by John McCarthy Consulting Ltd. | Mar 19, 2025 | Blog, News
It’s the best slogan invented by estate agents which they say are the three most important things with property which are location, location, location.
The same could be said for the most common audit file weakness. The three most important things to have on audit file are Documentation, Documentation, Documentation.
Documentation is key.
The audit standard on this topic is Audit Documentation ISA (Ireland) 230.
The most common audit file weaknesses often involve a lack of documentation evidencing the audit work that has been performed.
Too often it is unclear:
- which audit assertion is being tested;
- how an assertion has been tested;
- what the full results of the test are; and/or
- how outstanding points/queries have been cleared.
In many cases audit teams are able to provide additional verbal explanations or evidence but the fact that this is necessary is a good indication that the quality and extent of documentation needs improvement.
Every audit assertion being tested should be supported by a clear work paper record in the form of a schedule detailing:
- the objective;
- the method (including sample size and selection methods);
- the results; and
- the overall conclusion and sign off by the audit engagement partner.
Just a quick reminder that the 12 main audit assertions are in ISA (Ireland) 315.A190 and are divided into two main classes:
Income Statement or Profit & Loss Account
(i) Occurrence – the transactions and events that have been recorded or disclosed have actually occurred, and such transactions and events pertain to the entity.
(ii) Completeness – all transactions and events that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have been included (probably the most difficult assertion to prove)
(iii) Accuracy – amounts and other data relating to recorded transactions and events have been recorded appropriately, and related disclosures have been appropriately measured and described.
(iv) Cut–off – transactions and events have been recorded in the correct accounting period.
(v) Classification – transactions and events have been recorded in the proper accounts (either P&L versus Balance Sheet).
(vi) Presentation – transactions and events are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.
Balance Sheet and Related Disclosures at the Period End
(i) Existence – assets, liabilities and equity interests actually exist.
(ii) Rights and obligations – the entity holds or controls the rights to assets, and liabilities are correctly the obligations of the entity.
(iii) Completeness – all assets, liabilities and equity interests that should have been recorded have been recorded, and all related disclosures that should have been included in the financial statements have actually been included.
(iv) Accuracy, valuation and allocation – assets, liabilities and equity interests have been included in the financial statements measured at appropriate amounts and any resulting valuation or allocation adjustments have been appropriately recorded, and related disclosures have been appropriately measured and described.
(v) Classification – assets, liabilities and equity interests have been recorded in the correct accounts.
(vi) Presentation – assets, liabilities and equity interests are appropriately aggregated or disaggregated and clearly described, and related disclosures are relevant and understandable in the context of the requirements of the applicable financial reporting framework.
For tailored training sessions explaining more about the ISAs, please send a mail to john@jmcc.ie.
For more on engagement and representation letter templates and a variety of CPD webinars on money laundering and other accounting/audit related topics, please go to our website for:
ISQM TOOLKIT, or if you prefer to chat through the different audit risks and potential appropriate responses presented by this new standard. We typically tailor ISQM training and brainstorming sessions to suit your firm’s unique requirements. Please contact John McCarthy FCA by email at john@jmcc.ie.
by John McCarthy Consulting Ltd. | Mar 18, 2025 | Blog, News
The requirements of the ISA (Ireland) 550 ‘Related Parties’ are most important, given the propensity in recent times, for related parties to commit fraud!
Whilst many firms include a detailed list of related parties and likely transactions, the potential for fraud risk within related party transactions is often overlooked and not fully assessed. The approach adopted by many firms is to reconcile the financial statement disclosures to the accounting records.
Whilst this does test the accuracy and validity of the disclosures, it provides little evidence as to the completeness of the related party disclosures.
The good audit file will document the procedures that have been carried out to ensure that there are no undisclosed related party transactions. For example, the client’s accounting records and minutes of board meetings are scanned to assess the completeness of disclosure.
Where there are significant related party transactions, the standard requires that one must be highly sceptical of the veracity of the transactions.
Then work backwards from there to prove why these transactions are adequately supported with appropriate documentation. Bear in mind that in many SME audits, the primary source of such audit evidence is often the related parties themselves, so a higher degree of scepticism is often called for.
For tailored training sessions explaining more about the ISAs, please send a mail to john@jmcc.ie.
