
What we have studied?

Audit and assurance: rights and duties of the auditor, and internal auditor appointment and selection
according to ISA. How ISAs are developed.

Auditor publicity, promotion and advertisement, appointment, acceptance rules and regulations,
engagement letter content, revision required

External auditor is appointed

Chapter 3
The auditor is now appointed. The client/entity signs an engagement letter with the auditor. Now we plan
and do a risk assessment.

The purpose of an audit plan:

The auditor uses various tools, such as the audit plan and the audit programme, to carry out an
audit. An audit plan lays down the strategies to be followed in carrying out an audit. It is the
first step of the audit.

The purpose of an audit plan explains the reason or objective for which the audit plan is made:
why the engagement is being done and what the scope of the objective is. The purpose is for the
external or internal auditor to meet the objective in a timely manner. An audit plan sets out what
needs to be done to achieve an objective. The objective of the auditor is to plan the audit so that
it will be performed in an effective manner.

For both external and internal auditors, the objective is the production of an audit report. Both
the external and the internal auditor aim to evaluate the company and make an audit report.

An audit plan lays out the strategies to be followed to conduct an audit. It includes the nature,
timing and extent of audit procedures to be performed by the engagement team members. The
auditor shall develop an audit plan while considering the following:

a) The nature, timing and extent of planned risk assessment procedures.
b) The nature, timing and extent of audit procedures at the assertion level.
c) Other planned audit procedures that are required to be carried out so that the engagement
complies with the International Standards on Auditing (ISA).

1) Content of an audit plan:

The content describes what makes up the audit plan, that is, what is included in it.

• Who will perform the audit work?

Whether the external or the internal auditor is doing the work, and at what level that external or
internal party is doing the auditing.

Staffing

The auditor shall determine the exact staff requirements along with a broad estimate of the time
required by each staff member, so that the audit work will be completed on time.
The audit firm decides what type of staff is needed for the audit of the particular company.
It depends on what kind of auditing is being done. Staffing depends on the complexity of the work done
by the organization and on its geographical location. If the operations of the organization are complex, then
senior staff members are sent to gain a better understanding of the work. If the organization’s subsidiaries
are dispersed across different locations, then senior staff, a larger number of staff, or staff who
are closer to the area and have no problem travelling to the company’s location are sent for
auditing. If a local store or warehouse needs to be audited, junior staff can be sent.

There are two types of auditing:

a) Interim audit
The staff in this audit are interns or staff who report back to senior executives.
b) Full audit
The staff in this audit are senior executives.

• When will the work be done?

The auditor should determine the timing of the report. This will help the auditor in determining the time
schedule of the audit. The timing of the audit decides how long the auditing will take. This depends
on the complexity of the subject being audited.

• What work is to be done?

The auditor should determine the form of the report. This will help the auditor in determining the
scope of the audit.
When the auditor signs the engagement letter, the scope of work is clearly mentioned in the
letter, and its limits and boundaries are stated. The auditor can be restricted in their work. For example,
if an auditor wants to meet an employee to confirm information stated in the financial
statements, the auditor can meet that person. If an auditor wants to see an invoice, the
management is obliged to give it to the auditor. The auditor is only obliged to follow the
laws, rules and regulations set by the applicable financial reporting framework. The
auditor clearly states what work is exempted due to international laws or ISA.

2) Risk assessment and the audit plan:
When auditors are appointed, they need to identify the threats, limitations and problems they will
face during the audit. They also need to identify the safeguards associated with those threats
in order to limit them. Risk assessment is done by the auditor to find the threats the environment
poses to the entity (company). Risk assessment is done of the client: how the client
affects the environment and the major risks the auditor would encounter while
auditing the company. If the company is involved in a fraud, how would you
evaluate the fraud? Risk assessment would be used to find out the threat posed to the
environment and the entity by not detecting the fraud. The self-competence and learning of
the auditor will be affected through fraud detection.
• The entity to be audited, and
Which company is to be audited: the size and location of the company will be looked at, as will the
nature of the entity’s business, for example, the potential for technological obsolescence
of its products and services, the complexity of its capital structure, the significance of
related parties and the number of locations and geographical spread of its production
facilities.
• The environment in which the entity operates
The external and internal environments affect the way in which the entity
operates. The external environment includes factors such as political, technological,
economic and demographic ones, and so on. The internal environment includes suppliers,
competitors, distributors, employees, and so on. It also covers the industry the entity works in, the regulatory body that
governs the entity to ensure standardization, stakeholders, investors, and the government’s perception, which is
created by the way taxes are paid by the entity. The threat the environment
poses to the entity, or the entity poses to the environment, will be assessed in the risk
assessment done by the auditor, and this helps in assessing the effect all of this has on the audit
plan.
Factors affecting the industry in which the entity operates are also considered, for example, economic and
competitive conditions as indicated by financial trends and ratios, and changes in
technology, consumer demand and accounting practices common to the industry.
How will the auditing be affected by the risk assessed?
The assessment of risk in the audit will affect:
• The amount of audit work performed in general; and
The risk assessment will tell the type of work that needs to be done. It helps and
guides the planning of the auditing process. For example, if the client will face a risk during
auditing because of technological changes in the environment, the audit plan would be
made to help reduce the risk arising from those technological changes. Risk
would be reduced in such a way that it does not cause any problem for the auditing or for the
entity.
• The areas on which the auditor will focus his attention
Risk assessment is used to identify the risks of the entity and the environment. It creates an awareness
of the areas that the auditor should audit properly and of how
the threats in those areas can be reduced by making a proper audit plan.
Significant audit areas are identified in the audit plan. It is important for the auditor to
identify the areas which involve greater audit risk, so that the audit can be planned in
such a way that overall audit risk will be less. More risky areas should be checked in
detail and vice versa.
The auditor makes an audit report using the materiality concept. The areas in which the
risk is greatest and which threaten the company most are material for the company. The auditor
uses only material information to save time, energy, effort and money. If a risk
assessment is not done, the auditor would not be able to focus on the areas that matter
most in making an audit plan, and may have to bear a high cost.

3) Important for internal, external, audit and review
The effect of risk assessment is important for internal and external auditors, and for both audit and review.
Whether an internal or an external auditor is doing a review or a full audit, risk assessment
is necessary for the auditor to convey its opinion in a fair and true manner using the
materiality concept.

1.2. Professional skepticism (ISA 200):

“An audit that includes a questioning mind, being alert to conditions which may indicate
possible misstatement due to error or fraud, and a critical assessment of audit evidence”

A political, questioning mind should be used by an auditor. An auditor should critically evaluate the
situation. Auditors ask different types of questions about anything or anyone they see, to finally identify
what the problem is and to detect fraud.

1.3. Introduction to ISA 300:

a) Overview:
Planning an audit of financial statements means planning the audit work so that the audit will be
performed in an effective manner. The audit of financial statements is planned in such a way
that it is effective and the purpose of doing the audit is achieved.
b) Adequate planning benefits the audit. Sufficient planning benefits the audit
through the following:
• Adequate planning devotes appropriate attention to important areas of the audit.
Proper planning will tell which areas need to be emphasized and which areas do not.
• Adequate planning identifies and resolves potential problems on a timely
basis.
Once an interim audit has been done, it can be used to find potential problems in
a timely manner. It can be used to tell where a problem occurs, why, and what measures need to
be taken to solve it.
• Adequate planning organizes and manages the audit engagement so that it is
performed in an effective and efficient manner.
The contents of the audit engagement are managed in an efficient and effective manner.
This means that less cost and time are spent on the audit and the audit plan gives the most
benefit. The purpose of the audit plan should be achieved in a way that brings the most
benefit to the parties concerned with the audit.
• Adequate planning helps in the selection of staff with appropriate experience
to respond to risk, and in the assignment of work.
Staff should be capable enough to find errors in the entity and detect fraud.
The audit firm decides what type of staff is needed for the audit of the particular
company. It depends on what kind of auditing is being done. Staffing depends on the
complexity of the work done by the organization and on its geographical location. If the operations of
the organization are complex, then senior staff members are sent to gain a better understanding of
the work. If the organization’s subsidiaries are dispersed across different locations, then senior
staff, a larger number of staff, or staff who are closer to the area and have no
problem travelling to the company’s location are sent for auditing. If a local store or
warehouse needs to be audited, junior staff can be sent.
There are two types of auditing:
a) Interim audit
The staff in this audit are interns or staff who report back to senior executives.
b) Full audit
The staff in this audit are senior executives.
• Adequate planning helps in the direction and supervision of staff and the review of
their work.
The seniors of the external auditor provide direction on how the audit will be done. The
senior staff of the external auditor play an important role in ensuring that the audit is planned
in an efficient and effective manner. The current external auditor supervises and reviews the
work of the company’s staff and the staff of the audit firm.
• Adequate planning helps in coordinating the work done by auditors of
components and experts.
The auditor works to gather information from every department, e.g. purchasing, accounting,
finance, marketing etc. The reports from each department are combined to form a final
audit report.
ISA 300 requires the auditor to:

1. ISA 300 requires the auditor to involve the whole management team in the audit.
The whole management team consists of the members who are involved in the discussion of the audit
engagement. The partners and firms involved in the audit engagement are the whole management
team, who work together to ensure that the audit is done in an efficient and effective
manner.
2. Performing procedures (ISA 220):
• ISA 220 for performing procedures requires continuance of the client
relationship.
A recurrent audit is when the audit is done again by the firm that did the previous
audit. The same procedures which were used for the previous audit would be
used again.
• ISA 220 for performing procedures requires a specific audit engagement.
The audit engagement letter would be prepared in the same way, except that it would be
modified to meet the current requirements of the audit plan. If there is a change in
structure, top-level management or accounting framework, the engagement letter
can be prepared again to suit the requirements.
• ISA 220 for performing procedures requires compliance with the relevant
ethical requirements and independence.
The code of ethics should be met. This includes professional behavior, no dishonesty and no
cheating while doing the audit. Independence means that the external or internal
auditor should not be personally involved with the business. This is so that
management does not influence the auditor’s opinion and the opinion given by the
auditor is fair and true. The auditor should not have a personal relationship, so that
management cannot influence a decision to issue a positive audit report when the
report is in fact negative. The evaluation should not be biased.
3. ISA 210 requires understanding the terms of the engagement.
Both parties involved in the audit engagement should have an understanding of the
preconditions needed for the audit engagement.
4. Overall strategy for the audit that sets the scope, timing and direction of the audit.
The audit plan needs a strategy in which the limitations and restrictions of the plan are defined.
The auditor should determine the form and the timing of the report. This will help the auditor in
determining the scope and time schedule of the audit. These questions should be
answered while making the overall strategy:
• How much time is needed to complete the audit?
• How will work be supervised and reviewed?
• How will the work be done? What is the scope of work done?
5. Document the overall strategy and the audit plan.

The audit plan developed should be documented and written in an audit report so that it can be
easily reviewed when needed. The audit working papers are the official record that contains
the planning and execution of the audit agreement.

1. Involvement of Key engagement team members:

ISA 300 requires the engagement partner and other key members of the engagement
team to be involved in planning the audit, including planning and participating in the
discussion among engagement team members to enhance the efficiency and effectiveness
of the planning process.

The whole management team consists of the members who are involved in the discussion of the audit
engagement. The partners and firms involved in the audit engagement are the whole management
team, who work together to ensure that the audit is done in an efficient and effective
manner.

The factors which affect the audit plan include:

• The size of client

If the company is big, then the audit engagement team would be large to
accommodate the needs of the organization and ensure that an efficient and effective
audit is planned. If the company is small, then the audit engagement team would
be small to accommodate the needs of the organization and ensure that an efficient
and effective audit is planned.

• Complexity

If the activities of the business are complex and difficult, then the audit engagement
team would be large to accommodate the needs of the organization and ensure that an
efficient and effective audit is planned. If the activities of the business are not
complex and not difficult, then the audit engagement team would be large to
accommodate the needs of the organization and ensure that an efficient and effective
audit is planned.

• Any other relevant factors

If you are dealing with a defense institute, then you need to consider many other
factors, such as the staff involved. Relevant factors may include the location of the
organization and the type of organization. If the organization’s subsidiaries are
dispersed across different locations, then a larger number of staff, or staff who
are closer to the area and have no problem travelling to the company’s location,
are sent for the audit. If a local store or warehouse needs to be audited,
fewer engagement team members can be sent.

Preliminary engagement activities:

When an engagement team is formed, preliminary engagement activities need to be planned.
Terms of engagement and any statutory responsibilities: while framing an audit plan, the
auditor should ascertain his terms of appointment and the responsibilities cast on him by various legislation.
The auditor should then prepare his audit plan based on what he is required to do.

1. Perform procedures required by ISA 220.

ISA 220 is quality control, that is, the performance procedures required for an audit of
financial statements. It is done to check whether the auditor is working according to the
applicable financial reporting framework.
ISA 220 looks at how well the internal auditor has controlled the audit plan to comply
with the external auditor’s work. The internal auditor makes the internal control system,
which is made according to ISA 220 Quality Control.

• The auditor should be competent to perform the engagement;

ISA 220 checks whether the internal auditor is competent to perform the
engagement. This means that the auditor follows all the rules and obligations listed by the
applicable financial reporting framework for the appointment of the auditor. The
auditor should be qualified enough to perform its rights and duties in the correct
manner to convey an opinion which is true, fair and based upon material
information.

• The auditor should comply with relevant ethical requirements;

The internal auditor should meet ethical requirements. This includes professional
behavior, no dishonesty and no cheating while doing the audit.

• The auditor should consider the integrity of the client;

The auditor should meet the needs of the client. The auditor should be approachable,
friendly, honest, fair, true and professional with the client.

• The auditor should consider significant matters that have arisen during the
current or previous audit engagement.

The special matters which have now come into consideration should be audited in a true
and fair manner.
2. Evaluate compliance with relevant ethical requirements, including independence (ISA
220)

a) ISA 220 is used to confirm that the auditor remains compliant with ethical
requirements.

The code of ethics should be met. This includes professional behavior, no dishonesty and no cheating
while doing the audit. Independence means that the external or internal auditor should not
be personally involved with the business. This is so that management does not
influence the auditor’s opinion and the opinion given by the auditor is fair and true. The
auditor should not have a personal relationship, so that management cannot influence
a decision to issue a positive audit report when the report is in fact negative. The
evaluation should not be biased.

• ISA 220 is used to establish appropriate safeguards against non-compliance

A threat can be made to auditors in case they are not working according to the standards of
the applicable financial reporting framework. If the auditor is dishonest and committing
fraud, then extreme measures such as jail can be used.

b) The engagement partner will need to provide the firm with relevant information
about the client engagement.

• Scope of services

Engagement partners should give their firm relevant information about their client. This is to
provide proof of their independence. The information will be shared to show within what limits
and restrictions the audit service was provided.

3. Establish an understanding of the terms of the engagement

The terms of the engagement should be considered. The auditor should frame an audit plan by
ascertaining his terms of appointment and the responsibilities cast on the auditor by various legislation.
The auditor should then prepare his audit plan based on what he/she is required to do.

• Planning activities:
The audit plan needs a strategy in which the limitations and restrictions of the plan are defined.
The auditor should determine the form and the timing of the report. This will help the auditor in
determining the scope and time schedule of the audit. These questions should be answered
while making the overall strategy:

• How much time is needed to complete the audit?

• How will work be supervised and reviewed?

• How will the work be done? What is the scope of work done?

An audit plan lays out the strategies to be followed to conduct an audit. It includes the nature,
timing and extent of audit procedures to be performed by the engagement team members.
Planning activities include establishing an overall audit strategy that sets the scope, timing
and direction. The auditor shall develop an audit plan while considering the following:

a) The nature, timing and extent of planned risk assessment procedures.
b) The nature, timing and extent of audit procedures at the assertion level.
c) Other planned audit procedures that are required to be carried out so that the engagement
complies with the International Standards on Auditing (ISA).

a) Overall audit strategy

• Identify the characteristics of the engagement that define its scope;
The engagement letter will include the scope of the work. While framing an audit plan, the
auditor should ascertain his terms of appointment and the responsibilities cast on him by
various legislation. The auditor should then prepare his audit plan based on
what he is required to do.
• Ascertain the reporting objectives: to plan the timing of the audit and the
nature of the communication
The timing of the audit would be listed, along with the way in which the plan will be
communicated, that is, whether it is verbal or written. Written
communication would be in the form of a report or email. The auditor should determine
the form and the timing of the report. This will help the auditor in determining the scope
and time schedule of the audit.
• Consider the factors that are significant in directing the engagement team’s
efforts
These are the factors that direct the engagement team in knowing how the plan will be
conducted. Accounting policies followed by the enterprise affect the audit plan.
While preparing an audit plan, due consideration may be given to the areas where
there is any change in accounting policies. Any change in accounting and auditing
standards may affect the scope of the audit or the manner in which it is conducted.
Therefore these should be carefully considered while drawing up the audit plan.
• Whether knowledge gained on other engagements performed by the
engagement partner for the entity is relevant
The engagement partner should have the experience to judge whether the
situation being faced could be solved using the same measures the auditor used to solve
the same situation in a previous audit engagement. If the entities of the previous
and new engagements are in the same industry, then the experience and knowledge
gained could be applicable to many situations faced in the new engagement.
• Ascertain the nature, timing and extent of resources
How much resource (money) the audit firm has to use for the audit of a particular
company, and how much time (energy, effort) it has to use for the audit.
The auditor shall determine the exact staff requirements along with a broad
estimate of the time required by each staff member, so that the audit work will be
completed on time.

b) Documentation:

The auditor should document in written form the overall audit strategy, the audit plan, and any
significant changes made during the audit engagement, along with the reasons. The audit plan
developed should be documented and written in an audit report so that it can be easily reviewed
when needed.

1.4. Contents of the overall business strategy and the audit plan

A. The overall Audit Strategy:

• Defining the scope

Scope covers the accounting framework that will be used, the industry regulatory body involved,
and the locations that will be travelled to in order to gather the information needed for the audit.

1. The financial reporting framework used

2. Any industry-specific reporting requirements

3. The location of the components of the entity

The nature of the entity’s business, for example the number of locations and
geographical spread of its production facilities.

4. The nature of the control relationships between a parent and its components

The relationship between the external and internal auditor. The relationship
between the parent and the subsidiary.

5. The nature of the business segments to be audited

The nature of the entity’s business, for example, the potential for technological
obsolescence of its products and services, the complexity of its capital structure,
the significance of related parties and the number of locations and geographical
spread of its production facilities. This applies if a company sells different kinds of products.
Examples of such companies include Procter & Gamble. Experts with
specialized knowledge are needed to deal with such companies.

6. The reporting currency to be used

If a multinational company is being evaluated, then there is a need for a reporting
currency to be used. For example, if the parent company is in Pakistan and one
subsidiary is in the US and another is in the UK, the subsidiaries would
translate their currencies back into the currency of the parent company: the UK and US
subsidiaries would translate them into Rs. The purpose of currency translation is to
allow the parent company to prepare a consolidated report. The consolidated report would
include all the reports from the subsidiary companies. Currency translation is when
subsidiaries translate their reports into the parent company’s currency. An expert
would be used to ensure there are no errors in the currency translation and hence in
the consolidated report. Investors will not treat the company positively if there are
errors in the report.

7. Need for statutory audit of standalone financial statements for consolidation
purposes

A statutory audit is an audit that is imposed on a company by law or legal bodies. Small
companies, NGOs and clubs may be exempted from statutory audit. It would be considered
whether there should be an audit of the subsidiary companies or
a consolidated report including all the reports from the subsidiary companies.

8. Whether the entity has an internal audit function

The purpose is to have an independent audit function finding the possible threats and
risks faced during the audit. The internal auditor can share its findings with the external auditor so that the
external auditor can prevent them from occurring during the audit. The external auditor can plan
measures to prevent the risks and threats in order to report on and evaluate the firm in
a true and fair manner using material information.

9. How the auditor may obtain evidence concerning the design or operation of
controls performed by service organizations

The scope of the audit may include finding evidence according to the structure and
activities of the business.

10. Use of audit evidence obtained in previous audits

The auditor may use experience from previous audits to find solutions to the threats
faced in the current audit.

11. Effect of information technology on the audit procedures

IT plays an important role in an organization’s success. ERP is used to get
information about a company through the use of technology. Audit procedures can
be carried out in a better and more well-defined manner using technology because
every type of information about the company is stored using technology.

12. Coordination of the expected coverage and timing of the audit work with any
reviews of interim financial information

The interim audit will produce a financial report. The external auditor will check the
financial statements audited by the internal auditor. Expected coverage is how many
departments will be covered in the financial report, and timing of the audit work is
the time that will be taken to audit each department that is to be audited.

13. The availability of client personnel and data

The auditor should have access to information through people. These people could
be employees, directors or executives.

• Ascertaining the reporting objectives of the engagement, such as reporting deadlines

This means that when the scope or objective is defined using an engagement letter, a
reporting deadline is also set, which indicates when the audit work will be completed and presented
to the directors and shareholders.

• Important factors which will determine the focus of the audit team’s efforts:

1) Materiality thresholds

The level at which information is risky and costly should be known. A
materiality threshold means the limit which should not be crossed to ensure an
effective and efficient audit. At the planning stage the auditor sets the materiality
levels. For example, the auditor may decide that in the case of an audit of sales he will
examine all sales transactions above Rs.5000.

2) High-risk areas of the audit

It is important for the auditor to identify the areas which involve greater audit
risk, so that the audit can be planned in such a way that overall audit risk will be
less. More risky areas should be checked in detail and vice versa.
The auditor makes an audit report using the materiality concept. The areas in
which the risk is greatest and which threaten the company most are material for the
company. The auditor uses only material information to save time, energy,
effort and money. For example, if the client will face a risk during auditing
because of technological changes in the environment, the audit plan would be
made to help reduce the risk arising from those technological changes.
Risk would be reduced in such a way that it does not cause any problem for the auditing
or for the entity.

3) Audit approach (internal/external)

Whether the audit approach is internal or external would be considered.

4) Any recent development

For example, if there is a new instrument, what is done with the previous one? Any change in
accounting and auditing standards may affect the scope of the audit or the manner in
which it is conducted. Therefore these should be carefully considered while
drawing up the audit plan.

5) Process to identify and prepare disclosures

The procedure to disclose information and the audit report is explained in the audit
strategy.

B. The Audit Plan:

• The audit plan will set out:

1. Procedures required for assessment of the risk of misstatement
The risk of misstatement or fraud is identified first, to check that nothing has been
missed or evaluated wrongly by the auditor before making the audit report.
2. Planned further audit procedures for each material audit area.

• The audit procedures required to:

1. Obtain sufficient appropriate audit evidence
The step-by-step procedure of audit planning helps in obtaining sufficient
appropriate audit evidence.
2. Reduce audit risk to an acceptable level.
This means that the step-by-step audit procedure is followed to ensure that risk is at
a minimum level, the objectives of the organization are met and the organization is
not evaluated in the wrong manner.

Audit programs

Audit programs are sets of instructions to the audit team, specifying the audit procedures that
should be performed in each area/department of the audit. An audit programme is a set of
instructions which are to be followed for proper execution of audit. After the development of
audit plan a detailed written audit programme containing the various steps and procedures shall
be required. This helps the auditor in proper supervision of the audit.
The audit programme contains the measures that are generally employed to determine what, and
how much evidence must be collected and evaluated. It also lays down the responsibilities for the
whole audit team for carrying out different tasks. The prepared audit program may be revised if
needed in accordance with the prevailing circumstances. An audit program largely depends on
the size of the organization and other relevant factors. There is no standard audit
programme applicable for all situations.

1.5. Interim and Final Audit:

The system assessment work and transaction testing will be carried out in Interim Audit.

It assesses audit work for 10-15 days. The interim audit is done before the full audit. Articleship students or
people who have completed the last CA 4 module paper do the interim audit. They see the
environment and develop an understanding of the activities of the client/entity, its financial statements and
books, whether auditing standards are met, the risks that are faced and the safeguards used to prevent
damage from threats. The materiality concept should be applied, in which values that are too high or
information that is too risky are considered. The organization should have an internal auditor to carry out
an internal audit.

The balance of the work and testing of statement of financial position items takes place at the
final audit.

The audit report is made using the evaluation of the organization done by the auditor. A full audit is
done after the interim audit. It is done using the annual report with the help of substantive testing.

Key Benefits:

• More flexible resource planning within the firm

An entity first decides to do an interim audit to make it easier to do the final audit.

• Helps reduce demand for audit staff during ‘busy season’
• Earlier identification of significant matters
• Shareholders and other users receive audited accounts
• Increased audit efficiency

ISA 300 states:


“The higher the risk of material misstatement, the more likely it is that the auditor may decide it
is more effective to perform substantive procedures nearer to, or at, the period end rather than at
an earlier date.”

The audit needs to be performed and the audit report produced on time. The auditor may decide to perform an interim
audit before the final audit.

During the interim audit, the internal control system is documented and evaluated. This will
determine the mix of tests of control and substantive procedures but both will tend to focus on
transactions that have occurred so far in the period.

During the final audit, the focus is on the financial statements and the assertions about assets,
liabilities and equity interests. At this stage the auditor will design substantive procedures to
ensure that assurance has been gained over all relevant assertions.

A. Interim audit procedures include:

• Understanding the entity, assessing the inherent risk and identifying significant matters
The entity will accept that the auditor worked the previous time. Assessing the inherent risk means that if
an auditor is doing audit work then the threats that will occur will be identified.
• Recording, evaluating the design and testing the entity’s system of internal control.
The internal system should be designed closely and properly.
• Performing the substantive testing to ensure the books and records are a sound basis for
performing.
There should be a third opinion to get a view on whether the interim audit is
performed properly.
B. Final audit procedures include:
• Substantive testing: the auditor tests the period between the interim audit and
the period end.
Substantive testing is analysis or critical evaluation to check errors. The report that is
developed after substantive testing is used to do auditing and reach a conclusion. The
interim auditor has already done most of the work, so the money, energy, effort and time of
the organization and auditor do not need to be wasted.
Risks for which Substantive Procedures Alone are Inadequate
Some testing of controls is likely to be necessary in addition to substantive testing where
there is a large volume of routine transactions subject to automated processing. This is
particularly relevant where there is little or no source documentation, where transactions
are generated by the system itself, such as in on-line ordering from the Internet and
airline ticketing, and even more so where the information is held in electronic form only.
This is the principal type of risk for which substantive procedures alone are inadequate.
Again, the requirement is for auditors to understand the relevant controls.
• Tests to ensure the validity of conclusions formed at the interim audit
The interim audit’s conclusion is verified. The interim auditor’s experience is checked.
• Obtaining third party confirmations such as bank letters and trade receivables.
An opinion from a third party should be given. It could be a bank from which the bank
reconciliation statement may be gathered. Details of documentation are not given in the
interim audit, while the final audit includes information from all departments. The final
audit evaluates information from receivables, payables and vouchers. Invoices from the purchase
department, cash from the cash account, ad expense from marketing, supply chain and
management etc.: all of this information is gathered and evaluated in the full audit.
Operations and activities are checked to see whether they are practically aligned with the
information stated in the books.
• Analytical review and subsequent events review
The agents doing auditing should be checked. Analytical review and subsequent events
review are different methods which are used to identify threats. Analytical review includes
looking at different issues and trends to identify a problem. For example, when people do an
analytical review, information from the financial statements is examined and
financial data over the years is evaluated in a horizontal line, so that it can be seen at a glance
which value is wrong: the trend is not being followed and there is an unusual value.
For example, net proceeds are being examined, in which a difference of 20 is found between
the values but the fifth value has a difference of 60. Subsequent events review is analysis in
which the previous year’s data is compared with the current year. The
conclusion, financial statements and information from the previous year are reviewed.
• Obtaining written representations
A full audit is needed to keep you involved in the process. Written information and
representation is needed to verify information found verbally.

ISA 300 specifically states that the following procedures can only be performed at or after
the period end:

1. Agreeing the financial statements to the accounting records,
Adjustments should be made from the balance sheet and income statement in the
financial statements and be disclosed in them. The accounting statements are made one
and a half months before making the annual report. The changes in the entity’s
information are evaluated and included in the final year financial statement
report. The accounting records are verified and matched with the financial
statements.
2. Examining adjustments made during the course of preparing the financial
statements,
The written engagement would be on the basis of trade receivables and so on. If the
debit side and credit side are not equal, changes and adjustments are made to ensure that
they are equal. Year-end adjustments are made in the closing account
to get true, accurate, fair and material information.
3. Procedures to respond to a risk that the entity may have entered into
improper sales contracts or that transactions may not have been finalized.
The risk could be found in a better way from the full audit. For example, a sales
contract is made. The sales contract does not provide valid information, or the sales
contract is incomplete and not in accordance with the required laws and regulations. The sales
contract is not legalized and sales cannot be claimed legally. For example, if the
commodity has been sold but the purchaser is stating that the commodity was not
sold, the supplier cannot guarantee that the sales contract has occurred, due to
incomplete information, and cannot claim legally that the transaction has been done.
Transactions are not finalized. If the transactions are done at the end of the year then there is
confusion over whether the transaction needs to be recorded in the previous year or the
current year. The transaction needs to be stated as approved revenue or draft
revenue. The procedure of the transaction is occurring but not completed.
ISAs need to be learned with their numbers. For example, audit engagement rules and regulations are in
200. Audit plan is 300. Align ISAs

1.6. Audit consideration in Initial Audit engagements:

For an initial audit engagement, additional matters the auditor may consider in establishing the
overall audit strategy and audit plan include the following:

The audit engagement letter includes specific components. The auditor wants to consider some
specific, important matters from the audit engagement in the auditing.

• Unless prohibited by law or regulation, arrangements to be made with the
predecessor auditor.
If the laws and regulations state that the auditor may not consider these additional matters in
establishing the overall audit strategy and audit plan, these matters would not be
considered. For example, a matter in the previous audit engagement cannot be included
because there is a change in the current year’s laws and regulations. Accounting and auditing
standards may have changed, due to which matters included in the previous audit may not
be included, and the overall audit strategy and audit plan are to be established in that way.
• Any major issue regarding the initial selection of the auditor, communication of these
matters with governance, and how these factors affect the overall audit strategy and
plan.
• The audit procedures necessary to obtain sufficient appropriate audit
evidence.
• Other procedures required by the firm’s system of quality control for
initial audit engagements.
The organization needs to clearly manage its strategy and procedure and define the extent to
which it can describe procedures to get appropriate, sufficient audit information. The
scope of every kind of objective present in the strategy and procedure will be defined and
described for auditing. The information should be defined according to the applicable
financial enough to do auditing and has the resources needed to do external audit. This is
all stated in overall audit strategy and audit plan.

Section 2
Understanding the Business and Materiality (ISAs 315 and
320)
Auditor’s Risk Assessment Process:

ISAs 315 and 320 are related to the Auditor’s Risk Assessment Process.
Risk assessment is the systematic process for estimating the likelihood of adverse conditions
occurring. Risks are assessed in terms of both likelihood and impact. For example, managers
of a company would assess the risk of weather conditions (e.g., hurricane, blizzard) affecting
supply or of key suppliers going out of business. As part of this assessment, they also would
attempt to determine the financial impact if such an occurrence happened. By combining
these risk assessments, they would be able to better prioritize the events and their potential
effects on store operations. For example, a week before a hurricane struck the location where the
company was located, the business’s continuity director was tracking the storm’s progress from
an emergency command center.
ISAs state that the Auditor’s Risk Assessment Process is done on the basis of these:
1. Inquiries:
Professional skepticism should be exercised while asking questions. The auditor should have a
questioning mind to critically evaluate the information provided through the inquiries. It
would also help to detect fraud and error present in the information. It is used to identify
problems. Inquiries include enquiring from the client, his staff or third parties having
knowledge about a particular item or activity.

• Management

Lower level managers and upper level managers are asked questions to get
sufficient and appropriate information. Whistleblowing is done by the lower level.
The company’s employees speak about the company’s information to an external party.
The company’s secrets are revealed to the public. The media and legal bodies begin to
support the company so that no harm comes to the environment and the
company. Company staff may commit fraud.

• Appropriate individuals within the internal audit function, if such a function exists;
• Others who may have information regarding the risks of material misstatement
due to fraud or error.

2. Analytical Procedures:
It is a study of ratios and trends to identify the existence of unusual transactions or events
that might have implications for the audit. Financial ratios are calculated. Vertical and
horizontal analysis may be done by the auditor. Analytical procedures are the analysis of
significant ratios and trends for investigating unusual fluctuations and items.
3. Observation and Inspection:
Analysis is done on the basis of the observation and inspection done by the auditor.
Observation: The process or procedure being performed by others is observed. For example,
physical verification and counting of inventory can be observation done by an auditor. This
includes inspecting internal controls manuals or business plan.
Inspection: Inspecting the documentary evidence like deed papers, certificates etc. relating to
the audit, whether in the possession of the entity or of third parties.
Example of Observation and Inquiry:
Institutional Framework evaluation is a method in which HEC sends a person who evaluates a
university. HEC would demand files from each department, like the HR department,
administration, research and so on. When the files of the admission department are examined, HEC will
find out the way in which the selection of a student is done, whether proper documents were there and whether the filtering
method was a proper one. Whether HR is making good policies, whether the purchase department is recording fees
correctly and so on will be checked. HEC will see whether the work by the university is
done properly and govern rules to ensure they are followed by the university.

Case: A recession in the industry of the client company is occurring; therefore an increase in
commodity prices has forced companies to raise prices and so pass on the higher cost to
customers. The auditor may also be aware that the client company has a poor track record in
collecting trade receivables.

A recession is taking place in the industry of the client company. In a recession, demand increases and
supply decreases because the industry is not in a position to make products. Input prices increase
since demand increases. The output price or sale price also increases to pay the input price. The customer has
to pay a higher price. The organization would increase its sales on a credit basis to get more profit.
The auditor sees what the effect will be on the environment, ensures that the whole country does not go into
recession, and considers how people will pay on a credit basis.

4. Conclusion
The audit should give particular attention to the measurement of trade receivables, and the
estimates for bad and doubtful debts.
The auditor will see if the company was capable enough to use trade receivables. The company has a
policy to cater to customer needs by providing discounts. The average collection period will be
calculated. Bad debts and write-offs will be found, so the trade policy is not good. The auditor
will give the opinion that the company was already in a bad position, so how did it make more sales on
the basis of credit? If the company keeps on incurring bad debts then revenue will decrease; since bad
debts are there, no profit will occur. If the company is not evaluating the situation then this
means the company is involved in malfunction.

2.1. Understanding the entity and its environment:

When risk assessment is done, the industry and regulatory environment is evaluated.

Knowledge and understanding of the client’s business in the context of the client’s industry is
essential in an audit. Auditing standards require auditors to obtain a thorough understanding of
the business to plan and perform the audit work. Obtaining an understanding of the company
includes understanding:

• Relevant industry, regulatory and other external matters,

Obtaining an understanding of relevant industry, regulatory, and other external
factors encompasses the competitive environment and technological
developments; the regulatory environment, including the applicable financial
reporting framework (e.g., U.S. GAAP or IFRS) and the legal and political
environment; and external factors, including general economic conditions.
Auditors must understand the broad economic environment in which the client
operates, including such things as the effects of national economic policies (e.g.,
price regulations and import/export restrictions), the geographic location and its
economy (e.g., northeastern states versus sunbelt states), and developments in
taxation and regulatory areas (e.g., industry regulation, approval processes for
products in the drug and chemical industries). Industry characteristics are also
important. There is a great deal of difference in the production and marketing
activities of banks, insurance companies, mutual funds, supermarkets, hotels, oil
and gas industries, agriculture organizations, manufacturers, and so forth. Industry
expertise also involves knowledge of the competition and an understanding of the
client’s market. Few auditors are experts in all of these areas. Public accounting
firms must have experts in all the industries that they examine and rely on them to
supervise audits in those industries. Indeed, some public accounting firms have
reputations for having many audit clients in a particular industry while others
have a larger presence in other industries. In addition, auditors should be aware of
the effects that economic distress and slow recovery can have on their clients.
There have been examples in the past in which inspectors have identified
instances where auditors sometimes failed to comply with auditing standards in
connection with the economic crisis, in areas such as fair value measurements,
impairment of goodwill, indefinite lived intangible assets, and other long-lived
assets, allowance for loan losses, off-balance sheet structures, revenue
recognition, inventory, and income taxes.

• The nature of the entity, including its operations, ownership, management
structures and types of current and planned investments. The nature of the
company and related parties.
Related parties include those individuals or organizations that can influence or be
influenced by decisions of the company, possibly through family ties or investment
relationships. The nature of the entity's business, for example, the potential for
technological obsolescence of its products and services, the complexity of its capital
structure, the significance of related parties and the number of locations and
geographical spread of its production facilities.
Obtaining an understanding of the nature of the company includes understanding:
◦ The company’s organizational structure and management personnel.
Is the client centralized or decentralized? Who makes the decisions? Are
senior managers familiar with accounting and reporting requirements? Do
they value the importance of good controls? Are any officers, employees,
or shareholders involved in related-party transactions?
◦ The sources of funding of the company’s operations and investment
activities.
Is the company funded by debt or equity? Are there restrictions placed by
lenders that management must meet? Does it have the financing in place to
meet future cash requirements? Are any lenders or shareholders involved
in related-party transactions?
◦ The company’s operating characteristics, including its size and
complexity.
Does the company operate internationally? Do subsidiaries operate in
diverse industries?

• The entity’s selection and application of accounting policies and related
disclosures regarding the entity’s business and consistent with the industry
and the applicable financial reporting framework.

Auditors should evaluate whether the company’s selection and application of
accounting principles are appropriate for its business and consistent with the
applicable financial reporting framework and accounting principles used in the
relevant industry. Auditors should pay attention to significant changes in the
company’s accounting principles, financial reporting policies, or disclosures and
the reasons for such changes; significant accounting principles in controversial or
emerging areas; and the methods the company uses to account for significant and
unusual transactions. With respect to auditing accounting estimates, auditors are
supposed to monitor the differences between management’s estimates and the
closest reasonable estimates supported by the audit evidence and evaluate the
differences taken altogether for indications of a systematic bias.

• The entity’s objectives, plans and strategies and those related business risks
that might reasonably be expected to result in risks of material
misstatement.
The purpose of obtaining an understanding of the company’s objectives,
strategies, and related business risks is to identify business risks that could
reasonably be expected to result in material misstatement of the financial
statements. The following are examples of situations in which business risks
might result in material misstatement of the financial statements:

◦ Industry developments, for example, a potential related business risk
might be that the company does not have the personnel or expertise to
deal with the changes in the industry.
◦ New products and services, for example, a potential related business
risk might be that the new product or service will not be successful.
◦ Expansion of the business, for example, a potential related business
risk might be that the demand for the company’s products or services
has not been accurately estimated.
◦ The effects of implementing a strategy, particularly any effects that
will lead to new accounting requirements.
◦ Financing requirements, for example, a potential related business risk
might be the loss of financing due to the company’s inability to meet
financing requirements.

• The company’s measurement and analysis of its financial performance.

The purpose of obtaining an understanding of the company’s performance
measures is to determine what information management and others deem to be
key indicators of company performance. They also reveal what items
management or financial statement users might be sensitive to. For example,
measures used to determine management compensation or analysts’ ratings might
place pressure on management to manipulate results. Also, auditors might gain a
better understanding of their clients by reviewing measures management uses to
monitor operations, such as budget variances or trend analysis. Finally, those
measures might be indicators of qualitative materiality factors.

How is business performance evaluated?

Business performance is evaluated using:

• Audit risk
• Business risk

Business Risks

Business risk includes factors that could hinder the goals and objectives of the company
during the course of an audit. Risks that could adversely affect companies’ ability to achieve
objectives and execute strategies are called business risks. Business risks might result from
setting inappropriate objectives and strategies, or from complexity in the company’s
operations, changes in the industry environment, or even management
incompetence. Financial statements can be used to see the effects of the industry environment,
including economic and political events, weather occurrences, technological advances, and
social and demographic patterns on business. Auditors need to take the time to carefully
acquire knowledge about a client’s business, industry, and strategy to achieve competitive
advantage in order to get a better understanding of business risk.

Business risks relate exclusively to the company and its stakeholders. These risks can be very
diverse, but the largest risk facing any company is that it ceases to continue. The risks
include any factors that could lead to business failure. The following is a list of common
business risks, but it is not all-inclusive.

• Significant conditions,

Loss of profitability

Over trading

Cash flow issues

This may include risks like major plant failure, labour price rises and labour unions arising, which
may negatively affect the cash flow.

• Events,
There may be a political event or religious event. There may be an unexpected event that may
cause the business to fail. The current dilemma that is being faced includes the corona pandemic.
Political or economic instability

• Circumstances,

There may be circumstances like earthquake, flood or corona that affect business negatively.

Legal issues

• Actions or inactions that could affect an entity’s ability to reach its objectives and
carry out its strategies

High financial risk

High risk of theft and fraud

Increase in production cost

Lack of financing

Market action that may include an unexpected decrease in stock price, an unexpected
decrease in customers, increased competition, or a decline in demand for a product or service that
causes the organization not to meet its planned goals and objectives on time.

There are conditions in the economy which cause business risks. Business risks are known as
operational technical volatility. Risk that arises from the activities of the business is called
operational technical volatility.

Audit Risk

Auditors’ evidence-gathering and reporting reduce information risk to financial statement
users, but the auditor itself faces the risk of issuing an incorrect opinion on the financial
statements: giving an unmodified audit opinion when unknown material misstatements,
whether due to errors, frauds, or noncompliance with laws or regulations that directly affect
the financial statements, actually exist in the statements. This overall risk is known as audit
risk.
Audit risk includes factors that can cause a misstatement, error or omission in the financial
statements; this is directly related to the auditor. Business risks relate to the company itself,
including stakeholders. While these risks are very different, if there are large business risks
they could lead to higher detection of audit risks. To ensure that business risks are considered
in audit planning, a top-down approach is encouraged, ensuring that the auditor fully
understands the environment of the company prior to auditing.

There are three types of audit risk:

a. Inherent Risk
b. Control Risk
c. Detection Risk

Auditing standards require auditors to design audits to provide reasonable assurance of detecting
material errors and frauds to minimize audit risk.

How are Audit Risk and Business Risk linked with each other?
Slide 15 Missing

Internal Control System

Internal control, as defined by accounting and auditing, is a process for assuring the achievement of an
organization's objectives in operational effectiveness and efficiency, reliable financial reporting,
and compliance with laws, regulations and policies. The internal control structure of a company
consists of the policies and procedures established to provide reasonable assurance that specific
entity objectives will be achieved. The proper execution of business activities to achieve the objective of a
business, in the light of prevailing laws and socio-economic conditions of the country, is
called an internal control system or structure. The internal control system is introduced to avoid
errors and frauds and for systematic control of business activities.

The American Institute of Certified Public Accountants (AICPA) says that internal control is the plan of organization and
all of the coordinate methods and measures adopted within a business to safeguard its assets, check
the accuracy and reliability of its accounting data, promote operational efficiency and encourage
adherence to prescribed managerial policies.

Example where internal control system is needed

For example;

In small business organizations, generally, the owner-manager controls the total activities of his
business by his personal supervision and direct participation. The owner generally purchases
required business materials and other properties. He himself appoints employees,
completes the contract with them through discussion and also keeps a constant watch over their
activities. He himself signs cheques for payments under different heads. Since he signs all the
cheques, he can easily have an idea of what commodities, assets, and services he is signing for.
But with the expansion of business, the appointment of additional employees and officers is
needed and the scope of business also widens. Under such conditions, it becomes almost
impossible for the manager to perform all the activities of the business alone, so
he has to delegate authority and his overall control tends to decrease. The owner needs an
internal control system to ensure that his overall control remains the same.

Conditions under which ICS differs

The internal control system differs from one business organization to another depending on the
nature and size of the business.

• The nature of the entity's business, for example, the potential for technological
obsolescence of its products and services, the complexity of its capital structure, the
significance of related parties and the number of locations and geographical spread of its
production facilities.
• The size of business may include how large or small the business is.
How is risk assessed? Internal Audit System is made up of 5 steps.

1. Control Environment
This step ensures that an environment is built up in which whatever operation is done by the
organization is automatically monitored and controlled by the environment. Control
environment is the “risk consciousness” of the organization and includes the
organization’s risk management philosophy and “risk appetite,” its integrity and ethical
values, and the environment in which it operates.

The control environment is arguably the most important component because it sets the tone
for the organization. Factors of the control environment include employees' integrity, the
organization's commitment to competence, management's philosophy and operating style,
and the attention and direction of the board of directors and its audit committee. The control
environment provides discipline and structure for the other components. Objective setting is
management’s responsibility to determine the goals and objectives of the organization.
The core of any organization is its people – their individual attributes, including integrity,
ethical values and competence – and the environment in which they operate. They are the
engine that drives the organization and the foundation on which everything rests. Effectively
controlled organizations set a positive "tone at the top" and strive to:
• Train staff to understand and use appropriate management controls in all areas.
• Provide structure and process for implementing these controls.
Internal controls are likely to function well if management believes that those controls are
important and communicates that view to employees at all levels. If management views controls
as unrelated to achieving its objectives, or even worse, as an obstacle, this attitude will also be
communicated. Despite policies to the contrary, employees will then view internal controls as
"red tape" to be "cut through" to get the job done. An effective internal control environment:

• Sets the tone of an organization influencing the control consciousness of its people
• Is an intangible factor that is the foundation for all other components of internal control,
providing discipline and structure
• Describes "organizational culture"
• Includes a commitment to hire, train, and retain qualified staff
• Encompasses both technical competence and ethical commitment
2. Entity’s Risk Assessment Process.
After setting up the objective of business, external and internal risks are to be assessed. The
management determines risk controlling means after examining the risks related to every
objective.
Risk assessment refers to the identification, analysis, and management of uncertainty facing
the organization. Risk assessment focuses on the uncertainties in meeting the organization's
financial, compliance, and operational objectives. Changes in personnel, new product lines,
or rapid expansion could affect an organization's risks.
A risk is anything that endangers the achievement of an objective. Always ask: What can go
wrong? What assets do we need to protect?
• Risk assessment is the process used to identify, analyze, and manage the potential risks
that could hinder or prevent an agency from achieving its objectives.
• Risk increases during a time of change, for example, turnover in personnel, rapid growth,
or establishment of new services.
• Other potential high risk factors include complex programs or activities, cash receipts,
direct third party beneficiaries, and prior problems.
Management must be aware of and deal with the risks the organization faces. It must set
objectives, integrated with other activities so that the organization is operating in concert.

Management must also establish mechanisms to identify, analyze and manage the related risks.
Risk assessment is the systematic process for estimating the likelihood of adverse conditions
occurring. Risks are assessed in terms of both likelihood and impact. For example, managers of
a company would assess the risk of weather conditions (e.g., hurricane, blizzard) affecting
supply or of key suppliers going out of business. As part of this assessment, they would also
attempt to determine the financial impact if such an occurrence happened. By combining these
risk assessments, they would be better able to prioritize the events and their potential effects on
store operations. For example, a week before a hurricane struck the location where the company
was located, the business’s continuity director was tracking the storm’s progress from an
emergency command center.

Risk assessment has 4 steps:

1. Identify business risks

Identify which department the risk sits in. The risk can be in any department: for example,
poor advertising in the marketing department, operational risk, cash flow volatility in
purchasing, poor logistics in supply chain management, the finance department, or an HR
department that hires unqualified employees and so reduces the efficiency of the business.
Identify potential problems. Review goals and objectives. Determine potential problem areas,
for example areas that receive complaints or have had problems in the past, areas that have
undergone recent changes in staff or structure, and complex activities. Event identification is
the identification of conditions and events that could adversely affect management’s
objectives. For example, supplier problems, poor weather conditions that can affect the trucks
supplying the stores, and information system breakdowns are just several of the events that
could adversely affect a retailer’s ability to keep its stores’ shelves stocked.
2. Estimate its Significance
Risks are assessed in terms of impact. Significance of risk is determined in amounts i.e. at
level. The risk that causes the most damage to the business is identified. Determine the severity
of risks by asking both: Where do we face the greatest possible harm? What types of losses are
most likely to occur? A moderate loss that is likely to occur presents as much danger as a more
serious loss that is less likely to occur. Use this evaluation to prioritize your efforts.
3. Assess likelihood of its significance
Risks are assessed in terms of likelihood, that is, the chance of the risk occurring. The
likelihood is multiplied by the significance to identify the risk that causes the most damage or
expense for the company.
4. Actions to reduce risk
The information system is used to reduce risk. A written narrative or flow chart could be used
to explain how the problem is supposed to be handled by describing each activity or transaction
within the cycle. The following could be described in the narrative:
• Who is performing each step?
• What is involved in the step?
• Any resulting documentation, for example, reports
Review the information available in policy and procedure manuals to find ways to reduce
risk. Written materials such as organizational charts, job descriptions, reviews, checklists,
department records, and reports could also be used to review the methods of reducing the
problem. Supplementing written sources through conversations with, and observations of,
appropriate staff could help in suggesting ways to reduce risk. The problem is identified and
reduced. Finally, communicate the process to be sure every action to reduce risk is understood.

3. Information System
Relevant information for decision-making is to be collected and reported in good time. The
events that yield data may originate from internal or external sources. Communication is very
important for achieving management goals. Employees need to understand what is expected of
them and how their responsibilities relate to the activities of others. Communication of
the owners with outside parties such as suppliers is also very important.
Information and communication encompasses the identification, capture, and exchange of
financial, operational, and compliance information in a timely manner. People within an
organization who have timely, reliable information are better able to conduct, manage, and
control the organization's operations.
Control activities are surrounded by information and communication systems. These systems
enable the organization’s people to capture and exchange the information needed to conduct,
manage and control its operations.
• Obtain external and internal information, and provide management with necessary
reports on the organization’s performance relative to established objectives.
• Provide information to the right people in sufficient detail and on time to enable them
to carry out their responsibilities efficiently and effectively.
• Develop or revise information systems based on a strategic plan, linked to the
organization’s overall strategy, and responsive to achieving the entity-wide and
activity-level objectives.
• Demonstrate support for developing necessary information systems by committing
adequate human and financial resources.
4. Control activities
Management establishes a system of control activities to prevent the risks associated with
every objective. These control activities include all the measures that employees are to
follow. Control activities are policies and procedures to ensure that risk
responses are appropriate given the circumstances and environment in which the organization
operates.

Control activities include the policies and procedures maintained by an organization to
address risk-prone areas. An example of a control activity is a policy requiring approval by
the board of directors for all purchases exceeding a predetermined amount. Control activities
were once thought to be the most important element of internal control, but COSO suggests
that the control environment is more critical since the control environment fosters the best
actions, while control activities provide safeguards to prevent wrong actions from occurring.
Control policies and procedures must be established and executed to help ensure that
management directives are carried out. They help ensure that necessary actions are taken to
address risks to achievement of the organization’s objectives. Control activities occur
throughout the organization, at all levels and in all functions. They include a range of
activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of
operating performance, security of assets and segregation of duties.
• Review each cycle to determine whether existing controls are sufficient to avoid
potential problems.
• Identify any outside policies or procedures in place to offset potential risks.
• If controls do not exist or appear ineffective, establish new controls.
• Identify any controls that are excessive or unnecessary and modify or eliminate them.
• Remember that a good control environment is the first step toward establishing
effective controls.

Organizations establish policies and procedures so that identified risks do not prevent the
organization from reaching its objectives.

• Clearly identified activities minimize risk and enhance effectiveness.
• Internal control activities are nothing more than the policies, procedures, and
organizational structure of an entity.
• Controls can be either preventive, for example, requiring supervisory approval, or
detective, for example, reconciling reports.
• Avoid excessive controls, which are as harmful as excessive risk and result in increased
bureaucracy and reduced productivity.

5. Monitoring Of Controls
When the internal control system is in practice, the organization monitors its effectiveness so
that necessary changes can be brought if any serious problem arises. Monitoring includes
regular management and supervisory activities over risk management activities to make sure
they remain in place and operate effectively. Many companies have large internal audit
groups to monitor their internal control process.
Monitoring refers to the assessment of the quality of internal control. Monitoring activities
provide information about potential and actual breakdowns in a control system that could
make it difficult for an organization to accomplish its goals. Informal monitoring activities
might include management's checking with subordinates to see if objectives are being met. A
more formal monitoring activity would be an assessment of the internal control system by the
organization's internal auditors.

The entire process must be monitored, and modifications made as necessary. This way, the
system can react dynamically, changing as conditions warrant. Ongoing monitoring occurs in the
course of operations. It includes regular management and supervisory activities, and other
actions personnel take in performing their duties. The scope and frequency of separate
evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing
monitoring procedures.

• Schedule monitoring on a regular basis.
• Test controls at least annually to determine whether they continue to be adequate and are
still functioning as intended.
• Use program monitors, auditors and reviewers as a resource in monitoring controls.
• Select a sample. Review all documentation. Visit outside sites, if appropriate.
Supplement the sample with special tests of sensitive items and problem areas.
• Always follow up to ensure that any identified problems are corrected.

After implementing internal controls, organizations must monitor their effectiveness periodically
to ensure that controls continue to be adequate and continue to function properly. Management
must also revisit previously identified problems to ensure that they are corrected.

IMPORTANT WITH EXAMPLES EXPLANATIONS

The COSO model is just one representation that can be used, and at its heart it
guides management through the implementation of a control framework that’s
measurable and targeted at reducing risk.

Here are the five components of internal controls:

• Control environment: This term refers to the attitude of the company,
management, and staff regarding internal controls. Do they take internal
controls seriously, or do they ignore them? Your client’s environment isn’t
very good if, during your interviews with management and staff, you see a
lack of effective controls or notice that previous audits show many errors.
• Risk assessment: In a nutshell, you should evaluate whether
management has identified its riskiest areas and implemented controls to
prevent or detect errors or fraud that could result in material
misstatements (errors that cause net income to change significantly). For
example, has management considered the risk of unrecorded revenue or
expense transactions?
• Control activities: These are the policies and procedures that help ensure
management’s directives are carried out. One example is a policy that all
company checks for amounts more than $5,000 require two signatures.
• Information and communication: You have to understand
management’s information technology, accounting, and communication
systems and processes. This includes internal controls to safeguard
assets, maintain accounting records, and back up data.

For example, to safeguard assets, does the client tag all computers with
identifying stickers and periodically take a count to make sure all
computers are present? Regarding the accounting system, is it
computerized or manual? If it’s computerized, are authorization levels set
for employees so they can access only their piece of the accounting
puzzle? For data, are backups done frequently and kept offsite in case of
fire or theft?

• Monitoring: This component involves understanding how management
monitors its controls and how effectively. The best internal controls are
worthless if the company doesn’t monitor them and make changes when
they aren’t working. For example, if management discovers that tagged
computers are missing, it has to put better controls in place. The client may
need to establish a policy that no computer gear leaves the facility without
managerial approval.
2.2. Understanding the accounting and Internal control system:

The primary responsibility for the development and maintenance of internal
control rests with an organization's management. Top management at a publicly
owned organization is responsible for the organization's annual financial report to
the shareholders. The financial statement is a statement indicating that management
has established a system of internal control that management believes is effective.
The statement may also provide specific details about the organization's internal
control system.

Internal control must be evaluated in order to provide management with some
assurance regarding its effectiveness. Internal control evaluation involves
everything management does to control the organization in the effort to achieve its
objectives. Internal control would be judged as effective if its components are
present and function effectively for operations, financial reporting, and
compliance. The board of directors and its audit committee have responsibility for
making sure the internal control system within the organization is adequate. This
responsibility includes determining the extent to which internal controls are
evaluated. Two parties involved in the evaluation of internal control are the
organization's internal auditors and their external auditors. The auditors evaluate
the effectiveness of the internal control structure of a business organization and
determine whether the business policies and activities are followed properly. The
communication network supports the execution of an effective internal control
structure, and all officers and employees are part of this communication network.

Internal auditors' responsibilities typically include ensuring the adequacy of the
system of internal control, the reliability of data, and the efficient use of the
organization's resources. Internal auditors identify control problems and develop
solutions for improving and strengthening internal controls. Internal auditors are
concerned with the entire range of an organization's internal controls, including
operational, financial, and compliance controls.

Internal control will also be evaluated by the external auditors. External auditors
assess the effectiveness of internal control within an organization to plan the
financial statement audit. In contrast to internal auditors, external auditors focus
primarily on controls that affect financial reporting. External auditors have a
responsibility to report internal control weaknesses (as well as reportable
conditions about internal control) to the audit committee of the board of directors.

An auditor should ensure that the business unit he is working on follows certain rules and
procedures, even though a sound system of internal control is the sole responsibility of
management. The auditor can only guide or help management if he is asked to do so, because
he has no authority to prescribe such rules and procedures. The degree of reliance on
the system depends upon the effectiveness of the internal control system; therefore, the auditor
should review and evaluate the internal control system of an organization to prepare his audit
programme. The auditor should try to reach a judgement about how strong (or weak) the internal
controls are, in order to decide how much testing should be carried out in the
audit. He should consider:

• His previous knowledge of the client company
Past references should be used. A great deal of information about the client is gathered in
the pre-engagement planning process. Auditors evaluate the competence and integrity of
management and the riskiness of the business before taking or continuing a client. The
best indicator of the risk of a material misstatement is the presence of misstatements in
previous audits that required adjusting entries. For example, for nonpublic clients, public
accounting firms often develop client income tax provisions once the audit is complete;
thus, the income tax adjusting entry would show up as an adjustment every year. Finally,
auditors who have industry expertise often have more than one client in that industry, so
they can transfer general knowledge of risks encountered in other clients while
maintaining confidentiality standards required by the profession.
• Any recent changes
• Any known problems in the internal controls of the client
Other early information-gathering activities include
(1) reviewing the corporate charter and bylaws or partnership agreement,
(2) reviewing contracts, agreements, and legal proceedings, and
(3) reading the minutes of the meetings of directors and committees of the board of
directors. The minutes provide a history of the company, critical events and
significant transactions, and future company intentions. A company’s failure to
provide minutes is a significant scope limitation that could result in the public
accounting firm’s disclaiming an opinion on the company’s financial statements.
• The effect of any new auditing or accounting requirements.

Interim auditors check how strong the company’s internal control system is. The internal control
system efficiently, effectively and independently evaluates the company according to
accounting standards. If this is happening, the chances of error, fraud or
malfunction are lower. The internal control system can be used by the external auditor for
evaluation of the company.

ISA 315 emphasizes that establishing communications with the appropriate individuals within an
entity’s internal audit function early in the engagement, and maintaining such communications
throughout the engagement, can facilitate effective sharing of information. Internal control
system tells how the organization should work and ensure standardization in the company.

To be useful, information must be reliable and it must be communicated to those who need it.
For example, supervisors must communicate duties and responsibilities to the employees that
report to them and employees must be able to alert management to potential problems.

• Information must be communicated both within the organization and to those outside, for
example, vendors, recipients, and other constituents

• Communication must be ongoing both within and between various levels and activities of
the organization.

2.3. The financial statement assertions (ISA 315)

Assertions: Representations by management, explicit or otherwise, that are embodied in the
financial statements, as used by the auditor to consider the different types of potential
misstatements that may occur.

Management, either explicitly or otherwise, tries to show in the financial statements that
everything in the company is according to requirements. The auditor uses the assertions to look
for potential misstatements, errors and possible problems.

If the auditor performs tests to confirm the occurrence of sales, this will also provide some
assurance about the existence of receivables, so these assertions are linked to each other. There
are two types of assertions:

• Assertions about classes of transactions and events and related disclosures for the period
under audit. How are transactions made and disclosed?
Transactions include sales, purchases, and wages paid during the accounting period.
• Assertions about account balances and related disclosures at the period end. How are
account balances made and disclosed?
Account balances include all the assets, liabilities and equity interests included in the
statement of financial position at the period end.

Assertions about classes of transactions and events and related disclosures:

• Occurrence: Transactions and events that have been recorded or disclosed have occurred
and relate to the entity.
The transactions recorded and disclosed actually took place and relate to the entity.
Recorded means mentioned in the documents, and disclosed means mentioned in the annual
report.
• Completeness: There are no unrecorded transactions, events and disclosures.
• Accuracy: Amounts and other data relating to recorded transactions and events have been
recorded appropriately. For example, one amount recorded in the document and a
different amount mentioned in the annual report.
• Cut-off: Transactions and events have been recorded in the correct accounting period.
The timing should be correct. International financial management and taxation states that
if you have paid next year's expense in the previous year, it should be recorded not in
the previous year but in the next year. Otherwise the previous year's expenditure will
increase, so profit will decrease, while the next year will have less expenditure, so more
profit will be shown.
• Classification: Transactions and events have been recorded in the proper accounts.
There are two different types of account: sale and sale return. For example, a sale
mentioned in the sale return account.
Advertisement expenditure should not be recorded in operating expenditures.
• Presentation: Transactions and events are appropriately aggregated or disaggregated and
clearly described, and related disclosures are relevant and understandable.
The transactions are properly identified and described clearly. The financial statements of
Nishat Textile Mills, with 6 years at a glance, show how to properly present the
transaction.

A great deal of work takes place on completeness and accuracy but it is important not to
underestimate the significance of the other elements.
Outright frauds may show up in tests for occurrence, i.e. tests designed to show whether
transactions actually happened, but cut-off errors give rise to many misstatements, i.e.
moving transactions into or out of the accounting period around the period-end.
Cut-off issues can arise for a whole host of reasons. Cut-off is not always a well-controlled
part of the financial reporting process and may involve period-end journal
entries. Errors often arise unintentionally. However, cut-off is often a higher-risk area not
simply because of poor control, but because intentionally shifting transactions across the
reporting date can be useful to:
• meet profit targets or manipulate bonus or tax payments;
• prevent the breach of banking covenants, i.e. promises to the bank not to exceed certain
asset to liability ratios, for example;
• maintain or improve key performance indicators such as earnings per share, or simply
keep them on the right side of industry averages.
Classification is often important for tax or regulatory purposes as well as for disclosures
in the notes to the accounts. If expenditure is posted incorrectly to a capitalized research
and development account, assets and profits are overstated and tax may be understated,
among other things.
Assertions about account balances and related disclosures are as follows:

• Existence: Assets, liabilities and equity interests exist.
• Rights and Obligations: The entity holds or controls the rights to assets, and
liabilities are those of the entity.
• Completeness: There are no unrecorded assets, liabilities or equity interests and all
related disclosures have been included.
• Accuracy, valuation and allocation: Assets, liabilities and equity interests, their
valuation or allocation and related disclosures have been appropriately measured and
described.
• Classification: All items are appropriately aggregated or disaggregated and clearly
described, and related disclosures are relevant and understandable.

Completeness and valuation are clearly important but auditors can be made to look very silly if
they do not check on existence. There have been a number of celebrated cases in which auditors
have not checked on the physical existence of assets by going and seeing them, or have done so
in a very predictable manner. Inevitably, there have been cases where significant assets in the
balance sheet turned out to be elaborate documentary fabrications. Auditors can never entirely
rely on records, however good they appear to be and checking on existence at random or in an
unpredictable manner improves the chances of fraud detection.

Example: Using your accounting knowledge, apply the appropriate
assertions to the audit of sales of goods.

• Occurrence: All sale invoices reflected in the accounting records relate to goods
dispatched by the entity during the current year. The figure for revenue in the financial
statements agrees to the sales account in the nominal ledger.
• Completeness: All goods dispatched have been invoiced and all such sales invoices have
been entered into the accounting records. All entries in the sales account in the nominal
ledger have been included within “revenue”.
• Accuracy: All invoices have been correctly priced and discounts properly applied, and
they have been accurately entered in the accounting records. The sales account in the
nominal ledger has been properly added to arrive at the “revenue” figure in the financial
statements.
• Cut-off: Goods dispatched just before the year end have been invoiced and included in
sales. Goods dispatched just after the year end have not been included in sales.
• Classification: All sales invoices have been posted to the sales account in the nominal
ledger. ‘Revenue’ is properly disclosed in the financial statements in the income
statement or statement of comprehensive income for the current year.

Assertions (need to be plagiarized)

Occurrence – this means that the transactions recorded or disclosed actually
happened and relate to the entity. For example that a recorded sale represents
goods which were ordered by valid customers and were despatched and invoiced in
the period. An alternative way of putting this is that sales are genuine and are not
overstated.

Relevant test – select a sample of entries from the sales account in the general
ledger and trace to the appropriate sales invoice and supporting goods dispatched
notes and customer orders.

Completeness – this means that transactions that should have been recorded and
disclosed have not been omitted.

Relevant test – select a sample of customer orders and check to dispatch notes
and sales invoices and the posting to the sales account in the general ledger.

Accuracy – this means that there have been no errors while preparing documents
or in posting transactions to ledgers. The reference to disclosures being
appropriately measured and described means that the figures and explanations are
not misstated.

Relevant test – reperformance of calculations on invoices, payroll, etc, and the
review of control account reconciliations are designed to provide assurance about
accuracy.

Cut-off – that transactions are recorded in the correct accounting period.

Relevant test – recording last goods received notes and dispatch notes at the
inventory count and tracing to purchase and sales invoices to ensure that goods
received before the year end are recorded in purchases at the year end and that
goods dispatched are recorded in sales.

Classification – transactions recorded in the appropriate accounts – for example, the
purchase of raw materials has not been posted to repairs and maintenance.

Relevant test – check purchase invoices postings to general ledger accounts.

Presentation – this means that the descriptions and disclosures of transactions
are relevant and easy to understand. There is a reference to transactions being
appropriately aggregated or disaggregated. Aggregation is the adding together of
individual items. Disaggregation is the separation of an item, or an aggregated
group of items, into component parts. The notes to the financial statements are
often used to disaggregate totals shown in the statement of profit or loss.
Materiality needs to be considered when judgements are made about the level of
aggregation and disaggregation.

Relevant test – confirm that the total employee benefits expense is analysed in
the notes to the financial statements under separate headings – ie wages and
salaries, pension costs, social security contributions and taxes, etc.
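
The cut-off test described above, as an added example that is not part of the original notes: a Python check that compares dispatch notes raised around the year end with postings to the sales account and flags sales recorded in the wrong period. The record layout, document numbers, the 31 December 2023 year end and the five-day testing window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class DispatchNote:
    number: str
    dispatched: date          # date the goods left the entity
    invoice: Optional[str]    # invoice raised for the dispatch, None if none yet


@dataclass(frozen=True)
class LedgerSale:
    invoice: str
    posted: date              # accounting date of the posting to the sales account


def cutoff_exceptions(notes, ledger, year_end, window_days=5):
    """Return (dispatch note number, finding) pairs for notes near the year end.

    Findings:
      deferred       - goods dispatched in the year, sale posted after year end
      pulled_forward - goods dispatched after year end, sale posted in the year
      unrecorded     - goods dispatched in the year, no sale posted at all
    """
    posted = {sale.invoice: sale.posted for sale in ledger}
    findings = []
    for note in sorted(notes, key=lambda n: n.number):
        # Cut-off testing concentrates on documents either side of the year end.
        if abs((note.dispatched - year_end).days) > window_days:
            continue
        shipped_in_year = note.dispatched <= year_end
        posting = posted.get(note.invoice) if note.invoice else None
        if posting is None:
            # A dispatch after the year end may legitimately be invoiced later.
            if shipped_in_year:
                findings.append((note.number, "unrecorded"))
            continue
        recorded_in_year = posting <= year_end
        if shipped_in_year and not recorded_in_year:
            findings.append((note.number, "deferred"))
        elif recorded_in_year and not shipped_in_year:
            findings.append((note.number, "pulled_forward"))
    return findings


# Constructed sample data (not taken from any real entity).
YEAR_END = date(2023, 12, 31)
SAMPLE_NOTES = [
    DispatchNote("DN-0900", date(2023, 11, 1), "INV-400"),   # outside the window
    DispatchNote("DN-1001", date(2023, 12, 29), "INV-501"),  # correct period
    DispatchNote("DN-1002", date(2023, 12, 31), "INV-502"),  # posted too late
    DispatchNote("DN-1003", date(2024, 1, 2), "INV-503"),    # posted too early
    DispatchNote("DN-1004", date(2023, 12, 30), None),       # never invoiced
    DispatchNote("DN-1005", date(2024, 1, 3), "INV-505"),    # correct period
    DispatchNote("DN-1006", date(2024, 1, 4), None),         # not yet invoiced
]
SAMPLE_LEDGER = [
    LedgerSale("INV-400", date(2024, 1, 5)),
    LedgerSale("INV-501", date(2023, 12, 29)),
    LedgerSale("INV-502", date(2024, 1, 2)),
    LedgerSale("INV-503", date(2023, 12, 31)),
    LedgerSale("INV-505", date(2024, 1, 3)),
]


def run_sample():
    return cutoff_exceptions(SAMPLE_NOTES, SAMPLE_LEDGER, YEAR_END)


if __name__ == "__main__":
    for number, finding in run_sample():
        print(number, finding)
```

A "pulled_forward" finding overstates current-year sales and a "deferred" or "unrecorded" finding understates them, which is why both directions are reported.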

Account balance assertions

• Existence – means that assets and liabilities really do exist and there has
been no overstatement – for example, by the inclusion of fictitious
receivables or inventory. This assertion is very closely related to
the occurrence assertion for transactions.
Relevant tests – physical verification of non–current assets, circularisation
of receivables, payables and the bank letter.
• Rights and obligations – means that the entity has a legal title or controls the
rights to an asset or has an obligation to repay a liability.
Relevant tests – in the case of property, deeds of title can be reviewed.
Current assets are often agreed to purchase invoices although these are
primarily used to confirm cost. Long term liabilities such as loans can be
agreed to the relevant loan agreement.
• Completeness – that there are no omissions and assets and liabilities that
should be recorded and disclosed have been. In other words there has been no
understatement of assets or liabilities.
Relevant tests – A review of the repairs and expenditure account can
sometimes identify items that should have been capitalised and have been
omitted from non–current assets. Reconciliation of payables ledger balances
to suppliers’ statements is primarily designed to confirm completeness
although it also gives assurance about existence.
• Accuracy, valuation and allocation – means that amounts at which assets,
liabilities and equity interests are valued, recorded and disclosed are all
appropriate. The reference to allocation refers to matters such as the inclusion
of appropriate overhead amounts into inventory valuation.
Relevant tests – Vouching the cost of assets to purchase invoices and
checking depreciation rates and calculations.
• Classification – means that assets, liabilities and equity interests are
recorded in the proper accounts.
Relevant tests – the test for transactions of checking purchase invoice
postings to the appropriate accounts in the general ledger will be relevant
again. Also that research expenditure is only classified as development
expenditure if it meets the criteria specified in IAS® 38 Intangible Assets.
• Presentation – this means that the descriptions and disclosures of assets and
liabilities are relevant and easy to understand. The points made above
regarding aggregation and disaggregation of transactions also apply to assets,
liabilities and equity interests.
Relevant tests – auditors often use disclosure checklists to ensure that
financial statement presentation complies with accounting standards and
relevant legislation. These cover all items (transactions, assets, liabilities and
equity interests) and would include for example confirming that disclosures
relating to non–current assets include cost, additions, disposals, depreciation,
etc.

Assertions

| PCAOB Assertions | ASB Assertions | Key Questions | Examples of Representative Evidence Available | Audit Procedures |
| --- | --- | --- | --- | --- |
| Existence or occurrence | Existence | Do the assets recorded really exist? | The physical presence of the assets | Inspection of tangible assets |
| Existence or occurrence | Occurrence | Did the recorded sales transactions really occur? | Client shipping documents | Inspection of records or documents (vouching) |
| Completeness | Completeness | Are the financial statements (including footnotes) complete? | Documents prepared by the client | Inspection of records or documents (tracing) |
| Cutoff | Cutoff | Were all transactions recorded in the proper period? | Client receiving, shipping reports | Inspection of records or documents (tracing or vouching) |
| Rights and obligations | Rights and obligations | Does the entity really own the assets? Are related legal responsibilities identified? | Statements by independent parties | Confirmation |
| Valuation and allocation | Valuation or allocation | Are the accounts valued correctly? | Client-prepared accounts receivable aging schedule | Reperformance |
| Accuracy | Accuracy | Were transactions recorded accurately? | Vendor invoices | Inspection of records or documents (tracing or vouching) |
| Classification | Classification | Were all transactions recorded in the proper accounts? | Comparisons of current-year amounts with those from the prior year | Analytical procedures |
| Presentation and disclosure | Understandability | Are the presentations and disclosures understandable to users? | Management prepared financial statements and footnotes | Inquiry |

2.4. Risk and Materiality: (from the slides)


The financial statement level refers to risks which are pervasive to the financial statements
as a whole and which potentially affect many assertions.
• If management has a tendency to override internal controls, this would affect all areas
of the accounting systems. The quality of the risk is to be seen. This includes its
relevance, reliability and validity to the audit evidence.
• The risk involved in making an incorrect observation or reaching an invalid conclusion
needs to be considered when the auditor is obtaining audit evidence. For example, if any
risk of legal action against the auditee results from reporting an observation, the standard
of evidence demanded will be high.

The assertion level refers to specific objectives of the financial statements.

• The auditor should note what level of assurance is required. An audit
level of assurance can be high assurance, while a review level of assurance is moderate
assurance.
For example, a higher level of assurance is required for evidence to support observations
than is required to support contextual information included in the report.
• That all liabilities have been recorded and that recorded assets exist.

Risk assessment is an important aspect of planning an audit:

• The areas where risk of misstatement (error) appears to exist, and the nature of the risk.
• When an error should be considered material, and when it may be ignored.
• What aspects of the audit will be the most difficult to plan because of the high risk of
misstatement.

The auditor should consider:

• Assessment of inherent risks and control risks and the identification of the
significant audit areas
Assessing inherent risk means that, when the auditor does the audit work, the threats that
will occur are identified. When the inherent risk is high, this means that there is a high
risk of misstatement of an item in the financial statements. Inherent risk operates
independently of controls. The auditor must accept that the inherent risk that exists will
not simply go away by itself. Control risk is the risk that a misstatement that could occur
in an assertion about a class of transaction, account balance or disclosure and that could be
material, either individually or when aggregated with other misstatements, will not be
prevented, or detected and corrected, on a timely basis by the entity’s internal control.
Significant audit areas are identified in the audit plan. It is important for the auditor to
identify the areas which involve greater audit risk, so that the audit can be planned in
such a way that overall audit risk will be less. More risky areas should be checked in
detail and vice versa.
• Setting materiality levels
This is the level of materiality in rupee terms, or the significance of the observation or
conclusion. Generally, the higher the level of significance or materiality, the higher the
standard that evidence will have to meet.
• The possibility of material misstatements
Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements. Management, whether
through clear or unclear statements, tries to show that everything in the company is
according to requirements in the financial statements. The auditor tries to find potential
misstatements, errors and possible problems from the assertions, audit evidence and so on.
• The identification of complex accounting areas
There is a new instrument, so what is done with the previous one? Any change in
accounting and auditing standards may affect the scope of the audit or the manner in which it
is conducted. Therefore these should be carefully considered while finding the risk in
auditing.

Audit Risk Approach:

• The substantive approach whereby every item in the financial statements is tested and
vouched to supporting documents.

• Used for small entities, where internal controls are weak and there are few
transactions.

A substantive audit plan would contain a list of audit procedures for gathering evidence related
to the relevant assertions identified for an audit client’s significant financial statement accounts
and disclosures.
The substantive audit plan (i.e., the nature, timing, and extent of further procedures) depends
almost exclusively upon the assessment of risk at an audit client. For example, consider the
nature of procedures.

There are two ways to conduct substantive tests:

(1) substantive analytical procedures and


(2) tests of details

When completing analytical procedures to gather evidence, the auditor must develop an
independent expectation of what he or she thinks the account balance should be. Once this is
developed, the expectation is compared to the recorded amount. Any significant differences must
be investigated and then corroborated with evidence. When applying substantive test of details,
the auditor must seek to understand the account balance and/or economic transaction to ensure,
based on valid and reliable evidence, that the amount was recorded in accordance with the
applicable financial reporting framework. In general, analytical procedures are considered more
efficient while a test of details is considered more effective. Thus, an auditor must take great care
in determining the nature of the testing procedure, that is, whether a substantive analytical
procedure or a test of details is to be specified in the audit plan.

• The system approach whereby the underlying accounting systems were tested with less
emphasis on the testing of individual transactions and balances.

• Avoid over auditing

Risks for which Substantive Procedures Alone are Inadequate

Some testing of controls is likely to be necessary in addition to substantive testing where there is
a large volume of routine transactions subject to automated processing. This is particularly
relevant where there is little or no source documentation, where transactions are generated by the
system itself, such as in on-line ordering from the Internet and airline ticketing, and even more so
where the information is held in electronic form only. This is the principal type of risk for which
substantive procedures alone are inadequate. Again, the requirement is for auditors to understand
the relevant controls.

2.5. Materiality (ISA 320):


It reflects the fact that the users of financial statements find the statements useful even if they
are not 100% accurate.

• The IASB’s Framework for the Preparation and Presentation of Financial Statements states
that:

• “Information is material if its omission or misstatement could influence the economic
decisions of users taken on the basis of the financial statements”

• ISA 320, Materiality in Planning and Performing an Audit, states that assessing what is or
is not material is a matter of professional judgement.

Therefore, auditors are entitled to assume that users:

• Have a reasonable knowledge of business and are willing to study the information in the
financial statements diligently,
• Understand that financial statements are prepared, presented and audited to levels of
materiality,
• Recognize the uncertainties inherent in certain amounts in the financial statements,
• Make reasonable economic decisions based on the information in the financial
statements.

ISA 320 requires the auditor to apply the concept of materiality:

• When planning and performing the audit, and

• When evaluating the effect of misstatements on the financial statements and therefore on
his audit opinion.

At planning stage:

• The auditor must determine the materiality level or materiality threshold.

• Performance materiality recognizes the fact that if all areas of the audit are carried out to
detect all errors/omissions under the materiality level.

• As the audit progresses, the auditor must revise materiality if he becomes aware of
information which would have caused him to have initially set different levels.
• Documentation must include details of all materiality levels set and any revision of these
levels as the audit progresses.

• Setting materiality levels:

  • Materiality levels are often based on ‘quantitative’ factors, and expressed as a
  percentage of profit before tax, total revenue, gross profit etc.

    o If the auditor finds, as a result of audit tests, that his estimate of inventory is more
    than the client measurement, then the error would be considered material.

  • For setting overall materiality, ‘qualitative’ characteristics may also be taken into
  account.

    o Many auditors would take the view that certain figures in financial statements
    should be absolutely correct and that any errors in those figures would be judged
    to be material.

      - Share equity and director remuneration.

For understanding whether misstatements in qualitative disclosures could be material, the
auditor may identify the relevant factors:

    o The circumstances of the entity for the period.

    o The applicable financial reporting framework, including changes therein.

    o Qualitative disclosures that are important to users of the financial statements
    because of the nature of the entity.

      - Liquidity risk for FI

Illustration

• Draft financial statements for XYZ Ltd show the following:

  • Revenue: Rs. 100M
  • Pre-tax profit = Rs. 8M
  • Inventory = Rs. 4M
  • Trade Payables = Rs. 3M

• Materiality for the financial statements as a whole:

  • 0.5% of revenue (Rs. 500K) or 5% of pre-tax profits (Rs. 400K)

• Performance materiality

  • Inventory = high risk of material misstatement
  • Trade payables = low risk of material misstatement

• Apply risk-based weightage (80% for low risk, 70% for moderate risk and 60% for high
risk)

  • Inventory: 60% * Rs. 400K = Rs. 240K
  • Trade Payables: 80% * Rs. 400K = Rs. 320K

3. Audit risk (ISA 330)


Audit risk is the likelihood that an error or fraud will occur and not be caught by either
internal controls or the auditor’s procedures. Audit risk is the probability that an audit team will
express an inappropriate audit opinion when the financial statements are materially misstated.
Financial statements are materially misstated when an unmodified opinion is given on financial
statements. They are misleading because the auditor was unable to discover material misstatements.
This risk always exists, even when audits are well planned and carefully performed. The risk is
much higher in poorly planned and carelessly performed audits. The auditing profession has no
official standard for an acceptable level of overall audit risk except that it should be
“appropriately” low. In practice, audit risk is evaluated for both the financial statements as a
whole and for each relevant assertion for significant accounts and disclosures. A significant
account or disclosure is an account or disclosure that has a reasonable possibility of containing
a material misstatement regardless of the effect of controls. Relevant assertions are
management assertions that have a reasonable possibility of containing material misstatements
without regard to the effect of controls.

3.1. Risk-based approach to auditing:

At the planning stage (ISA 315), the auditor will identify and assess the main risks associated with
the business to be audited.

• Prepare an overall audit strategy and an audit plan

3.2. Responses to assessed risks (ISA 330):

• Emphasising to the audit team the need to maintain an attitude of professional
scepticism.

• Assigning more experienced staff or increased supervision of staff

• The use of experts

• Incorporating additional elements of unpredictability in the selection of further
audit procedures to be performed.

• Changing the nature, timing and directions of audit procedures.

  • Performing more substantive procedures at the final rather than at the
  interim audit, or obtaining more ‘persuasive’ audit evidence.

The environment of the risks at this level, and therefore the auditor’s response, is very much
affected by the auditor’s assessment of the control environment.

An effective control environment will be likely to increase the auditor’s confidence in controls in
all areas and allow him to carry out more procedures at the interim audit and to carry out fewer
tests of details.

3.3 The audit risk model:


Audit risk is the risk that the auditor expresses an inappropriate audit opinion when the financial
statements are materially misstated. Audit risk is a function of the risks of material misstatement
and detection risk.
Formula

Audit risk = Inherent risk * control risk * detection risk

Inherent risk and control risk are client risks. Detection risk is under the control of the
auditor.

Inherent Risk: An inherent risk occurs when a material misstatement occurs. Inherent risk is the
susceptibility of an assertion about a class of transaction, account balance or disclosure to a
misstatement that could be material, either individually or when aggregated with other
misstatements, before consideration of any related controls. It depends on the nature of the items,
the entity and the industry in which it operates. When the inherent risk is high, this means that
there is a high risk of misstatement of an item in the financial statements. Inherent risk operates
independently of controls. The auditor must accept that the risk exists and will not ‘go away’.

Inherent risk is the probability that, in the absence of internal controls, material errors or frauds
could enter the accounting system used to develop financial statements. Inherent risk can be
described as the susceptibility of the account to misstatement. Inherent risk is a function of the
nature of the client’s business, the major types of transactions, and the effectiveness and integrity
of its managers and accountants. It is important to understand that for different accounts,
different assertions are riskier than others. For example for cash, existence is riskier than
valuation; for receivables, valuation is riskier than completeness; and for liabilities, completeness
is riskier than existence. Thus, auditors focus their attention on relevant assertions. Auditors do
not create or control inherent risk. They can only try to assess its magnitude.

• Control Risk: The likelihood that an error or fraud will not be prevented or detected by
client internal controls is control risk. It is the risk that a misstatement that could occur in
an assertion about a class of transaction, account balance or disclosure and that could be
material, either individually or when aggregated with other misstatements, will not be
prevented, or detected and corrected, on a timely basis by the entity’s internal control.

The assumption is that the control risk is very high and the existing internal controls are
insufficient to prevent the risk of material misstatement.
Control risk is the probability that the client’s internal control activities will fail to
prevent or detect material misstatements provided that they enter or would have entered
the accounting system in the first place. One of the major purposes of internal control is to
ensure appropriate processing and recording of transactions to help ensure the production
of reliable financial statements. Auditors do not create or manage control risk. They can
only evaluate an entity’s control system and assess the probability of its failure to prevent
or detect material misstatements. External auditors’ task of control risk assessment starts
with learning about an entity’s controls designed to prevent, detect, and correct the
inherent risks discovered. The auditors then observe and test the control activities if
necessary to determine whether they are operating effectively.

Inherent risk and control risk are combined into risk of material misstatement (RMM), which is
the risk a material misstatement exists in the financial statements before auditors apply their
procedures.

• Detection Risk: The likelihood that an error or fraud will not be caught by the auditor’s
procedures is detection risk. It is the risk that the procedures performed by the auditor to
reduce audit risk to an acceptably low level will not detect a misstatement that exists and
that could be material, either individually or when aggregated with other misstatements.

Detection risk is the probability that the auditor’s own procedures will fail to detect
material misstatements provided that any have entered the accounting system in the first
place and have not been prevented or detected and corrected by the client’s internal
controls. In contrast to inherent risk and control risk, auditors are responsible for
performing the evidence-gathering procedures that manage and establish detection risk.
These audit procedures represent the auditors’ opportunity to detect material
misstatements in financial statements. In other words, unlike inherent risk and control
risk, auditors can and do influence the level of detection risk.

Substantive procedures are the procedures used to detect material misstatements in dollar
amounts and disclosures presented in the financial statements and footnotes.

The two categories of substantive procedures are

(1) Tests of detail of transactions and balances and

(2) Substantive analytical procedures, which study plausible relationships among
financial and nonfinancial data

Detection risk is produced when procedures in these two categories fail to detect material
misstatements.

Detection risk can be lowered by carrying out more tests in the audit.

• Set an overall level of audit risk which he judges to be acceptable for the particular
audit,

• Assess the levels of inherent risk and control risk, and then

• Adjust the level of detection risk in order to achieve the overall required level of risk
in the audit.

• Summary:

  • Detection risk can be managed by the auditor in order to control the overall audit
  risk.

  • Inherent risk cannot be controlled.

  • Control risk can be reduced by improving the quality of internal controls.

  • Audit risk can be reduced by increasing testing and reducing detection risk.

These components of audit risk can be expressed in a conceptual model that is designed to help
auditors understand how the assessment of each component impacts the overall audit risk being
faced on the engagement. It is also important to point out that the audit risk model assumes that
each of the elements is independent. Thus, the risks can be expressed in a model form as follows:
Audit risk (AR) = Inherent risk (IR) * Control risk (CR) * Detection risk (DR)

Detection risk depends on and is planned for based on the assessment of the other risk factors.
DR is calculated and derived from the others by solving the risk model equation.

Based on the allowable or planned level of detection risk (which is based on the assessment of IR
and CR), auditors modify the nature, the timing, and the extent of further audit procedures. The
nature of the procedures refers to the overall effectiveness of further audit procedures in
detecting misstatements. While inquiry of management as to whether accounts receivable listed
on the balance sheet really exist is an audit procedure, it certainly is not an effective one. A much
more effective procedure would be to confirm accounts receivable directly with the client’s
customers. Timing refers to when the further audit procedures take place. While confirmation of
accounts receivable may be performed at an interim period, auditors are expressing an opinion
on year-end balances. The closer the further procedures are performed to year-end (the date of
the financial statements), the more effective they are because there is less chance of a material
misstatement occurring between the interim confirmation date and year-end. Finally, extent
refers to the number of tests performed. Clearly, the larger the number of accounts receivable
confirmations that are mailed to customers, the greater the chance of finding errors and fraud.

The Impact of Detection Risk Allowed on the Nature, Timing, and Extent of Further Audit
Procedures

| | Lower Detection Risk Allowed | Higher Detection Risk Allowed |
| --- | --- | --- |
| Nature | More effective tests | Less effective tests |
| Timing | Testing performed at year-end | Testing can be performed at interim |
| Extent | More tests | Fewer tests |

The audit risk model, where IR * CR is the Risk of Material Misstatement (RMM):

AR = IR * CR * DR

| Component | Auditor's action | Meaning |
| --- | --- | --- |
| AR | Set | Low or very low |
| IR | Assess | HIGH if material misstatement is likely to enter the accounting information system |
| CR | Assess | HIGH if material misstatement is not likely to be detected by client’s internal controls |
| DR | Calculate | What is the acceptable level of detection risk? HIGH means we can afford less effective testing, LOW means we need more effective testing. |

Auditors cannot calculate the exact level of DR (or, for that matter, IR or CR), so the model
represents more of a way to think about audit risks than a way to calculate them. However, the
AICPA Audit Sampling Guide does use this model to calculate risks and the related sample sizes.
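
The planning arithmetic from the materiality illustration (XYZ Ltd) and from solving the audit risk model for DR, worked together as an added example that is not part of the original notes. The numeric AR, IR and CR values and the choice of the lower materiality benchmark are assumptions made for illustration, since these risks are judged rather than measured.

```python
from decimal import Decimal

# Risk-based weights from the illustration in section 2.5.
RISK_WEIGHT = {
    "low": Decimal("0.80"),
    "moderate": Decimal("0.70"),
    "high": Decimal("0.60"),
}


def overall_materiality(revenue, pre_tax_profit,
                        revenue_pct=Decimal("0.005"),
                        profit_pct=Decimal("0.05")):
    """Return (revenue benchmark, profit benchmark, planning figure).

    Assumption: the lower benchmark is carried forward, which matches the
    illustration's use of Rs. 400K for performance materiality.
    """
    by_revenue = Decimal(revenue) * revenue_pct
    by_profit = Decimal(pre_tax_profit) * profit_pct
    return by_revenue, by_profit, min(by_revenue, by_profit)


def performance_materiality(overall, risk):
    """Scale overall materiality by the weight for the assessed risk level."""
    return Decimal(overall) * RISK_WEIGHT[risk]


def planned_detection_risk(audit_risk, inherent_risk, control_risk):
    """Solve AR = IR * CR * DR for DR.

    Each input is a probability in (0, 1]. When IR * CR is already at or
    below the acceptable AR the quotient exceeds 1; it is capped at 1
    because DR is itself a probability.
    """
    ar, ir, cr = (Decimal(str(x)) for x in (audit_risk, inherent_risk, control_risk))
    for name, value in (("AR", ar), ("IR", ir), ("CR", cr)):
        if not Decimal(0) < value <= Decimal(1):
            raise ValueError(f"{name} must be in (0, 1], got {value}")
    return min(ar / (ir * cr), Decimal(1))


def audit_plan(overall, audit_risk, accounts):
    """Per-account performance materiality and planned detection risk.

    `accounts` maps name -> (risk level, IR, CR); the IR and CR figures are
    constructed sample judgements, not values from the notes.
    """
    return {
        name: (performance_materiality(overall, level),
               planned_detection_risk(audit_risk, ir, cr))
        for name, (level, ir, cr) in accounts.items()
    }


if __name__ == "__main__":
    _, _, overall = overall_materiality(100_000_000, 8_000_000)
    sample = {  # constructed risk judgements for the two accounts
        "Inventory": ("high", "1.0", "0.5"),
        "Trade payables": ("low", "0.5", "0.5"),
    }
    for name, (pm, dr) in audit_plan(overall, "0.05", sample).items():
        print(f"{name}: performance materiality Rs. {pm:,.0f}, planned DR {dr:.2f}")
```

The high-risk account ends up with both the lower performance materiality and the lower allowed detection risk, which is what drives more effective, later and more extensive testing.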

Audit Risk

There is always a risk involved in an audit, because the auditor is giving an opinion. Audit
risk is the risk that the opinion on the financial statements is inappropriate. There is a model to
calculate this risk: it is the multiplication of inherent risk, control risk and detection risk.

Inherent Risk

The risk of material misstatement in the financial statements caused by errors or omissions,
from factors that are not a failure of controls. Inherent risk is usually higher when there is a
higher degree of judgement and estimation involved or when the company’s transactions are
very complex.

Control Risk

The risk of material misstatement in the financial statements caused by the lack or failure of
relevant controls in the operations of the company. Internal controls and checks and balances
must be in place to prevent and alert to issues of error or fraud. Control risk tends to be higher
when the internal controls are not adequate.

Detection Risk

The risk of failure to detect the occurrence of material misstatements in the financial
statements. The auditor must use proper audit procedures to alert to misstatements whether
due to error or fraud. If proper procedures are not followed or not applied correctly, a
misstatement could be undetected. There is always a certain amount of detection risk due to
the inherent limits of an audit, for example, using sampling in selecting transactions. This
risk can be lessened by sampling more transactions.

Auditors use the audit risk model to attempt to lessen the audit risks. They will examine
inherent and control risk in order to understand the environment of the company.

Audit risk (also referred to as residual risk) refers to the risk that an auditor may issue an
unqualified report due to the auditor's failure to detect material misstatement either due to error
or fraud. This risk is composed of:

• Inherent risk (IR), the risk involved in the nature of business or transaction. For example,
transactions involving exchange of cash may have higher IR than transactions involving
settlement by cheques. The term inherent risk may have other definitions in other
contexts.[1];

• Control risk (CR), the risk that a misstatement may not be prevented or detected and
corrected due to weakness in the entity's internal control mechanism. For example, control
risk assessment may be higher in an entity where separation of duties is not well defined;
and

• Detection risk (DR), the probability that the auditing procedures may fail to detect
existence of a material error or fraud. Detection risk may be due to sampling error or
non-sampling error.[2]

Audit risk can be calculated as:

AR = IR × CR × DR

https://accounting-simplified.com/audit/risk-assessment/audit-risk/

4. FRAUD (ISA 240)

4.1. Fraud and the role of the external auditor:

Fraud is the act of knowingly making material misrepresentations of fact with the intent of
inducing someone to believe the falsehood and act on it and, thus, suffer a loss or damage.
Through both fraud and aggressive financial reporting, some companies have caused financial
statements to be misstated, usually by:

(1) overstating revenues and assets,
(2) understating expenses and liabilities, and
(3) giving disclosures that are misstated or that omit important
information.

Every company must face the subject of fraud and carry out a fraud audit. This is because:

• Many companies have experienced the negative impact of fraud in the form of financial
losses and damage to their image.
• This has been necessitated by legal requirements.

Fraud is an intentional act by one or more persons, while error results from a genuine mistake or
omission and is not intentional.

i. The objective is not primarily the prevention or detection of fraud.

ii. Concerned only when it might impact on the view shown by the financial
statements, i.e. risk of material fraud.

4.2. The auditor’s responsibilities relating to fraud (ISA 240)

Fraud audit has become increasingly important for businesses, so that their companies are
adequately equipped to deal with fraud problems. The auditor investigates and assesses all the
different types of incidents and suspected fraud. To deal with fraud effectively it is important to
have a clearly structured organization, which immediately deals with the relevant circumstances of
fraud and triggers, coordinates, and performs the necessary activities quickly, accurately, and
reliably.

Fraud audits are aimed in particular at identifying suspected organizational and process
weaknesses, investigating anonymous accusations or specific information on irregularities, or
gathering evidence for cases of fraud that have already been proven. Fraud audit is used to find
whether and to what extent an incident has led to directly measurable, or at least indirectly
related, financial consequences for the company.

Auditors are concerned with fraud that affects the financial statements only. Auditors are not
responsible for detecting all fraud but are responsible for detecting cases where fraudulent activity
results in materially misstated financial statements. For example, if a warehouse employee is
misappropriating inventory but that embezzlement does not result in materially misstated
financial statements, auditors do not have responsibility for detecting this fraud. However, if
management is intentionally misstating revenues in order to meet earnings expectations, auditors
are responsible for detecting this misstatement. The auditors would not ignore immaterial fraud.
The primary responsibility of an auditor is to design procedures to provide reasonable assurance
that material frauds that might misstate the financial statements are detected.

The auditor’s responsibilities relating to fraud include:

• The auditor may accept records and documents as genuine only if the auditor has no
reason to believe the contrary.
• The auditor shall investigate the inconsistencies where responses to inquiries of
management are inconsistent.

• Fraudulent financial reporting

Financial statements may be materially misstated as a result of errors or fraud. While
accounting errors are usually unintentional, fraud consists of knowingly making material
misrepresentations of fact with the intent of inducing someone to believe the falsehood and
act on it and, thus, suffer a loss or damage. This definition encompasses all means by which
people can lie, cheat, steal, and dupe other people. Management fraud is deliberate fraud
committed by management that injures investors and creditors through materially misstated
information. Because management fraud usually takes the form of deceptive financial
statements, management fraud is sometimes referred to as fraudulent financial
reporting. Fraudulent financial reporting is defined as intentional misstatements, including
omissions of amounts or disclosures in financial statements to deceive financial statement
users. It can be caused by the efforts of management to manage earnings in order to deceive
financial statement users by influencing their perceptions about the entity’s performance and
profitability.

Fraudulent financial reporting includes:

a) Manipulating, forging or altering accounting records or supporting documentation
which form the basis of the financial statements,

b) Misrepresenting or intentionally omitting events or transactions from the financial
statements,

c) Intentionally misapplying accounting principles.

Fraudulent financial reporting often involves management override of controls.

Misappropriation of assets

Defalcation is another name for employee fraud, embezzlement, and larceny. Auditing standards
also call it misappropriation of assets.
• Misappropriation of assets includes:

i. Embezzling receipts

Embezzlement is a type of fraud involving employees or nonemployees wrongfully
misappropriating funds or property entrusted to their care, custody, and control,
often accompanied by false accounting entries and other forms of deception and
cover-up.

ii. Diverting them to personal bank accounts

Employee fraud is the use of fraudulent means to misappropriate funds or other
property from an employer. It usually involves falsifications of some kind: using
false documents, lying, exceeding authority, or violating an employer’s policies. It
consists of three phases: (1) the fraudulent act, (2) the conversion of the funds or
property to the fraudster’s use, and (3) the cover-up.

iii. Stealing physical assets or intellectual property

Larceny is simple theft; for example, an employee misappropriates an employer’s
funds or property that has not been entrusted to the custody of the employee.

iv. Causing an entity to pay for goods and services not received

This is an example of employee fraud in which an employee uses false documents,
lies, exceeds authority, or violates an employer’s policies.

v. Using an entity’s assets for personal use

This is an example of employee fraud in which an employee uses false documents,
lies, exceeds authority, or violates an employer’s policies.
• Management override of controls

Fraudulent financial reporting often involves management override of controls that otherwise
appear to be operating effectively.

A. Techniques are:

i. Recording fictitious journal entries, particularly close to the end of an accounting
period, to manipulate operating results or achieve other objectives.

ii. Inappropriately adjusting assumptions and changing judgments used to estimate
account balances.

iii. Omitting, advancing or delaying recognition in the financial statements of events
and transactions that have occurred during the reporting period.

iv. Concealing or not disclosing facts that could affect the amounts recorded in the
financial statements.

v. Engaging in complex transactions that are structured to misrepresent the financial
position or financial performance of the entity.

vi. Altering records and terms related to significant and unusual transactions.

B. Audit Procedure for fraud:


Auditing standards require that auditors specifically assess the risk of material misstatement
due to fraud for each engagement. Fraud risk factors relate to both misstatements arising
from fraudulent financial reporting and misstatements arising from misappropriations of
assets (usually as a result of employee theft and the resultant attempt to conceal this theft
through erroneous journal entries). Furthermore, auditors should consider these risk factors
when determining what audit procedures to perform.
The auditor shall design and perform audit procedures to:
i. Test the appropriateness of journal entries recorded in the general ledger and other
adjustments made in the preparation of financial statements.

Fraud can be committed in any company; therefore, all companies should prepare their process
structures for such an eventuality. Fraud should be identified and evaluated reactively and
proactively. All measures should also be taken for adequate prosecution of those who commit
fraud. An organization should have a clear, unambiguous code of conduct. Guidelines and
instructions must be comprehensible and accessible to all employees. An organization should
have a shared set of values and clearly communicate the consequences that fraud entails. The
auditor shall design and perform audit procedures to test the appropriateness of journal entries
recorded in the general ledger and other adjustments made in the preparation of financial
statements.
I. Make inquiries of individuals involved in the financial reporting process

Internal Audit interviews the people who are affected or involved in the
incident. Suspected employees, who may be individuals involved in the
financial reporting process, can also be questioned. If the interviews reveal
that employees are guilty and have directly or indirectly admitted their
guilt, the result of the interviews is of critical importance for reporting and
documenting the case. Interviews should always be conducted by two
auditors in order to ensure that the evidence is authentic.

II. Select journal entries and other adjustments made at the end of a reporting
period;

Preventive audit fieldwork focuses on the following processes and content
elements:

• income statement, expenses, and costs,
• accounts receivable,
• accounts payable,
• purchasing, procurement, invitations to bid,
• capital expenditure,
• payroll,
• external services and service contracts, and
• areas where bribery and corruption are possible

III. Consider the need to test

ii. Review accounting estimates for biases and evaluate whether the circumstances
producing the bias, if any, represent a risk of material misstatements due to fraud.

i. Evaluate the judgment and decisions made by management if they indicate a
possible bias on the part of the entity’s management.

ii. Perform a retrospective review of management judgements and assumptions
related to significant accounting estimates.
For significant transactions that are outside the normal course of business for the entity or that
otherwise appear to be unusual given the auditor’s understanding of the entity.

Procedures to identify the risk of material misstatement include:

a) Make enquiries of management in respect of:

i. Their assessment of the risk of material fraud,

Once risk factors have been identified, auditors have a better
understanding of the potential for material misstatement. This includes
evaluating the risk that a significant disclosure might be misleading or
omitted. The auditors’ next task is to assess the types of risk present, the
likelihood that material misstatement has occurred, the magnitude of the
risk (usually measured in dollars), and the pervasiveness of the potential
for misstatement (how widespread the threat is). Auditors should evaluate
how risks at the financial statement level could affect risks of
misstatement at the assertion level. Auditors also consider controls
evaluated in the assessment of control risk and the expected results of tests
of controls (Chapter 5) in determining the likelihood of material
misstatement. In addition to the risk assessment based on factors
identified, auditing standards require several other fraud risk assessments.
Auditors must presume that improper revenue recognition is a fraud risk.
Another risk is that, despite the existence of controls, management might
override the controls through force of authority. If any significant unusual
accounting entries are identified, auditors must evaluate the business
rationale for the significant transactions. Team members gather
information necessary to identify key fraud risk factors (red flags)
indicating an increased potential for fraud to occur.

ii. Their process in place for identifying and responding to the risks of
fraud

When a fraud is suspected, the Fraud Evaluation Committee should
convene immediately, depending on the significance and urgency of the
information or report. In most places, this committee is made up of
employees from Internal Audit, Corporate Legal, and Corporate Security.
The committee decides which department is to take what action and when.
In addition to such ad-hoc meetings, the Fraud Evaluation Committee
should meet regularly so that all important matters can be discussed in this
communication forum. The fraud prevention model should be regarded as
a cycle, because the process is driven and supplemented to a significant
extent by past experience. Consequence management and communication
of the fraud within the organization should be carried out. The reports and
memorandums of Internal Audit are the starting point for consequences
and the resulting communication. In addition to any criminal charges, the
consequences of economic crime or incidents that cause loss to the
company are mostly of a disciplinary or organizational nature.
Consequences must be applied uniformly, without favoritism and
irrespective of hierarchy levels.

b) Make enquiries of management and others within the entity

i. Knowledge of any actual, suspected or alleged fraud

Other company employees to question might include operations or
marketing managers or those involved in significant and unusual
transactions. Another source of information is company discussion boards
(such as those found on www.yahoo.com) where anonymous whistle-blowers
can post information that management may not wish to disclose to
auditors. Issues that could be discussed include selection of accounting
principles; susceptibility to errors and fraud, including known or suspected
fraud; and how management controls and monitors fraud risks.

c) Make enquiries of internal audit

Interviewing the entity’s management, internal auditors, directors, the audit
committee, and other employees is a required audit process that can bring auditors
up to date on changes in the business and the industry. Such inquiries of client
personnel have the multiple purposes of building personal working relationships,
observing the competence and integrity of client personnel, obtaining a general
understanding, and probing for problem areas that could harbor financial
misstatements. Issues to discuss include selection of accounting principles;
susceptibility to errors and fraud, including known or suspected fraud; and how
management controls and monitors fraud risks.

d) Evaluate any unusual or unexpected relationships in analytical procedures

The investigation of significant differences is probably the most critical step in the
analytical procedures process. After generating basic financial data and
relationships, the next step is to determine whether the financial changes and
relationships actually describe what is going on within the company. Analytical
procedures are required at the beginning of an audit (the preliminary stage
application of analytical procedures discussed in this chapter) and at the end of an
audit, when the partners in charge review the overall quality of the work and look
for apparent problems. Analytical procedures can also be used as a substantive
testing procedure to gather evidence about the relevant assertion being tested.
When using substantive analytical procedures, the auditor must take great care to
develop an independent expectation that is based on reliable information. When
this has been developed, the expectation is compared to the recorded amount, and
any significant differences must be investigated and corroborated with
documentary evidence. The procedure to provide evidence about an assertion
must be conducted with exacting precision and a high degree of rigor. Regardless
of when analytical procedures are performed, auditors conclude their analytical
procedures test work by documenting the team’s findings.

e) Evaluate information obtained from other risk assessment procedures

4.3. Fraud risk factors relating to misstatements arising from fraudulent
financial reporting and misappropriation of assets (ISA 240)

a) Incentive or pressure to commit fraud

i. To achieve an unexpected earning target or financial outcome

There are times when management finds it beneficial to understate assets and revenues
and overstate expenses and liabilities. This can be in times when profits are low
anyway and management wants to store reserves to use them to increase profits in future
years. Understating profits also can be desirable if the company is under scrutiny by
governmental bodies, taxing authorities, labor, or competitors (or, in one case, a
spouse’s divorce lawyer).

Management characteristics or influence to achieve an unexpected earning target or
financial outcome include:

• Management has a motivation (bonus compensation, stock options, etc.) to
engage in fraudulent reporting. Managers place too much emphasis on
earnings projections.

These industry conditions make the company commit fraud to achieve an unexpected earning
target or financial outcome:

• Company profits lag those of its industry. New requirements are passed
that could impair stability or profitability. The company’s market is
saturated due to fierce competition. The company’s industry is declining.
The company’s industry is changing rapidly.

Operating Characteristics and Financial Stability factors to achieve an unexpected earning
target or financial outcome include:

• The company is not able to generate sufficient cash flows to ensure that it
is a going concern. There is pressure to obtain capital. The company
operates in a tax haven jurisdiction. The company has many difficult
accounting measurement and presentation issues. The company has
significant transactions or balances that are difficult to audit.

b) The opportunity to commit fraud


i. A person perceives an opportunity to commit fraud when they believe internal control can
be overridden because they are trusted or have knowledge of specific deficiencies in
internal control.

Management characteristics or influence that create a perceived opportunity to commit
fraud (the belief that internal control can be overridden because the person is trusted
or has knowledge of specific deficiencies in internal control):

• Management fails to display an appropriate attitude about internal control
and financial reporting. Management participates excessively in the
selection of accounting principles or the determination of estimates.

Operating Characteristics and Financial Stability factors that create a perceived opportunity
to commit fraud (the belief that internal control can be overridden because the person is
trusted or has knowledge of specific deficiencies in internal control):

• A weak internal control environment prevails because the person is trusted or
has knowledge of specific deficiencies in internal control. The company
has many difficult accounting measurement and presentation issues. The
company has significant transactions or balances that are difficult to audit.

c) Rationalization for committing a fraudulent act

i. Individuals may possess an attitude, character or set of ethical values that allow them
knowingly and intentionally to commit a dishonest act.

Management characteristics or influence indicating an attitude, character or
set of ethical values that allow them knowingly and intentionally to commit a
dishonest act:

• Management decisions are dominated by an individual or a small group
and that individual or group may possess an attitude, character or set of
ethical values that allow them knowingly and intentionally to commit a
dishonest act. Managers’ attitudes are very aggressive toward financial
reporting. The company has a high turnover of senior management. The
company has a known history of violations. Managers and employees
tend to be evasive when responding to auditors’ inquiries. Managers
engage in frequent disputes with auditors.

Operating Characteristics and Financial Stability factors indicating an attitude, character
or set of ethical values that allow them knowingly and intentionally to commit a
dishonest act:

• The company has significant and unusual related-party transactions.
Company accounting personnel are lax or inexperienced in their duties.

4.4 Examples of circumstances that indicate the possibility of fraud

Financial statements may be materially misstated as a result of errors or fraud. While accounting
errors are usually unintentional, fraud consists of knowingly making material misrepresentations
of fact with the intent of inducing someone to believe the falsehood and act on it and, thus, suffer
a loss or damage. This definition encompasses all means by which people can lie, cheat, steal,
and dupe other people. Management fraud is deliberate fraud committed by management that
injures investors and creditors through materially misstated information. Because management
fraud usually takes the form of deceptive financial statements, it is sometimes
referred to as fraudulent financial reporting.
A. Discrepancies in the accounting records,

i. Problems in assertions of transactions

ii. Unsupported or unauthorized balances of transactions

iii. Last minute adjustments

iv. Access to systems without authorization

v. Tips or complaints to auditors

B. Conflicting or missing evidence including:

i. Missing documents

ii. Altered documents

iii. Photocopied or electronically transmitted documents instead of original documents

iv. Significant unexplained items on reconciliations

v. Unusual balance sheet changes (ratios)

vi. Inconsistent, vague or implausible responses

vii. Gap between records and replies

viii. Large number of credit entries and other adjustments in A/R

ix. Difference between A/R sub-ledger and control account, or between the customer
statements and the A/R sub-ledger

x. Missing or non-existent cancelled cheques

xi. Missing inventory or physical assets

xii. Unavailable or missing electronic evidence

xiii. Inconsistent record retention practices

xiv. Fewer responses to confirmations than expected and vice versa


xv. Inability to produce evidence of key system developments

C. Problematic relationships between auditor and management;

i. Denial of access to entity’s items

ii. Undue time pressure by management

iii. Complaints by management about critical assessment of audit evidence

iv. Unusual delays by entity in providing information

v. Unwillingness for auditor’s access to key electronic files

vi. Denial of access to key IT operations

vii. Unwillingness to add or revise disclosures

viii. Unwillingness to address identified deficiencies in internal control

ix. Unwillingness by management to meet privately with those charged with
governance

x. Varied accounting policies with industry norms

xi. Frequent changes in accounting estimates

xii. Tolerance of violations of the entity’s code of conduct
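
As an added illustration (not part of the original notes), the sketch below screens a journal extract for three of the discrepancies listed under 4.4 A: last-minute adjustments, unsupported entries and unauthorized postings. It supports the procedure of selecting journal entries made at the end of a reporting period. The field names, the three-day window, the list of authorized users and the sample entries are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Assumptions for this illustration (none come from the notes or from ISA 240):
PERIOD_END = date(2023, 12, 31)   # end of the reporting period
LAST_MINUTE_DAYS = 3              # "last minute" = posted within 3 days of period end
AUTHORIZED_POSTERS = {"gl_accountant", "ap_clerk"}  # users allowed to post entries


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    posted: date
    user: str
    account: str
    amount_minor: int   # amount in minor currency units (cents)
    support_ref: str    # supporting document reference; empty if none


# Constructed sample ledger extract, not real data.
SAMPLE = [
    JournalEntry("JE-1001", date(2023, 11, 14), "gl_accountant", "4000-Revenue", 125_000, "INV-889"),
    JournalEntry("JE-1002", date(2023, 12, 30), "gl_accountant", "4000-Revenue", 9_800_000, ""),
    JournalEntry("JE-1003", date(2023, 12, 31), "cfo", "4000-Revenue", 25_000_000, ""),
    JournalEntry("JE-1004", date(2023, 12, 29), "temp_contractor", "6100-Expenses", 4_200, "PO-551"),
    JournalEntry("JE-1005", date(2023, 12, 27), "ap_clerk", "2000-Payables", 61_000, "INV-902"),
]


def flag_entry(entry):
    """Return the red flags that apply to a single journal entry."""
    flags = []
    days_before_end = (PERIOD_END - entry.posted).days
    # Entries posted after the period end (negative value) are out of scope here.
    if 0 <= days_before_end <= LAST_MINUTE_DAYS:
        flags.append("last_minute_adjustment")
    if not entry.support_ref.strip():
        flags.append("unsupported")
    if entry.user not in AUTHORIZED_POSTERS:
        flags.append("unauthorized_poster")
    return flags


def select_for_testing(entries):
    """Return (entry_id, flags) for flagged entries, most flags first."""
    flagged = [(e.entry_id, flag_entry(e)) for e in entries]
    flagged = [(entry_id, flags) for entry_id, flags in flagged if flags]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    # Flagged entries are candidates for examination, not findings of fraud.
    for entry_id, flags in select_for_testing(SAMPLE):
        print(entry_id, ", ".join(flags))
```
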

Importance of Fraud Filter

Knowledge of communication channels, such as incident reporting or the whistleblower facility,
heightens employees’ awareness of the guidelines. The communication channels to the Fraud
Filter, which activates the organization’s response system, will only function once the guidelines
have been positioned in a clear and comprehensible way and the employees are aware of their
responsibility.

Furthermore, preventive audit fieldwork focuses on the following processes and content elements:

• income statement, expenses, and costs,
• accounts receivable,
• accounts payable,
• purchasing, procurement, invitations to bid,
• capital expenditure,
• payroll,
• external services and service contracts, and
• areas where bribery and corruption are possible

Consequence management and its communication in the organization form the apex of the
prevention model. The reports and memorandums of Internal Audit are the starting point for
consequences and the resulting communication. In addition to any criminal charges, the
consequences of economic crime or incidents that cause loss to the company are mostly of a
disciplinary or organizational nature. Consequences must be applied uniformly, without
favoritism and irrespective of hierarchy levels. The line taken on consequences is communicated
throughout the organization and thus creates a fixed set of values on which the entire fraud
prevention model is based.

Understanding the Business Checklist

External factors: industry, regulation and economy

• Market conditions and competition.
• Cyclical or seasonal factors.
• Accounting requirements, industry practices, environmental requirements, industry-
specific legislation, taxation.
• General levels of economic activity, the effect of interest rates on borrowing and
inflation.

The entity

• Business: sources of revenue, products and services, alliances and joint ventures,
outsourcing, locations, key customers and suppliers, R&D, related parties.
• Investments: investment strategy; acquisitions and disposals of property, plant and
equipment, acquisition of short- and long-term securities.
• Financing: bank loans and other debt financing such as loans from group companies and
other related parties including directors, shareholdings, overdraft facilities, leases and
derivative financial instruments.
• Financial reporting: accounting framework such as IFRS, industry specific accounting
requirements, accounting for revenue recognition, fair values, foreign currency
transactions, and financial statement presentation and disclosures.

Objectives | Strategies | Business risks
Financial: profit, growth, asset-related | Investment, cost control, marketing, revenue growth | Availability of finance for investment; competition; cost of raw materials, effectiveness of marketing
Technical: new/leading products and services | Investment in innovation, HR and remuneration policies, IT | Competitor technologies, technical failure after product launch and associated reputational risk
Market share | Product/service bundling and pricing, investment in marketing, technology, IT | Effectiveness of competitor strategies

Performance measurement and review

• Key ratios, operating statistics, performance indicators year to year

• Actual/budget variance analysis, analysts’ reports, credit ratings
