wirtschaftsprüferkammer - …...2. subject of the proportionate performance of an audit and of this...
TRANSCRIPT
1
The Board of Directors of the Wirtschaftsprüferkammer: Consideration on the Proportionate (Scaled) Performance of an Audit on the Basis of the ISA Table of Contents
1. Basic Principles and Objectives of the Guidelines .......................................................... 2
2. Subject of the Proportionate Performance of an Audit and of this Guideline, Limits to its Application ...................................................................................................................... 3
3. Understanding of Proportionate (scaled) Performance of an Audit ................................. 4
4. Fundamental Aspects of a Proportionate (Scaled) Performance of an Audit .................. 5
5. Scope of Application for a Proportionate Performance of an Audit ................................. 7
6. Aspects of Proportionate Performance of an Audit in the Framework of the Risk-Based Audit Approach ............................................................................................................... 9
6.1 Illustration of the Risk-Based Audit Approach .................................................................. 9 6.1.1 Fundamentals of the Risk-based Audit Approach .................................................. 9
6.1.2 Scaling Aspects within the Process of the Risk-Based Audit Approach .............. 14
6.2 Materiality ...................................................................................................................... 19
6.2.1 Fundamentals of Materiality ................................................................................. 19
6.2.2 Scaling Aspects within the Framework of Materiality ........................................... 20
6.3 Audit Planning ............................................................................................................... 20
6.3.1 Fundamentals of Audit Planning .......................................................................... 20
6.3.2 Scaling Aspects within the Process of Audit Planning ......................................... 21
6.4 Audit Procedures to Obtain Audit Evidence on Audit Objectives .................................. 22
6.4.1 Fundamentals of Obtaining Audit Evidence ......................................................... 22
6.4.2 Scaling Aspects within the Process of Audit Procedures for Obtaining Audit Evidence .............................................................................................................. 24
6.5 Documentation .............................................................................................................. 26
6.5.1 Fundamentals of Documentation ......................................................................... 26
6.5.2 Scaling Aspects within the Process of Documentation ........................................ 27
7. Closing Remarks ........................................................................................................... 29
Appendix – Comparison of IDW PS and IFAC ISA ................................................................ 31
---------------------------------------------------------------------------------------------------------------------------
This publication includes extracts from the International Standards on Auditing (ISAs) of the International Auditing and Assurance Standards Board (IAASB), published by the International Federation of Accountants (IFAC) in April 2010 and used with permission of IFAC. IFAC assumes no responsibility for the accuracy and completeness of the extracts from the ISAs.
----------------------------------------------------------------------------------------------------------------------------------------
2
1. Basic Principles and Objectives of the Guidelines
This guideline aims to provide advice and suggestions for a scaled approach to auditing
with consistent quality of audits and thereby facilitate the introduction into the
International Standards on Auditing (ISA). It does not, however, constitute a
comprehensive guide to performing audits.
The rationale for preparing this guideline stems from the uncertainty that could be
observed among members of the auditing profession with regard to the requirements of
existing statements by national and international associations – generally considered
useful and helpful – with respect to the audit of small and medium-sized companies
(SMEs). The ISA implicitly follow the paradigm of auditing large, publicly listed
companies, yet at the same time claim to be universally applicable standards.
Since the legislature has codified the mandatory use of the ISA as part of the German
Accounting Law Modernization Act (BilMoG) in § 317 paragraph 5 of the German
Commercial Code (HGB) and its acceptance by the EU Commission is expected in the
medium term, the considerations presented below deal with the performance of audits in
application of the ISA. Article 26 of the currently present proposal of the EU Commission
to amend the Statutory Audit Directive mandates statutory audits of all companies to be
carried out in accordance with international standards. It should be noted, however, that
the application of the ISA is subject to the principle of the auditor's own responsibility.
From the perspective of the WPK, it is possible to transfer explanations in this guideline
for an audit using the IDW auditing standards as the international auditing standards
have been transitioned into the IDW standards. Moreover, the auditing standards of the
IDW point out special German considerations deriving from legal statutes.
This guideline by the Board of Directors of the Wirtschaftsprüferkammer, with the support
of its "Accounting and Auditing" committee, reflects the considerations of the WPK on
taking into account size, complexity and risk of the audit subject within the process of
performing an audit (so-called scaled performance of audits) and is designed to primarily
support the members of the auditing profession in carrying out audits of financial
statements in accordance with §§ 316 et seq. German Commercial Code (HGB). The
basic idea of scaled performance of audits can equally be applied to other audits as
defined by § 2 Section 1 WPO (e.g., audits according to § 16 Real Estate Agents and
Commercial Contractors Act (MaBV), audits according to ISA 800, ISA 805, ISA 810).1
It should be noted that the EU Commission in Article 43a of the Amending Directive on
Statutory Audits, requires scalability of the international auditing standards. The
1 For purposes of harmonization, the terms "auditor" and "audit" are used below.
3
Professional Code contains a corresponding provision in § 24b paragraph 1 Professional
Charter for Wirtschaftsprüfer/vereidigte Buchprüfer - BS WP/vBP.
For additional guidance a comparison of the ISA with the corresponding IDW Auditing
Standards is attached.
2. Subject of the Proportionate Performance of an Audit and of this Guideline, Limits to its Application2
The proportionate performance of an audit has two areas of application:
1. The provision of an adequate System of Quality Control is to be commensurate with
the size of the company audited, the special circumstances of the client structure
(e.g., §319a German Commercial Code engagements), the span of control of the
auditors, and their physical presence during audits.
2. The completion of audit engagements [engagement acceptance, performance of the
audit and reporting (long form report, audit report)].
Re: 1. The scaling of the System of Quality Control is not the subject of this guideline.
Reference is made to Regulation 1/2006 and the corresponding guideline of the
Commission for Quality Assurance for auditing a System of Quality Control with
particular reference to small practices.
Re: 2. This guideline is limited to the area of the performance of an audit. Engagement
acceptance and reporting are not the subject of this WPK guideline.
This guideline is intended to provide practical ideas and recommendations on the
proportionate (scaled) performance of an audit and is expressly to be construed merely
as a guide. This guideline does not represent a comprehensive manual for performing
audits. It does not release the members of the auditing profession from carrying out
audits according to their professional judgment in individual circumstances. Moreover,
this guideline does not make any claim of completeness. The ISA standards may contain
further approaches for a scaling of audits that are perhaps not described below.
This guideline also does not release the members of the auditing profession from their
duty to carefully study the ISA and gain a reasonable understanding of the ISA
provisions. In case of conflict, the ISA standards shall take legal precedence over the
remarks in this guideline – taking into account the auditor's own responsibility.
2 For scaling aspects with respect to auditing practice, cf. Regulation 1/2006 as well as ISA 220.
4
The following principles – also under application of the ISA – are to be considered
indispensable elements in performing audits:
risk-based audit approach
determination of materiality levels
substantive, personnel and schedule considerations of audit planning
audit procedures for obtaining sufficient appropriate audit evidence
documentation.
3. Understanding of Proportionate (scaled) Performance of an Audit
Under the proportionate performance of an audit, the nature, scope and documentation
shall be determined as a function of the size, complexity and risk of the subject of the
audit. The audit quality as well as reliability of the audit opinion, however, must be
uniform for all audits of financial statements.
