The Board of Directors of the Wirtschaftsprüferkammer: Consideration on the Proportionate (Scaled) Performance of an Audit on the Basis of the ISA

The Board of Directors of the Wirtschaftsprüferkammer: Consideration on the Proportionate (Scaled) Performance of an Audit on the Basis of the ISA Table of Contents 1. Basic Principles and Objectives of the Guidelines... 2 2. Subject of the Proportionate Performance of an Audit and of this Guideline, Limits to its Application... 3 3. Understanding of Proportionate (scaled) Performance of an Audit... 4 4. Fundamental Aspects of a Proportionate (Scaled) Performance of an Audit... 5 5. Scope of Application for a Proportionate Performance of an Audit... 7 6. Aspects of Proportionate Performance of an Audit in the Framework of the Risk-Based Audit Approach... 9 6.1 Illustration of the Risk-Based Audit Approach... 9 6.1.1 Fundamentals of the Risk-based Audit Approach... 9 6.1.2 Scaling Aspects within the Process of the Risk-Based Audit Approach... 14 6.2 Materiality... 19 6.2.1 Fundamentals of Materiality... 19 6.2.2 Scaling Aspects within the Framework of Materiality... 20 6.3 Audit Planning... 20 6.3.1 Fundamentals of Audit Planning... 20 6.3.2 Scaling Aspects within the Process of Audit Planning... 21 6.4 Audit Procedures to Obtain Audit Evidence on Audit Objectives... 22 6.4.1 Fundamentals of Obtaining Audit Evidence... 22 6.4.2 Scaling Aspects within the Process of Audit Procedures for Obtaining Audit Evidence... 24 6.5 Documentation... 26 6.5.1 Fundamentals of Documentation... 26 6.5.2 Scaling Aspects within the Process of Documentation... 27 7. Closing Remarks... 29 Appendix Comparison of IDW PS and IFAC ISA... 31 --------------------------------------------------------------------------------------------------------------------------- This publication includes extracts from the International Standards on Auditing (ISAs) of the International Auditing and Assurance Standards Board (IAASB), published by the International Federation of Accountants (IFAC) in April 2010 and used with permission of IFAC. IFAC assumes no responsibility for the accuracy and completeness of the extracts from the ISAs. ---------------------------------------------------------------------------------------------------------------------------------------- 1

1. Basic Principles and Objectives of the Guidelines This guideline aims to provide advice and suggestions for a scaled approach to auditing with consistent quality of audits and thereby facilitate the introduction into the International Standards on Auditing (ISA). It does not, however, constitute a comprehensive guide to performing audits. The rationale for preparing this guideline stems from the uncertainty that could be observed among members of the auditing profession with regard to the requirements of existing statements by national and international associations generally considered useful and helpful with respect to the audit of small and medium-sized companies (SMEs). The ISA implicitly follow the paradigm of auditing large, publicly listed companies, yet at the same time claim to be universally applicable standards. Since the legislature has codified the mandatory use of the ISA as part of the German Accounting Law Modernization Act (BilMoG) in 317 paragraph 5 of the German Commercial Code (HGB) and its acceptance by the EU Commission is expected in the medium term, the considerations presented below deal with the performance of audits in application of the ISA. Article 26 of the currently present proposal of the EU Commission to amend the Statutory Audit Directive mandates statutory audits of all companies to be carried out in accordance with international standards. It should be noted, however, that the application of the ISA is subject to the principle of the auditor's own responsibility. From the perspective of the WPK, it is possible to transfer explanations in this guideline for an audit using the IDW auditing standards as the international auditing standards have been transitioned into the IDW standards. Moreover, the auditing standards of the IDW point out special German considerations deriving from legal statutes. This guideline by the Board of Directors of the Wirtschaftsprüferkammer, with the support of its "Accounting and Auditing" committee, reflects the considerations of the WPK on taking into account size, complexity and risk of the audit subject within the process of performing an audit (so-called scaled performance of audits) and is designed to primarily support the members of the auditing profession in carrying out audits of financial statements in accordance with 316 et seq. German Commercial Code (HGB). The basic idea of scaled performance of audits can equally be applied to other audits as defined by 2 Section 1 WPO (e.g., audits according to 16 Real Estate Agents and Commercial Contractors Act (MaBV), audits according to ISA 800, ISA 805, ISA 810). 1 It should be noted that the EU Commission in Article 43a of the Amending Directive on Statutory Audits, requires scalability of the international auditing standards. The 1 For purposes of harmonization, the terms "auditor" and "audit" are used below. 2

