An Overview of Auditing


Auditing in the United Kingdom and Ireland has become somewhat arduous over the last couple of years.  More stringent regulations, i.e. the International Standards on Auditing, and an increased emphasis on technical compliance mean that auditing can be particularly complex.

One of the key features of the audit process is the actual planning of the audit.  Thorough and concise planning means that the detailed audit work carried out will also be concise and thorough.

This article by Steven Collings considers some of the testing the auditor will do during their audit and looks at the different types of risk associated with the audit process.

As mentioned above, the last few years have seen the audit profession being issued with stricter standards, which means that there are no corners that can be cut.  When audit work was undertaken using the now defunct SASs (Statements of Auditing Standards), it was not uncommon for auditors to detail in the working papers that they had undertaken an audit task but had not, in fact, documented exactly what they had done.  The ISAs, by virtue of ISA 500 ‘Audit Evidence’, now expect the auditor to obtain audit evidence from an appropriate mix of (a) tests of control and (b) substantive testing of transactions and balances, and to thoroughly document the actual work they have done.

So what do we mean by ‘tests of control’ and ‘substantive testing’?  It all sounds very ‘glamorous’, doesn’t it?

Tests of control do what it says on the tin: they test the controls!  At the outset of the audit, the auditor will meet with the audit client and discuss the processes and procedures within the company.  The auditor will then document the processes and procedures and carry out a ‘risk assessment’ to identify whether, in their opinion, the procedures and processes would (a) prevent, (b) detect and (c) correct a material misstatement within the accounting systems.

Of course, the auditor cannot just take the client’s word that their processes and procedures (otherwise known as ‘internal controls’) are sufficient.  The auditor will need to test these by virtue of their audit to ensure that the internal controls do, in fact, work and would prevent, detect and correct a material misstatement.  The auditor uses various testing methods to test the internal controls and the most common test of control is a ‘walk through’ test.  This is where the auditor will observe a procedure being carried out, for example, watching a sales invoice being created and observing the sales invoice going through the ‘paper trail’ i.e. from initial order, through to its final destination in the debtors control and on the customer’s sales ledger account.

Substantive testing is the testing which auditors do on transactions and balances.  Substantive testing is the ‘ticking and flicking’ testing and is the more detailed audit testing which involves taking a sample of transactions and balances and tracing their journey through the various paper trails and to their ultimate destination within the financial statements and/or notes to the financial statements.

So how do auditors decide which tests to do and which tests they don’t have to do? This is all determined at the planning stage of the audit.  At the planning stage, the auditor will obtain a detailed understanding of the audit client and make an initial conclusion as to whether or not the client has reliable systems in place.  A reliable system is not just a well-known accounting programme.  The auditor needs to conclude whether adequate controls exist that safeguard the assets of the company.  When determining whether a reliable internal control environment exists, the auditor looks at various aspects of the business.  For example:

• the ‘culture’ of the organisation;
• the management style and structure;
• the authorisation procedures in place within the company;
• the quality of the staff the company employs;
• the integrity of the management;
• the expectations of the management as to the outcome of the audit;
• the history and complexity of the client; and
• the sector the client operates in.

So as you can see, the auditor looks very much beyond the accounting systems, and the planning of the audit will ultimately determine the nature and the extent to which the auditor will (a) place reliance on the company’s internal controls, which then (b) decides the types and the extent of audit sampling the auditor will undertake.  It’s probably easier to start off looking at a typical audit scenario.

Let us assume we are auditing a client in the “Do-it-Yourself” sector.  The client’s year end is 31 January 2008 and this is the third time we have audited the client.

We have met with the client and our initial discussions suggest that the client has a relatively straight-forward and robust internal control environment which has remained unchanged since the previous year (note internal controls should always be tested in full at least every third audit).  The client has very low levels of staff turnover.  However, an area of weakness which we have noted during our initial planning is that the same person is responsible for recording and banking the takings – this was not the case in previous audits.  The audit manager proposes to send an audit senior and an audit junior to undertake the detailed audit work.  What testing would the Audit Manager have expected to be undertaken prior to making a recommendation as to the overall audit opinion? These are the tests that should be done on a selection of audit areas within the financial statements:

Fixed Assets
Fixed assets within a DIY company would be relatively low risk, with maybe a couple of motor vehicles, tills and a few computers.  The audit manager should expect this audit area to be delegated to a more junior member of staff who should undertake the following testing (note these tests are not exhaustive and each audit will be different):

• check that fixed asset carrying values have been correctly brought forward from the previous period;
• trace a sample of fixed assets from the asset register to the assets themselves and vice versa;
• verify additions during the year to supporting documentation i.e. invoices;
• check that additions during the year have been properly authorised and that this authorisation does comply with the management’s assertion during the meeting regarding invoice authorisation;
• verify the carrying value within the financial statements and check if impairment is necessary;
• check accounts such as ‘repairs and renewals’ to see if this account contains any capital items;
• similarly check items capitalised during the year are, in fact, capital in their nature;
• check that assets obtained under finance leases are correctly capitalised and the correct disclosures are made within the financial statements in terms of leased assets;
• check that disposals during the year have been recorded correctly and reperform the profit or loss on disposal calculation;
• check that depreciation charges have been correctly calculated and that they are in accordance with the company’s accounting policies; and
• undertake an analytical review (if appropriate).

