For example, a smaller entity may not have a written code of conduct but, instead, may have developed a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Domination of management by a single individual in a small entity does not generally, in and of itself, indicate a failure by management to display and communicate an appropriate attitude regarding internal control and the financial reporting process.
For example, a brief memorandum prepared at the completion of the previous audit, based on a review of the working papers and highlighting issues identified in the audit just completed, updated in the current period based on discussions with the owner-manager, can serve as the documented audit strategy
The Guide to Usuing ISAs in the Audits of SMEs is intended to be updated in 2016. This will reflect the changes since the third Guide was published where the IAASB have completed projects on:
Using the Work of Internal Auditors The Auditors Responsibilities Relating to Other Information Auditor Reporting Disclosures
The changes to Auditor Reporting and Disclosures will be effective for audits of financial statements for periods ending on or after December 15, 2016.
In February 2014 IFAC launched the Global Knowledge Gateway, a platform designed to bring together news, views, resources, and thought leadership for the worldwide accountancy profession.
The Gateway Global hub Content from IFAC, our member organizations, and other notable groups and individuals The result of a year-long project to answer the call to better leverage IFAC’s position as the global accountancy organization Designed to serve IFAC’s member organizations and the profession by sharing the valuable resources members produce with a broader, global audience of professional accountants
Allows professionals to access resources from around the world learn about emerging areas of the profession stay connected to the most pressing accountancy issues and news of the day interact by exchanging views, making recommendations, and sharing information and resources.
Ten topic areas: Business reporting Ethics Financial leadership & development Governance Performance and financial management Risk management & internal control Sustainability Audit & assurance Practice management Islamic Finance
The Latest is a bi-weekly newsletter which summarizes the news, resources and discussions added every two weeks. You can tailor the e-mail to focus on some or all of the above areas. To register visit www.ifac.org.
Global Knowledge Gateway www.ifac.org/Gateway Audit & Assurance
Audit & Assurance includes sub topics on: Agreed-upon procedures Audit Compilation Other assurance Quality control Review
On 17 December the IAASB released its Invitation to Comment, Enhancing Audit Quality in the Public Interest: A Focus on Professional Skepticism, Quality Control and Group Audits (the ITC). This ITC highlights the board’s discussions in these three topic areas and indicates potential standard-setting activities that could enhance audit quality. You are invited to ensure the SMP voice is heard. Please see www.iaasb.org for details. The comment period is open to May 16, 2016.
Proportionate Application of ISA™ and ISQC™ 1
Page 1 | Confidential and Proprietary Information
EMPOWERING ASIA’S SMALL &
MEDIUM BUSINESS HUB
SMP Committee Member
Proportionate Application of
ISA™ and ISQC™ 1
CA Sri Lanka-SAFA-IFAC SMP
January 26, 2016
Page 2 | Confidential and Proprietary Information
OVERALL OBJECTIVES OF AN AUDITOR
• Free from material
• Prepared in accordance
with financial reporting
• Report on financial
• Communicate as
required in ISAs
Page 3 | Confidential and Proprietary Information
HOW A STANDARD HELPS THE AUDITOR
express an appropriate opinion
designed to support the auditor in obtaining
reasonable assurance about the financial statements
Objectives, requirements and application and other
Page 4 | Confidential and Proprietary Information
WHEN TO APPLY A STANDARD
ISA is effective;
addressed in the
Auditor to have an understanding of the entire text of
an ISA to apply it properly
Page 5 | Confidential and Proprietary Information
HOW TO USE ISAs IN AUDIT ENGAGEMENT
• Use the OBJECTIVE/s as base for audit planning
• Understand the link between OBJECTIVE/s and
• Identify what needs to be accomplished
• Identify the appropriate means of doing so; and
• Evaluate whether more needs to be done to achieve
• Understand interrelationship between various ISAs
Page 6 | Confidential and Proprietary Information
ISAs vis a vis PROPRTIONAL APPLICATION
SME) and not
the auditor (ie
of an ISA
of the auditor
to apply and
of the ISA is
Page 7 | Confidential and Proprietary Information
• ISAs are designed by the IAASB to be usable for entities of all sizes,
all types and in all jurisdictions. Application guidance sets out specific
ways in which relevant standard might be applied to an SME.
