what changes or additions to audit procedures are required to resolve the issue, as well as the impact of the issue, if any, on other aspects of the audit.

Practice:

The auditor may use inspection, observation, external confirmation, recalculation, reperformance, analytical procedures, inquiry, etc. as risk assessment procedures, tests of controls, or substantive procedures, depending on the context in which they are applied by the auditor.

 

Reference:      https://bit.ly/37TwybO

https://bit.ly/3M7quLh

ISA (UK) 402: Audit Considerations Relating to an Entity Using a Service Organization

 When a user entity utilizes the services of one or more service organizations, this International Standard on Auditing (UK) (ISA (UK)) addresses the user auditor's responsibilities to gather adequate appropriate audit evidence. It explains how the user auditor can use ISA (UK) 315 and ISA (UK) 330 to gain a sufficient understanding of the user entity, including relevant internal controls, to identify and assess the risks of material misstatement, and to design and perform additional audit procedures in response to those risks. When services provided by a service organization, as well as the controls over them, are part of the user entity's information system, including related business activities, relevant to financial reporting, they are relevant to the audit of the user entity's financial statements. The user auditor must comprehend how a user entity uses the services of a service organization in the user entity's activities when developing an understanding of the user entity in accordance with ISA (UK) 315.

When a user entity uses the services of a service organization, the user auditor's objectives are to:

(a) gain a sufficient understanding of the nature and significance of the service organization's services and their impact on the user entity's internal control relevant to the audit to identify and assess the risks of material misstatement; and

(b) design and perform audit procedures responsive to those risks.

Maintenance of the user entity's accounting records is an example of a service organization service that is important to the audit. Regardless of the controls in place at the service organization, the user entity may establish controls over the service organization's services that the user auditor can test, allowing the user auditor to conclude that the user entity's controls are operating effectively for some or all of the related assertions. If a user entity, for example, hires a service organization to conduct its payroll transactions, the user entity can set up controls over the submission and receipt of payroll data to prevent or identify serious misstatements.

 

Practice:

When obtaining an understanding of internal control relevant to the audit in accordance with ISA (UK) 315, the user auditor shall evaluate the design and implementation of relevant controls at the user entity that relate to the services provided by the service organization, including those that are applied to the transactions processed by the service organization.

 

 

Reference:      https://bit.ly/3Mm0kVB

Thursday, March 31, 2022

ISA (UK) 450: Evaluation of Misstatements Identified During the Audit

 A difference between the reported amount, classification, presentation, or disclosure of a financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in compliance with the applicable financial reporting framework is referred to as a misstatement. Errors or fraud can lead to misstatements. When the auditor expresses an opinion on whether the financial statements are presented fairly, in all material respects, or give a true and fair view, misstatements also include any adjustments to amounts, classifications, presentation, or disclosures that the auditor believes are required for the financial statements to be presented fairly, in all material respects, or to give a true and fair view. Except for those that are manifestly inconsequential, the auditor must keep track of any misstatements discovered throughout the audit.

The auditor's goals, according to ISA 450, are to examine the following: The impact of recognized misstatements on the audit, and the impact of uncorrected misstatements, if any, on the financial statements. A misrepresentation happens when anything in the financial accounts is not treated appropriately, implying that the applicable financial reporting framework, particularly IFRS, has not been applied effectively.

The following are some examples of misstatement that can occur as a result of human error or fraud:

· An inaccurate amount was recognized, such as when an asset was not appraised in compliance with the appropriate IFRS requirement.

· An item is misclassified; for example, finance costs are included in cost of sales in the profit and loss statement.

· The presentation is ineffective; for example, the results of discontinued operations are not displayed individually.

· A contingent liability disclosure is missing or inadequately detailed in the notes to the financial statements; for example, a disclosure related to a contingent liability is incorrect, or a deceptive disclosure has been added as a result of management bias.

