THE CONTROL ENVIRONMENT OF A COMPANY
The purpose of this article is to provide candidates with a more detailed appreciation of matters pertinent to an auditor, focusing on the need for the auditor of a large limited liability company (in the UK – a limited company) to evaluate the effectiveness of the company’s control environment.
ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, sets out the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment including the entity’s internal control. One of the five components of internal control is the control environment and it is recognised that the control environment within small entities is likely to differ from larger entities. Many candidates have not yet had the opportunity of working in larger entities, or have chosen not to, so have not been exposed to working within the type of strong control environment often referred to in auditing texts. Consequently, they often have limited experience on which to draw when answering exam questions that require anything other than superficial knowledge of an entity’s control environment.
This article aims to provide common examples of matters the auditor needs to consider when assessing an entity’s control environment, and in making an assessment as to their impact on the risk of material misstatement in the financial statements. Reflecting the general trend of exam questions testing knowledge of this area, the article focuses on the need for the auditor of a large limited liability company (in the UK – a limited company) to evaluate the effectiveness of the company’s control environment.
A company’s control environment comprises seven elements each requiring careful consideration by the company’s auditor, recognising that some elements may be more pertinent than others – depending on the subject company. Each one of these elements is identified below, along with an explanation of specific practical aspects that may be considered by the auditor when evaluating its effectiveness. Candidates should be aware that this process forms part of the auditor’s assessment of the overall effectiveness of the company’s internal control, relevant to the audit.
1 Communication and enforcement of integrity and ethical values
Many companies have high values and seek to promote honesty and integrity among their employees on a day-to-day basis. Clearly, if it is evident that such values do exist and are communicated effectively to employees and enforced, this will have the effect of increasing confidence in the design, administration and monitoring of controls – leading to a reduced risk of material misstatement in a company’s financial statements. For example, where a company adopts comprehensive anti-bribery and corruption policies and procedures with regard to contract tendering, and has formal employee notification and checking practices in this regard, it follows that there is reduced risk of material misstatement due to the omission of provisions for fines for non-compliance with relevant laws and regulations. Alternatively, the existence in a company of comprehensive and ethical procedures with regard to the granting of credit facilities to customers and the pursuance of payment for goods and services supplied, together with regular supervisory control in this respect, is likely to lead to increased audit confidence in the trade receivables area. This is because the existence of a system allowing goods and services to be supplied on credit to customers provides the opportunity for fraud to be perpetrated against the company by employees and customers, particularly if controls are deficient in terms of their design or implementation.
2 Commitment to competence
Competence is the knowledge and skills necessary to accomplish tasks that define the individual’s job. It is self-evident that if individual employees are tasked with carrying out duties that are beyond their competence levels, then desired objectives are unlikely to be met. For example, there is an increased probability that the objective of avoiding material misstatement in a set of complex financial statements will not be met if prepared by an inexperienced company accountant. This is simply due to the inexperience (translating to a lower competence level) of the accountant. From this, it follows that the auditor will have increased confidence in internal control relevant to the audit, where management have taken measures to ensure employees who participate in internal control are competent to carry out relevant tasks effectively. Measures taken by management in this regard can cover a range of activity including, for example, rigorous technical and aptitude testing at the employee recruitment stage, and in-house or external training courses and mentoring from more senior colleagues.
3 Participation by those charged with governance
The directors of a limited liability/limited company are charged with the company’s governance. As such, they are responsible for overseeing the strategic direction of the company and its obligations related to its accountability – for example, to governments, shareholders and to society in general. In particular, in most jurisdictions the company’s directors are responsible for the preparation of its financial statements. Given the influence that the actions of directors have on a company’s internal control, the extent of their day-to-day active involvement in the company’s operations has a pervasive effect on the internal control of the company.
The extent to which directors do get involved will, to some extent, depend on legislation or codes of practice setting out guidance for best practice in given jurisdictions. For example, the UK Corporate Governance Code (with which companies listed on the London Stock Exchange should comply) sets out standards of good practice, including those pertaining to board leadership and effectiveness. Notwithstanding legislation and codes of practice, the extent of each director’s participation is largely influenced by the nature of their professional discipline and their individual perspective about how they should carry out their respective roles. Some may see themselves as micromanagers, while others will trust subordinates to carry out defined duties with minimal interference. Frequently, directors will be very experienced and adopt an arm’s-length approach to getting involved in operational tasks. However, they may insist on monitoring activity by way of receipt of formal narrative reports. Other directors may adopt a more casual (but equally thorough!) ‘working alongside subordinates’ approach as a method of monitoring activities.
