This document was prepared by: Centre for Financial Reporting Reform (CFRR) Governance Global Practice, The World Bank Praterstrasse 31 1020 Vienna, Austria Web: www.worldbank.org/cfrr Email: cfrr@worldbank.org Phone: +43-1-217-0700 © 2017 International Bank for Reconstruction and Development / The World Bank 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Rights and Permissions The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org. Audit Training of Trainers Contents Acknowledgments...................................................................................................................... 2 Introduction ............................................................................................................................... 3 About Volume II – Documentation Templates and Examples ........................................... 4 Other education and teaching resources ........................................................................... 4 Templates and Examples ........................................................................................................... 6 1. Example: Engagement Letter ...................................................................................... 6 2. Template: Client/Engagement Acceptance Form ....................................................... 8 3. Template: Understand the Entity and its Environment ............................................ 17 4. Template: Entity Level Control Form ........................................................................ 21 5. Template: Fraud Considerations ............................................................................... 31 6. Template: Audit Planning Memorandum ................................................................. 34 7. Example: Internal Control Review Template ............................................................ 39 8. Example: Walkthrough .............................................................................................. 42 9. Example: Sampling .................................................................................................... 45 10. Template: Test of Controls ........................................................................................ 47 11. Template: Substantive Audit Programs .................................................................... 48 12. Template: Estimates Audit Program ......................................................................... 49 13. Template: Audit Conclusion Memorandum.............................................................. 50 1 Audit Training of Trainers Acknowledgments The audit client simulation PejaSko Cheese Ltd. was developed by a team of World Bank Centre for Financial Reporting Reform (CFRR) experts led by Kalina Shukarova Savovska, Senior Financial Management Specialist, and including Piotr Pyziak, Extended Term Consultant and with the editorial assistance of Denise Brettschneider and Ecaterina Gusarova. Members of the regional Audit Training of Trainers (Audit ToT) Community of Practice provided a platform for the exchange of ideas and information through several workshops and discussions. The team is very grateful to the following institutions, trainers and Professional Accountancy Organizations (PAOs) who participated in the Audit ToT Community of Practice and for the input they provided (listed below in order of country): • Institute of Authorized Charted Auditors of Albania (IEKA) • Association of Accountants and Auditors of Republika Srpska (AAARS) • Union of Accountants, Auditors and Financial Workers of Federation of Bosnia and Herzegovina (SRRF-FBH) • Auditors Chamber in the Federation of Bosnia and Herzegovina • Institute of Certified Public Accountants of Bulgaria • Croatian Audit Chamber • Estonian Auditors’ Association • Society of Certified Accountants and Auditors of Kosovo (SCAAK) • Institute of Certified Auditors of the Republic of Macedonia (ICARM) • Council for Advancement and Oversight of the Audit (CAOA) • Institute of Certified Accountants of Montenegro (ICAM) • Philippines Board of Accountancy • Chamber of Financial Auditors of Romania (CAFR) • Chamber of Authorized Auditors of Serbia (CAA) • Serbian Association of Accountants and Auditors (SAAA) 2 Audit Training of Trainers Introduction The PejaScko Cheese Case Study was developed to facilitate the Audit Training of Trainers (Audit ToT) workshops under the EU REPARIS 1 Program and simulates a small audit client. The Audit ToT workshops focus on Small and Medium Practices (SMP) and aim to develop the capacity of the audit profession to deliver targeted high-quality training to SMPs and provide continuing professional development (CPD) programs based on International Standards on Auditing (ISA). The workshops also develop practical tools and solutions to help SMPs implement ISAs, and maintain quality audit documentation from the quality assurance perspective at the firm and engagement levels. Please visit the program’s homepage for more details: http://go.worldbank.org/D6CT7QUHM0 The workshops topics covered are logically sequenced in the context of the audit cycle, as shown in the graph. The approach and format of the workshops is designed to be highly interactive and enable shared learning and peer exchange among countries in the region and members of the Community of Practice. 1 Road to Europe: Program of Accounting Reform and Institutional Strengthening. 3 Audit Training of Trainers This Case Study is a core teaching resource during the Audit ToT workshops and its aim is to provide an opportunity to bridge the gap between theory and the practical application of ISA by simulating a small audit client scenario. Audit documentation templates and examples form part of the case study and allow the audience to go through a real-life business situation, and tackle and solve some real life problems. The Case Study is structured into three volumes that should be used simultaneously: • Volume I – Audit Simulation This volume represents a summary of the PejaSko Cheese scenario providing the background information about the audit case and also including references to the assignments that participants are expected to work through during the training sessions. • Volume II – Documentation Templates and Examples Volume II is a collection of documentation templates that should be used by participants when completing the assignments of the audit simulation. This section also includes a few examples aiming to assist participants to work through the Case Study. • Volume III – Trainers Guide The proposed solutions and examples outlined in Volume III - Trainers guide, have been complied