This presentation by Paul Thompson, Deputy Director, SME & SMP Affairs, explores the challenges currently faced by SMPs, provides regulators' observations and offers tips for audit efficiency.
Performing Audits Efficiently and Expanding Service Offerings: Global and Local Insights (Part I)
1. Page 1 | Confidential and Proprietary Information
Performing Audits Efficiently
and Expanding Service Offerings:
Global and Local Insights (Part I)
Paul Thompson
Deputy Director, SME & SMP Affairs
MIA Seminar
Kuala Lumpur, Malaysia
December 6, 2013
2. Agenda - Challenges and Solutions
• IFAC SMP Committee
• Insights from IFAC SMP Quick Poll
• Understanding the ISAs
• Proportional Application of ISAs and ISQC 1
– ISAs 200, 210, 315 and ISQC 1
• Documentation
• Tips for Audit Efficiency
• IFAC Resources
– Knowledge Sharing / Implementation
3. SMP Committee - Overview
• To represent interests of small- and medium-sized
practices (SMPs)
• Comprises 18 members, including 3 from Asia, spanning
assurance and advisory experts
• Robust and regular input to IAASB on key projects
– Proportionality/scalability and stability are key considerations
– Internal controls and documentation may be insufficiently scalable
– ISQC 1 needs to be more risk-based and proportionate
– Need for impact analysis and post-implementation reviews
4. Insights from IFAC SMP Quick Poll I
• May-June poll ran in 17 languages and attracted almost
3,700 respondents (Nov-Dec just launched)
• Report at https://www.ifac.org/publications-resources/ifac-smp-quick-poll-mid-year-2013
• Responses are heavily skewed in favor of practitioners from
Europe and Asia (especially China) working in 2 smallest
categories of practice
5. Insights from IFAC SMP Quick Poll II
• What is the biggest challenge faced by your SME clients?
– Burden of regulation: 23%
– Economic uncertainty: 17%
– Pressure to lower prices of their products and services: 16%
– Difficulties accessing finance: 13%
– Rising costs: 11%
– Lack of demand for their products and services: 8%
– Competition: 7%
– Attracting and retaining staff: 5%
6. Insights from IFAC SMP Quick Poll III
• What is the biggest challenge your practice is facing right now?
– Keeping up with new regulations and standards: 25%
– Pressure to lower fees: 23%
– Attracting and retaining clients: 20%
– Work-life balance: 7%
– Attracting and retaining staff: 6%
– Competition: 6%
– Rising costs: 5%
– Ability to adapt to changing client needs: 4%
– Keeping up with new technology: 2%
– Succession planning: 2%
7. Insights from IFAC SMP Quick Poll IV
• How is your fee revenue split among the following areas?
– Audit and assurance: 30%
– Accounting, compilation, and other non-assurance/related services: 37%
– Tax: 18%
– Advisory/consulting services: 15%
8. Insights from IFAC SMP Quick Poll V
• What is the fastest growing source of revenue for your practice?
– Accounting, compilation, and other non-assurance/related services: 35%
– Audit and assurance: 26%
– Advisory/consulting services: 22%
– Tax: 17%
9. Insights from IFAC SMP Quick Poll VI
• What is the main driver of your practice's profitability?
– Acquisition of new clients: 45%
– Better retention of existing clients: 23%
– Increased productivity: 11%
– Increased average fee size: 10%
– Reduced overheads: 7%
– Better utilization of working capital and other assets: 2%
– Other, please describe: 2%
10. Insights from IFAC SMP Quick Poll VII
• Other findings
– Pace of change was that aspect of standards and regulation that
posed the greatest challenge for SMPs
– Audit & assurance were the types of standards and regulation that
posed the 2nd greatest challenge for SMPs
11. Understanding the ISAs – Option #1
13. Understanding the ISAs – Option #3
Need to decide:
– Can you reduce audit risk sufficiently?
– Is auditing a viable service for your firm?