All of the variables mentioned above with regard to director involvement should be important considerations of an auditor as part of the process of ascertaining the extent of internal control in the company and in assessing its effectiveness.
4 Management’s philosophy and operating style
A company’s board of directors will comprise individuals each with a different mindset as to philosophy and operating style, manifested in characteristics such as their:
approach to taking and managing business risk
attitudes and actions toward financial reporting
attitudes toward information processing and accounting functions and personnel.
Each of the above characteristics underlies a company’s control environment and it is crucial for an auditor to have an understanding of them. Dealing with each in turn:
Approach to taking and managing business risk. Business risk is the risk inherent in a company as a consequence of its day-to-day operations and it comprises several components. The first of these is financial risk – for example, the risk that the company may have insufficient cash flow to continue in operation. The second component is operational risk – for example, the risk that the company’s product lines may decline in popularity leading to a sharp decline in sales and profitability. The final component of business risk is compliance risk – for example, the risk that the company may be in breach of health and safety regulations, leading to the possibility of hefty fines or even the closedown of operational activity.
Candidates should be aware that a risk-based approach to an audit requires the identification and assessment of inherent risk factors and then of the control risk pertaining to these, in order to determine the risk of material misstatement, prior to carrying out substantive procedures. By adopting a top-down approach to the audit and first identifying business risks, auditors should be able to identify the associated inherent risks arising. They can then progress through the audit using the audit risk model (audit risk = the risk of material misstatement x detection risk) to determine the amount of detailed testing required in each area of the financial statements. To illustrate this approach, referring to the compliance risk example above, an inherent risk arises from the risk of a breach of health and safety regulations. As a consequence, there is a risk that the company’s liabilities may be understated due to the omission of a provision required in the financial statements, in respect of a fine for non-compliance.
The directors’ approach to taking and managing business risk has obvious ramifications on a company’s financial statements, and the auditor should be aware of the various factors that influence directors in this area, and of applicable controls in place. It is often the case that a newly established company with young entrepreneurial directors and a flat management structure will have a more liberal approach to taking and managing business risk than a well-established company with more experienced directors, and a steep hierarchical management structure. Consequently, it is likely that there would be a lower level of risk of material misstatement in the financial statements of the latter company.
Attitude and actions toward financial reporting. Financial Reporting Standards exist to help facilitate fairness, consistency and transparency of financial reporting. However, some determinants of profitability such as the measure of depreciation, the valuation of inventory or the amount of a provision remain open to the subjective judgment of management. Consequently, the auditor needs to gain an understanding of directors’ attitudes and actions to financial reporting issues and then make a judgment as to the extent of reliance that can be placed upon these. It may be that in a company that is struggling in a faltering economy, and in another driven by a culture to report increasing profits, there is a tendency to adopt aggressive (as opposed to conservative) accounting principles, in order to meet profit expectations. Clearly, on such audit engagements it is important for the auditor to remain resolute in exercising appropriate levels of professional scepticism throughout.
Attitude towards information processing and accounting functions and personnel. Properly financed and resourced with sufficient numbers of appropriately qualified staff and contemporary information and communications technology, the financial reporting (accounting) and information processing functions of a company are vital to a company’s ongoing existence. They are key to the facilitation of compliance with laws and regulations, transactions with third parties, administration and control systems and in the provision of information for decision making. In most very large companies many aspects of the accounting function are inextricably intertwined with specific aspects of the company’s information processing systems, and there is an ongoing programme of investment in these, to ensure that the accounting and information processing systems are contemporary and fit for purpose. This is reflective of a situation where directors recognise that business risk will be significantly reduced, if the company has effective information processing and accounting functions. However, this situation does not apply to all companies. In some, both functions may be seen by the directors merely as necessary functional overhead areas of the business and, as such, they become under-funded and inadequately resourced in terms of staffing and equipment. An auditor engaged on an audit in such a company should be aware that there is an increased risk of material misstatement in the financial statements.
