Introduction
Scope of this SA 1. This Standard on Auditing (SA) establishes the independent auditor’s overall responsibilities when conducting an audit of financial statements in accordance with SAs. Specifically, it sets out the overall objectives of the independent auditor, and explains the nature and scope of an audit designed to enable the independent auditor to meet those objectives. It also explains the scope, authority and structure of the SAs, and includes requirements establishing the general responsibilities of the independent auditor applicable in all audits, including the obligation to comply with the SAs. The independent auditor is referred to as “the auditor” hereafter.
2. SAs are written in the context of an audit of financial statements by an auditor. They are to be adapted as necessary in the circumstances when applied to audits of other historical financial information. An Audit of Financial Statements
3. The purpose of an audit is to enhance the degree of confidence of intended users in the financial statements. This is achieved by the expression of an opinion by the auditor on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. In the case of most general purpose frameworks, that opinion is on whether the financial statements are presented fairly, in all material respects, or give a true and fair view in accordance with the framework. An audit conducted in accordance with SAs and relevant ethical requirements enables the auditor to form that opinion.
4. The financial statements subject to audit are those of the entity, prepared and presented by management of the entity with oversight from those charged with governance. SAs do not impose responsibilities on management or those charged with governance and do not override laws and regulations that govern their responsibilities. However, an audit in accordance with SAs is conducted on the premise that management and, where appropriate, those charged with governance have responsibilities that are fundamental to the conduct of the audit. The audit of the financial statements does not relieve management or those charged with governance of those responsibilities.
1
5. As the basis for the auditor’s opinion, SAs require the auditor to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is a high level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (i.e., the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level. However, reasonable assurance is not an absolute level of assurance, because there are inherent limitations of an audit which result in most of the audit evidence on which the auditor draws conclusions and bases the auditor’s opinion being persuasive rather than conclusive.
6. The concept of materiality is applied by the auditor both in planning and performing the
audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements. In general, misstatements, including omissions, are considered to be material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements. Judgments about materiality are made in the light of surrounding circumstances, and are affected by the auditor’s perception of the financial information needs of users of the financial statements, and by the size or nature of a misstatement, or a combination of both. The auditor’s opinion deals with the financial statements as a whole and therefore the auditor is not responsible for the detection of misstatements that are not material to the financial statements as a whole. 7. The SAs contain objectives, requirements and application and other explanatory material that are designed to support the auditor in obtaining reasonable assurance. The SAs require that the auditor exercise professional judgment and maintain professional scepticism throughout the planning and performance of the audit and, among other things: ? Identify and assess risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including the entity’s internal control. ? Obtain sufficient appropriate audit evidence about whether material misstatements exist, through designing and implementing appropriate responses to the assessed risks. ? Form an opinion on the financial statements based on conclusions drawn from the audit evidence obtained.
8. The form of opinion expressed by the auditor will depend upon the applicable financial reporting framework and any applicable laws or regulations.
2
Effective Date ? This SA is effective for audits of financial statements for periods beginning on or after April 1 2010.
Objectives ? In conducting an audit of financial statements, the overall objectives of the auditor are: (a) To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and
(b) To report on the financial statements, and communicate as required by the SAs, in accordance with the auditor’s findings.
3
Definitions
? For purposes of the SAs, the following terms have the meanings attributed below:
(a) Applicable financial reporting framework – The financial reporting framework adopted by management and, where appropriate, those charged with governance in the preparation and presentation of the financial statements that is acceptable in view of the nature of the entity and the objective of the financial statements, or that is required by law or regulation. The term “fair presentation framework” is used to refer to a financial reporting framework that requires compliance with the requirements of the framework and: (i) Acknowledges explicitly or implicitly that, to achieve fair presentation of the financial statements, it may be necessary for management to provide disclosures beyond those specifically required by the framework; or (ii) Acknowledges explicitly that it may be necessary for management to depart from a requirement of the framework to achieve fair presentation of the financial statements. Such departures are expected to be necessary only in extremely rare circumstances. The term “compliance framework” is used to refer to a financial reporting framework that requires compliance with the requirements of the framework, but does not contain the acknowledgements in (i) or (ii) above.
(b) Audit evidence – Information used by the auditor in arriving at the conclusions on which the auditor’s opinion is based. Audit evidence includes both information contained in the accounting records underlying the financial statements and other information. For purposes of the SAs: (i) Sufficiency of audit evidence is the measure of the quantity of audit evidence. The quantity of the audit evidence needed is affected by the auditor’s assessment of the risks of material misstatement and also by the quality of such audit evidence. (ii) Appropriateness of audit evidence is the measure of the quality of audit evidence; that is, its relevance and its reliability in providing support for the conclusions on which the auditor’s opinion is based.
4
(c) Audit risk – The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk. (d) Auditor – “Auditor” is used to refer to the person or persons conducting the audit, usually the engagement partner or other members of the engagement team, or, as applicable, the firm. Where an SA expressly intends that a requirement or responsibility be fulfilled by the engagement partner, the term “engagement partner” rather than “auditor” is used. “Engagement partner” and “firm” are to be read as referring to their public sector equivalents where relevant. (e) Detection risk – The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements. (f) Financial statements – A structured representation of historical financial information, including related notes, intended to communicate an entity’s economic resources or obligations at a point in time or the changes therein for a period of time in accordance with a financial reporting framework. The related notes ordinarily comprise a summary of significant accounting policies and other explanatory information. The term “financial statements” ordinarily refers to a complete set of financial statements as determined by the requirements of the applicable financial reporting framework, but can also refer to a single financial statement. (g) Historical financial information – Information expressed in financial terms in relation to a particular entity, derived primarily from that entity’s accounting system, about economic events occurring in past time periods or about economic conditions or circumstances at points in time in the past. (h) Management – The person(s) with executive responsibility for the conduct of the entity’s operations. For some entities in some jurisdictions, management includes some or all of those charged with governance, for example, executive members of a governance board, or an owner-manager. (i) Misstatement – A difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. Misstatements can arise from error or fraud.
5
(j) Premise, relating to the responsibilities of management and, where appropriate, those charged with governance, on which an audit is conducted – That management and, where appropriate, those charged with governance have the following responsibilities that are fundamental to the conduct of an audit in accordance with SAs. That is, responsibility: For the preparation and presentation of the financial statements in accordance with the applicable financial reporting framework; this includes the design, implementation and maintenance of internal control relevant to the preparation and presentation of financial statements that are free from material misstatement, whether due to fraud or error; and To provide the auditor with: a) All information, such as records and documentation, and other matters that are relevant to the preparation and presentation of the financial statements; b) Any additional information that the auditor may request from management and, where appropriate, those charged with governance; and c) Unrestricted access to those within the entity from whom the auditor determines it necessary to obtain audit evidence. In the case of a fair presentation framework, the responsibility is for the preparation and fair presentation of the financial statements in accordance with the financial reporting framework; or the preparation of financial statements that give a true and fair view in accordance with the financial reporting framework. This applies to all references to “preparation and presentation of the financial statements” in the SAs. The “premise, relating to the responsibilities of management and, where appropriate, those charged with governance, on which an audit is conducted” may also be referred to as the “premise”.
