This article explores the objectives and requirements of clarified ISA 550, Related Parties. The standard has been revised and redrafted by the International Auditing and Assurance Standards Board, and is now broadly consistent with other ISAs in that a risk-based approach to the audit of related parties is adopted. This is often a challenging area, with a high risk of material misstatement, frequently leading to the identification of fraud risk indicators. Gaining an understanding of the requirements of ISA 550 is essential for all auditors.
The definition provided of a related party in ISA 550 is based on a person or entity that has control or significant influence, directly or indirectly, over the reporting entity; another entity over which the reporting entity has control or significant influence, directly or indirectly; or another entity that is under common control of the reporting entity. The applicable financial reporting framework is likely to provide similar definitions (for example in IAS 24, Related Party Disclosures). The issue is that all entities, whether large or small, will have related parties, which the auditor must take steps to identify, and to assess the risk of material misstatement arising.
Risk factors and objectives
Regardless of whether the applicable financial reporting framework establishes related party requirements, the auditor's objective is to obtain an understanding of related party relationships and transactions. This understanding should then be used to assess any resulting fraud risk indicators, and to conclude on the appropriateness of the accounting treatment and disclosures applied to related parties and transactions.
It is important to appreciate that ISA 550 recognises that related parties and transactions may give rise to a high risk of material misstatement, and are therefore of particular significance to the auditor. Risks arise because:
- Many entities operate through a complex range of relationships and structures, increasing the complexity of related party transactions;
- Management may be unaware of the existence of all related-party relationships and transactions;
- The entity's information systems may not identify transactions or outstanding balances with related parties, especially for transactions conducted at nil value, or outside the normal course of business;
- Related-party transactions may not be conducted under normal terms and conditions; and
- Related-party transactions may be deliberately concealed by management, and their accounting treatments often carry a high risk of deliberate manipulation.
ISA 550 emphasises the importance of maintaining professional scepticism when planning and performing audit work on related parties.
Identification of related-party relationships and transactions
ISA 550 requires the use of a risk-based approach to the audit of related parties and transactions. Specific reference is made to the engagement team discussion, in which specific consideration shall be made of the susceptibility of the financial statements to material misstatement resulting from related parties and transactions. Matters that could be discussed by the engagement team may include, for example, the entity's organisational structure, instances of off balance sheet finance, and the existence of any special purpose entities controlled or influenced by management.
ISA 550 imposes specific requirements in terms of enquiry with management. The auditor shall inquire regarding:
- The identity of related parties, including changes from the last reporting period;
- The nature of the relationships between the entity and the related parties; and
- Whether any related-party transactions have been entered into, and the type and purpose of any such transactions.
From a practical point of view, to help fulfil these requirements, the auditor should ask management for a list of related parties and all relevant transactions. This list can then be reviewed for completeness, based on the auditor's business understanding. Of course, management may not have such a list, especially if the applicable financial reporting framework contains limited or no disclosure requirements, in which case the auditor may need to discuss the ISA 550 definition of related party relationships with management and ask for a list to be drawn up.
ISA 550 also requires that the auditor obtains an understanding of controls used by management to:
- Identify, account for and disclose related-party relationships and transactions;
- Authorise and approve significant transactions and arrangements with related parties; and
- Authorise and approve significant transactions and events outside the normal course of business.
The application paragraphs of ISA 550 explain that the risk of management override of controls is potentially high when considering related-party relationships and transactions, especially when the relationships present management with incentives and opportunities to conduct fraud. Examples of such frauds include the transfer of assets to related parties at an amount significantly different to market value, and using special-purpose entities to deliberately misrepresent the financial position or performance of the reporting entity.
ISA 550 imposes a requirement that specific documents shall be inspected for indications of the existence of related-party relationships or transactions that management has not previously identified or disclosed to the auditor. The documents referred to in the ISA are:
- Bank and legal confirmations; and
- Minutes of meetings of shareholders and of those charged with governance.