5 Organisational structure
ISA 315 describes a company’s organisational structure as being ‘the framework within which an entity’s activities for achieving its objectives are planned, executed, controlled and reviewed’. The appendix to the ISA then explains ‘that the appropriateness of an entity’s organisational structure depends, in part, on its size and the nature of its activities’. It follows from this that an international consulting company with offices and operations in several countries has different priorities in terms of organisational structure to a national car sales company with several offices and a number of sales branches in a single country. Similarly, the organisational structure deemed suitable for such a car sales company would not be appropriate for a single site manufacturing company. Generally, an auditor may reasonably expect there to be a positive correlation between the level of inherent risk and the size and complexity of a company’s operations. In assessing the level of the risk of material misstatement, the auditor should consider whether the company’s organisational structure, in terms of authority, responsibility and lines of reporting, meets desired objectives.
6 Assignment of authority and responsibility
Normally, the larger a company’s scale of operations, then the larger the size of the workforce and, inevitably, the larger the amount of assignment of authority and responsibility that is required. Consequently, companies need not only to ensure that appropriate levels of authority and responsibility are assigned to appropriately qualified and experienced individuals; they also need to ensure that adequate reporting relationships and authorisation hierarchies are in place. Additionally, individuals need to be properly resourced and made fully aware of their responsibilities and of how their actions interrelate with the actions of others and contribute to the objectives of the company. If a company is not successful in meeting each of these needs, then there is an increased probability of ineffective decisions, errors and oversights by employees leading to an increased risk of material misstatement in its financial statements. An example is where a wages clerk is authorised to process the wages payroll and is then assigned the (inappropriate!) authority to enter new employee details into the wages master file.
7 Human resources policies and practices
As explained in ISA 315, ‘human resource policies and practices demonstrate important matters in relation to the control consciousness of an entity’. This implies that if human resources policies and practices are considered to be sound both in design and in implementation over a range of matters, then the risk of material misstatement will be reduced.
Examples of these matters include:
Recruitment policies and procedures. These should ensure that only competent individuals with integrity are employed by the company. Interview procedures should ensure that only candidates meeting the company’s criteria for recruitment are engaged.
There should be adequate induction procedures for new employees, such that they can carry out their assigned responsibilities effectively and efficiently soon after being engaged by the company.
Employees should be provided with ongoing training, support and mentoring as appropriate, such that they can continue to carry out their assigned responsibilities effectively and efficiently.
There should be regular formal appraisal, at least annually, of an employee’s performance. Performance should be measured against standardised criteria authorised by senior management of the company, and there should be ongoing monitoring and feedback to employees about their performance and development needs.
The company should employ comprehensive and transparent employment grievance procedures, such that employees can be confident that grievances will be dealt with openly and impartially.
There should be open, transparent and equitable employee disciplinary procedures, such that employees can be confident they will not be treated unfairly by the company in the event that an action triggers its disciplinary process.
Employment termination procedures should incorporate provision for an exit interview so that the reason for the termination can be confirmed or clarified, all emoluments due to the employee can be settled and arrangements can be made for the return of all company assets prior to the termination date.
While each of the above measures will have a positive impact on the internal control of a company, to some extent they all have the effect of reducing the risk of material misstatement in the financial statements. For example, the existence of fair and robust grievance and disciplinary procedures reduces the possibility of a successful claim against the company for constructive or unfair dismissal, and the absence of a material provision in this respect. Significantly, the existence of human resources policies and practices that are the same or similar to those above should leave a favourable impression with the auditor, as to the directors’ attitude toward their company’s workforce. It is likely that such an attitude would foster good working relationships with employees, leading to an increased likelihood that individuals would reciprocate by carrying out their tasks diligently with integrity in the best interests of the company – resulting in a reduced risk of material misstatement.
Summary
As indicated at the beginning of this article, its purpose is to provide candidates with a more detailed appreciation of matters pertinent to an auditor, when evaluating the control environment of a limited liability/limited company. When asked to explain what is meant by the term ‘control environment’, candidates typically comment that it is a component of a company’s internal control and that it centres around how a company is operated by its management, reflecting such matters as their philosophy and operating style. While there is some merit in this answer, having now read the above commentary, candidates should be aware that the term has much more meaning than that.