6
Requirements
? Ethical Requirements Relating to an Audit of Financial Statements The auditor shall comply with relevant ethical requirements, including those pertaining to independence, relating to financial statement audit engagements. ? Professional Skepticism The auditor shall plan and perform an audit with professional skepticism recognising that circumstances may exist that cause the financial statements to be materially misstated. ? Professional Judgment The auditor shall exercise professional judgment in planning and performing an audit of financial statements. ? Sufficient Appropriate Audit Evidence and Audit Risk To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion. ? Complying with Relevant Requirements Subject to paragraph 23, the auditor shall comply with each requirement of an SA unless, in the circumstances of the audit:
(a) The entire SA is not relevant; or (b) The requirement is not relevant because it is conditional and the condition does not exist.
o In exceptional circumstances, the auditor may judge it necessary to depart from a relevant requirement in an SA. In such circumstances, the auditor shall perform alternative audit procedures to achieve the aim of that requirement. The need for the auditor to depart from a relevant requirement is expected to arise only where the requirement is for a specific procedure to be performed and, in the specific circumstances of the audit, that procedure would be ineffective in achieving the aim of the requirement.
7
Application and Other Explanatory Material
An Audit of Financial Statements Scope of the Audit A1. The auditor’s opinion on the financial statements deals with whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. Such an opinion is common to all audits of financial statements. The auditor’s opinion therefore does not assure, for example, the future viability of the entity nor the efficiency or effectiveness with which management has conducted the affairs of the entity. In some cases, however, the applicable laws and regulations may require auditors to provide opinions on other specific matters, such as the effectiveness of internal control, or the consistency of a separate management report with the financial statements. While the SAs include requirements and guidance in relation to such matters to the extent that they are relevant to forming an opinion on the financial statements, the auditor would be required to undertake further work if the auditor had additional responsibilities to provide such opinions.
Preparation of the Financial Statements
A2. An audit in accordance with SAs is conducted on the premise that management and, where appropriate, those charged with governance have responsibility: (a) For the preparation and presentation of the financial statements in accordance with the applicable financial reporting framework; this includes the design, implementation and maintenance of internal control relevant to the preparation and presentation of financial statements that are free from material misstatement, whether due to fraud or error; and (b) To provide the auditor with: (i) All information, such as records and documentation, and other matters that are relevant to the preparation and presentation of the financial statements; (ii) Any additional information that the auditor may request from management and, where appropriate, those charged with governance; and (iii) Unrestricted access to those within the entity from whom the auditor determines it necessary to obtain audit evidence.
8
A3. As part of their responsibility for the preparation and presentation of the financial statements, management and, where appropriate, those charged with governance are responsible for: The identification of the applicable financial reporting framework, in the context of any relevant laws or regulations. The preparation and presentation of the financial statements in accordance with that framework. An adequate description of that framework in the financial statements. The preparation of the financial statements requires management to exercise judgment in making accounting estimates that are reasonable in the circumstances, as well as to select and apply appropriate accounting policies. These judgments are made in the context of the applicable financial reporting framework.
A4. The financial statements may be prepared in accordance with a financial reporting framework designed to meet: The common financial information needs of a wide range of users (i.e., “general purpose financial statements”); or The financial information needs of specific users (i.e., “special purpose financial statements”).
A5. The applicable financial reporting framework often encompasses financial reporting standards established by an authorised or recognised standards setting organisation, or legislative or regulatory requirements. In some cases, the financial reporting framework may encompass both financial reporting standards established by an authorised or recognised standards setting organisation and legislative or regulatory requirements. Other sources may provide direction on the application of the applicable financial reporting framework. In some cases, the applicable financial reporting framework may encompass such other sources, or may even consist only of such sources. Such other sources may include: The legal and ethical environment, including statutes, regulations, court decisions, and professional ethical obligations in relation to accounting matters; Published accounting interpretations of varying authority issued by standards setting, professional or regulatory organisations; Published views of varying authority on emerging accounting issues issued by standards setting, professional or regulatory organisations; General and industry practices widely recognised and prevalent.
9
A6. The requirements of the applicable financial reporting framework determine the form and content of the financial statements. Although the framework may not specify how to account for or disclose all transactions or events, it ordinarily embodies sufficient broad principles that can serve as a basis for developing and applying accounting policies that are consistent with the concepts underlying the requirements of the framework. A7. Some financial reporting frameworks are fair presentation frameworks, while others are compliance frameworks. Financial reporting frameworks that encompass primarily the financial reporting standards established by an organisation that is authorised or recognised to promulgate standards to be used by entities for preparing and presenting general purpose financial statements are often designed to achieve fair presentation. A8. The requirements of the applicable financial reporting framework also determine what constitutes a complete set of financial statements. In the case of many frameworks, financial statements are intended to provide information about the state of affairs, results of operations and cash flows of an entity. For such frameworks, a complete set of financial statements would include a balance sheet; statement of profit and loss; a cash flow statement; and related notes. For some other financial reporting frameworks, a single financial statement and the related notes might constitute a complete set of financial statements: For example, normally, in government departments and local bodies, the primary financial statement is a statement of cash receipts and payments. Other examples of a single financial statement, each of which would include related notes, are: ? ? ? ? Balance sheet. Statement of profit & loss. Statement of cash flows. Statement of operations by product lines.
A9. SA 210 establishes requirements and provides guidance on determining the acceptability of the applicable financial reporting framework. SA 800 deals with special considerations when financial statements are prepared in accordance with a special purpose framework. A10. Because of the significance of the premise to the conduct of an audit, the auditor is required to obtain agreement from management and, where appropriate, those charged with governance that they acknowledge and understand their responsibilities set out in paragraph A2 as a precondition for accepting the audit engagement. The auditor is also required to obtain written representations about whether management and, where appropriate, those charged with governance have fulfilled those responsibilities
10
Form of the Auditor’s Opinion ? The opinion expressed by the auditor is on whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. The form of the auditor’s opinion, however, will depend upon the applicable financial reporting framework and any applicable laws or regulations. Most financial reporting frameworks include requirements relating to the presentation of the financial statements; for such frameworks, preparation of the financial statements in accordance with the applicable financial reporting framework includes presentation. ? Where the financial reporting framework is a fair presentation framework, as is generally the case for general purpose financial statements, the opinion required by the SAs is on whether the financial statements are presented fairly, in all material respects, or give a true and fair view. Where the financial reporting framework is a compliance framework, the opinion required is on whether the financial statements are prepared, in all material respects, in accordance with the framework. Unless specifically stated otherwise, references in the SAs to the auditor’s opinion cover both forms of opinion.
