www.pwc.co.uk
Audit planning takeaway Time to Learn 2014
Table of Contents

Independence
  New audit clients
  Management’s processes around non-audit fees
  Required assessments and consultation
  Impact of non-audit services
  Role of Service Delivery Centres in AFSs
  Communications with those charged with governance
  Rotation tracking
  Consulting with independence
  Guidance
Related parties
  Financial reporting framework requirements
  Obtaining a list of related parties
  Completeness
  Our risk assessment
  Communications within the team
  Professional scepticism
  Representation letter
  Completion procedures
  Communications with management and those charged with governance
  Updates to EGAs
Fraud
  Fraud discussions and risk assessment
  Unpredictable procedures
  Journals
  Responding to identified fraud
  And finally…
Laws and regulations
  ISA (UK&I) requirements
  What does this mean in practice?
  Bribery Act 2010 and Transparency International
  Required communications
  Audit opinion
Materiality
  Overall materiality
  Performance materiality
  De Minimis SUM posting level
  Disaggregating materiality
  Materiality in a group audit context
  Reassessing materiality at the final audit
  Reporting to those charged with governance
Other planning reminders
  Planning top tips
  Risk assessment
  ISA (UK&I) 700
  Internal audit
  Use of ISAE 3402 controls reports on service organisations
  Audit of tax
  Estimates
  Confirmations
  Referred reporting audit engagements and ‘letterbox’ audits
  Group and component audits
  Planning sign-off
  Significant matters
Independence

New audit clients

As a result of increased tendering activity in the marketplace, we are seeing a greater number of proposals and first year audits. This brings about specific independence challenges, and independence is also a ‘hot topic’ with our regulators. Engagement teams need to consider non-audit services previously provided to those entities for which we are proposing for the audit, to ensure that we can accept the audit if we are appointed. As many are aware, another large audit firm accepted an audit appointment and had to decline after discovering what were now impermissible services being provided, causing embarrassment for the entity and the audit firm.

For new audit engagements, non-audit and audit related services are identified by the Relationship Checking team. The articulation of the rationale as to why non-audit services previously provided do not impair our independence, and what safeguards are in place, is absolutely critical and needs to be clearly documented on the audit file.

Management’s processes around non-audit fees

As part of our consideration of independence, and where appropriate, we should understand the systems and controls management have in place in order to monitor non-audit services provided. Engagement teams confirm that management have followed these procedures and seek evidence to corroborate this. If management have robust procedures in place, then we may be able to place some reliance on these processes.

Required assessments and consultation

Ethical Standards state that “a self-interest threat exists when the auditor has financial or other interests which might cause the auditor to be reluctant to take actions that would be adverse to the interests of the audit firm or any individual in a position to influence the conduct or outcome of the audit. In relation to non-audit services, the main self-interest threat concerns fees and economic dependence and these are addressed in APB Ethical Standard 4”.

Where substantial fees are regularly generated from the provision of non-audit services, and the fees for non-audit services are greater than the annual audit fees, it could be perceived as a loss of our independence. In these instances, the audit engagement partner considers whether the engagements giving rise to the substantial fees were:

- audit related services;
- provided on a contingent fee basis;
- consistent with the engagements undertaken in previous years, and fees received on a consistent basis to previous years;
- in the case of a group, disproportionate in relation to any individual group entity;
- unusual in size but unlikely to recur; and/or
- of such a size and nature that a reasonable and informed third party would be concerned at the effect that such engagements would have on the objectivity and independence of the engagement team.

Having made that assessment, the audit engagement partner determines whether the threats to independence from the level of non-audit fees are at an acceptable level (or can be reduced to an acceptable level by putting in place appropriate safeguards).

For listed entities, where the fees for non-audit services for a financial year are expected to be greater than the annual audit fee, the engagement team consults formally with the UK Ethics Partner (currently Bill Morgan) before the ratio has exceeded 1:1 and, as soon as he/she considers that the ratio will be exceeded. As this is a consultation under ISA (UK&I) 230, it is required to be appropriately documented in the file.

For non-listed entities where the non-audit fees are expected to exceed the audit fees, the engagement leader may also consult with the Ethics Partner if they deem it necessary or useful, although this is not required.
Impact of non-audit services

Engagement teams need to better assess the impact that non-audit services can have on their independence. This needs to be an ongoing exercise throughout the audit, and is not to be regarded solely as a planning or completion activity. Recent internal and external reviews have identified more complex independence issues that have developed over a number of years. It is therefore critical that the engagement team understand enough about the nature of the services that are being performed to be able to make a proper assessment of threats to their independence and whether the safeguards which have been put in place remain adequate. For example, consider the following set of circumstances:

- before tendering for the audit, we assist management by building a model to forecast the company’s business;
- the auditors review the model as part of their normal audit procedures;
- having won the audit, we continue to support the client through its expansion, including providing assistance to the client in updating the functionality of the forecasting model;
- the client encounters some financial difficulties and we are asked by management to update the forecasting model’s functionality; and
- management use the forecasting model to support going concern, impairment and deferred tax asset recovery calculations that we subsequently audit.

Does this cause an independence issue? It is worth taking a step back and considering the non-audit services as a whole (especially those that are delivered in different phases). Individually, these services might not present an issue, but when considered as a whole, the team might come to a different conclusion and the threats and safeguards applicable might also differ.

Role of Service Delivery Centres in AFSs

An engagement team may request the Service Delivery Centre (SDC) to assist with monitoring and checking the completeness of AFSs that are received from component or other teams. It is important to note that when performing the completeness checks, the SDC solely checks that all boxes have been completed. In other words, they do not assess whether what has been written is correct, whether the right threats have been identified, or whether the right safeguards have been put in place. The SDC may also prepare a fee summary report which reflects actual billings for services compared to estimated fees per the AFS request forms, if the engagement team requests this.

Communications with those charged with governance

Communications required by ISAs (UK&I) and UK Ethical Standards

ISAs (UK&I) state that: “In the case of listed entities, the auditor shall communicate to those charged with governance:

(a) A statement that the engagement team and others in the firm as appropriate, the firm and, when applicable, network firms have complied with relevant ethical requirements regarding independence; and

(b) (i) All relationships and other matters between the firm, network firms, and the entity that, in the auditor's professional judgement, may reasonably be thought to bear on independence. This shall include total fees charged during the period covered by the financial statements for audit and non-audit services provided by the firm and network firms to the entity and components controlled by the entity. These fees shall be allocated to categories that are appropriate to assist those charged with governance in assessing the effect of services on the independence of the auditor; and

(ii) The related safeguards that have been applied to eliminate identified threats to independence or reduce them to an acceptable level.”
In the case of listed entities, UK Ethical Standards require that: 'The audit engagement partner shall ensure that those charged with the governance of the audit client are appropriately informed on a timely basis of all significant facts and matters that bear upon the auditor’s objectivity and independence.'

The audit engagement partner shall ensure that the audit committee, or those charged with governance, of a listed entity is provided with:

- a written disclosure of relationships that bear on the auditor’s objectivity and independence, any safeguards that are in place and details of non-audit services provided to the audited entity and the fees charged in relation thereto;
- written confirmation that the auditor is independent;
- details of any inconsistencies between UK Ethical Standards and the company’s policy for the supply of non-audit services by the audit firm and any apparent breach of that policy; and
- an opportunity to discuss auditor independence issues.

For all unlisted entities, written communication of these matters is considered best practice, but is not required. Reporting to an unlisted entity can be done either in writing or verbally, provided that, if the latter option is chosen, full details of the conversation with those charged with governance (i.e. when, with whom and what was discussed) are documented on the audit file.

Communication required by change to International Ethics Standards Board for Accountants Code of Ethics

The International Ethics Standards Board for Accountants (IESBA) have made changes to their Code of Ethics which have an impact on the way we respond to breaches of external independence requirements. The change came into effect on 1 April 2014. This change impacts PwC because of the network’s commitment to follow the IESBA Code of Ethics even though these changes have yet to be incorporated into the UK Ethical Standards.

The change to the IESBA Code of Ethics now requires the auditor to report all breaches of external independence rules (i.e. any breaches of UK Ethical Standards, SEC and PCAOB rules, or the IESBA Code of Ethics) to those charged with governance “as soon as possible”, unless the firm has agreed a protocol with those charged with governance in respect of “less significant” breaches. “As soon as possible” is intended to allow the firm reasonable time to investigate the matter and conduct an evaluation of the significance of the breach but also means “without undue delay”. It is not intended to mean “immediately”. Therefore, audit teams are strongly recommended to engage with their clients to establish whether they will require all breaches to be reported as soon as possible, or whether less significant breaches, such as personal independence breaches not relating to members of the audit team, can be reported on a periodic basis.

Rotation tracking

Remember to keep rotation tracking up to date and reflective of the current team. HPC and other internal reviews regularly find inaccuracies and/or omissions. Remember to also include Key Audit Partners, which need to include overseas engagement leaders of subsidiary entities if they relate to a significant component.

Consulting with independence

Taking on a new PIE client, or a non-PIE client becomes a PIE

Taking on a new PIE client, or an existing client becoming a PIE, are only two situations when consultation is required. You also need to consult in the following situations (amongst others):

- contingent fee arrangements;
- significant unpaid fees;
- non-audit fees exceed (or are likely to exceed) the audit fee for listed companies;
- independence breaches have been identified;
- when the Assurance engagement partner or member of the chain of command is considering employment with the Assurance client;
- where a listed company is “in distress” and restructuring services are proposed to be provided.
Contingent fees

Where a contingent fee arrangement exists, the non-audit service team is required to include “Compliance Independence” as an approver on the AFS form, as well as the engagement leader. If engagement teams receive an AFS for a contingent fee arrangement and “Compliance Independence” hasn’t been included as an approver, the AFS should be sent back to the non-audit service team to be amended. The Independence team will feed back the outcome of the independence analysis to the audit team and the team carrying out the work. This may include details of the safeguards required to maintain our independence, which may include review of key audit judgements and work by ARQ where appropriate.

Unpaid fees

Audit fees

Prior year audit fees should be agreed before the appointment for the next year is accepted. This fee should have been paid before any significant work is done in the current year.

Non-audit fees

Where fees for professional services are overdue, and the amount can’t be regarded as trivial, consult with the Independence and Ethics Team. There’s currently no definition of ‘trivial’ in this context. The engagement team will use their judgement to decide the level of unpaid fees that are deemed acceptable based on the individual circumstances. The team needs to be satisfied that the client will eventually pay and to consider whether there’s a legitimate reason fees have not yet been received.

Independence breaches

For all clients in the UK, the Independence and Ethics Team will provide details to the UK audit engagement leader of all personal independence breaches of Ethical Standards and SEC rules in respect of:

- members of the UK audit engagement team;
- any other partner in the firm;
- the UK firm;
- those in the UK who are in a position to influence the conduct and outcome of the audit; and
- for SEC audit clients in the UK, those individuals who are covered persons for the client,

which the Independence and Ethics team are aware of as a result of the annual independence confirmation process or through other matters reported to them. If the Independence and Ethics Team does not contact the team, then there are no matters to report.

If the Independence and Ethics Team becomes aware of a significant independence breach during the year, then the engagement leader will be informed immediately.

Considering employment with an Assurance client

If the Assurance engagement partner or member of the Assurance engagement team is considering employment with the Assurance client, then they are removed from the engagement immediately. They do not re-join the engagement until any negotiations have come to an end. If a member of the chain of command is considering employment with the Assurance client, then the Independence and Ethics Team would inform the Assurance engagement team, as needed, and discussions would take place before considering whether this could be accepted.

In all the above instances, consultation with the Independence and Ethics Team is strongly recommended. Please refer to section 5.18 of the UK Independence Policy for further guidance.
Entities in distress

There is a partial prohibition on restructuring services for listed clients and their significant affiliates where the company is ‘in distress’. The permissible services are limited to:

- preliminary general advice;
- assistance with immaterial elements of the overall restructuring plan;
- challenging, but not developing, the projections and assumptions used in a financial model;
- reporting on a restructuring plan in connection with an investment circular; and
- any service specifically permitted by a regulatory body with oversight of the audit client.

Due to the complexities involved, a xLoS acceptance panel is required. This includes representatives from Consulting Risk and Quality and Assurance Risk and Quality, as well as from Compliance.

Compliance Consultation System (CCS)

CCS is a tool that helps you to consult with, or make enquiries to, the Independence and Ethics Team on all matters affecting independence. The system acts as a repository for all independence enquiries and consultations. A consultation is a query which needs to be agreed and documented with the Independence and Ethics Team in respect of a client specific set of facts and circumstances. Remember that if you submit an independence query to Assurance Risk and Quality using IGLO, then you will be directed to re-log the query on CCS.

Guidance

GAAS requirements:

- ISA (UK&I) 220.11 Engagement partner conclusion on compliance with independence requirements
- ISA (UK&I) 260.17 Communication with those charged with governance – Auditor Independence

PwC UK Independence Policy:

- PwC UKIP – Section 4 Engagement Management and Engagement Team Responsibilities:
  o 4.9 Accepting a Non-Audit Engagement for an Existing Audit Client
- PwC UKIP – Section 5 Individual Financial Interests and Relationships
- PwC UKIP – Section 6 Member Firm Financial and Business Relationships:
  o 6.8 Contingent Fees and Related Matters
  o 6.9 Commissions and Fees for Referrals
- PwC UKIP – Section 7 Non-Assurance Services
- PwC UKIP – Section 9 Member Firm Processes and Controls

APB Ethical Standards:

- ES 1 Integrity, objectivity and independence
- ES 4 Fees, remuneration and evaluation policies, litigation, gifts and hospitality – Fees (para. 5-43)
- ES 5 Non-audit services provided to audit entities

Audit Guide:

- 2500 Use of a Service Delivery Centre (SDC)
- 3030 Independence
- 3060 Engagement team

UK guidance documents from the Independence site
Related parties

Financial reporting framework requirements

In the UK, most of the entities we audit have a legal obligation to prepare financial statements in accordance with an accounting framework, the most common being IFRS as adopted by the European Union, UK GAAP and US GAAP. All these accounting frameworks establish related party requirements. If the entity does not identify its related parties, then it is unable to identify related party transactions and assess whether disclosure is required. Consequently, the financial statements may not comply with the relevant accounting framework or legal requirements.

We have a responsibility to perform audit procedures to ‘identify, assess and respond’ to the risk of material misstatement arising from the entity’s failure to appropriately account for, or disclose, related party relationships, transactions or balances in accordance with the requirements of the framework to be able to conclude whether the financial statements achieve a fair presentation (for fair presentation frameworks) or are not misleading (for compliance frameworks). If we do not have a list of related parties, then it is difficult to meet the requirements of ISAs (UK&I). Therefore, in order to meet our responsibilities as auditors, we need to obtain a comprehensive list of related parties, and related party transactions from management.

Obtaining a list of related parties

ISA (UK&I) 550 requires the auditor to enquire of management regarding:

(a) the identity of the entity's related parties, including changes from the prior period;
(b) the nature of the relationships between the entity and these related parties; and
(c) whether the entity entered into any transactions with these related parties during the period and, if so, the type and purpose of the transactions.

Some entities, particularly the larger more sophisticated entities, may have systems to record, process and summarise related party relationships and transactions to enable the entity to meet the accounting and disclosure requirements of the framework and, hence, management is likely to have a comprehensive list of related parties and changes from the prior period. Where this is not the case, which will be the case for the majority of entities, we consider the following points:

- the entity’s ownership and governance structures;
- types of investment that the entity is making, and plans to make;
- the way in which the entity is structured and how it is financed; and
- the individuals that constitute key management.

Discussing who the related parties of the entity are is often a sensitive matter, with management being reluctant to provide, sometimes for understandable reasons, details of who the related parties are (especially in the area of connected persons, which could include the names of children and other close relatives). We have therefore developed a new pro forma letter on related parties to assist teams. The letter, which is intended to be sent to the entity at the planning phase of the audit, will:

- explain why we have sent the letter;
- explain what related parties are under the entity’s accounting framework (e.g. IFRS as adopted by the European Union, UK GAAP, US GAAP); and
- clarify the auditor’s responsibilities around related parties.

We should include a list of all potential categories of related parties under the reporting framework to assist the entity in identifying related parties in the entity or group. The list will be signed off by a director as being complete to the best of their knowledge and provided to us for the purpose of the audit at the planning stage.
We need to be mindful of concerns the entity may have in disclosing some information such as the names of directors’ children. We have had situations where a 16 year-old child has been working for the entity as their sole source of income, which has meant that the “transaction” has become disclosable, or where the wife has provided all the catering for business meetings. Conversely, it is highly unlikely that a three month old baby is going to be transacting with the entity, or in control of an entity which is a related party. The letter will help to deal with such concerns.

Our discussions with management and those charged with governance in respect of related parties and related party transactions are documented in full on the audit file.

Completeness

Once we have a list of related parties we need to perform procedures to identify whether that list is complete. During the planning phase of the audit, we inspect a number of documents as part of our risk assessment procedures. Reviewing such documents will act as a test for completeness over the related parties' listing. ISAs (UK&I) require us to look at the following documents:

- bank and legal confirmations;
- minutes of the meetings of shareholders, and those charged with governance; and
- such other records or documents as we consider necessary.

Such other records/documents could include:

- payroll listings, accounts receivable and accounts payable listings for similarly named individuals and entities;
- other relevant statutory records such as the register of directors' interests (for information about material transactions authorised or discussed at their meetings);
- filings with, and other information supplied to, the relevant authorities/regulatory agencies (including tax returns);
- prior year working papers;
- correspondence and invoices from law firms; and
- documents detailing the names of officers and trustees of pension or similar plans.

In addition, other available sources of information, including external data and internet searches, such as Google, can be used to identify the names of related parties and other businesses in which officers and directors have ownership interests or hold directorship or management positions (e.g. Boardex reports). We also consider the extent and nature of business transacted with major customers, suppliers, borrowers and lenders.

Our risk assessment

Many related party transactions are in the normal course of business. In such circumstances, they may carry no higher risk of material misstatement to the financial statements than similar transactions with unrelated parties. However, the nature of related party relationships and transactions may, in some circumstances, give rise to higher risks of material misstatement to the financial statements than transactions with unrelated parties. For example:

- Related parties may operate through an extensive and complex range of relationships and structures, with a corresponding increase in the complexity of related party transactions.
- Information systems may be ineffective at identifying or summarising transactions and outstanding balances between an entity and its related parties.
- Related party transactions may not be conducted under normal market terms and conditions; for example, some related party transactions may be conducted with no exchange of consideration.

Significant related party transactions outside the entity’s normal course of the business give rise to a significant risk. During the audit, we also need to remain alert when inspecting records and documents for arrangements, or other information, that may indicate the existence of related party relationships or transactions that management has not previously identified or disclosed to us.
If we identify fraud risk factors when performing the risk assessment procedures on related parties, including circumstances relating to the existence of a related party with dominant influence, we link this to the appropriate fraud risk and appropriately articulate the rationale on the file together with documenting our response to that fraud risk. All the discussions around related parties with management, those charged with governance and internally amongst the team and with component auditors (in group situations) are documented in full on the audit file. Sufficient involvement from the engagement leader is expected in this area. Be aware of the possibility that transactions with related parties may have been motivated solely, or in large measure, by conditions similar to the following:
lack of sufficient working capital or credit to continue the business; an urgent desire for a continued favourable earnings record in the hope of supporting the price of the company's stock; an overly optimistic earnings forecast; dependence on one, or relatively few, products, customers, or transactions for the continuing success of the venture; a declining industry characterised by a large number of business failures; excess capacity; significant litigation, especially litigation between stockholders and management; and significant obsolescence dangers because the company is in a high-tech industry.
Transactions that because of their nature may be indicative of the existence of related parties include:
borrowing or lending on an interest-free basis or at a rate of interest significantly above or below market rates prevailing at the time of the transaction; selling real estate at a price that differs significantly from its appraised value; exchanging property for similar property in a nonmonetary transaction; and making loans with no scheduled terms for when, or how, the funds will be repaid.
Finally, if management has made an assertion in the financial statements to the effect that a related party transaction was made on an arm’s length basis, then we need to obtain sufficient audit evidence that this is the case. This is because management need to substantiate that assertion. Management's support for the assertion may include:
comparing the terms of the related party transaction to those of an identical or similar transaction with one or more unrelated parties; engaging an external expert to determine a market value and to confirm market terms and conditions for the transaction; and/or comparing the terms of the transaction to known market terms for broadly similar transactions on an open market.
As ever, remain professionally sceptical when auditing this information, utilising industry knowledge and verifying the source of the data used in their assertion. Also, evaluate the reasonableness of significant assumptions on which the assertion has been based.

Communications within the team

Remember that as part of our team fraud discussions, we discuss the risks associated with related parties, and related party transactions, and specifically whether any fraud risks exist. This discussion provides the opportunity to communicate the details of who the related parties are and any related party transactions of which we are already aware. Any team member who could not attend the meeting is briefed separately and that briefing evidenced on the audit file. In the context of a group audit, ISA (UK&I) 600 requires the group engagement team to provide each component auditor with a list of related parties prepared by group management and any other related parties of which the group engagement team is aware. Obtaining the list from the client and undertaking completeness procedures will enable a list to be provided to component auditors.
Professional scepticism

Being sceptical and thinking about fraud risks is essential in auditing related parties and related party transactions. For example, team members need to take a wider view and consider the commercial rationale for any transactions (i.e. Why is this transaction taking place? What is the purpose of the transaction? Why has it been structured in the way it has? Does the transaction make sense?) and whether they have been conducted at arm's length. It is important to have an understanding of the industry so as to be able to identify any unusual transactions, based on price, nature, terms, etc. Have any team members identified transactions during their audit work which indicate that related parties might be involved that are not on the list? Are the entity’s controls sufficient to identify and monitor relationships and transactions?

Representation letter

We have updated the representation letter in respect of related parties such that the list of related parties provided by the client at planning, plus any subsequent updates, is attached to the letter and those charged with governance confirm that it is a complete list in respect of the period audited.

Completion procedures

The following procedures are performed upon completion:
obtain a representation that management has disclosed the identity of related parties, relationships and transactions of which they are aware and that related parties and transactions have been appropriately accounted for and disclosed – this representation incorporates the list of related parties provided by the client; communicate significant related party matters arising during the audit to those charged with governance unless all of them are involved in its management; check that the accounting for, and disclosure of, related parties and related party transactions are appropriate; and consider the implications of the findings from work performed on related parties and related party transactions for the audit opinion.
Communications with management and those charged with governance

We may identify a number of matters that we want to communicate to management. For example, a lack of controls to monitor related parties, or transactions with related parties that have not been appropriately authorised. There are a number of matters that, if identified, we are required to communicate to those charged with governance. These include, but are not limited to:
non-disclosure of related parties by management; significant related party transactions that have not been appropriately authorised and approved; disagreements with management regarding accounting and disclosure of related party transactions; non-compliance with applicable law or regulations; and difficulties in identifying related parties.
Updates to EGAs

We have enhanced the planning EGA ‘Understand related parties’ to include:
sending the letter to the client to obtain a list of related parties; performing completeness procedures over that list; and documenting procedures you will take to refresh the list throughout the audit.
We have also enhanced the related parties procedure in the completion activities EGA ‘Update preliminary assessment of fraud, going concern, laws and regulations, related parties, accounting estimates and other assertion level risks’ to confirm that the list of related parties has been updated.
Fraud

Fraud discussions and risk assessment

PwC Audit 5503 states that the engagement leader (i.e. the individual who is the signing engagement leader if aspects of the engagement leader role have been delegated) uses professional judgement, prior experience with the entity, and knowledge of current developments to determine which other members of the engagement team are included in the fraud discussion. The discussion will include participation by most, if not all, engagement team members including:
the engagement leader; all other engagement and quality review partners (if applicable); other members of the engagement team, including managers and staff; any forensic specialists, where heightened risk exists; and key members from other relevant lines of service (Tax, Risk Assurance, Consulting, Deals, etc.).
The engagement leader will need to ensure that any members of the team who could not attend the team fraud discussion are appropriately briefed and that evidence of those briefings is also retained on the audit file. The team fraud discussion includes, as a minimum, the following:
the identification and assessment of fraud risk factors, examples of which can be found at PwC Audit 5502; the identification of the potential risks of material misstatement due to fraud (which includes both the misappropriation of assets and fraudulent financial reporting); and the planned audit approach in response to the risks identified, including the planned approach to journals testing and unpredictable procedures and how both of these procedures address the fraud risks identified.
The discussion may include such matters as:
an exchange of ideas amongst engagement team members about how and where they believe the entity’s financial statements may be susceptible to material misstatement due to fraud, how management could perpetrate and conceal fraudulent financial reporting, and how assets of the entity could be misappropriated; a consideration of circumstances that might be indicative of earnings management and the practices that might be followed by management to manage earnings that could lead to fraudulent financial reporting; a consideration of the known external and internal factors affecting the entity that may create an incentive or pressure for management or others to commit fraud, provide the opportunity for fraud to be perpetrated, and indicate a culture or environment that enables management or others to rationalise committing fraud; a consideration of management’s involvement in overseeing employees with access to cash or other assets susceptible to misappropriation; a consideration of any unusual or unexplained changes in behaviour or lifestyle of management or employees which have come to the attention of the engagement team; an emphasis on the importance of maintaining a proper state of mind throughout the audit regarding the potential for material misstatement due to fraud; a consideration of the types of circumstances that, if encountered, might indicate the possibility of fraud; a consideration of how an element of unpredictability will be incorporated into the nature, timing and extent of the audit procedures to be performed; a consideration of the audit procedures that might be selected to respond to the susceptibility of the entity’s financial statements to material misstatement due to fraud and whether certain types of audit procedures are more effective than others; a consideration of any allegations of fraud that have come to the auditor’s attention; and a consideration of the risk of management override of controls.
But the discussion would ordinarily also cover:
review with the entire team of any fraud risk conditions identified in the acceptance and continuance process; qualitative and quantitative factors to be considered in assessing risk of fraud; the need for professional scepticism at all times and sufficient appropriate audit evidence to support the audit opinion; determination of specific procedures to be conducted as part of the audit to address any fraud risks identified in this meeting, including determination of the use of fraud experts, and the plan for reviewing results with engagement leadership; discussion of evidential fraud risk factors to be aware of at all times during the audit (for examples of evidential risk factors see PwC Audit 5502); the importance of the tone at the top; the need to assess the risk of fraud at each stage of the audit and for engagement team members to communicate about the risks of material misstatement due to fraud; a discussion regarding fraud and new issues arising since the date of the last audit that may potentially affect the entity (such discussion may include recent frauds in the industry in which the company operates).
Our fraud discussions may also usefully consider fraud schemes that could occur given the entity’s control system. Fraud schemes are numerous and will vary from industry to industry. However, thinking about potential schemes will put us in the best position to design audit procedures. See PwC Audit 5504 for related guidance. The Aura file clearly evidences that the engagement leader led the team discussions on fraud. It is expected that teams are specific with their fraud discussions and identify where, and how, a fraud could be perpetrated. As noted earlier, teams consider both misappropriation of assets and fraudulent financial reporting at the FSLI or even transaction level. To date we have focussed on fraud discussions within the team but remember to also hold fraud discussions with:
management and those charged with governance, including the audit committee where one exists; and internal audit, where such a function exists (including where the function is outsourced by the entity).
These discussions also need to be documented together with how any fraud risks identified have been responded to. Finally, it is important that the various discussions lead to action on our part and that this is evidenced. ARQ see files where the discussion has happened, but there is no linkage to what was agreed as needing to be done to address the fraud risks identified. Therefore, it is critical to link the fraud risks identified from our discussions to the procedures to be performed which address them.

Unpredictable procedures

We need to incorporate an element of unpredictability in the nature, timing and extent of audit procedures in order to respond to an assessed risk of material misstatement due to fraud at the financial statement level. Teams often omit this connection between a specific fraud risk and an unpredictable procedure, and simply perform an unpredictable procedure for the sake of it. Remember that the whole point of performing such procedures is to address a specific fraud risk. Unpredictable procedures are important, because management may be familiar with audit procedures normally performed by us and hence they may be more able to conceal fraud in the areas which they think would not be tested by us, either in the way we test them, or when we test them. Incorporating unpredictability throughout the course of the audit helps us to address the risk of fraud. No specific level of unpredictability is required; however, engagement teams document those procedures that are deemed to be unpredictable in nature.
The engagement team discusses how to incorporate unpredictability into the audit during the fraud discussion. Remember that an unpredictable procedure is one where the nature and/or timing and/or extent of the test varies from what we have historically performed. Some examples of unpredictable procedures which may address specific fraud risks are as follows:

Audit area, followed by examples of unpredictable procedures that might be appropriate

Inventory
• Conduct meetings and enquiries with client staff with whom we have not had much previous contact (e.g. key personnel in the purchasing department, quality control managers).
• Attend inventory counts performed at locations not attended in the past, and without advance notice at the planning phase.
• Work in progress or recording of transit items: we may consider testing at a more detailed level.

Sales / Accounts receivable
• Conduct meetings with client staff with whom we have not had much previous contact (e.g. sales staff responsible for handling major customer accounts).
• Change the nature of substantive analytical procedures (e.g. use different basis for disaggregating revenue).
• Extend cut-off testing beyond the periods normally covered, including sales and sales returns.
• Accounts receivable confirmations: we may alter the selection criteria for the sample of accounts receivable balances to confirm.
• Perform other procedures which were not previously considered. For example:
  o Confirm sales terms and/or amounts for a selection of customers.
  o Test classes of sales transactions not previously tested (e.g. export sales).
  o Perform more detailed analytical procedures (e.g. by using CAATs to scan sales accounts or customer accounts).
  o Change the date used for confirmations (i.e. confirm as of an earlier or later date).
  o Perform work to verify intercompany sales and related balances beyond confirming details with component auditors.

Purchases / Accounts payable
• If not normally performed, obtain confirmations of outstanding amounts directly from suppliers. If this is already performed, vary the scope and/or timing of the confirmation process.
• Test areas of expense not previously tested in detail.
• Use CAATs to scan purchase accounts/payments to look for unusual items (e.g. suppliers with similar bank details).

Cash
• Select additional month(s) to perform work on bank reconciliations.
• Where there are large numbers of bank accounts and selective testing is performed, change the basis of selection.

Property, plant and equipment
• Perform work on property, plant and equipment not previously considered (e.g. consider inspecting existence of lower value assets such as company cars and equipment).
• We may alter the extent of physical verification procedures.

Multi-location audits
• Change scope or locations of overseas work (e.g. more work in smaller locations, visiting overseas locations).
Finally, for the avoidance of doubt, sampling is not an unpredictable procedure; just because we do not know which invoices we will select for testing does not make it an unpredictable procedure.

Journals

We have made considerable progress over the years with regards to journals testing, but a few areas continue to be identified for improvement. These are documenting how we obtained evidence as to the completeness of the population, why we are selecting the journals we have selected and, in situations where Computer Assisted Audit Techniques (CAATs) have been used, how we rationalised testing only a proportion of those which the CAAT identified. Remember that we test journals to respond to a specific risk, or risks, of fraud. As such, we need to clearly link our journals testing to the risk of fraud identified. To effectively plan and perform testing over journal entries, we need to:
understand and evaluate the entity's financial reporting process and the controls over journal entries and other adjustments, which includes evaluating the design of controls and determining whether they have been implemented. Without an understanding of how the entity uses journals, we cannot effectively design our journals testing; use professional judgement in determining the nature, timing and extent of testing of journal entries and other adjustments and assess completeness of the populations of entries subject to testing. Consider our fraud risk assessment in our analysis, in particular regarding the risk of management override of internal controls and place additional emphasis on identifying and testing items processed outside of the normal course of business; and document our rationale for what we are doing.
In audits of entities with complex IT systems, Risk Assurance involvement is likely to be needed, in which case the approach to journal entries will be discussed with them. In addition, the use of Data Assurance has greatly enhanced our work on journals enabling us to deal with a number of the issues we face. We may consider the following procedures related to journal entry testing as part of planning our approach:
• In order to obtain an understanding of the entity's financial reporting process and controls over journal entries and other adjustments, consider the following:
  o the entity’s written, and unwritten, policies and procedures regarding the initiation, recording and processing of standard, and non-standard, journal entries and other adjustments;
  o the sources of significant debits and credits to an account;
  o individuals responsible for initiating entries to the general ledger, transaction processing systems, or consolidation;
  o approvals and reviews required for such entries and other adjustments;
  o how journal entries and other adjustments are recorded (e.g. whether entries are initiated and recorded online with no physical evidence, or created in paper form and entered in batch mode);
  o controls, if any, designed to prevent and detect fictitious entries and unauthorised changes to journals and ledgers; and
  o controls over the integrity of the process used to generate journals reports which we use for audit purposes.
• If not already doing so, determine whether you can use journals CAATs.
• During planning, consider performing enquiry of individuals involved in the financial reporting process about inappropriate or unusual activity related to the processing of journal entries and other adjustments to provide input into determining the timing, nature and extent of testing, and then update enquiries at year end. This is documented in the EGA ‘Respond to the risk of material misstatement involving management override of controls’.
• Consider including an element of unpredictability regarding the value, amount and types of journal entries and other adjustments tested.
• Manage multilocation audit planning, if applicable, for the testing of journal entries and other adjustments by including the following in instruction letters:
  o the group engagement team’s assessment of the risk of material misstatement due to fraud;
  o if appropriate, identification of any specific classes of journal entries for testing and the extent of testing (or provide a list of journal entries to test if selections are made by the group engagement team); and
  o a contact for fraud related questions on the group engagement team.
Controls over journals

Effective controls over the preparation and posting of journal entries and other adjustments may reduce the extent of substantive testing necessary, provided that we have tested the operating effectiveness of the controls and consider that they are effective. However, even though controls might be implemented and operating effectively, our procedures for testing journal entries and other adjustments include the identification and testing of specific items. In other words, we may be able to justify obtaining partial reliance on controls over journals, but, due to the risk of management override of controls, we do not seek high controls reliance in respect of journal entries. Where controls over journal entries and other adjustments, including segregation of duties (restricted access), are dependent on automated controls, we also need to test the relevant ITGCs.

Completeness of the population

Before we begin to test a sample of journals, we need to ensure that we are selecting from a complete population. Ordinarily, we are now utilising Risk Assurance to use CAATs to assist us in our testing of journals. CAATs enable a complete output of journals to be populated through extraction from a transactional listing which is reconciled to the trial balance. While obtaining the population of journal entries electronically is the preferred method of ascertaining completeness when auditing journal entries, it is also acceptable to use other manual auditing procedures. This can be done by, for example, using accept-reject testing (agreeing balances from a detailed account breakdown reconciled to the general ledger, to the journals listing). Further guidance with regards to obtaining evidence as to the completeness of the population can be found in PwC Audit 5509.

Substantive testing

Substantive testing can include scanning analytics and tests of details.
Scanning analytics can be performed on detailed lists of journal entries to identify unusual or unexpected entries (e.g. accounts, amounts, individuals approving the entry, times of day, dates the entry was recorded). The unusual or unexpected entries are identified and then tested substantively, for example by agreement to source documentation.

Substantive tests of details are the typical means of testing journal entries or other adjustments. Since we are testing entries which represent a fraud risk, target testing (manual or CAATs) based on fraud risk is the appropriate approach for selecting items which are then substantively tested, again by agreement to source documentation for example.

Remember that, in addition to agreeing journal entries to supporting documentation, part of our evidence is understanding the purpose and appropriateness of the journal and documenting that on the audit file.

Sorting down large populations

We will often provide Data Assurance with a list of risk-based criteria and ask that they isolate a subset of non-standard journal entries based on, for example, unusual general ledger account combinations (this example demonstrates only one risk-based criterion, but consider other criteria when testing). This may identify a total population of 1,000 journal entries for example. In identifying this population of 1,000 journal entries that potentially require 100 per cent examination, we may, after additional analysis, be able to further refine our initial definition of 'unusual account combinations' or other criteria used in selecting journal entries. This process might be thought of as an iterative 'sorting down' until we conclude we have the remaining population that in our judgement represents the risk of material misstatement due to fraud and has to be examined 100 per cent.
It would be rare that we have to test each of the 1,000 items initially identified in this example. The fact that the 1,000 items were identified is more likely indicative that certain account combinations are not, in fact, unusual and may be valid in certain circumstances (i.e. they do not represent a significant risk of material fraud). Sorting down the 1,000 items by account combination and then researching the reasons for combinations of a significant number of items or monetary value may lead to a conclusion based on our knowledge and existing audit evidence that no further testing of a particular combination is necessary (i.e. the account combination is not unusual). Alternatively, the client may provide a plausible explanation why the classes of entries or other adjustments do not represent a risk of fraud. We need to obtain additional evidence to support this explanation, and could perform this testing on a targeted basis (based on monetary amount or some other criteria). In situations where the client is providing a plausible explanation for a large number of similar items, use accept-reject testing on the attributes of the journal entries and underlying transactions to support the client’s explanation and the appropriateness of the entry. If accept-reject test results corroborate the client's explanation that the entries do not represent risk of fraud, then the entries can be filtered out of our selection for testing. Accept-reject testing would only be used to further 'sort down' the population to better identify the targets that represent the risk of material misstatement. Once identified, those entries that represent the risk of material misstatement would then be tested 100 per cent. Finally, the team document clearly their rationale for how they got from 1,000 possible items down to the number actually tested.
Criteria for journal selection

At the planning stage, once we have a detailed understanding of how and why the entity uses journal entries, we need to agree the criteria we will use to select journal entries for substantive testing. Below are examples of the criteria which could be used to select journals for substantive testing. It is important to remember that each entity is different and requires some combination of the examples below:
largest journal entries (manual and/or automated); unusual general ledger account combinations (e.g. entries to revenue that do not impact cash, accounts receivable, or deferred revenue); journal entry activity that is reversed in a subsequent period (e.g. month end, quarter end); this test will identify whether one or both sides of the journal entry are reversed in the subsequent period; unusual intercompany and/or related party transactions; unusual ratios and changes for sales/assets, debt/equity, etc., including those that are too consistent, or conflict with our knowledge of the business; journal entries not documented in the general ledger (such as reclassification made to a reporting system, where general controls over the general ledger may not apply); journal entries with a net P&L impact over a certain amount; items just under a threshold (e.g. if any posting over £10,000 required an approval process, entries in the amount of £9,999.99 or £9,999.00); infrequently used general ledger accounts; missing or duplicate journal numbers (where the general ledger system has logical numbering system); entries made at unusual times (e.g. off-peak/overnight) or days (e.g. weekends/holidays); large volume of non-standard entries in accounts where there are likely primarily standard entries; unusual volume of entries at certain times of the month (last 5 days, first 5 days), quarter, or year; and unexpected individuals posting entries (e.g. IT staff, senior management or non-finance personnel).
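A sketch of how several of the criteria above, and the reconciliation of the journal listing to the trial balance described under completeness of the population, can be run as a screening script. This is an added example, not PwC's CAAT or part of the original material. The listing, trial balance movements, column names, the £100 band below the £10,000 approval threshold, the 07:00 to 19:00 working window and the "finance" role are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

# Constructed sample listing (not real data). Debits positive, credits negative.
LISTING = """journal_no,posted_at,user,role,account,account_type,amount
1001,2014-03-27 10:15,asmith,finance,1200,receivable,5000.00
1001,2014-03-27 10:15,asmith,finance,4000,revenue,-5000.00
1002,2014-03-29 23:40,jdoe,it,1500,prepayment,9999.99
1002,2014-03-29 23:40,jdoe,it,4000,revenue,-9999.99
1004,2014-03-31 16:05,asmith,finance,6100,expense,250.00
1004,2014-03-31 16:05,asmith,finance,1000,cash,-250.00
1004,2014-03-31 16:20,bjones,finance,6100,expense,75.00
1004,2014-03-31 16:20,bjones,finance,2100,payable,-75.00
"""

# Constructed net movement per account taken from the trial balance.
TB_MOVEMENT = {"1000": Decimal("-250.00"), "1200": Decimal("5000.00"),
               "1500": Decimal("9999.99"), "2100": Decimal("-75.00"),
               "4000": Decimal("-14999.99"), "6100": Decimal("325.00")}

# Entity-specific parameters (assumptions for this example).
THRESHOLD = Decimal("10000")   # postings at or above this need approval
BAND = Decimal("100")          # how far below the threshold counts as "just under"
WORK_START, WORK_END = 7, 19   # normal posting hours
EXPECTED_ROLES = {"finance"}
REVENUE_COUNTERPARTS = {"cash", "receivable", "deferred_revenue"}


def load(text):
    """Parse the CSV listing into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["journal_no"] = int(r["journal_no"])
        r["posted_at"] = datetime.strptime(r["posted_at"], "%Y-%m-%d %H:%M")
        r["amount"] = Decimal(r["amount"])
        rows.append(r)
    return rows


def completeness_differences(rows, tb_movement):
    """Accounts where the listing does not reconcile to the trial balance."""
    totals = defaultdict(Decimal)
    for r in rows:
        totals[r["account"]] += r["amount"]
    diffs = {}
    for acct in sorted(set(totals) | set(tb_movement)):
        diff = totals[acct] - tb_movement.get(acct, Decimal(0))
        if diff != 0:
            diffs[acct] = diff
    return diffs


def sequence_issues(rows):
    """Missing journal numbers, and numbers reused by more than one posting."""
    headers = defaultdict(set)
    for r in rows:
        headers[r["journal_no"]].add((r["posted_at"], r["user"]))
    nums = sorted(headers)
    missing = [n for n in range(nums[0], nums[-1] + 1) if n not in headers]
    duplicates = [n for n in nums if len(headers[n]) > 1]
    return missing, duplicates


def screen(rows):
    """Return {journal_no: [criteria met]} for journals meeting any criterion."""
    by_journal = defaultdict(list)
    for r in rows:
        by_journal[r["journal_no"]].append(r)
    flags = {}
    for no, lines in sorted(by_journal.items()):
        reasons = set()
        if sum(l["amount"] for l in lines) != 0:
            reasons.add("does not balance")
        types = {l["account_type"] for l in lines}
        credits_revenue = any(l["account_type"] == "revenue" and l["amount"] < 0
                              for l in lines)
        # Revenue credited with no cash, receivable or deferred revenue line.
        if credits_revenue and not (types & REVENUE_COUNTERPARTS):
            reasons.add("unusual account combination")
        for l in lines:
            if THRESHOLD - BAND <= abs(l["amount"]) < THRESHOLD:
                reasons.add("just under approval threshold")
            t = l["posted_at"]
            if t.weekday() >= 5 or not (WORK_START <= t.hour < WORK_END):
                reasons.add("unusual posting time")
            if l["role"] not in EXPECTED_ROLES:
                reasons.add("unexpected poster")
        if reasons:
            flags[no] = sorted(reasons)
    return flags


if __name__ == "__main__":
    rows = load(LISTING)
    print("Unreconciled accounts:", completeness_differences(rows, TB_MOVEMENT))
    print("Missing / duplicate numbers:", sequence_issues(rows))
    for no, reasons in screen(rows).items():
        print(no, reasons)
```

Every journal returned by the agreed criteria is then tested, so the parameters need to follow from the fraud risks identified for the entity rather than be applied generically.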
When determining the appropriate journals to test, engagement teams need to consider the specific risk conditions/factors identified at the entity. What may be an appropriate approach for one entity might not be appropriate for another. Consider carefully whether the risk conditions/factors you identify are genuinely the risky ones (e.g. do you really think the fraud risk lies with round sum journals posted out of hours?). The criteria applied for selecting journals have to be at a level such that potentially fraudulent journals would be tested. However, clearly there is a balance to be sought and this remains a matter of significant professional judgement. Once we have identified our risk criteria, we are required to test all journals that fall within those criteria.

Year end testing or testing journals throughout the period

ISAs (UK&I) require that we test journal entries at the end of the reporting period, including consolidation journals, because fraudulent journal entries are often made at that time. However, fraudulent adjustments could arise during the period. Therefore we need to consider whether to test journals throughout the period (e.g. if our journal testing is a response to the risk of fraud in revenue recognition, then we test journals posted to revenue throughout the period).

Responding to identified fraud

When our work indicates that fraud has or may have taken place:
the engagement leader calls OGC to discuss the matter; any advice provided by OGC is followed; and the engagement team will also need to complete a suspicious activity report and submit the report to Compliance.
Further consultations may then be required (e.g. with ARQ). The engagement leader and team then discuss and agree a course of action. This may include seeking the advice or involvement of a forensic specialist, for example with regard to:
- the most appropriate approach to determine the full facts and extent of the fraud and its impact on the financial statements;
- the communication of the problem and of recommendations for dealing with it to the client;
- wider legal and regulatory issues; and
- remedial and asset recovery options.
The engagement leader will assess whether sufficient additional work has been performed either to ascertain the impact of the fraud on the financial statements, or to gain reasonable assurance that there is no material impact. The actual and potential magnitude of the fraud, its nature, the extent of concealment, and the staff involved are all factors to consider when determining the appropriate course of action. In situations where adequate information about a suspected act of fraud cannot be obtained, consider the effect of the lack of evidence on our audit report. If we conclude that the effect of the suspected act of fraud on the financial statements might be material, then consider expressing a qualified, or adverse, opinion. If we are precluded by the entity from obtaining sufficient appropriate audit evidence to evaluate whether fraud that may be material to the financial statements has occurred, then consider qualifying our opinion on the basis of a scope limitation, or deny any opinion on the financial statements, following the necessary consultation procedures with ARQ. Teams often struggle to identify and articulate the impact of an actual fraud on our audit strategy and plan. Have we considered whether the fraud is isolated to a specific transaction or process? Have we adequately designed procedures to mitigate the risks that have arisen? Does this yield wider concerns around the control environment and management’s integrity? Consider whether the circumstances surrounding the fraudulent act affect our ability to rely on management's representations or suggest that we should not continue our association with the entity. In reaching decisions on these matters, carefully evaluate whether top management, including the board of directors or its audit committee, gives appropriate consideration to the act after it has been brought to their attention. As ever, consultation is critical in such situations.
And finally…
Remember that our assessment of the risk of fraud does not stop at the planning phase of the audit, but continues throughout the audit process until we sign. Consider whether any:
- fraud risk factors changed or whether there are new risk factors which have arisen;
- of the uncorrected misstatements are indicative of fraud, or fraud risks; and
- of the control deficiencies identified are indicative of fraud, or fraud risks.
We need to be alert to the possibility of additional fraud risks being identified as the audit progresses as well as applying professional scepticism throughout the audit process. Where further risks of fraud are identified during the audit, we design an appropriate response to those fraud risks and document full details on the audit file. At the end of the audit we need to step back and consider whether:
- all fraud risks have been identified;
- fraud risks have been appropriately responded to;
- sufficient audit evidence has been obtained; and
- our work is fully documented on the audit file.
Laws and regulations
ISA (UK&I) requirements
The requirements in ISA (UK&I) 250A are designed to assist the auditor in identifying material misstatement of the financial statements due to non-compliance with laws and regulations. However, the auditor is not responsible for preventing non-compliance and cannot be expected to detect non-compliance with all laws and regulations (i.e. the auditor is not meant to go hunting for non-compliance with laws and regulations but we are required to make an informed risk assessment and design a response to any risk of material misstatement of the financial statements due to non-compliance). The auditor is responsible for obtaining reasonable assurance that the financial statements, taken as a whole, are free from material misstatement, whether caused by fraud or error. In conducting an audit of financial statements, the auditor takes into account the applicable legal and regulatory framework. Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements in the financial statements may not be detected, even though the audit is properly planned and performed in accordance with the ISAs (UK&I). In the context of laws and regulations, the potential effects of inherent limitations on the auditor’s ability to detect material misstatements are greater for such reasons as the following:
- there are many laws and regulations, relating principally to the operating aspects of an entity that typically do not affect the financial statements and are not captured by the entity’s information systems relevant to financial reporting;
- non-compliance may involve conduct designed to conceal it, such as collusion, forgery, deliberate failure to record transactions, management override of controls or intentional misrepresentations being made to the auditor;
- whether an act constitutes non-compliance is ultimately a matter for legal determination by a court of law; and
- ordinarily, the further removed non-compliance is from the events and transactions reflected in the financial statements, the less likely the auditor is to become aware of it or to recognise the non-compliance.
Engagement teams need to focus on the specific laws and regulations that have a direct impact on the financial statements. Further, where teams identify such applicable laws and regulations, they need to identify how the entity has complied with those laws and regulations (e.g. the Companies Act); it is not sufficient just to say that nothing has come to their attention. For other laws and regulations, we need to perform specific procedures to help identify instances of non-compliance which may have a material effect on the financial statements including, where an entity is regulated, inspecting any correspondence with the regulatory authorities and considering, and documenting, the impact, if any, on the audit strategy and plan.
What does this mean in practice?
We need to have discussions within the team and with the management of the entity, including the audit committee where one exists, as to what laws and regulations impact them, focussing on those which, if there was non-compliance, could have a material impact on the financial statements. In our team discussions, this will utilise prior year knowledge and experience of similar entities within the same industry. We also discuss with the individuals at the entity responsible for compliance matters how they ensure that the entity complies with relevant laws and regulations as well as enquiring whether there has been any non-compliance and obtaining details. In larger clients, an in-house legal or compliance department may be responsible for managing the entity’s compliance with laws and regulations. In smaller organisations, this is often more informal and may be performed by someone in the finance team. Consider disclosures made in the annual report such as in the principal risks and uncertainties section. Has the entity identified laws and regulations which we have not considered? If so, document our consideration of these areas.
Some areas which are often covered in the principal risks and uncertainties in annual reports include the Bribery Act, compliance with operating permits, health, safety, environmental and security risks and infringement of intellectual property of others.
As ever, document the team discussions as well as those with management. We also consider correspondence with legal advisers and may also need to discuss issues arising with an entity’s in-house and/or external legal counsel. If this happens after we have performed our initial assessment, then we need to update and revise our assessment of the risk of non-compliance accordingly. In regulated industries, we read correspondence with regulators; it is worth noting that regulators are becoming more active. We also check whether there are press reports of regulatory action within the industry to consider whether the same issues could impact our entity and discuss the matter with those charged with governance. The procedures below may help identify instances of non-compliance with other laws and regulations that may have a material effect on the financial statements:
- use our existing understanding of the entity’s industry, regulatory and other external factors;
- read board minutes;
- read last year’s annual report or the latest draft;
- review the whistleblowing log;
- enquire of management and the entity’s in house legal counsel, or external legal counsel regarding litigation claims and assessments;
- enquire of management as to other laws and regulations that may impact them;
- enquire of management as to the entity’s policies and procedures regarding compliance with laws and regulations;
- enquire of management as to the entity’s policies for accounting for litigation claims;
- inspect correspondence, if any, with the relevant licensing or regulatory authorities; and
- perform internet searches on competitors to see if there have been any significant fines or penalties enforced as a result of non-compliance with laws and regulations; determine and assess if similar situations could be applicable for your client.
The above procedures enable us to assess the risk of non-compliance with laws and regulations and more effectively document our rationale in this area. In addition, we document our evaluation of the design and implementation of controls at the entity in respect of the risk of non-compliance with laws and regulations. We also clearly document our responses to identified risks of non-compliance with laws and regulations. We also include in our representation letter a representation from those charged with governance that all known instances of non-compliance or suspected non-compliance with laws and regulations whose effects should be considered when preparing the financial statements have been disclosed to us. Finally, remember to consider the potential impact of the Bribery Act 2010 – see below for more information. Written representations also provide audit evidence about management’s knowledge of identified, or suspected, non-compliance with laws and regulations, whose effects may have a material impact on the financial statements.
Bribery Act 2010 and Transparency International
We need to assess whether there is a risk of the financial statements being materially misstated as a result of the entity making questionable payments which might be deemed to be bribes, and consequently result in non-compliance with the Bribery Act 2010; this could have significant financial consequences for the entity. This means, for example, considering the culture and business practices within the industries and countries in which the entity operates, to understand the risks of such payments, and also the consequences to the entity in the event of non-compliance.
Transparency International has produced resources that can help in our audits. They are the UK’s leading anti-corruption organisation and you might be aware of the Corruption Perceptions Index and Bribe Payers Index which they update periodically. These indices can help us identify countries where there may be a heightened risk, and these can be useful as part of our risk assessment:
- the 2013 Corruption Perceptions Index measures the perceived level of public sector corruption in 176 countries and territories around the world; and
- the 2011 Bribe Payers Index ranks the likelihood of companies from 28 leading economies winning business abroad by paying bribes.
These indices can be used to assess how the country that your entity is based in, or trades with, ranks in terms of public sector corruption and the likelihood that they might win business abroad by paying bribes. In addition, if we use the work of auditors in countries with a low index (i.e. in a country where there is a high risk of bribery and corruption), then we carefully consider what procedures we need to perform to satisfy ourselves about the quality of their work and document our considerations and findings. Please refer to the 2013 corruption perceptions index and bribery index for detailed information about different countries and then document the impact on your audit. Where we have assessed risks in the area of questionable payments being made, we understand how the client has responded to the Bribery Act 2010 to enable us to complete our assessment of the risk of non-compliance with laws and regulations. Therefore, as part of our discussions with management, those charged with governance, etc., we discuss what processes and controls they have in place to ensure compliance with the Bribery Act 2010, including the results of any whistle-blowing by employees or others.
Required communications
It is likely we will identify matters that we want to communicate with management (e.g. deliberate instances of non-compliance by management need to be communicated to the entity’s legal counsel, the audit committee and the board of directors as appropriate). If we suspect that members of senior management are involved in the non-compliance, then you need to consult with ARQ and, where appropriate, OGC. When we audit the parent company, and another office audits a component, matters related to the component need to be communicated to the group engagement team, and vice versa.
Audit opinion
We need to consider the impact on the audit opinion of any non-compliance.
What action we take depends on the results of our work and whether sufficient audit evidence has been obtained, what actions the entity has taken, what has been disclosed in the financial statements, and any uncertainties. For example, where the entity has paid an illegal dividend, if the entity has made appropriate disclosures and taken action to recover, or has recovered, the dividends, then we may conclude that there is no impact on the audit report. If no disclosures are made and the matter is material, then we have a disagreement with management and would issue a modified opinion. Remember, if you are thinking about issuing an emphasis of matter or modified opinion, then you are required to consult with ARQ.
Materiality
Overall materiality
Our assessment of materiality for the financial statements as a whole is termed overall materiality. We apply professional judgement to determine overall materiality when establishing the overall strategy for the audit based on the results of risk assessment analytical procedures, our understanding of the entity and its environment and discussions within the engagement team. Overall materiality is also considered in evaluating the effect of identified uncorrected misstatements on the financial statements as a whole and the opinion in our audit report (PwC Audit 9015). When the determination of materiality is particularly complex or judgemental, ARQ is consulted. We determine a single quantitative level (that is, one number) of overall materiality based on a selected benchmark (e.g. profit before tax) that is relevant to users of the financial statements. Overall materiality based on this benchmark is applied to the financial statements as a whole and forms the basis for calculating performance materiality. Applying separate quantitative levels of overall materiality (e.g. a certain materiality level for the profit and loss account and a different materiality level for the balance sheet) will not enable us to plan our audit effectively to detect material misstatements. See PwC Audit 2104 for further guidance on materiality for particular classes of transactions, account balances or disclosures.
Professional judgement
Engagement teams apply their professional judgement in determining materiality levels rather than defaulting to a mechanical calculation based on PwC Audit 2102. Engagement leaders often know, based on their experience and knowledge of the entity, what an appropriate materiality level should be and are able to articulate their thought process in determining that materiality. In such instances, teams can use this as a starting point to fit it into the framework guidance in PwC Audit 2102.
We need to balance the materiality framework set out in the Audit Guide with the application of judgement in light of the specific circumstances of the entity for the period being audited.
Total assets
Where total assets is used as the benchmark in determining overall materiality, there is a distinction between PIEs which are ‘not-for-profit’ and those PIEs which are ‘other than not-for-profit’. For not-for-profit entities we can use up to 0.5% of total assets, whereas for other than not-for-profit entities we can use up to 1% of total assets for PIEs and up to 2% for non-PIEs.
Alternative benchmarks
When alternative benchmarks are used (e.g. total revenue for a profit-oriented entity), it is normally expected that the alternative benchmark, together with the generally accepted benchmark, will be evaluated and materiality would be set using professional judgement and based on the most appropriate benchmark in the circumstances of the entity being audited. When using an adjusted profit-based benchmark, it is necessary to consider whether the benchmark is relevant to the users of the financial statements and that the benchmark has been identified by the directors as a financial key performance indicator in the annual report. It is difficult to argue that a benchmark should be used on the basis that it is relevant to users of the financial statements if it is not talked about in the annual report and does not appear in the financial statements in a prominent position (e.g. on the face of the income statement). If you do consider a measure to be appropriate which has not been identified by the directors as a financial key performance indicator in the annual report, then include a clear and robust rationalisation of your decision on the audit file. Consultation with ARQ is also recommended in such situations.
Common adjustments to profit may include interest, tax, amortisation, depreciation and exceptional items or, in the context of owner-managed businesses, remuneration. In the case of exceptional items, exceptional credits, which are often ignored, as well as debits need to be taken into consideration. Whilst other adjustments may be made, they can only be regarded as appropriate if the adjusted-profit measure is demonstrably of interest to users as outlined above as may be the case in determining an underlying profit measure. However, remember that in some cases we will need to explain our benchmark in the audit report or to others. For example, do you think that using a measure of PBT adding back x, y and z and averaging over three or five years would look sensible?
Where adjustments to profit other than those listed above are being considered, contact ARQ by logging an enquiry on IGLO to discuss whether the proposed adjustments are appropriate in the circumstances. Whatever adjustments are made to profit, the documentation in the audit file needs to clearly set out the factors considered in using that benchmark and hence why the adjustments were considered to be appropriate adjusting items. Once the benchmark has been determined, consideration of the appropriate rule of thumb is required. In the scenario of a profit-oriented PIE where 5% of PBT could be used, using 5% of an adjusted profit benchmark may not always be appropriate. In considering whether the rule of thumb applied is appropriate, the proposed overall materiality as a percentage of PBT is calculated to assess whether it remains reasonable. In other words, taking 5% of an adjusted profit measure which equates to 30% of PBT may not be a sensible option as we have to have regard to PBT as users will not ignore PBT totally. The documentation will therefore include the rationale for the rule of thumb being applied. In the situation where the adjustments to PBT represent genuinely one-off exceptional items (debits and/or credits), a 5% rule of thumb is normally considered acceptable. We also need to bear in mind situations where we are required to disclose the basis on which overall materiality has been determined in the audit report. In such situations, consider how you will describe your overall materiality to users of the financial statements.
Performance materiality
The AQR team’s thematic review on materiality identified that “auditors should demonstrate consideration of risk in setting performance materiality and avoid, as a default, simply setting this at the highest level allowed under the firm’s guidance”. The Audit Guide has been updated to provide three specific levels of haircut (10%, 25% and 50%) which can be applied as appropriate.
Rather than using any haircut percentage within the range of 10% to 50%, engagement teams are encouraged to choose between the three haircut percentages based on evaluating relevant risk factors, although we expect the 10% haircut to be used in rare circumstances. Engagement teams currently using other haircut percentages (e.g. 33%, 40%) need to consider the appropriateness of continuing to do so and are encouraged to select one of the specific percentages above to promote further consistency across our audit engagements and increase efficiency of our documentation. Consider whether changing the haircut (e.g. from say 33% to 25%) is appropriate and document the rationale. However, it is generally not expected to result in significant changes in the aggregation risk, as long as the engagement team appropriately consider the related factors. Teams may consider consulting when the factors affecting the haircut percentage have changed significantly.
The following table summarises the factors supporting various haircut percentages:
Factors supporting the haircut*
History of misstatements
- 10%: History of limited, or no, booked or proposed audit adjustments.
- 25%: History of limited, or no, booked or proposed audit adjustments.
- 50%: History of frequent audit adjustments. Significant management turnover that suggests a potential increase in the frequency of audit adjustments.
Risk assessment and aggregation risk
- 10%: The characteristics of the company being audited result in low aggregation risk related to potential misstatements arising from environmental factors (e.g. sufficient qualified management resources are present, there is low pressure to achieve targeted results, the company does not operate in a high risk industry). Aggregation risk is low related to potential misstatements because there are a limited number of significant accounts and a limited number of locations.
- 25%: The characteristics of the company being audited result in low to medium aggregation risk related to potential misstatements arising from environmental factors (e.g. sufficient qualified management resources are present, there is low pressure to achieve targeted results, the company does not operate in a high risk industry).
- 50%: The characteristics of the company being audited result in high aggregation audit risk related to potential misstatements arising from environmental factors (e.g. insufficient qualified management resources are present, the initial audit of a company having never been audited before, there is unusually high pressure to achieve targeted results, the company operates in a high risk industry).
Effectiveness of controls
- 10%: Where testing of operational effectiveness of controls is part of the overall audit strategy, the controls have historically been determined to be operating effectively.
- 25%: Where testing of operational effectiveness of controls is part of the overall audit strategy, the controls have historically been determined to be operating effectively.
- 50%: Expected or known significant deficiencies in controls.
*A haircut lower than 25% may not be used on PCAOB engagements or those subject to PCAOB inspection and would include work performed in support of such an engagement. See below for further restrictions.
Using one of the haircut percentages above will generally be appropriate and facilitate standardisation and effective execution of our audit engagements, as well as efficient audit documentation. We determine an appropriate haircut based on the evaluation of the factors above and considering whether all or some of the factors are present on the engagement. In situations when a combination of various factors is present (e.g. the engagement is considered high risk, but there is no history of adjustments and controls are operating effectively), we would normally select an appropriate haircut using professional judgement and considering which factors are most important to the engagement.
However, in limited circumstances we may consider using percentages other than those above. For example, a percentage between 25% and 50% may be appropriate in some circumstances (e.g. if the risk assessment concludes that the entity has a predominant factor at the higher and lower end of the range and we consider these factors to be equally important). When in doubt, consider consulting ARQ.
Using a 10% haircut
It is expected that the 10% haircut will be used in rare circumstances. Engagement teams carefully consider the factors identified in the table above to determine whether it is appropriate to apply a 10% haircut, together with the following:
- A 10% haircut must only be used where there are a limited number of significant accounts and a limited number of locations.
- A 10% haircut must not be used for:
  - PIEs or full scope components of PIEs; and
  - First year audit engagements.
- A haircut lower than 25% must not be used on PCAOB engagements or those subject to PCAOB inspection, and would include work performed in support of such an engagement.
If you are considering using a 10% haircut, then you need to consult with ARQ first.
Using a 50% haircut
Determine if all the factors above have been appropriately evaluated, and consider consulting ARQ. Consider using a 50% haircut only when the risk factors described above are pervasive across the entity rather than related to specific risks. For those engagements where there are specific risks, consider using a 25% haircut and varying the nature, timing, and extent of testing to address the specific risk items (documenting this as materiality for particular classes of transactions, account balances or disclosures). For example, if there is a history of misstatements and significant risk in a particular account, we may apply a higher haircut to that account (based on our judgement) and apply a 25% haircut for performance materiality to be used for all other accounts.
Documenting in Aura
In Aura v5, the Materiality view has been updated to provide a pre-populated choice of haircut values (10%, 25%, 50% and “other”). PwC Audit 2103 includes factors to consider when selecting the haircut percentage. If we wish to use an “other” haircut percentage, we can do so, but in such cases Aura will display a warning message and will generally necessitate further documentation of the rationale for doing so. We clearly demonstrate our consideration of risk when setting performance materiality with reference to the factors identified in the table above.
De Minimis SUM posting level
We normally select a de minimis SUM posting level of 0, 3, 5 or 10% of overall materiality, applying professional judgement and considering the engagement circumstances. In particular, we consider our experience of the number and amount of misstatements, our risk assessment and the expectation of management and the audit committee. In practice, we generally select a SUM posting level of 5% of overall materiality.
Disaggregating materiality
When is it necessary to disaggregate materiality?
Within an FSLI, performance materiality may be applied to each sub-component and there is no need to disaggregate performance materiality to perform tests of details on each sub-component. However, there are certain considerations to be made. For example:
We need to test FSLIs which are immaterial, but consist of material debit and credit elements (e.g. a net pension surplus/deficit). If we target test each element for coverage, or use risk based characteristics based on our performance materiality, then we need to aggregate the untested balances in each element of the FSLI to determine the untested balance for the whole FSLI and consider if we have a material untested balance left what further evidence is needed, if any. We need to complete some substantive work on all material FSLIs, so where every sub-FSLI element is immaterial, but the FSLI is material, some substantive testing is still required.
If substantive analytical review is being completed, further consideration is required to disaggregate materiality when assessing an acceptable threshold for exceptions. In areas of significant risk where the test of details is the only source of audit evidence, consider whether you need to disaggregate materiality (e.g. when testing multiple revenue streams).
Disaggregating materiality when performing substantive analytical procedures
Where we have determined that substantive analytical procedures are appropriate, we need to determine an appropriate threshold; this is the level above which we will need to investigate differences from our expectation. The threshold that we determine for substantive analytical procedures will depend on a number of factors:
- desired level of evidence from the analytical procedures – the greater the evidence sought from the procedure, the lower the threshold;
- the precision of the expectation – the more precise the expectation is, the lower the threshold should be;
- overall materiality and performance materiality, including the impact of disaggregation; and
- the type of analytical procedure and the rigour with which it is applied.
Materiality, and hence disaggregating materiality due to the disaggregation of data, is just one component in determining an appropriate threshold for the substantive analytical procedure.
Materiality in a group audit context
PwC Audit 2333 and PwC Audit 2334 set out the basis on which group materiality is determined and outline the optional component materiality framework which many teams apply. If materiality is being determined for group reporting, then it will be determined or approved, and advised to the component auditor, by the group engagement team. If materiality is being determined for the purposes of group reporting and local statutory reporting, then materiality is determined at the component level, whilst considering group requirements and agreeing the amount with the group engagement team. In most situations, component materiality will exceed local statutory materiality, but this is not always the case and hence both materialities need to be assessed. The component team should alert the group engagement team if, for example, their statutory materiality is higher than their allocated component materiality. This can happen in a group where there are components making significant profits and losses. The component auditor is also required to communicate their performance materiality to the group engagement team, because the group engagement team is required to evaluate its appropriateness. Teams are reminded of the ISA (UK&I) 600 requirement that materiality at the component level should be lower than overall materiality for the group financial statements as a whole. ARQ have identified, through a matter raised by the AQR and also through the HPC reviews, that there may be a number of teams who have set component materiality equal to group overall materiality.
Where group teams identify that component materiality has been set equal to group overall materiality, materiality will need to be revised downwards for those components to a level that is below group overall materiality. It is the engagement leader's judgement as to what would be considered an acceptable level, taking into account the materiality and risk profile of the component and the level of aggregation risk within the group; ISA (UK&I) 600 is not prescriptive in this respect. Further, it would be reasonable to expect that, for certain larger components, materiality would remain at a level that is approaching group overall materiality, but at a level that leaves some headroom to accommodate misstatements arising elsewhere in the group. Remember that you need to be clear when advising component auditors whether you are advising them of the overall materiality to be applied, the performance materiality, or both. This is to avoid any confusion between the group engagement team and component audit team.
Reassessing materiality at the final audit

We reassess our determination of overall materiality, performance materiality and group and component materiality at the final audit. Where materiality has reduced since the original assessment made at planning, we need to evaluate the impact on our audit plan. Do not panic and assume that this will mean that significant amounts of additional testing are now required. Instead, carefully evaluate the impact of the change in materiality on an FSLI by FSLI basis and assess whether the audit evidence we currently have remains sufficient or whether additional audit evidence needs to be obtained. In some cases you may be able to rationalise that no further audit evidence is required based on the risk assessment and the totality of audit evidence already obtained. Where non-statistical sampling has been used, if the change in the sample size is insignificant, again you may be able to rationalise that no further audit evidence is required based on the risk assessment and the totality of audit evidence already obtained. However in other instances, further audit evidence will be required. Before we undertake further work, the nature and extent of further testing is discussed and agreed with the engagement leader. Our assessment of the impact of the change in materiality and revisions to the audit plan are documented on the audit file and, where significant, are approved by the engagement leader and QRP, where one has been appointed.

Reporting to those charged with governance

ISA (UK&I) 260 requires the auditor to communicate with those charged with governance an overview of the planned scope and timing of the audit. Matters communicated would ordinarily include the application of materiality in the context of an audit. Our communication may include a general explanation of how materiality is applied on the audit and, if the engagement leader considers it appropriate, it may also include:
- an indication of the broad quantitative range within which our overall materiality judgement will lie;
- the broad impact that this will have on our performance materiality; and
- the de minimis SUM posting level.
In the UK, it is becoming common to be more transparent in our communication of materiality, partly as a result of the requirement in our audit of certain companies to disclose materiality in the audit report. Therefore, our communication may include the amount of overall materiality, performance materiality and the de minimis SUM posting level. However, we need to make clear that there are also qualitative factors that will impact on our assessment of whether misstatements identified during the audit are material. Refer to PwC Audit 2210 for further guidance on communicating our summary audit strategy. If we have communicated our materiality assessments to the client and our approach to materiality changes significantly during the course of the audit, then communicate the change to the entity and the impact on our plan, if any. Further, if there are significant changes between the presentation of the audit strategy and plan and the final audit clearance meeting, then these changes are communicated to those charged with governance.
Other planning reminders

Planning top tips

The audit needs to tell the whole story and hence all the different parts of the audit have to link together. As a starting point, do you understand the business processes, transaction flows, systems and, in effect, how the FSLI comes into existence? Whilst you may understand the accounting policy for the FSLI, do you understand how the accounting policy for the FSLI is actually effected into the books and records? The benefits of this understanding can be huge. It will help you perform an effective and focussed risk assessment, specifically:
- understanding precisely what within the FSLI is driving the risk;
- what the relevant assertions are; and
- to develop a focussed, effective and efficient planned audit response to the identified risks and assertions within that FSLI.
When developing the audit plan, think holistically by considering all evidence planned to be obtained from the business process as well as evidence from the corresponding double entry; never plan the audit of an FSLI in isolation. A poor understanding at the planning stage leads to poor quality and inefficient audits. Invest the time in understanding the entity and planning our audit and involve the engagement leader throughout, as it will ensure that we do the right work and save time later on.

Risk assessment

Risk assessment analytics

It is an ISA (UK&I) requirement for risk assessment analytics to be performed for every entity for which we sign an audit opinion, but what is the point of performing risk assessment analytics? Whilst they do not provide direct audit evidence, when performed well, they help us identify potential risks and where to focus our audit effort. At a basic level, risk assessment analytics confirm whether there are any risks we have missed or whether there is anything unusual, or something which does not appear consistent with our knowledge of the business, or which simply does not make sense. This enables us to make further enquiries to help determine what work, if any, is required. The effectiveness of risk assessment analytics depends on our understanding of the entity and its environment, the level of disaggregation of the data and the use of our experience and professional judgement. Therefore, you need to involve suitably experienced members of the team. When performing risk assessment analytics, we may set a threshold in terms of an absolute number or a percentage and simply review for what is ‘unusual’:
Risk assessment analytics do not need to be performed at the same level of precision and disaggregation as substantive analytics since risk assessment analytics are not designed as a source of audit evidence. Hence, the threshold is generally higher than the threshold used for disaggregated substantive analytics and generally will be performance materiality. In defining what may be ‘unusual’, we do not necessarily need to define it at the start of the process. Auditors, using their experience and knowledge of the entity, will generally know when something is unusual or odd when they see it and it is at that stage that they can articulate why it is unusual or odd. However, it is always useful to document the factors you may be looking for.
Remember not to fall into the trap that just because a number is the same as last year, then it is OK. Ask yourself “should it be?”. Sometimes, the fact that a number is the same is wrong and needs further investigation. Also remember that, just because the risk assessment analytics indicate that further work may be required, this may just be further investigation to get a better understanding of the facts and once we have that enhanced understanding, we are able to conclude that no further work is needed. The EGA for risk assessment analytics in each FSLI has been updated in the 2014 Aura libraries. Refer to PwC Audit 5012 for further guidance on risk assessment analytics.
Assess risks

Being clear as to why a risk is normal, elevated or significant is essential and ensuring that the file reflects that rationale is critical. In documenting your rationale it can be helpful to think in terms of nature, likelihood and magnitude. This is particularly helpful in being able to rationalise why an elevated risk is not a significant risk or why a significant risk is not an elevated risk. Having the documentation on file to explain why the risk has been classified as it is will also help you determine your response.

Also remember to be as specific as you can as to where or what in the FSLI is driving the risk. When considering the risk of fraud in revenue recognition we are very good and precise at stating that the risk is in manual journals within the X revenue stream with the relevant assertion being occurrence. Outside of the risk of fraud in revenue recognition, we tend not to get to that level of granularity yet, by doing so, we can better focus our audit effort to where it really matters.

If you describe elevated risks, don’t use words such as “high” or “significant” as this implies the risk is a significant risk. Where there is a need to use these words to describe the risk concerned, you need to consider whether this risk is actually significant rather than elevated. Pay particular attention where you have previously categorised a risk as significant and you are now classifying it as elevated that you do change the terminology such as “high” or “significant” in your description of the risk and that your explanation supports the classification.

How we explain our risks to those charged with governance needs to align to, and be consistent with, the audit file. Avoid discussing risks with those charged with governance using different language. We frequently have regulatory findings where the audit file indicates we have, say, three significant risks, but the audit planning document implies we have many more due to the language we have used.
This clarity and consistency is even more important in light of the new enhanced audit report.
Risk slider settings

Getting the slider settings right is essential in determining the audit strategy and then the audit plan. As a reminder, there are six ‘recommended optimal’ risk slider combinations which will be applicable in the majority of scenarios; remember that this does not mean that other slider settings are wrong, but you should challenge yourself as to whether you have the optimal approach. These are detailed in PwC Audit 4024 and are as follows:

Slider settings

| Inherent risk | Expected controls reliance | Planned substantive evidence | Scenario |
| --- | --- | --- | --- |
| N | N | L | This strategy would be typical for a normal risk where either tests of details and/or properly designed substantive analytical procedures are expected to provide all the required evidence. |
| N | H | L | This strategy would be expected where a largely controls based approach is adopted. The substantive work will frequently be leveraged from another risk and may include substantive analytical review. |
| E | N | M | This strategy would be typical for an elevated risk where either controls are not in place or we cannot effectively or efficiently rely upon those controls. |
| E | H | L | This strategy would be typical for an elevated risk where effective controls exist and can be efficiently tested. |
| S | N | H | This strategy would be typical for a significant risk where either effective controls do not exist or they exist, but cannot be efficiently tested (note that you are required to evaluate the design effectiveness of relevant controls and determine whether they have been implemented). Substantive testing is required to include tests of details. |
| S | H | L | It is often the case that a significant risk arises because of circumstances where controls can be overridden (e.g. related party transactions) or do not exist due to the nature/frequency of the risk. However, where controls over a significant risk can be identified and their effectiveness can be efficiently tested, this would be an acceptable testing plan. The substantive testing will normally include tests of details. |
When the slider settings are not consistent with common testing strategies based on ISAs (UK&I) and PwC Audit, Aura displays an alert. You would either need to change the sliders, or document in the system-prompted explanation why the setting is appropriate. As you know, without doing this, the risk cannot be marked as prepared. When setting the risk sliders, set the slider based on the level of planned substantive evidence you need, not the level of substantive evidence the testing will provide. Let’s consider bank and cash as an example. The typical slider settings will be normal risk, no controls reliance and low planned substantive audit evidence. However, sending bank confirmation requests actually gives you a high level of substantive evidence. But we do not change the slider setting to high planned substantive evidence as we only need to obtain a low level of substantive evidence.
The risk is that we end up over-auditing as we do not challenge the work we are planning to do. Therefore, never set the sliders to match the work we are planning to do, but instead challenge where we are getting more audit evidence than we need and ask whether we actually need that level of audit evidence. If we conclude that we do need a higher level of audit evidence, ask why that is and whether we need to change our risk assessment.

Another example where you need to carefully consider risk slider settings is where you plan to perform the two-step approach for auditing revenue. One of the criteria which needs to be met to apply the two-step approach is that the level of evidence related to the existence of accounts receivable from confirmations or from liquidation testing (i.e. after-date cash procedures) is either moderate or high. Where the risk relating to accounts receivable is normal, we recommend creating another risk for accounts receivable relating solely to existence and set the planned substantive evidence slider as moderate or high depending on the planned level of evidence gathered. The original RoMM would then address the remainder of the assertions.

ISA (UK&I) 700

ISA (UK&I) 700 was revised in 2013 and now requires, amongst other things, the following information to be provided in the audit reports of companies which are either required to, or voluntarily choose to, comply with the UK Corporate Governance Code, or explain where they do not:

1. describe those assessed risks of material misstatement that were identified by the auditor and which had the greatest effect on the overall audit strategy, the allocation of resources in the audit, and directing the efforts of the engagement team;
2. provide an explanation of how the auditor applied the concept of materiality in planning and performing the audit. Such explanation shall specify the threshold used by the auditor as being materiality for the financial statements as a whole; and
3. provide an overview of the scope of the audit, including an explanation of how the scope addressed the assessed risks of material misstatement disclosed in accordance with item 1 and was influenced by the auditor’s application of materiality disclosed in accordance with item 2.

As we are now disclosing the overall materiality and how it has been calculated, it is even more important that our rationale for the determination of materiality is clear and robust. It is also more important than ever that the risks in the audit file, our various communications to management or the audit committee, the significant issues which the audit committee have identified in the preparation of the financial statements and the areas of focus in the audit opinion are reconciled. Whilst we do not expect them to be identical, we need to have documentation on file which reconciles these items and explains any differences. To assist teams in their documentation, the EGA 'Other auditing and completion procedures' was updated to include what you need to do in relation to drafting the new look PwC audit report, including mapping the significant risks in your Aura file to:
- the matters communicated to the audit committee in our audit committee report (and audit plan if different);
- the 'areas of particular audit focus' in the audit report; and
- the significant issues described by the audit committee in the front half of the annual report.
Internal audit

Enquiries of internal audit

ISA (UK&I) 315 requires risk assessment procedures to include enquiries of appropriate individuals within the entity which include, amongst others, the internal audit function who may have information that is likely to assist in identifying risks of material misstatement due to fraud or error. This means that audit teams need to enquire of internal audit and document this on the Aura file even if they don’t plan to use any of the internal audit function’s work. In addition, where an internal audit function exists, we are required to read their reports as part of our risk assessment and audit planning process.

Direct assistance

ISA (UK&I) 610 (revised) no longer permits the use of internal audit staff as members of the external audit engagement team and hence they are not allowed to perform audit procedures (referred to as ‘direct assistance’) with effect for periods ending on or after 15 June 2014.
Direct assistance refers to situations where, for example, a member of internal audit works as part of our audit team directly under our control, or where we select a sample of items and internal auditors test those items and provide the resulting working papers directly to us. It would not include situations where we discuss the scope of internal audit’s work at the planning stage. This is because the work is subject to internal audit’s usual direction, supervision, review and reporting procedures and processes.

Remember that the prohibition of the use of direct assistance extends to component teams as well where their work contributes to an ISA (UK&I) opinion. Therefore, as the group engagement team, you will need to communicate this prohibition to component teams because the international version of ISA 610 does not include such a prohibition and hence they may be planning to use internal audit in a direct assistance capacity.

Use of ISAE 3402 controls reports on service organisations

Clients use service organisations for a variety of services (e.g. to process the payment of payroll) and many have ISAE 3402, or equivalent, controls reports which we can obtain. Often we see files where the report is attached but there is no documentation as to what we have used it for or there are references to reliance on the controls report without a clear articulation as to how we have used the report or any evidence that the report has been read. Where we decide to obtain a copy of a service organisation’s controls report we have to be clear as to the purpose for getting the report and document clearly on the audit file how the report will be used and incorporated in the audit plan (i.e. if all we are doing is to understand the service organisation’s processes and controls, then just state that). If we are planning on relying on controls, then:
- be clear that is what we are doing;
- be clear as to which controls you are planning to place reliance on and check that they are mapped in the Aura file and linked to the controls report;
- consider any gap period and determine what further procedures are needed;
- appropriately deal with any exceptions identified in the controls report (PwC Audit 6043 contains the relevant guidance to help you determine what needs to be done); and
- determine what further controls testing or other audit procedures are needed at our client.
Audit of tax

In 2013, the “Planning for the Audit of Tax” elective at the classroom day introduced new tools to help audit teams plan more effectively for the audit of tax, thereby driving quality and efficiency. If you did not attend the classroom session or you would like to refresh your knowledge, then a remote access version is available to complete. Further information is also available by reading Technical Alert 109.

We also launched the tax benchmarking web enabled tool in late 2013. It is strongly recommended that the scores gathered as part of the completion of the ‘Understanding the tax control environment’ tool are input into the tool which provides insights by enabling benchmarking of clients against both peers and best practice. There is also a risk assessment tool to assist teams to determine whether tax on their client is straightforward or complex. The tool assists in identification and documentation of the tax risks relevant to clients which drives the build of the work plan and the correct use of tax specialists. Remember to involve tax specialists if you have a complex tax engagement and ensure that they document their work in Aura in the new EGAs.

Estimates

Remember that our risk assessment needs to cover all FSLIs where estimates arise. Needless to say, whilst some estimates will have a bigger impact on the financial statements than others, teams often forget other estimates when performing their risk assessment.
An ISA (UK&I) requirement which teams often forget is the need to review the outcome of prior year accounting estimates or review the re-estimation for the purpose of the current year. As a reminder, the results of these procedures performed need to be documented on the Aura file together with:
- our understanding of the basis for the estimate;
- why we consider it reasonable or not; and
- what we have done or plan to do to audit the estimate.
Further guidance on auditing estimates can be found in PwC Audit 7070.

Confirmations

When requesting a confirmation about assets such as investment securities from an investment manager and custodian, do you understand what evidence the confirmation will give you and does it achieve what you want it to? These questions apply to any confirmation being requested. Typically, the investment manager will provide evidence over valuation and the custodian evidence over existence. Sometimes a custodian confirmation will include a valuation but this may not always be the latest up-to-date valuation and hence further confirmations and/or testing may be required. Where the investment manager and custodian are part of the same group, you need to consider whether the investment manager and custodian are actually independent of each other. Audit teams may need to perform procedures to conclude that they are independent. Further procedures are required where they may not be independent of each other as this could indicate a heightened risk of fraud. Refer to PwC Audit 7052 for further guidance.

Finally, a new electronic confirmation tool is currently in development with the aim of being available for December 2014 audits. Watch out for future communications from Assurance Transformation.

Referred reporting audit engagements and ‘letterbox’ audits

Referred reporting audit engagements (RRAEs) are scenarios where a significant part of the audit work on the financial statements is undertaken by another network member firm (the ‘overseas supporting firm’). RRAEs can either be entity audits or group audits (often also referred to as ‘letterbox’ audits). To be able to perform any audit, we have to be competent in the GAAP, and the laws and regulations, of the country in which the entity is incorporated and operates.
Therefore, problems arise when the financial statements are prepared in accordance with a ‘local’ GAAP (UK GAAP, Dutch GAAP, Luxembourg GAAP, or other similar local GAAPs) as member firms do not train staff in local GAAPs of other territories. Hence, overseas supporting firms may not have the relevant competence to be able to issue an RRAE opinion on whether financial statements have been prepared in accordance with the relevant local GAAP, or with the applicable laws and regulations. Under previous guidance, the ability of an overseas supporting firm to issue an appropriate RRAE opinion in these circumstances was restricted and alternative reporting options explored on a case-by-case basis. New globally approved reporting guidance and illustrative reports have been agreed that should facilitate overseas supporting firms being able to issue an RRAE opinion on financial statements prepared under a local GAAP; the aim being to provide clarity as to what work has been performed by the overseas supporting firm and what work remains the responsibility of the engagement team in the territory where the external report is being issued, such that a quality audit is performed and that nothing has been overlooked. This new approach allows a number of options for the type of report issued by the overseas supporting firm, including:
- utilising staff from the network firm issuing the external audit report to bring the relevant competence in local GAAP financial reporting onto the team, enabling a local GAAP RRAE opinion to be issued by the overseas supporting firm;
- issuing an RRAE opinion based on having audited the financial statements with reference to a group accounting manual (in the correct GAAP) or accounting policies disclosed in the financial statements and an appropriate disclosure checklist;
- issuing an RRAE opinion based on having audited the financial statements with reference to IFRS as a base framework, except for certain line items or disclosures where the instructions communicate areas of GAAP difference and how they should be audited. In doing so, it recognises that, in many of these RRAE scenarios, the financial statements are not complex and that, although the local GAAP itself is not considered sufficiently close to IFRS, the impact of preparing the financial statements in accordance with that local GAAP, including local laws impacting the financial statement presentation and disclosure, may not result in extensive differences had those financial statements been prepared in accordance with IFRS, and any such differences that do arise can be readily identified.
Updated guidance and reporting templates have been included in the UK Reporting Manual and Template Manager. PwC Audit 2400 has also been updated to include the following reminders when conducting an RRAE:
- The UK engagement team member’s responsibility to have sufficient involvement at each stage of the audit: planning, execution and completion, when the UK firm issues the external audit report; and guidance on what 'sufficient involvement' means in practice.
- Responsibilities of UK members of the engagement team when the UK firm issues an audit opinion on group financial statements, including:
  - responsibilities for issuing the group audit instructions in addition to RRAE instructions (see PwC Audit 2425); and
  - responsibility for conducting audit procedures on the ‘consolidation’ (see PwC Audit 2434).
- Considerations for file structures and access by engagement team members from an overseas network firm that is issuing the external audit opinion.
Group and component audits

Now a few reminders on group and component audits...

Determine components

The first step when scoping a group audit is to really understand the group and its structure (i.e. how do the numbers come together). Then we need to determine what a component is. A component is typically the entity or business activity for which management prepares financial information that is included in the group financial statements. For example, this may be based on organisational structure, geographical location, function, process, product or service. Key considerations include:
- How does the entity manage the business?
- At what level are there discrete sets of auditable financial information?
- How is the business consolidated?
- How do the management level / consolidation level / legal entity level overlap?
Remember that you can have components at different levels within a group; in some instances sub-consolidations may exist which may be a more appropriate component. But, whatever you determine to be the components, it is important to clearly define what a component is in the context of the group and its structure on the Aura file and to explain your rationale for the decisions taken.

Evidence required from components

Once the components have been identified, the group engagement team needs to work out what evidence is required from each of the components:
- For financially significant components, a full scope audit of its financial information is required.
- For significant components which are significant as they include significant risks, the procedures can vary from a full scope audit, an audit of one or more FSLIs, or specified audit procedures.
Group engagement teams consider if they can focus on components where local statutory audits are performed in the group reporting timeline to be more efficient and effective in gathering audit evidence.
Remember that for insignificant components, we need to perform group level analytical procedures; these are risk assessment analytical procedures in nature and are aimed at identifying whether there are any further risks of material misstatement in the group financial statements, and need to be performed by someone with the appropriate knowledge and experience.

For each component, the group engagement team documents clearly and concisely the planned evidence to be obtained by component and why; this is especially important where we have similar components, but are adopting different approaches. This will also help teams to identify any components over which no work is being performed and to then justify why no work is required or to document the evidence required.

In addition to the assessment of components, we also need to look at each FSLI to assess the level of audit evidence being obtained compared to the materiality of the FSLI and the risks of material misstatement. This will help identify those components where we want an audit of an FSLI or specified procedures to be performed over the FSLI to ensure that we have sufficient audit evidence. We want to avoid a situation where a component is insignificant and the group level analytics did not highlight anything, but it has an FSLI which is material to the group.

The Assurance Transformation guide on scoping, the Centre of Excellence and ARQ are there to help you get the scoping right so consult as needed. But remember that the audit file reflects all your scoping decisions including your rationale for what you are doing.

Group auditor’s involvement

The group engagement team needs to direct and control the group audit. They need to evidence this in the Aura file during the planning phase by scoping, performing risk assessments and planning the procedures to be performed by the component team.
At the planning stage, they also consider how they are going to review and evidence their involvement in the component auditor’s work. This can be documented for example in a summary that shows the components, the audit evidence required (i.e. full scope audit) and also the planned involvement (e.g. engagement leader visiting x number of components, the director x number of components and conference call for the other components). When considering visiting the components, the group engagement team focuses on those components which they are most concerned about.

Clearly document on the audit file your planned involvement in the component auditor’s work, why you are planning to do what you are doing and discuss your plans with those charged with governance. If plans change, inform them of the change and why the change was made. Remember you have to justify what you did and why you consider that you were sufficiently involved in their work and that it also enabled you to adequately understand the group, the audit and the results of the audit work in those components. Refer to Audit methodology volume 4: Group scoping component selection for further guidance.

Materiality

Guidance on setting component materiality can be found in PwC Audit 2334. When determining component materiality:
carefully consider which components need to be included in the component materiality calculation and which to exclude (i.e. do not include those components where we are performing audits of FSLIs only); component materiality needs to be less than group materiality – this is an ISA (UK&I) 600 requirement; rather than allocating the entire multiple to the components, leave yourself some headroom in case of changes to materiality and/or components
Audit teams are reminded of the requirement at the year end stage of the audit to reassess materiality as determined at the planning stage for final year end results. This reassessment may mean that the component materiality calculations need to be reworked and may result in lower materialities needing to be advised to component auditors. Allowing headroom in the initial allocations may help mitigate the impact where group materiality is lower at the year end than originally planned.
Finally, communicate any changes in materiality to those charged with governance together with the impact on our audit strategy and plan and document your judgements on the Aura file in all instances where judgement has been applied.

Planning sign-off

Signing off planning as soon as possible helps to minimise the risk that the fieldwork is misdirected. However, in some situations the planning sign-off is postponed by engagement teams due to a perception that it is not appropriate to do so before all planning activities have been completed, especially in relation to understanding and evaluating an entity’s internal control.

PwC Audit 4025 has been clarified to explain that we may consider it inefficient and/or impractical to perform procedures other than enquiry in determining implementation of control activities prior to planning sign-off. For example, this may be the case when a single audit visit is planned at the end of the financial year and it is not considered practical to perform another visit solely for the purpose of evaluating control activities. Delaying the point of planning sign-off in such situations will be undesirable, as it may discourage other planning procedures from being performed on a timely basis and is generally unsupportive of timely, effective planning, including resource planning. In such cases it may be appropriate to perform further internal control evaluation procedures in addition to enquiries after the planning sign-off.

We need to consider if we have obtained sufficient understanding of internal controls to be able to sign off planning, so that we can effectively and efficiently move forward with our engagement. However, where we plan to perform further internal control evaluation procedures after the planning sign-off, we need to remain alert to the increased likelihood of the need to modify the audit strategy and plan as a result of the finalisation of the internal control evaluation procedures.

Significant matters

Think before you write – a simple structure for a significant matter can be:

- state what the risk or issue is;
- state what our judgement or conclusion is;
- explain the rationale for our judgement or conclusion; and
- articulate the evidence we have to support our judgement or conclusion.

Here are some top tips for writing and reviewing significant matters:

- Start drafting early – do not leave it to the last minute
- Consider the structure
- Tell the story from start to finish – document relevant content as it evolves
- Document all key discussions
- Demonstrate how we have applied professional scepticism especially to show how we have challenged management’s decisions
- Explain the rationale and logic for our conclusion
- Walk the reader through the evidence obtained
- Consider whether we have obtained sufficient audit evidence
- Ensure our conclusion is clear – start with the conclusion as you may need to sign-post the judgement upfront where the significant matter is long to enable the reader to focus their review
- Write clearly, concisely and avoid jargon
- Be precise in the language used
- Allow plenty of time for engagement leader and QRP review, time to deal with their comments and time for their re-review – do not deliver it just before you expect them to approve it
- Allow time for central consultation if needed
- Step back at the end and cold read the significant matter:
  o Does it make sense?
  o Does it stand-alone?
  o Are the judgements supported?

There are some good examples of significant matters available on PwC Audit 1143 covering:

- management override of controls;
- professional scepticism; and
- goodwill.

This document has been prepared for the intended recipients only. To the extent permitted by law, PricewaterhouseCoopers LLP does not accept or assume any liability, responsibility or duty of care for any use of or reliance on this document by anyone, other than (i) the intended recipient to the extent agreed in the relevant contract for the matter to which this document relates (if any), or (ii) as expressly agreed by PricewaterhouseCoopers LLP at its sole discretion in writing in advance. © 2014 PricewaterhouseCoopers LLP. All rights reserved. 'PricewaterhouseCoopers' refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) or, as the context requires, other member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.