Guide to Using ISAs in the Audits

of Small and Medium-Sized

Entities

Presented by: Tariq Mahmood

Brief Introduction
Importance of SMEs and SMPs
• Role of SMEs
– SMEs account for majority of private sector employment
– Essential for job creation, social cohesion, innovation and growth

• Role of SMPs
– SMPs are small businesses and are uniquely placed to help SMEs
– Help SMEs perform better and comply with regulations
– Provide business support services
– Have special role in SME financing
Role of ICMA Pakistan – Quality Assurance Board
“Building the capacity of SMPs to Support SMES”
The ISAs
• A suite of standards applicable to all audits
– Can be applied in a manner appropriate with the size and complexity of
any entity
– Designed to achieve reasonable assurance on all audits, regardless of the
size and complexity of an entity
– Recognize that the characteristics of SMEs differ significantly from those of
larger, more complex entities
Structure and Content of Guide

• Volume I
– Fundamental concepts of a risk-based
audit in conformance with the
International Standards on Auditing
– Directed at practitioners and students
with little or no understanding of ISAs
Structure and Content of Guide

• Volume II
– Practical guidance on performing SME
audits
– Directed at practitioners with
reasonable working knowledge of ISAs
– Includes two illustrative case studies,
one of an SME audit and one of micro
entity audit
Introduction
• Developed by IFAC SMP Committee
• Responds to a need for practical support in implementing the ISAs on
SME Audits
• Helps Firms apply the ISAs Appropriately and Efficiently on SME
Audits
Introduction
• Provides practical guidance, but is not a substitute of:
– Reading and understanding the ISAs
– Using professional judgement

• Helps develop a deeper understanding of audit conducted in

compliance with ISAs, for example
– As a basis for training and education
– A reference material
Risk Based Audit
Overview
Inherent Limitations of Audit
• Nature of financial reporting
- Judgement in applying financial reporting framework
- Subjective decisions / assessments / estimates

• Nature of evidenced available

- Audit evidence tends to be persuasive in character rather than conclusive

• Nature of audit procedures

- Risks involved in sampling
- Non-provision of information by management
- Audit procedures may not detect the missing information
• Timeliness of financial reporting
Audit Risk
• A combination of risk of material misstatement and detection risk
• Risk of material misstatement = Inherent risk and control risk
Summary of Audit Risk Components

The extent to which the

control risk bars do not
completely mitigate the
inherent risks is often called
management’s residual risk,
risk appetite or risk
tolerance.
Summary of Audit Risk Components
Three Steps in Risk-Based Audit
Risk-Based Audit – Key Points
• Audit objectives are the same for any size of audit;

• Specific audit procedures required may vary considerably depending on the

size of entity and the assessed risks;

• ISAs focus on matters the auditor needs to address—not on the details of

specific procedures;

• Design of further audit procedures depends on the auditor’s risk

assessment;

• Appropriate exercise of professional judgment is essential in tailoring the

procedures to respond appropriately to the assessed risks; and

• Professional judgment cannot be used to avoid compliance with any ISA

requirements except in exceptional circumstances.
 Phase I
Risk Assessment
Risk Assessment - Objective
Types of Risk
• Business Risk
• Risk of Material Misstatement in the Financial Statements

• Fraud Risk
• Risk of Intentional Material Misstatement in the Financial Statements

• Types:
• Fraudulent Financial Reporting
• Misappropriation of Assets
Risk Assessment - Overview
Activity Purpose Documentation
Listing of risk factors
Perform preliminary Decide whether to accept Independence
engagement activities engagement Engagement letter

Materiality
Develop an overall audit
Risk Assessment

Plan the Audit Audit Team Discussion

strategy and audit plan
Overall Audit Strategy

Identify and assess RMM Business & fraud risk including

Perform Risk significant risk
through understanding the
Assessment Procedure
entity Design/implementation of
relevant internal controls
Assess RMM
• F/S Level
• Assertion Level
Risk Assessment – Steps Involved
Step-1
Quality Controls within the Firm
Pre-engagement Activities
Terms of Engagement
(Required by ISQC-1 and ISA 210 & 220)
Quality Control - Ethics, Independence and ISAs
 Quality Control - Ethics, Independence and ISAs
• Firm Level Objectives (ISQC 1.11): To establish and maintain a system of
quality control to provide the firm with reasonable assurance that:
a. The firm and its personnel comply with professional standards and applicable legal
and regulatory requirements; and
b. Reports issued by the firm or engagement partners are appropriate in the
circumstances
• Engagement Level Objectives: (ISA 220.6): To implement quality control
procedures at the engagement level that provide the auditor with
reasonable assurance that:
a. The auditor complies with professional standards and applicable legal and
professional requirements; and
b. The auditor’s report issued is appropriate in the circumstances
 Quality Control Systems
Internal Control Elements Firm-Level QC Elements (ISQC 1) Engagement-Level QC Elements (ISA 220)
(ISA 315)

