wirtschaftsprüferkammer - …...2. subject of the proportionate performance of an audit and of this...

1

The Board of Directors of the Wirtschaftsprüferkammer: Consideration on the Proportionate (Scaled) Performance of an Audit on the Basis of the ISA Table of Contents

1. Basic Principles and Objectives of the Guidelines .......................................................... 2

2. Subject of the Proportionate Performance of an Audit and of this Guideline, Limits to its Application ...................................................................................................................... 3

3. Understanding of Proportionate (scaled) Performance of an Audit ................................. 4

4. Fundamental Aspects of a Proportionate (Scaled) Performance of an Audit .................. 5

5. Scope of Application for a Proportionate Performance of an Audit ................................. 7

6. Aspects of Proportionate Performance of an Audit in the Framework of the Risk-Based Audit Approach ............................................................................................................... 9

6.1 Illustration of the Risk-Based Audit Approach .................................................................. 9 6.1.1 Fundamentals of the Risk-based Audit Approach .................................................. 9

6.1.2 Scaling Aspects within the Process of the Risk-Based Audit Approach .............. 14

6.2 Materiality ...................................................................................................................... 19

6.2.1 Fundamentals of Materiality ................................................................................. 19

6.2.2 Scaling Aspects within the Framework of Materiality ........................................... 20

6.3 Audit Planning ............................................................................................................... 20

6.3.1 Fundamentals of Audit Planning .......................................................................... 20

6.3.2 Scaling Aspects within the Process of Audit Planning ......................................... 21

6.4 Audit Procedures to Obtain Audit Evidence on Audit Objectives .................................. 22

6.4.1 Fundamentals of Obtaining Audit Evidence ......................................................... 22

6.4.2 Scaling Aspects within the Process of Audit Procedures for Obtaining Audit Evidence .............................................................................................................. 24

6.5 Documentation .............................................................................................................. 26

6.5.1 Fundamentals of Documentation ......................................................................... 26

6.5.2 Scaling Aspects within the Process of Documentation ........................................ 27

7. Closing Remarks ........................................................................................................... 29

Appendix – Comparison of IDW PS and IFAC ISA ................................................................ 31

---------------------------------------------------------------------------------------------------------------------------

This publication includes extracts from the International Standards on Auditing (ISAs) of the International Auditing and Assurance Standards Board (IAASB), published by the International Federation of Accountants (IFAC) in April 2010 and used with permission of IFAC. IFAC assumes no responsibility for the accuracy and completeness of the extracts from the ISAs.

----------------------------------------------------------------------------------------------------------------------------------------

2

1. Basic Principles and Objectives of the Guidelines

This guideline aims to provide advice and suggestions for a scaled approach to auditing

with consistent quality of audits and thereby facilitate the introduction into the

International Standards on Auditing (ISA). It does not, however, constitute a

comprehensive guide to performing audits.

The rationale for preparing this guideline stems from the uncertainty that could be

observed among members of the auditing profession with regard to the requirements of

existing statements by national and international associations – generally considered

useful and helpful – with respect to the audit of small and medium-sized companies

(SMEs). The ISA implicitly follow the paradigm of auditing large, publicly listed

companies, yet at the same time claim to be universally applicable standards.

Since the legislature has codified the mandatory use of the ISA as part of the German

Accounting Law Modernization Act (BilMoG) in § 317 paragraph 5 of the German

Commercial Code (HGB) and its acceptance by the EU Commission is expected in the

medium term, the considerations presented below deal with the performance of audits in

application of the ISA. Article 26 of the currently present proposal of the EU Commission

to amend the Statutory Audit Directive mandates statutory audits of all companies to be

carried out in accordance with international standards. It should be noted, however, that

the application of the ISA is subject to the principle of the auditor's own responsibility.

From the perspective of the WPK, it is possible to transfer explanations in this guideline

for an audit using the IDW auditing standards as the international auditing standards

have been transitioned into the IDW standards. Moreover, the auditing standards of the

IDW point out special German considerations deriving from legal statutes.

This guideline by the Board of Directors of the Wirtschaftsprüferkammer, with the support

of its "Accounting and Auditing" committee, reflects the considerations of the WPK on

taking into account size, complexity and risk of the audit subject within the process of

performing an audit (so-called scaled performance of audits) and is designed to primarily

support the members of the auditing profession in carrying out audits of financial

statements in accordance with §§ 316 et seq. German Commercial Code (HGB). The

basic idea of scaled performance of audits can equally be applied to other audits as

defined by § 2 Section 1 WPO (e.g., audits according to § 16 Real Estate Agents and

Commercial Contractors Act (MaBV), audits according to ISA 800, ISA 805, ISA 810).1

It should be noted that the EU Commission in Article 43a of the Amending Directive on

Statutory Audits, requires scalability of the international auditing standards. The

1 For purposes of harmonization, the terms "auditor" and "audit" are used below.

3

Professional Code contains a corresponding provision in § 24b paragraph 1 Professional

Charter for Wirtschaftsprüfer/vereidigte Buchprüfer - BS WP/vBP.

For additional guidance a comparison of the ISA with the corresponding IDW Auditing

Standards is attached.

2. Subject of the Proportionate Performance of an Audit and of this Guideline, Limits to its Application2

The proportionate performance of an audit has two areas of application:

1. The provision of an adequate System of Quality Control is to be commensurate with

the size of the company audited, the special circumstances of the client structure

(e.g., §319a German Commercial Code engagements), the span of control of the

auditors, and their physical presence during audits.

2. The completion of audit engagements [engagement acceptance, performance of the

audit and reporting (long form report, audit report)].

Re: 1. The scaling of the System of Quality Control is not the subject of this guideline.

Reference is made to Regulation 1/2006 and the corresponding guideline of the

Commission for Quality Assurance for auditing a System of Quality Control with

particular reference to small practices.

Re: 2. This guideline is limited to the area of the performance of an audit. Engagement

acceptance and reporting are not the subject of this WPK guideline.

This guideline is intended to provide practical ideas and recommendations on the

proportionate (scaled) performance of an audit and is expressly to be construed merely

as a guide. This guideline does not represent a comprehensive manual for performing

audits. It does not release the members of the auditing profession from carrying out

audits according to their professional judgment in individual circumstances. Moreover,

this guideline does not make any claim of completeness. The ISA standards may contain

further approaches for a scaling of audits that are perhaps not described below.

This guideline also does not release the members of the auditing profession from their

duty to carefully study the ISA and gain a reasonable understanding of the ISA

provisions. In case of conflict, the ISA standards shall take legal precedence over the

remarks in this guideline – taking into account the auditor's own responsibility.

2 For scaling aspects with respect to auditing practice, cf. Regulation 1/2006 as well as ISA 220.

4

The following principles – also under application of the ISA – are to be considered

indispensable elements in performing audits:

risk-based audit approach

determination of materiality levels

substantive, personnel and schedule considerations of audit planning

audit procedures for obtaining sufficient appropriate audit evidence

documentation.

3. Understanding of Proportionate (scaled) Performance of an Audit

Under the proportionate performance of an audit, the nature, scope and documentation

shall be determined as a function of the size, complexity and risk of the subject of the

audit. The audit quality as well as reliability of the audit opinion, however, must be

uniform for all audits of financial statements.

