Audits of SMEs - Sometimes Less is More


Published on

Keeping up with standards and regulation is biggest challenge facing SMPs. Insight from IFAC SMP Quick Poll Findings and tips for audit efficiency are discussed in this presentation by Mats Olsson, Member, IFAC Small and Medium Practices Committee, at the KibR Seminar in Warsaw on November 7, 2013.

Published in: Business
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • ISAs acknowledge that the appropriate exercise of professional judgment is essential to the proper conduct of an audit. Professional judgment is necessary, in particular, regarding decisions about the nature, timing, and extent of audit procedures used to meet the requirements of the ISAs and gather audit evidence.However, while the auditor of an SME needs to exercise professional judgment, this does not mean that the auditor can decide not to apply a requirement of an ISA except in exceptional circumstances and provided that the auditor performs alternative audit procedures to achieve the aim of the requirement.
  • The auditor need not be concerned with ISAs that are not relevant to the audit. Nevertheless, it is necessary that the auditor understands the scope of each ISA to determine whether it is relevant or not in the circumstances.
  • The auditor’s objectives are the same for audits of entities of different sizes and complexities. This, however, does not mean that every audit will be planned and performed in exactly the same way. The requirements of the ISAs, therefore, focus on matters that the auditor needs to address in an audit and do not ordinarily detail the specific procedures that the auditor should perform.ISA 330 paragraph 8 The Auditor’s Response to Assessed Risk paragraph 8 states that “The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating effectiveness of relevant controls if the auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive procedures)”.ISA 220 paragraphs 19-21 Quality Control for an Audit of Financial Statements paragraphs 19 -21 all relate to an Engagement Quality Control Review, which are required for all audits of financial statements of listed entities.
  • The objective of ISA315 is critical and underpins every audit engagement regardless of size. The requirement in ISA 315 is for the auditor to obtain an understanding of the entity and its environment. While the audit considerations underlying this requirement will be equally relevant for both large and small entities, the typically simpler structure and processes in an SME often mean that the auditor may obtain an understanding of the entity and its environment quite readily and document this in a straightforward manner. This is emphasized several times in the ISAs e.g. “Smaller entities may use less structured means and simpler processes and procedures to achieve their objectives” (ISA 315, paragraph A45).ISAs allow for an effective and efficient audit. The ISAs explain that the appropriate audit approach for designing and performing audit procedures depends on the auditor’s risk assessment. For example, in the context of an SME audit where there are not many control activities in the SME that can be identified by the auditor, the auditor may decide that it is efficient to perform further audit procedures that are primarily substantive procedures (ISA 330, paragraph A18).
  • ISAs also include useful guidance that assists the auditor in understanding or applying specific requirements in the ISAs in the context of an SME audit. Analytical proceduresFor example, because interim or monthly financial information may not be available in an SME for purposes of analytical procedures to identify and assess the risks of material misstatement, the auditor may need to plan to perform analytical procedures when an early draft of the entity’s financial statements becomes available (ISA 315, paragraph A10).DocumentationFor example, “the form, content, and extent of documentation depend on various factors, including the size and complexity of the entity”, and the audit methodology and technology used in the audit (ISA 230, paragraph A2, ISA 315, paragraph A131.“The documentation for the audit of a smaller entity is generally less extensive than that for the audit of a larger entity (ISA 230, paragraph A16). “Documentation may be simple and relatively brief” (ISA 315, paragraph A132).ISAs provide examples of how the documentation in an SME audit can be approached in an efficient and effective manner, e.g. - The documentation of the understanding of the entity may be incorporated in the auditor’s documentation of the overall strategy and audit plan. Similarly, the results of the risk assessment may be documented as part of the auditor’s documentation of further procedures (ISA 315, paragraph A131)
  • The objective of implementing a system of quality control is the same for all firms regardless of their nature or size. However, this does not mean that all firms have to design and implement exactly the same specific policies and procedures, or policies and procedures at the same level of detail, to achieve the objective and requirements of ISQC 1. Smaller firms will find that effective and proportionate implementation may be best achieved by first studying the provisions of ISQC 1 and then, in light of the nature and size of a firm and the services thefirm provides, developing policies and procedures tailored to the firm’s circumstances.The ISQC does not call for compliance with requirements that are not relevant (ISQC 1 paragraph 14).Explains that smaller firms may use more informal methods in the documentation of their systems of quality control such as manual notes, checklists and forms (ISQC 1 paragraph A75).Firms can draw on external resources to meet some of the requirements of ISQC 1. For example, in relation to the requirements of ISQC 1 addressing the need for sufficient personnel with the competence and capabilities to perform engagements in accordance with professional standards, firms may use a suitably qualified external person, for example, when internal technical and training resources are unavailable. Often, this will likely be an effective (and cost effective) way to achieve the aims of the requirements.
