
The EISA Audit
A Continuous Improvement Approach
to Audit Methodology
Audit Agenda
• Governance of EISA Audit
• Overview of recent
evolution of EISA Audit
• Overview key elements of
EISA Audit
– Acceptance and
Continuance
– Audit Comfort Cycle
– Substantive Procedures
– Other Audit Procedures
– Audit Committee
Communications Plan
2
3
EISA Audit Governance
Global Audit Policy Board
Establish global overarching
policy principles & goals
and ratify policy statements.
Global R&Q
Ensure methodology is consistently
implemented by providing feedback
on practice issues.
Global Audit Methodology Steering Group
Drive execution of policy in practice through
processes, tools, guidance, training content, etc.
Implementation Partner Network
4
Towards Performance Audit:
a continuous improvement program
EISA
Audit
EISA
Audit
• Audit Comfort
Cycle
• Management
controls focus
• Show me and
Taking stock
• Team re-
deployment
2004:
Historical Financial
Statements Opinion
Changes in Deliverables
• Business
analysis
framework
• Enhanced audit
guides/ practices
• Scaling up -
different client
situations
• MyClient
integration
2005:
• Converged
approach,
enhanced testing
guidance
• Enhanced client
communications,
transparency focus
• Application to
small companies/
MNCs
• Better use of
specialists and
knowledge sources
2006:
Time
5
Changing the Focus of the Audit Model
[Diagram labels: Audit Risks; Identified Risk; Key Risk (repeated); Business Risks]
6
EISA Audit in 2004
• Acceptance and Continuance (FRISK)
• Audit Comfort Cycle
– Scoping
– Understanding
– Evaluating
– Validating
• Substantive Testing
• Other Audit Procedures
• Audit Committee Communications Plan
7
EISA Audit Approach
•Other audit procedures
•Financial statements
•Completion
No / Limited
controls
comfort
Significant
controls
comfort
Other audit evidence
Mainly tests of details
Mainly substantive analytical procedures
Audit
Comfort
Cycle
Acceptance/Continuance Assessment
8
EISA Audit Approach – With
Attestation
•Other audit procedures
•Financial statements
•Completion
No / Limited
controls
comfort
Significant
controls
comfort
Other audit evidence
Mainly tests of details
Mainly substantive analytical procedures
Audit
Comfort
Cycle
Broader and deeper assessment of COSO
controls over financial reporting, including
management’s evaluation of those controls.
e.g., estimates, fraud, tax accrual, more
locations.
Additional procedures deemed necessary
to provide independent assurance on
financial statements, taking into
consideration the internal controls
assessment.
Report on management’s assertions on
internal controls over financial reporting
Report on Financial Statements
Acceptance/Continuance Assessment
9
Acceptance & Continuance Process
• Governance and oversight of management
• Past performance
• Management’s expertise and skill
• Adequacy of management resources
• Audit relationship
• Audit adjustments
• Revenue recognition
• Accounting control
• Integrity and ethics
• Management inclination for intentional misstatement in financial reporting
• Reliability of estimates
• Incentive for intentional misstatements in financial reporting
• Risk of insolvency
10
Acceptance & Continuance Process
Risk Conditions (13)
(defined within Acceptance & Continuance module)
Key Risks
(user defined or selected from Master Data)
Engagement Leader and Team Manager apply professional judgment in describing specific Key Risks that relate to the broader Risk Conditions
Risk and Approach Schedule
The Risk and Approach Schedule is populated by the Key Risks selected and completed by the Engagement Leader and Team Manager
1
2
3 MyClient
Client File
Audit Comfort
Matrix
11
Audit Comfort Cycle
4 Key Questions
• What does management
need to get comfort on?
• How does management
get comfort?
• Are they entitled to that
comfort?
• Can we audit that comfort?
[Diagram: Audit comfort cycle (Market Overview, Strategy, Value Creating Activities, Financial Performance). Other labels: Acceptance/Continuance Assessment; No/Limited Controls Comfort; Significant Controls Comfort; Mainly Tests of Details; Mainly Substantive Analytical Procedures; Substantive Audit Evidence; Other Audit Procedures; Financial Statements; Completion]
12
Audit Comfort Cycle
[Diagram: Audit comfort cycle (Market Overview, Strategy, Value Creating Activities, Financial Performance). Other labels: Acceptance/Continuance Assessment; No/Limited Controls Comfort; Significant Controls Comfort; Mainly Tests of Details; Mainly Substantive Analytical Procedures; Substantive Audit Evidence; Other Audit Procedures; Financial Statements; Completion]
• What does management
need to get comfort on?
13
Scoping: Forming a Point of View
• Perform company and industry analytical procedures
• Research and analyze external communications
• Partners connect with staff members
• Document the team’s understanding of the business
• Knowledge broker to capture and share industry
information
• Form a point of view on the risks that management
should be concerned about
14
Scoping:
Business Analysis Framework
15
Scoping:
Risk Assessment – Key Risks
Key Risk
We identify audit risk
through understanding
the entity’s business
objectives and related
risks.
Business
Risks
Audit
Risks
Key Risk
Key Risk
Key Risk
Key Risk
Key risks are those conditions or
factors within an audit that, in
the judgment of the auditor, give
rise to a greater risk of material
financial misstatement or other
matters resulting in the issuance
of an inappropriate audit report.
16
Scoping: Analytical Procedures
• High Level
– Understand the business
– Identify areas of risk
• Disaggregated Account Level
– Determine the nature, timing & extent of testing
• External benchmarking to peers, market trends
– Looking for anomalies, areas of risk
– Use of extensive knowledge management tools
available
17
Scoping Translated into Audit Strategy
Where controls over significant account balances or classes of transaction are not
aligned, we will need to perform substantive tests of details.
Stakeholders
Risks Controls
Alignment
Business
Objectives
18
Scoping: Audit Team of Specialists
