Regulator releases monitoring programme aimed at assessing whether Registered Auditors in the Dubai International Financial Centre meet the appropriate international standards which include: the International Standards on Auditing, the International Standard on Quality Control and the Code of Ethics for Professional Accountants (Code of Ethics) issued by International Federation of Accountants (IFAC)…
THE DUBAI Financial Services Authority (DFSA), has released its first audit monitoring programme, which covers audit inspections conducted by the DFSA in the period January 1 2008 to December 31, 2012.
This report complies with the International Forum of Independent Audit Regulators Core Principles for Independent Audit Regulators and aims to promote high-quality external audits of financial reports issued in accordance with Chapter 8 of the GEN Module (DFSA Rulebook).
The purpose of this audit monitoring programme is to assess whether Registered Auditors (RAs) in the Dubai International Financial Centre (DIFC) meet the appropriate international standards which include: the International Standards on Auditing (ISAs), the International Standard on Quality Control and the Code of Ethics for Professional Accountants (Code of Ethics) issued by International Federation of Accountants (IFAC).
During the period covered by this report, the DFSA conducted thirty three (33) on-site assessments, assessed fifty six (56) Audit Principals and reviewed one hundred and six (106) audit engagement files focusing on the substance of a RA’s work and assessing whether sufficient and appropriate evidence was obtained and documented to support the conclusions reached in relation to key audit judgments.
Dubai Financial Services Authority
The DFSA is the independent regulator of financial and ancillary services conducted in or from the DIFC, a purpose-built financial free-zone in Dubai.
The DFSA regulates a broad range of firms based in the DIFC, including banks, insurers, fund managers, advisory firms and brokers, exchanges and clearing houses, together with credit rating agencies, RAs and other ancillary service providers. These Firms provide a wide range of services to their clients, including Islamic finance.
In addition to regulating financial and ancillary services, the DFSA is responsible for supervising and enforcing Anti-Money Laundering and Combating the Financing of Terrorism requirements applicable in the DIFC. The DFSA has also accepted a delegation of powers from the DIFC Registrar of Companies to investigate the affairs of DIFC companies and partnerships where a material breach of DIFC Companies Law is suspected and to pursue enforcement remedies that are available to the Registrar.
With respect to RAs, the DFSA is responsible for the registration, oversight and suspension/removal of RAs in the DIFC in respect of Authorised Firms (AFs), Authorised Market Institutions (AMIs) and Public Limited Companies.
Key findings
Reviews of engagement files across RAs inspected raised a number of issues about the sufficiency and appropriateness of evidence obtained by RAs to support their conclusions on significant areas of the audit. Key findings were mainly in the areas outlined below:
i) Professional scepticism
Professional scepticism must be maintained and exercised throughout the planning and performance of an audit.
Audit principals and staff should have questioning minds, obtain a full understanding of all relevant facts, not be over reliant on management’s explanations and representations, and not just seek to obtain audit evidence that corroborates rather than challenges management’s judgment.
ii) Going concern
ISA 570 – Going concern requires an auditor to evaluate management’s assessment of an entity’s ability to continue as a going concern.
In five (5) audit engagement files, there was a lack of evidence that the Audit Principals challenged evidence provided by the management of the AF to support their assumption that the entity was a going concern.
iii) Independence of employees
The DFSA noted that six (6) RAs retained the passports of their employees. The argument put forward by those RAs was for security purposes, however, evidence suggested that this might not be the reason.
The DFSA is of the view that the retention of an employee’s passport may affect the independence of those employees in terms of raising their concerns (if any) on a particular audit.
Subsequent to our on-site assessments, these RAs confirmed that they had returned the passports of their employees. The DFSA will continue close monitoring of issues relating to the independence of employees.
iv) External confirmations
Audit evidence in the form of external confirmations received directly by the auditor from confirming parties may be more reliable than evidence generated internally by the entity.
On eight (8) audit engagement files, the audit teams failed to receive external confirmations from independent third parties. They did perform alternate procedures on one (1) file to satisfy themselves however on the remaining seven (7) files, no alternate procedures were carried out nor did the files did contain an adequate explanation as to why any alternate procedures were not carried out by the engagement team.
On eighteen (18) audit engagement files, there was no trail of the confirmation process, while fifteen (15) engagement teams failed to keep proper control over the external confirmation process as required by ISA 505 – External confirmations. These RAs prepared the confirmation letters, provided the same to their clients in soft copy and allowed the client to send the confirmation to the relevant banks.
Implementation of Clarity ISAs
In 2009, the International Auditing and Assurance Standards Board issued Clarity ISAs which were effective for audits of financial statements for periods beginning on or after 15 December 2009.
In relation to a number of the DFSA’s inspections during the Period, the Clarity ISAs were not yet effective. Moreover, the DFSA reminded the RAs to make adequate arrangements to implement Clarity ISAs for audits of financial statements for periods beginning on or after 15 December 2009.
Self-review threat
As per the International Federation of Accountants (IFAC) Code of Ethics, providing services such as preparation of financial statements for an audit client creates a self-review threat when the auditor subsequently audits these financial statements.
An auditor may provide services related to the preparation of financial statements based on information in the trial balance to an audit client which is not a public interest entity so long as any self-review threat created is reduced to an acceptable level.