Stocks
Stock in a DIY company is going to be material to the financial statements.  The audit firm should have attended the year-end stock take (in accordance with ISA 500) and should have undertaken audit testing at the stock take to satisfy themselves that the stock take is being correctly carried out.

During the course of the stock take the auditor should have:

• discussed the stock take procedures with a senior official and reviewed any instructions given to the staff;
• traced a sample of stock from the stock take sheets to the shelves and confirmed the quantities are correct;
• traced a sample of stock from the shelves to the stock take sheets and, again, confirmed the quantities are correct;
• traced the stock in the above samples to the cost price and checked that this valuation is correct in accordance with SSAP 9 ‘Stocks and long term contracts’ or IAS 2 ‘Inventories’; and
• made a conclusion as to whether or not the stock take is being carried out sufficiently.

During the course of detailed audit work, the auditor should:

• revisit the stock take work and trace a sample of stock from the ‘rough’ stock taking sheets to the final stock valuation;
• check that the stock take sheets are complete i.e. they run in sequence and that they don’t contain any obvious omissions or errors or have been amended without authorisation from a senior official;
• check that the stock figure in the financial statements is the same as that on the final stock valuation;
• check the mathematical accuracy of the stock valuation;
• trace cost prices of a sample of stock to ensure they are in accordance with SSAP 9 or IAS 2;
• undertake a ‘net realisable value test’.  This involves checking that stock is being sold in excess of cost;
• carry out an analytical review to address issues such as gross profit margins;
• check the valuations placed on obsolete or slow-moving stocks;
• carry out checks on the stock control systems to check they are adequate;
• obtain details of the last goods in and goods out notes to check for accurate cut-off;
• check the company’s security policy to ensure no goods leave the premises without being paid for; and
• where appropriate, review the company’s policy for misappropriated stock due to theft which is particularly applicable to a client in the DIY sector.

Cash
As mentioned above in the introduction to the example, the audit firm discovered that there is a lack of segregation of duties in terms of recording and banking cash.  If we assume that the DIY company in the example is largely cash-based then this poses a significant financial statement risk in terms of potential fraud.

It would be inappropriate for an Audit manager to delegate the audit of the cash and bank to a junior member of the team due to the risks identified above.  Before attending the client to undertake the detailed audit work, the auditor should have obtained a ‘bank audit letter’ from the client’s bankers confirming the balances on each operable bank account at the year-end and this bank letter should also give details of secured debts i.e. bank loans and overdrafts.  The bank audit letter is crucial audit evidence as it is independent, third party confirmation.

In our example above, the auditor should undertake the following testing:

• confirm all brought forward bank balances have been correctly brought forward;
• trace a sample of cash receipts from the till readings, to the cash sheets, to the cash book, to the paying in book, to the bank statement and then through the accounting system and vice versa (this is the substantive testing);
• review the bank reconciliation as at the year-end and check the casts i.e. check it adds up (you would be surprised as to how many bank reconciliations do not add up!);
• note on the bank reconciliation statement, the dates of clearance of any payments and receipts which are outstanding on the bank reconciliation at the balance sheet date;
• review the bank reconciliations for periods, other than the balance sheet date, to confirm the accuracy;
• review the bank letter and check the balances on the year end bank reconciliation match;
• confirm there are no undue delays in banking monies;
• trace the reconciled balance on the bank reconciliation to the financial statements;
• write a letter of weakness to the directors of the company to draw their attention to a lack of segregation of duties (see ISA 260 ‘Communication of matters to those charged with governance’);
• review the internal control environment to check that the internal controls within this audit area are adequate and operate sufficiently (walk through tests);
• check the holiday pattern of the person responsible for recording and banking cash; and
• in terms of the person recording and banking cash, review their annual salary and try to gauge an understanding of their lifestyle – particularly if fraud is suspected.

Whilst the last test may seem odd, it may give an indication if a fraud is being committed i.e. a high standard of living where the salary of the individual may not normally allow.


The above example considers three audit areas and the types of testing typical within that audit area.  However, it must be noted that the above tests are not exhaustive and every client will be different. 

The auditor will use an ‘audit programme’ to help them during the course of their audit.  The audit programme typically details every test appropriate to a specific audit area but not all the tests may be appropriate.  For example, the audit of fixed assets for a client in the Financial Services sector will not be as detailed as that of a client in the manufacturing industry where plant and machinery is used more intensely.  This is why auditors must tailor their testing to client specifics rather than doing everything on the audit programme which would give rise to ‘over auditing’.