Written by a member of the audit examining team
ISA 315 (REVISED), IDENTIFYING AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT THROUGH UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT
One of the major revisions of ISA 315 relates to the inquiries made by external auditors of the internal audit function since internal auditors have better knowledge and understanding of the organisation and its internal control. This article addresses and highlights the components of internal control.
The International Auditing and Assurance Standards Board (IAASB) issues International Standards on Auditing (ISAs) for international use. From time to time, ISAs are revised to provide updated standards to auditors. In order to enhance the overall quality of audit, the IAASB published a consultation draft on a proposed revision to ISA 315. The objective in revising ISA 315 is to enhance the performance of external auditors by applying the knowledge and findings of an entity’s internal audit function in the risk assessment process, and to strengthen the framework for evaluating the use of internal auditors’ work to obtain audit evidence.
In March 2012, ISA 315 (Revised) was approved and released. One of the major revisions of ISA 315 relates to the inquiries made by external auditors of the internal audit function since internal auditors have better knowledge and understanding of the organisation and its internal control. This article addresses and highlights the components of internal control.
OBJECTIVES IN ESTABLISHING INTERNAL CONTROLS
Generally speaking, internal control systems are designed, implemented and maintained by the management and personnel in order to provide reasonable assurance to fulfil the objectives, that is, reliability of financial reporting, efficiency and effectiveness of operations, compliance with laws and regulations and risk assessment of material misstatement. The manner in which the internal control system is designed, implemented and maintained may vary with the entity’s business nature, size and complexity, etc. Auditors focus on both the audit of financial statements and internal controls that relate to the three objectives that may materially affect financial reporting.
In order to identify the types of potential misstatements and to determine the nature, timing and extent of audit testing, auditors should obtain an understanding of relevant internal controls, evaluate the design of the controls, and ascertain whether the controls are implemented and maintained properly.
The major components of internal control include the control environment, the entity’s risk assessment process, the information system (including the related business processes, relevant to financial reporting, and communication), control activities relevant to the audit, and monitoring of controls.
CONTROL ENVIRONMENT
The control environment consists of the governance and management functions and the attitudes, awareness and actions of the management about the internal control.
Auditors may obtain an understanding of the control environment through the following elements.
1. Communication and enforcement of integrity and ethical values
It is important for the management to create and maintain an honest, legal and ethical culture, and to communicate the entity’s ethical and behavioural standards to its employees through policy statements and codes of conduct, etc.
2. Commitment to competence
It is important that the management recruits competent staff who possess the required knowledge and skills at a competent level to accomplish tasks.
3. Participation by those charged with governance
An entity’s control consciousness is influenced significantly by those charged with governance; therefore, their independence from management, experience and stature, extent of their involvement, as well as the appropriateness of their actions are extremely important.
4. Management’s philosophy and operating style
Management’s philosophy and operating style consists of a broad range of characteristics, such as management’s attitude and response to business risks, financial reporting, information processing, and accounting functions and personnel, etc. For example, is the targeted earning realistic? Does the management apply an aggressive approach where alternative accounting principles or estimates are available? Management’s philosophy and operating style provide auditors with a picture of the management’s attitude about the internal control.
5. Organisational structure
The organisational structure provides the framework on how the entity’s activities are planned, implemented, controlled and reviewed.
6. Assignment of authority and responsibility
With the established organisational structure or framework, key areas of authority and reporting lines should then be defined. The assignment of authority and responsibility includes the personnel that make appropriate policies and assign resources to staff to carry out the duties. Auditors may perceive the implementation of internal controls through the understanding of the organisational structure and the reporting relationships.
7. Human resources policies and practices
Human resources policies and practices generally refer to recruitment, orientation, training, evaluation, counselling, promotion, compensation and remedial actions. For example, an entity should establish policies to recruit individuals based on their educational background, previous work experience, and other relevant attributes. Next, classroom and on-the-job training should be provided to the newly recruited staff. Appropriate training is also available to existing staff to keep themselves updated. Performance evaluation should be conducted periodically to review the staff performance and provide comments and feedback to staff on how to improve themselves, further develop their potential and be promoted to the next level by accepting more responsibilities and, in turn, receiving competitive compensation and benefits.