Our best teams use our specialist capabilities to help in forming a point of view.
Stakeholders
Business
Objectives
Financial
Risk
Business
Process
Enterprise-wide
Risk
Systems &
Technology
Energy Trading
Risk
Business
Resilience
Project
Management
Internal Audit
Security
Data Risk
Regulatory/
Compliance
Performance
Improvement
Treasury
Risks Controls
Alignment
Computer-Assisted Audit
Techniques
Fraud
19
Scoping: Use of Specialists
• Policies for the use of Systems and Process
Assurance specialists and Fraud Risk & Controls
specialists are based around risk attributes
• Policies are for consultation with specialists – level
of involvement remains a decision of engagement
leader
• At a minimum, required to consider use of
specialists at mobilization stage
20
Audit Comfort Cycle
4 Key Questions
• What does management
need to get comfort on?
[Diagram: Audit comfort cycle (Market Overview, Strategy, Value Creating Activities, Financial Performance). Other labels: Acceptance/Continuance Assessment; No/Limited Controls Comfort; Significant Controls Comfort; Mainly Tests of Details; Mainly Substantive Analytical Procedures; Substantive Audit Evidence; Other Audit Procedures; Financial Statements; Completion]
• How does
management get
comfort?
• Are they entitled to
that comfort?
• Can we audit that
comfort?
21
Applying Audit Comfort Cycle
from the Top-Down
• Organize audit team to align
with how management runs
the business.
• Extend discussions about
business objectives & risk
to management controls.
• Understand & evaluate how
management controls risk.
• Validate controls against
engagement team’s point of
view.
Audit controls
from the
top down
Board
Sr Mgmt
Department
Heads
Operations
Transaction Processing
22
“Taking Stock”: Real-Time Linkage in
the Iterative Process
• Share team members’ cumulative knowledge
• Update risk identification and assessment
• Consider the audit comfort gained to date, by audit
assertion
• Answer: “Do we have enough comfort?”
• Answer: “What do we do next?”
23
Business
Risks
related to
achieving
Objectives
•……
•……
•……
Business Process A
• Completeness
• Accuracy
• Validity
• Restricted Access
Business Process B
• Completeness
• Accuracy
• Validity
• Restricted Access
Business Process C
• Completeness
• Accuracy
• Validity
• Restricted Access
Account
Balances and
Transactions
Account
Balances and
Transactions
General Computer Controls
Account
Balances and
Transactions
Connecting the Dots …
Business Objectives
Financial Statement
Assertions/
Audit Objectives
Classes of
Transactions
• Occurrence
• Completeness
• Accuracy
• Cutoff
• Classification
Account Balances
• Rights &
Obligations
• Existence
• Completeness
• Accuracy/Valuation
Presentation &
Disclosure
• Occurrence/R&O
• Completeness
• Understandability
• Accuracy/Valuation
24
Audit Comfort Matrix
25
Summary of Comfort
26
Substantive Audit Evidence
[Diagram: Audit comfort cycle (Market Overview, Strategy, Value Creating Activities, Financial Performance). Other labels: Acceptance/Continuance Assessment; No/Limited Controls Comfort; Significant Controls Comfort; Mainly Tests of Details; Mainly Substantive Analytical Procedures; Substantive Audit Evidence; Other Audit Procedures; Financial Statements; Completion]
27
Achieving the Right Balance
No/Limited Controls Comfort Significant Controls Comfort
28
Assurance Hierarchy
Will we obtain audit assurance from
tests of controls?
Test controls.
No further testing
required.
Can we obtain audit assurance from
substantive analytical procedures?
Perform substantive
analytical procedures.
Perform tests of
details.
Do we need additional
audit assurance?
No
Yes
No
No
Yes
Yes
29
Other Audit Procedures
[Diagram: Audit comfort cycle (Market Overview, Strategy, Value Creating Activities, Financial Performance). Other labels: Acceptance/Continuance Assessment; No/Limited Controls Comfort; Significant Controls Comfort; Mainly Tests of Details; Mainly Substantive Analytical Procedures; Substantive Audit Evidence; Other Audit Procedures; Financial Statements; Completion]
30
Other Audit Procedures:
More Connecting the Dots
• Link management information to financial statements
• Review adjustments necessary to reconcile
management information to the financial statements
• Review non-standard journal entries and other
adjustments to ascertain whether entries may be
indicative of fraud based upon the risk of management
override on controls
• Perform ongoing analytical procedures, including
updating analytical procedures related to revenue
31
Audit Committee Communications
Framework: Objectives
• Promote effective and candid communications
• Enhance timely reporting, dialogue and sharing
views
– Service approach
– Risk and Control
– Financial Reporting
– Governance
• Provide consistency in our deliverables through
recommended templates and practice aids
32
Service
approach
Risk and
control
Financial
reporting
Governance
Ongoing assessment of needs & expectations
[Indicate timing] [Indicate timing] [Indicate timing] [Indicate timing]
Understanding the audit Staying informed Resolution and completion
Corporate
governance:
roles and
practices
Internal
control and
business
issues
report
Assessing
our
performance
and yours
– Reporting timetable
– Business unit
scope
– Engagement team
– Other deliverables
Risk analysis
Perspectives on
fraud risk
Other regulatory
requirements –
plan
Our audit plan
Communications
plan
Risk condition
alert
Transparency
of corporate
reporting
Reporting
requirements
– Internal control
deficiencies
– Accounting
policies
– Management
judgments
– Quality of
earnings
– Independence
– Transparency
Audit
opinion
Best
practices in
corporate
reporting
Audit
principles and
practices
Engagement
letter and
independence
confirmation
Update on
accounting/audit
issues and risk
analysis
Quarterly
review
Quarterly
review
Quarterly
review
Getting started
Audit Committee Communications Plan
33
The EISA Audit
• Global approach adaptable to all clients
• Designed for continuous improvement
• Performance metrics will play a larger role in future
audits
• Audit quality is at the core of our long term
business objectives.


