The Quality Review Section (QRS) of the Institute recently published the most common issues that arise on its monitoring visits.
These issues are quite serious, as similar issues have been recurring for many years:
1. ISQM – Firms are required to have a documented ISQM system of quality management (SoQM) in place, including a risk assessment with quality risks identified in the firm’s risk assessment clearly linked to the achievement of a quality objective.
There must be a documented annual evaluation of the SoQM which concludes with one of 3 outcomes:
- SoQM provides reasonable assurance that the objectives of the SoQM are being achieved;
- Except for matters that have a severe but not pervasive effect, the SoQM provides reasonable assurance that the objectives of the SoQM are being achieved; or
- The SoQM does not provide the firm with reasonable assurance that the objectives of the SoQM are being achieved.
Evidence that an annual evaluation has been performed and the results of that evaluation will be assessed for consistency with the visit findings.
More information is available in Technical Alert 04 2025 Quality Management Top tips available on the Institute’s website. A template ISQM Toolkit (to assist with the ISQM implementation) is available to purchase for €250 +VAT.
2. RI CPD – Each Responsible Individual’s (RI) CPD is reviewed in line with the IAASA CPD Guidelines on the regulation, monitoring and enforcement of continuing education for statutory auditors. More details are available at final-cpd-guidelines-020221.pdf (iaasa.ie).
RIs are required to:
- Plan CPD annually by reflecting on the knowledge, skills and values required to fulfil their responsibilities;
- Identify learning and development needs;
- Complete sufficient, relevant, and appropriate CPD annually to meet the learning and development needs and to demonstrate achievement of learning outcomes in the Institute IES 8, Table A template document;
- Evaluate the effectiveness of the CPD activities regularly and revise the approach as necessary;
- Maintain appropriate written CPD records, including supporting documentation to evidence CPD planning, completion, and evaluation; and
- Submit an annual declaration confirming compliance with CPD
More information is available at the CPD hub on the Institute’s website: CPD for Responsible Individuals – ..rteredaccountants.ie (charteredaccountants.ie)
3. Evidence of challenge and scepticism – Audit files must demonstrate that the auditor has evaluated whether the accounting estimates and related disclosures are reasonable (see ISA 540). Auditors should watch out for indicators of possible management bias.
4. Central Bank Regulated Entities – Under the Companies Act 2014 (Schedule 5), Republic of Ireland entities cannot avail of the small company exemption and cannot file abridged financial statements with the CRO.
Auditors are reminded that financial statements for such entities cannot be prepared under FRS 102 Section 1A, and full financial statements must be filed with the CRO. Neither can such entities avail of the Provisions Available for Audits of Small Entities (PAASE).
5. Risk assessment (ISA 315) – The risk assessment on file must be tailored to the specific client’s circumstances, and generic risks that are prepopulated will not be regarded as convincing.
6. Fraud considerations (ISA 240) – Fraud considerations should be evidenced on the file, including the likelihood of management override of controls and risks connected to related parties. In our own file reviews, John McCarthy Consulting Ltd. has seen comments like ‘there has never been a fraud’, according to the Directors. Such comments are not regarded as displaying sufficient scepticism by the auditors.
7. Audit of construction contracts, including long-term contracts and work in Audit files need to show that the audit firm has a good understanding of the entity being audited, the risk assessment is appropriate and responses to assessed risks are adequate. The requirements of ISA 540 on accounting estimates and judgements will be relevant. The audit file will also need to contain adequate evidence of challenge of management assumptions.
8. Assembly of the final audit file – ISA 230 requires the auditor to complete the administrative process of assembling the final audit file on a timely basis, typically within 60 days after the date the auditor’s report is signed. New audit procedures or forming new conclusions cannot be documented once the audit report is signed.
9. Statutory Duty Confirmation (SDC) – under Section 27B of the Central Bank Act 1997, auditors are obliged to make a written report (‘SDC’) to the Central Bank of Ireland (CBI), stating whether or not circumstances have arisen that require the auditor to report a matter to the CBI.
The ‘SDC’ must be submitted to the CBI within one month of the date of the auditor’s report. The ‘SDC’ should cover the period commencing on the date of issue of the previous declaration to the date of signing the current declaration. The format for these reports is set out in Appendix 2 of Technical Release 02 2025 – Reporting under The Central Bank and Financial Services Authority of Ireland Act 2004 which is available on the Institute’s website.
10. Group Audits (ISA 600) – Where group accounts are not prepared, firms are expected to clearly document the basis for the non-consolidation.
Group Audit documentation should clearly demonstrate how the component auditor’s work was directed, supervised, and reviewed. Firms are reminded that component performance materiality should be set at an amount lower than group performance materiality.
See our ISQM TOOLKIT at this link. We can tailor ISQM training and brainstorming sessions to suit your firm’s unique requirements. Please contact John McCarthy FCA by email at john@jmcc.ie.
For AML training and compliance please send a mail to john@jmcc.ie.
For audit cold file reviews and tailored training sessions explaining more about various topics like AML, Audit, FRS 102, please send a mail to john@jmcc.ie.
For more on engagement and representation letter templates and a variety of CPD webinars on money laundering and other accounting/audit related topics, please go to our website for:
- Our latest CPD Webinar on The Main Changes in Irish GAAP (recorded July 2024)
- Anti-Money Laundering Policies Controls and Procedures Manual (March 2022) — View the table of contents
- AML Webinar (December 2023) available here, which accompanies the AML Manual. It explains the latest legal AML reporting position for accountancy firms and includes a quiz. Upon completion you receive a CPD certificate for attendance in your inbox.
- Letters of engagement and similar templates—Please visit our website here where immediate downloads are available in Word format. A bulk discount is available for orders of five or more items bought together.