SSA 265 – Communicating Deficiencies in Internal Control to those Charged with Governance and Management

SSA 265 Summary

The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. Auditor can consider internal control when developing audit procedures, but there is no need to express opinion on internal control effectiveness.

The auditor needs to communicate appropriately with those charged with governance (CWG) on any deficiencies (must explain potential effects) in internal control identified during the audit. This must be done in writing. However, it is okay if there is earlier communication orally. The level of detail in the communication depends on auditor’s professional judgment.

Auditor should clarify with appropriate level of management (one that has authority to evaluate deficiencies and take necessary remedial action) if one or more deficiencies in internal control are identified. If the finding calls into question management’s integrity/competence, it may not be appropriate to discuss it directly with management.

This SSA also indicates examples and indications of significant deficiencies in internal control.

If the significant deficiency is not rectified in prior years, the auditor can communicate the same deficiency in the current year.

The communication of other deficiencies (not significant) may be communicated to management orally only. Communication of this to those CWG is also optional and dependent on the auditor’s professional judgment.

auditing-service-singapore

 

Advertisements

SSA 260 – Communication with Those Charged with Governance

SSA 260 – Communication with Those Charged with Governance

This SSA 260 concerns auditor’s responsibility to communicate with those charged with governance (CWG) in an audit of Financial Statements.

SSA 265 talks about the requirements to communicate (in writing), in a timely manner, significant deficiencies to those CWG.

There is a need for two-way communication between the auditor and those CWG.

Management also needs to communicate important matters to those CWG.

Some of the things to be communicated by the auditor are auditor’s responsibilities (express opinion on the FS, significant risks etc), scope and timing of the audit. In additions, matters like accounting policies, accounting estimates and financial statement disclosures should be communicated. Other things include whether the firm has complied with relevant ethical requirements regarding independence, safeguards to eliminate threats of independence. Significant difficulties faced in the audit should also be highlighted.

A subgroup of those CWG could be the audit committee. Auditor must assess whether this must also be highlighted to the Board.

Good governance principles highlight that (i) Auditor will be invited to attend meetings of the AC; (ii) Chair of the AC and other members will liaise with the auditor periodically; (iii) AC will meet the auditor without management’s presence.

Often, critical accounting estimates and critical accounting policies or practices are required to be disclosed in the FS.

pic_internal_audit_big

SSA 250 – Consideration of Laws and Regulations in an Audit of FS

This SSA is for periods after 15 Dec 2009.

This SSA concerns auditor’s responsibility to consider laws and regulations in an audit of FS.

There are many sorts of possible laws and regulations: regulated industries, OSH, equal employment opportunity. However, not all will affect the FS.

It is management’s responsibility, with the oversight of those charged with governance, to ensure entity’s operations are conducted in accordance with the provisions of laws and regulations.

This SSA will help the auditor to identify material misstatements of the FS due to non-compliance with laws and regulations. There is an inherent risk that auditor may not uncover all of them due to (i) many laws and regulations that affect operations and do not affect the FS; (ii) collusion or management override of controls; (iii) whether an act is a non-compliance should be determined by a court of law.

Generally, the auditor should be concerned with those laws/regulations that have a direct determination of material amounts and disclosures in the FS, like tax laws etc. For other laws/regulations, auditor only needs to consider those non-compliance that has material effect on FS.

Auditor is expected to maintain professional skepticism throughout the audit.

Auditor needs to obtain audit evidence regarding laws/regulations that have an impact on the FS.

Auditor needs to understand the entity and the environment and the legal regulatory framework for the entity/industry and how is the entity complying.

Written representations from management on compliance/non-compliance should be obtained.

If auditor suspects non-compliance, investigation into the effect on the FS must be performed. If insufficient evidence is obtained or management cannot demonstrate compliance, the auditor shall consider modifying the audit opinion.

There must be audit documentation on identified or suspected non-compliance and relevant correspondences.

Management can institute controls like monitoring of legal requirements, internal controls for systems, develop a code of conduct, ensuring employees are trained, monitor compliance with the code of conduct, engage legal advisors etc, in order to ensure compliance with laws and regulations.

Internal-Audit

audit financial company tax investigation process business accounting

SSA 240 Auditors’ Responsibilities Relating to Fraud

This SSA concerns auditor’s responsibilities relating to fraud in an audit of FS.

Misstatements can be either due to error or fraud. If it’s fraud, there are 2 kinds, namely, fraudulent financial reporting or misappropriation of assets.

Management and those charged with governance are responsible for the prevention and detection of fraud. There should be a strong culture of honesty and ethical behaviour.

