quality review program - cpa australia/media/corporate/allfiles/... · asae 3402 / isae (nz) 3402...

1 | Review of assurance engagements questionnaireCPA

H10

21_E

_V.09/20

14

QUALITY REVIEW PROGRAMREVIEW OF ASSURANCE ENGAGEMENTS QUESTIONNAIRE


H10

21_E

_V.09/20

14

INTRODUCTION

This questionnaire has been designed to help you assess whether assurance engagements have been conducted in accordance with relevant professional standards. The suite of standards relating to assurance engagements (ASAE 3000 / IASE (NZ) 3000, ASAE 3100 / ISAE (NZ) 3100, ASAE 3402 / SAE 3402, and ASAE 3500) apply to audit or review engagements not covered by the Auditing Standards (ASAs and ISAs) or Standards on Review Engagements (ASREs and ISREs). This questionnaire has the following sections:

• Background: details on the applicable standard for each type of engagement.

• Part A: review questions that are to be completed for ALL assurance engagements.

• Part B: review questions for compliance engagements covered by ASAE 3100 / SAE 3100 only.

• Part C: review questions for assurance reports on controls at service organisations covered by ASAE 3402 / ISAE (NZ) 3402 only.

• Part D: review questions for performance engagements covered by ASAE 3500 only.

Where there are two or more partners, separate questionnaires for each partner must be completed.

All non-compliance with mandatory professional or legislative requirements is to be reported in the quality review report. The reviewer is advised to comment on all non-mandatory breaches in the Other Matters Report.

PRIVACY

In this Privacy Statement, “Personal Information” has the same meaning as in the Privacy Act 1988 (Cth).

CPA Australia is committed to protecting the privacy and security of the Personal Information which it holds about you.

The Personal Information which you provide us with in this Questionnaire will be used by CPA Australia to process your Quality Review; and may be used for aggregated statistics for monitoring and research. This information may be viewed by the CPA Australia Board Quality Review Advisory Committee and also the Financial Reporting Council and any other Regulatory authority.

If you do not provide us with this Personal Information, we may not be able to process your review.

You have the right to access any Personal Information which CPA Australia holds about you, subject to the exceptions in the Privacy Act 1988 (Cth).

You may also request the correction of information which is inaccurate. Access and/or correction requests can be made at your local CPA Australia office. For more information on CPA Australia’s Privacy Policy, visit our website at cpaaustralia.com.au/privacypolicy.

Review Code(s)

Reviewer

Date submitted to Reviewer


H10

21_E

_V.09/20

14

BACKGROUND

Standards on Assurance Engagements (ASAEs, ISAEs NZ and SAEs) apply to audits or reviews not covered by the Auditing Standards (ASAs / ISAs) or Standards on Review Engagements (ASREs, ISRE (NZ) and NZ SRE), and include reviews of information other than historical financial information (e.g. performance, compliance, controls, prospective financial information). For reviews of historical financial information, refer to the ASREs / ISRE and NZ SRE and the ‘Review of Review Engagements Questionnaire’.

A member may perform two types of assurance engagement under the ASAEs / ISAEs NZ and SAEs:

• Reasonable assurance engagement (positive form of expression); and

• Limited assurance engagement (negative form of expression).

Refer to the Framework for Assurance Engagements for further details on how to interpret ASAEs / ISAEs NZ and SAEs.

ASAE 3000 / ISAE (NZ) 3000

ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OR REVIEWS OF HISTORICAL FINANCIAL INFORMATION

ASAE 3000 / ISAE (NZ) 3000 applies to the undertaking and reporting on assurance engagements other than audits or reviews of historical financial information covered by ASAs /ISAs or ASREs / ISREs. ASAE 3000 / ISAE 3000 is operative for reporting periods commencing on or after 1 July 2007. ASAE 3000 / ISAE 3000 provides general application to assurance engagements even though other ASAEs / ISAEs (e.g. ASAE 3100 / SAE 3100 or ASAE 3500) may relate to specific topics, such as compliance or performance.

ASAE 3000 / ISAE (NZ) 3000 is not part of the Auditing Standards made under the Act. Inter alia, it is to be applied in the review of prospective financial information. AUS 804 The Audit of Prospective Financial Information establishes requirements and guidance in relation to audits of prospective financial information.

APPLICATION CRITERIA

• Assurance engagements other than audits or reviews of historical financial information.

• Used by an auditor of the entity or an assurance practitioner who is not the auditor of the entity.

• General application to assurance engagements other than audits or reviews of historical financial information covered by ASAs / ISAs or ASREs / ISREs.

