Recent developments in auditing standards
CA Suresh DM
Bangalore Branch of SIRC of ICAI
15th December 2010

All U DO IS TICKING

Auditing Standards: Indian Perspective
- Auditing Standards are a codification of existing best practices in the area of auditing.
- International Standards on Auditing (ISAs) are issued by the IAASB of IFAC.
- In India, the ICAI formulates Auditing and Assurance Standards (AASs).

Basic considerations behind the formulation of AASs:
- Harmonization with ISAs, to the extent possible (a membership obligation for ICAI)
- Applicable laws in India
- Customs, usages and business environment in India

Auditing Standards: Indian Perspective (Companies Bill 2009)
- NACAAS to be given authority to notify Auditing Standards.
- MCA has observed that Auditing Standards are currently issued by a single Institute.
- The fact is that standards are issued after due consultation, by releasing Exposure Drafts.

Auditing Standards: Indian Perspective (contd.)
Scope of AASs:
- Apply whenever an independent audit is carried out.
- Apply irrespective of size, legal form or commercial motives of the client.
- May appropriately apply to other functions of auditors.
Authority attached to AASs:
- Mandatory compliance by members of ICAI.
- Material departures from AASs to be brought out in the report.

Engagement & Quality Control Standards: Road to Convergence (Clarity Project)
- AASB founder member of IFAC.
- Auditing standards based, to the extent possible, on the corresponding International Standards (IS) of the International Auditing and Assurance Standards Board (IAASB).
- Chalked out a timeline for bridging the gap in convergence with IS under the IAASB Clarity Project.
- Revised the entire suite of 36 Standards on Auditing in line with the International Standards.

Engagement & Quality Control Standards: AASB's response to the IAASB Clarity Project (2006 till date)
- Revised and more rigorous Due Process
- Revised Framework and Preface
- AASs renamed and renumbered in line with IAASB terminology
- Engagement Standards: Standards on Auditing, Standards on Review Engagements, Standards on Assurance Engagements, Standards on Related Services
- Mother Standard on Quality Control
- Revised/new Standards on Fraud, Audit Planning and Risk-based Audits
- Many new/revised Standards in the pipeline

Diagrammatic presentation of the structure of standards under the New Preface
- Chartered Accountants Act, 1949
- Pronouncements by ICAI
- Standards on Quality Control (SQC)
- Assurance services and Related Services
- Framework for Assurance Engagements
- Audits and reviews of historical financial information: Standards on Auditing (SA) 100-999; Standards on Review Engagements (SRE) 2000-2699
- Assurance engagements other than audits and reviews of historical financial information: Standards on Assurance Engagements (SAE) 3000-3699
- Related services: Standards on Related Services (SRS) 4000-4699

Clarity Project
Exercise to rewrite and update. Includes:
- Identifying the overall objectives of the auditor when conducting an audit in accordance with ISAs, setting an objective in each ISA, and establishing an obligation on the auditor in relation to those objectives
- Clarifying the obligations imposed on auditors by the requirements of the ISAs and the language used to communicate such requirements
- Eliminating ambiguity about the requirements the auditor needs to fulfil

Engagement & Quality Control Standards: Layout of Standards
- Scope
- Effective Date
- Objective
- Definitions
- Requirements
- Application and Other Explanatory Material (basically details out the requirements)

[Slide: Audit Process]

Standard on Quality Control (SQC 1)
Quality Control for Firms that Perform Audits and Reviews of Historical Financial Information, and Other Assurance and Related Services Engagements

SQC 1 Quality Control for Firms
- Definitions
- Elements of a System of Quality Control
- Leadership Responsibilities for Quality within the Firm
- Ethical Requirements
- Acceptance and Continuance of Client Relationships
- Human Resources
- Engagement Performance
- Monitoring
- Documentation

Objective of SQC 1
The firm should establish a system of quality control designed to provide it with reasonable assurance that the firm and its personnel comply with professional standards and regulatory and legal requirements, and that reports issued by the firm or engagement partner(s) are appropriate in the circumstances.

Meaning of Certain Terms: Engagement quality control review
- How: a process designed to provide
- Why: an objective evaluation,
- When: before the report is issued,
- What: of the significant judgments the engagement team made and the conclusions they reached in formulating the report.

Meaning of Certain Terms: Engagement quality control reviewer
Any individual with the capabilities to act as engagement partner:
- a partner, other person in the firm, or suitably qualified external person,
- a team made up of such individuals,
- an employee of another firm
with sufficient and appropriate experience and authority to objectively evaluate, before the report is issued, the significant judgments the engagement team made and the conclusions they reached in formulating the report. However, in case the review is done by a team of individuals, such team should be headed by a member of the Institute.

Meaning of Certain Terms: Engagement team
All personnel performing an engagement, including any experts contracted by the firm in connection with that engagement.

Meaning of Certain Terms: Network Firm (change made during the Clarity Project)
BEFORE:
- An entity under common control, ownership or management with the firm, or
- Any entity that a reasonable and informed third party having knowledge of all relevant information would reasonably conclude as being part of the firm nationally or internationally.
AFTER:
- That is aimed at cooperation, and
- aimed at profit or cost-sharing, or shares common ownership, control or management, common quality control policies and procedures, common business strategy, use of a common brand name, or a significant part of professional resources.

Elements of a System of Quality Control
Policies to address:
(a) Leadership responsibilities for quality within the firm
(b) Ethical requirements
(c) Acceptance and continuance of client relationships
(d) Human resources
(e) Engagement performance
(f) Monitoring

Leadership Responsibilities for Quality within the Firm
- Promote an internal culture that stresses quality in delivery.
- The firm's chief executive officer to assume ultimate responsibility for the firm's system of quality control.
- Perform work that complies with professional standards and regulatory and legal requirements.

How to promote a quality-oriented internal culture
- Clear, consistent and frequent actions and messages from all levels
- A culture that recognizes and rewards high quality work
- Training seminars, meetings, formal or informal dialogue, mission statements, newsletters, or briefing memoranda

Ethical Requirements
The firm should establish procedures that enable its personnel to comply with ethical requirements:
(a) Integrity;
(b) Objectivity;
(c) Professional competence and due care;
(d) Confidentiality; and
(e) Professional behavior.

INDEPENDENCE
- The scope of the various services provided to the client should not be a threat to independence.
- Annual independence confirmation from all the personnel of the audit firm.
- Rotation of partners and managers to reduce familiarity threat (SEC Rules: 7 years for listed entities and 10 years for other engagements).
Note: For sole proprietors/individuals auditing listed entities, the rotation policy is not applicable. However, they need to undergo the compulsory Peer Review Process.

Threats to Independence: Prohibited Activities
An auditor of an entity is prohibited from providing an audit client any of nine specified non-audit services.

Prohibited Non-Audit Activities
1. Bookkeeping or other services related to the accounting records or financial statements of the audit client;
2. Financial information systems design and implementation;
3. Appraisal or valuation services, fairness opinions, or contribution-in-kind reports;
4. Actuarial services;
5. Internal audit services;
6. Management functions or human resources;
7. Broker or dealer, investment adviser, or investment banking services;
8. Legal services and expert services unrelated to the audit; and

Independence
The firm should frame policies so that:
- The firm's personnel are aware of the independence requirements.
- Partners are provided with relevant data about client hierarchy and threats to independence.

Threats to Independence
- Independence of Mind
- Independence of Appearance
- Threat of potential employment
- Threat of undue dependence on fees and fear of losing the client
- Threat of self review (review of judgements made in earlier periods)
- Threat of investment in the client's shares

Acceptance & Continuance (A&C)
- Undertake or continue relationships and engagements.
- Ascertain the integrity of the client.
- The auditor is competent to perform and has sufficient resources.
- Compliance with ethical requirements is achieved.

Human Resource
Firms should frame policies to address:
(a) Recruitment;
(b) Performance evaluation;
(c) Capabilities;
(d) Competence;
(e) Career development;
(f) Promotion;
(g) Compensation; and
(h) Estimation of personnel needs.

Engagement Performance
- Establish consistency in the quality of engagement performance, which is accomplished through standardized documentation.
- Qualitative deliverance involves consultation.

Review of Quality Controls and Risks (RQR process)
- Engagement quality control review: objective evaluation of the judgments used, which should be done before issue of the report.
- A must for all listed company audits.
- Criteria to be set out for other audits.

RQR Process
- Nature, Timing and Extent
- Criteria for Reviewers
- Documentation Requirements
- Other Matters

Engagement Documentation
- Final working files to be completed and assembled before reports have been finalized (that is, before release of the report).
- Confidentiality, safe custody, integrity, accessibility and retrievability of documentation
- Retention of documentation
- Ownership of documentation

Monitoring Process

International Standard on QC vs Indian Standard on QC

| Subject Matter | International SQC | Indian SQC |
| Engagement Quality Control Reviewer | Reviewer can be anyone with sufficient and appropriate experience | Reviewer should be a member of ICAI |
| Minimum Period of Retention of Working Papers | 5 Years | 7 Years |
| Rotation of Auditors | 7 years | No specific time limit |

SAs applicable for audits relating to accounting periods beginning on or after 1.4.2010

| SA | Title of the Standard |
| 200 (Revised) | Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Standards on Auditing |
| 210 (Revised) | Agreeing the Terms of Audit Engagements |
| 220 (Revised) | Quality Control for an Audit of Financial Statements |
| 265 | Communicating Deficiencies in Internal Control to Those Charged with Governance and Management |
| 320 (Revised) | Materiality in Planning and Performing an Audit |
| 402 (Revised) | Audit Considerations Relating to an Entity Using a Service Organization |
| 450 | Evaluation of Misstatements Identified during the |
| 510 (Revised) | Initial Audit Engagements - Opening Balances |
| 520 (Revised) | Analytical Procedures |
| 550 (Revised) | Related Parties |
| 610 (Revised) | Using the Work of Internal Auditors |
| 620 (Revised) | Using the Work of an Auditor's Expert |
| 720 | The Auditor's Responsibility in Relation to Other Information in Documents Containing Audited Financial Statements |

SA 265 - COMMUNICATING DEFICIENCIES IN INTERNAL CONTROL TO THOSE CHARGED WITH GOVERNANCE AND MANAGEMENT

Scope
- The auditor is required to obtain an understanding of internal control. This understanding is used to design appropriate audit procedures and not for the purpose of expressing an opinion on internal controls.
- The standard is only a carve-out from SA 260, Communicating to Those Charged with Governance.
- Normally there are no such separate reporting requirements (other than in SOX assignments).
- This standard is very simple. It contains just 11 paragraphs in the main text; the other clauses are Application and Explanatory Material.

Requirements
- Identify deficiencies in internal control on the basis of the audit work performed.
- Determine whether they constitute significant deficiencies (deficiencies which merit the immediate attention of Management in terms of likelihood, susceptibility to loss or fraud, and amount exposed).
- Communicate to those charged with Governance. Please note that the communication is to the Management and not to the owners. (The Auditor's Report under the legal framework will be addressed to the Owners/Shareholders.)

What should be communicated
- Description of the deficiencies
- Context and effect of such deficiencies
- Highlight the fact that these are only the deficiencies identified in designing the audit procedures.

What types of controls are analysed
- General monitoring controls (such as oversight of management)
- Controls over the prevention and detection of fraud
- Controls over the selection and application of significant accounting policies
- Controls over significant transactions with related parties
- Controls over significant transactions outside the entity's normal course of business
- Controls over the period-end financial reporting process (such as controls over non-recurring journal entries)

SA 402 Audit Considerations Relating to an Entity Using a Service Organisation
This standard deals with the auditor's responsibility to obtain sufficient appropriate audit evidence when an entity uses the services of service organisations. Common examples are actuary services, payroll outsourcing, vendor payment processes, etc.

Methodology of obtaining audit comfort:
- Obtain a Type 1 or Type 2 Report.
- Contact/visit the service organization.
- Use the work of another auditor.

SA 501 Audit Evidence - Selected Items
This standard mainly deals with:
- Inventory
- Litigation and Claims
- Segment Information
Compared to the earlier SA 501, this revised standard does not deal with Valuation and Disclosure of Long Term Investments.

SA 501 Audit Evidence - Selected Items: Inventory
Attendance at physical count:
- Evaluate management's instructions and procedures.
- Observe the performance of management's count procedures.
- Inspect the inventory.
- Perform test counts.
- Verify the financial inventory records to ensure they reflect the physical counts.
If the count date is before or after the Balance Sheet date, perform roll-forward/roll-backward testing.
Inventory lying with a third party:
- Obtain confirmation.
- Perform inspection.

Inventories: Basic Principles
- 50,000 lbs
- Quantities and prices
- Ending inventories = Net income

Cenco Corporation
- Changed quantities on inventory tags
- Altered quantities on computer listings
- Management created fictitious tags
Management explains:
- Computer keypunch errors
- Tags discarded
"I am unable to definitely say that the inventory is being inflated, but there are a few things about the new tags which bother me."

SA 501 Audit Evidence - Selected Items: Litigations and Claims
- Inquiry of in-house legal personnel/Management
- Reviewing minutes of meetings
- Review of legal expenses accounts
- Request confirmation from external legal counsel
- Written representations about completeness of disclosures

SA 520 (R) Analytical Procedures
Types of procedures:
- Trends
- Reasonableness testing, e.g. bank deposits to interest earned, raw material consumption to production
- Ratios
Affected by reliability of data, precision of estimation, source of information, etc.

SAs applicable for audits relating to accounting periods beginning on or after 1.4.2011

| SA | Title of the Standard |
| 700 (Revised) | Forming an Opinion and Reporting on Financial Statements |
| 705 | Modifications to the Opinion in the Independent Auditor's Report |
| 706 | Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor's Report |
| 710 (Revised) | Comparative Information - Corresponding Figures and Comparative Financial Statements |

Gist of requirements of the new SAs
- Indicate at the top of the report that it is an INDEPENDENT AUDITOR'S REPORT.
- Titles should be prominently indicated for:
  - MANAGEMENT RESPONSIBILITY
  - AUDITOR'S RESPONSIBILITY
  - OPINION
  - Report under other LEGAL FRAMEWORK (reference to CARO and the Companies Act to be included in this clause)

Gist of requirements of the new SAs: Opinion on corresponding figures in financial statements
- Generally the audit report is for the current period numbers.
- If the corresponding figure in the previous period was qualified and the matter is unresolved, then the report should continue to refer to the previous corresponding number also.

RISK AND ASSESSMENT
ASSESSING RISK IN AUDIT PLANNING

Focus on Risk Management
- Out of the total 35 general standards, there are 6 standards on Risk Management.

- ICAI has come up with a separate Implementation Guide to Risk Based Audit.

Audit involves
- Assessing the risks (risk of material misstatements)
- Designing and performing audit procedures to obtain reasonable assurance
- Issue of the audit report

Key Definitions
- Risk: The uncertainty of an event occurring that could have an impact on the achievement of objectives.
- Risk assessment: A systemic process for assessing and integrating professional judgments about probable adverse conditions and/or events.
- Risk management: The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects.

Why only reasonable assurance and not absolute assurance
- Limitation on testing
- Use of sampling
- Internal control limitations
- Undetected frauds
- Persuasive nature of audit evidence
- Reliance on judgement

Key Risks in Audit
- Financial statements contain material misstatements.
- The auditor will not detect such material misstatements.
- Risk components: Control, Inherent, Detection

[Slide: Interrelationship of Audit Risk Components]

[Slide: Ideal Audit Time Spending]

Risk Assessment Procedures
- Inquiries of Management and others
- Observations and inspections
- Analytical procedures

Results of Risk Assessment Process
[Chart: Impact on Financials (L to H) against Probability of Risk (L to H)]
Target audit resources where risk is greatest!

Fraud Risk

Components of Fire
- Heat
- Oxygen
- Fuel

Components of Fraud
- Situational opportunity
- Rationalization
- Pressure or motive

Top Management
The ability of top management to override controls significantly increases the likelihood of fraud.

Fraud Comes in Bunches
- Theft
- Check Kiting
- Embezzlement
- Conversion
- Credit Card
- Financial Statement
- Expense Report
- Laundering

The Perfect Crime
Any three people can commit the perfect crime as long as two of the three are dead.

[Slide: Materiality / Immaterial]

Documentation
- Standardized documentation to be practiced
- Importance of documentation

Risk Assessment in Annual Planning: The Tennessee Valley Authority Model
A systemic process designed to yield a comprehensive risk assessment of:
- core business processes
- enabling processes

Risk Assessment in Annual Planning: The Tennessee Valley Authority Risk Planning Model
[Diagram: IDENTIFY AUDIT AREAS; MATERIALITY; Impact on Enterprise Operations; Visibility and Sensitivity; PROBABILITY]

Risk Assessment in Annual Planning: The Tennessee Valley Authority Model

Risk Factors: Materiality (account balances in INR)

| Materiality | Points |
| Audit Area > 100 million | 8-10 |
| Audit Area 10 million to < 100 million | 4-7 |
| Audit Area < 10 million | 1-3 |

Risk Factors: Impact on Operations

| Impact on Operations | Points |
| Significant impact on core business | 8-10 |
| Significant impact on specific program; moderate impact on core business | 4-7 |
| Negligible impact on specific program or core business | 1-3 |

Risk Factors: Public Sensitivity

| Public Sensitivity | Points |
| Likely to result in public or congressional interest | 8-10 |
| May result in public or congressional interest | 4-7 |
| Unlikely to result in public or congressional interest | 1-3 |

Probability Factors

| Probability of Risk | Points |
| High probability of significant issues | 0.8-1.0 |
| Moderate probability of significant issues and high probability of improvement needed | 0.4-0.7 |
| Low probability of significant issues and moderate to low probability of improvement needed | 0.1-0.3 |

Example of Risk Model Assessment

| Potential Audit Subject | Materiality | Impact | Visibility | Subtotal | Probability | Risk Score |
| Asset Capitalisation | 4 | 7 | 5 | 16 | 0.5 | 8.0 |
| Payroll Processing | 7 | 7 | 8 | 22 | 0.6 | 13.2 |
| Bank Transactions | 3 | 5 | 9 | 17 | 0.3 | 5.1 |

Risk-Based Audit Engagements
[Cycle diagram with steps numbered 1 to 6:]
- Develop Audit Objectives & Program
- Understand Processes and Objectives
- Identify Risks
- Evaluate and Prioritize Risks
- Evaluate Controls and Estimate Probability
- Measure Potential Impacts

Largest Bankruptcy Filings (1980 to Present)

| Company | Assets (Billions) | When Filed |
| 1. WorldCom | $101.9 | July, 2002 |
| 2. Enron | $63.4 | Dec., 2001 |
| 3. Texaco | $35.9 | April, 1987 |
| 4. Financial Corp of America | $33.9 | Sept., 1988 |
| 5. Global Crossing | $25.5 | Jan., 2002 |
| 6. Adelphia | $24.4 | June, 2002 |
| 7. United Airlines | $22.7 | Dec. 2002 |
| 8. PG&E | $21.5 | June, 2002 |
| 9. MCorp. | $20.2 | March, 1989 |
| 10. Kmart | $17.0 | Jan., 2002 |

Auditing in the ERP Environments

SAP R/3 Enterprises - Application components (ERP)
SD, MM, PP, CO, FI, AM, QM, PS, PM, WF, IS, HR

RISK ASSESSMENT METHODOLOGY BY A QUANTIFICATION MODEL
Key business processes in Sales and Distribution (SD), Materials Management (MM) and Financial Accounting (FI) need to be studied in detail to identify their vulnerability to threats from within and outside. Based on this and the experience of the internal audit team, risk statements relevant to the businesses are to be captured. For each risk statement, risk impact and risk exposure are to be assessed as under.

Risk impact = Severity x Detection
Risk impact (Severity x Detectability) is to be assessed on a scale of 1-100 (100 being the highest adverse impact).
A. Risk Severity (on a scale of 1-10) is determined based on the weighted average effect on 5 parameters, i.e. (i) PBT, (ii) statutory/regulatory compliance, (iii) strategic value, (iv) financial statement accuracy, (v) reliability/operational effectiveness.
B. Risk Detectability (on a scale of 1-10) is determined based on the stage of detectability of the adverse event, i.e. within the company or from outside customers.

Risk exposure
Risk exposure (likelihood of occurrence) is to be assessed on a scale of 1-10 (10 being most likely). It is determined based on the weighted average effect of 10 parameters responsible for the exposure:
(i) Incorrect source data/data entry
(ii) Incorrect/incomplete execution
(iii) Incorrect/non-verification of output
(iv) Skill/resource constraint
(v) Inadequate segregation of duties
(vi) Lack of system documentation
(vii) Authority norms not defined/followed
(viii) Inappropriate configuration/process logic
(ix) Weak internal/compensating controls
(x) Others (i.e. process complexity, frequency of changes, software limitation, unassignable causes, etc.)

RISK STATEMENTS: SD Examples

| S. No | Risk statement | Severity | Detectability | Impact | Risk exposure | Heat zone |
| 1 | Invoice may be raised without effecting physical delivery of the goods from depot/plant (bill and hold) | 7 | 8 | 56 | 5 | R1 |
| 2 | Sales order may not be executed in time and in full | 4 | 6 | 24 | 3 | Y2 |
| 3 | Debit/credit notes sent to customers may not contain adequate supporting details | 2 | 4 | 8 | 4 | G2 |

RISK STATEMENTS: MM Examples

| S. No | Risk statement | Severity | Detectability | Impact | Risk exposure | Heat zone |
| 1 | Financial authority norms for release of PO may not be mapped into SAP | 4 | 8 | 32 | 6 | R3 |
| 2 | GR may be prepared for a quantity lower/higher than the vendor delivery challan | 4 | 6 | 24 | 4 | Y2 |
| 3 | CENVAT credit availed may be lower than the CENVATABLE excise duty credited to the vendor through invoice verification | 3 | 6 | 18 | 4 | G2 |

RISK STATEMENTS: FI Examples

| S. No | Risk statement | Severity | Detectability | Impact | Risk exposure | Heat zone |
| 1 | Depreciation rates may have been incorrectly set up | 5 | 6 | 30 | 5 | R3 |
| 2 | Vendors' accounts may not have been reconciled/confirmed as per the laid down frequency | 5 | 6 | 30 | 4 | Y2 |
| 3 | Line items (individual entries) clearing may not have been carried out in vendor accounts | 3 | 6 | 18 | 4 | G2 |

RISK STATEMENTS: Examples common to all functions

| S. No | Risk statement | Severity | Detectability | Impact | Risk exposure | Heat zone |
| 1 | SAP transaction authorizations granted to users may not relate to their assigned role/responsibility | 8 | 8 | 64 | 8 | R1 |
| 2 | SAP transactions may be carried out using group IDs, resulting in non-traceability of transactions to any specific individual (employee) | 8 | 8 | 64 | 8 | R1 |
| 3 | Audit trails (chronological log of changes) may not be reviewed/analyzed by process owners | 5 | 8 | 40 | 7 | R3 |

Risk Registers and Heat Maps, Module-wise
Using the risk impact and risk exposure scores worked out above, all possible risk statements (like the 3 examples given for each of SD/MM/FI) need to be prepared in the form of a RISK REGISTER of many pages, and ultimately all risk statement serial numbers are to be plotted on a 1-page HEAT MAP.

[Heat map figure: vertical axis RISK IMPACT with bands HIGH, MEDIUM and LOW; axis values 0, 10, 20, 40; zones labelled R1, R2, R3, Y1, Y2, G1, G3]
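An added example (not part of the original presentation) of the quantification model described above: it recomputes impact as severity x detectability for register rows, flags rows whose recorded impact or scales do not agree with the model, and orders the rows for plotting. The equal parameter weights and the names RiskEntry, check_entry and rank_register are assumptions; the scores are the SD, FI and common-function rows from the risk statement tables.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


def weighted_average(scores: Dict[str, float],
                     weights: Optional[Dict[str, float]] = None) -> float:
    """Weighted average of 1-10 parameter scores (used for severity and exposure).

    The page names the parameters but gives no weights, so equal weights
    are assumed when none are supplied.
    """
    if weights is None:
        weights = {name: 1.0 for name in scores}
    if set(scores) != set(weights):
        raise ValueError("scores and weights must cover the same parameters")
    for name, value in scores.items():
        if not 1 <= value <= 10:
            raise ValueError(f"{name}: score {value} is outside the 1-10 scale")
    total = sum(weights.values())
    if total <= 0:
        raise ValueError("weights must sum to a positive number")
    return sum(scores[n] * weights[n] for n in scores) / total


@dataclass(frozen=True)
class RiskEntry:
    module: str
    sr_no: int
    statement: str
    severity: float          # 1-10
    detectability: float     # 1-10
    exposure: float          # 1-10, likelihood of occurrence
    recorded_impact: Optional[float] = None  # value written in the register

    def impact(self) -> float:
        """Risk impact on the 1-100 scale: severity x detectability."""
        return self.severity * self.detectability


def check_entry(entry: RiskEntry) -> List[str]:
    """Return the integrity problems found in one register row."""
    problems = []
    for field in ("severity", "detectability", "exposure"):
        value = getattr(entry, field)
        if not 1 <= value <= 10:
            problems.append(f"{field}={value} is outside the 1-10 scale")
    if (entry.recorded_impact is not None
            and abs(entry.recorded_impact - entry.impact()) > 1e-9):
        problems.append(f"recorded impact {entry.recorded_impact} "
                        f"!= severity x detectability {entry.impact()}")
    return problems


def rank_register(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Validate every row, then order by impact and exposure, highest first."""
    for entry in entries:
        problems = check_entry(entry)
        if problems:
            raise ValueError(f"{entry.module}-{entry.sr_no}: " + "; ".join(problems))
    return sorted(entries, key=lambda e: (e.impact(), e.exposure), reverse=True)


# Rows copied from the page's risk statement tables.
PAGE_ROWS = [
    RiskEntry("SD", 1, "Invoice raised without physical delivery", 7, 8, 5, 56),
    RiskEntry("SD", 2, "Sales order not executed in time and in full", 4, 6, 3, 24),
    RiskEntry("SD", 3, "Debit/credit notes lack supporting details", 2, 4, 4, 8),
    RiskEntry("FI", 1, "Depreciation rates incorrectly set up", 5, 6, 5, 30),
    RiskEntry("Common", 1, "SAP authorizations not tied to role", 8, 8, 8, 64),
]

if __name__ == "__main__":
    for row in rank_register(PAGE_ROWS):
        print(f"{row.module}-{row.sr_no}: impact={row.impact():g} "
              f"exposure={row.exposure:g}  {row.statement}")
```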