based on the discussions and exchange of opinions among the members of the Audit ToT Community of Practice. Any audit engagement is however unique and subject to the exercise of professional judgment on behalf of the auditor. The proposed approach and examples shown on this client are therefore just one way to approach challenges related to performing an effective small audit. About Volume II – Documentation Templates and Examples Volume II – Documentation Templates and Examples should be referred to and used while addressing the Assignments required in Volume I – Audit Simulation. Participants working groups should use the templates provided to document their proposed answers. Other education and teaching resources In addition to the three volume PejaSko Cheese Ltd. Case Study, the Audit Training of Trainers program offers other available teaching resources and exercises that supplement the modules / workshops and in some instances, build further on the PejaSko Cheese Ltd. Scenario. These can be found at the Audit Training of Trainers web site: http://go.worldbank.org/D6CT7QUHM0, and include: • The Ethical Dilemmas Board Game • Group Challenge: Most Inspiring Audit Trainer • Role Play Exercise: Developing Effective Interview Skills 4 Audit Training of Trainers • Simulated Client Meeting: Developing Client Relationship Skills • Group Exercise: Going Concern Judgements • Group Challenge: The PejaSko Quiz 5 Audit Training of Trainers Templates and Examples 1. Example: Engagement Letter To: Mr. Svetozar Brankomat Chairman of the Board and Founder PejasSko Cheese Ltd. Western Balkans Dear Mr. Brankomat, You have requested that we audit the financial statements of PejasSko Cheese Ltd., which comprise the following: the balance sheet as at December 31; the income statement; the statement of changes in equity; the cash flow statement for the year then ended; and a summary of significant accounting policies and other explanatory information. We are pleased to confirm our acceptance and our understanding of this audit engagement by means of this letter. Our audit will be conducted with the objective of our expressing an opinion on the financial statements. We will conduct our audit in accordance with International Standards on Auditing (ISAs). Those standards require that we comply with ethical requirements and plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement. An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor’s judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. An audit also includes evaluating the appropriateness of accounting policies used and the reasonableness of accounting estimates made by management, as well as evaluating the overall presentation of the financial statements. Because of the inherent limitations of an audit, together with the inherent limitations of internal control, there is an unavoidable risk that some material misstatements may not be detected, even though the audit is properly planned and performed in accordance with ISAs. In making our risk assessments, we consider internal control relevant to the entity’s preparation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. However, we will communicate to you in writing concerning any significant deficiencies in internal control relevant to the audit of the financial statements that we have identified during the audit. 6 Audit Training of Trainers Our audit will be conducted on the basis that management acknowledge and understand that they have responsibility: a) For the preparation and fair presentation of the financial statements in accordance with International Financial Reporting Standards (i.e. the IFRS for SME); b) For such internal control as management determines is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error; and c) To provide us with: • Access to all information of which management is aware that is relevant to the preparation of the financial statements such as records, documentation and other matters; • Additional information that we may request from management for the purpose of the audit; and • Unrestricted access to persons within the entity from whom we determine it necessary to obtain audit evidence. As part of our audit process, we will request from management written confirmation concerning representations made to us in connection with the audit. Our fees for the above-mentioned work, based on the expected time and level of staff that will be involved on the assignments, will be € 4,000. Our fees will be payable within seven days from receipt of our invoices. Our final report will not be issued if our fee invoices have not been paid. If additional work is required, we will discuss with you the basis for undertaking this work and the fees associated before we undertake such work. No additional amounts will be billed unless previously discussed with you. The form and content of our report may need to be amended in the light of our audit findings. We look forward to full cooperation from your staff during our audit. Please sign and return the attached copy of this letter to indicate your acknowledgement of, and agreement with, the arrangements for our audit of the financial statements including our respective responsibilities. Acknowledged and agreed on behalf of PejasSko Cheese Ltd. by Mr. Dejan Vuk, Certified Public Accountant Best Audit Ltd. Mr. Svetozar Brankomat April Chairman of the Board and Founder April 7 Audit Training of Trainers 2. Template: Client/Engagement Acceptance Form 1. General Information Client’s Legal Name: Address: Phone: Fax: Email: Website: 2. Management 2.a List the principal members of management Name Title 1. 2. 3. 4. 2.b Discuss any factors that should be known about key client management (e.g. experience, age, health, ease of replacement, etc.): 3. Industry 3.a In what industries does the company operate? 