With ISA 315 (Revised), external auditors are now required to make inquiries of the internal audit function to identify and assess risks of material misstatement. Auditors may refer to the management’s responses to the identified deficiencies of the internal controls and determine whether the management has taken appropriate actions to tackle the problems properly. Besides inquiries of the internal audit function, auditors may collect audit evidence of the control environment through observation on how the employees perform their duties, inspection of the documents, and analytical procedures. After obtaining the audit evidence of the control environment, auditors may then assess the risks of material misstatement.
ENTITY’S RISK ASSESSMENT PROCESS
Auditors should assess whether the entity has a process to identify the business risks relevant to financial reporting objectives, estimate the significance of them, assess the likelihood of the risks’ occurrence, and decide actions to address the risks. If auditors have identified such risks, then auditors should evaluate the reasons why the risk assessment process failed to identify the risks, determine whether there is significant deficiency in internal controls in identifying the risks, and discuss with the management.
THE INFORMATION SYSTEM, INCLUDING THE RELEVANT BUSINESS PROCESSES, RELEVANT TO FINANCIAL REPORTING AND COMMUNICATION
Auditors should also obtain an understanding of the information system, including the related business processes, relevant to financial reporting, including the following areas:
The classes of transactions in the entity’s operations that are significant to the financial statements.
The procedures by which transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the financial statements.
How the information system captures events and conditions that are significant to the financial statements.
The financial reporting process used to prepare the entity’s financial statements.
Controls surrounding journal entries.
Understand how the entity communicates financial reporting roles, responsibilities and significant matters to those charged with governance and external regulatory authorities.
CONTROL ACTIVITIES RELEVANT TO THE AUDIT
Auditors should obtain a sufficient understanding of control activities relevant to the audit in order to assess the risks of material misstatement at the assertion level, and to design further audit procedures to respond to those risks. Control activities, such as proper authorisation of transactions and activities, performance reviews, information processing, physical control over assets and records, and segregation of duties, are policies and procedures that address the risks and help ensure that management directives are carried out.
MONITORING OF CONTROLS
In addition, auditors should obtain an understanding of the major types of activities that the entity uses to monitor internal controls relevant to financial reporting and how the entity initiates corrective actions to its controls. For instance, auditors should obtain an understanding of the sources and reliability of the information that the entity uses in monitoring the activities. Sources of information include internal auditors’ reports and reports from regulators.
LIMITATIONS OF INTERNAL CONTROL SYSTEMS
Effective internal control systems can only provide reasonable, not absolute, assurance to achieve the entity’s financial reporting objective due to the inherent limitations of internal control, for example, management override of internal controls. Therefore, auditors should identify and assess the risks of material misstatement at the financial statement level and assertion level for classes of transactions, account balances and disclosures.
CONCLUSION
As internal auditors have better understanding of the organisation and expertise in its risk and control, the proposed requirement for the external auditors to make enquiries of internal audit function in ISA 315 (Revised) will enhance the effectiveness and efficiency of audit engagements. External auditors should pay attention to the components of internal control mentioned above in order to make effective and efficient enquiries. An increase in the work of internal audit functions is also expected because of such proposed requirement.
Raymond Wong, School of Accountancy, The Chinese University of Hong Kong, and Dr Helen Wong, Hong Kong Community College, Hong Kong Polytechnic University
Reference
ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment
CONTINUE TO BE REST ASSURED
This article looks at the topic of assurance in the context of Paper P7, Advanced Audit and Assurance, describing a framework for the classification of assurance and non-assurance engagements, and giving guidance on the practical approach required when undertaking assurance assignments.
Note: ISAE 3000, ISAE 3400, ISRS 4400, ISRS 4410 and ISRE 2400 are not examinable documents for Paper P7 UK and Ireland.
ASSURANCE ENGAGEMENTS
The glossary of terms published by the International Auditing and Assurance Standards Board (IAASB) describes an assurance engagement as:
‘An engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria.’
