Practice Alert
May 2013
Visit our website at: ppm.cga-canada.org

How to Address the Three Rs Without Checklists
by Joan Porter, CGA

The purpose of this practice alert is to provide guidance and encouragement to auditors performing audits of smaller entities in accordance with Canadian Auditing Standards (CAS) who want to increase engagement efficiency. This approach requires good communication skills and a practitioner who is willing to invest time up front to obtain a thorough understanding of the audit standards. Knowing how to use the standards effectively and combining this knowledge with practice specialty, practice automation, and appropriate staff assignment will result in greater efficiencies in performing audits — particularly those audits of smaller or less complex entities.

What are the Three Rs?

The Three Rs are the audit process that applies to all audits:
1. Risk identification and assessment (CAS 240, CAS 250, CAS 315);
2. Response to significant assessed risks (CAS 330); and
3. Report (CAS 700, CAS 710).

This audit process is common to all audits regardless of the size of the entity being audited. The old phrase “An audit is an audit is an audit” remains true. The objective of an audit as defined by CAS must be met in all instances, but CAS also recognizes that the same documentation or approach is not appropriate for all audits.

Appendix 1 of this document (page 9) presents the audit process with references to the relevant CAS, comparing the use of the PPM checklists with the Smaller Audit Alternative documentation (referenced in the PPM as the Sample Audit File (Part F)). The documentation used in the Smaller Audit Alternative uses a limited number of directed memorandums along with a few checklists to replace a large volume of checklists.
The most important element of this approach is not the completion of the precise documentation suggested, but rather the understanding by the auditor that meeting the objectives of CAS should always be the primary focus rather than the form of documentation used during the course of the engagement.

The data in the sample memorandums is taken from the Sample Audit included with the CGA-Canada Orientation to Public Practice — Audit Engagements seminar. The Appendices were first developed for this program. The references under the Smaller Audit Alternative have been revised to relate to the appendices attached to this practice alert.

What are the requirements that must be respected for all audits?

To plan and perform an audit of historical financial statements the auditor must:
• Comply with relevant ethical requirements;
• Maintain professional skepticism;
• Exercise professional judgement;
• Obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level; and
• Comply with all CASs that are relevant to the audit.

In order to be in compliance with a relevant CAS, the auditor must have an understanding of the entire text of the standard, including its application and other explanatory material, so they can understand its objectives and properly apply the requirements. This knowledge and comprehension is not optional; it is fundamental to the conduct of each audit. The auditor cannot make a judgement as to the relevance and application of CAS if they are not familiar with what is required within the standards in the first place.

The overall objective of the auditor is to obtain reasonable assurance that the financial statements as a whole are free from material misstatement in order to express an opinion that the financial statements are prepared in accordance with the applicable accounting framework.
Compliance with this overall objective and the objective of each CAS can be documented using directed memorandums through the risk assessment and planning stage of the audit. This part of the process often consumes around 60% of the time on any audit, but is crucial — if planning is properly and thoroughly carried out, it will save significant time in subsequent phases of the engagement.

What is a “smaller audit”?

A smaller audit is an audit of a “smaller entity” as defined by CAS:
• An entity normally controlled by a small number of individuals.
• Simple record keeping, few internal controls, not complex transactions, few personnel with a wide range of duties.
(CICA Handbook — Assurance, Glossary of Terms)

It is possible for a smaller entity to have one area of more complex transactions, such as a defined benefit pension plan for employees. This would still be documented as an audit of a small entity, but the area of increased complexity would be addressed with expanded audit procedures to address the risks of the complex transactions.

What audit documentation is required?

As a general principle, the auditor must prepare audit documentation that is sufficient to enable an experienced auditor, having no previous connection with the audit, to understand:
• The nature, timing, and extent of audit procedures;
• The results of the audit procedures performed and evidence obtained; and
• Any significant matters that arose during the audit, the conclusions reached, and the significant professional judgements made.
(CAS 230.8)

CAS recognizes that recording various aspects of the audit together in a single document cross-referenced to supporting working papers will increase efficiency when preparing audit documentation.

CAS 230 — Audit Documentation
Considerations Specific to Smaller Entities (Ref: Para 8)

A16. The audit documentation for the audit of a smaller entity is generally less extensive than that for the audit of a larger entity.
Further, in the case of an audit where the engagement partner performs all the audit work, the documentation will not include matters that might have to be documented solely to inform or instruct members of an engagement team, or to provide evidence of review by other members of the team (for example, there will be no matters to document relating to team discussions or supervision). Nevertheless, the engagement partner complies with the overriding requirement in paragraph 8 to prepare audit documentation that can be understood by an experienced auditor, as the audit documentation may be subject to review by external parties for regulatory or other purposes. A17. When preparing audit documentation, the auditor of a smaller entity may also find it helpful and efficient to record various aspects of the audit together in a single document, with cross-references to supporting working papers, as appropriate. Examples of matters that may be documented together in the audit of a smaller entity include the understanding of the entity and its internal control, the overall audit strategy and audit plan, materiality determined in accordance with CAS 320, assessed risks, significant matters noted during the audit, and conclusions reached. The example outlined in CAS 230.A17 may appear a little extreme, but it does provide authority for auditors to conduct more efficient audits based on memorandums rather than checklists. Examples of this type of documentation are included in the following appendices, which are expanded on below. 
• Appendix 2 — Identifying risk through understanding the entity and its environment
• Appendix 3 — Identifying risk through understanding internal controls
• Appendix 4 — Identifying financial statement level risks
• Appendix 5 — Audit strategy
• Appendix 6 — Risk assessment and audit plan by assertion (RAS)
• Appendix 7 — Communication
• Appendix 8 — Audit high level checklists

One of the key things for a firm to remember if they wish to employ smaller audit documentation processes is the need for strong documentation procedures. These procedures must be designed to capture the auditor’s thought process, not just conclusions from the work done, and explicitly set out these thoughts in the audit file.

Appendix 2 — Identifying risk through understanding the entity and its environment

It is important to remember why the auditor needs to understand the entity and its environment. Simply put, this is necessary because the auditor must be able to identify the risks of material misstatement (RMM) in the financial statements, whether due to fraud or error. With this in mind, an experienced auditor is able to prepare a single document describing this understanding and identify the RMM.

This worksheet is used to identify possible business and fraud risk factors. Identified risk factors are then carried forward to the Risk Assessment Summary (RAS) shown in Appendix 6.

The information in this memorandum comes from a number of sources, including:
• Discussions with management and others in the entity;
• Research of the environment, industry, etc.;
• Prior experience of the auditor with clients in the same or a similar business; and
• Analytical review of the client’s financial statements.

Where appropriate, the auditor should cross reference information to supporting documents such as business plans, budgets, reports, agreements, minutes, correspondence, etc.
If the information recorded is the result of discussion with management or other employees of the client, the auditor should ensure that the documentation includes the name of the person interviewed together with the date the interview was conducted.

The standards supporting this procedure are found in CAS 315.5 and 315.11. For a more comprehensive understanding of the requirements we invite you to review these materials in detail.

Once this memorandum is completed as part of a first-year engagement it can simply be updated in subsequent years to include any changes, resulting in efficiencies in all future years.

Appendix 3 — Identifying risk through understanding internal controls

The objective of these procedures is not to document the controls, but rather to identify risks through the auditor’s understanding of the controls that are in place within the entity.

Internal controls are designed, implemented, and maintained by management to address identified business risks that threaten the achievement of any of the entity’s objectives concerning:
• The reliability of the entity’s financial reporting;
• The effectiveness and efficiency of its operations; and
• Its compliance with applicable laws and regulations.

There is unlikely to be an established risk assessment process in a smaller entity. In such cases, it is probable that management will identify risks through direct personal involvement in the business. Irrespective of the circumstances, however, inquiry about identified risks and how they are addressed by management is still necessary.

Internal controls are not always recognized as controls within smaller entities, as they are less structured and seldom documented. Information systems and related business processes relevant to financial reporting in smaller entities are likely to be less sophisticated than in larger entities, but their role is just as significant.
The owner-manager/CEO may be able to exercise more effective oversight than in a larger entity. This oversight may compensate for the more limited opportunities for segregation of duties.

Smaller entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. Communication between management and other personnel may be informal, but effective. In place of a written code of conduct, a smaller entity may develop a culture of integrity and ethical behavior through oral communication.

Management’s monitoring of control is often accomplished by close involvement in operations. This involvement will often identify significant variances from expectations and inaccuracies in financial data. On the other hand, the owner-manager/CEO may be more able to override controls because the system of internal control is less structured.

Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include inquiries of personnel, observing the application of specific internal controls and inspecting documents and reports. However, inquiry alone does not represent sufficient examination of the system of internal control.