• This can be both indicating a simpler approach or a particular
challenge. For instance, ISA 315 on risk assessment points out both
that in a smaller entity the active involvement of an owner-manager
may mitigate certain risks such as those arising from lack of
segregation of duties in a small entity but may increase other risks
such as risk of override of controls.
• Majority of documentation requirements for ISA audits are set out in
ISA 230 with requirements for specific areas set out in specific
Page 8 | Confidential and Proprietary Information
• It is possible to take a proportionate approach to documentation of
• ISA 230 requires documentation should enable an experienced
auditor, having no previous connection with the audit, to understand
what has been done. It does not require documentation of every
matter considered or professional judgment made or every last
thought by the auditor. Test is whether an experienced auditor can
understand what has been done, not whether someone with no
knowledge of auditing can.
• ISA 200 makes it clear there is no requirement to apply an ISA or
those individual requirements of an ISA which are not relevant to the
audit. If he does not use the work of an expert or there is no internal
audit function, then he does not need to justify why he has not
applied ISA 610/620
Proportionate Application—ISA (cont.)
Page 9 | Confidential and Proprietary Information
SME—DEFINITION IN ISA 200
One or more of these
in a small
Page 10 | Confidential and Proprietary Information
PROPORTIONALITY IN SPECIFIC ISA
ONWARD SLIDES WILL GIVE AN OVERVIEW OF
PROPORTIONALITY IN VARIOUS ISA
(these slides are not intended to be an
exhaustive list of smaller entity audit
considerations envisaged in ISA)
Page 11 | Confidential and Proprietary Information
ISA 230—AUDIT DOCUMENTATION
Pre-conditions for an audit
Requirement—In order to establish whether the preconditions for an audit are
present, the auditor shall, inter alia, obtain the agreement of management that it
acknowledges and understands its responsibility.
Proportional Application—When a third party has assisted with the preparation
of the financial statements, remind management that the preparation of the
financial statements in accordance with the applicable financial reporting
framework remains management’s responsibility.
Page 12 | Confidential and Proprietary Information
ISA 230—AUDIT DOCUMENTATION
Form, Content, and Extent of Documentation
Requirement: The auditor shall prepare audit documentation
that is sufficient to enable an experienced auditor, having no
previous connection with the audit, to understand:
(a) The nature, timing, and extent of the audit procedures
performed to comply with the SAs and applicable legal and
(b) The results of the audit procedures performed, and the audit
evidence obtained; and
(c) Significant matters arising during the audit, the conclusions
reached thereon, and significant professional judgments made in
reaching those conclusions.
Page 13 | Confidential and Proprietary Information
• Audit documentation generally less extensive than that for
the audit of a larger entity.
• Where the engagement partner performs all the audit
work, the documentation will not include matters that might
have to be documented solely to inform or instruct
members of an engagement team, or to provide evidence
of review by other members of the team
• It may be helpful and efficient to record various aspects of
the audit together in a single document, with cross
references to supporting working papers as appropriate.
Page 14 | Confidential and Proprietary Information
ISA 240: THE AUDITOR’S
RESPONSIBILITIES RELATING TO FRAUD
Evaluation of Fraud Risk Factors
Requirement—The auditor shall evaluate whether the information
obtained from the other risk assessment procedures and related activities
performed indicates that one or more fraud risk factors are present.
While fraud risk factors may not necessarily indicate the existence of
fraud, they have often been present in circumstances where frauds have
occurred and therefore may indicate risks of material misstatement due to
Proportional Application—In SMEs, some or all of these considerations
may be inapplicable or less relevant.
In some SMEs, the need for management authorization can compensate
for otherwise deficient controls and reduce the risk of employee fraud.
Page 15 | Confidential and Proprietary Information
ISA 265: COMMUNICATING DEFICIENCIES
IN INTERNAL CONTROL
Requirement—The auditor shall communicate in writing
significant deficiencies in internal control identified during the
audit to those charged with governance on a timely basis.
