7532 Risk assessment procedures for related party transactions
Jul-2017

Overview

This topic explains:

  • The types of risk assessment procedures which we are expected to perform during the audit;

  • The procedures required when we identify fraud risk factors when performing the risk assessment procedures;

  • The topics to be discussed at the team planning meeting for related parties and related party transactions;

  • The procedures we are expected to perform in relation to controls over related party transactions;

  • The requirements specific to smaller entities;

  • How we are expected to maintain alertness for related party information when reviewing records or documents;

  • The procedures we are expected to perform for transactions outside the entity’s normal course of business.

Risk assessment procedures

CAS Requirement

As part of the risk assessment procedures and related activities that CAS 315 and CAS 240 require the auditor to perform during the audit, the auditor shall perform the audit procedures and related activities set out in paragraphs 12‑17 to obtain information relevant to identifying the risks of material misstatement associated with related party relationships and transactions (CAS 550.11).

In meeting the CAS 315 requirement to identify and assess the risks of material misstatement, the auditor shall identify and assess the risks of material misstatement associated with related party relationships and transactions and determine whether any of those risks are significant risks. In making this determination, the auditor shall treat identified significant related party transactions outside the entity’s normal course of business as giving rise to significant risks (CAS 550.18).

The CAS 550 requirements in CAS 550.12-17 for risk assessment are set out in the following blocks:

  • Engagement team discussions,
  • Management inquiries,
  • Controls over related parties,
  • Maintaining alertness for related party information when reviewing records or documents,
  • Transactions outside the entity’s normal course of business.

CAS Requirement

In addition, an understanding of the entity’s related party relationships and transactions is relevant to the auditor’s evaluation of whether one or more fraud risk factors are present as required by CAS 240, because fraud may be more easily committed through related parties (CAS 550.5).

Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with the CASs. In the context of related parties, the potential effects of inherent limitations on the auditor’s ability to detect material misstatements are greater for such reasons as the following (CAS 550.6):

  • Management may be unaware of the existence of all related party relationships and transactions, particularly if the applicable financial reporting framework does not establish related party requirements.

  • Related party relationships may present a greater opportunity for collusion, concealment or manipulation by management.

Planning and performing the audit with professional skepticism as required by CAS 200 is therefore particularly important in this context, given the potential for undisclosed related party relationships and transactions. The requirements in this CAS are designed to assist the auditor in identifying and assessing the risks of material misstatement associated with related party relationships and transactions, and in designing audit procedures to respond to the assessed risks (CAS 550.7).

OAG Guidance

Risks in relation to related parties will frequently be significant because of fraud considerations. The risk assessment includes considering if there are significant risks in relation to related parties which will require special audit consideration. See OAG Audit 5500 for guidance on fraud considerations.

Typical risk assessment procedures

Review information provided by management identifying related parties and perform the following procedures in respect of this information:

  • review prior year working papers for names of known related parties;

  • inquire as to the affiliation of directors and officers with other entities;

  • review shareholder records to determine the names of principal shareholders or, if appropriate, obtain a listing of principal shareholders from the share register;

  • review minutes of the meetings of shareholders and the board of directors and other relevant statutory records such as the register of directors’ interests for information about material transactions authorized or discussed at their meetings;

  • review filings with, and other information supplied to, the relevant authorities/regulatory agencies (including income tax returns);

  • review correspondence and invoices from law firms for possible transactions;

  • review the extent and nature of business transacted with major customers, suppliers, borrowers and lenders;

  • review the names of officers and trustees of pension or similar plans;

  • inquire of other auditors currently involved in the audit, or predecessor auditors, as to their knowledge of additional related parties. When other auditors audit a related enterprise, arrange for timely exchange of information on the names of known related parties and the extent of management involvement in material transactions at an early stage of the audit;

  • consider using other available sources of information, including external data and internet searches, to identify the names of related parties and of other businesses in which officers and directors have ownership interests or occupy directorship or management positions.

Fraud considerations

CAS Requirement

If the auditor identifies fraud risk factors (including circumstances relating to the existence of a related party with dominant influence) when performing the risk assessment procedures and related activities in connection with related parties, the auditor shall consider such information when identifying and assessing the risks of material misstatement due to fraud in accordance with CAS 240 (CAS 550.19).

