SSA 330 – The Auditor’s Responses to Assessed Risks

SSA 330 Summary

The SSA concerns the auditor’s responsibility to design and implement responses to ROMM at the financial statement (FS) level.

There are two types of testing: substantive procedures (test of details and substantive analytical procedures) and test of controls.

In deciding whether to perform further audit procedures, the auditor should look at likelihood of MM and whether the risk assessment takes account of relevant controls.

Auditor should test controls if auditor’s assessment of ROMM at the assertion level includes expectation that controls are operating effectively. They should also look at consistency of the controls and who applied the controls.

Test of controls are performed only on those controls that the auditor determined are suitably designed to prevent, or detect and correct, a material misstatement in an assertion. Inquiry alone is not sufficient to test operating effectiveness of controls and must be combined with inspection/re-performance of control.

Audit evidence obtained during an interim period can be used, but there needs to understand what are significant changes to these controls during the finals. If auditor wishes to rely on audit evidence from previous audits, same issue. Retesting controls must be done at least in every third year.

Controls over significant risks like revenue must be tested yearly. If there are deviation in controls, they may be a need to test additional controls or potential ROMM need to be addressed using substantive procedures (including test of details). There may be a need to perform more test of details if test of controls are unsatisfactory as the auditor cannot rely on such controls.

Substantive procedures need to be designed for every material class of transactions, and consider the need for external confirmation procedures. Substantive procedures should be extended to year end period if they were only performed during interim period.

Material FS assertions must be obtained, or if not, a qualified opinion might be issued.

In order to respond to ROMM, the auditor may provide more supervision, assign more staff, change the nature, extent and timing of audit procedures etc.

If the control environment is strong, more controls can be tested during interims as compared to finals.

For IT processing, it may not be necessary to increase the extent of testing of an automated control, due to inherent consistency of IT processing. However, there is a need to ensure that there are no unauthorised changes to program change controls etc. SSA530 concerns audit sampling.

pic_internal_audit_big

Advertisements

SSA 300 – Planning an Audit of Financial Statements

Good planning can really help to focus the audit and make it more efficient and effective.

The objective of the auditor is to plan the audit so that it will be performed in an effective manner.

Engagement partner and key members of the engagement shall plan and discuss the planning with the team.

The auditor needs to perform procedures on client relationship and engagement, evaluate compliance with ethical requirements and understand the terms of the engagement.

The audit plan shall include the nature, extent, timing of planned audit procedures and also the resources required to complete the audit. The audit strategy can be modified as the audit progresses. The extent of supervision also needs to be planned.

The audit plan and strategy must be part of audit documentation (can be memorandum form, checklists etc). Significant changes to the audit plan needs to be explained. Planning needs to consider things like analytical procedures, understanding of legal framework, materiality, involvement of experts etc.

auditing-service-singapore

SSA 265 – Communicating Deficiencies in Internal Control to those Charged with Governance and Management

SSA 265 Summary

The auditor is required to obtain an understanding of internal control relevant to the audit when identifying and assessing the risks of material misstatement. Auditor can consider internal control when developing audit procedures, but there is no need to express opinion on internal control effectiveness.

The auditor needs to communicate appropriately with those charged with governance (CWG) on any deficiencies (must explain potential effects) in internal control identified during the audit. This must be done in writing. However, it is okay if there is earlier communication orally. The level of detail in the communication depends on auditor’s professional judgment.

Auditor should clarify with appropriate level of management (one that has authority to evaluate deficiencies and take necessary remedial action) if one or more deficiencies in internal control are identified. If the finding calls into question management’s integrity/competence, it may not be appropriate to discuss it directly with management.

This SSA also indicates examples and indications of significant deficiencies in internal control.

If the significant deficiency is not rectified in prior years, the auditor can communicate the same deficiency in the current year.

The communication of other deficiencies (not significant) may be communicated to management orally only. Communication of this to those CWG is also optional and dependent on the auditor’s professional judgment.

auditing-service-singapore

 

SSA 240 Auditors’ Responsibilities Relating to Fraud

This SSA concerns auditor’s responsibilities relating to fraud in an audit of FS.

Misstatements can be either due to error or fraud. If it’s fraud, there are 2 kinds, namely, fraudulent financial reporting or misappropriation of assets.

Management and those charged with governance are responsible for the prevention and detection of fraud. There should be a strong culture of honesty and ethical behaviour.