Professional Code contains a corresponding provision in 24b paragraph 1 Professional Charter for Wirtschaftsprüfer/vereidigte Buchprüfer - BS WP/vBP. For additional guidance a comparison of the ISA with the corresponding IDW Auditing Standards is attached. 2. Subject of the Proportionate Performance of an Audit and of this Guideline, Limits to its Application 2 The proportionate performance of an audit has two areas of application: 1. The provision of an adequate System of Quality Control is to be commensurate with the size of the company audited, the special circumstances of the client structure (e.g., 319a German Commercial Code engagements), the span of control of the auditors, and their physical presence during audits. 2. The completion of audit engagements [engagement acceptance, performance of the audit and reporting (long form report, audit report)]. Re: 1. The scaling of the System of Quality Control is not the subject of this guideline. Reference is made to Regulation 1/2006 and the corresponding guideline of the Commission for Quality Assurance for auditing a System of Quality Control with particular reference to small practices. Re: 2. This guideline is limited to the area of the performance of an audit. Engagement acceptance and reporting are not the subject of this WPK guideline. This guideline is intended to provide practical ideas and recommendations on the proportionate (scaled) performance of an audit and is expressly to be construed merely as a guide. This guideline does not represent a comprehensive manual for performing audits. It does not release the members of the auditing profession from carrying out audits according to their professional judgment in individual circumstances. Moreover, this guideline does not make any claim of completeness. The ISA standards may contain further approaches for a scaling of audits that are perhaps not described below. This guideline also does not release the members of the auditing profession from their duty to carefully study the ISA and gain a reasonable understanding of the ISA provisions. In case of conflict, the ISA standards shall take legal precedence over the remarks in this guideline taking into account the auditor's own responsibility. 2 For scaling aspects with respect to auditing practice, cf. Regulation 1/2006 as well as ISA 220. 3

The following principles also under application of the ISA are to be considered indispensable elements in performing audits: risk-based audit approach determination of materiality levels substantive, personnel and schedule considerations of audit planning audit procedures for obtaining sufficient appropriate audit evidence documentation. 3. Understanding of Proportionate (scaled) Performance of an Audit Under the proportionate performance of an audit, the nature, scope and documentation shall be determined as a function of the size, complexity and risk of the subject of the audit. The audit quality as well as reliability of the audit opinion, however, must be uniform for all audits of financial statements. This means that with a uniform objective for all audits of financial statements, the path to achieving an objective may vary depending upon the size, complexity, and risk of the subject of the audit. This path to achieving the objective, i.e., definition and implementation of the nature, scope and documentation of the audit performance, is to be decided according to the professional judgment of the member of the auditing profession, within the scope of his own responsibility. The proportionate performance of an audit is not a new concept being introduced for the first time by the ISA. The scalability can also be derived from the IDW auditing standards (e.g., IDW PS 200 Item 18 et seq., IDW PS 240 Item 12, IDW PS 261 Item 74 et seq.). Nature and scope of the performance of an audit is based in particular on the determination of materiality, the specification of the nature and number of audit activities, the volume of the audit evidence as well as the definition of control sampling and random sampling method. Complexity and risk primarily relate to the risk of a material misstatement in the financial statements being audited, whereby this risk derives naturally from the risk of the entity s business, the complexity of the entity s operations, and the nature of accounting at the entity. This WPK guideline, in this regard, is based on the risk-based audit approach of ISA 315 and 330. The audit subject refers to the audit engagement as a whole and to individual audit fields. Thus, there is a distinction between engagement-related (financial statement level) and audit field-related (assertion level) risks. 4

4. Fundamental Aspects of a Proportionate (Scaled) Performance of an Audit The scaling of the performance of an audit is expressed in the following guidelines, whereby focus is on letters c. and d.: a. decision on the non-applicability of an ISA standard, b. decision on the non-applicability of specific detailed requirement of an ISA standard, c. implementation of generally held ("scalable") requirements in the ISA standard, d. guidelines of specific Application and Other Explanatory Material in the ISA standards ("special considerations for smaller entities"). Re: a. ISA 200.18 in connection with 200.19 requires the auditor to comply with all auditing standards relevant to the audit. If the issues raised in a standard do not exist, the relevance of the particular ISA standard is to be negated and therefore the standard in its entirety does not apply (ISA 200.22). Prior to beginning the audit, it is helpful to assess the relevance of the following auditing standards: ISA 402 Audit Considerations Relating to an Entity Using a Service Organization ISA 510 Initial Audit Engagements Opening Balances ISA 600 Special Considerations Audits of Group Financial Statements (Including the Work of Component Auditors) ISA 610 Using the Work of Internal Auditors ( Internal Audit ) ISA 620 Using the Work of an Auditor s Expert Re: b. Pursuant to ISA 200.22 the auditor shall comply with each requirement of a relevant ISA standard as defined in a., unless the requirement is not relevant because it is conditional and the condition does not exist (e.g., certain requirements for granting a qualified audit opinion do not apply when granting an unqualified audit opinion). During the process of the audit of companies, there may be facilitation due to the permissible non-application of conditional individual rules. In addition, the ISA comprise so-called Application and Other Explanatory Material. These application information do not constitute any independent 5