CAS Guidance

Domination of management by a single person or small group of persons without compensating controls is a fraud risk factor. Indicators of dominant influence exerted by a related party include (CAS 550.A29):

  • The related party has vetoed significant business decisions taken by management or those charged with governance.

  • Significant transactions are referred to the related party for final approval.

  • There is little or no debate among management and those charged with governance regarding business proposals initiated by the related party.

  • Transactions involving the related party (or a close family member of the related party) are rarely independently reviewed and approved.

Dominant influence may also exist in some cases if the related party has played a leading role in founding the entity and continues to play a leading role in managing the entity.

In the presence of other risk factors, the existence of a related party with dominant influence may indicate significant risks of material misstatement due to fraud. For example (CAS 550.A30):

  • An unusually high turnover of senior management or professional advisors may suggest unethical or fraudulent business practices that serve the related party’s purposes.

  • The use of business intermediaries for significant transactions for which there appears to be no clear business justification may suggest that the related party could have an interest in such transactions through control of such intermediaries for fraudulent purposes.

  • Evidence of the related party’s excessive participation in or preoccupation with the selection of accounting policies or the determination of significant estimates may suggest the possibility of fraudulent financial reporting.

Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively. The risk of management override of controls is higher if management has relationships that involve control or significant influence with parties with which the entity does business because these relationships may present management with greater incentives and opportunities to perpetrate fraud. For example, management’s financial interests in certain related parties may provide incentives for management to override controls by (a) directing the entity, against its interests, to conclude transactions for the benefit of these parties, or (b) colluding with such parties or controlling their actions. Examples of possible fraud include (CAS 550.A19):

  • Creating fictitious terms of transactions with related parties designed to misrepresent the business rationale of these transactions.

  • Fraudulently organizing the transfer of assets from or to management or others at amounts significantly above or below market value.

  • Engaging in complex transactions with related parties, such as special-purpose entities, that are structured to misrepresent the financial position or financial performance of the entity.

OAG Guidance

See OAG Audit 5508 for additional guidance on management override of controls. Be aware of the possibility that transactions with related parties may have been motivated solely, or in large measure, by conditions similar to the following:

  • Lack of sufficient working capital or credit to continue the business.

  • An overly optimistic earnings forecast.

  • Dependence on a single or relatively few products, customers, or transactions for the continuing success of the venture.

  • Excess capacity.

  • Significant litigation, especially litigation between stockholders and management.

  • Significant obsolescence dangers because the company is in a high-technology industry.

Transactions that because of their nature may be indicative of the existence of related parties include:

  • Borrowing or lending on an interest-free basis or at a rate of interest significantly above or below market rates prevailing at the time of the transaction.

  • Selling real estate at a price that differs significantly from its appraised value.

  • Exchanging property for similar property in a nonmonetary transaction.

  • Making loans with no scheduled terms for when or how the funds will be repaid.

See OAG Audit 5500 for additional guidance on fraud considerations.

Engagement Team discussions

CAS Requirement

The engagement team discussion that CAS 315 and CAS 240 require shall include specific consideration of the susceptibility of the financial statements to material misstatement due to fraud or error that could result from the entity’s related party relationships and transactions (CAS 550.12).

The auditor shall share relevant information obtained about the entity’s related parties with the other members of the engagement team (CAS 550.17).

CAS Guidance

Discussion among the Engagement Team

Matters that may be addressed in the discussion among the engagement team include (CAS 550.A9):

  • The nature and extent of the entity’s relationships and transactions with related parties (using, for example, the auditor’s record of identified related parties updated after each audit).

  • An emphasis on the importance of maintaining professional skepticism throughout the audit regarding the potential for material misstatement associated with related party relationships and transactions.

  • The circumstances or conditions of the entity that may indicate the existence of related party relationships or transactions that management has not identified or disclosed to the auditor (for example, a complex organizational structure, use of special-purpose entities for off-balance sheet transactions, or an inadequate information system).

  • The records or documents that may indicate the existence of related party relationships or transactions.