This means that with a uniform objective for all audits of financial statements, the path to

achieving an objective may vary depending upon the size, complexity, and risk of the

subject of the audit. This path to achieving the objective, i.e., definition and

implementation of the nature, scope and documentation of the audit performance, is to be

decided according to the professional judgment of the member of the auditing profession,

within the scope of his own responsibility. The proportionate performance of an audit is

not a new concept being introduced for the first time by the ISA. The scalability can also

be derived from the IDW auditing standards (e.g., IDW PS 200 Item 18 et seq., IDW PS

240 Item 12, IDW PS 261 Item 74 et seq.).

Nature and scope of the performance of an audit is based in particular on the

determination of materiality, the specification of the nature and number of audit activities,

the volume of the audit evidence as well as the definition of control sampling and random

sampling method.

Complexity and risk primarily relate to the risk of a material misstatement in the financial

statements being audited, whereby this risk derives naturally from the risk of the entity’s

business, the complexity of the entity’s operations, and the nature of accounting at the

entity. This WPK guideline, in this regard, is based on the risk-based audit approach of

ISA 315 and 330.

The audit subject refers to the audit engagement as a whole and to individual audit fields.

Thus, there is a distinction between engagement-related (financial statement level) and

audit field-related (assertion level) risks.

5

4. Fundamental Aspects of a Proportionate (Scaled) Performance of an Audit

The scaling of the performance of an audit is expressed in the following guidelines,

whereby focus is on letters c. and d.:

a. decision on the non-applicability of an ISA standard,

b. decision on the non-applicability of specific detailed requirement of an ISA standard,

c. implementation of generally held ("scalable") requirements in the ISA standard,

d. guidelines of specific Application and Other Explanatory Material in the ISA standards

("special considerations for smaller entities").

Re: a. ISA 200.18 in connection with 200.19 requires the auditor to comply with all

auditing standards relevant to the audit. If the issues raised in a standard do not

exist, the relevance of the particular ISA standard is to be negated and therefore

the standard in its entirety does not apply (ISA 200.22).

Prior to beginning the audit, it is helpful to assess the relevance of the following

auditing standards:

ISA 402 – Audit Considerations Relating to an Entity Using a Service

Organization

ISA 510 – Initial Audit Engagements – Opening Balances

ISA 600 – Special Considerations – Audits of Group Financial Statements

(Including the Work of Component Auditors)

ISA 610 – Using the Work of Internal Auditors (“Internal Audit”)

ISA 620 – Using the Work of an Auditor’s Expert

Re: b. Pursuant to ISA 200.22 the auditor shall comply with each requirement of a

relevant ISA standard as defined in a., unless the requirement is not relevant

because it is conditional and the condition does not exist (e.g., certain

requirements for granting a qualified audit opinion do not apply when granting an

unqualified audit opinion). During the process of the audit of companies, there

may be facilitation due to the permissible non-application of conditional individual

rules.

In addition, the ISA comprise so-called “Application and Other Explanatory

Material”. These “application information” do not constitute any independent

6

additional requirements for the auditor. According to IFAC, they are, however, of

significance for the correct application of ISA requirements.3

Re: c. The ISA contain a variety of statements on the performance of an audit, in which

the scalability of auditing standards is expressed in general terms, for example:

ISA 230 – Audit Documentation (Item A2): form, content and extent of audit

documentation depend on factors such as: size and complexity of the entity,…

ISA 300 – Planning an Audit of Financial Statements (Item A1): nature and extent

of planning activities will vary according to the size and complexity of the entity…

ISA 500 – Audit Evidence (Item 6): The auditor shall design and perform audit

procedures that are appropriate in the circumstances for the purpose of obtaining

sufficient appropriate audit evidence.

In particular, phrases in the standards like “appropriate”, "adequate" “adequate to

the circumstances” or “sufficient” emphasize the scalability of the provisions. In

these cases, the auditor is to determine in its professional judgment the nature

and scope of each activity, i.e., make a decision as to the degree of scalability. In

addition, many requirements in the ISA are expressed in general terms, without

concrete conditions as to the type and manner in which they should be fulfilled. In

these cases, it is up to the discretion of the auditor to determine the specific

measures to fulfill the ISA requirements. The remarks under 6, “Aspects of

Proportionate Performance of an Audit in the Framework of a Risk-based Audit

Approach” are intended to provide additional assistance on this aspect.

Re: d. Individual ISA contain “Considerations Specific to Smaller Entities” in various

places within the “application information”. IFAC thus provides members of the

auditing profession with special hints and guidelines on the audit of smaller

companies. A summary prepared by the WPK of the “Considerations Specific to

Smaller Entities” contained in the ISA can be downloaded on the homepage of the

WPK at www.wkp.de/aktuell/skalierung.asp.

In this context it should be noted that the additional application of further regulations

depending upon the specifics of the audit engagement based on the regulations always

to be observed in the ISA leads to the same result ("scaling up").

It should also be noted, however, that a proportionate performance of an audit does not

mean ignoring essential ISA provisions based on the argument that they are "too

3 cf. IFAC: Guide to Using ISAs in the Audit of Small- and Medium-Sized Entities, Volume 1; p. 14; 3rd Edition, 2011

7

laborious" for the company subject to the audit. Scaling is therefore only possible in the

above-mentioned cases and only in a reasonable proportion based on the circumstances

of the individual case (size, complexity, risk). In particular, the provision in ISA 200.23 (“In

exceptional circumstances, the auditor may judge it necessary to depart from a relevant

requirement in the ISA.”) is not to be understood as a general standard for scaling.

5. Scope of Application for a Proportionate Performance of an Audit

The considerations concerning a proportionate performance of an audit may basically be

applied to any audit of financial statements – for example, independent of the legal form

or size of the subject of the audit – and are thus not restricted to the audit of SMEs. Given

equal audit quality and dependability of the audit opinion, the nature, scope, and

documentation of the audit are determined in relationship to the size, complexity and risk

of audit subject. The difference ultimately is the degree of scalability of ISA requirements.

The size of an entity as a quantitative characteristic alone cannot be the decisive

criterion for determining the degree of scalability of the audit performance. The

qualitative aspects of complexity and risk of the audit subject are to be weighed

more heavily. In case of doubt, the risk criteria should be weighed most heavily.

Complexity is primarily understood to be how complicated the accounting issues

are (as derived from the complexity of the business activity).4

Risk is understood to be the possibility of a material misstatement in the financial

statements being audited. Among other things, this is in turn derived from the risk

of the entity’s business, the complexity of the entity’s operations, and the nature of

the entity’s accounts. The auditor is to use his professional judgment in assessing

the aspects of size, complexity and risk, and weighing the facts to deduce the

degree of scalability of the audit.

The above aspects are also considered in the ISA themselves. Thus the international

auditing standards in ISA 200.A64 contain the following definition for so-called “smaller

entities”:

“For purposes of specifying additional considerations to audits of smaller entities, a

‘smaller entity’ refers to an entity which typically possesses qualitative characteristics

such as

4 The complexity of non-balance sheet issues is also to be considered here.

8

(a) Concentration of ownership and management in a small number of individuals (often

a single individual – either a natural person or another enterprise that owns the entity,

provided the owner exhibits the relevant qualitative characteristics); and

(b) One or more of the following:

(i) straightforward or not complicated transactions;

(ii) simple record keeping;

(iii) few lines of business and few products within business lines;

(iv) few internal controls;

(v) few levels of management with responsibility for a broad range of controls; or

(vi) few personnel, many who have a wide range of duties.