additional requirements for the auditor. According to IFAC, they are, however, of significance for the correct application of ISA requirements. 3 Re: c. The ISA contain a variety of statements on the performance of an audit, in which the scalability of auditing standards is expressed in general terms, for example: ISA 230 Audit Documentation (Item A2): form, content and extent of audit documentation depend on factors such as: size and complexity of the entity, ISA 300 Planning an Audit of Financial Statements (Item A1): nature and extent of planning activities will vary according to the size and complexity of the entity ISA 500 Audit Evidence (Item 6): The auditor shall design and perform audit procedures that are appropriate in the circumstances for the purpose of obtaining sufficient appropriate audit evidence. In particular, phrases in the standards like appropriate, "adequate" adequate to the circumstances or sufficient emphasize the scalability of the provisions. In these cases, the auditor is to determine in its professional judgment the nature and scope of each activity, i.e., make a decision as to the degree of scalability. In addition, many requirements in the ISA are expressed in general terms, without concrete conditions as to the type and manner in which they should be fulfilled. In these cases, it is up to the discretion of the auditor to determine the specific measures to fulfill the ISA requirements. The remarks under 6, Aspects of Proportionate Performance of an Audit in the Framework of a Risk-based Audit Approach are intended to provide additional assistance on this aspect. Re: d. Individual ISA contain Considerations Specific to Smaller Entities in various places within the application information. IFAC thus provides members of the auditing profession with special hints and guidelines on the audit of smaller companies. A summary prepared by the WPK of the Considerations Specific to Smaller Entities contained in the ISA can be downloaded on the homepage of the WPK at www.wkp.de/aktuell/skalierung.asp. In this context it should be noted that the additional application of further regulations depending upon the specifics of the audit engagement based on the regulations always to be observed in the ISA leads to the same result ("scaling up"). It should also be noted, however, that a proportionate performance of an audit does not mean ignoring essential ISA provisions based on the argument that they are "too 3 cf. IFAC: Guide to Using ISAs in the Audit of Small- and Medium-Sized Entities, Volume 1; p. 14; 3rd Edition, 2011 6

laborious" for the company subject to the audit. Scaling is therefore only possible in the above-mentioned cases and only in a reasonable proportion based on the circumstances of the individual case (size, complexity, risk). In particular, the provision in ISA 200.23 ( In exceptional circumstances, the auditor may judge it necessary to depart from a relevant requirement in the ISA. ) is not to be understood as a general standard for scaling. 5. Scope of Application for a Proportionate Performance of an Audit The considerations concerning a proportionate performance of an audit may basically be applied to any audit of financial statements for example, independent of the legal form or size of the subject of the audit and are thus not restricted to the audit of SMEs. Given equal audit quality and dependability of the audit opinion, the nature, scope, and documentation of the audit are determined in relationship to the size, complexity and risk of audit subject. The difference ultimately is the degree of scalability of ISA requirements. The size of an entity as a quantitative characteristic alone cannot be the decisive criterion for determining the degree of scalability of the audit performance. The qualitative aspects of complexity and risk of the audit subject are to be weighed more heavily. In case of doubt, the risk criteria should be weighed most heavily. Complexity is primarily understood to be how complicated the accounting issues are (as derived from the complexity of the business activity). 4 Risk is understood to be the possibility of a material misstatement in the financial statements being audited. Among other things, this is in turn derived from the risk of the entity s business, the complexity of the entity s operations, and the nature of the entity s accounts. The auditor is to use his professional judgment in assessing the aspects of size, complexity and risk, and weighing the facts to deduce the degree of scalability of the audit. The above aspects are also considered in the ISA themselves. Thus the international auditing standards in ISA 200.A64 contain the following definition for so-called smaller entities : For purposes of specifying additional considerations to audits of smaller entities, a smaller entity refers to an entity which typically possesses qualitative characteristics such as 4 The complexity of non-balance sheet issues is also to be considered here. 7