More Related Content

What's hot

IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubKaushal Trivedi
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
Strategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightStrategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightProformative, Inc.
 
Project risk management - Methodology and application
Project risk management - Methodology and applicationProject risk management - Methodology and application
Project risk management - Methodology and applicationMarco De Santis, PMP, CFPP
 
Governance - Project Management Office Professional Services
Governance - Project Management Office Professional ServicesGovernance - Project Management Office Professional Services
Governance - Project Management Office Professional ServicesMark S. Mahre
 
Internal Audit Report Writing Best Practice
Internal Audit Report Writing Best PracticeInternal Audit Report Writing Best Practice
Internal Audit Report Writing Best PracticeDJones68
 
Topic 14 - Project Team Management.pdf
Topic 14 - Project Team Management.pdfTopic 14 - Project Team Management.pdf
Topic 14 - Project Team Management.pdfHuyNguyen657394
 
El Portico de la gloria ( comentario)
El Portico de la gloria ( comentario)El Portico de la gloria ( comentario)
El Portico de la gloria ( comentario)moracalvom
 
Metrics-Based Process Mapping: Part 2 of 3
Metrics-Based Process Mapping: Part 2 of 3Metrics-Based Process Mapping: Part 2 of 3
Metrics-Based Process Mapping: Part 2 of 3TKMG, Inc.
 