• If the subject of the engagement is financial information, the financial information must not be historical.

• Applies to reviews of prospective financial information.

COMPLETE PART A OF THIS QUESTIONNAIRE

ASAE 3100 / SAE 3100

COMPLIANCE ENGAGEMENTS

Compliance engagements are assurance engagements in which the member expresses a conclusion, after evaluating an entity’s compliance with the requirements as measured by the suitable criteria.

ASAE 3100 / SAE 3100 applies to the performing and reporting on compliance engagements other than audits or reviews of historical financial reports. Compliance may be with externally and/or internally imposed requirements (e.g. through law and regulation, contractual arrangements, or company policies). ASAE 3100 is operative for reporting periods or engagements commencing on or after 1 October 2008. SAE 3100 is operative for reporting periods or engagements commencing on or after 1 November 2011.

ASAE 3100 / SAE 3100 has been developed as an adjunct standard to ASAE 3000 / ISAE (NZ) 3000 for specific application to compliance engagements, and applies to both review engagements and audit engagements. When an assurance engagement includes a number of subject matters on which there are topic specific ASAEs /ISAEs, the member needs to apply the relevant topic specific ASAEs / ISAEs, as well as ASAE 3000 / ISAE (NZ) 3000, in performing the assurance engagement.


• Compliance Engagements. • Used by the auditor of the entity or an assurance practitioner who is not the auditor of the entity; and

• Provide assurance on an entity’s compliance with internally or externally imposed requirements as measured by the suitable criteria.

COMPLETE PART A AND PART B OF THIS QUESTIONNAIRE


H10

21_E

_V.09/20

14

ASAE 3402 / ISAE (NZ) 3402

ASSURANCE REPORTS ON CONTROLS AT A SERVICE ORGANISATION

This standard applies to an assurance engagement to provide an assurance report for use by user entities and their auditors on the controls at a service organisation, where those controls are likely to be relevant to user entities’ internal control as it relates to financial reporting. ASAE 3402 is operative for service auditors’ assurance reports covering periods commencing on or after 1 July 2010. ISAE (NZ) 3402 is operative for service auditors’ assurance reports covering periods commencing on or after 1 November 2011.

There are a number of pronouncements that are relevant to the user auditor or service auditor and care should be taken as to which pronouncement applies in the circumstances (e.g. ASAE 3402 / ISAE (NZ) 3402, ASA 402 (Oct 2009) / ISA (NZ) 402, ASA 402 (Apr 2006) / ISA (NZ) 402, GS 007, or AGS 1042).You may wish to see the AUASB website http://www.auasb.gov.au) for further clarification or XRB website (http://www.xrb.govt.nz).

ASAE 3402 / ISAE (NZ) 3402 expands on how ASAE 3000 / ISAE (NZ) 3000 is to be applied in a reasonable assurance engagement to report on controls at a service organisation. This standard only deals with assurances on controls of a services organisation.


• Assurance Reports on Controls at Service Organisations. • Used by the auditor of the service entity or an assurance practitioner who is not the auditor of the service entity;

• Assertion-based engagements (i.e. not direct reporting engagements);

• Convey reasonable assurance (i.e. not limited assurance); and

• Assurance conclusion worded directly in terms of the subject matter and the criteria (i.e. not in terms of the responsible party’s assertion).

COMPLETE PART A AND PART C OF THIS QUESTIONNAIRE

ASAE 3500

PERFORMANCE ENGAGEMENTS

Performance engagements include performance audits or performance reviews of all or a part of the activities of an entity (or entities) to assess economy, efficiency or effectiveness.

• Economy means the acquisition of the appropriate quality and quantity of resources at the appropriate times and at the lowest cost.

• Efficiency means the use of resources such that output is optimised for any given set of resource inputs, or input is minimised for any given quantity and quality of output.

• Effectiveness means the achievement of the objectives or other intended effects of activities at a program or entity level.

ASAE 3500 applies to the undertaking of and reporting on performance reviews and performance audits. ASAE 3500 is operative for engagements commencing on or after 1 January 2009.

ASAE 3500 is a composite revision of both AUS 806 Performance Auditing and AUS 808 Planning Performance Audits. When an assurance engagement includes a compliance component, the member needs to apply both ASAE 3100 / SAE 3100 and ASAE 3500, as well as ASAE 3000 / ISAE (NZ) 3000, in conducting the assurance engagement.


• Performance Engagements. • Used by the auditor of the entity or an assurance practitioner who is not the auditor of the entity; and

• Reasonable and acceptable standards of performance against which the extent of economy, efficiency or effectiveness of an activity may be assessed.

