SME Audits And Difficulties Faced By Their SMP Auditors
The Quality Assurance Unit (‘QAU’) is now well into its second cycle of monitoring visits. The first cycle of visits, which came to an end in mid-2012, was a learning experience for us regulators and practitioners alike ever since Quality Assurance (‘QA’) kicked in, in February 2007. Our findings in the last eighteen months are clearly indicating that a significant number of repeat breaches are occurring particularly amongst smaller audit practices, whose audit clients are generally SMEs and micro-entities. There are a number of reasons for this, which I will focus on more closely later on in this article.
In this article I will look at the more common pitfalls on SME audits and the problems smaller practices are experiencing when addressing these issues. Audit policy and regulation across Europe focuses on the protection of the Public Interest. A simple risk based approach would indicate that the sector of major concern is in listed and regulated entities. There are 154 Public Interest Entities (‘PIEs’) in Malta; all of which (other than 26 entities) are audited by the larger international audit network firms, (the Big 4 firms).
Clearly, protecting the capital markets is one of the key objectives of Public Oversight. However, in many countries, SMEs are major contributors to GDP and therefore Public Oversight cannot overlook this factor. SMEs across Europe account for 98% of all incorporated businesses across Europe and therefore impact heavily on the economic activity of EU Member States. The EU has been sympathetic towards SMEs and, quite rightly, believes that burdens on SMEs (including audit and accountancy) should be reduced. The Single Accounting Directive (issued in June 2013) bears evidence to this. Whether micro-entities should still be subjected to an external audit is a subject which has been debated for the last three decades, at least. One should note that whilst the Companies Act does provide for an audit exemption for small entities (albeit with very low thresholds), the Income Tax Management Act still requires all incorporated entities to file audited financial statements along with their tax returns.
Against this backdrop, all incorporated businesses in Malta, irrespective of the size, stature and exposure, are required to have their financial statements audited and therefore fall within the remit of the QA Directive. Some of the problems I note in this article emanate from the fact that a large number of the micro-entities being audited, particularly those that are owner run businesses having no internal controls in place, are difficult if not impossible to audit, at least in accordance with International Standards on Auditing, which today, is the accepted international benchmark.
For the sake of clarity, I am simply advocating that there should be some other form of assurance reporting for micro-entities, but certainly not one based on the application of International Standards on Auditing to come to a “true and fair” opinion on the financial statements. I understand however that this is not a view that is shared by all the stakeholders concerned.
Be that as it may, not all SMEs are owner run businesses. SMEs also include relatively large public but unlisted entities, family businesses which have developed into complex group structures, public corporations as well as other foreign owned businesses (for example companies operating in the gaming, IT, financial and services industries etc.). Such companies have to rely on proper systems of internal quality controls and governance because of the volume and complexity of the risks of their business. There are of course also companies whose directors are not always the owners of the entity. The country’s exposure to these types of entities can be material if they are taken collectively. Hence the need to ensure that SME audits are carried out in accordance with the applicable auditing and accounting standards and in conformity with the relative ethical requirements embedded in the Code of Ethics.
Audit documentation and audit evidence
Audit work carried out by smaller practices was found to be particularly lacking in the following areas:-
- Inventories. Issues invariably arise mostly in relation to existence as well as valuation. We come across a number of instances where practitioners simply resort to the qualification of the audit report – particularly where no year end stock take is carried out by the audit client. Application Guidance and other material to ISA 705 makes it amply clear that the auditor should apply other practical alternative audit procedures to assess the reasonableness at which inventories are stated (both existence and valuation). More often than not the audit opinion given is not supported by an adequately documented conclusion of the professional judgement exercised by the auditor based on the audit work carried out;
- Debtors and creditors. Too often, very little documentation is available about the substantive testing carried out particularly in relation to possible impairment of debtor balances;
- Related parties. Documentation on the work carried out to identify related parties and any related party transactions, and the propriety and validity of these transactions is particularly lacking on many of the audit files we review;
- Going concern (see Audit reports section below);
- Completeness of income and cost of sales. Many practitioners simply choose to resort to reconciliation of nominal ledger figures to VAT returns when it comes to validating sales and cost of sales and nothing more. This gives very little audit comfort, if any at all;
- Materiality thresholds. No documentation of any thresholds applied or the basis on which these have been arrived at;
- Professional scepticism. Impairment, fair values, assessed risks, sole reliance being placed on representations made by management or experts appointed by management, with little or no consideration being given to possible management bias. Very often audit files are laden with endless documents, with no documentation as to whether such valuations were challenged or financial models questioned on the propriety of the underlying assumptions.
The external auditor must document all the evidence on which he/she has based his/her opinion of the audited financial statements in an audit file. The auditor must show that he/she has conducted the statutory audit in accordance with the applicable regulations. This documentation must support the direction, planning and conduct of the audit to make it possible to assess the quality of work performed at a later stage. This documentation is at times conspicuously missing. “More documentation is not better documentation” – superfluous schedules and documents do not add value to the audit. The golden rule to audit documentation is that it shall be sufficient to enable an experienced (third) auditor to understand the audit procedures performed, the audit evidence obtained and any significant judgement applied. Where the audit entity is not a complex one, the audit documentation can be reduced but not discarded completely. This is what proportionality in the application of standards is all about. The root cause of a number of the shortcomings noted from the review of audit working papers emanate from the fact that audit programs used by smaller practices (predominantly ACCA audit programs) are excessively and inappropriately tailored. A frequently quoted and possibly unpopular dictum (possibly because of patronising connotations) is that “an audit is an audit.” Today, one refers to the “proportionality concept” in the application of clarified ISAs. In either case, it is the complexity rather than size which is the determining factor on the effort to be put in to carry out an effective and efficient audit. Not enough thinking is going into audits of SMEs particularly at the planning and completion stages of such audits and, more often than not, the audit degenerates into just a ticking and bashing exercise with an excessive and inappropriate tailoring of the ISA compliant audit programs.
The biggest risk here is that often, audit effort is put into those areas where there’s little or no exposure whilst other more pertinent inherent risks remain exposed.
The external auditor must identify and assess the risks, and establish whether or not the financial statements could contain material misstatements. The auditor is then expected to design and implement appropriate audit measures to mitigate these risks, and thereby obtain adequate and appropriate audit information with regard to these risks. We often note inconsistencies between the audit plan and field work carried out, as well as instances where no audit plans are prepared or when prepared, these fail to address the major risk areas pertaining to the entity being audited.
Very often, I attribute these pitfalls to the false sense of security some practitioners get from a friendly chat with management over a cup of coffee before the audit begins. Again this is far from being sceptical! The business environment is dynamic and changes constantly and accordingly more tenable, better documented Know Your Client (‘KYC’) procedures should be applied.
While improvements have been noted in the form of audit reports, the content of the audit report is still somewhat lacking and not always in compliance with the related ISAs. Going Concern qualification and Going Concern Emphasis of Matter paragraphs are two areas of major concern. These are particularly relevant at a time when the financial crisis gripped global economies unrelentingly.
Apart from the form and content in audit reports of this kind, the documentation of the audit work carried out to establish whether the entity being audited is in fact a Going Concern is frequently inadequate. This is somewhat surprising given that ISA 570, in my view, is one of the best written ISAs which clearly sets out the procedures to be applied when assessing Going Concern. The key issue here is that the auditor still chooses to qualify the audit report on this basis even when he himself documented that a material uncertainty was dispelled. There also appears to be some confusion between the section of ISA 570 which deals specifically on Emphasis of Matter paragraphs pertaining to Going Concern and ISA 706 which deals with other Emphasis of Matter paragraphs (other than on Going Concern).
Small practitioners are still struggling with the ISA 705 qualification – particularly in relation to qualifications relating to limitation of scope, and its materiality and pervasiveness to the financial statements. The impact of year on year qualifications of this kind on the auditor’s ability to continue the engagement, is an area which smaller practices do not quite grasp. The auditor’s inability to attend the year end stock take is one qualification which features regularly under this heading, more often than not the auditor choosing to resort to modifying the audit opinion – with no alternative audit procedures being applied, even where it is clear that these could be carried out.
To conclude, the lack of appropriate documentation of conclusions reached to support the SME audit opinion given is widespread within SME audits.
The above is only a sample of the more common pitfalls emanating from the review of SME audit files.
Whole firm issues
The other facet to a QA monitoring visit is that to assess the internal quality contol procedures adopted by audit practitioners in the exercise of their profession. In essence, I am here referring to compliance with ISQC 1 – which standard outlines the five pillars which underpin Quality Assurance. In common parlance, these, we refer to as Whole Firm issues.
ISCQ 1 procedures manual have become a mere formality. Often, practitioners fail to put into practice what they themselves set out in their own manuals. EQCRs and ACRs are areas which are generally not looked at with rigour and commitment.
Audit work subcontracted to other fellow practitioners is also an area of some concern as indeed, ethics and safeguards to independence, again need to be looked at more closely.
Maintaining Competence is one other area considered by ISQC1. It is indeed sad to note a number of audit practitioners who repetitively fall short of their CPE obligations. Without going into the reasons allegedly giving rise to poorly attended audit related CPE events, CPE still remains an integral part of any profession in today’s ever changing world.
In summary, the concerns in regard to SMPs generally, which could, in turn be representative of the poor audit working papers of some of the smaller practitioners, are as follows:-
- ISQC 1 compliance – This is generally taken lightly by the smaller set ups;
- The time and resources spent on audits by SMPs – the poor quality generally is a reflection of the lack of “quality” time spent on audits.
Difficulties being encountered by small audit practitioners
In my view, the following could be the difficulties being encountered by many SMPs which in turn could also be the root cause as to why audit quality falls short of the standards required. These are :-
- Balancing the cost of increased regulation and pressures to lower audit fees. The public at large is unaware of the added cost to audit practitioners emanating from increased regulation in the field of auditing;
- The difficulty to attract and retain experienced audit staff – thereby impacting on the quantity and quality of resources spent on audits;
- The shortage of “audit” oriented CPE events; and
- Coping with multi disciplinary services which smaller practices provide which bring with them endless deadlines, thereby alienating their attention from more pressing audit needs.
Other challenges facing SMPs today
IFAC’s SMP quick poll review for mid year 2013 lists a number of challenges which SMPs to day are facing. 25% of all respondents attribute this to keeping up with added regulation and auditing and accounting standards while 23% regard the pressure to reduce fees as the next biggest challenge. Other challenges listed in this survey include the following:
- Attracting and retaining clients (20%)
- Rising costs and competition (11%)
- Ability to adapt to changing client needs (4%)
- Keeping up with new technology (2%)
- Work – life balance (7%)
- Attracting and retaining staff (6%)
- Succession Planning (2%)
Generally speaking, I believe that auditing in Malta is of a good standard. Many of these smaller practices do have the professional competence and the integrity and the mindset needed to meet the ever increasing demands brought about by audit regulation. However there are other practitioners who need to show more rigour and commitment to QA.
Undoubtedly, the audit and the accountancy profession in Malta is one of the few professions which has moved away from self regulation and introduced independent Public Oversight and QA, in line with the the European Statutory Audit Directive way back in 2007. This, I believe, has stepped up audit quality, but clearly, there is still ample room for improvement.
This article is primarily intended to create an awareness of the existing auditing pitfalls of smaller practices along with, what I believe, could be the root cause of a number of these deficiencies. I also highlighted other difficulties being encountered by smaller practices in Malta as well as the perceived challenges facing SMPs across the Globe. This, I hope, could be the basis of further discussion by all stakeholders concerned, with a view to ensure that audit quality in Malta is maintained and that the full scope of QA is attained.
With the expectations gap on auditor reporting widening the need to have appropriate systems of internal quality controls, and adequate risk management procedures are today more pronounced than ever before. The financial and the banking crisis which reaped havoc across the Globe bear evidence to this.
The issue of micro-entities, and audit exemption is one which still needs to be addressed. The EU Single Accounting Directive is very clear on the view it has taken in regard to its “think small first” concept, with a view to reducing burderns on SMEs across Europe. The decision required here is political – but clearly consultation with all stakeholders concerned is of essence.
The views expressed in this article are purely the author’s own views and do not in any way reflect any opinion or position taken either by the Quality Assurance Oversight Committee or the Accountancy Board in Malta on any of the matter noted in this article.