  • The importance that management and those charged with governance attach to the identification, appropriate accounting for, and disclosure of related party relationships and transactions (if the applicable financial reporting framework establishes related party requirements), and the related risk of management override of controls.

In addition, the discussion in the context of fraud may include specific consideration of how related parties may be involved in fraud. For example (CAS 550.A10):

  • How special-purpose entities controlled by management might be used to facilitate earnings management.

  • How transactions between the entity and a known business partner of a key member of management could be arranged to facilitate misappropriation of the entity’s assets.

Relevant related party information that may be shared among the engagement team members includes, for example (CAS 550.A28):

  • The identity of the entity’s related parties.

  • The nature of the related party relationships and transactions.

  • Significant or complex related party relationships or transactions that may be determined to be significant risks, in particular transactions in which management or those charged with governance are financially involved.

OAG Guidance

See OAG Audit 2300 for related guidance on group audits.

Practice aids

Team Planning meeting

The procedure ‘Determine audit strategy and plan’ within the program ‘Develop Audit Plan’ or the procedure ‘General engagement decisions’ within the program ‘Timetable and Engagement Management’ are procedures that engagement teams may use to record the engagement team discussion. For further guidance on team planning meetings, see OAG Audit 4010.

Taking stock

In addition to the team planning meeting, engagement team members are also able to communicate and share information obtained throughout the audit that may affect the assessment of or responses to risks, at taking stock meetings. For further guidance on taking stock meetings, see OAG Audit 7022.

Management Inquiries

CAS Requirement

The auditor shall inquire of management regarding (CAS 550.13):

(a) The identity of the entity’s related parties, including changes from the prior period;

(b) The nature of the relationships between the entity and these related parties; and

(c) Whether the entity entered into any transactions with these related parties during the period and, if so, the type and purpose of the transactions.

CAS Guidance

Where the applicable financial reporting framework establishes related party requirements, information regarding the identity of the entity’s related parties is likely to be readily available to management because the entity’s information systems will need to record, process and summarize related party relationships and transactions to enable the entity to meet the accounting and disclosure requirements of the framework. Management is therefore likely to have a comprehensive list of related parties and changes from the prior period. For recurring engagements, making the inquiries provides a basis for comparing the information supplied by management with the auditor’s record of related parties noted in previous audits. (CAS 550.A11)

However, where the framework does not establish related party requirements, the entity may not have such information systems in place. Under such circumstances, it is possible that management may not be aware of the existence of all related parties. Nevertheless, the requirement to make the inquiries specified by paragraph 13 still applies because management may be aware of parties that meet the related party definition set out in this CAS. In such a case, however, the auditor’s inquiries regarding the identity of the entity’s related parties are likely to form part of the auditor’s risk assessment procedures and related activities performed in accordance with CAS 315 to obtain information regarding the entity’s organizational structure, ownership, governance and business model. In the particular case of common control relationships, as management is more likely to be aware of such relationships if they have economic significance to the entity, the auditor’s inquiries are likely to be more effective if they are focused on whether parties with which the entity engages in significant transactions, or shares resources to a significant degree, are related parties (CAS 550.A12).

The auditor may also obtain some information regarding the identity of the entity’s related parties through inquiries of management during the engagement acceptance or continuance process. (CAS 550.A14)

Group audit considerations

CAS Guidance

In the context of a group audit, CAS 600 requires the group engagement team to provide each component auditor with a list of related parties prepared by group management and any other related parties of which the group engagement team is aware. Where the entity is a component within a group, this information provides a useful basis for the auditor’s inquiries of management regarding the identity of the entity’s related parties. (CAS 550.A13)

OAG Guidance

Group Audit Planning

Ordinarily we do not accept engagements where a related entity is either unaudited or audited under circumstances lacking in effectiveness, e.g., where there are questions regarding the independence or competence of other auditors. If a significant related party is either unaudited or audited under circumstances lacking in effectiveness, e.g., where there are questions regarding the independence or competence of other auditors, proceed with caution. In some cases it may be necessary to perform audit procedures with regard to the financial statements of the related party. When a related entity is not audited by us, there is an increased risk that the nature of transactions between the entities audited by us and the related entities may not be detected by normal auditing procedures. In addition, where significant amounts are involved, questions can be raised as to whether our scope was sufficient to enable us to issue an opinion on the financial statements. When other auditors audit a related entity, consider arranging for timely exchange of information on the names of known related parties and the extent of management involvement in material transactions.

