Group audits are among the riskiest audits to undertake, as most public interest audits comprise the audit of groups of companies. However, the standards and audit principles relevant to group audits do not always receive the detailed attention they deserve. In the discussion of audit procedures, this article EXCLUDES the consolidation process, and should be read in conjunction with parts 1 and 3 to reach an understanding of group audits as a whole. It addresses key requirements which auditors would be wise to include in their group audit methodology.
Sources of information from which to assess risk of misstatement at group level include:
- Understanding of the group, its components and their environments
- The consolidation process and controls relevant to it
- Group-wide controls evaluation for design and implementation
- Component auditor communication
- Preliminary analytic review.
Examples of factors indicating a risk of material misstatement in a group:
- A complex group structure, especially where there are frequent acquisitions, disposals or reorganisations
- Poor corporate governance structures, including decision-making processes that are not transparent
- Non-existent or ineffective group-wide controls, including inadequate group management information on the monitoring of components’ operations and their results
- Components operating in foreign jurisdictions that may be exposed to factors such as unusual government intervention in, for example, trade and fiscal policy, and restrictions on currency and dividend movements; and fluctuations in exchange rates
- Business activities of components that involve high risk, such as long-term contracts, or trading in innovative or complex financial instruments
- Uncertainties regarding which components’ financial information requires incorporation in the group financial statements, in accordance with the applicable financial reporting framework, for example, whether any special-purpose entities or non-trading entities exist and require incorporation
- Unusual related-party relationships and transactions
- Prior occurrences of intra-group account balances that did not balance or reconcile on consolidation
- The existence of complex transactions that are accounted for in more than one component
- Components’ application of accounting policies that differ from those applied to the group financial statements
- Components with different financial year-ends, which may be utilised to manipulate the timing of transactions
- Prior occurrences of unauthorised or incomplete consolidation adjustments
- Aggressive tax planning within the group, or large cash transactions with entities in tax havens
- Frequent changes in auditors engaged to audit the financial statements of components.
The standard requires the identification of significant components for which certain procedures are required, and required procedures for the other components. The revised standard, which is expected to be approved for issue in December 2021, does away with identifying significant components in favour of overall risk assessment of components with appropriate responses. It further clarifies whether ISA 600 (Revised) applies to shared service centres, non-controlled entities and entities with branches or divisions.
Group and component materiality
Component materiality is set lower than materiality for the group financial statements as a whole, to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements in the group financial statements exceeds materiality for the group financial statements as a whole.
Different levels of materiality may be established for different components.
Component materiality need not be an arithmetical portion of the materiality for the group financial statements as a whole and, consequently, the aggregate of component materiality for the different components may exceed the materiality for the group financial statements as a whole.
Component materiality is used when establishing the overall audit strategy for a component.
A threshold for misstatements is determined, in addition to component materiality. Misstatements identified in the financial information of the component which are above the threshold for misstatements are communicated to the group engagement team.
Requirements regarding obtaining an understanding of group-wide controls are based on basic principles for obtaining a proper understanding of the entity being audited. With group financial statements, perspective needs to be obtained on how the whole group is controlled by group management.
The audit procedures relating to group-wide controls, as set out in ISA 600, are as follows:
- Obtain an understanding of group-wide controls, including instructions given to components by management.
Matters included in group-wide controls are:
Financial reporting framework
- Understanding of framework by component management
- Process for accounting for components
- Identifying segments for segment reporting
- Accounting policies and changes from prior period or in standards
- Process for dealing with different year-ends.
Group-wide controls may include a combination of the following:
- Regular meetings between group and component management to discuss business developments and review performance
- Monitoring of components’ operations and their financial results, including regular reporting routines, which enables group management to monitor components’ performance against budgets, and to take appropriate action
- Group management’s risk assessment process, that is, the process for identifying, analysing and managing business risks, including the risk of fraud, which may result in material misstatement of the group financial statements
- Monitoring, controlling, reconciling, and eliminating intra-group transactions and unrealised profits, and intra-group account balances at group level
- A process for monitoring the timeliness, and assessing the accuracy and completeness of financial information received from components
- A central IT system controlled by the same general IT controls for all or part of the group
- Control activities within an IT system that are common for all or some components
- Monitoring of controls, including activities of the internal audit function and self-assessment programmes
- Consistent policies and procedures, including a group financial reporting procedures manual
- Group-wide programmes, such as codes of conduct and fraud prevention programmes
- Arrangements for assigning authority and responsibility to component management.