This means that with a uniform objective for all audits of financial statements, the path to
achieving an objective may vary depending upon the size, complexity, and risk of the
subject of the audit. This path to achieving the objective, i.e., definition and
implementation of the nature, scope and documentation of the audit performance, is to be
decided according to the professional judgment of the member of the auditing profession,
within the scope of his own responsibility. The proportionate performance of an audit is
not a new concept being introduced for the first time by the ISA. The scalability can also
be derived from the IDW auditing standards (e.g., IDW PS 200 Item 18 et seq., IDW PS
240 Item 12, IDW PS 261 Item 74 et seq.).
Nature and scope of the performance of an audit is based in particular on the
determination of materiality, the specification of the nature and number of audit activities,
the volume of the audit evidence as well as the definition of control sampling and random
sampling method.
Complexity and risk primarily relate to the risk of a material misstatement in the financial
statements being audited, whereby this risk derives naturally from the risk of the entity’s
business, the complexity of the entity’s operations, and the nature of accounting at the
entity. This WPK guideline, in this regard, is based on the risk-based audit approach of
ISA 315 and 330.
The audit subject refers to the audit engagement as a whole and to individual audit fields.
Thus, there is a distinction between engagement-related (financial statement level) and
audit field-related (assertion level) risks.
5
4. Fundamental Aspects of a Proportionate (Scaled) Performance of an Audit
The scaling of the performance of an audit is expressed in the following guidelines,
whereby focus is on letters c. and d.:
a. decision on the non-applicability of an ISA standard,
b. decision on the non-applicability of specific detailed requirement of an ISA standard,
c. implementation of generally held ("scalable") requirements in the ISA standard,
d. guidelines of specific Application and Other Explanatory Material in the ISA standards
("special considerations for smaller entities").
Re: a. ISA 200.18 in connection with 200.19 requires the auditor to comply with all
auditing standards relevant to the audit. If the issues raised in a standard do not
exist, the relevance of the particular ISA standard is to be negated and therefore
the standard in its entirety does not apply (ISA 200.22).
Prior to beginning the audit, it is helpful to assess the relevance of the following
auditing standards:
ISA 402 – Audit Considerations Relating to an Entity Using a Service
Organization
ISA 510 – Initial Audit Engagements – Opening Balances
ISA 600 – Special Considerations – Audits of Group Financial Statements
(Including the Work of Component Auditors)
ISA 610 – Using the Work of Internal Auditors (“Internal Audit”)
ISA 620 – Using the Work of an Auditor’s Expert
Re: b. Pursuant to ISA 200.22 the auditor shall comply with each requirement of a
relevant ISA standard as defined in a., unless the requirement is not relevant
because it is conditional and the condition does not exist (e.g., certain
requirements for granting a qualified audit opinion do not apply when granting an
unqualified audit opinion). During the process of the audit of companies, there
may be facilitation due to the permissible non-application of conditional individual
rules.
In addition, the ISA comprise so-called “Application and Other Explanatory
Material”. These “application information” do not constitute any independent
6
additional requirements for the auditor. According to IFAC, they are, however, of
significance for the correct application of ISA requirements.3
Re: c. The ISA contain a variety of statements on the performance of an audit, in which
the scalability of auditing standards is expressed in general terms, for example:
ISA 230 – Audit Documentation (Item A2): form, content and extent of audit
documentation depend on factors such as: size and complexity of the entity,…
ISA 300 – Planning an Audit of Financial Statements (Item A1): nature and extent
of planning activities will vary according to the size and complexity of the entity…
ISA 500 – Audit Evidence (Item 6): The auditor shall design and perform audit
procedures that are appropriate in the circumstances for the purpose of obtaining
sufficient appropriate audit evidence.
In particular, phrases in the standards like “appropriate”, "adequate" “adequate to
the circumstances” or “sufficient” emphasize the scalability of the provisions. In
these cases, the auditor is to determine in its professional judgment the nature
and scope of each activity, i.e., make a decision as to the degree of scalability. In
addition, many requirements in the ISA are expressed in general terms, without
concrete conditions as to the type and manner in which they should be fulfilled. In
these cases, it is up to the discretion of the auditor to determine the specific
measures to fulfill the ISA requirements. The remarks under 6, “Aspects of
Proportionate Performance of an Audit in the Framework of a Risk-based Audit
Approach” are intended to provide additional assistance on this aspect.
Re: d. Individual ISA contain “Considerations Specific to Smaller Entities” in various
places within the “application information”. IFAC thus provides members of the
auditing profession with special hints and guidelines on the audit of smaller
companies. A summary prepared by the WPK of the “Considerations Specific to
Smaller Entities” contained in the ISA can be downloaded on the homepage of the
WPK at www.wkp.de/aktuell/skalierung.asp.
In this context it should be noted that the additional application of further regulations
depending upon the specifics of the audit engagement based on the regulations always
to be observed in the ISA leads to the same result ("scaling up").
It should also be noted, however, that a proportionate performance of an audit does not
mean ignoring essential ISA provisions based on the argument that they are "too
3 cf. IFAC: Guide to Using ISAs in the Audit of Small- and Medium-Sized Entities, Volume 1; p. 14; 3rd Edition, 2011
7
laborious" for the company subject to the audit. Scaling is therefore only possible in the
above-mentioned cases and only in a reasonable proportion based on the circumstances
of the individual case (size, complexity, risk). In particular, the provision in ISA 200.23 (“In
exceptional circumstances, the auditor may judge it necessary to depart from a relevant
requirement in the ISA.”) is not to be understood as a general standard for scaling.
5. Scope of Application for a Proportionate Performance of an Audit
The considerations concerning a proportionate performance of an audit may basically be
applied to any audit of financial statements – for example, independent of the legal form
or size of the subject of the audit – and are thus not restricted to the audit of SMEs. Given
equal audit quality and dependability of the audit opinion, the nature, scope, and
documentation of the audit are determined in relationship to the size, complexity and risk
of audit subject. The difference ultimately is the degree of scalability of ISA requirements.
The size of an entity as a quantitative characteristic alone cannot be the decisive
criterion for determining the degree of scalability of the audit performance. The
qualitative aspects of complexity and risk of the audit subject are to be weighed
more heavily. In case of doubt, the risk criteria should be weighed most heavily.
Complexity is primarily understood to be how complicated the accounting issues
are (as derived from the complexity of the business activity).4
Risk is understood to be the possibility of a material misstatement in the financial
statements being audited. Among other things, this is in turn derived from the risk
of the entity’s business, the complexity of the entity’s operations, and the nature of
the entity’s accounts. The auditor is to use his professional judgment in assessing
the aspects of size, complexity and risk, and weighing the facts to deduce the
degree of scalability of the audit.
The above aspects are also considered in the ISA themselves. Thus the international
auditing standards in ISA 200.A64 contain the following definition for so-called “smaller
entities”:
“For purposes of specifying additional considerations to audits of smaller entities, a
‘smaller entity’ refers to an entity which typically possesses qualitative characteristics
such as
4 The complexity of non-balance sheet issues is also to be considered here.
8
(a) Concentration of ownership and management in a small number of individuals (often
a single individual – either a natural person or another enterprise that owns the entity,
provided the owner exhibits the relevant qualitative characteristics); and
(b) One or more of the following:
(i) straightforward or not complicated transactions;
(ii) simple record keeping;
(iii) few lines of business and few products within business lines;
(iv) few internal controls;
(v) few levels of management with responsibility for a broad range of controls; or
(vi) few personnel, many who have a wide range of duties.