COMPLETE PART A AND PART D OF THIS QUESTIONNAIRE


H10

21_E

_V.09/20

14

The following diagram reveals the applicable assurance standards for a given practitioner and set of information:

Information not covered by ASAs / ISAs or ASREs / ISAEs

ASAE 3000 / ISAE (NZ) 3000

ASAE 3100 / SAE 3100

ASAE 3402 / ISAE (NZ) 3402

ASAE 3500

AUDITOR OF ENTITY OR ASSURANCE PRACTITIONER WHO IS NOT THE AUDITOR

OF THE ENTITY


H10

21_E

_V.09/20

14

PART A

Questions in Part A are to be completed for all assurance engagements.

CLIENT AUTHORITY1. Has permission been obtained from clients for the peer review of their file?

Note: Please place the appropriate letter from the below list into the above box that corresponds with the type of file(s) being reviewed (i.e. a = Public Listed, b = Public Unlisted, etc).

Type of engagement files to be reviewed:

a. Public Listed

b. Public Unlisted

c. Disclosing

d. Proprietary Large

e. Proprietary Small

f. Superannuation Fund

g. Incorporated Association

h. Unincorporated Association

i. Partnership

j. Joint Venture

k. Unit Trust

l. Discretionary Trust

m. Trust Account

n. Compliance Plan

o. Individual

p. Sole Trader

q. Other (please list)

Each client’s authority must be obtained before reviewing their file. If insufficient files exist for which client permission has been provided, and accordingly you believe it not possible to form an opinion based on the small sample size, contact the Quality Review Department at CPA Australia.

COMMENTS

INTRODUCTION2. Where the member has been unable to comply with the ASAEs / ISAEs due to factors outside the member’s control, have they performed

alternative procedures, included appropriate documentation in the working papers and, if appropriate, considered the implications for the member’s report? (ASAE 3000.8, ASAE 3100.8, or ASAE 3500.11)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.8, ASAE3100.8, or ASAE 3500.11.

COMMENTS


H10

21_E

_V.09/20

14

GENERAL PRINCIPLES OF ENGAGEMENT3. Is there any evidence to suggest that the member has not complied with relevant ethical requirements, including those pertaining to

independence, relating to assurance engagements? (ASAE 3000.9 / ISAE (NZ) 3000.4, ASAE 3100.12 / SAE 3100.10, ASAE 3402.Aus6.1 / ISAE (NZ) 3402.6 and ASAE 3402.11 / ISAE (NZ) 3402.11, or ASAE 3500.19)

Note: If answered ‘Yes’ to the above, the member is in breach of ASAE 3000.9 / ISAE (NZ) 3000.4, ASAE3100.12 / SAE 3100.10, ASAE 3402.Aus6.1 / ISAE (NZ) 3402.6 and ASAE 3402.11 / ISAE (NZ) 3402.11, or ASAE 3500.19.

COMMENTS

4. Has the member implemented quality control procedures that are applicable to the individual engagement? (ASAE 3000.12 / ISAE (NZ) 3000.6, ASAE 3100.15 / SAE (NZ) 3100.12, ASAE 3402.Aus6.1 / ISAE (NZ) 3402.6, or ASAE 3500.23)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.12 / ISAE (NZ) 3000.6, ASAE 3100.15 / SAE (NZ) 3100.12, ASAE 3402.Aus6.1 / ISAE (NZ) 3402.6, or ASAE 3500.23.

COMMENTS

ACCEPTANCE AND CONTINUANCE5. Was the subject matter of the engagement the responsibility of a party other than the sole intended user or the member?

(ASAE 3000.14 / ISAE (NZ) 3000.7, ASAE 3100.17 / SAE 3100.13, or ASAE 3500.27)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.14 / ISAE (NZ) 3000.7, ASAE 3100.17 / SAE 3100.13, or ASAE 3500.27.

COMMENTS


H10

21_E

_V.09/20

14

6. Is there evidence on file that the member accepted (or continued where applicable) the engagement where:

a. the member was aware that the requirements of the fundamental ethical principles or of the ASAEs / ISAEs NZ and SAEs would not be satisfied; or

b. the member was not satisfied that the engagement team collectively possessed the necessary professional competencies? (ASAE 3000.16 / ISAE (NZ) 3000.8 and ASAE 3000.18 / ISAE (NZ) 3000.9, ASASE 3100.17 / SAE 3100.13, or ASAE 3500.27)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.16 / ISAE (NZ) 3000.8 and ASAE 3000.18 / ISAE (NZ) 3000.9, ASASE 3100.17 / SAE 3100.13, or ASAE 3500.27.