Ethical Requirements Relating to an Audit of Financial Statements ? The auditor is subject to relevant ethical requirements, including those pertaining to independence, relating to financial statement audit engagements. Relevant ethical requirements ordinarily comprise the Code of Ethics issued by the Institute of Chartered Accountants of India. ? The Code establishes the following as the fundamental principles of professional ethics relevant to the auditor when conducting an audit of financial statements and provides a conceptual framework for applying those principles; (a) Integrity; (b) Objectivity; (c) Professional competence and due care; (d) Confidentiality; and (e) Professional behaviour. ? In the case of an audit engagement it is in the public interest and, therefore, required by the Code of Ethics, that the auditor be independent of the entity subject to the audit. The Code describes independence as comprising both independence of mind and independence in appearance. The auditor’s independence from the entity safeguards the auditor’s ability to form an audit opinion without being affected by influences that might compromise that opinion. Independence enhances the auditor’s ability to act with integrity, to be objective and to maintain an attitude of professional scepticism.
11
? Standard on Quality Control (SQC) 19 sets out the responsibilities of the firm for establishing policies and procedures designed to provide it with reasonable assurance that the firm and its personnel comply with relevant ethical requirements, including those pertaining to independence. SA sets out the engagement partner’s responsibilities with respect to relevant ethical requirements. These include evaluating whether members of the engagement team have complied with relevant ethical requirements, determining the appropriate action if matters come to the engagement partner’s attention that indicate that members of the engagement team have not complied with relevant ethical requirements, and forming a conclusion on compliance with independence requirements that apply to the audit engagement. SA recognises that the engagement team is entitled to rely on a firm’s systems in meeting its responsibilities with respect to quality control procedures applicable to the individual audit engagement, unless information provided by the firm or other parties suggests otherwise. Professional Skepticism ? Professional skepticism includes being alert to, for example: Audit evidence that contradicts other audit evidence obtained. Information that brings into question the reliability of documents and responses to inquiries to be used as audit evidence. Conditions that may indicate possible fraud. Circumstances that suggest the need for audit procedures in addition to those required by the SAs. ? Maintaining professional skepticism throughout the audit is necessary if the auditor is, for example, to reduce the risks of: Overlooking unusual circumstances. Over generalising when drawing conclusions from audit observations. Using inappropriate assumptions in determining the nature, timing, and extent of the audit procedures and evaluating the results thereof. ? Professional skepticism is necessary to the critical assessment of audit evidence. This includes questioning contradictory audit evidence and the reliability of documents and responses to inquiries and other information obtained from management and those charged with governance. It also includes consideration of the sufficiency and appropriateness of audit evidence obtained in the light of the circumstances, for example in the case where fraud risk factors exist and a single document, of a nature that is susceptible to fraud, is the sole supporting evidence for a material financial statement amount. ? The auditor may accept records and documents as genuine unless the auditor has reason to believe the contrary. Nevertheless, the auditor is required to consider the reliability of information to be used as audit evidence. In cases of doubt about the reliability of information or indications of possible fraud (for example, if conditions identified during the audit cause the auditor to believe that a document may not be
12
authentic or that terms in a document may have been falsified), the SAs require that the auditor investigate further and determine what modifications or additions to audit procedures are necessary to resolve the matter. ? The auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance. Nevertheless, a belief that management and those charged with governance are honest and have integrity does not relieve the auditor of the need to maintain professional skepticism or allow the auditor to be satisfied with less-than-persuasive audit evidence when obtaining reasonable assurance.
Professional Judgment ? Professional judgment is essential to the proper conduct of an audit. This is because interpretation of relevant ethical requirements and the SAs and the informed decisions required throughout the audit cannot be made without the application of relevant knowledge and experience to the facts and circumstances. Professional judgment is necessary in particular regarding decisions about: The nature, timing, and extent of audit procedures used to meet the requirements of the SAs and gather audit evidence. Evaluating whether sufficient appropriate audit evidence has been obtained, and whether more needs to be done to achieve the objectives of the SAs and thereby, the overall objectives of the auditor. The evaluation of management’s judgments in applying the entity’s applicable financial reporting framework. The drawing of conclusions based on the audit evidence obtained, for example, assessing the reasonableness of the estimates made by management in preparing the financial statements. Materiality and audit risk.
13
Tests of Controls ? The user auditor is required to design and perform tests of controls to obtain sufficient
appropriate audit evidence as to the operating effectiveness of relevant controls in certain circumstances. In the context of a service organisation, this requirement applies when: (a) The user auditor’s assessment of risks of material misstatement includes an expectation that the controls at the service organisation are operating effectively (i.e., the user auditor intends to rely on the operating effectiveness of controls at the service organisation in determining the nature, timing and extent of substantive procedures); or (b) Substantive procedures alone, or in combination with tests of the operating effectiveness of controls at the user entity, cannot provide sufficient appropriate audit evidence at the assertion level.
? If a Type 2 report is not available, a user auditor may contact the service organisation,
through the user entity, to request that a service auditor be engaged to provide a Type 2 report that includes tests of the operating effectiveness of the relevant controls or the user auditor may use another auditor to perform procedures at the service organisation that test the operating effectiveness of those controls. A user auditor may also visit the service organisation and perform tests of relevant controls if the service organisation agrees to it. The user auditor’s risk assessments are based on the combined evidence provided by the work of another auditor and the user auditor’s own procedures.
? Using a Type 2 Report as Audit Evidence that Controls at the Service Organisation Are Operating Effectively
? A Type 2 report may be intended to satisfy the needs of several different user
auditors; therefore tests of controls and results described in the service auditor’s report may not be relevant to assertions that are significant in the user entity’s financial statements. The relevant tests of controls and results are evaluated to
14
determine that the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment. In doing so, the user auditor may consider the following factors:
(a) The time period covered by the tests of controls and the time elapsed since the performance of the tests of controls; (b) The scope of the service auditor’s work and the services and processes covered, the controls tested and tests that were performed, and the way in which tested controls relate to the user entity’s controls; and (c) The results of those tests of controls and the service auditor’s opinion on the operating effectiveness of the controls.
?
For certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less audit evidence the test may provide. In comparing the period covered by the Type 2 report to the user entity’s financial reporting period, the user auditor may conclude that the Type 2 report offers less audit evidence if there is little overlap between the period covered by the Type 2 report and the period for which the user auditor intends to rely on the report. When this is the case, a Type 2 report covering a preceding or subsequent period may provide additional audit evidence. In other cases, the user auditor may determine it is necessary to perform, or use another auditor to perform, tests of controls at the service organisation in order to obtain sufficient appropriate audit evidence about the operating effectiveness of those controls. It may also be necessary for the user auditor to obtain additional evidence about significant changes to the relevant controls at the service organisation outside of the period covered by the Type 2 report or determine additional audit procedures to be performed. Relevant factors in determining what additional audit evidence to obtain about controls at the service organisation that were operating outside of the period covered by the service auditor’s report may include:
?
The significance of the assessed risks of material misstatement at the assertion level; The specific controls that were tested during the interim period, and significant changes to them since they were tested, including changes in the information system, processes, and personnel; The degree to which audit evidence about the operating effectiveness of
15
those controls was obtained; The length of the remaining period; The extent to which the user auditor intends to reduce further substantive procedures based on the reliance on controls; and
? Additional audit evidence may be obtained, for example, by extending tests of
controls over the remaining period or testing the user entity’s monitoring of controls.