The auditor is responsible for providing reasonable assurance that the FS as a whole is free of material misstatement, whether caused by fraud or error. Frauds are often concealed and hence, the inherent limitations are larger. It is difficult to determine whether misstatements are due to fraud or error. Management fraud is even harder to detect due to management override of controls.

Auditor needs to assess ROMM due to fraud and also to respond to fraud/suspected fraud during the audit. Auditors need to be aware of the fraud risk factors that can be perpetuated by management. They need to maintain professional scepticism throughout the audit.

There needs to be a discussion among engagement team on how the FS can be susceptible to ROMM due to fraud, and how fraud might occur.

The auditor should question the management on what is management’s assessment of fraud risks. They should understand management’s fraud risk assessment, and the escalation process. Auditor should ask whether management has knowledge about any suspected fraud etc. It is also possible to ask the IA team about it. It is also good to understand how those charged with governance maintain oversight of fraud risk management.

Unusual relationships using analytical procedures for revenue accounts should be identified and assessed. The auditor should also examine fraud risk indicators as these are potential ROMM.

There is a presumed risk of fraud in revenue recognition and the auditor needs to investigate further. The auditor should incorporate elements of unpredictability in the testing (use different sampling methods etc, surprise audit etc) and see whether the accounting policies are subject to subjective measurements etc.

There is also a presumed risk of management override of controls. As such, the auditor needs to test appropriateness of the journal entries in the GL and adjustments made. They need to select JE near the end of the reporting period and may test JE/adjustments throughout the audit period. There is a need to review estimates for biases and determine whether they are reasonable.

Analytical procedures should be performed and an assessment must be made on whether it is in line with normal business practices/trends.

If auditor is unable to carry on the engagement, he may withdraw or report to the relevant authorities.

The auditor needs to obtain written representations from management that they acknowledge the responsibility for the design, implementation and maintenance of internal controls to prevent and detect fraud. They also need to disclose potential fraud cases and management’s assessment of the risk of fraud.

If auditor suspects fraud, this must be disclosed to those charged with governance. The auditor can also consider reporting it to the regulatory authorities.

Auditor needs to keep documentation on the understanding of entity’s environment and assessment of ROMM.

The fraud triangle: incentive (eg earning management so that can get more bonus. The auditor should analyse incentives that relate to the entity’s environment); opportunity (poor internal controls); rationalisation (sufficient pressure, poor character etc)

The SSA also goes into detail about how fraud may be perpetuated in relation to financial reporting and misappropriation of assets.

Management is often in the best position to perpetuate fraud.  

There is a need to understand oversight exercised by those charged with governance. Fraud risks cannot be ranked easily.

It is possible to rebut the risk of fraud in revenue recognition if the revenue stream is simple and straightforward.

Management may not implement every control to combat fraud due to the cost-benefit analysis. Therefore, it is important for the auditor to understand which such controls are.

For accounting estimates, auditor needs to perform a retrospective review of management judgments and assumptions related to significant accounting estimates in the prior year. This is also required under SSA540. The auditor needs to look out and question complex transactions.

The SSA describes many other procedures the auditor can perform.

pic_internal_audit_big

SSA 230 – Audit Documentation

SSA230 Summary (Nov 2015)

This SSA concerns the auditor’s responsibility to prepare audit documentation for an audit of financial statements.

The objective of documentation is to have a sufficient record of the basis of auditor’s report. Documentation serves as evidence that audit was planned in accordance with SSAs, applicable legal and regulatory requirements.

Audit documentation shall be prepared on a timely basis.

The documentation should be sufficient to enable an experienced auditor to understand. It shall include nature, timing and extent of audit procedures (including identifying characteristics of specific items tested, who performed the work and when, who reviewed the work and when), results of audit procedures, audit evidence obtained and significant matters arising during the audit.

Auditor should document discussions of significant matters with management and the nature of matters discussed, and the venue, personnel involved and timing of discussion.

Auditor shall assemble the audit documentation in an audit file and assemble the final audit file after date of audit report. Any modifications subsequently must be explained and by when/whom they were made.

Audit documentation should include things like audit program, analyses, issues memoranda, summaries of significant matters, letters of confirmation and representation, checklists, correspondences concerning significant matters.

Superseded/draft documents or audit reports need not be included in the audit file. It is not necessary to have a checklist for compliance with matters if compliance is already demonstrated by documents within the audit file.

Ultimately, the form/content/extent of audit documentation of significant matters is a matter of professional judgment.

