The auditor is tasked with obtaining audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion1 and in obtaining such evidence, to consider the relevance and reliability of the information to be used as audit evidence.2 This article focuses on information to be used as audit evidence that is produced by the entity and how the auditor evaluates whether the information is sufficiently reliable for the auditor’s purpose.
Requirements of the International Standards on Auditing
International Standard on Auditing (ISA) 500, Audit Evidence, requires the auditor to design and perform audit procedures in such a way as to enable the auditor to obtain sufficient appropriate audit evidence to be able to draw reasonable conclusions on which to base the auditor’s opinion4 and in designing and performing audit procedures, consider the relevance and reliability of the information to be used as audit evidence.5 The auditor’s evaluation of the relevance and reliability of information to be used as audit evidence must include obtaining audit evidence about the accuracy and completeness of the information.6
The requirement in relation to the completeness of information produced by the entity is expanded on in ISA 530, Audit Sampling, which states that when performing audit sampling, the auditor performs audit procedures to obtain evidence that the population from which the audit sample is drawn is complete.7
The completeness of the information is a particularly tricky requirement to evaluate, as this entails a search for missing items. This requirement often sees auditors being tripped up. How should auditors approach gaining audit evidence to support such evaluation?
Understanding the requirements
It is firstly important to clarify that the requirement to evaluate the completeness and accuracy of the information contained in ISA 500 and expanded on in ISA 530 only applies to information produced by the entity. Common examples of such information are:
- Fixed asset registers
- Schedule of contractual agreements, such as lease agreements, construction contracts and other contracts to deliver goods or services
- Inventory listings
- Debtor’s age analysis
- Creditor’s listings
- A schedule of provisions
Examples of information not produced by the entity but that may still provide relevant and reliable information to be used as audit evidence are:
- External confirmations, including bank confirmations and legal confirmations
- Information established through the auditor’s knowledge of the business and understanding, including:
  - Projects underway identified by the auditor that should be included in work in progress
  - Vehicles and other company assets identified by the auditor that should be recorded
  - Assets or group of assets owned by the entity where there should be a related lease agreement and recorded revenue and expenditure. This could include hospitals in a healthcare group, shopping centres, office parks and residential accommodation in a real estate investment trust (REIT), a fleet of vehicles in a car rental business, aircraft in an airline business, and construction equipment in an equipment rental company
In terms of ISA 505, External Confirmations, the auditor is only required to obtain further evidence to confirm the reliability of the external confirmation so obtained if factors are identified that give rise to doubts about the reliability of the response.8
The auditor therefore needs to understand the origin of the information before determining whether additional procedures need to be performed. The rest of this practical guidance is focused on evaluating information produced by the entity and the additional procedures that the auditor should carry out to verify the reliability thereof.
To ensure that reliance placed on information used by the auditor is justified, the auditor should test the completeness and accuracy of such information. Here, the auditor may perform either substantive procedures to determine whether the information is sufficiently complete to be reliable, or test whether internal controls over the information’s completeness and accuracy are operating effectively.
If the auditor chooses to test the operating effectiveness of the internal controls, the auditor can draw on the understanding of the entity and its environment, including the entity’s internal controls obtained during the planning stage of the audit, and expand on this in understanding the controls that management have designed and implemented in ensuring that the information produced is complete and accurate. This includes controls over capturing and amending inputs into the system that ultimately generates the information to be used by the auditor. The auditor is reminded that any internal controls implemented by management to ensure that the information is complete, which are relied upon by the auditor, need to be tested.9
In terms of verifying completeness by performing substantive testing, the auditor needs to verify that all items that should have been recorded, and therefore that the auditor expects to see, are in fact included in the information produced by the entity. This can be achieved either by performing a separate substantive test or as part of the further audit procedures designed to obtain sufficient appropriate audit evidence.
An important check for the auditor to perform relates to the parameters for the report in ensuring that these are accurately defined. This includes information around the date range; locations, business units or legal entities; and descriptions and item codes. It is not sufficient for the auditor to merely observe management of the entity extracting the information. The auditor needs to verify that the parameters entered to generate the report are accurately captured.
Auditors provide reasonable and not absolute assurance and are therefore not expected to test 100% of the information subject to audit. The nature and extent of the procedures performed are based on the professional judgement of the auditor.
The principles above can be applied by the auditor in evaluating the completeness of a population from which the audit sample is drawn.
All entities’ businesses and therefore operating systems are unique. There is unfortunately not a one-size-fits-all solution that is suitable for all entities in verifying the completeness of the population from which the audit sample is drawn. A good starting point for the auditor to achieve this objective is to understand how management satisfies itself that the information is completely and accurately captured and that all related supporting documentation is stored in a secure location. This may include obtaining an understanding of the internal controls that are relevant to the audit, evaluating the design of those controls and determining whether they have been implemented, as required by ISA 315 (Revised), Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment.10
Controls that management can implement in ensuring the completeness of information produced by the entity typically include segregation of duties, sequential numbering of documents, pre-populated company stationery that is subject to access control, the use of registers, physical access controls, inability to delete records and performance of reconciliations.
Auditors are reminded to consider the documentation requirements contained in ISA 230, Audit Documentation, in documenting how the auditor concluded that the information produced by the entity is sufficiently complete and accurate to be reliable.
The ISAs are not prescriptive in the specific procedures that auditors are required to perform in evaluating the relevance and reliability of information produced by the entity. Rather, the ISAs are principles-based and require the auditor to exercise professional judgement in applying the requirements. To ensure that the auditor appropriately places reliance on information, the auditor should perform testing to confirm the reliability of such information. The testing can either be detailed substantive testing or in the form of tests of controls to confirm that internal controls over the information are operating effectively; a decision that is left up to the professional judgement of the auditor based on the specific circumstances of each engagement.
1 ISA 500, 4.
2 ISA 500, 7.
3 ISA 500, 9.
4 ISA 500, 4.
5 ISA 500, 7.
6 ISA 500, 9(a).
7 ISA 530, A5.
8 ISA 505, 10.
9 ISA 330, The Auditor’s Responses to Assessed Risks, 11.
10 ISA 315 (Revised), 12 and 13.
AUTHOR | Hayley Barker Hoogwerf, Project Director: Assurance at SAICA