- 1 PHASE 2: ASSERTIONS
- 1.1 Introduction
- 1.2 External audit and related assertions
- 1.3 Non-Financial Internal Audit and Related Assertions
- 1.4 Deterministic and Non-deterministic Assertions
- 1.5 Effect of audit findings on assertions and impact on the audit report.
- 1.6 A Checklist of Internal Audit Standard Assertions:
- 1.7 Using Assertions (in brief)
- 1.8 Threat Testing
- 1.9 Backlinks
PHASE 2: ASSERTIONS
Statement of Auditing standards states that the auditor should gain an understanding of the accounting system and related internal controls and should study and evaluate the operation of those internal controls upon which he/she wishes to rely in determining the nature, timing and extent of other audit procedures.
The existence of these controls imply the existence of assertions.
An Assertion is something we (as auditors) wish to be able to state about a system in order to give it the "Big Tick" - Systems are designed and operating correctly.
Be it an external or internal audit, assertions are fundamental to the review of any type of organisation or area, and form the basis of our reporting. Assertions are intended to provide a framework to help the auditor accumulate sufficient appropriate audit evidence to form a conclusion.
- Assertions direct the audit view and represent the scope of our opinion formation.
In an external or financial statements audit the key opinion focus is on the financial statements as a whole. That is:
- whether the financial statements present fairly the state of affairs of the entity, and the assertions are geared to establish the truth and fairness of the statement.
In an internal audit the auditor is reporting based on the assertions identified in relation to the scope of the review conducted.
In an internal audit, no one set of detailed assertions can be identified as being standard. They will normally vary according to:
- the type of entity being reviewed,
- specific management concerns (if any),
- the scope of the review,
- the purpose of the review,
- the nature of the review being conducted, and
- legislative requirements.
A standard set of core assertions can be established. These are identified later in this section.
Auditors undertake a combination of "compliance" and "substantive" procedures to obtain sufficient appropriate audit evidence to either support or suppress the assertions established.
Compliance procedures are tests which are designed to obtain reasonable assurance that the internal controls on which audit reliance is being placed are operating effectively.
Substantive procedures are designed to obtain evidence about completeness, accuracy and validity of the data produced by the clients accounting system and therefore to obtain reasonable assurance as to the accuracy and reliability of accounting records.
As mentioned earlier, the global assertions in relation to external audits are:
- financial statements present fairly the state of affairs the entity, and
- all relevant legislative requirements have been complied with.
The principal overall objective of an external audit is to add credibility to statutory accounts by the expression of an independent opinion thereon. They are therefore predominantly financial assertions.
In an external audit the auditor is concerned with the following general assertions areas:
- valuation, and
- presentation and disclosure.
All account balances and transactions that should be included in the accounts are included. The completeness assertion deals with matters opposite to those of the existence assertion. The completeness assertion is concerned with the possibility of omitting items from the financial statements that should have been included, whereas the existence assertion is concerned with inclusion of amounts that should have been excluded.
Recorded transactions and account balances are mathematically accurate, are based on correct amounts, have been classified in the proper accounts, and have accurately summarised and posted to the general ledger.
Assets and liabilities recorded on the balance sheet existed at balance date and revenue and expenses included on the income statement actually occurred during the accounting period.
Appropriate accounting measurement and recognition principles are properly selected and applied to record transactions at appropriate amounts.
Presentation and disclosure
Account balances and classes of transactions are properly classified and described; appropriate disclosures are made.
The tables on the following pages present the general financial assertions and type of evidence implied therefrom. These are generally applicable to non-government and government environments.
This area is generally applicable only to non-government and government business entities with rights to raise debt.
This area is generally applicable only to non-government and government business entities with rights to raise debt.
Note for Government Internal Auditors: Most Australian and International Government financial reporting guidelines do not currently allow the recognition of future government appropriations in the accounts of government funded organisations.
Non-Financial Internal Audit and Related Assertions
Internal audit is volatile in terms of the nature and type of review being conducted (refer to reasons stated above). As such, no one set of assertions can be identified that will act as a norm for assertions. Assertions, in the case of internal audits, are developed pertaining to each individual review.
Most internal audits, however, should have some common ground on which standard assertions will agree. Common internal audit assertions include:
- effectiveness, and
Efficiency encompasses the use of financial, human and physical resources such that output is maximised for any given set of resource inputs, or input is minimised for any given quantity and quality of output.
Efficiency in relation to internal audit could include the time taken to perform a particular review and produce the internal audit report for consideration by the internal audit committee.
Effectiveness encompasses the achievement of the objectives, including other intended effects, of programs, operations or activities.
Effectiveness in relation to internal audit may include the appropriateness of the audit findings in a review, the significance of the assertions affected with respect to the particular audit finding, the risk with which the organisation may be faced and how effectively the recommendations eliminate the risks associated with the findings.
Economy encompasses the acquisition of the appropriate quality and quantity of financial, human and physical resources at the appropriate times and at the lowest costs.
Economy in relation to internal audit may include having the appropriate skills and competence to perform the required review. The skill and competence will be reflected in the standard of the work performed and the quality of the report.
Deterministic and Non-deterministic Assertions
In applying assertions to an internal audit review it is useful to distinguish between deterministic and non-deterministic assertions.
A deterministic assertion is defined as one where the criteria for evaluating the assertion well understood and the risk with which the organisation may be faced can be reliably determined.
A non-deterministic assertion is one where the criteria for evaluating the is not well understood, defined or agreed and the scale of risk the with which the organisation may be faced cannot generally be reliably determined.
The concept of deterministic and non-deterministic assertions can best be explained by an example.
Suppose we are conducting a purchasing review for an organisation and two of the assertions include:
- ensure value for money is being obtained; and
- executive approval is obtained for all purchases greater than $30,000.