8 Audit Training of Trainers 3.b Describe the company’s key products or services, and how the products or services are used: 3.c Describe any special regulatory or reporting requirements that apply to companies in the industry: 4. Financial Information 4.a Provide historical financial information sources from the latest financial statements of the company: As of 31 December _______ Euro ‘000 Current assets Fixed assets Current liabilities Debt Retained Earnings/(Accumulated Deficit) Revenue Operating income/(loss) Income/(Loss) before taxes 4.b Describe any identified risks related to the nature of the company’s major assets and liabilities or the company’s revenues and marketing methods: 9 Audit Training of Trainers 4.c Does the Company face liquidity issues (e.g. going concern opinion, loan defaults, etc.): 5. Other considerations 5.a Is the potential client a listed company (if yes – refer to separate form tailored for listed entities)? Yes No 5.b Does the company expect to become public within two years? Yes No 6. Preliminary Risk Assessment Consider whether information you have gathered about the company, its operations, and its industry indicates incentives or pressures or opportunities for management to intentionally misstate the financial statements. Describe below if any. 6.a Risk Factor Yes No N/A Comment Has the potential client ever been audited? Is the size of the accounting department considered reasonable in relation to the size and the nature of the potential client’s operations? Describe the nature of related party transactions, if any. Briefly describe the intended use of the audited or other financial statements (e.g. sale of company, IPO, creditor requirements, pending public shell reverse merger, etc.). 10 Audit Training of Trainers Yes No N/A Comment Briefly describe the organizational structure of the potential client and its accounting department. For prior periods, were the audit opinions other than “unqualified”? Describe in detail if the answer is “Yes”. Were there any disagreements or other matters reported regarding the change in auditors? Has the client restated the results of its operations within the last three years? If so, state the nature and amount of each restatement. Has the client had any material weaknesses, reportable conditions or significant un remediated internal control deficiencies within the last three years? Does the client have an Audit Committee or equivalent? Does the client have an effective internal audit function? Does the client use service organizations? If so, state the nature and type of services. Attempts by the entity to reduce the audit scope (directly or by unreasonable fee constraints) or to impose unreasonable deadlines? Significant changes in directors, legal counsel, or status of litigation? Unexpected reorganization or replacement of management or high turnover among key executives or unnecessarily complex management structure? Pressure on new management to achieve results? Unfavorable economic conditions within the industry or the geographic area in which the entity or its customers operate. 11 Audit Training of Trainers Yes No N/A Comment Significant operations in countries where business practices are questionable. Major changes in the entity’s business or operations. Involvement of other or joint auditor 6.b Management Integrity Yes No N/A Comment Are there any concerns about management’s integrity based on contacts or discussions with others? Are there any concerns about management’s integrity or competence (e.g. high turnover, lack of industry expertize)? Unfavorable relationships with outside parties or employees? Domineering CEO? Unusually high lifestyle enjoyed by executives? 6.c Independence Yes No N/A Comment What services does the company desire from our firm? • Audit of financial statements? • Audit of internal control? • Preparation of tax returns? • Due diligence? • Agreed upon procedures? • Other? Do the fees for this client, and its related group, represent a significant portion (≥15%) of the firm’s total revenue? Explain a “Yes” answer. Are there any relationships with the prospective client or conflicts of interests that might impair independence? Explain “Yes” answers. 12 Audit Training of Trainers Yes No N/A Comment •Employment relationships? •Business relationships? •Contingent fee or commission arrangements? • Litigation? • Other? (Specify.) Have any prohibited non-audit services been performed for this client? Explain a “Yes” answer. 6.d Financial Condition: Yes No N/A Comment Inadequate capital base for the scope of operations Insufficient working capital and/or reduced ability to acquire credit. High debt or heavily leveraged condition History of operating losses Significant deterioration in earnings — both historical and projected. Debt agreements that contain material adverse change or subjective acceleration clauses Poor quality of earnings or history of earnings volatility Rapid growth/acquisitions 6.e Related Party Transactions Yes No N/A Comment Transactions with related parties, including entities affiliated with members of the Board of Directors that have a significant effect on operations or financial position. Dependence on related parties for financing. Year-end or quarter-end transactions with related entities that sustain operating trends. Other auditors involved in related entities, or some related entities unaudited. 13 Audit Training of Trainers 7. Engagement Economics and Related Considerations 7.a Document your consideration of whether the engagement meets the firm’s standards from an economic standpoint. Document the following: Proposed budget (Euro ‘000) Proposed fees (Euro ‘000) Total engagement hours (number) Partner time (%) Expected realization (%) 7.b Do we have the appropriate expertise and staff to perform the required work within the expected deadlines? Yes No 7.c Will an outside expert be required? Yes No 7.d Is the timing of the audit fieldwork flexible to any significant degree (i.e., by several weeks) to allow for the work to be performed outside of our busiest periods? Yes No 8. Predecessor Auditor Communication 8.a Provide information regarding predecessor auditor Audit Company Length of Relationship Audit Partner Contact Information 8.b Document the results of communications with the predecessor auditor Yes No N/A Comment Has the predecessor auditor had disputes with the client about accounting principles, proposed adjustments, or other significant matters? 14 Audit Training of Trainers Yes No N/A Comment Has the predecessor auditor been prevented from applying necessary auditing procedures? Does the predecessor auditor have reason to doubt management’s integrity? Have other auditors refused to serve this client? Are there unpaid fees owed to the predecessor auditor for services rendered? Are there any fee disputes with the predecessor auditor? Has management been domineering in dealing with the predecessor auditor? Has management placed unreasonable demands (such as unrealistic time constraints concerning the audit) on the predecessor auditor? Has the predecessor auditor had any communications with the client concerning fraud, illegal acts, or internal control related matters? Document the identified reasons for a change in auditor and any additional comments based on inquiries of the predecessor auditor. Based on the above, are there any reasons we should not accept the client? 