In any case, the significance of any such threat created shall be evaluated and safeguards applied when necessary to eliminate the threat or reduce it to an acceptable level. Such safeguards include arranging for such services to be performed by an individual who is not a member of the audit team.
The DFSA noted that five (5) audit teams prepared/provided assistance with preparation of financial statements to their audit clients. Based on the regulator’s discussions with the managers in-charge on these audits, the financial statements were prepared by the members of the audit team who subsequently performed the audit of the financial statement.
Insufficient evidence of review
Under the DFSA rules, audits of Domestic AFs must be conducted by RAs registered with the DFSA. Often audit work is carried out by another office of the same network of the RA. Regardless where the work was carried out, a RA must appoint an Audit Principal who is responsible for the direction, supervision and performance of the audit engagement.
Findings from particular files:
- The audit work was conducted by another office of the same network to which the RA belonged. The audit report was signed by the RA based on an inter-office opinion signed off by a partner from another office. The engagement letter was issued by the other office and not by the RA as required under the DFSA rules. The RA recorded its work containing reporting documents prepared by the other office. However, review work conducted by the RA was not evident on this file nor was there any evidence of Audit Principal’s review, with only the audit manager sign-off evident. The DFSA could not determine from the file what review work had been conducted by the RA in order to satisfy itself that audit evidence was sufficient.
- The underlying audit work was undertaken at the office of an affiliate of the RA with the RA signing-off on the audit report based on the work done by the affiliate office. The audit engagement file included information submitted by the affiliate office but did not reflect the work done by the RA over directing the scope of the audit or contain sufficient evidence of review procedures done. There was insufficient evidence on the file of Audit Principal’s involvement on the audit with inter-office arrangements.
Quality of audit work
RAs are responsible for the quality of individual audits, and should aim to ensure that quality audits are consistently performed.
In respect of two (2) RAs, the DFSA noted issues with the quality of audit work conducted relating to both documentation and underlying audit approach.
The engagement files did not display a thorough understanding of the requirements of auditing standards. It was concluded that the audit staff did not have prior knowledge of audit requirements and had not received sufficient training.
Involvement of Audit Principal
Under the DFSA rules, a RA must appoint an Audit Principal who is responsible for the direction, supervision and performance of the audit engagement.
Findings from particular files:
* The Audit Principal, who retained responsibility for signing the audit report, was not sufficiently involved in the audit.
* A director who was not an Audit Principal managed the conduct of the RA’s audit work. However, a different partner who was an Audit Principal signed the audit report. There was no evidence that the signing partner had been sufficiently involved in the audit process.
* The signing Audit Principal was only involved at the final stage of completion and was not responsible throughout the audit for its direction, supervision and performance.
Insufficient audit work
The RA should design and perform audit procedures that are appropriate in the circumstances for the purposes of obtaining sufficient appropriate audit evidence.
Findings from particular files:
- No audit work was conducted on a significant revenue transaction other than obtaining a representation letter from management. There was no other evidence on the audit engagement file.
- Unsatisfactory audit work had been done on the revenue component. Random invoices were filed in the working paper file. Invoices were not cross-referred to the agreements to ensure that the entity has legal right over these invoices.
- The senior-in-charge stated that he had sighted relevant documents and obtained net asset valuations but there was no documentary evidence to substantiate this statement on the file.
- Unsatisfactory audit work had been done on the receivables balance. The RA failed to obtain independent confirmations from the debtors and also did not perform alternative tests.
- Significant and material investment in a Special Purpose Vehicle (SPV) which had been purchased from a related entity. Insufficient audit work had been done on the SPV as a whole.
Disclosure of an asset placed as a cash equivalent
Cash equivalents are defined in International Accounting Standards (IAS) 7 – Statement of cash flows as ‘short-term, highly liquid investments that are readily convertible to known amounts of cash and which are subject to an insignificant risk of changes in value’.
Findings from particular files:
A significant balance was classified as cash and cash equivalents which represented an amount transferred to a related entity that itself placed it with a third party bank in its own name and not that of the AF. Although the amount was held in a bank, it was not held in a ring-fenced bank account in the name of the AF. The audit work conducted by the RA extended to seeking confirmation from the related entity only and not seeking confirmation from the third party bank.
Other findings:
Audit Planning
• 26% of the audit engagement files inspected failed to show sufficient evidence that the procedures required to address the risk of fraud, as stated in ISA 240 – The auditor’s responsibilities relating to fraud in an audit of financial statements, had been conducted; and
• 26% of the audit engagement files inspected did not consider an auditor’s right and duty to report to the DFSA under Article 104(3) of DIFC Law No 1 of 2004.
Audit Execution
• 27% of the audit engagement files inspected did not adequately document matters which were important to support the audit opinion.
Audit Conclusion
• 18% of the audit engagement files inspected failed to evaluate and document the aggregated uncorrected misstatements arising out of the audits; and
• There was insufficient documentation of work done on subsequent events on 17% of the audit engagement files inspected.
Audit Financial Statements Disclosures and Audit Report
• 31% of the audit reports contained references to laws that do not apply to AFs and / or AMIs; and
• 28% of the audit opinions did not comply with the requirements of DFSA Rulebook.
* This report is an abridged version – the full report can be found on www.dfsa.ae.