(a) Concentration of ownership and management in a small number of individuals (often a single individual either a natural person or another enterprise that owns the entity, provided the owner exhibits the relevant qualitative characteristics); and (b) One or more of the following: (i) (ii) (iii) (iv) (v) (vi) straightforward or not complicated transactions; simple record keeping; few lines of business and few products within business lines; few internal controls; few levels of management with responsibility for a broad range of controls; or few personnel, many who have a wide range of duties. These qualitative characteristics are not exhaustive, nor are they exclusive to smaller entities, and smaller entities do not necessarily exhibit all of these characteristics. From our understanding, the criteria listed above as examples represent possible circumstances for the scaling requirements of complexity and risk. Smaller entities, as defined by ISA 200.A64, are companies of a small size, low complexity, and/or a low risk and therefore a high degree of scalability (these are referred to below as SMEs). Other possible indicators for the existence of an SME could include (cf. IDW PH 9.100.1, Item 3): decisions relevant to the company lie predominantly in the area of authority of the owner or owners, no dependency upon a parent company, strong influence of typical regional and industry-specific factors, straightforward accounting, only few assigned employees in the accounting department have accounting-related information, company-specific knowledge is primarily restricted to only a few persons. The decision as to the extent in which proportionate performance of the audit is justified by the facts is up to the responsible auditor as defined by 24a Professional Charter WP/vBP. The relevant factors for this decision are to be considered in their entirety. 8

6. Aspects of Proportionate Performance of an Audit in the Framework of the Risk- Based Audit Approach 6.1 Illustration of the Risk-Based Audit Approach 6.1.1 Fundamentals of the Risk-based Audit Approach The international auditing standards codify the risk-based audit approach in ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISA 330 The Auditor s Responses to Assessed Risks. ISA 315.1, in connection with ISA 315.3, requires the auditor to identify and assess the risks of material misstatement in the financial statements through understanding of the entity and its environment, including the entity s internal control in order to create the basis for designing and implementing responses to the assessed risks. Additionally, ISA 330.1, in connection with ISA 330.3, codifies the responsibility of the auditor to design and implement responses to the risks of material misstatement identified and assessed by the auditor in order to obtain sufficient appropriate audit evidence regarding the assessed risks of material misstatement. The design of the risk-based audit approach can be accounting-based, function-based or process-based. With an accounting-based approach, the audit fields are determined essentially based on the accounting issues or the balance sheet items in the financial statements. With a function-based approach, the audit field determination is made in alignment with the operational functions of the company (e.g., purchasing, production, sales). With a process-based approach, the audit field determination is made on the basis of material company processes (e.g., procurement process, from needs assessment to goods payment; sales process, from posting of orders to posting of payments). When deciding on how to structure the risk-based audit approach, organizational structures and processes of the company being audited are taken into consideration. In simple terms, the risk-based audit approach can be divided into the following three phases: Phase 1: Risk Identification (determination of risks of material misstatement by understanding the entity and its environment as well as including the entity s internal control) Understanding the entity and its environment is particularly used to determine inherent risks and at the company level includes such criteria as organization, financing, 9

investment plans, business objectives and strategies, key performance indicators, competence and integrity of management and the employee, the nature, scope and special considerations of company activity and company development. At the assertion level (audit field level) significant aspects include, for example, the susceptibility to errors of items in the financial statements, the complexity of the business transactions, the risk of fraud, and the latitude for discretion in recognition and measurement. Understanding the entity s internal control serves as a basis for determining the control risk. The auditor is first of all to become convinced of the structure (i.e., the adequacy and implementation) of the entity s internal control. The focus of the auditor in this test of design lies on the accounting-related internal control of the entity, i.e., the controls relevant to the audit of financial statements. For this, the auditor is to gain understanding for all of the following entity s internal control components (ISA 315.14 -.22): Control environment According to ISA 315.A69 the control environment includes the governance and management functions as well as the attitudes, awareness and actions of those charged with governance and management concerning the entity s internal control and its importance in the entity. Further, the control environment sets the tone of the organization by influencing the control consciousness of its employees. Elements of the control environment include inter alia communication and enforcement of integrity and ethical values, management s philosophy and operating style of the management, and organizational structure. Risk-assessment process The risk-assessment process constitutes the basis for the determination of risks to which management must react. In particular, this includes the identification of business risks, the estimation of the significance of risks, the assessment of their likelihood to occur and the decision about actions to address those risks (ISA. 315.15). Financial reporting-related information system (including the related business processes) and communication The information system relevant to financial reporting objectives, which includes the accounting system, consists of the procedures and records that the company has designed and established to (ISA 315.A81): o o initiate, record, process and report entity transactions and to maintain accountability for the related assets, liabilities and equity; identify and resolve incorrect processing of transactions; 10

