In February 2023, new material assisting auditors in the investigation of exceptions and the application of performance materiality when carrying out audits using automated tools and techniques (“ATT’s”) was issued. This article will cover the investigation of exceptions.
ATT’s could be used on a number of audit procedures, including risk assessment procedures, further audit procedures or at the end of an audit.
ATT’s could be used in the testing of controls or substantive procedures. While the auditor is expected to understand the entity and its environment, including the relevant classes of transactions, account balances or disclosures, such understanding will assist in setting an expectation for the population to which ATT’s will apply, including items that will be indicative of a control deviation (in the case of controls testing) or a misstatement (in the case of substantive procedures).
For purposes of better understanding this article, think of an auditor who is to use data analytics software to review a company’s financial results to identify unusual transactions. The software would flag transactions that are significantly larger or smaller than typical transactions. During testing, the software flagged an unusually large transaction, which the auditor investigated and found to be legitimate and valid. In this case therefore, the software produced results that were the same as expected, given that it identified an usually large transaction. However, an exception was in place given such large transaction was actually valid and not indicative of any issues.
The auditor’s expectation in the above example would be for the data analytics software to accurately identify potential issues in the company’s financial results, in so far as it will recognise unusually large or small transactions.
Meanwhile, actual results would relate to flagged transactions produced by the data analytics software. These flagged transactions would represent the transactions that the software identified as unusual or outside of parameters set by the auditor.
While certain flagged transactions would be indicative of a potential misstatement, others may turn out to be legitimate and not indicative of any misstatement or control deficiency.
With consideration to the above, when testing procedures include ATT’s, the auditor’s expectation for the population could therefore either:
a. Produce a result through the application of the ATT which matches the expectation (data analytics software flags a number of large or small transactions)
b. Produce a result through the application of the ATT which does not match the expectation (no unusual transactions flagged)
a. Result which matches the expectation
Where the auditor’s expectation for the population matches the actual result for the population, then items indicative of a control deficiency or misstatement, referred to as exceptions, will require investigation from the auditor to further understand whether a control deficiency or misstatement could be in place.
The investigation of exceptions could be handled through testing on a sample of these, assuming that such exceptions are representative of the entire population of exceptions. Therefore, it is imperative that the auditor selects items within its sample that are representative of the typical characteristics of the population.
However, should the population of exceptions not be identical, then consideration should be given to the stratification of homogenous sub-populations to test such exceptions. Alternatively, the auditor may opt to test all exceptions identified.
In the case of items that are not indicative of a control deviation or a misstatement, then the auditor is not required to investigate these further. However, investigation may be necessary to obtain sufficient appropriate audit evidence about the population, which would include both exceptions and non-exceptions.
b. Result which does not match the expectation
Where the result of an ATT does not match the auditor’s expectation for the population (for example purposes, the data analytics software did not produce unusually large or small transactions), the auditor may need to redefine its tests on ATT’s to assess whether these were inappropriately defined.
Risk assessment procedures
When using ATT’s during risk assessment procedures or when forming an overall conclusion on an audit, the auditor would need to establish what result would be considered as unusual. Given that risk assessment procedures are not targeted at detecting specific misstatements or control deviations, the auditor is not required to look into all unusual items for purposes of the ATT. However, results of the test may highlight possible risks of material misstatement that previously went unnoticed. In such case, the auditor will need to revise its assessment of the risks of material misstatement and modify the audit plan accordingly.
Should you require further information or assistance in relation to this subject matter, please feel free to get in touch with Janis Hyzler on jh@zampadebattista.com.
Please note that this article is being published for information purposes only. As such, it does not constitute or should not be interpreted or construed as legal advice or guidance. ZD does not accept responsibility or liability for any damages arising as a result of using this information as legal advice or guidance.