How to avoid common weaknesses in audit
It is often seen as a necessary evil, but audit planning is required by the auditing standards. While it can seem like a form-filling exercise, there are ways to make it easier for yourself. Here, Simon Kettlewell shows you how to finesse your audit planning, with tips on avoiding common weaknesses.
Audit planning is often seen as a necessary evil. It is required by the auditing standards but it can seem like a form-filling exercise. Planning is often delegated to less experienced members of staff with a tight turnaround time and a simple instruction of “just roll forward and follow last year’s pack”. This may be seen as saving time, but it often results in unfocused planning that fails to take into account any new developments in the entity or any recommendations for improvement that may have been made in your cold file reviews.
As an external file reviewer, I see lots of examples of audit planning – some good and some poor. Where planning is poor, it tends to be due to a number of recurring weaknesses.
Preliminary analytical review
Preliminary analytical review (PAR) is a key procedure in the planning of an audit in helping to assess risk. This should not simply be a schedule that includes statements such as “trade debtors have increased because sales have increased” or “creditors have increased by 20% compared to last year – to be investigated”.
As noted in paragraph A15 of ISA (UK) 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding of the Entity and Its Environment: “Analytical procedures may help identify the existence of unusual transactions or events, and amounts, ratios, and trends that might indicate matters that have audit implications. Unusual or unexpected relationships that are identified may assist the auditor in identifying risks of material misstatement, especially risks of material misstatement due to fraud.”
In order to carry out effective PARs, auditors need to understand their client and have some expectation of what the financial statements should look like. Based on discussions held with the client at the planning stage, the auditor may expect to see an increase in sales of 20% due to the client winning a couple of major new contracts in the year. Let’s assume that when performing the PAR, the auditor identifies that sales have increased by just 10%. If the difference between 10% and 20% is material, this deviation from expectation should raise a red flag for the auditor – and even if it isn’t material, the auditor should understand the reasons for the trend. As a result, specific procedures should be planned to deal with this risk (such as detailed cut off testing, review of those new contracts and the revenue recognition methods used).
Any material deviation of a balance away from expectation should be considered to represent a risk and appropriate procedures must be planned to cover this risk.
Every methodology has a formula for ‘calculating’ materiality, whether it’s based on the selection of an appropriate benchmark (such as turnover or profit before tax) or an averaging approach. Irrespective of the methodology followed, the fundamental requirement is for the auditor to exercise professional judgement in assessing materiality; the figure provided by your materiality form should merely be a starting point to help with this assessment. As with all areas of audit, documentation of the judgement made, along with justification of the appropriateness of the materiality figure, is key.
Overall risk assessment
Many auditors have developed a default low-risk mindset, where all of their clients are assessed as having low overall inherent risk. In addition, a number of (usually) smaller firms use a checklist to drive their overall risk assessment, which stifles free thought. A better way to approach the overall risk assessment is to start from an attitude of the client being high risk and then thinking about what factors and conditions exist which reduce this level of risk.
These may include, for example: the client being profitable and generating healthy levels of cash; no third-party interest in the financial statements; a management team that is stable and responsive to any recommendations set out in the management letter. The auditor should note down their thoughts in free form and ultimately conclude on the overall risk level.
Management override and fraud in revenue recognition
Every auditor should recognise these points as being recurring weaknesses identified by regulators. Management override is a significant risk in all entities, as per paragraph 31 of ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements. Auditors must plan to carry out appropriate procedures to mitigate this risk – typically this involves the testing of journal entries and reviewing accounting estimates for bias.
Like many of the other areas of audit highlighted in this article, ICAEW makes helpful practical guidance and other resources available on addressing the risk of management override in audit.
Fraud risk is an area where auditors can expect greater pressure from the UK financial regulator going forward. It was recently identified (along with going concern) by the government and the Financial Reporting Council (FRC) as needing “more work” by auditors see the June 2019 issue of Audit & Beyond.
Regarding revenue recognition, it is not appropriate to simply rely on the fact that “the audit team will test revenue in detail”. When assessing the risk of misstatement in revenue as anything other than high risk, the planning documentation needs to explain why. There needs to be sufficient documentation to rebut the high risk presumption, as well as tailored audit tests planned to mitigate the risk.
Lack of professional scepticism
Professional scepticism, or indeed the lack of it, is a perennial weakness picked up by both cold file reviewers and audit regulators across many jurisdictions. Again, there are numerous ICAEW resources available to assist with this. The key point is that the audit team should put aside any thoughts that their client is beyond reproach. There needs to be a robust discussion of where fraud risks could be present in the entity. Typically, this is strongest in the earlier years of the assignment, before familiarity begins to creep in.
Lack of tailoring of audit programmes
Although many firms understandably take advantage of off-the-shelf methodologies (such as those produced by HAT Group), it’s important to remember that these are written to deal with a generic audited entity. Lack of tailoring of such methodologies can lead to unnecessary and/or unfocused testing being carried out. The audit programmes should be tailored appropriately to reflect the responsible individual’s assessment of risk and areas of focus; immaterial areas should be tailored out of the audit file.
And a few more
There are also other areas where weaknesses are noted frequently.Ethical threats
Failure to adequately identify and evaluate threats to compliance with the fundamental principles of the ICAEW Ethics Code and the FRC Ethical Standard and to apply appropriate safeguards when necessary. For example, in the provision of non-audit services, and the mitigation of those threats (which can be achieved, for example, by having the non-audit services reviewed by a second partner).
Failure to recognise related party transactions has been cited as an audit weakness by regulators. If related parties are not identified and documented at the planning stage, this increases the risk that unidentified related parties can be used to conceal fraudulent activities or financial reporting.
These are often held with the financial controller, when planning discussions should be held with those charged with governance prior to the detailed audit planning process.
Action on weaknesses
It is not unusual to see ‘points forward’ not appropriately actioned. As a cold file reviewer, it is disappointing to see a file for the second year running where weaknesses identified in the prior year’s file review have not been dealt with.
By taking steps to avoid some (or all) of these common weaknesses around audit planning, firms can raise the quality of their audits and support continuous improvements. Audit planning is much more than a form-filling exercise and good audit planning can deliver numerous benefits because it:
ensures that knowledge of the client is sufficient at the start of the process to understand the key audit risks;
allows audit work to be tailored to address and resolve those risks;
minimises time spent on audit; and
is continually updated (revisited at fieldwork and finalisation).
Good audit planning is something that all auditors should aim for.
Examples of some of the specialist resources available from ICAEW are in the following list (though a Google search will quickly reveal how many more articles, papers, webinars and other practical support resources are also available).
Audit planning and risk assessment resources including articles, helpsheets, webinars and other support tools are collected together.
Materiality in the review of financial statements (a guide) is available for download.
Audit & Beyond articles on materiality.
Management override – and how to assess and respond to the risk – is covered in ICAEW guidance available online.
Understanding the design and implementation of controls in smaller audits: why and how is covered in a document.
Professional scepticism is the subject of lots of ICAEW guidance. Resources to help auditors in applying and demonstrating a sceptical mindset in their audit include articles, practical guidance and training tools, videos and webinars.
Various audit weaknesses highlighted by this article – from lack of professional scepticism to fraud risks around management override of controls – are covered in ICAEW’s two educational film dramas False assurance and Without question.