Control Environment • Leadership Responsibilities for • Leadership Responsibilities for Quality on Audits
Quality within the Firm • Relevant Ethical Requirements
• Relevant Ethical Requirements • Assignment of Engagement Teams
• Human Resources

Risk Assessment • Acceptance and Continuance of • Acceptance and Continuance of Client

Client Relationships and Specific Relationships and Audit Engagements
Engagements Risks that the report might not be appropriate in
the circumstances
Information Systems • Quality Control System • Audit Documentation
Documentation

Control Activities • Engagement Performance • Engagement Performance

Monitoring (Are the • Ongoing Monitoring of the Firm’s • Applying Results of Ongoing Monitoring to
Quality Control Policies and Specific Audit Engagements
Procedures
Quality Control Within Firm
• Performing Quality Work Begins with:
“Strong Leadership within the Firm”
and
“Engagement Partners committed to the Highest
Ethical Standards”.
Refer to IFAC Guide to Quality
Control for Small-and-Medium-
Sized Practices & ICMAP ISQC-1
Implementation guidelines
Hindrance to Strong Tone at Top
• Poor attitudes to quality
- Audit work tailored to fee received – not the risk involved
- Belief that there is no risk to the firm in small audits
- Clients considered totally trustworthy by the partners
- Asking staff to follow the firm’s policies, but not complying personally

• Unwillingness to invest in training and development

• Lack of discipline
How to set a healthy tone at the top..?
• Establish the firm’s objectives, priorities and values
• Communicate regularly
• Update the quality control manual
• Hold people accountable
• Develop staff competence and reward quality work
• Continually improve
• Set an example
Pre-engagement Activities
• Financial reporting framework
• Agreement and acknowledgement of
management responsibilities etc.
Agreeing Terms of Engagement
Step-2
Planning the Audit
Determining Audit Materiality
Audit Team Discussions
(Relevant ISA, 300, 240, 320 & 450)
Planning the Audit
Benefits of Planning
• Team members learn from the experience/insight of the partner and
other key personnel.
• The engagement is properly organized, staffed, and managed.
• Experience gained from previous periods’ engagements and other
assignments is properly utilized.
• Important areas of the audit receive the appropriate attention.
• Potential problems are identified and resolved on a timely basis.
• Audit file documentation is reviewed on a timely basis.
• Work performed by others is coordinated (other auditors, experts,
etc.).
Determining and Using Materiality
Considerations in Determining Materiality
• Users of financial statements are reasonable
• Choose right benchmark to use as a basis:
- Determine who are likely users of financial statements
- Identify any specific users expectations
- Identify major elements of F/S that are of interest to users
- Nature of entity and its current status in life cycle (growing, declining etc.)
- Determine adjustments required
- Primary focus of users
- Evaluation financial performance; or
- Resource utilized to achieve goals
- Source of financing
- Volatility of the benchmark
- Alternative benchmarks necessary to address special circumstances
Use of Materiality in Audit

Reporting
Audit Team Discussions
Audit Team Discussions
Step-3
Identification and Assessment of Risk
Understanding and Evaluating Controls
Communicating Control Deficiencies
(Relevant ISA, 240, 265, 315 & 330)
Identification of Risk

3 – Step Risk Identification Process

Gather Design, Perform and Relate or Map the Risk

Information Document Risk Identified to Material
About the Assessment Financial Statement Areas
Entity Procedures
Obtain Understanding of Entity and Environment
Sources of Information about the entity
 Scope of Information about Entity
• External factors • Entity objectives and strategies
- Nature of industry - Business plans and strategies
- Regulatory environment - Financial implications and risks
- Financial reporting framework undertaken
• Nature of Entity • Measurement / Review of financial
- Operations and key personnel performance
- Ownership and governance - What is measured..?
- Investment, structure and financing - Who reviews financial results
• Accounting Policies • Internal controls relevant to audit
- Selection and application - Processes and relevant controls to
- Reasons for change mitigate risks:
- At entity level
- Appropriateness to entity - At transaction level
Risk Assessment Procedures
Inquiries of Management and Others
• Inquiries of management regarding: Paragraph #
- Management’s assessment of risk of fraud 240.17
- Process for identifying and responding to risk of fraud 240.18
- Communication to those charged with governance and employees
- Knowledge of actual or suspected fraud or allegations

