audit process
Preparation of the mission
1. Reception of the engagement letter = contract between the auditor and the client that has to be signed before the start of the audit. It includes:
- the fees,
- the number of hours that are going to be spent on the audit,
- the way the audit is going to be done,
- the responsibilities of the management, of the board of directors and of the auditor,
- the applicable laws,
- the general terms and conditions,
- the time when the audit is going to be done,
- the output of the auditor (the audit report),
- the standards of auditing that are going to be used,
- the framework used.
2. Confirmation of the date of performance of the audit within the audited entity
3. Secure logistics and make practical arrangements
4. Starting date of the fieldwork (including opening meeting)
Execution of the Audit
Step 1: Planning the audit
Generally performed before and at the beginning of the audit fieldwork (or during identification visit)
Step 2: Assessment of the activity and its risks + Determination of the audit strategy
Performed during the first two days of the audit fieldwork
Step 3: Performance of the audit procedures
Performed throughout the audit fieldwork
Step 4: Assessment of the results and conclusion on the audit
Performed at the end of the fieldwork
1. Understand the auditee’s activities in order to identify main risk areas:
- Internal factors of risk
- External factors of risk
AR = IR x ICR x NDR
Objectives: perform audit procedures determined in step 2 (NDR) in order to hold the AR at a low level by decreasing the NDR.
→ It’s the basis for the formulation of the Audit Opinion
Objective:
- summarise and quantify audit findings
- verify the general coherence of the audit
- prepare the debriefing memorandum
→ basis in order to prepare the audit report
- AR = Audit Risk
- IR = Inherent Risk
- ICR = Internal Control Risk
- NDR = Non Detection Risk
2. Assess the control environment in order to understand the structure of the company to be audited and to identify elements of risk linked to the internal control structure.
→ It’s done through interviews and by reading reports and minutes.
Audit risk = risk that the auditor concludes that the financial statements he has audited contain no significant errors, although they do contain such errors. The auditor will fix the AR himself: he usually accepts an Audit Risk of 5%.
1. General audit Procedures = audit procedures, general in nature and necessary to verify certain contractual aspects or to comply with professional standards.
→ Not specific to some accounts. Ex: getting an engagement letter or a representation letter.
Analysis & quantification of findings:
- The errors identified with analytical review procedures can’t be used to estimate the error. There’s a need for further investigation/analysis.
- The errors identified on key items can’t be extrapolated and need to be reported individually in the audit report.
- The errors identified on representative samples may be extrapolated to the sub-population.
Rules for extrapolation:
- only allowed for representative sample
- extrapolation method // sampling method
- the qualitative aspect of errors must be taken into account
- separate extrapolation for each account
3. Determine the materiality: that’s the level of error/change under which a user of the financial statements is not going to change his opinion or his decision making. This concept is connected to the principle of true and fair view, it determines the sample size for substantive testing and it’s the basis for interpretation of audit results → it helps determine the “vouching limit”. There are 3 levels:
- the materiality (whole F/S)
- the tolerable error (significant accounts)
- the adjustment level (error accumulation)
1. Determine the Inherent Risk: it’s the likelihood of significant inaccuracies due to fraud or error, independently of the existing specific internal control procedures. The Inherent Risk depends on:
- quality of the personnel responsible
- general internal organisation
- economic & financial situation of the country
- general risk // the type of transaction
2. Analytical & Data Analysis Procedures = logical tests of relationships between numbers, aimed at reviewing whether the numbers reported in the financial statements are reasonable. Ex: trends, ratios, examination of variations.
Levels of confidence in Analytical Review:
- minimal: the analytical review is not sufficient to give confidence
- corroborative
- persuasive
The more data you have, the less confidence the analytical review gives you → need for more precise analysis in order to have more confidence
2. Determine the Internal Control Risk: this is the likelihood that the internal control system does not prevent or detect significant inaccuracies due to fraud or error. The ICR depends on:
- organisational structure followed for project management and connected potential risks
- main aspects related to personnel management
- accounting system used to record and report the expenses and revenues
- supervision/governance measures
- prevention vs. detection IC put in place
2 options in order to test internal controls:
- test of controls
- final assessment: no test of the internal controls: straight to the audit
Type of errors & consequences:
- Intentional errors: it covers potential fraud and/or irregularities and should be reported to governance ASAP
- Formal errors: due to insufficient documentation, lack of clarity, non-compliance with contractual basis, etc.
If recurring errors, it might be necessary to:
- extend audit procedures in risky area
- revise the risk assessment
- enlarge the sample for risky sub-population
→ High error rate + recurrent errors = sign of internal control weakness ←
- reassessment of the CRA
- calculation of revised sample size
4. Determine the significant accounts in order to determine whether some specific procedures should be applied to those accounts. The criteria are:
- the amount
- the nature of the account
- the complexity and homogeneity
- the predisposition to manipulations or proneness to losses
- the problems or errors identified in previous audits
3. Substantive tests applied on financial data = verification of the supporting documents.
→ Example:
- physical observation (ex: inspect fixed assets)
- check of payments
- review of the invoices
- testing the respect of tendering and awarding procedures for a sample of contracts
- testing the expenses to the invoices and bank documents
- recalculation, etc.
5. Prepare the audit programme by making a complete description of the work that is to be performed, aiming to justify the appropriateness of the auditor’s work. It needs to be prepared by the audit team, based on the info collected and the requirements of the client, and to be approved by the audit partner.
Assertions for each account:
- existence: physical observation
- valuation (transactions well valued)
- cut-off (recorded in the proper period: when delivered)
- classification (recorded in the right account)
- completeness (all transactions recorded)
Key items: items selected by the auditor on a judgmental basis because of: significant amount, risky transaction, unusual transaction, etc. In this case, no extrapolation is allowed.
Representative sample: items selected by statistical sampling. In this case, extrapolation is allowed.
→ The NDR can be reduced by performing analytical review procedures and by performing substantive tests on key items (see above). It must be completed by performing tests on a representative sample.
3. Combined risk assessment (IR + ICR):
- if CRA = low → accept high NDR and do less audit procedures
- if CRA = high → lower the NDR by doing a lot of audit procedures
Audit report
The objective of an audit is to enable the auditor to express an opinion and issue a report in accordance with the requirements of the Commission.
Different possible opinions:
- Unqualified opinion: “the Financial Report gives a true and fair view, in all material respects, of the results and financial position”
- Qualified opinion: “The FR gives a true and fair view, in all material respects, of the results and financial position except for an error on a specific account…”
- Adverse opinion: “The FR doesn’t give a true and fair view (…)”
- Disclaimer of opinion: “… The auditor is unable to express an opinion…”
4. Non Detection Risk: this is the likelihood that the external auditor does not detect significant inaccuracies by means of audit procedures. = Only criterion that can be influenced by the auditor, depending on the extent of substantive procedures (see CRA) → it allows a reduction of the audit risk.
Statistical sampling aims at determining the sample size needed to further reduce the NDR. → see how it works page 27
Audit strategy: set the scope, the timing, the type of audit procedures and the extent of substantive tests.