For guidance on communications with other auditors, refer to OAG Audit 2340.

A group audit is more effective and efficient when the group engagement team provides information to the component auditors relating to known related party relationships and transactions (including intercompany transactions) that have been identified at the group level. Accordingly, instructions to component auditors may include:

  • A listing of subsidiaries, affiliates and other known related parties with whom the entity may transact business.

  • A description of the business purpose of the subsidiary, affiliate, division or branch to be examined and its relationship to other business units within the group.

  • A description of the types of related party transactions expected to be encountered in the unit under examination and the basis of pricing or other terms.

  • A program of audit procedures for testing intercompany transactions (including, where practicable, testing the basis for pricing, such as cost, cost plus a fixed percentage, or approximate market price to an independent third party), cash and other asset transfers, and balances.

Instructions of this nature to component auditors will permit the audit to proceed on an “exception basis.” That is, the audit plan will contemplate coverage of routine transactions with subsidiaries, affiliates and other identified related parties. Significant transactions discovered during the course of the work that are outside the normal course of business or with related parties not identified at the group level should be treated as giving rise to significant risks and will require additional audit work. The necessity to account for and send information to component auditors is, of course, flexible and takes into consideration the company’s internal reporting, manuals and procedures and other information available within the company. In many cases, the nature of transactions and the basis of pricing will be evident and duplicate supplemental information should not be required.

See OAG Audit 2300 for related guidance on group audits.

Controls over related party transactions

CAS Requirement

The auditor shall inquire of management and others within the entity, and perform other risk assessment procedures considered appropriate, to obtain an understanding of the controls, if any, that management has established to (CAS 550.14):

(a) Identify, account for, and disclose related party relationships and transactions in accordance with the applicable financial reporting framework;

(b) Authorize and approve significant transactions and arrangements with related parties; and

(c) Authorize and approve significant transactions and arrangements outside the normal course of business.

CAS Guidance

The audit is conducted on the premise that management and, where appropriate, those charged with governance have acknowledged and understand that they have responsibility for the preparation of the financial statements in accordance with the applicable financial reporting framework, including, where relevant, their fair presentation, and for such internal control as management and, where appropriate, those charged with governance determine is necessary to enable the preparation of financial statements that are free from material misstatement, whether due to fraud or error. Accordingly, where the framework establishes related party requirements, the preparation of the financial statements requires management, with oversight from those charged with governance, to design, implement and maintain adequate controls over related party relationships and transactions so that these are identified and appropriately accounted for and disclosed in accordance with the framework. In their oversight role, those charged with governance monitor how management is discharging its responsibility for such controls. Regardless of any related party requirements the framework may establish, those charged with governance may, in their oversight role, obtain information from management to enable them to understand the nature and business rationale of the entity’s related party relationships and transactions. (CAS 550.A16)

Others within the entity are those considered likely to have knowledge of the entity’s related party relationships and transactions, and the entity’s controls over such relationships and transactions. These may include, to the extent that they do not form part of management (CAS 550.A15):

  • those charged with governance;

  • personnel in a position to initiate, process, or record transactions that are both significant and outside the entity’s normal course of business, and those who supervise or monitor such personnel;

  • the internal audit function;

  • in-house legal counsel; and

  • the chief ethics officer or equivalent person.

In meeting the CAS 315 requirement to obtain an understanding of the control environment, the auditor may consider features of the control environment relevant to mitigating the risks of material misstatement associated with related party relationships and transactions, such as (CAS 550.A17):

  • Internal ethical codes, appropriately communicated to the entity’s personnel and enforced, governing the circumstances in which the entity may enter into specific types of related party transactions.

  • Policies and procedures for open and timely disclosure of the interests that management and those charged with governance have in related party transactions.

  • The assignment of responsibilities within the entity for identifying, recording, summarizing, and disclosing related party transactions.

