Archive for November, 2015

Frameworks in Emergency Situations: The Provisions of ISA 800

Tuesday, November 17th, 2015

We are auditors and financial controllers. Our task is to control finances. In the last years, we – i.e. our firm, my colleagues and I – we were asked more and more to perform audits in countries which undergo a crisis. This could be civil unrest or civil war but also processes of nation building, ecological crisis, droughts or floods, this could natural disasters and epidemics, or a mixture of many factors.
Frequently, in these engagements, it is not so clear which accounting framework would apply. Which rules should be followed if the world is drowning in chaos? Which rules should be followed in regions of limited statehood? Which rules should be followed, if the implementers openly do not accept the legal environment? If these tasks are put in front of us, we have to make one major decision:

Do we accept this engagement or do we not accept this engagement?

In many cases, this decision is made too quickly. Even worse, this decision is too often made purely on commercial grounds. What I would like to say is: it is worth thinking about this point of acceptance. This, I will try in the next minutes.
Acceptance of an engagement has several aspects:
• We could ask ourselves, whether an engagement is acceptable in the framework of our professional standards. This we will do: we will analyze the ISAs, whether engagements in regions of limited statehood or in a hostile environment are acceptable, and what conditions exist for this.
• We could ask ourselves, whether an engagement is legally realizable in a certain country or whether the established framework contradicts somehow with the legal environment.
• We could ask ourselves, whether the engagement is sufficiently secure, and we can weigh the possible monetary output against the risk, or sometimes even the ethical gain of doing what has to be done.
• We could ask ourselves, whether an engagement is ethically justifiable, i.e. whether this engagement contradicts with the core values of our profession, namely with our conceptions of integrity, objectivity, professional competence and due care, confidentiality and professional behavior and with our conception of independence.

If the overall result is NO, this would mean that, in our opinion, the funds are not controllable, at least they are not controllable with this setting or these resources, because the framework is not acceptable. This also means that, with the result of this analysis, we can enter into negotiations.
In other words, what I suggest is that we first think before we take action. It may be that certain pre-conditions must be fulfilled in order to start an audit.
I give here one classical example: imagine you have to perform an audit in another country, in a “nasty” environment. Clients have conflicts with law-enforcing organs. However, it is not that foreigners are put into custody when they enter this country. What could you do to make this engagement acceptable?

Acceptance in the light of the International Standards on Auditing

If an auditor accepts an engagement, which determines that his framework for his working processes should be the ISAs, then of course these standards are mandatory for this auditor. Financial controllers usually do not work in the framework of the ISAs. Anyway, this paragraph could also be taken as a guidance for their work.

Framework for Auditors: International Standard on Auditing e.a.
Framework for Reporting: Financial reporting framework

You see that we must make a difference between our framework as controllers (our control framework) and the framework in which the reporting is drawn up (the financial reporting framework). These frameworks should not to be mixed. While the reporting framework can be determined by the client for instance with a project contract, the framework for the auditors is more or less limited: either ISAs or a national framework, for instance US GAAS or UK GAAS or others apply.
However, if an audit framework is absent, you cannot call the result an audit. This would then rather be “agreed upon procedures” – agreed upon procedures are also regulated by the IFAC, but this would be then a different discussion.
The differentiation between the framework for the controller and the framework for the controlled is a very important differentiation, because in emergency situations, auditees too easily require that auditors should do this or that – “because it is an emergency”. The professional answer here from the auditor is: No, the procedure for reporting is the “cup of tea” of the funding organisation, while the work procedure for the audit is the auditor’s “cup of tea”.

The financial reporting framework can be drawn up for general purposes or specific purposes. Specific means that these reports satisfy only the specific information needs of specific users. Most project audits are special purpose audits: this means that the financial report which has to be controlled, audited, checked, is drawn up for a special purpose not for a general purpose. The difference is that a financial report drawn up for general purposes must satisfy the information needs which could be expected from the general public.

The linkage between the frameworks for the reporting entity and the framework for the controller is the following: if the reporting framework is a special purpose framework and the ISAs should apply for the envisaged engagement, then we must use ISA 800 for this engagement.
The standard deals with special considerations in the application of those ISAs to an audit of financial statements prepared in accordance with a special purpose framework. You see that first this standard is a kind of exception standard: we try to standardize exceptions (you remember what we have said about the rule and the exception at the beginning of this workshop), second the standard treats special considerations to other standards, i.e. it is a kind of overrunning standard in special situations.

