International Standards on Auditing and their Applicability to SMEs
The impact of International Standards on Auditing (ISAs) on the work of small- and medium-sized practices (SMPs) and the audits of small- and medium-sized entities (SMEs), has been a subject of ongoing discussion for a number of years, and is still an issue that is raised repeatedly by practitioners. The annual SMP survey conducted by the International Federation of Accountants (IFAC, 2016) identified, that globally SMPs have consistently ranked ‘keeping up with new regulations and standards’ as one of their top challenges.
All local audits must be conducted in accordance with ISAs, and each ISA contains objectives, requirements and application and other explanatory material that apply to the audit of the financial statements of any entity regardless of its size, legal form, ownership, management structure or nature of its activities (IAASB, 2007). On the other hand the audit of a small entity has its own special considerations, mainly due its size, the nature of its management controls and the general lack of complexity in its transactions. SMEs are typified by an owner-managed entity, with few sources of income, simple off-the-shelf accounting package, and limited documentation of internal controls. Therefore how should one apply ISAs to a relatively uncomplicated SME?
In deconstructing aspects of some of the ISAs we will attempt to answer this question in a clear and concise manner.
Owner-directors of small entities tend to outsource the preparation of financial statements to third parties, relying on the expert knowledge of their accountants. In the process, they perhaps forget that the primary responsibility for the preparation of financial statements rests with the directors. ISA 210 – Agreeing the Terms of Engagements specifically requires that a precondition of every audit is to obtain the agreement of the board of directors that it acknowledges and understands its responsibilities. Therefore one of the purposes of the engagement letter is to avoid any misunderstanding about the respective responsibilities of the owner-director and the auditor. The auditor can also include other important matters such as fees and billing arrangements, timelines for availability of financial information and the expectation that the owner-directors will provide access to all information.
The provisions of the Code of Ethics for Warrant Holders provides safeguards that are to be followed to ensure that the auditor’s independence is not compromised when providing an audit client which is not a Public Interest Entity with book-keeping services and the preparation of financial statements based on information in the trial balance. These safeguards include arranging for such services to be performed by an individual who is not a member of the audit team; or if such services are performed by a member of the audit team, using a principal or senior staff member with appropriate expertise who is not a member of the audit team to review the work performed (Accountancy Profession Act Cap 281-Directive 2, 2016).
“If it’s not documented, it’s not done” – a basic message of ISA 230 – Audit Documentation which requires that documentation provides a sufficient and appropriate record of the basis for the auditor’s report and evidence that the audit was performed in accordance with ISAs. Unfortunately QAU inspections routinely identify deficiencies in audit documentation. The latest Accountancy Board Annual Report for 2016 noted amongst others, the lack of appropriate documentation with respect to the determination of a benchmark to calculate materiality, insufficient documentation of the client’s background and internal control systems, as well as a lack of appropriate documentation of testing performed with respect to inventory, loans and receivables and testing of revenue.
There are however more powerful reasons why adequate audit documentation should be retained aside from the requirement to adhere to regulations. Compiling clear and comprehensive audit documentation in a timely manner assists the auditor in planning, performing and supervising the conduct of the audit, including the review of work performed by assistants, and finally the evaluation of conclusions reached. The process of documentation assists in qualitatively enhancing the logic and clarity in thinking when evaluating issues, applying professional judgement and reaching conclusions (IAASB, 2009).
The key is to prepare audit documentation in an efficient manner. Although ISA 230 does not contain specific requirements of the precise documentation that has to be in the audit file, it encourages meaningful documentation. Its emphasis is on the documentation of significant audit matters and the significant professional judgements made by the auditor, with a focus on significant. The following are some examples included in the standard:
“… it is neither necessary nor practicable for the auditor to document every matter considered, or professional judgement made, in an audit…” ISA 230 (A7)
“…in the case of an audit where the audit engagement partner performs all the audit work, the documentation will not include matters that might have to be documented solely to inform or instruct members of an engagement team…” ISA 230 (A16)
“When preparing audit documentation, the auditor of a smaller entity may also find it helpful and efficient to record various aspects of the audit together in a single document, with cross-references to supporting working papers as appropriate…” IAS 230 (A17)
Effective internal controls prevent material misstatements due to error or fraud from occurring and going undetected. However small entities generally have less formal controls which are very often are not documented. Risks are typically mitigated through controls applied by the owner-directors involved in the business, it might not be possible for certain controls such as segregation of duties to be implemented and there is greater potential of management override of controls (IFAC, 2011)
Therefore one could perhaps question whether a controls-based audit approach is possible in an environment intrinsically controlled by owner-directors. A smaller entity might not necessarily have a written code of conduct, but the integrity of owner-directors and company culture can be assessed by observation and enquiries on communications to staff and management by example. Evidence of controls applied by owner-directors can be observed by for example reviewing bank reconciliation statements, stock taking procedures, cash till reconciliations and up to date controls of employee records, amongst others. However, as specified by ISA 240 – The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial statements, domination by owner-directors can be a potential deficiency in internal controls since they can override controls. This risk is perceived as so important that irrespective of the auditor’s assessment, the standard prescribes that the auditor has to design and perform procedures to test the appropriateness of journal entries, review accounting estimates and evaluate the business rationale of significant transactions outside the normal course of business or that appear to be unusual.
An audit conducted in accordance with ISAs is essentially a risk-based audit involving three key steps:
- Risk Assessment – Performing risk assessment procedures to identify and assess the risks of material misstatement in the financial statements.
- Risk Response – Designing and performing further audit procedures that respond to identified and assessed risks of material misstatement, at both the financial statement and assertion levels.
- Reporting – This involves: forming an opinion based on the audit evidence obtained; and preparing and issuing a report that is appropriate to the conclusions reached.” (IFAC, 2011)
Therefore in simple terms, the focus is on what could go wrong, how this can be addressed and formulating an audit opinion that is appropriate on the basis of the audit evidence obtained. This methodology is applicable to all engagements regardless of size, complexity or fee, but the underlying benefits are substantial as:
- It allows time flexibility since certain procedures can be performed earlier in the audit process;
- Focus is on key areas, facilitating better understanding of risks;
- Tests of detail are not performed for areas of low risk;
- Identification and reliance (where applicable) on internal controls;
- Effort is focused on addressing areas of high risk;
- Unnecessary audit procedures are scoped out; and
- Audit staff can understand and apply their professional judgement.
The positive aspects of a risk-based audit will not ensue if certain old habits are not eliminated. Auditors caught up in a never ending line up of jobs and deadlines tend to fall in the same old trap, where planning is ignored and detailed substantive testing is performed regardless of the risk assessment, priority is given to completing check lists, standard programs are used in all engagements, and no check is made to ensure that there is no over auditing of low risk areas (CPA Australia, 2014).
International Financial Reporting Standards (IFRSs) and the local General Accounting Principles for Small and Medium Sized Entities (GAPSME), assume that the entity is a going concern and that it will continue in operation in the foreseeable future. Furthermore both accounting frameworks require that management assess the entity’s ability to continue as a going concern. ISA 570 – Going Concern recognises that although smaller entities are quick to respond in exploiting opportunities, their size may affect their ability to withstand adverse conditions and they may lack the resources to sustain operations. Accordingly smaller entities could be more susceptible to the risk that lenders will cease their support or that a supplier, employee or major customer could discontinue the relationship.
Nonetheless ISA 570 still places the onus on the directors to conduct their own risk assessment about whether the entity is able to continue operating as a going concern. On his own part, the auditor is responsible to obtain sufficient appropriate audit evidence on the appropriateness of the director’s use of the going concern assumption in the preparation of the financial statements. The lack of formal documentation by the directors does not mean that the going concern assessment has necessarily not been performed, since the directors very often rely on their in-depth knowledge about the future expectations of their business. In these cases the auditor is required to discuss the directors’ plans and corroborate with documentary and other evidence obtained.
In the context of assessing going concern for smaller entities, the continued support of the owner-directors is often crucial (ACCA, 2012). ISA 570 gives clear guidance in this respect stating that in such circumstances the auditor should where applicable consider obtaining documentary evidence of the sub-ordination of the owner-director’s loan or guarantee, evaluate the owner-director’s ability to meet the obligation under a support agreement and in addition obtain written confirmation of the terms and conditions of such support.
The ISAs mentioned above are clearly not an exhaustive list of instances where ISAs give guidance when auditing a smaller entity. In certain cases requirements apply to all audits whereas in other cases the standards give specific guidance under the sub-heading ‘Considerations specific to the audit of smaller entities’ in the application material. As described by IFAC (IFAC, 2012) “the public has expectations about what an audit means, and will assume that an audit has been conducted on the same basis to arrive at the same opinion”. Each audit is different, however every audit should be conducted by adhering to the basic principles of ethical conduct, applying professional scepticism and appropriately documented judgements, ensuring that sufficient appropriate audit evidence is obtained, and ensuring that the audit is conducted in accordance with ISAs (IAASB, 2016 – ISA 200). This will ensure that regardless of size, an efficient and effective audit conclusion will be reached.
A detailed list of references is available from the editor and will be provided upon request.