Chap 1 Modern Project Management
Chap 1 Modern Project ManagementChap 1 Modern Project Management
Chap 1 Modern Project Managementproject management
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessmentManoj Agarwal
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOXMahesh Patwardhan
 
Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Nidhi Gupta
 
Introduction To Risk Management PowerPoint Presentation Slides
Introduction To Risk Management PowerPoint Presentation SlidesIntroduction To Risk Management PowerPoint Presentation Slides
Introduction To Risk Management PowerPoint Presentation SlidesSlideTeam
 
Metrics-Based Process Mapping - Part 3 of 3 (Product Demo)
Metrics-Based Process Mapping - Part 3 of 3 (Product Demo)Metrics-Based Process Mapping - Part 3 of 3 (Product Demo)
Metrics-Based Process Mapping - Part 3 of 3 (Product Demo)TKMG, Inc.
 

What's hot (20)

IT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit ClubIT General Controls Presentation at IIA Vadodara Audit Club
IT General Controls Presentation at IIA Vadodara Audit Club
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Strategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management RightStrategic Risk Management as a CFO: Getting Risk Management Right
Strategic Risk Management as a CFO: Getting Risk Management Right
 
COSO 2013 and The Auditor
COSO 2013 and The AuditorCOSO 2013 and The Auditor
COSO 2013 and The Auditor
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016
 
Project risk management - Methodology and application
Project risk management - Methodology and applicationProject risk management - Methodology and application
Project risk management - Methodology and application
 
Governance - Project Management Office Professional Services
Governance - Project Management Office Professional ServicesGovernance - Project Management Office Professional Services
Governance - Project Management Office Professional Services
 
Andrea Palladio
Andrea PalladioAndrea Palladio
Andrea Palladio
 
Internal Audit Report Writing Best Practice
Internal Audit Report Writing Best PracticeInternal Audit Report Writing Best Practice
Internal Audit Report Writing Best Practice
 
Topic 14 - Project Team Management.pdf
Topic 14 - Project Team Management.pdfTopic 14 - Project Team Management.pdf
Topic 14 - Project Team Management.pdf
 
El Portico de la gloria ( comentario)
El Portico de la gloria ( comentario)El Portico de la gloria ( comentario)
El Portico de la gloria ( comentario)
 
Metrics-Based Process Mapping: Part 2 of 3
Metrics-Based Process Mapping: Part 2 of 3Metrics-Based Process Mapping: Part 2 of 3
Metrics-Based Process Mapping: Part 2 of 3
 
Chap 1 Modern Project Management
Chap 1 Modern Project ManagementChap 1 Modern Project Management
Chap 1 Modern Project Management
 
Arquitectura del renacimiento
Arquitectura del renacimientoArquitectura del renacimiento
Arquitectura del renacimiento
 
internal control and control self assessment
internal control and control self assessmentinternal control and control self assessment
internal control and control self assessment
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOX
 
Proposal risk based internal audit 2013
Proposal risk based internal audit 2013Proposal risk based internal audit 2013
Proposal risk based internal audit 2013
 
Business continuity plan
Business continuity planBusiness continuity plan
Business continuity plan
 
Introduction To Risk Management PowerPoint Presentation Slides
Introduction To Risk Management PowerPoint Presentation SlidesIntroduction To Risk Management PowerPoint Presentation Slides
Introduction To Risk Management PowerPoint Presentation Slides
 
Metrics-Based Process Mapping - Part 3 of 3 (Product Demo)
Metrics-Based Process Mapping - Part 3 of 3 (Product Demo)Metrics-Based Process Mapping - Part 3 of 3 (Product Demo)
Metrics-Based Process Mapping - Part 3 of 3 (Product Demo)
 

Viewers also liked

Interna audit module
Interna  audit moduleInterna  audit module
Interna audit moduleMinda Mallare
 
Purchase system and audit on purchases
Purchase system and audit on purchasesPurchase system and audit on purchases
Purchase system and audit on purchasesRaghav Madhavan
 
Raw material
Raw materialRaw material
Raw materialAmit Shah
 
InstantGMP Compliance Series - Supplier and Vendor Qualification
InstantGMP Compliance Series - Supplier and Vendor QualificationInstantGMP Compliance Series - Supplier and Vendor Qualification
InstantGMP Compliance Series - Supplier and Vendor QualificationInstantGMP™
 
Gmp Auditor Training Course
Gmp Auditor   Training CourseGmp Auditor   Training Course
Gmp Auditor Training Coursepiyush64173
 

Viewers also liked (6)

Interna audit module
Interna  audit moduleInterna  audit module
Interna audit module
 
Safety Audit: An Overview
Safety Audit: An OverviewSafety Audit: An Overview
Safety Audit: An Overview
 
Purchase system and audit on purchases
Purchase system and audit on purchasesPurchase system and audit on purchases
Purchase system and audit on purchases
 
Raw material
Raw materialRaw material
Raw material
 
InstantGMP Compliance Series - Supplier and Vendor Qualification
InstantGMP Compliance Series - Supplier and Vendor QualificationInstantGMP Compliance Series - Supplier and Vendor Qualification
InstantGMP Compliance Series - Supplier and Vendor Qualification
 
Gmp Auditor Training Course
Gmp Auditor   Training CourseGmp Auditor   Training Course
Gmp Auditor Training Course
 

Similar to The EISA Audit Presentation

Chapter vi strategic control and evaluation
Chapter vi  strategic control and evaluationChapter vi  strategic control and evaluation
Chapter vi strategic control and evaluationSuzana Vaidya
 
kainat aiman wajiha QUALITY ,MANAGEW,MANE TO.pptx
kainat aiman wajiha QUALITY ,MANAGEW,MANE TO.pptxkainat aiman wajiha QUALITY ,MANAGEW,MANE TO.pptx
kainat aiman wajiha QUALITY ,MANAGEW,MANE TO.pptxalihassanfarooq19
 
Understanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems AuditingUnderstanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems AuditingPECB
 
Internal Audit Strategic Framework
Internal Audit Strategic FrameworkInternal Audit Strategic Framework
Internal Audit Strategic FrameworkJeremy Cheng
 
Xybion - best practices for audit management - final
Xybion -  best practices for audit management - finalXybion -  best practices for audit management - final
Xybion - best practices for audit management - finalXybion Corporation
 