Although the clarified ISA 550 requires the inspection of few specific documents, it requires the auditor to actively consider the inspection of other records or documents to identify related-party relationships or transactions. Paragraph A22 provides a comprehensive list of suggestions, including:
- Entity income tax returns;
- Information supplied by the entity to regulatory authorities;
- Shareholder registers to identify the entity's principal shareholders;
- Statements of conflicts of interest from management and those charged with governance;
- Records of the entity's investments and those of its pension plans;
- Contracts and agreements with key management or those charged with governance;
- Significant contracts re-negotiated during the period.
Related-party transactions outside the normal course of business
ISA 550 requires that significant related-party transactions outside the normal course of business shall be treated as a significant risk. The ISA provides examples of such transactions, including complex equity transactions, sales transactions with unusually large discounts or returns, transactions with circular arrangements such as sale and repurchase, and the rendering of management services if no consideration is exchanged.
If such transactions are identified, enquiries should be made into the business rationale of the transaction, and the relevant terms and conditions. Of course, the issue here is that the auditor should be alert to fraud-risk indicators, as well as considering whether the transaction has been accounted for correctly, and disclosed appropriately in the financial statements.
The application paragraphs of ISA 550 provide a helpful summary of matters that may be considered in evaluating the business rationale of a transaction, including the consideration of whether the transaction is overly complex, has unusual terms of trade, involves previously unidentified related parties, or is processed in an unusual manner.
It is also important to consider whether significant related-party transactions outside the normal course of business have been authorised and approved by management, those charged with governance, or shareholders (where relevant). The absence of such authorisation and approval without rational explanation may indicate a high risk of material misstatement due to fraud or error.
Related parties with dominant influence
One of the revisions to ISA 550 was the introduction of the term 'dominant influence'. The domination of management by an individual or a small group of people without compensating controls is a fraud risk indicator. Examples are provided of indicators of dominant influence:
- The related party has vetoed significant business decisions;
- Significant transactions are referred to the related party for final approval;
- There is little or no debate regarding business proposals initiated by the related party; and
- Transactions involving the related party or a close family member are rarely independently reviewed and approved.
Clearly, this type of situation could be common in owner-managed businesses. Additional procedures are suggested by ISA 550, with reference to ISA 240, The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements.
When the auditor discovers a related-party relationship or significant transaction with a related party that had not been disclosed by management, ISA 550 requires additional procedures to be conducted. These include prompt communication of the discovery with the audit engagement team, enquiry with management as to why controls failed to identify or disclose the related party or transaction, and the performance of additional substantive procedures, such as analysis of accounting records for transactions with the newly identified related party.
The main issues for the auditor to address here are whether the non-identification of the related party or transaction is deliberate, and whether there are other non-identified related parties or transactions.
If it appears that management has concealed their existence, the auditor may consider whether it is necessary to re-evaluate management's responses to the auditor's enquiries. Deliberate concealment may be viewed as a fraud risk indicator, and ISA 240 becomes relevant.
Representations and communication
ISA 550 requires that where the financial reporting framework establishes related party requirements, the auditor shall obtain written representations from management, and where appropriate, those charged with governance that:
- They have disclosed the identity of all related parties, related party relationships and transactions of which they are aware; and
- They have appropriately accounted for and disclosed such relationships and transactions in accordance with the financial reporting framework.
ISA 550 also provides guidance on matters relevant to related parties that the auditor may communicate to those charged with governance, for example:
- Non-disclosure (whether intentional or not) by management to the auditor of related parties or significant related-party transactions, which may alert those charged with governance to significant related-party relationships and transactions of which they may not have been previously aware;
- Disagreement with management regarding the accounting for and disclosure of significant related party transactions in accordance with the framework; and
- Difficulties in identifying the party that ultimately controls the entity.
ISA 550 focuses the auditor's attention on the risk of material misstatement that may arise due to the existence of related-party relationships and transactions. The standard emphasises the importance of considering these matters during planning and especially as part of risk assessment. There are some specific procedural requirements, and audit firms may need to review current practice to ensure that these requirements are met. Ultimately, ISA 550 provides clear guidance on the audit of this potentially challenging and extremely important area.