These qualitative characteristics are not exhaustive, nor are they exclusive to smaller

entities, and smaller entities do not necessarily exhibit all of these characteristics.”

From our understanding, the criteria listed above as examples represent possible

circumstances for the scaling requirements of “complexity” and “risk.” “Smaller entities,”

as defined by ISA 200.A64, are companies of a small size, low complexity, and/or a low

risk and therefore a high degree of scalability (these are referred to below as SMEs).

Other possible indicators for the existence of an SME could include (cf. IDW PH 9.100.1,

Item 3):

decisions relevant to the company lie predominantly in the area of authority of the

owner or owners,

no dependency upon a parent company,

strong influence of typical regional and industry-specific factors,

straightforward accounting,

only few assigned employees in the accounting department have accounting-related

information,

company-specific knowledge is primarily restricted to only a few persons.

The decision as to the extent in which proportionate performance of the audit is justified

by the facts is up to the responsible auditor as defined by § 24a Professional Charter

WP/vBP. The relevant factors for this decision are to be considered in their entirety.

9

6. Aspects of Proportionate Performance of an Audit in the Framework of the Risk-Based Audit Approach

6.1 Illustration of the Risk-Based Audit Approach

6.1.1 Fundamentals of the Risk-based Audit Approach

The international auditing standards codify the risk-based audit approach in ISA 315 –

Identifying and Assessing the Risks of Material Misstatement through Understanding the

Entity and Its Environment – and ISA 330 – The Auditor’s Responses to Assessed Risks.

ISA 315.1, in connection with ISA 315.3, requires the auditor to identify and assess the

risks of material misstatement in the financial statements through understanding of the

entity and its environment, including the entity’s internal control in order to create the

basis for designing and implementing responses to the assessed risks. Additionally, ISA

330.1, in connection with ISA 330.3, codifies the responsibility of the auditor to design

and implement responses to the risks of material misstatement identified and assessed

by the auditor in order to obtain sufficient appropriate audit evidence regarding the

assessed risks of material misstatement.

The design of the risk-based audit approach can be accounting-based, function-based or

process-based.

With an accounting-based approach, the audit fields are determined essentially based

on the accounting issues or the balance sheet items in the financial statements.

With a function-based approach, the audit field determination is made in alignment

with the operational functions of the company (e.g., purchasing, production, sales).

With a process-based approach, the audit field determination is made on the basis of

material company processes (e.g., procurement process, from needs assessment to

goods payment; sales process, from posting of orders to posting of payments).

When deciding on how to structure the risk-based audit approach, organizational

structures and processes of the company being audited are taken into consideration.

In simple terms, the risk-based audit approach can be divided into the following three

phases:

Phase 1: Risk Identification (determination of risks of material misstatement by

understanding the entity and its environment as well as including the entity’s internal

control)

Understanding the entity and its environment is particularly used to determine inherent

risks and at the company level includes such criteria as organization, financing,

10

investment plans, business objectives and strategies, key performance indicators,

competence and integrity of management and the employee, the nature, scope and

special considerations of company activity and company development. At the assertion

level (audit field level) significant aspects include, for example, the susceptibility to errors

of items in the financial statements, the complexity of the business transactions, the risk

of fraud, and the latitude for discretion in recognition and measurement.

Understanding the entity’s internal control serves as a basis for determining the control

risk. The auditor is first of all to become convinced of the structure (i.e., the adequacy and

implementation) of the entity’s internal control. The focus of the auditor in this test of

design lies on the accounting-related internal control of the entity, i.e., the controls

relevant to the audit of financial statements. For this, the auditor is to gain understanding

for all of the following entity’s internal control components (ISA 315.14 - .22):

Control environment

According to ISA 315.A69 the control environment includes the governance and

management functions as well as the attitudes, awareness and actions of those

charged with governance and management concerning the entity’s internal control

and its importance in the entity. Further, the control environment sets the tone of the

organization by influencing the control consciousness of its employees. Elements of

the control environment include inter alia communication and enforcement of integrity

and ethical values, management’s philosophy and operating style of the

management, and organizational structure.

Risk-assessment process

The risk-assessment process constitutes the basis for the determination of risks to

which management must react. In particular, this includes the identification of

business risks, the estimation of the significance of risks, the assessment of their

likelihood to occur and the decision about actions to address those risks (ISA.

315.15).

Financial reporting-related information system (including the related business

processes) and communication

The information system relevant to financial reporting objectives, which includes the

accounting system, consists of the procedures and records that the company has

designed and established to (ISA 315.A81):

o initiate, record, process and report entity transactions and to maintain

accountability for the related assets, liabilities and equity;

o identify and resolve incorrect processing of transactions;

11

o process and account for system overrides or bypasses to control;

o transfer information from transaction processing systems to the general ledger;

o capture information relevant to financial reporting for events and conditions other

than transactions (e.g., depreciation of assets); and

o ensure that information required to be disclosed is accumulated, recorded,

processed, summarized and appropriately reported in the financial statements.

Communication on the one hand includes communication of financial reporting roles

and responsibilities in financial reporting, on the other hand, communication of

relevant financial reporting issues. Examples of communication are policy manuals

and financial reporting manuals (ISA 315.A86).

Control activities relevant to the audit of financial statements

Relevant control activities are those the auditor deems necessary to understand in

order to assess the risks of material misstatement at the assertion level, and to

design further audit procedures as a response to the assessed risks (ISA 315.20).

Control activities are the policies and procedures that help ensure that management

directives are carried out (e.g., authorization, performance reviews, information

processing, physical controls, separation of duties; ISA 315.A88).

Monitoring of controls

Monitoring of controls is a process by which the effectiveness of the entity’s internal

control is assessed over a period of time. This includes both one-time and ongoing

activities.

Phase 2: Risk analysis and assessment (assessment of the risks of material

misstatement and deduction of the audit strategy)

Risk identification is followed by the assessment of the effects of the risks of material

misstatement to the financial reporting according to the dimension and likelihood of

occurrence. This assessment is to be conducted on both the financial statement level and

on the assertion level for the classes of transactions, account balances and disclosures

(ISA 315.25). Based on this assessment, the auditor devises the audit strategy.

Significant identified risks (e.g., revenue recognition or non-routine transactions) require

special consideration within the process of the audit. Thus the auditor is obliged to gain

an understanding in each case for the controls relevant for these significant risks (ISA

315.27 et seq.).

12

Moreover, for some risks the auditor may judge that it is not possible or practicable to

obtain sufficient appropriate audit evidence only from substantive procedures (e.g., for

automated mass production processes). In these cases, the auditor shall obtain an

understanding of the controls relevant to these risks (ISA 315.30).

Phase 3: Audit procedures as a response to the assessed risks

In order to address the assessed risks of material misstatement, the auditor has to design

and implement responses on both the financial statement level as well as the assertion

level (ISA 330.5 and .6). Responses at the financial statement level may include, in

particular, emphasizing the need to maintain professional skepticism, assigning more

experienced staff or using experts on the audit team, incorporating unpredictable audit

procedures as well as special quality assurance measures

(ISA 330.A1).