14. Understanding the ISAs – Steps to Take
• Treat it as an exercise in change management
• Appoint a team leader
• Recognize that understanding all the ISAs is key to
performing effective and efficient audits of SMEs
• Determine requirements relevant to your audit (see later)
• Take time to digest it all
• Talk to your colleagues and clients now
15. Understanding the ISAs – Overall Structure
• Preface
– Scope and Authority
• Glossary
– Terms applicable to the standards
• ISQC1
– QC for firms
• ISAs
– 36 in all, 570+ requirements (incl. ISQC1)
16. Proportional Application of ISAs and ISQC 1 I
• ISAs - Overview
– New structure in which information is presented in separate sections:
Introduction, Objective, Definitions, Requirements and Application and
Other Explanatory Material
– Emphasis on professional judgment, the standards are principles
based which allows practitioners to tailor audit procedures
– Contain special considerations for smaller entity audits
– Some ISAs only apply to larger entity audits
– Many requirements may not be relevant to SME audits
17. Proportional Application of ISAs and ISQC 1 II
• ISA 200, Overall Objectives of the Independent Auditor
and the Conduct of an Audit in Accordance with
International Standards on Auditing
– The practitioner needs to comply with all ISAs relevant to the audit
and with all requirements in ISAs relevant to the audit
– A complete knowledge of all the standards is essential in order to
make a professional judgment as to what to leave out
18. Proportional Application of ISAs and ISQC 1 III
• Examples of some of the ISAs that would not be relevant
in an SME audit include:
– ISA 402 Audit Considerations Relating to an Entity Using a Service
Organization if the SME does not use a service organization
– ISA 510 Initial Audit Engagements – Opening Balances if the SME
is a continuing, and not an initial, engagement
– ISA 600, Special Considerations – Audits of Group Financial
Statements (Including the Work of Component Auditors) if the SME
audit engagement is not a group audit
– ISA 610 Using the Work of Internal Auditors if the SME has no
internal audit function
19. Proportional Application of ISAs and ISQC 1 IV
• ISA 200 continued:
– Not all ISA requirements are relevant to every audit as the
standards are designed to cover audits in every situation globally.
For example, it is possible that there are requirements which are
not relevant to some SME audits including:
– requirements to test the expectation that controls are operating
effectively (ISA 330, paragraph 8)
– requirements when an engagement needs an engagement quality
control review (ISA 220, paragraphs 19-21)
20. Proportional Application of ISAs and ISQC 1
• ISA 210 Agreeing the Terms of Audit Engagements
– Paragraph 6, agreeing the terms of engagement with
management, and paragraphs 9 and 10, which require you to
communicate the terms in writing to management in a letter, will be
applicable in every engagement
– Paragraphs 7 and 8 deal with an imposed scope limitation and the
situation where the preconditions do not exist. Paragraphs 14 – 17
deal with changes to the terms of engagement in mid-audit and
paragraphs 18 - 21 the situation where laws and regulation
supersede the ISAs
• It is important to know what the requirements are, but these situations
are also likely to be few and far between for most SME audits
21. Proportional Application of ISAs and ISQC 1 V
• ISA 210 Agreeing the Terms of Audit Engagements
continued
– To summarize, of the 16 requirements in ISA 210, paragraphs 6, 9
and 10 are critical and will apply in every engagement. For
SMPs, knowing they have to deal with 3 main requirements out of
16 is a lot less daunting than considering all 16 every time.
22. Proportional Application of ISAs and ISQC 1 VI
• ISA 315 Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and Its
Environment
– The objective of the auditor is to identify and assess the risks of
material misstatement, whether due to fraud or error, at the
financial statement and assertion levels, through understanding
the entity and its environment, including the entity’s internal
control, thereby providing a basis for designing and implementing
responses to the assessed risks of material misstatement.
• Focus on significant risks – effectiveness and efficiency
– Understand the business – important from an engagement risk
perspective
– Identify significant risks up front and focus audit effort on these
23. Proportional Application of ISAs and ISQC 1 VII
• ISA 315 focus on significant risks – effectiveness and
efficiency continued
– Substantive tests are required for each material class of
transactions, account balances and disclosures, but tests of details
only required for significant risks
– Consider analytical procedures (follow requirements of ISA 520
Analytical Procedures) for non-significant risk items where
appropriate
– Use professional judgment to determine what substantive tests to
use on items not considered significant risks
– ISAs explicitly encourage the auditor to exercise professional
judgment in determining the form and extent of documentation – they
acknowledge extent may vary depending on the circumstances
24. Proportional Application of ISAs and ISQC 1 VIII
• ISQC 1 Quality Control for Firms that Perform Audits and
Reviews of Financial Statements and Other Assurance
and Related Services Engagements
– Applies to firms of all sizes that provide services covered by the
IAASB’s International Standards
– Requirement for the firm to comply with each requirement of the
standard unless, in the circumstances of the firm, the requirement
is not relevant to the services provided…
– Contains special considerations for smaller practices
– Indicates that the form and content of documentation evidencing
the operation of each of the elements of the system of quality
control is a matter of judgment and depends on the size, nature
and complexity of the firm and number of offices
25. Documentation – ISA 230
• ISA 230 on documentation is one of the shortest ISAs
• Only 9 requirements but another 22 specific requirements
in other ISAs listed in the appendix
• Must be in detail (e.g. specific items sampled) and show
who did what and when (paragraph 9)
• Document discussions of significant
matters, inconsistencies, and departures from
requirements (paragraphs 10-12)
• Remainder covers matters arising after the audit report is
signed, and assembly of the file
26. Documentation - Regulator Observations I
• Worldwide regulators complain about poor documentation
• Too much documentation in some established and low risk
areas and not enough in other difficult areas
• Poor evidence of link between risk analysis and procedures
performed – problems identified but not addressed
• Not enough showing the thought processes – but how!?