What ISO Management Systems can learn from Balanced Scorecard?
What ISO Management Systems can learn from Balanced Scorecard?What ISO Management Systems can learn from Balanced Scorecard?
What ISO Management Systems can learn from Balanced Scorecard?PECB
 
PECB Webinar: The significance of auditing in maintaining a certified ISO 900...
PECB Webinar: The significance of auditing in maintaining a certified ISO 900...PECB Webinar: The significance of auditing in maintaining a certified ISO 900...
PECB Webinar: The significance of auditing in maintaining a certified ISO 900...PECB
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarAviva Spectrum™
 
radius-profile[1]
radius-profile[1]radius-profile[1]
radius-profile[1]Naji Alajmi
 
Perforamance measurement
Perforamance measurementPerforamance measurement
Perforamance measurementbreeza08
 
The journey of Corporate Governance in Malaysia, So Far
The journey of Corporate Governance in Malaysia, So FarThe journey of Corporate Governance in Malaysia, So Far
The journey of Corporate Governance in Malaysia, So FarNik Hasyudeen
 
Unit 5 CSM: Strategic Evaluation and Comtrol
Unit 5 CSM: Strategic Evaluation and ComtrolUnit 5 CSM: Strategic Evaluation and Comtrol
Unit 5 CSM: Strategic Evaluation and ComtrolDayanand Huded
 
unit5-230511154739-Strategic Management.pdf
unit5-230511154739-Strategic Management.pdfunit5-230511154739-Strategic Management.pdf
unit5-230511154739-Strategic Management.pdfPARNEETSAINI8
 
Integrated Performance Management
Integrated Performance ManagementIntegrated Performance Management
Integrated Performance ManagementGlen Alleman
 
UNCCInternalControls.pptx
UNCCInternalControls.pptxUNCCInternalControls.pptx
UNCCInternalControls.pptxAral20101
 
Enterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEnterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEneni Oduwole
 

Similar to The EISA Audit Presentation (20)

Chapter vi strategic control and evaluation
Chapter vi  strategic control and evaluationChapter vi  strategic control and evaluation
Chapter vi strategic control and evaluation
 
SFC Plan of engagement
SFC Plan of engagementSFC Plan of engagement
SFC Plan of engagement
 
kainat aiman wajiha QUALITY ,MANAGEW,MANE TO.pptx
kainat aiman wajiha QUALITY ,MANAGEW,MANE TO.pptxkainat aiman wajiha QUALITY ,MANAGEW,MANE TO.pptx
kainat aiman wajiha QUALITY ,MANAGEW,MANE TO.pptx
 
CISA Training - Chapter 1 - 2016
CISA Training - Chapter 1 - 2016CISA Training - Chapter 1 - 2016
CISA Training - Chapter 1 - 2016
 
Understanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems AuditingUnderstanding and Managing Risks in Management Systems Auditing
Understanding and Managing Risks in Management Systems Auditing
 
Internal Audit Strategic Framework
Internal Audit Strategic FrameworkInternal Audit Strategic Framework
Internal Audit Strategic Framework
 
Xybion - best practices for audit management - final
Xybion -  best practices for audit management - finalXybion -  best practices for audit management - final
Xybion - best practices for audit management - final
 
What ISO Management Systems can learn from Balanced Scorecard?
What ISO Management Systems can learn from Balanced Scorecard?What ISO Management Systems can learn from Balanced Scorecard?
What ISO Management Systems can learn from Balanced Scorecard?
 
PECB Webinar: The significance of auditing in maintaining a certified ISO 900...
PECB Webinar: The significance of auditing in maintaining a certified ISO 900...PECB Webinar: The significance of auditing in maintaining a certified ISO 900...
PECB Webinar: The significance of auditing in maintaining a certified ISO 900...
 
Risk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches WebinarRisk Assessments Best Practice and Practical Approaches Webinar
Risk Assessments Best Practice and Practical Approaches Webinar
 
radius-profile[1]
radius-profile[1]radius-profile[1]
radius-profile[1]
 
Perforamance measurement
Perforamance measurementPerforamance measurement
Perforamance measurement
 
The journey of Corporate Governance in Malaysia, So Far
The journey of Corporate Governance in Malaysia, So FarThe journey of Corporate Governance in Malaysia, So Far
The journey of Corporate Governance in Malaysia, So Far
 
Unit 5 CSM: Strategic Evaluation and Comtrol
Unit 5 CSM: Strategic Evaluation and ComtrolUnit 5 CSM: Strategic Evaluation and Comtrol
Unit 5 CSM: Strategic Evaluation and Comtrol
 
unit5-230511154739-Strategic Management.pdf
unit5-230511154739-Strategic Management.pdfunit5-230511154739-Strategic Management.pdf
unit5-230511154739-Strategic Management.pdf
 
Candice Sher Maguad Resume
Candice Sher Maguad ResumeCandice Sher Maguad Resume
Candice Sher Maguad Resume
 
Integrated Performance Management
Integrated Performance ManagementIntegrated Performance Management
Integrated Performance Management
 
Maturity Models21
Maturity Models21Maturity Models21
Maturity Models21
 
UNCCInternalControls.pptx
UNCCInternalControls.pptxUNCCInternalControls.pptx
UNCCInternalControls.pptx
 
Enterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational ExcellenceEnterprise Risk Management & Organizational Excellence
Enterprise Risk Management & Organizational Excellence
 