Application—In the case of audits of smaller entities, the
auditor may communicate in a less structured manner with
those charged with governance than in the case of larger
Page 16 | Confidential and Proprietary Information
ISA 300: PLANNING AN AUDIT OF
Requirement—In establishing the overall audit strategy, the auditor shall
ascertain the nature, timing and extent of resources necessary to perform
Proportional Application—The entire audit may be conducted by a very
small audit team, say, the engagement partner working with one
engagement team member. With a smaller team, co-ordination of, and
communication between, team members are easier.
Establishing the overall audit strategy for the audit of a small entity need
not be a complex or time-consuming exercise; it varies according to the
size of the entity, the complexity of the audit, and the size of the
Page 17 | Confidential and Proprietary Information
Direction, supervision and review
Requirement—The auditor shall plan the nature, timing and extent of direction
and supervision of engagement team members and the review of their work.
Proportional Application—When an audit is carried out entirely by the
engagement partner, questions of direction and supervision of engagement team
members and review of their work do not arise.
Forming an objective view on the appropriateness of the judgments made in the
course of the audit can present practical problems when the same individual also
performs the entire audit.
When particularly complex or unusual issues are involved, and the audit is
performed by a sole practitioner, it may be desirable to consult with other suitably-
experienced auditors or the auditor’s professional body
Page 18 | Confidential and Proprietary Information
ISA 315: Identifying And Assessing The Risk Of
Material Misstatement Through Understanding The
Entity And Its Environment
Requirements—Risk Assessment procedures shall include
Proportional Application—Some SMEs may not have interim or
monthly financial information for analytical procedures. The auditor
may need to plan to perform analytical procedures to identify and
assess the risks of material misstatement when an early draft of
the entity’s financial statements is available
Page 19 | Confidential and Proprietary Information
Discussion among engagement team
Requirements—The engagement partner and other key engagement
team members shall discuss the susceptibility of the entity’s financial
statements to material misstatement, and the application of the applicable
financial reporting framework to the entity’s facts and circumstances.
The engagement partner shall determine which matters are to be
communicated to engagement team members not involved in the
Proportional Application—Many small audits are carried out entirely by
the engagement partner. In such situations, it is the engagement partner
who, having personally conducted the planning of the audit, would be
responsible for considering the susceptibility of the entity’s financial
statements to material misstatement due to fraud or error.
Page 20 | Confidential and Proprietary Information
Measurement and review of the entity’s financial
Requirement—The auditor shall obtain an understanding of, inter alia,
the measurement and review of the entity’s financial performance.
Proportional Application—Smaller entities often do not have processes
to measure and review financial performance.
Inquiry of management may reveal that it relies on certain key indicators
for evaluating financial performance and taking appropriate action.
If such inquiry indicates an absence of performance measurement or
review, there may be an increased risk of misstatements not being
detected and corrected.
Page 21 | Confidential and Proprietary Information
Limitations of internal control
Requirement—The auditor shall obtain an understanding of internal control
relevant to the audit.
Proportional Application—SMEs often have fewer employees which may
limit the extent to which segregation of duties is practicable. However, the owner-
manager may be able to exercise more effective oversight than in a larger entity.
This oversight may compensate for the generally more limited opportunities for
segregation of duties.
Page 22 | Confidential and Proprietary Information
Obtaining understanding of control environment
• Those charged with governance in small entities may not include an
independent or outside member, and the role of governance may be
undertaken directly by the owner-manager where there are no other owners.
• The nature of the control environment may also influence the significance of
other controls, or their absence.
• Audit evidence for elements of the control environment in SMEs may not be
available in documentary form
• Attitudes, awareness and actions of management or the owner-manager are
of particular importance to the auditor’s understanding of a smaller entity’s
Page 23 | Confidential and Proprietary Information
Obtaining understanding of the information system,
including the related business processes, relevant to
financial reporting, and communication
• Information systems and related business processes relevant to financial
reporting in small entities are likely to be less sophisticated than in larger
entities, but their role is just as significant.
