ACC 4010

Assurance Engagement

• Enhance reliability/credibility of subject matter reported on

• Must have accountability relationship present for ae to exist

Five elements of assurance engagement

• Three-party relationship

• Appropriate subject matter

• Suitable criteria

• Sufficient appropriate evidence

• Conclusion

Why assurance services are needed?

• Provide some level of assurance to users about reliability/credibility of information thus reducing information risk.

• Users rely on independent, ethical behaviour, integrity, and professional competence of auditor to reduce information risk.

Causes of information risk

• Remoteness

• Complexity

• Competing

• Incentives

• Reliability

Information risk

Risk users will rely on incorrect information to make decisions

Types of Assurance Engagements

• Audit of financial statements are most common type

• Other includes: Internal, compliance, performance/comprehensive, forensic/fraud, and environmental audits

Audit of Financial Statements

• Includes investors, suppliers, customers, lenders, employees, governments, and general public

• Audit objective is to express opinion on fairness of FS in accordance with applicable financial reporting framework

Limitations of Audit of FS

• FS audit is not a guarantee free from error or fraud

• Limitations of an audit of FS results from:

  • Nature of financial reporting

  • Nature of audit procedures

  • Need for audit to conducted on timely basis and at reasonable cost

Levels of Assurance

Three levels of assurance on FS:

• Reasonable

• limited

• No assurance

Reasonable assurance

• Auditor obtains sufficient evidence during audit engagement to express a positive opinion on fairness of FS

• Reasonable is not absolute assurance

Limited assurance

• Auditor gathers enough evidence during review engagement to express negative opinion on fairness of FS

• Auditor states “nothing has come to their attention” that causes them to believe FS are not fairly presented

No assurance

• A compilation engagement provides no assurance or opinion

• Ensure FSs are mathematical correct

• Auditor must ensure they are not associated with false or misleading information when performing a compilation engagement

Types of Audit Opinions

• Audit reports on FS may contain unmodified or modified audit opinions

• Most audit reports contain unmodified audit opinions and may contain emphasis of matter paragraph

• Other audit reports have three types: Qualified, adverse, and disclaimer of opinion.

Qualified opinion

• When departure from GAAP or scope limitation is material but not pervasive

• Auditor believes FSs can be relied upon “except for” effects of matter explained in FS

Adverse opinion

• When departure from GAAP is material and pervasive

Disclaimer of opinion

• When scope limitation is material and pervasive

Departure from GAAP

Occurs when FS are not prepared in accordance with applicable financial reporting framework. Examples include:

• Inappropriate selection and/or application of accounting policy

• Inappropriate valuation

• Failure to adequately disclose required information in FS

Scope Limitation

Occurs when auditor is unable to obtain sufficient appropriate audit evidence. Scope limitations can be:

• Imposed by entity

• Caused by circumstances beyond control of entity or auditor

Role of Management

Management responsible for:

• Selection of accounting principles and preparation of FS in accordance with applicable financial reporting framework

• Establishment of internal controls to enable preparation of FS which are free from error and fraud

• Providing auditor with unrestricted access to all information needed for purposes of audit

Role of Board of Directors

• Overseeing direction of entity to ensure it achieves its goals and objectives

• Monitoring and evaluating performance of entity and management

• Overseeing audit of FS and approving audited FS

Role of Audit Committee

• Usually have someone with a accounting background

• Disagreement between audit and accounting get sent here

Role of Auditor

To enhance/add creditability to FS, auditor does this by:

• Complying with rules of professional conduct and auditing standards

• Assessing risk of material misstatements in FS

• Obtaining sufficient appropriate evidence to support opinion

• Expressing opinion on fairness of FS in accordance with applicable financial reporting framework

What does auditing standards require auditors to do when performing audits?

Professional judgement - appropriate judgement in assessing audit risk, determining audit procedures, and evaluating audit evidence and management estimates

Professional skepticism - Refers to attitude/mindset set adopted by auditor. they must remain independent of entity, keep an open mind, seek corroborating evidence, and follow-up on suspicions of fraud

Role of Regulators and Regulations

The following regulators regulate the auditing profession in Canada:

• Auditing and Assurance Standards Board (AASB)

• Canadian Securities Administrators (CSAs)

• Canadian Public Accountability Board (CPAB)

• Chartered Professional Accountants of Canada (CPA Canada)

Audit Expectations Gap

Audit expectations gap due to misconceptions/unrealistic expectations of auditor’s role by users and general public. Examples:

• Auditor not responsible for preparation of FS

• Auditor does not provide 100% assurance that FS are correct and internal controls operating effectively

How to reduce audit expectations gap?

