COMMON DEFICIENCIES FOUND AT AUDIT MONITORING VISITS
AGENDA Common deficiencies in compliance with auditing standards Independence issues Communication with those charged with governance Identification requirements per the AML Directive
COMMON DEFICIENCIES IN COMPLIANCE WITH AUDIT STANDARDS PLANNING . Inadequate planning or planning activities carried out but not effectively applied. Documenting the understanding of business No risk assessment - Identifying risks from: - understanding of the business - compliance with laws and regulations - consideration of fraud and error - preliminary analytical review Key audit areas based on risk assessment / audit approach Overall and/or performance materiality not calculated
COMMON DEFICIENCIES IN COMPLIANCE WITH AUDIT STANDARDS Design of audit procedures - audit programme not used or suitably tailored DOCUMENTATION . We only recognize work recorded on file No audit work recorded Basis of sample size and selection not recorded Insufficient record of nature and extent of audit work – source of audit evidence and samples tested not recorded No summary and evaluation of the results of audit tests to support the conclusion
COMMON DEFICIENCIES IN COMPLIANCE WITH AUDIT STANDARDS CONTROL AND REVIEW . None or inadequate evidence of engagement partner supervision and review Principal not ensuring that sufficient appropriate audit evidence is obtained to support the conclusions reached. No or not adequate second partner review
COMMON DEFICIENCIES IN COMPLIANCE WITH AUDIT STANDARDS DEFICIENCIES IN AUDIT EVIDENCE . Existence of plant and equipment not verified Ownership of property and motor vehicles not verified (especially those brought forward from prior years) Valuation of property not assessed Ownership and valuation of investments, including group companies. Inventory -Physical count not attended -No tests on cost and net realisable value -No consideration of stock obsolescence
COMMON DEFICIENCIES IN COMPLIANCE WITH AUDIT STANDARDS Deficiencies in audit evidence (continued) Recoverability of receivables not tested No bank letter Completeness of payables not tested Validity of related party balances not tested. Recoverability of debit balances of related parties (including directors and shareholders) not tested Completeness of income for understatement not tested Validity of expenses, including payroll Where firm does relevant work by checking after date payments either in bank section or in subsequent events testing, work not properly referenced to ensure that completeness of payables is also addressed
COMMON DEFICIENCIES IN COMPLIANCE WITH AUDIT STANDARDS Deficiencies in audit evidence (continued) No analytical review on completion No subsequent events review or no documented extent of review No going concern review no documented extent of review No review of financial statements for adequate disclosures No management representation letter No evidence of communication with client (either pre-audit communication – ISA 260 or communication of deficiencies – ISA 265)
COMMON DEFICIENCIES IN COMPLIANCE WITH AUDIT STANDARDS GOING CONCERN REVIEW . Firm needs to document its assessment of the going concern assumption If it disagrees, then it must issue a qualified audit opinion/ consider disclaimer depending on circumstances If it agrees but there are uncertainties, firm needs to consider the adequacy of audit evidence obtained to support the assessment and ensure that the uncertainties are properly disclosed in the financial statements in the notes.
INDEPENDENCE ISSUES IFAC Code of Ethics for Professional Accountants (IFAC Code of Ethics) (2014) and the breach of Law 42(I)/2009.
Provision of Non-assurance Services to Audit Clients. Self Review (paragraph290.154 of the IFAC Code of Ethics) For example from bookkeeping and VAT services to audit clients (paragraph 290.165) Client money. Separate bank account not used (paragraphs 270.1 and 270.2 of the IFAC Code of Ethics)
Long Association of Senior Personnel. Familiarity and self-interest threats are created by using the same senior personnel on an audit engagement over a long period of time. (Paragraphs 290.148 -290.153 of IFAC Code of Ethics) Key audit partner
Undue dependence. On fees from one client or group of clients On clients referred to the firm from one source. (Paragraph 290. 217 of IFAC Code of Ethics)
Serving as director or officer in the audit client. (Paragraphs 290.127 – 290.131 and paragraphs 290.146 to 290.148 of the IFAC Code) The principal and/or employees of the firm Immediate family members Close family members Other relationships Paragraph 43 (3) of Law 42(I)/2009
Network firms.
Network firms. Paragraph 290.3 of the IFAC Code of Ethics states the term “Firm” in section 290 includes network firm, except where otherwise stated. Paragraph 28 (2) of Law 42(I)/2009 states that a statutory auditor or a statutory audit firm shall not carry out a statutory audit if there is any direct or indirect financial or business or employment or other relationship between the statutory auditor, the statutory audit firm or network and the audited entity.
Network firms. (Paragraphs 290.14 – 290.24 of IFAC Code of Ethics) Although two entities are legally separate entities, there may be facts and circumstances that would suggest that they are associated in such a way that a network exists.
Network firms. The judgment as to whether the larger structure is a network shall be made in light of whether a reasonable and informed third party would be likely to conclude, weighing all the specific facts and circumstances, that the entities are associated in such a way that a network exists.
Network firms. Main weakness /characteristics identified: Common ownership (or immediate and close family relationships) Ownerships hidden behind friends or employees The fiduciary services company does not service other audit firms (or very few other audit firms) as a result appears as an extension of the audit firm or as a separate department of the audit firm. The firm’s website promotes the services of the separate entity as their own or as offered through associates or collaborators. Presentations and promotional material carried out jointly offering the client the impression of one entity and a one stop shop. …
Network firms. Main weakness /characteristics identified : Invoices for services are issued by one of the two. Invoices show the same contact details for both entities. Joint statement of account to clients showing the transactions and balances relating to both entities. A current account is maintained between the two entities and a number of financial transfers are made between them for financial support. The practitioner acts a signatory on bank accounts, and/or has viewing rights on bank accounts …
Network firms. Main weakness /characteristics identified : The firm relies on the due diligence work performed by the fiduciary services company without due diligence work of its own. The fiduciary services company communicates with clients on audit matters on behalf of the firm which may create the impression that they are one firm. Both entities share the same data and file server or other resources.