At the assertion level, the auditor must respond reasonably by means of tests of controls

of the entity’s internal control, substantive audit procedures or both respectively. The

assessment of identified risks by the auditor on the assertion level provides a basis for

considerations of the appropriate audit approach for designing and performing further

audit procedures (ISA 330.A4). The auditor can thus specify that

Only by performing tests of controls may the auditor achieve an effective response to

the assessed risk of material misstatement for a particular assertion;

Performing only substantive audit procedures is appropriate for particular assertions,

and, therefore, the auditor excludes the effect of controls from the relevant risk

assessment;

A combined approach using both tests of controls and substantive audit procedures is

an effective approach.

Tests of controls are geared towards evaluating the operating effectiveness of controls in

preventing or detecting and correcting material misstatements at the assertion level (ISA

330.4(b)). The auditor shall design and perform tests of controls if (ISA 330.8):

the risk assessment of material misstatements at the assertion level is based on the

assumption that controls are operating effectively (i.e., the auditor intends to rely on

the operating effectiveness of controls in determining the nature, timing and scope of

substantive audit activities), or

substantive audit procedures alone cannot provide sufficient appropriate audit

evidence.

13

Irrespective of the assessed risks of material misstatement, the auditor shall design and

perform substantive procedures for each material class of transactions, account balance,

and disclosure (ISA 330.18). In this, the auditor shall consider whether external

confirmation procedures are to be performed as substantive audit procedures. The

nature, scope and timing of substantive audit procedures depend on the results of the

risk assessment. On a case-by-case basis, the auditor may decide that

the performance of substantive analytical audit procedures alone is sufficient,

tests of details by themselves are adequate, or

a combination of substantive analytical audit procedures and tests of details are the

most appropriate response to the assessed risks.

In summary, it can be said that the identification of potential risks of material

misstatement is made on the basis of the insights gained about the client, the client’s

environment and the reasonableness and implementation of its internal control (test of

design) by the auditor in Phase 1. Subsequently in Phase 2, the identified risks of

material misstatement are considered regarding their effect and likelihood of occurrence,

and the audit strategy is determined accordingly.

In Phase 3, the determination and performance of the audit program for the following

audit procedures occur on this basis as a response to the assessed risks of material

misstatement.

When used properly, the auditor can gain a high degree of audit confidence relatively

quickly by application of the risk-based audit approach. This may mean that in certain

cases after Phase 2, sufficient audit evidence may be obtained for specific audit fields (as

described earlier, substantive audit procedures are to be designed and executed also in

this case for all material classes of transactions, account balances, as well as

disclosures).

The risk-based audit approach leads to a focus on the activities of the audit risk-prone

areas of the entity, while low-risk audit areas are consequently audited with less intensity.

14

6.1.2 Scaling Aspects within the Process of the Risk-Based Audit Approach

Possible approaches for scaling aspects – while keeping the professional skepticism

unchanged – are illustrated below:

Facilitated gaining of an understanding of the entity and its environment due to a

long-lasting relationship

It can be easier for the auditor to gain an understanding of the client, its environment

and its accounting related controls, the longer he has actively been engaged as an

auditor for the client. The auditor uses professional judgment to determine the extent

of the understanding required. The depth of the overall understanding that is required

by the auditor can be less than that possessed by management in managing the

entity (ISA 315.A3).

Moreover, the auditor can use information from previous years, resulting from

previous experiences with the entity or from audit procedures from previous audits of

the financial statements. The auditor then is to determine, however, whether changes

have occurred since than that may affect its relevance to the current audit (ISA

315.9).

It is often easier to gain an understanding of the entity's internal control for smaller

companies

The structure of the entity’s internal control can indeed be very basic for smaller

companies (ISA 315.A41). Thus it is conceivable that the company has put into place

a few controls for key issues at the management level, without being able to

demonstrate that an overall system of internal controls exists. Gaining an

understanding of internal controls is possible in such a case with relatively small

effort.

Focusing on the controls relevant for financial reporting

The auditor shall only obtain an understanding of internal control relevant to the audit

(ISA 315.12) and thus only of the company's control activities that are necessary to

assess the risks of material misstatement on the assertion level and to be able to

design adequate audit procedures as a response to the assessed risks. Although

most controls relevant to the audit are likely to relate to financial reporting, not all

controls that relate to financial reporting are relevant to the audit. Furthermore, it is

not necessary to gain an understanding of all the control activities related to each

significant class of business transactions, account balances, and disclosures in

financial statements (ISA 315.20).

15

Aspects concerning the components of the entity’s internal control

In gaining an understanding of the entity’s internal control, the auditor is to be

concerned with all of the following internal control components, even if the following

sub-classification is not necessarily reflected in the structure and implementation of

the entity's internal control:

o Control environment

The attitude, awareness and actions of those charged with governance and

management which are decisive for the control environment encountered are of

special significance to the auditor's understanding of the control environment of a

smaller entity, because, for instance (ISA 315.A76):

- In small entities those charged with governance may not include an independent

or outside manager and the role of governance may be carried out directly by the

owner-manager where there are no other owners.

- Audit evidence for elements of the control environment in smaller entities may not

be available in documentary form, in particular where communication between

management and other personnel may be informal.

- The nature of the control environment may also influence the significance of other

controls, or their absence (an actively involved owner-manager can reduce or

increase the risks arising from the lack of segregation of duties within the

company).

o Risk assessment process of the entity

In a small entity, there is often no established risk assessment process. It is more

likely that management identifies risks through direct personal involvement in the

business. It is nonetheless necessary to inquire about identified risks and how they

are addressed by management (ISA 315.A80).

o Information system including related business processes, relevant to financial

reporting, as well as communication

The financial reporting-related information systems in smaller entities are likely to be

less sophisticated than in larger entities. Small entities with active management

involvement may not need extensive descriptions of accounting procedures,

sophisticated accounting records, or written policies. In these cases, the

understanding of the systems and processes of the entity may therefore be less

complicated and possibly more dependent upon inquiries then upon a review of

documentation (ISA 315.A85).

16

o Control activities

The level of formalization of control activities may differ among larger and smaller

entities. Certain types of control activities in smaller entities may in fact not be

relevant due to controls applied by management. For example, management’s sole

authority for granting credit to customers and approving significant purchases can

provide strong control over important account balances and transactions, thus

lessening or removing the need for more detailed control activities (ISA 315.A93). It

should be mentioned here, however, that an increased risk exists due to

management override.

o Monitoring of controls

Management’s monitoring of controls is often accomplished by management’s or the

owner-manager’s close involvement in operations. Through this involvement,

significant variances from expectations and inaccuracies in financial data are often

identified, leading to remedial action to the control (ISA 315.A100).

Tests of controls are not mandatory in every case

On the financial statement level as well as on assertion level, the auditor is to

respond adequately to any identified material risks by means of tests of controls and /

or substantive audit procedures.

As mentioned above, tests of controls are necessary if the auditor wants to rely on

the effectiveness of the entity’s internal control for audit assurance, or when

substantive audit procedures alone do not yield sufficient appropriate audit evidence.

