7532 Risk assessment procedures for related party transactions

Jul-2017

CAS Guidance

Domination of management by a single person or small group of persons without compensating controls is a fraud risk factor. Indicators of dominant influence exerted by a related party include (CAS 550.A29):

• The related party has vetoed significant business decisions taken by management or those charged with governance.

• Significant transactions are referred to the related party for final approval.

• There is little or no debate among management and those charged with governance regarding business proposals initiated by the related party.

• Transactions involving the related party (or a close family member of the related party) are rarely independently reviewed and approved.

Dominant influence may also exist in some cases if the related party has played a leading role in founding the entity and continues to play a leading role in managing the entity.

In the presence of other risk factors, the existence of a related party with dominant influence may indicate significant risks of material misstatement due to fraud. For example (CAS 550.A30):

• An unusually high turnover of senior management or professional advisors may suggest unethical or fraudulent business practices that serve the related party’s purposes.

• The use of business intermediaries for significant transactions for which there appears to be no clear business justification may suggest that the related party could have an interest in such transactions through control of such intermediaries for fraudulent purposes.

• Evidence of the related party’s excessive participation in or preoccupation with the selection of accounting policies or the determination of significant estimates may suggest the possibility of fraudulent financial reporting.

Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively. The risk of management override of controls is higher if management has relationships that involve control or significant influence with parties with which the entity does business because these relationships may present management with greater incentives and opportunities to perpetrate fraud. For example, management’s financial interests in certain related parties may provide incentives for management to override controls by (a) directing the entity, against its interests, to conclude transactions for the benefit of these parties, or (b) colluding with such parties or controlling their actions. Examples of possible fraud include (CAS 550.A19):

• Creating fictitious terms of transactions with related parties designed to misrepresent the business rationale of these transactions.

• Fraudulently organizing the transfer of assets from or to management or others at amounts significantly above or below market value.

• Engaging in complex transactions with related parties, such as special-purpose entities, that are structured to misrepresent the financial position or financial performance of the entity.

CAS Guidance

Discussion among the Engagement Team

Matters that may be addressed in the discussion among the engagement team include (CAS 550.A9):

• The nature and extent of the entity’s relationships and transactions with related parties (using, for example, the auditor’s record of identified related parties updated after each audit).

• An emphasis on the importance of maintaining professional skepticism throughout the audit regarding the potential for material misstatement associated with related party relationships and transactions.

• The circumstances or conditions of the entity that may indicate the existence of related party relationships or transactions that management has not identified or disclosed to the auditor (for example, a complex organizational structure, use of special-purpose entities for off-balance sheet transactions, or an inadequate information system).

• The records or documents that may indicate the existence of related party relationships or transactions.

• The importance that management and those charged with governance attach to the identification, appropriate accounting for, and disclosure of related party relationships and transactions (if the applicable financial reporting framework establishes related party requirements), and the related risk of management override of controls.

In addition, the discussion in the context of fraud may include specific consideration of how related parties may be involved in fraud. For example (CAS 550.A10):

• How special-purpose entities controlled by management might be used to facilitate earnings management.

• How transactions between the entity and a known business partner of a key member of management could be arranged to facilitate misappropriation of the entity’s assets.

Relevant related party information that may be shared among the engagement team members includes, for example (CAS 550.A28):

• The identity of the entity’s related parties.

• The nature of the related party relationships and transactions.

• Significant or complex related party relationships or transactions that may be determined to be significant risks, in particular transactions in which management or those charged with governance are financially involved.

CAS Guidance

Where the applicable financial reporting framework establishes related party requirements, information regarding the identity of the entity’s related parties is likely to be readily available to management because the entity’s information systems will need to record, process and summarize related party relationships and transactions to enable the entity to meet the accounting and disclosure requirements of the framework. Management is therefore likely to have a comprehensive list of related parties and changes from the prior period. For recurring engagements, making the inquiries provides a basis for comparing the information supplied by management with the auditor’s record of related parties noted in previous audits. (CAS 550.A11)

However, where the framework does not establish related party requirements, the entity may not have such information systems in place. Under such circumstances, it is possible that management may not be aware of the existence of all related parties. Nevertheless, the requirement to make the inquiries specified by paragraph 13 still applies because management may be aware of parties that meet the related party definition set out in this CAS. In such a case, however, the auditor’s inquiries regarding the identity of the entity’s related parties are likely to form part of the auditor’s risk assessment procedures and related activities performed in accordance with CAS 315 to obtain information regarding the entity’s organizational structure, ownership, governance and business model. In the particular case of common control relationships, as management is more likely to be aware of such relationships if they have economic significance to the entity, the auditor’s inquiries are likely to be more effective if they are focused on whether parties with which the entity engages in significant transactions, or shares resources to a significant degree, are related parties (CAS 550.A12).

