Assurance
An engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the
intended users other than the responsible party about the outcome of the evaluation or measurement of a subject
matter against criteria.
Auditing
A subset of assurance; a systematic process of objectively obtaining and evaluating evidence regarding assertions about
economic actions and events to ascertain the degree of correspondence between those assertions and established
criteria, and communicating the results to interested users. It bridges the lack of trust between buyers and sellers.
Overview of the Principal-Agent Relationship Leading to the Demand for Auditing
The Principal-Agent Relationship
Agent usually has more information. Hence, role of auditor: determine whether reports prepared by the
manager conform to the contract's provisions. Reduce information risk [risk that information circulated by a
company's management will be false or misleading].
To reduce problem: manager may agree to some monitoring provisions to assure he/she will not misuse
resources.
Level of Assurance
Practitioner gathers sufficient appropriate evidence to enable him to express his conclusion in a positive form
E.g. “In our opinion, management’s assertions are fairly presented”
Practitioner gathers sufficient appropriate evidence to enable him to express his conclusion in a negative form
E.g. “In our opinion, nothing has come to our attention that causes us to believe that management’s assertions are
not fairly presented”
AC3101 ASSURANCE & AUDITING | BY SAMUEL WYSTAN
Types of Assurance
Practitioner either directly performs the evaluation or measurement of the subject matter, or obtains a
representation from the responsible party that has performed the evaluation or measurement that is not available
to the intended users.
Subject matter info is provided to the intended users in the assurance report
E.g. Compliance and Operational Audits (where no assertions are made by the responsible party to intended users)
Intended users=no report + practitioner prepare report instead of responsible party
Audit Risk
Audit Risk is the risk that the Auditor expresses an inappropriate audit opinion when the financial statements are
materially misstated.
To be covered later.
Audit Evidence
All the information used by the Auditor in arriving at the conclusions on which the audit opinion is based, and
includes the information contained in the accounting records underlying the financial statements and other
information.
To be covered later.
Profession
A disciplined group of individuals who adhere to high ethical standards and uphold themselves to, and are
accepted by, the public as possessing special knowledge and skills in a widely recognized, organized body of
learning derived from education and training at a high level, and who are prepared to exercise this knowledge and
these skills in the interest of others.
Characteristics of a Profession
Professional Associations
Institute of Singapore Chartered Accountants (ISCA), formerly ICPAS: The ISCA is the national professional body for
accountants in Singapore. It sets out to develop, support and enhance the integrity, status and interests of the
accountancy profession in Singapore.
Association of Chartered Certified Accountants (ACCA): ACCA is a leading international accountancy body. The ACCA
qualification is recognised and is treated in other countries as being equivalent to their local qualification.
Other Countries: Other professional bodies for different countries around the world
American Institute of CPAs (AICPA)
Institute of Chartered Accountants in England and Wales (ICAEW)
CPA Australia
The Institute of Internal Auditors (IIA): The IIA is recognized as the internal audit profession's leader in
REGULATION IN SINGAPORE
Chartered Accountants
The Chartered Accountant of Singapore (CA (Singapore)) title is protected under the Singapore Accountancy
Commission (SAC) Act and the Singapore Qualification Programme (SQP).
The SQP, a pathway to obtain the CA (Singapore) designation, is owned by the SAC, a statutory board of the Singapore
Government.
The SQP comprises 3 components, namely: academic base, professional programme and practical experience. To
attain the CA (Singapore) designation, Candidates will have to complete 3 years of relevant practical work
experience, under the supervision of an Approved Mentor, and with a Training Agreement at an Accredited
Training Organization (ATO)
The ISCA is also the Administrator of the SQP. ISCA works closely with the SAC in raising the profile of the SQP,
helping it to attain international recognition, and promote it as the educational pathway of choice for professional
accountants.
No longer used widely in Singapore because of the name change: An accountant - previously known as a CPA - will now
be called a Chartered Accountant of Singapore. All CPA Singapore holders will be automatically converted to the CA
Singapore designation in July 2013.
1. Government Regulation
National regulator of business entities and public accountants in Singapore and plays the role of facilitator for their
development.
ACRA undertakes the oversight of issuance of Singapore Standards of Auditing.
2. Self Regulation by the Professional Association (i.e. ISCA)
Institute of Singapore Chartered Accountants
Government regulation has stricter regulation and more public oversight. International Standards on Auditing more
comprehensive.
ISCA’s Auditing and Assurance Standards Committee (AASC) manages the due process of localizing the standards
issued by ACRA.
REGULATION IN USA
SOX
Sarbanes-Oxley Act (SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public
from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate
disclosures.
The government agency that regulates disclosure of information for an initial public offering of securities and
ongoing reporting by companies whose securities are listed and traded on a US stock exchange.
Oversees the Public Company Accounting Oversight Board (PCAOB):
o The PCAOB is a nonprofit corporation established by Congress through the Sarbanes-Oxley Act (2002) to oversee
the audits of public companies in order to protect the interests of investors and further the public interest in
the preparation of informative, accurate and independent audit reports.
o The PCAOB also oversees the audits of broker-dealers, including compliance reports filed pursuant to federal
securities laws, to promote investor protection.
A privately-funded, independent board consisting of accounting professionals who establish and communicate
standards of financial accounting and reporting in the United States. FASB standards, known as Generally
Accepted Accounting Principles (US GAAP), govern the preparation of corporate financial reports and are
recognized as authoritative by the SEC.
INTERNATIONAL STANDARDS AND ORGANIZATIONS
International Federation of Accountants (IFAC)
IFAC is the global organization for the accountancy profession. It establishes international standards on ethics,
auditing and assurance, accounting education, and public-sector accounting through its independent
standard-setting boards:
International Auditing and Assurance Standards Board (IAASB)
IAASB is the board (funded by IFAC) that develops and issues standards:
International Standards of Auditing (ISAs) are professional standards for the performance of financial auditing of
financial information.
International Standards on Review Engagements (ISRE) apply in the review of historical financial information.
International Standards on Assurance Engagements (ISAE) apply in assurance engagements other than audits or
reviews of historical financial information.
International Standards on Related Services (ISRS)
To ensure the activities of the IFAC and the independent boards are responsive to public interest, an international
Public Interest Oversight Board (PIOB) was established to oversee the standard-setting process:
Public Interest Oversight Board (PIOB)
PIOB is an international body that oversees the IFAC and seeks to improve the quality and public interest focus of
the IFAC standards in areas of Audit, education and ethics. Members of PIOB are nominated by regulators and related
organizations.
Before a standard is finalized, the PIOB must approve that the standard-setting has followed a due process,
including that the standard-setting was sufficiently responsive to the needs and perceptions of various stakeholders.
International Accounting Standards Board (IASB)
IASB is an independent, privately-funded accounting standard-setter that is responsible for the development and
publication of International Financial Reporting Standards (IFRS) and for approving interpretations of IFRS.
Their predecessor is the International Accounting Standards Committee (IASC) and supersedes their old
International Accounting Standards (IAS).
MANDATORY AUDIT REQUIREMENTS IN SINGAPORE
Mandatory Audit in Singapore
S201, section 14A - True and Fair override
'... need not comply with that requirement (of Accounting Standards) to the extent that this is necessary for them to
give a true and fair value of the matter.'
Companies Act, Section 201:
Directors of every Company to present at AGM audited profit/loss account and balance sheet that comply with
the requirements of the Accounting Standards and give a true and fair view of the profit and loss and state of
affairs of the Company respectively
Holding Companies to present audited balance sheet of the holding Company and Consolidated profit/loss account
and balance sheet.
The difference between the actual and expected performance of an Auditor, also defined as ‘the difference
between what the public and financial statement users believe Auditors are responsible for and what Auditors
themselves believe their responsibilities are’.
Some measures that the profession has taken to narrow the Audit Expectation Gap: Education (e.g. more
information), Improving Auditing Standards
Loss of confidence and trust by society could be explained by the audit expectation-performance gap.
The gap has 2 components: a ‘reasonableness gap’, which is the responsibilities society unreasonably expects auditors to
perform. Responsibilities reasonably expected of auditors should be those which are cost-beneficial for auditors to perform;
unreasonable expectations would be things such as guaranteeing that the FS are completely accurate or that the company is
financially sound.
Performance gap has two components: deficient standards gap (duties reasonably expected but not required of
auditors based on their existing duties). That is, duties that extend beyond auditors' current legal and professional
responsibilities. For example, requiring auditors to disclose in the audit report, or to an appropriate authority, matters of
concern encountered during an audit – such as effectiveness of company’s internal controls; reliability of information
relating to the company on the internet.
Deficient performance gap: society perceiving auditors not to perform the responsibilities required of them to the
expected standard.
To narrow unreasonable expectations: one primary way is through educating the users on what an audit can accomplish
within reasonable time and cost constraints; to that end, the auditor’s report explains what is management’s
responsibility and auditor’s responsibility. The enhanced auditor report further clarifies the responsibilities (refer them to
seminar 4); involvement of public in standard setting process (AASC for example, has public members).
To narrow deficient standards: improved auditing standards to better align auditor’s responsibilities with society’s
reasonable expectations (hence, the clarity project was undertaken by IAASB and now we have the clarified auditing
standards); enhanced auditor reporting;
To narrow deficient performance: can enhance monitoring of auditor’s performance (such as the PMP by ACRA); better
training of auditors (CPE requirements, SQP, new standards for registering as a public accountant); and more stringent
quality control over audit (SSQC 1)
JUDGMENT IN AUDITS
Role and Importance of Judgment in Audits
Auditor needs to exercise judgment throughout the Audit, such as:
Cognitive Biases
Framing
Frames are mental structures that we use, usually subconsciously, to simplify, organize and guide our
understanding of a situation.
They shape our perspectives and determine the information that we will see as relevant or irrelevant, important or
unimportant. Frames are necessary and helpful, but the problem is that we often are not aware of the perspective
or frame we are using.
Availability
Availability Heuristic is the tendency for decision-makers to consider information that is easily retrievable from
memory as being more likely, more relevant and more important for a judgment.
The information that is most ‘available’ to our memory may unduly influence estimates, probability assessments
and other professional judgments.
E.g. Having just encountered a client involved in Fraud/misappropriation of cash, an Auditor pays disproportionate
attention in the Audit of Cash in the current engagement
Confirmation
Confirmation is the tendency for decision-makers to seek for and give more weight to information that is consistent
with their initial beliefs or preferences.
After receiving confirmatory evidence, decision-makers often are confident that they have/will be able to find
adequate evidence to support their belief.
E.g. Auditors tend to be prone to over-relying on management’s explanation for a significant difference between the
Auditor's Expectation and Management’s Recorded Values, even when the client’s explanation is inadequate.
Representativeness
Representativeness Heuristic is the tendency for decision-makers to compare information to their mental prototypes
(i.e. stereotypes)
E.g. Having known the Management are highly-learned people with MBA educational background from top business
schools, an Auditor concludes that Fraud Risk factor is low
E.g. Believing that the internal controls should be working well, an Auditor disregards his ad-hoc observations that
segregation of duties was lacking on certain occasions in the purchasing function.
Anchoring is the tendency for decision-makers to make assessments by starting from an initial numerical value and
then to adjust insufficiently away from that value in forming a final judgment.
E.g. Management’s estimate/unaudited account balance can serve as an Anchor. The Auditor is charged with
objectively assessing the fairness of an account balance.
E.g. When setting preliminary materiality at the planning phase, the Auditor applies a rate of 10% on PBT (the same
basis used as in the previous year’s Audit), even though there is a significant increase in the business risks.
Theories of Ethical Behaviour
1. Utilitarianism: Interests of all parties affected should be considered and not just one’s own self-interest. Also
recognizes the trade-offs between the benefits and burdens of alternative actions
2. Rights-based approach: Individuals have certain rights and other individuals have a duty to respect those rights
(However, note that it is difficult to satisfy all rights of all affected parties)
3. Justice-based approach: Each person has a right to have the maximum degree of personal freedom that is still
compatible with the liberty of others + social and economic actions should be to everyone’s advantage and the
benefits available to all
MISSTATEMENTS
Misstatement
SSA 200: A difference between the amount, classification, presentation, or disclosure of a reported financial
statement item and that required for it to be in accordance with the applicable financial reporting framework
Can arise from either errors or frauds and can be either immaterial, material OR material and pervasive.
Material Misstatements
SSA 320(2): Misstatements, including omissions, are considered to be material if they, individually or in aggregate,
could reasonably be expected to influence the economic decisions of users taken on the basis of the financial
statements.
Judgments about materiality are made in light of surrounding circumstances, and are affected by the size or nature
of a misstatement, or a combination of both.
Pervasive Misstatements
Misstatements so serious and severe that they are not confined to specific elements, accounts or items of the
financial statements.
Or, if they are confined, they represent or could represent a substantial proportion of the financial statements.
Or, in relation to disclosures, are fundamental to user’s understanding of the financial statements.
Quality of Audit
In A Framework for Audit Quality by the IAASB, they adopt the view that a quality Audit is likely to be achieved
when the Auditor’s opinion on the financial statements can be relied upon as it was based on sufficient
Factors Affecting Audit Quality
Within these input factors, quality attributes are further organized between those that apply directly at:
(a) The audit engagement level;
(b) The level of an audit firm, and therefore indirectly to all audits undertaken by that audit firm; and
(c) The national (or jurisdictional) level and therefore indirectly to all audit firms operating in that country and the audits they
undertake.
The inputs to audit quality will be influenced by the context in which an audit is performed, the interactions with key
stakeholders and the outputs. For example, laws and regulations (context) may require specific reports (output) that influence
the skills (input) utilized.
Process
The rigor of the audit process and quality control procedures impact audit quality.
Outputs
Outputs include reports and information that are formally prepared and presented by one party to another, as well as outputs
that arise from the auditing process that are generally not visible to those outside the audited organization. For example, these
may include improvements to the entity’s financial reporting practices and internal control over financial reporting, that may
result from auditor findings.
The outputs from the audit are often determined by the context, including legislative requirements.
While some stakeholders can influence the nature of the outputs, others have less influence.
Indeed, for some stakeholders, such as investors in listed companies, the auditor’s report is the primary output.
Contextual Factors
There are a number of environmental – or contextual – factors, such as laws and regulations and corporate governance, which
have the potential to impact the nature and quality of financial reporting and, directly or indirectly, audit quality. Where
appropriate, auditors respond to these factors when determining how best to obtain sufficient appropriate audit evidence.
Audit Failure
Causes of Audit Failure can be due to: Lack of Competence, Lack of Due Care, Lack of Experience, Laziness, Self-
Rationalization, Lack of Integrity, Lack of Objectivity, Conflicts of Interest
The financial statements are found to be materially misstated after the Auditor has issued an Unqualified Audit
Opinion.
The company goes bankrupt in less than 12 months after financial year end, but the Auditors’ report did not
highlight any going-concern uncertainty when in fact there were several that existed.
One can argue that a negative audit outcome does not necessarily imply an audit failure. This is consistent with the
profession’s position that an audit provides only reasonable (not absolute) assurance that the f/s is free from material
misstatements, and that the audit does not provide assurance on the future viability of the entity. However, this position may
not be accepted by the public due to unreasonable expectations.
In contrast, a “process-based” definition of audit failure is consistent with the court’s practice of examining the audit process
to determine whether the auditor has been negligent (i.e., not met reasonable expectations). Thus, a negative audit outcome
may provide prima facie, but not conclusive, evidence of an audit failure.
QUALITY CONTROLS OVER AUDIT FIRMS & ENGAGEMENTS
SSA 220: Quality Control for an Audit of Financial Statements (Engagement Specific)
Addresses quality control for the Engagement Team. It requires Engagement Teams to implement quality control
procedures for every Audit and to provide the firm with relevant information to enable the functioning of the firm's
system of quality control relating to independence.
i.e. specifically requires engagement partner to take responsibility for the overall quality of the audit
Addresses a firm’s system of quality control to provide reasonable assurance that the firm and personnel comply
with professional standards and applicable legal and regulatory requirements and compliance with those policies.
2. Relevant ethical requirements: Policies and procedures designed to provide the firm with reasonable assurance that the firm
and its personnel comply with relevant ethical requirements, including independence requirements, that it is notified of
breaches of independence requirements, and that it is able to take appropriate actions to resolve such situations
Adoption of ACRA (IFAC) Code or equivalent
Staff awareness
‘Ethics’ partner
Potential threats to independence
Communicate requirements to staff
Prompt identification of breaches and circumstances and relationship that may pose a threat
Safeguards and action taken to resolve matters
3. Acceptance and continuance of client relationships and specific engagements: The firm should establish policies and
procedures for the acceptance and continuance of client relationships and specific engagements, designed to provide the firm
with reasonable assurance that it will undertake or continue relationships and engagements only when the firm:
a. is competent to perform the engagement and has the capabilities, including time and resources, to do so; (Ref: par. A11)
b. can comply with legal and relevant ethical requirements; and
c. has considered the integrity of the client and does not have information that would lead it to conclude that the client lacks
integrity. (Ref: par. A12– A13)
Clients gained and lost
Risk assessments before accepting appointments
Procedure before accepting assignment
Engagement letters
High risk clients
Policy on withdrawal
4. Human resources: The firm should establish policies and procedures designed to provide it with reasonable assurance that
it has sufficient personnel with the competence, capabilities, and commitment to ethical principles necessary to:
a. perform engagements in accordance with professional standards and applicable legal and regulatory requirements and
b. enable the firm to issue reports that are appropriate in the circumstances. (Ref: par. A17 – A24)
Staff used in the conduct of audit
Firm’s assessment of adequacy of suitable staff resources
Policies and procedures on:
Recruitment
Performance evaluation
Capabilities and competence
Career development
Remuneration
Review of personnel files
References
Job descriptions
Appraisals
Appropriate training to meet needs
5. Engagement performance: The firm should establish policies and procedures designed to provide it with reasonable
assurance that engagements are performed in accordance with professional standards and applicable legal and regulatory
requirements and that the firm issues reports that are appropriate in the circumstances
Audit methodology
Procedure for engagement partner to inform team of responsibilities, background information, planning issues and
audit approach
Supervision by engagement partner
Review procedures
Consultation
Assembly of final engagement files
Documentation
6. Monitoring: Established monitoring process designed to provide the firm with reasonable assurance that the policies and
procedures relating to the system of quality control are relevant, adequate and operating effectively.
Review of firm’s system of quality control
Periodic “cold” reviews of engagement files
Issue of an inappropriate report
Complaints regarding non-compliance with professional standards and firm’s own system of quality control
Code of Ethics (ACRA and IFAC/IESBA)
Competence and Due Care: that a client or employer receives competent professional services based on current
developments in practice, legislation and techniques and act diligently [make sound judgment] and in accordance with
applicable technical and professional standards.
Confidentiality: A professional accountant shall respect the confidentiality of information acquired as a result of
professional and business relationships and not disclose any such information to third parties without
proper and specific authority, unless there is a legal or professional right or duty to disclose, nor use the
information for the personal advantage of the professional accountant or third parties.
Professional Behaviour: A professional accountant shall comply with relevant laws and regulations and avoid any
action that discredits the profession
IESBA CODE OF ETHICS FOR PROFESSIONAL ACCOUNTANTS
The state of mind that permits the expression of a conclusion without being affected by influences that
compromise professional judgment, thereby allowing an individual to act with integrity and exercise objectivity
and professional skepticism.
The avoidance of facts and circumstances that are so significant that a reasonable and informed third party would
be likely to conclude, weighing all the specific facts and circumstances, that a firm’s, or a member of the audit
team’s, integrity, objectivity or professional skepticism has been compromised.
Refer to Page 42 of IESBA for Table of Contents of all Independence-Related situations
Threats to Fundamental Principles
A circumstance or relationship may create more than one threat, and a threat may affect compliance with more than one
fundamental principle. Memory Tip: “Si.r. A.f.i.”
(a) Self-Interest Threat – the threat that a financial or other interest will inappropriately influence the professional
accountant’s judgment or behavior; Examples
A member of the assurance team having a direct financial interest in the assurance client.
A firm having undue dependence on total fees from a client.
A member of the assurance team having a significant close business relationship with an assurance client.
A firm being concerned about the possibility of losing a significant client.
A member of the audit team entering into employment negotiations with the audit client.
A firm entering into a contingent fee arrangement relating to an assurance engagement.
A professional accountant discovering a significant error when evaluating the results of a previous professional
service performed by a member of his own firm.
(b) Self-Review Threat – the threat that a professional accountant will not appropriately evaluate the results of a previous
judgment made or service performed by himself, or by another individual within his firm or employing organization, on
which he will rely when forming a judgment as part of providing a current service;
A firm issuing an assurance report on the effectiveness of the operation of financial systems after designing or
implementing the systems.
A firm having prepared the original data used to generate records that are the subject matter of the assurance
engagement.
A member of the assurance team being, or having recently been, a director or officer of the client.
A member of the assurance team being, or having recently been, employed by the client in a position to exert
significant influence over the subject matter of the engagement.
The firm performing a service for an assurance client that directly affects the subject matter information of the
assurance engagement.
(c) Advocacy Threat – the threat of promoting a client’s or employer’s position till his objectivity is compromised;
(d) Familiarity Threat ─ the threat that due to a long or close relationship with a client or employer, a professional
accountant will be too sympathetic to their interests or too accepting of their work;
(e) Intimidation Threat – the threat that a professional accountant will be deterred from acting objectively because of
actual or perceived pressures, including attempts to exercise undue influence over the professional accountant.
If the Practitioner determines that appropriate Safeguards are not available/cannot be applied to eliminate the threat
or reduce them to an acceptable level, then he shall eliminate the circumstance/relationship creating the threats, or
decline or terminate the Audit Engagement.
Safeguards
Educational, training and experience requirements for entry into the profession.
Continuing professional development requirements.
Corporate governance regulations.
Professional standards.
Professional or regulatory monitoring and disciplinary procedures.
Leadership of the firm that stresses the importance of compliance with the fundamental principles.
Leadership of the firm that establishes the expectation that assurance team will act in the public interest.
Policies and procedures to implement and monitor quality control of engagements.
Documented policies regarding the need to identify threats to compliance with the fundamental principles, evaluate
the significance of those threats, and apply safeguards to eliminate or reduce the threats to an acceptable level or,
when appropriate safeguards are not available or cannot be applied, terminate or decline the relevant
engagement.
Documented internal policies and procedures requiring compliance with the fundamental principles.
Policies and procedures that will enable the identification of interests or relationships between the firm or members
of engagement teams and clients.
Policies and procedures to monitor and, if necessary, manage the reliance on revenue received from a single client.
Using different partners and engagement teams with separate reporting lines for the provision of non-assurance
services to an assurance client.
Policies and procedures to prohibit individuals who are not members of an engagement team from inappropriately
influencing the outcome of the engagement.
Timely communication of a firm’s policies and procedures, including any changes to them, to all partners and
professional staff, and appropriate training and education on such policies and procedures.
Designating a member of senior management to be responsible for overseeing the adequate functioning of the
firm’s quality control system.
Advising partners/professional staff of assurance clients and related entities from which independence is required.
A disciplinary mechanism to promote compliance with policies and procedures.
Published policies and procedures to encourage and empower staff to communicate to senior levels within the firm
any issue relating to compliance with the fundamental principles that concerns them.
Having a professional accountant who was not involved with the assurance/non-assurance service review the
assurance/non-assurance work performed or otherwise advise as necessary.
Consulting an independent third party, such as a committee of independent directors, a professional regulatory
body or another professional accountant.
Discussing ethical issues with those charged with governance of the client.
Disclosing to those charged with governance of client the nature of services provided and extent of fees charged.
Involving another firm to perform or re-perform part of the engagement.
Rotating senior assurance team personnel.
Client Acceptance
SSA 220(A8) states that the following information assists the engagement partner in determining if the conclusions
reached regarding acceptance/continuance of client relationships and Audit Engagements are appropriate:
The Integrity of the Principal Owners, Key Management and those charged with Governance of the entity
Whether the Engagement Team is Competent to perform the Audit Engagement and has the necessary
capabilities, including time and resources;
Whether the firm and the Engagement Team can comply with relevant ethical requirements; and
Significant matters that have arisen during the current or previous Audit Engagement, and their implications for
continuing the relationship.
Minimise the likelihood that auditors would associate with clients who lack integrity [increased risk: RMM may exist
and not be detected]
Procedures for Evaluating Prospective Client
1. Obtain and Review available financial information (Annual Reports, Interim Financial Statements, Income Tax
Returns, etc.)
2. Inquire of Third Parties (e.g. Client's Bankers, Lawyers, Credit Agencies, Business Community) regarding any
Information concerning the Integrity of the Prospective Client and its Management
3. Communicate with the predecessor Auditor about whether there were any disagreements about Accounting
Policies, Audit Procedures or similar significant matters.
4. Consider whether the Prospective Client has any circumstances that will require special attention or that may
represent unusual business or Audit risks, such as litigation or going-concern issues.
5. Determine if the firm is independent of the entity and able to provide the desired service.
6. Determine if the firm has the necessary technical skills/knowledge of the industry to complete the engagement.
7. Determine if acceptance of the entity would violate any applicable regulatory or ethical requirements such as
those in the IESBA Code of Ethics for Professional Accountants.
Client Continuance
Audit firms need to ensure that their engagements are completed by Auditors having the proper degree of
technical training and proficiency given the circumstances of the entity.
Factors that should be considered in determining staffing requirements include:
o Engagement Size and Complexity
o Level of Risk (If high, maybe need more senior/experienced Auditors)
o Any Special Expertise Required (e.g. Banking/Insurance/Casino or Sophisticated IT processes)
o Personnel Availability
o Timing of Work to be performed
STAGE 2.2 ENSURING THAT THE AUDIT TEAM AND AUDIT FIRM ARE IN COMPLIANCE WITH
ETHICAL AND INDEPENDENCE REQUIREMENTS [Independence refer to page 20]
Ensure Compliance
Auditing Standards require the Auditors comply with the profession’s ethical requirements, especially that of
Independence. The legal and regulatory requirements in the jurisdiction and the IESBA Code of Ethics prescribe the
relevant requirements.
At the Engagement Level, the Partner should ensure that all individuals assigned to the Engagement are
independent of the entity (review Annual Independence Reports in Database etc.)
Other examples include being Objective when evaluating activities developed by Consultancy branch of our firm,
not taking on a client until all prior year’s fees/AR are paid as it may impair Independence etc…
STAGE 2.3 ESTABLISHING AN UNDERSTANDING WITH THE ENTITY
The Auditor should establish an understanding with the entity about the Terms of Engagement (documented in
the Engagement Letter). This understanding reduces the risk that either party may misinterpret what is expected
or required of the other party.
In establishing an understanding with the entity, three topics should be discussed:
Reporting
Additional things like arrangements involving the use of experts/internal Auditors, explanation
of the Auditor's responsibilities to communicate Audit matters of governance interest with
those charged with governance, additional services to be provided relating to regulatory
requirements, arrangements regarding other services (e.g. consulting, tax) etc…
2. Using the Work of Internal Auditors
If the entity has an Internal Audit Function (IAF), the Auditor may use their work as evidence and
request IAF assistance in conducting the Audit (if direct assistance is not prohibited by
law/regulation)
The Auditor first needs to obtain an understanding of the IAF, including information about the
activities that it performs and whether they are relevant to the Audit of financial statements.
The Auditor must evaluate:
o The extent to which the IAF’s organizational status and relevant policies and procedures
support the objectivity of the internal Auditors.
o The level of competence of the IAF
o Whether the IAF has a quality, systematic and disciplined approach.
3. The Role of Those Charged With Governance
Can be Supervisory Boards (Two-tier Board Structure) or Board of Directors (Single Board
Structure) or an Audit Committee (Large/Public Entities)
Communicate with those charged with governance before the Engagement starts, to establish a
communication process and discuss matters such as Auditor's Responsibilities, Significant
Accounting Policies of the Entity, Overview of the planned Scope and Timing of the Audit and
Compliance matters etc.
SSA 210.6b Auditor has to obtain the agreement from Management that it acknowledges and understands its
responsibility:
i. For the preparation of financial statements in accordance with the applicable financial reporting framework,
including where relevant their fair presentation
ii. For such internal control as management determines is necessary to enable the preparation of financial
statements that are free from material misstatement, whether due to fraud or error; and
Preconditions for Audit
SSA 210.8 states that if the preconditions for an Audit are not present, the Auditor shall discuss the matter with
Management. Unless required by law/regulation to do so, the Auditor shall not accept the proposed Audit
Engagement.
SSA 210.7 states that if management or those charged with governance impose a limitation on the scope of the
Auditor's work in terms of a proposed Audit Engagement such that the Auditor believes the limitation will result in the
Auditor Disclaiming an Opinion on the financial statements, the Auditor shall not accept such a limited engagement as
an Audit Engagement, unless required by law/regulation to do so.
Audit Strategy and Plan
Audit Strategy
Engagement Planning involves all the issues that an Auditor should consider in developing an Overall Audit
Strategy for conducting the Audit, which will help in determining what resources are needed for the engagement.
Determine the Scope of the Engagement, Ascertain reporting objectives to plan the timing of the Audit, Consider
the factors that will determine the focus of the Engagement Team’s Efforts etc.
Audit Plan
The Audit Plan is more detailed than the Audit Strategy.
In the Audit Plan, the Auditor documents a description of the Nature, Timing and Extent of the planned Audit Procedures
to be used in order to comply with Auditing Standards and to conduct the Audit effectively and efficiently.
Audit plan should consider how to conduct the engagement in an effective and efficient manner and develop an overall
audit strategy which will help to determine what resources are needed to perform the engagement.
Quintessentially, the Auditor should be guided by the results of the Entity Acceptance/Continuance Process,
Procedures performed to gain the understanding of the entity and the Preliminary Engagement Activities. The
Auditor should modify the overall Audit Strategy and Audit Plan as necessary if circumstances change significantly
during the course of the Audit.
Establish Materiality
Consider Multi-Locations/Business Units
Assess the need for Experts
Consider Non-Compliance with Laws and Regulations
Identify Related Parties
Consider Additional Value-Added Services
Document the Overall Audit Strategy and Audit Plan
Engagement Partner has the overall responsibility for the engagement and its performance and should supervise
the Audit Engagement Team so that the work is performed as directed and supports the conclusions reached.
STAGE 3.3 CONSIDER TYPES OF AUDIT TESTS
A. RISK ASSESSMENT PROCEDURES
Used to obtain an understanding of the entity and its external/internal environment to assess the risks of material
misstatement at the financial statement and relevant assertion levels.
Includes Inquiries of Management and Others, Preliminary Analytical Procedures, Observation, Inspection etc.
B. TEST OF CONTROLS
Used to test the operating effectiveness of controls in preventing, or detecting and correcting, material
misstatements at the relevant assertion level.
Includes Inquiries of Management and Others, Inspection of Documents, Observation of Application of Controls,
Walk-throughs (Tracing), Reperformance of Application of Controls by Auditors etc.
C. SUBSTANTIVE PROCEDURES
ii. Tests of Details of Account Balances and Disclosures: Focus on items that are contained in the ending
financial statement account balances and disclosures.
D. DUAL-PURPOSE TESTS
Tests of transactions that are designed to both evaluate the effectiveness of controls and detect material
misstatements simultaneously. Enhance audit efficiency.
Substantive Analytical Procedures: Used to obtain evidence about particular assertions related to account
balances or classes of transactions. If controls are ineffective, more substantive procedures are performed, and vice versa.
Final Analytical Procedures: Used as an overall review of the financial information in the final review stage of the
Audit. SSA 520.6
Consists of evaluation of financial info through analysis of plausible relationships among both financial and non-financial data
Help auditor understand the entity’s business, directing attention to high-risk areas, identifying audit issues that might
not be apparent, providing audit evidence and assisting in the evaluation of audit results
Commonly used to gather substantive evidence as they are effective at detecting misstatements
Major Types of Analytical Procedures
Relatively inexpensive test
Objectives and the facts & circumstances will dictate the type of analytical procedure used to form an
expectation and the techniques in investigating significant difference.
1. Trend Analysis (Evaluative)
Analysis of changes in an account over time.
Simple trend analysis compares last year’s account balance (‘the expectation’) with the current balance.
Trend Analysis can also encompass multiple time periods and includes comparing recorded
trends with budget amounts and with competitor and industry information.
Predictability and precision depend on the number of time periods
2. Ratio Analysis (Evaluative)
Comparison, across time or benchmarks, of relationships between financial statement
accounts (e.g. ROE) or between an account and non-financial data (e.g. sales per item)
Industry or competitor ratios are often used to benchmark the entity’s performance
Also includes ‘common-size analysis’, which is the conversion of financial statement amounts
into Percentages (%).
More effective than trend analysis in detecting risks and potential MM,
as comparisons of relationships between accounts and operating data are more likely to identify unusual
patterns than analysis focused on an individual account.
Assessed risk of material misstatement: the Higher the Risk, the Greater the Reliance on Test of Details
Usefulness of Substantive Analytical Procedures
- Can be used to test all transactions and balance assertions except rights & obligations
- More effective at identifying certain types of MM than testing individual transactions
(eg. detecting omissions than providing detailed evidence)
Final Analytical Procedure
- Used to assist the auditor in assessing the conclusions reached and evaluating the overall FS presentation
- This requires reviewing trial balance, FS and notes to:
Judge the adequacy of evidence (appropriateness) gathered to support any unusual/unexpected
balances investigated during the audit
- Precision of expectation
Measure of the potential effectiveness of an analytical procedure
Represent degree of reliance that can be placed on the procedure
Measure of how closely the expectation approximates the ‘correct’ but unknown amount
When the assertion tested requires a low level of detection risk, the expectation needs to be precise; the more
precise the expectation, the more extensive & expensive the audit procedures to develop it.
This results in a cost-benefit trade-off
Disaggregation
- The more detailed the level which an expectation is formed, the greater the precision
- Eg. Expectation formed using monthly data will be more precise than expectations formed using annual
data.
As misstatements are difficult to detect due to offsetting trends/activities that can mask risks and MM
- Many factors (changes in biz/industry) influence the predictability of relationships between financial and non-financial data
- E.g. Income statement items tend to be more predictable than balance sheet items
Income statement accounts involve transactions over a period of time
Balance sheet accounts represent amounts at specific point in time
Data Reliability
- More reliable the available data, the more precise the expectation
- Reliability depends on:
Independence of evidence source
Effectiveness of internal control
Auditor’s direct personal knowledge
Data subjected to audit in current/prior period
When expectation is developed from multiple sources of data
- Eg. Nature & extent of AP at planning stage of a small entity audit may be limited due to the lack of reliable
interim or monthly financial info at that point in time
- Tolerable difference (e.g. 5% of entity’s recorded amount) is always lower than performance materiality
Step 3: Compare expectation to the recorded amount
- Determine if the difference between the auditor’s expected amount and the recorded amount exceeds the auditor’s
tolerable difference.
- If Observed difference < Tolerable difference, auditor accepts the account. Otherwise, auditor must
investigate the difference using other AP
- If the difference is due to error or fraud, the entity may provide a plausible but untrue business explanation. Hence,
the effectiveness of SAP in identifying MM is enhanced when auditors develop potential explanations independently
(independent consideration) before obtaining personnel's explanation, based on:
Previous experience with entity
Other audit work performed
Discussion with members of the engagement team
- Auditor re-examines and understands the various relationships in financial and non-financial data.
- Independent consideration of potential explanations is more important for more significant accounts (higher degree of
assurance is desired from SAP); and must be followed up and resolved through
Quantification
Involves determining if the explanation or error can explain the observed difference.
Auditor should quantify the amount that could be explained
(E.g. an entity employee may offer the explanation that the significant increase in inventory over prior
years is due to a 12% increase in raw material prices.
Auditor should compute the effects of the raw materials price increase and determine the extent to which
the price increase explains or does not explain the increase in the overall inventory account)
Corroboration; and
By obtaining sufficient appropriate audit evidence linking the explanation to the difference and
substantiating that the info supporting the explanation is reliable, and should be of same quality as test
of details evidence.
(includes examination of supporting evidence, inquiries of independent persons and evaluating evidence
obtained from other audit procedures)
Evaluation
Evaluate the results of SAP to conclude if the desired level of assurance has been achieved.
If auditor cannot find sufficient evidence within the working papers, auditor would formulate possible
explanations, conduct additional testing and seek explanation from entity’s personnel.
Any additional AP performed in response to any significant differences identified
Example:
Interest rates recorded on the loan statements have remained stable over the year, fluctuating between 5-5.5%.
As interest expense is a predictable account and the info used to form the expectation is deemed reliable, the auditor sets the tolerable
difference at 5% of recorded interest expense.
$27 < $49.15; auditor will accept that the interest expense account is fairly stated
$50 > $49.15; auditor will need to investigate the difference
Month-end model: Auditor will examine loan activity within each month to determine if there was significant variation in the balance that
was not accounted for by month-end model.
Inquire of management about the cause of the difference; management provides a plausible explanation (interest expense includes
interest on ST loans that were only outstanding for a few days at a time)
If the personnel’s explanation and corroborative evidence are adequate to resolve difference, auditor can accept the amount as fairly
stated.
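The Step 3 comparison and the Quantification step described above, as an added Python example that is not part of the original notes: it forms a month-end expectation for interest expense, applies a 5% tolerable difference, and then tests how much of an excess difference a short-term-loan explanation accounts for. All balances, rates, loan figures and function names are constructed for illustration (amounts in $'000) and are not the figures from the example in the notes.

```python
"""Substantive analytical procedure on interest expense (added illustration).

All figures are constructed sample data in $'000.
"""
from dataclasses import dataclass


@dataclass
class Comparison:
    expected: float
    recorded: float
    difference: float  # |recorded - expected|
    tolerable: float   # tolerable difference
    accept: bool       # True when difference < tolerable difference


def month_end_expectation(balances, annual_rates):
    """Month-end model: one month of interest on each month-end loan balance."""
    if len(balances) != len(annual_rates):
        raise ValueError("need one rate per month-end balance")
    return sum(b * r / 12 for b, r in zip(balances, annual_rates))


def compare(expected, recorded, tolerable_pct=0.05):
    """Step 3: compare the expectation to the recorded amount."""
    tolerable = tolerable_pct * recorded
    difference = abs(recorded - expected)
    return Comparison(expected, recorded, difference, tolerable,
                      difference < tolerable)


def quantify_explanation(expected, recorded, short_term_loans, tolerable_pct=0.05):
    """Quantification: how much of the difference does the explanation cover?

    short_term_loans holds (principal, annual_rate, days_outstanding) tuples for
    loans drawn and repaid between month-ends, which the month-end model misses.
    Returns the amount explained and the comparison against the revised expectation.
    """
    explained = sum(p * r * d / 365 for p, r, d in short_term_loans)
    return explained, compare(expected + explained, recorded, tolerable_pct)


# Constructed sample data: rates stay within the 5-5.5% band.
MONTH_END_BALANCES = [12_000] * 6 + [9_600] * 6
ANNUAL_RATES = [0.05] * 6 + [0.055] * 6
SHORT_TERM_LOANS = [(36_500, 0.05, 10)]  # explanation offered by personnel


def run_example(recorded):
    """Run Step 3 and, if the difference is not tolerable, the quantification."""
    expected = month_end_expectation(MONTH_END_BALANCES, ANNUAL_RATES)
    first = compare(expected, recorded)
    if first.accept:
        return first, None, None
    explained, revised = quantify_explanation(expected, recorded, SHORT_TERM_LOANS)
    # A quantified explanation still has to be corroborated with evidence
    # before the account is accepted; this code only does the arithmetic.
    return first, explained, revised


if __name__ == "__main__":
    for recorded in (580, 620):
        first, explained, revised = run_example(recorded)
        print(f"recorded={recorded} expected={first.expected:.2f} "
              f"difference={first.difference:.2f} tolerable={first.tolerable:.2f} "
              f"accept={first.accept}")
        if revised is not None:
            print(f"  explanation covers {explained:.2f}; residual difference "
                  f"{revised.difference:.2f}; within tolerable={revised.accept}")
```
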
Industry data may not be available in sufficient detail for a particular entity
Industry data may not capture operating and geographical factors that may be
specific to entity
MM may not significantly affect certain ratios, particularly true for activity ratios
Ratio favorable due to its unfavorable components. Hence, auditor may draw
incorrect conclusion if he didn’t examine related ratios
STAGE 3.4 DETERMINE MATERIALITY
Materiality
SSA 320(2): Misstatements, including omissions, are considered to be material if they, individually or in the
aggregate, could reasonably be expected to influence the economic decisions of users taken on the basis of the
financial statements.
Judgments about materiality are made in light of surrounding circumstances, and are affected by the size or nature
of a misstatement, or a combination of both.
SSA 320(A1): Materiality and Audit Risk are considered throughout the Audit, in particular when:
o Identifying and Assessing the Risks of Material Misstatement (SSA 315)
o Determining the Nature, Timing and Extent of further Audit Procedures. (SSA 330)
o Evaluating the effect of uncorrected misstatements, if any, on the financial statements and in forming the
opinion in the Auditor's Report (SSA 700)
SSA 320.10: When establishing the overall audit strategy, the auditor shall determine materiality:
For the financial statements as a whole
Where applicable, for particular classes of transactions, account balances or disclosures for which misstatements of
lesser amounts than materiality for the FS as a whole could reasonably be expected to influence the economic
decisions of users taken on the basis of the FS, due to circumstances such as (SSA 320.A11):
Law, regulation or applicable financial reporting framework affecting users’ expectations (e.g., related party
transactions, directors’ remuneration).
Key disclosures in relation to the industry in which entity operates (e.g., R&D costs for a pharmaceutical
company).
Attention focused on particular aspect of entity’s business that is separately disclosed in the FS (e.g., business
segments).
Performance materiality
SSA 320 (9 & A13):
Performance materiality means the amount(s) set by the auditor at less than materiality for the financial statements as a
whole (and, where applicable, for particular classes of transactions, account balances or disclosures) to reduce to an
appropriately low level the probability that the aggregate of uncorrected and undetected misstatements exceeds
materiality.
The determination of performance materiality is not a simple mechanical calculation and involves the exercise of
professional judgment.
IFAC Guide to Using ISAs in the Audits of SMEs (Vol 2, page 61): proposes a rule of thumb of between 60% (higher risk of
material misstatement) and 85% (lower risk of material misstatement) of overall or specific materiality
STEP 1 (DURING THE AUDIT PLANNING STAGE): DETERMINE OVERALL MATERIALITY
SSA 320 (A3-4, A7, A13): Overall Materiality is the maximum amount by which the Auditor believes the financial
statements could be misstated and still not affect the decisions of users.
It may need to be revised as the Audit progresses due to changes in circumstance.
Auditing standards require the Auditor to establish a Materiality Amount for the financial statements as a whole
and for particular classes of transactions, account balances or disclosures.
o For Non-Profit Organizations, Total Revenues/Total Expenses might be more appropriate benchmarks. For
Asset-Based Entities (e.g. Investment Funds), Net Assets would be a more appropriate benchmark.
Deciding the %
o Lower the percentage (more strict; easier to exceed) if there is high risk of fraud; material misstatements in
prior years; entity close to violating a covenant in a loan agreement; entity operating in a highly volatile
environment; small amounts may cause the entity to miss forecasted revenue/earnings etc.
o Consider all the above and the quantitative amounts may be adjusted for the qualitative factors
IFAC Guide to Using ISAs in the Audits of SMEs (Vol 2, page 61): proposes rules of thumb of 3-7% for profit from continuing
operations, 1-3% for revenue, expenditures or assets, and 3-5% for equity.
SSA 320 (9, 11, A12) In practice, Auditors commonly set Performance Materiality (PM) for each account at
between 50 and 75% of Overall Materiality (OM). This results in total combined PM that is greater than OM so
most firms cap the size of Combined/Aggregated PM to a multiple of OM (e.g. 4 times)
This is because it is inefficient for the Auditor to simply subdivide Materiality proportionally to each account,
resulting in unnecessarily low PM levels. The lower the Performance Materiality, the more extensive the required
Audit Testing will be.
Deciding the %
In addition to those discussed in Overall Materiality, Lower the percentage if there is high risk of misstatement
within the account balance/class of transaction/disclosure; if there is increased number of accounting issues that
require significant judgment and/or more estimates with high estimation uncertainty; a history of significant
deficiencies and/or a high number of deficiencies in internal control; high turnover of senior management or key
financial reporting personnel.
STEP 3 (NEAR THE END OF AUDIT): EVALUATE AUDIT FINDINGS
SSA 450.11 The Auditor shall determine whether uncorrected misstatements are material, individually or in
aggregate, considering
o Size and Nature of the misstatements
o Particular circumstances of their occurrence
o Effect of uncorrected misstatements related to prior periods
Steps in Applying Materiality
Affects compliance with regulatory requirements, debt covenants or other contractual requirements
Masks a change in earnings or other trends
Affects ratios used to evaluate the entity’s financial position, results of operations or cash flows
Affects significant segment information presented in the financial statements
Increases management compensation (e.g. by meeting bonus criteria)
The effect of setting Materiality limits at different levels on Audit Risk and Planned Audit Procedures.
STAGE 3.5 AUDITOR'S RISK ASSESSMENT (TO ASSESS RMM AND SET DR IN AUDIT RISK MODEL)
SSA 200:
As the basis for the auditor's opinion, SSAs require the auditor to obtain reasonable assurance about whether the FS as a whole
are free from material misstatement, whether due to fraud or error.
Reasonable assurance is a high level of assurance. It is obtained when the auditor obtains appropriate audit evidence to reduce
audit risk to an acceptably low level
Audit Risk is the risk that the Auditor expresses an inappropriate audit opinion when the financial statements are
materially misstated. (Issue an unmodified opinion on materially misstated financial statements)
Audit risk is a function of RMM: The risk that the FS are materially misstated prior to the audit. May exist at overall FS level
(relate pervasively to FS as a whole and potentially affect many assertions) or at assertion level
At assertion level, RMM consists of inherent and control risk.
o Audit Risk = Inherent Risk (IR) x Control Risk (CR) x Detection Risk (DR)
o Risk of Material Misstatements (RMM) = IR x CR
Inherent Risk (IR): The susceptibility of a Management Assertion (about a class of transactions, account balance or
disclosure) to a misstatement that could be material (either individually or when aggregated with other misstatements)
before consideration of any related or internal controls.
Control Risk (CR): The risk that a misstatement that could occur in a Management Assertion (about a class of
transactions, account balance or disclosure) and that could be material (individually or when aggregated with other
misstatements), will not be Prevented, or Detected and Corrected on a timely basis by the entity’s internal control.
Detection Risk (DR)
The risk that the procedures performed by the Auditor to reduce Audit Risk to an acceptably low level will not detect
a misstatement that exists and that could be material (either individually or when aggregated with other
misstatements)
Relates to the Nature, Timing and Extent of Auditors' procedures determined by Auditors to reduce Audit Risk to an
acceptably low level. SSA 200
Is a function of the effectiveness of an Audit Procedure and its application by Auditors, which may be affected by
factors such as: Adequate Planning, Proper assignment of personnel to the engagement team, Application of
professional skepticism, Supervision and review of the Audit work performed.
Not possible to reduce to 0 because:
o Sampling Risk: Auditor will never examine 100% of the class of transactions/ account balances
o Non-Sampling Risk: Erroneous conclusion as a result of human error. Auditor might select an inappropriate audit
procedure / misapply the appropriate audit procedure / misinterpret the audit results / judgment bias
DR has an inverse relationship to IR x CR. [Planned DR = Planned AR / RMM (IR x CR)]
o If Auditor judges a client’s IR x CR to be high, he would set a lower DR in order to achieve the planned level of
Audit Risk and vice versa.
2. Analytical Procedure
The Auditor conducts preliminary analytical procedures to evaluate financial information and analyse plausible
relationships between financial and nonfinancial data. These procedures assist the Auditor in understanding the entity
and its environment and in identifying areas that may represent specific risks relevant to the Audit.
Helpful in identifying unusual transactions or events, amounts, ratios and trends that might have implications for
Audit planning.
To be discussed in other chapter.
3. Observation or Inspection
Reading reports prepared by Management, TCWG, Internal Audit function
Visits to the entity’s premises and plant facilities
Read about industry development and trends, read the current year’s interim financial statements and review
regulatory or financial publications.
Preliminary observation of entity activities and operations.
Preliminary inspection of documents, records, internal control manuals
STEP 2 UNDERSTANDING THE ENTITY & ITS ENVIRONMENT
The goal of this process is to assess the business risks faced by the entity and how those risks are controlled or not
controlled by the entity. (Refer to previous Diagram)
The Auditor's understanding of the entity and its environment includes knowledge about the following categories:
The risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely
affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate
objectives and strategies. SSA 315
Business Risks includes any external/internal factors, pressures, forces that bear on the entity’s ability to survive
and be profitable.
Hence, there are implications for the Auditor:
o Risk of Material Misstatement (Inherent and Control Risk) SSA 315
o Auditor's Business Risk (Engagement Risk)
o Financial Statement Expectations SSA 520
o Going-Concern Risks SSA 570
o Value-added Advice and Services
SSA 315 (11): Auditor is required to obtain an understanding of the entity and its environment, including the
entity’s internal control:
o Relevant industry, regulatory and other external factors
o Nature of the entity, including its ownership and governance, operating, investing and financing activities
o Selection and application of accounting policies
o Objectives and strategies and those related business risks that may result in risks of misstatement
o Measurement and review of entity's financial performance
Auditor's business risk (also called engagement risk): the risk that the auditor is exposed to loss or injury to professional practice from
litigation, adverse publicity or other events arising in connection with financial statements audited and reported on.
3. SWOT Analysis
1. Strategic (internal) Risk: They are the risks associated with the operations of that particular industry. These kinds of
risks arise from
o Business Environment: Buyers and sellers interacting to buy and sell goods and services, changes in supply
and demand, competitive structures and introduction of new technologies.(small portfolio, mkt strategy
o Transaction: Assets relocation of mergers and acquisitions, spin-offs, alliances and joint ventures. Emphasis on
wrong products, inappropriate acquisitions etc.
o Investor Relations: Strategy for communicating with individuals who have invested in the business.
2. Financial (internal) Risk [*]: These are the risks associated with the financial structure and transactions of the
particular industry.
3. Operational (internal) Risk: These are the risks associated with the operational and administrative procedures of
the particular industry, which are very common in today's generation. They could be flaws in the way business is
carried on, its processes and systems (e.g. poor labor-relations, loss of key employees, reliance on few suppliers or
Types of Business Risks
4. Compliance Risk (Legal Risk): These are risks associated with the need to comply with the rules and regulations of
the government.
5. Other Risks
o Governance (internal) Risk: Poor or inadequate Corporate Governance
o Reputational Risk: A risk of loss resulting from damages to a firm's reputation, in lost revenue; increased
operating, capital or regulatory costs; or destruction of shareholder value, consequent to an adverse or
potentially criminal event even if the company is not found guilty. Adverse events typically associated with
reputation risk include ethics, safety, security, sustainability, quality, and innovation. Reputational risk can be
a matter of corporate trust.
o Political Risk: A type of risk faced by investors, corporations, and governments. It is a risk that can be
understood and managed with reasoned foresight and investment. Broadly, political risk refers to the
complications businesses and governments may face as a result of what are commonly referred to as political
decisions—or “any political change that alters the expected outcome and value of a given economic action by
changing the probability of achieving business objectives”
a. Asset-backed Risk: Risk that the changes in one or more assets that support an asset-backed security will
significantly impact the value of the supported security. Risks include interest rate, term modification, and
prepayment risk.
b. Credit Risk: Credit risk, also called default risk, is the risk associated with a borrower going into default (not
making payments as promised). Investor losses include lost principal and interest, decreased cash flow, and
increased collection costs. An investor can also assume credit risk through direct or indirect use of leverage. For
example, an investor may purchase an investment using margin. Or an investment may directly or indirectly use
or rely on repo, forward commitment, or derivative instruments
o Refinancing Risk: Possibility that a borrower cannot refinance by borrowing to repay existing
c. Foreign Investment Risk: Risk of rapid and extreme changes in value due to: smaller markets;
differing accounting, reporting, or auditing standards; nationalization, expropriation or confiscatory
taxation; economic conflict; or political or diplomatic changes. Valuation, liquidity, and regulatory issues may
also add to foreign investment risk.
o Political Risk
o Valuation Risk: The financial risk that an asset is overvalued and is worth less than expected when it
matures or is sold. Factors contributing to valuation risk can include incomplete data, market instability,
financial modeling uncertainties and poor data analysis by the people responsible for determining the
value of the asset. This risk can be a concern for investors, lenders, financial regulators and other people
involved in the financial markets. Overvalued assets can create losses for their owners and lead to
reputational risks; potentially impacting credit ratings, funding costs and the management structures of
financial institutions.
e. Liquidity Risk: This is the risk that a given security or asset cannot be traded quickly enough in the market to
prevent a loss (or make the required profit).
f. Market Risk
o Equity Risk is the risk that stock prices in general (not related to a particular company or industry) or
the implied volatility will change.
o Interest Rate Risk is the risk that interest rates or the implied volatility will change.
o Currency Risk is the risk that foreign exchange rates or the implied volatility will change, which affects, for
example, the value of an asset held in that currency.
o Commodity Risk is the risk that commodity prices (e.g. corn, copper, crude oil) or implied volatility will
change.
g. Other Risks
o Reputational Risk
o Volatility Risk: The risk of a change of price of a portfolio as a result of changes in the volatility of a risk
factor. It usually applies to portfolios of derivatives instruments, where the volatility of its underlying is a
major influencer of prices.
o Settlement Risk: The risk that a counterparty does not deliver a security or its value in cash as per
agreement when the security was traded after the other counterparty or counterparties have already
delivered security or cash value as per the trade agreement.
o Profit Risk: A risk management tool that focuses on understanding concentrations within the income
statement and assessing the risk associated with those concentrations from a net income perspective.
o Systemic Risk: The risk of collapse of an entire financial system or entire market, as opposed to risk
associated with any one individual entity, group or component of a system that can be contained therein
without harming the entire system.
STEP 3 IDENTIFY BUSINESS RISKS THAT MAY RESULT IN MATERIAL MISSTATEMENTS IN F/S
The Auditor identifies Business Risks that may result in Material Misstatements.
STEP 4 EVALUATE THE ENTITY’S RISK ASSESSMENT PROCESS (IE HOW MANAGEMENT
RESPONDS TO THOSE BUSINESS RISKS) AND OBTAIN EVIDENCE ON ITS IMPLEMENTATION
Management has a responsibility to identify, control and mitigate Business Risks that may affect the Entity’s ability
to achieve its Objectives. The Auditor should obtain information on the Management’s Risk Assessment process
and whether it is operating effectively.
o If the Entity’s response to the identified risks is adequate, the RMM may be reduced.
o If the Entity’s response to the identified risks is inadequate, the RMM may be increased.
o If the Entity does not have any response to identified risks, then the Auditor must develop tests to determine
if any misstatements are present in the related class of transactions or account balance.
STEP 5 ASSESS THE RISK OF MATERIAL MISSTATEMENT (DUE TO ERROR / FRAUD)
To assess the RMM, the Auditor must consider how the identified risks could result in a Material Misstatement in
the Financial Statements. This includes considering how the Entity’s Risk Assessment Process may affect the
magnitude and likelihood of potential misstatements.
SSA 315 (27-28) As part of Risk Assessment, Auditors shall determine whether any risks identified are significant
risks, including:
o Fraud
o Significant economic, accounting or other developments
o Complex transactions
o Significant transactions with related parties
o Financial information involving high measurement subjectivity or uncertainty.
o Significant transactions that are outside the normal course of business or that otherwise appear unusual.
Such risks are associated with a higher RMM because they often involve significant non-routine transactions or
judgmental matters, and are less subject to routine controls.
The primary responsibility for Prevention and Detection of Fraud rests with Management and TCWG.
Fraud
Auditor conducting an audit is responsible for obtaining reasonable assurance that the FS taken as a whole are
free from material misstatement, whether caused by fraud or error.
d. Evaluate Fraud Risk Factors (Appendix 1, SSA 240) [Fraud risk triangle: incentive,
opportunity, rationalization]
Identification and Assessment of the RMM due to Fraud:
At the F/S Level and at the Assertion Level
Based on a presumption that there are risks of Fraud in the Revenue Recognition process and Management Override of Controls
Responses to the Assessed RMM due to Fraud:
At the F/S Level (Overall Responses) – SSA 240 (A28)
o Assignment of more experienced staff/ experts with special skills or use experts
o Closer/more supervision
o Emphasizing to the audit team the need to maintain professional skepticism
o Incorporating additional elements of unpredictability in the selection of further audit procedures to be performed
o Making general changes to the nature, timing, or extent of audit procedures, for example: performing substantive
procedures at the period end instead of at an interim date; or modifying the nature of audit procedures to obtain more
Consideration of Related Parties:
SSA 550 Audit Significance of Related Parties (RP) and RP Transactions include:
o Risk from inappropriate accounting
o Risk from non-identification or non-disclosure
- Inherent difficulty in identifying undisclosed RPs/RPTs (management themselves may be unaware; esp. if framework
does not req. disclosure)
o Heightened Risk of Fraud-- RPs present greater opportunities for
Fraud
SSA 315 Risk-based Approach requires a thorough understanding of RPs and RPTs to
identify and assess risks.
o Consider RPs in Engagement Team Discussion
o Inquire into changes in RPs from prior period, nature of RP relationships and
type and purpose of RPTs
o Understand controls to identify, account for, and disclose RPs and RPTs; and
to authorize and approve significant RPTs
o Determine whether any of the assessed risks are significant
o Respond appropriately to assessed risks.
STEP 6 AUDITOR'S RESPONSE TO ASSESSED RMM
SSA 330 (5, A1-3): Auditor shall design and implement overall responses to address the assessed RMM at the FS level,
including:
SSA 330 (6, A4-16): Auditor shall design and perform further Audit Procedures whose Nature, Timing and Extent are
based on and are responsive to the assessed RMM at the Assertion Level:
Nature: Purpose (e.g. Tests of Control vs Substantive Procedures) and Type (e.g. Confirmation vs Substantive
Analytical Procedures)
Timing: (e.g. At Interim Date vs Period End)
Extent: (e.g. Sample Size, Frequency of Observation)
STAGE 3.6 CONSIDER MANAGEMENT ASSERTIONS
Management is responsible for the fair presentation of the financial statements. Assertions are representations by
Management that are embodied in the financial statements.
Used by Auditor to consider the different types of potential misstatements that may occur.
Categories of Assertions (Overview of Management Assertions)
Assertions fall under three headings: Classes of Transactions/Events during the period; Account Balances at the end of
the period; Presentation and Disclosure.
Occurrence
o Classes of Transactions/Events during the period: Transactions and events that have been recorded have occurred
and pertain to the entity.
o Presentation and Disclosure: Disclosed events, transactions and other matters have occurred and pertained to the
entity.
Existence
o Account Balances at the end of the period: Assets, Liabilities, Equity Interests exist.
Rights & Obligations
o Account Balances at the end of the period: The entity holds or controls the rights to Assets and
o Presentation and Disclosure: The rights and obligations have been disclosed in the
ASSERTIONS ABOUT CLASSES OF TRANSACTIONS (P&L)
Occurrence VS Completeness
Occurrence assertion relates to whether all recorded transactions have occurred and pertained to the entity.
For e.g. Management asserts that all revenue transactions recorded during the period were valid but entity’s
personnel might have incentives to record fictitious transactions, resulting in an Overstatement in the related
account. Sometimes referred to as validity.
Completeness assertion relates to whether all transactions that occurred during the period have been recorded.
For e.g. If the entity fails to record a valid revenue transaction that ought to be recorded, it will result in an
Accuracy
Accuracy assertion addresses whether amounts and other data relating to recorded transactions have been
recorded in appropriate amounts.
Financial reporting frameworks establish the appropriate method for recording a transaction. For e.g. FRS states
that the amount recorded for the cost of a new machine includes all directly attributable costs necessary to bring
the machine to its required working condition.
Cut-Off
Cut-Off assertion relates to whether transactions have been recorded in the correct accounting period.
For e.g. Auditor may want to test proper cut-off of revenue transactions at 31-Dec-2015. The Auditor can examine a
sample of shipping documents/sale invoices for a few days before and after year-end to test whether the sale
transactions have been recorded in the proper period.
Classification
Classification assertion is concerned with whether transactions and events have been recorded in the proper
accounts.
For e.g. Management asserts that Maintenance costs to repair a machine that do not add to its usefulness are
properly charged to the Repairs and Maintenance Expense account instead of the Machine Asset account.
Assertions about Account Balances
Existence
Existence assertion addresses whether ending balances of Assets, Liabilities and Equity included in the financial
Rights (Assets) & Obligations (Liabilities) assertion addresses whether the entity holds or controls the rights to
assets and that liabilities are the obligations of the entity.
For e.g. Amounts capitalized for leases reflect assertions that the entity has rights to leased property and that the
corresponding lease liability represents an obligation of the entity.
Completeness
Completeness assertion addresses whether all Assets, Liabilities and Equity Interests that should have been
included as ending balances on the financial statements have been included.
For e.g. Management implicitly asserts that the ending balance shown for Accounts Payable on the Balance Sheet
includes all such liabilities as of the balance sheet date.
Valuation and Allocation assertion addresses whether Assets, Liabilities and Equity Interests included in the
financial statements are at appropriate amounts, and any resulting adjustments are appropriately recorded.
For e.g. For Valuation, Management asserts that inventory is carried at the lower of cost or NRV on the Balance
Sheet. For Allocation, Management asserts that the cost of PPE is systematically allocated to appropriate
accounting periods by recognizing Depreciation Expense.
Assertions about Presentation & Disclosure
Occurrence & Rights and Disclosure assertions address whether disclosed events, transactions and other matters
have occurred and pertained to the entity.
For e.g. When Management presents capitalized lease transactions on the Balance Sheet as leased assets, the related
liabilities as long-term debts, and the related note, it is asserting that a lease transaction occurred, it has a right to
the leased asset and it owes the related lease obligation to the lessor.
Completeness
Completeness assertion relates to whether all disclosures that should have been included in the financial
statements have been included.
Therefore, Management asserts that no material disclosures have been omitted from the notes and other
disclosures accompanying the financial statements.
Classification and Understandability addresses whether the financial information is appropriately presented and
described, and disclosures are clearly expressed.
For e.g. Management asserts that the portion of long-term debt shown as a current liability will mature in the current
year. Similarly, Management asserts that all major restrictions on the entity resulting from debt covenants are disclosed
in notes and are able to be understood by the users of the financial information.
Accuracy & Valuation assertions address whether financial and other information is disclosed fairly and at
appropriate amounts.
For e.g. When Management discloses the FV of Securities, it is asserting that these financial instruments are
properly valued in accordance with the applicable financial reporting framework. In addition, Management may
disclose in a note other information related to financial instruments.
Management assertions for the accounts receivable balance. [example]
Assertions | Possible misstatement | Example of audit procedures
Existence | Fictitious customer | Confirm AR
Rights and obligations | Receivables have been sold or factored | Inquire of management whether receivables have been sold
Completeness | Customer accounts are not recorded | Agree total of AR subsidiary ledger to AR control account
Valuation and allocation | Delinquent receivable carried at full amount | Test the adequacy of the allowance for doubtful accounts
STAGE 3.7 PLAN FOR GATHERING AUDIT EVIDENCE
Audit Evidence is the information used by the Auditor in arriving at the conclusions on which the Audit Opinion is based. It
includes the information contained in the accounting records underlying the financial statements and other
information.
The following concepts of Audit Evidence are important to understanding the conduct of the Audit:
1. Nature
The nature of the evidence refers to the form or type of information, which includes accounting records and other
available information.
o Accounting Records: Includes the records of initial entries and supporting records, such as records of
electronic funds transfers; invoices; contracts; the general and subsidiary ledgers, journal entries and other
adjustments to the financial statements that are not reflected in formal journal entries; and records such as
worksheets/spreadsheets supporting cost allocations, computations, reconciliations and disclosures.
o Other Information: Includes the minutes of meetings; confirmation from third parties; analysts’ reports;
comparable data about competitors (for benchmarking); controls manuals; information obtained by the
Auditor from such Audit Procedures as Inquiry, Observation and Inspection; and other information developed
by/available to the Auditor that permits the Auditor to reach conclusions through valid reasoning.
2. THE SUFFICIENCY & APPROPRIATENESS OF AUDIT EVIDENCE
SSA 500(6): The Auditor should obtain sufficient appropriate evidence to be able to draw reasonable conclusions on
which to base the Audit Opinion. SSA 200(A48): The matter of difficulty, time or cost is not in itself a valid basis for the
Auditor to omit an Audit Procedure for which there is no alternative or to be satisfied with Audit Evidence that is less than
persuasive.
Obtaining more evidence may not compensate for its poor quality.
Evidence is considered appropriate when it provides information that is both relevant and reliable:
o Relevant: Relevance of Audit Evidence refers to its relationship to the assertion being tested. If the Auditor
relies on evidence that is unrelated to the assertion, he may reach an incorrect conclusion about the
assertion.
Relevance + Reliability = Appropriateness = a measure of the quality of audit evidence.
o Reliability: Reliability refers to whether a particular type of evidence can be relied upon to signal the true
state of an assertion.
– Independence of Source: Evidence obtained by the Auditor from an independent source outside the
entity is usually viewed as more reliable than evidence obtained solely from within the entity.
More reliable
Documents obtained directly by the Auditor that originate outside the Client (e.g. Direct Bank confirmation)
Documents obtained by the Auditor from the Client that originated outside the Client (e.g. Bank Statements)
Documents originating inside the Client but which circulate outside (e.g. Cancelled Cheques)
Documents originating inside the Client and never circulated outside (e.g. Cash Book)
SPOTLIGHT ON: AUDIT PROCEDURES
Audit Procedures are specific acts performed by the Auditor to gather evidence about whether specific assertions are
being met. There are three categories of Audit Procedures, which serve the following purposes:
Risk Assessment Procedures: Used to obtain an understanding of the entity and its external/internal environment
to assess the risks of material misstatement at the financial statement and relevant assertion levels.
Tests of Controls (inverse relationship with substantive tests): Used to test the operating effectiveness of controls in
preventing, or detecting and correcting, material misstatements at the relevant assertion level.
Substantive Procedures: Used to detect material misstatements at the relevant assertion level.
Two Categories: Test of Details (of Classes of Transactions, Account Balances, Disclosures) and Substantive
Analytical Review Procedures
Types of Audit Procedures
Analytical Review Procedures: Consists of evaluations through analysis of plausible relationships among
financial/non-financial data. Involves comparison of recorded values with expectations by auditor.
Effective and efficient form of Audit Evidence.
External Confirmation (Existence, completeness): Audit Evidence obtained by Auditor as a direct written response
from a Confirming Third-Party.
Information Confirmed | Source of Confirmation
Cash Balance | Bank
Account Receivable | Customers
Inventory on Consignment | Consignee
Accounts Payable | Individual Vendors (Suppliers)
Insurance Coverage | Insurance Company
Contingent Liability | Lawyer
Collateral for Loan | Creditor
Inquiry: Seeking information of knowledgeable persons within the entity.
Usually to understand entity and its environment (i.e. internal controls)
Inquiry alone ordinarily does not provide sufficient Audit Evidence, and requires additional
corroborative evidence to support the responses.
Inspection of Records and Documents:
Inspection Reliability of Records or Documents (Internal/External)
Internal documents: Generated and maintained within the entity [Less reliable]
External documents (generally more reliable) have two forms:
o Documents originating within the entity but circulated to independent
sources outside (e.g. remittance advices returned with cash receipts from
customer payment and payroll payments)
o Documents generated outside the entity but included in the entity’s
accounting records. (e.g. bank statements, vendors’ invoices)
Direction of Testing
Vouching (Occurrence) – From Journal Ledger to Source Document: This
approach provides evidence that the items included in the accounting records
have occurred. (e.g. Auditor examines a sample of sales transactions from sales
journal to ensure that sales are not fictitious.)
Tracing (Completeness) – From Source Document to Journal Ledger: Ensures
that transactions that occurred are indeed recorded in the accounting records.
(e.g. Auditor selects a sample of shipping documents and traces them to the
related sales invoices and then to the sales journal)
Inspection of Tangible Assets:
Physical Inspection (Existence) of the Assets. (e.g., counting Cash on Hand,
examining Inventory Stock, Marketable Securities, Fixed Assets)
Physical Inspection (Valuation) of the Assets. (e.g. Identifying items that are
obsolete or slow-moving)
Observation: Looking at a process or procedure being performed by others. The actions being observed
typically do not leave an Audit trail that can be tested by examining documents.
However, not very reliable and requires additional corroborating evidence.
Recalculation: Checking the mathematical accuracy of documents manually or through the use of IT (i.e. Computer-
Assisted Audit Techniques)
Includes footing, crossfooting, reconciling subsidiary ledgers to account balances and testing
postings from journals to ledgers.
Highly reliable as the Auditor creates the evidence.
Reperformance: Independent execution by the Auditor of procedures/controls originally performed by
Company personnel. Highly reliable as Auditor creates the evidence.
Scanning: Review of accounting data for large/unusual items, non-standard journal entries.
Designing
Nature, Timing, Extent of Audit Procedures need to respond to the assessed risks of material misstatement at the
assertion level.
E.g. Internal Auditors: Some of their work performed may be directly relevant to External Auditors’ work.
But before the decision to use Internal Auditors’ work, the External Auditors must evaluate the internal Auditors’
objectivity and competence first.
SPOTLIGHT ON: AUDIT DOCUMENTATION
Definition
Audit Documentation
Audit Documentation consists of the record of Audit Procedures performed, relevant Audit Evidence obtained and
conclusions the Auditor reached, aka the ‘Audit File’ or ‘Working Papers’. It is like the ‘story’ of the Audit.
Objectives
1. To provide Principal support for the representation in the Auditor’s Report that the Audit was conducted in
accordance with Auditing Standards and applicable legal and regulatory requirements
2. To aid in the planning, performance and supervision of the Audit
3. To provide the basis for the review of the quality of the work by providing written documentation of the evidence
supporting the Auditor’s significant conclusions.
i.e. to provide a sufficient and appropriate record of the basis for the auditor's report
SSA 230(8): The Auditor shall prepare Audit Documentation that is sufficient to enable an experienced Auditor, having
no previous connection with the Audit, to understand:
(a) The nature, timing and extent of the Audit Procedures performed to comply with the SSAs and applicable legal and
regulatory requirements.
(b) The results of the Audit Procedures performed and the Audit Evidence obtained; and
(c) Significant matters arising during the Audit, the Conclusions reached thereon, and significant professional
judgments made in reaching those Conclusions.
COSO Internal Control Integrated Framework: Internal Control is a process designed and effected by an entity’s
Board of Directors, Management and Other Personnel to provide reasonable assurance that the organization’s
Objectives are being met in the following categories:
o Reliability, timeliness and transparency of internal and external, non- financial and financial reporting
o Effectiveness and efficiency of operations, including safeguarding of assets
o Compliance with applicable laws and regulations
SSA 315(12): most controls relevant to the audit are likely to relate to financial reporting
Control environment
Includes the governance and management functions and the attitudes, awareness, and actions of those charged with
governance and management concerning the entity’s internal control and its importance in the entity.
Auditor should consider:
o Communication and enforcement of integrity and ethical values
o Commitment to competence
o Participation by those charged with governance
Internal Control
Functions of AC: Companies Act 201B (5): The functions of an AC shall be:
(a) to review —
(i) with the auditor, the audit plan;
(ii) with the auditor, his evaluation of the system of internal accounting controls;
(iii) with the auditor, his audit report;
(iv) the assistance given by the company’s officers to the auditor;
(v) the scope and results of the internal audit procedures; and
(vi) the financial statements of the company and, if it is a parent company, the consolidated financial statements, submitted
to it by the company or the parent company, and thereafter to submit them to the directors of the company or parent
company; and [Act 36 of 2014 wef 01/07/2015]
(b) to nominate a person or persons as auditor, notwithstanding anything contained in the constitution or under section 205,
[Act 36 of 2014 wef 03/01/2016]
Together with such other functions as may be agreed to by the audit committee and the board of directors.
SSA 200 (A2): An audit in accordance with SSAs is conducted on the premise that Management and TCWG have
acknowledged and understand their responsibility for:
o Preparation of f/s in accordance with the applicable financial reporting framework; and
o Such internal control determined by them to be necessary for preparation of f/s that are free from material
misstatement, whether due to fraud or error.
Companies Act (S199, 2A): Every public company and every subsidiary of a public company shall devise and
maintain a system of internal accounting controls sufficient to provide a reasonable assurance that
o Assets are safeguarded against loss from unauthorized use or disposition; and
o Transactions are properly authorised and recorded to permit the preparation of true and fair profit and loss
accounts and balance-sheets and to maintain accountability of assets.
SSA 315 (12): Obtain an understanding of internal control relevant to the Audit when identifying and assessing the
risks of material misstatement.
SSA 265: Communicate identified control deficiencies to TCWG and management that are of sufficient importance
to merit their respective attention.
In some jurisdictions (e.g. USA) but not others (e.g. Singapore), Auditors are required to express an opinion on the
effectiveness of internal controls over financial reporting for public companies.
STAGE 4.1 OBTAINING UNDERSTANDING OF INTERNAL CONTROLS
Auditor needs to evaluate the design of controls relevant to the Audit and determine whether they have been
implemented.
Typical Audit Procedures used include:
o Inquiry of Entity’s Personnel
o Observing Application of Specific Controls
o Inspecting Documents and Reports
o Tracing transactions through the information system relevant to financial reporting (‘walkthrough’)
STAGE 4.2 ASSESS CONTROL RISK AND DECIDE WHETHER TO RELY ON CONTROLS
Auditor does not intend to rely on the entity’s internal controls to reduce substantive testing because he concludes
that Internal Controls are not effectively designed or implemented (hence reliance strategy is not justified), and/or
a Substantive Strategy is more efficient
Auditor intends to rely on the entity’s Internal Controls to reduce substantive testing. Need to test operating
effectiveness of controls to assess if the “achieved ” level of control risk is in line with the “planned” control risk
(i.e. whether preliminary assessment of control risk is supported)
STAGE 4.3 FOR RELIANCE STRATEGY – PLAN & PERFORM TEST OF CONTROLS
SSA 330 (8): Auditor shall test the operating effectiveness of relevant controls if:
• Auditor’s assessment of risks of material misstatement at the assertion level includes an expectation that the controls
are operating effectively (that is, the auditor intends to rely on the operating effectiveness of controls in determining the
nature, timing and extent of substantive procedures); OR
• Substantive procedures alone cannot provide sufficient appropriate audit evidence at the assertion level (e.g., for highly
automated systems)
STAGE 4.4 FOR RELIANCE STRATEGY - SET CONTROL RISK BASED ON THE TEST OF CONTROLS
STAGE 4.5 PERFORM SUBSTANTIVE PROCEDURES BASED ON THE LEVEL OF CONTROL RISK
The Nature, Timing and Extent of Substantive Procedures will vary for different entities as a function of the
Detection Risk Level.
Nature
Left column: Audit tests for all significant Audit assertions using the following types of Audit procedures:
o Physical Examination (Conducted at year end – stronger)
o Review of external documents
o Confirmation
o Reperformance
Right column: Corroborative Audit tests using the following types of Audit tests:
o Physical examination (conducted at an interim date)
o Analytical procedures
o Substantive tests of transactions and balances
Timing
Left column: All significant work completed at year-end
Right column: Interim and year-end
Extent
Left column: Extensive testing of significant accounts or transactions
Right column: Limited testing of accounts or transactions
Assertions about classes of transactions and events and related control activities
Assertions | Control activities
Occurrence and existence | Segregation of duties, pre-numbered documents accounted for, daily/monthly reconciliation of subsidiary records with independent reviews
Completeness | Segregation of duties, pre-numbered documents accounted for
Accuracy | Internal verification of amounts and calculations, monthly reconciliation of subsidiary records by an independent person
Authorization | General and specific authorization of transactions at important control points
Cut-off | Procedures for prompt recording of transactions, internal review and verification
Classification | Charts of accounts, internal review and verification.
procedures for each material class of transactions, account balance, and disclosure.
Why?
Human Errors or Mistakes
Control
Collusion
o E.g. An individual who received cash from customers colludes with the one recording receipts in the
customer’s record to steal cash
Management Override of Internal Control
o Employees listen to employers in fear of losing job, or enter side-agreement to alter T&C hence affect
revenue recognition. Thus, senior management involvement = question on management’s integrity.
Auditor’s risk assessment judgmental
Communication of deficiencies in internal control
Deficiency:
(1) A control designed, implemented or operated in such a way that it is unable to prevent, or detect and correct,
misstatements in the financial statements on a timely basis; or
(2) a control necessary to prevent, or detect and correct, misstatements in the financial statements on a timely basis is
missing.
Significant Deficiency:
A significant deficiency in internal control is a deficiency or combination of deficiencies in internal control that, in the
auditor's professional judgement, is of sufficient importance to merit the attention of those charged with governance.
Communication:
SSA 265: Auditor shall communicate in writing significant control deficiencies [Depends not only on whether misstatement
has occurred but also on likelihood and potential magnitude of misstatement] to those charged with governance and
management. The auditor shall also communicate to management other control deficiencies judged to be of sufficient
importance to merit management’s attention.
1. Input Errors
Issues
Entity's Risk Assessment
The risk assessment process should consider external and internal events and circumstances that may arise and adversely
affect the entity's ability to initiate, record, process and report financial data consistent with the assertions of management in
the financial statements.
Process of IT
Client business risk can arise or change due to the following circumstances:
o Changes in the operating environment
o New or revamped information systems
o New business models, products, or activities
o New personnel
o New technology
o Rapid growth
2. Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial
reporting.
3. Measure the value of transactions in a manner that permits recording their proper monetary value in the financial
statements.
4. Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting
period.
5. Properly present the transactions and related disclosures in the financial statements
Levels of control in computerised systems
Two main categories:
1. User controls
– Those controls established and maintained by departments whose processing is performed by computer.
2. IT controls
– Those controls established and maintained at the location of the computer, for example in data-processing
departments.
SSA 315 (11d): Auditor shall obtain an understanding of the entity’s objectives and strategies, and those
related business risks that may result in risks of material misstatement.
SSA 315 (Appendix 2): Examples of events and conditions that may indicate risk of material misstatement:
o Inconsistencies between the entity’s IT strategy and its business strategies
o Changes in the IT environment
o Installation of significant new IT systems related to financial reporting
SSA 315 (A55-56): IT can improve an entity’s internal control (e.g. by enhancing consistency of information
processing, segregation of duties)
o However, IT can also pose specific risks to internal control (e.g., risks of unauthorized access or change to
data and programs).
Implications
SSA 315 (21): In understanding the entity's control activities, the auditor shall obtain an understanding of how
the entity has responded to risks arising from IT.
SSA 315 (18): The auditor shall obtain an understanding of the information system, including the related business
processes, relevant to financial reporting
General Controls
Policies and procedures that relate to all applications and support the effective functioning of application
controls
Deficiencies will affect processing of various types of transactions
Manual and computer controls that relate to all or many computerised accounting applications. These provide a
reasonable level of assurance that overall objectives of internal control are achieved.
Includes segregation of duties, control over programs, control over data
Application Controls
Manual or automated controls over input, processing and output of individual applications to help ensure
transactions are authorized and processed accurately and completely
The reliance that can be placed on application controls often depends on the reliability of the general controls.
Application controls contribute to achievement of specific control objectives that the auditor considers in tests of
controls.
Examples include:
o Batch controls (e.g., record count, control totals)
o Data validation controls (e.g., validity, range, limit, reasonableness, sequence tests)
o Data capture controls for source documentation and/or direct data entry: occurrence, completeness,
accuracy
o Processing controls
o Output controls: controls to minimize unauthorized use of outputs
o Error controls: ensure errors are handled appropriately.
Segregation of duties within IT
Duty: Positions within IT department
Knowledge (those with an understanding of systems and programs):
• IT manager
• System analyst
• Application programmers
* The position of system programmer must have sufficient access to perform the function. However, system programmers
should have no detailed knowledge of the company’s accounting systems or application programs.
General controls
User controls
• Control totals: detect errors in input or processing. Generally, there are three types:
– Financial totals
– Record totals
– Hash totals
• Review and reconciliation of data by users.
• Formal error correction and resubmission procedures.
• Authorisation controls help ensure that only valid transactions and batches of transactions are processed.
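The following is an added example, not part of the original notes, showing how the three control totals and a sequence test over pre-numbered documents detect input or processing errors. The field names (`doc_no`, `account_no`, `amount`) and all sample records are constructed for illustration.

```python
from decimal import Decimal

# Constructed sample batch: pre-numbered document, customer account, amount.
PREPARED = [
    {"doc_no": 1001, "account_no": 40012, "amount": Decimal("250.00")},
    {"doc_no": 1002, "account_no": 40517, "amount": Decimal("1200.50")},
    {"doc_no": 1003, "account_no": 41233, "amount": Decimal("89.90")},
    {"doc_no": 1004, "account_no": 40012, "amount": Decimal("430.10")},
]

def control_totals(records):
    """Compute the record, financial and hash totals for a batch."""
    return {
        "record_total": len(records),
        "financial_total": sum((r["amount"] for r in records), Decimal("0")),
        # Hash total: sum of a non-financial field, meaningful only for comparison.
        "hash_total": sum(r["account_no"] for r in records),
    }

def sequence_gaps(records):
    """Sequence test: missing and duplicated document numbers in the batch range."""
    nums = [r["doc_no"] for r in records]
    if not nums:
        return [], []
    missing = sorted(set(range(min(nums), max(nums) + 1)) - set(nums))
    duplicated = sorted({n for n in nums if nums.count(n) > 1})
    return missing, duplicated

def reconcile(header, records):
    """List every control total that differs from the batch header."""
    computed = control_totals(records)
    return [f"{k}: expected {header[k]}, got {computed[k]}"
            for k in header if header[k] != computed[k]]

HEADER = control_totals(PREPARED)  # totals recorded when the batch was prepared

# Constructed error 1: account number on document 1002 transposed at data entry.
MISKEYED = [dict(r) for r in PREPARED]
MISKEYED[1]["account_no"] = 40571

# Constructed error 2: document 1003 lost before processing.
DROPPED = [r for r in PREPARED if r["doc_no"] != 1003]

if __name__ == "__main__":
    print(reconcile(HEADER, MISKEYED))  # only the hash total disagrees
    print(reconcile(HEADER, DROPPED))   # all three totals disagree
    print(sequence_gaps(DROPPED))       # document 1003 reported missing
```

In the miskeyed batch the record and financial totals still agree with the header, so only the hash total reveals that an amount was posted to the wrong account.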
IT controls
• Usually classified into the following categories:
– Input controls
Batch data preparation
o Control totals
o Key verification
Application controls
general and
• If general controls are unreliable, an auditor has little confidence in programmed application controls and reduced
confidence in manual application controls → auditor takes a more substantive approach to the audit.
• If general controls are reliable, an auditor makes a preliminary evaluation of application controls. If reliance on application
controls is then planned, a more detailed evaluation of these controls is made → auditor determines appropriate degree of
testing of controls and substantive testing.
Impact on Audit Strategy
Auditor treats the computer system as a “black box” and performs tests on inputs and outputs of the system
May be appropriate for less complex IT systems with existence of ‘hard copy’ audit trail
Auditor directly tests IT controls, usually with the help of Computer Assisted Audit Techniques (CAATs)
SSA 330 (8) requires Auditors to test the operating effectiveness of relevant controls if substantive procedures
alone cannot provide sufficient appropriate audit evidence at the assertion level (e.g. for highly automated
systems)
Implementation of Computer Controls
Column 1: Less extensive.
Column 2: More extensive.
Existence of Source Documents and Audit Trail
Column 1: Existence of ‘hard copy’ (paper) source documents or audit trail.
Column 2: Source documents exist in electronic format. Results of one stage of computerized processing are used as
inputs in subsequent stages of processing.
Computer Assisted Audit Techniques
1. Consistent application of predefined business rules and performance of complex calculations in processing large
Potential benefits to
1. Reliance on systems or programs that, unknown to the management, inaccurately process data, process inaccurate
data or both
2. Unauthorized access to data-> destruction or improper changes to data including recording of unauthorized or non-
form IT