This article aims to change the public's perception of the value of the external auditing exercise significantly, how the audit methodologies provide more value-added benefits to businesses which hopefully will be fully appreciated by more unlisted companies' overtime.
The survival of a business, its relevance as well as its growth, are constantly being challenged due to pressures from the internal and external environments arising from factors such as adverse economic downturns, sporadic changes in technology, increasing customers' taste, and fashion. Likewise, just like businesses and other professions, the auditing profession and its methodologies have also undergone vigorous changes arising from rising changes in technology, increasing business complexity and in recent times, rising corporate scandals and business failures. Although audit risks and business risks are dissimilar, it is often the case that identification of significant business risks leads to the detection of audit risks.(Ammar Ali ,2020 Accounting Simplified Web) However, this auditor's consideration of business risk can also impact positively on business operations, growth and survival beyond regulatory compliance purposes.
Auditor's Risk Assessment Procedures and Value to Business
In order to ensure the timeliness and relevance of the audit profession in meeting public expectation despite changes in business complexities, the International Standard on Audit 315 (Revised), identifying and assessing the risk of material misstatement through Understanding the Entity and its Environment, states that the auditor, at the audit planning stage (ISA 300), should perform an appropriate risk assessment of the client's business environment and understanding of its internal control systems in a manner that commensurate with the size and nature of the entity. Primarily, the consideration of these business risks provides the auditor the opportunity to identify the risk of material misstatement due to error or fraud in the financial statement and designing its audit strategy in response to the risk identified (ISA 330). However, on the other hand, it is quite clear that this risk-based approach also provides an independent evaluation of the entity's environments in identifying business risks that could impede the attainment of its set objectives.
Regrettably, some entities, majorly unlisted companies, perceive that the sole significance of audit is to ensure compliance with statutory or regulatory requirements, most importantly, filing of tax returns and ensuring deadlines are met. Such that if the audited financial statement (AFS) is expunged from filing requirements, the essence of the audit might be lost in totality. This perception could explain the perceived lack of full cooperation of some staff and management towards the auditors during the audit planning stage, thereby, underestimating the Value of the risk-based audit approach to business success.
We shall demonstrate, using examples, how the auditor's risk assessment of the client's business environment through Understanding its entity and its environment and understanding its internal control can impact on other business activities beyond compliance.
Understanding the Entity and its Environment: (ISA 315)
What is understanding the entity and its environment and how can businesses derive benefit from this auditor's assessment of its entity and its environment?
According to ISA 315, Understanding the entity and its environment entails, gaining relevant and sufficient knowledge of the internal and external factors that impacts or influences the client's businesses. from its corporate governance structure, organizational structure, business models, and objectives, measures to assess its financial performance, industry performance, regulatory and legal factors. Gaining an understanding of these factors is a key audit planning activity.
The following example illustrates how identifying risk through understanding the entity & its environs impacts audit strategy and how businesses can benefit from this risk-based audit approach in devising business strategies to attain its objectives.
The Auditor identified the following business risks during an assessment of the Client's operation and environment
- As Significant decline in Revenue resulting in operating losses over time.
- Indications that management & board of directors' personal financial situations are threatened by the entity's financial performance arising from significant financial interest in the entity.
- Marginal ability to fulfill loan or debt obligations.
- Continual complaint against manufacturing company about environmental issues.
Implication of Business risk identified on the Client's operations:
- There is a going concern risk where the affected product or service contributes a substantial portion to total revenue making the threat of bankruptcy imminent.
- Senior Management override of controls with the collaboration of Board.
- Financial Risk, Loss of Key assets used as collateral,
- Loss of goodwill.
- There is a risk of material misstatement on Revenue, Receivables and Cash Balances.
- Risk of Fraud resulting into applying inappropriate accounting estimate.
- Misstatement or no provision or disclosure on potential or contingent liability.
- There is a risk of material misstatement on Loan, asset valuation and finance cost as management might not provide necessary information to auditors.
Business Strategy to address Risk identified by the Auditor:
- Devise Product or Market Growth Strategy putting into consideration, the Product Life Cycle such as Market or Product Diversification,
- Review composition of Board Members for independence and separation of powers, Establish Anti-fraud Policies, corporate Governance Policies, Execute Disciplinary actions irrespective of the level of management involved.
- Business Restructuring Strategy such as Partnership, Mergers, Private investors, Debt: Equity restructuring.