There is no requirement per se to have every specific working paper to have evidence of review, but there needs to be documenting of what audit work was reviewed, who reviewed such work and when it was reviewed.

SSQC1 stipulates that the appropriate time limit to complete assembly of final audit file is not more than 60 days after date of auditor’s report. Companies need to establish P&P for retention of engagement documentation. Retention period is no shorter than 5 years from date of auditor’s report.

Internal-Audit

audit financial company tax investigation process business accounting

SSA 210 – Agreeing the Terms of Audit Engagement

This SSA is effective after periods ending 15 Dec 2016.

This SSA deals with auditor’s responsibilities in agreeing the terms of the audit engagement with management and those charged with governance.

The objective of the auditor is to accept or continue an audit engagement only when the basis upon which it is to be performed has been agreed:

  1. a) Establish whether preconditions for an audit are present; and b) confirm whether there is a common understanding between auditor and management

Preconditions are firstly that the FR framework is acceptable. Next, management understands its responsibility to prepare FS in accordance with the FR framework and to have internal controls to enable the preparation of FS to be free from material misstatement, whether due to fraud or error (via a management representation to the auditor). Agreeing the terms of the audit engagement will help avoid misunderstanding about one another’s responsibilities.

Management should allow the auditor (i) access to information; (ii) any additional information; (iii) unrestricted access to persons for whom the auditor determines necessary to obtain audit evidence.

If the preconditions are not met, auditor shall discuss with management and auditor will consider not to accept the proposed engagement. If not possible due to law/regulations, auditor will need to explain to management the importance of these matters and implications for the auditor’s report.

Auditor needs to draft an engagement letter. Auditor should not agree to changes to the terms when there is no reasonable justification for doing so, for instance from changing from an audit engagement to a review engagement in order to avoid the qualified opinion that will be issued by the auditor. If there are changes, both parties will need to acknowledge them.

Assurance and audit engagements may only be accepted when the practitioner considers that relevant ethical requirements such as independence and professional competence will be satisfied, and when the engagement exhibits certain characteristics.

Some general purpose frameworks are the Financial Reporting Standards (FRS) promulgated by the Accounting Standards Council etc.

Please read the SSA for more details of what sections are required in the engagement letter.

For Singapore incorporated companies, the description of responsibilities for the financial statements is as follows:

Management is responsible for the preparation of FS that give a true and fair view in accordance with the provision of the Companies Act, Chapter 50 and Financial Reporting Standards in Singapore, and for devising and maintaining a system of internal accounting controls sufficient to provide a reasonable assurance that assets are safeguarded against loss from unauthorized use or disposition; and transactions are properly authorized and that they are recorded as necessary to permit the preparation of true and fair financial statements and to maintain accountability of assets.

auditing-service-singapore

IIA Magazine Feb 2016 Issue

This is the 75th year of the anniversary of the IIA.

Capturing the Moment. Experts from around the globe provide a snapshot of the profession, discussing key issues impacting IA. In the past, IA was more focused on hindsight, it is now more about foresight too. Often, some IA staff may want to move to other departments. It is critical to find a clear path ahead for IA. Some of them might just want to stay in the profession forever. There has a clear shift from compliance to risk based audits. It is also good to volunteer for the profession. Combined assurance is also becoming more widely used. Students should try to contact the industries and ask for challenging assignments on IA. IA should set aside a portion of their paycheck every month to attend training etc. Work objectives should be clear and there must be clear communication. IA can also provide assurance on the management of strategy risks. IA can also add value to process effectiveness.

A Career on Point. There are many more women in this profession. IA has matured and many have viewed this function more positively now. To some, IA seems interesting and challenging. It is good as it helps you prepare for a leadership role.

Expanding the Foundation. Required audit competencies have changed considerably over the years, placing more and more emphasis on technology, business acumen and soft skills. IA is now a very respected profession. Effectiveness and efficiency are the hallmarks now. Information has increased over time and data analytics is being used more frequently nowadays. Soft skills and business acumen are very important too. Nowadays, it is good for IA to possess leadership capabilities and strategic thinking capabilities. There is a need for long-term adaptability, continuous learning etc.

Changing with the Profession. The IPPF has a history of adapting to meet stakeholder and member needs. They often listen to the needs of the profession. Now, the framework is more broad and flexible in its approach. The Standards are separated into attribute, performance and implementation types.