IAASB AND THE ASSURANCE FRAMEWORK
The IAASB has developed the International Framework for Assurance Engagements in which it gives detailed guidance on assurance and non-assurance engagements. The structure and hierarchy of pronouncements are summarised at www.ifac.org in the IAASB handbook, which is freely available online. For Paper P7 purposes, a summary of the developing framework for assurance and non-assurance engagements is shown below:
ASSURANCE ENGAGEMENTS ON HISTORIC FINANCIAL INFORMATION
The first distinction to be made is to distinguish between the two types of assurance engagements on historic financial information that can be provided. The difference is the level of assurance provided on the historical information.
Reasonable assurance engagement
This is a statutory audit, where the approach required will need to be consistent with local legislative requirements, such as the Companies Act 2006 in the UK, and audit work will need to be carried out in accordance with International Standards on Auditing (ISAs). The auditor will express a conclusion designed to enhance the degree of confidence of the intended users of the financial statements, and moderate to high assurance would normally be given.
Limited assurance engagement
A limited assurance engagement is increasingly being seen as an alternative to the statutory audit. A good example of this type of engagement is represented by recent initiatives in the UK, which have proposed the introduction of ‘mini’ audits for companies below the audit exemption threshold. There currently exists no UK statutory requirement for a ‘mini’ audit, although an increasing number of companies are requesting, on a voluntary basis, limited assurance engagements. Such engagements do not give the same level of assurance as a statutory audit, but instead give ‘negative assurance’ based on more limited procedures than are required with a statutory audit. Negative assurance will typically be worded as follows:
‘Based on our review, nothing has come to our attention to indicate that the accompanying financial statements contain material misstatement.’
With a negative assurance statement, effectively no opinion is given on the information, but at least some assurance is provided that the information ‘appears reasonable’.
ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION
The International Standard on Assurance Engagements (ISAE) 3000 gives guidance to practitioners (defined by ISAE 3000 as ‘professional accountants in public practice’) for the performance of assurance engagements other than audits or reviews of historical financial information. A summary of the key requirements of ISAE 3000 is shown in the following table.
1. Ethical requirements – practitioners should comply with ethical requirements (ie IESBA’s Code of Ethics for Professional Accountants and ACCA’s Code of Ethics and Conduct).
2. Quality control – the practitioner should implement quality control procedures that are applicable to the individual engagement.
3. Engagement – the terms of the engagement should be recorded in an engagement letter, and the practitioner should agree on the terms of the engagement with the engaging party.
4. Planning and obtaining evidence – the practitioner should plan the engagement so that it will be performed effectively, and should consider materiality and assurance engagement risk, and sufficient appropriate evidence should be obtained on which to base the conclusion.
5. Reporting – the assurance report should be in writing and should contain a clear expression of the practitioner’s conclusion about the subject matter information.
The approach required by ISAE 3000, and the work undertaken with an assurance engagement, may be similar in many respects to an audit engagement, although the context is different. For each of the assurance engagements on other information, the guidance from ISAE 3000 will apply, with the exception of Prospective Financial Information (PFI) work, where separate guidance is given in ISAE 3400, which is summarised later in this article.
Listed below are the most relevant areas where assurance engagements on other information will typically arise:
Internal controls and systems reviews
Due diligence reviews
Prospective financial information.
Internal control and systems reviews
The type of assurance work arising here is very similar to the work that auditors have been doing for a long time as part of the audit approach required when evaluating the effectiveness of internal control systems. Control and systems review work is tested in Paper F8 and, as such, needs little further coverage in this article.
Key performance indicators
Developments in performance measurement have led to many companies publishing a selection of key performance indicators (KPIs) in the annual financial statements. KPIs represent a set of measures focusing on those aspects of performance that are most crucial for the continued success of an organisation. Many companies are increasingly opting for voluntary disclosure of KPIs, which can be financial (such as ratios based on the financial statements) or non-financial (such as targets on social and environmental matters). The increased tendency to disclose such data is often in response to shareholder expectations. The assurance approach towards KPIs requires careful consideration of how the KPI has been defined, the KPI calculation method, the purpose of reporting the KPI, and the nature of evidence that would be available on the source of the underlying data.
Problems facing assurance providers in relation to KPI assessment may include the lack of precise definitions of KPI targets, lack of developed systems to capture KPI data, and the potential for KPIs, as disclosed, to be manipulated to achieve a desired result. However, an assurance report provided on the KPIs should add credibility to the published data if sufficient evidence is available to the assurance provider.