o o process and account for system overrides or bypasses to control; transfer information from transaction processing systems to the general ledger; o capture information relevant to financial reporting for events and conditions other than transactions (e.g., depreciation of assets); and o ensure that information required to be disclosed is accumulated, recorded, processed, summarized and appropriately reported in the financial statements. Communication on the one hand includes communication of financial reporting roles and responsibilities in financial reporting, on the other hand, communication of relevant financial reporting issues. Examples of communication are policy manuals and financial reporting manuals (ISA 315.A86). Control activities relevant to the audit of financial statements Relevant control activities are those the auditor deems necessary to understand in order to assess the risks of material misstatement at the assertion level, and to design further audit procedures as a response to the assessed risks (ISA 315.20). Control activities are the policies and procedures that help ensure that management directives are carried out (e.g., authorization, performance reviews, information processing, physical controls, separation of duties; ISA 315.A88). Monitoring of controls Monitoring of controls is a process by which the effectiveness of the entity s internal control is assessed over a period of time. This includes both one-time and ongoing activities. Phase 2: Risk analysis and assessment (assessment of the risks of material misstatement and deduction of the audit strategy) Risk identification is followed by the assessment of the effects of the risks of material misstatement to the financial reporting according to the dimension and likelihood of occurrence. This assessment is to be conducted on both the financial statement level and on the assertion level for the classes of transactions, account balances and disclosures (ISA 315.25). Based on this assessment, the auditor devises the audit strategy. Significant identified risks (e.g., revenue recognition or non-routine transactions) require special consideration within the process of the audit. Thus the auditor is obliged to gain an understanding in each case for the controls relevant for these significant risks (ISA 315.27 et seq.). 11

Moreover, for some risks the auditor may judge that it is not possible or practicable to obtain sufficient appropriate audit evidence only from substantive procedures (e.g., for automated mass production processes). In these cases, the auditor shall obtain an understanding of the controls relevant to these risks (ISA 315.30). Phase 3: Audit procedures as a response to the assessed risks In order to address the assessed risks of material misstatement, the auditor has to design and implement responses on both the financial statement level as well as the assertion level (ISA 330.5 and.6). Responses at the financial statement level may include, in particular, emphasizing the need to maintain professional skepticism, assigning more experienced staff or using experts on the audit team, incorporating unpredictable audit procedures as well as special quality assurance measures (ISA 330.A1). At the assertion level, the auditor must respond reasonably by means of tests of controls of the entity s internal control, substantive audit procedures or both respectively. The assessment of identified risks by the auditor on the assertion level provides a basis for considerations of the appropriate audit approach for designing and performing further audit procedures (ISA 330.A4). The auditor can thus specify that Only by performing tests of controls may the auditor achieve an effective response to the assessed risk of material misstatement for a particular assertion; Performing only substantive audit procedures is appropriate for particular assertions, and, therefore, the auditor excludes the effect of controls from the relevant risk assessment; A combined approach using both tests of controls and substantive audit procedures is an effective approach. Tests of controls are geared towards evaluating the operating effectiveness of controls in preventing or detecting and correcting material misstatements at the assertion level (ISA 330.4(b)). The auditor shall design and perform tests of controls if (ISA 330.8): the risk assessment of material misstatements at the assertion level is based on the assumption that controls are operating effectively (i.e., the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and scope of substantive audit activities), or substantive audit procedures alone cannot provide sufficient appropriate audit evidence. 12

Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each material class of transactions, account balance, and disclosure (ISA 330.18). In this, the auditor shall consider whether external confirmation procedures are to be performed as substantive audit procedures. The nature, scope and timing of substantive audit procedures depend on the results of the risk assessment. On a case-by-case basis, the auditor may decide that the performance of substantive analytical audit procedures alone is sufficient, tests of details by themselves are adequate, or a combination of substantive analytical audit procedures and tests of details are the most appropriate response to the assessed risks. In summary, it can be said that the identification of potential risks of material misstatement is made on the basis of the insights gained about the client, the client s environment and the reasonableness and implementation of its internal control (test of design) by the auditor in Phase 1. Subsequently in Phase 2, the identified risks of material misstatement are considered regarding their effect and likelihood of occurrence, and the audit strategy is determined accordingly. In Phase 3, the determination and performance of the audit program for the following audit procedures occur on this basis as a response to the assessed risks of material misstatement. When used properly, the auditor can gain a high degree of audit confidence relatively quickly by application of the risk-based audit approach. This may mean that in certain cases after Phase 2, sufficient audit evidence may be obtained for specific audit fields (as described earlier, substantive audit procedures are to be designed and executed also in this case for all material classes of transactions, account balances, as well as disclosures). The risk-based audit approach leads to a focus on the activities of the audit risk-prone areas of the entity, while low-risk audit areas are consequently audited with less intensity. 13