COMMENTS

AGREEING ON THE TERMS OF THE ENGAGEMENT7. Has the member agreed the terms of the engagement with the client, including any changes, in writing?

(ASAE 3000.20 / ISAE (NZ) 3000.10 and ASAE 3000.23, ASAE 3100.19 / SAE 3100.23, or ASAE 3500.28)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.20 / ISAE (NZ) 3000.10 and ASAE 3000.23, ASAE 3100.19 / SAE 3100.23, or ASAE 3500.28.

Note: If the engagement is undertaken pursuant to legislation, the legislation contains the minimum applicable terms. For compliance and performance engagements, the member may ‘communicate’ or ‘agree’ the terms of engagement with the client.

COMMENTS


H10

21_E

_V.09/20

14

8. After commencing the engagement, did the member agree to a request to reduce the level of assurance provided without reasonable assurance? (ASAE 3000.22 / ISAE (NZ) 3000.11)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.22 / ISAE (NZ) 3000.11.

COMMENTS

PLANNING AND CONDUCTING THE ENGAGEMENT9. Is there evidence on file that the member:

a. planned the engagement so that it would be performed effectively; and

b. planned and performed the engagement with an attitude of professional scepticism? (ASAE 3000.25 / ISAE (NZ) 3000.12 and ASAE 3000.28 / ISAE (NZ) 3000.14, ASAE 3100.22 / SAE (NZ) 3100.29 and ASAE 3100.27 / SAE (NZ) 3100.30, or ASAE 3500.32 and ASAE 3500.36)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.25 / ISAE (NZ) 3000.12 and ASAE 3000.28 / ISAE (NZ) 3000.14, ASAE 3100.22 / SAE (NZ) 3100.29 and ASAE 3100.27 / SAE (NZ) 3100.30, or ASAE 3500.32 and ASAE 3500.36.

COMMENTS

10. Did the member obtain an understanding of the client, requirements or activity (as appropriate), and other engagement circumstances, sufficient to identify material risks, and sufficient to design and perform further evidence-gathering procedures? (ASAE 3000.30 / ISAE (NZ) 3000.15, ASAE 3100.28 / SAE 3100.31, or ASAE 3500.37)


COMMENTS


H10

21_E

_V.09/20

14

11. Did the member assess:

a. the appropriateness (e.g. identifiability; measurability) of the subject matter; and

b. the suitability of the criteria to evaluate or measure the subject matter? (ASAE 3000.33 / ISAE (NZ) 3000.18 and ASAE 3000.35 / ISAE (NZ) 3000.19, ASAE 3100.33 / SAE 3100.14 and ASAE 3100.36 / SAE 3100.17, or ASAE 3500.40 and ASAE 3500.44)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.33 / ISAE (NZ) 3000.18 and ASAE 3000.35 / ISAE (NZ) 3000.19, ASAE 3100.33 / SAE 3100.14 and ASAE 3100.36 / SAE 3100.17, or ASAE 3500.40 and ASAE 3500.44.

COMMENTS

MATERIALITY AND ENGAGEMENT RISK12. Did the member:

a. consider materiality and engagement risk when planning and performing the engagement; and

b. reduce engagement risk to an acceptable level in the circumstances of the engagement? ASAE 3000.40 / ISAE (NZ) 3000.22 and ASAE 3000.43 / ISAE (NZ) 3000.24, ASAE 3100.40 / SAE 3100.33 and ASAE 3100.43 / SAE 3100.34, or ASAE 3500.53 and ASAE 3500.58)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.40 / ISAE (NZ) 3000.22 and ASAE 3000.43 / ISAE (NZ) 3000.24, ASAE 3100.40 / SAE 3100.33 and ASAE 3100.43 / SAE 3100.34, or ASAE 3500.53 and ASAE 3500.58.

COMMENTS


H10

21_E

_V.09/20

14

USING THE WORK OF AN EXPERT13. Where the work of an expert was used:

a. was the combined skill and knowledge of the member and expert adequate for the member to determine that sufficient appropriate evidence had been obtained; and

b. did the member obtain a sufficient working knowledge to enable the member to accept responsibility for its conclusions; and

c. did the member obtain sufficient appropriate evidence that the expert’s work was adequate for the purposes of the assurance engagement? (ASAE 3000.47 / ISAE (NZ) 3000.26, ASAE 3000.51 / ISAE (NZ) 3000.30 and ASAE 3000.54 / ISAE (NZ) 3000.32, ASAE 3100.62 / SAE 3100.38, or ASAE 3500.61)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.47 / ISAE (NZ) 3000.26, ASAE 3000.51 / ISAE (NZ) 3000.30 and ASAE 3000.54 / ISAE (NZ) 3000.32, ASAE 3100.62 / SAE 3100.38, or ASAE 3500.61.