The EISA Audit Presentation

  • 1.  The EISAAudit A Continuous Improvement Approach to Audit Methodology
  • 2. Audit Agenda • Governance of EISA Audit • Overview of recent evolution of EISA Audit • Overview key elements of EISA Audit – Acceptance and Continuance – Audit Comfort Cycle – Substantive Procedures – Other Audit Procedures – Audit Committee Communications Plan 2
  • 3. 3 EISA Audit Governance Global Audit Policy Board Establish global overarching policy principles & goals and ratify policy statements. Global R&Q Ensure methodology is consistently implemented by providing feedback on practice issues. Global Audit Methodology Steering Group Drive execution of policy in practice through processes, tools, guidance, training content, etc. Implementation Partner Network
  • 4. 4 Towards Performance Audit: a continuous improvement program EISA Audit EISA Audit • Audit Comfort Cycle • Management controls focus • Show me and Taking stock • Team re- deployment 2004: Historical Financial Statements Opinion Changes in Deliverables • Business analysis framework • Enhanced audit guides/ practices • Scaling up - different client situations • MyClient integration 2005: • Converged approach, enhanced testing guidance • Enhanced client communications, transparency focus • Application to small companies/ MNCs • Better use of specialists and knowledge sources 2006: Time
  • 5. 5 Changing the Focus of the Audit Model Audit Risks Identified Risk Key Risk Key Key Risk Key Risk Key Risk Key Risk Business Risks
  • 6. 6 EISA Audit in 2004 • Acceptance and Continuance (FRISK) • Audit Comfort Cycle – Scoping – Understanding – Evaluating – Validating • Substantive Testing • Other Audit Procedures • Audit Committee Communications Plan
  • 7. 7 EISA Audit Approach •Other audit procedures •Financial statements •Completion No / Limited controls comfort Significant controls comfort Other audit evidence Mainly Mainly tests of details substantive analytical procedures Audit Comfort Cycle Acceptance/Continuance Assessment
  • 8. 8 EISA Audit Approach – With Attestation •Other audit procedures •Financial statements •Completion No / Limited controls comfort Significant controls comfort Other audit evidence Mainly Mainly tests of details substantive analytical procedures Audit Comfort Cycle Broader and deeper assessment of COSO controls over financial reporting, including management’s evaluation of those controls. e.g., estimates, fraud, tax accrual, more locations. Additional procedures deemed necessary to provide independent assurance on financial statements, taking into consideration the internal controls assessment. Report on management’s assertions on internal controls over financial reporting Report on Financial Statements Acceptance/Continuance Assessment
  • 9. 9 Acceptance & Continuance Process • Governance and oversight of management • Past performance • Management’s expertise and skill • Adequacy of management resources • Audit relationship • Audit adjustments • Revenue recognition • Accounting control • Integrity and ethics • Management inclination for intentional misstatement in financial reporting • Reliability of estimates • Incentive for intentional misstatements in financial reporting • Risk of insolvency
  • 10. 10 Acceptance & Continuance Process Risk Conditions (13) (defined within Acceptance & Continuance module) Key Risks (user defined or selected from Master Data) Engagement Leader and Team Manager apply professional judgment in describing specific Key Risks that relate to the broader Risk Conditions Risk and Approach Schedule The Risk and Approach Schedule is populated by the Key Risks selected and completed by the Engagement Leader and Team Manager 1 2 3 MyClient Client File Audit Comfort Matrix
  • 11. 11 Audit Comfort Cycle 4 Key Questions • What does management need to get comfort on? • How does management get comfort? • Are they entitled to that comfort? • Can we audit that comfort? Market Overview Strategy Value Creating Activities Financial Performance OTHER AUDIT PROCEDURES FINANCIAL STATEMENTS COMPLETION ACCEPTANCE/CONTINUANCE ASSESSMENT SUBSTANTIVE AUDIT EVIDENCE MAINLY SUBSTANTIVE ANALYTICAL PROCEDURES SIGNIFICANT CONTROLS COMFORT NO/LIMITED CONTROLS COMFORT Audit comfort cycle MAINLY TESTS OF DETAILS
  • 12. 12 Audit Comfort Cycle Market Overview Strategy Value Creating Activities Financial Performance OTHER AUDIT PROCEDURES FINANCIAL STATEMENTS COMPLETION ACCEPTANCE/CONTINUANCE ASSESSMENT SUBSTANTIVE AUDIT EVIDENCE MAINLY SUBSTANTIVE ANALYTICAL PROCEDURES SIGNIFICANT CONTROLS COMFORT NO/LIMITED CONTROLS COMFORT Audit comfort cycle MAINLY TESTS OF DETAILS • What does management need to get comfort on?
  • 13. 13 Scoping: Forming a Point of View • Perform company and industry analytical procedures • Research and analyze external communications • Partners connect with staff members • Document the team’s understanding of the business • Knowledge broker to capture and share industry information • Form a point of view on the risks that management should be concerned about
  • 15. 15 Scoping: Risk Assessment – Key Risks • We identify audit risk through understanding the entity’s business objectives and related risks. • Key risks are those conditions or factors within an audit that, in the judgment of the auditor, give rise to a greater risk of material financial misstatement or other matters resulting in the issuance of an inappropriate audit report. [Diagram: Business Risks; Audit Risks; Key Risk]
  • 16. 16 Scoping: Analytical Procedures • High Level – Understand the business – Identify areas of risk • Disaggregated Account Level – Determine the nature, timing & extent of testing • External benchmarking to peers, market trends – Looking for anomalies, areas of risk – Use of extensive knowledge management tools available
  • 17. 17 Scoping Translated into Audit Strategy Where controls over significant account balances or classes of transaction are not aligned, we will need to perform substantive tests of details. Stakeholders Risks Controls Alignment Business Objectives
  • 18. 18 Scoping: Audit Team of Specialists Our best teams use our specialist capabilities to help in forming a point of view. Stakeholders Business Objectives Financial Risk Business Process Enterprise-wide Risk Systems & Technology Energy Trading Risk Business Resilience Project Management Internal Audit Security Data Risk Regulatory/ Compliance Performance Improvement Treasury Risks Controls Alignment Computer-Assisted Audit Techniques Fraud
  • 19. 19 Scoping: Use of Specialists • Policies for the use of Systems and Process Assurance specialists and Fraud Risk & Controls specialists are based around risk attributes • Policies are for consultation with specialists – level of involvement remains a decision of engagement leader • At a minimum, required to consider use of specialists at mobilization stage
  • 20. 20 Audit Comfort Cycle 4 Key Questions • What does management need to get comfort on? • How does management get comfort? • Are they entitled to that comfort? • Can we audit that comfort? [Diagram: Audit comfort cycle. Labels: Market Overview; Strategy; Value Creating Activities; Financial Performance; Acceptance/Continuance Assessment; No/Limited Controls Comfort; Significant Controls Comfort; Substantive Audit Evidence; Mainly Tests of Details; Mainly Substantive Analytical Procedures; Other Audit Procedures; Financial Statements; Completion]
  • 21. 21 Applying Audit Comfort Cycle from the Top-Down • Organize audit team to align with how management runs the business. • Extend discussions about business objectives & risk to management controls. • Understand & evaluate how management controls risk. • Validate controls against engagement team’s point of view. Audit controls from the top down Board Sr Mgmt Department Heads Operations Transaction Processing
  • 22. 22 “Taking Stock”: Real-Time Linkage in the Iterative Process • Share team members’ cumulative knowledge • Update risk identification and assessment • Consider the audit comfort gained to date, by audit assertion • Answer: “Do we have enough comfort?” • Answer: “What do we do next?”
  • 23. 23 Business Risks related to achieving Objectives •…… •…… •…… Business Process A • Completeness • Accuracy • Validity • Restricted Access Business Process B • Completeness • Accuracy • Validity • Restricted Access Business Process C • Completeness • Accuracy • Validity • Restricted Access Account Balances and Transactions Account Balances and Transactions General Computer Controls Account Balances and Transactions Connecting the Dots … Business Objectives Financial Statement Assertions/ Audit Objectives Classes of Transactions • Occurrence • Completeness • Accuracy • Cutoff • Classification Account Balances • Rights & Obligations • Existence • Completeness • Accuracy/Valuation Presentation & Disclosure • Occurrence/R&O • Completeness • Understandability • Accuracy/Valuation
  • 26. 26 Substantive Audit Evidence [Diagram: Audit comfort cycle. Labels: Market Overview; Strategy; Value Creating Activities; Financial Performance; Acceptance/Continuance Assessment; No/Limited Controls Comfort; Significant Controls Comfort; Substantive Audit Evidence; Mainly Tests of Details; Mainly Substantive Analytical Procedures; Other Audit Procedures; Financial Statements; Completion]
  • 27. 27 Achieving the Right Balance No/Limited Controls Comfort Significant Controls Comfort
  • 28. 28 Assurance Hierarchy Will we obtain audit assurance from tests of controls? Test controls. No further testing required. Can we obtain audit assurance from substantive analytical procedures? Perform substantive analytical procedures. Perform tests of details. Do we need additional audit assurance? No Yes No No Yes Yes
  • 29. 29 Other Audit Procedures [Diagram: Audit comfort cycle. Labels: Market Overview; Strategy; Value Creating Activities; Financial Performance; Acceptance/Continuance Assessment; No/Limited Controls Comfort; Significant Controls Comfort; Substantive Audit Evidence; Mainly Tests of Details; Mainly Substantive Analytical Procedures; Other Audit Procedures; Financial Statements; Completion]
  • 30. 30 Other Audit Procedures: More Connecting the Dots • Link management information to financial statements • Review adjustments necessary to reconcile management information to the financial statements • Review non-standard journal entries and other adjustments to ascertain whether entries may be indicative of fraud based upon the risk of management override on controls • Perform ongoing analytical procedures, including updating analytical procedures related to revenue
  • 31. 31 Audit Committee Communications Framework: Objectives • Promote effective and candid communications • Enhance timely reporting, dialogue and sharing views – Service approach – Risk and Control – Financial Reporting – Governance • Provide consistency in our deliverables through recommended templates and practice aids
  • 32. 32 Service approach Risk and control Financial reporting Governance Ongoing assessment of needs & expectations [Indicate timing] [Indicate timing] [Indicate timing] [Indicate timing] Understanding the audit Staying informed Resolution and completion Corporate governance: roles and practices Internal control and business issues report Assessing our performance and yours – Reporting timetable – Business unit scope – Engagement team – Other deliverables Risk analysis Perspectives on fraud risk Other regulatory requirements – plan Our audit plan Communications plan Risk condition alert Transparency of corporate reporting Reporting requirements – Internal control deficiencies – Accounting policies – Management judgments – Quality of earnings – Independence – Transparency Audit opinion Best practices in corporate reporting Audit principles and practices Engagement letter and independence confirmation Update on accounting/audit issues and risk analysis Quarterly review Quarterly review Quarterly review Getting started Audit Committee Communications Plan
  • 33. 33 The EISA Audit • Global approach adaptable to all clients • Designed for continuous improvement • Performance metrics will play a larger role in future audits • Audit quality is at the core of our long term business objectives.

