Audit and Technical Partner Leavitt Walmsley Associates Ltd
Top 10 audit problems revisited

21st Jan 2014
As audit firms get into gear to plan their December 2013 year-end audits, Steve Collings takes a look at 10 of the most common pitfalls flagged up by file reviewers and the professional bodies which auditors should try to avoid.

1. Engagement letter

One of the most frequent areas of concern relates to the letter of engagement between the auditor and the client. In rarer situations there is no letter of engagement between the client and the auditor at all. The importance of the engagement letter cannot be over-emphasised - not only to comply with ISA 210 Agreeing the terms of audit engagements but also to ensure that there is clear understanding as to the responsibilities of the auditor and the responsibilities of management.

Audit firms must ensure that the ‘preconditions’ for the audit, which are outlined in paragraph 6 to ISA 210, are also incorporated in the engagement letter. That paragraph requires the auditor to:

  • Determine whether the financial reporting framework to be applied in the preparation of the financial statements is acceptable
  • Obtain the agreement of management that it acknowledges and understands its responsibility:

      o For the preparation of the financial statements in accordance with the applicable financial reporting framework, including where relevant their fair presentation
      o For such internal control as management determines is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error
      o To provide the auditor with:
          ▪ Access to all information of which management is aware that is relevant to the preparation of the financial statements such as records, documentation and other matters
          ▪ Additional information that the auditor may request from management for the purpose of the audit
          ▪ Unrestricted access to persons within the entity from whom the auditor determines it necessary to obtain audit evidence

For recurring audits, the auditor is required (as per paragraph 13 to ISA 210) to assess whether circumstances require the terms of the audit engagement to be revised. In addition, ISA (UK and Ireland) 210 says that the auditor must also consider whether there is a need to remind the entity of the existing terms of the audit engagement.

2. Revenue recognition

Some reviewers have flagged up that audit evidence relating to revenue recognition in some cases is quite weak. Substantive testing for completeness will often start from the sales invoice to other supporting documentation rather than starting with the ‘source’ document (such as the customer order). It has also been flagged up that in some cases audit firms will use substantive analytical review procedures when such procedures are not likely to generate sufficient evidence and in these cases more detailed testing is likely to be more efficient and generate the required levels of evidence to support the assertions.

Some firms have also been criticised for rebutting the presumption of fraud in relation to revenue recognition as ‘not applicable’ to the client. The application and other explanatory material at paragraph A30 does acknowledge that the presumption that there are risks of fraud in revenue recognition may be rebutted, but some firms are rebutting this presumption with no apparent justification and for audit clients which do not necessarily have a single type of simple revenue transaction.

3. Fraud

ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements recognises that the risk of fraud due to management override of internal controls is a significant risk. To that end, the auditor has to set aside all beliefs concerning management’s honesty and integrity and apply professional scepticism when carrying out their audit. Because ISA 240 places management override of internal controls as a significant risk, the UK and Ireland ISA requires auditors to carry out the tests outlined in paragraph 32. This paragraph says that the auditor shall design and perform audit procedures to:

  • Test the appropriateness of journal entries recorded in the general ledger and other adjustments made in the preparation of the financial statements. In designing and performing audit procedures for such tests, the auditor shall:

      o Make inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the processing of journal entries and other adjustments
      o Select journal entries and other adjustments made at the end of a reporting period
      o Consider the need to test journal entries and other adjustments throughout the period

  • Review accounting estimates for biases and evaluate whether the circumstances producing the bias, if any, represent a risk of material misstatement due to fraud. In performing this review, the auditor shall:

      o Evaluate whether the judgments and decisions made by management in making the accounting estimates included in the financial statements, even if they are individually reasonable, indicate a possible bias on the part of the entity’s management that may represent a risk of material misstatement due to fraud. If so, the auditor shall re-evaluate the accounting estimates taken as a whole
      o Perform a retrospective review of management judgments and assumptions related to significant accounting estimates reflected in the financial statements of the prior year

  • For significant transactions that are outside the normal course of business for the entity, or that otherwise appear to be unusual given the auditor’s understanding of the entity and its environment and other information obtained during the audit, the auditor shall evaluate whether the business rationale (or the lack thereof) of the transactions suggests that they may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets

Audit firms must, therefore, ensure that they can demonstrate compliance with paragraph 32 as regulators will be on the lookout to ensure that the above procedures have been complied with.