COMMENTS

OBTAINING & EVALUATING EVIDENCE14. Has the member:

a. obtained sufficient appropriate evidence on which to base the conclusion; and

b. determined whether sufficient appropriate evidence has been obtained to support the conclusion(s) expressedin the report? (ASAE 3000.56 / ISAE (NZ) 3000.33 and ASAE 3000.73 / ISAE (NZ) 3000.45, ASAE 3100.51 / SAE 3100.37 and ASAE 3100.75 / SAE 3100.56, or ASAE 3500.62 and 3500.79)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.56 / ISAE (NZ) 3000.33 and ASAE 3000.73 / ISAE (NZ) 3000.45, ASAE 3100.51 / SAE 3100.37 and ASAE 3100.75 / SAE 3100.56, or ASAE 3500.62 and 3500.79.

COMMENTS


H10

21_E

_V.09/20

14

15. Has the member obtained, or endeavoured to obtain, written representations from the responsible party, as appropriate? (ASAE 3000.64 / ISAE (NZ) 3000.38, ASAE 3100.58 / SAE 3100.45, ASAE 3402.38-40 / ISAE (NZ) 3402.38-40, or ASAE 3500.70)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.64 / ISAE (NZ) 3000.38, ASAE 3100.58 / SAE 3100.45, ASAE 3402.38-40 / ISAE (NZ) 3402.38-40, or ASAE 3500.70.

COMMENTS

CONSIDERING SUBSEQUENT EVENTS16. Has the member considered the effects on the subject matter information, entity’s compliance, or activity (as applicable for the engagement),

and on the member’s report, of events up to the date of the report? (ASAE 3000.68 / ISAE (NZ) 3000.41, ASAE 3100.70 / SAE 3100.49, or ASAE 3500.74)


COMMENTS


H10

21_E

_V.09/20

14

DOCUMENTATION & REPORTING17. Has the member prepared documentation that is sufficient and appropriate to support the conclusion(s) (and any recommendations), and that

provides evidence that the engagement was performed in accordance with ASAEs / ISAEs? (ASAE 3000.70 / ISAE (NZ) 3000.42, ASAE 3100.72 / SAE 3100.50, 3402.45-52 / ISAE (NZ) 3402.45-52, or ASAE 3500.76)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.70 / ISAE (NZ) 3000.42, ASAE 3100.72 / SAE 3100.50, 3402.45-52 / ISAE (NZ) 3402.45-52, or ASAE 3500.76.

COMMENTS

18. Does the assurance report (which must be in writing) contain a clear expression of the member’s conclusion about the subject matter information? (ASAE 3000.75 / ISAE (NZ) 3000.46, ASAE 3100.78 / SAE 3100.57, or ASAE 3500.82)


COMMENTS

19. On the basis of the engagement, has the member stated an appropriate conclusion and issued an appropriate level of assurance (unqualified; qualified; adverse; or disclaimer)? (ASAE 3000.82–84 / ISAE (NZ) 3000.51-52, ASAE 3100.84–85 / SAE 3100.59-61, or ASAE 3500.89–90)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.82–84 / ISAE (NZ) 3000.51-52, ASAE 3100.84–85 / SAE 3100.59-61, or ASAE 3500.89–90.

Note: Under ASAE 3000.82 / ISAE (NZ) 3000.51, reports can be modified with an emphasis of matter paragraph added to an unqualified conclusion.

COMMENTS


H10

21_E

_V.09/20

14

20. Does the assurance report include the following:

• a title that clearly indicates the report is an independent assurance report;

• an addressee;

• identification and description of the subject matter information, requirements, activity, systems or assertions (as appropriate for the engagement);

• for compliance engagements only, the period of compliance being reported on by the member; (ASAE 3100 / SAE 3100 only)

• identification of the criteria and, where appropriate, the party specifying the objectives;

• where appropriate, a description of any significant, inherent limitation associated with the evaluation or measurement of the subject matter, compliance with requirements, or activity (as appropriate for the engagement) against the criteria;

• when the criteria used to evaluate or measure the subject matter, requirements, or activity (as appropriate for the engagement) are available only to specific intended users, or are relevant only to a specific purpose, a statement restricting the use of the assurance report to those intended users or that purpose;

• a statement to identify the responsible party and describe the each party’s responsibilities;

• a statement that the assurance engagement was performed in accordance with ASAEs / ISAEs NZ or SAEs and the level of assurance provided;