Tests of controls are particularly useful for frequently recurring, automated routine

transactions, as with relatively little effort a high level of audit assurance can be

achieve, which could only have been achieved through a large number of substantive

audit procedures (or in some cases not at all).

Conversely, this means that tests of controls are not mandatory for every audit of

financial statements: If the auditor assesses the risk of material misstatements to be

low, or if existing controls are not adequate, the auditor may within the process of the

audit rely solely on substantive audit procedures, which then if necessary, would have

to be carried out in a wider scope. Another such case would be if there are not many

control activities in the company that can be identified by the auditor or the scope to

which their existence or operation have been documented by the entity may be

limited (ISA 330.A18). In such cases it can be more efficient for the auditor to mainly

carry out substantive audit procedures.

17

Focusing on superordinate controls

It may be possible that a company has implemented a variety of controls on multiple

levels along its processes (e.g., materials purchasing: requirements requisition sheet

– superior approval – maintenance of budget limits / suggested account application –

managing director approval – pre-posting of invoice – incoming goods inspection –

payment proposal list – approval of payment / entry). Often it is not necessary to carry

out a test of controls on all existing controls along the relevant process. There may be

cases where limiting the test of controls to a few identifiable “superordinate” controls

seems reasonable.

Multiple use of audit procedures

Audit procedures within the process of the test of design of controls can

simultaneously yield audit evidence as to the effectiveness of control procedures. The

auditor may thus consider it efficient to simultaneously test the operating

effectiveness of the controls, assess the design of the controls, and determine that

they have been implemented, (ISA 330.A21). Even if some audit procedures for risk

assessment are not specially designed as tests of controls, they may nonetheless

provide audit evidence about the operating effectiveness of the controls and,

consequently, serve as tests of controls (ISA 330.A22).

Moreover, the auditor may design a test of controls to be performed concurrently with

a test of details on the same transaction. The auditor may, for example, design and

evaluate a test to examine an invoice to determine whether it has been approved and

to provide substantive audit evidence of a transaction. Such a “dual-purpose test” is

designed and evaluated whereas each of the test purposes is considered separately

(ISA 330.A23).

Laborsaving measures through increased use of analytical substantive audit

procedures

Nature, scope and timing of substantive audit procedures depend on the result of the

risk assessment. In individual cases, the performance of substantive analytical audit

procedures according to the requirements of ISA 520 alone may be sufficient. For

example, where risk assessment of the auditor is based on audit evidence gained

from tests of controls. Substantive analytical audit procedures are generally more

adequate for large volumes of transactions that tend to be predictable over time (ISA

330.A44).

18

The use of results from previous years’ audits

As part of the test of controls, the auditor may consider it appropriate based on his

risk assessment to rely on audit evidence gained from previous years' audits (ISA

330.13). In such a case, the auditor, – e.g., through discussion with management –

has to obtain audit evidence about whether significant changes have been made to

the control(s) in the meantime. If changes have been made that affect the continuing

relevance of the audit evidence from the previous audit, the auditor shall test the

controls in the current audit, to the extent that he plans to rely on their effectiveness.

If no changes have been made to the controls, the auditor may consider it appropriate

to rely on the assessment of the effectiveness of these controls from previous years.

The time span between the new tests of such unchanged controls can encompass up

to three years (new test in the third year) and it is up to the auditor's own due

consideration (ISA 330.14(b)). As a general rule: the higher the risk of material

misstatements or the more one depends on the respective control, the shorter the

time interval between two tests of controls.

At the same time, the auditor shall test the controls at least once in every third audit,

and shall test some controls each audit to avoid the possibility of testing all the

controls on which the auditor intends to rely in a single audit period with no testing of

controls in the subsequent two audit periods (ISA 330.14(b)).

The auditor cannot rely on audit procedures from previous years on controls over a

risk he has determined to be a significant risk. In such cases the auditor shall test

those controls during the current audit (ISA 330.15).

Absence of documentation of the entity’s internal control on the behalf of the entity5

Absence of documentation of the entity’s internal control, in part or in whole on the

behalf of the entity, does not necessarily constitute a limitation on the scope of the

audit, as long as the auditor is capable of testing the design and – to the extent

necessary – the function of the ICS (cf. ISA 315.A77, .A80). The auditor shall

however, evaluate whether the absence of a documented risk assessment process is

appropriate to the circumstances, or determine whether it constitutes a significant

deficiency in the internal control system of the entity (ISA 315.17).

The auditor is not required to document substantial parts or all of the entity's internal

control in lieu of the entity. However, the following must be documented by the auditor

according to ISA 315.32, taking into consideration ISA 230.8 et seq. with respect to

the entity’s internal control:

5 Bookkeeping is subject to statutory audit in Germany. Proper bookkeeping principles are to be observed.

19

o key elements of the understanding obtained regarding each of the five aspects of

the internal control components, and sources of information from which the

understanding was obtained;

o significant risks identified, and related controls about which the auditor has

obtained an understanding.

6.2 Materiality6

6.2.1 Fundamentals of Materiality

The concept of materiality is regulated in ISA 320 – Materiality in Planning and

Performing an Audit. When establishing the overall audit strategy, the auditor shall first

determine materiality for the financial statements as a whole

(ISA 320.10). The level of materiality for the financial statements as a whole shall be

measured in terms of the level beyond which a misstatement in the financial statements

influences the economic decisions of users of the financial statements. It is not justified

if the auditor sets a low level of materiality as a whole because there was a high risk of

errors (cf. Guide to using ISAs in the Audits of Small- and Medium-Sized Entities, Vol. 1

– Core Concepts, 3rd Edition, p. 95).

At the same time, the auditor is to establish a lower threshold of materiality for

particular types of business transactions, account balances, or disclosures in financial

statements, if in the specific circumstances of the entity, misstatements of lesser

amounts than materiality for the financial statements as a whole could reasonably be

expected to influence the economic decisions of users on the basis of the financial

statements (ISA 320.10). It is not permissible to set a higher threshold of materiality for

particular types of business transactions, account balances or disclosures in financial

statements.

According to ISA 320.11 the auditor is also to determine the so-called performance

materiality. This is the amount or amounts below materiality for the financial statements

as a whole or the specific materialities, in order to reduce to an appropriately low level

the probability that the aggregate of uncorrected and undetected misstatements

exceeds materiality for the financial statements as a whole. Performance materiality is

relevant within the process of determining the audit strategy, in particular the starting

point for the determination of the nature, timing and scope of further audit procedures

(ISA 320.11) for the performance of the audit.

6 Detailed remarks on materiality according to ISA 320 can be obtained from Questions and Answers on

Determining Materiality and Tolerance Materiality according to ISA 320 and IDW PS 250 published by IDW on 17 November 2011 (cf. IDW Fachnachrichten 12/2011, see: 743 et seq.)

20

6.2.2 Scaling Aspects within the Framework of Materiality

Possible scaling aspects are illustrated below.

Determining the materiality for the financial statements as a whole influences the

scope of the subsequent audit procedures

The ISA do not prescribe for the auditor any particular method of determining

materiality as a whole. Nor do the standards provide for the application of any

particular mandatory reference size for determining materiality. The selection of the

appropriate reference value as well as the quantitative approach lies in the due

consideration of the auditor.