These qualitative characteristics are not exhaustive, nor are they exclusive to smaller
entities, and smaller entities do not necessarily exhibit all of these characteristics.”
From our understanding, the criteria listed above as examples represent possible
circumstances for the scaling requirements of “complexity” and “risk.” “Smaller entities,”
as defined by ISA 200.A64, are companies of a small size, low complexity, and/or a low
risk and therefore a high degree of scalability (these are referred to below as SMEs).
Other possible indicators for the existence of an SME could include (cf. IDW PH 9.100.1,
Item 3):
decisions relevant to the company lie predominantly in the area of authority of the
owner or owners,
no dependency upon a parent company,
strong influence of typical regional and industry-specific factors,
straightforward accounting,
only few assigned employees in the accounting department have accounting-related
information,
company-specific knowledge is primarily restricted to only a few persons.
The decision as to the extent in which proportionate performance of the audit is justified
by the facts is up to the responsible auditor as defined by § 24a Professional Charter
WP/vBP. The relevant factors for this decision are to be considered in their entirety.
9
6. Aspects of Proportionate Performance of an Audit in the Framework of the Risk-Based Audit Approach
6.1 Illustration of the Risk-Based Audit Approach
6.1.1 Fundamentals of the Risk-based Audit Approach
The international auditing standards codify the risk-based audit approach in ISA 315 –
Identifying and Assessing the Risks of Material Misstatement through Understanding the
Entity and Its Environment – and ISA 330 – The Auditor’s Responses to Assessed Risks.
ISA 315.1, in connection with ISA 315.3, requires the auditor to identify and assess the
risks of material misstatement in the financial statements through understanding of the
entity and its environment, including the entity’s internal control in order to create the
basis for designing and implementing responses to the assessed risks. Additionally, ISA
330.1, in connection with ISA 330.3, codifies the responsibility of the auditor to design
and implement responses to the risks of material misstatement identified and assessed
by the auditor in order to obtain sufficient appropriate audit evidence regarding the
assessed risks of material misstatement.
The design of the risk-based audit approach can be accounting-based, function-based or
process-based.
With an accounting-based approach, the audit fields are determined essentially based
on the accounting issues or the balance sheet items in the financial statements.
With a function-based approach, the audit field determination is made in alignment
with the operational functions of the company (e.g., purchasing, production, sales).
With a process-based approach, the audit field determination is made on the basis of
material company processes (e.g., procurement process, from needs assessment to
goods payment; sales process, from posting of orders to posting of payments).
When deciding on how to structure the risk-based audit approach, organizational
structures and processes of the company being audited are taken into consideration.
In simple terms, the risk-based audit approach can be divided into the following three
phases:
Phase 1: Risk Identification (determination of risks of material misstatement by
understanding the entity and its environment as well as including the entity’s internal
control)
Understanding the entity and its environment is particularly used to determine inherent
risks and at the company level includes such criteria as organization, financing,
10
investment plans, business objectives and strategies, key performance indicators,
competence and integrity of management and the employee, the nature, scope and
special considerations of company activity and company development. At the assertion
level (audit field level) significant aspects include, for example, the susceptibility to errors
of items in the financial statements, the complexity of the business transactions, the risk
of fraud, and the latitude for discretion in recognition and measurement.
Understanding the entity’s internal control serves as a basis for determining the control
risk. The auditor is first of all to become convinced of the structure (i.e., the adequacy and
implementation) of the entity’s internal control. The focus of the auditor in this test of
design lies on the accounting-related internal control of the entity, i.e., the controls
relevant to the audit of financial statements. For this, the auditor is to gain understanding
for all of the following entity’s internal control components (ISA 315.14 - .22):
Control environment
According to ISA 315.A69 the control environment includes the governance and
management functions as well as the attitudes, awareness and actions of those
charged with governance and management concerning the entity’s internal control
and its importance in the entity. Further, the control environment sets the tone of the
organization by influencing the control consciousness of its employees. Elements of
the control environment include inter alia communication and enforcement of integrity
and ethical values, management’s philosophy and operating style of the
management, and organizational structure.
Risk-assessment process
The risk-assessment process constitutes the basis for the determination of risks to
which management must react. In particular, this includes the identification of
business risks, the estimation of the significance of risks, the assessment of their
likelihood to occur and the decision about actions to address those risks (ISA.
315.15).
Financial reporting-related information system (including the related business
processes) and communication
The information system relevant to financial reporting objectives, which includes the
accounting system, consists of the procedures and records that the company has
designed and established to (ISA 315.A81):
o initiate, record, process and report entity transactions and to maintain
accountability for the related assets, liabilities and equity;
o identify and resolve incorrect processing of transactions;
11
o process and account for system overrides or bypasses to control;
o transfer information from transaction processing systems to the general ledger;
o capture information relevant to financial reporting for events and conditions other
than transactions (e.g., depreciation of assets); and
o ensure that information required to be disclosed is accumulated, recorded,
processed, summarized and appropriately reported in the financial statements.
Communication on the one hand includes communication of financial reporting roles
and responsibilities in financial reporting, on the other hand, communication of
relevant financial reporting issues. Examples of communication are policy manuals
and financial reporting manuals (ISA 315.A86).
Control activities relevant to the audit of financial statements
Relevant control activities are those the auditor deems necessary to understand in
order to assess the risks of material misstatement at the assertion level, and to
design further audit procedures as a response to the assessed risks (ISA 315.20).
Control activities are the policies and procedures that help ensure that management
directives are carried out (e.g., authorization, performance reviews, information
processing, physical controls, separation of duties; ISA 315.A88).
Monitoring of controls
Monitoring of controls is a process by which the effectiveness of the entity’s internal
control is assessed over a period of time. This includes both one-time and ongoing
activities.
Phase 2: Risk analysis and assessment (assessment of the risks of material
misstatement and deduction of the audit strategy)
Risk identification is followed by the assessment of the effects of the risks of material
misstatement to the financial reporting according to the dimension and likelihood of
occurrence. This assessment is to be conducted on both the financial statement level and
on the assertion level for the classes of transactions, account balances and disclosures
(ISA 315.25). Based on this assessment, the auditor devises the audit strategy.
Significant identified risks (e.g., revenue recognition or non-routine transactions) require
special consideration within the process of the audit. Thus the auditor is obliged to gain
an understanding in each case for the controls relevant for these significant risks (ISA
315.27 et seq.).
12
Moreover, for some risks the auditor may judge that it is not possible or practicable to
obtain sufficient appropriate audit evidence only from substantive procedures (e.g., for
automated mass production processes). In these cases, the auditor shall obtain an
understanding of the controls relevant to these risks (ISA 315.30).
Phase 3: Audit procedures as a response to the assessed risks
In order to address the assessed risks of material misstatement, the auditor has to design
and implement responses on both the financial statement level as well as the assertion
level (ISA 330.5 and .6). Responses at the financial statement level may include, in
particular, emphasizing the need to maintain professional skepticism, assigning more
experienced staff or using experts on the audit team, incorporating unpredictable audit
procedures as well as special quality assurance measures
(ISA 330.A1).