9. References 9.a Provide information gathered during inquiries of Company bankers, lawyers, and other sources Person inquired and relationship to company Comments 10. Client Scoring 10.a Considerations of the client’s risk rating include, but are not limited to, the following (score each factor with 0 is not present and 1 if present. If a high score is determined the client/engagement should be subject to additional monitoring procedures – e.g. involving a second partner review): 15 Audit Training of Trainers Yes No N/A Score Client is a public company, or plans to make an offering (public or private) in the next 12 months. Client has history of a going concern issue and/or negative cash flow from operating activities. Client is litigious as a plaintiff. Client restated its financial statements (interim or annual) at least once in the past 24 months. Client’s audit committee or Board of Directors does not have any independent members. Client frequently has complex accounting transactions. Client is planning to sell the Company within 12 months. Client has a history of multiple related party transactions Client’s quality of accounting records is at times less than adequate. Client does not always pay audit fees on a timely basis Client Risk Rating: 11. Client / Engagement Acceptance should We accept the client / engagement. should not Partner Signature Date Concurring Partner Signature Date 16 Audit Training of Trainers 3. Template: Understand the Entity and its Environment Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: To obtain understanding of the entity and its environment sufficient to identify and assess the risk of material misstatements of the financial statements Information sources: Review notes from prior audits (if applicable), inquiry management, review press and other public information, management accounts Prepared by: Reviewed by: Date: 1. Industry Relevant industry, regulatory, and other external factors including the applicable financial reporting framework 1.a Industry conditions such as the competitive environment, supplier and customer relationships, and technological developments. Examples of matters the auditor may consider include: • The market and competition, including demand, capacity, and price competition. • Cyclical or seasonal activity. • Product technology relating to the entity’s products. • Energy supply and cost. 1.b Regulatory environment encompasses the applicable financial reporting framework and the legal and political environment. Examples of matters the auditor may consider include: • Accounting principles and industry-specific practices. • Regulatory framework for a regulated industry. • Legislation and regulation that significantly affect the entity’s operations, including direct supervisory activities. • Taxation (corporate and other). 17 Audit Training of Trainers • Government policies currently affecting the conduct of the entity’s business, such as monetary, including foreign exchange controls, fiscal, financial incentives (for example, government aid programs), and tariffs or trade restrictions policies. • Environmental requirements affecting the industry and the entity’s business. 1.c Other external factors affecting the entity that the auditor may consider include the general economic conditions, interest rates and availability of financing, and inflation or currency revaluation 2. The nature of the entity, including: operations, governance structures, types of investments, subsidiaries, financing sources, balances, and disclosures to be expected in the financial statements • Nature of revenue sources, products or services. • Location of production facilities, warehouses, and offices. • Key customers and important suppliers of goods. • Research and development activities. • Transactions with related parties. • How the company is governed, information used by management, attitudes, relationship with authorities Investment activities and how the company is financed. 18 Audit Training of Trainers 3. Entity’s selection and application of accounting policies, including the reasons for changes • Appropriateness of selection of accounting policies. • Accounting policies for complex transactions. • New accounting standards, methods used for significant transactions, changes in policies. 4. Entity's Objectives & Strategies, related Business Risks • Industry developments. • New products. • Possible expansion or contraction of the business. • Accounting and regulatory requirements. • Current and future financing requirements. • Use of IT. 5. Measurement and review of the entity’s financial performance • Performance measures, whether external or internal, create pressures on the entity. • Means of measuring current and future performance. • Description of situations requiring management action. 19 Audit Training of Trainers 6. Documenting the risk of material misstatement arising from the Entity and its Environment 6.a Risk description: 6.b Significance of risk: 6.c Risk related to material account balance, class of transactions, disclosure or pervasive? 20 Audit Training of Trainers 4. Template: Entity Level Control Form Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: To obtain understanding of the internal control sufficient to identify and assess the risk of material misstatements of the financial statements. Information sources: Review notes from prior audits (if applicable), inquiry management, perform walkthroughs of identified controls. Prepared by: Reviewed by: Date: Consider the unique circumstances, as well as the size and complexity, of smaller entities: for example, a small non-public client may not have a written code of conduct or formally documented corporate policies and procedures. In these instances, pay particular attention to the “tone” set by management in its own actions, as well as its efforts to communicate to employees the company’s policies and values and the importance of integrity and ethical behavior. These conditions may not negatively affect our assessment of the effectiveness of internal control at the entity level. Recognize that smaller entities, by nature, will have varying degrees of internal control. As a result, judgment is involved in determining the effects of internal control at the entity level on the audit approach. 1. Control Environment 1.a Integrity, ethical values, and behavior of key executives Example Control Document Control The entity has developed a clearly articulated statement of ethical values that is understood at all level. The entity has a formal code of conduct, which reflects the ethical values of the entity, guides employees in making appropriate decisions, and has been communicated to employees. 