A quick re-cap

This article has considered the work required by an auditor in an attempt to satisfy themselves that the financial statements are free from material misstatement.  The two types of testing typically adopted by the auditors are:

• tests of control i.e. testing the internal control environment to see if the controls in place would prevent, detect and correct a material misstatement; and
• substantive testing i.e. the detailed ‘ticking’ of a sample of transactions and balances.

It is worth mentioning at this point that if the auditor samples, say, twenty payments and a failing within the sample is noted (let’s say a payment is missed in the accounting system), the auditor would normally increase their substantive testing to satisfy themselves that the error or omission is an isolated incident.  If the sampling suggests this is not an isolated incident, then this would have an impact on the auditor’s opinion as to whether or not the financial statements give a true and fair view.

Risk

Risk is a significant factor in the audit process and every audit will carry a certain amount of risk.

Business risk is the risk faced by the audit client within the industry it operates in. For example, nowadays the banking industry faces a lot of business risk because of the sector it operates in.  The widely publicised ‘credit crunch’ would have a huge effect on banks’ business risk.

Financial statement risk is the risk that the financial statements are materially misstated whether this misstatement is due to fraud and/or error.

Audit risk is the risk that the auditor’s opinion on the financial statements is inappropriate.

Inherent risk is the measure of the auditor’s assessment that the financial statements may be misstated before they consider how effective the internal controls adopted by the client actually are.

Detection risk is the risk that the auditor will not detect a material misstatement within the accounts.

Tolerable error, otherwise known as the ‘materiality level’, is the error the auditor is willing to accept and still conclude that the financial statements are free from material misstatement whether caused by fraud and/or error.


‘Detection risk’ and ‘financial statement risk’ have what is known as an ‘inverse’ relationship.

As we have said, financial statement risk is the risk that the financial statements contain material errors.  If the financial statement risk is deemed low then this means that the auditor is relying on the company’s internal control systems and therefore is not going to undertake as much detailed substantive testing as they would otherwise undertake.  In this case, detection risk will be high because there is a risk that the auditor could overlook a material misstatement because they are not doing as much detailed testing.

Conversely, if financial statement risk is deemed high, in other words the auditor suspects that there are material misstatements within the accounts, then detection risk becomes low because the auditor will then not rely wholly on the internal control systems, but instead adopt a more substantive approach to their audit.

To summarise this:

Financial statement risk = low
Detection risk = high

Financial statement risk = high
Detection risk = low

You can see from the above, the inverse relationship of the two types of risk.

As mentioned above, risk factors are significant when planning and undertaking audit work and auditors will always try to reduce risk as far as they can, by doing their testing, to an acceptable level.

The assertions

Assertions are defined as ‘something declared or stated positively’.  Management at audit clients will make various assertions such as what their internal controls are, the fact that they are not aware of any fraudulent activity or they are the best in their industry.

Financial statement assertions are the framework which auditors adopt to help them form their audit opinion.  There are generally three assertions which are then sub-divided as follows:

Transactions
• Occurrence (the transaction has actually occurred);
• Completeness (all transactions/events that should have been recorded have been recorded);
• Accuracy (all reported transactions and events are accurate);
• Cut off (all reported transactions and events have been reported in the correct period); and
• Classification (all reported transactions and events have been correctly classified).

Accounts
• Existence (assets and liabilities actually exist at the reporting date);
• Rights and obligations (the company holds the right to assets or is obliged by its liabilities);
• Completeness (all assets, liabilities and equity are complete); and
• Valuation and allocation (all assets and liabilities have been correctly valued and allocated within the financial statements).

Presentation and disclosure

• Occurrence (the transactions or events have occurred);
• Rights and obligations (the transactions are applicable to the entity);
• Completeness (all disclosures that should have been made have been made);
• Classification and understandability (financial statements are properly presented and the information contained within them is understandable); and
• Accuracy and valuation (financial and other information is correctly valued and is accurate).


Conclusion

As you can see, the audit process is very complex and if handled inappropriately could be reckless for audit firms and their clients.  Over the last few years the audit profession has been undermined by well-publicised corporate disasters and the ‘Big 5’ becoming the ‘Big 4’.  This gave rise to the auditing standards being completely overhauled, and adoption of the International regime meant that smaller firms of auditors often had difficulty in dealing with the more complex auditing standards.  ‘Corner-cutting’ by firms is, again, reckless and nowadays auditors can be prosecuted for knowingly undertaking a reckless audit.  It cannot be emphasised enough that audit firms must document all their work and not just sign off an area of the audit as being ‘completed’ without documenting what they did and when they did the work.


Steven Collings FMAAT ACCA is Audit Manager at Leavitt Walmsley Associates Limited and a regular contributor to AccountancyStudents

 
Posted by Mark Ellis on 02/03/2008