Chapter 7 Responsibilities Flashcards

1
Q

1.1 Management’s responsibilities – business risk

A

The management of a company has certain responsibilities defined by ISAs or set out in the Companies Act 2006. It follows that these duties cannot be the responsibility of the audit or assurance firm.
Management is responsible for managing the business so that objectives are achieved. They should assess the business risks facing the company and devise the necessary strategies to deal with risks.

2
Q

1.2 Companies Act 2006

A

The Companies Act 2006 sets out the statutory duties of the directors of a company. The directors should act in a way that promotes the success of the company for the benefit of its members as a whole. Directors are assigned responsibility for safeguarding the company’s assets, keeping proper accounting records, preparing company financial statements and delivering them to Companies House, and ensuring they comply with laws and regulations.
The responsibility of the assurance provider in all assurance engagements is determined by relevant legislation or regulation, terms of engagement, ethical and professional standards, and quality control standards.

3
Q

2.1 Auditor’s responsibilities

A

The Companies Act 2006 sets these out. They are to form an independent opinion on the truth of the financial statements, confirm the accounts have been prepared in accordance with the Companies Act 2006, and state in the audit report whether the information in the directors’ report is consistent with the annual accounts.
The auditor must plan the audit, obtain sufficient evidence, and draw valid conclusions.

4
Q

2.2 Fraud and error

A

The auditor is responsible for forming an opinion on whether the accounts are free from material misstatement. Misstatement could be caused by fraud or error, and audit procedures should be directed to detecting fraud or error. Fraud is more difficult to detect than error as it can be accompanied by a deliberate attempt to conceal. ISA 240 covers the auditor’s responsibilities in relation to fraud and identifies two types of misstatement from fraud: fraudulent financial reporting and misappropriation of assets. The responsibilities of management are to prevent and detect fraud. The auditor is responsible for obtaining reasonable assurance that the accounts are free from material misstatement, whether caused by fraud or error.
The auditor should perform a fraud risk assessment. ISA 240 says typical indicators of fraud are incentives/pressures, opportunities, and attitudes/rationalisations. The auditor should exercise professional scepticism (an attitude with a questioning mind, alert to conditions indicating possible misstatement due to error or fraud, and an assessment of audit evidence), discuss fraud among the engagement team, respond appropriately to the assessed level of fraud risk (assign appropriate personnel, assess controls and look for instances of management override, and introduce an element of unpredictability into audit procedures) and consider the implications for other areas of the audit (suspected fraud may cast doubt on the reliability of management representations).
The auditor should discuss suspected or actual fraud with management and those charged with governance and make the appropriate reports. Report to management; if management is suspected of fraud, report to those charged with governance. Report to shareholders only if the fraud causes a material misstatement or uncertainty in the accounts. If there is a duty or right to disclose to a third party, such as a regulator, do so.

5
Q

2.3 Compliance with laws and regulations

A

A material misstatement could be caused by non-compliance with laws and regulations. The auditor should obtain an understanding of the legal framework within which the company operates as part of the process of understanding the company and its environment. ISA 250 covers responsibilities in relation to compliance with laws and regulations. Management are responsible for complying with relevant laws and regulations. The auditor should obtain appropriate evidence of compliance with laws and regulations generally recognised to have a direct effect on the accounts.
The auditor should carry out procedures to identify misstatements caused by non-compliance. They perform a risk assessment considering relevant laws and regulations and how the client ensures compliance, and obtain evidence about compliance (enquiries with management, inspecting correspondence with regulatory bodies and obtaining written management representations). The auditor should discuss suspected non-compliance with management and those charged with governance and make appropriate reports.
- Internal management: report to management; if management is suspected of involvement in non-compliance, report to those charged with governance. If there is no higher level of management, consider legal advice
- Shareholders: only report if non-compliance causes a material misstatement or uncertainty in the accounts
- Third parties: if there is a duty or right to disclose, for example a regulator.

6
Q

2.4 Bribery Act 2010

A

Penalties exist for both individuals and organisations for the offences of offering a bribe, accepting a bribe, or bribing a foreign public official. Organisations can be penalised for failing to prevent bribery by employees or agents. Organisations should design and implement bribery prevention policies. The policy should focus on a top-level culture in which bribery is unacceptable, risk assessment, due diligence procedures taking a risk-based approach, communication and staff training, and monitoring and review.
Auditors consider the effectiveness of these policies, and the audit firm should also comply with the Act. The auditor will assess the risk of non-compliance with the Bribery Act, exercise professional scepticism and assess bribery prevention policies with the client. The auditor should report suspicions of bribery to the National Crime Agency under the Proceeds of Crime Act 2002.

