By Phil Cowperthwaite
Illustration: Blair Kelly
Familiarity with a client and the self-review threat don’t have to impede an auditor’s performance
A professional auditor is trained to be skeptical from his or her first day on the job, and he or she needs to maintain this skepticism throughout the course of every audit. In larger engagements, safeguards are put in place to ensure that skepticism is always reinforced: a junior auditor’s judgments regarding audit evidence are questioned by the engagement audit senior, whose judgments in turn are questioned by the audit manager, whose judgments are in turn questioned by the audit partner, and so on.
While there are mechanisms to promote skepticism in multiperson audit engagements, ensuring skepticism during the audit of a micro-entity, when the auditor often works alone, is not as straightforward. For example, consider this situation. An auditor, engaged by a client for the past few years, expects to perform the audit engagement alone. The client is run by an experienced executive director, who is also in charge of finances, and an active board of directors that has experience in governance. Management asks the auditor to help draft the annual financial statements. There has not been a lot of change in the client’s sector over the past year and the numbers in that year’s trial balance appear reasonable. Overall, this audit appears to be low risk and the auditor expects to complete the engagement in a day or two.
In this scenario, what should the auditor do to ensure a sufficiently skeptical attitude, especially when receiving information and answers from management and following up unusual trends? More specifically, how will the auditor meet the standard of skepticism required in every audit? To answer these questions, it is important to understand skepticism requirements.
The relevant audit requirement regarding skepticism is stated in Canadian Auditing Standards (CAS) 200.15: “The auditor shall plan and perform an audit with professional skepticism recognizing that circumstances may exist that cause the financial statements to be materially misstated.”
This principled requirement is supported with application material in CAS 200 A18 to A22, which explains why skepticism is important to an auditor’s success, also laying out some limits of an auditor’s responsibilities: “The auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance. Nevertheless, a belief that management and those charged with governance are honest and have integrity does not relieve the auditor of the need to maintain professional skepticism or allow the auditor to be satisfied with less than persuasive audit evidence when obtaining reasonable assurance.”
And therein lies the problem. How does an auditor working alone maintain a skeptical edge while auditing a very small entity? This requires that an auditor overcome the power of suggestion and familiarity with management and those charged with governance, believing they are honest and have integrity thanks to past experience. (See www.youtube.com/watch?v=0bG7EFhMw8w for a demonstration of the power of suggestion.) As a result, unless sufficient safeguards are in place in such an environment, an auditor may too readily accept the information and answers and fail to follow up unusual trends.
One of the great benefits of partner and staff continuity on any audit is the specific knowledge that the independent auditor learns over time and applies to that engagement over the years. As well as making for an efficient audit, having past experience can both facilitate good communication and make it easier for an auditor to spot problems and make workable recommendations for changes when needed.
While the Chartered Accountants’ Code of Conduct mandates partner rotation for listed public entities, partner rotation is not required for micro-entity audits. The benefits of staff continuity generally outweigh the danger of familiarity, provided adequate safeguards are in place to guard against a threat to independence. Having adequate safeguards is especially important if the auditor is working alone.
The challenges faced by an auditor working alone and second guessing his or her work must be overcome. For example, assisting management in statement preparation is seen by clients as a value-added service and is common in many micro-entity audit engagements. Helping management prepare statements that the auditor will then audit typically does not pose a significant threat to independence, provided there are few or no difficult accounting judgments required for statement preparation, which is often the case with micro-entity financial reporting. However, an auditor must nonetheless have adequate safeguards in place to guard against the self-review threat, as micro-entity management usually has little to no understanding of the financial report framework and relies heavily on the auditor’s expertise.
Safeguarding the skeptical edge while auditing micro-entities
Ensure pre-conditions for engagement acceptance are in place (CAS 210.06) Not only may micro-entity management not have a good understanding of the financial reporting framework and ask the auditor to have a significant role in statement preparation, but management also may not understand that it is ultimately responsible for its financial statements. As a result, the auditor must first determine whether management is capable of accepting that responsibility before starting the audit. Key elements of management’s taking responsibility are understanding and approving the information in those statements.
It is at the engagement acceptance stage that the auditor should also consider whether there are sufficient safeguards in place to mitigate the self-review threat. This is the time to ask such questions as: what significant judgments are required for statement preparation? Are any of them unusual for this type of client? Are there likely to be any management biases? Are the reporting deadlines unusually tight?
To help the auditor determine if his or her judgment is sound when forming his or her audit opinion at the end of the engagement, the auditor should determine if:
Know the client’s business A significant factor in evaluating the persuasiveness of audit evidence is being able to compare it with expectations, which helps the auditor look out for danger signals. It is essential to know enough about a client and its business to develop meaningful expectations, such as the expected ratio of staff costs to revenue, cost-of-sales to sales, or investment income to investments. It is critical to establish an acceptable range outside of which additional audit procedures would be required.
An auditor is required to perform analytical procedures at the beginning of every audit to assist in the identification of risks of material misstatement (CAS 315.06) and must also perform a similar task prior to signing the audit report (CAS 700.11). The auditor should document his or her thought process used to arrive at the original estimates, and his or her conclusions when comparing actual results with those estimates. If an auditor’s work is not reviewed by someone else, it is important to be careful to ensure there is sufficient appropriate audit evidence to explain the unexpected and that documentation reflects an appropriate degree of professional skepticism.
Introduce an element of the unexpected into every audit Audit standards require introducing an element of the unexpected in every audit. Spending time obtaining additional audit evidence over and above what would normally be obtained could unearth an industry insight or an unsuspected area that requires additional audit emphasis, and perhaps a control improvement. Examples of additional work could include an increased focus on payroll processing, expense report documentation and approval, approval of electronic payments, computer backup and security procedures or the budget process.
Periodic file review The quality control standard for firms requires that every engagement partner have an independent monitoring review of an assurance engagement file normally no less than once every three years (CSQC1 48(a) and A66). This requirement helps ensure that judgments and evidence of professional skepticism are adequately documented. File review can only strengthen every engagement partner’s professional performance, especially when the auditor performs engagements alone. Having one file reviewed every three years is likely not frequent enough, especially where an auditor’s work is not often reviewed by a second person.
Micro-entities can obtain many benefits from an audit, especially if it is conducted by an auditor with prior experience with the entity and the industry. Despite the fact that familiarity with a client and the self-review threat can pose problems to maintaining skepticism, taking a few steps can result in adequate safeguards, a solid audit and a successful engagement.
Phil Cowperthwaite, FCA, is a partner of Toronto CA firm Cowperthwaite Mehta and an IAASB member since 2006
Technical editor: Ron Salole, vice-president, Standards, CICA