• Areas of inquiry are:

- Those charged with governance (BOD etc.)
- Management and those responsible for financial reporting
- Key Employees
- Purchasing
- Payroll
- Accounting etc.
- Marketing or sales personnel
Analytical Procedures – Steps Involved
• Identify relationships within the data
- Develop expectations about plausible relationships among various types of
information
- Financial and non-financial information could include:
- Financial statements of comparable previous periods
- Budgets, forecasts, and extrapolations
- Information regarding the industry
- Current economic conditions

• Compare
- Compare expectations with recorded amounts
- Develop ratios from recorded data
• Evaluate results
- Where unusual or unexpected relationships are found, consider potential risk of
material misstatement
Observation and Inspection
Identification of Significant Risk
Significant Risk
• Factors indicating possible significant risk:
- Risk of fraud
- Significant recent economic, accounting or other development
- Complexity of transaction
- Significant transactions with related parties
- Significant transactions outside normal course of business
- Degree of subjectivity in measurement of financial information

• Significant risk in Smaller Entities

- Significant non-routine transactions
- Significant judgmental matters
- Significant transactional risk
- Fraud
Effective Risk Assessment
• Up-front involvement of senior team members
• An emphasis on professional skepticism
• Planning
• Team discussions and ongoing communications
• Focus on risk identification
• Ability to evaluate management responses to risk
• Use of professional judgment
Understanding Internal Controls
Understanding Internal Controls
“A control is always designed to respond to (mitigate) a possible risk. A
control that does not address a risk is obviously redundant.”
Key Objectives are:
Identify the risk that
Step -1 require mitigation by • Strategic, high-level goals that support the
control
mission of the entity;
• Financial reporting (internal control over
Identify what controls financial reporting);
Step -2 are in place to • Operations (operational controls); and
address those risks • Compliance with laws and regulations
Internal Control Components
Control Environment
Key Elements
- Communication and Enforcement of Integrity and Other Ethical Values;
- Commitment to Competence
- Participation by Those Charged with Governance (BOD etc.)
- Management Philosophy and Operating Style
- Organizational Structure
- Assignment of Authority and Responsibility
- Human Resource Policies and Practices
Control Environment – Smaller Entities
- Mostly entity does not have staff to implement traditional control
activities – segregation of duties…?
- Active involvement of owner manager reduces the need for other
control activities e.g. segregation of duties etc.
- Example:
- Owner-manager reviews and approves individual transactions before they are
completed.
- Does not mitigate other risks like management override of controls
- No or less supporting documentation available for the auditors
Control Environment – Smaller Entities
Considerations for auditors:

- Identify the entity’s control environment (values, acceptable behavior

and enforcement actions through discussions with management

- Ask one or two employees what they believe

- Prepare a memorandum for the file

Entity’s Risk Assessment Process

In smaller entities where a formal risk

assessment process is unlikely to exist, the
auditor would discuss with management how
business risks are identified and how they are
addressed.
Entity’s Risk Assessment Process
Risk assessment process would normally address such matters
Information System and Communication
Information System and Communication
Information system relevant to financial reporting objectives include:
Information System and Communication
Information System and Communication
Obtaining Understanding of Information System
• Sources of information used
- Significant class of transactions
- Accounting records (Electronic or manual)

• How information is captured and processed

- Financial reporting process over:
- Initiate, record, process and report transactions
- Prepare financial statements, significant accounting estimates and disclosures
- Procedures designed to addressed:
- ROMM associated with inappropriate management override of controls
- Identification of exceptions and reporting the actions taken to remedy

• How the information produced is used

- Communication of financial reporting roles and responsibilities
- Types of reports regularly produced by the system
- Nature and type of information provided my management to those charged with governance
Control Activities

Typical controls at business process level include:

- Segregation of duties - Actual results review
- Authorization controls - Physical controls
- Account reconciliations - IT application controls
Control Activities
Control activities in smaller entities
- Informal and limited documentation
- Limited scope
- are likely to relate to the main transactions cycles e.g. revenue, purchase and employment
expenses)
- Risk may be mitigated by the control environment itself (Owner-manager)

Auditor’s judgment whether a control activity is relevant is influenced

by:
- Knowledge about presence / absence of control activities identified in other
components of internal controls
- Existence of multiple control activities to achieve the same objective.
- Audit efficiency gained from testing operating effectiveness of internal controls
Monitoring
Pervasive Vs Specific Controls
Evaluation of Internal Controls

4 – Step Process to Evaluate Control Design and Implementation

1. Risk identification – What risks require mitigation…?
2. Evaluate Control Design – Do the controls designed by management mitigate risk ..?
3. Are the controls that mitigate the risk in operation ?
4. Has the operation of relevant controls been documented..?
Communicating Deficiencies in Internal Control
 Phase II
Responding to Assessed Risk
Areas Covered
Risk Response – Overview
Responsive Audit Plan
Determining the extent of testing
Documenting Work Performed
Written Representations
(Relevant ISA, 230, 240, 300, 330, 500, 530, & 580)
Response to Assessed Risk - Objective

Audit risk cannot be

eliminated or avoided.
It has to be reduced/mitigated
to an acceptably low level
Steps in Risk Response
Responsive Audit Plan
Developing Responsive Audit Plan
1. Respond to assessed risk at financial statement level
2. Identify specific procedures required for material financial
statement areas
3. Determine the nature and extent of audit procedures required
Overall Responses to Assessed Risk at F/S Level
• Engagement management
- Maintain professional skepticism
- Assign more experienced staff
- More ongoing supervision
• Incorporate unpredictability in selection of further audit procedures
- Perform substantive procedures on selective account balances ISA 240 & 330 outline
some possible overall
- Adjust timing of audit procedures
responses to risks
- Use different sampling methods
identified at the
- Performed surprised audit procedures
financial statement level
• Revise the planned audit procedures
- Perform substantive procedures at the period end instead of interim
- Perform physical observation of certain assets
- Increase sample size or perform analytical procedures at more detail level etc.
• Changes in audit approach
- Consider the understanding obtained of control environment and make changes accordingly
- Use combined approach (Tests of controls and substantive procedures)
• Review accounting policies being used
Management Override of Controls (Risk of Fraud)
• Identify, select and test journal entries and other adjustments based on: Paragraph
- Understanding of entity’s financial reporting process 240.26, 240.32
- Design and implementation of internal controls and 240.33
- Considerations of: prescribes certain
- Characteristics of fraudulent journal entries and other adjustments
- Presence of fraud risk factors procedures.
- Inquiries of individuals involved in financial reporting process
• Review estimates relating to specific transactions and balances to identify
possible biases
- Reconsider estimate taken as a whole
- Perform retrospective review of management judgement and assumptions
• Obtain understanding of the business rationale of significant transactions that are
unusual or outside normal course of business. Assess whether;
- Management emphasis more emphasis on a particular accounting treatment
- Arrangement surrounding such transactions are overly complex
- Transaction involves previously unidentified related parities
• For revenue recognition, perform substantive analytical procedures to identify
unusual or unexpected revenue relationships or transactions
Response to Assessed Risk at Assertion Level
Designing and Performing Further Audit Procedures

• Auditor shall consider the following:

- Nature of assertion being addressed
- Reasons for the assessed risk
- Characteristics of financial statement area
- Identified risk and relevant controls
- Assessed level of risk
- Source of information used
- Potential for dual-purpose test
Tests of Controls
Tests of Controls
Tests of Controls - Examples
Substantive Procedures
Substantive Procedures - Types
Substantive Procedures - Examples
Tests of Details
When designing substantive procedures to respond to assessed risk,
consider the matters to be addressed:

- Each material account balance, COT and disclosure

- Audit procedures required by specific ISAs, (related party etc.)
- Need for external confirmation procedures
- Significant risk and procedures specifically designed to address the
identified risk
Auditor may perform:
- Timing • Only TODs
• Only SAPs (where there is not a significant ROMM)
• Combination of TODs and SAPs
External Confirmations

Types are:
Audit evidence is more reliable when:
• Obtained from independent sources outside the entity. • Positive confirmation
• Obtained directly • Negative confirmation
• Exists in documentary form i.e. paper, electronic or other
medium
External Confirmations - Examples
Substantive Analytical Procedures
Substantive Analytical Procedures