At the assertion level, the auditor must respond reasonably by means of tests of controls
of the entity’s internal control, substantive audit procedures or both respectively. The
assessment of identified risks by the auditor on the assertion level provides a basis for
considerations of the appropriate audit approach for designing and performing further
audit procedures (ISA 330.A4). The auditor can thus specify that
Only by performing tests of controls may the auditor achieve an effective response to
the assessed risk of material misstatement for a particular assertion;
Performing only substantive audit procedures is appropriate for particular assertions,
and, therefore, the auditor excludes the effect of controls from the relevant risk
assessment;
A combined approach using both tests of controls and substantive audit procedures is
an effective approach.
Tests of controls are geared towards evaluating the operating effectiveness of controls in
preventing or detecting and correcting material misstatements at the assertion level (ISA
330.4(b)). The auditor shall design and perform tests of controls if (ISA 330.8):
the risk assessment of material misstatements at the assertion level is based on the
assumption that controls are operating effectively (i.e., the auditor intends to rely on
the operating effectiveness of controls in determining the nature, timing and scope of
substantive audit activities), or
substantive audit procedures alone cannot provide sufficient appropriate audit
evidence.
13
Irrespective of the assessed risks of material misstatement, the auditor shall design and
perform substantive procedures for each material class of transactions, account balance,
and disclosure (ISA 330.18). In this, the auditor shall consider whether external
confirmation procedures are to be performed as substantive audit procedures. The
nature, scope and timing of substantive audit procedures depend on the results of the
risk assessment. On a case-by-case basis, the auditor may decide that
the performance of substantive analytical audit procedures alone is sufficient,
tests of details by themselves are adequate, or
a combination of substantive analytical audit procedures and tests of details are the
most appropriate response to the assessed risks.
In summary, it can be said that the identification of potential risks of material
misstatement is made on the basis of the insights gained about the client, the client’s
environment and the reasonableness and implementation of its internal control (test of
design) by the auditor in Phase 1. Subsequently in Phase 2, the identified risks of
material misstatement are considered regarding their effect and likelihood of occurrence,
and the audit strategy is determined accordingly.
In Phase 3, the determination and performance of the audit program for the following
audit procedures occur on this basis as a response to the assessed risks of material
misstatement.
When used properly, the auditor can gain a high degree of audit confidence relatively
quickly by application of the risk-based audit approach. This may mean that in certain
cases after Phase 2, sufficient audit evidence may be obtained for specific audit fields (as
described earlier, substantive audit procedures are to be designed and executed also in
this case for all material classes of transactions, account balances, as well as
disclosures).
The risk-based audit approach leads to a focus on the activities of the audit risk-prone
areas of the entity, while low-risk audit areas are consequently audited with less intensity.
14
6.1.2 Scaling Aspects within the Process of the Risk-Based Audit Approach
Possible approaches for scaling aspects – while keeping the professional skepticism
unchanged – are illustrated below:
Facilitated gaining of an understanding of the entity and its environment due to a
long-lasting relationship
It can be easier for the auditor to gain an understanding of the client, its environment
and its accounting related controls, the longer he has actively been engaged as an
auditor for the client. The auditor uses professional judgment to determine the extent
of the understanding required. The depth of the overall understanding that is required
by the auditor can be less than that possessed by management in managing the
entity (ISA 315.A3).
Moreover, the auditor can use information from previous years, resulting from
previous experiences with the entity or from audit procedures from previous audits of
the financial statements. The auditor then is to determine, however, whether changes
have occurred since than that may affect its relevance to the current audit (ISA
315.9).
It is often easier to gain an understanding of the entity's internal control for smaller
companies
The structure of the entity’s internal control can indeed be very basic for smaller
companies (ISA 315.A41). Thus it is conceivable that the company has put into place
a few controls for key issues at the management level, without being able to
demonstrate that an overall system of internal controls exists. Gaining an
understanding of internal controls is possible in such a case with relatively small
effort.
Focusing on the controls relevant for financial reporting
The auditor shall only obtain an understanding of internal control relevant to the audit
(ISA 315.12) and thus only of the company's control activities that are necessary to
assess the risks of material misstatement on the assertion level and to be able to
design adequate audit procedures as a response to the assessed risks. Although
most controls relevant to the audit are likely to relate to financial reporting, not all
controls that relate to financial reporting are relevant to the audit. Furthermore, it is
not necessary to gain an understanding of all the control activities related to each
significant class of business transactions, account balances, and disclosures in
financial statements (ISA 315.20).
15
Aspects concerning the components of the entity’s internal control
In gaining an understanding of the entity’s internal control, the auditor is to be
concerned with all of the following internal control components, even if the following
sub-classification is not necessarily reflected in the structure and implementation of
the entity's internal control:
o Control environment
The attitude, awareness and actions of those charged with governance and
management which are decisive for the control environment encountered are of
special significance to the auditor's understanding of the control environment of a
smaller entity, because, for instance (ISA 315.A76):
- In small entities those charged with governance may not include an independent
or outside manager and the role of governance may be carried out directly by the
owner-manager where there are no other owners.
- Audit evidence for elements of the control environment in smaller entities may not
be available in documentary form, in particular where communication between
management and other personnel may be informal.
- The nature of the control environment may also influence the significance of other
controls, or their absence (an actively involved owner-manager can reduce or
increase the risks arising from the lack of segregation of duties within the
company).
o Risk assessment process of the entity
In a small entity, there is often no established risk assessment process. It is more
likely that management identifies risks through direct personal involvement in the
business. It is nonetheless necessary to inquire about identified risks and how they
are addressed by management (ISA 315.A80).
o Information system including related business processes, relevant to financial
reporting, as well as communication
The financial reporting-related information systems in smaller entities are likely to be
less sophisticated than in larger entities. Small entities with active management
involvement may not need extensive descriptions of accounting procedures,
sophisticated accounting records, or written policies. In these cases, the
understanding of the systems and processes of the entity may therefore be less
complicated and possibly more dependent upon inquiries then upon a review of
documentation (ISA 315.A85).
16
o Control activities
The level of formalization of control activities may differ among larger and smaller
entities. Certain types of control activities in smaller entities may in fact not be
relevant due to controls applied by management. For example, management’s sole
authority for granting credit to customers and approving significant purchases can
provide strong control over important account balances and transactions, thus
lessening or removing the need for more detailed control activities (ISA 315.A93). It
should be mentioned here, however, that an increased risk exists due to
management override.
o Monitoring of controls
Management’s monitoring of controls is often accomplished by management’s or the
owner-manager’s close involvement in operations. Through this involvement,
significant variances from expectations and inaccuracies in financial data are often
identified, leading to remedial action to the control (ISA 315.A100).
Tests of controls are not mandatory in every case
On the financial statement level as well as on assertion level, the auditor is to
respond adequately to any identified material risks by means of tests of controls and /
or substantive audit procedures.
As mentioned above, tests of controls are necessary if the auditor wants to rely on
the effectiveness of the entity’s internal control for audit assurance, or when
substantive audit procedures alone do not yield sufficient appropriate audit evidence.