? If the service auditor’s testing period is completely outside the user entity’s financial
reporting period, the user auditor will be unable to rely on such tests for the user auditor to conclude that the user entity’s controls are operating effectively because they do not provide current audit period evidence of the effectiveness of the controls, unless other procedures are performed. ? In certain circumstances, a service provided by the service organisation may be designed with the assumption that certain controls will be implemented by the user entity. For example, the service may be designed with the assumption that the user entity will have controls in place for authorising transactions before they are sent to the service organisation for processing. In such a situation, the service organisation’s description of controls may include a description of those complementary user entity controls.
? If the user auditor believes that the service auditor’s report may not provide
sufficient appropriate audit evidence, for example, if a service auditor’s report does not contain a description of the service auditor’s tests of controls and results thereon, the user auditor may supplement the understanding of the service auditor’s procedures and conclusions by contacting the service organisation, through the user entity, to request a discussion with the service auditor about the scope and results of the service auditor’s work. Also, if the user auditor believes it is necessary, the user auditor may contact the service organisation, through the user entity, to request that the service auditor perform procedures at the service organisation.
? The service auditor’s Type 2 report identifies results of tests, including exceptions
and other information that could affect the user auditor’s conclusions. Exceptions noted by the service auditor or a modified opinion in the service auditor’s Typ e 2 report do not automatically mean that the service auditor’s Type 2 report will not be useful for the audit of the user entity’s financial statements in assessing the risks of material misstatement. Rather, the exceptions and the matter giving rise to a modified opinion in the service auditor’s Type 2 report are considered in the user auditor’s assessment of the testing of controls performed by the service auditor. In considering the exceptions and matters giving rise to a modified opinion, the user auditor may discuss such matters with the service auditor. Such communication is
16
dependent upon the user entity contacting the service organisation, and obtaining the service organisation’s approval for the communication to take place.
? Communication of Deficiencies in Internal Control identified during the Audit
? The user auditor is required to communicate in writing significant deficiencies
identified during the audit to both management and those charged with governance on a timely basis. The user auditor is also required to communicate to management at an appropriate level of responsibility on a timely basis other deficiencies in internal control identified during the audit that, in the user auditor’s professional judgment, are of sufficient importance to merit management’s attention. Matters that the user auditor may identify during the audit and may communicate to management and those charged with governance of the user entity include: Any monitoring of controls that could be implemented by the user entity, including those identified as a result of obtaining a Type 1 or Type 2 report; Instances where complementary user entity controls are noted in the Type 1 or Type 2 report and are not implemented at the user entity; and Controls that may be needed at the service organisation that do not appear to have been implemented or that are not specifically covered by a Type 2 report.
? Type 1 and Type 2 Reports that Exclude the Services of a Subservice Organisation
?
If a service organisation uses a subservice organisation, the service auditor’s report may either include or exclude the subservice organisation’s relevant control objectives and related controls in the service organisation’s description of its system and in the scope of the service auditor’s engagement. These two methods of reporting are known as the inclusive method and the carve-out method, respectively. If the Type 1 or Type 2 report excludes the controls at a subservice organisation, and the services provided by the subservice organisation are relevant to the audit of the user entity’s financial statements, the user auditor is required to apply the requirements of this SA in respect of the subservice organisation. The nature and extent of work to be performed by the user auditor regarding the services provided by a subservice organisation depend on the nature and significance of those services to the user entity and the relevance of those services to the audit.
17
? Fraud, Non-Compliance with Laws and Regulations and Uncorrected Misstatements
in Relation to Activities at the Service Organisation
? A service organisation may be required under the terms of the contract with user
entities to disclose to affected user entities any fraud, non-compliance with laws and regulations or uncorrected misstatements attributable to the service organisation’s management or employees. The user auditor makes inquiries of the user entity management regarding whether the service organisation has reported any such matters and evaluates whether any matters reported by the service organisation affect the nature, timing and extent of the user auditor’s further audit procedures. In certain circumstances, the user auditor may require additional information to perform this evaluation, and may request the user entity to contact the service organisation to obtain the necessary information.
? Reporting by the User Auditor
? When a user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organisation relevant to the audit of the user entity’s financial statements, a limitation on the scope of the audit exists. This may be the case when: The user auditor is unable to obtain a sufficient understanding of the services provided by the service organisation and does not have a basis for the identification and assessment of the risks of material misstatement;
A user auditor’s risk assessment includes an expectation that controls at the service organisation are operating effectively and the user auditor is unable to obtain sufficient appropriate audit evidence about the operating effectiveness of these controls; or Sufficient appropriate audit evidence is only available from records held at the service organisation, and the user auditor is unable to obtain direct access to these records. Whether the user auditor expresses a qualified opinion or disclaims an opinion
18
depends on the user auditor’s conclusion as to whether the possible effects on the financial statements are material or pervasive.
? Reference to the Work of a Service Auditor
? In some cases, law or regulation may require a reference to the work of a service
auditor in the user auditor’s report, for example, for the purposes of transparency in the public sector. In such circumstances, the user auditor may need the consent of the service auditor before making such a reference.
? The fact that a user entity uses a service organisation does not alter the user auditor’s
responsibility under SAs to obtain sufficient appropriate audit evidence to afford a reasonable basis to support the user auditor’s opinion. Therefore, the user audit or does not make reference to the service auditor’s report as a basis, in part, for the user auditor’s opinion on the user entity’s financial statements. However, when the user auditor expresses a modified opinion because of a modified opinion in a service auditor’s report, the user auditor is not precluded from referring to the service auditor’s report if such reference assists in explaining the reason for the user auditor’s modified opinion. In such circumstances, the user auditor may need the consent of the service auditor before making such a reference.
19
Material Modifications to ISA 402, “Audit Considerations Relating to an Entity Using a Service Organisation”
1. Paragraphs A10 and A11 of ISA 402 deal with the application of the requirements of ISA 402 to public sector auditors who have broad rights of access established by legislation. Since as mentioned in the “Preface to the Standards on Quality Control, Auditing, Review, Other Assurance and Related Services”, the Standards issued by the Auditing and Assurance Standards Board, apply equally to all entities, irrespective of their form, nature and size, a specific reference to applicability of the Standard to public sector entities has been deleted. However, since the situation envisaged in paragraphs A10 and A11 may be possible even in case of auditors of non-public sector entities, the spirit of paragraphs A10 and A11 has been retained and made generic. 2. Paragraph 13 (a) and paragraph A19 of ISA 402 deal with assessment of the service auditor’s professional competence and independence from the service organisation for obtaining sufficient and appropriate audit evidence and for reporting purposes. The corresponding paragraphs of SA 402 also require such assessment of professional competence except where the service auditor is also a member of the Institute of Chartered Accountants of India.
20
BIBILOGROPHY
? www.icai.org.in ? www.wikipedia.com ? www.caclub.co.in ? www.cablogs.com ? www.google.com
21
doc_618564359.docx
Scope of this SA 1. This Standard on Auditing (SA) establishes the independent auditor’s overall responsibilities when conducting an audit of financial statements in accordance with SAs. Specifically, it sets out the overall objectives of the independent auditor, and explains the nature and scope of an audit designed to enable the independent auditor to meet those objectives. It also explains the scope, authority and structure of the SAs, and includes requirements establishing the general responsibilities of the independent auditor applicable in all audits, including the obligation to comply with the SAs. The independent auditor is referred to as “the auditor” hereafter.