• Engagement letter which specifies terms of audit of FS

• Audit report which describes scope of audit of FS and explanation of management’s and auditor’s responsibilities

• Peer reviews of audits, enhanced reporting, and public education

5 Fundamental ethical principles

• Professional behaviour

• Integrity and due care

• Professional competence

• Confidentiality

• Objectivity

Professional behaviour

Member should behave in a professional manner and should:

• Follow rules and regulations of profession

• Avoid actions that may discredit profession

• Not claim to provide services they cannot provide or qualifications or experience they do not possess

• Not undermine reputation of, or quality of work produced by, others

Integrity and Due Care

• Be straightforward and honest and not be associated with false or misleading information

• Comply with technical and professional standards

• Act diligently by completing each task thoroughly, and documenting and finishing work on a timely basis

• Ensure staff properly trained and supervised

Professional Competence

• Stay up to date with changes in regulations and standards

• Maintain competence through continuing education and work experience

• Not undertake work which they lack necessary competence

Confidentiality

• Refrain from disclosing information to people outside workplace obtained as a result of employment. Exception made where client allows disclosure or legal requirement to disclose

• Not use confidential information to their advantage or advantage of another person

Objectivity

• Be unbiased and not allow conflict of interest or influence of others to impair decision making

• Not allow personal feelings or prejudices to influence professional judgment

Rules of professional conduct

• Fees and pricing - Fees quoted for services must be reasonable. Contingent fees are not permitted

• Advertising, firm names and solicitation - Must be in good taste and cannot be false or misleading

• Contact with predecessor - Must communicate with predecessor auditor before accepting new audit engagement to ask if any reason why you should not accept engagement. Predecessor auditor required to reply to request on a timely basis

• Professional conduct - Duty to protect reputation of professional if become aware of a breach of the rules of professional conduct

Ethical Behaviour

• Requires both thinking about and doing the right thing

• Adopting the profession’s values

• Maintaining a stakeholder focus

• Adhering to laws, professional standards and policies

Ethical Issues

• A situation or problem in which your actions, or the actions of others, might harm other people, or violate what is considered to be right or good

• Ex. Lying or intentionally misleading others, hiding information from auditors or regulators, bribery, theft

Ethical Risks

Red flags that can increase the risk of unethical behaviour:

• Inadequate corporate governance / Poor internal control environment

• No code of ethics/conduct, or inadequate training and enforcement of compliance with existing code

• Organizational culture that discourages good behaviour and encourages peer pressure, intimidation, and compliance with status quo

• Negative operating or financial trends / performance-based pay incentives

• Conflicts of interest / personal relationships / gifts or preferential treatment

• Conflicts of values

Ways to resolve ethical issues

• Identifying the ethical issue and obtaining relevant facts

• Determining which stakeholders are affected and how they are affected

• Identifying the alternatives and the consequences of each

• Deciding on appropriate action

Questions to ask yourself when faced with an ethical issue

• Are any rules being violated? Any groups rights being violated?

• Is everyone better off? If not, are the persons or groups most disadvantaged the ones that can best afford it?

• What would happen if everyone did this? Is this consistent with precedents? Are you comfortable with establishing a new precedent?

• If everyone knew of your actions, could you comfortably justify it?

What does the code of professional conduct require members to do when fulfilling their professional responsibilities?

• Require to be independent

• Independence - The ability to act with integrity, objectivity, and professional scepticism

Perception of Independence

• Auditor must be seen to be independent both in fact and appearance

• Fact - Ability to make decision free from bias, personal belief, and client pressures

• Appearance - belief/perception by others that independence in fact has been achieved

5 key threats to auditor independence

• Self-interest threats

• Self review threats

• Advocacy threats

• Familiarity threats

• Intimidation threats

Self-Interest Threats

• Where member or firm has a financial interest in the client or business relationship with the client

• Ex. Client’s fees are in relation to total fees of member or firm, close business relationship with client, loan made by client to member that is outside of normal leading terms

Self-Review Threats

• Where member is in position of having to review their own work or work done by others in their firm.