The auditor is responsible for providing reasonable assurance that the FS as a whole is free of material misstatement, whether caused by fraud or error. Frauds are often concealed and hence, the inherent limitations are larger. It is difficult to determine whether misstatements are due to fraud or error. Management fraud is even harder to detect due to management override of controls.

Auditor needs to assess ROMM due to fraud and also to respond to fraud/suspected fraud during the audit. Auditors need to be aware of the fraud risk factors that can be perpetuated by management. They need to maintain professional scepticism throughout the audit.

There needs to be a discussion among engagement team on how the FS can be susceptible to ROMM due to fraud, and how fraud might occur.

The auditor should question the management on what is management’s assessment of fraud risks. They should understand management’s fraud risk assessment, and the escalation process. Auditor should ask whether management has knowledge about any suspected fraud etc. It is also possible to ask the IA team about it. It is also good to understand how those charged with governance maintain oversight of fraud risk management.

Unusual relationships using analytical procedures for revenue accounts should be identified and assessed. The auditor should also examine fraud risk indicators as these are potential ROMM.

There is a presumed risk of fraud in revenue recognition and the auditor needs to investigate further. The auditor should incorporate elements of unpredictability in the testing (use different sampling methods etc, surprise audit etc) and see whether the accounting policies are subject to subjective measurements etc.

There is also a presumed risk of management override of controls. As such, the auditor needs to test appropriateness of the journal entries in the GL and adjustments made. They need to select JE near the end of the reporting period and may test JE/adjustments throughout the audit period. There is a need to review estimates for biases and determine whether they are reasonable.

Analytical procedures should be performed and an assessment must be made on whether it is in line with normal business practices/trends.

If auditor is unable to carry on the engagement, he may withdraw or report to the relevant authorities.

The auditor needs to obtain written representations from management that they acknowledge the responsibility for the design, implementation and maintenance of internal controls to prevent and detect fraud. They also need to disclose potential fraud cases and management’s assessment of the risk of fraud.

If auditor suspects fraud, this must be disclosed to those charged with governance. The auditor can also consider reporting it to the regulatory authorities.

Auditor needs to keep documentation on the understanding of entity’s environment and assessment of ROMM.

The fraud triangle: incentive (eg earning management so that can get more bonus. The auditor should analyse incentives that relate to the entity’s environment); opportunity (poor internal controls); rationalisation (sufficient pressure, poor character etc)

The SSA also goes into detail about how fraud may be perpetuated in relation to financial reporting and misappropriation of assets.

Management is often in the best position to perpetuate fraud.  

There is a need to understand oversight exercised by those charged with governance. Fraud risks cannot be ranked easily.

It is possible to rebut the risk of fraud in revenue recognition if the revenue stream is simple and straightforward.

Management may not implement every control to combat fraud due to the cost-benefit analysis. Therefore, it is important for the auditor to understand which such controls are.

For accounting estimates, auditor needs to perform a retrospective review of management judgments and assumptions related to significant accounting estimates in the prior year. This is also required under SSA540. The auditor needs to look out and question complex transactions.

The SSA describes many other procedures the auditor can perform.

pic_internal_audit_big

SSA 230 – Audit Documentation

SSA230 Summary (Nov 2015)

This SSA concerns the auditor’s responsibility to prepare audit documentation for an audit of financial statements.

The objective of documentation is to have a sufficient record of the basis of auditor’s report. Documentation serves as evidence that audit was planned in accordance with SSAs, applicable legal and regulatory requirements.

Audit documentation shall be prepared on a timely basis.

The documentation should be sufficient to enable an experienced auditor to understand. It shall include nature, timing and extent of audit procedures (including identifying characteristics of specific items tested, who performed the work and when, who reviewed the work and when), results of audit procedures, audit evidence obtained and significant matters arising during the audit.

Auditor should document discussions of significant matters with management and the nature of matters discussed, and the venue, personnel involved and timing of discussion.

Auditor shall assemble the audit documentation in an audit file and assemble the final audit file after date of audit report. Any modifications subsequently must be explained and by when/whom they were made.

Audit documentation should include things like audit program, analyses, issues memoranda, summaries of significant matters, letters of confirmation and representation, checklists, correspondences concerning significant matters.

Superseded/draft documents or audit reports need not be included in the audit file. It is not necessary to have a checklist for compliance with matters if compliance is already demonstrated by documents within the audit file.

Ultimately, the form/content/extent of audit documentation of significant matters is a matter of professional judgment.

There is no requirement per se to have every specific working paper to have evidence of review, but there needs to be documenting of what audit work was reviewed, who reviewed such work and when it was reviewed.