The implementation of controls is confirmed by conducting a walkthrough to observe the application of specific controls. In a walkthrough, the auditor traces a transaction from each major class of transactions from origination, through the entity’s accounting and information systems and financial report preparation processes, to its being reported in the financial statements. A walkthrough is not a test of the operating effectiveness of a control because it only confirms the existence of a control at a specific point in time.
If the auditor intends to rely on the internal controls, it will be necessary to perform a test of operating effectiveness over a period of time (such as a year), based on a sample of transactions.

The auditor then reviews the controls to identify weaknesses, strengths, and key controls. Risk factors identified are documented on the Risk Assessment Summary (RAS) and then assessed. The assessment includes consideration of management’s response to the risk (internal controls). This contributes to the design of further audit procedures that will be responsive to the assessed risks, which may include the testing of controls that the auditor decides to rely upon.

At this point in the audit, material weaknesses should be recorded on the highlights memorandum for consideration at the end of the audit. It may be necessary to communicate any material weaknesses to management and those charged with governance.

Appendix 4 — Identifying financial statement level risks

The objective of this memorandum is to identify risks in the specific areas that would affect the financial statements overall and then to address any identified risks by conducting further audit procedures. If there are no identified risks in the area, no further audit procedures will be required.

Based on the auditor’s understanding of the entity and its environment, a determination is made regarding the financial statement level risks in the following areas:
• Going concern (CAS 570);
• Accounting estimates (CAS 540);
• Related parties (CAS 550);
• Litigation, claims, and non-compliance (CAS 250, CAS 505); and
• Using the work of an auditor’s expert (CAS 610, CAS 620).

Note that each area of this memorandum asks if the specific area is relevant to the client. For example:
• Are there going concern issues?
• Are there accounting estimates?
• Are there related parties?
• Is there any litigation pending, any claims, or non-compliance with laws and regulations?
• Will the auditor be using the work of an expert?

If the answer to any of these queries is NO, based on the auditor’s understanding of the entity and its environment, no further work or documentation is required. If the response to any question is YES, then the objective(s) of the relevant CAS must be met.

Appendix 5 — Audit strategy

CAS 300

The auditor shall establish an overall audit strategy that sets the scope, timing, and direction of the audit, and that guides the development of the audit plan. (CAS 300.7)

The auditor may summarize the overall audit strategy in the form of a memorandum that contains key decisions regarding the overall scope, timing, and conduct of the audit. (CAS 300.A16)

The appendix to CAS 300 — planning an audit of financial statements — details the information that should be included in an audit strategy document. This document is completed subsequent to the risk assessment phase after information has been collected about the entity.

The audit of a smaller entity is as much about the people as it is about the numbers and notes, which makes auditor communication essential. It is advisable to communicate the audit strategy to management or those charged with governance, as appropriate, verbally or in writing, prior to commencing the field work.

Appendix 6 — Risk assessment and audit plan by assertion (RAS)

THIS IS THE MOST IMPORTANT DOCUMENT WITHIN THE AUDIT FILE.

It brings together all of the risks identified from the beginning of the audit (pre-engagement procedures) to the end of the risk assessment process, and links those risks to the other audit procedures.

The RAS is first populated with identified risks.
For each risk the following is considered:
• Location within the file that the risk was identified;
• Whether the risk was considered significant;
• Identification of the area of financial statement that is affected;
• Identification of the management assertion that is affected;
• Level of risk — L, M, H; and
• Plan for further audit procedures to address each risk at the assertion level.

Tests of controls and substantive audit procedures, including analytical procedures (wherever possible), are then conducted to address the significant identified risks.

Appendix 7 — Communication

CAS 260.23
“When matters … are communicated orally, the auditor shall include them in the audit documentation including when and who.”

At every turn the standards are replete with the need to communicate, either in writing or orally, with management and those charged with governance.

For many smaller entities the audit visit is one of the few opportunities during the year that management and those charged with governance will have to speak to a professional accountant experienced in their specific sector, thus representing a valuable resource to the smaller entity. Financial statement users are looking for assurance that the statements are presented fairly, but management is also usually looking for an interpretation of what the statements say about the financial performance of the organization in addition to seeking constructive criticism on internal controls and any other matters that the auditor deems significant. This advice may or may not be directly related to the audit. It is these discussions and sharing of knowledge that is the cornerstone of client service to smaller entities.

Appendix 7 provides a sample of a memorandum used to document verbal communications with the client on the audit of a smaller entity.
Appendix 8 — High level audit checklists

Appendix 8 is a sample of three high level checklists taken from “Anatomy of a 12-Hour ISA Audit: An Assurance Specialty Service,” written by Phil Cowperthwaite, FCA for the International Auditing and Assurance Standard Board (IAASB) in June 2010. These checklists include:
• Pre-engagement checklist (Risk identification);
• Risk assessment and response checklist (Risk identification, assessment, and response); and
• Forming an opinion checklist (Report).

These high level checklists can be used with directed memorandums to assist the auditor and staff to remember the most essential procedures that are required in each audit engagement and to assist with training new staff.

The auditor should always be receptive to the use of new tools in order to accomplish a more effective and efficient audit process. However, it must always be remembered that they are just tools and the exercise of their completion alone does not meet the objective(s) of an audit.

Conclusion

As stated at the opening of this practice alert, knowing how to use the standards effectively in combination with practice automation, appropriate staff assignment, and practice specialty will result in greater efficiencies in performing audits of smaller entities.

Performing an efficient audit requires that the auditor reduce the time needed to make professional judgements. Many of these decisions can be made immediately provided those qualified to make the decisions are present at the time. The engagement team must also be able to communicate succinctly and have the ability to describe in words, rather than just completing answers to checklist questions, their understanding of the client and its environment, including identification of the risks that are unique to the particular engagement. This requires that all audit staff be well trained.
It may be helpful for a firm to have an audit manual specific to the firm to assist with this training. Much of the guidance included in the current checklists could be made available within an audit manual that would be used during the initial firm training in addition to serving as a quick reference on an ongoing basis. But it must be said that no audit manual can mitigate the need for all audit staff to be truly knowledgeable of CAS.

It is worth mentioning once more that one of the key things for a firm to remember if they wish to employ smaller audit documentation processes is the need for strong documentation procedures. These procedures must be designed to capture the auditor’s thought process, not just conclusions from the work done, and explicitly set these thoughts out in the audit file.

Disclaimer

The purpose of this Practice Alert is to provide guidance on the application of Canadian Auditing Standards. It is not to be relied upon as a substitute for consultation with the requirements documented in the CICA Handbook on this topic, nor for the exercise of sound professional judgement.

Appendix 1

Schedule of the Audit Process — PPM audit approach — CAS reference — Small Audit Alternative