The auditor may also obtain some information regarding the identity of the entity’s related parties through inquiries of management during the engagement acceptance or continuance process. (CAS 550.A14)

CAS Guidance

In the context of a group audit, CAS 600 requires the group engagement team to provide each component auditor with a list of related parties prepared by group management and any other related parties of which the group engagement team is aware. Where the entity is a component within a group, this information provides a useful basis for the auditor’s inquiries of management regarding the identity of the entity’s related parties. (CAS 550.A13)

CAS Guidance

The audit is conducted on the premise that management and, where appropriate, those charged with governance have acknowledged and understand that they have responsibility for the preparation of the financial statements in accordance with the applicable financial reporting framework, including, where relevant, their fair presentation, and for such internal control as management and, where appropriate, those charged with governance determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error. Accordingly, where the framework establishes related party requirements, the preparation of the financial statements requires management, with oversight from those charged with governance, to design, implement and maintain adequate controls over related party relationships and transactions so that these are identified and appropriately accounted for and disclosed in accordance with the framework. In their oversight role, those charged with governance monitor how management is discharging its responsibility for such controls. Regardless of any related party requirements the framework may establish, those charged with governance may, in their oversight role, obtain information from management to enable them to understand the nature and business rationale of the entity’s related party relationships and transactions. (CAS 550.A16)

Others within the entity are those considered likely to have knowledge of the entity’s related party relationships and transactions, and the entity’s controls over such relationships and transactions. These may include, to the extent that they do not form part of management (CAS 550.A15)

• those charged with governance;

• personnel in a position to initiate, process, or record transactions that are both significant and outside the entity’s normal course of business, and those who supervise or monitor such personnel;

• the internal audit function;

• in-house legal counsel; and

• the chief ethics officer or equivalent person.

In meeting the CAS 315 requirement to obtain an understanding of the control environment, the auditor may consider features of the control environment relevant to mitigating the risks of material misstatement associated with related party relationships and transactions, such as (CAS 550.A17):

• Internal ethical codes, appropriately communicated to the entity’s personnel and enforced, governing the circumstances in which the entity may enter into specific types of related party transactions.

• Policies and procedures for open and timely disclosure of the interests that management and those charged with governance have in related party transactions.

• The assignment of responsibilities within the entity for identifying, recording, summarizing, and disclosing related party transactions.

• Timely disclosure and discussion between management and those charged with governance of significant related party transactions outside the entity’s normal course of business, including whether those charged with governance have appropriately challenged the business rationale of such transactions (for example, by seeking advice from external professional advisors).

• Clear guidelines for the approval of related party transactions involving actual or perceived conflicts of interest, such as approval by a subcommittee of those charged with governance comprising individuals independent of management.

• Periodic reviews by the internal audit function, where applicable.

• Proactive action taken by management to resolve related party disclosure issues, such as by seeking advice from the auditor or external legal counsel.

• The existence of whistle-blowing policies and procedures, where applicable.

Controls over related party relationships and transactions within some entities may be deficient or non-existent for a number of reasons, such as (CAS 550.A18):

• The low importance attached by management to identifying and disclosing related party relationships and transactions.

• The lack of appropriate oversight by those charged with governance.

• An intentional disregard for such controls because related party disclosures may reveal information that management considers sensitive, for example, the existence of transactions involving family members of management.

• An insufficient understanding by management of the related party requirements of the applicable financial reporting framework.

• The absence of disclosure requirements under the applicable financial reporting framework.

Where such controls are ineffective or non-existent, the auditor may be unable to obtain sufficient appropriate audit evidence about related party relationships and transactions. If this were the case, the auditor would, in accordance with CAS 705, consider the implications for the audit, including the opinion in the auditor’s report.

