Understanding the entity Fam workshop

Objectives of the session on understanding the entity At the end of the session you will be able to understand how you should go about identifying risks from various sources

Overview of understanding the entity AUDIT STEPS DOCUMENTATION STEP 1. General information about the entity STEP 2. The entity’s governance structure STEP 3. The legal framework of the entity STEP 4. The operational environment of the entity STEP 5. Fraud considerations STEP 6. The entity’s internal controls STEP 7. Other relevant considerations STEP 8. Transactions and balances UE 1. Understanding the entity: General information Governance structures Legal framework of the entity The operational environment Fraud considerations The entity’s internal controls Other considerations as litigations and claims, related parties, service entities, going concern, risks from prior years, Lead schedule and analytical review UE 2. Quality control questionnaire

KP-1. Experiences from previous audits What experiences can we share from previous years (RAM) or from FAM pilots?

KP 2. General and operational information Type and mandate of entity Address Key personnel Review auditee’s strategies, budgets, minutes of management meetings

Kp 3: The entity’s governance structure Obtain information on governance structures Who are those charged with governance? What are their responsibilities? Are there other committees – i.e. audit committee What other oversight structures are there?

KP 4. Legislative framework In line with ISSAI 1250 identify laws and regulations with a direct effect on the financial statements. Financial reporting framework and accounting policies

ISSAI 1250 The focus of the financial auditor is: To perform audit procedures and obtain evidence regarding compliance with laws and regulations which have a direct material effect on the financial statements. This is done with the intention of identifying non-compliances. To respond appropriately to non-compliance or suspected noncompliance.

How can we do it Identify and read high level financial laws and identify sections which may directly and materially affect the FS. Look at audited FS items and disclosures and identify specific acts which may impact on these. Identify any specific act which may be applicable can be included in the risk assessment on assertion level for the component.

ISSAI 250 v ISSAI 4000 ISSAI 250 deals with the auditor’s responsibility to consider laws and regulations in an audit of financial statements. The ISA does not apply to other assurance engagements in which the auditor is specifically engaged to test and report separately on compliance with specific laws or regulations (ISSAI 4000)

Step 5. Understand fraud risks What is fraud risk? Fraud risk refers to the possibility that there may be intentional misstatements in the financial statements. Two types of fraud: fraudulent financial reporting and misappropriation of assets Auditors responsibilities regarding fraud Obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error

Responsibilities Auditors responsibilities regarding fraud Obtain reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error Management’s responsibilities regarding fraud primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management Create a strong culture of ethics, placing a emphasis on fraud prevention Auditors responsibilities regarding fraud The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management

What should management do to prevent and detect fraud? Assess fraud risks regularly (risk assessment) Implement internal controls to mitigate the risk of fraud, processes for identifying and responding to the risks of fraud. Actual, suspected or alleged fraud affecting the entity identified and actions are taken Promote a culture of ethical behaviour throughout the organisation

What should auditors do? Obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement due to fraud (UE 1.) Design and implement appropriate responses to the identified risk. (RA 1 and 3)

Red Flags Red flags are anomalies that point to symptoms or indicators that are to be associated with fraud. For example: Invoices without matching orders (Occurrence or validity of expenditure) Payments have been made without matching invoices (Occurrence or validity of expenditure) Documents may be lost due to poor document management (unintentional) Documents may not exist or destroyed to cover up invalid payments (intentional, fraudulent)

Responses to fraud If any fraud is discovered during the audit, it must be communicated to those charged with governance and management. Fraud risks are considered to be SIGNIFICANT for the audit

KP 6. Internal controlS Manual controls Based on COSO The control environment; The entity’s risk assessment process; The information system, including the related processes, relevant to financial reporting, and communication; Control activities; and Monitoring of controls. IT controls checklist Basic general control review

kP 7. other considerations Litigations and claims against the entity Significance – provisions raised Service organisations – outsourced functions which are relevant to the financial statements Examples What to do when the outsourced function is relevant? Find evidence of the internal controls reducing the RMM Use the audit report of the service organisation Perform tests of controls at the service org.

KP 8. Lead schedule / Analytical review Identify the transactions and balances audited from the financial statements Link the financial statements to the audit work Keep it up to date Analytical reviews Compare current year figures to budget and prior year. Understand large changes to figures and identify risks Important: keep the Lead schedule updated to correlate with the latest audited financial statements.

Exercise – group discussion From the information in the case study of Council A complete the relevant parts of the UE 1 working paper. Draw conclusions on risks identified. Conclude whether the risks are pervasive or can be linked to an audit component. For the Lead schedule: The overall materiality for the audit is $4,15 million. Identify which expenditre components you would audit. Identify which items you would consider not auditing or combining with others.

KP-9 Quality control review Working paper UE 1. can be completed by auditors and reviewed by Team leader and/or audit manager. Second level reviewer should focus attention on the adequacy or audit work and conclusions drawn on risks Third level reviewer should focus on pervasive risks, fraud risks and the audit coverage of the AFS

Understanding the entity conclusion Understanding the entity What have we done during understanding the entity? What are the next steps?