2. SAs are written in the context of an audit of financial statements by an auditor. They are to be adapted as necessary in the circumstances when applied to audits of other historical financial information. An Audit of Financial Statements
3. The purpose of an audit is to enhance the degree of confidence of intended users in the financial statements. This is achieved by the expression of an opinion by the auditor on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. In the case of most general purpose frameworks, that opinion is on whether the financial statements are presented fairly, in all material respects, or give a true and fair view in accordance with the framework. An audit conducted in accordance with SAs and relevant ethical requirements enables the auditor to form that opinion.
4. The financial statements subject to audit are those of the entity, prepared and presented by management of the entity with oversight from those charged with governance. SAs do not impose responsibilities on management or those charged with governance and do not override laws and regulations that govern their responsibilities. However, an audit in accordance with SAs is conducted on the premise that management and, where appropriate, those charged with governance have responsibilities that are fundamental to the conduct of the audit. The audit of the financial statements does not relieve management or those charged with governance of those responsibilities.
1
5. As the basis for the auditor’s opinion, SAs require the auditor to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. Reasonable assurance is a high level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (i.e., the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level. However, reasonable assurance is not an absolute level of assurance, because there are inherent limitations of an audit which result in most of the audit evidence on which the auditor draws conclusions and bases the auditor’s opinion being persuasive rather than conclusive.
6. The concept of materiality is applied by the auditor both in planning and performing the
audit, and in evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements. In general, misstatements, including omissions, are considered to be material if, individually or in the aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements. Judgments about materiality are made in the light of surrounding circumstances, and are affected by the auditor’s perception of the financial information needs of users of the financial statements, and by the size or nature of a misstatement, or a combination of both. The auditor’s opinion deals with the financial statements as a whole and therefore the auditor is not responsible for the detection of misstatements that are not material to the financial statements as a whole. 7. The SAs contain objectives, requirements and application and other explanatory material that are designed to support the auditor in obtaining reasonable assurance. The SAs require that the auditor exercise professional judgment and maintain professional scepticism throughout the planning and performance of the audit and, among other things: ? Identify and assess risks of material misstatement, whether due to fraud or error, based on an understanding of the entity and its environment, including the entity’s internal control. ? Obtain sufficient appropriate audit evidence about whether material misstatements exist, through designing and implementing appropriate responses to the assessed risks. ? Form an opinion on the financial statements based on conclusions drawn from the audit evidence obtained.
8. The form of opinion expressed by the auditor will depend upon the applicable financial reporting framework and any applicable laws or regulations.
2
Effective Date ? This SA is effective for audits of financial statements for periods beginning on or after April 1 2010.
Objectives ? In conducting an audit of financial statements, the overall objectives of the auditor are: (a) To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and
(b) To report on the financial statements, and communicate as required by the SAs, in accordance with the auditor’s findings.
3
Definitions
? For purposes of the SAs, the following terms have the meanings attributed below:
(a) Applicable financial reporting framework – The financial reporting framework adopted by management and, where appropriate, those charged with governance in the preparation and presentation of the financial statements that is acceptable in view of the nature of the entity and the objective of the financial statements, or that is required by law or regulation. The term “fair presentation framework” is used to refer to a financial reporting framework that requires compliance with the requirements of the framework and: (i) Acknowledges explicitly or implicitly that, to achieve fair presentation of the financial statements, it may be necessary for management to provide disclosures beyond those specifically required by the framework; or (ii) Acknowledges explicitly that it may be necessary for management to depart from a requirement of the framework to achieve fair presentation of the financial statements. Such departures are expected to be necessary only in extremely rare circumstances. The term “compliance framework” is used to refer to a financial reporting framework that requires compliance with the requirements of the framework, but does not contain the acknowledgements in (i) or (ii) above.
(b) Audit evidence – Information used by the auditor in arriving at the conclusions on which the auditor’s opinion is based. Audit evidence includes both information contained in the accounting records underlying the financial statements and other information. For purposes of the SAs: (i) Sufficiency of audit evidence is the measure of the quantity of audit evidence. The quantity of the audit evidence needed is affected by the auditor’s assessment of the risks of material misstatement and also by the quality of such audit evidence. (ii) Appropriateness of audit evidence is the measure of the quality of audit evidence; that is, its relevance and its reliability in providing support for the conclusions on which the auditor’s opinion is based.
4
(c) Audit risk – The risk that the auditor expresses an inappropriate audit opinion when the financial statements are materially misstated. Audit risk is a function of the risks of material misstatement and detection risk. (d) Auditor – “Auditor” is used to refer to the person or persons conducting the audit, usually the engagement partner or other members of the engagement team, or, as applicable, the firm. Where an SA expressly intends that a requirement or responsibility be fulfilled by the engagement partner, the term “engagement partner” rather than “auditor” is used. “Engagement partner” and “firm” are to be read as referring to their public sector equivalents where relevant. (e) Detection risk – The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level will not detect a misstatement that exists and that could be material, either individually or when aggregated with other misstatements. (f) Financial statements – A structured representation of historical financial information, including related notes, intended to communicate an entity’s economic resources or obligations at a point in time or the changes therein for a period of time in accordance with a financial reporting framework. The related notes ordinarily comprise a summary of significant accounting policies and other explanatory information. The term “financial statements” ordinarily refers to a complete set of financial statements as determined by the requirements of the applicable financial reporting framework, but can also refer to a single financial statement. (g) Historical financial information – Information expressed in financial terms in relation to a particular entity, derived primarily from that entity’s accounting system, about economic events occurring in past time periods or about economic conditions or circumstances at points in time in the past. (h) Management – The person(s) with executive responsibility for the conduct of the entity’s operations. For some entities in some jurisdictions, management includes some or all of those charged with governance, for example, executive members of a governance board, or an owner-manager. (i) Misstatement – A difference between the amount, classification, presentation, or disclosure of a reported financial statement item and the amount, classification, presentation, or disclosure that is required for the item to be in accordance with the applicable financial reporting framework. Misstatements can arise from error or fraud.
5
(j) Premise, relating to the responsibilities of management and, where appropriate, those charged with governance, on which an audit is conducted – That management and, where appropriate, those charged with governance have the following responsibilities that are fundamental to the conduct of an audit in accordance with SAs. That is, responsibility: For the preparation and presentation of the financial statements in accordance with the applicable financial reporting framework; this includes the design, implementation and maintenance of internal control relevant to the preparation and presentation of financial statements that are free from material misstatement, whether due to fraud or error; and To provide the auditor with: a) All information, such as records and documentation, and other matters that are relevant to the preparation and presentation of the financial statements; b) Any additional information that the auditor may request from management and, where appropriate, those charged with governance; and c) Unrestricted access to those within the entity from whom the auditor determines it necessary to obtain audit evidence. In the case of a fair presentation framework, the responsibility is for the preparation and fair presentation of the financial statements in accordance with the financial reporting framework; or the preparation of financial statements that give a true and fair view in accordance with the financial reporting framework. This applies to all references to “preparation and presentation of the financial statements” in the SAs. The “premise, relating to the responsibilities of management and, where appropriate, those charged with governance, on which an audit is conducted” may also be referred to as the “premise”.