It is also worth pointing out that in the team discussion, paragraph 15 to ISA 240 requires the team to place emphasis on how and where the entity’s financial statements may be susceptible to material misstatement due to fraud, including how fraud might occur. For example, the discussion may cover how management may override internal controls to perpetrate a fraud and how employees might manipulate weaknesses in internal controls to commit fraud.

Linked with ISA 240 is the requirement in ISA (UK and Ireland) 550 Related parties at paragraph 12 for the audit team to specifically consider the susceptibility of the financial statements to material misstatement due to fraud or error that could result from the entity’s related party relationships and transactions. Some file reviewers have criticised files that have not considered the susceptibility of the financial statements to material misstatement due to related party relationships/transactions.

4. Stock

If stock is material to the financial statements, then attendance at stocktake is required under ISA 501 Audit evidence - specific considerations for selected items unless it is impracticable to do so. Some firms have been criticised for not attending stocktakes on the grounds that it is inconvenient or too costly; these are not acceptable reasons.

Some audit firms have been criticised for failing to address the relevant assertions where stocktake attendance is concerned. For example, the auditor may test items from stock sheets to the physical inventory (which tests the existence assertion) but then not reverse the test (i.e. from physical inventory to stock sheets), which tests the completeness assertion.

To assist auditors, paragraph A2 to the application and other explanatory material says that attendance at physical inventory counting involves:

  • Inspecting the inventory to ascertain its existence and evaluate its condition, and performing test counts
  • Observing compliance with management’s instructions and the performance of procedures for recording and controlling the results of the physical inventory count
  • Obtaining audit evidence as to the reliability of management’s count procedures

5. Written representations

The first thing to avoid where written representations are concerned is viewing them as sufficient appropriate audit evidence in their entirety. Paragraph 4 to ISA 580 Written representations is specific on this point and says that:

“Although written representations provide necessary audit evidence, they do not provide sufficient appropriate audit evidence on their own about any of the matters with which they deal.”

The idea behind written representations, therefore, is that they complement existing audit evidence.

ISA 580 has an appendix which requires subject-matter specific written representations, so audit firms are encouraged to ensure that the written representations obtained from management include the following:

  • ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements - paragraph 39
  • ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements - paragraph 16
  • ISA 450 Evaluation of Misstatements Identified during the Audit - paragraph 14
  • ISA 501 Audit Evidence - Specific Considerations for Selected Items - paragraph 12
  • ISA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures - paragraph 22
  • ISA 550 Related Parties - paragraph 26
  • ISA 560 Subsequent Events - paragraph 9
  • ISA 570 Going Concern - paragraph 16(e)
  • ISA 710 Comparative Information - Corresponding Figures and Comparative Financial Statements - paragraph 9

6. Going concern

Professional regulators are still placing going concern as a high risk area of the audit due to the continued economic strains faced by companies. In some cases the work performed by the auditor on management’s assessment of the entity’s ability to continue as a going concern appears to be unclear. Other cases have indicated that the period of assessment by the directors is incorrect. Management must assess a period of 12 months from the date of approval of the financial statements when undertaking their going concern assessment. ISA 570 Going concern requires the auditor to evaluate management’s assessment of the entity’s ability to continue as a going concern and the auditor must use the same period of assessment as that used by management.

Auditors should remain alert where the UK and Ireland ISA is concerned as this says that the period used by those charged with governance in making their assessment is usually at least one year from the date of approval of the financial statements - not one year from the date of the financial statements.

Some reviewers have said that files they have reviewed generally contain forecasts (e.g. a cash flow forecast) which management have prepared to assess the entity’s ability to continue as a going concern. This forecast has generally been put on the audit file with no additional work performed on the forecast. Paragraph 16(c) to ISA 570 says that:

“Where the entity has prepared a cash flow forecast, and analysis of the forecast is a significant factor in considering the future outcome of events or conditions in the evaluation of management’s plans for future action:

  • Evaluating the reliability of the underlying data generated to prepare the forecast
  • Determining whether there is adequate support for the assumptions underlying the forecast.”