Editor's Notes

  1. Over the past ten years, the EISA audit approach has evolved to reflect the rapidly changing marketplace, the complexities of the 21st-century audit and the increasing expectations of the auditor’s roles and responsibilities in the corporate reporting supply chain. The EISA Audit is designed to be totally flexible, adapting to the needs of our large multinational clients as well as our smaller private companies practice. While the core of our audit methodology is consistent across all clients, the working practices surrounding how we implement our methodology vary by industry and by client size and sophistication. We create working practices around what our best teams are doing in the field while preserving the flexibility to adapt to specific client situations.
  2. At EISA, we operate under a single global audit methodology which is codified in the EISA Audit Guide, our HTML-based electronic audit policy and methodology handbook. The continuous improvement of our methodology is a collaborative effort of technical experts and practitioners from multiple countries with oversight and coordination from three groups. The Global Audit Policy Board establishes the overarching policy principles and direction of our development and improvement efforts. This group also coordinates our firm response to the actions of international audit standard setters and is made up of both EISA representatives on various standard setting bodies and line service partners. The Global Audit Methodology Steering Group oversees the detailed development activities and drives the execution of methodology and policy in the practice through processes, support tools, maintaining guidance and contributing to training content. This steering group works through a central global team and a network of Implementation Partners identified at both a theater and country level. The Global Risk and Quality Group ensures that our methodology is consistently implemented through annual quality reviews. R&Q provides feedback into the process so that practice issues can be reacted to and addressed as necessary in our continuous improvement process.
  3. When EISA Alderbasti Accounting and Auditing began in 2004, we crafted a single, comprehensive and documented global audit methodology, a first in our industry. Since that time, EISA Audit has continued to evolve, moving toward a much broader understanding of the businesses we audit in order to better assess risk, independently from management, and address the balance between reliance on management controls and the amount of substantive testing included in the audit. From this evolution, back in 2001 we anticipated the need to change deliverables moving “towards performance auditing.” But we did not foresee that the first of the new deliverables would be mandated by regulation and would address the adequacy of internal controls over financial reporting.
  4. Before I can explain our audit approach, I need to explain how we had to first fundamentally change the focus of the audit. If you view this large circle as the population of business risks facing a company, this smaller circle represents our audit risks. The traditional model focused on identifying audit risks through the focal point of the financial statements. What we found is that this approach did not necessarily lead to a complete risk assessment. So we turned the focus around to first focus on the business risks faced by the company and how those business risks translated into audit risks. We believe that this approach results in a much better risk assessment and places the financial statements as the output of the process.
  5. The traditional phases of the audit – beginning with a discrete planning process, moving to interim then year-end testing, and culminating in report issuance – are outdated. The EISA Audit involves a logical, iterative process that begins with a rigorous risk assessment even before we decide to take on or retain a client and culminates in robust communications of the results of our audit, communications that involve much more than just the audit opinion.
  6. The EISA Audit builds on our initial risk assessment through a broader risk assessment and testing regimen we refer to as the Audit Comfort Cycle, which principally focuses on management controls. We complete our testing with any necessary substantive procedures and other audit procedures required by GAAP. This process diagram graphically depicts the basic audit approach we utilize on all engagements.
  7. This process is equally applicable in the audit of a U.S. registrant where we must also report on internal controls. However, to achieve the level of comfort we need for the attestation, our assessment of controls in the audit comfort cycle must be broader and deeper and take into consideration management’s own evaluation of those controls. This broader and deeper view of the COSO controls over financial reporting may further limit the amount of substantive testing we have to perform or may result in additional procedures being focused in particular areas in order for us to provide independent assurance on the financial statements.
  8. FRISK is our proprietary client acceptance and continuance software. All assurance clients are subject to an annual assessment process using this module. FRISK contains a series of questions designed to identify risk conditions under 13 different categories. Using extensive research we have developed a sophisticated risk scoring model that drives an overall risk rating, which factors into our acceptance or continuance decision. Our research has demonstrated that these thirteen risk conditions are effective predictors of risk to the firm and ultimately help us identify audit risks that must be addressed during the engagement.
  9. Using the risk conditions highlighted in FRISK, the engagement leader and team manager identify key audit risks that are impacted by or give rise to these risk conditions. Some common key risks are populated in our Master Data sets (databases containing libraries of potential audit procedures). Other key risks are defined by the engagement team based on the specific circumstances of the engagement and the attributes of the client. The key risks identified are automatically populated into a risk and approach schedule which outlines, at a high level, our proposed audit approach to dealing with these risks. The Acceptance & Continuance process is fully integrated into MyClient, our audit documentation software, with the automatic population of the risks identified in FRISK into the “Audit Comfort Matrix” in the Client File for follow-up and resolution during the audit process. Thus, risk identification begins in the Acceptance & Continuance process.
  10. EISA Audit is based on understanding the risks in the business, forming our own point of view on how those risks should be managed, assessing how well management controls the business, auditing the information they use in running the business, and reconciling that internal information to what they tell their external stakeholders, including the appropriate application of generally accepted accounting principles. In short, we understand the company environment and how management runs the business; we validate the information management uses to run the business by testing controls and the internal data used to measure performance; we relate internal performance information to what they tell investors; and we assess the appropriate selection and application of GAAP. To guide us through the thought process, we use the Audit Comfort Cycle and four key questions that we need to consider, linked to the four phases of the cycle. These questions are not what we actually ask clients; but they provide a framework within which the audit team considers carefully what in-depth enquiries to make of management.
  11. We begin the Audit Comfort Cycle with the scoping process. What does management need to get comfort on? How do we answer this question? It requires us to consider what we know about the industry, the marketplace and the company to form our own point of view on the risks that management should be concerned about. Thus, we rely heavily on our knowledge of the industry and the company’s business. We have to form our own independent point of view on the business and the risks faced by investors and management. We have to develop a deeper knowledge of the business through independent research and analysis and our own professional skepticism, and then use this point of view as we go about testing management’s assessment of risk, the controls they have put in place, and their effectiveness in mitigating risk of material misstatement in the financial statements.
  12. The scoping process is what allows us to form our independent point of view. Through research, analytical procedures, and knowledge sharing among and across engagement teams, we develop and document our understanding of the risks facing the business. Only through this deep understanding can we truly form an independent point of view.
  13. The information that investors and management use to analyze the business is also useful in the audit approach. We gather and analyze this information to form our own point of view on the client’s business, and use this point of view to test management’s risk assessment during the rest of the audit comfort cycle. By addressing each element of the business analysis framework with our team we consider all aspects of a client’s business in identifying the client’s objectives. The business analysis framework was created out of over six years of extensive research. It enables us to understand the market in which the company operates, the strategy of the client and how it translates into their business goals and objectives, the key performance indicators that management uses to measure how they are doing, and the critical inputs and drivers of success. To perform an EISA Audit we need to develop a broader and deeper understanding of the business, its operating model and processes and the way in which management exercises control. We should have a clear appreciation of how the company is viewed by the outside world - within its industry, geographic marketplace and amongst its stakeholders. To achieve this we need to be aware of what the outside world is saying about our client. We should also be familiar with the picture the company is creating of itself and the impact this may have on its reputation and market value.
  14. The EISA Audit approach requires us to identify audit risks by viewing risk from management’s perspective. We begin by requiring consideration of business conditions that could prevent the entity from achieving its business objectives. While beginning with this broad perspective, our aim is ultimately to focus on those risks, and management’s response thereto, that primarily relate to the entity’s objectives that have an impact on its financial reporting requirements and our audit responsibilities. Treating all audit risks as equally important during the audit process can lead to unnecessary work or a potentially inappropriate level of focus on less significant risk areas. Therefore, in planning the scope of our work, we concentrate our efforts around “Key Risks”.