• a summary of the work performed and, where appropriate, a statement of any limitations;

• a statement as to the existence of any relationship (other than the assurance practitioner) which the assurance practitioner has with, or any interests which the assurances practitioner has in, the entity; (ISAE (NZ) 3000, SAE 3100 and ISAE (NZ) 3402 only)

• the member’s conclusion:

– the context in which the member’s conclusion is to be read;

– in a reasonable assurance engagement, expressed in the positive form;

– in a limited assurance engagement, expressed in the negative form;

– where other than unqualified, a clear description of all the reasons;

– where both positive and negative forms are expressed, shall clearly separate the two types of conclusions; (ASAE 3500 only)

• the assurance report date; and

• the name of the firm or the member, and a specific location, which ordinarily is the city where the member maintains the office that has responsibility? (ASAE 3000.78 / ISAE (NZ) 3000.49, ASAE 3100.80 / SAE 3100.58, ASAE 3402.53 / ISAE (NZ) 3402.53, or ASAE 3500.83)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.78 / ISAE (NZ) 3000.49, ASAE 3100.80 / SAE 3100.58, ASAE 3402.53 / ISAE (NZ) 3402.53, or ASAE 3500.83 noting the relevant sub-paragraphs contained within the applicable standard(s).

COMMENTS


H10

21_E

_V.09/20

14

21. Has the member considered other reporting responsibilities and obligations, including the appropriateness of communicating relevant matters of governance interest arising from the engagement to the responsible entity? (ASAE 3000.86 / ISAE (NZ) 3000.54, ASAE 3100.88-89 I SAE 3100.65-66, or ASAE 3500.91 and ASAE 3500.93)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3000.86 I ISAE (NZ) 3000.54, ASAE 3100.88-89 I SAE 3100.65-66, or ASAE 3500.91 and ASAE 3500.93.

COMMENTS


H10

21_E

_V.09/20

14

PART BQUESTIONS IN PART B ARE TO BE COMPLETED FOR ASAE 3100 / SAE 3100 COMPLIANCE ENGAGEMENTS ONLY.

OBJECTIVE OF ENGAGEMENT22. Has the member met the objective of the engagement and expressed a conclusion on whether the client has complied in all material respects?

(ASAE 3100.9 / SAE 3100.8)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3100.9 / SAE 3100.8.

COMMENTS

PLANNING AND CONDUCTING THE ENGAGEMENT23. In planning the engagement, did the member obtain an understanding of the entity’s compliance environment and document the key elements

of the entity’s compliance framework? (ASAE 3100.31 / SAE 3100.32)


COMMENTS


H10

21_E

_V.09/20

14

MATERIALITY AND ENGAGEMENT RISK24. If material deficiencies were noted in the entity’s compliance framework, did the member assess the impact on the risk of noncompliance,

and the implication for planning and performing the engagement? (ASAE 3100.47 / SAE 3100.35)


COMMENTS

25. Did the member evaluate any compliance breach with the requirements as measured by the suitable criteria to determine:

a. if the breach was material; and

b. how it impacted on the member’s planned engagement approach for an effective engagement? (ASAE 3100.49)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3100.49.

COMMENTS


H10

21_E

_V.09/20

14

OBTAINING & EVALUATING EVIDENCE26. Where deficiencies and/or compliance breaches came to the member’s attention, did the member:

a. evaluate, individually and in aggregate, whether they were material; and

b. make the responsible party aware as soon as practicable, of such material issues? (ASAE 3100.64 / SAE 3100.47 and/or ASAE 3100.68 / SAE 3100.48)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3100.64 / SAE 3100.47 and/or ASAE 3100.68 / SAE 3100.48.

COMMENTS

DOCUMENTATION & REPORTING27. Where the member issued a qualified, adverse, or disclaimer of conclusion, is there evidence that the member considered any obligations

under the terms of the engagement to separately report such matters to the responsible party and/or the intended users of the report? (ASAE 3100.87 / SAE 3100.62)


COMMENTS


H10

21_E

_V.09/20

14

PART CQUESTIONS IN PART C ARE TO BE COMPLETED FOR ASAE 3402 / ISAE (NZ) 3402 ASSURANCE REPORTS ON CONTROLS AT SERVICE ORGANISATIONS ONLY.