6
Requirements
? Ethical Requirements Relating to an Audit of Financial Statements The auditor shall comply with relevant ethical requirements, including those pertaining to independence, relating to financial statement audit engagements. ? Professional Skepticism The auditor shall plan and perform an audit with professional skepticism recognising that circumstances may exist that cause the financial statements to be materially misstated. ? Professional Judgment The auditor shall exercise professional judgment in planning and performing an audit of financial statements. ? Sufficient Appropriate Audit Evidence and Audit Risk To obtain reasonable assurance, the auditor shall obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion. ? Complying with Relevant Requirements Subject to paragraph 23, the auditor shall comply with each requirement of an SA unless, in the circumstances of the audit:
(a) The entire SA is not relevant; or (b) The requirement is not relevant because it is conditional and the condition does not exist.
o In exceptional circumstances, the auditor may judge it necessary to depart from a relevant requirement in an SA. In such circumstances, the auditor shall perform alternative audit procedures to achieve the aim of that requirement. The need for the auditor to depart from a relevant requirement is expected to arise only where the requirement is for a specific procedure to be performed and, in the specific circumstances of the audit, that procedure would be ineffective in achieving the aim of the requirement.
7
Application and Other Explanatory Material
An Audit of Financial Statements Scope of the Audit A1. The auditor’s opinion on the financial statements deals with whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. Such an opinion is common to all audits of financial statements. The auditor’s opinion therefore does not assure, for example, the future viability of the entity nor the efficiency or effectiveness with which management has conducted the affairs of the entity. In some cases, however, the applicable laws and regulations may require auditors to provide opinions on other specific matters, such as the effectiveness of internal control, or the consistency of a separate management report with the financial statements. While the SAs include requirements and guidance in relation to such matters to the extent that they are relevant to forming an opinion on the financial statements, the auditor would be required to undertake further work if the auditor had additional responsibilities to provide such opinions.
Preparation of the Financial Statements
A2. An audit in accordance with SAs is conducted on the premise that management and, where appropriate, those charged with governance have responsibility: (a) For the preparation and presentation of the financial statements in accordance with the applicable financial reporting framework; this includes the design, implementation and maintenance of internal control relevant to the preparation and presentation of financial statements that are free from material misstatement, whether due to fraud or error; and (b) To provide the auditor with: (i) All information, such as records and documentation, and other matters that are relevant to the preparation and presentation of the financial statements; (ii) Any additional information that the auditor may request from management and, where appropriate, those charged with governance; and (iii) Unrestricted access to those within the entity from whom the auditor determines it necessary to obtain audit evidence.
8
A3. As part of their responsibility for the preparation and presentation of the financial statements, management and, where appropriate, those charged with governance are responsible for: The identification of the applicable financial reporting framework, in the context of any relevant laws or regulations. The preparation and presentation of the financial statements in accordance with that framework. An adequate description of that framework in the financial statements. The preparation of the financial statements requires management to exercise judgment in making accounting estimates that are reasonable in the circumstances, as well as to select and apply appropriate accounting policies. These judgments are made in the context of the applicable financial reporting framework.
A4. The financial statements may be prepared in accordance with a financial reporting framework designed to meet: The common financial information needs of a wide range of users (i.e., “general purpose financial statements”); or The financial information needs of specific users (i.e., “special purpose financial statements”).
A5. The applicable financial reporting framework often encompasses financial reporting standards established by an authorised or recognised standards setting organisation, or legislative or regulatory requirements. In some cases, the financial reporting framework may encompass both financial reporting standards established by an authorised or recognised standards setting organisation and legislative or regulatory requirements. Other sources may provide direction on the application of the applicable financial reporting framework. In some cases, the applicable financial reporting framework may encompass such other sources, or may even consist only of such sources. Such other sources may include: The legal and ethical environment, including statutes, regulations, court decisions, and professional ethical obligations in relation to accounting matters; Published accounting interpretations of varying authority issued by standards setting, professional or regulatory organisations; Published views of varying authority on emerging accounting issues issued by standards setting, professional or regulatory organisations; General and industry practices widely recognised and prevalent.
9
A6. The requirements of the applicable financial reporting framework determine the form and content of the financial statements. Although the framework may not specify how to account for or disclose all transactions or events, it ordinarily embodies sufficient broad principles that can serve as a basis for developing and applying accounting policies that are consistent with the concepts underlying the requirements of the framework. A7. Some financial reporting frameworks are fair presentation frameworks, while others are compliance frameworks. Financial reporting frameworks that encompass primarily the financial reporting standards established by an organisation that is authorised or recognised to promulgate standards to be used by entities for preparing and presenting general purpose financial statements are often designed to achieve fair presentation. A8. The requirements of the applicable financial reporting framework also determine what constitutes a complete set of financial statements. In the case of many frameworks, financial statements are intended to provide information about the state of affairs, results of operations and cash flows of an entity. For such frameworks, a complete set of financial statements would include a balance sheet; statement of profit and loss; a cash flow statement; and related notes. For some other financial reporting frameworks, a single financial statement and the related notes might constitute a complete set of financial statements: For example, normally, in government departments and local bodies, the primary financial statement is a statement of cash receipts and payments. Other examples of a single financial statement, each of which would include related notes, are: ? ? ? ? Balance sheet. Statement of profit & loss. Statement of cash flows. Statement of operations by product lines.
A9. SA 210 establishes requirements and provides guidance on determining the acceptability of the applicable financial reporting framework. SA 800 deals with special considerations when financial statements are prepared in accordance with a special purpose framework. A10. Because of the significance of the premise to the conduct of an audit, the auditor is required to obtain agreement from management and, where appropriate, those charged with governance that they acknowledge and understand their responsibilities set out in paragraph A2 as a precondition for accepting the audit engagement. The auditor is also required to obtain written representations about whether management and, where appropriate, those charged with governance have fulfilled those responsibilities
10
Form of the Auditor’s Opinion ? The opinion expressed by the auditor is on whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. The form of the auditor’s opinion, however, will depend upon the applicable financial reporting framework and any applicable laws or regulations. Most financial reporting frameworks include requirements relating to the presentation of the financial statements; for such frameworks, preparation of the financial statements in accordance with the applicable financial reporting framework includes presentation. ? Where the financial reporting framework is a fair presentation framework, as is generally the case for general purpose financial statements, the opinion required by the SAs is on whether the financial statements are presented fairly, in all material respects, or give a true and fair view. Where the financial reporting framework is a compliance framework, the opinion required is on whether the financial statements are prepared, in all material respects, in accordance with the framework. Unless specifically stated otherwise, references in the SAs to the auditor’s opinion cover both forms of opinion.