Tests of controls are particularly useful for frequently recurring, automated routine
transactions, as with relatively little effort a high level of audit assurance can be
achieve, which could only have been achieved through a large number of substantive
audit procedures (or in some cases not at all).
Conversely, this means that tests of controls are not mandatory for every audit of
financial statements: If the auditor assesses the risk of material misstatements to be
low, or if existing controls are not adequate, the auditor may within the process of the
audit rely solely on substantive audit procedures, which then if necessary, would have
to be carried out in a wider scope. Another such case would be if there are not many
control activities in the company that can be identified by the auditor or the scope to
which their existence or operation have been documented by the entity may be
limited (ISA 330.A18). In such cases it can be more efficient for the auditor to mainly
carry out substantive audit procedures.
17
Focusing on superordinate controls
It may be possible that a company has implemented a variety of controls on multiple
levels along its processes (e.g., materials purchasing: requirements requisition sheet
– superior approval – maintenance of budget limits / suggested account application –
managing director approval – pre-posting of invoice – incoming goods inspection –
payment proposal list – approval of payment / entry). Often it is not necessary to carry
out a test of controls on all existing controls along the relevant process. There may be
cases where limiting the test of controls to a few identifiable “superordinate” controls
seems reasonable.
Multiple use of audit procedures
Audit procedures within the process of the test of design of controls can
simultaneously yield audit evidence as to the effectiveness of control procedures. The
auditor may thus consider it efficient to simultaneously test the operating
effectiveness of the controls, assess the design of the controls, and determine that
they have been implemented, (ISA 330.A21). Even if some audit procedures for risk
assessment are not specially designed as tests of controls, they may nonetheless
provide audit evidence about the operating effectiveness of the controls and,
consequently, serve as tests of controls (ISA 330.A22).
Moreover, the auditor may design a test of controls to be performed concurrently with
a test of details on the same transaction. The auditor may, for example, design and
evaluate a test to examine an invoice to determine whether it has been approved and
to provide substantive audit evidence of a transaction. Such a “dual-purpose test” is
designed and evaluated whereas each of the test purposes is considered separately
(ISA 330.A23).
Laborsaving measures through increased use of analytical substantive audit
procedures
Nature, scope and timing of substantive audit procedures depend on the result of the
risk assessment. In individual cases, the performance of substantive analytical audit
procedures according to the requirements of ISA 520 alone may be sufficient. For
example, where risk assessment of the auditor is based on audit evidence gained
from tests of controls. Substantive analytical audit procedures are generally more
adequate for large volumes of transactions that tend to be predictable over time (ISA
330.A44).
18
The use of results from previous years’ audits
As part of the test of controls, the auditor may consider it appropriate based on his
risk assessment to rely on audit evidence gained from previous years' audits (ISA
330.13). In such a case, the auditor, – e.g., through discussion with management –
has to obtain audit evidence about whether significant changes have been made to
the control(s) in the meantime. If changes have been made that affect the continuing
relevance of the audit evidence from the previous audit, the auditor shall test the
controls in the current audit, to the extent that he plans to rely on their effectiveness.
If no changes have been made to the controls, the auditor may consider it appropriate
to rely on the assessment of the effectiveness of these controls from previous years.
The time span between the new tests of such unchanged controls can encompass up
to three years (new test in the third year) and it is up to the auditor's own due
consideration (ISA 330.14(b)). As a general rule: the higher the risk of material
misstatements or the more one depends on the respective control, the shorter the
time interval between two tests of controls.
At the same time, the auditor shall test the controls at least once in every third audit,
and shall test some controls each audit to avoid the possibility of testing all the
controls on which the auditor intends to rely in a single audit period with no testing of
controls in the subsequent two audit periods (ISA 330.14(b)).
The auditor cannot rely on audit procedures from previous years on controls over a
risk he has determined to be a significant risk. In such cases the auditor shall test
those controls during the current audit (ISA 330.15).
Absence of documentation of the entity’s internal control on the behalf of the entity5
Absence of documentation of the entity’s internal control, in part or in whole on the
behalf of the entity, does not necessarily constitute a limitation on the scope of the
audit, as long as the auditor is capable of testing the design and – to the extent
necessary – the function of the ICS (cf. ISA 315.A77, .A80). The auditor shall
however, evaluate whether the absence of a documented risk assessment process is
appropriate to the circumstances, or determine whether it constitutes a significant
deficiency in the internal control system of the entity (ISA 315.17).
The auditor is not required to document substantial parts or all of the entity's internal
control in lieu of the entity. However, the following must be documented by the auditor
according to ISA 315.32, taking into consideration ISA 230.8 et seq. with respect to
the entity’s internal control:
5 Bookkeeping is subject to statutory audit in Germany. Proper bookkeeping principles are to be observed.
19
o key elements of the understanding obtained regarding each of the five aspects of
the internal control components, and sources of information from which the
understanding was obtained;
o significant risks identified, and related controls about which the auditor has
obtained an understanding.
6.2 Materiality6
6.2.1 Fundamentals of Materiality
The concept of materiality is regulated in ISA 320 – Materiality in Planning and
Performing an Audit. When establishing the overall audit strategy, the auditor shall first
determine materiality for the financial statements as a whole
(ISA 320.10). The level of materiality for the financial statements as a whole shall be
measured in terms of the level beyond which a misstatement in the financial statements
influences the economic decisions of users of the financial statements. It is not justified
if the auditor sets a low level of materiality as a whole because there was a high risk of
errors (cf. Guide to using ISAs in the Audits of Small- and Medium-Sized Entities, Vol. 1
– Core Concepts, 3rd Edition, p. 95).
At the same time, the auditor is to establish a lower threshold of materiality for
particular types of business transactions, account balances, or disclosures in financial
statements, if in the specific circumstances of the entity, misstatements of lesser
amounts than materiality for the financial statements as a whole could reasonably be
expected to influence the economic decisions of users on the basis of the financial
statements (ISA 320.10). It is not permissible to set a higher threshold of materiality for
particular types of business transactions, account balances or disclosures in financial
statements.
According to ISA 320.11 the auditor is also to determine the so-called performance
materiality. This is the amount or amounts below materiality for the financial statements
as a whole or the specific materialities, in order to reduce to an appropriately low level
the probability that the aggregate of uncorrected and undetected misstatements
exceeds materiality for the financial statements as a whole. Performance materiality is
relevant within the process of determining the audit strategy, in particular the starting
point for the determination of the nature, timing and scope of further audit procedures
(ISA 320.11) for the performance of the audit.
6 Detailed remarks on materiality according to ISA 320 can be obtained from Questions and Answers on
Determining Materiality and Tolerance Materiality according to ISA 320 and IDW PS 250 published by IDW on 17 November 2011 (cf. IDW Fachnachrichten 12/2011, see: 743 et seq.)
20
6.2.2 Scaling Aspects within the Framework of Materiality
Possible scaling aspects are illustrated below.
Determining the materiality for the financial statements as a whole influences the
scope of the subsequent audit procedures
The ISA do not prescribe for the auditor any particular method of determining
materiality as a whole. Nor do the standards provide for the application of any
particular mandatory reference size for determining materiality. The selection of the
appropriate reference value as well as the quantitative approach lies in the due
consideration of the auditor.