  • Timely disclosure and discussion between management and those charged with governance of significant related party transactions outside the entity’s normal course of business, including whether those charged with governance have appropriately challenged the business rationale of such transactions (for example, by seeking advice from external professional advisors).

  • Clear guidelines for the approval of related party transactions involving actual or perceived conflicts of interest, such as approval by a subcommittee of those charged with governance comprising individuals independent of management.

  • Periodic reviews by the internal audit function, where applicable.

  • Proactive action taken by management to resolve related party disclosure issues, such as by seeking advice from the auditor or external legal counsel.

  • The existence of whistle-blowing policies and procedures, where applicable.

Controls over related party relationships and transactions within some entities may be deficient or non-existent for a number of reasons, such as (CAS 550.A18):

  • The low importance attached by management to identifying and disclosing related party relationships and transactions.

  • The lack of appropriate oversight by those charged with governance.

  • An intentional disregard for such controls because related party disclosures may reveal information that management considers sensitive, for example, the existence of transactions involving family members of management.

  • An insufficient understanding by management of the related party requirements of the applicable financial reporting framework.

  • The absence of disclosure requirements under the applicable financial reporting framework.

Where such controls are ineffective or non-existent, the auditor may be unable to obtain sufficient appropriate audit evidence about related party relationships and transactions. If this were the case, the auditor would, in accordance with CAS 705, consider the implications for the audit, including the opinion in the auditor’s report.

Authorization involves the granting of permission by a party or parties with the appropriate authority (whether management, those charged with governance or the entity’s shareholders) for the entity to enter into specific transactions in accordance with pre-determined criteria, whether judgmental or not. Approval involves those parties’ acceptance of the transactions the entity has entered into as having satisfied the criteria on which authorization was granted. Examples of controls the entity may have established to authorize and approve significant transactions and arrangements with related parties or significant transactions and arrangements outside the normal course of business include (CAS 550.A21):

  • Monitoring controls to identify such transactions and arrangements for authorization and approval.

  • Approval of the terms and conditions of the transactions and arrangements by management, those charged with governance or, where applicable, shareholders.

OAG Guidance

See OAG Audit 5030 for guidance relating to the evaluation of the entity’s controls.

See OAG Audit 8000 for general guidance on audit report considerations.

Considerations specific to smaller entities

CAS Guidance

Controls in smaller entities are likely to be less formal and smaller entities may have no documented processes for dealing with related party relationships and transactions. An owner‑manager may mitigate some of the risks arising from related party transactions, or potentially increase those risks, through active involvement in all the main aspects of the transactions. For such entities, the auditor may obtain an understanding of the related party relationships and transactions, and any controls that may exist over these, through inquiry of management combined with other procedures, such as observation of management’s oversight and review activities, and inspection of available relevant documentation. (CAS 550.A20)

A smaller entity may not have the same controls provided by different levels of authority and approval that may exist in a larger entity. Accordingly, when auditing a smaller entity, the auditor may rely to a lesser degree on authorization and approval for audit evidence regarding the validity of significant related party transactions outside the entity’s normal course of business. Instead, the auditor may consider performing other audit procedures such as inspecting relevant documents, confirming specific aspects of the transactions with relevant parties, or observing the owner‑manager’s involvement with the transactions. (CAS 550.A41)

OAG Guidance

Significant transactions are often entered into between the small entity and the owner‑manager, or between the small entity and entities related to the owner‑manager. Indeed, related party transactions are a regular feature of many entities that are owned and managed by an individual or by a family. Further, the owner‑manager may not fully understand the definition of a related party, especially where relevant accounting standards deem certain relationships to be related and others not. We may therefore need to explain the technical definition of a related party to the entity in order to obtain management representations in respect of the completeness of disclosure.

We may act as the auditor of other entities related to the small entity, which may assist us in identifying related parties.

Our in-depth knowledge of the smaller entity may be of assistance in the identification of related parties, which in many instances, will be with entities controlled by the owner‑manager. This knowledge can also help us assess whether related party transactions might have taken place without recognition in the entity’s accounting records.

Maintaining alertness for related party information when reviewing records or documents

CAS Requirement

During the audit, the auditor shall remain alert, when inspecting records or documents, for arrangements or other information that may indicate the existence of related party relationships or transactions that management has not previously identified or disclosed to the auditor.