• Sample sizes being cut, materiality levels being
raised, analytical procedures not being used much - without
documentation for the justification of this – big issues
27. Documentation – Regulators’ Observations II
• ISA 200: scepticism is an attitude including a questioning
mind, being alert to conditions which may indicate possible
misstatement, and a critical assessment of audit evidence
• Scepticism is not cynicism / distrusting everything: assume
documents are genuine unless reason to suspect not
• Scepticism is about challenging assumptions and actively
considering the possibility of bias
• Little evidence of professional scepticism
• Insufficient evidence of challenge to client assumptions
(e.g., impairments, going concern): often, the challenge
took place in meetings but was not documented
28. Documentation – Real Problem
• Excessive documentation for compliance purposes is real
problem – keeps auditors from engaging with the client
• Largely a product of over-engineered and inefficient audit
methodologies – leading to under- or over-auditing
• Poor documentation by auditors – for example
– Keeping interesting but irrelevant information on the file
– Full documents rather than extracts
– Not making use of facilities for electronic cross-referencing
– Poor checklists used indiscriminately without thought
29. Tips for Audit Efficiency
• Automation – standardized templates and customized
checklists
• Software – utilizing commercially available products
• Planning – timeframe, list of deliverables, client meeting
• Risk based approach – in line with ISAs
• Staff training / supervision
• Communication
30. IFAC Resources - Knowledge Sharing / Implementation I
• Building and sharing knowledge, including access to
resources and tools, amongst member bodies and SMPs
– Implementing standards (incl. ISAs, ISQC 1)
– Insight articles (e.g., efficiently auditing SMEs, review engagements)
– Comprehensive guides on how to efficiently implement ISAs and
ISQC 1 (guidance, case studies, checklists etc.)
– Guide to Review Engagements (due Dec. 2013)
– Suite of links to free resources from member bodies
– IFAC Global Knowledge Gateway (launching in early 2014)
– See ‘References’ at end
31. IFAC Resources - Knowledge Sharing / Implementation II
ISA Guide Volume 1
• Fundamental concepts of a risk-
based audit in conformance with the
ISAs
ISA Guide Volume 2
• Practical guidance on performing
SME audits. Includes two illustrative
case studies—one of an SME audit
and one of a micro-entity audit
32. IFAC Resources - Knowledge Sharing / Implementation III
• QC Guide
• Helps SMPs apply ISQC 1
proportionately and
efficiently. Includes
guidance, case study, two
sample QC manuals and
checklists
• Reference, training,
customize manuals and
checklists
34. References – IAASB
• Staff Q&A, Applying ISAs Proportionately with the Size and Complexity of an Entity:
http://www.ifac.org/publications-resources/staff-questions-answers-applying-isas-proportionately-size-and-complexity-ent
• Staff Q&A, Applying ISQC 1 Proportionately with the Nature and Size of a Firm:
http://www.ifac.org/sites/default/files/publications/files/Staff%20QA%20ISQC%201%20Proportionality_FINAL.pdf
• The Clarified ISAs—Findings from the Post-Implementation Review:
http://www.ifac.org/publications-resources/clarified-isas-findings-post-implementation-review
35. References – Knowledge Sharing - Implementation
• Guide to Using International Standards on Auditing in the Audits of Small- and Medium-Sized Entities (Third Edition) (incl. companion manual and slides):
https://www.ifac.org/publications-resources/guide-using-international-standards-auditing-audits-small-and-medium-sized-en
• Guide to Quality Control for Small- and Medium-Sized Practices (Third Edition) (incl. companion manual and slides):
www.ifac.org/publications-resources/guide-quality-control-small-and-medium-sized-practices-third-edition-0
• Boosting the Quality and Efficiency of Smaller Entity Audits article:
https://www.ifac.org/news-events/2013-07/boosting-quality-and-efficiency-smaller-entity-audits
• Tips for Cost-Effective ISA Application article:
https://www.ifac.org/publications-resources/tips-cost-effective-isa-application
• Tips for Cost-Effective ISQC 1 Application article:
https://www.ifac.org/publications-resources/tips-cost-effective-isqc-1-application
36. Thank You
www.ifac.org/smp
Editor's notes
1. Panic and bail - dramatically change the focus of or give up your practice. If you decide to opt out of auditing SMEs, what will you do instead given that change appears to be everywhere? If you don’t like change then I think you have a problem on your hands unless, of course, you are close to retirement and are able to change the focus of your life.
