When we examine the findings of professional bodies and those of Mercia reviewers, a number of ISAs surface to the top time and time again as areas that require improvement, and that are the root cause of much of the weaknesses identified on files during quality reviews. Not necessarily in order, but the following are in the spotlight (unfortunately in a negative way):
- ISA 230 – Audit Documentation;
- ISA 315 - Identifying and assessing the risks of material misstatement through understanding the entity and its environment; and
- ISA 500 – Audit Evidence.
ISA 230 – Audit Documentation
In the case of ISA 230, one of the most common problems is failing to record material aspects of the audit work, or the link between the audit evidence and the final conclusion of the audit. We regularly see monitoring inspection comments referring to a lack of documentation on those files reviewed of the “nature, timing and extent of the audit procedures performed”. In order words, there is an apparent gap in telling the “story” of the audit work undertaken on file i.e. what audit work was undertaken, when and to what extent.
One of the key takeaway points at an audit training course for staff is always to ensure that staff understand that the audit working papers on files must properly record and summarise the audit objectives / assertions tested, the method used to test a given assertion, the results obtained from the procedures performed and lastly (but very importantly) the conclusion reached. Quite often a firm does not give itself the credit, so to speak, for the audit work it has actually done by not properly / fully documenting it. It can quite often come out in a discussion with the audit engagement partner and senior staff following a cold file review, that they had performed additional audit work over and above that which had been recorded on file, but they concede that they did not document it and unfortunately if it’s not there “in black and white” you don’t get the credit for it. Reviewers tend to work off the assumption that if something hasn’t been documented then it hasn’t been done!
ISA 315 - Identifying and assessing the risks of material misstatement through understanding the entity and its environment
This ISA is one of the larger auditing standards, and one of the standards that unfortunately features in many quality review inspection reports as an area of weakness. This ISA’s scope deals with “the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control.” In essence, the auditor needs to gain a comprehensive understanding of the audit client under many headings (some of which may be more significant than others in terms of assessing risk for a given client) and to make sure that this understanding of the client and its business etc. is fully documented on file.
One of the issues we sometimes encounter during cold file reviews is that the documentation of the client background information has been compiled by a more junior member of the audit team, and through a lack of experience or awareness of the key elements relevant to the client, the documentation is not sufficiently comprehensive, or something fundamental has been overlooked or missed. It is always recommended that the person tasked with recording the background knowledge of the entity and its environment should be a senior member of the engagement team, as he or she will have a far greater chance due to their knowledge and experience of covering all the relevant bases and have a greater awareness of what is particularly pertinent in terms of risk in relation to the client.
Some of the sections within the recording of background information that tend to be problematic or in some instances possibly even overlooked include such areas, for example as, laws and regulations considerations, related parties, use of service organisations (ISA 402), use of accounting estimates etc. In addition, recording the auditor’s understanding of the client’s accounting systems and internal controls is often an area where improvement is required as the documentation on file can be all too brief or light on detail. Remember of course that ISA 315 (para. 13) also states that “When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel.” Unfortunately, in some cases the systems and controls documentation of itself may be well documented, but complimentary evidence of the auditor’s confirmation of the design and implementation of internal controls is lacking. This confirmation of design and implementation of internal controls is required as part of the risk assessment process irrespective of whether or not the auditor intends to place any reliance on internal controls or has any intention to perform controls testing at the fieldwork stage of the audit.
Where the auditor does not adequately assess risk through a lack of understanding of the client’s activities and internal controls, this can lead to an inappropriate audit plan and, consequently, audit evidence, which fails to address the risks of material misstatement of the financial statements.
ISA 500 – Audit Evidence
Frequently monitoring inspectors cite insufficient audit evidence as the main weakness on audit files. There are certain aspects that seem to crop up in reviews more than others, and these are also noted regularly on Mercia cold file reviews including issues / inadequacies relating to testing completeness of income / revenue, fixed assets testing (rights and obligations / ownership), stock (valuation testing), creditors (completeness testing). Other areas where professional judgment is required (e.g. goodwill or intangibles) can also cause problems.
On staff audit training courses, time is always well spent by highlighting / emphasising / reminding staff of the relevant audit assertions that related to profit and loss and balance sheet areas and to remind staff to always keep sight of the areas with the largest possible risk of material misstatement and to ensure that all of the key assertions that relate to those areas are fully addressed during the audit fieldwork stage. It is important that staff fully understand and appreciate what the purpose of the testing they undertake in a given area is for, and what assertions they need to focus on, in order to get sufficient and appropriate audit evidence. The direction of the testing performed is also a key consideration - for example when testing debit balances that we focus on overstatement and with credit balances we look for possible understatement etc. Clearly making sure that we get the right type of audit evidence and that we get enough evidence to provide a basis for our audit opinion is crucial, but so too is making sure that we fully record the evidence obtained which links us back to the first segment above on ISA 230.
To conclude, as mentioned at the outset of this article, the above ISAs have been highlighted from reviews by the professional bodies and from Mercia as being common areas of weakness, but of course there are other areas that also crop up within reviews quite regularly, including within the planning and risk assessment sections of audit files - For example, the use of sampling, materiality, analytical review etc. Documentation of the auditor’s consideration of compliance with the Ethical Standard for Auditors can also be a bit of a minefield in terms of staff understanding the threats to auditor independence and objectivity, and what safeguards can be applied and a common misunderstanding of when and how to use the provisions and exemptions available within Section 6 of the Ethical Standard (Provisions Available for Audits of Small Entities (PAASE)). Completion sections of files also have recurring problem areas including for example, recording of audit work regarding subsequent events and going concern etc.
Audit file reviews from Mercia incorporating SWAT
Each year, we carry out hundreds of audit file reviews for firms throughout the UK and Ireland.
Our experienced team can provide a range of reviews including cold file reviews and hot file reviews as well as audit compliance reviews to help you ensure that your audit quality is maintained.
All our reviews include a full written report, detailing the findings from the review and any recommendations.
We can also provide in-house training based on the findings from your file review, helping to develop the skills of your audit team. It also counts towards their CPD.
Find out more and book your audit file review today by contacting a member of our friendly team on the details below.
- Tel: 0330 058 7141
- Email: email@example.com
Republic of Ireland
- Tel: +353 (0)1 8090080
- Email: firstname.lastname@example.org