  • There are a number of practical steps which could be considered for improving audit efficiencies. AutomationAutomating the audit practice provides an opportunity to improve audit quality at both firm-wide and individual engagement levels. At the firm level, setting up standardized templates helps ensure that all phases have been completed in every audit. Customized checklists can be updated as needed and incorporated into individual engagement files at the beginning of every engagement. It is important that every file is customized for the individual client. The generic firm template is a great place to start, but it is only a start. SoftwareWhen using commercially available software SMPs engagements, you can roll forward last year’s electronic file almost instantly and have ‘mapped’ trial balance codes for efficiency if generating the financial statements. You can also e-mail an engagement letter and list of deliverables required when you visit the client at the beginning of the audit. If you import data from one application program to another, data conversion errors should be eliminated and grouping and arithmetical errors can be minimized.PlanningThe essential component for an efficient audit is proper planning and organisation both from the perspective of the audit firm and the business. It is important that the timeframe is agreed in advance with clearly specified delivery dates. The field work should be scheduled and the board meeting to sign the accounts agreed. A list of client deliverables should be provided by the audit firm. The initial planning meeting should be scheduled in advance. Risk based approachThe audit team should focus on working smarter, not harder. The work should be concentrated on the key risk areas with the level and amount of work tailored accordingly. A thorough analytical review should be undertaken which identifies the key risks and the level of testing that will be performed on these and other areas. This review should include scoping out of balances which are fully understood and would not lead to a material misstatement. When considering the audit approach, sometimes less is more. The audit team should limit procedures on areas considered to be low risk and focus attention and time on significant risks or historical areas known to cause issues. Staff training/ supervisionThe audit firm must ensure that their staff are resourced at the correct level and that more junior team members receive adequate supervision to complete the work to a high standard. Senior reviews of the testing must be scheduled in a timely manner, so any open points are closed when the audit team is onsite and not later at greater cost. CommunicationRegular, effective communication is important for individuals in audit team and the business. A daily tracker with open queries is useful tool to facilitate these conversations. As a result any issues will also be discussed early, so there is less likelihood of last minute changes and late surprises.