Management is responsible for correcting any errors brought to their attention by the auditor. If management refuses to rectify any or all of the misstatements, ISA 450 requires the auditor to learn about management's reasons for not making the corrections and to include that information when determining whether the financial statements are free of material misrepresentation as a whole.

 

Practice:

According to ISA 450, the auditor must inform those in charge of governance of uncorrected misstatements and the impact they would have on the auditor's report's conclusion, either individually or collectively. The auditor's communication should identify important uncorrected misstatements one by one, and it should request that the misstatements be addressed. The auditor may examine the reasons for, and the ramifications of, a failure to correct misstatements with those in charge of governance, as well as probable repercussions for future financial statements.

 

Reference:      https://bit.ly/3wRCcpe

https://bit.ly/3wVJNTA

Friday, March 18, 2022

ISA (UK) 330: The Auditor’s Responses To Assessed Risks

The auditor's goal is to collect enough suitable audit evidence regarding the assessed risks of material misstatement, and to design and implement effective responses to those risks. The auditor is responsible for developing and implementing overall responses to the risks of material misstatement in the financial statements.

Test of controls as defined by ISA (UK) 330 – An audit procedure designed to evaluate the operating effectiveness of controls in preventing, or detecting and correcting, material misstatements at the assertion level.

Examining a sample of purchase orders to confirm that they have been properly authorized would be a control test. A 'yes' response indicates that the internal control requiring purchase order permission is operational, whereas a 'no' response indicates that the internal control does not appear to be operational, necessitating further audit inquiry.

 

Substantive procedure as defined by ISA (UK) 330 – An audit procedure designed to detect material misstatements at the assertion level. Substantive procedures comprise:

(i) Tests of details (of classes of transactions, account balances, and disclosures); and

(ii) Substantive analytical procedures.

According to ISA 330, the auditor must always execute substantive procedures on material items, regardless of the risk of material misstatement, and must design and perform substantive procedures for each material class of transactions, account balance, and disclosure. Invariably, substantive procedures will need more effort than control testing. Consider the example of a manufacturing company's purchasing system and the assertion of account balances' existence in the statement of financial position. Typical tests of details would entail obtaining and examining the closing purchase ledger account balances for a sample of purchase ledger accounts with selected suppliers, as well as some physical verification of year-end balances outstanding. Typically, this entails agreeing the closing balance figure to the supplier's statement, or even asking for third-party confirmation from the supplier of the amount owing.

An effective control environment may enable the auditor to have greater confidence in internal control and the reliability of audit evidence generated internally within the entity, allowing the auditor, for example, to conduct some audit procedures at an interim date rather than at the end of the period. Deficiencies in the control environment, on the other hand, have the opposite impact; for example, an ineffective control environment may prompt the auditor to:

· Conduct more audit procedures at the end of the period rather than at an interim date;

· Obtain more extensive audit evidence from substantive procedures;

· Expand the audit scope to include more locations.

 

Practice:

Control tests are often brief, rapid audits, whereas substantive procedures will necessitate more extensive auditing. According to ISA 330, the auditor must design and perform substantive procedures for each type of transaction, account balance, and disclosure, regardless of the assessed risks of material misstatement.

 

Reference:      https://bit.ly/34QrvaI

https://bit.ly/3uawuvw

Thursday, March 10, 2022

ISA (UK) 315: Identifying and Assessing the Risks of Material Misstatement Through Understanding of the Entity and Its Environment

 The auditor's goal is to detect and analyze the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, so that responses to the estimated risks of material misstatement can be designed and implemented. ISA 315 (Revised) outlines the reasons "why" risk assessment processes should be performed, as well as "what" has to be evaluated and "how" it should be assessed.

The following steps for risk assessment must be followed:

(a) Inquiries of management, suitable personnel within the internal audit function (if one exists), and others inside the organization who, in the auditor's opinion, may have knowledge that can help detect substantial misstatement risks due to fraud or error.