Factors to Consider Are:

• Nature of assertion
• Reliability of data (internal or external)
• Whether the expectation is sufficiently precise to identify a
material misstatement
• Amount of differences that would be acceptable
• Are the relationships developed:
- from a stable environment
- at a detailed level
Substantive Analytical Procedures - Examples
Documenting Work Performed
Written Representations
Written Representations
Written management representations are not be used as:
• A substitute for performing other audit procedures
• As the sole source of evidence on significant audit matters

Management representations may be:

Verbal, whether solicited or unsolicited

Such representations are typically obtained during the audit engagement.

Written
At the end of the engagement, the auditor is required to request a written statement from
management confirming certain matters such as:
– The verbal representations referred to above,
– Management has fulfilled its responsibility for the preparation of the financial statements
in accordance with the applicable financial reporting framework,
– All transactions have been recorded and are reflected in the financial statements, and
– Other representations as necessary to support the audit evidence obtained.
 Phase III
Reporting
Areas Covered
Reporting – Overview
Evaluating Audit Evidence
Communicating with TCWG
Modifications to the Auditors Report
Emphasis of Matter and Other Matters
Comparative Information
(Relevant ISA, 220, 260, 265, 330, 450, 520, 540, 705, 706 & 710)
Reporting
 Steps in Reporting
Reporting
Evaluating Audit Evidence
Reporting
Evaluating the Effects of Misstatements
Areas of Misstatements
• Inaccuracies or fraud
• Omissions or fraud
• Significant transactions
• Journal entries
• Errors in estimates or fair values
• Selection and application of accounting policies
• Uncorrected misstatements in opening equity
• Revenue recognition
• Internal control weaknesses
• Financial statements presentations and disclosures
Address Identified Misstatements
• Re-evaluate materiality

• Consider the reasons and impact on audit plan

• Request management to make corrections

• Ask management to perform additional procedures

• Management refuses to make some or all misstatements

Evaluate Sufficiency and Appropriateness of Evidence
Consider
• Materiality of misstatement
• Management response
• Previous experience
• Results of performed audit procedures Perform Final
Analytical
• Quality of information
Procedures when
• Persuasiveness forming overall
• Understanding the entity conclusion
Matters to be Communicated to TCWG
• Auditor’s responsibilities in relation to the financial statement audit
• Planned scope and timing of audit
• Significant findings arising from the audit
• Other audit matters:
- Accounting policies
- Risk of material misstatement
- Material uncertainties
- Significant difficulties encountered
- Comments on entity’s management
- Audit adjustments
- Uncorrected misstatements
- Auditor’s report
- Agreed upon matters
- Other matters, if any
Reporting
Important considerations are to determine:

• Any change in the assessed level of risk;

• Whether conclusions drawn from the work performed are appropriate;

• If any suspicious circumstances have been encountered; and

• That additional risks (not previously identified) have been appropriately

assessed and further audit procedures performed as required.
Modifications to the Auditor’s Report
Modifications to the Auditor’s Report
Emphasis of Matter Paragraph
Key Requirements are:
• Matter is already fully disclosed in the financial statements
• No material misstatement exists
• Immediately placed after the audit opinion
• Is not a modification to opinion
Examples are:
• Going concern assumption and uncertainties
• Subsequent events
• Early application of new accounting standard etc.
Other Matter Paragraph
Is used to highlight the matters like:
• Restriction on distribution of auditor’s report
• Highlight additional responsibilities
• Inability to withdraw from engagement
Conditions applying are:
• Matter is not already disclosed in the financial statements
• Disclosure is not prohibited
• Disclosure is relevant to users
• Information presented did not contradict the opinion
• Placed immediately after audit opinion
• State that such disclosure is not required
Comparative Information
Types
• Corresponding figures
• Comparative financial statements

Audit Procedures
• Obtain necessary audit evidence
• Identify any potential misstatements
• Obtain written representations
Comparative Information
Corresponding Figures
• No reference made to comparatives in auditor’s report
• Any restatements required.. ?
• Prior-period figures audited by another firm
• Prior period figures not audited

Comparative financial statements

• Make reference to each period presented
• Any changes required in previous opinion provided
• Prior-period figures audited by another firm
• Prior period figures not audited