SSQC1 stipulates that the appropriate time limit to complete assembly of final audit file is not more than 60 days after date of auditor’s report. Companies need to establish P&P for retention of engagement documentation. Retention period is no shorter than 5 years from date of auditor’s report.

Internal-Audit

audit financial company tax investigation process business accounting

SSA 210 – Agreeing the Terms of Audit Engagement

This SSA is effective after periods ending 15 Dec 2016.

This SSA deals with auditor’s responsibilities in agreeing the terms of the audit engagement with management and those charged with governance.

The objective of the auditor is to accept or continue an audit engagement only when the basis upon which it is to be performed has been agreed:

  1. a) Establish whether preconditions for an audit are present; and b) confirm whether there is a common understanding between auditor and management

Preconditions are firstly that the FR framework is acceptable. Next, management understands its responsibility to prepare FS in accordance with the FR framework and to have internal controls to enable the preparation of FS to be free from material misstatement, whether due to fraud or error (via a management representation to the auditor). Agreeing the terms of the audit engagement will help avoid misunderstanding about one another’s responsibilities.

Management should allow the auditor (i) access to information; (ii) any additional information; (iii) unrestricted access to persons for whom the auditor determines necessary to obtain audit evidence.

If the preconditions are not met, auditor shall discuss with management and auditor will consider not to accept the proposed engagement. If not possible due to law/regulations, auditor will need to explain to management the importance of these matters and implications for the auditor’s report.

Auditor needs to draft an engagement letter. Auditor should not agree to changes to the terms when there is no reasonable justification for doing so, for instance from changing from an audit engagement to a review engagement in order to avoid the qualified opinion that will be issued by the auditor. If there are changes, both parties will need to acknowledge them.

Assurance and audit engagements may only be accepted when the practitioner considers that relevant ethical requirements such as independence and professional competence will be satisfied, and when the engagement exhibits certain characteristics.

Some general purpose frameworks are the Financial Reporting Standards (FRS) promulgated by the Accounting Standards Council etc.

Please read the SSA for more details of what sections are required in the engagement letter.

For Singapore incorporated companies, the description of responsibilities for the financial statements is as follows:

Management is responsible for the preparation of FS that give a true and fair view in accordance with the provision of the Companies Act, Chapter 50 and Financial Reporting Standards in Singapore, and for devising and maintaining a system of internal accounting controls sufficient to provide a reasonable assurance that assets are safeguarded against loss from unauthorized use or disposition; and transactions are properly authorized and that they are recorded as necessary to permit the preparation of true and fair financial statements and to maintain accountability of assets.

auditing-service-singapore

SSA 220 – Quality Control for an Audit of Financial Statements

This SSA concerns the responsibilities of the auditor relating to quality control procedures and also the responsibilities of the EQCR (engagement quality control reviewer). This is necessary in order to comply with SSQC1. EQCR is useful as it gives assurance that the audit complies with professional standards and applicable legal and regulatory requirements.

The engagement partner shall take responsibility for the overall quality on each audit engagement. Quality is essential in performing audit engagements. He needs to remain alert for evidence of non-compliance with ethical requirements (ACRA code). If there is non-compliance, appropriate action must be taken.

The partner also needs to assess and conclude on the independence requirements (eliminate the activity, withdraw the engagement if not-independent). He needs to be satisfied on appropriate procedures in relation to acceptance and continuance of client relationships and audit engagements. He needs to be satisfied that the engagement team has the right competence and capabilities. He is also responsible for the right direction, supervision (track progress of engagement, address significant matters, identify matters for consultation) and performance of the audit engagement.

In addition, they are responsible for consultations that are taken within the engagement team.

For audits that require EQCR, the partner shall discuss significant matters arising during the engagement with the EQCR reviewer. The audit report should only be stated on or after the EQCR review and the EQCR should be conducted in a timely manner.

The EQCR needs to look at discussion of significant matters, review of FS, review of selected audit documentation and evaluation of the conclusions reached. They also might need to examine independence of the audit firm, and whether there is appropriate consultation.

There needs to be a proper monitoring process for EQCR as well, and to ensure that P&P relating to system of quality control are relevant, adequate and operating effectively. Partners can usually rely on the system of quality control and the role of engagement teams.

Reviews by the engagement partner must be timely in nature and they should examine areas like critical areas of judgment, significant risks, other areas etc. The engagement partner need not review all audit documentation, but may do so. However, as required by SSA230, the partner documents the extent and timing of the reviews.

pic_internal_audit_big