CFRA
NFRA & PCAOB – Dissecting
Peformance Evaluation of Audits and
Its relevance in current times for
Small and Medium Sized practitioners
January 22, 2020
CA Chirag Doshi
CD Financial ReEngineering Advisors LLP(CFRA)
CFRA
Way Forward
PCAOB
Personal Experience
NFRA
NFRA first report
How SMP can deal with it
CFRA
PCAOB
Formation
Top areas of Focus as per 2019
inspection outlook:
System of Quality control in firms
Independence
Recurring audit deficiencies
Internal Control Over Financial Reporting
Revenue Recognition
Allowance for Loan Losses
Other Accounting Estimates
Risks of Material Misstatement
External factors considerations
CFRA
PCAOB Statistics
The report by the Project On Government Oversight (POGO)
A top U.S. accounting watchdog has brought only 18 enforcement actions and
levied just $6.5 million in fines against the Big Four accounting firms in its 16-year
existence
The Washington-based group’s analysis of 16 years’ of PCAOB inspection reports
on the U.S. arms of the Big Four audit firms - Deloitte & Touche, Ernst & Young,
PricewaterhouseCoopers and KPMG - found the regulator identified 808
instances in which the firms issued defective audits.
the agency has only brought 18 enforcement cases related to 21 audits against
the Big Four. The Big Four audit 99% of companies in the S&P 500, according to
POGO.
According to the report, under its powers the agency could have fined the Big
Four a minimum of $1.6 billion, but public records indicate fines of only $6.5
million.
CFRA
My Learning and Experience
PCAOB
Initial Letter
Review consist of 2 parts:
Quality control review
Tone at the top
Partners evaluation, compensation , admission, responsibilities and disciplinary action
Practice for client acceptance and Retention
Independence
Firms internal inspection process
Audit policies and Procedure
Firms Training Calendar
Audit Engagement review
CFRA
My Learning and Experience
PCAOB Procedure
Exhibit A and B to be complied before the review starts
Conference calls
Team visit
Timing and Pre visit call
Team size and calibre
Area of focus
Independence of the team
On field Review procedure
Independent review of files and day end queries
Tricky questions
Discussion with partner
Closing meeting
CFRA
My Learning and Experience
PCAOB
More focus on auditing standards then accounting standards
Risk control matrix
Sampling procedure and techniques
Training of Staff
Internal control Review
Communication with those charge with governance (pre and post audit)
Fraud documentation
External confirmations
CFRA
My Learning and Experience
PCAOB
Current year vs previous year
Audit papers vs client papers
Confidentiality
Xerox copies
Procedures after field reviews
Draft report - Part A and Part B
Our replies
Board Approved
Final Letter and Report on PCAOB website
CFRA
NFRA
Constitution
Media Clips
First report
Combat
CFRA
NFRA
Constitution
Rule 8 of the NFRA Rules, 2018, provides that, for the purpose of monitoring
and enforcing compliance with auditing standards in the act, the NFRA
may:
a . review working papers (including audit plan and other documents) and
communications related to the audit;
evaluate the sufficiency of the quality control system of the auditor and the
manner of documentation of the system by the auditor; and
perform such other testing of the audit, supervisory, and quality control
procedures of the auditor, as may be considered necessary or appropriate.
CFRA
NFRA
Media Clips
CFRA
NFRA – First Report
The AQR is designed
to identify and highlight non-compliance with the requirements of the Standards
on Auditing (SAs) and
to bring out insufficiencies in the quality control system of the audit firm,
To identify shortcomings in the documentation of the audit process.
The AQR also evaluates the quality and adequacy of the supervisory
procedures of the audit firm.
CFRA
First NFRA Report
The AQR process commenced on 25th February, 2019.
Went through several different stages before a draft AQR Report was issued
to DHS on 23’d September, 2019.
After considering the responses of DHS to the draft AQR Report, both at the
oral presentation made by DHS to the NFRA on 30 October, 2019, and
in writing on 4 November, 2019, NFRA has finalized the AQR Report.