Due diligence reviews
There is little specific guidance on due diligence reviews, despite this being an increasingly common form of assurance. Normally, the assurance provider is engaged by the potential acquirer of a company, who seeks to discover information about the target organisation. The assurance provider will attempt to verify any representations made by the management of the target company, and may also offer practical recommendations regarding the acquisition process.
Prospective financial information
Procedures by assurance firms on prospective financial information (PFI) are well established, and separate guidance is given by the IAASB in ISAE 3400, The Examination of Prospective Financial Information, which again is very practical in nature. The standard defines PFI as ‘financial information based on assumptions about events that may occur in the future and possible actions by an entity’.
The standard recognises that, because PFI relates to events and actions that have not yet occurred and may not occur, PFI work is highly subjective in its nature, and its preparation requires the exercise of considerable judgment.
ISAE 3400 requires that before accepting a PFI engagement, the terms of the engagement should be agreed on and sufficient knowledge of the business should be obtained. The period of time covered by the PFI should be clarified, which could be a forecast (usually a period of up to 12 months) and/or a projection (usually up to five years).
ISAE 3400 also requires that written representations should be requested from management regarding the intended use of the PFI, the completeness of significant management assumptions, and also management’s acceptance of its responsibility for the PFI. The assurance report should make it clear that management is responsible for the PFI and also the assumptions on which it is based. Given the subjective and speculative nature of the PFI, an opinion cannot be given on whether the results shown in the report will be achieved, so only negative assurance can be given.
NON-ASSURANCE ENGAGEMENTS
Non-assurance engagements are more likely to arise with small companies, and only a general awareness will be required of the guidance given by the IAASB for each of these three areas. Each of the three so-called non-assurance areas is briefly summarised below.
Review engagements
The objective of a review of financial statements is to enable an auditor to state whether, on the basis of procedures that do not provide all the evidence required in an audit, anything has come to the auditor’s attention that causes the auditor to believe that the financial statements are not prepared in accordance with the applicable financial reporting framework (ie negative assurance). Guidance to practitioners taking on this type of assignment is given by the IAASB in International Standard on Review Engagements (ISRE) 2400, Engagements to Review Historical Financial Statements.
Another type of review engagement is the review of interim financial information, covered by ISRE 2410, Review of Interim Financial Information Performed by the Independent Auditor of the Entity.
There are many similarities between review engagements and the limited assurance engagements (these were discussed earlier, in the context of so-called ‘mini’ or voluntary audits). The best approach to adopt, however, is to consider the work required for the engagement itself, rather than to dwell on how the engagement is classified.
Agreed upon procedures
The objective is for the auditor to carry out procedures of an audit nature to which the auditor, the entity, and any appropriate third parties have agreed, and for the auditor to report on factual findings. Guidance to practitioners taking on this type of assignment is given by the IAASB in International Standard on Related Services (ISRS) 4400, Engagements to Perform Agreed Upon Procedures Regarding Financial Information. Examples of this type of engagement could include the quantification of an insurance claim, or of the loss suffered due to a fraud. The specialist area of forensic accounting and auditing could be viewed as a specific type of agreed upon procedure engagement.
Compilation engagements
The objective of a compilation engagement is for the practitioner to apply accounting and financial reporting expertise to assist management in the preparation and presentation of financial information in accordance with an applicable financial reporting framework based on information provided by management – and report in accordance with the requirements of ISRS 4410, Compilation Engagements. Thus, the practitioner’s report is not a vehicle to express an opinion or conclusion on the financial information in any form.
CONCLUSION
Students should expect to see assurance assignments other than reasonable assurance engagements appearing frequently in the Paper P7 exam. In other words, a question may not be based around a ‘traditional audit’, but may instead be presented in the context of, for example, a due diligence engagement, a review of PFI, a review of KPIs, or a limited assurance engagement on historical information. Such a question could appear in Section A or B of the exam.
It is important that candidates appreciate the practical nature of these questions, which will require application of knowledge to the scenario. The requirement may ask the candidate to consider, for example:
whether or not to accept the engagement
matters to be discussed with the client post-acceptance
methods of gathering sufficient and appropriate evidence
the report to be provided.
Written by a member of the Paper P7 examining team