Ethical Requirements Relating to an Audit of Financial Statements ? The auditor is subject to relevant ethical requirements, including those pertaining to independence, relating to financial statement audit engagements. Relevant ethical requirements ordinarily comprise the Code of Ethics issued by the Institute of Chartered Accountants of India. ? The Code establishes the following as the fundamental principles of professional ethics relevant to the auditor when conducting an audit of financial statements and provides a conceptual framework for applying those principles; (a) Integrity; (b) Objectivity; (c) Professional competence and due care; (d) Confidentiality; and (e) Professional behaviour. ? In the case of an audit engagement it is in the public interest and, therefore, required by the Code of Ethics, that the auditor be independent of the entity subject to the audit. The Code describes independence as comprising both independence of mind and independence in appearance. The auditor’s independence from the entity safeguards the auditor’s ability to form an audit opinion without being affected by influences that might compromise that opinion. Independence enhances the auditor’s ability to act with integrity, to be objective and to maintain an attitude of professional scepticism.
11
? Standard on Quality Control (SQC) 19 sets out the responsibilities of the firm for establishing policies and procedures designed to provide it with reasonable assurance that the firm and its personnel comply with relevant ethical requirements, including those pertaining to independence. SA sets out the engagement partner’s responsibilities with respect to relevant ethical requirements. These include evaluating whether members of the engagement team have complied with relevant ethical requirements, determining the appropriate action if matters come to the engagement partner’s attention that indicate that members of the engagement team have not complied with relevant ethical requirements, and forming a conclusion on compliance with independence requirements that apply to the audit engagement. SA recognises that the engagement team is entitled to rely on a firm’s systems in meeting its responsibilities with respect to quality control procedures applicable to the individual audit engagement, unless information provided by the firm or other parties suggests otherwise. Professional Skepticism ? Professional skepticism includes being alert to, for example: Audit evidence that contradicts other audit evidence obtained. Information that brings into question the reliability of documents and responses to inquiries to be used as audit evidence. Conditions that may indicate possible fraud. Circumstances that suggest the need for audit procedures in addition to those required by the SAs. ? Maintaining professional skepticism throughout the audit is necessary if the auditor is, for example, to reduce the risks of: Overlooking unusual circumstances. Over generalising when drawing conclusions from audit observations. Using inappropriate assumptions in determining the nature, timing, and extent of the audit procedures and evaluating the results thereof. ? Professional skepticism is necessary to the critical assessment of audit evidence. This includes questioning contradictory audit evidence and the reliability of documents and responses to inquiries and other information obtained from management and those charged with governance. It also includes consideration of the sufficiency and appropriateness of audit evidence obtained in the light of the circumstances, for example in the case where fraud risk factors exist and a single document, of a nature that is susceptible to fraud, is the sole supporting evidence for a material financial statement amount. ? The auditor may accept records and documents as genuine unless the auditor has reason to believe the contrary. Nevertheless, the auditor is required to consider the reliability of information to be used as audit evidence. In cases of doubt about the reliability of information or indications of possible fraud (for example, if conditions identified during the audit cause the auditor to believe that a document may not be
12
authentic or that terms in a document may have been falsified), the SAs require that the auditor investigate further and determine what modifications or additions to audit procedures are necessary to resolve the matter. ? The auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance. Nevertheless, a belief that management and those charged with governance are honest and have integrity does not relieve the auditor of the need to maintain professional skepticism or allow the auditor to be satisfied with less-than-persuasive audit evidence when obtaining reasonable assurance.
Professional Judgment ? Professional judgment is essential to the proper conduct of an audit. This is because interpretation of relevant ethical requirements and the SAs and the informed decisions required throughout the audit cannot be made without the application of relevant knowledge and experience to the facts and circumstances. Professional judgment is necessary in particular regarding decisions about: The nature, timing, and extent of audit procedures used to meet the requirements of the SAs and gather audit evidence. Evaluating whether sufficient appropriate audit evidence has been obtained, and whether more needs to be done to achieve the objectives of the SAs and thereby, the overall objectives of the auditor. The evaluation of management’s judgments in applying the entity’s applicable financial reporting framework. The drawing of conclusions based on the audit evidence obtained, for example, assessing the reasonableness of the estimates made by management in preparing the financial statements. Materiality and audit risk.
13
Tests of Controls ? The user auditor is required to design and perform tests of controls to obtain sufficient
appropriate audit evidence as to the operating effectiveness of relevant controls in certain circumstances. In the context of a service organisation, this requirement applies when: (a) The user auditor’s assessment of risks of material misstatement includes an expectation that the controls at the service organisation are operating effectively (i.e., the user auditor intends to rely on the operating effectiveness of controls at the service organisation in determining the nature, timing and extent of substantive procedures); or (b) Substantive procedures alone, or in combination with tests of the operating effectiveness of controls at the user entity, cannot provide sufficient appropriate audit evidence at the assertion level.
? If a Type 2 report is not available, a user auditor may contact the service organisation,
through the user entity, to request that a service auditor be engaged to provide a Type 2 report that includes tests of the operating effectiveness of the relevant controls or the user auditor may use another auditor to perform procedures at the service organisation that test the operating effectiveness of those controls. A user auditor may also visit the service organisation and perform tests of relevant controls if the service organisation agrees to it. The user auditor’s risk assessments are based on the combined evidence provided by the work of another auditor and the user auditor’s own procedures.
? Using a Type 2 Report as Audit Evidence that Controls at the Service Organisation Are Operating Effectively
? A Type 2 report may be intended to satisfy the needs of several different user
auditors; therefore tests of controls and results described in the service auditor’s report may not be relevant to assertions that are significant in the user entity’s financial statements. The relevant tests of controls and results are evaluated to
14
determine that the service auditor’s report provides sufficient appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment. In doing so, the user auditor may consider the following factors:
(a) The time period covered by the tests of controls and the time elapsed since the performance of the tests of controls; (b) The scope of the service auditor’s work and the services and processes covered, the controls tested and tests that were performed, and the way in which tested controls relate to the user entity’s controls; and (c) The results of those tests of controls and the service auditor’s opinion on the operating effectiveness of the controls.
?
For certain assertions, the shorter the period covered by a specific test and the longer the time elapsed since the performance of the test, the less audit evidence the test may provide. In comparing the period covered by the Type 2 report to the user entity’s financial reporting period, the user auditor may conclude that the Type 2 report offers less audit evidence if there is little overlap between the period covered by the Type 2 report and the period for which the user auditor intends to rely on the report. When this is the case, a Type 2 report covering a preceding or subsequent period may provide additional audit evidence. In other cases, the user auditor may determine it is necessary to perform, or use another auditor to perform, tests of controls at the service organisation in order to obtain sufficient appropriate audit evidence about the operating effectiveness of those controls. It may also be necessary for the user auditor to obtain additional evidence about significant changes to the relevant controls at the service organisation outside of the period covered by the Type 2 report or determine additional audit procedures to be performed. Relevant factors in determining what additional audit evidence to obtain about controls at the service organisation that were operating outside of the period covered by the service auditor’s report may include:
?
The significance of the assessed risks of material misstatement at the assertion level; The specific controls that were tested during the interim period, and significant changes to them since they were tested, including changes in the information system, processes, and personnel; The degree to which audit evidence about the operating effectiveness of
15
those controls was obtained; The length of the remaining period; The extent to which the user auditor intends to reduce further substantive procedures based on the reliance on controls; and
? Additional audit evidence may be obtained, for example, by extending tests of
controls over the remaining period or testing the user entity’s monitoring of controls.