Within the process of determining materiality, which as described above is to be
guided by the decision relevance for the users of the financial statements, the
conditions surrounding the entity to be audited (such as ownership structure, nature
of financing, economic environment) are to be taken into account in determining the
reference value and the quantitative approach – and thus subsequently also in the
determination of the nature, timing and scope of further audit procedures.
Determining the line-item performance materiality influences the scope of
subsequent audit procedures
Performance materiality can either be determined as an amount analogous to
materiality for the financial statements as a whole or also issue-specific for certain
types of business transactions, account balances, or disclosures in financial
statements (cf. Guide to using ISAs in the Audits of Small- and Medium-Sized
Entities, Vol. 1 – Core Concepts, 3rd Edition, p. 96). As a function of risk and
complexity, the determination of issue-specific tolerance materiality can lead to a
reduction of the audit procedures to be performed for smaller entities.
It should be noted at this point that the negotiation of possible follow-on engagements
in connection with the audit of financial statements, such as the preparation of
explanatory notes in the long-form audit report, eliminates the previous materiality
considerations due to the necessarily higher level of certainty and thus may negate any
associated scaling aspects.
6.3 Audit Planning
6.3.1 Fundamentals of Audit Planning
ISA 300 – Planning an Audit of Financial Statements prescribes the duty of the auditor
to engage in audit planning. The planning of the audit of financial statements includes
21
the development of an audit strategy and subsequent design of the audit program. Key
factors that the auditor is to consider when developing the audit strategy and devising
the audit program have already been illustrated in the section
“Risk-Based Audit Approach.”
6.3.2 Scaling Aspects within the Process of Audit Planning
Possible scaling aspects are illustrated below.
Size and complexity of the audit subject influence the nature and scope of audit
planning
The nature and scope of planning activities are dependent upon the size and
complexity of the audit subject, the previous experiences of members of the audit
team with the entity, and any changing conditions during the ongoing audit. The
development of the audit strategy for audits of small entities must not be a complex
or time-consuming procedure; this depends on the size of the entity, the complexity
of the audit, and the size of the audit team (ISA 300.A11).
Furthermore, the nature, scope and timing of direction and supervision of the
members of the audit team, as well as the review of their work, must be planned
(ISA 300.11). This is ultimately influenced by the size of the audit team. For small
entities the entire audit can be conducted by a very small audit team or even by the
engagement partner alone. The coordination and communication within the audit
team is influenced accordingly by the size of the audit team (ISA 300.A11).
Facilitated planning requirements for one-person audits
If an audit is carried out completely by the engagement partner, considerations on
direction and supervision of the audit team as well as reviewing their work is not
required. In such cases, the engagement partner will be aware of all key issues.
There may be situations, however, that require the auditor to consult the
professional opinion of a third party in cases involving particularly complex or
unusual issues (ISA 300.A15).
Initial or follow-on audit
Within the process of audit planning for subsequent audits, the auditor can, on the
one hand, also use knowledge and information about the entity from previous years,
and on the other hand, for SMEs can refer back to working papers from previous
years that are being updated within the process of the current audit.
22
6.4 Audit Procedures to Obtain Audit Evidence on Audit Objectives
6.4.1 Fundamentals of Obtaining Audit Evidence
The following chart represents an overview of the various types of audit procedures and
activities according to the ISA (cf. IDW PS 300, Item 14):
Fundamental remarks on audit procedures are contained in ISA 315 – Identifying and
Assessing the Risks of Material Misstatement through Understanding the Entity and Its
Environment and ISA 330 – The Auditor's Responses to Assessed Risks (for both
standards, see the remarks above under section VI.1 – Risk-Based Audit Approach),
ISA 520 – Analytical Procedures and ISA 530 – Audit Sampling.
Basic requirements for audit evidence are found in ISA 500 – Audit Evidence.
In addition, there is a series of additional standards that deal with special audit fields or
types of audit evidence, e.g.:
ISA 501 – Audit Evidence – Specific Considerations for Selected Items
ISA 505 – External Confirmations
ISA 540 – Auditing Accounting Estimates, Including Fair Value Accounting
Estimates, and Related Disclosures
ISA 550 – Related Parties
ISA 560 – Subsequent Events
ISA 570 – Going Concern
ISA 580 – Written Representations
Test of Controls Substantive Audit
Procedures
Test of Details
23
The predominant rule applies that, during the course of an audit of a particular audit
field, the ISA do not prescribe for the auditor any specific audit procedures or activities
or the seeking out of a particular type of audit evidence. On the contrary, it is the
auditor's due consideration to design and perform audit procedures to obtain sufficient
appropriate audit evidence to be able to draw reasonable conclusions on which to base
the auditor’s opinion (ISA 500.1).
In some cases however, the ISA prescribe specific audit procedures and activities, or
require obtaining specific audit evidence, such as, (but not limited to):
the mandatory attendance at physical inventory counting, to the extent that
inventories are material to the financial statements and that attendance is practical
(ISA 501.4),
inquiry of management, reviewing minutes of meetings of those charged with
governance and correspondence between the company and its external legal
counsel, and reviewing legal expense accounts to determine any litigation and
claims (ISA 501.9),
mandatory performance of analytical audit procedures near the end of the audit that
assist the auditor when forming an overall conclusion as to whether the financial
statements are consistent with the auditor’s understanding of the entity (ISA 520.6),
specific audit procedures for risk assessment with respect to accounting estimates
(incl. ISA 540.8, .12 et seq.),
specific audit procedures for risk assessment with respect to related parties
(ISA 550.12, et seq.),
specific audit procedures in case events or conditions have been identified that may
cast significant doubt on the entity’s ability to continue as a going concern
(ISA 570.16),
the request for management to provide a written representation that it has fulfilled
its responsibility for the preparation of the financial statements as well as for other
specific assertions (ISA 580.10 and 580.13).
Audit evidence is to be sufficient and appropriate (ISA 500.6). “Sufficient” refers to the
required quantity of audit evidence. As a rule, the quantity of the audit evidence needed
is affected not only by the auditor’s assessment of the risks of material misstatement
but also by the quality of such audit evidence (ISA 500.5(e)). Audit evidence is
“appropriate” if it is relevant and reliable in providing support for the conclusions on
which the auditor’s opinion is based.
24
According to ISA 315.A110, in representing that the financial statements are in
accordance with the applicable financial reporting framework, management implicitly or
explicitly makes assertions regarding the recognition, measurement, presentation and
disclosure of the various elements of financial statements along with the related
disclosures. This covers the objectives of the audit of financial statements. In order to
implement these objectives on the assertion level, the audit evidence gained by means
of the audit must enable the assessment of the following assertions about the financial
statements:
Completeness (of assets, liabilities, expenses and revenues)
Existence ( of certain assets and liabilities)
Accuracy (correct recording of amounts in the accurate accounting period)
Valuation (of the stated assets, liabilities)
Ownership (allocation of asset, liabilities to the beneficial owner)
Presentation (correct presentation in the financial statements)
6.4.2 Scaling Aspects within the Process of Audit Procedures for Obtaining Audit Evidence
Possible scaling aspects are illustrated below.
Financial statements audited according to ISA does not require “absolute
assurance”
According to ISA 200.5, the auditor is required to obtain reasonable assurance
about whether the financial statements as a whole are free from material
misstatement. However, reasonable assurance is “a high level of assurance” – but
not an absolute (i.e. 100%) assurance.