In particular, the auditor shall inspect the following for indications of the existence of related party relationships or transactions that management has not previously identified or disclosed to the auditor (CAS 550.15):

(a) Bank and legal confirmations obtained as part of the auditor’s procedures;

(b) Minutes of meetings of shareholders and of those charged with governance; and

(c) Such other records or documents as the auditor considers necessary in the circumstances of the entity.

CAS Guidance

During the audit, the auditor may inspect records or documents that may provide information about related party relationships and transactions, for example (CAS 550.A22):

  • Third-party confirmations obtained by the auditor (in addition to bank and legal confirmations).
  • Entity income tax returns.
  • Information supplied by the entity to regulatory authorities.
  • Shareholder registers to identify the entity’s principal shareholders.
  • Statements of conflicts of interest from management and those charged with governance.
  • Records of the entity’s investments and those of its pension plans.
  • Contracts and agreements with key management or those charged with governance.
  • Significant contracts and agreements not in the entity’s ordinary course of business.
  • Specific invoices and correspondence from the entity’s professional advisors.
  • Life insurance policies acquired by the entity.
  • Significant contracts re-negotiated by the entity during the period.
  • Reports of the internal audit function.
  • Documents associated with the entity’s filings with a securities regulator (for example, prospectuses).

An arrangement involves a formal or informal agreement between the entity and one or more other parties for such purposes as (CAS 550.A23):

  • The establishment of a business relationship through appropriate vehicles or structures.
  • The conduct of certain types of transactions under specific terms and conditions.
  • The provision of designated services or financial support.

Examples of arrangements that may indicate the existence of related party relationships or transactions that management has not previously identified or disclosed to the auditor include:

  • Participation in unincorporated partnerships with other parties.

  • Agreements for the provision of services to certain parties under terms and conditions that are outside the entity’s normal course of business.

  • Guarantees and guarantor relationships.

OAG Guidance

Review of bank confirmations may indicate a guarantor relationship and other related party transactions. A review of investment transactions may indicate purchase/sale of equity interest in joint ventures. Reviewing large or unusual transactions, especially near the end of a reporting period, may indicate related party transactions.

Significant transactions outside normal course of business

CAS Requirement

If the auditor identifies significant transactions outside the entity’s normal course of business when performing the audit procedures required by paragraph 15 or through other audit procedures, the auditor shall inquire of management about (CAS 550.16):

(a) The nature of these transactions; and

(b) Whether related parties could be involved.

CAS Guidance

Obtaining further information on significant transactions outside the entity’s normal course of business enables the auditor to evaluate whether fraud risk factors, if any, are present and, where the applicable financial reporting framework establishes related party requirements, to identify the risks of material misstatement. (CAS 550.A24)

Examples of transactions outside the entity’s normal course of business may include (CAS 550.A25):

  • Complex equity transactions, such as corporate restructurings or acquisitions.

  • Transactions with offshore entities in jurisdictions with weak corporate laws.

  • The leasing of premises or the rendering of management services by the entity to another party if no consideration is exchanged.

  • Sales transactions with unusually large discounts or returns.

  • Transactions with circular arrangements, for example, sales with a commitment to repurchase.

  • Transactions under contracts whose terms are changed before expiry.

Inquiring into the nature of the significant transactions outside the entity’s normal course of business involves obtaining an understanding of the business rationale of the transactions, and the terms and conditions under which these have been entered into. (CAS 550.A26)

A related party could be involved in a significant transaction outside the entity’s normal course of business not only by directly influencing the transaction through being a party to the transaction, but also by indirectly influencing it through an intermediary. Such influence may indicate the presence of a fraud risk factor. (CAS 550.A27)

OAG Guidance

Other examples of transactions outside the entity’s normal course of business may include:

  • Transactions with governmental agencies.
  • Transactions requiring large cash payments.
  • Transactions requiring the use of a 3rd party.
  • Transactions consummated by a 3rd party agent on behalf of the company.
  • Transactions with entities in industries/geographies with increased corruption risk.
  • Transactions with entities involving the transfer of protected data.
  • Sales transactions with large or unusual commissions.