- Independent Audit of its compliance with environmental standards and voluntary Sustainability Report to the public.
Potential Benefits to Businesses:
- Regain Existing Market Share, Increased Profitability.
- Enhances Board Effectiveness.
- Increased compliance to established policies at all management levels.
- Increased awareness on anti-fraud policies and their implication on business.
- Improved Liquidity Level or Reduced cost of Debt.
- Goodwill, an improved reputation that could attract investors to attain business objectives.
Understanding the Components of the Entity's System of Internal Control
What are the Components of an entity's internal control system and how can businesses derive benefit from the auditor's assessment of its Internal Control systems?
The Committee Of Sponsoring Organizations (COSO) framework, defined ICS as the structures put in place by the board of directors and management to ensure compliance with the organization's policies and procedures, attainment of the organization's objective, and integrity of the financial reports. In 2013, COSO also updated its framework to address significant changes in the business environment. This simultaneously means, businesses can also derive other value-added benefits based on the auditor's assessment of its ICS.
The framework classified an effective Internal control system to consist of 5 Components which are: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. The most prominent of these components is “Control Activity”. However, believing an internal control system is all about “Control Activities” undermines the relevance of the other components of the internal control system.
Hence, understanding the entity's internal control means the auditor is expected to have adequate knowledge of all 5 components, assess the adequacy of their designs, test the operating effectiveness over financial reporting, and draws his conclusion thereon. The examples below illustrate how auditor's identification of control deficiency can impact Business, and how the business can respond to these identified risks to ensure attainment of its overall objectives.
The External Auditor Assessed the ICS of an entity and identified the following deficiencies:
Control Environment Deficiencies:
- Poor Board Evaluation of Senior Management's Performance.
- Some transactions in which the management is financially interested in is not properly scrutinized by Board Members
- Management circumvention of the procurement process; Kickbacks from collusion with suppliers
- Unauthorized or modification of Sales Contract Revenue Process by Management.
Control Activities Deficiencies:
- Overstating cash receipts in the books by making bank transfers from undisclosed bank accounts to cover up for embezzlement of cash receipts.
- A staff re-initiating a vendor's invoice that had already been settled by the company as those involved in the payment initiation were not involved during the final approval for the payment process.
Monitoring Activities Deficiencies:
- Sales personnel frequently grant unauthorized and unrecorded sales discounts to customers without the knowledge of the accounting department. These amounts are deducted by customers in paying their invoices and are recorded as outstanding balances on the accounts receivable aging. (Public Company Accounting Oversight Board)
- Falsifying the percentage of completion on construction projects for fraudulent purposes by construction companies.
Information and Communication Deficiencies
- Inadequate design of information and Communication Systems
Risk Assessment Deficiencies:
- Absence of risk management system
Potential areas Misstatement in the financials as a result of the Control deficiencies identified:
- Misstatement of Cash, receipt, and inventory balances
- Misstatement of revenue and overstatement of the Trade Receivable Balances
Implication of Control Deficiencies on Business:
- Risk of fraud and misappropriation of assets, Inefficient processes leading to wastage of resources, Loss of Revenue, misstatement of financials due to error or fraud, Cash misappropriation, Risk of operational or failure, if risk is left unattended depending on its severity
Business Strategy to Address Control Deficiencies identified by the Auditor:
Control Environment Responses: Senior Management or Board Reviews through External Consultant, establish a Code of Conduct and anti-fraud policies to be communicated across all management levels
Control Activities Responses: Engage services of internal auditor or Business Process Engineer to carry out periodic evaluation of designs and effectiveness of the Internal control system.
Monitoring Activities Responses: Periodic reconciliation of account balances, Staff Training on relevant financial reporting standards, Outsource Accounting functions
Information and Communication Responses: Establish strong ICT systems and update regularly.
Risk Assessment Responses: Ensure a formal documentation of its risk management policies, communication and orientation of its staff on risk topics.
The illustrations above depict how the auditor's risk assessment procedures can aid in the formulation of business risk management strategies and achieving business growths. To derive these benefits, Senior Management or Those Charged with Governance (TCWG) should ensure auditors perform audit procedures in line with the Professional requirements, the Involvement of TCWG during the audit planning stage to discuss and review the audit strategy and Management/Staff re-orientation on the significance of audit to business survival and growth. This will ensure that maximum cooperation is achieved and enables the seamless transfer of sufficient, relevant, and appropriate information necessary for the Auditor to identify significant business risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.