CFRA
First NFRA Report
The AQR has disclosed that DHS has failed to comply with the requirements
of the SAs. The instances of failure noticed are of such significance that it
appears to NFRA that DHS did not have adequate justification for issuing
the audit report asserting that the audit was conducted in accordance
with the SAs.
For listed entities,
Engagement Quality
Control Review is
compulsory and not
an option
CFRA
First NFRA Report
The independence of the auditor was compromised by the provision of
non-audit services for substantial fees; that these non-audit services were
clearly prohibited services in terms of Section 144 of the Companies Act,
2013; and the mandatory approval of the Audit Committee that would
have been required if the provision of such services was permissible was not
obtained
Annexure to the report provide all details of other services provided by Firms and
its network firms
The need to maintain
independence in mind,
and also independence
in appearance, is
paramount.
There is no definition of
“management services”
provided in the Act;
hence it is to be
understood in its literal
meaning
Audit Committee
approval as mandated
by Section 144 of the
Companies Act, 2013
was NOT found
CFRA
First NFRA Report
The Engagement Partner, i.e., the partner designated by DHS as the person
in overall charge of the statutory audit work had signed the Audit Report
without discharging most of the important duties that the Engagement
Partner is required to fulfill; the Audit Firm also violated SQC 1 and SA 220 by
naming two partners as Engagement Partners, thereby leading to loss of
accountability.
Having more than
one EP can only
enhance audit
quality
Could it then be 5
or 10, or even
more? Clearly, the
absurdity of this
argument need
not be explained
further
CFRA
First NFRA Report
DHS did not display the required professional skepticism, and did not challenge the management on important issues;
More reliance on Management Representations
DHS failed to appropriately deal with identification, categorization and minimization of Engagement risk, especially looking at the size, nature and economic significance of the Auditee company. The risk of misstatement due to fraud was ruled out by DHS. This led to inadequate audit responses.
DHS did not adequately question the going concern assumption on the basis of which the management had prepared the financial statements.
There were significant contradictions in the assessment of ROMM which lead to
the conclusion that the assessment had been carried out in so casual a manner
as to result in a complete sham.
CFRA
First NFRA Report
DHS accepted the stand of the management about not disclosing the fact
that the Net Owned Funds (NOF) and the Capital to Risk Assets Ratio
(CRAR) of IFIN as on 31st March, 2018 were both negative, and that this
situation would lead to cancellation of the NBFC license of the company.
DHS certified the accounts showing positive NOF and CRAR, accepting the
explanations of the management which were clearly contrary to law.
The Audit Firm seems to imply that this communication of the RBI was not
available to them. This explanation we held to be unacceptable for the reason
that this clearly showed the complete lack of due diligence and professional
skepticism on the part of the Audit Firm. Had proper enquiries been made both
with TCWG and the RBI, it is certain that this communication would have been
formally made available to the Audit Firm
CFRA
First NFRA Report
DHS did not question the management and challenge the inflation of profit
by over Rs.180 crores through inclusion of the value of a derivative asset
which was entirely unjustified.
DHS did not communicate any matter arising out of the audit to those
charged with governance of the IFIN, even though mandated by the SAs
to do so
Similarly, as regards the argument that all work was done in the company’s office, and hence communication with the Management was on a daily basis, is concerned, this
argument, logically, would mean that no documentation at all would be required. Hence, the unacceptability of such an argument is obvious.
The actions of the auditor in not having done so, and having accepted the
stand of the management without question, shows clearly a gross dereliction
of duty and negligence on the part of Audit Firm.
CFRA
First NFRA Report
The Engagement Quality Control Review, as said to have been carried out,
has been shown to have been a complete sham
NFRA has concluded that the quality control system and processes of DHS
are severely inadequate and ineffective
Reference to global
standards for any reason,
notwithstanding any
similarity to Indian
standards, does not
meet the essence of the
engagement and is not
in compliance with the
section 143(9) of the Act.