Who decides whether an engagement is a special purpose audit engagement? Ultimately the auditor: if the auditor sees that the reporting is only limited to special information needs, then the audit report could not be a general audit opinion. ISA 800 gives guidance, how this decision – the decision whether a financial reporting framework is firstly a special purpose framework, and second whether this financial reporting framework is acceptable – could be taken. The auditor should ask himself three questions:

The auditor shall obtain an understanding for which purpose the financial statements are prepared. This means others prepare it, with a view of a purpose – and we should understand this purpose. This includes even the following: statements could be “evidently” prepared for a special purpose, but they do not fulfil this special purpose. They still would be special purpose statements. Thus the question is:
Do I understand for which purpose the financial statements are prepared? As you see, I only ask myself. And if I answer YES to myself, then it is acceptable. It is an interesting question whether others could, and if yes, how, they could challenge this understanding.

The auditor should obtain an understanding of the intended users. Thus, we should ask ourselves: “Do I understand who is intended as user of the financial statements?” Immediately, we would ask: whose intention? This could be either the intention of those who prepare the report, or the intention of those who require the report, or even a third party. Once again, it is not necessary that the statements were or will be really used by a specified group. It is sufficient if we can say: “ah, this is done for the grant giving institution, and nobody else would understand this report”. It is not necessarily the auditee nor the ordering party who determines who should be the final user. A determination could be also fixed in the side conditions.

Example: The UNDP requires that a grantee engages an auditor, with the view that the back donors of the UNDP are informed. Although the back donors are not present, they do not determine the reporting format and they do not dictate the contract, they are still the intended final users of financial report.

The auditor has to obtain an understanding of the steps taken by management to determine that the applicable financial report framework is acceptable in the circumstances. We already understand which is the purpose or the report under audit and who are the intended users. Now, we also ask: what has been done by management? They also should determine whether the financial reporting framework is acceptable.

This regulation is already very thin air: yes, we could say, management read the project contract, indeed! And we can criticize management by saying: no, they did not fully understand what the purpose of their report is. They do not know what they want to say. Why can we say so? Because we know better what they want to say – because we obtained an understanding – of their misunderstanding.

ISA 800 explicitly says that the financial information needs of the intended users are a key factor in determining the acceptability of the financial reporting framework. We should understand the consequences: if the framework is inadequate for the intended purpose, we should not accept.
Example: A funding agency develops a reporting standard, which includes the complete general ledger. The full reporting in accordance with this standard covers more than 1,000 pages – this is of course non-sense. The intended user of this non-sense reporting is their back donor, a ministry of finance in another country. Is this acceptable? No, because a reporting in the form of a telephone book does not satisfy their information needs.

Why is this question so important? Because this is the only anchor that we have to maintain our independence. A client, who has the power to decide that a framework is acceptable, could do whatever he wants: if the audit opinion is qualified, he could interpret the framework in a different, more suitable way. The audit opinion would be always clean, because the framework could be amended or interpreted in a way that the result is without any qualification. You understand that auditors have no possibility to determine the framework – but they can say that it is not acceptable. Thus, this “Caveat” in ISA 800 is our only remedy to prevent a downgrading of the framework or distorted frameworks.

Unfortunately, this discussion seems to be easy only at first glance. There are, in our emergency situations, manifold cases which are not regulated. What kind of invoice, receipt or documentation should you require for a ransom sum, paid for a kidnapped aid worker? Are there any requirements to the form? Could you say to kidnappers, we would like to have a prenumbered invoice for the ransom sum, duly dated, addressed and signed? Who would write this into a financial manual? And because we are in exceptional situations, there could have been no rule for this (or, if there would be rules, it would not be an exceptional incident).

Thus, we are doomed to say whether a practice is acceptable or not – post factum and without an explicit rule. Some even say: rules always start like this. Somebody starts with a practice, without regulation. If there is a second kidnapping, we already have a kind of practice.

If you follow this thought carefully, you see that here is a point where we can learn something from emergency cases for our normality: all rules start as a risky first step. It is our task to evaluate this step. It could be that we honor the risk taken by the actors – in the example above, we could say: it was very good to mark the transmitted cash to the gangsters with fluorescent ink, so that the way of the cash could be traced later, or the like.

If we do so, we try to establish a rule. And with this we are also exposed to a risk (because rules can go wrong). On the other hand, there is also a risk of non-performance. If we are not able to cope with emergency situations, the ISAs loose a lot of their power, because then it would mean that the standards are not able to generate normality, but only benefit from normality.


We can accept – acceptance in the sense of the ISAs – an engagement in an emergency situation , i.e. in a situation without a functioning legal framework or in a hostile environment, if

  • we understand the purpose of the report,
  • we understand who are the intended users of the report, AND
  • if we understand what management has done in order to understand these questions.

The key is that the auditor determines the information needs of the users of the report – independently. Others (clients, users, auditees) have no power to superseed this determination.

Frank Fabel, CEO FWS, Chairman Empacta, CPA (inactive), MA