Within the process of determining materiality, which as described above is to be

guided by the decision relevance for the users of the financial statements, the

conditions surrounding the entity to be audited (such as ownership structure, nature

of financing, economic environment) are to be taken into account in determining the

reference value and the quantitative approach – and thus subsequently also in the

determination of the nature, timing and scope of further audit procedures.

Determining the line-item performance materiality influences the scope of

subsequent audit procedures

Performance materiality can either be determined as an amount analogous to

materiality for the financial statements as a whole or also issue-specific for certain

types of business transactions, account balances, or disclosures in financial

statements (cf. Guide to using ISAs in the Audits of Small- and Medium-Sized

Entities, Vol. 1 – Core Concepts, 3rd Edition, p. 96). As a function of risk and

complexity, the determination of issue-specific tolerance materiality can lead to a

reduction of the audit procedures to be performed for smaller entities.

It should be noted at this point that the negotiation of possible follow-on engagements

in connection with the audit of financial statements, such as the preparation of

explanatory notes in the long-form audit report, eliminates the previous materiality

considerations due to the necessarily higher level of certainty and thus may negate any

associated scaling aspects.

6.3 Audit Planning

6.3.1 Fundamentals of Audit Planning

ISA 300 – Planning an Audit of Financial Statements prescribes the duty of the auditor

to engage in audit planning. The planning of the audit of financial statements includes

21

the development of an audit strategy and subsequent design of the audit program. Key

factors that the auditor is to consider when developing the audit strategy and devising

the audit program have already been illustrated in the section

“Risk-Based Audit Approach.”

6.3.2 Scaling Aspects within the Process of Audit Planning


Size and complexity of the audit subject influence the nature and scope of audit

planning

The nature and scope of planning activities are dependent upon the size and

complexity of the audit subject, the previous experiences of members of the audit

team with the entity, and any changing conditions during the ongoing audit. The

development of the audit strategy for audits of small entities must not be a complex

or time-consuming procedure; this depends on the size of the entity, the complexity

of the audit, and the size of the audit team (ISA 300.A11).

Furthermore, the nature, scope and timing of direction and supervision of the

members of the audit team, as well as the review of their work, must be planned

(ISA 300.11). This is ultimately influenced by the size of the audit team. For small

entities the entire audit can be conducted by a very small audit team or even by the

engagement partner alone. The coordination and communication within the audit

team is influenced accordingly by the size of the audit team (ISA 300.A11).

Facilitated planning requirements for one-person audits

If an audit is carried out completely by the engagement partner, considerations on

direction and supervision of the audit team as well as reviewing their work is not

required. In such cases, the engagement partner will be aware of all key issues.

There may be situations, however, that require the auditor to consult the

professional opinion of a third party in cases involving particularly complex or

unusual issues (ISA 300.A15).

Initial or follow-on audit

Within the process of audit planning for subsequent audits, the auditor can, on the

one hand, also use knowledge and information about the entity from previous years,

and on the other hand, for SMEs can refer back to working papers from previous

years that are being updated within the process of the current audit.

22

6.4 Audit Procedures to Obtain Audit Evidence on Audit Objectives

6.4.1 Fundamentals of Obtaining Audit Evidence

The following chart represents an overview of the various types of audit procedures and

activities according to the ISA (cf. IDW PS 300, Item 14):

Fundamental remarks on audit procedures are contained in ISA 315 – Identifying and

Assessing the Risks of Material Misstatement through Understanding the Entity and Its

Environment and ISA 330 – The Auditor's Responses to Assessed Risks (for both

standards, see the remarks above under section VI.1 – Risk-Based Audit Approach),

ISA 520 – Analytical Procedures and ISA 530 – Audit Sampling.

Basic requirements for audit evidence are found in ISA 500 – Audit Evidence.

In addition, there is a series of additional standards that deal with special audit fields or

types of audit evidence, e.g.:

ISA 501 – Audit Evidence – Specific Considerations for Selected Items

ISA 505 – External Confirmations

ISA 540 – Auditing Accounting Estimates, Including Fair Value Accounting

Estimates, and Related Disclosures

ISA 550 – Related Parties

ISA 560 – Subsequent Events

ISA 570 – Going Concern

ISA 580 – Written Representations

Test of Controls Substantive Audit

Procedures

Test of Details

23

The predominant rule applies that, during the course of an audit of a particular audit

field, the ISA do not prescribe for the auditor any specific audit procedures or activities

or the seeking out of a particular type of audit evidence. On the contrary, it is the

auditor's due consideration to design and perform audit procedures to obtain sufficient

appropriate audit evidence to be able to draw reasonable conclusions on which to base

the auditor’s opinion (ISA 500.1).

In some cases however, the ISA prescribe specific audit procedures and activities, or

require obtaining specific audit evidence, such as, (but not limited to):

the mandatory attendance at physical inventory counting, to the extent that

inventories are material to the financial statements and that attendance is practical

(ISA 501.4),

inquiry of management, reviewing minutes of meetings of those charged with

governance and correspondence between the company and its external legal

counsel, and reviewing legal expense accounts to determine any litigation and

claims (ISA 501.9),

mandatory performance of analytical audit procedures near the end of the audit that

assist the auditor when forming an overall conclusion as to whether the financial

statements are consistent with the auditor’s understanding of the entity (ISA 520.6),

specific audit procedures for risk assessment with respect to accounting estimates

(incl. ISA 540.8, .12 et seq.),

specific audit procedures for risk assessment with respect to related parties

(ISA 550.12, et seq.),

specific audit procedures in case events or conditions have been identified that may

cast significant doubt on the entity’s ability to continue as a going concern

(ISA 570.16),

the request for management to provide a written representation that it has fulfilled

its responsibility for the preparation of the financial statements as well as for other

specific assertions (ISA 580.10 and 580.13).

Audit evidence is to be sufficient and appropriate (ISA 500.6). “Sufficient” refers to the

required quantity of audit evidence. As a rule, the quantity of the audit evidence needed

is affected not only by the auditor’s assessment of the risks of material misstatement

but also by the quality of such audit evidence (ISA 500.5(e)). Audit evidence is

“appropriate” if it is relevant and reliable in providing support for the conclusions on

which the auditor’s opinion is based.

24

According to ISA 315.A110, in representing that the financial statements are in

accordance with the applicable financial reporting framework, management implicitly or

explicitly makes assertions regarding the recognition, measurement, presentation and

disclosure of the various elements of financial statements along with the related

disclosures. This covers the objectives of the audit of financial statements. In order to

implement these objectives on the assertion level, the audit evidence gained by means

of the audit must enable the assessment of the following assertions about the financial

statements:

Completeness (of assets, liabilities, expenses and revenues)

Existence ( of certain assets and liabilities)

Accuracy (correct recording of amounts in the accurate accounting period)

Valuation (of the stated assets, liabilities)

Ownership (allocation of asset, liabilities to the beneficial owner)

Presentation (correct presentation in the financial statements)

6.4.2 Scaling Aspects within the Process of Audit Procedures for Obtaining Audit Evidence


Financial statements audited according to ISA does not require “absolute

assurance”

According to ISA 200.5, the auditor is required to obtain reasonable assurance

about whether the financial statements as a whole are free from material

misstatement. However, reasonable assurance is “a high level of assurance” – but

not an absolute (i.e. 100%) assurance.