  • Audits of SMEs - Sometimes Less is More

    1. 1. Page 1 | Confidential and Proprietary Information Audits of SMEs – Sometimes Less is More Mats Olsson Member, IFAC Small and Medium Practices Committee KibR Seminar, Warsaw November 7, 2013
    2. 2. Page 2 | Confidential and Proprietary Information Agenda • Insights from IFAC SMP Quick Poll • SMP Committee – Input to Standard Setting (IAASB) • Proportional application of ISAs and ISQC 1 – ISAs 200, 210, 315 and ISQC 1 • Tips for Audit Efficiency • IFAC Resources – Knowledge Sharing / Implementation
    3. 3. Page 3 | Confidential and Proprietary Information IFAC SMP Quick Poll Findings • Keeping up with standards and regulation is biggest challenge facing SMPs • Pace of change was that aspect of standards and regulation that posed the greatest challenge for SMPs • Audit & assurance were the types of standards and regulation that posed the 2nd greatest challenge for SMPs
    4. 4. Page 4 | Confidential and Proprietary Information Input to Standards (IAASB) • Robust and regular input on key projects – Proportionality/scalability is key consideration – Comment letter on A Framework for Audit Quality CP (May) – Comments on ISA Implementation Monitoring project (April) • Response to IAASB strategy survey (April) – Need for stable platform but….. – Internal controls and documentation may be insufficiently scalable – ISQC 1 needs to be more risk-based and proportionate – Need for impact analysis and post-implementation reviews
    5. 5. Page 5 | Confidential and Proprietary Information Proportional Application of ISAs and ISQC 1 I • ISAs - Overview – New structure in which information is presented in separate sections: Introduction, Objective, Definitions, Requirements and Application and Other Explanatory Material – Emphasis on professional judgment, the standards are principles based which allows practitioners to tailor audit procedures – Contain special considerations for smaller entity audits – Some ISAs only apply to larger entity audits – Many requirements may not be relevant to SME audits
    6. 6. Page 6 | Confidential and Proprietary Information Proportional Application of ISAs and ISQC 1 II • ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing – The practitioner needs to comply with all ISAs relevant to the audit and with all requirements in ISAs relevant to the audit – A complete knowledge of all the standards is essential in order to make a professional judgment as to what to leave out
    7. 7. Page 7 | Confidential and Proprietary Information Proportional Application of ISAs and ISQC 1 III • Examples of some of the ISAs that would not be relevant in an SME audit include: – ISA 402 Audit Considerations Relating to an Entity Using a Service Organization if the SME does not use a service organization – ISA 510 Initial Audit Engagements – Opening Balances if the SME is a continuing, and not an initial, engagement – ISA 600, Special Considerations – Audits of Group Financial Statements (Including the Work of Component Auditors) if the SME audit engagement is not a group audit – ISA 610 Using the Work of Internal Auditors if the SME has no internal audit function
    8. 8. Page 8 | Confidential and Proprietary Information Proportional Application of ISAs and ISQC 1 IV • ISA 200 continued: – Not all ISAs are relevant to every audit as the standards are designed to cover audits in every situation globally. For example, it is possible that there are requirements which are not relevant to some SME audits including: – requirements to test the expectation that controls are operating effectively (ISA 330) – requirements when an engagement needs an engagement quality control review (ISA 220)
    9. 9. Page 9 | Confidential and Proprietary Information Proportional Application of ISAs and ISQC 1 • ISA 210 Agreeing the Terms of Audit Engagements – Paragraph 6, agreeing the terms of engagement with management and paragraphs 9 and 10 which require you to communicate the terms in writing to management in a letter will be applicable in every engagement – Paragraphs 7 and 8 deal with an imposed scope limitation and the situation where the preconditions do not exist. Paragraphs 14 – 17 deals with changes to the terms of engagement in mid-audit and paragraphs 18 - 21 the situation where laws and regulation supersede the ISAs • It is important to know what the requirements are, but these situations are also likely to be far and few between for most SME audits
    10. 10. Page 10 | Confidential and Proprietary Information Proportional Application of ISAs and ISQC 1 V • ISA 210 Agreeing the Terms of Audit Engagements continued – To summarize, of the 16 requirements in IAS 210, paragraphs 6, 9 and 10 are critical and will apply in every engagement. For SMPs, knowing they have to deal with 3 main requirements out of 16 is a lot less daunting than considering all 16 every time.