6.1.2 Scaling Aspects within the Process of the Risk-Based Audit Approach Possible approaches for scaling aspects while keeping the professional skepticism unchanged are illustrated below: Facilitated gaining of an understanding of the entity and its environment due to a long-lasting relationship It can be easier for the auditor to gain an understanding of the client, its environment and its accounting related controls, the longer he has actively been engaged as an auditor for the client. The auditor uses professional judgment to determine the extent of the understanding required. The depth of the overall understanding that is required by the auditor can be less than that possessed by management in managing the entity (ISA 315.A3). Moreover, the auditor can use information from previous years, resulting from previous experiences with the entity or from audit procedures from previous audits of the financial statements. The auditor then is to determine, however, whether changes have occurred since than that may affect its relevance to the current audit (ISA 315.9). It is often easier to gain an understanding of the entity's internal control for smaller companies The structure of the entity s internal control can indeed be very basic for smaller companies (ISA 315.A41). Thus it is conceivable that the company has put into place a few controls for key issues at the management level, without being able to demonstrate that an overall system of internal controls exists. Gaining an understanding of internal controls is possible in such a case with relatively small effort. Focusing on the controls relevant for financial reporting The auditor shall only obtain an understanding of internal control relevant to the audit (ISA 315.12) and thus only of the company's control activities that are necessary to assess the risks of material misstatement on the assertion level and to be able to design adequate audit procedures as a response to the assessed risks. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. Furthermore, it is not necessary to gain an understanding of all the control activities related to each significant class of business transactions, account balances, and disclosures in financial statements (ISA 315.20). 14

Aspects concerning the components of the entity s internal control In gaining an understanding of the entity s internal control, the auditor is to be concerned with all of the following internal control components, even if the following sub-classification is not necessarily reflected in the structure and implementation of the entity's internal control: o Control environment The attitude, awareness and actions of those charged with governance and management which are decisive for the control environment encountered are of special significance to the auditor's understanding of the control environment of a smaller entity, because, for instance (ISA 315.A76): - In small entities those charged with governance may not include an independent or outside manager and the role of governance may be carried out directly by the owner-manager where there are no other owners. - Audit evidence for elements of the control environment in smaller entities may not be available in documentary form, in particular where communication between management and other personnel may be informal. - The nature of the control environment may also influence the significance of other controls, or their absence (an actively involved owner-manager can reduce or increase the risks arising from the lack of segregation of duties within the company). o Risk assessment process of the entity In a small entity, there is often no established risk assessment process. It is more likely that management identifies risks through direct personal involvement in the business. It is nonetheless necessary to inquire about identified risks and how they are addressed by management (ISA 315.A80). o Information system including related business processes, relevant to financial reporting, as well as communication The financial reporting-related information systems in smaller entities are likely to be less sophisticated than in larger entities. Small entities with active management involvement may not need extensive descriptions of accounting procedures, sophisticated accounting records, or written policies. In these cases, the understanding of the systems and processes of the entity may therefore be less complicated and possibly more dependent upon inquiries then upon a review of documentation (ISA 315.A85). 15

o Control activities The level of formalization of control activities may differ among larger and smaller entities. Certain types of control activities in smaller entities may in fact not be relevant due to controls applied by management. For example, management s sole authority for granting credit to customers and approving significant purchases can provide strong control over important account balances and transactions, thus lessening or removing the need for more detailed control activities (ISA 315.A93). It should be mentioned here, however, that an increased risk exists due to management override. o Monitoring of controls Management s monitoring of controls is often accomplished by management s or the owner-manager s close involvement in operations. Through this involvement, significant variances from expectations and inaccuracies in financial data are often identified, leading to remedial action to the control (ISA 315.A100). Tests of controls are not mandatory in every case On the financial statement level as well as on assertion level, the auditor is to respond adequately to any identified material risks by means of tests of controls and / or substantive audit procedures. As mentioned above, tests of controls are necessary if the auditor wants to rely on the effectiveness of the entity s internal control for audit assurance, or when substantive audit procedures alone do not yield sufficient appropriate audit evidence. Tests of controls are particularly useful for frequently recurring, automated routine transactions, as with relatively little effort a high level of audit assurance can be achieve, which could only have been achieved through a large number of substantive audit procedures (or in some cases not at all). Conversely, this means that tests of controls are not mandatory for every audit of financial statements: If the auditor assesses the risk of material misstatements to be low, or if existing controls are not adequate, the auditor may within the process of the audit rely solely on substantive audit procedures, which then if necessary, would have to be carried out in a wider scope. Another such case would be if there are not many control activities in the company that can be identified by the auditor or the scope to which their existence or operation have been documented by the entity may be limited (ISA 330.A18). In such cases it can be more efficient for the auditor to mainly carry out substantive audit procedures. 16

