Risk Assessment Procedures


The auditor obtains a sufficient understanding of the SMSF and its environment, including its internal control, to identify and assess the risks of material misstatement of the financial report, whether due to fraud or error, and the risk of non-compliance with the specified requirements of the SISA and SISR, in order to design and perform further audit procedures. The risk assessment for the financial audit includes identifying and assessing risks at the financial report level and at the assertion level for classes of transactions, account balances and disclosures, as required by ASA 330.


Under ASA 315, the auditor is required to examine the internal controls of the SMSF. ASAE 3100 requires the auditor to document the key elements of the compliance framework, such as procedures for identifying, assessing and reporting compliance incidents and breaches. Given the nature of a SMSF, it is possible that there may be limited reliable internal controls on which the auditor may rely. Even if the auditor considers that a fully substantive audit approach is appropriate, the auditor is still expected, under ASA 230, to document their consideration of the internal control environment.


Under ASA 250, the auditor is required to consider whether the SMSF has previously breached the SISA or SISR and whether there is any outstanding correspondence with, or unresolved issue raised by, the ATO. Any such matters identified will affect the risk assessment and the auditor’s assessment of the compliance framework.


SMSFs are often small entities, with a close and related membership where all trustees or directors of the corporate trustee may be equally responsible for managing the fund and making decisions. There may be little or no opportunity for implementing segregation of duties between trustees. Consequently, the auditor may assess the SMSF’s internal control environment and compliance framework as ineffective, in which case the auditor will be unable to rely on the effectiveness of the internal controls to reduce the level of substantive testing. As a result, the auditor would design and perform further audit procedures which are entirely substantive procedures. If the administration of the SMSF is outsourced, the auditor evaluates the controls prevailing at the administrator.

Use of Underlying Data in a SMSF Audit


Initial risk assessment and audit planning includes considering how the preparer of the financial report for the SMSF collects the underlying data. Technology is commonly used for data management and transfer, and the method used may influence the risk assessment undertaken by the SMSF auditor.


Traditionally, the primary source document for SMSF account preparation was the bank statement, and individual transactions were manually loaded into accounting software (including Excel) for report preparation. The inherent risks in this approach included the risk that a bank statement had been altered, so the auditor would normally obtain confirmation directly from the bank in the audit planning phase. In current practice it is more common for cash transaction data to be sourced via data feeds, in which the financial institution transmits the information directly into the software of the report preparer. Data feeds are also being used to obtain information from share brokers, wrap accounts and term deposit providers.


Where the data feeds are utilised via a ‘direct-connect’ process, that is, an end-to-end encrypted link over a point-to-point connection, the opportunity to intercept or manipulate the data in transit is substantially reduced, as the information feeds directly from the financial institution into the software of the party preparing the annual compliance report without a manual file step. Encryption of the link protects the data only while it is in transit; it gives no assurance over the data at either endpoint or over the credentials used to establish the feed. If an ASAE 3402 Type 2 report on controls has been obtained, this process of data transfer does not ordinarily represent any additional risk to the SMSF audit process. However, this does not change the need for the audit planning process to encompass an assessment of the inherent risks associated with the transactional data being held by a service organisation such as an investor directed portfolio service (IDPS).[71]


Additional testing may be considered for the audit of a SMSF that utilises data feeds for the preparation of the annual compliance report, and would normally be planned in the audit planning phase. Such additional testing is most likely to be necessary where the preparer of the financial report uses manual file imports from financial institutions rather than a direct feed, because the integrity of the imported data cannot be assumed.
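The following is an added example of the kind of integrity test an auditor can run over a manually imported bank transaction file before relying on it; it is not part of the guidance and does not reflect any particular preparer's software. The sample exports, figures and confirmed balances are constructed for illustration. The checks are: the running balance chains correctly from row to row (a deleted, inserted or edited row breaks the chain even when the closing balance still agrees with the bank), the opening and closing balances agree with the figures confirmed directly by the bank, and a digest of the exact file examined is recorded for the working papers.

```python
"""Integrity checks over a manually imported bank transaction file.

Added example for the guidance above; the data is constructed, not real.
"""
import csv
import hashlib
import io
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    date: str
    description: str
    amount: Decimal
    balance: Decimal  # running balance as reported by the bank after this row


# Constructed sample export as a preparer might import it (hypothetical figures).
CLEAN_EXPORT = """date,description,amount,balance
2023-07-01,Opening balance,0.00,125000.00
2023-07-10,Employer contribution,5000.00,130000.00
2023-07-15,Share purchase,-20000.00,110000.00
2023-07-28,Term deposit interest,450.00,110450.00
"""

# Same file with the share purchase row removed after export. The closing
# balance still matches the bank, so a closing-balance check alone passes.
TAMPERED_EXPORT = """date,description,amount,balance
2023-07-01,Opening balance,0.00,125000.00
2023-07-10,Employer contribution,5000.00,130000.00
2023-07-28,Term deposit interest,450.00,110450.00
"""


def parse_export(text: str) -> list[Txn]:
    """Parse a CSV export with date, description, amount and balance columns."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Txn(r["date"], r["description"], Decimal(r["amount"]), Decimal(r["balance"]))
        for r in rows
    ]


def file_digest(text: str) -> str:
    """SHA-256 of the exact bytes examined, recorded in the working papers."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def chain_breaks(txns: list[Txn]) -> list[int]:
    """Row indexes where balance != previous balance + amount.

    Any row that was deleted, inserted or edited without re-stating the
    reported balances shows up here.
    """
    return [
        i
        for i in range(1, len(txns))
        if txns[i - 1].balance + txns[i].amount != txns[i].balance
    ]


def reconcile(text: str, confirmed_opening: str, confirmed_closing: str) -> dict:
    """Compare an imported file against balances confirmed directly by the bank.

    confirmed_opening/closing are decimal strings (e.g. "125000.00") as they
    would be read from the bank's confirmation.
    """
    txns = parse_export(text)
    opening = Decimal(confirmed_opening)
    closing = Decimal(confirmed_closing)
    net = sum((t.amount for t in txns), Decimal("0"))
    # Balance before the first row, plus every movement, must reach the closing balance.
    movement_ok = bool(txns) and (txns[0].balance - txns[0].amount + net == closing)
    return {
        "digest": file_digest(text),
        "rows": len(txns),
        "opening_ok": bool(txns) and txns[0].balance == opening,
        "closing_ok": bool(txns) and txns[-1].balance == closing,
        "movement_ok": movement_ok,
        "chain_breaks": chain_breaks(txns),
    }


if __name__ == "__main__":
    for label, export in (("clean", CLEAN_EXPORT), ("tampered", TAMPERED_EXPORT)):
        print(label, reconcile(export, "125000.00", "110450.00"))
```

The tampered file passes the closing-balance comparison but fails both the movement test and the chain test, which is why a confirmation of the closing balance alone is not sufficient evidence that an imported file is complete.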


[71] ‘IDPS’ means an investor directed portfolio service, consisting of a number of functions including a custody, settlement and reporting system and service. The clients of the service have the sole discretion to decide what assets will be acquired or disposed of. See ASIC CO 13/763.