A risk-based audit approach can reduce the scope of subsequent audit activities

The risk assessment to be performed on the basis of the risk-based audit approach

determines the nature, timing and scope of subsequent audit procedures. Low-risk

audit areas consequently are audited with less intensity. As a rule, this also applies

to the special audit fields regulated in separate standards:

o Accounting estimates: Depending upon the risk assessment with respect to

accounting estimates, ISA 540 specifies the scope of additional audit activities

for the auditor (ISA 540.8, 10 seq., 12 et seq., 15 et seq.).

25

o Related parties: The nature, timing and scope of the further audit procedures

that the auditor may choose in response to the assessed risks of material

misstatement associated with related party relationships and transactions

depend upon the nature of those risks and the circumstances of the entity

(550.A31).

o Subsequent events (events after the balance sheet date): Depending on the

auditor’s risk assessment, the audit procedures required may include

procedures such as the review or testing of accounting records or transactions

occurring between the date of the financial statements and the date of the audit

opinion (560.A6).

o Going Concern: The existence of events or conditions that may cast significant

doubt on the entity’s ability to continue as a going concern affect the nature,

timing and scope of the auditor’s further audit procedures in response to the

assessed risks (ISA 570.A6).

As a rule, the auditor is to obtain more persuasive audit evidence, the higher the

auditor’s assessment of risk (ISA 330.7(b)). In doing so, the auditor may increase

the quantity of the evidence or obtain evidence that is more relevant or reliable

(e.g., ISA 330.A19).

Use of audit evidence from previous audits

Audit evidence is primarily obtained from audit procedures performed during the

course of the audit. Audit evidence from previous audits of financial statements may

also be used, however, provided the auditor has determined whether changes have

occurred since the previous audit that may affect its relevance to the current audit

(ISA 500.A1).

Special considerations for the testing of accounting estimates of SMEs

In SMEs the process for making accounting estimates is likely to be less structured

than in larger entities. SMEs may not have extensive descriptions of accounting

procedures, sophisticated accounting records, or written policies. Even if the entity

has no formal established process, it does not mean that management of the SME

is not able to provide a basis upon which the auditor can test accounting estimates

(ISA 540.A70).

Controls over the process to make an accounting estimate may exist in SMEs, but

the formality with which they operate varies. Furthermore, smaller entities may

determine that certain types of controls are not necessary due to active

management involvement in the financial reporting process.

26

In the case of very small entities with only a few controls, however, the auditor’s

response to the assessed risks is likely to be primarily substantive audit procedures

(ISA 540.A86).

Special considerations for the testing of a going concern for SMEs

In many cases, the management of an SME may not have prepared a detailed

assessment of the entity’s ability to continue as a going concern, but instead may

rely on in-depth knowledge of the business and anticipated future prospects.

Nevertheless, the auditor needs to evaluate management’s assessment of the

entity’s ability to continue as a going concern.

In addition to considering the one-year planning cycle, for SMEs it may be

appropriate to discuss the medium and long-term financing of the entity with

management, provided that management’s assertions can be backed up by

sufficient documentary evidence and are not inconsistent with the auditor’s

understanding of the entity (ISA 570.A11).

The ongoing support by owner-managers is frequently vital to the ability of an SME

to continue as a going concern (e.g., financing by means of a (subordinated) loan

by the owner-manager or the assumption of a bank guarantee).

In such cases the auditor may obtain appropriate evidence, backed up by

documents, concerning the subordination of the loan or the guarantee. Where an

SME is dependent on additional support from the owner-manager, the auditor may

evaluate the owner-manager’s ability to meet the obligation under the support

arrangement. In addition, the auditor may request written confirmation of the terms

associated with such support and the owner-manager’s intent (ISA 570.A12).

6.5 Documentation

6.5.1 Fundamentals of Documentation

The documentation requirements are essentially specified in ISA 230 – Audit

documentation. Further auditing standards may contain additional requirements for

audit documentation. The appendix of ISA 230 provides an overview of these additional

auditing standards.

Audit documentation (“working papers”) is defined as the record of audit procedures

performed, relevant audit evidence obtained, and conclusions reached by the auditor

(ISA 230.6(a)). The objective of the documentation is to obtain a sufficient and

appropriate record of the basis for the auditor’s report and evidence that the audit was

27

planned and performed in accordance with the International Standards on Auditing and

the applicable legal (e.g. § 51b WPO) and other regulatory requirements (ISA 230.5).

6.5.2 Scaling Aspects within the Process of Documentation


Reference criterion: Range of experience of an experienced auditor having no

previous connection with the audit

Concerning the nature, timing and scope, ISA 230.8 provides that audit

documentation is to be prepared so that it is sufficient to enable an experienced

auditor having no previous connection with the audit to understand the following:

(a) nature, timing and scope of audit procedures;

(b) the results of the audit procedures performed and the audit evidence obtained;

(c) significant matters arising during the audit, the conclusions reached thereon,

and significant professional judgments made in association with these

conclusions.

Focusing on relevant issues

Furthermore, ISA 230.A2 specifies that the form, content and scope of audit

documentation depend on factors such as size and complexity of the entity, the

identified risks of material misstatement and the audit procedures performed and

audit tools used. Moreover, it is neither practicable nor necessary during an audit to

document every matter considered or professional judgment made (ISA 230.A7).

For tests of receipts, no copies of the reviewed receipts need to be added to the

files. Original receipts must only be identifiable based on the identifying

characteristics (ISA 230.A12). In addition, the auditor must not separately document

consistency with issues separately if they have already have been proven through

the documents contained in the audit file.

Significant issues arising during the audit are to be documented however (see

above ISA 230.8 (c)). The assessment of the significance of an issue requires in

this an analysis of the given facts and circumstances. Significant matters according

to ISA 230.A8, for example, are matters that give rise to significant risks, results of

audit procedures indicating that the financial statements could be materially

misstated or that there is a need to revise the auditor’s previous risk assessment,

circumstances that cause the auditor significant difficulty in applying necessary

audit procedures as well as findings that could result in a modification to the audit

opinion, or the inclusion of a paragraph to emphasize an issue in the auditor’s

28

report. A key factor in determining the form, content and scope of audit

documentation about significant issues is the degree of professional judgment

exercised within the process of carrying out the activity and the evaluation of the

findings.

Summarizing Documents

For the auditing of companies that, due to their size, complexity and risk are defined

by the ISA as “smaller entities,” the documentation for the audit is generally less

extensive than that for the audit of a “larger entity” (ISA 230.A16).

Thus it may not be necessary to document the entirety of the auditor’s

understanding of the entity and matters related to it (ISA 315.A132). It is also

conceivable that a memorandum prepared at the completion of the previous audit,

based on a review of the working papers and updated for the current audit, can

serve as the documented audit strategy (ISA 300.A11).

In addition, it may be useful to record various aspects of the audit together in a

single document, with cross-references to supporting working papers. ISA 230.A17

specifies in this context the understanding of the entity and the entity’s internal

control, the overall audit strategy and audit plan, the materiality determined,

assessed risks, significant issues noted during the audit, and conclusions reached.