21 Audit Training of Trainers Example Control Document Control (For smaller entities that do not have a written code of conduct.) The entity has developed a culture that emphasizes the importance of integrity and ethical behavior through oral communication and by management example. Employees in senior management and the accounting/finance function, as well as others in control-sensitive areas, periodically certify that they are aware and in compliance with the code of conduct. Employees are encouraged and given the means to communicate concerns, anonymously if preferred, about potential violations of the entity's code of conduct, without fear of retribution (i.e., a whistle- blower program). The CEO and senior management demonstrate the importance of sound integrity and ethical values to their employees, such as in day-to-day actions and decisions, interactions with customers, suppliers, and external parties, performance appraisals and incentives, and intolerance of ethical violations. The entity has policies and procedures regarding remedial actions to be taken in response to deviations from sound integrity and ethical values or violations of the entity's code of conduct. (Note: Examples of deviations include departures from the entity's policies and procedures, unethical behavior, illegal acts, and allegations of or actual fraud.) 22 Audit Training of Trainers 1.b Management’s Control Consciousness and Operating Style Example Control Document Control Management emphasizes the importance of minimizing risks related to financial reporting in its interaction with those involved in the financial reporting process and its dealings with others. Management approves large or unusual transactions. 1.c Management’s Commitment to Competence Example Control Document Control Management participates in the establishment of accounting for non- routine or complex transactions or significant estimates requiring substantial judgment. Management establishes and articulates financial reporting objectives, including those related to complete, accurate, and fair financial reporting. Management supports correct financial reporting and does not view it as something to be manipulated or managed. The entity maintains formal job descriptions that clearly outline the required duties and responsibilities for key positions, including financial reporting positions. Before hiring for key financial positions, management establishes and agrees on the knowledge, skills, and abilities needed to effectively carry out associated responsibilities. Management supplements in-house financial reporting competencies, as needed, with outside specialists. 23 Audit Training of Trainers Example Control Document Control Competencies of individuals serving in key financial reporting roles are periodically evaluated by those charged with governance (or the board or audit committee). Management periodically reviews and evaluates employees relative to their assigned roles to determine whether the employees' skills are appropriate for their current job responsibilities. 1.d Board of Directors and/or Audit Committee/and or those charged with governance (for companies without BoD and Audit Committee) Participation in Governance and Oversight Example Control Document Control Those charged with governance are sufficiently independent of management to challenge management's practices, decisions, and financial reporting practices. Those charged with governance have sufficient organization stature to challenge management's practices, decisions, and financial reporting practices. Those charged with governance review policies and procedures used by management for determining significant estimates, including key assumptions. Those charged with governance are timely and fully apprised of sensitive information, investigations, and improper acts (e.g., significant litigation, investigations of regulatory agencies, defalcations, embezzlement, or misuse of assets, violations of insider trading rules, political payments, illegal payments). 24 Audit Training of Trainers Example Control Document Control Those charged with governance are sufficiently engaged to scrutinize the activities of management, ask difficult questions, and challenge management’s judgments and decisions. Those charged with governance pursue questions raised until satisfactorily resolved. Those charged with governance oversee the work of both internal and external auditors. Those charged with governance meet with external / internal auditors to discuss relevant matters, such as audit results, management letters, and letters of auditors' responsibility, including private meetings without management's participation. Those charged with governance interact with regulatory auditors, as necessary. 1.e Organizational Structure and Assignment of Authority and Responsibility Example Control Document Control Policies and procedures for the authorization of transactions established at the appropriate level. There is clear assignment of responsibility and authority for decision making with respect to areas with financial reporting significance. The assignment of authority and responsibility also includes limitations. 25 Audit Training of Trainers 1.f Human Resource Policies and Practices Example Control Document Control The entity has employee handbooks (or equivalent) that adequately describe human resources policies and practices. The entity periodically updates materials outlining its human resources policies and practices. Management reviews resumes and performs reference checks in considering candidates for key financial reporting positions. For positions with high-level responsibility, background checks are performed. All personnel (regardless of organizational status) receive a documented periodic performance review and appraisal. Exit interviews include inquiries about concerns related to integrity and ethical values, financial reporting, and internal control. Those charged with governance (or the board or audit committee) review management compensation plans to determine whether the plans create an inappropriately high risk of financial reporting misstatements. Management evaluates the sufficiency and competency of personnel involved in recording and reporting financial information. (Note: Matters of evaluation may include technical skills, nature and frequency of training, ability to identify issues) 1.g Control Environment – Conclusion Effective Ineffective 26 Audit Training of Trainers Document rationale for conclusion: 2. Risk Assessment 2.a Risk Assessment – Controls Example Control Document Control Management has a defined process for identifying internal risks relevant to the preparation of financial statements in conformity with accounting principles. Management has a defined process for identifying external risks relevant to the preparation of financial statements in conformity with accounting principles, such as economic, competitive, and industry conditions, regulatory and political environment, changes in technology, supply sources, customer demands, or creditor requirements. Management updates its risk assessment on a periodic basis. The accounting department have processes in place to identify significant changes in generally accepted accounting principles promulgated by relevant authoritative bodies The accounting department have processes in place to identify significant changes in the operating environment, including regulatory changes Key finance personnel periodically meet with executive management, IT personnel, HR personnel, and legal counsel to identify issues that may affect financial reporting. 