Focusing on superordinate controls It may be possible that a company has implemented a variety of controls on multiple levels along its processes (e.g., materials purchasing: requirements requisition sheet superior approval maintenance of budget limits / suggested account application managing director approval pre-posting of invoice incoming goods inspection payment proposal list approval of payment / entry). Often it is not necessary to carry out a test of controls on all existing controls along the relevant process. There may be cases where limiting the test of controls to a few identifiable superordinate controls seems reasonable. Multiple use of audit procedures Audit procedures within the process of the test of design of controls can simultaneously yield audit evidence as to the effectiveness of control procedures. The auditor may thus consider it efficient to simultaneously test the operating effectiveness of the controls, assess the design of the controls, and determine that they have been implemented, (ISA 330.A21). Even if some audit procedures for risk assessment are not specially designed as tests of controls, they may nonetheless provide audit evidence about the operating effectiveness of the controls and, consequently, serve as tests of controls (ISA 330.A22). Moreover, the auditor may design a test of controls to be performed concurrently with a test of details on the same transaction. The auditor may, for example, design and evaluate a test to examine an invoice to determine whether it has been approved and to provide substantive audit evidence of a transaction. Such a dual-purpose test is designed and evaluated whereas each of the test purposes is considered separately (ISA 330.A23). Laborsaving measures through increased use of analytical substantive audit procedures Nature, scope and timing of substantive audit procedures depend on the result of the risk assessment. In individual cases, the performance of substantive analytical audit procedures according to the requirements of ISA 520 alone may be sufficient. For example, where risk assessment of the auditor is based on audit evidence gained from tests of controls. Substantive analytical audit procedures are generally more adequate for large volumes of transactions that tend to be predictable over time (ISA 330.A44). 17

The use of results from previous years audits As part of the test of controls, the auditor may consider it appropriate based on his risk assessment to rely on audit evidence gained from previous years' audits (ISA 330.13). In such a case, the auditor, e.g., through discussion with management has to obtain audit evidence about whether significant changes have been made to the control(s) in the meantime. If changes have been made that affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current audit, to the extent that he plans to rely on their effectiveness. If no changes have been made to the controls, the auditor may consider it appropriate to rely on the assessment of the effectiveness of these controls from previous years. The time span between the new tests of such unchanged controls can encompass up to three years (new test in the third year) and it is up to the auditor's own due consideration (ISA 330.14(b)). As a general rule: the higher the risk of material misstatements or the more one depends on the respective control, the shorter the time interval between two tests of controls. At the same time, the auditor shall test the controls at least once in every third audit, and shall test some controls each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit period with no testing of controls in the subsequent two audit periods (ISA 330.14(b)). The auditor cannot rely on audit procedures from previous years on controls over a risk he has determined to be a significant risk. In such cases the auditor shall test those controls during the current audit (ISA 330.15). Absence of documentation of the entity s internal control on the behalf of the entity 5 Absence of documentation of the entity s internal control, in part or in whole on the behalf of the entity, does not necessarily constitute a limitation on the scope of the audit, as long as the auditor is capable of testing the design and to the extent necessary the function of the ICS (cf. ISA 315.A77,.A80). The auditor shall however, evaluate whether the absence of a documented risk assessment process is appropriate to the circumstances, or determine whether it constitutes a significant deficiency in the internal control system of the entity (ISA 315.17). The auditor is not required to document substantial parts or all of the entity's internal control in lieu of the entity. However, the following must be documented by the auditor according to ISA 315.32, taking into consideration ISA 230.8 et seq. with respect to the entity s internal control: 5 Bookkeeping is subject to statutory audit in Germany. Proper bookkeeping principles are to be observed. 18

o key elements of the understanding obtained regarding each of the five aspects of the internal control components, and sources of information from which the understanding was obtained; o significant risks identified, and related controls about which the auditor has obtained an understanding. 6.2 Materiality 6 6.2.1 Fundamentals of Materiality The concept of materiality is regulated in ISA 320 Materiality in Planning and Performing an Audit. When establishing the overall audit strategy, the auditor shall first determine materiality for the financial statements as a whole (ISA 320.10). The level of materiality for the financial statements as a whole shall be measured in terms of the level beyond which a misstatement in the financial statements influences the economic decisions of users of the financial statements. It is not justified if the auditor sets a low level of materiality as a whole because there was a high risk of errors (cf. Guide to using ISAs in the Audits of Small- and Medium-Sized Entities, Vol. 1 Core Concepts, 3rd Edition, p. 95). At the same time, the auditor is to establish a lower threshold of materiality for particular types of business transactions, account balances, or disclosures in financial statements, if in the specific circumstances of the entity, misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users on the basis of the financial statements (ISA 320.10). It is not permissible to set a higher threshold of materiality for particular types of business transactions, account balances or disclosures in financial statements. According to ISA 320.11 the auditor is also to determine the so-called performance materiality. This is the amount or amounts below materiality for the financial statements as a whole or the specific materialities, in order to reduce to an appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds materiality for the financial statements as a whole. Performance materiality is relevant within the process of determining the audit strategy, in particular the starting point for the determination of the nature, timing and scope of further audit procedures (ISA 320.11) for the performance of the audit. 6 Detailed remarks on materiality according to ISA 320 can be obtained from Questions and Answers on Determining Materiality and Tolerance Materiality according to ISA 320 and IDW PS 250 published by IDW on 17 November 2011 (cf. IDW Fachnachrichten 12/2011, see: 743 et seq.) 19