7
Q

2.5 Sarbanes-Oxley Act 2002

A

The Act (referred to as SOX) was passed in the US to improve the quality of financial reporting. It applies to subsidiaries of US listed companies and their auditors. The impact on management is that the CEO and CFO must attest to the veracity of the accounts, and there is greater disclosure of the amendments made to the financial statements during the audit process. The impact on auditors is stricter enforcement of auditor independence rules, and the Public Company Accounting Oversight Board (PCAOB) can inspect the audit files of US listed companies, including subsidiaries based overseas.

8
Q

2.6 Related parties

A

A related party is a company or person that might have an undue influence on the company being audited. Related party transactions may or may not be at arm’s length. The accounting rule is that related party transactions should be disclosed in the accounts. The audit risk is that non-disclosure would represent a material misstatement.
ISA 550 covers the requirements in relation to the audit of related party transactions. Management is responsible for disclosing related party transactions in the accounts. The auditor is responsible for performing audit procedures to identify, assess and respond to the risk of material misstatement arising from failure to correctly disclose related party transactions.
The auditor should carry out procedures to identify misstatement caused by non-disclosure of related party transactions:
- Obtain a list of all related parties from management
- Carry out detailed tests of transactions and balances as usual, looking out for related party transactions
- Review minutes of meetings of shareholders and directors where these transactions may have been discussed
- Review bank confirmation letters for evidence of guarantor relationships
- Review investment transactions
- Confirm correct disclosures have been made in the accounts
- Obtain written management representations confirming all related party transactions have been disclosed.
Where all undisclosed related party transactions have been identified, the auditor should consider the implications for their opinion.

9
Q

2.7 Money laundering

A

Money laundering aims to disguise the origins of funds from criminal conduct so that they can be used. The definition in the Proceeds of Crime Act 2002 includes using, acquiring, retaining, controlling, concealing, disguising, converting, transferring, and removing from the UK the proceeds of criminal conduct. Examples include tax evasion, saving costs by failing to comply with laws and regulations, and offences committed overseas that are criminal offences in the UK. The auditor should report actual knowledge, or reasonable grounds for suspicion, of money laundering to the firm’s money laundering nominated officer, who will consider whether it is necessary to report to the National Crime Agency. Offences include failure to report, failure to provide suitable training for staff and tipping off the money launderer. The most severe penalty is imprisonment for 14 years.

10
Q

2.8 General Data Protection Regulation (GDPR)

A

Individuals are given control of personal information under GDPR, which is an EU regulation. Under GDPR and the Data Protection Act, anyone processing personal information has to make sure it is correctly protected; individuals can access their personal data and how it is processed; and personal data can only be held if a lawful reason exists or the individual has chosen to allow the storage of data. Any organisation collecting or holding data must comply.
The Information Commissioner’s Office (ICO) must be notified by organisations processing personal information (effective for a year). The person responsible for this is titled the data controller. Failure to notify is a criminal offence.

11
Q

3.1 Expectations gap

A

This is the gap between the expectations of the users of assurance reports and the firm’s responsibilities in respect of those reports. For example, a common expectation is that the auditor detects all instances of fraud, but the auditor identifies fraud causing a material misstatement. Another expectation is that the auditor tests all transactions for errors, but auditors carry out procedures that provide reasonable assurance that the accounts are free from material misstatement. Lastly, an expectation is that the auditor prevents fraud, but the responsibility is to detect fraud.

12
Q

3.2 Narrowing the expectations gap

A

The audit report is set out to outline the responsibilities of directors and auditors and to explain how an audit is conducted (test basis, reasonable assurance, material misstatement). The firm also includes the responsibilities of directors and auditors in the engagement letter and liaises with audit committees. All of this is aimed at narrowing the expectations gap.

13
Q

3.3 Audit failure

A

If the auditor has identified a material misstatement as a result of fraud, they will have been able to warn the users of the accounts of serious problems that might result in company failure. The auditor does not always identify fraud: the effect can be immaterial, or the auditor did everything expected but the fraud was carefully executed and concealed. In some cases, the auditor may not be at fault. In some company failures, the auditor is found to be negligent. Audit failure is due to one of the following causes:
- Failure to assess audit risk
- Failure to respond to the assessed audit risk
- Failure to recognise or respond to threats to objectivity
- Failure to recognise or respond to situations where the auditor is not competent