• SMEs with active management involvement may not need extensive
descriptions of accounting procedures, sophisticated accounting records, or
• Understanding the entity’s systems and processes may therefore be easier in
an audit of smaller entities, and may be more dependent on inquiry than on
review of documentation.
Page 24 | Confidential and Proprietary Information
Obtaining understanding of control activities relevant to
• The concepts underlying control activities in SMEs would be similar to those
in larger entities, but the formality with which they operate may vary.
• Certain types of control activities are not relevant to SMEs because of controls
applied by management.
• Control activities relevant to the audit of a smaller entity are likely to relate to
the main transaction cycles such as revenues, purchases and employment
Page 25 | Confidential and Proprietary Information
Obtaining an understanding—monitoring of controls
Proportional Application—Management’s monitoring of control is often
accomplished by management’s or the owner-manager’s close involvement in
operations. This involvement often will identify significant variances from
expectations and inaccuracies in financial data leading to remedial action to the
Page 26 | Confidential and Proprietary Information
SA 330: THE AUDITOR’S RESPONSES TO
Audit Procedures Responsive to the Assessed Risks of Material
Misstatement at the Assertion Level
Requirement—In designing the further audit procedures to be performed, the
auditor shall consider the reasons for the assessment given to the risk of material
misstatement at the assertion level for each class of transactions, account
balance, and disclosure and obtain more persuasive audit evidence the higher
the auditor’s assessment of risk.
Proportional Application—There may not be many control activities that could
be identified by the auditor, or the extent to which their existence or operation
have been documented by the entity may be limited. In such cases, it may be
more efficient for the auditor to perform further audit procedures that are primarily
substantive procedures. In some rare cases, however, the absence of control
activities or of other components of control may make it impossible to obtain
sufficient appropriate audit evidence.
Page 27 | Confidential and Proprietary Information
SA 550: RELATED PARTIES
Understanding the Entity’s Related Party Relationships
• TCWG may not include an outside member, and the role of governance may
be undertaken directly by the owner-manager where no other owner exists.
• Control activities likely to be less formal and undocumented processes for
dealing with related party relationships and transactions.
• An owner-manager may mitigate some of the risks arising from related party
transactions, or potentially increase those risks, through active involvement in
all the main aspects of the transactions.
• Auditor may obtain an understanding through inquiry of management
combined with other procedures, such as observation of management’s
oversight and review activities, and inspection of available relevant
Page 28 | Confidential and Proprietary Information
Identified Significant Related Party Transactions outside
the Entity’s Normal Course of Business
• SME may not have the same controls provided by different levels of authority
and approval that may exist in a larger entity.
• Auditor may rely to a lesser degree on authorization and approval for audit
evidence regarding the validity of significant related party transactions outside
the entity’s normal course of business.
• Instead, consider performing other audit procedures such as
– inspecting relevant documents,
– confirming specific aspects of the transactions with relevant parties
– observing the owner-manager’s involvement with the transactions
Page 29 | Confidential and Proprietary Information
SA 570: GOING CONCERN
The period of Management’s Assessment
Requirement—The auditor shall evaluate management’s assessment of the
entity’s ability to continue as a going concern.
Proportional Application—SMEs may not have prepared a detailed assessment
of the entity’s ability to continue as a going concern, but instead may rely on in-
depth knowledge of the business and anticipated future prospects.
• Auditor may discuss the medium and long-term financing of the entity with
management, provided that management’s contentions can be corroborated
by sufficient documentary evidence and are not inconsistent with the auditor’s
understanding of the entity.