CFRA
Tips for Small and Mediums Size Practicing
Firms
Audit Manual model
Process and Procedure
Independence Confirmation
Firm
Staff
Partner in charge
Team members
Trainings
SQC 1
Quality reviews Partner
Internal Inspections
CFRA
Contents of a Audit manual
Table of Contents
Chapter 1: INTRODUCTION AND FUNDAMENTAL PRINCIPLES
1.1 USE OF THIS MANUAL
1.2 REASONABLE ASSURANCE
1.3 OBJECTIVE OF AN AUDIT
1.4 AUDIT EVIDENCE
1.5 DOCUMENTATION
1.6 FINANCIAL REPORTING FRAMEWORK
1.7 QUALITY CONTROL
1.8 ETHICS
1.9 PROFESSIONAL SCEPTICISM
1.10 TECHNICAL STANDARDs
CFRA
Contents of a Audit manual
Chapter 2: PRE-ENGAGEMENT ACTIVITIE
2.1 INTRODUCTION
2.2 BASIC ENGAGEMENT INFORMATION
2.3 ENGAGEMENT EVALUATION: CLIENT ACCEPTANCE / CONTINUANCE
2.4 INDEPENDENCE DECLARATIONS
2.5 STAFF ASSESSMENT AND AUDIT BUDGET
2.6 PLANNING MEETING
2.7 TERMS OF THE ENGAGEMENT
CFRA
Contents of a Audit manual
Chapter 3: PLANNING THE AUDIT
3.1 DEVELOPMENT OF AUDIT APPROACH
3 .2 GATHERING KNOWLEDGE OF THE BUSINESS, LAWS AND REGULATION AND UNDERSTANDING THE ACCOUNTING SYSTEMS AND INTERNAL CONTROLS