In this example the value for money assertion can be classified as a non-deterministic assertion while obtaining executive approval is a deterministic assertion.
- Obtaining value for money assertion explained.
Obtaining value for money is the most important assertion in a government organisation as Departmental officers are held accountable for the use of public monies. To evaluate the assertion, that is, whether value for money has been obtained is somewhat difficult. There is no definite measure for value for money (it cannot be measured in real terms).
Value for money is more of a subjective assertion, and in determining whether value for money has been obtained, auditors professional judgement will have to be exercised (or a client survey conducted). There may be certain ground rules established to act as a guide in obtaining value for money. This may include; obtaining a minimum of three quotes and giving all interested parties an opportunity to put in a quote.
In situations where a department has standing (period) contracts with particular suppliers, there is no guarantee that value for money is being obtained on every purchase. New suppliers may have entered the market, subsequent to the standing contract, offering more competitive prices.
Where an auditor is faced with a non-deterministic assertion, it is wise to further break the assertion down or to identify standards which will give it a deterministic assertion. For example, someone says to you "please walk quickly". Quickly is a non-deterministic assertion; if however, the term quickly is defined or is given some measure (example 1 km per hour) then the non-deterministic assertion becomes deterministic.
- Obtaining executive approval assertion explained.
Obtaining executive approval is a deterministic assertion. Detailed tests of all purchases over $30,000 would reveal, with a high degree of certainty, what percentage of purchases greater than $30,000 have executive approval and what percentage do not.
Effect of audit findings on assertions and impact on the audit report.
When the auditor commences the internal audit review, audit findings will be identified which should be reported to management. All audit findings should be listed in the strengths and weaknesses table.
Each finding should be related to the assertions identified. All assertions affected due to each finding should be weighed amongst each other and a thorough discussion should be provided in the "Implication and risk" section of the RIAM audit report findings.
Where possible, each finding should be argued from both sides, that is, the advantages/benefits and the disadvantages/risks with which the organisation may be faced by the existing approach identified in each finding.
The implication and risk section of the RIAM audit report should:
- identify the assertions affected;
- justify why the assertion is affected;
- identify the advantages (if any) the organisation may derive from the practice resulting in the finding;
- identify the disadvantages/risks with which the organisation is faced;
- weigh the advantages and disadvantages of each finding currently practiced by the organisation; and
- form an opinion on each finding which ultimately leads to the overall conclusion.
The entrance interview and scoping phases of the internal audit review attempt to interpret the assertions appropriately for the area under review, and add any assertions necessary to appropriately reflect management's specific data research needs.
A Checklist of Internal Audit Standard Assertions:
You will recall that 5 opinion goals detailed earlier which summarise the assertion classes we adopt under RIAM:
- Compliance with the relevant policies, plans, legislation and directions etc;
- Accomplishment of established goals and objectives for plans and procedures;
- Reliability and integrity of data; and
- Economical and efficient use of resources.
- Safeguarding assets;
A table summary of these assertions covering a wide range of standard organisational and functional areas is provided in RIAM:VLA:ASSERTIONS.
In a review of a Grants Management Control system. We might pose one or more appropriate the focus question(s) and then define the criteria under which a "yes" or "no" answer is established, thus answering the question.
We might express this in the scope section of the review thus:
"The purpose of the review is examine the Grants System and answer the focus question:
Are grant management controls for Government grants under programme XXX operating effectively and efficiently, and are grants being awarded for the intended purpose?
For the purposes of this review, the question will be considered proven if audit can support the assertions that:
|a.||Grant expenditure is bona fide (ie that acquittals are for actual grants and for services appropriate to grant activity);|
|b.||Grant data reported/processed is:|
|d.||The assets of the Department are appropriately protected and applied (ie having an appropriate process of grant approval that assures projects are of an appropriate standard, and that institute resources are used efficiently).|
Using Assertions (in brief)
The first step is to formulate the assertions for the review, and have them agreed along with the scope.
The second step is to document the control systems and identify the controls in terms of the assertions:
- Each control of interest in the system will go to support one or more of the assertions on which we wish to form an opinion.
- Each weakness of interest likewise.
- We only consider control strengths and weaknesses relevant to our assertions and establish a list of these controls in a control strengths and weaknesses schedule.
- Our opinion of controls as they impact our assertions decisions is summarised on the Assertions Matrix which maps the strengths and weaknesses to the assertions.
- Use testing to confirm the assertion assessments.
The assertion testing may be performed in a number of ways. Two approaches are:
- Desired Control Model comparison; and
- Threat testing.
Desired Control Model testing is outlined in Section 6.
Threat Testing is outlined in 7.8.
The third step is to form an opinion as to the overall support or suppression of an assertion, and report both at the summary level, and for each finding in terms of the assertions affected.
Threat testing is an approach to assertion testing used in the absence of a desired Control Model.
Each assertion is examined in turn. For each assertion a list of causes for failure of an assertion is prepared based on experience, statistical sampling, management advice, consultant advice, and checklists, etc.
Each cause is described in terms of events rather than the "absence" of a control, eg.
"Purchase made for personal use"
"Purchase Orders do not have to be authorised"
The latter is describing the absence of a control.
These causes are called threats. To each threat a probability of occurrence may be assigned (perhaps based on historic samples).
Each threat is then applied to the control system model to investigate the probability of the system preventing the threat (ie. mitigating the risk). This probability is expressed as a probability of system failure.
We can then multiply the risk of the threat by the risk of system failure and get an overall probability of the assertion not being sustained in operation. The sum of all such threat related probabilities is the total risk of assertion failures.
Risk analysis is further discussed in Section 9.
- Back To The Four Phases of RALSBA
- Back To Conduct of the Very Large Audit (Main)
- Back To The RIAM (Main)