• Ex. Member prepared information or performed services for client which is then audited by member or firm

Advocacy Threats

• When member or firm perceived to promote, or actually promotes, position of client.

• Ex. Member or firm represents client in negotiations with third party, represents client in legal dispute

Familiarity Threats

• Where close relationship exists between member or firm and client making it difficult to exercise professional scepticism.

• Ex. Member/firm has long standing association with client, former member of firm holds senior position at client, accept gifts and/or hospitality from client

Intimidation Threats

• When the client intimidates member or firm

• Ex. Client threatens to use different assurance firm next year, undue pressure from client to reduce audit hours to reduce fees

Safeguards to Independence

• Developed by profession, legislation, regulators, clients, and firms to eliminate or reduce threats to independence to acceptable level

• A third party would conclude auditor’s objectivity is not impaired, or likely to be impaired

• Member/firm should remove staff from audit, refuse audit engagement or resign from audit engagement if threat to independence cannot be eliminated or reduced to acceptable level

• Engagement partner and senior audit staff must be alert to threats to independence throughout entire audit process

• Mandatory rotation of engagement partners, senior staff and quality reviewers required on audits of listed entities

• Audit committee must approve all non-audit services provided to client and engagement partners must not be compensated for selling such services

Framework to Assess Independence

• Consider independence in fact and appearance during entire audit

• Consider if any circumstances exist which member must avoid

• Identify any threats to independence and consider whether any safeguards exist to reduce or eliminate threats to acceptable low level. May require eliminating the activity, interest or relationship

• Must always consider the public perception of a threat

• Document all threats to independence identified and safeguards applied

Prohibitions

Circumstances that must be avoided by member or firm

Exceptions for Independent

• Members may discuss appropriateness of new accounting policies, FS disclosures, controls, and valuation techniques with client without threatening their independence

• Members can assist client with preparation of journal entries and FS

• Members can be loaned to client for temporary/short periods of time

Auditor’s Relationship with Others

• Audit report addressed to shareholders of entity being audited who are relying on audited FS to evaluate entity and make investment decisions

• Board of Directors represents shareholders and oversees activities of entity and management

• Board responsible to ensure entity’s FS are fairly presented

• Audit Committee should be composed of independent directors who are financially literate. Responsible for resolving differences between auditors and management and recommending approval of FS to Board of Directors

• Auditor may rely on work of internal auditor in auditing FS

Legal Liability of Auditors

• Auditor must exercise due care when performing audit. If found negligent, auditor may be sued for damages by client and its shareholders or third party

• Negligence relates to situations where one party suffers loss or damage as result of another party’s carelessness

• Negligence means auditor has not performed audit with reasonable skill, care and caution

• Auditor should comply with technical and professional standards, perform audit in accordance with engagement letter, and properly document audit work performed

• Need to establish duty of care owed to third party and auditor’s negligence responsible for third party’s loss. Third party must also establish auditor aware third party’s was using FS and third party suffered loss due to auditor negligence

Avoidance of Ligitation

• Hiring competent staff and providing regular training

• Complying with ethical and auditing regulations

• Following appropriate procedures to accept new client, allocate staff and document work, and gather sufficient and appropriate audit evidence to support opinion

• Meeting with Audit Committee to discuss significant audit issues

• Following-up on significant internal control weaknesses previously identified

What does client have to do in the first stage of audit?

• Client acceptance or continuance decision

• Auditor performs following steps in making decision:

  • Assesses client’s integrity

  • Assesses firm’s ability to meet ethical requirements and perform audit

  • Prepares engagement letter

Assessing client’s integrity

• Reputation and reason for changing audit firms

• Attitude towards risk and using internal controls to mitigate risks

• Aggressiveness in interpreting accounting rules

• Willingness to give auditor full/unrestricted access to information and pay fair amount for audit

How can auditor obtain information to access client’s integrity?