2. Head in the sand - ignore the changes in the profession and the new standards. If you choose this option you could have: problems with audit regulators like your Audit Oversight Board; liability issues if you have an audit failure; loss of clients as they grow and need more demanding services; and risk to your professional reputation.
3. Study, ponder and decide - make an informed decision. Study the changes. Set up an implementation plan. Figure out what you can do, what you want to do and how to make the changes in our profession work for you. If you perform one or two audits a year then the investment in professional development may not be worth the time. Auditing is increasingly a specialty for trained auditors and has been for some time. And auditing SMEs effectively and efficiently is a sub-specialty. If you take time to learn a few skills to increase both your level of service and competence in this area you should be able to take advantage of those skills. Benefits should include a thriving professional and profitable practice with a risk profile to meet your needs. If you decide audit is not viable, hold your breath until this afternoon’s session!
Change is everywhere, inevitable and often for the better!
HAND OVER TO EDDIE
QUESTIONS
ISAs acknowledge that the appropriate exercise of professional judgment is essential to the proper conduct of an audit. Professional judgment is necessary, in particular, regarding decisions about the nature, timing, and extent of audit procedures used to meet the requirements of the ISAs and gather audit evidence. However, while the auditor of an SME needs to exercise professional judgment, this does not mean that the auditor can decide not to apply a requirement of an ISA except in exceptional circumstances and provided that the auditor performs alternative audit procedures to achieve the aim of the requirement.
The auditor need not be concerned with ISAs that are not relevant to the audit. Nevertheless, it is necessary that the auditor understands the scope of each ISA to determine whether it is relevant or not in the circumstances.
The auditor’s objectives are the same for audits of entities of different sizes and complexities. This, however, does not mean that every audit will be planned and performed in exactly the same way. The requirements of the ISAs, therefore, focus on matters that the auditor needs to address in an audit and do not ordinarily detail the specific procedures that the auditor should perform.
ISA 330, The Auditor’s Response to Assessed Risk, paragraph 8 states that “The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures)”.
ISA 220, Quality Control for an Audit of Financial Statements, paragraphs 19-21 all relate to an Engagement Quality Control Review, which is required for all audits of financial statements of listed entities.
Let’s use ISA 210 to illustrate that many requirements will not be relevant to an SME audit.
The objective of ISA 315 is critical and underpins every audit engagement regardless of size. Risk assessment is critical to achieving audit efficiency. A common mistake is to simply bolt on a risk assessment to your existing substantive audit. The requirement in ISA 315 is for the auditor to obtain an understanding of the entity and its environment. While the audit considerations underlying this requirement will be equally relevant for both large and small entities, the typically simpler structure and processes in an SME often mean that the auditor may obtain an understanding of the entity and its environment quite readily and document this in a straightforward manner. This is emphasized several times in the ISAs, e.g. “Smaller entities may use less structured means and simpler processes and procedures to achieve their objectives” (ISA 315, paragraph A45).
ISAs allow for an effective and efficient audit. The ISAs explain that the appropriate audit approach for designing and performing audit procedures depends on the auditor’s risk assessment. For example, in the context of an SME audit where there are not many control activities in the SME that can be identified by the auditor, the auditor may decide that it is efficient to perform further audit procedures that are primarily substantive procedures (ISA 330, paragraph A18).
ISAs also include useful guidance that assists the auditor in understanding or applying specific requirements in the ISAs in the context of an SME audit.
Analytical procedures: For example, because interim or monthly financial information may not be available in an SME for purposes of analytical procedures to identify and assess the risks of material misstatement, the auditor may need to plan to perform analytical procedures when an early draft of the entity’s financial statements becomes available (ISA 315, paragraph A10).