Auditors should therefore ensure that they test the assumptions underlying the forecast.

7. Documentation

The issue surrounding audit documentation always seems to crop up during reviews and always begs the question “how much is enough?” There is no ‘hard and fast’ rule where audit documentation is concerned and the reality is that the auditor must make a judgement based on the objective contained in ISA 230 Audit documentation. The objective of the auditor is to prepare documentation that provides:

  • A sufficient and appropriate record of the basis for the auditor’s report
  • Evidence that the audit was planned and performed in accordance with ISAs and applicable legal and regulatory requirements

The key point to note where audit documentation is concerned is that it is often very difficult to identify whether audit work has been carried out if it is not documented on file. For example, the audit engagement partner may be aware of facts or circumstances that are relevant (and material) to the current year’s audit but may not document such facts or circumstances. This could result in relevant audit procedures not being carried out.

Where the auditor holds discussions with management, those charged with governance and others about significant matters, these discussions must also be documented to comply with paragraph 10 in ISA 230. 

8. Two-way communication

Some firms have been informed that it is not always apparent from their files that they have considered the adequacy of the communication process. ISA 260 Communication with those charged with governance at paragraph 22 requires the auditor to evaluate the two-way communication between the auditor and those charged with governance to assess whether it has been adequate for the purpose of the audit.

Where the auditor concludes the two-way communication process has not been adequate, the auditor must then evaluate the effect (if any) on their assessment of the risks of material misstatement and the ability to obtain sufficient appropriate audit evidence and take appropriate action.

9. Subsequent events

Some reviewers have criticised firms for failing to carry out an appropriate subsequent events review to comply with ISA 560 Subsequent events. The purpose of this UK and Ireland ISA is to ensure that the auditor obtains sufficient appropriate evidence relating to events that occur between the balance sheet date and the date of the auditor’s report which may need to be adjusted in the financial statements or disclosed (depending on whether it is an adjusting or non-adjusting event), and to respond appropriately to facts that the auditor becomes aware of after the audit report has been signed which would have caused the auditor to amend the auditor’s report.

Many audit programmes these days contain an individual section on subsequent events, but during reviews it might be the case that the subsequent events review has not been undertaken up to the date of the auditor’s report and hence the work fails to achieve the objective of ISA 560.

10. Audit report

Where the auditor considers a matter to be of particular significance, they will include an emphasis of matter paragraph within their report. The emphasis of matter paragraph must be included immediately after the opinion paragraph (not before) and:

  • Use the heading ‘Emphasis of Matter’ or other appropriate heading
  • Include within the paragraph a clear reference to the matter being emphasised and the relevant disclosure within the financial statements
  • Indicate that the auditor’s opinion is not modified in respect of the matter emphasised

The use of an emphasis of matter paragraph is not a modified opinion - it is a modification to the auditor’s report and must cross-reference to the relevant disclosure within the financial statements.

Sometimes an emphasis of matter paragraph may be used in an auditor’s report that includes too much information and this is the reason why paragraph 6 to ISA 706 Emphasis of matter paragraphs and other matter paragraphs in the independent auditor’s report restricts the use of an emphasis of matter paragraph to matters presented or disclosed in the financial statements. 


This article has considered some of the more common pitfalls which auditors should avoid during the course of their work. However, a good review process by the audit firm may also flag up any additional areas that may be viewed as a deficiency by professional regulators. The production of audit files which will stand up to scrutiny and the carrying out of appropriate procedures on site should not be viewed merely as a necessity to satisfy professional regulators, but should also be viewed as a means by which firms can protect themselves and comply with the UK and Ireland ISAs.

Steve Collings is the audit and technical partner at Leavitt Walmsley Associates and the author of ‘Interpretation and Application of International Standards on Auditing’.


Replies (2)

By redboam
28th Jan 2014 13:46

Auditing the Banks

It's a great pity that all of these protocols were not regularly applied by the auditors of our major banks prior to 2007.

By Alfonce
03rd Mar 2016 11:04

Very good article and quite informative.

I encounter this every day; sometimes my colleagues feel all that documentation, especially the 10 points mentioned here, is a waste of time, especially for small clients.