27 Audit Training of Trainers Example Control Document Control The risk assessment process specifically includes identifying and assessing the risks of fraud 2.b Risk Assessment – Conclusion Effective Ineffective Document rationale for conclusion: 3. Control Activities, Information and Communication 3.a Control activities, Information and Communication – Controls Example Control Document Control Adequate physical controls (e.g., secured facilities, adequate safeguards over access to assets and data, authorization for access to computer programs and data files, and periodic counting and comparison of physical assets with amounts shown on control records) exist Management periodically assesses the sufficiency of its information systems to capture and report data that are timely, current, accurate, and accessible. Processes for reviewing actual performance versus budgets, forecasts, and prior period performance, with adequate reporting of exceptions and variations from planned performance and appropriate responses to such exceptions and variations. Adequate segregation of duties. Able to prepare accurate and timely financial reports, including interim reports 28 Audit Training of Trainers Example Control Document Control Users generally satisfied with information systems processing, including the reliability and availability of reports. Appropriate level of coordination between the accounting and IT functions. Turnover of accounting and information technology personnel is at a reasonable level. 3.b Control activities, Information and Communication – Conclusion Effective Ineffective Document rationale for conclusion: 4. Monitoring 4.a Monitoring – Controls Example Control Document Control Does management respond in a timely and appropriate manner to recommendations on internal control from the internal auditors and us? Are monitoring procedures performed in a timely manner? There is a low level of customer complaints: does management respond in a timely and appropriate manner to the cause of such complaints? For smaller entities, is the owner/manager actively involved in the business? 29 Audit Training of Trainers 4.b Monitoring – Conclusion Effective Ineffective Document rationale for conclusion: 30 Audit Training of Trainers 5. Template: Fraud Considerations Company Name: PejaSko Cheese Ltd. Year end: 31 December Prepared by: Reviewed by: Date: 1. Document the audit team’s discussions regarding fraud, including how and when the discussion took place and who was present. 2. Document below any unusual or unexpected observations from the results of our analytical procedures performed in planning the audit, particularly those related to revenue and related accounts. 3. Fraud inquiries 3.a Document below fraud inquiries of senior management: 31 Audit Training of Trainers 3.b Document below fraud inquiries of those charged with governance: 3.c Document below fraud inquiries of internal auditors: 3.d Document below fraud inquiries of service organizations (if financial reporting is outsourced): 3.e Document below fraud inquiries of employees regarding the following matters: • Do you have knowledge of any fraud that has been perpetrated or any alleged or suspected fraud; • Are you aware of allegations of fraudulent financial reporting, for example, because of a “whistleblower” or other communications from employees, former employees, analysts, short sellers, or other investors? 32 Audit Training of Trainers 4. Programs and controls that the entity has established to mitigate specific fraud risks which the entity has identified, or that otherwise help to prevent, deter, and detect fraud, and how senior management monitors those programs and controls: 5. Indicate below the identified risk factors to be considered relating to incentives/pressures associated with misstatements arising from fraudulent financial reporting and factors relating to misappropriation of assets: 33 Audit Training of Trainers 6. Template: Audit Planning Memorandum Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: To document the audit strategy in an integrated document Information sources: Prior year working papers, discussions with management, team discussions and other working papers. Matters already documented in other work papers that are relevant can be cross referenced. Prepared by: Reviewed by: Date: 1. Section 1 1.a Scope of the engagement 1.b Audit team and need for specialist assistance 1.c Audit time plan 1.d Significant changes in client business or operations 34 Audit Training of Trainers 1.e Significant risks, matters identified in the internal control evaluation and fraud considerations 1.f Preliminary analytical procedures 1.g Materiality Document the levels of planning materiality, performance materiality and trivial error, including their basis for determination. Benchmark: Period Considered: Percent: Materiality amount: Performance materiality: Trivial error amount: Justification 35 Audit Training of Trainers 2. Section 2 2.a Significant Accounts Is High Complex or In EUR millions Significant 31 Account Transaction Judgmental (converted from local Account Process Dec Material Volumes Transactions currency) (Y or N) (Y or N) (Y or N) (Y or N) Revenue 1,30 Cost of sales 0,60 Payroll 0,25 Other operating 0,20 expenses Depreciation 0,12 Net financial costs 0,05 Income taxes 0,01 Fixed assets 0,30 Inventory 0,24 Other current assets 0,36 Equity 0,10 Long-term liabilities 0,20 Short term debt 0,10 Other liabilities 0,50 2.b Significant Disclosures 36 Audit Training of Trainers 3. Section 3 3.a Audit or accounting issues New or changed audit or accounting standards, first time audits, financial statement preparation and other significant audit or accounting issues: 3.b Fraud risk factors Discuss any fraud