A risk-based audit approach can reduce the scope of subsequent audit activities
The risk assessment to be performed on the basis of the risk-based audit approach
determines the nature, timing and scope of subsequent audit procedures. Low-risk
audit areas consequently are audited with less intensity. As a rule, this also applies
to the special audit fields regulated in separate standards:
o Accounting estimates: Depending upon the risk assessment with respect to
accounting estimates, ISA 540 specifies the scope of additional audit activities
for the auditor (ISA 540.8, 10 seq., 12 et seq., 15 et seq.).
25
o Related parties: The nature, timing and scope of the further audit procedures
that the auditor may choose in response to the assessed risks of material
misstatement associated with related party relationships and transactions
depend upon the nature of those risks and the circumstances of the entity
(550.A31).
o Subsequent events (events after the balance sheet date): Depending on the
auditor’s risk assessment, the audit procedures required may include
procedures such as the review or testing of accounting records or transactions
occurring between the date of the financial statements and the date of the audit
opinion (560.A6).
o Going Concern: The existence of events or conditions that may cast significant
doubt on the entity’s ability to continue as a going concern affect the nature,
timing and scope of the auditor’s further audit procedures in response to the
assessed risks (ISA 570.A6).
As a rule, the auditor is to obtain more persuasive audit evidence, the higher the
auditor’s assessment of risk (ISA 330.7(b)). In doing so, the auditor may increase
the quantity of the evidence or obtain evidence that is more relevant or reliable
(e.g., ISA 330.A19).
Use of audit evidence from previous audits
Audit evidence is primarily obtained from audit procedures performed during the
course of the audit. Audit evidence from previous audits of financial statements may
also be used, however, provided the auditor has determined whether changes have
occurred since the previous audit that may affect its relevance to the current audit
(ISA 500.A1).
Special considerations for the testing of accounting estimates of SMEs
In SMEs the process for making accounting estimates is likely to be less structured
than in larger entities. SMEs may not have extensive descriptions of accounting
procedures, sophisticated accounting records, or written policies. Even if the entity
has no formal established process, it does not mean that management of the SME
is not able to provide a basis upon which the auditor can test accounting estimates
(ISA 540.A70).
Controls over the process to make an accounting estimate may exist in SMEs, but
the formality with which they operate varies. Furthermore, smaller entities may
determine that certain types of controls are not necessary due to active
management involvement in the financial reporting process.
26
In the case of very small entities with only a few controls, however, the auditor’s
response to the assessed risks is likely to be primarily substantive audit procedures
(ISA 540.A86).
Special considerations for the testing of a going concern for SMEs
In many cases, the management of an SME may not have prepared a detailed
assessment of the entity’s ability to continue as a going concern, but instead may
rely on in-depth knowledge of the business and anticipated future prospects.
Nevertheless, the auditor needs to evaluate management’s assessment of the
entity’s ability to continue as a going concern.
In addition to considering the one-year planning cycle, for SMEs it may be
appropriate to discuss the medium and long-term financing of the entity with
management, provided that management’s assertions can be backed up by
sufficient documentary evidence and are not inconsistent with the auditor’s
understanding of the entity (ISA 570.A11).
The ongoing support by owner-managers is frequently vital to the ability of an SME
to continue as a going concern (e.g., financing by means of a (subordinated) loan
by the owner-manager or the assumption of a bank guarantee).
In such cases the auditor may obtain appropriate evidence, backed up by
documents, concerning the subordination of the loan or the guarantee. Where an
SME is dependent on additional support from the owner-manager, the auditor may
evaluate the owner-manager’s ability to meet the obligation under the support
arrangement. In addition, the auditor may request written confirmation of the terms
associated with such support and the owner-manager’s intent (ISA 570.A12).
6.5 Documentation
6.5.1 Fundamentals of Documentation
The documentation requirements are essentially specified in ISA 230 – Audit
documentation. Further auditing standards may contain additional requirements for
audit documentation. The appendix of ISA 230 provides an overview of these additional
auditing standards.
Audit documentation (“working papers”) is defined as the record of audit procedures
performed, relevant audit evidence obtained, and conclusions reached by the auditor
(ISA 230.6(a)). The objective of the documentation is to obtain a sufficient and
appropriate record of the basis for the auditor’s report and evidence that the audit was
27
planned and performed in accordance with the International Standards on Auditing and
the applicable legal (e.g. § 51b WPO) and other regulatory requirements (ISA 230.5).
6.5.2 Scaling Aspects within the Process of Documentation
Possible scaling aspects are illustrated below.
Reference criterion: Range of experience of an experienced auditor having no
previous connection with the audit
Concerning the nature, timing and scope, ISA 230.8 provides that audit
documentation is to be prepared so that it is sufficient to enable an experienced
auditor having no previous connection with the audit to understand the following:
(a) nature, timing and scope of audit procedures;
(b) the results of the audit procedures performed and the audit evidence obtained;
(c) significant matters arising during the audit, the conclusions reached thereon,
and significant professional judgments made in association with these
conclusions.
Focusing on relevant issues
Furthermore, ISA 230.A2 specifies that the form, content and scope of audit
documentation depend on factors such as size and complexity of the entity, the
identified risks of material misstatement and the audit procedures performed and
audit tools used. Moreover, it is neither practicable nor necessary during an audit to
document every matter considered or professional judgment made (ISA 230.A7).
For tests of receipts, no copies of the reviewed receipts need to be added to the
files. Original receipts must only be identifiable based on the identifying
characteristics (ISA 230.A12). In addition, the auditor must not separately document
consistency with issues separately if they have already have been proven through
the documents contained in the audit file.
Significant issues arising during the audit are to be documented however (see
above ISA 230.8 (c)). The assessment of the significance of an issue requires in
this an analysis of the given facts and circumstances. Significant matters according
to ISA 230.A8, for example, are matters that give rise to significant risks, results of
audit procedures indicating that the financial statements could be materially
misstated or that there is a need to revise the auditor’s previous risk assessment,
circumstances that cause the auditor significant difficulty in applying necessary
audit procedures as well as findings that could result in a modification to the audit
opinion, or the inclusion of a paragraph to emphasize an issue in the auditor’s
28
report. A key factor in determining the form, content and scope of audit
documentation about significant issues is the degree of professional judgment
exercised within the process of carrying out the activity and the evaluation of the
findings.
Summarizing Documents
For the auditing of companies that, due to their size, complexity and risk are defined
by the ISA as “smaller entities,” the documentation for the audit is generally less
extensive than that for the audit of a “larger entity” (ISA 230.A16).
Thus it may not be necessary to document the entirety of the auditor’s
understanding of the entity and matters related to it (ISA 315.A132). It is also
conceivable that a memorandum prepared at the completion of the previous audit,
based on a review of the working papers and updated for the current audit, can
serve as the documented audit strategy (ISA 300.A11).
In addition, it may be useful to record various aspects of the audit together in a
single document, with cross-references to supporting working papers. ISA 230.A17
specifies in this context the understanding of the entity and the entity’s internal
control, the overall audit strategy and audit plan, the materiality determined,
assessed risks, significant issues noted during the audit, and conclusions reached.