AUDIT PROCESS PPM SAMPLE AUDIT FILE INDEX PPM AUDIT FILE DOCUMENT RISK IDENTIFICATION AND ASSESSMENT Assess engagement 11 A-121 Audit risk independence engagement acceptance — Continuing client Agree on terms of engagement 11.2 29 Engagement quality control review needed? 26 Specialist or secondary auditor needed?
Inquiries of management and others Communication with governance 9.2 Minutes of governance 37 Determine materiality levels 22 Identify risks through understanding entity and environment 12 32.1 1010-B21 Engagement letter Engagement letter (duplication) A-251 Determining whether the risks indicate the need for an Engagement Quality Control Review (EQCR) Not relevant to this sample audit CAS REFERENCE CAS 210.6–.8 CEPROC, CGA Independence Standard CAS 210.9–.12 SMALL AUDIT ALTERNATIVE 1 Audit engagement acceptance (Alternative — Appendix 8-1) 2 Engagement letter (Appendix 8-1) CAS 220.19–.21 3 EQCR Required (Not required) CAS 600, 610, 620 11 Identifying financial statement level risks (Appendix 4) 5 Communication with management and others (Appendix 7) A-299 Discussions with management A-311 Inquiries for management (relating to risk assessment) A-314 Inquiries of others relating to risk assessment Review of minutes A-211 Determining materiality CAS 230.10, 315.6 (a) CAS 260 CAS 240 A-131 Understanding the entity and its environment CAS 315 CAS 250 CAS 315.A11, 240.A20, 250.A11, 550.15(b), 570.A15 (Appendix 2) CAS 320 6 Determine materiality (F-22) 7 Identifying risks through understanding of the entity and its environment (Appendix 2) AUDIT PROCESS Analytical procedures at FS level Identify risks through understanding internal controls PPM SAMPLE AUDIT FILE INDEX 23 12 33 35 35.2 35.4 35.5 35.7 35.8 35.10 35.11 Financial statement level risks 25 31 34 WW.1 UU VV XX.1 PPM AUDIT FILE DOCUMENT A-221 Identifying risks using analytical procedures A-131 Understanding the entity and its environment A-321 Evaluating the control environment A-331 General IT systems and IT controls A-341 & A-342 Revenue, receivables and receipts A-343 Donations revenue A-351 Purchases, payables and payments (P, P, P) A-353 Walkthrough (P, P, P) A-361 Payroll A-371 Inventory, cost of sales, and production A-381 Financing and equity A-241 Assessing inherent
risks A-301 Assessing the risks of material misstatement A-323 Evaluating management’s use of estimates, including fair value estimates C-560 Accounting estimates C-540 Going concern C-550 Foreign currency translation C-511 Related party transactions (for NPOs) Specialists, secondary auditors CAS REFERENCE CAS 315.6 (b) CAS 315.14–.24 CAS 250 SMALL AUDIT ALTERNATIVE 8 Analytical procedures (F-23) 9 Identifying risks through understanding internal controls (Appendix 3) 10 Walkthroughs CAS 315 CAS 540 CAS 315.A5 CAS 570 11 Identifying financial statement level risks (Appendix 4) CAS 550 CAS 600, 610, 620 PPM SAMPLE AUDIT FILE INDEX 5 PPM AUDIT FILE DOCUMENT D-210 Financial statement presentation and disclosure review (for PEs and NPOs) Change in accounting WW.2 C-565 Changes in policy accounting policies and correction of prior-period errors (for PEs) RESPONSE TO IDENTIFIED RISKS Overall audit strategy 21 A-201 Establishing the overall audit strategy Risk assessment 38 A-391 Risk summary and audit assessment summary plan by assertion CAS REFERENCE CAS 200.11 (a), 200.13 (f) SMALL AUDIT ALTERNATIVE 12 Identifying presentation and disclosure risks (F-5) CAS 300.12 Time budget 27 CAS 300.A8 Team planning meeting 24 13 Overall audit strategy (Appendix 5) 14 Risk assessment summary (RAS) Audit plan by assertion (Appendix 6) 16 Time budget (F-27) 17 Team planning meeting (F-24) 5 Communication (Appendix 7) AUDIT PROCESS FS presentation and disclosure review Communicate audit plan to client Complete other planned audit procedures to address identified risks Adjusting journal entries A-264 Determining the audit fee A-231 Audit team planning meeting CAS 330.5, .6 CAS 240.15, CAS 220.15 See inquiries of management and others (above) Complete other audit procedures* (Appendix 8-2) 7 Client trial balance 8 Approved and responsibility of management Client data Client prepared documents 27 Client data Client data Not performed in sample audit C-570
(b) Journal entries Various checklists and lead sheets CAS 330.8–.17 Tests of Controls Substantive audit procedures XX A-YY 100-700 Responding to indications of fraud TT C-580 Responding to indications of fraud Accounting assistance 18 Adjusting journal entries Client data 19 Client trial balance 20 Other client data without auditor notations Test of Controls* CAS 330.18–.23 CAS 500 CAS 501 CAS 540 CAS 570 CAS 550 Substantive audit procedures to address risks at the assertion level* Responding to identified FS level risks* AUDIT PROCESS Subsequent events Analytical review at FS level Obtain management representation letter PPM SAMPLE AUDIT FILE INDEX YY 3 9.1 PPM AUDIT FILE DOCUMENT C-530 Contingencies and contractual obligations D-110 Final analytical review Management representation letter CAS REFERENCE CAS 520.6 CAS 580 SMALL AUDIT ALTERNATIVE 25 Subsequent events 30 Analytical review at FS level 31 Management representation letter REPORTING Schedule of unadjusted errors 1.2 22.2 Detailed, engagement partner, EQCR reviews 4 6 Issue properly worded audit report Communicate findings to client Members annual report D-520 Engagement completion memorandum A-213 Evaluating misstatements D-310 Reviewer’s checklist D-410 Engagement partner/sole practitioner review Not required in this sample audit Audit report in financial statements CAS 450.15 (b) CAS 450.15 (a) CAS 300.1, A.14– .15 CAS 220.16–.17 CAS 700 CAS 705 CAS 706 32 Evaluation of misstatements (Appendix 8-3) 33 Highlights memorandum 34 Detailed review 35 Engagement Partner review 36 EQCR (Appendix 8-3) 37 Audit report 5 Communication (Appendix 7) 38 Review of client Document 10 Review of client document containing audit report CAS 720 Audit file closing 1.1-1 D-510 (a) Audit file closing Administrative 40 Audit file closing — Administrative Audit file closing 1.1-2 CAS 230.14–.16 Subsequent changes to audit file 1.3 D-510 (b) Audit file closing D-520 Engagement completion
memorandum 39 Audit file completion 39a Subsequent change ADMINISTRATION CAS 230.14–.16

* The tests of controls and substantive audit procedures completed and documented are only those which address the identified risks as planned on the Risk assessment summary.

Appendix 2

Sample Not-for-Profit Society
Year end: December 31, 20X0

Identifying Risks Through Understanding the Entity and its Environment

Use this form to identify possible business and fraud risk factors. Identified risk factors should be recorded on the Risk Assessment Summary (RAS) — Appendix 6. Where possible, cross reference answers to supporting documents such as business plans, budgets, reports, agreements, minutes, correspondence, etc.

OBJECTIVE

To obtain and document our understanding of the entity and its environment for the purpose of identifying sources of risk or updating sources of risk already identified in previous periods.

Requirements: CAS 315.5 and 315.11

The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels.

The auditor shall obtain an understanding of the following:
a) Relevant industry, regulatory, and other external factors, including the applicable financial reporting framework.
b) The nature of the entity, including operations, ownership, and governance structures; types of investments the entity is making and plans to make; and the way that entity is structured and financed. This will enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements.
c) The entity’s selection and application of accounting policies, including the reasons for changes thereto.
The auditor shall evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry.
d) The entity’s objectives and strategies, and those related business risks that may result in risks of material misstatement.
e) The measurement and review of the entity’s financial performance.

INDUSTRY, REGULATORY, AND OTHER EXTERNAL FACTORS

Identify possible risk factors resulting from the industry, regulatory, and external factors.

Factors to consider:
• Entity operations;
• Key industry indicators, trends, and constraints;
• Impact of economic factors such as interest rates and inflation;
• Legal and regulatory requirements (including environmental); and
• Key customers, suppliers, and competitors.

Some possible risk factors may be:
• Industry is high risk, dangerous, or controversial?
• Economic dependence?
• Attracts government/media scrutiny or litigation?
• Subject to complex regulations?
• New technology or other factors are making existing products/services less valuable or obsolete?
• Constraints on the availability of capital and credit or restrictions on use of funding?
• Major price increases/volatility in raw materials or other key supplies expected?

Sample Not-for-Profit Society (Society) operates a local historical museum and gift shop. Since the Society is dependent on grants for 57% of its income, the economic environment could have a significant effect on the Society’s operations. Currently there is a resurgence of interest in the history of the area and this has led to an increase in visitors to the museum. Also, the area schools bring students to the museum to supplement their education about the local history.

The only major supplier to the museum is the supplier of the inventory for the gift shop, ABC Supplies Inc.
The Society has had a good relationship with this supplier for a number of years.

NATURE OF THE ENTITY AND ACCOUNTING POLICIES

Identify possible risk factors resulting from the nature of the entity and its accounting policy.

Factors to consider:
• How the entity operates and its locations;
• Ownership, role of the Board of Directors, management oversight, and operating style;
• Key people and advisors;
• Pressures on management, investigations, charges, and convictions;
• Related parties;
• Financing and investments; and
• Accounting policies used and significant estimates.

Some possible risk factors may be:
• Operations dominated by a single person or small group of people?
• Lack of personnel with appropriate accounting and financial reporting skills?
• Poor attitudes by management to internal controls?
• Overly aggressive risk taking?
• No regular monitoring/review of financial results to budget?
• Recurring negative cash flows?
• Entity is highly leveraged?
• Management staff bonus plans based on sales/profits?
• Significant related party transactions not in the ordinary course of activities?
• Significant estimates involve subjective judgements or uncertainties that are difficult to corroborate?
• Inconsistent application of accounting policies?

Sample Not-for-Profit Society was incorporated on January 1, 20XX. It is exempt from income taxes under section 149 (1)(1). The Society operates a local history museum and gift shop.

The executive director is Jane Executive. All employees report to the executive director and the executive director reports to the Board. The other employees include a bookkeeper and one other office staff, three employees in the gift shop, three custodial staff, and three clerks on museum admissions.