Authorization involves the granting of permission by a party or parties with the appropriate authority (whether management, those charged with governance or the entity’s shareholders) for the entity to enter into specific transactions in accordance with pre-determined criteria, whether judgmental or not. Approval involves those parties’ acceptance of the transactions the entity has entered into as having satisfied the criteria on which authorization was granted. Examples of controls the entity may have established to authorize and approve significant transactions and arrangements with related parties or significant transactions and arrangements outside the normal course of business include (CAS 550.A21):

• Monitoring controls to identify such transactions and arrangements for authorization and approval.

• Approval of the terms and conditions of the transactions and arrangements by management, those charged with governance or, where applicable, shareholders.

CAS Guidance

Controls in smaller entities are likely to be less formal and smaller entities may have no documented processes for dealing with related party relationships and transactions. An owner‑manager may mitigate some of the risks arising from related party transactions, or potentially increase those risks, through active involvement in all the main aspects of the transactions. For such entities, the auditor may obtain an understanding of the related party relationships and transactions, and any controls that may exist over these, through inquiry of management combined with other procedures, such as observation of management’s oversight and review activities, and inspection of available relevant documentation. (CAS 550.A20)

A smaller entity may not have the same controls provided by different levels of authority and approval that may exist in a larger entity. Accordingly, when auditing a smaller entity, the auditor may rely to a lesser degree on authorization and approval for audit evidence regarding the validity of significant related party transactions outside the entity’s normal course of business. Instead, the auditor may consider performing other audit procedures such as inspecting relevant documents, confirming specific aspects of the transactions with relevant parties, or observing the owner‑manager’s involvement with the transactions. (CAS 550.A41)

CAS Guidance

During the audit, the auditor may inspect records or documents that may provide information about related party relationships and transactions, for example (CAS 550.A22):

• Third-party confirmations obtained by the auditor (in addition to bank and legal confirmations).
• Entity income tax returns.
• Information supplied by the entity to regulatory authorities.
• Shareholder registers to identify the entity’s principal shareholders.
• Statements of conflicts of interest from management and those charged with governance.
• Records of the entity’s investments and those of its pension plans.
• Contracts and agreements with key management or those charged with governance.
• Significant contracts and agreements not in the entity’s ordinary course of business.
• Specific invoices and correspondence from the entity’s professional advisors.
• Life insurance policies acquired by the entity.
• Significant contracts re-negotiated by the entity during the period.
• Reports of the internal audit function.
• Documents associated with the entity’s filings with a securities regulator (for example, prospectuses).

An arrangement involves a formal or informal agreement between the entity and one or more other parties for such purposes as (CAS 550.A23):

• The establishment of a business relationship through appropriate vehicles or structures.
• The conduct of certain types of transactions under specific terms and conditions.
• The provision of designated services or financial support.

Examples of arrangements that may indicate the existence of related party relationships or transactions that management has not previously identified or disclosed to the auditor include:

• Participation in unincorporated partnerships with other parties.

• Agreements for the provision of services to certain parties under terms and conditions that are outside the entity’s normal course of business.

• Guarantees and guarantor relationships.

CAS Guidance

Obtaining further information on significant transactions outside the entity’s normal course of business enables the auditor to evaluate whether fraud risk factors, if any, are present and, where the applicable financial reporting framework establishes related party requirements, to identify the risks of material misstatement. (CAS 550.A24)

Examples of transactions outside the entity’s normal course of business may include (CAS 550.A25):

• Complex equity transactions, such as corporate restructurings or acquisitions.

• Transactions with offshore entities in jurisdictions with weak corporate laws.

• The leasing of premises or the rendering of management services by the entity to another party if no consideration is exchanged.

• Sales transactions with unusually large discounts or returns.

• Transactions with circular arrangements, for example, sales with a commitment to repurchase.

• Transactions under contracts whose terms are changed before expiry.

Inquiring into the nature of the significant transactions outside the entity’s normal course of business involves obtaining an understanding of the business rationale of the transactions, and the terms and conditions under which these have been entered into. (CAS 550.A26)

A related party could be involved in a significant transaction outside the entity’s normal course of business not only by directly influencing the transaction through being a party to the transaction, but also by indirectly influencing it through an intermediary. Such influence may indicate the presence of a fraud risk factor. (CAS 550.A27)