(b) Analytical procedures.

(c) Inspection and observation.

In September 2019, the International Audit and Assurance Standards Board (IAASB) authorized major revisions to ISA 315. The modifications will apply to financial statement audits for periods beginning on or after December 15, 2021. The adjustments will have far-reaching consequences, requiring businesses of all kinds to rethink their risk-assessment strategies. The key areas of the revisions are shown below.

· Subjectivity, complexity, uncertainty, change, and susceptibility to misstatement due to managerial bias or fraud are five new inherent risk characteristics that have been introduced to aid in risk assessment.

· A new risk spectrum has emerged, with major dangers at the higher end.

· The risk evaluation must be based on "adequate, appropriate" evidence acquired via risk assessment methods.

· There will be a lot greater emphasis on IT, particularly on IT general controls.

· More on audit-relevant controls, as well as the design and implementation effort that goes into them.

· The removal of smaller entity considerations as a separate category of paragraph and the inclusion of that content inside the main body of the text, as well as the addition of new material.

 

Practice:

The improvements attempt to improve the quality and consistency of risk evaluations while also encouraging professional skepticism. Understanding the nature and scope of the required modifications will be a major task for those conducting ISA audits. ISA 315 (Revised) contains new and updated content for understanding IT and general IT controls, as well as expanded auditor concerns relating to IT. The auditor must be aware of how the entity handles data and how it is used within the organization. The accounting records, how information is gathered and maintained, and how these flow into the accounts in the financial statements should all be understood.

 

References:    https://bit.ly/3vRIswE

https://bit.ly/34ujhF2

https://bit.ly/3HSVLPO

https://bit.ly/3Kv5nlt

Thursday, March 3, 2022

ISA (UK) 265: Communicating Deficiencies in Internal Control to Those Charged with Governance and Management

 The auditor's goal is to report to those charged with governance and management any flaws in internal control that the auditor discovered during the audit and that, in the auditor's professional opinion, are important enough to warrant their attention. When identifying and assessing the risks of material misstatement, the auditor must have a thorough understanding of the internal controls that are relevant to the audit.  In making those risk assessments, the auditor considers internal control in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control. Internal control deficiencies may be discovered by the auditor not only during the risk assessment process but also at any other stage of the audit. This ISA (UK) defines which detected problems the auditor must notify to those charged with governance and management.

The auditor may examine the following factors when deciding whether a defect in internal control or a combination of failures constitutes a substantial deficiency.

· The possibility of major misstatements while preparing the financial statements in the future as a result of internal control weaknesses.

· The associated asset's or liability's susceptibility to loss or fraud.

· The subjectivity and complexity involved in determining estimated amounts, such as fair value accounting estimates.

· The amounts on the financial statement that are vulnerable to flaws.

· The amount of activity in the account balance or class of transactions exposed to the shortfall or deficiencies that have occurred or could occur.

· The value of controls in the financial reporting process, such as:

    · General monitoring controls (such as oversight of management).

    · Controls over fraud prevention and detection.

    · Controls over the selection and application of major accounting policies.

    · Controls over major transactions involving associated parties.

    · Controls over large transactions that occur outside of the normal course of business.

    · Period-end financial reporting process controls (such as non-recurring journal entry controls).

· The reason for the exceptions found as a result of control flaws, as well as the frequency with which they occur.

· The interaction of the weakness with other internal control problems.

Practice:

Internal control problems that have been identified may call into doubt management's integrity or competence. For example, there could be proof of management fraud or purposeful non-compliance with rules and regulations, or management could show an incapacity to oversee the preparation of the proper financial statements, raising questions about management's competency. As a result, it may not be acceptable to inform management about such deficiencies immediately. When an auditor discovers or suspects fraud involving management, ISA (UK) 240 establishes requirements and provides guidance on how to communicate with those charged with governance.

Reference:      https://bit.ly/35NC6U9