The Chair of the Board of Directors is Joe Walker. The Chair of the Audit and Finance Committee is Robert Director. There are no other related parties.
The Society’s lawyer is Big Law Firm, 789 Main St., Anytown, Your Province. The Society’s banker is Big Bank of Canada Limited, Main Street Branch, Anytown, Your Province. The Society’s insurance agent is Big Insurance Co., Anytown, Your Province.

The operation is funded by municipal, provincial, and other grants — 57%; gift shop revenues — 32%; admission and membership fees — 7%; and donations — 4%. The museum has one location in Anytown, Your Province.

The use of funds received under grants from the provincial government is restricted to capital investments. The use of funds received under grants from the municipal government and from other sources is unrestricted. See copies of grants for details of any restrictions (permanent file). The funding received from the municipality is restricted to a break even budget. If revenues from other areas result in a surplus, this funding is reduced.

The Society owns its building and Big Mortgage Co. holds the first mortgage. From time to time the Society has excess funds to be invested and these funds are invested in publicly traded companies and corporate bonds. The Society has a small US dollar bank account.

The Society adopts the CICA Handbook — Accounting Standards for Not-for-Profit Organizations. The accounting staff is knowledgeable about ASNPO. The Society uses Fund Accounting to track the restricted grants received. The Society’s management presents an annual budget to the Board for approval. This is done three months before the start of the relevant year.

OBJECTIVES, STRATEGIES, AND RELATED BUSINESS RISKS

Identify possible risk factors resulting from the objectives and strategies of the entity.

Factors to consider:
• Nature of business plans and the risks involved;
• Significant new contracts;
• Planned expansions or contraction of services;
• Any new accounting or regulatory requirements to be addressed; and
• Any new investments required, including IT and accounting.

Some possible risk factors may be:
• Entity is drifting with no plans or sense of direction?
• Significant management time spent on cost control?
• Control systems are not keeping up with the growth?
• Plans are overly ambitious or poorly thought through?
• Contract terms are onerous and are undermining the financial viability of the entity?
• No investment being made in key areas such as training personnel, IT support, and information systems?
• New/proposed regulations have a major impact on operations?
• Loss of key personnel likely?

The client is not planning any expansions. Their objective is to provide a high quality educational experience to the attendees of the museum and increase knowledge about local history. The goal is to fund ongoing operations and any capital asset additions. Management monitors operations closely and makes adjustments based on available government funding and economic conditions.

MEASUREMENT AND REVIEW OF FINANCIAL PERFORMANCE

Identify possible risks resulting from measurement and review of financial performance.

Factors to consider:
• What key performance indicators (KPIs) are used?
• Are actual financial results tracked to budget?
• Have reasons for variations to budget or performance norms been explained?

Some possible risk factors may be:
• Performance is not measured by the use of indicators?
• Internal accounts, cash flows, and forecasts are prone to error?
• Budget to actual variations are significant but not often explained?
• Monthly accounts are not reviewed or approved by the Board?
• Significant audit adjustments are required each year?

Actual financial results are tracked to the budget monthly by the bookkeeper and reviewed by the executive director. All variations are explained.

EMPLOYEE FUTURE BENEFITS POLICIES

Factors to consider:
• Does the entity provide for income after retirement?
• Does the entity provide post-employment benefits to former or inactive employees?
• Is the benefit a defined benefit or a defined contribution plan?
• Does the benefit vest or accumulate?
• Does the entity provide any other employee future benefits?

There are no employee future benefits.

Summary of risks identified through understanding of the entity and its environment (carry to RAS):
1. There is a risk that government policies will change and the grants currently extended will not be carried to the future — this represents a risk of material misstatement if management has not mitigated this risk and the economic dependence is not disclosed in the notes to the financial statements.
2. Restrictions on the use of funding could introduce a risk that the Society is not meeting the restrictions and therefore could be jeopardizing the funding.
3. Restraints on surpluses placed by the municipal funding grants may provide an incentive for management to understate revenue from other sources.
4. The Society may be exposed to interest rate risk on the mortgage.
5. The Society may be exposed to investment risk due to the fact that they are investing in equity and corporate bonds in the stock market, which could be higher risk investments — this could be a disclosure issue.
6. Depending on the amount of money that is held in the US bank account, the Society could be exposed to currency risk; the currency translation introduces complexity to the accounting.

CONCLUSIONS

Through the use of appropriate risk assessment and other audit procedures, we have:
• Obtained/updated an understanding of the entity and its environment; and
• Identified possible risks of material misstatement and recorded them on the Risk Assessment Summary — Appendix 6.

Prepared by:          Date:
Reviewed by:          Date:

Appendix 3
Sample Not-for-Profit Society
Year end: December 31, 20X0
Identifying Risks Through Understanding the Entity’s Environment (Internal Controls)

OBJECTIVE

To evaluate the design (matching controls to risks) and implementation (controls in use) of the following elements of internal controls:
• Control Environment;
• Risk Assessment;
• Financial Reporting;
• Fraud Prevention; and
• Monitoring.

ENTITY LEVEL CONTROLS

In smaller entities there will be less documentation available to support entity level controls. Consequently, the attitudes, awareness, and actions of management (owner-manager) will often form the basis for evaluating control design and implementation.

Risks to consider:
• No emphasis placed on the need for integrity and ethical values by management.
• No commitment to employee competence.
• Ineffective management oversight by those charged with governance.
• Management has a poor attitude toward internal control and/or managing business risks.
• Inappropriate/ineffective structure for planning, controlling, and achieving objectives.
• Unclear lines of accountability/reporting leading to poor decision making and possible errors in the financial statements.
• No policies/procedures exist to ensure effective HR management.
• Management is often surprised by events (including internal and external events, transactions, or circumstances) that were not previously identified/assessed or is continually reacting to events rather than planning ahead.
• Events and conditions (other than transactions) that are significant to the financial statements may not be captured or recorded.
• Poor oversight/control over financial reporting, journal entries, and preparation of significant estimates/disclosures that could result in material misstatements in the financial statements.
• Significant matters relating to financial reporting may not be communicated to the Board of Directors or external parties, such as bankers or regulators.
• Management has not considered or assessed the risks of fraud occurring (including management override).
• No procedures exist to monitor whether internal controls are operating as intended or to correct identified control weaknesses on a timely basis.

SUMMARIZE UNDERSTANDING OF ENTITY LEVEL CONTROLS

The following is based on discussions with Jane Executive on February 10, 20X2. Management believes that the risk of fraud is low given the oversight by the Board and the charitable nature of the work. No risks have been identified by management and none have been brought to management’s attention. There have been no communications with the Board or employees about the risks of fraud within the organization. Management believes that the Society is in compliance with all relevant laws and regulations. There are no specific policies in place to identify, document, or disclose risk of fraud, compliance with laws and regulations, economic dependence, contingencies, contractual obligations, subsequent events, and related parties.

The following is based on discussions with Mr. Robert Director, Chair of the Audit and Finance Committee on February 10, 20X2. The Board of Directors provides oversight of the Society by way of their budget approval process and the monthly monitoring of financial results. The Board follows up on all significant variances between actual financial results and the board approved budget. The Board is not aware of any actual, suspected, or alleged fraud. The Board believes that the Society is in compliance with all laws and regulations that may be expected to have a fundamental effect on the operations of the Society.

The following is based on a discussion with Mr. Sales, the manager of the gift shop, March 1, 20X2. Mr.
Sales is not aware of any actual, suspected, or alleged fraud. He claims that there is very little communication between management and the employees in the gift shop regarding business practices and ethical behaviour. He is not aware of any errors that have occurred during the year. He is also not aware of any problem areas. He believes the gift shop is running well and no changes need be instituted.

The Board of Directors is independent of management. They are volunteers who are interested in maintaining the museum. They have a wide range of backgrounds. The Chair of the Audit and Finance Committee is a qualified accountant. The Board and the committees meet monthly to review operations and to make policy decisions. Monthly financial statements are reviewed in detail at the Audit and Finance committee meeting and an overview report is presented to the Board. The Board approves the annual budget. The minute book is up to date.

The Executive Director appears to be the source of all decisions. The Board does not appear to have ever disagreed with the ED’s decisions.

Current management appears conservative in its approach to taking and managing risks. The operations have not varied in level of activity or complexity for many years. Financial decisions are made during the budgetary process. No added expenditures are made without assurances that there will be sufficient resources to meet the added financial obligation. Current management is diligent in its monthly and year-end financial reporting to its stakeholders.

Management appears to place high importance on staff retention. Staff morale appears high. From our observations and past experience with the client, we believe the Society’s staff are competent and possess the necessary skills and knowledge for their positions.

The Society’s annual report is normally completed a few weeks before the annual general meeting. It is therefore not available for review until after the audit is completed.