3.3 FRAUD RISK DISCUSSIONS AND INDICATORS
3.4 RELATED PARTIES
CFRA
Contents of a Audit manual
Chapter 4: RISK ASSESSMENT PROCEDURES
4.1 RISK OF MATERIAL MISSTATEMENT AT THE FINANCIAL STATEMENT LEVELS
4.2 RISK ASSESSMENT AT THE BALANCES, TRANSACTIONS AND DISCLOSURES
4.3 SIGNIFICANT RISKS
4.4 FRAUD RISK ASSESSMENT AT FINANCIAL STATEMENT LEVEL
4.5 FRAUD RISK ASSESSMENT AT ACCOUNT BALANCE LEVEL Policy
4.6 GOING CONCERN CONSIDERATION AT THE PLANNING STAGE
CFRA
Contents of a Audit manual
Chapter 5: PLANNING MATERIALITY
Chapter 6: AUDIT PROGRAMMES
Chapter 7: DIRECTION, SUPERVISION AND REVIEW
Chapter 8: TEST OF CONTROLS AND SUBSTANTIVE TESTS
8.1 TESTS OF CONTROLS
8.2 SUBSTANTIVE TESTS
Chapter 9: CONSIDERING THE WORK OF INTERNAL AUDIT
CFRA
Contents of a Audit manual
Chapter 10: PERFORMING THE AUDIT
10.1 AUDIT SAMPLING
10.2 INITIAL ENGAGEMENTS
10.3 CONSIDERATION OF LAWS AND REGULATIONS
10.4 ENQUIRIES REGARDING LITIGATION AND CLAIMS
10.5 EXTERNAL CONFIRMATIONS
10.6 ANALYTICAL PROCEDURES
10.7 AUDITING ACCOUNTING ESTIMATES
10.8 AUDITING FAIR VALUE MEASUREMENTS AND DISCLOSURES – If applicable
10.9 RELATED PARTIES
10.10 PROVISIONS, CONTINGENT ASSETS AND CONTINGENT LIABILITIES AND COMMITMENTS
CFRA
Contents of a Audit manual
0.11 GOING CONCERN CONSIDERATION DURING THE CONDUCT OF THE AUDIT
10.12 USING THE WORK OF ANOTHER AUDITOR
10.13 CONSIDERING THE WORK OF INTERNAL AUDIT
10.14 USING THE WORK OF AN EXPERT
10.15 ATTENDANCE AT PHYSICAL INVENTORY COUNTING
10.16 VALUATION AND DISCLOSURE OF LONG TERM INVESTMENTS
10.17 SEGMENT INFORMATION
10.18 JOURNALS
10.19 SERVICE ORGANISATIONS – As applicable
10.20 COMPARATIVES
10.21 OTHER INFORMATION IN DOCUMENTS CONTAINING AUDITED FINANCIAL STATEMENTS
CFRA
Contents of a Audit manual
Chapter 11: FINALISATION: AUDIT CONCLUSIONS AND REPORTING
11.1 ADEQUACY OF PRESENTATION AND DISCLOSURE
11.2 SUBSEQUENT EVENTS
11.3 GOING CONCERN CONSIDERATION AT THE FINALISATION STAGE AND GENERAL PRINCIPLES
11.4 FINAL ANALYTICAL REVIEW
11.5 FINAL MATERIALITY ASSESSMENT AND UNADJUSTED ERRORS
11.6 EVALUATION OF AUDIT TEST RESULTS
11.7 CONSIDERATION OF THE AUDITOR’S REPORT
11.8 REPORTABLE IRREGULARITIES
11.9 REPORT TO THOSE CHARGED WITH GOVERNANCE
11.10 ENGAGEMENT PARTNER’S CONSIDERATION OF COMPLIANCE WITH ETHICS AT THE COMPLETION OF THE AUDIT.
11.11 MANAGEMENT REPRESENTATIONS
CFRA
Example
2.4 INDEPENDENCE DECLARATIONS
Policy
2.4.01 We will comply with relevant ethical requirements relating to audit engagements.
2.4.02 We will therefore comply with the Code of Ethics and the Code of Professional Conduct
2.4.03 The engagement partner will consider whether members of the engagement team have complied with ethical requirements.
2.4.04 The fundamental principles of the Code may be threatened by a broad range of circumstances. These threats will fall into one of the following categories: self-interest threats, self-review threats, advocacy threats, familiarity threats and intimidation threats. We will as far as possible avoid any of these threats. In exceptional cases we will ensure we have appropriate safeguards in place for those threats than can not be avoided.
CFRA
Example
2.4.05 The engagement partner will ensure compliance with independence requirements that apply to the audit engagement. In doing so, the engagement partner will:
Obtain relevant information from the firm and, where applicable, network firms, to identify and evaluate
circumstances and relationships that create threats to independence;
Evaluate information on identified breaches, if any, of the firm’s independence policies and procedures to
determine whether they create a threat to independence for the audit engagement;
Take appropriate action to eliminate such threats or reduce them to an acceptable level by applying
safeguards. The engagement partner will promptly report to the firm any failure to resolve the matter for
appropriate action; and
Document conclusions on independence and any relevant discussions with the firm that support these
conclusions.
2.4.06 We will perform the following activities at the beginning of the current audit engagement:
Perform procedures regarding the continuance of the client relationship and the specific audit
engagement;
Evaluate compliance with ethical requirements, including independence; and
Establish an understanding of the terms of the engagement.
CFRA
Example
Procedures
2.4.07 The Code of Professional Conduct is forwarded to all audit staff annually. Staff is required to familiarise themselves with the requirements.
2.4.08 A copy of Code of Professional Conduct is provided to all new audit staff. The Code, SQC 1 and SA 220R is discussed annually with all new audit staff joining the firm as part of staff orientation.
2.4.09 Audit staff have been instructed to discuss any concerns in respect of the FAC Code with any of the Partners.
2.4.10 Independence declarations in terms of the FAC code is completed by audit staff for all audit engagements and placed on the relevant audit file.
2.4.11 A list of prohibited investments is forwarded by the MP to the firm staff at the beginning of each year. Firm staff complete declarations stating that they do not have any such investments and return it to the MP’s PA for filing in the Quality Control Manuals.
2.4.12 We will attempt to resolve all ethical conflicts but if, after exhausting all relevant possibilities, the ethical conflict remains unresolved we will, where possible, refuse to remain associated with the matter creating the conflict. We may determine that, in the circumstances, it is appropriate to withdraw from the assignment.
2 Independence Confirmation_Employee name.doc
CFRA
Example
11.9 REPORT TO THOSE CHARGED WITH GOVERNANCE –
Policy
11.9.01 If we have identified a fraud or has obtained information that indicates that a fraud may exist; we will communicate these matters as soon as practicable to the appropriate level of management.