risk factors identified and the plan to address this risk: 3.c Audit approach Based on the risk assessment procedures, identify the inherent risks and the auditor’s response to those risks. Consider the nature, timing and extent of procedures to be performed. Inherent Reliance Audit risk (low, Timing and Process risk (Higher on medium and Related audit area extent of or Lower) controls higher) procedures Sale of goods Revenue, receivables, estimates Purchase of Purchase of goods, goods inventory, fixed assets, payables Payroll Payroll 37 Audit Training of Trainers Inherent Reliance Audit risk (low, Timing and Process risk (Higher on medium and Related audit area extent of or Lower) controls higher) procedures Various Financial financial transactions processes Various Taxation financial processes Various Transactions of financial equity and processes dividend payments Estimates Provision for bad debt, depreciation, claims provision, Inventory obsolescence, claims provision Proceeds Bank and cash, receivables Payments: Bank and cash, (Bank) payroll, payables (to suppliers) Payments Bank and cash, (Cash) payables (sundry) 38 Audit Training of Trainers 7. Example: Internal Control Review Template Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: To document internal controls and understand the flow of transactions, including how transactions are initiated, authorized, processed and recorded. Information sources: Interviews, client flowcharts, policy and procedure manuals, narrative descriptions, internal control documentation and inquiries, and other sources. Class of transactions: Payments Accounts affected: Cash and Bank, Payables, Payroll Prepared by: Assistant Auditor # 1 Reviewed by: Dejan Vuk, Certified Public Accountant and Partner Date: Today 1. System description Document how transactions are initiated, authorized, processed and recorded. Also cover the following areas: • Authorizations • Segregation of duties • Cut off procedures • Manual and automated procedures • Control and review procedures Payments to suppliers and payroll are made via electronic banking with the three different banks with which the company has accounts. Mr. Bankomat is the authorized signature of all three bank accounts. Payments below EUR 300 relating to other sundry/small suppliers can also be performed in cash. If the payment made is in foreign currency, the foreign exchange difference between the transaction value in the supplier specification and value of the payment is booked as financial costs/income. Exchange rates are automatically uploaded in the system. Authorization: The payments to suppliers are authorized by both Mr. Brankomat and the Chief Accountant. In some cases, especially during Mr. Brankomat’s holidays, the Chief Accountant authorizes the payments using her password and that of Mr. Brankomat. When 39 Audit Training of Trainers back at work, Mr. Brankomat controls all such payments made from the main account and issues final clearance by initialing the paid invoices. The accounting system automatically produces a weekly proposal based on the registered due dates of the invoices. Similarly, the two monthly wage payments and other benefits are also approved. The documents and records are archived in their own voucher binder for the current year in bank statement date order. Segregation of duties: For payments to suppliers there is appropriate segregation of duties since both the automated process and staff are responsible for initiating, authorizing, and recording transactions. In the case of cash payments to smaller sundry suppliers, the Chief Accounting is responsible for both approving cash payments (below EUR 300), authorizing small requisitions (below EUR 500), recording these payments and handling the cash balance. As such, there is an insufficient segregation of duties, which represents a higher audit risk due to the possibility of misappropriation. Cut off: The Chief Accountant reconciles the monthly bank statements against the account balance of the general ledger and explains differences or investigates reconciling items between the bank statements and the general ledger. The bank reconciliation is then submitted to Mr. Brankomat for review and approval of the reconciliation. Control and review procedures: The following control and review procedures are observed only for electronic payments and for payments to suppliers and the payroll: • Payments are properly authorized (authorization control); • Monthly bank reconciliations (manual control); • Exchange rates are automatically uploaded into the system which is set up to record exchange differences on transitions (automated control.) 2. Risk assessment For each assertion associated with an affected account, describe the type of errors that may occur and the assessed risk. In making these risk assessments, consider the following: a) the inherent risk and account characteristics of the related accounts; b) the client's control environment, including the influence of the owner or manager; c) the accounting procedures and any controls that may have been identified; and d) the effect of segregation of duties. 40 Audit Training of Trainers Account: Cash and Bank Assertion Type of error Risk assessment Occurrence Recorded cash disbursement Low – for electronic payments to transactions may not be real suppliers as there are authorization (i.e., duplicate or fictitious). controls in place High – for cash payments due to lack of appropriate segregation of duties. Refer to the Petty Cash audit program (Ref. to appropriate working paper) for audit tests to address this risk. Completeness Cash disbursement Low - Monthly Bank Reconciliations transactions may not be (manual control) recorded. Accuracy Recorded cash disbursement Moderate transactions may not be properly posted to the accounting records. Cutoff Cash disbursement Low - Monthly Bank Reconciliations transactions may not be (manual control) recorded in the proper period. Classification Recorded cash disbursement Moderate transactions may not be classified properly. Valuation and Recorded cash disbursement Low – Exchange rates are automatically allocation transactions may not be uploaded in the system which is set up to properly valued. record exchange differences on transitions (automated control) 41 Audit Training of Trainers 8. Example: Walkthrough Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: To confirm that our understanding of the significant classes of transactions or significant disclosure process is as we have documented; to confirm the points where data is captured or modified as these are the points where misstatements are most likely to occur; and