Review of Audit Files
In many instances, the review of audit files by audit managers and partners has become more of a chore than an effort to add value and ensure audit quality. Many audit failures might have been prevented, if a thorough review were performed prior to signing the audit report. Performing timely reviews is critical and additional peace of mind may be gained when auditing a higher-risk client, by adding a safeguard in the form of an EQCR or independent file review on higher risk audits.
Review basics
The key to quality and efficiency is professionalism. In order to perform thorough reviews, reviewers need to know and understand all the relevant requirements at both the engagement and firm quality-system levels. This includes the relevant auditing standards (ISAs), audit quality control standards (ISQC1), laws and regulations, ethical requirements, quality control policies and procedures of the firm, and the financial reporting framework. In addition to the requirements, reviewers need to apply their professional judgment and professional scepticism.
Reviewers need to understand the industry and the client, and determine whether the documentation addresses all the relevant issues indicating possible risk of material misstatement. Timely reviews to identify shortcomings, so that alternative procedures may still be performed, are crucial, and adds to the on-the-job training of team members.
Reviewers need to ensure compliance with all relevant requirements, with specific focus on the areas set out below.
Documentation requirements
In line with the purpose of an audit, which is to obtain reasonable assurance on whether the financial statements are fairly stated, audit documentation is maintained to provide a thorough record of procedures, evidence, and judgment to support the audit report, and evidence of compliance with all the relevant requirements.
It is important that the auditor prepare audit documentation that is re-performable, i.e. that the nature, timing and extent, and results of procedures performed, evidence obtained, and conclusions reached are understandable by another sufficiently experienced auditor with no prior connection to the audit. When documenting, auditors should record identifying characteristics of the nature, timing and extent of procedures performed, and evidence obtained, which will include who performed the work and when, who reviewed the work and when, and the extent of the review.
Discussions of significant matters with management, those charged with governance, and persons who can make a contribution to the audit section, need to be recorded, including the nature of the matter discussed, and when and with whom the discussions took place. If significant inconsistencies were identified, it should also be documented how these were addressed.
During the performance of an audit, the auditor must document clear reasoning for judgments made, and work performed must reflect how the auditor maintained professional scepticism by challenging management’s judgments, instead of merely accepting them.
When considering whether sufficient appropriate audit evidence was obtained and documented, the auditor should consider whether the form, content and extent of documentation are appropriate under the circumstances. All audit assertions should be clearly addressed in audit working papers, and special attention should be paid to documenting work performed in response to identified risks of material misstatement, especially significant risks. The extent of evidence required varies with the risk of material misstatement assessed for each audit area.
Risk and the audit approach
An audit of financial statements revolves around the risk assessment performed, and the consequent audit approach determined. If significant risks are not identified, or the level of risk is not correctly assessed, the audit approach and procedures in response to risks may be inappropriate, and result in an inappropriate audit report. The risk assessment procedures, which include obtaining knowledge of the business, analytical review, and documentation and understanding of internal controls, should obtain sufficient audit evidence to provide an appropriate basis for the identification and assessment of risks, whether due to fraud or error, and the design of further audit procedures.
Therefore, it is critical for the reviewer to pay specific, detailed attention to procedures performed to identify risk; whether identified risks are assessed appropriately; and whether the resultant audit approach to addressing identified risks is appropriate under the circumstances. The reasons supporting significant judgments in this regard should be clearly documented.
It is, therefore, imperative for the reviewer to have a sound understanding of the client’s industry and business, as the challenge is not only to identify the quality of what is documented, but also the extent of considerations which should have been documented.
Review requirements
The engagement partner shall ensure that reviews are performed in line with the firm’s policies and procedures, and must be satisfied on or before the audit report date that sufficient appropriate audit evidence was obtained to support the conclusions reached and the audit report to be issued.
The engagement partner shall review audit documentation at appropriate points in time during the engagement, including documentation on significant matters, significant judgments, and other matters considered to be relevant by the engagement partner. Review considerations should include the following:
• The work was performed in accordance with professional standards, and legal and regulatory requirements. Review work may be split between the manager and the partner, in order for the partner to focus on significant issues.
• Significant matters identified by the audit team have been raised for further consideration. By the time the partner reviews the file, the issues should have been addressed and resolved with input by the partner, where necessary.
• Appropriate consultations have taken place, internally within the team and firm, or externally, and resulting conclusions are documented and implemented.
• There is a need to revise the nature, timing and extent of work performed.
• The work performed supports conclusions reached and is appropriately documented.
• Sufficient, appropriate audit evidence was obtained to support the audit report.
• The objectives of procedures were achieved, i.e. to reduce the risk of misstatement of all the relevant assertions to a comfortable level as determined by the materiality assessed.
ISA 220 Revised takes it a step further by requiring the engagement partner to review the financial statements and audit report prior to dating the audit report, in order to first determine whether the audit report will be appropriate in the circumstances. In addition, the engagement partner must review formal written communications to management, those charged with governance and other regulatory authorities, prior to the issuance of such communications. Paragraphs A90 to A98 of ISA 220 Revised provide further guidance on the engagement partner’s review and how the approach to review may be tailored.
Ultimately, it must be clearly documented who reviewed the work and when, and the extent of the review.
Reviewers should be aware of certain events and documentation, which should be shared with the quality control leader of the firm for consideration at firm level, e.g. details of consultations and differences of opinion, details of modified opinions, considerations to appoint EQCR or other safeguards and staff evaluations.
In Summary
Performing thorough file reviews forms an integral part of ensuring engagement quality. LEAF stands ready to assist you and add value to your engagements by performing independent file reviews.
References
1. IAASB: ISA 200, Overall objectives of the independent auditors and the conduct on an audit in accordance with International Standards on Auditing
2. IAASB: ISA 220, Quality control for an audit of financial statements
3. IAASB: ISA 220 Revised, Quality management for an audit of financial statements
4. IAASB: ISA 230, Audit documentation
5. IAASB: ISA 315 (Revised 2019), Identifying and assessing the risks of material misstatement
6. IRBA: Public inspections report, 2020
Need help?
If you need advice, guidance, assistance or training, our experienced specialists at LEAF are ready to help your firm to push above and beyond the norm.