? If the service auditor’s testing period is completely outside the user entity’s financial
reporting period, the user auditor will be unable to rely on such tests for the user auditor to conclude that the user entity’s controls are operating effectively because they do not provide current audit period evidence of the effectiveness of the controls, unless other procedures are performed. ? In certain circumstances, a service provided by the service organisation may be designed with the assumption that certain controls will be implemented by the user entity. For example, the service may be designed with the assumption that the user entity will have controls in place for authorising transactions before they are sent to the service organisation for processing. In such a situation, the service organisation’s description of controls may include a description of those complementary user entity controls.
? If the user auditor believes that the service auditor’s report may not provide
sufficient appropriate audit evidence, for example, if a service auditor’s report does not contain a description of the service auditor’s tests of controls and results thereon, the user auditor may supplement the understanding of the service auditor’s procedures and conclusions by contacting the service organisation, through the user entity, to request a discussion with the service auditor about the scope and results of the service auditor’s work. Also, if the user auditor believes it is necessary, the user auditor may contact the service organisation, through the user entity, to request that the service auditor perform procedures at the service organisation.
? The service auditor’s Type 2 report identifies results of tests, including exceptions
and other information that could affect the user auditor’s conclusions. Exceptions noted by the service auditor or a modified opinion in the service auditor’s Typ e 2 report do not automatically mean that the service auditor’s Type 2 report will not be useful for the audit of the user entity’s financial statements in assessing the risks of material misstatement. Rather, the exceptions and the matter giving rise to a modified opinion in the service auditor’s Type 2 report are considered in the user auditor’s assessment of the testing of controls performed by the service auditor. In considering the exceptions and matters giving rise to a modified opinion, the user auditor may discuss such matters with the service auditor. Such communication is
16
dependent upon the user entity contacting the service organisation, and obtaining the service organisation’s approval for the communication to take place.
? Communication of Deficiencies in Internal Control identified during the Audit
? The user auditor is required to communicate in writing significant deficiencies
identified during the audit to both management and those charged with governance on a timely basis. The user auditor is also required to communicate to management at an appropriate level of responsibility on a timely basis other deficiencies in internal control identified during the audit that, in the user auditor’s professional judgment, are of sufficient importance to merit management’s attention. Matters that the user auditor may identify during the audit and may communicate to management and those charged with governance of the user entity include: Any monitoring of controls that could be implemented by the user entity, including those identified as a result of obtaining a Type 1 or Type 2 report; Instances where complementary user entity controls are noted in the Type 1 or Type 2 report and are not implemented at the user entity; and Controls that may be needed at the service organisation that do not appear to have been implemented or that are not specifically covered by a Type 2 report.
? Type 1 and Type 2 Reports that Exclude the Services of a Subservice Organisation
?
If a service organisation uses a subservice organisation, the service auditor’s report may either include or exclude the subservice organisation’s relevant control objectives and related controls in the service organisation’s description of its system and in the scope of the service auditor’s engagement. These two methods of reporting are known as the inclusive method and the carve-out method, respectively. If the Type 1 or Type 2 report excludes the controls at a subservice organisation, and the services provided by the subservice organisation are relevant to the audit of the user entity’s financial statements, the user auditor is required to apply the requirements of this SA in respect of the subservice organisation. The nature and extent of work to be performed by the user auditor regarding the services provided by a subservice organisation depend on the nature and significance of those services to the user entity and the relevance of those services to the audit.
17
? Fraud, Non-Compliance with Laws and Regulations and Uncorrected Misstatements
in Relation to Activities at the Service Organisation
? A service organisation may be required under the terms of the contract with user
entities to disclose to affected user entities any fraud, non-compliance with laws and regulations or uncorrected misstatements attributable to the service organisation’s management or employees. The user auditor makes inquiries of the user entity management regarding whether the service organisation has reported any such matters and evaluates whether any matters reported by the service organisation affect the nature, timing and extent of the user auditor’s further audit procedures. In certain circumstances, the user auditor may require additional information to perform this evaluation, and may request the user entity to contact the service organisation to obtain the necessary information.
? Reporting by the User Auditor
? When a user auditor is unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organisation relevant to the audit of the user entity’s financial statements, a limitation on the scope of the audit exists. This may be the case when: The user auditor is unable to obtain a sufficient understanding of the services provided by the service organisation and does not have a basis for the identification and assessment of the risks of material misstatement;
A user auditor’s risk assessment includes an expectation that controls at the service organisation are operating effectively and the user auditor is unable to obtain sufficient appropriate audit evidence about the operating effectiveness of these controls; or Sufficient appropriate audit evidence is only available from records held at the service organisation, and the user auditor is unable to obtain direct access to these records. Whether the user auditor expresses a qualified opinion or disclaims an opinion
18
depends on the user auditor’s conclusion as to whether the possible effects on the financial statements are material or pervasive.
? Reference to the Work of a Service Auditor
? In some cases, law or regulation may require a reference to the work of a service
auditor in the user auditor’s report, for example, for the purposes of transparency in the public sector. In such circumstances, the user auditor may need the consent of the service auditor before making such a reference.
? The fact that a user entity uses a service organisation does not alter the user auditor’s
responsibility under SAs to obtain sufficient appropriate audit evidence to afford a reasonable basis to support the user auditor’s opinion. Therefore, the user audit or does not make reference to the service auditor’s report as a basis, in part, for the user auditor’s opinion on the user entity’s financial statements. However, when the user auditor expresses a modified opinion because of a modified opinion in a service auditor’s report, the user auditor is not precluded from referring to the service auditor’s report if such reference assists in explaining the reason for the user auditor’s modified opinion. In such circumstances, the user auditor may need the consent of the service auditor before making such a reference.
19
Material Modifications to ISA 402, “Audit Considerations Relating to an Entity Using a Service Organisation”
1. Paragraphs A10 and A11 of ISA 402 deal with the application of the requirements of ISA 402 to public sector auditors who have broad rights of access established by legislation. Since as mentioned in the “Preface to the Standards on Quality Control, Auditing, Review, Other Assurance and Related Services”, the Standards issued by the Auditing and Assurance Standards Board, apply equally to all entities, irrespective of their form, nature and size, a specific reference to applicability of the Standard to public sector entities has been deleted. However, since the situation envisaged in paragraphs A10 and A11 may be possible even in case of auditors of non-public sector entities, the spirit of paragraphs A10 and A11 has been retained and made generic. 2. Paragraph 13 (a) and paragraph A19 of ISA 402 deal with assessment of the service auditor’s professional competence and independence from the service organisation for obtaining sufficient and appropriate audit evidence and for reporting purposes. The corresponding paragraphs of SA 402 also require such assessment of professional competence except where the service auditor is also a member of the Institute of Chartered Accountants of India.
20
BIBILOGROPHY
? www.icai.org.in ? www.wikipedia.com ? www.caclub.co.in ? www.cablogs.com ? www.google.com
21
doc_618564359.docx