Obtain information to assess client’s integrity from:

• Communication with prior auditor, client, and third parties

• Review of news articles or background or internet search

• Review of prior period FS

Assessing Ethical Requirements

• Identify any threats to ethical/independance requirements and whether any potential safeguards are available to eliminate or reduce threat to acceptable levels

• Ensure it has sufficient staff with required competencies to complete audit

• Auditor should decline/resign from audit engagement if threats insurmountable

Preparing Engagement Letter

• A form of contract between auditor and client

• Prepared by the auditor and agreed to by client and:

  • Sets out scope and terms of audit and summarizes/confirms responsibilities of auditor and management

  • Identifies applicable financial reporting framework and expected form/content of auditor report

Three stages of an Audit

• Planning

• Execution

• Reporting

Planning Stage of an audit

• Decides whether to accept or continue with client engagement

• Plans audit to reduce audit risk to acceptable low level

• Gains an understanding of client and performs preliminary analytical procedures

• Performs risk assessment to identify risks that may result in material misstatement in FS due to error or fraud

• Determine materiality and overall audit strategy

• Prepares audit plan and detailed audit procedures

Execution Stage of an audit

• Auditor performs testing of controls, and detailed substantive procedures to obtain sufficient appropriate evidence to determine whether FS are fairly presented

Reporting Stage of an audit

• Evaluates audit evidence obtained and misstatements found

• Performs final analytical procedures and considers subsequent events

• Forms opinion on fair presentation of FS

• Prepares audit report and management letter

Why does auditor need to gain understanding of client?

To assess risk FS may contain a material misstatement due to nature of the client’s business, the industry in which the client operates in, and how economy overall is affecting the client

• Operations, industry, and operating/regulatory environment

• System of internal control with particular focus on controls over financial reporting

How can auditor gain an understanding of client?

• Make inquiries of management and others to help identify risks of material misstatement

• Performing analytical procedures to identify any unusual or unexpected changes that indicate a risk may exist

• Performing observation and inspection procedures to corroborate information obtained from management and others

What info auditor should document knowledge of client?

• Operations, industry, level of competition, customers and suppliers

• Ownership, government structure, regulatory environment

• Objectives, strategies and related business risks

• Types of investments and financial arrangements

• Financial reporting framework and selection of accounting policies

• Measurement and review of financial performance

• Internal control

Auditor responsibility with related parties

• Auditor ensure related party identified and transactions appropriated disclosed in FS.

• Related parties include parent companies, subsidiaries, joint ventures, associates, directors, managers, and close family members of key staff

Related parties risk assessment procedures

Auditor assesses risk posed by related parties by:

• Discussing with audit team sustainability of FS to fraud or error due to related parties

• Asking management to identify all related parties and transactions

• Obtaining understanding of clients processes to identify and approve related party transactions

• Remaining alert when inspecting documents for indications of related party transactions not disclosed

• Identifying and assessing any transactions not in normal course of operations and inspecting documents to determine business rational to ensure not an attempt to misstate FS

Fraud risk

• Auditor must assess risk FS materially misstated due to fraud

• Auditor adopts attitude of professional scepticism when assessing fraud and cannot rely solely on past experience with clients processes to guide assessment of fraud risk. Auditor remains alert for red flags indicating possibility of fraud occurring

Types of Fraud

• Fraudulent financial reporting - occurs at management level by manipulating operating results

• Fraud through misappropriation of assets - Occurs at employee level and typically involves smaller amounts as a general rule

Fraud Risk Triangle

Three factors when assessing risk of fraud

• Incentives and pressure to commit fraud

• Opportunities to commit fraud

  • Ex. Poor internal controls, weak corporate governance, complex business model and transactions

• Attitudes and rationalization to justify fraud

  • Poor tone at the top, effective internal controls not a priority, excessive focus on profit maximization

Fraud Risk procedures

• Ask management and those charged with governance if aware of any actual fraud

• Discuss with audit team susceptibility of FS to fraud

• Perform preliminary analytics to identify unusual relationships

• Consider risk of management override of internal controls and carefully examine any unusual business transactions

Fraud risk response

• Seek legal advice to determine reporting responsibilities

• Report fraud to appropriate level of management and those charged with governance

• Consider need to withdraw from audit

• Auditor must document fraud risk assessment and procedures performed to support assessment