Twenty-first Century Milestones. Over the last 15 years, several watershed events helped define the practice of IA. IA is never dull. The first is flagrant financial reporting fraud, with cases like Enron etc. IA cannot ignore controls over financial reporting. The next is financial markets meltdown. The dotcom crash and the subprime crisis wreaked chaos throughout. ERM grew in stature as a result of all these meltdowns. The 3 lines of defence is all the more important in recent times. The next 2 big issues were cybersecurity and bribery and corruption.

The Perception of Value. A comparison of 2 IIA studies suggest internal audit may still have a long way to go in delivering stakeholder insight. Most IA are not meeting stakeholders’ expectations. Sometimes, there might be a lack of general management or operating insights within IA. Sometimes, IA also does not consult departments when developing audit plans.

Where We Are. Today’s IA enjoy greater stature within the organization and are working to meet ever-increasing expectations.

A Steady Progression. Audit professionals are in demand. IA needs to shape management’s expectations of them. IA should market themselves more. Cross-training and gaining exposure from other departments is the key. Auditors must be well-rounded and learn to take personal responsibility.

Conformance to the Standards. The top 10 non-conformance issues are: 1) Internal assessments; 2) reporting on the QAIP; 3) recognition of the definition of IA, code of ethics, standards in the IA charter; 4) external assessments; 5) QAIP; 6) requirements of the QAIP; 7) Engagement work program; 8) purpose, authority and responsibility; 9) co-ordination; 10) communication and approval

The ‘Anti-Fraud Moment’. Fighting fraud demands more than just awareness. There needs to be meaningful training when it comes to learning of skills. There is little training on red flag indicators. Create simple articles to share with employees. Record 5 minute training videos. Take advantage of live formal and informal skills training opportunities.

How Much Do Risks Really Change? The risk landscape shifts radically from 1 year to the next. It can changed a lot in 75 years. Global events can rock the market and commodity prices etc. Tech breakthroughs happen fast and world events disrupt things. Regulations change as well.

Internal Audit Fundamentals. The most basic skills remain largely unchanged. Critical thinking and communication are the key. Co-sourcing is an option when IA lacks certain technical skill sets.

Around the Globe. IA around the world are providing value to their organizations in a wide variety of ways and at different levels of complexity and sophistication. The role of IA may not be well-understood. Value demonstration is the key. Different auditors will be at different levels of proficiency and maturity.

Industry Roundup. The challenges IA face today are many and vary by sector. Public sector audit has moved beyond compliance or financial audits into performance auditing. There is also emphasis on effectiveness. There are sophisticated products in banking and safeguarding information is one of the key objectives. Money laundering is also a key area to watch. As for health care, there are issues like quality of service, compliance, data security are all big challenges.

A Different Perspective. IA’s business partners offer their views of the profession. Audit can identify opportunities for improvement throughout the organization. It is important to have a sharing environment. Technical skills matter a lot nowadays. IA should look at areas that management struggle with. IA should not hide or mask problems from management. Being able to understand IT etc would make IA more valuable.

Educating Auditors. Determining what IA students need to know now is a constant challenge. Being skilled in IA is a unique skill that is useful. It is possible to simulate real-world IA case studies for students. IA needs to be intellectually curious to learn more. One cannot speed up experience as time is required.

IA Future. IA allows one to understand the business. Do not miss the change to meet senior leaders.

‘I realized the role of IA aligned with many of my interests. I wanted to add value and bring a positive impact to a business while understanding how it operates, and IA presents opportunities not found in other roles within the company.’

IT Audit Trends and Foresight. Technology will continue to bring new risks for organizations. IA need to address the IOTs. We need to understand the inventory of devices and the type of data that is collected. One needs to understand the value of digital strategy.

The Changing Business World. Auditors can anticipate future developments by looking beyond their organization’s current business situation. Africa is going to grow fast in future. Businesses need to create space to think. IA needs to be able to anticipate new risks. IA can follow current affairs. Talk to customers to see how their needs are changing. IA is really looking to delight people.

Five Trends. Top global IA thinkers take a broad look at key issues that will shape the profession. The world is changing fast and risk are interdisciplinary. New risks must be understood and evaluated. IA can learn new ways of analysing and also develop strategic foresight. The compliance scope is continually expanding and making things more difficult. IA needs to link compliance activities to upstream processes and control improvements. It will be a challenge for lower the cost of compliance. Stakeholders are more demanding nowadays. IA must have knowledge of the various industries and any new business lines. Technology risk is getting more complicated. Data is becoming more prevalent and data analytics is getting more useful than ever before.

auditing-service-singapore