• Continued support by owner-managers is often important to smaller entities’
ability to continue as a going concern. Where a small entity is largely financed
by a loan from the owner-manager, it may be important that these funds are
Page 30 | Confidential and Proprietary Information
NOT AMENABLE TO PROPORTIONAL
APPLICATION IN SMEs
• ISA 250—Consideration of Laws and Regulations in an
Audit of Financial Statements
• ISA 450—Evaluation of Misstatements Identified During
• ISA 500—Audit Evidence
• ISA 700, 705 & 706 – relating to formation of auditor’s
opinion and contents of an audit report
Page 31 | Confidential and Proprietary Information
ISQC 1: PROPORTIONAL APPLICATION TO SMPs
• Applicability of ISQC 1—Compliance not expected for
requirements that do not apply to smaller firms/sole
• Documentation of QC Policies—Documentation and
communication of policies and procedures for smaller
firms may be less formal and extensive than for larger
• Human Resources—Smaller firms, in particular, may
employ less formal methods of evaluating the performance
of their personnel
Page 32 | Confidential and Proprietary Information
• Consultation—SMP needing to consult externally, for example, a
firm without appropriate internal resources, may take advantage of
advisory services provided by Other firms; Professional and regulatory
bodies; or Commercial organizations that provide relevant quality
• Engagement QC Reviewer
– Engagement partner in SMP may not to able be avoid involvement
in selecting the engagement quality control reviewer.
– Suitably qualified external persons may be contracted SMP
identifies engagements requiring engagement QC reviews.
Alternatively, some sole practitioners or small firms may wish to
use other firms to facilitate engagement quality control reviews
Page 33 | Confidential and Proprietary Information
– In SMPs, monitoring procedures may need to be performed by
individuals who are responsible for design and implementation of
the firm’s QC policies and procedures, or who may be involved in
performing the engagement quality control review.
– SMP with a limited number of persons may choose to use a
suitably qualified external person or another firm to carry out
engagement inspections and other monitoring procedures.
– Alternatively, SMP may establish arrangements to share resources
with other appropriate organizations to facilitate monitoring
Page 34 | Confidential and Proprietary Information
• Complaints & Allegations
– In SMPs, the partner supervising the investigation not be same as
the engagement partner for the engagement.
– SMPs may use the services of a suitably qualified external person
or another firm to carry out the investigation into complaints and
– SMPs may use more informal methods in the documentation of
their systems of quality control such as manual notes, checklists
Page 35 | Confidential and Proprietary Information
ISA Guide Volume 1
• Fundamental concepts of a risk-based
audit in conformance with the ISAs
ISA Guide Volume 2
• Practical guidance on performing SME
audits. Includes two illustrative case
studies—one of an SME audit and one
of a micro-entity audit
Page 36 | Confidential and Proprietary Information
Knowledge Sharing—Implementation (cont)
• QC Guide
• Helps SMPs apply ISQC 1
guidance, case study, two
sample QC manuals and
• Reference, training,
customize manuals and
Page 37 | Confidential and Proprietary Information
• Global Knowledge Gateway
• News, views, resources,
• 10 topic areas including Audit &
Management and Ethics
IFAC Global Knowledge Gateway I
Page 38 | Confidential and Proprietary Information
IFAC Global Knowledge Gateway II
Page 39 | Confidential and Proprietary Information
IAASB ENHANCING AUDIT QUALITY ITC
• The IAASB has released
its Invitation to
Comment, Enhancing Audit
Quality in the Public
Interest: A Focus on
Quality Control and Group
Audits (the ITC).
• The comment period is
open through May 16,
Page 40 | Confidential and Proprietary Information
• Staff Q&A, Applying ISAs Proportionately with the Size and
Complexity of an Entity: http://www.ifac.org/publications-
• Staff Q&A, Applying ISQC 1 Proportionately with the Nature and
Size of a Firm:
• The Clarified ISAs—Findings from the Post-Implementation
Page 41 | Confidential and Proprietary Information
• Guide to Using International Standards on Auditing in the Audits of Small- and
Medium-Sized Entities (Third Edition) (incl. companion manual and slides):
• Guide to Quality Control for Small- and Medium-Sized Practices (Third Edition)
(incl. companion manual and slides): www.ifac.org/publications-resources/guide-
• Boosting the Quality and Efficiency of Smaller Entity Audits article:
• Tips for Cost-Effective ISA Application article: https://www.ifac.org/publications-
• Tips for Cost-Effective ISQC 1 Application article: