The Audit Of Related Parties And The Application Of Professional Scepticism (Part 1)
The audit of related party relationships and transactions is a crucial aspect in the performance of an audit of financial statements under the International Standards on Auditing (ISAs).
Many financial reporting frameworks, including GAPSE and IFRS, include specific requirements in respect of accounting for and disclosing related party relationships, transactions and balances. The rationale for these requirements is grounded in the fact that related parties by their nature are not independent of each other and, therefore, additional disclosures and more stringent rules should apply to relationships and transactions between the entity and related parties in order to enable users of the financial statements to understand their nature and the actual or potential effects on the business.
ACCA has published Technical Factsheet 180 that deals with reporting requirements in respect of related parties. Most of the guidance in the factsheet will be relevant to entities applying GAPSE and IAS 24. The document can be accessed at http://www.accaglobal.com/content/dam/ACCA_Global/Technical/fact/technical-factsheet-180.pdf.
In many cases related party transactions are undertaken in the course of the normal business of an entity, for instance a company may perform the acquisition of certain items for all the entities in a group or, rather, members of the management of an entity may occasionally buy the same goods or services offered to the entity’s clients with the same “staff discount” applicable to other employees.
In such a case related party transactions may not pose a higher risk of material misstatement of the financial statements than similar transactions with unrelated parties.
However, in other circumstances, in view of the nature of related party relationships and transactions, they may carry a higher risk of material misstatement in respect of:
Risks from inappropriate accounting;
Risks from non-identification or non-disclosure;
Risks of fraud;
Risks about the ability of the company to continue in business as a going concern – if the entity’s interest is constantly subordinated to that of related parties.
Related party relationships and transactions may be difficult to identify and report by the entity, and subject to an increased risk of fraud, for various reasons, including:
The entity’s related parties may operate via an extensive and complex network of relationships, sometimes put in place to obfuscate control of the entity, making related party transactions difficult to unravel.
The entity’s information systems may not be effective in identifying and recording related party relationships and transactions.
Transactions with related parties may not take place on normal commercial terms, even though, prima facie, the price charged may be in line with that of similar arm’s length transactions.
Additionally, in respect of related parties, the detection risk faced by the auditor is generally greater than for other assertions in the financial statements. The inherent limitations of an audit, whereby some material misstatement may not be identified even if the audit is properly planned and performed under the ISAs, are magnified by peculiar causes such as:
Management may be unaware of the existence of some related party relationships and transactions because it may not grasp the complexity of their structure and the interaction with relevant reporting requirements.
Related party relationships may offer the opportunity for collusion, manipulation or concealment by management and, consequently, present a heightened risk of fraud.
The auditing standard that deals with the auditor’s responsibilities relating to related party relationships and transactions is ISA 550 Related parties. The standard effectively expands on how other standards, namely ISA 315 and ISA 330, which require and explain how to perform risk assessment procedures and further audit procedures to respond to assessed risks, should be applied in the context of related parties.
ISA 550 therefore requires a risk-based approach for the audit of related parties; one where the procedures performed by the auditor are aimed at identifying, assessing and responding to the risks of material misstatement connected with the entity’s failure to account for and disclose related party relationships and transactions in line with the applicable financial reporting framework.
A risk-based approach implies gaining a thorough understanding of related parties to be able to perform an effective risk assessment. For such purpose ISA 550 indicates specific audit procedures and illustrates a number of common situations to help the auditor recognize significant risks and respond appropriately.
Gaining a detailed understanding of related party relationships and transactions is also important for the auditor’s evaluation of whether fraud risk factors are present, as required by ISA 240 The auditor’s responsibilities relating to fraud in an audit of financial statements, since, as mentioned, related party relationships carry a higher risk of fraud.
When auditing related parties, the objectives for the auditor are those of:
recognising fraud risk factors that may lead to material misstatement of the accounts due to fraud, and
to conclude whether, on the basis of the evidence obtained, the financial statements achieve fair presentation, as far as related parties are concerned, and the related party requirements in the applicable financial reporting framework have been met.
ISA 550 stresses the importance of planning and performing the audit with professional skepticism, particularly in the context of related parties, given the inherent potential for unidentified and undisclosed related party relationships and transactions.
Professional skepticism is an attitude, or a mindset, of the auditor that drives him to adopt a questioning approach when considering information or forming conclusions; therefore enhancing the auditor’s ability to identify and respond to conditions that may indicate possible misstatement due to error or fraud.
Professional skepticism also includes being alert to audit evidence that contradicts other audit evidence obtained or information that brings into question the reliability of documents or of responses to inquiries obtained from management or directors. It also involves being alert to conditions that may indicate possible fraud.
Another essential aspect of professional skepticism is a critical assessment of audit evidence, which comprises both information that supports and corroborates management’s assertions and any information that contradicts them. A critical assessment of audit evidence implies questioning and considering whether the evidence is sufficient and appropriate in light of the circumstances. For instance a material amount in the financial statements may be supported by a single document, susceptible to fraud, in a context where fraud risk factors exist. In such a case the auditor should question the reliability of the information, further investigate and determine what modifications or additions to the audit procedures are necessary to resolve the matter.
While the auditor should not disregard past experience with management and directors of an entity, believing that they are honest and have integrity does not relieve the auditor from maintaining professional skepticism or accepting audit evidence that is not persuasive.
The application of professional skepticism in the audit of related party relationships and transactions is particularly relevant in a number of circumstances, such as:
while remaining alert during the audit for information that may indicate previously unidentified or undisclosed related parties or transactions;
in respect of identified significant related party transactions outside the normal course of the entity’s business, when evaluating whether the business rationale, or lack of it, of the transactions suggests that they may have been used to misappropriate assets or for fraudulent financial reporting;
when assessing significant risks of material misstatement due to fraud as a result of the presence on a related party with dominant influence.
In view of the susceptibility of related party relationships and transactions to fraud, the exercise of professional skepticism is also especially relevant in dealing with the risks of management manipulation or override of controls. In that respect ISA 240 notes that the risk of not detecting a material misstatement resulting from management fraud is greater than for employee fraud, as management is frequently in a position to directly or indirectly manipulate accounting records, present fraudulent financial information or override controls designed to prevent similar frauds by other employees.
In the audit of related parties professional skepticism should therefore be incorporated, as an auditor’s attitude, in the performance of all the procedures outlined below.
The performance of audit procedures in respect of related parties, the audit evidence obtained from them and the conclusions drawn by the auditor will have to be duly documented in the audit file, as that will be significant in understanding how the engagement was planned and performed and in supporting the auditor’s opinion.
Risk assessment – Understanding the entity’s Related parties
Obtaining a detailed understanding of related parties is essential to adopt a risk-based approach to the audit of related party relationships and transactions and needs to involve the following procedures:
Discussion among the engagement team of related parties’ issues;
Inquiry of management about the identity of related parties, the nature of relationships and the type and purpose of related party transactions;
Inquiry of management and others within the entity to understand the entity’s controls on related party relationships and transactions.
Engagement Team Discussion
The discussion among the engagement team, which needs to be undertaken at the planning stage of the audit and suitably documented, needs to expressly consider whether the financial statements may be materially misstated because of fraud or error resulting from related party relationships or transactions.
In particular the issues that could be addressed at the meeting may include a review of the entity’s relationships and transactions with related parties, possibly starting from the auditor’s register of related parties that were identified in previous audits, as well as discussing the importance to management and directors of the requirements to identify and disclose related parties.
The existence of complex relationships and structures, including the use of special purpose entities, which may indicate related parties not identified or disclosed by management should be also discussed.
In respect of the possibility of material misstatement due to fraud the engagement team should specifically consider whether related parties may be involved in fraud. For instance if there are transactions between the entity and somebody that can be associated with a member of management, like a known business partner or an entity controlled by a known friend or, rather, by a non-close relative of the member of management, the team should discuss how such transactions may be based on collusion to facilitate the misappropriation of the entity’s assets.
Identification of Related Parties
In order to identify related parties, including changes from the prior period, and to understand the nature of their relationship with the entity, as well as to establish whether transactions have been entered with these related parties during the audited period and, if so, the type and purpose of the transactions, ISA 550 requires the auditor to inquire management.
The reason for this approach is that management is normally in the best position to identify related party relationships and transactions than any other subject, notwithstanding the risk of manipulation and concealment posed by management override of controls. In particular management is likely to be aware of the relationships that have economic significance to the entity and that are more likely to carry a risk of material misstatement.
In case of recurring audits of the same entity, management inquires provide a basis for testing the consistency of the information provided by management for the current year with the auditor’s record of related parties noted in previous audits. The identity of related parties and the nature of their relationship with the entity is, in fact, normally documented in the permanent section of the audit file and updated for each year.
Related Parties Controls
The inquiry of management and others within the entity who are likely to have knowledge of the entity’s related party relationships and transactions is also essential in obtaining an understanding of the controls, or rather lack of them, that the entity has in place in respect of related parties for the purpose of:
Identifying and disclosing parties and transactions under accounting requirements;
Authorising and approving significant transactions and arrangements with related parties and
Authorising significant transactions outside the entity’s normal course of business.
Apart from management, those that may know about the entity’s related parties and controls on them may include internal auditors, in-house legal counsel or employees with the authority to initiate, process or record significant transactions outside the normal course of business.
As part of gaining an understanding the overall control environment of the entity it is important for the auditor to take into account whether features of such environment may mitigate the risk of related parties’ material misstatement.
For instance that would the case if the entity had policies in place for the timely disclosure of interests that management and directors have in related party transactions. Likewise a positive aspect of the ‘tone at the top’ would be the fact that management has taken proactive action to resolve related party disclosure issues by seeking advice from the auditor or external lawyers.
However in some cases the auditor may gather that related parties’ controls are deficient or non-existent for an entity. That may happen for a number of reasons, such as that the management does not grasp the related party requirements under the applicable financial reporting framework, or rather that it attaches low importance to such requirements. More concerning is the possibility that controls may not be implemented or operated intentionally because, for example, related party disclosures may reveal information, like transactions with family members of management, that management may not want to divulge.
If the auditor encounters deficient or non-existent controls, it may not be possible to obtain sufficient appropriate audit evidence about related party relationships and transactions and the auditor should consider the implication for the auditor’s report, including qualification.
When assessing an entity’s control on related parties, the auditor should also be alert to the possibility of management override of controls that may otherwise appear to be designed and operating effectively.
The risk of fraud arising from management override of controls is difficult to assess given the higher potential of collusion with other parties, manipulation and concealment that is available to management. However if it is ascertained that the entity does business with other entity controlled by management, or a member of it, the risk would be greater as, for instance, management may be incentivized to conclude transactions for the benefit of the other parties. That may be achieved by creating fictitious terms of transactions with related parties in order to misrepresent their business rationale.
When auditing a smaller entity the auditor may find that there are less formal controls or no documented processes to identify related parties and authorise transactions with them. Sometimes the direct involvement of an owner-manager may reduce the risks in respect of related party transactions or may instead increase them, given the greater potential for override of any controls. For the auditor of a smaller entity, inquiry of management would not be enough to obtain an understanding of related parties and any related controls and further procedures should be performed, for example inspection of relevant documentation for related party transactions and observation of how management supervises or unduly influences the work of the entity’s personnel.
Reviewing Records and Documents for Unidentified or Undisclosed Related Parties or Transactions
Searching for related party relationships or transactions that management has not identified or disclosed to the auditor is likely to be an onerous task, especially as management may be unaware or may be trying to conceal them. ISA 550 takes a robust but practical approach to the problem by mandating the inspection of limited types of documents, such as:
Bank and legal confirmations obtained as part of the audit procedures, and
Minutes of shareholders’ and board of directors’ meetings.
However the standard requires the exercise of the auditor’s professional judgement to consider which other records or documents should be inspected by taking into account the specific circumstances of the entity.
There is a vast array of records and documents potentially capable of providing information about related parties that the auditor may consider inspecting. Some of them include:
other third party confirmations obtained by the auditor;
returns made by the entity to regulatory authorities;
shareholder registers to identify significant shareholders;
records of the entity’s investments;
contracts and agreements with key management and directors;
contracts and agreements with other entities that have directors in common;
significant contracts and agreements outside the entity’s normal course of business;
specific invoices and correspondence from the entity’s professional advisers (perhaps in respect of the sale of the entity’s assets).
The auditor may encounter certain arrangements that, by virtue of their peculiarity, may indicate the existence of unidentified or undisclosed related party relationships or transactions. That could be the case for instance for:
agreements for the provision of services to certain parties under terms and conditions that are outside the entity’s normal course of business;
relationships of guarantees and guarantor.
It is important for the auditor to remain alert throughout the performance of the engagement for information that may indicate the existence of unidentified or undisclosed related parties.
Significant transactions outside normal business
Consideration of significant transactions outside the entity’s normal course of business is very important in the audit of related parties as it is a means to help identifying undisclosed related party relationship and transactions and fraud risk factors.
ISA 550 does not specifically require the auditor to search for these transactions but rather to understand which controls are in place to authorise and approve them.
If the auditor identifies significant transactions outside the entity’s normal business, when inspecting records or documents or when performing other audit procedures, it will be necessary to make specific inquiries of management about:
The nature of these transactions, i.e. understand their business rationale and the terms and conditions involved;
Whether related parties may be involved.
Examples of significant transactions outside normal business that may require inquiry of management may include:
Complex equity transactions like corporate restructuring or acquisitions;
Transactions with offshore entities in jurisdictions with weak corporate law;
Sales transactions with large discounts or returns;
Transactions with circular arrangements, like sale and repurchase agreements.
By obtaining further information on significant transactions outside normal business, the auditor would be able to evaluate whether fraud risk factors are present. For instance a related party may be involved in such a transaction not only directly, by being party to it, but also indirectly, by influencing the transaction via the use of an intermediary. Such influence may be an indication of the existence of a fraud risk factor.
Significant Related Party Transactions outside normal business
Apart from gaining an understanding of related parties, the auditor is required, by ISA 315, to identify and assess the risks of material misstatement associated with related party relationships and transactions and to determine which of those risks are significant.
The auditor is also required, by ISA 330, to design and perform further audit procedures in response to the assessed risks of material misstatement involving related parties.
When significant related party transactions outside the normal course of the entity’s business are identified, they should be treated as significant risks. That implies that the auditor will need to perform substantive procedures that are specifically responsive to those risks.
The substantive procedures that have to be performed to obtain sufficient appropriate evidence about related party transactions outside normal business include:
Inspecting underlying contracts or agreements, if any;
Evaluating the business rationale, or rather lack of it, of the transactions to see whether they may have been initiated to engage in fraudulent financial reporting or to conceal misappropriation of assets;
Considering whether the terms of the transactions are consistent with management’s explanations;
Verifying if the transactions have been appropriately accounted for and disclosed in accordance with the applicable financial reporting requirements; and
Obtaining evidence that the transactions have been appropriately authorised and approved.
When evaluating if the business rationale of a related party transaction outside the entity’s normal business suggests the possibility of fraud, the auditor may consider a number of aspects such as:
Whether the transaction is excessively complex;
If it lacks an apparent logical business reason;
If it carries unusual terms of trade, like unusual prices, interest rates, repayment terms or guarantees;
Whether it involves related parties that were not previously identified by management.
Whether management is placing more emphasis on a particular accounting treatment rather than giving regard to the underlying economics of the transaction.
If the management’s explanations of the transaction is inconsistent with the its actual terms, the auditor should consider the reliability of other management’s explanations and representations on other significant matters.
When it is possible to establish that significant related party transactions outside the entity’s normal business have been authorised and approved by management, directors, or shareholders in certain circumstances, the auditor may infer that these have been properly considered at the appropriate level within the entity and the approval may also provide audit evidence that they have been properly disclosed in the financial statements. On the other hand when such transactions are not subject to authorisation and approval and in the absence of rational explanations, they may represent a risk of material misstatement due to error or fraud. In any case, if the entity is subject to dominant influence by a related party or in view of the possibility of collusion between related parties, authorisation and approval may not be effective and may not provide sufficient evidence to exclude the risk of misstatement due to fraud.
When auditing a smaller entity the auditor may rely less on authorisation and approval to obtain audit evidence in respect of significant related party transactions outside the entity’s normal business. In fact a smaller entity is unlikely to have the type of controls available in a larger entity with different levels of authority and approval. In such circumstances the auditor may perform other procedures like inspecting relevant documentation, confirming aspects of the transactions with relevant parties or observing the involvement of the owner-manager with the transactions.