The internal audit function may be regarded as part of group-wide controls.
Risk of misstatement, due to fraud
The group auditor shall assess the risk of misstatement, due to fraud. In a group audit, considerations may include:
- Group management’s assessment of the risk that the group financial statements may be materially misstated, as a result of fraud
- Group management’s process for identifying and responding to the risks of fraud in the group, including any specific fraud risks identified by group management, or account balances, classes of transactions or disclosures where a risk of fraud is likely
- Whether there are particular components for which a risk of fraud is likely
- How those charged with governance of the group monitor management of the group’s processes for identifying and responding to the risks of fraud in the group, and the controls group management have established for the mitigation of these risks
- Responses by those charged with governance of the group, group management, and appropriate individuals within the internal audit function (and, if considered appropriate, component management, the component auditors, and others) to the group engagement team’s enquiry, on whether they have knowledge of any actual, suspected, or alleged fraud affecting a component or the group.
The key members of the engagement team are required to discuss the susceptibility of an entity to material misstatement of the financial statements, due to fraud or error, specifically emphasising the risks caused by fraud. In a group audit, these discussions may also include the component auditors.
The discussions provide an opportunity for the following:
- To share knowledge of the components and their environments, including group-wide controls
- To exchange information about the business risks of the components or the group
- To exchange ideas on how and where the group financial statements may be susceptible to material misstatement, due to fraud or error; how group management and component management could perpetrate and conceal fraudulent financial reporting; and how assets of the components could be misappropriated
- To identify practices followed by group or component management that may be biased, or designed to manage earnings in such a way that it could lead to fraudulent financial reporting, for example, revenue recognition practices that do not comply with the applicable financial reporting framework
- To consider known external and internal factors affecting the group that may create an incentive or pressure for group management, component management or others to commit fraud, or to provide the opportunity for fraud to be perpetrated; or that may indicate a culture or environment that enables group management, component management, or others to rationalise committing fraud
- To consider the risk that group or component management may override controls
- To consider whether uniform accounting policies are used to prepare the financial information of the components for the group financial statements and, if not, how differences in accounting policies are identified and adjusted (where required by the applicable financial reporting framework)
- To discuss fraud identified in components, or information indicating the presence of fraud in a component
- To share information that may indicate non-compliance with national laws or regulations, for example, payment of bribes and improper transfer pricing practices.
Communication with component auditors
Note that the term, ‘component auditors’, not only refers to component auditors in other firms, but also includes auditors of components who are from the same firm as the group auditors. Component auditor communication is a crucial element in a group audit and the quality of communication with component auditors needs to be considered and documented, even if it is the same audit team. Issues in components need to be communicated, considered and documented in the group audit file, regardless of who performs the component audit.
If there is no effective two-way communication between the group engagement team and the component auditors, there is a risk that the group engagement team may not obtain sufficient, appropriate audit evidence on which to base the group audit opinion.
Group instructions are a common and effective way to communicate with component auditors, and responses by component auditors need to be at the appropriate time during the group audit, in order for the group auditors to make timely and informed decisions.
The group auditor may also deem it appropriate to be involved in the risk assessment process of the component, and to review certain sections of the audit work of the component.
Evaluation of evidence
The evaluation of evidence is of paramount importance in a group audit. From the acceptance of the client, where the probability of obtaining appropriate evidence from the group and its components is considered, the evaluation of group-wide controls and the assessment of risks of material misstatement at group and component level, to the completion stage where the audit opinion is considered, the quality of evidence must be evaluated, in order to conclude appropriately.
In general, group audit procedures are found to be very limited, and do not reflect careful consideration of risks, fraud risks and circumstances in the group, and the proper evaluation of evidence obtained. LEAF can assist firms by performing thorough file reviews, providing practical advice and training staff on the relevant requirements.
1. IAASB: International Standard on Auditing 600 (ISA 600), Special considerations – Audits of group financial statements (Including the work of component auditors)