Going concern assumption

• To belief entity will remain in business for foreseeable future and is used as accounting basis to prepare FS

• Management responsible for assessing going concern assumption based on judgements about future events

• Auditor responsible to assess validity of management’s use of going concern assumption to prepare FS

Going concern risk

• Consider whether any events or conditions exist that may cast significant doubt on entity’s ability to continue as going concern

• Factors indicate going concern may include:

  • Significant debt-to-equity ratio, working capital deficit

  • Inability to repay debts, obtain refinancing

  • Ongoing losses, negative cash flows, weak profit margins

  • Intense competition, loss of major customers

  • Over-reliance on few customers or suppliers

  • Loss of key personnel, labor issues

  • Major litigation

• Must also consider migration factors:

  • Letter of guarantee from parent company

  • Ability to sell assets or business segment to raise cash

  • Ability to raise funds through share issue or borrowings

Corporate governance

• The rules, systems and processes used to guide and control entities and enhance accountability to shareholders

• Public entities must disclose their corporate governance practices and state why they believe these practices are appropriate for entity

• Auditor must gain understanding of corporate governance to assess risk of material misstatement in FS. Weak governance corporation can be strong indicator of risk of material misstatement in FS

Corporate governance guidelines

• Be composed of majority of independent directors including Chair

• Hold regular meetings where non-independent directors and management not present

• Adopt written mandate to oversee stewardship of entity

• Establish written position descriptions and code of business conduct and ethics

• Ensure directors receive proper orientation and access to continuing education

IT systems

• Auditor must understand client’s IT systems, and associated IT risks when planning audit to assess risk of material misstatement in FS

• IT system used to initiate, process and record transactions, and prepare financial and non-financial information for decision-making and reporting purposes

• Implement appropriate controls to maximize benefits and minimize IT risks associated with IT systems

IT risks

• Unauthorized access to computers, software and data

• Errors in programs

• Lack of backup and loss of data

IT controls

• General controls - policies and procedures that apply to entity’s IT systems as whole and support effective functioning of application controls

• Application controls - manual or automated controls that operate at business level and apply to processing of transactions by individual IT applications

• If auditor believes IT controls appear:

  • Strong - audit strategy to test and rely on IT controls and reduce reliance on substantive procedures

  • Inadequate - audit strategy to rely more heavily on substantive procedures

Closing procedures

• Client must close its account for the reporting period when finalizing its FS. FS should include all transactions that occurred during the reporting period and exclude all transactions that relate to other periods

• Auditor is concerned that transactions are recorded in proper accounting period when assessing client’s closing procedures

• Auditor must assess adequacy of client’s closing procedures to assess risk of material misstatement in FS. Auditor must also be alert for any indications management is manipulating or smoothing its operating results

Audit risk

Risk auditor expresses incorrect (i.e. unmodified or “clean”) opinion when FS are materially misstated due to error or fraud

How is audit risk different than business risk?

From significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies

Acceptable Level of Audit Risk

• Most auditors set acceptable level of audit risk for FS as a whole as no more than 5%. This basically means auditor is:

  • Willing to accept 5% probability material misstatement exists, or alternatively

  • Seeking 95% assurance (i.e. confidence level) no material misstatement exists

• Audit risk set at beginning of audit and remains constant throughout audit. Audit risk can also vary from year to year. Important - The lower the level of audit risk the more audit evidence is required to achieve desired level of assurance.

Audit Risk Factors

Factors that influence acceptable level of (overall) audit risk include:

• Number of users relying on FS.

• Concerns about client’s financial viability (i.e. going concern issues).

• Concerns about/past issues with management’s integrity or competence

Audit Risk Model

Function of RMM, which includes inherent and control risk, and detection risk.

• RMM exists at both overall FS level and assertion level for each FS line item.

• RMM at FS level involves pervasive risks that affect FS as a whole and potentially affect many assertions

• RMM at assertion level comprises inherent risk and control risk.

There’s an inverse relationship between assessed levels of inherent risk and control risk and acceptable level of detection risk

If inherent and control risk are high, then detection risk will need to be low. Auditor requires more assurance from detailed substantive procedures

Inherent risk

• Susceptibility of FS to material misstatement
  without considering internal controls.