Special considerations for one-person audits
If the entire audit work is performed only by the engagement partner, no issues
need to be documented that are only required to inform or instruct members of an
audit team, or to provide evidence of a review by other members of the team (ISA
230.A16).
Oral explanations
Oral explanations may be used to explain or clarify information contained in the
audit documentation (ISA 230.A5). Oral explanations by the auditor, by their own,
do not adequately fulfill the documentation requirements for the procedures carried
out or the conclusions reached by the auditor.
Special considerations in documenting the entity’s internal control
The form and extent of audit documentation is a matter of professional judgment
and is influenced by the nature, size and complexity of the entity and its internal
control, by the availability of information from the entity as well as by the audit
procedures performed as part of the audit (ISA 315.A131, 330.A63).
29
For entities that have uncomplicated business and processes relevant to financial
reporting, the documentation may be simple in form and relatively brief. In these
cases, the auditor’s understanding of the entity and the related issues must not
necessarily be fully documented. Key elements of the auditor’s basic understanding
to be documented definitely include those on which the auditor based the
assessment of the risks of material misstatement (ISA 315.A132).
The extent of documentation may also reflect the experience and capabilities of the
members of the audit team. If an audit team consists of experienced individuals, a
less detailed documentation may be adequate, as these individuals will be able to
gain a reasonable understanding of the entity more easily than less experienced
individuals (ISA 315.A133).
For recurring audits, certain parts of the documentation may be carried forward,
updated as necessary to reflect changes in the entity’s business or processes (ISA
315.A134).
No duty to sign each individual working paper
According to ISA 230.9 it must be identifiable from the documentation from whom,
when and to what extent the audit documentation was reviewed. This does not
mean, however, that each individual working paper must be signed (ISA 230.A13).
7. Closing Remarks
The Management Board of the WPK is publishing this guideline with the aim of
demonstrating to members of the auditing profession the opportunities and limits that
size, complexity and risk of the audit subject can have on the performance and
documentation of audits. These so-called “SME audits” lead to auditor opinions which
are equal in quality compared to non-SME audits. The statement, “an audit is an audit”
is to be understood in this context as “an audit opinion is an audit opinion.”
The instruction is intended to help mitigate some of the existing deficiencies in the
transposition of the SME instructions of the ISA into German auditing standards. The
Management Board of WPK hopes to have cleared up existing uncertainties and
sources of error in the performance of audits.
This also does not release the members of the auditing profession from their duty to
carefully study the ISA and gain a reasonable understanding of the ISA provisions. In
case of conflict, the ISA standards shall take legal precedence over the remarks in this
instruction.
30
This instruction does not make any claim of completeness. It is based on the ISA
effective 31 December 2011 and will be revised as required. The professional
associations and other auditing service providers are called upon to provide useful
advice to the auditing profession on the basis of this instruction for the implementation
in auditing practice.
---
31
Appendix – Comparison of IDW PS and IFAC ISA
IDW Auditing Standards (PS) International Standards on Auditing (ISA)
PS 200 Objectives and General Principles for the Conduct of Audits of Financial Statements
ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing PS 201 Accounting and Auditing Principles for the Audit of Financial Statements
PS 202 The Assessment of Additional Information Published by Entities Together with the Financial Statements
ISA 720 The Auditor’s Responsibilities Relating to Other Information in Documents Containing Audited Financial Statements
PS 203 Events after the Balance Sheet Date ISA 560 Subsequent Events
PS 205 Audit of Opening Balance Sheet Figures as Part of First-Time Audits ISA 510 Initial Audit Engagements – Opening Balances
PS 208 Performance of Group Audits /
PS 210 Detecting Irregularities in an Audit of Financial Statements
ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements
PS 220 Engagement of Financial Statement Auditors ISA 210 Agreeing the Terms of Audit Engagements
PS 230 Understanding of the Business Activities and the Economic and Legal Environment of the Enterprise to be Audited for a Financial Statement Audit
ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment
PS 240 Principles for Planning Audits of Financial Statements ISA 300 Planning an Audit of Financial Statements
PS 250 Materiality in the Audit of Financial Statements ISA 320 Materiality in Planning and Performing an Audit
PS 255 Related Party Relationships in Audits of Financial Statements ISA 550 Related Parties
32
IDW Auditing Standards (PS) International Standards on Auditing (ISA)
PS 261 Identification and Assessment of Risks of Material Misstatement and the Reaction of the Auditor of Financial Statements to the Assessed Risks of Material Misstatement
ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management
ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment
ISA 330 The Auditor’s Responses to Assessed Risks
PS 270 The Assessment of Going concern in the Audit of Financial Statements ISA 570 Going Concern
PS 300 Audit Evidence in the Audit of Financial Statements ISA 500 Audit Evidence
ISA 501 Audit Evidence – Specific Considerations for Selected Items PS 301 Inventory Audit
PS 302 External Confirmations ISA 505 External Confirmations
PS 303 Management Representations to the Auditor ISA 580 Written Representations
PS 312 Analytical Audit Procedures ISA 520 Analytical Procedures
PS 314 The Audit of Estimated Values in the Accounting incl. Fair Values ISA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures
PS 318 Audit of Comparative Disclosures About Prior Years ISA 710 Comparative Information – Corresponding Figures and Comparative Financial Statements
PS 320 Using the Work of Another External Auditor ISA 600 Special Considerations – Audits of Group Financial Statements (Including the Work of Component Auditors)
33
IDW Auditing Standards (PS) International Standards on Auditing (ISA)
PS 321 Internal Audit and Audits of Financial Statements ISA 610 Using the Work of Internal Auditors
PS 322 Using the Work of Experts ISA 620 Using the Work of an Auditor’s Expert
PS 330 The Audit of Financial Statements by Application of Information Technology
/
PS 331 Audits of Entities Using Service Organizations for Accounting Functions ISA 402 Audit Considerations Relating to an Entity Using a Service Organization
PS 340 The Audit of the Early Risk Recognition System Pursuant to § 317 Section 4 HGB
/
PS 345 Effects of the German Corporate Governance Code on Audits /
PS 350 Audit of the Management Report /
PS 400 Principles for the Issuance of Auditors’ Reports for the Audits of Financial Statements
ISA 700 Forming an Opinion and Reporting on Financial Statements
ISA 705 Modifications to the Opinion in the Independent Auditor’s Report
ISA 706 Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report
PS 450 Principles for the Issuance of Long-form Audit Reports for the Audits of Financial Statements
ISA 260 Communication with Those Charged with Governance
PS 460 The Auditor’s Working Papers ISA 230 Audit Documentation
PS 470 Principles for the Auditor’s Oral Report to the Supervisory Board ISA 260 Communication with Those Charged with Governance
HFA 1/88 Application of Audit Sampling Methods for an Audit of Financial Statements
ISA 530 Audit Sampling
VO 1/2006
Requirements of Quality Assurance in Auditor Practice ISA 220 Quality Control for an Audit of Financial Statements (as well as ISQC 1)
/ ISA 450 Evaluation of Misstatements Identified during the Audit
34
IDW Auditing Standards (PS) International Standards on Auditing (ISA)
/ ISA 800 Special Considerations – Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks
/ ISA 805 Special Considerations – Audits of Single Financial Statements and Specific Elements, Accounts or Items of a Financial Statement
/ ISA 810 Engagements to Report on Summary Financial Statements
---