Conclusion: The lack of policies and procedures to identify, document, or disclose risk of fraud, compliance with laws and regulations, economic dependence, contingencies, contractual obligations, subsequent events, and related parties increases the risk of misstatement in the financial statements. The control environment collectively does not provide an appropriate foundation for the other components of internal control (i.e., other components of internal control are undermined by control environment weaknesses). The Society is controlled by the Executive Director. As a result there exist risks of management override of controls.

IT CONTROLS

In a small entity there will likely be less complex IT systems.

Risks to consider:
• No policies/procedures exist to ensure effective IT management or IT staff supervision.
• No alignment exists between business objectives, risks, and IT plans.
• Reliance is placed on systems/programs that are inaccurately processing data or processing inaccurate data.
• Unauthorized access to data is possible (i.e., data could be destroyed or amended).

SUMMARIZE UNDERSTANDING OF IT CONTROLS

Management appears to be diligent in ensuring the Society’s information processing and accounting functions are operating effectively. The Society maintains a fairly basic IT function. There is one server that connects the computer terminals used by the office staff and cash registers used by the admission staff and gift shop staff. The point of sales systems used by the admission staff and gift shop staff are not integrated with the accounting software. There are three desktop computers and four cash registers. An outside computer support service is used to provide maintenance and support for the IT function. There is currently no disaster recovery plan in place. Software acquisition, change, and maintenance is initiated by management with consultation from the outside computer support service.
All expenditures are indirectly authorized by the Board through the budget approval process. The outside computer service maintains the Society’s firewall and protection from viruses, spyware, and spam. The data is backed up weekly on a DVD and stored off site. The main accounting software used by the Society is ABC software. It can only be accessed by the bookkeeper and the ED. Staff are required to change their passwords on a semi-annual basis.

CONCLUSIONS

The strengths of the general IT controls provide an appropriate foundation for maintaining the integrity of information, the security of data, and support for application controls.

Transaction Stream Controls

REVENUES, RECEIVABLES, AND RECEIPTS

Risks to consider:
• Goods shipped/services performed not invoiced.
• Revenues partially or not recorded.
• Fictitious sales/sales credits recorded in accounts.
• Revenue recognition policies not followed.
• Revenue/receipts recorded in wrong accounting period.
• Receipts are partially/not deposited or recorded (fraud or error).
• No allowance for doubtful or uncollectable accounts.
• Related party transactions are not identified.
• Goods shipped/services provided to a bad credit risk.
• Receipts are credited to the wrong account.
• Overdue receivables are not followed up on a timely basis.

SUMMARIZE UNDERSTANDING OF THE REVENUE, RECEIVABLES, AND RECEIPTS CONTROLS

Gift shop sales, admission/membership fees, and donation revenue are recognized when received; grant revenue is recognized on the basis of the grant terms, whether that is for a period of time (operating grant) or at the same time as the related expense is incurred. There are no accounts receivables so there is no consideration of an allowance for doubtful accounts. There is one grant receivable only.

Gift shop cash sales are initiated when a customer arrives at the cash register to purchase an item. The sale is entered into the cash register (cash, credit, or debit card).
The ED or bookkeeper clears the cash register daily. The bookkeeper posts from the cash register tapes into the accounting software. Grants and donations are recorded into the accounting software when the monies are deposited into the bank.

The following key controls address theft of cash revenue:
• The variances between actual and budgeted sales are analyzed by management on a monthly basis. Unexpected results are followed up by inquiry only.
• The price lists and sales tax identifications are built into the cash register. Products are scanned at the cash register to determine invoice amounts. Management is responsible for maintaining and updating the price lists.
• All cheques are stamped upon receipt “For deposit only” with the Society’s bank account number.
• Only the ED and the bookkeeper have access to clearing the cash register totals.
• The gift shop employees are instructed to always provide the customer with a receipt.
• The daily deposit total is matched independently (by the bookkeeper) to the cash receipts records.
• The bank statements are received directly from the bank and reconciled by the bookkeeper, who is independent from the cash receipts function.
• All bank reconciliations are reviewed in detail and approved by the ED.
• All bank deposits are made intact and daily by the office clerk.
• A listing of cheques is prepared by the office clerk before each bank deposit.
• Access to the supply of unused donation receipts is restricted to the ED, who locks the unused receipts in her desk.

Cut-off procedures are used for the year end at which time the client reviews all deposits near and around the year-end date. Adjustments are then made to ensure the revenues are recorded in the proper period.

Document any change in understanding resulting from walkthrough procedures (WP 10)

CAS 315.A74. Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.

CONCLUSIONS

Based on a walkthrough of the key controls over revenue, receivables, and receipts, audit evidence was obtained to determine that the controls were implemented as described.

PURCHASES, PAYABLES, AND PAYMENTS

Risks to consider:
• Payments made for goods/services not received or ordered.
• Unauthorized (fraud or error) payments made.
• Duplicate payments (fraud or error) made.
• Incorrect or no accruals made for unbilled goods/services received.
• Goods/services are not recorded in the correct period.
• Payments recorded in wrong G/L account (fraud or error).
• Capital asset purchases are not capitalized.
• Related parties are not identified.

SUMMARIZE UNDERSTANDING OF PURCHASE, PAYABLES, AND PAYMENTS CONTROLS

The ED authorizes and initiates all payments and purchases, subject to Board approval in the annual budget. Invoices are received in the office and are recorded by the bookkeeper. Payments are made by cheque with the ED’s signature.

The following key controls address the risk of improper acquisitions:
• Supplier statements are reconciled to the accounts payable ledger by the bookkeeper.
• Accounting function and receiving function are segregated.
• The variances between actual and budgeted purchases and expenses are analyzed by management on a monthly basis. Unexpected results are followed up by inquiry and review of goods and services received.
• When applicable, payments are only processed for invoices supported by authorized receiving slips.
• Supplier invoices are clearly marked “Paid” by the bookkeeper to avoid duplicate payments or postings.
• Cheques and supporting documentation are reviewed in detail by the ED and the Chair of the Audit and Finance committee, who are also the signing officers.
• Blank cheque forms are restricted to the ED and the bookkeeper.
• The bookkeeper matches all cheque amounts to supporting documentation.
• All computer-generated cheques are based on previously entered and approved purchase transactions.

Other key controls are:
• Refundable amounts of sales taxes are recorded in separate accounts.
• All new bank accounts must be authorized by the Board of Directors.
• Spoiled cheques are marked “Void.”
• Each petty cash fund is the responsibility of a specific employee.
  o Fund reimbursements require management approval; and
  o Funds are independently counted on a weekly basis.
• Bank reconciliations are performed monthly and outstanding items are reviewed for reasonableness. They are reviewed in detail and approved by the ED on a monthly basis.
• Cheques are mailed out by the office clerk immediately after they are signed.
• Extensions and additions on the supporting documentation are recalculated by the bookkeeper when manual cheques are issued.
• All debit balances in creditor accounts are investigated by the bookkeeper.
• Review of period-end accruals and related cut-off procedures are only performed during the year end.
• The bookkeeper is responsible for the accuracy of purchases and payables. The current bookkeeper is very experienced with full cycle bookkeeping.

Document any change in understanding resulting from walkthrough procedures (WP 10.1)

CAS 315.A74. Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.

CONCLUSIONS

Based on a walkthrough of the key controls over purchases, payments, and payables it has been determined that the controls were implemented as described.

PAYROLL

Risks to consider:
• Fictitious personnel on payroll.
• Payments made for work not performed.
• Over/under payments (pay rate calculation errors or fraud).
• Work performed but not paid or accrued in accounts.
• Incorrect deductions made for taxes and benefits.
• Employee deductions not paid or only partially paid.
• Payroll expense recorded in wrong period.
• Payroll expense incorrectly recorded or allocated in the GL.

SUMMARIZE UNDERSTANDING OF PAYROLL CONTROLS

All the employees other than the ED are hourly compensated. The pay period is bi-weekly. There is no union. Time records are prepared by all employees except the ED, who is the only salaried employee. The ED reviews and approves all time records prior to forwarding to the bookkeeper. Payroll is processed and all postings are made to the Payroll module and GL by the bookkeeper.