11.9.02 If we have identified fraud involving
Management;
Employees who have significant roles in internal control; or
Others where the fraud results in a material misstatement,
We will communicate these matters to those charged with governance as soon as practicable.
11.9.03We will make those charged with governance and management aware, as soon as practicable, and at the appropriate level of responsibility, of material weaknesses in the design or implementation of internal control to prevent and detect fraud which may have come to our attention.
11.9.04We will consider whether there are any other matters related to fraud to be discussed with those charged with governance of the entity.
11.9.05We will document communications about fraud made to management, those charged with governance, regulators and others.
CFRA
Example
11.9.06 When we believe there may be non-compliance with laws and regulations, we will document the findings and discuss them with management.
11.9.07 We will, as soon as practicable, either communicate with those charged with governance or obtain audit evidence that they are appropriately informed, regarding non-compliance with laws and regulations that comes to our attention.
11.9.08 If in our judgment the non-compliance is believed to be intentional and material, we will communicate the finding without delay.
11.9.09 If we suspect that members of senior management, including members of the board of directors, are involved in non-compliance with laws and regulations, we will report the matter to the next higher level of authority at the entity, if it exists, such as an audit committee or a supervisory board.
11.9.10 We will communicate audit matters of governance interest arising from the audit of financial statements with those charged with governance of an entity.
11.9.11 We will determine the relevant persons who are charged with governance and with whom audit matters of governance interest are communicated.
11.9.12 We will inform those charged with governance of those uncorrected misstatements aggregated by us during the audit that were determined by management to be immaterial, both individually and in the aggregate, to the financial statements taken as a whole.
CFRA
Example
11.9.13 We will communicate audit matters of governance interest on a timely basis.
11.9.14 We will make those charged with governance or management aware, as soon as practicable, and at an appropriate level of responsibility, of material weaknesses in the design or implementation of internal control which have come to our attention
11.9.15 If we have identified a material misstatement resulting from error, we will communicate the misstatement to the appropriate level of management on a timely basis, and consider the need to report it to those charged with governance in accordance with SA 260 “Communication of Audit Matters with those charged with Governance”.
CFRA
Example
Procedures
11.9.16 Our communication of audit matters during planning is recorded in hard copy file. We will inform those charged with governance of the general approach and overall scope of the audit, including any expected limitations thereon, or any additional requirements.
11.9.17 Our communication of audit matters during completion is recorded in hard copy file.
11.9.18 Weaknesses in internal controls are discussed with those charged with governance. Our management letter points are filed.
11.9.19 The schedule of unadjusted audit differences are discussed with those charged with governance. The schedule of unadjusted audit differences is in 14 Summary of Unadjusted Difference__Client Name_Period.
11.9.20 During our audit we will come across information which we will want to communicate to management and the board of directors. This information would normally include at a minimum weaknesses in the client’s internal control and possible corrective measures that the client can adopt. A report to management is given at the end of the audit when a summary of all the issues can be compiled.
CFRA
Example
11.9.21“Governance” is the term used to describe the role of persons entrusted with the supervision, control and direction of an entity. Those charged with governance ordinarily are accountable for ensuring that the entity achieves its objectives, with regard to reliability of financial reporting, effectiveness and efficiency of operations, compliance with applicable laws, and reporting to interested parties. Those charged with governance include management only when it performs such functions.
11.9.22“Audit matters of governance interest” are those that arise from the audit of financial statements and, in our opinion, are both important and relevant to those charged with governance in overseeing the financial reporting and disclosure process. Audit matters of governance interest include only those matters that have come to our attention as a result of the performance of the audit. We are not required to design audit procedures for the specific purpose of identifying matters of governance interest.
11.9.23Matters of governance interest may include:
Details of uncorrected misstatements that were determined by management to be immaterial;
Any suspected or identified fraud issues, however material;
Details of any non-compliance with laws or regulations; and
Material weaknesses in the design or operation of the accounting and internal control system which have come to our attention.
The general approach and overall scope of the audit, including any expected limitations thereon, or any additional requirements;…………………….
CFRA
Example
Timing of communications
11.9.28 By communicating audit matters of governance interest on a timely basis we enable those charged with governance to take
appropriate action.