OBJECTIVES28. Has the member met the objective of the engagement and reported on whether the member obtained reasonable assurance that, in all material

respects, the service organisation’s controls relating to financial reporting were fairly described, suitably designed and effective, based on suitable criteria? (ASAE 3402.8 / ISAE (NZ) 3402.8)


COMMENTS

ASAE 300029. Has the member represented compliance with ASAE 3402 / ISAE (NZ) 3402 where there is evidence they have not complied with

ASAE 3402 / ISAE (NZ) 3402 and ASAE 3000 / ISAE (NZ) 3000? (ASAE 3402.10 / ISAE (NZ) 3402.10)

Note: If answered ‘Yes’ to the above, the member is in breach of ASAE 3402.10 / ISAE (NZ) 3402.10.

COMMENTS


H10

21_E

_V.09/20

14

MANAGEMENT AND THOSE CHARGED WITH GOVERNANCE30. Has the member determined the appropriate person(s) within the service organisation’s management or governance structure with whom

to interact? (ASAE 3402.12 / ISAE (NZ) 3402.12)


COMMENTS

ACCEPTANCE AND CONTINUANCE31. Is there evidence that the member accepted or continued an engagement without:

• making the necessary determinations (such as whether the scope is too limited); or

• obtaining the agreement of the service organisation that it acknowledged and understood its various responsibilities (such as describing its system of controls)? (ASAE 3402.13 / ISAE (NZ) 3402.13)


COMMENTS


H10

21_E

_V.09/20

14

32. Where the service organisation requested a change in the scope of the engagement before the completion of the engagement, was the member satisfied that there was a reasonable justification for the change? (ASAE 3402.14 / ISAE (NZ) 3402.14)


COMMENTS

ASSESSING THE SUITABILITY OF THE CRITERIA33. Has the member assessed whether the service organisation has used suitable criteria in preparing the description of its system, in evaluating

whether controls are suitably designed and, where applicable, in evaluating whether controls are operating effectively? (ASAE 3402.15-18 / ISAE (NZ) 3402.15-18)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3402.15-18 / ISAE (NZ) 3402.15-18.

COMMENTS

MATERIALITY34. When planning and performing the engagement, did the member consider materiality with respect to the fair presentation of the description,

the suitability of the design of controls and, where applicable, the operating effectiveness of controls? (ASAE 3402.19 / ISAE (NZ) 3402.19)


COMMENTS


H10

21_E

_V.09/20

14

OBTAINING AN UNDERSTANDING35. Has the member obtained an understanding of the service organisation’s system, including controls that are included in the scope of the

engagement? (ASAE 3402.20 / ISAE (NZ) 3402.20)


COMMENTS

OBTAINING EVIDENCE36. Has the member determined, obtained, tested and evaluated sufficient appropriate evidence regarding:

a. the service organisation’s description of its system; (ASAE 3402.21-22 / ISAE (NZ) 3402.21-22)

b. the design of controls at the service organisation; and (ASAE 3402.23 / ISAE (NZ) 3402.23)

c. where appropriate, the effectiveness of controls throughout the period? (ASAE 3402.24-29 / ISAE (NZ) 3402.24-29)

Note:

COMMENTS


H10

21_E

_V.09/20

14

THE WORK OF AN INTERNAL AUDIT FUNCTION37. If the service organisation has an internal audit function, did the member obtain an understanding of the nature of the responsibilities of the

internal audit function and of the activities performed in order to determine whether the internal audit function was likely to be relevant to the engagement? (ASAE 3402.30 / ISAE (NZ) 3402.30)


COMMENTS

38. If the service organisation has an internal audit function, did the member determine whether the work of the internal auditors was adequate for purposes of the engagement and, if so, the planned effect of that work on the member’s procedures? (ASAE 3402.31-35 / ISAE (NZ) 3402.31-35)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3402.31-35 / ISAE (NZ) 3402.31-35.

COMMENTS

39. If the work of the internal audit function has been used, has the member made reference to that work in the section of the member’s assurance report that contains the member’s opinion? (ASAE 3402.36 / ISAE (NZ) 3402.36)

Note: If answered ‘Yes’ to the above, the member is in breach of ASAE 3402.36 / ISAE (NZ) 3402.36.

