top of page
  • CCS

Who Inspects Auditor's work to ensure that they are doing it correctly?

Updated: Jan 7


Statutory audit work is necessary for many jurisdictions (However, certain businesses may opt to have a voluntary audit, their financiers or investors may need an audit, or the entity's Constitution may dictate that the financial statements must be audited).


Audit firms will have to do internal reviews of their work.


They will also be visited by their professional body, regulatory inspectors, or both.


In general, visits are typically carried out by reviewers from professional bodies to ensure that member firms are performing audit work to the required levels of standards and to ensure that they are complying with auditing standards (International Standards on Auditing).


When it is discovered that a firm is lacking in certain areas, the inspector would generally bring this to the attention of the audit engagement partner(s) to better understand why the firm is lacking in certain areas.


Sanctions can be brought against the auditor if it is determined that the audit work was inadequate. These sanctions can range from a follow-up visit later so that the inspector can determine whether the firm has considered recommendations and improved on the inadequate audit work to more severe sanctions such as removing the audit firm's audit registration and the imposition of fines.


In Malaysia, a visit of this nature is referred to as a "Practice Review."


Practice Review is essential in improving audit quality, bolstering efficient regulation of the accounting profession and safeguarding the public interest.


The Malaysian Institute of Accountants has given the MIA Practice Review Committee the authority to conduct surveillance activities on audit firms (AFs) registered with the Institute.


These activities aim to ensure that audit practitioners perform their audit work in accordance with the International Standards of Auditing (ISAs), professional standards, and legal and regulatory requirements.


The Practice Review Programme (PRP) is established under Section B250: Quality Assurance and Practice Review of the By-Laws of MIA.


Practice Review is a process whereby members’ audit practice standards and procedures are assessed to ensure they comply with professional standards and legal and regulatory requirements.


As MIA is an IFAC member, the PRP is a mandatory requirement that forms the substance of the Statements of Membership Obligations (SMOs), in particular, SMO1, on the requirements to conduct practice reviews of its member firms.


The Practice Review Programme has 3 objectives:

  • Confirm members’ obligation to maintain, apply and observe the standards promulgated by the Institute.

  • To carry out the regulatory role that is mandated by the Accountants Act of 1967 and to bring our practices in line with the most recent advancements made on a global scale;

  • To increase the level of trust that the business community has in the professionalism maintained by our members of the MIA.

The PRP does not set new standards. Instead, the Practice Review Department reviews the compliance with existing professional and regulatory standards that auditors, regardless of the size of their firm, are expected to comply with.


MIA applies a risk-based approach to selecting audit firms for practice review.


The selection of firms for review is based on their risk profiles, developed using information obtained from the Annual Return submitted by AFs and other relevant sources.


Audit firms may also be selected for review based on referrals from other regulatory bodies in Malaysia or other committees of the Institute.

Some of the most common questions a file reviewer will ask themselves during a review are:

  • Has the audit firm undertaken adequate audit planning before executing the audit

  • Has the audit firm considered fraud issues at the planning stage?

  • Has an appropriate audit strategy and audit plan been constructed?

  • Have financial statement materiality levels and performance materiality levels been determined at the planning stage?

  • Has an appropriate risk assessment been carried out?

  • Did the auditor understand the entity subject to audit and the environment in which the client operates?

  • Is there an up-to-date letter of engagement between the client and the auditor

  • Are the skills and technical competence required conducive to the staff assigned to this audit?

  • Were the procedures adopted during the detailed audit fieldwork responsive to the assessed levels of risk?

  • Has adequate audit documentation been prepared to allow an auditor, without any previous connection to the audit, to understand the nature, timing and extent of the audit procedures performed?

  • Has there been appropriate supervision and review of the audit engagement?

  • Has sufficient and appropriate audit evidence covered the material areas of the audit?

  • Has there been adequate audit engagement partner involvement in the audit

  • Have there been representations obtained from management and, where applicable, those charged with governance?

  • Are specific representations required by auditing standards incorporated within the written representation obtained from management and, where applicable, those charged with governance?

  • Has the audit client considered subsequent events and undertaken an appropriate going concern review?

  • Have the materiality levels been revisited at the audit's completion stage to ensure they are still appropriate?

  • If the level of misstatements identified is approaching the materiality levels or has exceeded the materiality levels, has the auditor considered the need for extending their audit procedures and if so, is the extension of such procedures adequate to reduce the risk of material misstatement?

  • Has the auditor evaluated the identified misstatements and communicated those misstatements to management and, where applicable, those charged with governance?

  • Has an emphasis on matter paragraph been appropriately incorporated into the audit report (where fundamental uncertainty needs to be communicated to the users of the financial statements)?

  • Is the audit report appropriately signed and dated (for ‘cold’ file reviews only)?

  • Has the work determined at the planning stage been adequately cross-referenced to the detailed audit work?

Note:


The above list is by no means exhaustive, and there are many other areas of the audit that reviewers will be keen to ensure have been appropriately covered.


The aforementioned items are merely some of the essential areas that auditors will be looking for, and what is most important is that an audit file can able "tell a story" about how the audit engagement partner arrived at their conclusion regarding whether or not the financial statements give a true and fair view (or present fairly in all material respects).


Practice Review Framework

Firm Selection Approach

MIA uses a risk-based approach for selecting audit firms for practice review, which has been streamlined under the Practice Review Framework, to select firms based on a risk profiling system using information extracted from the Annual Return submitted by Audit Firms.


Audit firms may also be selected for review based on referrals from other regulatory bodies in Malaysia or other committees of the Institute.


The identity of the audit firm is kept confidential at all times from all parties who are not directly involved in the practice review of the firm, including the PRC and staff of the Institute.

Scopes of Review

Firm-level Inspections:

Practice Review inspects the audit firm’s system of quality control (firm-level inspections) to ensure that they comply with the requirements of ISQC 1 [effective from December 15, 2022: ISQM 1 & 2].


Engagement Inspections:

Practice Review’s approach in performing inspections of individual engagements comprises detailed engagement inspections of audit firms to assess whether the audit work complies with relevant professional standards.


The sample of files selected for practice review should reflect the firms’ overall operations and size.


Types of Ratings

After the practice review, the reviewer must table a report to the PRC.


Before the deliberation of the report, the reviewer will delete any reference to the audit firm’s identity to preserve confidentiality.


The PRC shall determine a rating for the report in the following manner, considering the practice review report and the audit firm’s comments.


Types of Rating

Type 1

The firm complies with ISQC 1 [effective from December 15, 2022: ISQM 1 & 2], applicable professional standards, and legal and regulatory requirements. No breach of mandatory auditing standards was noted. It signifies a comfortable pass, and no further action is required.


Type 2

Minimal, non-pervasive weaknesses are noted in compliance with ISQC 1 [effective from December 15, 2022: ISQM 1 & 2] and mandatory auditing standards. Weaknesses are noted in some engagement files but not in others. It requires written assurance and commitment from audit firms that remedial action and improvement shall be implemented.


Type 3