Special considerations for one-person audits

If the entire audit work is performed only by the engagement partner, no issues

need to be documented that are only required to inform or instruct members of an

audit team, or to provide evidence of a review by other members of the team (ISA

230.A16).

Oral explanations

Oral explanations may be used to explain or clarify information contained in the

audit documentation (ISA 230.A5). Oral explanations by the auditor, by their own,

do not adequately fulfill the documentation requirements for the procedures carried

out or the conclusions reached by the auditor.

Special considerations in documenting the entity’s internal control

The form and extent of audit documentation is a matter of professional judgment

and is influenced by the nature, size and complexity of the entity and its internal

control, by the availability of information from the entity as well as by the audit

procedures performed as part of the audit (ISA 315.A131, 330.A63).

29

For entities that have uncomplicated business and processes relevant to financial

reporting, the documentation may be simple in form and relatively brief. In these

cases, the auditor’s understanding of the entity and the related issues must not

necessarily be fully documented. Key elements of the auditor’s basic understanding

to be documented definitely include those on which the auditor based the

assessment of the risks of material misstatement (ISA 315.A132).

The extent of documentation may also reflect the experience and capabilities of the

members of the audit team. If an audit team consists of experienced individuals, a

less detailed documentation may be adequate, as these individuals will be able to

gain a reasonable understanding of the entity more easily than less experienced

individuals (ISA 315.A133).

For recurring audits, certain parts of the documentation may be carried forward,

updated as necessary to reflect changes in the entity’s business or processes (ISA

315.A134).

No duty to sign each individual working paper

According to ISA 230.9 it must be identifiable from the documentation from whom,

when and to what extent the audit documentation was reviewed. This does not

mean, however, that each individual working paper must be signed (ISA 230.A13).

7. Closing Remarks

The Management Board of the WPK is publishing this guideline with the aim of

demonstrating to members of the auditing profession the opportunities and limits that

size, complexity and risk of the audit subject can have on the performance and

documentation of audits. These so-called “SME audits” lead to auditor opinions which

are equal in quality compared to non-SME audits. The statement, “an audit is an audit”

is to be understood in this context as “an audit opinion is an audit opinion.”

The instruction is intended to help mitigate some of the existing deficiencies in the

transposition of the SME instructions of the ISA into German auditing standards. The

Management Board of WPK hopes to have cleared up existing uncertainties and

sources of error in the performance of audits.

This also does not release the members of the auditing profession from their duty to

carefully study the ISA and gain a reasonable understanding of the ISA provisions. In

case of conflict, the ISA standards shall take legal precedence over the remarks in this

instruction.

30

This instruction does not make any claim of completeness. It is based on the ISA

effective 31 December 2011 and will be revised as required. The professional

associations and other auditing service providers are called upon to provide useful

advice to the auditing profession on the basis of this instruction for the implementation

in auditing practice.

---

31

Appendix – Comparison of IDW PS and IFAC ISA

IDW Auditing Standards (PS) International Standards on Auditing (ISA)

PS 200 Objectives and General Principles for the Conduct of Audits of Financial Statements

ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing PS 201 Accounting and Auditing Principles for the Audit of Financial Statements

PS 202 The Assessment of Additional Information Published by Entities Together with the Financial Statements

ISA 720 The Auditor’s Responsibilities Relating to Other Information in Documents Containing Audited Financial Statements

PS 203 Events after the Balance Sheet Date ISA 560 Subsequent Events

PS 205 Audit of Opening Balance Sheet Figures as Part of First-Time Audits ISA 510 Initial Audit Engagements – Opening Balances

PS 208 Performance of Group Audits /

PS 210 Detecting Irregularities in an Audit of Financial Statements

ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements

ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements

PS 220 Engagement of Financial Statement Auditors ISA 210 Agreeing the Terms of Audit Engagements

PS 230 Understanding of the Business Activities and the Economic and Legal Environment of the Enterprise to be Audited for a Financial Statement Audit

ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

PS 240 Principles for Planning Audits of Financial Statements ISA 300 Planning an Audit of Financial Statements

PS 250 Materiality in the Audit of Financial Statements ISA 320 Materiality in Planning and Performing an Audit

PS 255 Related Party Relationships in Audits of Financial Statements ISA 550 Related Parties

32


PS 261 Identification and Assessment of Risks of Material Misstatement and the Reaction of the Auditor of Financial Statements to the Assessed Risks of Material Misstatement

ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management

ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

ISA 330 The Auditor’s Responses to Assessed Risks

PS 270 The Assessment of Going concern in the Audit of Financial Statements ISA 570 Going Concern

PS 300 Audit Evidence in the Audit of Financial Statements ISA 500 Audit Evidence

ISA 501 Audit Evidence – Specific Considerations for Selected Items PS 301 Inventory Audit

PS 302 External Confirmations ISA 505 External Confirmations

PS 303 Management Representations to the Auditor ISA 580 Written Representations

PS 312 Analytical Audit Procedures ISA 520 Analytical Procedures

PS 314 The Audit of Estimated Values in the Accounting incl. Fair Values ISA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures

PS 318 Audit of Comparative Disclosures About Prior Years ISA 710 Comparative Information – Corresponding Figures and Comparative Financial Statements

PS 320 Using the Work of Another External Auditor ISA 600 Special Considerations – Audits of Group Financial Statements (Including the Work of Component Auditors)

33


PS 321 Internal Audit and Audits of Financial Statements ISA 610 Using the Work of Internal Auditors

PS 322 Using the Work of Experts ISA 620 Using the Work of an Auditor’s Expert

PS 330 The Audit of Financial Statements by Application of Information Technology

/

PS 331 Audits of Entities Using Service Organizations for Accounting Functions ISA 402 Audit Considerations Relating to an Entity Using a Service Organization

PS 340 The Audit of the Early Risk Recognition System Pursuant to § 317 Section 4 HGB

/

PS 345 Effects of the German Corporate Governance Code on Audits /

PS 350 Audit of the Management Report /

PS 400 Principles for the Issuance of Auditors’ Reports for the Audits of Financial Statements

ISA 700 Forming an Opinion and Reporting on Financial Statements

ISA 705 Modifications to the Opinion in the Independent Auditor’s Report

ISA 706 Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report

PS 450 Principles for the Issuance of Long-form Audit Reports for the Audits of Financial Statements

ISA 260 Communication with Those Charged with Governance

PS 460 The Auditor’s Working Papers ISA 230 Audit Documentation

PS 470 Principles for the Auditor’s Oral Report to the Supervisory Board ISA 260 Communication with Those Charged with Governance

HFA 1/88 Application of Audit Sampling Methods for an Audit of Financial Statements

ISA 530 Audit Sampling

VO 1/2006

Requirements of Quality Assurance in Auditor Practice ISA 220 Quality Control for an Audit of Financial Statements (as well as ISQC 1)

/ ISA 450 Evaluation of Misstatements Identified during the Audit

34


/ ISA 800 Special Considerations – Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks

/ ISA 805 Special Considerations – Audits of Single Financial Statements and Specific Elements, Accounts or Items of a Financial Statement

/ ISA 810 Engagements to Report on Summary Financial Statements

---