• This is risk that “errors can simply happen regardless of any controls management may put in place ”.

• Inherent risk is influenced by the nature of the business that the entity is in or account in question.

Control risk

Risk client’s system of internal control will not prevent or detect a material misstatement.

Detection risk

Risk auditor’s procedures will not be effective in detecting a material misstatement should there be one.

Audit Risk Mathematical Model

Audit Risk (AR) = Inherent Risk (IR) x Control Risk (CR) x Detection Risk (DR)

Assessing Risk of Material Misstatement

The first step in assessing RMM involves an inherent risk assessment. This is done both at:

• FS level by considering nature of the business, the industry and previous experience with client.

• Assertion level for each FS line item and note disclosures.

Significant Risks

A risk is considered significant if it involves:

• Fraud or is related to significant economic (e.g. going concern issues) or accounting developments (e.g. new accounting standards).

• Complex transactions (e.g. derivatives) or significant subjectivity in measurement of financial information (e.g. management estimates).

• Significant related party transactions or significant “unusual or non-routine”
  transactions outside the client’s normal course of operations.

Responses to Address Audit Risk and RMM

Once auditor has identified and assessed audit risk and RMM at the assertion level for each FS line item, auditor will need to respond accordingly. Examples
of general responses include:

• Emphasizing need for professional skepticism and judgement to the audit
  team.

• Assigning more experienced staff to the audit team and/or increasing supervision of the audit.

• Adding elements of unpredictability to the audit procedures.

• Changing the nature, timing and extent of audit procedures.

• Increasing number of sites to visit if entity has multiple locations.

Audit Strategy

Auditor establishes audit strategy based on auditor’s preliminary inherent and control risk assessment (that is auditor’s overall assessment of RMM). Audit strategy:

• Sets scope, timing and direction of audit.

• Provides basis for developing detailed audit plan at the assertion level for each FS line item.

• Audit strategy can vary for each FS line item and assertion.

Types of Audit Strategy

2 types

• Substantive audit strategy - Focuses solely on substantive procedures.

• combined audit strategy - Focuses on both tests of internal controls and substantive procedures.

Substantive procedures are required under both strategies due to inherent limitations of internal controls

Substantive Audit Strategy

Auditor uses this when:

• Inherent and control risks assessed as high at assertion level (and thus detection risk assessed as low) in order to reduce audit risk to acceptably low level.

• Auditor documents understanding of client’s system of internal controls but does not test internal controls.

• Exception - where significant risk(s) identified - auditor must identify relevant internal controls and report any significant deficiencies in internal control to management and those charged with governance.

Combined Audit Strategy

Auditor uses this when:

• Control risk assessed as low and costs of testing internal controls do not exceed benefits (i.e. sometimes it is more cost-efficient to perform substantive procedures than test internal controls).

• If tests of internal controls are found to be effective, then auditor can reduce reliance on substantive procedures.

• If tests of internal controls found to be ineffective, auditor must report significant deficiencies in internal controls to management and those charged with governance and increase reliance on substantive procedures.

Materiality

• Information is considered material if it impacts decision-making process of users relying on FS

  • (i.e. to make decisions about whether to invest, lend, do business with, or assess compliance with laws, regulations, and contracts)

• Materiality includes information that is misstated or omitted but should be disclosed in FS.

• Materiality is based on auditor’s assessment of the needs and sensitivities of the users of the FS

Quantitative Materiality

• Information considered quantitatively material if it exceeds auditor’s preliminary materiality assessment

• Has a direct impact on the quantity and quality of evidence that needs to be gathered

• Should be revised during course of audit where is a change in circumstances

Calculating materiality steps

1. Identify main users of FS

2. Determine appropriate base for materiality based on needs of users of FS

3. Select appropriate % for materiality based on professional judgment

4. Calculate overall materiality

5. Calculate performance and specific materiality

How is materiality used by auditor during course of auditing?

• Planning - Preliminary materiality used to determine audit areas to focus on and extent of audit work required

• Execution - Materiality used to evaluate misstatements found and determine extent of any additional audit work required

• Reporting - Final materiality used to evaluate aggregate of uncorrected misstatements on FS and impact on audit opinion