The following key controls address risk of improper payment of employee compensations:
• The ED deals with all employee inquiries and complaints. She ensures all issues are promptly investigated and appropriate corrective action is promptly identified, authorized, and completed.
• All time records prepared by each employee are reviewed and approved by the ED.
• Terminations and hiring of employees are performed by the ED and she is responsible for advising the bookkeeper.
• The paycheques are prepared by the bookkeeper; the ED and Chair of Audit and Finance Committee sign the cheques and the bookkeeper distributes them. When they sign the cheques they review the details of the payslips for hours worked and hourly rate to ensure reasonableness.
• The variances between actual wages and budgeted salaries are analyzed by management on a monthly basis.
• The ED is responsible for adhering to a budget that includes oversight over payroll costs.
• The ED authorizes and monitors absenteeism, sickness, other leave, and overtime.
• The current bookkeeper is very experienced with payroll.
• The bookkeeper reports to the ED, who oversees the personnel and payroll functions.
• Payslips are provided to employees on each pay date with details of deductions taken.
• Salaries, hourly rates, and deductions are authorized in writing by the ED, forwarded to the bookkeeper, and filed in the employee’s personnel file.
• Review of period-end accruals and related cut-off procedures are only performed during the year end.

Document any change in understanding resulting from walkthrough procedures (WP 10.2)

CAS 315.A74. Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.

CONCLUSIONS

Based on a walkthrough of the key controls over payroll, audit evidence was obtained to determine that the controls were implemented as described.

FINANCING AND EQUITY

Risks to consider:
• Not all new debt is recorded as debt.
• Not all new share capital is recorded as equity.
• Overall risk that reported financing and equity are not complete due to fraud or error.
• Recorded debt includes amounts that are not owed.
• Recorded share capital includes amounts that are not paid up or contributed equity.
• Overall risk that reported financing and equity include amounts that should not be included due to fraud or error.

The key controls over financing and equity are the following:
• The Board of Directors is responsible for authorizing all debt.
The recording, processing, correcting, transferring to GL, and reporting in the financial statements is performed by the bookkeeper.
• The Society’s bylaws require debts and bank accounts to be authorized by the Board of Directors.
• Repayment terms are dictated by the terms of the loan agreement. Payments are processed by preauthorized withdrawals from the Society’s general operating account.

Document any change in understanding resulting from walkthrough procedures (WP 10.3)
(NOTE: There is no complete walkthrough in the sample file as required by CAS to obtain audit evidence that the controls as described have been implemented.)

CAS 315.A74. Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.

CONCLUSIONS

Based on a walkthrough of the key controls over financing and equity, audit evidence was obtained to determine that the controls were implemented as described.

FINANCIAL STATEMENT PREPARATION CONTROLS

Risks to consider:
• Accounting policies not properly or inconsistently applied.
• Transactions/events affecting financial statements have not been recorded.
• Faulty or invalid data/assumptions used for estimates, etc.
• Identified misstatements not corrected.
• Accounts misclassified.
• Journal entries posted in wrong financial period.
• Unsupported or duplicate journal entries made.

SUMMARIZE UNDERSTANDING OF FINANCIAL STATEMENT PREPARATION CONTROLS

The bookkeeper prepares the interim and year-end financial statements. Interim statements are prepared monthly and distributed to the Executive Director (ED) and the Board of Directors.
The bookkeeper completes all adjusting entries and they are approved by the ED. The accounting policies are discussed with the auditor but the final decisions regarding policies are made by the ED.

Except for the valuation of donated materials there are no significant estimates recognized and disclosed in the financial statements. In regards to donated materials, management obtains a third party document to support the fair value of the donated materials. The third party document could include a price list from a retailer. Other areas that require significant estimates are inventory obsolescence, fair value of estimates, and useful lives of assets. Management does not have the competence to make these estimates and relies on the auditor.

Document any change in understanding resulting from walkthrough procedures (WP 10.4)

CAS 315.A74. Risk assessment procedures to obtain audit evidence about the design and implementation of relevant controls may include:
• Inquiring of entity personnel.
• Observing the application of specific controls.
• Inspecting documents and reports.
• Tracing transactions through the information system relevant to financial reporting.
Inquiry alone, however, is not sufficient for such purposes.

CONCLUSIONS

Based on the walkthrough of the key controls over financial statement preparation, audit evidence was obtained to determine that the controls were implemented as described.

Summarize risks identified through understanding of the internal controls (carry to RAS — Appendix 6):
1. Completeness of cash donations cannot be verified by audit procedures. If reliance on key controls is not possible, there may have to be a scope limitation in the audit report.
2. Because there are a large number of cash sales, admittance fees are taken in cash, and there are too few staff to segregate duties, there is a risk that cash could be stolen.
3. Inventory is only counted once, at the year end.
This means that inventory could be stolen and the theft would not be identified until the year end.
4. There is a risk of employee fraudulent expense claims.
5. There is a risk that payroll could be manipulated.
6. There is a risk that the annual report will contain financial information that is not consistent with the audited financial information, since the report is not ready until after the audit is completed.
7. An independence risk is present due to the reliance of the client on the auditor to prepare significant estimates.
8. Inaccurate cut-off procedures could result in understatement or overstatement of revenue.

CONCLUSIONS (AFFECT RISK ASSESSMENT AT THE FINANCIAL STATEMENT AND ASSERTION LEVELS)

Do the strengths of the controls provide an appropriate foundation for maintaining the integrity of information, the security of data, and support for application controls?
Yes, except as noted under identified risks.

Prepared by:          Date:
Reviewed by:          Date:

Appendix 4
Sample Not-for-Profit Society
December 31, 20X0
Identifying Risks at the Financial Statement Level

Based on understanding of the entity, where there are assessed risks at the financial statement level in any of the following areas, carry the risks to the Risk assessment summary (RAS) and design audit procedures to address those risks, such as:
• Going concern
• Understanding accounting estimates
• Identifying related parties
• Litigation, claims, and non-compliance
• Using the work of an auditor’s expert

GOING CONCERN

Objective: To identify any events or circumstances that may cast significant doubt on the entity’s ability to continue as a going concern.

1. Ask management whether they have identified any events or conditions that cast significant doubt on the entity’s ability to continue as a going concern. If events have been identified, inquire how management plans to address them.
(Note: the minimum period for management’s assessment is 12 months from the report date.)
2. Consider whether any adverse events/conditions were identified as a result of performing other risk assessment procedures. Consider the following:
a) Financing/cash flow challenges.
b) Adverse market conditions, trends, or events.
c) Regulatory or legal challenges.

IS THERE AN IDENTIFIED GOING CONCERN RISK?

Response: Based on the understanding of the entity and its environment there is no indication of a going concern risk to this entity other than economic dependence. The risk assessment summary and audit plan by assertion assesses this risk and indicates further audit procedures to reduce the risk to an acceptably low level.

UNDERSTANDING ACCOUNTING ESTIMATES

Objective: To assess the risk of material misstatement relating to accounting estimates, including fair value estimates, in the financial statements.

1. Inquire of management about events/conditions that could give rise to accounting estimates.

IS THERE ANY RISK OF MATERIAL MISSTATEMENT DUE TO SIGNIFICANT ACCOUNTING ESTIMATES?

Response: Based on our understanding of the entity there are no contingent liabilities. There are fair value estimates in regards to financial instruments. This risk will be addressed in the audit plan by increasing the audit of these estimates. See RAS.

IDENTIFYING RELATED PARTIES

Objective: To identify/assess the risks of material misstatement (fraud or error) arising from the use/misuse of related party transactions.

1. Preparation
a) Review the entity’s list of directors, managers, key staff, family members, and advisors to identify potential or existing related party transactions.
b) Obtain or prepare a listing of related party transactions with details such as name, relationship, approximate dollar value of transactions, reason for transaction, terms, and basis of valuation.
c) Consider history (if any) of not disclosing related parties or transactions.
d) Inquire of management and document what internal controls (if any) or procedures exist to ensure that related parties are identified, approved (especially those outside the normal course of business), and accounted for in accordance with the applicable financial reporting framework. Assess the control design and implementation of any relevant internal controls.
2. Risk of unidentified transactions
a) Identify where related party transactions could possibly occur. Consider existence of transactions designed to improve liquidity or profitability, reduce debt to equity leverage, avoid corporate or personal taxes, avoid breach of a bank covenant, shift income expense to future periods, or conceal other financial statement manipulation or misappropriation of assets.
b) Inquire of management, key employees, and any component auditors about the existence of:
• Related parties not already identified and details of such transactions.
• Agreements or loan guarantees not reflected in the financial statements.
• Any payments (kickbacks), preferential terms, or side deals not disclosed.
c) Review minutes of corporate meetings and other relevant documentation.

ARE THERE ANY RELATED PARTY TRANSACTIONS?
Response: Based on our understanding of the entity, related parties include the employees and directors and their immediate families. There is a risk of management override, which is addressed in the RAS and audit plan by assertion.

LITIGATION, CLAIMS, AND NON-COMPLIANCE

Objective: To identify and respond appropriately to instances of non-compliance with laws and regulations (CAS 250).