For more on engagement and representation letter templates and a variety of CPD webinars on money laundering and other accounting/audit related topics, please go to our website for:
ISQM TOOLKIT, or if you prefer to chat through the different audit risks and potential appropriate responses presented by this new standard. We typically tailor ISQM training and brainstorming sessions to suit your firm’s unique requirements. Please contact John McCarthy FCA by email at john@jmcc.ie.
by John McCarthy Consulting Ltd. | Mar 4, 2025 | Blog, News
Often the topic of fraud is addressed poorly on audit files.
Frequently audit files include a simple statement that ‘risk is low’ (because the Directors say there has not been any fraud) and there is no knowledge of any fraud in the past year. Audit teams need to take a more professional and appropriately sceptical approach by justifying in writing how this low risk assessment has been arrived at. The file must show how the risks were discussed and the results of those discussions:
- with the client and
- within the audit team – (known as the ‘engagement team discussion’ or ‘brainstorming session’).
Consideration must be given to specific areas susceptible to fraud through theft such as:
- cash based businesses,
- high value stocks,
- fake suppliers (posing as real creditors) who allege they have just recently changed their banking details; and
- fixed assets etc.
Another good question to ask is what security measures are in place over tangible assets and are all tangible assets adequately insured? Sometimes a comparison between the fixed assets register and the list of insured items could throw up some interesting anomalies.
I often recommend to clients that they read the ISAs and the one on fraud (ISA (Ireland) 240) makes very interesting reading, especially the Appendices which have the titles:
- Appendix 1 – Examples of fraud risk factors.
- Appendix 2 – Examples of possible audit procedures to address the assessed risks of material misstatement due to fraud.
- Appendix 3 – Examples of circumstances that indicate the possibility of fraud.
In terms of fraudulent reporting, the audit file needs to show how the auditor has considered what risk management policies and procedures management has in place to mitigate the fraud threat. Also carefully document the result of the risk assessment and assess whether it has nay impact on the audit work and/or on the audit opinion.
Fraud risk can change from one year to the next and therefore should be reassessed on an annual basis. Opening balances, especially in relation to matters like fixed assets are often ignored. The excuse being ‘we audited them last year or in a prior year’. What if those assets are destroyed, sold or not in use and potentially impaired?
Identification of revenue recognition and management override risks (ISA (Ireland) 240)
Following on from fraud risk, ISA 240 assumes that there are at least two significant risks present on practically all audit assignments:
- those arising from revenue recognition criteria and
- management override of controls.
While most firms are adequately highlighting revenue recognition as a significant risk, there continues to be no clear statement of the specific audit procedures planned to address this. There is often no sufficient record of the client’s revenue recognition criteria and the accounting policy for revenue recognition contained in the financial statements is often poorly phrased or not appropriately worded.
For example, an accounting policy for an apartment management company stating that ‘turnover represents goods sold net of VAT’!! The accounting policy for revenue recognition/turnover/income is often the most significant accounting policy of them all and auditors need to pay more attention to this topic.
Management override is a risk area that a lot of firms often overlook, concluding that the risk is low due to strong internal controls or because the management is ‘honest’. Where there is potential for management override of controls, this must be identified as a significant risk and appropriate audit procedures performed. This is likely to be the case for most owner-managed SME businesses.
ISA 240 gives details of three areas which need to be tested when considering the risks associated with management override of controls. These are:
- the appropriateness of journals;
- accounting estimates, the appropriateness of which needs to be challenged; and
- gaining an understanding of significant transactions which appear to be outside the normal course of business.
More often than not, some or all of the above procedures will have been performed during the course of the fieldwork, but these need to be properly documented and clearly linked back to management override risk.
It’s important to note that with the advent of ISA (Ireland) 315 (Identifying and Assessing the Risks of Material Misstatement) for accounting periods commencing on/after 15 December 2021 that control risk is measured more appropriately on a 5-point scale as follows:
- Very Low
- Low
- Medium
- High
- Very High
The assessment of control risk is extremely important as it is designed to help identify areas where there may be a risk of misstatement due to:
The results of this assessment will influence the choice of sample sizes and better focus on the tailoring of the audit programme. A common feature of files that fail inspection reviews is the lack of appropriate tailoring, especially for fraud risk. The results of substantive tests cannot therefore be used as the scope and extent of those tests cannot be determined until the risk assessment process is complete. It’s like putting the cart before the horse.
It is important to remember that where a risk is deemed ‘significant’, audit procedures must include an appropriate element of substantive testing.