Documentation: For example, “the form, content, and extent of documentation depend on various factors, including the size and complexity of the entity”, and the audit methodology and technology used in the audit (ISA 230, paragraph A2; ISA 315, paragraph A131). “The documentation for the audit of a smaller entity is generally less extensive than that for the audit of a larger entity” (ISA 230, paragraph A16). “Documentation may be simple and relatively brief” (ISA 315, paragraph A132). ISAs provide examples of how the documentation in an SME audit can be approached in an efficient and effective manner, e.g. documentation of the understanding of the entity may be part of documentation of the overall strategy and audit plan. Similarly, the results of the risk assessment may be documented as part of the auditor’s documentation of further procedures (ISA 315, paragraph A131).
The objective of implementing a system of quality control is the same for all firms regardless of their nature or size. However, this does not mean that all firms have to design and implement exactly the same specific policies and procedures, or policies and procedures at the same level of detail, to achieve the objective and requirements of ISQC 1. Smaller firms will find that effective and proportionate implementation may be best achieved by first studying the provisions of ISQC 1 and then, in light of the nature and size of a firm and the services the firm provides, developing policies and procedures tailored to the firm’s circumstances.
The ISQC does not call for compliance with requirements that are not relevant (ISQC 1 paragraph 14).
It explains that smaller firms may use more informal methods in the documentation of their systems of quality control such as manual notes, checklists and forms (ISQC 1 paragraph A75).
Firms can draw on external resources to meet some of the requirements of ISQC 1. For example, in relation to the requirements of ISQC 1 addressing the need for sufficient personnel with the competence and capabilities to perform engagements in accordance with professional standards, firms may use a suitably qualified external person, for example, when internal technical and training resources are unavailable. Often, this will likely be an effective (and cost effective) way to achieve the aims of the requirements.
Must enable an experienced auditor with no previous experience of the audit to understand the procedures, their results, significant issues and judgements (paragraph 8).
Standards are quite clear about the need for files to contain a sufficient record to enable an independent reviewer…to understand the audit and confirm that standards have been followed. But this should not be understood to mean that the files are mainly for the benefit of the inspectors; the primary role of documentation is to drive audit quality and assure the firm that an appropriate quality has been achieved. [Emphasis added]
HAND OVER TO EDDIE
QUESTIONS
There are a number of practical steps which could be considered for improving audit efficiencies.
Automation: Automating the audit practice provides an opportunity to improve audit quality at both firm-wide and individual engagement levels. At the firm level, setting up standardized templates helps ensure that all phases have been completed in every audit. Customized checklists can be updated as needed and incorporated into individual engagement files at the beginning of every engagement. It is important that every file is customized for the individual client. The generic firm template is a great place to start, but it is only a start.
Software: When using commercially available software for SMP engagements, you can roll forward last year’s electronic file almost instantly and have ‘mapped’ trial balance codes for efficiency if generating the financial statements. You can also e-mail an engagement letter and list of deliverables required when you visit the client at the beginning of the audit. If you import data from one application program to another, data conversion errors should be eliminated and grouping and arithmetical errors can be minimized.
Planning: The essential component for an efficient audit is proper planning and organization both from the perspective of the audit firm and the business. It is important that the timeframe is agreed in advance with clearly specified delivery dates. The field work should be scheduled and the board meeting to sign the accounts agreed. A list of client deliverables should be provided by the audit firm. The initial planning meeting should be scheduled in advance.
Risk based approach: The audit team should focus on working smarter, not harder. The work should be concentrated on the key risk areas with the level and amount of work tailored accordingly. A thorough analytical review should be undertaken which identifies the key risks and the level of testing that will be performed on these and other areas. This review should include scoping out of balances which are fully understood and would not lead to a material misstatement. When considering the audit approach, sometimes less is more. The audit team should limit procedures on areas considered to be low risk and focus attention and time on significant risks or historical areas known to cause issues.
Staff training / supervision: The audit firm must ensure that their staff are resourced at the correct level and that more junior team members receive adequate supervision to complete the work to a high standard. Senior reviews of the testing must be scheduled in a timely manner, so any open points are closed when the audit team is onsite and not later at greater cost.
Communication: Regular, effective communication is important for individuals in the audit team and the business. A daily tracker with open queries is a useful tool to facilitate these conversations. As a result any issues will also be discussed early, so there is less likelihood of last minute changes and late surprises.
HAND OVER TO EDDIE
QUESTIONS