  15. EISA Audit also looks to analytical procedures during the scoping phase. These preliminary analytical procedures help us understand the entity's business, identify unusual changes or the absence of expected changes in the financial statements, and assist in forming our own point of view about the areas of key risk and matters that should be critical to the entity. Preliminary analytical procedures can help drive an effective and efficient audit process by identifying audit issues that might not otherwise be apparent.
  16. We must translate our knowledge of and views on our client’s business objectives and related risks into our audit plan – by understanding not only their business objectives and risks but also management’s response to those risks. This slide represents ORCA – a framework for identifying risks and controls. ORCA stands for business Objectives, Risks, Controls and Alignment. Where controls over significant account balances or classes of transactions are not aligned, we must perform substantive tests of details.
  17. During the Scoping phase of the audit, we supplement the core engagement team with specialists to assist in understanding the business. These specialists become part of the team, rather than sitting outside of the process.
  18. Due to the increasing complexity of our clients, we have instituted policies requiring the use of certain specialists if certain risk triggers exist. In particular, Systems and Process Assurance personnel are involved in audits where the client uses complex information systems. Fraud specialists must be consulted where we have determined there is a heightened risk of fraud on an engagement. The involvement of specialists on the audit engagement may be at any of three levels: Consulting, where the specialist's involvement may be limited to identification of key risks based on the client's business and changes since the prior year. Coaching, where the specialist's involvement is generally targeted at areas of change and generally consists of attendance at key meetings as well as assistance in the development of the risk assessment and audit comfort matrix. The specialist will coach a core team member as he or she performs the work in the specialist's area of expertise. Completing, where the specialist performs the work in the specialist's area of expertise, which is higher risk, in a complex environment, or where significant changes have occurred. The specialist will be involved in all aspects of the audit process.
  19. Once we have completed our initial scoping, we should have a pretty good handle on the answer to “What does management need to get comfort on?” We have formed our own point of view, and we’re ready to talk to the client and get their point of view – to see if it matches ours, or if there are some risks that they have missed (and are therefore not apt to be managing). The next step in the audit comfort cycle is gaining an understanding of “How does management get comfort?” This requires that we understand how management goes about identifying risks in their business model and designing controls to mitigate that risk. This extends our audit process beyond the accounting controls testing and reliance to additional reliance on business controls. This is where we begin to use the tool of “show me” meetings to verify the information obtained from management. We are also going to be evaluating “Are they entitled to that comfort?” Are controls effectively designed to mitigate the risks we’ve identified? This involves us challenging management, probing whether the controls they have to run the business should be effective and whether they can truly provide support for a conclusion that financial or other relevant information used in the business should be reliable. And, finally, we must validate that the controls are working effectively if we want to share in that comfort. The audit team needs to make in-depth inquiries of management and corroborate explanations where appropriate. We cannot rely wholly on what management tells us, and have to obtain evidence ourselves that the controls are reliable. Inquiry, observation, examination and reperformance – all of these tests of controls are used.
  20. We start this process from the top down through the organization to get an understanding of the real business objectives and risks at our clients. Our audit approach is therefore analogous to the “scoping” of target clients. When the Firm pursues business opportunities, we obtain an understanding of the business from the top-down. We don’t begin from the bottom of the organization. The same holds true for our recurring engagements. Finding out about how the business is really controlled - not just how we think it is controlled - and using the whole team’s knowledge and experience to focus our work defines how EISA Audit works. The result should be a more effective and efficient audit. Key to this process is using the point of view developed during scoping, testing management’s views against our own independent, objective research and analysis. We should not concede to management’s views without further testing these with independent research – our own views on the risks in the business should be well formulated in advance of the top-down audit process so that we retain our audit objectivity throughout. Instead of organizing the audit team around business cycles, the team should be aligned with how management runs the business, across geographic lines if necessary, to mirror reporting and control structures in the client’s organization. We begin the audit by meeting with the board and senior management to fully understand the organization and its performance targets, the risks and opportunities it faces, and how the board and management believe they are controlling the risks and maximizing the opportunities. This is not a casual conversation, but a rigorous, in-depth inquiry followed up by observation, examination and/or reperformance, either during or after the meeting – using all 4 methods of testing internal controls. 
We work down and across the operations/business processes and more detailed functions as necessary, applying the same rigorous techniques to qualify as tests of controls. As we work through the client’s organization, we apply the audit comfort cycle to identify higher level controls that management uses to run the business, evaluate the adequacy of these controls to mitigate the risks identified in our scoping, and ultimately validate that the controls are working, gathering audit evidence throughout this process. We record our understanding and evidence in the audit file as we go, building up the file to tell the story of the audit.
  21. At certain points throughout the audit, we pause and “take stock” – What have we learned to date? Have we gained the level of audit comfort we need? If not, what do we need to do next? The “taking stock” process is critical to the iterative audit approach, allowing us to react quickly to new information and/or changes in the business. “Taking stock” involves the entire team, including specialists, to ensure the maximum effectiveness of the audit coupled with efficient performance.
  22. Taking stock is about connecting the dots. In past audit approaches, the “staff audit” took place in the tan boxes on this slide, while the “partner audit” had more to do with the orange boxes. And, Systems Assurance is more-or-less connected to other aspects of the audit, depending on the engagement team and approach. Partners focus on business objectives and risks, and the financial statement assertions relative to the greatest areas of risk, while the staff look at business process controls and their relationship to financial statement account balances, without connecting the business objectives and risks. And, the true tie in of Systems Assurance is sometimes very murky. The Audit Comfort Cycle is designed to bring this all together, through team participation in the Show Me and Taking Stock processes. It’s all about improved teamwork to reduce audit risk and improve audit quality.
  23. The audit comfort matrix is the documentation tool we use to pull the audit evidence together on how we addressed the key risks identified. It helps us tie the audit risks to the underlying business objectives and risks and management’s approach to controlling these risks. The audit comfort matrix is required on all audits but our teams can adapt this matrix to their specific client circumstances as long as the fundamental concepts are preserved. Many teams prepare multiple ACMs addressing the key risks at significant individual business or management units.
  24. We have also developed a practice aid used to summarize all our comfort – from all testing – controls and substantive – key risks and general risks of material misstatement. It is a useful tool for partners to get an overview of the work performed.
  25. The next stage of the process is to supplement our controls work with substantive testing – both substantive analytical procedures and tests of details. This work is necessary to meet GAAS requirements and to fill in the gaps remaining from the audit comfort cycle. The taking stock meetings continue to respond to the question: Do we have enough comfort?
  26. This graphic depicts the testing continuum that we follow - while not prescribing which controls must be tested. The engagement team’s judgment is critical, and partner-led decisions are essential. Getting to the right balance in the testing approach is key to providing the highest quality audit.
  27. Our determination of the type and extent of substantive testing to be performed is based on our responses to this assurance hierarchy decision tree. The way we perform substantive tests has not changed significantly and we continue to promote the use of Computer Assisted Auditing Techniques wherever possible.
  28. In completing the audit we need to ensure the management information we have been relying on reconciles to the financial statements. This process is initially documented as part of scoping and progresses as we determine which reports management is relying on. We consider subsequent events, analyze legal letters, review the financial statements and related disclosures and perform other procedures to bring the audit to completion.
  29. These other auditing procedures represent the final step in “connecting all the dots” in order for us to issue our audit report.
  30. Throughout the audit, we must maintain continuous communication with both management and those charged with governance of the company. Our Audit Committee Communications plan is designed to promote this communication by providing structure and consistency. The plan is centered around four central themes.
  31. This graphic provides a summary depiction of our consolidated approach to communicating to those charged with governance throughout the audit.
  32. In summary, we believe that we have developed a flexible audit methodology that is scalable to our largest global clients as well as our smallest private customers. We have built an ongoing development and continuous improvement process to address the rapidly changing environment we face. We continue to believe that assurance around performance measures will grow in importance in the coming years. But ultimately, our success in the future – our very viability – will be determined by the quality of execution on our audits. Thus, the centerpiece of our business strategy – both short-term and long-term – is to consistently achieve the highest level of audit quality.