We will look at more audit file weaknesses next week.
For more on engagement and representation letter templates and a variety of CPD webinars on money laundering and other accounting/audit related topics, please go to our website for:
ISQM TOOLKIT, or if you prefer to chat through the different audit risks and potential appropriate responses presented by this new standard. We typically tailor ISQM training and brainstorming sessions to suit your firm’s unique requirements. Please contact John McCarthy FCA by email at john@jmcc.ie.
by John McCarthy Consulting Ltd. | Feb 22, 2025 | Blog, News
Our firm carries out many cold file reviews of audit files and comes across many varieties of audit file weaknesses with varying degrees of seriousness.
In the following series of blogs, we are going to highlight the more typical audit file weaknesses that we encounter.
We will also indicate some key tips that will:
- save time and effort in producing more effective audit files; and
- ensure that your firm is better prepared for its next regulatory inspection.
Audit Planning (ISA 300)
What a logical place to start?
Planning the audit properly is the key to an efficient and effective audit assignment. This is one of the areas which is often poorly documented. In most audit teams knowledge of the client, their business and associated risks among the team is good, yet the documentation of this is often too brief (e.g. missing an organisation chart) and does not fully embrace the requirements of the recently revised risk and fraud ISAs (ISA 315 and ISA 240).
Tips for a better audit file
The planning memorandum should summarise:
-
- The key matters to be addressed in the audit;
- The detailed tests that will be performed in these areas;
- Materiality levels set – don’t follow the previous year materiality levels blindly, especially if the results are showing losses or a break-even, instead of profits;
- Stocks – Include a map of the warehouse location, photographs of the more expensive stock items (with an explanatory index);
- The names of the 5 largest suppliers/customers
- Names of key management personnel and years of service;
- Related parties – especially dormant ones i.e. those that qualify as related but have no transactions/balances with the audited entity yet.
More weaknesses and tips next week.
For more on engagement and representation letter templates and a variety of CPD webinars on money laundering and other accounting/audit related topics, please go to our website for:
ISQM TOOLKIT, or if you prefer to chat through the different audit risks and potential appropriate responses presented by this new standard. We typically tailor ISQM training and brainstorming sessions to suit your firm’s unique requirements. Please contact John McCarthy FCA by email at john@jmcc.ie.
by John McCarthy Consulting Ltd. | Aug 17, 2020 | Blog, News
The recent reminder from the Chartered Accountants Ireland Professional Standards Department about findings on audit review visits, could have been written ten years ago or more. The same issues keep coming up. They are essentially about the lack of adequate evidence and lack of documentation of the audit work performed.
There are some critical concepts involved in the ISAs on audit documentation (ISA 230) and audit evidence (ISA 500). Space does not allow us room to list all the requirements but a brief reminder of the key ones is contained here:
Audit documentation:
- Ensure the documentation is sufficient to allow an experienced auditor, having no previous connection with the audit, to understand the audit work done, the evidence obtained and the results derived from that work (including the assembly of the audit file within 60 days from the date of the audit report);
- Understand the significant matters arising and the conclusions and significant professional judgements made in arriving at the conclusions (e.g. going concern during CORONAVIRUS (COVID-19).
- Even where audit work is performed as part of accounts preparation procedures (there is nothing wrong with this per se), the audit evidence obtained from accounts preparation work, must be documented in line with ISA 230.
Audit evidence
It is critical that audit evidence is collected during audits with scepticism in mind.
As is the case in most SME audits, the auditor has few other options but to rely on information produced by the client entity or client personnel. In this case, the auditor must evaluate whether the information is sufficiently robust for the auditor’s purposes and assess whether it is sufficiently accurate/complete and whether it is sufficiently precise/detailed for the auditor’s purposes.
Too often firms fail to get this right, as they rely too heavily on management supplied data, when neither the Directors nor their personnel are not trained or sufficiently experienced to adequately satisfy this purpose.
We have an Audit Update webinar available on our website to remind you of the requirements of the ISAs and how to prepare a good audit file. We also have several audit template letters on this page, up to date for the GDPR and the Coronavirus (COVID-19)
For a full list of all our webinar recordings, please got to our webinar site here. They may be viewed at any time for 12 months after the date of purchase.
We also have a complete set of letters of representation in our publications store, updated for the Coronavirus (COVID-19), and letters of engagement for immediate download here.