verify that we have identified the appropriate audit risks. Information sources: Inquiry, inspection and re-performance. Matters already documented in other work papers that are relevant can be cross referenced. Class of transactions: Payments Accounts affected: Cash & Bank, Payables, Payroll Prepared by: Assistant Auditor # 1 Reviewed by: Dejan Vuk, Certified Public Accountant and Partner Date: Today Note: Walkthroughs are performed in all audits of the: (i) significant classes of transactions and significant disclosure processes, including the financial statement close process; and (ii) relevant controls over significant risks, highly automated significant classes of transactions, and journal entries. When we use a controls reliance strategy, we perform a walkthrough of controls over those significant classes of transactions and significant disclosure processes. The walkthrough procedures performed should address the points at which the transactions are initiated, recorded, processed, and ultimately reported in the general ledger including both the manual and automated steps of the process. 1. Walkthrough Procedure Significant class of transactions – walkthrough Electronic payments: I obtained a requisition order and matched it to approval, the goods receipt note and invoice from the supplier. I traced the invoice to the list of weekly system reports of proposals for payment that had been authorized for payment. I traced the 42 Audit Training of Trainers payment through the bank account and also observed the recording in the payables and cash accounts. The payroll statement for March was traced to the electronic bank payment and the totals had been verified as cleared. Authorizations had also been observed. Cash payments: I selected a sundry small supplier payment from petty cash and traced it to the supporting document. I traced the payment and the journal entries. Controls - walkthrough Payments are properly authorized (authorization control): see walkthrough above of the authorization control on electronic payments. Monthly Bank Reconciliations (manual control) – I obtained the bank reconciliation for April and observed the procedure by tracing the balance in the books to the bank statements. I identified a single exception investigated by the Chief Accountant which turned out to be a timing difference. During the walkthrough it was observed that Bank reconciliations are not performed on a monthly basis with one Bank – Balkan Bank – as this account is dormant. I verified that the balance with the Bank is dormant for April. Exchange rates are automatically uploaded in the system that is set up to record exchange differences on transitions (automated control). I observed the exchange rate from an official source for a random day in June and compared it with the system uploaded exchange rate for the same day. I also performed another manual calculation of the payment of the supplier’s invoice for the same day. I traced the exchange difference to the profit and loss and found no exceptions. Supporting documents are attached. 2. Segregation of duties, authorization and management override of controls For payments to suppliers there is an appropriate segregation of duties since both automated process and persons are responsible for initiating, authorizing, recording transactions. In the case of cash payments to smaller sundry suppliers, the Chief Accountant is responsible for both approving cash payments (below EUR 300), authorizing small requisitions (below EUR 500), recording these payments and handling the cash balance. As such, there is an inadequate segregation of duties, which represents a higher audit risk. 43 Audit Training of Trainers 3. Conclusion My walkthrough confirmed our understanding of the payment system as well as the operating of the identified controls. 44 Audit Training of Trainers 9. Example: Sampling Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: Sample calculation: Accounts Receivable confirmations Information sources: PejaSko Accounts Receivable Ledger Prepared by: Reviewed by: Date: Sampling Parameters Population book value 100.000 EUR Number of items 30 Sampling Interval 8.450 EUR / 3 = 2,8 (Performance Materiality / Confidence Factor) Random number (between 1 and sampling interval) 2 Accounts Receivable Ledger as of 31 December Balance Cumulative Balance Customer Name Sampling item (‘000 Euro) (‘000 Euro) 1 0,1 0,1 2 0,1 0,2 3 0,1 0,3 4 0,3 0,6 5 0,3 0,9 6 0,3 1,2 7 0,4 1,6 8 0,4 2,0 9 0,6 2,6 10 0,6 3,2 11 0,7 3,9 12 0,9 4,8 45 Audit Training of Trainers Customer Name Balance Cumulative Balance Sampling item 13 1,0 5,8 14 1,1 6,9 15 1,4 8,3 16 1,5 9,8 17 1,6 11,4 18 1,6 13,0 19 2,0 15,0 20 2,0 17,0 21 2,0 19,0 22 2,5 21,5 23 3,0 24,5 24 3,0 27,5 25 4,0 31,5 26 4,5 36,0 27 8,0 44,0 28 11,0 55,0 29 20,0 75,0 30 25,0 100,0 Total 100,0 Sampled amount % of population 46 Audit Training of Trainers 10. Template: Test of Controls Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: Document the details of planned audit procedures to test operating effectiveness of internal controls within the sales, purchases, payroll and cash cycle. Your description should provide details of controls, related audit area and assertion, sample size, and timing of the tests. Information sources: Various PejaSko records Prepared by: Reviewed by: Date: Related Audit Area Selected Controls to Test Sample Size Timing and Assertion 47 Audit Training of Trainers 11. Template: Substantive Audit Programs Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: Design substantive procedures for fixed assets, receivables, cash and bank, revenues, and cost of sales. Information sources: Various PejaSko records Prepared by: Reviewed by: Date: Substantive Procedure Description Assertion Timing 48 Audit Training of Trainers 12. Template: Estimates Audit Program Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: Design audit procedures to test accounting estimates (including provisions for bad debt, depreciation, inventory obsolescence, claims provision) Information sources: Various PejaSko records Prepared by: Reviewed by: Date: Estimate Audit Procedures Provisions for bad debt Depreciation Inventory Obsolescence Claims Provision Other Estimates, if any 49 Audit Training of Trainers 13. Template: Audit Conclusion Memorandum Company Name: PejaSko Cheese Ltd. Year end: 31 December Objective: To prepare a summary of audit conclusions Information sources: Audit files Prepared by: Reviewed by: Date: 1. Evaluate the audit differences and appropriates of audit materiality 2. Document the Significant Audit Areas 3. Perform a final analytical review based on the final financial statements 50