6.2.2 Scaling Aspects within the Framework of Materiality Possible scaling aspects are illustrated below. Determining the materiality for the financial statements as a whole influences the scope of the subsequent audit procedures The ISA do not prescribe for the auditor any particular method of determining materiality as a whole. Nor do the standards provide for the application of any particular mandatory reference size for determining materiality. The selection of the appropriate reference value as well as the quantitative approach lies in the due consideration of the auditor. Within the process of determining materiality, which as described above is to be guided by the decision relevance for the users of the financial statements, the conditions surrounding the entity to be audited (such as ownership structure, nature of financing, economic environment) are to be taken into account in determining the reference value and the quantitative approach and thus subsequently also in the determination of the nature, timing and scope of further audit procedures. Determining the line-item performance materiality influences the scope of subsequent audit procedures Performance materiality can either be determined as an amount analogous to materiality for the financial statements as a whole or also issue-specific for certain types of business transactions, account balances, or disclosures in financial statements (cf. Guide to using ISAs in the Audits of Small- and Medium-Sized Entities, Vol. 1 Core Concepts, 3rd Edition, p. 96). As a function of risk and complexity, the determination of issue-specific tolerance materiality can lead to a reduction of the audit procedures to be performed for smaller entities. It should be noted at this point that the negotiation of possible follow-on engagements in connection with the audit of financial statements, such as the preparation of explanatory notes in the long-form audit report, eliminates the previous materiality considerations due to the necessarily higher level of certainty and thus may negate any associated scaling aspects. 6.3 Audit Planning 6.3.1 Fundamentals of Audit Planning ISA 300 Planning an Audit of Financial Statements prescribes the duty of the auditor to engage in audit planning. The planning of the audit of financial statements includes 20

the development of an audit strategy and subsequent design of the audit program. Key factors that the auditor is to consider when developing the audit strategy and devising the audit program have already been illustrated in the section Risk-Based Audit Approach. 6.3.2 Scaling Aspects within the Process of Audit Planning Possible scaling aspects are illustrated below. Size and complexity of the audit subject influence the nature and scope of audit planning The nature and scope of planning activities are dependent upon the size and complexity of the audit subject, the previous experiences of members of the audit team with the entity, and any changing conditions during the ongoing audit. The development of the audit strategy for audits of small entities must not be a complex or time-consuming procedure; this depends on the size of the entity, the complexity of the audit, and the size of the audit team (ISA 300.A11). Furthermore, the nature, scope and timing of direction and supervision of the members of the audit team, as well as the review of their work, must be planned (ISA 300.11). This is ultimately influenced by the size of the audit team. For small entities the entire audit can be conducted by a very small audit team or even by the engagement partner alone. The coordination and communication within the audit team is influenced accordingly by the size of the audit team (ISA 300.A11). Facilitated planning requirements for one-person audits If an audit is carried out completely by the engagement partner, considerations on direction and supervision of the audit team as well as reviewing their work is not required. In such cases, the engagement partner will be aware of all key issues. There may be situations, however, that require the auditor to consult the professional opinion of a third party in cases involving particularly complex or unusual issues (ISA 300.A15). Initial or follow-on audit Within the process of audit planning for subsequent audits, the auditor can, on the one hand, also use knowledge and information about the entity from previous years, and on the other hand, for SMEs can refer back to working papers from previous years that are being updated within the process of the current audit. 21

6.4 Audit Procedures to Obtain Audit Evidence on Audit Objectives 6.4.1 Fundamentals of Obtaining Audit Evidence The following chart represents an overview of the various types of audit procedures and activities according to the ISA (cf. IDW PS 300, Item 14): Test of Controls Substantive Audit Procedures Test of Details Fundamental remarks on audit procedures are contained in ISA 315 Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment and ISA 330 The Auditor's Responses to Assessed Risks (for both standards, see the remarks above under section VI.1 Risk-Based Audit Approach), ISA 520 Analytical Procedures and ISA 530 Audit Sampling. Basic requirements for audit evidence are found in ISA 500 Audit Evidence. In addition, there is a series of additional standards that deal with special audit fields or types of audit evidence, e.g.: ISA 501 Audit Evidence Specific Considerations for Selected Items ISA 505 External Confirmations ISA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures ISA 550 Related Parties ISA 560 Subsequent Events ISA 570 Going Concern ISA 580 Written Representations 22