    11. 11. Page 11 | Confidential and Proprietary Information Proportional Application of ISAs and ISQC 1 VI • ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment – The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. • Focus on Significant risks – effectiveness and efficiency – Understand the business – important from an engagement risk perspective – Identify significant risks up front and focus audit effort on these
    12. 12. Page 12 | Confidential and Proprietary Information Proportional Application of ISAs and ISQC 1 VII • ISA 315 focus on Significant risks – effectiveness and efficiency continued – Substantive tests are required for each material class of transactions, account balances and disclosures, but tests of details only required for significant risks – Consider analytical procedures (follow requirements of ISA 520 Analytical Procedures) for non-significant risk items where appropriate – Use professional judgment to determine what substantive tests to use on items not considered significant risks – ISAs explicitly encourage the auditor to exercise professional judgment in determining the form and extent of documentation – they acknowledge extent may vary depending on the circumstances
    13. 13. Page 13 | Confidential and Proprietary Information Proportional Application of ISAs and ISQC 1 VIII • ISQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Statements and Other Assurance and Related Services Engagements – Applies to firms of all sizes that provide services covered by the IAASB’s International Standards – Requirement for the firm to comply with each requirement of the standard unless, in the circumstances of the firm, the requirement is not relevant to the services provided… – Contains special considerations for smaller practices – Indicates that the form and content of documentation evidencing the operation of each of the elements of the system of quality control is a matter of judgment and depends on the size, nature and complexity of the firm and number of offices
    14. 14. Page 14 | Confidential and Proprietary Information Tips for Audit Efficiency • Automation – standardized templates and customized checklists • Software – utilizing commercially available products • Planning – timeframe, list of deliverables, client meeting • Risk based approach – in line with ISAs • Staff training/ supervision • Communication
    15. 15. Page 15 | Confidential and Proprietary Information Knowledge Sharing – Implementation • Building and sharing knowledge, including access to resources and tools, amongst member bodies and SMPs – Implementing standards (incl. ISAs, ISQC 1) – Insight articles (e.g., efficiently auditing SMEs, review engagements) – Comprehensive guides on how to efficiently implement ISAs and ISQC 1 (guidance, case studies, checklists etc.) – Guide to Review Engagements (Dec. 2013) – Suite of links to free resources from member bodies
    16. 16. Page 16 | Confidential and Proprietary Information Knowledge Sharing – Implementation II ISA Guide Volume 1 • Fundamental concepts of a risk- based audit in conformance with the ISAs ISA Guide Volume 2 • Practical guidance on performing SME audits. Includes two illustrative case studies—one of an SME audit and one of a micro-entity audit
    17. 17. Page 17 | Confidential and Proprietary Information Knowledge Sharing – Implementation III • QC Guide • Helps SMPs apply ISQC 1 proportionately and efficiently. Includes guidance, case study, two sample QC manuals and checklists • Reference, training, customize manuals and checklists
    18. 18. Page 18 | Confidential and Proprietary Information References – General  IFAC SMP Committee website:  IFAC SMP Twitter: (please follow us)  IFAC SMP Community: (please join us)  IFAC SMP Quick Poll: Mid-Year 2013: quick-poll-mid-year-2013 (please take the Nov./Dec. 2014 poll)  Resources and tools (all): committee/smp-resources-and-tools  IFAC Translations and Permissions: • Links to implementation of ISAs resources:,Audit • Links to implementation of ISQC 1 resources:,Quality%20Control
    19. 19. Page 19 | Confidential and Proprietary Information References – IAASB • Staff Q&A, Applying ISAs Proportionately with the Size and Complexity of an Entity: proportionately-size-and-complexity-ent • Staff Q&A, Applying ISQC 1 Proportionately with the Nature and Size of a Firm: ortionality_FINAL.pdf • The Clarified ISAs—Findings from the Post-Implementation Review: review
    20. 20. Page 20 | Confidential and Proprietary Information References – Knowledge Sharing - Implementation • Guide to Using International Standards on Auditing in the Audits of Small- and Medium- Sized Entities (Third Edition) (incl. companion manual and slides): audits-small-and-medium-sized-en • Guide to Quality Control for Small- and Medium-Sized Practices (Third Edition) (incl. companion manual and slides): small-and-medium-sized-practices-third-edition-0 • Boosting the Quality and Efficiency of Smaller Entity Audits article: audits • Tips for Cost-Effective ISA Application article: resources/tips-cost-effective-isa-application • Tips for Cost-Effective ISQC 1 Application article: resources/tips-cost-effective-isqc-1-application
    21. 21. Page 21 | Confidential and Proprietary Information Thank You