1. Consider our understanding of the entity, the applicable legal and regulatory framework, nature of the industry, and previous history of litigation and non-compliance, and then assess the risk of material misstatement with regard to litigation, claims, and non-compliance with laws and regulations.
ARE THERE ANY SIGNIFICANT LITIGATIONS, CLAIMS, OR NON-COMPLIANCE WITH LAWS AND REGULATIONS?
Response: Based on our understanding of the entity and its environment and other risk identification procedures there is no indication of litigation or claims. There will be no legal letters required.

USING THE WORK OF AN AUDITOR’S EXPERT

Objective: Assess the need for an expert.

1. Determine whether expertise in a field other than accounting or auditing is necessary to obtain sufficient appropriate audit evidence. If so, describe the nature of expertise required. Consider:
a) Valuation of complex financial instruments, land and buildings, plant and machinery, jewellery, works of art, antiques, intangible assets, assets acquired and liabilities assumed in a business combination, and assets that may have been impaired.
b) The actuarial calculations of liabilities associated with insurance contracts or employee benefit plans.
c) The estimation of oil and gas reserves.
d) The valuation of environmental liabilities and site clean-up costs.
e) The interpretation of contracts, laws, and regulations.
f) The analysis of complex or unusual tax compliance issues.
g) Other (specify).

IS THERE A NEED FOR THE USE OF AN AUDITOR’S EXPERT?
Response: Based on our understanding of the entity and its environment there is no need for the use of an auditor’s expert. The members of the audit team have sufficient knowledge to complete this audit.
Prepared by: Date:
Reviewed by: Date:

Appendix 5
Sample Not-for-Profit Society
Year end: December 31, 20X0
Audit Strategy Memorandum

Staff Assignments
Staff Member: Joe Auditor, CGA; Not required; Linda Jones
Title: Partner; EQCR Partner; Manager; Senior; Junior
Initials: JA; LJ

Significant Field Work Dates
Activity | Date
Interim field work | No interim field work
Preliminary engagement procedures | Feb 1, 20X2
Inventory observation | Not significant
Planning meeting with management | Feb 10, 20X2
End of fieldwork | Mar 1, 20X2
Other — annual general meeting | Mar 31, 20X2

Performed by | Reviewed by | Date
LJ | JA | Feb 9, 20X2
LJ & JA | LJ | Feb 10, 20X2
JA | JA | Mar 15, 20X2
Mar 31, 20X2

Other Significant Dates
Expected date of auditor’s report | Mar 22, 20X2 | When substantially all evidence is in the file
Expected date of report release | Mar 24, 20X2 | Date of enclosure letter
Expected documentation completion and file closing | May 20, 20X2 | 45 days from report release date

Audit Plan (the following are samples of the items that would be addressed):
• What financial reporting framework is the client using?
• Have there been changes in accounting standards and what will their impact (if any) be on the audit?
• What significant changes occurred in the last year (key personnel change, changes in IT or business processes, acquisition, mergers, new products)?
• Are there specific areas of complexity to address in the audit (availability of entity personnel, complex estimates, complex transactions, complex IT, etc.)?
• See Risk assessment summary (RAS) for determination of financial statement areas that are susceptible to fraud, including management override.
• Outline the proposed audit strategy to respond to the preliminary assessment of risk at the financial statement level. Will the audit include tests of key controls to reduce tests of details? Will the firm perform more audit procedures at an interim date?
Will there be increased reliance on audit evidence generated internally by the entity? Will we use more experienced staff? Will we use specialists? Will we provide staff supervision?
• Materiality calculated at $__.
• Were there any outcomes from the team planning meeting that should be noted?
• Were there any significant factors from preliminary engagement activities and knowledge gained on other engagements?
• Has an outline for each team member been prepared addressing roles, responsibilities, expectations, assignment of tasks, supervisory responsibilities, and reviews?
• Has some additional time been set aside in the budget for audit team debriefing sessions?

The Audit Strategy for this audit is:
• Auditing materiality is determined to be $4,000 (Doc #).
• Donation revenues are expected to be beyond the scope of audit procedures.
• Prior year, note indicated no changes in procedures required for this year.
• In the prior year management letter, a comment was made regarding the need for better controls for the handling of cash donations. We will follow up in the control system review.
• Qualified for donation income — will review materiality of donations and control system to determine whether qualification still required.
• The Society has an audit and finance committee that has been assigned the responsibility for oversight of the audit engagement.
• Controls will not be tested, so further audit procedures to address identified risks will be substantive procedures, including analytical procedures first where possible.
• The possible fraud and error has been discussed with the ED and the Chair of the Audit and Finance committee.
Prepared by: Date:
Reviewed by: Date:

Appendix 6
Sample Not-for-Profit Society
December 31, 20X0
Risk Assessment Summary (RAS) and Audit Plan by Assertion

Prepared by: Date:
Reviewed by: Date:

This worksheet is used to bring together all the risk assessment results (from the initial assessment of client acceptance/retention to the assessment of the final risk considerations at document 12) to determine a risk of material misstatement for each class of transaction, financial statement item, and disclosure. These risk assessments are then used to design appropriate audit responses, including tests of controls and substantive audit procedures.

Combined Assertions | Classes of Transactions | Account Balances | Presentation and Disclosure
Completeness | Completeness | Completeness | Completeness
Accuracy and Cut-off | Accuracy and Cut-off | Rights and Obligations | Accuracy, Rights and Obligations, Classification and Understandability
Valuation | Classification | Valuation and Allocation | Valuation
Existence | Occurrence | Existence | Occurrence

Identified Risks
Financial Statement Level

Business risks (1, 7, 9)
1. There is a risk that government policies will change and the grants currently extended will not be carried on in the future — economic dependence risk
2. Restrictions on the use of funding could introduce risk of non-compliance and if not adhered to lead to loss of funding
Risk Ident WP, Significant? Y/N: 7 Yes; 7 Yes
Area Impacted: F/S; Revenue
Assertion, RMM H, M, L: C, A M; ALL M
Fund balances
3. Restraints on the use of funding of current operations by municipal government may provide an incentive to understate revenue or overstate expenses so future funding is not cut
4. The Society may be exposed to interest rate risk on mortgages
7 7 Yes Yes

Audit response (procedures)
1. Determine whether client has disclosed this risk in the notes to the financial statements
FS notes & disclosures
2.
Review government grant documents for commitments made by the government
1. Test compliance with grant provisions regarding restrictions over the use of funds
2. Test allocation of funds received to ensure that funds are presented as restricted
FS notes & disclosures
Revenue C, A M
1. Test cut-off on revenue recognition by selecting all sales greater than $200 before and after the year end
Expenses C, A, V M
2. Review bank reconciliation
F/S C, A M
WP
3. Test cut-off of purchases, expenses by selecting all purchases greater than $200 five days before and after year end
1. Perform analytical procedures regarding the effect of possible fluctuation in interest rates
FS notes & disclosures; Fund balances; Deferred revenue; Revenue; Deferred revenue; Expenses; Payables; Financial instruments; FS notes & disclosures

Identified Risks
Financial Statement Level
Risk Ident WP, Significant? Y/N
5. The Society may be exposed to investment risk due to the fact that their investments are not in low risk vehicles
7 Yes F/S C, A RMM H, M, L M
6. There could be a foreign currency risk since the client has a US bank account
7 No F/S C, A, V M
7. The adoption of new accounting standard introduces a risk of misstatement due to lack of knowledge of standards on the part of the client
7 Yes F/S C, A, V, E H

Control environment (405)
1. There is an independence risk involved with the fact that the client relies on the auditor to do estimates
2. The client’s lack of knowledge regarding estimates, including fair value, presents a risk
9 9
Area Impacted: F/S Yes Financial Instruments
Assertion: ALL V M M

Audit response (procedures), WP
1. Perform analytical procedures regarding the effect of possible fluctuation in investments and determine if disclosure of this risk is appropriate
1. The client holds an insignificant amount in the US account and the exchange rate is very low; no further work is required
1.
Test transaction records and disclosures of significant changes including financial instruments
FS notes & disclosures
2. Complete presentation and disclosure checklist
FS notes & disclosures
1. Document that the estimates are the responsibility of management in the representation letter. Also document discussions with management about any estimates
2. Have a second partner in the firm review any estimates prepared by the auditor for objectivity
1. Test estimates of fair value of financial instruments for compliance with ASNPO
2. Discuss accounting for estimates with management and ensure they understand their responsibility
Management representation letter; None; Financial instruments; FS notes & disclosures; EQCR; Financial instruments; Management representation letter

Identified Risks
Financial Statement Level
Risk Ident WP
3. The ED has lone control over operations so that there is a risk of management override