COMMENTS


H10

21_E

_V.09/20

14

40. For reports that include the operating effectiveness of controls, where the work of the internal audit function has been used in performing tests of controls, has the member included a description of that work and the member’s procedures with respect to that work in the relevant part of the member’s assurance report? (ASAE 3402.37 / ISAE (NZ) 3402.37)


COMMENTS

WRITTEN REPRESENTATIONS41. If, having discussed the matter with the member, the service organisation has not provided one or more of the requested written representations,

did the member disclaim an opinion? (ASAE 3402.40 / ISAE (NZ) 3402.40)


COMMENTS

OTHER INFORMATION42. Has the member read any other information included in a document containing the service organisation’s description of its system to identify

possible material inconsistencies or misstatements of fact? (ASAE 3402.41 / ISAE (NZ) 3402.41)


COMMENTS


H10

21_E

_V.09/20

14

43. If the member became aware of a material inconsistency or an apparent misstatement of fact in the other information, did the member discuss the matter with the service organisation and, where appropriate, take further action? (ASAE 3402.42 / ISAE (NZ) 3402.42)


COMMENTS

SUBSEQUENT EVENTS44. Is there evidence that the member enquired whether the service organisation was aware of any subsequent events up to the date of the member’s

report that could have had a significant effect upon the member’s report? (ASAE 3402.43 / ISAE (NZ) 3402.43)


COMMENTS

PREPARING THE SERVICE AUDITOR’S ASSURANCE REPORT45. For reports that include the operating effectiveness of controls, does the member’s assurance report include a separate section after the opinion,

or an attachment, that appropriately describes the tests of controls that were performed, the results of those tests and details on any deviations noted? (ASAE 3402.54 / ISAE (NZ) 3402.54)

Note: : If answered ‘No’ to the above, the member is in breach of ASAE 3402.54 / ISAE (NZ) 3402.54.

COMMENTS


H10

21_E

_V.09/20

14

46. If the member was unable to obtain sufficient appropriate evidence, or was not satisfied, in all material respects, with a particular aspect of the service organisation’s descriptions or controls, did the member modify their opinion, and did the member’s assurance report contain a clear description of all the reasons for the modifications? (ASAE 3402.55 / ISAE (NZ) 3402.55)


COMMENTS

OTHER COMMUNICATION RESPONSIBILITIES47. Is there any evidence on file that the member became aware of non-compliance with laws and regulations, fraud, or uncorrected errors

attributable to the service organisation that are not clearly trivial and may affect one or more user entities, but did not ensure the matter had been communicated appropriately to user entities? (ASAE 3402.56 / ISAE (NZ) 3402.56)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3402.56 / ISAE (NZ) 3402.56 / ISAE (NZ) 3402.56.

COMMENTS


H10

21_E

_V.09/20

14

PART DQUESTIONS IN PART D ARE TO BE COMPLETED FOR ASAE 3500 PERFORMANCE ENGAGEMENTS ONLY.

OBJECTIVE OF ENGAGEMENT48. Has the member met the objective of the engagement and expressed a conclusion designed to enhance the degree of confidence of the

intended users other than the responsible party by reporting on assertions, or information obtained directly, concerning the economy, efficiency or effectiveness of an activity against identified criteria? (ASAE 3500.12)


COMMENTS

ACCEPTANCE AND CONTINUANCE49. Is there evidence on file that the member initiated or accepted the engagement where, based on their preliminary knowledge, the member

formed the view that:

a. the activity was not appropriate as a subject matter for the engagement; or

b. the identified criteria was not suitable? (ASAE 3500.27)


COMMENTS


H10

21_E

_V.09/20

14

PLANNING AND CONDUCTING THE ENGAGEMENT50. If the member concluded, during the engagement, that the subject matter was not appropriate for review or audit, or that the identified criteria

was not suitable, did the member assess whether to change the terms of engagement or discontinue the engagement? (ASAE 3500.42 and ASAE 3500.48)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3500.42 and/or ASAE 3500.48.

COMMENTS

OBTAINING & EVALUATING EVIDENCE51. Where deficiencies in systems or controls and/or variations of the measures or assertions from the identified criteria came to the member’s

attention, did the member:

a. evaluate, individually and in aggregate, whether they were material; and

b. make the responsible party aware of such material issues? (ASAE 3500.66 and ASAE 3500.68)

Note: If answered ‘No’ to the above, the member is in breach of ASAE 3500.66 and/or ASAE 3500.68.

COMMENTS


H10

21_E

_V.09/20

14

OVERALL FINDINGS

BREACHES OF MANDATORY REQUIREMENTS IDENTIFIED:

POSITIVE FEEDBACK TO BE CONVEYED TO THE MEMBER(S) IN THE REVIEWER’S SUMMARY – OTHER MATTERS REPORT:

DEFICIENCIES IN THE QUALITY CONTROL SYSTEM THAT WILL BE NOTED IN THE REVIEWER’S SUMMARY – OTHER MATTERS REPORT WITH SUGGESTIONS FOR IMPROVEMENT:


H10

21_E

_V.09/20

14

cpaaustralia.com.au

CPAH1021_E_09.14

quality review program - cpa australia/media/corporate/allfiles/... · asae 3402 / isae (nz) 3402...

Documents