COMMUNICATION
COMMUNICATION WITH THOSE CHARGED WITH GOVERNANCE ISA 260, Communication with Those Charged with Governance ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management
Communication with those charged with governance. ISA 260, Communication with Those Charged with Governance Those charged with governance can be defined as the persons with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity Management are defined as the persons with executive responsibility for the conduct of the entity’s operations.
Communication with those charged with governance. ISA 260, Communication with Those Charged with Governance Communicate : responsibilities as auditors in relation to the financial statements, overview of the planned scope and timing of the audit, significant findings from the audit, for instance the auditor’s views about significant qualitative aspects of the entity’s accounting practices matters of auditor independence.
Communication with those charged with governance. ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management Communicate the significant deficiencies in the entity’s internal control found during the course of its audit
Communication with those charged with governance. Means of communication The auditor should communicate the form, timing and expected general content of communications with those charged with governance Communications should be given on a timely basis
Communication with those charged with governance. Means of communication (cont’d) Communication may involve many methods such as presentations, discussions and written reports The typical form on communication in relation to weaknesses is the management letter The management letter or any other form of communication is not a substitute for modifying the audit report if the circumstances demand it
Control of audits & access to clients. Audit clients that were international business companies Issues: direct contact with the beneficial owners. The information and explanations provided by the firms of legal advisors (or any other service provider) which refers the clients to the firm.
Control of audits & access to clients. Issues: No written correspondence between the audit principals and the beneficial owners of the audit clients who manage the businesses of these companies in accordance with ISA 260.
Control of audits & access to clients. Issues: No direct communication on : understanding the business and associated risks, planning and evidential matters including on representations, analytical review, going concern and subsequent events. In addition the firm does not obtain formal approval of the financial statements from the beneficial owners.
Control of audits & access to clients. As a result the firm was not in a position to properly control the audits of these companies, in serious breach of the ISAs.
IDENTIFICATION REQUIREMENTS PER THE AML DIRECTIVE The primary purpose of an audit monitoring visit is to monitor a firm’s compliance with International Standard on Quality Control 1 (ISQC 1) and International Standards on Auditing (ISAs) in the conduct of audit work. Currently the visit also includes checking the firm’s awareness of the regulations on money laundering (ML).
Directive to the Members. The Directive is issued by the ICPAC to its members. The Directive deals with the statutory and professional requirements in relation to the avoidance, recognition and reporting of money laundering and combating the financing of terrorism.
Identification and client due diligence procedures. The auditor, external accountant, tax advisor or trust and company service provider will need to obtain a good working knowledge of a client’s business and financial background as well as information on the purpose and intended nature of the business relationship in order to provide an effective service. (5.02)
Identification and client due diligence procedures. The identification and verification of identity of clients are requirements which must be completed regardless of the risk-based approach. The extent of client due diligence will depend on the client’s risk assessment. (4.24)
Identification and client due diligence procedures. Identification and client due diligence measure in the following cases: When they establish a business relationship For transactions amounting to Euro 15k or more Where there is a suspicion of money laundering Where there is doubt about the validity of documents collected in the past. ( 5.16)
Identification and client due diligence procedures. An on-going client due diligence on the client business should be done, including scrutiny of transactions undertaken throughout the course of the relationship to ensure that the transactions being conducted are consistent with the firm’s knowledge of the client, their business and risk profile, and where necessary the source of funds. Records must be reviewed and updated. ( 5.09)
Identification and client due diligence procedures. Reliance on third parties Reliance for client identification and due diligence purposes may only be placed on a credit institution, a financial institution, an auditor…… from a country which is a member of the European Economic Area or a third country that the Advisory Authority has determined to be applying procedures and measures for the prevention of money laundering and terrorist financing equivalent to the EU Directive. The firm must verify that the third party is subject to professional registration …….. as well as supervision … (5.28)
Identification and client due diligence procedures. The firm should obtain immediately from the third party all relevant information and documentation in order that they may satisfy themselves that the information is sufficient. A third party consenting to be relied upon must…. Make available to the person relying on it as soon as its reasonably practicable: Any information obtained from the client Copies of any identification and verification date and other documents on the identity of the client. (5.29)
Identification and client due diligence procedures. Before accepting the client identification data verified by the third party the firm should: Assess and evaluate the systems and procedures applied by the third party for the prevention of money laundering and terrorist financing Satisfy itself…. That the third party implements client identification and due diligence systems and procedures in ling with the Directive Maintain a separate file for every such third party where it stores the assessment report regarding point (a) and other relevant information Take steps to ensure that the third party will provide the required information The commencement of the cooperation …… is subject to approval by the Compliance officer. (5.30)
Identification and client due diligence procedures. The firm may rely on third parties only at the outset (5.31)
Identification and client due diligence procedures. For the occasions where the client is introduced by one of the firm’s overseas branch offices or associated firms, the firm could obtain the introducer’s written confirmation that it has verified the client’s identity and that relevant information data is retained by the overseas office branch or firm, provided that the group applies common client due diligence and record-keeping procedures and measures against money laundering and terrorist financing and the effective application of such measures as and procedures is supervised at group level by a competent authority. (5.32)
THANK YOU