11.9.29 In order to achieve timely communications, we will have
discussed with those charged with governance the basis and timing of
such communications. In certain cases, because of the nature of the
matter, we may communicate that matter sooner than previously agreed.
Therefore it must be noted that communications are not limited to a report
handed to management at the end of the audit.
CFRA
Example
Forms of communications
11.9.30 Our communications with those charged with governance may be made orally or in writing. The decision whether to communicate orally or in writing is affected by factors such as the following:
The size, operating structure, legal structure, and communications processes of the client being audited.
The nature, sensitivity and significance of the audit matters of governance interest to be communicated.
The arrangements made with respect to periodic meetings or reporting of audit matters of governance interest.
The amount of on-going contact and dialogue we have with those charged with governance.
CFRA
Example
Confidentiality
Communications with regards to fraud
Other Matters
CFRA
Thank You !
CD Financial ReEngineering Advisors
(CFRA)
Checks & Balances
FinTaxTick BridgeGap LetNetWork
Chirag Doshi
+91 98204 52332
CFRA
PCAOB 2018 – Areas of Common Audit
Deficiencies
Internal Control over Financial Reporting
In many audits inspected, we observed deficiencies related to testing ICFR.
Common audit deficiencies in this area included instances where:
Auditors did not sufficiently test the design and operating effectiveness of
controls that include a review element. We observed that auditors did not obtain
an understanding or evaluate the activities performed and factors considered
by the control owner when reviewing the reasonableness of certain estimates
and assumptions.
Auditors did not select controls for testing that address the specific risks of
material misstatement. We observed that auditors did not obtain a sufficient
understanding of whether the control addressed the assessed risk of material
misstatement.
CFRA
PCAOB 2018 – Areas of Common Audit
Deficiencies
Risk Assessment and Revenue
We observed frequent deficiencies related to the design and performance
of audit procedures that address the assessed risk of material misstatement,
particularly when auditing revenue. For example, we identified audit
deficiencies in testing revenue where:
Auditors agreed the revenue transaction to the company-prepared
invoice without testing whether the invoice agreed to the terms of the
contractual arrangement and without obtaining evidence that the services
or products had been delivered.
Auditors limited their testing to revenue transactions exceeding a certain
amount or transactions recorded near year-end without considering the
need to test the remainder of the population.
CFRA
PCAOB 2018 – Areas of Common Audit
Deficiencies
Accounting Estimates
We continue to identify deficiencies in areas involving accounting
estimates such as allowance for loan and lease losses (ALLL), accounting
for business combinations, and the fair value of financial instruments.
Developing these estimates often involves unobservable inputs, complex
valuation models, and/or subjective judgments. To test accounting
estimates effectively, auditors should exercise professional skepticism and
involve senior engagement team members throughout the audit process.
CFRA
PCAOB 2018 – Areas of Common Audit
Deficiencies
Financial Instruments
We continue to find frequent deficiencies in auditing unobservable inputs used to measure the fair value of certain financial instruments. Common audit deficiencies include instances where:
Auditors did not obtain an understanding of the specific methods and assumptions underlying fair value measurements obtained from pricing services and used in the auditors’ testing.
Auditors did not test the accuracy and/or completeness of company data used to determine the fair value.
Auditors, when developing an independent estimate, did not appropriately corroborate the fair value measurement determined by the company because the auditor used the same pricing source the company used.
It is important for auditors to use professional skepticism when evaluating management’s views because they can be susceptible to bias.
CFRA
PCAOB 2018 – Areas of Common Audit
Deficiencies
Engagement Quality Review
Many of the deficiencies we identified during our inspections occurred in areas
reviewed by EQRs who failed to identify relevant deficiencies. In some instances,
EQRs may have placed too much reliance on discussions with the engagement
team. In other instances, EQRs may have limited their review by reading
summary memos that did not provide sufficient detail to allow for a review with
due professional care.
Audit Committee Communications
In our inspection of triennially inspected audit firms we continue to identify
deficiencies related to auditors failing to communicate to the audit committee
significant risks identified in the audit, including changes to those risks throughout
the audit.
Top Related