Your auditor: they’ve got to look so make sure they tell you what they found
Your auditor should be very (very) careful before doing your accounting. But here’s a way that you, as somebody involved in the management or governance of your organisation, can legitimately tap their accounting knowledge.
In order to come to their opinion on your financial report, your auditor will pore over your books and ask you lots of questions. This is because their opinion should be evidence-based:
The objective of the auditor is to design and perform audit procedures in such a way as to enable the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion[1].
So they’re going to learn a lot about your organisation. And there are two chapters in their rule book, the Australian Auditing Standards, that are dedicated to how and when they should communicate with you about these learnings. One is about communication generally[2], and one is specifically about your internal controls[3].
‘Communication with Those Charged with Governance’
Before the audit began the auditor should have made sure that you understood that the responsibility for the process that produces the financial report is yours, not theirs. But the good news is that they have the duty to give you ‘timely observations arising from the audit that are significant and relevant to’ this responsibility[4].
These observations fall into two classes:
1. ‘the auditor’s views about significant qualitative aspects of the entity’s accounting practices, including accounting policies, accounting estimates and financial report disclosures’, and
2. ‘other significant matters’…such…as material misstatements of fact or material inconsistencies in information accompanying the audited financial report that have been corrected[5].
But the help can extend beyond financial reporting matters: although they are not required to tell you about things that are likely to be significant to decisions about the organisation’s strategy and accountability, the rulebook says there’s nothing to stop them from doing so[6]. The examples given are ‘significant issues regarding governance structures or processes, and significant decisions or actions by senior management that lack appropriate authorisation[7]. So I’d askthem to let you know about these things too.
We turn now to the other Auditing Standard that may help you improve your accounting, the one about communicating internal control deficiencies.
‘Communicating Deficiencies in Internal Control’
Internal control means
the process designed, implemented and maintained by (you) to provide reasonable assurance about the achievement of (your) entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations[8].
Although the auditor doesn’t have to express an opinion on the effectiveness of internal control, in order to assess the risk of material misstatement in your report, they do have to understand it. This means that, in the course of getting this understanding (and indeed at any later stage of the audit), they may identify deficiencies[9]. These deficiencies may be shown not only by an actual misstatement but also by the likelihood of a misstatement[10].
From each of these deficiencies in internal control the auditor has to decide whether, individually or in combination, they are ‘significant’[11]. ‘Significant’ is defined as those that they think are important enough to warrant telling you about them[12]. However, they are also given permission[13] to tell you about ‘other control matters’, so I’d suggest, that if you want to get as much value as you can from the auditor’s investigation, you tell them that you’d like to know about everything to do with your internal control that they see.
For the significant deficiencies the auditor has to communicate with you in writing, and that communication has to include not only a description of the deficiencies, but also an explanation of their potential effects[14]. If your board includes people who don’t have significant experience in either your industry or the area in which the deficiencies were found, I’d suggest gently reminding the auditor of this fact. For this is one of the factors they have to take into account when deciding how detailed they should get in this communication[15].
Although the auditor need not quantify the effects of the deficiencies, his rule book gives him permission to include
suggestions for remedial action on the deficiencies, management’s actual or proposed responses, and a statement as to whether or not the auditor has undertaken any steps to verify whether management’s responses have been implemented[16].
So if your organisation is large enough to make this information useful to you, if you ask the auditor nicely they may give you this information too.
The ‘you’ above was directed to those people who the rule book calls ‘those charged with governance’. If you are only involved in management though, there’s help for you too. From the list of deficiencies that the auditor has not deemed ‘significant’, they must make a further selection of those that are of ‘sufficient importance to merit management’s attention’[17]. Which ones they disclose is left to their professional judgement[18].
There are many other Standards that include a requirement to communicate with you, but these two, ASA 260 and 265, are dedicated to client communication by auditor, including talking to you about what they found along the way to their opinion. You can use a knowledge of what’s in these two Standards to get a hand, legitimately, with your accounting.
Using this information you’ll have a win-win: their job is made easier the next time, and you improve your accounting (and can argue for a lower fee!). The bottom line: they’ve got to look so make sure they tell you what they found.
[1]Auditing Standard ASA 500 Audit Evidence, Auditing and Assurance Standards Board, Auditing and Assurance Standards Board, June 2011, paragraph 4.
[2] Auditing Standard ASA 260 Communication with Those Charged with Governance, Auditing and Assurance Standards Board, November 2013.
[3]Auditing Standard ASA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management, Auditing and Assurance Standards Board, November 2013.
[4] ASA 260, paragraph 9.
[5] ASA 260, paragraphs 16, A20.
[6] ASA 260, paragraph 3.
[7] ASA 260, paragraph A25.
[8] Auditing Standard ASA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, Auditing and Assurance Standards Board, November 2013.
[9] ASA 265, paragraphs 2,7.
[10] ASA 265, paragraph A5.
[11] ASA 265, paragraph 8.
[12] ASA 265, paragraph 6.
[13] ASA 265, paragraph 3.
[14] ASA 265, paragraph 11.
[15] ASA 265, paragraph A15.
[16] ASA 265, paragraph A28.
[17] ASA 265, paragraph 10.
[18] ASA 265, paragraph A22.