IT environment (406)
9

Revenue, Receivables, Receipts
1. Completeness of cash donations cannot be verified by audit procedures
2. Store sales and admittance fees — as the staff is small, there is no segregation of duties; there could be theft
Significant? Y/N, Area Impacted, Assertion
F/S ALL RMM H, M, L M
7 Yes Cash Revenue C C H
7 Yes Cash Revenue C, A M
3. Inaccurate cut-off procedures could result in understatement or overstatement of revenue

Purchases, Payables, Payments
1. There is a risk of fraudulent related party expense claims
7 Yes Cash Revenue C, A M
11 Yes Expenses A M
2. There is a risk that professional fees are understated
23 Yes Expenses C M

Audit response (procedures), WP
1. Review significant journal entries
Journal Entries
1. Disclose in the audit report that there is this scope limitation if cash donations are significant
1. Test a sample of transactions from both revenue streams highlighting key controls, including numerical sequence of receipts; trace receipts to GL
2.
Check numerical sequencing of donation receipts
3. Review bank reconciliation
4. Plan an interim unannounced check of a sample of transactions from each revenue stream
1. Request confirmation of grants issued from funders
Audit report
1. Review expense accounts for expenses paid to related parties
2. Test mileage reported to actual mileage for trips taken
3. Review expense claims and ensure compliance with client policies
1. Analyze the client’s audit fee accrual and compare to our estimate of audit fee
Revenue; Revenue; Revenue; Revenue; Expenses; Expenses

Identified Risks | Risk Ident WP | Significant? Y/N | Area Impacted | Assertion | RMM H, M, L | Audit response (procedures) | WP
Financial Statement Level

Payroll
1. There is a risk of payroll manipulation by the bookkeeper or the ED
9 Yes Expenses A, E M
1. Test a sample of payroll transactions
Payroll
2. Review payroll for any exceptional cheques
3. Compare T4s to payroll records
4. Review ED payroll in detail for abnormal transactions

Cost of Goods Sold
1. Inventory is only counted at year end. There is a risk that there could be theft that was not recognized until year end
7 Yes Expenses Inventory A C M M
1. Perform analytical procedures that will test the gross margin on a monthly basis
Cost of goods
2. Attend year end physical count of inventory
Inventory
1. Ensure that disclosure is compliant with first time adoption standards of ASNPO document research
2. Complete the Financial statement presentation and disclosure checklist to ensure completeness (already done under Business Risk — 7)
1. Review the Annual Report for any misstatements
FS notes & disclosures

Financing and Equity
Disclosures
1. See item 7 under business controls regarding new accounting policies
2.
There is a risk that the Annual Report will misstate financial information that is in the audited financial statements
9 Yes F/S A, C M
7 Yes F/S C, A M
Annual report

Risk Assessment Summary (RAS) and Audit Plan by Assertion

This worksheet is used to bring together all the risk assessment results (from the initial assessment of client acceptance/retention to the assessment of the final risk considerations at document 425) to determine a risk of material misstatement for each class of transaction, financial statement item, and disclosure. These risk assessments are then used to design appropriate audit responses, including tests of controls and substantive audit procedures. (For guidance refer to Document 502B — RAS Instructions or the Audit Manual.)

Combined Assertions | Classes of Transactions | Account Balances | Presentation and Disclosure
Completeness | Completeness | Completeness | Completeness
Accuracy and Cut-off | Accuracy and Cut-off | Rights and Obligations | Accuracy, Rights and Obligations, Classification and Understandability
Valuation | Classification | Valuation and Allocation | Valuation
Existence | Occurrence | Existence | Occurrence

Identified Risks
Financial Statement Level
Area Impacted | Assertion
Business risks (304, 305, 403) | FS | ALL
Control environment (405) | FS | ALL
IT environment (406) | FS | ALL
Assertion Level
Revenue, Receivables, Receipts
Risk Ident WP | Significant? Y/N | RMM H, M, L | Audit response (procedures) | WP
FS Account

Identified Risks
Financial Statement Level
Risk Ident WP | Significant?
Y/N | Area Impacted | Assertion | RMM H, M, L | Audit response (procedures) | WP
Purchases, Payables, Payments
Payroll
Cost of Goods Sold
Financing and Equity
Disclosures

[Figure: risk matrix with four quadrants (High Impact/Low Probability, High Impact/High Probability, Low Impact/Low Probability, Low Impact/High Probability); axes: Impact on Users, Probability of Occurrence. Area in blue is significant.]

Appendix 7
Sample Not-for-Profit Society
Year end: December 31, 20X0
Verbal Client Communication Memorandum

Documentation of verbal client communication is appropriate if:
• The client is not a listed entity
• All members of the governance of the entity are involved in the management of the entity

In the case of audits of smaller entities, the auditor may communicate in a less structured manner with those charged with governance than in the case of larger entities. CAS 265.A18

If those charged with governance of the entity are involved in managing the entity and the auditor is satisfied that communication with persons with management responsibilities adequately informs all of those with whom the auditor would otherwise communicate in their governance capacity, documentation of verbal communication to management is sufficient. CAS 260.18, CAS 260.A8

Audit Planning Communication
Date of communication:
Client representative:
Auditor representative:
Notes:

Audit Findings Communication
Date of communication:
Client representative:
Auditor representative:
Notes:

Management Letter
Date of communication:
Client representative:
Auditor representative:
Notes:

Other communication with those charged with governance and management
Date of communication:
Client representative:
Auditor representative:
Notes:

Appendix 8

Appendix i
PRE‐ENGAGEMENT CHECKLIST
Client:
Year end:

Question
1) Does client management understand and is it willing to accept its responsibility for statement preparation and internal control necessary to prepare those statements?
2) Is the financial reporting framework acceptable for purposes of the engagement?
3) Is the turnaround time for the audit adequate to obtain sufficient appropriate audit evidence?
4) Do members of the engagement team collectively have sufficient expertise and time available to perform the audit?
5) Have those charged with governance been advised who is responsible for the audit and been given an overview of the planned scope and timing of the engagement?
6) In your opinion, (i) can you; and (ii) do you want to accept this audit engagement?

Audit procedure
• Engagement letter signed and obtained before or on the day of commencement of the engagement.
• Discuss with management the applicable financial reporting framework to be used.
• Determine turnaround time from availability of books and records to need for final statements.
• List any special expertise required for the audit.
• Audit strategy letter sent to those charged with governance prior to commencement of procedures.

Conclusion
File reference
ISA reference: 210.06(b)(i & ii); 300.06(c); 210.6(a); 260.14; 300.07; 300.08; 220.15; 300.05

Checklist prepared by: Date:
Comments:

Appendix i, ii, iii Checklists, reproduced with permission of Cowperthwaite Mehta. All rights reserved.

Appendix ii
RISK ASSESSMENT AND RESPONSE CHECKLIST
Client:
Year end:

Question
1) Have results of initial enquiries of management and analytical procedures been factored into identification of areas of risk of material misstatement?
2) Have the actions decided by the team in discussions on planning and susceptibility to material misstatements and fraud been factored into the design of substantive audit procedures?
3) Were controls identified designed appropriately and implemented throughout the period of the audit?
4) Have the results of evaluation of the control environment been adequately factored into the design of substantive audit procedures?
5) Have the controls over IT systems been considered?
6) Have further audit procedures been designed to address identified risks of material misstatements in general and significant risks, and revenue completeness specifically?

Audit procedure
• Steps performed in addition to inquiry of management (walkthrough)

Conclusion
File reference
ISA reference: 315.06; 240.15; 300.05; 300.09; 315.10; 300.13; 300.15; 300.21; 300.25

Checklist prepared by: Date:
Comments:

Appendix iii
FORMING AN OPINION CHECKLIST
Client:
Year end:

Question
1) Are the results of the analytical procedures performed at the end of the engagement consistent with your understanding of the entity?
2) Have you obtained significant appropriate audit evidence to support your conclusions for all identified significant risks, including completeness of revenue?
3) Have all recorded and unrecorded adjustments been discussed with management?
4) Do the financial statements contain all disclosures required for fair presentation?
5) Is the form of opinion appropriate in the circumstance of the engagement and the evidence obtained?
6) Have all items of significance identified in the audit been reported in writing to those charged with governance?

Audit procedure
• Design end‐of‐engagement analytical procedures.
• Evaluate consistency with understanding
• For each significant risk, review the conclusions reached in light of the analytical review performed in (1)
• Document the results of the discussion.
• Read the financial statements prior to finalization and consider whether they present fairly
• Compare the opinion with the conclusions drawn in points 2‐4
• Document in the file points communicated to management

Conclusion
File reference
ISA reference: 700.11; 315.27; 700.11; 700.14; 700.16‐700.19; 265.9; 520.06

Checklist prepared by: Date:
Comments: