Aaa116 CSG Au

Audit & Assurance
(AAA) 116
Candidate Study Guide
February 2016
Copyright © Chartered Accountants Australia and New Zealand 2015. All rights reserved.
This publication is copyright. Apart from any use as permitted under the Copyright Act 1968 (Australia) and
Copyright Act 1994 (New Zealand), as applicable, it may not be copied, adapted, amended, published, communicated
or otherwise made available to third parties, in whole or in part, in any form or by any means, without the prior
written consent of Chartered Accountants Australia and New Zealand.
Dear Candidate,
Welcome to the Audit & Assurance (AAA) module of the Chartered Accountants Program.
On completion of this module you will be one step closer to becoming a Chartered Accountant.
Inside this pack you will find your Candidate Study Guide (CSG) which includes the entire core
content, the scenario and task for the activities and the readings for each unit. We would like to take
this opportunity to direct you to some of the key resources available online through myLearning:
Announcements
The Announcement area is our primary point of contact with you, where we provide directives on
assessments, virtual classrooms, etc. It is important that you log in immediately on commencement of
the module and read any messages. Please ensure you check the announcements regularly.
Module orientation
•• Study support tools – getting started, tools and techniques for successful completion of the module
•• Assumed knowledge, Module outline and Module plan.
•• Candidate code of conduct.
Learning materials
•• CSG, worked examples, activities and their solutions.
•• Quick reference guides.
•• Unit quizzes – for self-assessment.
Discussion forums
•• Technical issue of the week – additional tools and/or questions to assist with your studies.
•• Unit forums – where you can discuss individual units with module leaders and your peers.
•• An informal peer-to-peer forum – where you can interact with other candidates.
Virtual classrooms
•• Timetables and links to resources for virtual classrooms.
Online assessments
•• Online assessment tests (multiple choice) – short, graded tests that count towards your final mark.
•• Practice tests (multiple choice) – to help you prepare for online assessments.
Exam
•• Exam tips, techniques and administration information.
•• Past exam papers and exam preparation series questions.
My Grades
•• Results for online assessments – score for each and access to detailed feedback.
•• Results for exam and module overall.
Online learning is an exciting way to learn, and the best part about studying online is that education
comes to you no matter where you are. Above all, work hard to achieve the exam results you want and
to set yourself up for a successful career as a Chartered Accountant wherever your career may take
you around the globe.
Yours sincerely,
Jason Dale FCA

Head of Education
Contents
Introduction i
Unit 1: Assurance purpose and framework

Core content 1-1
Readings 1-23
Activities 1-25
Unit 2: Auditing Standards and quality control

Core content 2-1
Readings 2-23
Activities 2-25
Unit 3: Pre-engagement activities

Core content 3-1
Readings 3-17
Activities 3-19
Unit 4: Understanding the entity and its environment

Core content 4-1
Readings 4-37
Activities 4-39
Unit 5: Analysing audit risks, financial statement assertions and initial audit engagements
Core content 5-1
Readings 5-27
Activities 5-29
Unit 6: Analysing audit risks – fraud

Core content 6-1
Readings 6-23
Activities 6-25
Unit 7: Materiality in planning and performing an audit

Core content 7-1
Readings 7-17
Activities 7-19
Unit 8: Developing an overall audit plan

Core content 8-1
Readings 8-27
Activities 8-29
Unit 9: Responding to assessed risks – controls testing

Core content 9-1
Readings 9-25
Activities 9-27
Unit 10: Responding to assessed risks – substantive testing
Core content 10-1
Readings 10-23
Activities 10-25
Unit 11: Responding to assessed risks – evaluating audit evidence

Core content 11-1
Readings 11-21
Activities 11-23
Unit 12: Responding to assessed risk – using the work of others, external confirmations and
written representations
Core content 12-1
Readings 12-23
Activities 12-25
Unit 13: Subsequent events and going concern

Core content 13-1
Readings 13-17
Activities 13-19
Unit 14: Reviewing the financial statements and audit results

Core content 14-1
Readings 14-17
Activities 14-19
Unit 15: Forming an opinion and issuing an auditor’s report

Core content 15-1
Readings 15-21
Activities 15-23
Unit 16: Review engagements

Core content 16-1
Readings 16-19
Activities 16-21
Unit 17: Other assurance engagements and agreed-upon procedures engagements

Core content 17-1
Readings 17-29
Activities 17-31
Unit 18: Internal audit and public sector auditing

Core content 18-1
Readings 18-29
Activities 18-31
Unit 19: Case study, and current and future trends

Core content 19-1
Readings 19-15
Case study – Monty Travel Limited (MT) 19-17
Case study – Activities 19-29
Chartered Accountants Program Audit & Assurance
Introduction
Welcome to the Audit & Assurance (AAA) module. This module will provide you with the
opportunity to understand key concepts and to practise applying your understanding to a
variety of practical scenarios.
Learning model
The Chartered Accountants Program (the Program) material has been constructed applying the
learning principles of ‘tell, show, do’ to learning outcomes devised for each unit. Each unit is
made up, primarily, of core content, worked examples, activities and a unit quiz.
TELL SHOW DO
Tell me the relevant + Show me how to + Can I do the task
theory do the task unassisted?
Where do I start?
A good place to start is with the assumed knowledge quiz and our orientation video on
myLearning. You may also like to look at a past exam paper to see how topics are addressed in
examination format.
Once you’ve done this, open your Candidate Study Guide (CSG), and begin unit 1. It is best to
work through the units in order. If you’re working through the hard copy, don’t forget to logon
to myLearning to:
•• see our new technical videos in selected units
•• check announcements regularly
•• review your activity solutions
•• complete worked examples
•• do the end of unit quiz.
How the material is constructed

The material is delivered in two modes, printed (this Candidate Study Guide (CSG)) and in an
online format.
The following material is contained in the CSG (which will also be available online):
•• Core content – the ‘tell’ part of the learning model. The core content contains the theory
which addresses each of the learning outcomes of the unit.
•• Activities – the ‘do’ part of the learning model. The scenario and task of each activity
is included in the CSG. The activities are constructed in first person, and require you
Introduction Page i
Audit & Assurance Chartered Accountants Program
to complete the activity offline. You can compare your response to the suggested
solution provided online. If you struggle with completing the activity’s task, refer to the
recommended approach located after each suggested solution. The recommended approach
provides a suggested step approach for the successful completion of the task.
•• Readings – there are two types of reading: required readings and further readings.
Required readings provide additional examinable content. Further readings provide an
extension of knowledge and are not examinable.
The following learning material is presented in the online environment (myLearning):

•• Worked examples – the ‘show’ part of the learning model. The interactive worked examples
require you to assist a character in completing the task(s), methodically working through
steps answering questions directly related to the task(s). A key benefit of the online
environment over print is it provides a medium to promote deep learning. With print, you
can read a worked example and think you understand the concept. However, we have
found that candidates have struggled with transferring that knowledge to a new fact pattern
and to what may be required in exams.
You will find that as you work through the worked examples in myLearning you will
be required to actively participate in completing the task, by responding to a range of
questions. For example, you may be required to do a calculation or to select an appropriate
response from a range of options. As you respond to these questions, you will be provided
with immediate feedback confirming your answer or explaining why the response made
is incorrect. The questions asked (i.e. the interactivity component) focus on areas that
candidates have typically struggled with in past exams. You are encouraged to complete
the worked examples online to help maximise your understanding and application of the
theory.
•• Unit quiz – most units have a quiz with up to 10 questions aimed at checking your
understanding of the learning outcomes for the unit. Feedback is provided on both the
correct and the incorrect responses. These questions are to ensure you have understood key
aspects of the unit content, but they are often simpler than the Online Assessment questions.
In addition to interactive worked examples, you will find additional non-interactive examples
within some units which you can download and review, to support your learning.
•• Activity solutions – Copies of suggested solutions for all activities are provided to allow
you to assess your knowledge. In addition to the solutions, you will find Excel spreadsheets
for certain activities which are provided to help you work through these activities in an
efficient manner as well as enabling you to explore common uses of Excel within a business
environment.
•• Technical issue of the week – within the discussion forum, the AAA team will regularly
post questions for candidates to consider and discuss. These questions are designed to help
candidates explore their understanding of key topic areas within AAA.
•• Quick reference guides – key summaries for selected units.
•• Technical videos – these new short videos aim to help candidates to cut through the detail,
to quickly master the core principles in selected units.
•• Past exams – copies of the AAA215 main and supplementary exams are available in
myLearning. These papers are made available to help you further test your knowledge and
identify any knowledge gaps you may have prior to the exam. Solutions and feedback on
these papers are also available.
•• Exam preparation series – these are exam style questions. The feedback on these questions
is based around the type of answer an exam marking panel would expect from a merit list
candidate in answering each of these questions. The series is released after the final online
assessment.
You will be able to access all online material at commencement of the module. A navigation bar
will assist you with identifying each learning element.
Page ii Introduction
Discussion forums
In myLearning you will be able to access a number of discussion forums. Some of these forums
are designed for you to communicate informally with your peers who are also undertaking
AAA while others are designed for you to ask technical questions and receive feedback and
support from peers and technical specialists.
The peer-to-peer forum is great for helping you establish study groups and linking with your
fellow candidates. The unit forums are best used to get help when you are having difficulty
withy content, examples or activities. Do not underestimate the benefit you can gain by
participating in these forums.
Additional support
In addition to the material listed above, ensure you regularly read the announcements (in
myLearning), as this is our primary source of communication with you.
To get started, we suggest you download the module plan (available in myLearning).
This module plan provides a suggested timeline for completing each unit within the allocated
12 weeks of study. It has been devised around the key assessment dates for the module.
We will also assist you in working through the material, with regular discussion forum posts
providing guidance.
Learning outcomes
Learning outcomes provide an outline of the expected knowledge and skill level achieved
on completion of the unit. Each learning outcome commences with a verb, such as explain,
calculate, demonstrate etc. These taskwords are defined in the Exam tips and techniques
document (available in myLearning).
All learning elements are written based on the learning outcomes for the unit. Each learning
element starts by identifying the learning outcome(s) being explored by the material. To
succeed in the online assessments and the exam, you should ensure you understand the topic
the learning outcome is covering and also the level you are expected to achieve.
Introduction Page iii

Audit & Assurance overview

The diagram below summarises the content of the AAA module.
OVERALL FRAMEWORK, AUDIT PROCESS AND ETHICS
Understanding auditing and assurance

Unit 1 Assurance purpose and framework
Unit 2 Auditing Standards and quality control
AUDITS OF GENERAL PURPOSE FINANCIAL STATEMENTS

Continuous activities
• Direction, supervision Prior to the audit
and performance of the Unit 3 Pre-engagement activities
audit
• Assess continuing
relationship with client
Planning the audit
• Communicate with
Unit 4 Understanding the entity and its environment
those charged with Unit 5 Analysing audit risks, financial statement assertions and
governance and initial audit engagements
management Unit 6 Analysing audit risks – fraud
• Consult with appropriate Unit 7 Materiality in planning and performing an audit
persons on difficult or Unit 8 Developing an overall audit plan
contentious matters
• Document work
performed, findings and Responding to assessed risk – undertaking the audit
conclusions in Unit 9 Responding to assessed risks – controls testing
appropriate working Unit 10 Responding to assessed risks – substantive testing
papers Unit 11 Responding to assessed risks – evaluating audit evidence
• Consider going concern Unit 12 Responding to assessed risk – using the work of others,
external confirmations and written representations
and fraud
Unit 13 Subsequent events and going concern
• Ethics and
independence
Finalising the audit
Unit 14 Reviewing the financial statements and audit results
Unit 15 Forming an opinion and issuing an auditor’s report
ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OF

GENERAL PURPOSE FINANCIAL STATEMENTS
As above
Other assurance engagements
Unit 16 Review engagements
Unit 17 Other assurance engagements and agreed-upon
procedures engagements
Unit 18 Internal audit and public sector auditing
OTHER TOPICS
Future developments
Unit 19 Case study, and current and future trends
To optimise your learning it is recommended that you complete each unit sequentially. As you
progress through the module, the material covered in a unit may be written assuming you have
the understanding of the content from an earlier unit. It will also ensure that you have covered
the material which will be examined in the online assessment tasks.
Page iv Introduction
Date convention
Generally, the date format is as follows:
Dates for the current decade are expressed as 20XX, the preceding decade are expressed
as 20WX and future years outside of this decade dates are expressed as 20YX. For example,
20X3 would be the equivalent of 2013 and 20W6 would be 2006, and 20Y3 would be equivalent
to 2023. All years are treated as having 365 days.
Assumed knowledge
Each unit has been constructed based on levels of assumed knowledge relevant to the topic
area being covered in that unit. Details of the assumed knowledge for the module are identified
in the Module outline document, which is available online. You can complete an assumed
knowledge quiz, which is also available online, to check on your initial understanding of the
content prior to commencing the module. Should you have any gaps in your knowledge we
recommend that you refer to your university notes or the appropriate text(s).
The assumed knowledge quiz can be accessed via My Learning > Audit & Assurance (1) 2016 >
Module orientation.
Six-month rule
Legislation changes constantly. In the Chartered Accountants Program modules, you are
expected to be up to date with relevant legislation, Standards, cases, rulings, determinations
and other guidance as they stand six months before the exam date unless otherwise stated.
You are always encouraged to be aware of current developments in all areas.
The relevant date for legislation is the date the legislation receives royal assent. The relevant
date for cases is the date the case decision was handed down. The relevant date for Auditing
Standards and other material is the issue date, early adoption of Standards is generally
encouraged.
Assessment
To pass the module, you must pass the exam and pass the module overall. The assessment
components are outlined below:
Assessment Contribution Details

component to final marks
Online assessment 20% Three (3) online assessments. Each assessment will consist of
10 single response, multiple-choice questions
Exam 80% Four (4) compulsory multi-part written questions based on

the learning outcomes. The exam will be three (3) hours,
plus 15 minutes reading time.
The exam makes up 80% of your assessment, and you must pass the exam (achieve 50% or
more of the available marks) to pass the module. It is therefore critical to practise your exam
technique and make the most of the time that you have. The exam is:
•• based on content covered in the learning elements
•• supervised
•• three (3) hours writing time, plus 15 minutes reading time
•• made up of four (4) compulsory, written, multi-part questions
•• open book
Introduction Page v
•• centrally marked
•• critically important, as you must pass the exam in order to pass the module.
Auditing, Assurance and Ethics Standards

The AAA module is based on the International Auditing and Assurance Standards and other
pronouncements. Australia-specific and New Zealand-specific guidance is provided in the
CSG where relevant. Where a question refers or requires candidates to provide a reference to
a Standard, International Standards, Australian Standards or New Zealand standards can be
used.
Readings section in each unit indicates corresponding readings under International, Australian
and New Zealand Standards and other pronouncements. You are only required to read and
apply one set of Standards (i.e. International, Australian or New Zealand).
Good luck!
The Chartered Accountants Program is challenging. It is designed to be the best educational
product it can be for you, the future practitioners in this profession. As it constantly evolves,
Chartered Accountants Australia and New Zealand will continue to seek your feedback to
ensure the Program meets the learner’s needs now and for future development.
We hope you find your journey through the Program a rewarding and enjoyable experience and
encourage you to work steadily through the material in the recommended way. If you require
further assistance, post your questions, in a professional manner, in the Discussion Forums.
Finally, best of luck with your studies.
Myself and the AAA team look forward to conversing with you on the technical query forum
online over the course of your studies.
Eija Burt
Senior Module Leader, AAA module
Page vi Introduction
CC
Core content
Unit 1: Assurance purpose and framework
Learning outcomes
At the end of this unit you will be able to:
1. Outline an overview of the Framework.*
2. Identify and apply the elements and objectives of an assurance engagement.*
3. Demonstrate how Auditing Standards, Standards on Review Engagements and Standards
on Assurance Engagements are to be applied.*
4. Demonstrate the auditor’s overall objectives and responsibilities when conducting an audit
of financial statements.
5. Identify which entities are required to be audited by legislation.*
* Customised for Australia
Introduction
Businesses, public and voluntary organisations, investors, governments, market regulators,
policymakers, non-government organisations and other interest groups need to rely on credible
information to make effective economic decisions and formulate policy. Trust and integrity are
important attributes that underpin credible information flows.
‘Assurance’ is a term commonly used to refer to any type of work that provides confidence to
the users. There are many ways to increase users’ confidence in the reliability of information.
Business entities and their stakeholders can build trust through actions such as engaging with
stakeholders, establishing an internal audit function or obtaining external assurance. External
assurance is the provision of an independent report by an assurance practitioner (such as a
Chartered Accountant) on information that is prepared by one party for the benefit of another
party or parties.
This unit introduces the assurance framework and regulatory environment that applies to
accountants performing audit and assurance engagements, starting with the international and
local regulatory environment. It then identifies the different types of international and local
Auditing and Assurance Standards.
This unit looks at the following International Standards on Auditing (ISAs) and other
pronouncements:
• The Preface to the International Quality Control, Auditing, Review, Other Assurance, and Related
Services Pronouncements (International Preface).
• The International Framework for Assurance Engagements (International Framework).
• ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
with International Standards on Auditing (ISA 200).
aaa11601_au_csg
Unit 1 – Core content Page 1-1

CC
Audit and assurance

In the Audit & Assurance (AAA) module, we discuss both audit and assurance. An audit is
a particular type of assurance engagement, which provides a reasonable level of assurance,
typically on historical financial information. The audit of financial statements is the main focus
of the AAA module, but we also discuss reviews of financial statements and assurance over
other information that could be subject to external assurance, including information on:
•• Financial performance or conditions (e.g. historical or prospective financial information).
•• Non-financial performance or conditions (e.g. environmental performance, corporate social
responsibility reports or key performance indicators (KPIs)).
•• Physical characteristics (e.g. the existence of mineral reserves or production capacity).
•• Systems and processes (e.g. internal controls or outsourced activities).
•• Behaviour (e.g. corporate governance and human resources practices, or compliance with
laws and regulations or labour policies).
In addition to performing assurance engagements, audit and assurance skills can be applied
to a wide range of other services, such as consulting and advisory services, and investigative
services to provide forensic reports or due diligence.
International framework for assurance engagements
Learning outcome
1. Outline an overview of the Framework.
2. Identify and apply the elements and objectives of an assurance engagement.
Understanding the international regulatory regime

The International Federation of Accountants (IFAC) leads accountants globally. IFAC oversees a
number of regulatory boards, two of which are relevant to the studies in this unit:
•• International Auditing and Assurance Standards Board (IAASB).
•• International Ethics Standards Board for Accountants (IESBA).
The responsibilities of these bodies are summarised in the following table:
International regulatory bodies and their responsibilities
International Responsibilities
body
IFAC As the global organisation for the accounting profession, IFAC protects the public interest
by supporting the development of all sectors of the profession internationally. This helps to
provide the necessary infrastructure for the world’s financial markets to function effectively
IAASB The IAASB is ‘an independent standard-setting body that serves the public interest by setting
high-quality international standards for auditing, quality control, review, other assurance, and
related services, and by facilitating the convergence of international and national standards’
(www.ifac.org)
IESBA The IESBA is ‘…an independent standard-setting board that develops and issues, in the
public interest, high-quality ethical standards and other pronouncements for professional
accountants worldwide’ , including the Code of Ethics for Professional Accountants (IESBA Code)
Page 1-2 Core content – Unit 1

CC
Further information can be obtained from IFAC website at www.ifac.org. The relationship
between IFAC, IAASB and IESBA and their respective roles are shown in the following
diagram:
IFAC
International Federation
of Accountants
oversees operations of
IAASB IESBA
International Auditing and International Ethics
Assurance Standards Board Standards Board for Accountants
Sets international Standards for: Sets international Standards for:

• Auditing • Ethics
• Quality control • Other issues affecting
• Reviews professional accountants
• Other assurance
services
Required reading
International Framework paras 1–4.

CC
Australia-specific
Australian regulatory regime
Australian Auditing, Assurance and Ethical Standards largely follow the international
equivalents issued by the IAASB and IESBA.
The Australian financial reporting and assurance regulatory framework is illustrated in the
following diagram:
Financial Reporting and Assurance Regulatory Framework (Australia)
ASIC ASX APESB

(Australian Securities and Investments Commission) (Australian (Accounting
Conducts: Surveillance program to improve quality of Securities Professional
financial reporting Exchange) and Ethical
Standards Board)
Corporations Act (2001) FRC Issues: Issues:

(Financial Reporting Council)
Establishes: Listing Rules • Code of ethics
Legislative and regulatory Oversees: • Professional Standards
requirements which include class AASB and AUASB
orders and regulatory guides
Lobby groups:
CAANZ/CPA/IPA
ASX
ASIC
AASB AUASB
(Australian Accounting (Auditing and Assurance
Standards Board) Standards Board)
Issues: Issues:
• AASBs (Accounting Standards) • ASAs (Auditing Standards)
• Interpretations • ASREs (Review Standards)
• ASAEs (Assurance Standards)
• ASRSs (Related Services Standards)
• Guidance Statements
Australian Conceptual
Framework
AASB Framework for the Australian Conceptual
Preparation and Presentation of Framework
Financial Statements
Framework for Assurance
Engagements
SAC 1
Definition of the Reporting Entity
OUTPUT
Australian general purpose financial report1
Note
1.
A non‑reporting entity may be required to prepare a financial report. Where a financial report
is prepared, the output may be a special purpose financial report.
Details on the roles and responsibilities of each regulatory body can be obtained from their
respective websites. A brief summary is also provided in the ‘Regulatory Bodies’ document,
available in the Unit 1 folder in myLearning.

CC
Framework for assurance engagements

The IAASB has issued an International Framework for Assurance Engagements (the International
Framework) that describes the elements, outcomes and measurement criteria of an assurance
engagement. The Standards issued by the IAASB cover assurance engagements generally
and audit engagements specifically. This unit will identify which IAASB Standards apply to
different types of engagements, whether for audits or other assurance engagements, or for
related services.
When referring to an accountant in public practice, the International Framework uses the
term ‘assurance practitioner’ to reflect that the accountant may be performing an assurance
engagement. IAASB Standards that relate only to audits refer to the ‘auditor’.
Five elements of an assurance engagement

An assurance engagement contains what are known as the ‘elements of an assurance
engagement’, being (International Framework para. 26):
• A three party relationship involving an assurance practitioner, a responsible party, and intended
users;
• An appropriate underlying subject matter;
• Suitable criteria;
• Sufficient appropriate evidence; and
• A written assurance report in the form appropriate to a reasonable assurance engagement or a

limited assurance engagement.
The relationship between these elements becomes clearer when shown in the following
diagram:
Responsible party
provides subject
issues written matter and report to
report to prepared by
obtains
Practitioner (auditor) evidence Subject matter Intended users
about
uses
to evaluate
Criteria

CC
For example, in the audit of entity XYZ’s general purpose financial statements, the five elements
are as follows:
XYZ’s
directors
provides subject
issues written matter and report to
report to prepared by
Shareholders and
obtains XYZ’s general
evidence other interested
XYZ’s auditor purpose financial
about users of the financial
statements
statements
uses
to evaluate
International
Financial Reporting
Standards
Attestation and direct engagements

The revised International Framework introduces the concepts of attestation engagements and
direct engagements. The AAA module focuses on attestation engagements.
In an attestation engagement (refer to para. 12), a party other than the assurance practitioner
measures, or evaluates, the underlying subject matter against the criteria and presents the
underlying subject matter in a report. The assurance practitioner’s conclusion addresses
whether the subject matter information is free from material misstatement. The most common
form of attestation engagement is an audit or review of historical financial information. With
reference to the example diagram above, the responsible party (XYZ’s directors) prepares
subject matter (XYZ’s general purpose financial statements) against the criteria (International
Financial Reporting Standards). The practitioner (auditor) issues a written report (auditor’s
report) attesting that the financial statements ‘give a true and fair view’ of XYZ’s financial
position and financial performance.
In a direct engagement (refer to para. 13), the assurance practitioner is also the measurer or
evaluator of the underlying subject matter against the criteria and applies assurance skills and
techniques to obtain sufficient appropriate evidence about the subject matter information.
In a direct engagement, the responsible party (e.g. management) does not present the subject
matter information in a report. Instead, the assurance practitioner reports directly on the
subject matter and provides the intended users with an assurance report containing the subject
matter information. An example of a direct engagement would be a report on effective internal
control over financial reporting. A direct assurance report would be stating, for example: ‘In
our opinion, the entity has maintained, in all material respects, effective internal control over
financial reporting, based on criteria established by XYZ’. The primary practical difference for
the assurance practitioner between an attestation and a direct engagement is the additional
work effort for a direct engagement when planning and performing the engagement.

CC
Levels of assurance
In conducting an assurance engagement, the quality and quantity of the evidence that the
assurance practitioner gathers is determined by the level of assurance that users of the subject
matter require.
The International Framework divides assurance engagements into two types:
•• Reasonable assurance engagements.
•• Limited assurance engagements.
The higher the level of assurance required (e.g. an audit versus a review), the greater the quality
and quantity of the evidence gathered and, consequently, the more confidence users can have in
the subject matter. This level of confidence is reflected in the form and wording of the assurance
practitioner’s report on the subject matter.
Note that related services (e.g. agreed-upon procedures) are classified as non-assurance
engagements as they provide no assurance on the subject matter and fall outside the scope of
the International Framework.
The relationship between the levels of assurance and the degree of confidence expressed by
each is illustrated in the diagram below:
Non-assurance Assurance
engagement engagement
Level of
assurance Audit:
• Provide reasonable
Reasonable assurance
• Express a positive
opinion (e.g. ‘... in
our opinion’)
Review:
• Provide limited
assurance
Limited • Express a negative
conclusion (e.g. ‘...
nothing has come
to our attention’)
Related services
(e.g. agreed-upon
procedures)
• Provide no assurance
None • Do not express an
opinion or conclusion
None − no opinion or Negative conclusion Positive opinion

conclusion is expressed
Degree of confidence expressed to users

CC
The relationship between reasonable and limited assurance engagements, the types of opinions
or conclusions they produce and the quality and quantity of evidence required for each is
illustrated below:
Reasonable assurance Practitioner issues a Requires relatively

engagements positive opinion more/higher quality
(e.g. audit) evidence
Limited assurance Practitioner issues a Requires relatively

engagements negative conclusion less/lower quality
(e.g. review) evidence
Example – Identifying the appropriate level of assurance for a given engagement

Allgoodes has recently won the tender to conduct the following assurance work for Gadget, a
listed company:
•• An audit of the annual financial statements.
•• A review of the half-year financial statements.
Referring to para. 4 of the International Framework, the Allgoodes assurance partner has
determined that:
•• The audit of the annual financial statements is a reasonable assurance engagement.
•• The review of the half-year financial statements is a limited assurance engagement.
For the reasonable assurance engagement, Allgoodes will express its conclusion in the positive
form, for example: ‘In our opinion, the financial statements present fairly, in all material
respects, the financial position of Gadget as at 30 June 20X3, and (of ) its financial performance
and its cash flows for the year then ended in accordance with International Financial Reporting
Standards’.
For the limited assurance engagement, Allgoodes will express its conclusion in the negative
form, for example: ‘Based on our review, nothing has come to our attention that causes us
to believe that these financial statements do not present fairly, in all material respects, the
financial position of Gadget as at 31 December 20X3, and (of ) its financial performance and
cash flows for the period then ended, in accordance with International Financial Reporting
Standards’.

CC
Other aspects of assurance engagements

As well as the elements and types of assurance engagements, the International Framework also
outlines several other important principles regarding assurance engagements, outlined in the
table below:
International Framework – other aspects of assurance engagements
Key principle Requirement
Ethical principles and The assurance practitioner must only accept an assurance engagement where:
Engagement acceptance
•• The assurance practitioner believes they will be able to satisfy relevant ethical
(International Framework Standards – for example, independence
paras 5–8 and 22–25) •• The five elements of an assurance engagement (as discussed above) are
present
Professional ‘skepticism’ The assurance practitioner must adopt an attitude of professional scepticism
in order to determine whether any material misstatements exist in the subject
(International Framework
matter (e.g. financial statements). This involves:
paras 51–55)
•• Using a questioning mind when evaluating the validity of the evidence
obtained
•• Being alert to evidence that contradicts the reliability of documents or
representations made by the responsible party
Professional judgement The assurance practitioner must be able to exercise professional judgement in
an assurance engagement based on the facts and circumstances that are known.
This involves:
paras 56–66)
•• Consultation on difficult or contentious matters during the engagement, both
within the team and with others at an appropriate level inside or outside the
firm in making informed and reasonable judgements
•• Evaluating whether sufficient appropriate evidence has been obtained in
relation to the level of assurance being provided
Materiality An assurance practitioner applies the concept of materiality in order to

accumulate sufficient evidence to support the assurance conclusion
paras 67–70) It is impractical for an auditor to test every transaction or to verify every single
dollar in a set of financial statements. It is also unnecessary, as an auditor provides
reasonable or limited assurance, not absolute assurance or certainty
To practically accumulate sufficient audit evidence, amounts considered too small
to affect users’ decisions are given little or no audit effort
Engagement risk The assurance practitioner must reduce assurance engagement risk to an
acceptably low level by obtaining sufficient appropriate evidence
para. 72) Engagement risk is the risk that the assurance practitioner expresses an
inappropriate conclusion when the subject matter information is materially
misstated. As the assurance practitioner is not testing every transaction or
amount that makes up a set of financial statements, there will always be some
engagement risk
These key principles from the International Framework are expanded on in later units of the
AAA module.

CC
Required reading
Framework for Assurance Engagements
Worked example 1.1: Identifying elements of an assurance engagement

[Available online in myLearning]
Activity 1.1: Identifying assurance engagements

[Located at the end of this unit]

CC
International auditing and assurance pronouncements
Learning outcome
3. Demonstrate how Auditing Standards, Standards on Review Engagements and Standards on
Assurance Engagements are to be applied.
Earlier in this unit, we discussed the various international bodies involved in setting Auditing
and Assurance Standards. The next step is to look at the pronouncements that are issued by
these bodies and how they apply to different types of assurance engagements.
The relevant international pronouncements issued by the IAASB are set out in the following
diagram:
STRUCTURE OF PRONOUNCEMENTS ISSUED BY THE INTERNATIONAL

AUDITING AND ASSURANCE STANDARDS BOARD (IAASB)
IESBA Code of Ethics for Professional Accountants
PRONOUNCEMENTS
OVERARCHING
Engagements Governed by the Standards of the IAASB
ISQCs 1–99 International Standards on Quality Control
International Framework for Assurance Engagements
ENGAGEMENTS
Audits and Reviews of Other Assurance Related services

TYPES OF
Historical Financial Engagements

Information
ISAs 100–999 ISREs ASAEs 3000−3699 ISRSs 4000−4699

STANDARDS
APPLICABLE
International 2000–2699 International International

Standards on International Standards on Standards on
Auditing Standards on Assurance Related Services
Review Engagements
Engagements
Adapted from: IAASB, Handbook of International Quality Control, Auditing, Review, Other Assurance, and Related Services
Pronouncements, 2014 edn, vol. 1, p. 11.

CC
The various types of international pronouncements are discussed below.
Overarching international pronouncements

The overarching IAASB pronouncements are:
•• Preface to the International Quality Control, Auditing, Review, Other Assurance, and Related
Services Pronouncements (International Preface).
•• International Standard on Quality Control 1 Quality Control for Firms that Perform Audits and
Reviews of Financial Statements, and Other Assurance and Related Services Engagements (ISQC 1).
• International Framework for Assurance Engagements (International Framework).
The purpose of each pronouncement is explained in the table below:
Overarching IAASB pronouncements
Pronouncement Purpose
International Preface Facilitates understanding of the scope and authority of the pronouncements
issued by the IAASB
ISQC 1 Prescribes the mandatory minimum quality control requirements for firms of
professional accountants who perform assurance engagements that are needed
to ensure all engagements are performed to the appropriate Standard
For example: ISQC 1 requires a firm’s managing partner (or equivalent) to assume
responsibility for the firm’s quality control policies and procedures. This helps to
ensure that quality control is given an appropriate level of priority by the firm
International Framework Defines and describes the elements and objectives of an assurance engagement
and thus establishes the basic principles under which these engagements are
conducted. Does not apply to non-assurance Standards issued by the IAASB
The identification of the type of engagement a client might request and the applicable guidance
is determined by both the level of assurance provided and the subject matter of the engagement.
Applicable Standards
As indicated in the IAASB flow chart diagram, the IAASB issues a range of Standards, as
follows:
•• International Standards on Auditing (ISAs).
•• International Standards on Review Engagements (ISREs).
•• International Standards on Assurance Engagements (ISAEs).
•• International Standards on Related Services (ISRSs).
These are collectively referred to as the ‘IAASB’s Engagement Standards’.

Assurance engagements comprise engagements conducted under ISAs, ISREs and ISAEs.
These engagements are covered by the International Framework.
The IAASB also issues International Standards on Quality Control (ISQCs) and non-
authoritative material, including International Auditing Practice Notes.
Standards applicable to audits of historical financial information (ISAs)

In a performing an audit, the auditor provides reasonable assurance over the historical financial
information contained in financial statements.

CC
The focus of this module is largely on the audit of general purpose financial statements (GPFS)
to which ISAs 200–720 apply. However, there are also audits of historical financial information
not presented in GPFS. These include:
•• Special purpose financial statements (SPFSs) under ISA 800 Special Considerations—Audits of
Financial Statements Prepared in Accordance with Special Purpose Frameworks (ISA 800).
•• Single financial statements or components of financial statements under ISA 805
Special Considerations—Audits of Single Financial Statements and Specific Elements, Accounts
or Items of a Financial Statement (ISA 805).
•• Summary financial statements (SFSs) under ISA 810 Engagements to Report on Summary
Financial Statements (ISA 810).
These special purpose audit engagements involve auditing information prepared for special
circumstances for specific users. Special purpose audit engagements are discussed in the unit on
other assurance engagements and agreed-upon procedures engagements.
Standards applicable to reviews of historical financial information (ISREs)

The assurance practitioner may conduct a review over the historical financial information
contained in financial statements. When conducting review engagements, assurance
practitioners use the ISREs and a limited level of assurance is provided.
Review engagements performed by an assurance practitioner that is not the auditor of the entity
are performed under ISRE 2400 Engagements to Review Historical Financial Statements (ISRE 2400).
Review engagements performed by the independent auditor of the entity are performed under
ISRE 2410 Review of Interim Financial Information Performed by the Independent Auditor of the Entity
(ISRE 2410). Review engagements are discussed in the unit on review engagements.
Standards applicable to other assurance engagements (ISAEs)

It is also possible to audit (or review) many other types of information (or subject matter)
not based on historical information. For example, whether public transport services meet
established punctuality criteria; how many people use a local library; or whether entity’s
internal controls are operating effectively.
When conducting engagements on these other types of information, assurance practitioners use
the ISAEs. If an audit is conducted, this provides a reasonable level of assurance. If a review
type engagement is conducted, this provides limited level of assurance. These engagements
are discussed in the unit on other assurance engagements and agreed-upon procedures
engagements.
The overarching Standard for assurance engagements other than audits or reviews of historical
financial information is ISAE 3000 Assurance Engagements other than Audits or Reviews of Historical
Financial Information (Revised) (ISAE 3000). ISAE 3000 applies to engagements when a more
specific Standard does not exist.
Standards applicable to agreed-upon procedures and other related service engagements

(ISRSs)
There may be times when an entity requires certain procedures to be performed by an assurance
practitioner but does it not require any assurance. An example of this type of engagement is an
agreed-upon procedures engagement (ISRS 4400 Engagements to Perform Agreed-Upon Procedures
Regarding Financial Information (ISRS 4400)), where an assurance practitioner performs selected
procedures as agreed with the client and then issues a report of factual findings outlining the
results of the work performed.
When conducting such engagements, no assurance is provided. Assurance practitioners use the
ISRSs for these types of engagements.
Other types of services such as consulting or advisory engagements do not provide assurance
and are not covered by the IAASB’s Engagement Standards.

CC
Australia-specific
Australian auditing and assurance pronouncements
Australian pronouncements follow the structure and content of their international
counterparts. The relevant Australian pronouncements issued by the AUASB are set out in the
following diagram:
STRUCTURE OF PRONOUNCEMENTS ISSUED BY THE AUDITING

AND ASSURANCE STANDARDS BOARD (AUASB)
Foreword to AUASB Pronouncements and Glossary
PRONOUNCEMENTS
OVERARCHING
ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports
and Other Financial Information, Other Assurance Engagements and
Related Services Engagements
Framework for Assurance Engagements
ENGAGEMENTS
Audits of Reviews of Assurance Related services
TYPES OF
historical historical engagements other (Non-assurance
financial financial than audits or reviews engagements)
information information of historical financial
information
Australian Standards on Standards on Standards on

STANDARDS
APPLICABLE
Auditing Review Assurance Related Services

Standards Engagements Engagements ASRS 4400−4450
ASA 100−810 ASRE 2400−2415 ASAE 3000−3500
Adapted from: CA ANZ, Auditing Assurance and Ethics Handbook 2015, Appendix 1 and Appendix 2
to the ‘Foreword to AUASB Pronouncements’, pp. 35–6.
The structure of the AUASB pronouncements is similar to that used by the IAASB, as below:
Australian equivalents to IAASB Standards series

IAASB Standards series Australian equivalent
ISQC 1 Australian Standard on Quality Control 1 (ASQC 1)
ISAs Australian Auditing Standards (ASAs)
ISREs Australian Standards on Review Engagements (ASREs)
ISAEs Australian Standards on Assurance Engagements (ASAEs)
ISRSs Australian Standards on Related Services (ASRSs)
Collectively, ASAs, ASREs, ASAEs and ASRSs are referred to as the ‘AUASB Standards’.

CC
Force of law
Certain Standards in Australia have the ‘force of law’. The AUASB is required to issue Auditing
Standards under s. 336 Corporations Act 2001, for use in the audit of entities regulated under the
Act. This is commonly referred to as ‘force of law’.
These ‘force of law’ Standards are called ‘Auditing Standards’ and include:
•• Most ASAs.
•• ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports and
Other Financial Information, Other Assurance Engagements and Related Services Engagements
(ASQC 1).
•• ASRE 2410 Review of a Financial Report Performed by the Independent Auditor of the Entity
(ASRE 2410) and ASRE 2415 Review of a Financial Report: Company Limited by Guarantee
or an Entity Reporting under the ACNC Act or Other Applicable Legislation or Regulation
(ASRE 2415).
Complying with Australian Auditing and Assurance Standards
Australia has a single set of Auditing and Assurance Standards issued by the AUASB, which are
used by assurance practitioners for all engagements they perform.
Australian assurance practitioners are required to comply with these Auditing and Assurance
Standards as follows:
•• For assurance engagements performed under the Corporations Act, s. 307A requires
assurance practitioners to comply with AUASB Standards. Audits and reviews conducted
under the Corporations Act are enforced by ASIC.
•• For other assurance engagements, APES 210 Conformity with Auditing and Assurance
Standards (APES 210) requires members of CA ANZ (also CPA Australia and the IPA) to
comply with AUASB Standards. This is enforced by the professional accounting bodies (e.g.
via the CA ANZ Quality Review Program).
APES 210 also requires CA ANZ members to:
–– Observe and comply with public interest obligations (see APES 110 s. 100 ‘Introduction
and Fundamental Principles’).
–– Comply with independence requirements (see APES 110 ss 290 and 291 on
independence).
Paragraph Aus 0.1 in each ASA refers to Corporations Act audits and reviews. Making this
paragraph mandatory reflects the legal enforceability of ASAs in relation to engagements
conducted under the Corporations Act.
Paragraph Aus 0.2 in each ASA is explanatory material. This is because para. Aus0.2 in each ASA
refers to non-Corporations Act audits and reviews. For these engagements, ASAs are not legally
enforceable.
Differences between IAASB and AUASB pronouncements
There are two key differences between the IAASB and AUASB pronouncements. In Australia:
•• The Foreword to AUASB Pronouncements (AUASB Foreword) sets out the:
–– Functions, composition and operating procedures of the AUASB.
–– Range of pronouncements issued by the AUASB.
•• ASA 101 Preamble to Australian Auditing Standards (ASA 101) sets out how the AUASB
Standards should be understood, interpreted and applied. ASA 101 was issued because
ASAs are mostly legally enforceable.
Internationally, the IAASB has issued the Preface to the International Quality Control, Auditing,
Review, Other Assurance, and Related Services Pronouncements (discussed above under
international auditing and assurance pronouncements). It explains how the IAASB Standards
are to be used and applied.

CC
Other Australian pronouncements

Other Australian pronouncements include AUASB Guidance Statements (GSs) – these provide
non-mandatory guidance on specific matters. They are not covered in this module, unless
specifically stated otherwise.
Structure of Australian Auditing Standards and the ASA 101 requirements

As with their international equivalents, the ASAs issued by the AUASB follow the same structure.
Each ASA presents information in a number of different sections. ASA 101 prescribes which
sections are mandatory and which contain explanatory material. Because ASA 101 relates to the
Australian legislative environment, there is no equivalent ISA.
Mandatory and explanatory material sections
Under ASA 101, each ASA comprises both mandatory components and explanatory
material. The mandatory components are listed in ASA 101 para. 9 and impose a legal and/or
professional obligation on auditors for audit or review engagements.
The explanatory material is listed in ASA 101 para. 10 and ‘does not create or extend mandatory
components’. Paragraph 10 creates the requirement for the auditor to consider the whole
text of an Auditing Standard to understand, interpret and apply the mandatory components.
Essentially, this means that the auditor must read the whole Standard, including the
explanatory material.
Required reading
AUASB, Foreword to AUASB Pronouncements.
AUASB, Australian Framework for Assurance Engagements.
ASA 101.
Corporations Act ss 336, 307 and 307A.
APES 210.
Worked example 1.2: Identifying the type of engagement and the applicable Standards

CC
Auditor’s objectives and responsibilities in conducting an audit

– ISA 200
Learning outcome
4. Demonstrate the auditor’s overall objectives and responsibilities when conducting an audit of
financial statements.
Having covered international and Australian auditing and assurance pronouncements, this unit
now looks at an auditor’s objectives and responsibilities in conducting an audit under the ISAs
and ASAs. This section begins a more in-depth examination of the requirements of individual
Standards that will continue throughout the other units in this module.
The first international Standard to be examined in detail in the module is ISA 200. This
Standard deals with the auditor’s overall responsibilities when conducting an audit of financial
statements, in accordance with the ISAs. Later ISAs expand on and provide more detail about
these responsibilities.
Auditor’s overall objectives

ISA 200 para. 11 outlines the auditor’s overall objectives:
•• To obtain reasonable assurance as to whether the financial statements as a whole are free
from material misstatement, enabling the auditor to express an opinion on those financial
statements.
•• To report on the financial statements and communicate those findings as required by ISAs.
Requirements
ISA 200 contains five key requirements for an auditor in the conduct of an audit, which relate to:
1. Ethics.
2. Professional scepticism.
3. Professional judgement.
4. Sufficient appropriate audit evidence and audit risk.
5. Conduct of an audit in accordance with ISAs.
1. Ethics
The auditor needs to comply with relevant ethical requirements, including independence, when
conducting an audit (ISA 200 para. 14). At the international level, these ethical requirements
include IESBA’s Code of Ethics.
2. Professional scepticism
The auditor needs to plan and perform an audit with professional scepticism (ISA 200 para. 15).
Professional scepticism, as mentioned earlier, means ‘an attitude that includes a questioning
mind, being alert to conditions which may indicate possible misstatement due to error or fraud,
and a critical assessment of evidence’ (IAASB Glossary of Terms). This includes being alert to the
following (ISA 200 para. A18):

CC
Professional scepticism – areas in which the auditor should remain alert
Area Example
Audit evidence that contradicts Management may have given the auditor verbal assurances that an
other audit evidence obtained entity has no obsolete inventory. However, the auditor notices boxes of
goods in the warehouse that were there the previous year
Information that brings into Management may claim to have increased profit margins during the
question the reliability of documents period, but press reports and industry journals have consistently
and responses to enquiries reported falling margins in that sector
Conditions that may indicate A senior staff member of the entity being audited appears to have
possible fraud a lifestyle beyond their earnings
Circumstances that suggest the need External confirmation of bank balances is not mandatory under ISAs.
for audit procedures in addition to However, if the auditor has doubts about client-produced evidence
those required by ISAs relating to bank balances, it may be appropriate to obtain written
confirmation from the client’s bankers
Since professional scepticism is an attitude, it is influenced by many factors, such as

the auditor’s experience and competencies. Therefore, there is no single way to exercise
professional scepticism and is dependent on the auditor’s professional judgement. In 2013,
the then Institute of Chartered Accountants in Australia (now CA ANZ) and the Chartered
Professional Accountants of Canada prepared a paper, ‘Practical ways to improve the exercise
and documentation of professional scepticism in an ISA audit’, which provides examples of
how an audit engagement team can exercise and document professional scepticism at different
stages of an audit engagement.
3. Professional judgement
The auditor needs to exercise professional judgement in planning and performing an audit
(ISA 200 para. 16). This is because interpreting ISA requirements and making informed
decisions throughout an audit can only be made with the application of relevant knowledge
and experience.
As outlined in ISA 200 para. A23, professional judgement is particularly necessary regarding
decisions involving:
•• Assessing materiality and audit risk.
•• Determining the nature, timing and extent of audit procedures.
•• Evaluating whether sufficient appropriate audit evidence has been obtained.
•• Evaluating management’s judgements.
•• Drawing conclusions based on evidence obtained.
Professional judgement is discussed further in later units of this module.
4. Sufficient appropriate audit evidence and audit risk

The auditor needs to obtain sufficient appropriate audit evidence to reduce audit risk to an
acceptably low level to enable them to draw reasonable conclusions on which to base the audit
opinion (ISA 200 para. 17). To clarify:
•• ‘Sufficiency’ refers to the quantity of evidence obtained (ISA 200 para. A29) – for example,
should 20 or 30 debtors be selected for testing?
•• ‘Appropriate’ refers to the quality of evidence obtained – that is, the relevance and reliability
of the evidence (ISA 200 para. A30). For example, written evidence provided by a party
independent of the client is generally considered to be more reliable than oral evidence
provided by a client’s staff member.
There is no easy measurement or rule of thumb to assess whether evidence is sufficient and
appropriate – it is a matter of professional judgement.

CC
Audit evidence is commonly sourced from clients’ accounting records (e.g. ledgers, journals and
invoices); discussions with the client and external sources such as banks; and share registries.
Audit risk is the risk that the auditor expresses an unmodified (i.e. ‘clean’) opinion when the
financial statements are materially misstated. Auditors always aim to keep audit risk low;
however, it is not possible to eliminate audit risk entirely. This is because an audit engagement
is to provide reasonable assurance (not absolute assurance) and, therefore, the auditor would
not test all transactions or amounts that make up the financial statements.
5. Conduct of an audit in accordance with ISAs

The auditor must comply with all ISAs that are relevant to the audit (ISA 200 para. 18), unless
the entire ISA is not relevant. For example, ISA 610 (Revised 2013) Using the Work of Internal
Auditors (ISA 610) contains requirements applicable to the auditor’s use of the work of internal
auditors. If the entity being audited has no internal auditors, then ISA 610 is not relevant.
Alternatively, requirements within an ISA may not be relevant because they are conditional
and the condition does not exist in the entity being audited. For example, ISA 570 Going Concern
(ISA 570) contains audit procedures where an entity has going concern problems. If the entity
being audited does not have going concern problems, then the ‘condition’ does not exist and
those requirements are not relevant.
In order to properly apply ISAs, an auditor needs to understand their entire text, not just the
mandatory components (ISA 200 para. 19). The auditor must not state in the auditor’s report
that ISAs have been complied with unless this is true (ISA 200 para. 20).
Required reading
ISA 200 paras 1–24, A1, A12–A31, A45, A58–A69 and A72–A76.
Institute of Chartered Accountants in Australia and Chartered Professional Accountants of Canada,
2013, ‘Practical ways to improve the exercise and documentation of professional scepticism in an
ISA audit’, May [available online in myLearning].
Audit quality
As stated in ISA 200 para. 3, the purpose of an audit is to enhance the degree of confidence
of intended users in financial reports. This is achieved by the expression of an opinion by the
auditor on whether the financial report is prepared, in all material respects, in accordance
with an applicable financial reporting framework. Under A Framework for Audit Quality (the
Framework) issued by the IAASB, for an external audit to fulfil its objective, the users of audited
financial statements must have confidence that the auditor has worked to a suitable standard
and that ’a quality audit has been performed’.
Audit quality is a widely debated topic, both internationally and locally, among the audit
profession, regulators and other audit stakeholders. It is a complex topic for which there is
no universal definition. The framework explains that the term audit quality includes ‘the key
elements that create an environment which maximizes the likelihood that quality audits are
performed on a consistent basis’.
Paragraph 2 of the framework states:
A quality audit is likely to have been achieved by an engagement team that:
• Exhibited appropriate values, ethics and attitudes;
• Was sufficiently knowledgeable, skilled and experienced and had sufficient time allocated to
perform the audit work;
• Applied a rigorous audit process and quality control procedures that complied with law,
regulation and applicable standards;
• Provided timely reports; and
• Interacted appropriately with relevant stakeholders.

CC
Subsequent units of the AAA module explore concepts contributing to audit quality in more
detail.
Australia-specific
Auditor’s objectives and responsibilities in conducting an audit in Australia – ASA 200
ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
with Australian Auditing Standards (ASA 200) largely follows its international equivalent, ISA 200,
discussed above.
Differences between ISA 200 and ASA 200
The key differences between ISA 200 and ASA 200 are as follows:
•• ASA 200’s application paragraphs state that audits conducted under the Corporations Act
must be conducted in accordance with ASA 200.
•• In relation to compliance with Auditing Standards, ASA 200 para. Aus 22.1 contains an
additional requirement which permits non-compliance with mandatory requirements of
the ASAs where the amount in question is immaterial.
Required reading
ASA 200 paras Aus 0.1–Aus 0.3, Aus 12.1, Aus 13.1–Aus 13.4, Aus 22.1, Aus 23.1, Aus A14.1,
Aus A66.1 and Aus A74.1
Activity 1.2: Applying professional scepticism and professional judgement


CC
Australian legislative requirements
Learning outcome
5. Identify which entities are required to be audited by legislation.
Australia-specific
There are a number of pieces of legislation that specify the requirements for an entity to be
audited or reviewed. Some of these are outlined below.
Corporations Act 2001 (Cth)
The Corporations Act requires certain entities registered under the Act to prepare an annual
financial report (s. 292) and have it audited (s. 301). Examples include:
•• Disclosing entities.
•• Public companies.
•• Large proprietary companies.
•• Registered schemes.
The financial report prepared by these entities must include (s. 295(1)):
•• Financial statements for the year and related notes.
•• A directors’ declaration about the statements and notes.
The financial report must be prepared in accordance with Accounting Standards and the
Corporations Regulations 2001 (Cth), which are made under the Corporations Act (s. 296). In
addition, disclosing entities need to prepare half-yearly financial reports (s. 302(a)) and have
these audited or reviewed (s. 302(b)).
Companies limited by guarantee with annual or consolidated revenue of less than $1 million
may elect to have their annual financial report reviewed rather than audited (s. 301(3)).
When conducting an audit or review under the Corporations Act, the auditor must comply with
the Act’s requirements, which include:
•• Forming an opinion as to whether the financial report is in accordance with Accounting
Standards and gives a true and fair view (s. 307(a)).
•• Conducting the engagement in accordance with Auditing Standards (s. 307A). It is this
section which gives rise to the expression ‘force of law’ in relation to Auditing Standards.
•• Retaining work papers for seven years after the date of the audit report to which they relate
(s. 307B).
•• Providing the directors of the client with an independence declaration (s. 307C).
•• Reporting to members of the client whether the financial report is in accordance with the
Corporations Act (s. 308(1)).
•• Reporting to ASIC any contraventions and suspected contraventions of the Corporations
Act during the conduct of an audit (s. 311).
Financial statements versus financial report
The Corporations Act and ASAs both refer to ‘financial report’, comprising the financial
statements, notes, and the directors’ declaration about the statements and notes (Corporations
Act) or an assertion statement by those charged with governance (AUASB Glossary).
However, ISAs apply to ‘financial statements’. The definition in the IAASB’s Glossary of Terms
defines this as complete set of financial statements as determined by the requirements of the
applicable financial reporting framework. A complete set of financial statements is defined
in para 10. of Australian Accounting Standard AASB 101 Presentation of Financial Statements
(AASB 101).

CC
For the purposes of this module, ‘financial statements’ will be used, except where referring
specifically to the Australian regulatory environment.
ASIC class orders – exemptions from specified financial reporting and audit requirements
ASIC has the power, in certain circumstances, to provide entities with relief from certain
financial reporting and audit requirements of the Corporations Act through class orders. ASIC’s
class orders commonly entail extensive prerequisites for any entity that wishes to apply for
relief.
ACNC Act
The Australian Charities and Not-for-profits Commission (ACNC) is the independent national
regulator of charities. The Australian Charities and Not-for-profits Commission Act 2012 (Cth) (the
ACNC Act) sets out the objects and functions of the ACNC, as well as the framework for the
registration and regulation of charities.
The audit or review requirements of charities depend on the size of the charity. A large charity
must have its financial report audited and submit the financial report and auditor’s report to
the ACNC. Medium-sized charities must submit a financial report, but they can choose to have it
reviewed or audited. More information can be found on the ACNC website at (www.acnc.govt.au).
Other legislation
While the focus of this module is primarily on audits of financial reports prepared under the
Corporations Act, there are many entities across Australia that require auditing or review under
other legislation, for example:
•• Solicitors and real estate agents’ trust accounts, which are audited under state legislation.
•• Government departments, which are audited under various state and federal legislation.
Required reading
Corporations Act ss 292, 295, 296, 301, 302, 307, 307A, 307B, 307C, 308 and 311.
Audit and review requirements for Australian entities (available on myLearning).
Quick reference guide

1.1: Professional scepticism and professional judgement
Quiz

Readings
References to Auditing and Assurance

All references to Auditing and Assurance Standards in the learning elements in the AAA module
are to international Standards, except where they relate to jurisdiction-specific content.
The table below provides a summary of the readings from the international pronouncements
together with the equivalent Australian and New Zealand pronouncements.
In the exam, candidates can refer to the international Standards or the Australian or New Zealand
Standards.
Required reading
Relevant International Standards on Auditing and national equivalents and guidance
International Australia New Zealand
International Framework for Framework for Assurance Explanatory Guide Au1 Overview of
Assurance Engagements Engagements (June 2014) Auditing and Assurance Standards
(EG Au1)
Explanatory Guide Au1A
Framework for Assurance
Engagements (EG Au1A)
Preface to the International Quality Foreword to AUASB Pronouncements XRB Standard Au1 Application of
Control, Auditing, Review, Other Auditing and Assurance Standards
Assurance, and Related Services (XRB Au1)
Pronouncements
ISA 200 Overall Objectives of the ASA 200 Overall Objectives of XRB Standard Au1 Application of
Independent Auditor and the the Independent Auditor and the Auditing and Assurance Standards
Conduct of an Audit in Accordance Conduct of an Audit in Accordance (XRB Au1)
with International Standards on with Australian Auditing Standards
Auditing
•• Paragraphs 1–24, A1, A12–A31, •• Paragraphs 1–24, A1, A12–A31,
A45, A58–A69 and A72–A76 A45, A58–A69, A72–A76,
AUS 0.1–AUS 0.3, AUS 12.1,
AUS 13.1–AUS 13.4, AUS 22.1,
AUS 23.1, AUS A14.1 and
AUS A74.1
APES 210 Conformity with Auditing ISA (NZ) 200 Overall Objectives of
and Assurance Standards the Independent Auditor and the
Conduct of an Audit in Accordance
with International Standards on
Auditing (New Zealand)
•• Paragraphs 1–24, A1, A12–A31,
A45, A58–A69 and A72–A76
ASA 101 Preamble to Australian
Auditing Standards
Corporations Act 2001 (Cth) Auditors Regulation Act 2011
•• Sections 292, 295, 296, 301, 302, •• Sections 5, 8–10, 17 and 20
307, 307A, 307B, 307C, 308, 311
and 336
Financial Markets Conduct Act 2013
•• Sections 451 and 461
Unit 1 – Readings Page 1-23

Relevant International Standards on Auditing and national equivalents and guidance

Companies Act 1993
•• Sections 206, 207, 207A–207C,
208 and 211
www.ifac.org www.auasb.gov.au www.xrb.govt.nz
Further reading
Further reading and resources

Please check the Further reading and resources sections in myLearning for up-to-date videos
and further reading material.
Page 1-24 Readings – Unit 1

ACT
[Solutions to activities are available online. Please access myLearning to view]
Activity 1.1
Identifying assurance engagements
Introduction
To meet the definition of an assurance engagement, an engagement must possess five elements
as defined by the International Framework for Assurance Engagements (International
Framework).
This activity links to learning outcome:
•• Identify and apply the elements and objectives of an assurance engagement.
At the end of this activity you will be able to identify and apply the five elements of an
assurance engagement, in accordance with the International Framework.
It will take you approximately 20 minutes to complete.
Scenario
You are an audit senior at AAA Partners Chartered Accountants (AAA Partners). AAA
Partners provides a variety of services to its clients. As part of an internal review of AAA’s
quality control procedures, the audit managers have asked you to assess which of the given
engagements are assurance engagements under the International Framework.
Task
For this activity you are required to assess each the following engagements and identify
whether it is an assurance engagement. Justify your response.
1. Reporting on retail store turnover reports provided to the stores’ lessors under the terms of
the lease agreements.
2. Investigating management’s compliance with internal risk management policies for clients
in the financial services industry.
3. Valuation services.
4. Assisting boards of directors to develop corporate strategies.
5. Reporting to regulatory bodies on adherence to environmental laws and regulations.
Unit 1 – Activities Page 1-25

ACT
Activity 1.2
Applying professional scepticism and
professional judgement
Introduction
It is important for the auditor to exhibit professional scepticism and judgement when
conducting an audit.
The International Framework for Assurance Engagements (International Framework) provides
guidance on professional scepticism and professional judgement for assurance engagements
generally. ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in
Accordance with International Standards on Auditing (ISA 200) contains the requirements and
guidance in respect of audits.
•• Demonstrate the auditor’s overall objectives and responsibilities when conducting an audit
of financial statements.
At the end of this activity you will be able to identify how professional scepticism and
professional judgement should be exercised in the conduct of an assurance engagement, in
accordance with ISA 200.
Scenario
You are an audit manager at Addup Chartered Accountants (Addup), a successful accounting
firm. Addup is the auditor of the annual financial statements of Ratchet, a large private
company. Ratchet’s audit is to be conducted in accordance with International Standards on
Auditing (ISAs).
Kathy Gull is the engagement partner assigned to the audit of Ratchet, which has experienced
some instability over the last two years, culminating in the departure of key members of the
senior management team. The new chief executive officer (CEO), John Swan, has subsequently
stabilised the company through his hands-on leadership style and detailed involvement in key
aspects of the business.
You are the audit manager assigned to the audit of Ratchet. Before the audit commences Kathy
has informed you that over the last six months, she noted the following in relation to Ratchet’s
operations:
•• Changes in key operating ratios that cannot be adequately explained, particularly in relation
to profit margins.
•• A lack of qualified staff in the accounting area.
•• Reduced compliance with, and awareness of, internal controls.
Kathy has also informed you that John leads an extravagant lifestyle which his salary alone does
not seem able to support.
Page 1-26 Activities – Unit 1

ACT
Task
For this activity, you are required to:
•• Outline the ways that the audit team should exercise professional scepticism in response to
Kathy’s concerns regarding Ratchet.
•• Outline the key areas in which the audit team will need to exercise professional judgement.

[This page has deliberately been left blank]

CC
Core content
Unit 2: Auditing Standards and quality
control
Learning outcomes
1. Outline the audit process.
2. Illustrate the overall responsibilities of firms with regard to ethics and quality control.
3. Demonstrate the nature and purpose of audit documentation, and the objective and
requirements of preparing audit documentation.
Introduction
Conducting an audit under the International Auditing and Assurance Standards Board (IAASB)
International Framework for Assurance Engagements (International Framework) requires
understanding the:
•• Importance of complying with ethical requirements to ensure the integrity of the audit
process.
•• Significance of quality control policies and procedures in ensuring audits are consistently
conducted to the same high standard.
•• Overall audit process, including understanding that audit is an ongoing process of
interaction between the auditor and the audited entity.
•• Importance of audit documentation in providing evidence that the work was carried out in
accordance with applicable Standards and regulations.
These topics are covered in this unit. This unit looks at the following International Standards on
Auditing (ISAs) and other guidance and legislation:
•• ISQC 1 Quality Controls for Firms that perform Audits and Reviews of Financial Statements, and
other Assurance and Related Services Engagements (ISQC 1).
•• ISA 220 Quality Control for an Audit of Financial Statements (ISA 220).
•• ISA 230 Audit Documentation (ISA 230).
aaa11602_csg

CC
Overview of audit process

Learning outcome
1. Outline the audit process.
This section addresses the overall audit process for auditing general purpose financial
statements and how this process is covered in the Audit & Assurance (AAA) module.
Introduction to audit process

The ultimate objective of an audit is to issue an appropriate auditor’s report containing the
auditor’s opinion. In order to achieve this objective, the audit process follows a number of steps.
Every audit follows the same steps, although the time spent on each step will vary from one
audit to the next depending on the complexity of the entity, the degree of reliance that can be
placed on its internal controls, and the level of regulation that it is subject to. For example, it
would be expected that more time would be spent planning the audit of a listed company with
diverse operations than that of a smaller company that sells only a limited number of products.
Each step in the audit process builds on the information gathered during the previous steps.
For example, responding to assessed risks uses information gathered during the planning
phase. At times during the audit, it will also be necessary to revisit previous steps to reassess
judgements made.

CC
The initial units of the AAA module work through the audit process in a logical manner, similar
to that set out in the diagram below.
AUDIT PROCESS

Overall framework Assurance purpose and framework
Auditing Standards and quality control
AUDITS OF FINANCIAL STATEMENTS

Prior to the audit
• Consider engagement
independence and ethical Pre-engagement activities
considerations
• Direction, supervision and
performance of the audit Planning the audit
• Assess continuing Understanding the entity and its environment
relationship with client Analysing audit risks, financial statement assertions and initial audit
• Communicate with those engagements
charged with governance Analysing audit risks – fraud
and management Materiality in planning and performing an audit
• Consult with appropriate Developing an overall audit plan
persons on difficult or
contentious matters
• Document work
Responding to assessed risk – undertaking the audit
performed, findings and
conclusions in appropriate Responding to assessed risks – controls testing
working papers Responding to assessed risks – substantive testing
• Revisit planning Responding to assessed risks – evaluating audit evidence
assumptions Responding to assessed risks – using the work of others, external
• Consider going concern confirmations and written representations
and fraud Subsequent events and going concern

Reviewing the financial statements and audit results
Forming an opinion and issuing an auditor’s report
The audit process, as illustrated above, has four main stages:

1. Prior to the audit. This includes assessing ethical requirements of both the client and the
engagement, including the integrity of the client and agreeing the terms of any engagement.
2. Planning the audit. Planning is essential to any audit and includes key steps, such
as gaining an understanding of the client and its environment, assessing risks, and
determining materiality. The information gathered in these steps assists the auditor
in developing the overall audit plan.
3. Responding to assessed risk – undertaking the audit. This includes performing the audit
field work, or the evidence-gathering process. Gathering sufficient appropriate audit
evidence is essential to enabling an auditor’s opinion to be formed. The process may
include testing an entity’s controls and will include performing substantive tests, such
as verifying dollar amounts. The evidence gathered then needs to be evaluated to determine
its sufficiency and appropriateness. Part of this process includes assessing the effect of
subsequent events and determining the appropriateness of the basis of an entity’s going
concern assumption. Subsequent events and going concern are dealt with together because

CC
there are often interrelated issues – for example, a subsequent event can lead to a going
concern issue.
4. Finalising the audit. This covers formulation of the auditor’s opinion and reporting
activities.
It is important to remember that many Auditing Standards apply to more than one step in
the audit process and are therefore relevant to more than one unit in this module. These are
referred to as continuous audit activities. For example, ISA 570 Going Concern is referred to
during the planning stage and, again, when undertaking the audit and finalising the audit.
Continuous audit activities

The key continuous activities of the audit process and their related Standards are outlined in the
table below:
Continuous audit activities and related Standards
Activity Related Standards and requirements
Consider engagement ISQC 1

independence and
•• Requires an audit firm to establish policies and procedures that will help ensure
ethical considerations
it only undertakes or continues engagements and relationships in which the firm
and its personnel comply with relevant ethical requirements (ISQC 1 para. 20).
Complying with ethical requirements is a continual obligation throughout the
engagement
ISA 220
•• Requires the engagement partner to ‘remain alert’ throughout the engagement ‘for
evidence of non-compliance with relevant ethical requirements by members of the
engagement team’ (ISA 220 para. 9)
Direction and ISQC 1

supervision of the
•• Requires appropriate quality control policies and procedures to help ensure
audit
engagements are performed in accordance with IAASB Standards, ethical
requirements and applicable legal and regulatory requirements (ISQC 1 para. 11)
ISA 220
•• Requires the engagement partner to take responsibility for the ‘direction,
supervision and performance’ of the audit (ISA 220 para. 15(a))
Assess continuing ISA 220

relationship with
•• Requires the engagement partner to reconsider the client relationship if the firm
client
obtains any information that would have caused it to decline the engagement had
that information been available earlier (ISA 220 para. 13)
Communicate with ISA 260 Communication with Those Charged with Governance (ISA 260).
management and
•• Requires the auditor to communicate specific matters to those charged with
those charged with
governance (ISA 260 para. 3). Additional matters to be communicated which
governance
complement these requirements are identified in other Auditing Standards, such as:
ISA 265 Communicating Deficiencies in Internal Control to Those Charged with
Governance and Management (ISA 265)
•• Requires the auditor to ‘communicate in writing significant deficiencies in internal
control identified during the audit to those charged with governance on a timely
basis’ (ISA 265 para. 9)
ISA 450 Evaluation of Misstatements Identified during the Audit (ISA 450)
•• Requires the auditor to ‘communicate on a timely basis all misstatements
accumulated during the audit’ to ‘the appropriate level of management’ and
request that they be corrected (ISA 450 para. 8)
These may result in a number of communications throughout the audit

CC
Continuous audit activities and related Standards
Activity Related Standards and requirements
Consult with ISQC 1

appropriate persons
•• Requires the firm to establish policies and procedures to help ensure that
on difficult or
‘appropriate consultation takes place on difficult or contentious matters’
contentious matters
(ISQC 1 para. 34)
ISA 220
•• Requires the engagement partner to ‘take responsibility for’ and ‘be satisfied that
members of the engagement team have undertaken appropriate consultation
during the course of the engagement, both within the engagement team and
between the engagement team and others at an appropriate level within or outside
the firm’ (ISA 220 paras 18(a) and (b))
ISA 620 Using the Work of an Auditor’s Expert (ISA 620)

•• Requires the auditor to determine whether to use the work of an expert ‘if expertise
in a field other than accounting or auditing is necessary to obtain sufficient
appropriate audit evidence’ (ISA 620 para. 7). Under para. A4, an expert may be
needed at various stages of the audit to assist in one or more of the following:
–– Obtaining an understanding of the entity and its environment, including its

internal control
–– Identifying and assessing the risks of material misstatement
–– Determining and implementing overall responses to assessed risks at the
financial statements level
–– Designing and performing further audit procedures to respond to assessed risks
at the assertion level, comprising tests of controls or substantive procedures
–– Evaluating the sufficiency and appropriateness of audit evidence obtained in
forming an opinion on the financial statements
Document work ISA 220

performed, findings
•• Requires the auditor to include a number of items in the audit documentation
and conclusions in
– for example, ‘issues identified with respect to compliance with relevant ethical
appropriate work
requirements and how they were resolved’ (ISA 220 para. 24(a))
papers
ISA 230
•• Requires the auditor to prepare audit documentation that would enable an
experienced auditor, who has no previous association with the audit, to understand
the nature, timing, extent, results and conclusions drawn from the audit procedures
performed (ISA 230 para. 8)
Revisit planning ISA 300 Planning an Audit of Financial Statements (ISA 300)

assumptions
•• Reminds us that audit planning is ‘not a discrete phase’ but rather a ‘continual and
iterative process’, which often begins soon after the completion of the last audit and
continues through to completion of the current audit (ISA 300 para. A2)
ISA 450
•• Requires the auditor to revisit the overall audit strategy and audit plan if individual
or aggregated misstatements identified during the audit could be material
(ISA 450 para. 6)
Consider going ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
concern and fraud (ISA 240)
•• Requires the auditor to maintain ‘professional scepticism throughout the audit’ and
recognise that a material misstatement due to fraud could exist (ISA 240 para. 8)
ISA 570 Going Concern (ISA 570)
•• Requires the auditor to ‘remain alert throughout the audit for … evidence of events
or conditions that may cast significant doubt on the entity’s ability to continue as a
going concern’ (ISA 570 para. 11)

CC
International Standard on Quality Control 1 (ISQC 1)
Learning outcome
2. Illustrate the overall responsibilities of firms with regard to ethics and quality control.
ISQC 1, issued by the IAASB, deals with a firm’s responsibilities for its system of quality control
in respect of assurance and related services engagements (ISQC 1 para. 1), and it applies to all
firms of professional accountants. Under ISQC 1 para. 3, a system of quality control consists of:
•• Policies designed to achieve particular objectives.
•• Procedures ‘necessary to implement and monitor compliance with those policies’.
In the accounting profession, firms need to establish policies for accepting new clients and
performing engagements. They also need procedures for implementing these policies.
ISQC 1 para. 11 states that the objective of a firm’s quality control system is to provide
reasonable assurance that:
(a) The firm and its personnel comply with professional standards and applicable legal and regulatory
requirements; and
(b) Reports issued by the firm or engagement partners are appropriate in the circumstances.
In order to achieve these objectives, ISQC 1 requires firms to:

•• Document their policies and procedures and communicate them to their personnel
(ISQC 1 para. 17).
•• Document ‘evidence of the operation of each element’ of their quality control systems
(ISQC 1 para. 57).
•• Retain documentation to permit the personnel who are responsible for monitoring a firm’s
compliance with its quality control policies and procedures to carry out their duties
(ISQC 1 para. 58).
•• Document complaints and allegations made against the firm, and the firm’s responses to
these (ISQC 1 para. 59).
Required reading
ISQC 1 paras 1–15, 17 and 57–59.
Elements of a system of quality control

ISQC 1 para. 16 requires firms to implement quality control policies and procedures
(i.e. a system) that address each of the following elements:
(a) Leadership responsibilities for quality within the firm.
(b) Relevant ethical requirements.
(c) Acceptance and continuance of client relationships and specific engagements.
(d) Human resources.
(e) Engagement performance.
(f) Monitoring.
Further, ISQC 1 para. 17 requires firms to document the policies and procedures, and
to communicate these to their personnel.
Each element of an audit firm’s quality control system supports and reinforces the other
elements. For example:

CC
•• Strong ethical leadership helps ensure requirements are met.
•• Professional human resources practices help ensure engagements are performed
by appropriately skilled staff.
In addition, the system needs to be monitored to ensure its objectives are being achieved.
The elements of a quality control system for an audit firm can be shown diagrammatically
as follows:
Documentation and
communication of system
of quality control
Leadership responsibilities
for quality
Engagement acceptance and

continuance
Elements of
quality control Engagement performance
system
Ethical requirements
Human resources
Monitoring
Leadership responsibilities for quality

ISQC 1 requires firms to establish policies and procedures that are designed to promote an
appropriate firm culture (ISQC 1 para. 18). For example, by requiring staff and partners to
perform work that meets the requirements of professional Standards. Such requirements could
be communicated by holding training seminars or pre‑engagement meetings with staff. In
addition, staff appraisal procedures should support and reinforce the firm’s views on what
constitutes quality.
The firm’s chief executive officer (or equivalent) or managing board (or equivalent) is required
to assume ‘ultimate responsibility for the firm’s system of quality control’ (ISQC 1 para. 18).
Operational responsibility for quality control may be delegated, but only to a person who has
‘appropriate experience and ability’ as well as the ‘necessary authority’ to effectively perform
the function (ISQC 1 para. 19).
ISQC 1 recognises that commercial considerations, such as completing an engagement within
budget, can sometimes put the quality of the work performed at risk. By requiring a firm’s
leaders to establish an appropriate internal culture and accept ultimate responsibility for
quality control, ISQC 1 aims to ensure that the quality of the work performed is the firm’s main
consideration (ISQC 1 para. A5).
Required reading
ISQC 1 paras 16, 18–19, A2 and A4–A6.

CC
Ethical requirements
A firm’s quality control system needs to provide ‘reasonable assurance that the firm and its
personnel comply with relevant ethical requirements’ (ISQC 1 para. 20). In order to achieve this,
ISQC 1 requires firms to establish policies and procedures that enable the firm and its personnel
to maintain independence when required by relevant Standards (ISQC 1 para. 21). Under these
policies and procedures:
•• Engagement partners must provide the firm with relevant information about client
engagements to allow the impact on the firm’s independence to be assessed (ISQC 1
para. 22(a)). For example, partners must disclose any personal relationships they have with
the directors of a new client entity.
•• Personnel must notify the firm immediately of any circumstances or relationships that
constitute a threat to the firm’s independence (ISQC 1 para. 22(b)) – for example, when a
family member is employed by, or has a significant investment in, the audit client.
•• Under ISQC 1 para. 22(c), the firm must accumulate and communicate any relevant
information to personnel so that:
–– The firm and its personnel can determine whether they satisfy independence
requirements.
–– The firm can update its independence records, as well as take ‘appropriate action’ with
regard to threats to its independence.
For example, the firm might circulate a list of prospective clients to its personnel
on a monthly basis and request they confirm that they are not aware of any threats to their
personal or the firm’s independence that would be created by the firm accepting the
engagements.
•• The firm must establish procedures that facilitate prompt communication of any breaches
of independence, so that the appropriate action to resolve these situations can be taken
(ISQC 1 para. 23).
•• The firm must obtain, at least once a year, written confirmation from all the relevant
personnel of their compliance with the firm’s independence policies and procedures
(ISQC 1 para. 24).
•• The firm must establish criteria for determining the need for safeguards of independence
when the same senior personnel work on a particular assurance client for numerous
engagement periods (ISQC 1 para. 25(a)). For example, a firm might implement a policy
that requires a second audit partner to review the work papers of every non-listed entity
assurance engagement where the engagement partner and manager have both been
assigned to the client for five years or more.
•• For audits of listed entities, the firm must ensure that rotation of the engagement
partner and others is carried out in accordance with relevant ethical requirements
(ISQC 1 para. 25(b)).
Required reading
ISQC 1 paras 20–25.
Engagement acceptance and continuance

Under ISQC 1 para. 26, a firm’s quality control system needs to provide reasonable assurance
that client engagements are accepted and continued only when the firm:
•• Is capable of performing the engagement competently.
•• Can comply with relevant ethical requirements.
•• Has considered the integrity of the client.
In order to achieve this, ISQC 1 para. 26 obligates firms to establish policies and procedures
designed to collect necessary information prior to accepting a new engagement or continuing

CC
with an existing one. For example, the engagement partner might be required to record current,
publicly available information regarding the integrity of the directors of a prospective client.
The firm must determine whether an engagement should be accepted, or an existing
engagement continued, when a conflict of interest is identified and document the resolution of
the issue (ISQC 1 paras 27(b) and (c)). The firm must also document how the issue was resolved,
irrespective of whether the engagement was accepted or declined.
Example – Acceptance of additional engagements

This example illustrates how a conflict of interest can impact a firm’s acceptance of an
engagement.
Slick Oil Refinery (Slick) is an audit client of Green Tick (a large accounting firm). Green Tick
has been approached by a government environmental agency to carry out an audit on Slick’s
compliance with environmental regulations.
Green Tick needs to determine whether it should accept the environmental compliance audit
given the potential for a conflict of interest – that is, there may be a self-interest threat to the
firm’s relationship with Slick in connection with the annual financial statement audit, putting
pressure on Green Tick to provide a favourable auditor’s report on the compliance engagement.
The firm must address the circumstances in which it ‘obtains information that would have
caused it to decline the engagement had that information been available earlier’ (ISQC 1
para. 28). For example, the firm may become aware of an independence issue only after a new
audit engagement has already commenced. The firm then needs to determine what action it
should take to address that issue. This would include determining:
•• whether appropriate safeguards can be implemented
•• the firm’s external reporting obligations, and
•• whether or not the firm needs to withdraw from the engagement.
Required reading
ISQC 1 paras 26–28, A7, A9 and A18–A19.
Human resources
A firm’s quality control system needs to provide reasonable assurance that it has sufficient,
appropriately skilled personnel to:
•• Perform engagements in accordance with relevant Standards and legislation.
•• Enable appropriate reports to be issued.
To achieve this, ISQC 1 para. 29 obliges firms to establish policies and procedures that require:
•• The client to be informed of the identity and role of the engagement partner (ISQC 1
para. 30(a)). This may be done in the engagement letter.
•• Each engagement to be assigned to an engagement partner with the appropriate skills
and authority to perform the role, and whose responsibilities are clearly defined and
communicated to them (ISQC 1 paras 30(b) and (c)). For example, the firm may maintain
a register of each partner’s industry experience to enable an appropriate partner to be
assigned to any new clients.
•• That the firm assign personnel to engagements who can perform the work in accordance
with the relevant Standards and legislation, and whose work allows the firm to issue
appropriate reports (ISQC 1 para. 31). For example, some larger firms organise audit staff
into specialist groups (e.g. banking and finance, manufacturing, mining, information
technology and communications, retail, etc.) to ensure that appropriately skilled staff are
assigned to engagements within specific industries.

CC
Required reading
ISQC 1 paras 29–31.
Engagement performance
The performance of engagements is critical to a firm’s quality control system. Without adequate
quality processes surrounding engagement performance, a firm would have greater exposure
to the risk of providing an inappropriate auditor’s report. Accordingly, ISQC 1 sets down
numerous requirements regarding this element.
As with the human resources element, a firm’s engagement policies and procedures need to
provide reasonable assurance that it has sufficient, appropriately skilled personnel to:
•• Perform engagements in accordance with relevant Standards and legislation.
•• Enable the firm to issue appropriate reports.
In order to achieve this, ISQC 1 para. 32 requires firms to establish policies and procedures that
include:
•• Methods to promote a consistent level of quality in the performance of engagements
(ISQC 1 para. 32(a)). For example, the firm may use an audit manual and specific audit
software to ensure its audit documentation is prepared consistently across all engagements.
•• Supervision responsibilities (ISQC 1 para. 32(b)). For example, the audit manager might
keep track of each team member’s progress in working through their assigned tasks, and
provide additional instructions where required.
•• Review responsibilities (ISQC 1 para. 32(c)). For example, the audit manager might review
each file section and determine whether the work performed is sufficient to support the
conclusions reached.
•• Regarding review responsibilities, the work of less experienced team members must always
be reviewed by more experienced team members (ISQC 1 para. 33). A practical example of
how a firm might apply this requirement would be to establish a policy requiring the work
of a first-year auditor to be reviewed by a senior auditor, the work of a senior auditor to
be reviewed by a manager, and the work of a manager to be reviewed by the engagement
partner.
As set out in para. A35 of ISQC 1, a review consists of consideration of whether:
•• The work has been performed in accordance with professional Standards and applicable
legal and regulatory requirements.
•• Significant matters have been raised for further consideration.
•• Appropriate consultations have taken place and the resulting conclusions have been
documented and implemented.
•• There is a need to revise the nature, timing and extent of work performed.
•• The work performed supports the conclusions reached and is appropriately documented.
•• The evidence obtained is sufficient and appropriate to support the report.
•• The objectives of the engagement procedures have been achieved.
ISQC 1 also requires a firm to implement further policies and procedures on engagement
performance, in relation to:
•• Consultation.
•• Engagement quality control review (EQCR).
•• Differences of opinion.
•• Documentation, confidentiality and safe custody, and document retention.

CC
These performance areas are outlined below.
Consultation
Policies and procedures related to consultation need to provide reasonable assurance that:
•• Where ‘difficult or contentious matters’ are involved, consultation will occur (ISQC 1
para. 34(a)). For example, a firm may require a second audit partner to review an
engagement file where it appears a qualified audit opinion may be issued.
•• There are sufficient resources to allow proper consultations to occur (ISQC 1 para. 34(b)).
For example, a firm may allocate all or part of a senior staff member’s time to a technical
support role, to ensure specialised resources are available when required.
•• Details of consultations are documented and agreed to by the parties involved, and
conclusions resulting from consultations are implemented (ISQC 1 paras 34(c) and (d)). For
example, the firm might have a standard work paper or form that must be used to record all
consultations and any action subsequently taken.
Engagement quality control review (EQCRs)

Firms are required to implement quality control policies and procedures related to the conduct
of EQCRs. These reviews are designed to provide an ‘objective evaluation’ of significant
judgements made by engagement teams, and the conclusions arrived at when formulating
reports (ISQC 1 para. 35). In order to achieve this objective, the EQCR must be completed prior
to the date of the engagement report.
ISQC 1 para. 35 requires an EQCR to be performed for all:
•• Audits of the financial statements of listed entities (para. 35(a)).
•• All other assurance services that meet the criteria for EQCRs established by the firm. For
example, a firm may decide that an EQCR is required for all financial statements audits in
which the entity appears to have a going concern problem (paras 35(b) and (c)).
EQCRs are therefore aimed at engagements involving riskier, high-profile clients where the risk
of reaching an inappropriate conclusion is higher than normal, and the negative consequences
of an erroneous conclusion are greater.
Under ISQC 1 para. 37, firms must, at a minimum, implement policies and procedures that
require an EQCR to include:
•• Discussing ‘significant matters’ with the engagement partner. For example, changes in a
client’s accounting policies are often considered a significant matter (para. 37(a)).
•• Reviewing the subject matter and proposed report. For a financial statements audit, this
would include review of both the financial statements and auditor’s report (para. 37(b)).
•• Reviewing documentation regarding significant judgements made and conclusions
reached. For example, a mining company may have complex accounting issues related to
asset impairment that require the engagement team to exercise significant judgement in its
evaluation (para. 37(c)).
•• Evaluating the conclusions reached and considering if the auditor’s report is appropriate
in the circumstances of the engagement. For example, if a qualified opinion is planned, the
EQCR would check that the proposed wording properly reflects the conclusions reached
(para. 37(d)).
For listed entities, under ISQC 1 para. 38, the policies and procedures related to EQCRs also
need to include:
•• The engagement team’s evaluation of the firm’s independence with regard to the
engagement (para. 38(a)).
•• Whether ‘appropriate consultation’ has occurred regarding matters over which there are
differences of opinion or which are contentious (para. 38(b)).
•• Whether documentation that has been selected for review is supportive of the engagement’s
conclusions (para. 38(c)).

CC
In order to be effective, EQCRs need to be carried out by an appropriate engagement quality
control reviewer. ISQC 1 requires firms to establish policies and procedures that provide
reasonable assurance that reviewers:
•• Have the necessary technical qualifications, experience and authority (ISQC 1 para. 39(a)).
For example, the firm may require that reviewers are only appointed to engagements where
they have prior experience in the client’s industry.
•• Are only consulted by engagement partners and staff to an extent that does not compromise
their objectivity (ISQC 1 para. 39(b)).
•• Are replaced in circumstances where they are unable to perform an objective review
(ISQC 1 para. 41) – for example, where the reviewer is required to provide extensive
technical assistance to an engagement team due to changes in the client’s operations.
As with all audit and assurance-related matters, documentation is important. ISQC 1 para. 42
requires that documentation of an EQCR should provide evidence that:
•• The procedures required by the firm have been performed – for example, procedures
related to the appointment of an appropriate reviewer (para. 42(a)).
•• The review was completed on or before the date of the report (para. 42(b)).
•• No unresolved matters have come to the reviewer’s attention that would cause them to
believe that the conclusions reached are inappropriate (para. 42(c)).
Differences of opinion
Where there are differences of opinion within the engagement team – with those consulted, and
between the engagement partner and engagement quality control reviewer – the firm’s policies
and procedures shall require any conclusions reached to be documented and implemented, and
the report to be dated only once the matter is resolved (ISQC 1 paras 43–44).
Documentation, confidentiality and safe custody, and document retention

ISQC 1 requires a firm to implement policies and procedures providing reasonable assurance that:
•• Engagement teams complete the assembly of final engagement files on a timely basis
(ordinarily not more than 60 days) after the engagement reports have been finalised (ISQC 1
paras 45 and A54).
•• Engagement documentation is maintained in a way that ensures its confidentiality, safe
custody, integrity, accessibility and retrievability (ISQC 1 para. 46).
•• Engagement documentation is retained long enough to meet the requirements of the firm or
as required the relevant laws and regulations (ISQC 1 para. 47).
Required reading
ISQC 1 paras 32–47 and A35 and A54.
Monitoring
The five elements of a quality control system addressed so far form the basis of a firm’s quality
control system. Such a system can only work effectively if it is regularly checked and corrections
made when the system does not function as planned.
ISQC 1 para. 48 requires firms to establish a ‘monitoring process’ that is designed to provide
reasonable assurance that the quality control system’s policies and procedures are ‘relevant,
adequate, and operating effectively’. The monitoring process is required to:
•• Include ongoing evaluation of the quality control system, including inspection of at least
one completed engagement for each partner by an independent (of the engagement) party.
(The explanatory material provided by ISQC 1 para. A66 notes that an inspection cycle may
span three years.)
•• Assign responsibility of the process to a person with appropriate experience and authority.

CC
ISQC 1 also requires a firm to implement monitoring policies and procedures that cover
a number of other issues, including:
•• Evaluating, communicating and remedying identified deficiencies.
•• Complaints and allegations.
These are outlined below.
Evaluating, communicating and remedying identified deficiencies

ISQC 1 para. 49 requires firms to evaluate deficiencies in quality control to determine whether
or not they are systemic or repetitive. Under ISQC 1 paras 50–51, firms needs to inform the
engagement partners and relevant personnel of deficiencies noted as part of the monitoring
process and to recommend appropriate remedial action, which must include one or more of the
following:
•• Taking remedial action in relation to an individual engagement or staff member
(para. 51(a)).
•• Communicating its findings to those responsible for training and professional development
(para. 51(b)).
•• Making changes to its quality control policies and procedures (para. 51(c)).
•• Taking disciplinary action against non-compliant personnel, particularly for repeat offences
(para. 51(d)).
For example, if independence breaches in an audit are revealed during the monitoring
process, the action taken might include informing the relevant staff member and engagement
partner, and requesting that the matter be included as an example in upcoming training and
development programs.
When the monitoring process indicates that a report issued by the firm may be inappropriate,
the firm needs to determine what further action is required and consider whether to obtain legal
advice (ISQC 1 para. 52).
Once a year at a minimum, the firm needs to communicate the results of the monitoring process
to engagement partners and other relevant parties (ISQC 1 para. 53).
The information communicated must:
•• Describe the monitoring procedures that were performed (para. 53(a)).
•• Provide the conclusions of the procedures (para. 53(b)).
•• Where relevant, describe the systemic or repetitive deficiencies of the quality control system
as well as the remedial action that was taken (para. 53(c)).
Complaints and allegations

From time to time, firms may receive complaints from clients (or staff) regarding the work
performed. It is important that appropriate policies and procedures are in place to handle these
complaints. Therefore, ISQC 1 para. 55 requires firms to establish policies and procedures to
help ensure it deals appropriately with:
•• Complaints and allegations (whether from internal or external sources) that the work
performed does not meet the appropriate professional standards. In relation to internal
complaints, the firm needs to establish ‘clearly defined channels’ so that staff can raise
issues without worry of retaliation (para. 55(a)).
•• Allegations of non-compliance with the firm’s quality control system. For example, the
firm may appoint a staff member in the human resources department to be the recipient of
any internal complaints and allegations, thus ensuring the anonymity of the complainant
(para. 55(b)).

CC
If the firm’s investigations into complaints and allegations reveal deficiencies in its quality
control policies and procedures, appropriate remedial action must be taken.
As an auditor rises in seniority, the more relevant ISQC 1’s monitoring requirements
(as described above) become. However, even junior auditors need to understand the purpose of
the monitoring process and the key activities performed in this regard.
Required reading
ISQC 1 paras 48–56 and A66.
Documentation and communication of system of quality control

As with other audit and assurance-related Standards, ISQC 1 requires firms to prepare
documentation providing evidence that their quality control systems exists and are functioning
according to requirements. In addition to the firm-wide documentation requirements discussed
at the outset of this section on elements of a system of quality control, ISQC 1 contains policy
and procedure documentation requirements that are specific to assurance engagements. These
require firms to establish policies and procedures to:
•• Enable engagement file finalisation on a timely basis after the completion of an engagement
(ISQC 1 para. 45).
•• Maintain the ‘confidentiality, safe custody, integrity, accessibility and retrievability’
of engagement documentation (ISQC 1 para. 46).
•• Retain documentation long enough to allow monitoring procedures to take place
(ISQC 1 para. 47).
This section, relating to audit documentation, demonstrates the interrelationship between the
elements of quality control. Establishing appropriate documentation policies and procedures is
fundamental to the provision of assurance services.
Required reading
ISQC 1 paras 17, 45–47, 57 and 59.
Worked example 2.1: New client engagement acceptance


CC
Australia-specific
Quality control in Australia
There are four key Standards relating to quality control in Australia:
•• ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports and
Other Financial Information, Other Assurance Engagements and Related Services Engagements
(ASQC 1).
•• APES 320 Quality Control for Firms (APES 320).
•• ASA 102 Compliance with Ethical Requirements when Performing Audits, Reviews and Other
Assurance Engagements (ASA 102).
•• ASA 220 Quality Control for an Audit of a Financial Report and Other Historical Financial
Information (ASA 220).
ASQC 1
ASQC 1, issued by the Auditing and Assurance Standards Board (AUASB), deals with a firm’s
responsibility for a system of quality control in its assurance practices. It does not apply
to individual auditors within a firm. As with the Australian Auditing Standards (ASAs), ASQC 1
is based on its international equivalent, ISQC 1. In issuing ASQC 1, the AUASB brings the
international Standard into the suite of Australian Standards that are legally enforceable under
the Corporations Act 2001 (Cth) (Corporations Act) for engagements governed by that Act.
While ASQC 1 conforms to ISQC 1, the differences are denoted by the prefix ‘Aus’ in the relevant
paragraph numbers. There are two key differences:
•• The annual independence confirmation is required to also cover compliance with legal
and regulatory requirements, as well as with ethical requirements. This brings, for example,
compliance with the independence requirements of the Corporations Act into the scope
of the confirmation (ASQC 1 para. Aus 24.1).
•• In relation to consultation, Australian practices must comply with an additional
requirement to document the reasons for undertaking alternative courses of action from
consultation (ASQC 1 para. Aus 34.1).
In addition:
•• Requirements in ISQC 1 in relation to compliance with ethical requirements have been
moved to ASA 102 (discussed below), and therefore do not appear in ASQC 1. There is no
international equivalent to ASA 102.
Unlike ISQC 1:
•• ASQC 1 requires that work papers be retained for seven years in relation to all audits and
reviews performed under the Corporations Act.
ASQC 1 also incorporates the terminology and definitions that are used in Australia. These are
found in paras Aus 12.1–Aus 12.2.
APES 320
Prior to the AUASB issuing ASQC 1, the APESB issued APES 320, which is based on ISQC 1 but,
due to different drafting conventions, appears different. This is largely because APES 320
applies to all firms, regardless of whether they conduct assurance engagements. Accordingly,
for each of the quality control elements, APES 320 outlines the requirements that are relevant
to all firms, and then separately lists the requirements that apply only to assurance practices.
The content of APES 320 and ASQC 1 is, for all practical purposes, the same. Therefore,
compliance with APES 320 ensures compliance with ASQC 1.
ASA 102
The AUASB issued ASA 102 for Australian legislative purposes – that is, to bring the
requirements of APES 110 into the suite of Standards that are legally enforceable under the
Corporations Act, for engagements carried out under that Act. For example, in Australia,

CC
under APES 110, the key audit partner is normally required to rotate off a listed entity audit
after a period of no more than seven years (APES 110 para. 290.152). However, further
to the requirements of APES 110, more stringent rotation requirements apply to the audits
of listed entities and registered schemes in Australia. Under s. 324DA of the Corporations Act,
an individual who plays a significant role in the audit of such entities for five successive financial
years must not play a significant role in the audit for at least two successive years before playing
a significant role on the audit again. There is, therefore, no international equivalent to ASA 102.
The single objective and requirement of ASA 102 is that individuals and firms comply with
relevant ethical requirements, including those pertaining to independence, when conducting
assurance engagements.
ASA 220
ASQC 1 and APES 320 prescribe quality control requirements at the firm level, while ASA 220
prescribes them at the individual engagement level.
For example, ASQC 1 requires partners (or their equivalents) to be responsible for the firm’s
overall quality control system, while ASA 220 requires the engagement partner to take
responsibility for quality control on all audits to which that partner is assigned.
ASA 220 is based on its international equivalent, ISA 220, and is discussed further in the unit on
pre-engagement activities.
The relationship between the four Australian quality control Standards above and their
international equivalents can be shown as follows:
QUALITY CONTROL IN AUSTRALIA
ISQC 1 FIRM LEVEL
forms basis of
AUASB-issued APESB-issued
essentially
ASQC 1 the same APES 320
• Deals with overall firm • Deals with overall firm

quality control policies quality control policies
and procedures and procedures
• Applies to firms that • Applies to all firms
conduct assurance
engagements
INDIVIDUAL
ENGAGEMENT LEVEL
ASA 102 ASA 220

• Deals with ethical • Deals with quality
requirements at the control requirements
engagement level at the individual
engagement level

CC
Required reading
ASQC 1 paras Aus 0.1–Aus 0.2, Aus 1.1, Aus 4.1–Aus 4.2, Aus 12.1–Aus 12.12, Aus 24.1,
Aus 34.1, Aus A1.1, Aus A10.1, Aus A12.1, Aus A13.1, Aus A14.1, Aus A61.1–Aus A61.2,
Aus A63.1 and Aus A68.1.
APES 110 paras 1.2, 2 and s. 290.
APES 320 paras 1–18.
ASA 102.
ASA 220.
Corporations Act (Cth) s. 324DA.
New Zealand-specific
Quality control in New Zealand
There are two key Standards relating to quality control in New Zealand:
•• PES 3 (Amended) Quality Control for Firms that Perform Audits and Reviews of Financial
Statements, and Other Assurance Engagements (PES 3).
•• ISA (NZ) 220 Quality Control for an Audit of Financial Statements (ISA (NZ) 220).
PES 3
PES 3, issued by the New Zealand Auditing and Assurance Standards Board (NZAuASB), deals
with a firm’s responsibility for a system of quality control in its assurance practices. It does
not apply to individual auditors within a firm. As with the New Zealand Auditing Standards
(ISAs (NZ)), PES 3 is based on its international equivalent, ISQC 1. In issuing PES 3, the NZAuASB
brings the Standard in line with international requirements. These Standards are legally
enforceable under the Financial Markets Conduct Act 2013 (FMCA), the Companies Act 1993
and Financial Reporting Act 1993 (FRA93) by virtue of the requirement for audits of financial
statements to comply with applicable auditing and assurance standards. With the change in
legislation discussed in the unit on assurance purpose and framework, this requirement exists
in the FMCA for FMC reporting entities, Companies Act 1993 for large entities that are not FMC
reporting entities, and FRA93 for entities that have not yet transitioned to the new legislation.
While PES 3 conforms to ISQC 1, the differences are denoted by the prefix ‘NZ’ in the relevant
paragraph numbers. These include:
•• NZ 31.1 – An emphasis on the requirement of sufficient time being a consideration when
assigning the engagement team.
•• NZ 34.1 – In relation to consultation, New Zealand practices must comply with an
additional requirement to document the reasons for undertaking alternative courses of
action from consultation.
Unlike ISQC 1:
•• PES 3 does not apply to related service engagements (i.e. agreed-upon procedures and
compilation engagements).
ISA (NZ) 220
ISA (NZ) 220 deals with quality control on audit engagements. It is based on its international
equivalent, ISA 220, and is consistent with PES 3, which prescribes quality control requirements
for all assurance engagements. ISA (NZ) 220 is discussed further in the unit on pre-engagement
activities.

CC
Required reading
PES 3 paras NZ 1.1, NZ 3.1, NZ 4.1, NZ 12.1–NZ 12.9, NZ 31.1 and NZ 34.1.
ISA (NZ) 220.
Audit documentation
Learning outcome
3. Demonstrate the nature and purpose of audit documentation, and the objective and
A number of regulators have audit oversight responsibilities and conduct inspection programs
related to audits performed by registered auditors. In conducting these inspections, there
is usually a presumption that if audit work has not been documented, then it has not been
done. This assumption is supported by the requirements of the Auditing Standards regarding
audit documentation at the engagement level, and by separate obligations regarding the
establishment and maintenance of quality control policies and procedures applicable to all audit
engagements conducted by the audit firm.
Guidance on audit documentation is provided by ISA 230.
Audit documentation is critical to the audit process, as it provides a record of:
•• audit procedures performed and the reasons behind selecting those procedures
•• evidence obtained, and
•• conclusions reached based on that evidence.
It also helps to demonstrate that an audit was performed in accordance with relevant Auditing
Standards and legal and regulatory requirements. This is particularly important in the event
that the auditor’s report is ever called into question – for example, during a court case brought
about by the financial collapse of a client, or during an examination by a regulatory authority.
Under ISA 230 para. 3, audit documentation also:
•• Assists the engagement team in planning and performing the audit – for example,
by providing a record of the audit procedures to be performed.
•• Assists senior staff in supervising the audit work and carrying out their review
responsibilities – for example, the audit partner can initial work papers prepared by junior
staff as evidence of the audit partner’s review.
•• Retains records of matters of ongoing significance to future audits – for example, work
papers describing the entity’s internal controls.
•• Enables the conduct of quality reviews by relevant professional bodies, or regulatory
reviews by relevant authorities.
What is audit documentation?

While the nature and extent of audit documentation will vary from client to client (ISA 230
para. A2), the standardised nature of the audit process means there will always be some
common elements regardless of the engagement being performed. The common documentation
elements are described in ISA 230, but other Auditing Standards may contain specific

CC
documentation requirements (refer ISA 230 para. 1, Appendix). Audit documentation should
include (but is not limited to):
•• Descriptions of a client’s internal control systems (ISA 315 (Revised) Identifying and Assessing
the Risks of Material Misstatement through Understanding the Entity and Its Environment
(ISA 315) para. 32(b)).
•• Analysis of the risks of material misstatement of the various amounts in the financial
statements (ISA 315 para. 32(c)).
•• The audit strategy and plan, and any significant changes made to the audit strategy or plan
(including the reasons for changes) (ISA 300 para. 12).
•• External confirmations, such as those received from the client’s bankers (ISA 230 para. A3).
•• Trial balance and final financial statements, cross-referenced to the relevant audit work
papers (ISA 330 The Auditor’s Response to Assessed Risks (ISA 330) para. 30).
•• Minutes of meetings with the client and among engagement team members (ISA 230
paras A7 and A14).
•• Management representation letters (ISA 230 para. A3).
•• Evidence of the use of professional scepticism (ISA 230 para. A7) – for example, where there
are doubts about an entity’s ability to continue as a going concern and the matter is further
investigated in order to determine whether management’s view is justified.
In addition to the above, ISA 230 para. 12 requires that if, ‘in exceptional circumstances’, there is
a need to depart from a relevant requirement in an ISA, the following is to be documented:
•• How alternative audit procedures met the aim of the requirement.
•• The reasons for using alternative procedures.
Specific audit documentation requirements are covered in the relevant units of the
AAA module.
How much documentation is sufficient?

One of the difficulties that auditors face is determining how much documentation should be
prepared.
ISA 230 para. 9 provides a benchmark for the sufficiency of audit evidence, by requiring the
preparation of audit documentation that is sufficient to enable an experienced auditor, having
no previous connection with the audit, to understand:
•• The nature, timing and extent of the audit procedures performed. This involves recording:
–– The identifying characteristics of the specific items or matters tested. For example, a
test of sales invoices would commonly record the invoice number, date, customer name
and/or the number of goods ordered and invoice total (para. 9(a)).
–– Who performed the work and the date it was completed (this is commonly done by the
preparer initialling and dating work papers) (para. 9(b)).
–– Who reviewed the work performed, and the date and extent of such a review.
For example, this can be done by the engagement partner leaving an electronic signature
on soft copies of file sections they have reviewed (para. 9(c)).
•• Results of the audit procedures, and the evidence that was obtained from them (ISA 230
para. 8(b)).
•• Significant matters that arose during the audit, the conclusions that were reached on those
matters, and significant professional judgements that were made in coming to those
conclusions (ISA 230 para. 8(c)).

CC
When does the audit file need to be completed?

While all the audit evidence to support the auditor’s report needs to be gathered before the
report is signed, ISA 230 recognises that it may take some time after the date of the auditor’s
report to sort and file all the work papers (ISA 230 paras 14 and A21).
Finalising the audit file requires:
•• Assembling the audit documentation in an audit file (hard or soft copy) (ISA 230 para. 14).
•• Completing this administrative process on a timely basis after the date of the auditor’s
report. The application guidance in ISA 230 suggests that an appropriate time limit is no
longer than 60 days after the date of the auditor’s report (ISA 230 para. A21).
Once the final audit file has been completed, none of the contents are to be deleted or discarded
before the end of the appropriate retention period (ISA 230 para. 15).
Required reading
ISA 230.
Audit support systems and electronic audit documentation

Audit files and audit documentation, including audit work papers, are commonly held in
electronic format. Major audit firms have developed their own electronic audit support systems,
which act both as electronic audit files and to automate some audit tasks. Some audit firms use
‘off the shelf’ audit software, such as Caseware, rather than their own audit platforms to assist
them in performing their audits.
Audit support systems support audit firms’ systems of quality control as they can facilitate
effective and efficient execution of audits. For example, the audit software can provide a
personalised dashboard that show current tasks assigned to the individual auditor which
promotes effective performance and review of audit work. Audit software can also include
alerts or highlights to focus the attention of the user on critical areas of the audit.
Many clients also provide the source documents requested by the auditors in electronic format
rather than paper. Paper documentation is commonly scanned and saved to the electronic audit
file.
Computer-assisted audit techniques and data analytics

Rapid advancements in technology and the exponential growth in data and the availability
of Big Data are transforming the audit. Computer-assisted audit techniques (CAATs) and
data assurance techniques are now enabling auditors, for example, to better identify financial
reporting, fraud and operational business risks and tailor their approach to deliver a more
relevant audit. This section introduces the use of CAATs in audit. The application of CAATs and
data analysis tools in audit testing will be discussed in more detail in the relevant units of the
AAA module.
CAATs and data analysis tools involve the application of audit procedures using information
technology (IT) as an audit tool. Technically, whenever an auditor uses software to apply audit
procedures, they are applying CAATs. For example, using the ‘sort’ function in Microsoft Excel®
to identify transactions of a value greater than a certain value in a particular general ledger
account (i.e. basic stratification) is a type of CAAT.
Data analytics refers to any analysis performed on a dataset. While data analysis can be used to
generate business insights, it is not necessarily specific to audit. However, obtaining assurance
from data is a technique specifically developed and used for audit purposes. It uses data
analysis methods and strategies that have been designed to provide the audit evidence required
by Auditing Standards.

CC
Benefits of CAATs and data analysis tools

Some of the benefits of CAATs and data analysis tools include:
•• Deeper business insights – A data-driven audit process does not only provide assurance,
but also deliver business insights and feedback that may not have previously been available
to the company.
•• Higher quality audit evidence – The application of specifically designed data tests will
result in higher quality audit evidence.
•• Greater volumes of data tested – With an ability to interrogate, test and analyse large
numbers of transactions recorded by a company’s system, greater populations are covered
for audit purposes.
•• Accuracy – CAATs can eliminate the risk of certain manual errors.
•• Speed – CAATs quickly complete tasks that would otherwise take longer to complete when
performed manually, and may also decrease time spent by clients in responding to audit-
related questions.
Challenges in using CAATs and data analysis tools

•• Obtaining and extracting client data – If auditors are not able to efficiently obtain and
extract client data, they will not be able to analyse the data or obtain assurance from it. An
example of a situation where it may be challenging to extract client data is where a company
uses multiple different accounting systems, or where an audit tool is only able to capture
data from specific systems, such as SAP or Oracle.
•• Validating the data – Auditors need to be comfortable around the process used to extract
transactional data and other data from the client systems.
•• Obtaining client approval and concerns over data security – It is not unusual for clients to
have concerns over giving the auditors access to all their electronic data, particularly access
to sensitive information such as payroll data.
•• IT skills of auditors – Traditionally advanced IT skills have not been core audit skills.
Today’s auditor needs more advanced IT skills to be able to evaluate different systems,
extract data or to be able ask the relevant questions from the client about the data.
Australia-specific
Audit documentation in Australia
ASA 230 Audit Documentation (ASA 230) is based on its international equivalent, ISA 230, with
only three key differences (denoted by the prefix ‘Aus’ in the relevant paragraph numbers):
•• In ASA 230 para. Aus 12.1, where factors ‘outside the auditor’s control’ prevent the auditor’s
compliance with an ‘essential procedure’ of a requirement, there is a need to document:
–– the circumstances preventing the auditor’s compliance (para. Aus 12.1(a))
–– the reasons for their inability to comply (para. Aus 12.1(b)), and
–– a justification of how alternative audit procedures meet the aim of the requirement
(para. Aus 12.1(c)).
For example, if some of the client’s accounting records were destroyed in a fire, the auditor
might not be able to carry out all the required procedures, and may have to obtain audit
evidence by other means.
•• The auditor needs to ‘adopt appropriate procedures for maintaining the confidentiality,
safe custody, integrity, accessibility and retrievability of the audit documentation’
(ASA 230 para. Aus 16.1).

CC
•• Under the Corporations Act, the auditor or audit firm is required to ‘retain all audit
working papers prepared by or for, or considered or used by, the auditor in accordance
with the requirements of the Australian Auditing Standards until the end of seven
years after the date of the audit report’ or a time otherwise determined by the
Australian Securities Investment Commission (ASIC) (see s. 307B), or for a period of
time specified by relevant legislation or regulation other than the Corporations Act
(ASA 230 paras Aus A23.1–A23.2).
Required reading
ASA 230 paras Aus 12.1, Aus 16.1 and Aus A23.1–A23.2.
Corporations Act s. 307B.
Worked example 2.2: Determining finalisation of audit documentation

Activity 2.1: Consultation and documentation


2.1: Audit documentation (ISA 230)
Quiz

Readings

Standards.
Required reading
Relevant International Standards on Auditing and national equivalents
International Standard on Quality Auditing Standard ASQC1 Quality PES 3 (Amended) Quality Control
Control ISQC 1 Quality Controls Controls for Firms that Perform for Firms that Perform Audits and
for Firms that Perform Audits and Audits and Reviews of Financial Reviews of Financial Statements,
Reviews of Financial Statements, Reports and Other Financial and Other Assurance Engagements
and Other Assurance and Related Information, Other Assurance
Services Engagements Engagements and Related Services
Engagements
•• Paragraphs 1–59, A2, A4–A7, A9, •• Paragraphs 1–59, A2, A4–A7, A9, •• Paragraphs 1–59, A2, A4–A7, A9,
A18–A19, A54 and A66 A18–A19, A54 and A66 A18–A19, A54 and A66
•• Paragraphs Aus 0.1–Aus 0.2, •• Paragraphs NZ 1.1, NZ 3.1,
Aus 1.1, Aus 4.1–Aus 4.2, NZ 4.1, NZ 12.1–NZ 12.9, NZ 31.1
Aus 12.1–Aus 12.12, Aus 24.1, and NZ 34.1
Aus 34.1, Aus A1.1, Aus A10.1,
Aus A12.1, Aus A13.1, Aus A14.1,
Aus A61.1–Aus A61.2, Aus A63.1
and Aus A68.1
APES 320 Quality Control for Firms

•• Paragraphs 1–18
ISA 220 Quality Control for an Audit ASA 220 Quality Control for an Audit ISA (NZ) 220 Quality Control for an
of Financial Statements of a Financial Report and Other Audit of Financial Statements
Historical Financial Information
ISA 230 Audit Documentation ASA 230 Audit Documentation ISA (NZ) 230 Audit Documentation
Code of Ethics for Professional APES 110 Code of Ethics for PES 1 (Revised) Code of Ethics for
Accountants (IESBA Code) (2015) Professional Accountants Assurance Practitioners
•• Definitions and s. 290 •• Paragraphs 1.2, 2 and s. 290 •• Paragraphs NZ 1.2, NZ 210.12.1,
NZ 220.10.1, NZ 290.11.1 and
NZ 291.10.1, Definitions and
s. 290
ASA 102 Compliance with Ethical

Requirements when Performing
Audits, Reviews and Other Assurance
Engagements

•• Sections 307B and 324DA


www.nzica.com

ACT
Activity 2.1
Consultation and documentation
Introduction
ISA 230 Audit Documentation (ISA 230) contains the documentation requirements applicable to
individual audit engagements.
ISQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other
Assurance and Related Services Engagements (ISQC 1) provides audit firms with the framework for
establishing a system of quality controls that is applicable to all audits they conduct.
One aspect of ISQC 1 is the requirement for firms to establish policies and procedures for
consultation on contentious issues. Closely related to this is the ISA 230 requirement for firms to
document significant matters arising during the audit. That is, matters requiring consultation,
by nature, are likely to be significant items regardless of the conclusions reached.
This activity considers how audit documentation at the engagement level can provide evidence
to support the existence and implementation of appropriate audit quality controls at the firm
level, while also demonstrating compliance with audit documentation obligations that are
specific to the engagement.
This activity links to learning outcomes:
•• Illustrate the overall responsibilities of firms with regard to ethics and quality control.
•• Demonstrate the nature and purpose of audit documentation, and the objective and
At the end of this activity, you will be able to identify appropriate audit documentation
requirements in respect of contentious issues for a listed company.
Scenario
You are a first year auditor at a large accounting firm, Green Tick, reporting to Adam Ant, the
senior manager on an audit engagement with Slick Oil Refinery Limited (Slick). Slick is a locally
listed company that has a significant shareholder, Good Oil Inc. (Good Oil), a large energy
company listed on the New York Stock Exchange.
Due to a major oil spill that occurred in January 20X3, Slick recognised a large remediation
provision. Green Tick’s audit team has been able to gain reasonable assurance over the estimate
of this provision. However, because of the provision, Slick has a net liability of $15 million as at
the year ended 30 June 20X3, which raises a going concern issue for the company.
Slick has obtained a letter of financial support from Good Oil stating that it will financially
support Slick in the event that Slick is unable to meet its financial obligations. Slick has
prepared its financial statements on a going concern basis. The letter of financial support is one
factor in Slick’s assessment of the going concern assumption.
Adam has reviewed Good Oil’s audited financial report for the year ended 30 April 20X3 and
notes that it has a cash and cash equivalents balance of US$400 million. Good Oil also has other
financial assets totalling US$800 million and net assets of US$10 billion.

ACT
Adam has also consulted with Green Tick’s in-house legal counsel, John Frost, and the firm’s
technical partner, Joanne Abbot. These consultations have indicated that Good Oil’s letter of
financial support can be relied on and provides evidence to support the appropriateness of
Slick’s going concern assumption.
Adam has discussed this matter with Eduardo Priestly, the engagement partner, and Joanne
Abbot. Joanne has requested that the engagement team ensures the financial statements contain
appropriate disclosure of both the going concern assumption and the existence of the letter of
financial support. Joanne has also requested that the auditor’s report include an Emphasis of
Matter paragraph that refers to that note of disclosure dealing with the entity’s going concern
assumption.
The following file note is contained in the engagement file:
File note: Ref FN002

Title: Slick Oil Refinery Limited – consideration of Good Oil Inc.’s letter of financial support
Background
Due to a major oil spill that occurred in January 20X3, Slick recognised a large remediation provision. As a
result of the provision being raised, Slick has a net liability of $15 million as at the year ended 30 June 20X3.
Slick has obtained a letter of financial support from Good Oil Inc., a significant shareholder, stating that it will
financially support Slick in the event that Slick is unable to meet its financial obligations.
Slick has prepared its financial statements on a going concern basis.
Audit risk
Slick’s basis of preparation of the financial statements may be inappropriate.
Audit procedures performed
1. Sought in-house legal opinion from John Frost regarding the legal enforceability of Good Oil’s letter of
financial support.
2. Reviewed Good Oil’s audited financial statements for financial year ended 30 April 20X3 to provide
reasonable assurance that it has sufficient financial capacity to support Slick.
3. Consulted Green Tick’s technical partner, Joanne Abbot, regarding Slick’s going concern assumption.
Results
A. Received in-house legal advice that the letter of financial support from Good Oil Inc. is a legally
enforceable undertaking.
B. A review of Good Oil’s financial statements indicates that the company has adequate cash resources to
meet both its own financial obligations and those of Slick.
C. Confirmed that Slick has adequately disclosed both the basis for its going concern assumption and the
existence of the letter of financial support in its financial statements dated 30 June 20X3.
D. The draft auditor’s report has been amended to include an Emphasis of Matter paragraph drawing
attention to these disclosures in the financial statements.
Conclusion
The letter of support provided by Good Oil provides evidence to support Slick’s going concern assumption
for the year ended 30 June 20X3.
Preparer sign-off: AA 01/08/20X3
Engagement partner sign-off: EP 26/08/20X3

ACT
Tasks
Adam is coaching you on the importance of audit documentation. He has requested that you
review the file note and then perform the following tasks:
1. Identify the relevant requirements of:
•• ISQC 1 regarding engagement performance, consultation and engagement quality
control review, and
•• ISA 230 regarding the form, content and extent of audit documentation.
2. State whether the file note provides evidence that the requirements identified in Task 1 have
been met.
3. Justify your conclusion from Task 2.
Adam points out that there may be other existing documentation that demonstrates the firm’s
compliance with requirements of the Auditing Standards. However, for the purpose of this
exercise, consider the file note as the only evidence of compliance with the relevant Standards.
You may wish to use the consultation and documentation template provided below:
Consultation and documentation template
ISQC 1 objective Met/Not met Justification
ISA 230 requirement Met/Not met Justification
For this activity, you do not need to consider the requirements of ISA 570 Going Concern or
ISA 706 Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s
Report.


CC
Core content
Unit 3: Pre-engagement activities
Learning outcomes
1. Apply the code of ethics and relevant guidance, statements and legislation regarding
auditor independence.
2. Apply the elements of quality control that must be applied at the individual engagement
level.
3. Outline the auditor’s responsibilities in agreeing the terms of the audit engagement,
including the mandatory items to be included in an engagement letter.
4. Describe and explain the auditor’s responsibility to communicate audit matters to those
charged with governance.
Introduction
This unit addresses the activities and processes an auditor must undertake prior to commencing
an engagement, which are collectively known as the pre-engagement activities.
The major steps in the pre-engagement process are shown below:
Does the firm have the

Is the firm independent Are the risks involved
resources, time and Accept or continue?
and free from conflict? acceptable?
competence?
YES NO
Document procedures performed and how threats and issues were resolved
STOP
Are the audit Are there any Agree on the Prepare/sign
preconditions scope limitations? terms of engagement
present?1 engagement letter
1
The preconditions are the steps set out in the top three boxes of the diagram.
Adapted from: IFAC Guide, Exhibit 4.0-2, vol. 2, p. 27.

aaa11603_csg

CC
This unit looks at the following International Standards on Auditing (ISAs) and other guidance
that applies to pre-engagement activities:
•• ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance
•• ISA 210 Agreeing the Terms of Audit Engagements (ISA 210).
•• ISA 220 Quality Control for an Audit of Financial Statements (ISA 220).
•• ISA 260 Communication with Those Charged with Governance (ISA 260).
•• International Ethics Standards Board for Accountants (IESBA), Code of Ethics for Professional
Accountants (IESBA Code).
•• International Standard on Quality Control ISQC 1 Quality Control for Firms that Perform
Audits and Reviews of Financial Statements and Other Assurance and Related Services
Engagements (ISQC 1).
Auditor independence
Learning outcome
1. Apply the code of ethics and relevant guidance, statements and legislation regarding auditor
independence.
Chartered Accountants can face a broad range of relationships and circumstance, some of which
may pose a threat to their compliance or perceived compliance with the fundamental principles
of the IESBA Code. This section addresses the ethical and other guidelines, as well as legislative
obligations, that an auditor must comply with when undertaking audit and assurance
engagements.
IESBA Code
The IESBA issues the IESBA Code, which sets out the ethics requirements for professional
accountants. The IESBA Code is structured in three parts:
•• Part A – General Application of the IESBA Code.
•• Part B – Professional Accountants in Public Practice.
•• Part C – Professional Accountants in Business Practice.
Part A establishes the fundamental principles and provides a conceptual framework that can be
applied to:
(a) Identify threats to compliance with the fundamental principles;
(b) Evaluate the significance of the threats identified; and
(c) Apply safeguards, when necessary, to eliminate the threats or reduce them to an acceptable level.
Safeguards are necessary when the professional accountant determines that the threats are not
at a level at which a reasonable and informed third party would be likely to conclude, weighing
all the specific facts and circumstances available to the professional accountant at that time, that
compliance with the fundamental principles is not compromised.
A professional accountant shall use professional judgment in applying this conceptual framework.
(IESBA Code para. 100.2)
Parts B and C describe how the conceptual framework applies in specific circumstances. They
provide examples of safeguards that may appropriately address threats to compliance with the
fundamental principles. Where no safeguard is available in the circumstance, the threat must be
avoided altogether.

CC
It is important to note that accountants are expected to be guided not merely by the words, but
also by the spirit of the IESBA Code, using the conceptual framework (paras 100.6–100.11).
While all sections of the IESBA Code are equally important, this unit focuses on Part A and
s. 290 of Part B.
Fundamental principles
The IESBA Code lists its five fundamental principles in para. 100.5, as outlined below:
IESBA Code – fundamental principles
Paragraph Principle Definition
100.5(a) Integrity To be straightforward and honest in all professional and business relationships
100.5(b) Objectivity To not allow bias, conflict of interest or undue influence of others to override
professional or business judgments
100.5(c) Professional To maintain professional knowledge and skill at the level required to ensure
competence that a client or employer receives competent professional services based on
and due care current developments in practice, legislation and techniques and act diligently
and in accordance with applicable technical and professional standards
100.5(d) Confidentiality To respect the confidentiality of information acquired as a result of professional

and business relationships and, therefore, not disclose any such information
to third parties without proper and specific authority, unless there is a legal or
professional right or duty to disclose, nor use the information for the personal
advantage of the professional accountant or third parties
100.5(e) Professional To comply with relevant laws and regulations and avoid any action that
behaviour discredits the profession
Each of these principles is discussed in more detail in the IESBA Code ss 110–150.
Threats and safeguards

An accountant can face a wide range of relationships and circumstances, some of which may
create a threat to their compliance, or perceived compliance, with the fundamental principles.
The IESBA Code para. 100.12 identifies the following categories of threats to its fundamental
principles:
IESBA Code – threats to fundamental principles
Paragraph Threat Definition Example
100.12(a) Self-interest The threat that a financial or other •• Loans to or from an audit client
interest will inappropriately influence •• Concern about the possibility of
the professional accountant’s judgment losing a recurring client
or behaviour
•• The temptation to accept gifts
offered by a client
100.12(b) Self-review The threat that a professional •• Reporting on systems where

accountant will not appropriately the professional accountant has
evaluate the results of a previous been involved in their design or
judgment made or service performed implementation
by the professional accountant, or •• A member of the engagement team
by another individual within the being, or having recently been,
professional accountant’s firm or a director or officer of the audit
employing organisation, on which the client or employed in an executive
accountant will rely when forming a position by the client
judgment as part of providing a current
service

CC
IESBA Code – threats to fundamental principles
Paragraph Threat Definition Example
100.12(c) Advocacy The threat that a professional •• Promoting shares in a listed audit
accountant will promote a client’s client
or employer’s position to the point •• Acting as an advocate on behalf of
that the professional accountant’s an audit client in resolving disputes
objectivity is compromised with third parties
100.12(d) Familiarity The threat that due to a long or close •• Accepting preferential treatment
relationship with a client or employer, unless the value is clearly
a professional accountant will be too insignificant
sympathetic to their interests or too •• Close or immediate family
accepting of their work relationship with a director or
officer of a client, or with an
employee who has a position
of influence over the subject of
the engagement (applies to any
member of the engagement team)
100.12(e) Intimidation The threat that a professional •• Being threatened with dismissal
accountant will be deterred from or replacement in a client
acting objectively because of actual engagement
or perceived pressures, including •• Being threatened with litigation
attempts to exercise undue influence
•• Being pressured to reduce the
over the professional accountant
extent of work required in order to
reduce fees
Source: IESBA Code Part A para. 100.12 and Part B paras 200.4–200.8.
Safeguards are actions or other measures that may eliminate threats or reduce them to an
acceptable level. There are two broad categories of safeguards (IESBA Code paras 100.13–
100.14):
•• Those created by the profession, legislation or regulation – for example, professional
Standards, professional or regulatory monitoring, and disciplinary procedures.
•• Those created in the workplace – for example, documented internal policies or a firm’s
quality control policies and procedures.
Required reading
IESBA Code 2015 ss 100–150.
Application to audit and assurance engagements

As noted above, the IESBA Code Part B describes how the conceptual ethical framework applies
to accountants in public practice. However, it should be noted that Part B does not describe all
of the circumstances and relationships that create, or may create, threats to compliance with the
fundamental principles that an accountant in public practice may encounter. It states that public
practice accountants are encouraged to be alert to circumstances or relationships that create, or
may create, a threat to compliance with the fundamental principles (IESBA Code para. 200.1).
IESBA Code s. 280 addresses the principle of objectivity, and requires an accountant to
determine whether there are any threats to their objectivity from having interests in, or
relationships with, a client or its directors, officers or employees. IESBA Code para. 280.2
emphasises that an accountant in public practice who provides an assurance service must be
independent of the assurance client. Further, para. 280.2 notes that ‘independence of mind
and in appearance’ (i.e. both actual and perceived independence) is necessary to enable the
accountant ‘to express a conclusion, without bias, conflict of interest or undue influence of
others’. IESBA Code ss 290 and 291 provide specific guidance on independence requirements
for accountants when they provide assurance services.

CC
Independence
IESBA Code s. 290 addresses the independence requirements for audit and review engagements
in which the accountant expresses a conclusion on the financial statements (either a complete
set of financial statements or a single financial statement).
The independence requirements for other types of assurance engagements are addressed in
IESBA Code s. 291.
The following parties are required under IESBA Code para. 290.4 to be independent of the audit
client:
•• Members of the audit team.
•• The firm.
•• Any network firms.
Each of these, including the term ‘audit client’, is defined in the IESBA Code Definitions.
It should be noted that these are broad definitions. For example, a ‘firm’ is defined as:
(a) A sole practitioner, partnership or corporation of professional accountants;
(b) An entity that controls such parties, through ownership, management or other means; and
(c) An entity controlled by such parties, through ownership, management or other means.
The audit of an entity is relevant to a wide range of potential users, and so the actual and
perceived independence of the audit is of particular significance. The IESBA Code ‘Definitions’
(and also para. 290.6) defines ‘independence’ as:
(a) Independence of mind – the state of mind that permits the expression of a conclusion without being
affected by influences that compromise professional judgment, thereby allowing an individual to
act with integrity, and exercise objectivity and professional skepticism.
(b) Independence in appearance – the avoidance of facts and circumstances that are so significant that
a reasonable and informed third party would be likely to conclude, weighing all the specific facts
and circumstances, that a firm’s, or a member of the audit or assurance team’s, integrity, objectivity
or professional skepticism has been compromised.
The objective of IESBA Code s. 290 is to assist firms and members of audit teams in applying the
conceptual framework approach to achieving and maintaining independence.
As set out in IESBA Code para. 290.7, the conceptual framework is applied by an accountant to:
•• identify threats to independence
•• evaluate the significance of the threats identified, and
•• apply safeguards (when necessary) to eliminate or reduce the threats to an acceptable level.
If the accountant determines that no appropriate safeguards are available, or that appropriate
safeguards do not reduce the threats to an acceptable level, either the circumstance or
relationship that creates the threat must be eliminated, or the accountant should decline or
terminate the audit engagement.
The application of the conceptual framework approach to independence is addressed in
IESBA Code paras 290.100–290.228. These paragraphs describe specific circumstances and
relationships that create, or may create, threats to independence; the types of safeguards that
may be appropriate; and circumstances in which no safeguards could reduce the threats to an
acceptable level.
Required reading
IESBA Code 2015 ss 200–290.
IESBA Code 2015 paras 291.1–291.3.
IESBA Code ‘Definitions’.

CC
Australia-specific
APES 110
APES 110 Code of Ethics for Professional Accountants (APES 110) is issued by the Accounting
Professional and Ethical Standards Board (APESB) and is the Australian equivalent of the IESBA
Code.
As noted in the unit on Auditing Standards and quality control, the requirements of APES 110
are within the suite of Standards that are legally enforceable under the Corporations Act 2001
(Cth) (Corporations Act). APES 110 para. 1.4 states:
This Code is not intended to detract from any responsibilities which may be imposed
by law or regulation. AUASB has issued auditing standards as legislative instruments
under the Corporations Act 2001 (the Act). For audits and reviews under the Act, those
standards have legal enforceability. To the extent that those auditing standards make
reference to relevant ethical requirements, the requirements of APES 110 have legal
enforceability due to Auditing Standard ASA 102 Compliance with Ethical Requirements
when Performing Audits, Reviews and Other Assurance Engagements.
Under ‘Compliance with the IESBA Code’ at the end of APES 110, the Standard notes that the
principles and requirements of APES 110 and the IESBA Code are consistent, with the following
exceptions:
•• The addition of a Scope and Application section in APES 110;
•• The addition of paragraphs and definitions prefixed as AUST in APES 110. The
additional definitions are of AASB, Administration, AuASB, AUASB, Auditing and
Assurance Standards, Australian Accounting Standards and Member;
•• APES 110 generally refers to Members whereas the IESBA Code refers to
professional accountants;
•• Defined terms are in title case in APES 110;
•• The definition of Engagement Team in APES 110 does not exclude individuals
within the client’s internal audit function who provide direct assistance on an Audit
Engagement as the AUASB has prohibited the use of direct assistance in Auditing
and Assurance Standard ASA 610 Using the Work of Internal Auditors (November
2013);
•• APES 110 tailors the following IESBA defined terms to the Australian environment:
Audit Engagement, Engagement Team, Financial Statements, Firm, Member in
Public Practice, and Review Engagement;
•• Paragraph 290.25 of APES 110 expresses Public Interest Entity in the singular form
consistent with its definition in section 2;
•• Paragraph 290.26 in APES 110 mandates Firms to determine whether additional
entities are Public Interest Entities and the reference to member bodies has been
removed; and
•• Unless strict requirements are met, APES 110 prohibits Members in Public
Practice from providing accounting and bookkeeping services and preparing tax
calculations for Audit Clients which are Public Interest Entities, even in emergency
situations (refer APES 110 paras 290.169–290.170, and 290.182).
Required reading
APES 110 para. 1.4.

CC
Independence requirements of the Corporations Act

Members of Chartered Accountants Australia and New Zealand, CPA Australia and the Institute
of Public Accountants who carry out audits under the Corporations Act must comply with the
independence requirements of both the Corporations Act and APES 110.
This part of the unit principally examines the independence requirements of the Corporations
Act relating to pre-engagement activities.
The auditor independence requirements are contained in Corporations Act s. 307C and
Divisions 3, 4 and 5 of Part 2M.4. A summary of these key requirements is outlined in the table
below:
Corporations Act – key statutory provisions for auditor independence
Section(s) Independence provisions
Part 2M.3
Division 3 Auditor’s independence declaration – the auditor must give the directors of the
s. 307C entity a written statement that there have been no contraventions of the auditor
independence requirements of the Corporations Act in relation to the audit, unless
set out in that declaration
Part 2M.4
Division 3 Sets out the general requirements for audit independence for individual auditors,
ss 324CA–324CC members of audit firms and directors of audit companies
Division 3 Conflict of interest situations applicable to ss 324CA–324CC above, in which an

s. 324CD auditor or a professional member of the audit team is not capable of exercising
objective and impartial judgement in relation to the conduct of the audit of the
audited body
Division 3 Sets out the specific requirements for audit independence for individual auditors,
ss 324CE–324CG members of audit firms and directors of audit companies
Division 3 Relevant relationships that may result in contravention of the above sections
s. 324CH
Division 3 Special rules applicable to former audit firm partners or audit company directors.
ss 324CI–324CK A two-year waiting period applies to such personnel before they can be engaged as
officers of the audited body
Division 4 Details circumstances in which an individual, audit firm or audit company are
s. 324CM deliberately disqualified from being appointed as an auditor of an entity requiring
an audit, in accordance with the Corporations Act
Division 5 Deals with the requirements for auditor rotation of listed companies and registered
ss 324DA–324DD schemes
Refer to the Corporations Act, available at www.austlii.edu.au.

Other sections of the Corporations Act are also applicable to auditors, but these are discussed
in other units.
Required reading
Corporations Act s. 307C and Part 2M.4 Divisions 3–5.

CC
New-Zealand specific
PES 1 (Revised) Code of Ethics for Assurance Practitioners (PES 1)
PES 1 is the New Zealand equivalent of the IESBA Code. The requirements of PES 1 are within
the suite of Standards that are legally enforceable under the Financial Markets Conduct Act 2013
and the Financial Reporting Act 1993.
PES 1 was issued by the by the External Reporting Board (XRB) and the New Zealand Audit
and Assurance Standards Board (NZAuASB). It is applicable to all assurance engagements and
practitioners.
The principles and requirements of PES 1 are generally consistent with the IESBA Code,
including the numbering of the IESBA Code being used as the structure of PES 1. Additional
paragraphs for the New Zealand environment are denoted by the prefix ‘NZ’ in the relevant
paragraph numbers.
The key differences between PES 1 and IESBA Code include:
•• PES 1 has a narrower scope and is only applied to assurance practitioners, whereas the
IESBA Code applies to all professional accountants.
•• Sections have been deleted if they don’t apply, including sections that do not relate to
•• More stringent requirements, including paragraphs added with the prefix ‘NZ’, such as:
–– Extending the independence requirements to all public interest entities.
–– Extending partner rotation requirements to all key audit partners.
–– Key audit partners are not allowed to be compensated for selling non-assurance.
As noted in the unit on Auditing standards and quality control, NZICA has a statutory obligation
to have a code of ethics which governs the professional conduct of members of Chartered
Accountants Australia and New Zealand that reside in New Zealand. The NZAuASB mandate
covers Professional and Ethical Standards, which govern the professional conduct of assurance
practitioners. Therefore, both NZICA and NZAuASB maintain a code of ethics; however, the
requirements of both are aligned with each other to ensure that assurance practitioners are not
subject to differing obligations.
Required reading
PES 1 paras NZ 1.2 and NZ 1.4, and the New Zealand Preface.
Worked example 3.1: Applying the code of ethics regarding auditor independence
Activity 3.1: Identifying and safeguarding against threats to independence


CC
Quality control systems
Learning outcome
2. Apply the elements of quality control that must be applied at the individual engagement
level.
Elements of quality control at the individual engagement level

The unit on Auditing Standards and quality control addressed the significance of quality control
policies and procedures in ensuring that audits are consistently conducted to the same high
standard. It also covered the requirements of a firm’s quality control system under ISQC 1.
ISA 220 deals with the specific responsibilities of the auditor regarding quality control
procedures for an audit of financial statements (ISA 220 para. 1). Within the context of the audit
firm’s system of quality control, under ISA 220 paras 6(a) and (b), engagement teams must also
implement quality control procedures on an individual engagement level to ensure that:
(a) The audit complies with professional standards and applicable legal and regulatory requirements;
and
(b) The auditor’s report issued is appropriate in the circumstances.
Under ISA 220 para. 8:

The audit partner is responsible for the overall quality of each audit engagement to which that partner
is assigned.
The main pre-engagement activities of an engagement partner are:

•• Remaining alert for evidence of non-compliance with relevant ethical requirements (i.e. the
IESBA Code) by members of the engagement team and, if indication of non-compliance
exists, taking appropriate action (ISA 220 paras 9–10 and A4).
•• Forming a conclusion on compliance with independence requirements that apply to the
audit engagement (ISA 220 para. 11).
•• Satisfying themselves that appropriate procedures regarding the acceptance and
continuance of client relationships and audit engagements have been followed, and
ensuring that conclusions reached in this regard are appropriate (ISA 220 paras 12 and 13).
Such procedures include, prior to accepting an engagement, investigating ‘the integrity of
the principal owners, key management and those charged with governance of the entity’,
as well as ‘whether the engagement team is competent to perform the audit engagement
and has the necessary capabilities, including time and resources’ (ISA 220 para. A8).
•• Satisfying themselves that the engagement team, and any auditor’s experts who are not part
of the engagement team, are capable and competent to achieve the audit objectives (ISA 220
paras 14 and A11).
Australia-specific
ASIC audit inspection and surveillance programs
In Australia, the quality control systems of auditors of entities that are required to be audited
in accordance with the Corporations Act are subject to review by the Australian Securities and
Investments Commission (ASIC).
Responsibility for the surveillance, investigation and enforcement of the financial reporting and
auditing requirements of the Corporations Act lies with ASIC.

CC
ASIC’s audit inspection program aims to promote high-quality external audits under
Chapter 2M of the Corporations Act, and to raise the standard of conduct in the auditing
profession.
The ASIC inspection program is focused on audit quality and promoting compliance with
the requirements of the Corporations Act, Auditing Standards, and professional and ethical
standards. Audit firms are selected for inspection based on a number of criteria, with an
emphasis on auditors of publicly listed or public interest entities.
The audit inspection process is designed to gain an understanding of the key elements of
quality control as required by:
•• ASA 220 Quality Control for an Audit of a Financial Report and Other Historical Financial
Information.
•• APES 320 Quality Control for Firms.
•• ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports
and Other Financial Information, Other Assurance Engagements and Related Services
Engagements.
At the completion of the review, ASIC prepares a private and confidential report for the firm
that has been inspected, describing the inspection process, observation and findings, and
suggested remedial actions. A public report is periodically published by ASIC. This report does
not identify either the audit firm or the clients, and is aimed at better informing interested
stakeholders of the key observations and findings of the inspection program.
ASIC undertakes auditor surveillance generally as a result of complaints from the public to
ASIC, media reports, or intelligence from other areas within ASIC – for example, the financial
reporting surveillance program, in which queries are sometimes raised about the performance
of an auditor or the nature of the auditor’s report.
Audit inspection and surveillance program
In New Zealand, the quality control systems of auditors of FMC reporting entities are subject to
review by the Financial Markets Authority (FMA).
The FMA enforces the Auditor Regulation Act 2011. The Act establishes an independent audit
oversight regime for the auditors of FMC reporting entities within New Zealand. All registered
audit firms and individual auditors who are not members of a registered audit firm will be
subject to a quality review at least once every four years. The review will include an assessment
of the design of the internal control systems of the audit firm or licensed auditor, as well as a
review of selected audit files for compliance with Auditing and Assurance Standards. It is the
FMA’s responsibility to conduct these reviews – however, it may arrange for accredited bodies
to carry out a quality review, in whole or in part, on its behalf.
Required reading
ISA 220 paras 2–14, A4, A8 and A11.
Worked example 3.2: Implementing quality control procedures in accepting an audit

engagement

CC
Agreeing the terms of audit engagements
Learning outcome
3. Outline the auditor’s responsibilities in agreeing the terms of the audit engagement, including
the mandatory items to be included in an engagement letter.
After evaluating any prospective new client or an existing client as part of pre-engagement
activities, and deciding whether to accept a new engagement or continue with an existing one,
the auditor must agree on the terms of the engagement (i.e. what is to be done, by whom and
when) with the client.
This is typically done by the auditor sending the client an audit engagement letter. This is sent
before the beginning of the audit to help avoid misunderstandings regarding the engagement.
The engagement letter documents and confirms the:
•• Auditor’s acceptance of the appointment.
•• Objective and scope of the audit.
•• Extent of the auditor’s responsibilities to the entity.
•• Form of any reports.
ISA 210 deals with the auditor’s responsibilities in agreeing the terms of the engagement with
the client’s management. This includes establishing that certain preconditions (which are the
responsibility of management) are present. The aspects of client acceptance that are within the
control of the auditor are addressed in ISA 220.
Prerequisites for an audit

Before agreeing to undertake an audit, the auditor (under ISA 210 para. 6) is required to:
•• Determine whether the ‘financial reporting framework to be applied in the preparation
of the financial statements is acceptable’. This is not an issue for entities reporting in
accordance with legislation, as these entities would normally identify which financial
reporting framework must be applied – for example, Australian Accounting Standards or
the New Zealand equivalents of International Financial Reporting Standards (NZ IFRS).
•• Obtain agreement from management that it acknowledges and understands it is responsible
for:
–– ‘the preparation of the financial statements in accordance with the applicable financial
reporting framework, including where relevant, their fair presentation’
–– the internal controls determined by management to be ‘necessary to enable the
preparation of financial statements that are free from material misstatement, whether
due to fraud or error’, and
–– providing the auditor with access to all information ‘that is relevant to the preparation
of the financial statements’, and ‘unrestricted access to persons within the entity from
whom the auditor determines it necessary to obtain audit evidence’.
In accordance with ISA 210 para. 7, if management imposes ‘a limitation on the scope of the
auditor’s work in terms of a proposed audit engagement such that the auditor believes the
limitation would result in the auditor disclaiming an opinion on the financial statements’,
the auditor should not accept the engagement unless it is required to do so by either law or
regulation.
ISA 210 para. 8 sets out other factors that the auditor needs to consider if the preconditions for
an audit are not present.

CC
Contents of an audit engagement letter

The auditor agrees on the terms of the audit engagement with the client’s management or those
charged with governance, depending on who is appropriate. The roles taken by management
and those charged with governance are dependent on the governance structure of the entity and
relevant law or regulation (ISA 210 paras 9 and A21).
The agreed terms of the engagement that must be detailed in the audit engagement letter are set
out in ISA 210 para. 10. The table below sets out the mandatory matters to be addressed:
Agreed terms of the engagement
Terms Description
Objective, •• Identification of the financial reporting framework to be used

financial reporting •• Objective of the audit of the financial statements, and the anticipated form of auditor’s
framework, report or other communication. Also, the circumstances in which a report may differ
scope, and form from its expected form and content
of auditor’s
•• The scope of the audit, including reference to applicable legislation, regulations, ISAs,
report resulting
and ethical and other pronouncements of professional bodies to which the auditor
from the audit
adheres
of the financial
statements •• Other parties to whom a report is required to be made (e.g. a regulator)
Responsibilities of •• To conduct the audit in accordance with ISAs

the auditor •• Recognition that, due to the inherent limitations of an audit and the limitations of
internal control, there is an unavoidable risk that some material misstatements may not
be detected, even though the audit is properly planned and performed in accordance
with ISAs
Responsibilities of •• Preparation of the financial statements in accordance with the applicable financial
management framework, and for designing and implementing such internal control as management
determines is necessary to enable the preparation of financial statements that are free
from material misstatement, whether due to fraud or error
•• Accept the terms of the engagement as outlined in the engagement letter
•• Provide auditors with unrestricted access to any records, documentation and other
information requested in connection with the audit
•• Provide auditors with unrestricted access to persons within the entity
•• Confirm auditor’s expectation of receiving written confirmation from management
concerning representations made in connection with the audit
•• Agreement to inform the auditor of facts that may affect the financial statements,
of which management may become aware during the period from the date of the
auditor’s report to the date the financial statements are issued

CC
In addition, an audit engagement letter may also make reference to a number of other issues,
as detailed in ISA 210 paras A22–A25 and set out in the table below:
Optional audit engagement terms
Terms Description
How the Address arrangements regarding:

audit will be
•• The planning and performance of the audit, including the composition of the audit team
conducted,
and details of what (if any) draft financial statements or other working papers are to be
any dispute
prepared by the client, along with the dates on which the auditor requires these
resolution,
obligations •• Involvement of other auditors and experts
and fee •• Involvement of the predecessor auditor, if any, with respect to opening balances
arrangements •• Any restrictions of the auditor’s liability where such a possibility exists
•• The basis on which fees are computed and any billing arrangements
•• Any obligation by the audit firm to provide audit working papers to other parties
•• Reference to any further agreements between the auditor and the client, or other letters
or reports that the auditor expects to issue to the client
•• Client to confirm the terms of the engagement by acknowledging receipt of the
engagement letter

An example engagement letter is included in ISA 210 Appendix 1. In the national equivalents,
ASA 210/ISA (NZ) 210 Agreeing the Terms of Audit Engagements (ASA 210 and ISA (NZ) 210
respectively) Appendix 1, the example engagement letter has been drafted taking local
legislative requirements into account.
Recurring engagements
Where the auditor is engaged to work on recurring engagements, it must assess whether there
has been a change in circumstances that would require the terms of the audit engagement to
be revised, and whether there is a need to remind the entity of the existing terms of the audit
engagement (ISA 210 para. 13). Examples of such a change in circumstances are detailed in
ISA 210 para. A28, and include significant changes in ownership, senior management, and legal
or regulatory requirements.
If there is a change in the terms of an audit engagement, the auditor should not agree to them
unless there is reasonable justification for doing so. If the auditor has agreed to such a change,
the new terms should be agreed on and recorded in a new engagement letter or other suitable
form of written agreement (ISA 210 paras 14–17).
Required reading
ISA 210 paras 6–10, 13–17 and A21–A25, and Appendix 1.
ASA 210/ISA (NZ) 210 Appendix 1.
Activity 3.2: Outlining the terms of audit engagements


CC
Communication with those charged with governance
Learning outcome
4. Describe and explain the auditor’s responsibility to communicate audit matters to those
It is important for the auditor to develop a constructive working relationship with the
audit client in a financial statement audit by having effective two-way communication with
management and those charged with governance. Similar to mandatory requirements regarding
documentation, the communication of audit matters that are of interest to those charged with
an entity’s governance must occur at all stages of the audit. Effective two-way communication
benefits both the auditor and those charged with governance.
The objectives of the auditor in an audit of financial statements regarding communication with
those charged with governance are to:
•• Communicate the responsibilities of an auditor in relation to the financial statements audit.
•• Communicate an overview of the planned scope and timing of the audit.
•• Provide those charged with governance timely observations arising from the audit that are
significant and relevant to their responsibility to oversee the financial reporting process.
ISA 260 establishes mandatory requirements, and provides guidance on communication

between the auditor and those charged with governance. Note that the Standard does
not provide guidance on communication by the auditor to parties outside the entity – for
example, external regulatory agencies. While ISA 260 is primarily focused on communication
by the auditor to those charged with governance, it does recognise that effective two-way
communication is important in conducting an efficient and effective audit (ISA 260 paras 4–5).
Who the auditor should communicate with

The auditor is required to determine the appropriate person(s) within an entity’s governance
structure with whom to communicate (ISA 260 para. 11). ISA 260 paras A1–A4 provide further
guidance on identifying the appropriate person(s). ISA 260 para. A1 states:
Governance structures vary by entity, reflecting influences such as size and ownership characteristics.
For example:
• In some jurisdictions, a supervisory (wholly or mainly non-executive) board exists that is legally
separate from an executive (management) board (a two-tier board structure). In other jurisdictions,
both the supervisory and executive functions are the legal responsibility of a single, or unitary,
board (a one-tier board structure).
• In some entities, those charged with governance hold positions that are an integral part of the
entity’s legal structure, for example, company directors. In others, for example, some public sector
entities, a body that is not part of the entity is charged with governance.
• In some cases, some or all of those charged with governance are involved in managing the entity.
In others, those charged with governance and management comprise different persons.
• In some cases, those charged with governance are responsible for approving the entity’s financial
report (in other cases management has this responsibility).
In entities where governance is a collective responsibility, the auditor’s communications may be

directed to a subgroup of those charged with governance, such as an audit committee. In these
circumstances, the auditor would determine whether there is also a need to communicate with
the entire governing body.
Where the appropriate person(s) with whom to communicate may not be clearly identifiable
from the applicable legal framework or other engagement circumstances, the auditor may
need to discuss and agree with the engaging party on the relevant person(s) with whom to

CC
communicate. In deciding this, the auditor’s understanding of an entity’s governance structure
and processes is relevant and necessary. The appropriate person(s) with whom to communicate
may also vary depending on the matter to be communicated.
When the entity is a component of a group, the appropriate person(s) with whom the
component auditor communicates depends on the engagement circumstances and the matter to
be communicated.
What should be communicated

ISA 260 paras 14–17 and A9–A27 detail issues that should be included in correspondence with
those charged with governance, some of which are:
•• The auditor’s responsibilities in relation to the financial statements audit.
•• An overview of the planned scope and timing of the audit.
•• Significant findings from the audit.
•• Significant qualitative aspects of accounting practices.
•• Significant difficulties encountered during the audit.
•• For listed entities, a statement on auditor independence.
ISA 260 Appendix 1 identifies paragraphs in ISQC 1 and other Auditing Standards that require
communication of specific matters to those charged with governance.
Some of the more common matters of interest to those charged with governance that may be
communicated (preferably in writing) are outlined in the following table:
Common audit matters of interest to those charged with governance
Matters Communication considerations
Accounting policies The selection of (or changes in) significant accounting policies and
practices that have, or could have, a material effect on the entity’s financial
statements
Significant matters, if any, These matters are discussed with those charged with governance, unless
arising from the audit that they are all involved in managing the entity. This ensures that those
were discussed with, or charged with governance have the same understanding of the facts and
communicated to, management circumstances that management does
Significant deficiencies in As set out in ISA 265 Communicating Deficiencies in Internal Control to
internal control Those Charged with Governance and Management, the auditor needs to
communicate significant deficiencies in internal control identified during
the audit on a timely basis
Audit misstatements ISA 450 Evaluation of Misstatements Identified during the Audit requires the
auditor to communicate to those charged with governance uncorrected
misstatements and the effect they, individually or in aggregate, may have
on the auditor’s opinion
Written representations that the Written representations are required by the auditor to confirm certain
auditor requests matters or support other audit evidence
Required reading
ISA 260 paras 14–17 and A9–A27, Appendix 1.
Worked example 3.3: Describing the auditor’s responsibilities to communicate with those
charged with governance

CC
Australia-specific
ASA 260 Communication with Those Charged with Governance
ASA 260 Communication with Those Charged with Governance (ASA 260) deals with
communication by an auditor with those charged with governance. It is based on its
international equivalent, ISA 260, and, while it conforms to the international Standard, the
differences are denoted by the insertion of the prefix ‘Aus’ in the relevant paragraph numbers.
There are two key additional requirements in ASA 260:
•• In the case of entities that are audited in accordance with the Corporations Act, the auditor
is required to provide those charged with governance with the auditor’s independence
declaration required by Corporations Act s. 307C (discussed earlier in this unit) (ASA 260
para. Aus 17.1).
•• If the auditor is concerned that a written report intended for those charged with
governance has not been, or may not be, distributed to all members of that group, the
auditor is required to endeavour to ensure that all members are appropriately informed of
the contents of the report (ASA 260 para. Aus 19.1).
ISA (NZ) 260 Communication with Those Charged with Governance
ISA (NZ) 260 Communication with Those Charged with Governance (ISA (NZ) 260) deals
with communication by an auditor with those charged with governance. It is based on its
international equivalent, ISA 260, and, while it conforms to the international Standard, the
differences are denoted by the insertion of the prefix ‘NZ’ the relevant paragraph numbers.
There is one additional requirement in ISA (NZ) 260:
•• If the auditor is concerned that a written report intended for those charged with
governance has not been, or may not be, distributed to all members of that group, the
auditor is required to endeavour to ensure that all members are appropriately informed of
the contents of the report (ASA 260 para. NZ19.1).
Quiz
Quick reference guide: IESBA Code of Ethics for Professional Accountants


Readings

Standards.
Required reading
Relevant International Standards on Auditing and national equivalents and legislation and guidance
ISA 200 Overall Objectives of the ASA 200 Overall Objectives of ISA (NZ) 200 Overall Objectives of
Independent Auditor and the the Independent Auditor and the the Independent Auditor and the
Conduct of an Audit in Accordance Conduct of an Audit in Accordance Conduct of an Audit in Accordance
with International Standards on with Australian Standards on with International Standards on
Auditing Auditing Auditing (New Zealand)
ISA 210 Agreeing the Terms of Audit ASA 210 Agreeing the Terms of Audit ISA (NZ) 210 Agreeing the Terms of
Engagements Engagements Audit Engagements
•• Paragraphs 6–10, 13–17, •• Paragraphs 6–10, 13–17, •• Paragraphs 6–10, 13–17,
A21–A25, and Appendix 1 A21–A25, and Appendix 1 A21–A25, and Appendix 1
ISA 220 Quality Control for an Audit ASA 220 Quality Control for an Audit ISA (NZ) 220 Quality Control for an
of Financial Statements of a Financial Report and Other Audit of Financial Statements
•• Paragraphs 2–14, A4, A8 and •• Paragraphs 2–14, A4, A8 and •• Paragraphs 2–14, A4, A8 and
A11 A11 A11
ISA 260 Communication with Those ASA 260 Communication with Those ISA (NZ) 260 Communication with
Charged with Governance Charged with Governance Those Charged with Governance
•• Paragraphs 14–17 and A9–A27, •• Paragraphs 14–17 and A9–A27, •• Paragraphs 14–17 and A9–A27,
and Appendix 1 and Appendix 1 and Appendix 1
Code of Ethics for Professional APES 110 Code of Ethics for PES 1 (Revised) Code of Ethics for
Accountants (IESBA Code) (2015) Professional Accountants Assurance Practitioners
•• Sections 100–290 •• Sections 100–290 •• Sections 100–290
•• Paragraphs 291.1–291.3 •• Paragraphs 1.4 and 291.1–291.3 •• Paragraphs NZ 1.2, NZ 1.4,
291.1–291.3 and the New
•• Definitions
Zealand Preface

•• Section 307C
•• Part 2M.4 Divisions 3–5

www.apesb.org.au
www.austlii.edu.au

Further reading
There are no further readings for this unit.
References
International Federation of Accountants 2011, Guide to using ISAs in the audits of small- and
medium-sized entities, 3rd edn (IFAC Guide), vol. 2, Exhibit 4.0-2, p. 27; Exhibit 4.4-1, p. 36;
Exhibit 4.4-2, p. 37

ACT
Activity 3.1
Identifying and safeguarding against threats
to independence
Introduction
Chartered Accountants can face a broad range of relationships and circumstances, some of
which may pose a threat to their compliance, or perceived compliance, with the fundamental
principles of the Code of Ethics for Professional Accountants (IESBA Code). A relationship or
circumstance can also affect compliance with more than one fundamental principle. In deciding
whether to accept or continue an audit engagement, the auditor needs to identify and evaluate
potential threats to independence.
This activity, links to learning outcome:
•• Apply the code of ethics and relevant guidance, statements and legislation regarding
At the end of this activity you will be able to apply the IESBA Code to identify and evaluate
threats to auditor independence, and recommend relevant safeguards to eliminate or reduce the
identified threats.
Scenario
You are a newly qualified Chartered Accountant working for A&C Partners Chartered
Accountants (A&C). As part of your continuing professional education and training, one
of the partners of A&C has asked you to read through six situations and conclude on the
independence issues involved to ensure you are alert to independence and ethical issues before
your next audit engagement.
The six situations the partner gives you are as follows:
Situation 1
Louis Jones, chief financial officer (CFO) of Shanti Limited (a large textile manufacturer),
is thrilled that the audit for the 20X2 financial year was completed in a timely manner and
within budget, and, even better, that it resulted in an unmodified audit opinion. To express his
gratitude, he insists on offering each engagement team member a dinner voucher for two at Vue
de Monde, a famous Melbourne restaurant. The approximate value of a dinner voucher for two
is $400.
Situation 2
Elsa, your work colleague, was seconded to the Sydney office of your audit firm for three
months to assist with achieving urgent deadlines in an audit engagement with one of the firm’s
biggest clients, Lagaf Limited (Lagaf). One month into her secondment, on the audit firm’s
online chat system, Elsa asks you whether she can speak to you in confidence. She then admits

ACT
that she started ‘hanging out’ with Herbert, the financial controller of Lagaf, but that they are
just friends. The following week, she calls you and advises that their friendship has developed
into a closer relationship. The audit of Lagaf is yet to be finalised.
Situation 3
Your engagement team has recently completed the audit of SocaDance Limited (SocaDance),
a large manufacturer of various musical instruments. You are the audit manager. A number of
issues were identified and, following a review, you determine that one of the issues requires
adjustments to the financial statements in order for an unmodified audit opinion to be issued.
The issue relates to the valuation of some warehouse real estate held by SocaDance and, as
the valuation of the real estate is outdated, you are of the view that there is insufficient audit
evidence to support the valuation and allocation assertion.
You therefore organise a meeting with Kaolin, the financial controller of SocaDance, and express
your concerns to him. Numerous times during the meeting, Kaolin reminds you that he has
significant experience in property valuations, and has worked for a number of other companies
in the property industry. When it is clear that Kaolin will not agree to change the value of the
real estate, you advise that this might lead to a modified audit opinion. Kaolin then advises
that, if this is the case, he will see to it that your audit firm is dismissed from the SocaDance
engagement for the next financial year.
Situation 4
You are the auditor of Ushuaia Limited (Ushuaia), a manufacturer of beauty products aimed at
a niche market of very wealthy customers. Ushuaia’s trademark is its most valuable marketing
tool, as the public identifies its trademarked goods as being of top quality. Ushuaia has
approached your audit firm with a major concern that one of its competitors is trying to steal
its trademark and has asked you to assist by providing legal services to help in resolving the
imminent litigation with the competitor.
Situation 5
You are the senior auditor in charge of the audit of Indochine Limited (Indochine), one of the
largest clients of your firm. The year-end audit is being undertaken and, while reviewing the
file, the manager on the job informs you that it is absolutely crucial for the engagement to go
well and for an unmodified opinion to be issued. If this is not the case, the likelihood of you and
the manager being promoted within the firm is very remote.
Situation 6
You are the audit manager in charge of the audit of the Yeye Managed Investment Fund (Yeye),
a new client. A few years ago, Yeye acquired a parcel of shares in an unlisted Russian energy
company, and have no idea what the shares are worth. You note that the shares have been
valued at the same amount for the last five years, and that it is material to the financial report.
You notify the directors of Yeye that a third-party valuation will be required, to determine what
the shares are worth in the 20X3 financial year. The directors are more than happy to oblige and
have approached your audit firm to provide the valuation services.

ACT
Task
For this activity, you are required to apply the conceptual framework of the IESBA Code to each
of the six situations the partner has given you and:
•• Identify potential threats to independence.
•• Recommend safeguards to reduce the independence threats.
•• Determine whether audit independence can be achieved.
You can present your answer in the following table format:
Situation Threats Safeguards Can audit independence be

achieved?

ACT
Activity 3.2
Outlining the terms of audit engagements
Introduction
After evaluating a prospective client or an existing client and deciding whether to accept the
new client or continue with the existing client, the auditor must agree on the terms of the
engagement with the client. This is typically done by sending an engagement letter.
The auditor sends the engagement letter prior to beginning the audit, to help avoid any
potential misunderstandings regarding the engagement. The engagement letter documents and
confirms the auditor’s acceptance of the appointment, the objective and scope of the audit, the
extent of the auditor’s responsibilities to the entity, and the form of any reports.
•• Outline the auditor’s responsibilities in agreeing the terms of the audit engagement,
including the mandatory items to be included in an engagement letter.
At the end of this activity, you will be able to outline the terms to be included in an engagement
letter under particular circumstances, in accordance with ISA 210 Agreeing the Terms of Audit
Engagements (ISA 210).
Scenario
You are a Chartered Accountant working for the accountancy firm A&C Partners (A&C). You
have been a member of the audit team for one of the firm’s audit clients, O’Brien’s Newspapers
Limited (ONL), a non-listed entity, for the past two years.
You have researched ONL and prepared the following summary. It contains your findings for
the lead audit partner on this audit engagement, Gerald Hiraldo, and will help to inform his
decision on whether the firm will continue as auditors of this client in the upcoming financial
year, ending 30 June 20X3. If it is decided to continue the audit engagement, this summary will
also serve to highlight elements that need to be included in the engagement letter.

ACT
Consideration Findings
Have the audit preconditions been met? ONL’s financial statements will be prepared by management
using the International Financial Reporting Standards (IFRS)
Management agrees (and will confirm in a signed engagement
letter) that it acknowledges and understands its responsibility
to:
•• Make available all information as requested
•• Provide unlimited access to personnel
•• Design and implement such internal controls as
management determines is necessary to enable the
preparation of financial statements that are free from
material misstatement, whether due to fraud or error
Have the acceptance/continuance Yes. Refer to policies 3 and YY of the A&C Quality Control manual
requirements in the firm’s quality control
manual been followed?
Any change in the terms of reference or No
requirements for the audit engagement?
Any independence issues or conflicts of A&C and several A&C staff members have subscriptions to ONL
interest? publications for which they paid the retail price. This is not
considered a threat to our independence
Any circumstances that would cast doubt on No. However, Maria (daughter of the ONL marketing manager)
the integrity of the client’s owners? received some negative publicity in recent months. She was an
advisor in a land deal where government officials were accused
of receiving bribes from developers. This matter has also been
noted on our listing of risk factors for the audit
Does the engagement team have sufficient Yes. We plan to use the same senior staff as last period to
knowledge of accounting principles complete the engagement
and industry practices to perform the
engagement?
Are there areas where specialised We will need to bring in an expert to correctly value intangible
knowledge is necessary? assets (newspaper mastheads) recognised by the entity
Does the firm have the capacity in time, Yes. See the firm’s resource planning and budget for the year
competencies and resources to complete
the engagement in accordance with
professional Standards and the firm’s
guidelines?
Are there any issues identified in previous Falling circulation for a number of the ONL publications has
audits and other engagements for this entity been an issue in previous audits. This matter has also been
that need to be addressed? noted on our listing of risk factors for the audit
Are there any new circumstances that No. Management has a professional attitude towards internal
increase our engagement risk? control, and no new circumstances have arisen to increase the
engagement risk in this regard
Can the client continue to pay our fees? Yes
Conclusion Overall assessment of engagement risk is low. Recommend
that we should continue with this client and prepare the audit
engagement letter accordingly
Gerald has reviewed your summary and accepts the comments and conclusions reached with
only minor adjustments.
Task
For this activity, you are required to outline the key contents of the engagement letter for
the ONL audit engagement for the year ended 30 June 20X3. Assume that ONL’s financial
statements are prepared on a true and fair basis.


CC
Core content
Unit 4: Understanding the entity and its
environment
Learning outcomes
1. Discuss and demonstrate the auditor’s responsibility to gain a thorough understanding of
the entity and its environment.
2. Discuss and demonstrate the auditor’s responsibility to identify and assess the risks of
material misstatement in financial statements.
3. Demonstrate how the identification of risks and internal controls affect the audit of an
entity.
4. Explain an auditor’s responsibilities when a client uses a service organisation.
Introduction
Every entity is affected by unique events, transactions and practices, and, therefore, unique
risks. Many of these risks have the potential to impact on the financial statements. Therefore, in
order to adequately plan an audit, the auditor must understand the entity and its environment,
and also how the entity responds to the risks it faces.
The auditor uses the understanding of an entity obtained to identify and assess risks of material
misstatements in the financial statements, and to plan audit procedures to respond to those
risks.
The following diagram summarises the steps in the risk assessment process:
Understand Respond to
Identify the risks Assess the risks
the entity the risks
This unit focuses on ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and Its Environment (ISA 315 (Revised)). The concepts and
requirements in ISA 315 (Revised) extend across several units in the Audit & Assurance
(AAA) module.
aaa11604_csg

CC
Key steps in the planning and risk assessment process are covered in multiple units throughout
the AAA module as follows:
Key steps in the planning and risk assessment process
Step ISAs requirement Purpose AAA unit
1. Gather information The auditor is required to To provide a frame of Understanding the entity
about the entity gather information about: reference within which and its environment
the auditor plans the
•• The entity and its
audit and revises the audit
environment
strategy and audit plan
•• Internal controls throughout the audit
2. Perform risk The auditor is required To identify sources Analysing audit risks,
assessment to: of risks of material financial statement
procedures misstatement due to assertions and initial
•• Make enquiries
error or fraud, and to audit engagements
•• Perform analytical obtain audit evidence to
procedures Analysing audit risks –
support the assessment
fraud
•• Observe and inspect of risk at both the
financial statement and
assertion levels
3. Use information The auditor is required To enable the auditor to Analysing audit risks,
to assess the to assess the risks of direct the audit work to financial statement
risks of material material misstatement at where it is most needed assertions and initial
misstatement the financial statement – that is, to areas where audit engagements
and assertion levels the risks of material
Analysing audit risks –
misstatement are highest
fraud
4. Determine The auditor is required To enable the auditor to Materiality in planning

materiality to apply the concept of plan and perform the and performing the audit
materiality in planning audit appropriately by
and performing the audit directing the audit work
where it is most needed
5. Determine audit The auditor is required To enable the auditor to Developing an overall
strategy and plan to set and document the plan and perform the audit plan
overall audit strategy and audit in an efficient and
audit plan effective manner
This unit will cover the following:

•• Why the auditor is required to obtain an understanding of the entity and its environment.
•• What types of information the auditor is required to obtain.
•• An introduction to the audit risk model.
•• The relationship between the information obtained and audit risk.
•• An introduction to the way in which this relationship affects the selection of audit
procedures.
This unit also covers what the auditor needs to consider when auditing an entity that uses a
service organisation to operate part of its business processes, in accordance with ISA 402 Audit
Considerations Relating to an Entity Using a Service Organization (ISA 402).

CC
Understanding of the entity and its environment
Learning outcomes
1. Discuss and demonstrate the auditor’s responsibility to gain a thorough understanding of the
entity and its environment.
2. Discuss and demonstrate the auditor’s responsibility to identify and assess the risks of material
misstatement in financial statements.
Understand Respond to
Identify the risks Assess the risks
the entity the risks
Understanding the entity and its environment enables the auditor to identify risks that the
entity faces. When the auditor understands the entity, they are able to identify risks that could
result in a material misstatement in the financial statements. Therefore, risk identification is an
integral part of understanding the entity. Using this approach, the auditor can focus the audit
work on risks that are relevant to each audit.
Basis for audit planning

The information the auditor gathers on an entity and its environment forms the basis for planning
the audit. The auditor responds to the level of risk assessed, and the reason behind the risk.
Example – Responding to risk

An entity receives the majority of its revenue in cash and performs daily cash counts at several
locations. The auditor assesses cash collected at several locations as a factor that increases the
risk of material misstatement. The auditor responds to this identified risk by increasing the
level of audit testing that is performed on cash revenue and receipts. The auditor also plans to
perform surprise cash counts at several of the entity’s locations to address the circumstances
that cause the risk.
In addition to forming a basis for assessing risks and designing audit procedures,
understanding the entity and its environment is used for (ISA 315 (Revised) para. A1):
•• Determining materiality.
•• Considering the appropriateness of an entity’s accounting policies and financial statement
disclosures.
•• Identifying areas where specific testing is required, such as complex transactions, significant
estimates/judgements, and management’s use of the going concern assumption.
•• Designing audit procedures, such as tests of controls and/or substantive procedures that
directly respond to the risk(s) identified.
•• Evaluating whether the audit evidence is sufficient and appropriate.

CC
Examples – Identify the risks and the practical implications for audit planning
AUDIT ENTITY 1
Entity information Impact on risk Implication for audit

Inventory is held at 20 It is harder for manage- The auditor must decide
different warehouses ment to control inventory which warehouses to visit
dispersed over a wide with 20 warehouses in as part of the audit
geographical area different locations,
resulting in increased risk
AUDIT ENTITY 2
Entity information Impact on risk Implication for audit

The payroll clerk will be Unless this is a regular Plan to perform the
on leave during the last occurrence, there is no payroll audit testing in
week of planned impact on risk the first week of the final
three-week final audit audit fieldwork
fieldwork
Understanding the entity and its environment

ISA 315 (Revised) para. 3 defines the objective of the auditor as:
.... to identify and assess the risks of material misstatement, whether due to fraud or error, at the
financial statement and assertion levels, through understanding the entity and its environment,
including the entity’s internal control, thereby providing a basis for designing and implementing
responses to the assessed risks of material misstatement.
In practice, an auditor gains an understanding of the entity and its environment, including the
entity’s internal control, from a variety of sources and activities, such as discussions with the
client, preliminary financial data about the entity, regulators and the media. This information
is gathered throughout the client acceptance and planning stages of the audit, and when
performing the audit procedures.

CC
The following chart shows areas that are potential sources of risks for material misstatement in
the financial statements, which the auditor is required to understand:
RC E S O F R I S K
SOU
Entity objectives
and strategies
Internal External
control factors
RMM* in the
financial
statements
Accounting Internal factors
policies (nature of entity)
Industry
performance
indicators
*RMM = Risks of material misstatements
Source: Adapted from Australian audit manual and toolkit 2015 for small and medium sized entities, Exhibit 23.5-1,
p. 283.
Identifying risks of material misstatement

When the auditor understands the entity, they are able to identify risks that could result in a
material misstatement in the financial statements. Therefore, risk identification is an integral
part of understanding the entity
One way of thinking about the risk is to consider:
•• What could go wrong?
•• What chance is there that it will go wrong?
•• If it does go wrong, what could happen?
The following diagram uses the example of sales revenue to illustrate this:
What could cause a transaction to

What could go wrong?
be recorded in the wrong period?
Revenue is
recorded in the What chance is there What controls are in place to prevent
correct financial it will go wrong? (or detect and correct) an error?
period
What could happen What is the potential error(s) in

if it went wrong? monetary terms?

CC
What the auditor is required to understand about an entity

ISA 315 (Revised) provides a framework for the auditor to gain an understanding of the entity.
This is done in two parts, as illustrated by the following diagram:
Obtain an understanding of:
The entity and its environment Internal control
(ISA 315 (Revised) para. 11) (ISA 315 (Revised) paras 12−24)
Obtain an understanding of the entity and its environment

The types of information the auditor must obtain about an entity and its environment are
summarised in the following diagram (ISA 315 (Revised) para.11):
Industry, regulatory and other

external factors, including the
financial reporting framework
Nature of the entity
The entity and

Accounting policies
its environment
Objectives and strategies

and related business risks
Measurement and review of

financial performance

CC
Industry, regulatory and other external factors

Identifying external factors requires the auditor to consider the industry and the regulatory
regime in which the entity operates (ISA 315 (Revised) para. 11(a)).
Industry factors
Different industries have different risks, and the impact on the entity depends on its position in
that industry. For instance, operating in an industry that experiences rapid technological change
presents a risk of falling behind its competitors. This may lead to products becoming obsolete,
and a risk of the entity overvaluing its inventory on hand.
Examples – Industry factors and potential impacts on the entity
Industry factor Example Potential impact on the entity
Competition A highly price-competitive industry Pressure on results, financial

(e.g. retail) hardship
Demand Seasonal demand (e.g. utility companies) Financial results fluctuate

seasonally
Managing cash flow can be difficult
Nature of industry Industry operating on long-term contracts Judgement required to estimate

(e.g. the construction industry) future contract revenues and costs
Regulatory factors
The regulatory environment may govern an entity’s operations, its financial reporting
requirements, or both. Regulations over operations may have an economic impact, which in
turn affects the financial statements. Financial reporting regulations may create specific risks for
particular industries.
Examples – Regulatory factors and the potential impact on the entity
Regulatory factor Potential impact on the entity
Government tariffs Increase in costs of doing business
Australian financial services Imposes operating and reporting obligations on AFSL holders,
licence (AFSL) regulations increasing compliance risks
Australian Prudential Regulation Imposes financial and reporting obligations on certain financial
Authority (APRA) services businesses, including entities involved in banking, insurance
and superannuation, increasing compliance risks
External factors
Other external factors include the general economic environment. This will impact on
businesses differently. The auditor will need to consider how factors such as a declining
economy, interest rates and the availability of financing affect the entity.
ISA 315 (Revised) paras A24–A29 provide further guidance on the auditor’s consideration of
industry, regulatory and other external factors.
Example – External factors and the potential impact on the entity

Mining companies are generally dependent on regular debt and equity fundraising to carry out
exploration work and project development.
There is a high level of competition for investment dollars, including both debt and equity
fundraising. This external factor is a key constraint on the mining industry. The auditor of a mining
company would assess the availability of required funding as a key business and audit risk.

CC

By obtaining information about the entity itself, the auditor can understand what transactions,
account balances and disclosures should be in the financial statements.
There is potentially a large amount of information the auditor could obtain, and ISA 315
(Revised) para. 11(b) provides the following framework:
Industry, regulatory and other Operations

external factors, including the
financial reporting framework
Ownership and governance
Types of investments
The entity and
Accounting policies
its environment
Structure and finance
Objectives and strategies

and related business risks
Measurement and review of

financial performance
Operations
Information about the entity’s operations includes:
•• How an entity earns revenue.
•• Products and services.
•• Customer and supplier relationships.
•• Geographic locations.
•• Workforce profile.
Information on operations will assist the auditor to understand which account balances should
be present and which should be absent in the financial statements, and may also provide an
understanding of the appropriate accounting treatment.
Examples – Information on operations and its potential impact on the entity
Information on operations Potential impact on the entity
A manufacturer has high fixed costs and operates Financial risk if sales decline
at low margins/high volumes to earn profits
Risk of net realisable value of inventory falling
below cost
A service entity enters into long-term sales Risk that revenue will not be recognised in the
contracts correct accounting period
Potential risk that losses on long-term contracts
will not be accounted for appropriately

CC
Ownership and governance

The owners of an entity are the primary stakeholders. Therefore, the ownership structure and
the relationship between the owners and management (i.e. corporate governance) have an
impact on risk. 
Example – Potential impact of an entity’s ownership structure on risk
Information on ownership and governance Potential impact on the entity
A company has an active and appropriately Reduces risk due to enhanced oversight of the
constituted audit committee comprising integrity of financial reporting
non‑executive directors, the majority of whom are
independent
Types of investments
Investing potentially covers a wide range of activities, including investments in income-
producing assets, new business operations, and joint ventures and associates. The auditor
needs to consider what the appropriate accounting treatment for each investment is (e.g. fair
value, depreciated cost), as well as any related risks, such as impairment. Investments in other
businesses will carry risks related to each type of business.
Examples – Investments and their potential impact on the entity
Information on investments Potential impact on the entity
A retail group acquires a significant subsidiary Accounting for acquisitions can be complex
offering insurance products
Risks related to insurance operations and the type
of industry
An entity acquires a significant investment in new Determining the appropriate accounting

business treatment for subsidiaries, associates, joint
ventures or partnerships can be complex
Structure and finance

The higher the level of debt, the greater the business risk and, potentially, the risk of material
misstatement. The auditor needs to understand the terms that are attached to significant
borrowings, in order to identify any conditions that impact on risk and to assess the appropriate
accounting treatment.
Examples – Structural/financial information and its potential impact on the entity
Structural/financial information Potential impact on the entity
A company carries a relatively high level of debt The going concern assumption may become
inappropriate if trading conditions decline
The terms of a bank loan contain strict financial Covenants could motivate management to
covenants misstate related account balances
A company has a high level of debt owed to its The classification of debt versus equity and
shareholders current versus non-current liabilities may be
difficult to ascertain

CC
Accounting policies
In accordance with ISA 315 (Revised) paras 11(c) and A35, the auditor needs to understand the
entity’s selected accounting policies in order to:
•• Assess whether the accounting policies are appropriate.
•• Design audit procedures that address the accounting policies.
Example – Accounting policies and the auditor

An entity is developing a software product and capitalising the associated costs as an
intangible asset.
The auditor needs to ensure:
•• The capitalisation is in accordance with the appropriate Accounting Standards and
consistent with industry practice.
•• The entity has maintained adequate documentation for the auditor to examine.
Objectives and strategies and related business risks

ISA 315 (Revised) para. 11(d) requires the auditor to consider the entity’s objectives and
strategies, and those related business risks that may result in risks of material misstatement.
Business risks arise from factors that present risks to the entity’s ability to achieve its objectives.
Business risk also encompasses events that arise from change, complexity or the failure to
recognise the need for change. For example:
•• The development of new products that may fail.
•• An inadequate market, even if new products are successfully developed.
•• Flaws in new products that may result in liabilities.
Most business risks have a potential financial consequence and, therefore, an effect on the
financial statements. However, the auditor does not need to identify or assess all business
risks because not all give rise to risks of material misstatement (ISA 315 (Revised) para. A38).
The term ‘business risk’ encompasses more than just the risk of material misstatement in the
The ‘Application and Other Explanatory Material’ in ISA 315 (Revised) para. A39 provides
examples of matters the auditor may consider in obtaining an understanding of the entity’s
objectives, strategies and related business risks.
Examples – Matters the auditor may consider in obtaining an understanding of the entity’s objectives,
strategies and related business risks
Strategy/potential Potential impact on the entity

business risk
Expanding to new locations Risks relating to control over remote operations (e.g. have all sales
transactions been recorded? Are payments appropriately authorised?
Is cash handling managed and controlled?)
Developing new products or The risk that new products or services will fail; therefore corresponding
services pressure on management to meet expected results and a risk that the
inventory of new products and assets used to manufacture those new
products, may be overvalued
Significant new competitor The risk that inventory is overvalued at more than can be recovered
enters the market through potential sales of inventory; pressure on management from
poor sales results
Product is found to be faulty Warranty and/or cosumer liabilities increased

CC
ISA 315 (Revised) Appendix 2 contains a useful list of conditions and events that may indicate
risks of material misstatement.
Complexity
The more complex an entity, the greater the risk that something could go wrong and therefore
the greater the risk of material misstatement.
For example, the accounting that is required to produce financial statements for a large
multinational organisation with multiple subsidiaries, joint ventures and associates, foreign
operations, and acquisitions and disposals of investments, will be more complex and difficult
than that required for a small, simple one-entity business.
Specific examples of potential risks associated with complex entities include:
•• Not correctly distinguishing between, and accounting for, joint ventures, associates,
subsidiaries and special purpose entities.
•• Not identifying special purpose entities that require consolidation.
•• Impairment of significant goodwill and intangibles balances.
•• Not identifying related parties and related party transactions.
•• Errors in the consolidation process.
•• Translation of foreign currency transactions and balances.
The importance of understanding complexity is outlined in ISA 315 (Revised) para. A30.
Signficant changes
Significant changes in the entity from prior periods may give rise to, or change, risks of material
misstatement (ISA 315 (Revised) para A32), and consequently are a key audit focus area.
Examples – Significant changes and potential risks
Significant change Source of potential risks
Initial public offering Increased focus on performance

(IPO) during the current
Additional financial statement disclosure requirements
year – entity now listed
on a stock exchange Other financial reporting requirements
Increased number of stakeholders and public scrutiny
Installation of a new Risks over proper implementation and transfer of balances and supporting
accounting software data from previous system
system
Change in IT controls
Staff may need extensive training – increased risk of error due to lack of
familiarity with system
Outsourcing of a Controls over processing located at third party

significant component of
Need for internal controls over transfer of information to/from third party
the accounting system to
a third party (e.g. payroll)
Acquisition of a New risk profile for all amounts relating to the new business (e.g. potentially
significant new business different products, management, controls and markets)
Development of new Changes in risks related to revenue recognition

products or services
New products or services may fail

CC
Measurement and review of financial performance

ISA 315 (Revised) para. 11(e) requires the auditor to consider the measurement and review of
the entity’s financial performance.
An auditor can gain valuable insights into the risks posed to the entity by examining how its
management and external stakeholders measure financial performance:
•• The internal measures used by management and measures used by external stakeholders
are likely to be important to the entity. These measures could motivate management to take
action to improve performance, or to misstate the financial statements.
•• The performance results themselves may help the auditor identify potential audit risks.
Examples – Measures of financial performance and potential impacts on the audit
Measure of financial performance Potential impact on the audit
A retail business uses revenue per store as a key The auditor identifies a risk that management are
measure of performance for the business and store motivated to overstate reported revenue
managers
When reviewing management’s analysis of The auditor identifies a risk that accounts
variances between actual, forecast and prior period receivable balances may be overstated
results, the auditor notes that accounts receivable
balances and accounts receivable to sales ratios
are significantly higher than forecast and previous
financial periods
Investment analysts focus on consistent gross The auditor identifies a risk that direct costs could
margins be overstated or understated from one financial
period to the next to ‘smooth’ reported gross
margins
Required reading
ISA 315 (Revised) paras 1–5, 7–9, 11, A1–A5, A24–A27, A29–A32 and A35–A48, and Appendix 2.


CC
Internal control
A key part of understanding the entity includes understanding the entity’s internal control:
Obtain an understanding of:
The entity and its environment Internal control
(ISA 315 (Revised) para. 11) (ISA 315 (Revised) paras 12−24)
According to ISA 315 (Revised) para. 4(c), internal control means:

... the process designed, implemented and maintained by those charged with governance, management
and other personnel to provide reasonable assurance about the achievement of an entity’s objectives
with regard to reliability of financial reporting, effectiveness and efficiency of operations, and
compliance with applicable laws and regulations. The term ‘controls’ refers to any aspects of one or
more of the components of internal control.
Internal control is implemented by management to mitigate business risks that are related to
(ISA 315 (Revised) para. A51):
•• Financial reporting.
•• Efficiency and effectiveness of operations.
•• Compliance with laws and regulations.
It is important to understand, however, that internal control cannot completely mitigate risks.
Importance of internal control to the auditor
Understanding the entity’s internal control allows the auditor to assess where material
misstatements are likely to occur. The auditor is also identifying business risks that create risks
of material misstatements. When the auditor then understands the entity’s controls over those
business risks, a more complete risk profile emerges. According to ISA 315 (Revised) para. 12:
The auditor shall obtain an understanding of internal control relevant to the audit. Although most
controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to
financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgement
whether a control, individually or in combination with others, is relevant to the audit.
The auditor is only concerned with those controls that relate to a risk of material misstatement
in the financial statements. Some controls that address operational or compliance risks will also
impact on financial reporting, others will not.
Examples – Internal controls and their potential impact on financial reporting
Internal control Potential impact on financial reporting
Management prepares monthly actual to budget Identifies potential errors in the financial reporting
statements of profit or loss and statements of process and is therefore relevant to the audit
financial position. All significant variances are
investigated and explained
Regular health and safety inspections are Not relevant to the audit. However, if an accident
performed at all warehouses occurred, that event could be relevant to the audit
as a contingent or actual liability

CC
ISA 315 (Revised) para. A68 lists some factors that the auditor should consider in determining
whether a control is relevant to the audit.
When obtaining an understanding of controls that are relevant to the audit, the auditor must
evaluate the design of those controls and determine whether they have been implemented
by the entity. The process of evaluating the design and implementation of controls will be
discussed in detail in the unit on controls testing.
Required reading
ISA 315 (Revised) paras 12–13 and A68.
Types of internal controls

Controls work by preventing or detecting and correcting errors. Controls may operate on a
pervasive entity-wide level, or they can be specific to the initiation, processing or recording of a
particular transaction.
Controls can be manual, automated or manual with an automated component. For the purposes
of this unit, an entity’s mix of manual and automated controls is referred to as its system of
internal control. The diagram below demonstrates examples and the suitability of manual and
automated controls:
System of internal control
Manual control elements Automated control elements
Suitable where judgement and Suitable for:

discretion are required • High volume or recurring
• Large, unusual or non-recurring transactions
transactions • Errors can be anticipated or
• Errors are difficult to define, predicted
anticipate or predict
Examples: Example:
• Approval of transactions • Controls embedded in computer
• Review of transactions programs
• Follow-up of reconciling items
Manual controls operate over the manual elements of the accounting system. An example of a
manual control is a review of payroll exception report.
Automated controls include general IT controls (GITCs) and IT application controls.
IT application controls are fully automated controls designed to ensure complete and accurate
processing of data. An example of an IT application control is numerical sequence check. GITCs
are controls over the environment in which computer systems and databases operate. Controls
over program changes is an example of a GITC.
The different types of controls are often interrelated. For example, a review of payroll exception
reports (manual control) is reliant on the automated controls (both general and application) to
process payroll data and to generate the exception reports.

CC
Components of internal control

To assist the auditor in obtaining information about internal controls, ISA 315 (Revised) para.
A58 provides a framework of five components of internal control:
Control environment
Entity’s risk assessment process
Components of
Information system
internal control
Control activities
Monitoring of controls
ISA 315 (Revised) allows the auditor to use different terminology or frameworks to describe the
various aspects of internal control, provided all the components described in the Standard are
addressed.
Control environment
The control environment provides the foundation on which the other components of internal
control are built. It comprises the attitude, awareness and actions of the entity’s governing body
and management concerning the importance of internal control (ISA 315 (Revised) para. A76). It
is often referred to as the entity’s governance culture or ‘tone at the top’.
Internal controls in the control environment are often pervasive to the financial statements as a
whole and are commonly referred to as entity-wide controls or entity-level controls.
The control environment does not in itself prevent or detect errors. However, a poor control
environment is likely to undermine the other components of internal control. For instance,
employees are more likely to ignore or bypass an internal control process if it is perceived that
management is indifferent to overall governance in the organisation.
For this reason, the auditor is concerned that as per ISA 315 (Revised) para. 14:
•• Management (overseen by the governing body) maintains a culture of honesty and
integrity.
•• The control environment provides a strong foundation for the other components of internal
control and does not undermine those components.

CC
Elements of the control environment

ISA 315 (Revised) para. A77 includes some of the elements of the control environment, as
explained in the table below:
Elements of the control Why is it important?

environment
Communication and If people understand what is expected of them, they are less likely to ignore or
enforcement of integrity bypass internal controls
and ethical values
Commitment to Errors are more likely if employees are not competent in relation to their
competence responsibilities
Participation by those Independent, competent directors who are actively involved in overseeing
charged with governance management will have a positive influence on management
Management’s philosophy Influences employees’ attitudes to internal controls

and operating style
Auditor will assess how management makes estimates and exercises judgement
in financial reporting
Organisational structure Provides a framework for controlling and monitoring activities
Assignment of authority Appropriate authority enhances control

and responsibility
Human resources policies Competent, ethical and well-trained people reduce the risks of errors or control
and practices breaches
Entity’s risk assessment process

Management may have a formal or informal process for identifying and managing business
risks. The process should be appropriate to the entity and is likely to be less formal for smaller
entities (ISA 315 (Revised) paras A87–A88).
The auditor is interested in the risks of material misstatement, and therefore is required to
understand how the entity manages business risks. If the entity’s risk assessment process is
appropriate, the auditor can use that process to help identify potential audit risks (ISA 315
(Revised) para. 15).
However, if the entity’s risk management process is not appropriate, this will impact on the
auditor’s opinion of the control environment. For instance, if the entity’s risk assessment
process did not identify a risk that the auditor has already identified, or if management decided
to accept a particular risk, the auditor will take this into account in assessing the entity’s overall
control environment.
Information system
The information system is how the entity initiates, records, processes and reports transactions,
as well as how it accounts for assets and liabilities. It includes the accounting system and will
generally comprise automated and manual processes (ISA 315 (Revised) para. A89).
The information system includes the computer hardware and software, manual records, people
and procedures that are designed to:
•• Initiate, record, process and report transactions.
•• Account for assets, liabilities and equity.
•• Resolve incorrect processing of transactions.
•• Process and account for system overrides.
•• Transfer information from transaction processing systems to the general ledger.
•• Capture information for non-transaction events and conditions that are relevant to financial
reporting, such as depreciation and asset impairments.
•• Ensure transactions and disclosures are presented appropriately in the financial statements.

CC
An important feature of an information system is the audit trail. This is made up of the
documents and records that can be used to trace individual transactions through the system to
the financial statements.
Why is the information system important to the auditor?

The financial statements are the result of data processed through the information system.
Therefore, it is critical that the auditor understands how transactions are processed and the
controls that exist along the way.
ISA 315 paras 18–19 require the auditor to obtain an understanding of the key areas of the
information system. The components of an information system are illustrated in the following
diagram:
CLASSES OF TRANSACTIONS
Initiate
ACCOUNTING RECORDS
INFORMATION SYSTEM
Non-
transaction
events Record
Process
General
ledger
journals
Financial reporting
process
Financial statements

CC
General IT controls (GITCs)

As part of obtaining an understanding of an entity’s control environment, the auditor also
obtains an understanding of how the entity has responded to risks arising from its IT systems.
Controls over IT systems are effective when they maintain the integrity of information and
security of data that they process, and include effective IT application controls and GITCs
(ISA 315 (Revised) para. A103).
GITCs are controls over the environment in which computer systems and databases operate.
They relate to many applications in the entity’s IT environment. They support the effective
functioning of IT application controls and apply to both mainframe and end-user environments.
Examples − GITCs
The following examples illustrate GITCs.
General IT controls
Standards, planning, •• The IT governance structure

policies, etc (the IT •• How IT risks are identified, mitigated and managed
control environment)
•• The required information system, strategic plan (if any) and budget
•• IT policies, procedures and standards
•• The organisational structure and segregation of duties
•• Contingency/disaster recover planning
Security over data, the •• Acquisitions, installations, configurations, integration and maintenance of
IT infrastructure and the IT infrastructure
daily operations •• Delivery of information services to users
•• Management of third-party providers
•• Use of system software, security software, database management systems
and utility programs
•• Incident tracking, system logging and monitoring functions
Access to programs and •• Issuance/removal and security of user passwords and IDs
application data •• Internet firewalls and remote access controls
•• Data encryption and cryptographic keys
•• User accounts and access privilege controls
•• User profiles that permit or restrict access
Program development •• Acquisition of implementation of new applications

and program changes •• System development and quality assurance methodology
•• The maintenance of existing applications, including controls over program
changes
Monitoring of IT •• Policies, procedures, inspections and exception reports, ensuring

operations –– That information users are receiving accurate data for decision-making
–– Ongoing compliance with general IT controls; and
–– That IT is serving the entity’s needs and aligned with the business
requirements
Source: Australian audit manual and toolkit 2015 for small and medium sized entities, Exhibit 3.7.1, pp 65–6.
The auditor generally focuses on the key GITCs that support the effective functioning of ITACs
that the auditor plans to rely on.
Required reading
ISA 315 (Revised) paras A103–A105.

CC
Control activities
The auditor must obtain an understanding of control activities relevant to the audit. To identify
relevant controls, the auditor uses professional judgement. This may involve considering
previously identified risks of misstatement and then identifying controls that address those
risks. However, as per ISA 315 (Revised) para. A97, the auditor would always consider control
activities to be relevant to the audit where:
•• Control activities relate to ‘significant risks’.
•• Substantive procedures alone will not provide sufficient appropriate audit evidence, and
thus tests of controls are needed to supplement substantive procedures
Control activities are policies and procedures that help ensure that management’s directives are
carried out (ISA 315 (Revised) para. A96). Control activities are applied over the information
system to ensure the information recorded is accurate, complete and reliable.
Examples – Main types of control activities
Type of control activity Example
Authorisation All bank payments must be approved by two senior managers
Performance reviews Senior management and the board review actual results against those
forecast on a monthly basis
Information processing IT system performs a validity check on employee numbers as they are
entered
Physical controls Regular cyclical counts of inventory are conducted and compared to
recorded amounts
Segregation of duties Different people are responsible for credit control, receipts, banking,
and initiating and authorising sales transactions
In understanding the entity’s control activities, the auditor must obtain an understanding of
how the entity has responded to risks arising from IT (ISA 315 (Revised) para. 21). From the
auditor’s perspective, controls over IT systems are effective when they maintain the integrity of
information and the security of the data such systems process, and include effective general IT
controls and application controls (ISA 315 (Revised) para. 103).
Control activities are further discussed in the unit on responding to risks – controls testing.
Monitoring of controls
An entity may have a formal process for monitoring the design and implementation of internal
controls. This may include an internal audit function. In this case, the auditor will need to
obtain an understanding of the internal audit function (ISA 315 para. 23). Using the work of
internal auditors is considered in the unit on responding to assessed risk – using the work of
others.
The auditor is required to obtain an understanding of the major monitoring activities (ISA 315
(Revised) para. 22). This assists the auditor in:
•• Assessing the quality of internal control.
•• Identifying any breakdowns or deficiencies in internal controls.

CC
Limitations of internal control

Internal controls have inherent limitations, either in design or operation, or because
management chooses to accept some risk (ISA 315 (Revised) paras A53–A55). For these reasons,
there will always be a residual risk of material misstatement. As per ISA 315 (Revised) paras
A53–A55, controls can break down due to a number of reasons, including:
•• Human error.
•• Management overriding the controls.
•• Circumvention by collusion of multiple people.
Required reading
ISA 315 (Revised) paras 4(c), 12–24, A49–A59, A67– A71, A73–A83, A87–A92, A94, A96–A117 and
Appendix 1.

Worked example 4.1: Understanding the entity and its environment and identifying risk
factors
Worked example 4.2: Understanding the entity’s internal control and identifying control
strengths and weaknesses

CC
How the identification of risks and internal controls affects the

audit of an entity
Learning outcome
3. Demonstrate how the identification of risks and internal controls affect the audit of an entity.
Earlier in this unit, we identified the auditor’s responsibility to understand the entity and
its environment in order to identify and assess risks of material misstatement (see ISA 315
(Revised) para. 3).
In this section, we will begin to consider how the auditor applies their understanding of the
entity to respond to the risks identified. The relevant Standard, ISA 330 The Auditor’s Responses
to Assessed Risks (ISA 330), is also introduced.
The following diagram illustrates the risk assessment process and how the auditor responds to
the identified risks:
Design audit Perform audit

Identify risks Assess risks
procedures procedures
ISA 315 (Revised) ISA 330
RISK ASSESSMENT CONTINUES THROUGHOUT THE AUDIT PROCESS
REASSESS RISKS FOR NEW INFORMATION
Audit risk model

The link between risk assessment and the responses to risk is explained through the audit risk
model, illustrated by the following diagram:
Susceptibility to material Risk that a material Risk that audit Risk that the auditor
misstatements before misstatement is not procedures expresses an
considering related prevented, or detected and will not detect inappropriate
controls corrected by internal control material misstatements opinion
Inherent risk Control risk Detection risk Audit risk
IR × CR × DR = AR
Risk of material misstatement
Determined from the auditor’s Controlled by the auditor Set by the auditor
understanding of the entity, through design and to an acceptably
including its internal control performance of audit low level
procedures

CC
Before discussing the audit risk model further, the definition of each component will be
considered and some examples provided.
Audit risk
ISA 200 para. 13(c) defines ‘audit risk’ as follows:
Audit risk – The risk that the auditor expresses an inappropriate audit opinion when the financial report
is materially misstated. Audit risk is a function of the risks of material misstatement and detection risk.
Inherent risk
ISA 200 para. 13(n)(i) defines ‘inherent risk’ as:
The susceptibility of an assertion about a class of transaction, account balance or disclosure to a
misstatement that could be material, either individually or when aggregated with other misstatements,
before consideration of any related controls.
In other words, inherent risks are risks that result from an entity’s operations, activities or
industry. They are risks that management faces in running the business. The auditor identifies
inherent risks in the process of obtaining an understanding of the entity.
Examples – Inherent risk factors and the impact on risk in the financial statements
Inherent risk factor Impact on risk in the financial statements
High technology industry Products may become outdated, which could lead to
inventory being overvalued
Complex revenue recognition criteria for Revenue may be recognised in wrong period
revenue from services
Opportunity for management or employees to manipulate
revenue recognition
Pressure from analysts to achieve Pressure on management to overstate results

expected results
Control risk
According to ISA 200 para. 13(n)(ii), ‘control risk’ is:
The risk that a misstatement that could occur in an assertion about a class of transaction, account
balance or disclosure and that could be material, either individually or when aggregated with other
misstatements, will not be prevented, or detected and corrected, on a timely basis by the entity’s
internal control.
Management implements internal controls to respond to the risks to an entity’s objectives. The
auditor has a responsibility concerning the risks and related controls that relate to the financial
statements. Control risk is the risk that management’s internal controls over risks to the
financial statements are not effective or do not exist at all.
Internal controls are either:
•• pervasive to the financial statements as a whole – in the control environment, controls are
commonly pervasive
or
•• relate to specific accounts in the financial statements.

CC
Example – Control risk factors pervasive to the financial statements and the impact on risk
Control risk factor Impact on risk
An active and appropriately constituted audit Control strength over the financial statements as a
committee comprising non-executive directors, whole (i.e. pervasive) – reduces control risk
the majority of whom are independent
Examples – Control risk factors relating to specific accounts in the financial statements
Control risk factor Impact on risk
Purchase orders must be approved by the Control strength over purchases and inventory –
purchasing manager reduces control risk
All cheques and electronic funds transfers must be Control strength over cash at bank and expenses –
approved by two authorised managers from a list reduces control risk
of four
There are no adequate controls to ensure sales Control weakness over revenue – increases control
transactions are recorded at the date that risk
responsibility for goods passes to customers
Detection risk
As per ISA 200 para. 13(e), ‘detection risk’ is:
The risk that the procedures performed by the auditor to reduce audit risk to an acceptably low level
will not detect a misstatement that exists and that could be material, either individually or when
aggregated with other misstatements.
Detection risk is the component of risk that is controlled by the auditor, since it is the risk that
audit procedures will not detect risks of material misstatement. Detection risk is inversely
proportional to the level of testing (i.e. increasing the amount of audit testing decreases
detection risk).
In contrast, inherent risks and control risks relate to the entity and its environment and are
outside auditor’s control. These risks are identified through the auditor’s knowledge of the
business. Together, these two types of risks comprise the risk of material misstatement (RMM).
Applying the audit risk model

Consider each of the components of risk in the audit risk model:
IR × CR × DR = AR
RMM
The auditor uses the audit risk model as a framework for designing the audit procedures that
are required to reduce audit risk to an acceptable level, as follows:
Step 1: Determine the acceptable level of audit risk – this relates to the level of assurance being
provided by the auditor. Overall, audit risk must be sufficiently low.
Step 2: Understand the entity and its environment, including internal control.
Step 3: Identify and assess inherent risks and control risks.
Step 4: Determine the risk of material misstatement (RMM) using the audit risk model:
Risk of material misstatement (RMM) = inherent risk (IR) × control risk (CR).
Step 5: Determine the level of detection risk that is necessary to achieve the audit risk as
determined by the auditor using their professional judgement.

CC
The auditor applies the audit risk model and determines the RMM at two levels:
•• the overall financial reporting level, and
•• the assertion level for classes of transactions, account balances, and disclosures.
The following diagram illustrates how the auditor will then respond to assessed risks:
ASSESSED RISKS ...
At financial statement level At assertion level
AUDITOR’S RESPONSE
Overall response Further audit procedures
Examples include:
• Professional scepticism Substantive Test of
• Level of staff assigned procedures control
• Ongoing staff supervision
• Evaluate accounting policies
• Nature/extent/timing and
unpredictability of planned
procedures Test of Substantive
• Other further procedures detail Analytical
RESULT
Sufficient appropriate audit evidence to reduce audit risk to an

acceptably low level
Relationship between risk and audit approach

Risk assessment will also impact on the audit approach – the mix of different audit procedures
the auditor can select to perform to respond to assessed risks.
The following diagram illustrates how the auditor’s response to risks impacts on the audit
approach:
Inherent risk × Control risk × Detection risk = Audit risk
Tests of control used to Substantive procedures used

confirm the to reduce residual detection
assessment of control risk risk to an acceptable level

CC
There are two main types of audit procedures that auditors use to obtain audit evidence: tests of
controls and substantive procedures. These are illustrated in the following diagram:
Audit procedures
Tests of controls Substantive procedures
(see unit on responding to assessed (see unit on responding to assessed

risks – controls testing) risks – substantive testing)
Substantive analytical
Tests of details
procedures
A brief summary of the types of audit procedures is provided below:
Type of Description ISA

audit reference
procedure
Tests of A test of controls is an audit procedure designed to obtain evidence relating to the ISA 330
controls operating effectiveness of controls designed and implemented by management to para. 4(b)
prevent, or detect and correct, material misstatements at the assertion level
A test of control focuses on whether a transaction has gone through a process
designed to reduce the chance of material misstatement occurring in the financial
statements
Substantive Substantive procedures (i.e. either tests of details (TODs) or substantive analytical ISA 330
procedures procedures (SAPs), or both) must be performed for all material classes of para. 18
transactions, accounts balances and disclosures
A substantive procedure is a test designed to detect a material misstatement that
has occurred in the financial statements
Tests of controls and substantive procedures will be discussed in detail in later units on
responding to assessed risks – controls testing and substantive testing.
The following diagram summarises some of the considerations in developing the appropriate
audit approach for an account balance or class of transactions:
Would substantive tests alone

NO provide sufficient appropriate audit YES
evidence at the assertion level?
Tests of controls Would it be more

efficient to obtain the
YES audit evidence through
tests of controls (such as
Substantive procedures reducing the extent of
NO
substantive procedures)?
Adapted from: IFAC Guide, 3rd edn, vol. 2, p. 116.

CC
Determining the audit approach will be discussed in detail in the unit on developing an overall
audit plan.
Relationship between risk and audit evidence

As the RMM increases, the auditor needs to obtain more, and better quality, audit evidence:
Risk of
material
misstatement
Quantity and quality of audit evidence
Professional judgement is needed to determine the required balance between quality and
quantity. By increasing the quality of evidence, the auditor will often be able to reduce
the quantity. However, if the quality is poor, increasing the quantity will not necessarily
compensate (ISA 500 para. A4).
Required reading
ISA 500 paras 5–7 and A1–A33.
Worked example 4.3: Understanding the impact of control risk on the audit
Worked example 4.4: Identifying inherent and control risks and the impact on detection risk
Activity 4.1: Understanding the entity and its environment – inherent and control risks
Activity 4.2: Identifying internal control strengths and weaknesses in a sales process

CC
Auditor’s responsibility when a client uses a service

organisation
Learning outcome
4. Explain an auditor’s responsibilities when a client uses a service organisation.
Many entities outsource aspects of their business to external organisations that provide services
ranging from performing a specific task under the direction of an entity, to replacing an entire
business unit or function on behalf of the entity. In certain circumstances, the systems of these
external service providers (service organisations) effectively become part of the entity’s own
financial reporting information systems.
This section examines the auditor’s responsibilities when conducting an audit for an entity that
uses a service organisation as part of its business processes. These responsibilities are covered in
ISA 402 Audit Considerations Relating to an Entity Using a Service Organization (ISA 402).
This section will cover:
•• Which types of services are commonly outsourced to a service organisation.
•• The impacts on both the organisation that outsources its functions and its auditor.
•• The auditor’s responsibility to obtain an understanding of the services provided and their
effect on the entity’s internal controls.
•• How the auditor’s responsibility to design and perform appropriate audit procedures is
affected when a service organisation is used.
•• The two different types of reports that an auditor of the user entity can request from the
auditor of a service organisation to assist in understanding and assessing the service
organisation’s systems and controls that are relevant to the services it provided.
Using service organisations

Outsourcing functions to external service providers is becoming more common in today’s
business environment. This is usually because a service organisation can perform the function
more efficiently than the user entity itself, or because the user entity does not have the required
skills, or both. The provision of some of these services may impact on information that is
presented in the financial statements of the user entity.
A service organisation is defined in ISA 402 para. 8(e) as:
... a third-party organization (or segment of a third-party organization) that provides services to user
entities that are part of those entities’ information systems relevant to financial reporting.
When is an outsourced service relevant to the audit of the user entity?

Not all outsourced services are relevant to the audit. ISA 402 para. 3 provides that outsourced
services are relevant to the audit when the services form part of a user entity’s information
system for financial reporting. This is the case where the services affect any of the following:
•• Classes of transactions that are significant to the financial statements.
•• The procedures in both the IT and manual systems by which transactions are initiated,
recorded, processed, corrected as necessary, transferred to the general ledger and reported
in the user entity’s financial statements.
•• The related accounting records, either in electronic or manual form, that support
information and specific accounts in the user entity’s financial statements.

CC
•• How the user entity’s information system captures events and conditions other than
transactions, which are significant to the financial statements.
•• The process for preparing the financial statements.
•• Controls over journal entries.
Examples – Outsourced services that are relevant to an audit
Outsourced service Balances/transactions affected in the user

entity’s financial statements
Payroll function provided by service organisation’s Payroll expense and payroll-related provisions
computerised payroll system (e.g. annual leave)
Tax compliance Tax balances
Custody and record-keeping for certain classes of Asset balances

assets
Maintaining a trade receivables ledger on a service Accounts receivable balances

organisation’s system as part of a debtor financing
arrangement
IT services May have wide-ranging impacts if they affect

IT processes and related internal controls
The following types of services are not likely to be relevant, because these would not directly
affect the financial statements of the user entity:
•• Human resources services.
•• Marketing services.
•• Health and safety.
Required reading
ISA 402 paras 1–8.

CC
Impact of outsourcing on the audit of the user entity

The auditor needs to consider whether the processes, internal controls and documentation are
relevant to the audit of the user entity. If they are relevant, the auditor has a number of options
in obtaining the information needed from the service organisation, which this section discusses.
The diagram below illustrates how the systems and processes of a service organisation interact
with the user entity’s financial records:
ENTITY BEING AUDITED (USER ENTITY) SERVICE ORGANISATION
USER CONTROLS
Financial records Financial records
DATA DATA
Processes Processes
and and
controls controls
User entity’s controls over a service organisation

An important feature of using a service organisation is that the user entity will generally
implement additional controls over the data sent to and received from the service organisation.
These user entity controls are particularly important to the auditor. In some instances, the
controls can be strong enough for the auditor to rely on them without considering the controls
at the service organisation (ISA 402 para. A12).
Auditor’s responsibilities in an audit involving a service organisation

ISA 402 para. 7 states that the objectives of the auditor are:
(a) To obtain an understanding of the nature and significance of the services provided by the service
organization and their effect on the user entity’s internal control relevant to the audit, sufficient to
identify and assess the risks of material misstatement; and
(b) To design and perform audit procedures in response to those risks.
In the earlier section on gaining an understanding of the entity and its environment,
we discussed the auditor’s objective (ISA 315 (Revised) para. 3), which is to obtain an
understanding of the entity being audited and its environment, including internal control. The
requirements of ISA 402 reflect those of ISA 315 (Revised), but are adapted to circumstances in
which a service organisation is used.

CC
The following diagram illustrates the relationship between the auditor’s responsibilities and the
controls and evidence at both the user entity and service organisation:
OVER THE SERVICES

USER CONTROLS
DATA DATA
Controls and Controls and

evidence at the evidence at the
user entity service organisation
MUST consider MAY consider
Understand services and effect on internal control
Design and perform audit procedures
Required reading
ISA 402 paras 7 and A12.
How the auditor addresses these responsibilities is best explained through the following four-
step process:
•• Step 1 – Understanding the user entity – information located at the user.
•• Step 2 – Understanding the user entity – information located at the service organisation.
•• Step 3 – Audit procedures – information located at the user entity.
•• Step 4 – Audit procedures – information located at the service organisation.

CC
Step 1 – Understanding the user entity – information located at the user

ISA 402 para. 7(a) requires the auditor to obtain an understanding of:
•• The nature and significance of the services provided by the service organisation.
•• The effect of the services on the user entity’s internal control relevant to the audit.
The process of obtaining this understanding is illustrated by the diagram below:
Services provided
by service
organisation
Consider
Effect on user Nature and Interaction between Relationship,

entity’s internal materiality of user and service including
control transactions organisation contract terms
Evaluate
user entity’s controls over the
service organisation
Is the understanding obtained sufficient?
NO YES
Obtain additional
information from the
Auditor understands
user entity’s use of
ISA 402 para. 9 requires the auditor to understand how the entity uses a service organisation,
including:
•• The nature of the services provided by the service organisation and the significance of those
services to the user, including the effect on internal control.
•• The nature and materiality of the transactions that are processed, or accounts or financial
reporting processes affected.
•• The degree of interaction between the activities of the service organisation and those of the
user.
•• The nature of the user entity’s relationship with the service organisation, including relevant
contractual terms.

CC
User controls over the service organisation

The auditor then needs to understand the user entity’s controls over the services that are
provided (ISA 402 para. 10).
The more interaction the user entity has with the service organisation, the more opportunity
there is for the user to implement controls. These controls could be:
•• Controls over data sent to the service organisation (e.g. authorisation controls).
•• Controls over data received from the service organisation (e.g. review controls).
In certain circumstances, the user entity may have sufficient controls in place for the auditor to
rely on, regardless of the controls at the service organisation. In such cases, the auditor does not
need to consider the controls at the service organisation.
Does the user entity information provide the auditor with sufficient understanding?
If the auditor gains a sufficient understanding of the user entity from information at the user,
then the risk assessment is complete. If not, the auditor must then consider the controls and
procedures in place at the service organisation (ISA 402 para. 11).
Required reading
ISA 402 paras 7, 9–11 and A1–A14.
Step 2 – Understanding the user entity – information located at the service

organisation
If the auditor requires information from the service organisation to obtain a sufficient
understanding of the user entity, as mentioned above, there are a number of options. These are
outlined in ISA 402 para. 12 and illustrated in the following diagram:
To obtain additional
information from the
Auditor uses a combination of:
Type 1 or Type 2 Contact service Visit service Use another

report organisation – organisation – auditor to perform
request specific perform relevant procedures –
information procedures obtain necessary
information
Type 1 and Type 2 reports are assurance reports provided by another auditor and are discussed
in more detail later in this section.
Required reading

CC
Step 3 – Audit procedures – information located at the user entity

The auditor has now completed the risk assessment stage regarding the services provided.
The auditor now needs to respond to the risks of material misstatement. In determining this
response, the following needs to be considered as per ISA 402 para. 15:
•• Is there sufficient appropriate audit evidence available from records held by the user entity?
If not:
•• How can the auditor obtain sufficient appropriate audit evidence from the service
organisation?
The auditor’s determination will be based on:

•• The mix of tests of controls and substantive tests that the auditor plans to carry out.
•• The location of the relevant evidence.
Note: For a description of the types of audit procedures, candidates may wish to refer back to
the section on how the identification of risks and internal controls affects the audit of an entity.
How the auditor determines their response can be summarised as follows:
USER ENTITY SERVICE ORGANISATION
Does the auditor plan to rely on

operating effectiveness of controls?
YES
Consider if need to test

Test user entity’s
controls at service
NO controls over services
organisation
Consider if need to
Perform substantive perform substantive
tests at user entity procedures at service
organisation
Testing controls
This involves testing the controls the user entity has over the outsourced function, such as
authorising data that is sent to the service organisation, and reviewing information that comes
back into the user entity’s financial reporting systems.
Substantive testing
This involves testing any records that are held by the user entity, including any reports from
the service organisation, and performing analytical procedures on the reasonableness of the
information.
Required reading
ISA 402 paras 15 and A24–A28.

CC
Step 4 – Audit procedures – information located at the service organisation

If the auditor decides that audit evidence is required from the service organisation, there are
two testing options available: testing controls (i.e. service organisation’s internal control) and
substantive testing (i.e. of service organisation records).
Testing controls
The following diagram shows what procedures are appropriate for testing a service
organisation’s internal controls:
To test internal control

at the service
organisation
Auditor uses a combination of:
Type 2 report Visit service Use another auditor

organisation – to perform tests of
perform tests of controls
controls
Substantive testing
If the auditor decides it is necessary to perform substantive procedures on information and
documentation that is held by the service organisation, this could comprise a combination of:
•• Obtaining written confirmations of amounts directly from the service organisation.
•• Visiting the service organisation to inspect records.
•• Using another auditor to inspect records.
Required reading

CC
Reports from service organisation auditors

As mentioned above, the auditor may seek to obtain either Type 1 or Type 2 reports on controls
at the service organisation for the purposes of understanding the entity being audited or for
testing the operating effectiveness of controls.
Type 1 report
A Type 1 report is a report prepared by another auditor on the description and design of
controls at a service organisation. According to ISA 402 para. 8(b), a Type 1 report comprises:
(i) A description, prepared by management of the service organization, of the service organization’s
system, control objectives and related controls that have been designed and implemented as at a
specified date; and
(ii) A report by the service auditor with the objective of conveying reasonable assurance that includes
the service auditor’s opinion on the description of the service organization’s system, control
objectives and related controls and the suitability of the design of the controls to achieve the
specified control objectives.
Type 2 report
A Type 2 report is a report prepared by another auditor on the description, design and
operating effectiveness of controls at a service organisation. According to ISA 402 para. 8(c),
a Type 2 report comprises:
(i) A description, prepared by management of the service organization, of the service organization’s
system, control objectives and related controls, their design and implementation as at a specified
date or throughout a specified period and, in some cases, their operating effectiveness throughout
a specified period; and
(ii) A report by the service auditor with the objective of conveying reasonable assurance that includes:
a The service auditor’s opinion on the description of the service organization’s system, control
objectives and related controls, the suitability of the design of the controls to achieve the
specified control objectives, and the operating effectiveness of the controls; and
b A description of the service auditor’s tests of the controls and the results thereof.
Difference between Type 1 and Type 2 reports

The main differences between Type 1 and Type 2 reports are best illustrated by the following
diagram:
Understanding the service

organisation’s systems
TYPE 1 Design and implementation of TYPE 2

report service organisation’s internal controls report
Service auditor’s opinion on operating

effectiveness of service organisation’s
internal controls
Required reading
ISA 402 para. 8.

CC
Australia-specific
In Australia, for audits that are performed under the Corporations Act 2001 (Cth) (Corporations
Act), the auditor has additional responsibilities regarding the use of service organisations.
Corporations Act s. 307(c) and (d) require the auditor to ‘form an opinion on whether the
entity has kept proper financial records, and other records and registers as required by that
Act’ (ASA 402 Audit Considerations Relating to an Entity Using a Service Organisation (ASA 402)
para. Aus 5.1). The auditor needs to be aware of this when obtaining an understanding of
records that are held by the user and those that are held by the service organisation. In other
words, if a service organisation is not keeping proper financial records, the user organisation
may be in breach of the Corporations Act.
Required reading
ASA 402 para. Aus 5.1.
Corporations Act s. 307(c) and (d).
In New Zealand, s. 455 of the Financial Markets Conduct Act 2013 (FMCA) requires that proper
accounting records be kept by a FMC reporting entity. The audit must be completed in
accordance with auditing and assurance standards. If the auditor’s report indicates that any
of the provisions of Part 7 have not been met, the auditor is required to notify the Financial
Markets Authority and the External Reporting Board within seven working days of signing the
report (FMCA s. 461G). This would include the requirement to keep proper accounting records.
Similar provisions in the Companies Act apply for the audit of entities that are not FMC reporting
entities: see ss 207–207C.
Required reading
Financial Markets Conduct Act 2013 ss 455 and 461G.
Companies Act 1993 ss 207–207C.
Quick reference guides

4.1: Components of internal control (ISA 315)
4.2: Audit risk
Quiz

Readings

Standards.
Required reading
Relevant International Standards on Auditing and national equivalents, and other relevant national
pronouncements
ISA 315 (Revised) Identifying ASA 315 Identifying and Assessing ISA (NZ) 315 (Revised) Identifying
and Assessing the Risks of the Risks of Material Misstatement and Assessing the Risks of
Material Misstatement through through Understanding the Entity Material Misstatement through
Understanding the Entity and Its and Its Environment Understanding the Entity and Its
Environment Environment
•• Paragraphs 1–5, 7–9,11–24, •• Paragraphs 1–5, 7–9,11–24, •• Paragraphs 1–5, 7–9,11–24,
30–31, A1–A5, A24–A27, 30–31, A1–A5, A24–A27, 30–31, A1–A5, A24–A27,
A29–A32, A35–A59, A67–A71, A29–A32, A35–A59, A67–A71, A29–A32, A35–A59, A67–A71,
A73– A83, A87–A92, A94, A73– A83, A87–A92, A94, A73– A83, A87–A92, A94,
A96–A121, A127– A128 and A96–A121, A127– A128 and A96–A121, A127– A128 and
A140–A143 A140–A143 A140–A143
•• Appendix 1 •• Appendix 1 •• Appendix 1
ISA 402 Audit Considerations ASA 402 Audit Considerations ISA (NZ) 402 Audit Considerations
Relating to an Entity Using a Service Relating to an Entity Using a Service Relating to an Entity Using a Service
Organization Organisation Organisation
ISA 200 Overall Objectives of ASA 200 Overall Objectives of ISA (NZ) 200 Overall Objectives of
the Independent Auditor and the the Independent Auditor and the Independent Auditor and the
Conduct of an Audit in Accordance the Conduct of an Audit in Conduct of an Audit in Accordance
with International Standards on Accordance with Australian with International Standards on
Auditing Auditing Standards Auditing (New Zealand)
•• Paragraphs 13(c), 13(e) and 13(n) •• Paragraphs 13(c), 13(e) and 13(n) •• Paragraphs 13(c), 13(e) and 13(n)
ISA 320 Materiality in Planning and ASA 320 Materiality in Planning and ISA (NZ) 320 Materiality in Planning
Performing an Audit Performing an Audit and Performing an Audit
•• Paragraph 2 •• Paragraph 2 •• Paragraph 2
ISA 330 The Auditor’s Responses to ASA 330 The Auditor’s Responses to ISA (NZ) 330 The Auditor’s Responses
Assessed Risks Assessed Risks to Assessed Risks
•• Paragraphs 3 and 4 •• Paragraphs 3 and 4 •• Paragraphs 3 and 4
Corporations Act 2001 Financial Markets Conduct Act 2013

•• Sections 307(c) and (d) •• Sections 455 and 461G
Companies Act 1993
•• Sections 207–207C

Relevant International Standards on Auditing and national equivalents, and other relevant national
pronouncements

www.austlii.edu.au www.legislation.govt.nz
Further reading

References
Chartered Accountants Australia and New Zealand 2015, Australian audit manual and toolkit for
small and medium sized entities, Thomson Reuters (Professional), Australia, Exhibit 3.7-1, pp 65–6;
Exhibit 23.5-1, p. 283.
International Federation of Accountants 2011, Guide to using ISAs in the audits of small- and
medium-sized entities, 3rd edn (IFAC) Guide, vol. 1, Exhibit 9.0-1, p. 109; vol.2, p. 116.

ACT
Activity 4.1
Understanding the entity and its
environment – inherent and control risks
Introduction
The auditor is required to obtain an understanding of the entity being audited, including its
internal control, in accordance with ISA 315 (Revised) Identifying and Assessing the Risks of
Material Misstatement through Understanding the Entity and Its Environment (ISA 315 (Revised)).
This understanding forms the basis for identifying and assessing risks of material misstatement
to the financial statements.
•• Discuss and demonstrate the auditor’s responsibility to gain a thorough understanding of
•• Discuss and demonstrate the auditor’s responsibility to identify and assess the risks of
•• Demonstrate how the identification of risks and internal controls affect the audit of an
entity.
At the end of this activity, you will be able to identify inherent and control risks from an
understanding of an entity and its environment, including its internal control, in accordance
with ISA 315 (Revised).
Scenario
Respingo is a private company in the retail swimwear industry in Queensland that has been
operating for a number of years. Factfigs Chartered Accountants (Factfigs) is Respingo’s
auditor. You are an audit senior at Factfigs assigned to the audit of Respingo for the year ending
30 June 20X3. Respingo is run by Charlotte Smith, the managing director, and one of two equal
shareholders, and a staff of 15. After the success of its first retail store, the company has grown
rapidly, opening five new stores along Queensland’s Sunshine Coast.
You visited the office of Respingo two months before the end of the financial year to perform
some audit planning procedures. During the visit, you performed procedures to obtain and
update your understanding of Respingo and its environment, including its internal control, in
accordance with ISA 315 (Revised).
You obtained the following information:
•• Respingo is currently renegotiating its financing arrangements, and the bank has requested
a copy of the June 20X3 audited financial statements.
•• The accounting records are maintained by a part-time accountant, who is able to assist
Respingo when he can. At other times, transactions are processed by a variety of staff
members.
•• Charlotte prepares a monthly budget for each financial year. The part-time accountant
prepares monthly management accounts using an accounting software package that

ACT
was purchased off-the-shelf. Charlotte reviews the monthly management accounts and
compares actual results to the budget.
•• Charlotte continues to be actively involved in all aspects of the business.
•• Charlotte authorises all payments and controls all inventory orders and deliveries.
•• Traditionally, the company focused on ladies’ swimwear and accessories. In response to a
fall in sales, Charlotte has diversified the product range this year by introducing male and
infant swimwear to all stores.
•• Sales at the stores have faced competition from the rapidly growing online market.
Charlotte is currently investigating options for Respingo to access this market through a
partnership with an online retailer.
•• Previous recommendations of the auditors, including internal control recommendations
contained in Factfigs’ management letters to Respingo, have received little attention from
Charlotte, and internal control recommendations have not been adopted.
Task
For this activity, you are required to identify risk factors from the information provided above,
determine whether each risk factor impacts inherent risk or control risk, and explain whether
each risk factor could lead to a material misstatement in the 20X3 financial statements.
You may wish to present your answer in the form of a table as follows:
Risk factor Impact on inherent risk or control risk Explanation

ACT
Activity 4.2
Identifying internal control strengths and
weaknesses in a sales process
Introduction
It is recommended you work through Worked examples 4.1, 4.2 and 4.3 before attempting this
activity.
To identify and assess the risks of material misstatement, the auditor is required to obtain an
understanding of the entity being audited and its environment. This includes obtaining an
understanding of the entity’s internal control.
ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment (ISA 315) requires the auditor to obtain an
understanding of internal control relevant to the audit, and provides a useful framework for
components of internal control.
•• Discuss and demonstrate the auditor’s responsibility to gain a thorough understanding of
•• Demonstrate how the identification of risks and internal controls affect the audit of an
entity.
At the end of this activity, you will be able to identify control strengths and weaknesses through
gaining an understanding of an entity’s internal control.
Scenario
You are the audit senior assigned to the audit of International Cookie for the year ended
30 June 20X3. The audit manager, Santiago Toro, has asked you to review International Cookie’s
process for accepting and processing sales orders.
This activity follows on from the scenarios in Worked examples 4.1–4.3. The following
information is additional to the information in Worked examples 4.1–4.3.
AuditUs Partners Chartered Accountants (AuditUs) has evaluated the control environment
and pervasive controls over International Cookie’s financial reporting. The pervasive controls
have been assessed as robust enough to rely on for audit purposes, and sufficient appropriate
evidence is expected to exist to test their operating effectiveness.

ACT
Sales process
In relation to the sales process, you have obtained the following information:
•• Different staff members are responsible for initiating sales by taking orders, despatching
goods, raising sales invoices and creating delivery documentation.
•• The credit controller performs credit checks on all new customers prior to approving them.
Once new customers are approved, the credit controller enters the customer’s credit limit
into the system. Credit limits can only be overridden by the general manager or chief
financial officer (CFO).
•• Before processing, sales orders must be signed and then faxed or emailed to International
Cookie. Sales orders must be authorised by the sales manager.
•• Sales orders are entered into the accounting system, which then produces pre-numbered
packing slips for use by warehouse staff to pick inventory for shipping.
•• When goods are ready for delivery, they are checked by the warehouse supervisor against
the packing slips and approved sales orders. A pre-numbered delivery note is then
produced by the accounting system and checked against the goods and the sales order by
the warehouse supervisor.
•• The accounting department uses the pre-numbered delivery notes on the computer system
to prepare sales invoices for recording on Wednesdays and Fridays. There are no further
checks to ensure invoice dates and processing in the system match the actual delivery dates.
Task
•• Identify and explain internal control strengths and weaknesses relating to the sales process
described in the scenario.
•• Outline the impact of each internal control strength and weakness on the planned audit
procedures of International Cookie.
•• Identify the key financial statement account at risk of misstatement.
You may wish to present your answer in the form of a table as follows:
Internal control Explanation Impact on audit Key financial statement

strength or weakness procedures account at risk

CC
Core content
Unit 5: Analysing audit risks, financial
statement assertions and initial audit
engagements
Learning outcomes
1. Explain and apply the process of risk identification.
2. Explain and apply the use of assertions in assessing the risks of material misstatement at
the financial statement level and at the assertion level.
3. Describe and explain the steps that the auditor shall take in order to obtain sufficient,
appropriate audit evidence in regard to opening balances.
4. Describe and explain the objectives and responsibilities of the auditor with respect to
accounting estimates.
Introduction
The previous unit on understanding the entity and its environment outlined the auditor’s
responsibility to gather information about the entity and its environment, including the entity’s
system of internal control. It also outlined how this information is used to identify and assess
the risks of material misstatement. This unit will further explore the risk assessment process,
and discuss the auditor’s specific responsibilities in relation to particular audit issues.
The unit is divided into two sections. The first section addresses risk identification, including
identifying specific items in the financial statements that are at risk of material misstatement,
and their specific characteristics (or assertions) that are at risk. The second section of this unit
will address the auditor’s specific responsibilities in relation to initial audit engagements and
This unit looks at the following International Standards on Auditing (ISAs):
•• ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements (ISA 250).
•• ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment (ISA 315 (Revised)).
•• ISA 510 Initial Audit Engagements – Opening Balances (ISA 510).
•• ISA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related
Disclosures (ISA 540).
•• ISA 570 Going Concern (ISA 570)
aaa11605_csg

CC
Risk assessment procedures
Learning outcome
ISA 315 (Revised) para. 5 states that an auditor must perform sufficient risk assessment
procedures to provide a basis for the identification and assessment of risks of material
misstatement at both the financial statements and assertion levels. However, note that risk
assessment procedures, by themselves, do not provide sufficient appropriate audit evidence on
which to base an audit opinion.
Categories of risk assessment procedures

ISA 315 (Revised) para. 6 prescribes that the risk assessment procedures should include the
three categories of risk assessment procedures illustrated below:
Enquiries of
management
and others
Observation Analytical
and inspection procedures
Adapted from: IFAC Guide, vol. 1, Exhibit 8.0-1, p. 99.
In practice, these three types of procedures (enquiries, analytical procedures and observation
and inspection) overlap and work together. For example, the results of analytical procedures
might lead the auditor to make certain enquiries of management regarding year-to-date
results or reactions to market changes. Discussions with management may then lead to other
procedures.
Each of these categories of risk assessment procedures is discussed separately below.
Enquiries of management and others

Typically, most information resulting from enquiries is obtained from management and those
responsible for financial reporting. However, enquiries made of others within the entity and
employees of differing levels of authority can provide different perspectives and additional
information that can be useful in identifying risks of material misstatement that may otherwise
be missed.
Example – Enquiries of management and others

This example illustrates enquiries the auditor could make of management or others in the
entity.
The auditor could:
•• Discuss the accounting function with the financial controller to determine whether staff
have the required skills to properly prepare the financial statements.
•• Discuss market conditions with the sales manager to determine whether there are material
external risks facing the entity.

CC
Analytical procedures
Analytical procedures that are used as risk assessment procedures are typically performed at
a high level, which means that the results can only provide a broad indication of whether a
material misstatement may exist. However, using analytical procedures does help to identify
matters that have financial statements and audit implications.
Example – Analytical procedures

To identify any unusual overall trends, the auditor might calculate a series of common ratios
based on year-to-date results and compare these to the prior period.
Observation and inspection

Observation and inspection help support other risk assessment procedures conducted by the
auditor, as well as provide additional information about the entity and its environment.
The auditor could observe:
•• How the entity operates and is organised.
•• The entity’s premises and plant facilities.
•• Management’s operating style and attitude towards internal control.
•• The operation of various internal control procedures.
•• Compliance with key policies of the entity, by its management and employees.
The auditor could inspect documents related to the entity, such as:
•• Business plans, strategies and proposals.
•• Industry studies and media reports on the entity.
•• Major contracts and commitments.
•• Regulations and correspondence with regulators.
•• Correspondence with lawyers, bankers and other stakeholders.
•• Accounting policies and records.
•• Internal control manuals.
•• Reports prepared by management.
•• Other reports, such as the minutes from meetings of those charged with governance, and
reports from consultants.
Related activities
As well as considering the results of the specific risk assessment procedures described
above, ISA 315 (Revised) also requires the auditor to consider other sources of information
to determine whether they provide additional evidence that is relevant to identifying risks of
material misstatement. For example:
•• Information obtained from the client acceptance and continuance procedures
(ISA 315 (Revised) para. 7).
Example – Information obtained from the client acceptance and continuance procedures
When considering whether to accept the current year’s audit engagement, the auditor may
become aware of a substantial change in the board of directors, leading to the entity adopting
a more entrepreneurial focus. If this change results in the entity moving into new markets
and taking greater risks, it may increase the risks of material misstatement in the financial
statements.

CC
•• If the engagement partner has previously performed other engagements for the entity,
information that was obtained in performing those engagements (ISA 315 (Revised)
paras 8–9).
Example – Information obtained in other engagements for the entity

If a separate engagement to review loans receivable provisioning identified that a material
misstatement existed in the loans receivable account balance, the auditor might consider the
risk of this misstatement when planning the audit.
•• Engagement team communication. A critical element in the success of any audit

engagement is good, clear and continuing communication among the audit team members.
This starts with the identification and assignment of team members and arranging the team
meeting to plan the engagement, and continues throughout the engagement.
Once the auditor has gathered all available information from the risk assessment procedures,
ISA 315 (Revised) para. 10 requires the engagement partner and other key team members to
meet and discuss the financial statements’ susceptibility to material misstatement.
The purpose of this meeting is to ensure that key information is shared and understood by all
team members. It also helps team members to understand how the results of the procedures
they perform may affect other audit areas.
Required reading
ISA 315 (Revised) paras 6–10, A6–A23 and A74.
Identifying and assessing risks

The auditor uses the information obtained through the risk assessment procedures, together
with the information gathered about the entity and its environment (described in the unit
on understanding the entity and its environment), to actually identify and assess the risks of
material misstatement in the financial statements.
ISA 315 (Revised) para. 25 requires the auditor to assess the risks of material misstatement at
two levels:
•• The financial statements level.
•• The assertion level.
These levels of risk assessment are illustrated by the following diagram:
Assess risk at:
Financial statements level Assertion level
Pervasive risks – potentially Specific risks – generally

affect many areas of the affect a limited number of
financial statements specific balances
For example: For example:

• Going concern • Carrying value of inventory
• Management fraud • Completeness of trade
• Poor record keeping creditors account balance
Required reading
ISA 315 (Revised) paras 25, 26 and A118–A126.

CC
Significant audit risks
Learning outcome
When assessing the risks of material misstatement, ISA 315 (Revised) para. 27 requires the
auditor to determine whether any of the risks identified are, in the auditor’s judgement, a
significant risk. Significant risks are defined as risks that require ‘special audit consideration’
(ISA 315 (Revised) para. 4(e)), and are attached to items in the financial statements for which the
risks of material misstatement are highest. Therefore, these items require more audit time and
effort than other items in the financial statements.
Significant risks are assessed on their inherent risk, and before considering any related
mitigating controls. This means that significant risks are those items that are inherently risky
because of their nature, not because of the absence of internal controls. This is because internal
controls are ignored when assessing significant audit risks.
If all assessments of risks were charted as illustrated below, the two risks falling within the high
impact/high likelihood quadrant would be considered significant risks. Not all audits have risks
that fall into this quadrant, and therefore not all audits have significant risks.
High impact High impact

Low likelihood High likelihood
Impact
(magnitude)
of risk
Low impact Low impact

Low likelihood High likelihood
Likelihood of risk occurring
= Identified risk factor
Source: IFAC Guide, vol. 2, Exhibit 10.3-1, p. 121.

CC
Risks that require special audit considerations

ISA 315 (Revised) para. 28 requires the auditor to specifically consider the following matters
when deciding which risks are significant:
•• Whether there is a risk of fraud.
Example – Significant risk related to a risk of fraud

A casino handles large amounts of cash, which means the entity is highly susceptible to the
occurrence of fraud. The auditor might therefore determine cash balances are a significant risk
area for the casino.
•• Whether the risk is related to recent significant economic, accounting or other developments
that require specific attention.
Example – Significant risk related to recent economic changes

A mining company has been affected by significant fluctuations in commodity prices. The
fluctuations have impacted on cash flows and asset prices. The auditor might therefore
determine that assets and the related potential impairment expense are significant risk areas.
•• The complexity of transactions.
Example – Significant risk attached to complex transactions

A multinational entity might engage in foreign currency dealings across multiple entities and
countries. Foreign currency gains and losses might therefore be assessed as a significant risk area.
•• Whether the risk involves significant transactions with related parties.
Example – Significant risk attached to related party transactions

A privately held company may have many members of one family as shareholders, directors
and employees, which may lead to large volumes of related party transactions. The related
party disclosures might therefore be assessed as a significant risk area.
•• The degree of subjectivity in the measurement of financial information that is related to the
risk.
Example – Significant risk attached to subjective financial measurement

A mining company holds multiple leases, the value of which is dependent on the underlying
minerals. However, as it is not possible to ascertain the quality and quantity of the minerals
underground, determining their value is subjective. The valuation of the leases might therefore
be assessed as a significant risk area.
•• Whether the risk involves significant transactions outside the entity’s normal course of
business.
Example – Significant risk related to significant transactions outside the normal course of business
A milk processing company decides to purchase a large dairy farm to ensure a consistent
supply of fresh milk. It will require significant expertise on the company’s behalf to correctly
account for the purchase. Therefore, the auditor might assess all material balances affected by
the purchase as significant audit risks.

CC
Whenever the auditor determines that a significant risk exists, they need to obtain an
understanding of the entity’s internal controls, including control activities, related to the
risk (ISA 315 (Revised) para. 29). Testing control activities is covered in detail in the unit on
responding to assessed risks – controls testing.
Required reading
ISA 315 (Revised) paras 4(e), 27–29 and A129–A139, and Appendix 2.
Going concern
While ISA 315 (Revised) includes the fundamental principles of risk assessment, including
the procedures the auditor shall perform and the types of information ordinarily gathered,
a number of other Auditing Standards include additional guidance on issues that may affect the
auditor’s risk assessment. One of these is ISA 570.
When preparing the financial statements, an entity’s management is required to make an
assessment of the entity’s ability to continue as a going concern. For financial statements that
are prepared on a going concern basis, the auditor needs to consider whether it is appropriate
to assume that the entity will remain a going concern when planning and performing the audit,
and when evaluating the results of the audit.
At the risk assessment stage of an audit, the auditor should:
•• Consider and ask management about the existence of any events/conditions that may cast
doubt on the entity’s ability to continue as a going concern.
•• Review management’s assessment of possible events/conditions, and any response/plans.
•• Remain alert for possible conditions or events.
An auditor’s responsibilities and response in relation to going concern are covered in the unit
on subsequent events and going concern.
Required reading
Laws and regulations

Another special issue that an auditor needs to consider is the entity’s compliance with relevant
laws and regulations. This is addressed in ISA 250.
Management and those charged with governance are responsible for ensuring the entity’s
financial statements and operations comply with the provisions of relevant laws and
regulations. It is the auditor’s responsibility to determine the effect of non-compliance (if any)
on the financial statements.
Example – Compliance with laws and regulations

Assume that a candidate intends to set up a small accounting practice after completing the
Chartered Accountants Program. Which laws and regulations might this entity have to comply
with?
The following may apply:
•• Workplace relations laws, including pay rates and leave entitlements for employees.
•• Work health and safety laws, including the arrangement of the office space or access to fire
exits.
•• Chartered Accountants ANZ regulations, including those that regulate what is an
acceptable name for the practice, signage and advertising.
•• Government laws and regulations, including company and tax legislation and statutory
registrations.

CC
Even for a fairly simple business, the extent of laws and regulations and their effects is far-
reaching. In considering more complex businesses – for example, those involved in food
handling, mining or aged care – it quickly becomes apparent how integral laws and regulations
are to the operations of any business, and why it is important for an auditor to consider how
they have impact on an audit.
ISA 250 recognises the wide range of laws and regulations that exist, and notes that the auditor
is not expected to detect non-compliance with all laws and regulations that affect an entity.
Required reading
ISA 250 requirements
The requirements of ISA 250 therefore involve considering:
•• The relevant legal and regulatory framework within which an entity operates.
•• When it is identified or suspected that an entity is not complying with the relevant laws and
regulations.
•• Reporting identified or suspected non-compliance.
Considering the legal and regulatory framework

In order to focus audit effort on the areas it is most needed, ISA 250 divides laws and
regulations into two categories:
1. Laws and regulations that are generally recognised to have a direct effect on the financial
statements. These might include:
•• Laws that relate to the form and content of financial statements. For example, in
Australia many entities must comply with the financial reporting requirements of the
Corporations Act 2001 (Cth) (Corporations Act), and in New Zealand many entities have
obligations under the Companies Act 1993 and the Financial Reporting Act 2013.
•• Accounting Standards, including industry-specific regulations and requirements –
for example, restoration costs applicable to an open-cut mine.
•• Taxation laws – for example, income tax, payroll tax and customs and excise duties.
If an entity fails to comply with the relevant laws and regulations, this will generally
have a direct, and possibly material effect on the financial statements. For example, non-
compliance with the Accounting Standards may result in a lack of appropriate recognition,
measurement or disclosure of transactions. In Australia, non-compliance is a breach of the
entity’s reporting obligations under the Corporations Act.
2. Other laws and regulations that do not have a direct effect on the financial statements,
but which may be fundamental to the business. These might include:
•• Licensing laws – for example, a club that has poker machines must hold the relevant
licence to do so, and comply with responsible gambling regulations.
•• Environmental regulations – for example, a fish market that discharges waste into the
ocean must comply with relevant wastewater regulations.
•• Workplace safety laws – for example, a trucking company must allow set rest breaks
and enforce maximum shift times in relation to its drivers.
Failure to comply with these laws and regulations may have a material effect on the
financial statements of the company concerned. For example, non-compliance with
environmental regulations may lead to fines and/or restrictions on operations.

CC
The requirements of ISA 250 in relation to these two categories of laws and regulations can
be illustrated as follows:
Laws and regulations
Generally recognised to have a direct That do not have a direct effect

effect on the financial statements on the financial statements
(ISA 250 para. 6(a)) (ISA 250 para. 6(b))
Require the auditor to: Require the auditor to:

Obtain sufficient appropriate audit Undertake specific procedures to help
evidence regarding compliance identify non-compliance, including:
(ISA 250 para. 13) • Making enquiries of management
and those charged with governance
• Inspecting relevant correspondence
(ISA 250 para. 14)
Applying these requirements to a manufacturing company, the auditor is required to:
Obtain sufficient appropriate audit Make enquiries of management

evidence regarding the entity’s regarding workers’ compensation
compliance with taxation laws insurance and sight certificate of
currency from insurer
In addition to the above, ISA 250 also requires the auditor to remain alert to the possibility that
other audit procedures might reveal non-compliance (ISA 250 para. 15). For example, analytical
procedures that are performed on expenses may reveal material fines paid for non-compliance
with laws and regulations.
The auditor also needs to obtain appropriate written representations from management
regarding the entity’s compliance with laws and regulations (ISA 250 para. 16). These would be
included in management’s representation letter.
Required reading

CC
When non-compliance is identified or suspected

ISA 250 provides a list of items that may be indicators of an entity’s actual or suspected
non‑compliance with laws and regulations (ISA 250 para. A13). These include:
•• Investigations by regulatory authorities – for example, in relation to unpaid taxes.
•• Payment of fines or penalties – for example, for breaches of work health and safety laws.
•• Unusual transactions involving entities that are registered in tax havens. Such transactions
may take place, for example, to avoid cash transfer reporting obligations in the entity’s
home country.
If the auditor becomes aware of actual or suspected non-compliance, they need to obtain:
•• An understanding of the act(s) of non-compliance and related circumstances (ISA 250
para. 18(a)).
•• Further information to enable them to evaluate the effect of this non-compliance on the
financial statements (ISA 250 para. 18(b)).
The auditor also needs to:

•• Determine the effect of the non-compliance on other aspects of the audit – for example, risk
assessment (ISA 250 para. 21).
•• Evaluate the effect of the non-compliance on the audit opinion (ISA 250 para. 20).
Required reading
Reporting identified or suspected non-compliance

The auditor needs to report any actual or suspected non-compliance to those charged with
governance, except where the matters are clearly inconsequential (ISA 250 para. 22). For
example, the payment of a small fine due to the late payment of workers’ compensation
insurance premiums would ordinarily be considered inconsequential.
If the auditor suspects that management and those charged with governance are involved in
acts of non-compliance, the auditor needs to communicate this to a higher level of authority
within the entity, such as the audit committee (if it exists). Otherwise, the auditor should
consider obtaining legal advice (ISA 250 para. 24).
The auditor also needs to determine whether they have a responsibility to report the matter
to a third party or parties. For example, if the entity appears to have breached anti-money
laundering laws, the auditor may be required by law to report this to the relevant statutory
authorities (ISA 250 para. 28).
If actual or suspected non-compliance has a direct material effect on the financial statements,
the auditor may need to modify the audit opinion (ISA 250 para. 25). (Further information
on auditor’s opinions is included in the unit on forming an opinion and issuing an auditor’s
report.)
The auditor needs to comply with any legislative or regulatory reporting obligations regarding
potential or actual non-compliance.

CC
Example – Identifying risk of material misstatement in the planning stage

This example illustrates how risks are identified, in accordance with ISA 315 (Revised) and
ISA 250, during the audit planning stage.
Esther Chan is the audit manager with AuditUs Partners Chartered Accountants and is assigned
to the audit of XX Limited (XX). As part of planning for the audit for the year ended 30 June
20X3, she has had a meeting with Sally Smith, the chief financial officer of XX. During the
course of that meeting she learns that XX has recently acquired a company in Singapore, its first
international subsidiary. Sally tells Esther that she has been busy with the acquisition and an
audit by the Taxation Office.
While Esther was visiting XX, she noticed that there were a few empty desks in the accounts
area and was told that the financial controller, financial accounting manager and financial
accountant had all left XX in recent months and that Sally was still trying to fill those roles.
Esther reads the board minutes for the year to date and notes that XX has borrowed money
from a US lender to fund the Singapore acquisition and that the loan is in US dollars. The board
has asked for a hedging policy to be presented at the next board meeting.
Esther is given a copy of the latest management accounts, which show a dramatic lift in
revenue from the existing operations compared to the prior year. She is surprised by this as
media reports suggest that the industry in which XX operates in has been in decline due to
cheaper imports.
On returning to her office, Esther documents the risks that she has identified that may impact
on the financial statements:
•• Acquisition of a subsidiary – this transaction is outside the normal course of business and
requires expertise to correctly account for the purchase and ongoing consolidation.
•• Foreign operations and foreign currency borrowings – foreign currency transactions in
Singapore dollars and US dollars, as well as hedging, could represent complex transactions
that the finance staff are not familiar with.
•• Unexpected growth in revenue – the growth in revenue is contrary to expectations.
•• Staff changes in the finance function – there is a risk that the accounting team does not
currently have the capacity and/or the expertise to accurately produce the financial
statements.
•• Management time and focus is not on core ongoing business operations – Sally has been
focused on the acquisition of the subsidiary and the tax audit.
•• Compliance with taxation laws – given the audit by the Taxation Office, there is a risk that
non-compliance might have been identified.
Esther has used analytical procedures, observation and enquiries of management to identify
these risks.
Required reading


CC
Australia-specific
ASA 250 Consideration of Laws and Regulations in an Audit of Financial statements (ASA 250) is
based on its international equivalent, ISA 250, with the following differences (identified by the
prefix ‘Aus’ in the relevant paragraph numbers):
– ASA 250 para. Aus A18.1 clarifies that if, in the case of an audit conducted under the
Corporations Act, the auditor identifies non-compliance with an Australian Accounting
Standard, defects or irregularities in the financial report or deficiencies, failures or
shortcomings in respect of s. 307 of the Act, the auditor’s report needs to include the
information required by the Act. The auditor needs to consider any other relevant laws and
regulations.
– ASA 250 para. Aus A19.1 includes a statutory responsibility by the auditor to report
certain instances of non-compliance with laws and regulations. For example, in certain
circumstances, the auditor is required under the Corporations Act to report to the
Australian Securities and Investments Commission (ASIC).
ISA (NZ) 250 Consideration of Laws and Regulations in an Audit of Financial statements (ISA (NZ)
250) is based on its international equivalent, ISA 250, with the following differences (identified
by the prefix ‘NZ’ in the relevant paragraph numbers):
– ISA (NZ) 250 para. NZ3.1 states that, in New Zealand, those charged with governance often
have a statutory responsibility for the preparation of financial statements. In these cases the
process of financial reporting is usually delegated to management, but the responsibility
for such matters remains with those charged with governance. In applying ISA (NZ) 250
the auditor must apply professional judgement, their knowledge of New Zealand legal
requirements and corporate governance practices to determine whether ISA (NZ) 250
applies to management or those charged with governance.
– (ISA (NZ) 250 paras NZ16.1 and NZA12.1 explain that the auditor needs to request written
representations from those charged with governance that all known instances of non-
compliance or suspected non-compliance with laws and regulations whose effects should
be considered when preparing financial statements have been disclosed to the auditor.

CC
Audit assertions
Learning outcome
2. Explain and apply the use of assertions in assessing the risks of material misstatement at the
financial statement level and at the assertion level.
Audit assertions are important, as they help the auditor identify the specific characteristics of
the items in the financial statements that are likely to be materially misstated.
Underlying all account balances included in the financial statements by an entity’s management
are a number of implicit assertions (ISA 315 (Revised) para. A123). For example, a recorded cash
balance of $1,520,000 includes the implicit assertions that the cash balance:
•• Is complete (i.e. all cash belonging to the entity has been included).
•• Is valued in the appropriate currency.
•• Exists (i.e. no fictitious amounts are included).
•• Is actually the property right of the entity (i.e. the cash doesn’t belong to another entity).
All classes of transactions, account balances and disclosures in the financial statements contain
similar implicit assertions, and part of the auditor’s role is to assess the risks of material
misstatement at the assertion level.
Required reading
ISA 315 (Revised) paras 4(a) and A123.
Categories of audit assertions

The audit assertions referred to in this module are prescribed and grouped in accordance
with ISA 315 (Revised) para. A124. Some publications (e.g. textbooks, audit firm manuals,
etc.) describe and group the assertions a little differently. While this is permitted by ISA 315
(Revised), as long as all the relevant characteristics of the financial information are covered, for
the purposes of the AAA module use the ISA 315 (Revised) terminology.
(Note: ISA 315 (Revised) para. A124 is equivalent to ASA 315 para. A124 and ISA (NZ) 315 (Revised)
para. A124. Candidates must use these assertions in the exam.)
The assertions are divided into three categories, which relate to:
•• Classes of transactions (i.e. items in the statement of profit or loss, such as revenue).
•• Account balances (i.e. items in the statement of financial position, such as trade receivables
and payables).
•• Presentation and disclosure.

CC
The three categories of assertions prescribed by ISA 315 (Revised) para. A124 are shown in the
following table:
ISA 315 (Revised) categories of assertions
Category Assertion Explanation
Classes of transactions Occurrence Transactions and events that have been recorded have occurred
and events for the and pertain to the entity
period
Completeness All transactions and events that should have been recorded have
been recorded
Accuracy Amounts and other data relating to recorded transactions and

events have been recorded appropriately
Cut-off Transactions and events have been recorded in the correct

accounting period
Classification Transactions and events have been recorded in the proper

account
Account balances Existence Assets, liabilities and equity interests exist
Rights and The entity holds or controls the rights to assets, and liabilities are
obligations the obligations of the entity
Completeness All assets, liabilities and equity interests that should have been
recorded have been recorded
Valuation and Assets, liabilities and equity interests are included in the financial
allocation statements at appropriate amounts and any resulting valuation or
allocation adjustments are appropriately recorded
Presentation and Occurrence Disclosed events, transactions and other matters have occurred
disclosure and rights and and pertain to the entity
obligations
Completeness All disclosures that should have been included in the financial
statements have been included
Classification and Financial information is appropriately presented and described,

understandability and disclosures are clearly expressed
Accuracy and Financial and other information are disclosed fairly and at
valuation appropriate amounts
Required reading
ISA 315 (Revised) para. A124.

CC
Identifying assertions at the greatest risk of material misstatement

Some assertions would generally be more at risk of being misstated than others. For example,
auditors usually assume that there is a greater risk of material misstatement in relation to
revenue cut-off than to completeness of revenue. Similarly, auditors generally assume there
is a greater risk of material misstatement in relation to existence of trade receivables than to
completeness of trade receivables. This is because auditors generally assume (unless there
is evidence to the contrary) that an entity will want to present its financial statements in as
positive light as possible – that is, an entity will be inclined to:
Overstate assets and/or understate liabilities To improve entity’s net asset position
Overstate revenue and/or understate expenses To increase entity’s reported profit
This general assumption can help the auditor to identify the assertions that are at greatest risk
of material misstatement at the risk assessment stage of the audit, as illustrated by the table
below:
Account type Auditor’s Key assertions at greatest risk of material misstatement

assumption
Revenues Overstated Occurrence – are the entity’s recorded revenue transactions genuine?
Accuracy – are the entity’s revenue transactions recorded appropriately
(e.g. at the correct dollar amount)?
Cut-off – are the entity’s revenue transactions recorded in the correct
accounting period (e.g. next period’s revenue is not incorrectly recorded in
the current period and, similarly, last period’s revenue was not carried over
and included in the current period)?
Expenses Understated Completeness – has the entity recorded all its expenses?
Accuracy – are the entity’s expenses recorded appropriately (e.g. at the
correct dollar amount)?
Cut-off – are the entity’s expenses recorded in the correct accounting period
(i.e. this period’s expenses are not incorrectly recorded in another period)?
Assets Overstated Existence – do the entity’s recorded assets exist?

Rights and obligations – do the recorded assets belong to the entity?
Valuation and allocation – are the entity’s recorded assets properly valued?
Liabilities Understated Completeness – has the entity recorded all its liabilities?
Valuation and allocation – are the entity’s liabilities recorded at the proper
amount?
Therefore, while it is true that the auditor needs to obtain audit evidence in relation to all
the assertions that are applicable to each class of transaction, account balance and disclosure,
having a knowledge of the assertions that are at the greatest risk of misstatement helps the
auditor to direct effort to where it is most needed.
It is also important to understand the linkages between related accounts and assertions. For
example, there is a an interrelationship between revenue and trade receivables: being opposite
sides of a journal entry (i.e. a trade receivable is generally created by a revenue transaction).
If the auditor determines that there is a risk of material misstatement in a class of transactions,
there will be a corresponding risk of material misstatement in the related account balance. For
example, a risk of material misstatement in revenue that is due to an inaccurate cut-off also
means there is a corresponding risk that trade receivables are materially misstated (i.e. do the
year-end trade receivables exist and are they complete?).

CC
The relationships between classes of transaction and account balance assertions and the
potential extent of errors arising are represented in the diagram below:
Related assertions Extent of monetary error
Correctly stated amount for transaction/balance

Completeness
(missing transactions)
Existence/Occurrence
(invalid transactions)
Rights and obligations/Accuracy/

Cut-off/Classification
(inaccurate; recording, cut-off or
rights/obligations)
Valuation and allocation

(recorded at incorrect value)
Understated – + Overstated
Link between assertions and testing

In addition to helping the auditor identify the characteristics of financial information most at
risk of material misstatement, assertions are also important in providing a link between tests of
controls (which are generally directed to classes of transactions) and substantive tests (which
are generally directed to account balances).
For example, if the auditor has evidence from tests of controls that purchases are complete,
they also then have evidence that trade creditors are complete and therefore, the extent of
substantive procedures that are performed on completeness of trade creditors can be reduced.
Similarly, if the auditor attains evidence from substantive procedures that trade receivables
exist at a point in time, they also have evidence that the related revenue transactions occurred.
The two units on responding to assessed risks – controls testing and substantive testing, explain
how to use controls testing and substantive testing to obtain evidence of misstatements at the
assertion level in further detail.
Worked example 5.1: Identifying risks at the assertion level

Worked example 5.2: Identifying risk at the financial statements level

Activity 5.1: Identifying risks at the assertion level

Activity 5.2: Identifying risk at the financial statements level


CC
Initial audit engagements
Learning outcome
3. Describe and explain the steps that the auditor shall take in order to obtain sufficient,
appropriate audit evidence in regard to opening balances.
As stated in the introduction to this unit, auditors have additional responsibilities when dealing
with an initial audit engagement. Such an engagement is defined in ISA 510 para. 4(a) as being
one in which either:
•• ‘The financial statements for the prior period were not audited’ – this may occur, for
example, when a company grows and meets audit requirements for the first time, for
example, in Australia becoming a ‘large proprietary’ company under the Corporations Act
for the first time.
•• ‘The financial statements for the prior period were audited by a predecessor auditor’ – this
may occur, for example, when an entity puts its audit out to tender and selects a new audit
firm.
Initial audit engagements present a particular challenge for the auditor because there is no
evidence from the prior year’s audit regarding the opening balances (and disclosures) on which
the current year’s financial statements are based.
The auditor must perform specific audit procedures, as prescribed by ISA 510, to gather
sufficient appropriate audit evidence about whether:
•• Opening balances contain misstatements that materially affect the current period’s financial
statements.
•• Appropriate accounting policies have been consistently applied to the current period’s
These specific audit procedures prescribed by ISA 510 are discussed below.
Required reading
Audit procedures – opening balances

ISA 510 requires the auditor to perform the following procedures in relation to opening
balances:
•• Determine whether the prior period closing balances have been correctly brought forward
(ISA 510 para. 6(a)).
•• Determine whether appropriate accounting policies have been applied (ISA 510 para. 6(b)).
The auditor also needs to perform one or more of the following procedures:
•• If the prior period financial statements were audited, obtain evidence regarding the opening
balances for that audit by reviewing their predecessor auditor’s working papers (ISA 510
para. 6(c)(i)).
Taking this step requires the auditor to follow specific ethical and professional
requirements. For example, APES 110 Code of Ethics for Professional Accountants (in Australia)
and PES 1 (Revised) Code of Ethics for Assurance Practitioners (in New Zealand) detail specific
procedures for communicating with a predecessor auditor.
•• Evaluate whether audit procedures performed in the current period will provide evidence
that is relevant to the opening balances (ISA 510 para. 6(c)(ii)).
•• Perform specific procedures to obtain evidence regarding opening balances
(ISA 510 para. 6(c)(iii)).

CC
Audit guidance on opening balances

While it is possible for an auditor to obtain sufficient appropriate audit evidence related to some
opening balances, it is often not possible for an auditor to obtain such evidence to support all
account balances or cash flows.
For example, if opening trade receivables are collected during the current audit period, this may
provide sufficient evidence to allow the auditor to conclude the opening balance was materially
correct. The auditor may be able to verify opening trade payables in a similar way. To verify the
opening balances of both investments and long-term debt, the auditor might obtain third-party
confirmations to verify the relevant amounts.
However, balances such as inventory are generally more difficult to verify. The auditor may, for
example, need to observe a current inventory count and reconcile it with the opening inventory
quantities.
The following guidance is provided by the Australian Auditing Standards Board’s explanatory
guide Opening Balances (para. 4):
In performing an initial audit engagement, it is not uncommon for the auditor to be faced with
difficulties in obtaining sufficient appropriate audit evidence in relation to opening balances. Such
difficulties may be due to the following circumstances:
(a) The auditor was appointed after the commencement of the current financial reporting period and
accordingly was unable to attend the physical counting and inspection of inventory or other assets.
(b) The prior financial reporting period was not audited.
(c) The prior financial reporting period was audited and the predecessor auditor:
(i) qualified the opinion; or
(ii) issued an adverse opinion; or
(iii) disclaimed an opinion.
(d) the predecessor auditor does not, or cannot, provide access to the audit working papers for the
previous reporting period.
(e) The auditor cannot obtain sufficient appropriate audit evidence through:
(i) audit procedures performed in the current year; or
(ii) specific procedures designed to obtain audit evidence regarding opening balances.
The overall objectives of the auditor include obtaining reasonable assurance about whether
the financial statements as a whole are free of material misstatement. Accordingly, where the
auditor is faced with any of the circumstances outlined above, they are required to determine
the effect of those circumstances on the financial statements as a whole. The auditor then
expresses an opinion on the financial statements as a whole, as they cannot express separate
opinions on each element of the financial statements.
Required reading
ISA 510 paras 5–7, 9 and A1–A7.


CC
Audit procedures – accounting policies

In relation to accounting policies, ISA 510 para. 8 requires the auditor to determine whether the
policies used by the entity in the previous period have been consistently applied in the current
period’s financial statements. Where material changes have occurred, the auditor needs to
determine that adequate disclosures have been made.
Required reading
ISA 510 para. 8.
Implications of insufficient evidence on the audit report

Where the auditor in an initial audit engagement:
•• is unable to obtain sufficient appropriate audit evidence regarding opening balances, or
•• has sufficient appropriate evidence that the opening balances contain a material
misstatement,
then ISA 510 paras 10–11 require the auditor to issue a modified opinion on the financial
statements.
Similarly, if the entity’s accounting policies are not consistently applied or a change in policy
is not properly accounted for, presented or disclosed, ISA 510 para. 12 requires the auditor to
issue a modified opinion.
If the predecessor auditor’s opinion included a modification that remains relevant to the current
period’s financial statements, the auditor also needs to modify the audit opinion. For example,
the entity may not have valued inventory in accordance with Accounting Standards in either the
prior or current period.
The ISA 510 appendices give examples of auditors’ reports with modified opinions in relation to
issues that are uncovered during initial audit engagements. Different types of auditors’ reports
are covered in the unit on forming an opinion and issuing an auditor’s report.
Required reading

CC
Auditing accounting estimates
Learning outcome
4. Describe and explain the objectives and responsibilities of the auditor with respect to
Accounting estimates are defined in ISA 540 para. 7(a) as ‘an approximation of a monetary
amount in the absence of precise means of measurement’. ISA 540 uses this term to describe:
•• Fair value accounting estimates. The measurement of a fair value estimate is prescribed by
the relevant financial reporting framework, and is often based on an assumed hypothetical
transaction between knowledgeable, willing parties in an arm’s-length transaction.
Examples of fair value accounting estimates include (ISA 540 para. A7):
–– Complex financial instruments that are not traded in an active and open market.
–– Property or equipment that is held for disposal.
–– Certain assets or liabilities that have been acquired in a business combination, including
goodwill and intangible assets.
–– Impairment testing of assets. This is an additional example provided by ASA 540
para. Aus A7.1 and ISA 540 (NZ) para. NZ.A.7.1.
•• Other accounting estimates that do not require a fair value determination (ISA 540 para. A6).
Examples include:
–– Allowance for doubtful accounts.
–– Inventory obsolescence.
–– Warranty obligations.
–– Depreciation or useful life of assets.
–– Costs arising from the settlement of litigation.
Accounting estimates can cause particular issues for the auditor because of the degree of
judgement and uncertainty involved in their measurement, which, in turn, increases the risks
of material misstatement. For example, it is generally much easier for the auditor to obtain
sufficient appropriate audit evidence in relation to an entity’s cash balance than for warranty
provision.
The auditor’s objective in relation to accounting estimates is to obtain sufficient appropriate
audit evidence about whether:
•• The accounting estimates, whether recognised or disclosed, are reasonable.
•• The disclosures related to the accounting estimates are adequate.

CC
The following diagram gives an overview of the procedures that ISA 540 requires the auditor to
perform in order to achieve this objective:
Risk assessment Risk response
What estimates are required? Have estimates been prepared properly

How were the estimates prepared? using consistent methodology?
How significant are the estimates? Is the supporting evidence reliable?
Is an auditor’s expert required? Is there any evidence of fraud?
How accurate were the prior year’s
estimates?
Is there any evidence of management bias?
Extent of estimation uncertainty involved?
Reporting
Are financial statement disclosures of

accounting estimates in accordance with
the financial reporting framework?
If a significant risk, has disclosure been
made of the estimation uncertainty?
Obtain management representations
Adapted from: IFAC Guide, vol. 1, Exhibit 11.0-1, p. 142.
These procedures are described in further detail below.
Required reading
Risk assessment procedures and accounting estimates

While performing the risk assessment procedures, and related activities to obtain an
understanding of the entity and its environment, the auditor needs to assess the risk of material
misstatement (RMM) that is due to the accounting estimates that the entity has used. A number
of factors need to be considered, including:
•• The requirements of the applicable financial reporting framework (ISA 540 para. 8(a)).
For example, the national equivalent of IFRS 13 Fair Value Measurement forms part of the
applicable financial reporting framework in both Australia and New Zealand.
•• How management identifies circumstances that may give rise to the need for accounting
estimates to be included in the financial statements (ISA 540 para. 8(b)).
For example, management may identify the need for recognition and disclosure of
accounting estimates through the entity’s formal risk management process.
•• How management makes accounting estimates, including (ISA 540 para. 8(c)):
–– The method used to determine the estimates. This may, for example, be prescribed by
Accounting Standards.
–– Relevant controls. For example, there may be controls in place in relation to the review
and approval of accounting estimates.
–– Whether management has used an expert.
–– The underlying assumptions used, and whether these are reasonable.

CC
•• The outcome of accounting estimates included in the prior period financial statements
(ISA 540 para. 9). For example, the auditor might compare the prior year’s warranty
provision with the actual warranty expense in that year to gain information about the
effectiveness of management’s estimation process.
As part of identifying and assessing the RMM, the auditor also needs to consider estimation
uncertainty. ISA 540 para. 7(c) defines this as ‘the susceptibility of an accounting estimate and
related disclosures to an inherent lack of precision in its measurement’. Items with a low level of
estimation uncertainty give rise to a relatively low risk of material misstatement and vice versa
(ISA 540 para. 10).
Examples of items that display low and high estimation uncertainty are shown in the table below:
Level of estimation uncertainty involved
Low level of uncertainty (lower RMM) High level of uncertainty (higher RMM)
Business activities that are not complex Highly dependent on judgement, such as the outcome of
litigation or the amount and timing of future cash flows,
dependent on uncertain events many years in the future
Relate to routine transactions Not calculated using recognised measurement

techniques
Derived from data (referred to as ‘observable’ in Results of the auditor’s review of similar accounting
the context of fair value accounting) that is readily estimates made in the prior period financial statements
available, such as published interest rate data or indicate a substantial difference between the original
exchange-traded prices of securities accounting estimate and the actual outcome
The method of measurement prescribed by the Fair value accounting estimates for derivative financial
applicable financial reporting framework is simple instruments that are not publicly traded
and easily applied
Fair value accounting estimates, where the model Fair value accounting estimates for which a highly
used to measure the accounting estimate is well specialised entity-developed model is used, or for which
known or generally accepted, provided that the there are assumptions or inputs that cannot be observed
assumptions or inputs to the model are observable in the marketplace
Required reading
Responding to assessed risks of material misstatement

Based on the assessed risks of material misstatement concerning accounting estimates in the
financial statements, the auditor needs to determine:
•• Whether management has applied the financial reporting framework appropriately
(ISA 540 para. 12(a)). For example, have the requirements of the relevant Accounting
Standards been met?
•• Whether the methods used in making the estimates are appropriate and have been
consistently applied (ISA 540 para. 12(b)).
The auditor must use one or more of the following audit procedures in responding to assessed
risks of material misstatement with regard to an accounting estimate:
•• Determine whether events after the reporting date (i.e. events up to the date of the audit
report) provide evidence regarding the estimate (ISA 540 para. 13).
•• Test how management made the estimate, including whether the method is appropriate and
the assumptions used in estimation are reasonable.

CC
For example, in relation to a warranty provision, the auditor might:
–– Test the data on which the warranty is based (sales levels, or average cost of repair).
–– Test the assumptions underlying the provision (e.g. whether future warranty expenses
are likely to be higher or lower than existing expenses, and why management has
reached this conclusion).
•• Test the controls over how management made the estimate.
The auditor only needs to perform this procedure when they intend to rely on controls, or
where substantive procedures alone do not provide enough evidence (though the latter is
rare). Tests of controls are covered in detail in the unit on responding to assessed risks –
controls testing.
•• Perform substantive procedures.
For example, the auditor might verify the proceeds from the sale of equipment held for
disposal and sold after year end by agreeing the amount received to the entity’s bank
statements. Substantive procedures are covered in detail in the unit on responding to
assessed risks – substantive testing.
•• Develop a point estimate or a range to evaluate management’s point estimate.
A point estimate is a single amount (e.g. an allowance for doubtful accounts of $1 million),
whereas a range covers a number of points (e.g. where the amount expected to be paid in
the event of losing a court case is in the range of $1.5 million–$2 million).
In performing this type of test, the auditor can either use management’s assumptions and
methods or develop their own, providing the relevant variables are taken into account.
In undertaking the procedures described above, the auditor needs to consider whether
specialised skills are required that are additional to those possessed by the audit team. For
example, the auditor may need to engage an expert to provide an estimate of the extractable ore
remaining in a mineral deposit.
The auditor also needs to obtain appropriate written representations from management,
and where appropriate, those charged with governance whether they believe significant
assumptions used in making accounting estimates are reasonable. In New Zealand, the auditor
obtains the written representations from those changed with governance (ISA 540 (NZ)
para. NZ22.1)
Further information on using the work of an expert and obtaining written representations is
provided in the unit on responding to the assessed risk – using the work of others, external
confirmations and written representations.
Management bias
Finally, the auditor needs to determine whether there is evidence of management bias in any/all
of the accounting estimates. Estimates are at particular risk of management bias because of the
inherent uncertainty that is involved in arriving at a reasonable amount. Management could,
for example, make small adjustments in the assumptions that are used to arrive at a number of
provisions (e.g. inventory obsolescence or allowance for doubtful accounts) in order to achieve a
target profit figure, thereby triggering a bonus payment.
Indicators of possible management bias include:
•• Changes in the method used to make an accounting estimate that do not appear to be valid
changes.
•• Use of assumptions for fair value accounting estimates that are inconsistent with general
marketplace assumptions.
•• A selection of assumptions that yield an estimate that is favourable to management’s
objectives.

CC
Required reading
ISA 540 paras 12–14, 21, 23, A52–A101, A125 and A128.
How to respond when accounting estimates are significant risks

The need to assess the risks of material misstatement due to the entity’s use of accounting
estimates was discussed above. As part of this risk assessment, the auditor needs to determine
whether any of the estimates identified as having a high estimation uncertainty give rise to a
significant risk. Significant risks are risks:
•• That are highly dependent on judgement – for example, where management has to estimate
the timing and amount of future cash flows that are dependent on uncertain future events.
•• That are not calculated using recognised measurement techniques.
•• For which the results of the auditor’s review of similar estimates made in the prior period
show a substantial difference between the original estimate and actual outcome.
It is also important to recognise that a seemingly immaterial accounting estimate may have
the potential to result in a material misstatement that is due to estimation uncertainty. That is,
the amount shown in the financial statements may be small but the potential error, due to
estimation uncertainty, may be large.
Where the auditor determines that an accounting estimate with a high estimation uncertainty
is a significant risk, ISA 540 requires the auditor to perform certain procedures in addition to
those prescribed by ISA 315 (Revised) in relation to significant risks. These procedures are set
out below.
Procedures where estimation uncertainty led to significant risks

Under ISA 540 paras 15–17, the auditor needs to evaluate:
•• The way in which management has considered alternative assumptions or outcomes, and
why it has rejected them.
In order to arrive at a reasonable accounting estimate, it is important that management
considers alternative assumptions as well as the effect that variations in assumptions have
on the estimate. For example, a small change in the percentage of items sold that may
require warranty repairs may have a large impact on the estimated warranty provision.
•• Whether the significant assumptions used by management are reasonable. Significant
assumptions are those where a reasonable variation to the assumption would materially
affect the accounting estimate.
•• Where relevant, management’s intention to carry out specific courses of action and its
ability to do so.
For example, the estimated value of a mineral deposit may be dependent on management
resolving the entity’s breach of environmental laws related to the mineral’s extraction to
meet the conditions of its mining licence.
Recognition and measurement criteria

The auditor needs to obtain sufficient appropriate audit evidence on whether the following are
in accordance with the requirements of the applicable financial reporting framework:
•• Management’s decision to recognise or not recognise an accounting estimate in the financial
statements.
For example, IFRS 6 Exploration for and Evaluation of Mineral Resources requires that an
exploration and evaluation asset only be recognised when a number of conditions are met,
including the entity having the current right to tenure of the area.

CC
•• Management’s selected measurement basis for the accounting estimates (e.g. fair value
estimates).
Required reading
ISA 540 paras 10–11, 15–17, A45–A51 and A102–A115.
Reporting
Once the auditor has gathered sufficient appropriate audit evidence, they need to evaluate
whether the accounting estimates are reasonable and appropriately disclosed, in accordance
with the applicable financial reporting framework.
The next step is to determine whether the misstatement is material and its effect, if any, on
the auditor’s report. These topics are covered in the units on responding to assessed risks –
evaluating audit evidence, and forming an opinion and issuing an auditor’s report.
Documentation
In documenting the work performed and conclusions reached, the auditor needs to include in
audit documentation:
•• The basis for the auditor’s conclusions about the reasonableness of accounting estimates,
and their disclosure, that give rise to significant risks.
•• Indicators of possible management bias, if any.
In Australia, audit documentation must also include the auditor’s evaluation of any indicators
of possible management bias in making accounting estimates, including whether the
circumstances giving rise to the indicators of bias represent a RMM due to fraud (ASA 540.Aus
23.1).
Required reading
ISA 540 paras 18–20, 22–23 and A116–A123.

Activity 5.3 : Identifying risks in accounting for estimates


5.1: Three categories of assertions (ISA 315 para. A124)
Quiz


Readings

Standards.
Required reading
ISA 250 Consideration of Laws and ASA 250 Consideration of Laws and ISA (NZ) 250 Consideration of Laws
Regulations in an Audit of Financial Regulations in an Audit of a Financial and Regulations in an Audit of
Statements Report Financial Statements
•• Paragraphs 1–29 and A13–A21 •• Paragraphs 1–29, A13–A18, •• Paragraphs 1–29 and A13–A21
Aus A18.1, A19, Aus A19.1 and
A20–A21
A6– A23, A74, A118–A126, A6– A23, A74, A118–A126, A6– A23, A74, A118–A126,
A129–A139 and Appendix 2 A129–A139 and Appendix 2 A129–A139 and Appendix 2
ISA 510 Initial Audit Engagements – ASA 510 Initial Audit Engagements – ISA (NZ) 510 Initial Audit
Opening Balances Opening Balances Engagements – Opening Balances
•• Paragraphs 1–13 and A1–A9 •• Paragraphs 1–13 and A1–A9 •• Paragraphs 1–13 and A1–A9
ISA 540 Auditing Accounting ASA 540 Auditing Accounting ISA (NZ) 540 Auditing Accounting
Estimates, Including Fair Value Estimates, Including Fair Value Estimates, Including Fair Value
Accounting Estimates, and Related Accounting Estimates, and Related Accounting Estimates, and Related
Disclosures Disclosures Disclosures
•• Paragraphs 1–23, A6–A7, •• Paragraphs 1–23, Aus 23.1, A6– •• Paragraphs 1–23, A6–A7,
A45–A123, A125 and A128 A7, A45–A123, A125 and A128 A45–A123, A125 and A128
ISA 570 Going Concern ASA 570 Going Concern ISA (NZ) 570 Going Concern
•• Paragraphs 10 and A2 •• Paragraphs 10 and A2 •• Paragraphs 10 and A2

Further reading

References
International Federation of Accountants 2011, Guide to using ISAs in the audits of small and
medium-sized entities, 3rd edn (IFAC Guide), vol. 1, Exhibit 6.0-1, p. 80; Exhibit 8.0-1, p. 99;
Exhibit 11.0-1, p 142; Exhibit 11.1-1, p. 144; vol.2, Exhibit 10.3-1, p. 121.
Australian Auditing Standards Board, Opening Balances, Explanatory Guide, May 2012.

ACT
Activity 5.1
Identifying risk at the assertion level
Introduction
An auditor can use risk assessment procedures, including analytical procedures, during the
planning stage of the audit to identify areas of the financial statements at risk of material
misstatement.
•• Explain and apply the process of risk identification.
•• Explain and apply the use of assertions in assessing the risks of material misstatement at the
At the end of this activity, you will be able to identify risks at the assertion level, in accordance
with ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through
Scenario
You are an audit senior at AuditUs Partners Chartered Accountants (AuditUs). Gianni Corti, the
audit partner, has asked you to begin planning for the 30 June 20X3 audit of The Beauty Spot
Limited (TBS), a listed company whose main activities are the marketing and distribution of a
range of men and women’s cosmetics and toiletries.
Due to the company’s market diversification, sales do not have a significant seasonal trend.
Price structures and terms of trade are the same for all segments of TBS’s market.
From discussions with management, you have obtained the following information:
•• The company’s market comprises pharmacies/chemists, supermarkets and, more recently,
upmarket boutique perfumeries.
•• The company has acquired a reputation for always having the latest and most fashionable
brands and products available, purchased from both local and overseas suppliers.
•• From the beginning of June 20X3, at the request of TBS’s suppliers, most local purchases
have been on a cash on delivery (COD) basis.

ACT
The two previous financial statements were given unmodified audit opinions by AuditUs.
Half‑year management financial statements (unaudited), together with the comparative figures
for the two previous years (audited), are as follows:
TBS half-year management financial statements
Statement of financial position as at:
31 December 20X2 30 June 20X2 30 June 20X1

(unaudited) (audited) (audited)
$’000 $’000 $’000
Current assets
Cash and equivalents 312 189 309
Trade receivables 4,817 4,447 4,089
Inventory 5,541 4,160 3,879
10,670 8,796 8,277
Non-current assets
Property, plant and equipment 3,420 3,480 3,419
Total assets 14,090 12,276 11,696
Current liabilities
Trade payables 5,197 3,480 3,261
Borrowings and other liabilities 5,292 4,483 4,609
10,489 7,963 7,870
Non-current liabilities
Total liabilities 12,389 10,614 10,138
Net assets 1,701 1,662 1,558
Capital and reserves
Share capital 1,500 1,500 1,500
Retained earnings 201 162 58
Total equity 1,701 1,662 1,558

ACT
Statement of profit or loss for the period:
Six months % of net 30 June % of net 30 June % of net

31 December sales 20X2 sales 20X1 sales
20X2 (audited) (audited)
(unaudited)
$’000 $’000 $’000
Income
Gross sales 13,910 102.3 27,784 101.0 25,561 101.0
Returns (312) (2.3) (281) (1.0) (261) (1.0)
Net sales 13,598 100.0 27,503 100.0 25,300 100.0
Cost of sales
Opening stock 4,160 3,879 3,060
Purchases 11,400 20,780 19,749
Closing stock (5,541) (4,160) (3,879)
10,019 73.7 20,499 74.5 18,930 74.8
Gross profit 3,579 26.3 7,004 25.5 6,370 25.2
Expenses
Selling 1,641 12.1 3,071 11.2 2,730 10.8
Distribution 696 5.1 1,285 4.7 1,106 4.4
Admin – bad debts 190 1.4 940 3.4 859 3.4
– other 821 6.0 1,488 5.4 1,271 5.0
3,348 24.6 6,784 24.7 5,966 23.6
Profit before tax 231 1.7 220 0.8 404 1.6
Tasks
For this activity, in relation to trade receivables and inventory, you are required to:
•• Perform relevant analytical procedures.
•• Identify the key assertion at risk and justify your selection.

ACT
Activity 5.2
Identifying risk at the financial statement
level
Introduction
An auditor can use risk assessment procedures, including analytical procedures, during the
planning stage of the audit to identify areas of the financial statements at risk of material
misstatement.
At the end of this activity, you will be able to identify risk at the financial statement level, in
accordance with ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and Its Environment (ISA 315 (Revised)) and ISA 570 Going
Concern (ISA 570).
Scenario
This activity is related to Activity 5.1 ‘Identifying risk at the assertion level’.
You are an audit senior at AuditUs Partners Chartered Accountants (AuditUs). Gianni Corti, the
audit partner has asked you to begin planning for the 30 June 20X3 audit of The Beauty Spot
Limited (TBS), a listed company whose main activities are the marketing and distribution of a
range of men’s and women’s cosmetics and toiletries.
Due to the company’s market diversification, sales do not have a significant seasonal trend.
Price structure and terms of trade are the same for all segments of TBS’s market.
From discussions with management, you have obtained the following information:
1. The company’s market comprises pharmacies/chemists, supermarkets and, more recently,
upmarket boutique perfumeries.
2. The company has acquired a reputation for always having the latest and most fashionable
brands and products available, purchased from both local and overseas suppliers.
3. From the beginning of June 20X3, at the request of TBS’s suppliers, most local purchases
have been on a cash on delivery (COD) basis.

ACT
The two previous financial statements were given unmodified audit opinions by AuditUs.
Half‑year management financial statements (unaudited) together with the comparative figures
for the two previous years (audited) are as follows:
Statement of financial position as at:
31 December 20X2 30 June 20X2 30 June 20X1

(unaudited) (audited) (audited)
$’000 $’000 $’000
Current assets
Cash and equivalents 312 189 309
Trade receivables 4,817 4,447 4,089
Inventory 5,541 4,160 3,879
10,670 8,796 8,277
Non-current assets
Property, plant and equipment 3,420 3,480 3,419
Total assets 14,090 12,276 11,696
Current liabilities
Trade payables 5,197 3,480 3,261
10,489 7,963 7,870
Total liabilities 12,389 10,614 10,138
Net assets 1,701 1,662 1,558
Capital and reserves
Share capital 1,500 1,500 1,500
Retained earnings 201 162 58
Total equity 1,701 1,662 1,558

ACT
Statement of profit or loss for the period:
Six months % of net 30 June % of net 30 June % of net

31 December sales 20X2 sales 20X1 sales
20X2 (audited) (audited)
(unaudited)
$’000 $’000 $’000
Income
Gross sales 13,910 102.3 27,784 101.0 25,561 101.0
Returns (312) (2.3) (281) (1.0) (261) (1.0)
Net sales 13,598 100.0 27,503 100.0 25,300 100.0
Cost of sales
Opening stock 4,160 3,879 3,060
Purchases 11,400 20,780 19,749
Closing stock (5,541) (4,160) (3,879)
10,019 73.7 20,499 74.5 18,930 74.8
Gross profit 3,579 26.3 7,004 25.5 6,370 25.2
Expenses
Selling 1,641 12.1 3,071 11.2 2,730 10.8
Distribution 696 5.1 1,285 4.7 1,106 4.4
Admin – bad debts 190 1.4 940 3.4 859 3.4
– other 821 6.0 1,488 5.4 1,271 5.0
3,348 24.6 6,784 24.7 5,966 23.6
Profit before tax 231 1.7 220 0.8 404 1.6
Task
For this activity, you are required to extend your analysis to encompass risk at the financial
statements level. Outline factors in the information you have gathered that may indicate that
TBS has a going concern problem.

ACT
Activity 5.3
Identifying risks in accounting for estimates
Introduction
During the planning phase of an audit, the auditor has certain objectives and responsibilities
when identifying risks in accounting for estimates. These objectives and responsibilities are laid
down in ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement through
Understanding the Entity and Its Environment (ISA 315 (Revised)) and ISA 540 Auditing Accounting
Estimates, Including Fair Value Accounting Estimates, and Related Disclosures (ISA 540).
•• Describe and explain the objectives and responsibilities of the auditor with respect to
At the end of this activity, you will be able to identify account balances that include estimates
and related assertions at risk of material misstatement and assess the impact on the audit plan,
in accordance with ISA 315 (Revised) and ISA 540.
Scenario
You are an audit senior with AuditUs Partners Chartered Accountants (AuditUs) and assigned
to the Global Entertainment Network Limited (GEN) audit for the year ended 30 June 20X3.
GEN is an Australian company listed on the Australian Securities Exchange (ASX).
In January 20X3, GEN changed the payroll system to a new off-the-shelf system. Since this
‘go‑live’ date, there have been some complaints by staff about underpayment of wages and
annual leave entitlements due to incorrect salary packages and hourly rates being recorded in
the system.
Task
•• Identify GEN’s key accounts that are most at risk of misstatement if the new payroll system
does not operate as expected, and explain the reasons for identifying each account.
•• Identify and explain the key assertions at risk related to the accounts identified.
•• Outline how the change in the payroll system could impact GEN’s 30 June 20X3 audit plan.


CC
Core content
Unit 6: Analysing audit risks – fraud
Learning outcomes
1. Explain and identify the characteristics of fraud in the context of an audit.
2. Identify who has primary responsibility for fraud prevention and detection.
3. Demonstrate the objectives and responsibilities of an auditor with respect to fraud.
4. Identify and assess the risks of material misstatement in financial statements due to fraud.
5. Identify and assess fraud risk factors arising from related party relationships and
transactions.
Introduction
As discussed in earlier units of the Audit & Assurance (AAA) module, one of the objectives of
the auditor in conducting a financial statements audit is to ‘obtain reasonable assurance about
whether the financial statements as a whole are free from material misstatement, whether due
to fraud or error, thereby enabling the auditor to express an opinion on whether the financial
statements are prepared, in all material respects, in accordance with an applicable financial
reporting framework’ (ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an
Audit in Accordance with International Standards on Auditing (ISA 200) para. 11(a)).
To be able to form an opinion on the financial statements, the auditor must consider the many
risks that may lead to a material misstatement, including fraud risk. This unit discusses the
importance of identifying and evaluating the risks of material misstatement due to fraud, and
the appropriate responses to such risks. In addition, it looks at specific risks arising from related
party relationships and transactions.
The unit also examines the audit procedures required in all three phases of the audit process
(i.e. planning, risk response and reporting) in relation to fraud, and clarifies the responsibilities
of the auditor and those charged with governance and management regarding fraud.
aaa11606_csg

CC
In addition to ISA 200, the following Standards are central to this unit:
•• ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
(ISA 240).
Understanding the Entity and Its Environment (ISA 315).
•• ISA 330 The Auditor’s Responses to Assessed Risks (ISA 330).
•• ISA 550 Related Parties (ISA 550).
Types and characteristics of fraud
Learning outcome
1. Explain and identify the characteristics of fraud in the context of an audit.
Fraud can have different meanings depending on the legal definitions in particular jurisdictions.
This unit only looks at fraud as defined in ISA 240.
Fraud is defined in ISA 240 para. 11(a) as ‘an intentional act by one or more individuals among
management, those charged with governance, employees, or third parties, involving the use of
deception to obtain an unjust or illegal advantage’.
The distinction between ‘fraud’ and ‘error’ lies in whether the underlying action that results in
the misstatement of the financial statements is intentional or unintentional (ISA 240 para. 2).
Drivers of fraud
ISA 240 para. A1 identifies the conditions that can lead to fraud:
Drivers Explanation
Incentive or pressure Pressure from sources outside or inside the entity to achieve unrealistic financial results
For example, management is put under pressure to achieve an expected earnings
target or financial outcome
Opportunity A perceived opportunity for an individual to commit fraud

For example, when an individual believes internal controls can be overridden because
they are in a position of trust or have knowledge of specific deficiencies in controls
Rationalisation The ability or capacity that enables people to justify or rationalise committing fraud
For example, some people rationalise fraudulent acts as ‘this is not a big deal’ or
‘I am only taking what I deserve’, because their attitude, character or ethical values
allow them to knowingly and intentionally commit a dishonest act
Collectively, these drivers are commonly referred to as the ‘fraud triangle’ because, when all
three are present, it is highly likely that fraud is occurring.
Ra
tio
re
ssu
na
lisa
Pre
tio
n
Opportunity

CC
Example – Drivers of fraud

This example illustrates the application of the fraud triangle.
Sam, an owner-manager of a construction company, has been offered a job to build a

significant addition to a friend’s house. Sam has accepted the job on the condition that the
friend pays for the work in cash and that the company does not issue any paperwork relating
to the work. Sam believes that, as there is no physical evidence of the construction work in the
financial records, the company does not have to declare the income received in the annual
income tax return.
Consider the three drivers of fraud:
Incentive or pressure: Sam has an incentive to reduce taxes that would otherwise be payable.
Opportunity: Sam, as the owner-manager, is able to override the internal controls over
revenue recognition and not record the income from this service.
Rationalisation: Sam could justify this to himself as just being work for a friend and that he is
entitled to the money, and also that it is acceptable for him not to record the revenue from this
service as he already pays too much in taxes.
Adapted from: IFAC Guide, vol. 2, pp. 90–91.
Types of fraud
Although fraud is a broad legal concept, in the context of an audit, the auditor is mainly
concerned with fraud that causes a material misstatement in the financial statements.
There are two types of intentional misstatements that are relevant to the auditor (ISA 240
para. 3):
•• Fraudulent financial reporting.
•• Misappropriation of assets.
Fraudulent financial reporting

Fraudulent financial reporting is often perpetrated by someone who has a vested interest in,
or who is held accountable for, the financial performance and position of an entity (ISA 240
para. A2).

CC
Misappropriation of assets
‘Misappropriation of assets involves the theft of an entity’s assets and is usually perpetrated by
employees in relatively small and immaterial amounts’ (ISA 240 para. A5). However, even these
amounts can become material when the misappropriation is perpetrated over a period of time.
When the transactions are disguised or concealed, misappropriations can be difficult to detect.
As set out in ISA 240 para. A5, misappropriation of assets can be accomplished in a variety of
ways, including:
Misappropriation via Examples
Embezzlement Misappropriating collections of accounts receivable

Diverting receipts in respect of written-off accounts to personal bank accounts
Theft of physical assets or Stealing inventory for personal use or for sale
intellectual property
Stealing scrap for resale
Colluding with a competitor by disclosing technological data in return for payment
Inappropriate payments Payments to fictitious vendors

for goods and services
Kickbacks paid by vendors to the entity’s purchasing agents in return for
not received
inflating prices
Payments to fictitious employees
Inappropriate use of Using the entity’s assets as collateral for a personal loan or a loan to a related party
an entity’s assets for
personal use
ISA 240 para. A5 notes that the misappropriation of assets is ‘often accompanied by false or
misleading records or documents in order to conceal the fact that the assets are missing or have
been pledged without proper authorisation’.
Fraud risk factors

ISA 240 para. 11(b) defines the term ‘fraud risk factors’ as ‘events or conditions that indicate an
incentive or pressure to commit fraud or provide an opportunity to commit fraud’.
In the planning phase of the audit, the auditor analyses the information gathered about the
entity to identify whether there are any events or conditions that may indicate fraud.
ISA 240 Appendix 1 provides examples of fraud risk factors, and guidance on the conditions,
opportunities and attitudes that may lead to someone committing fraud.
Characteristics of fraud in the context of an audit

As mentioned earlier, the distinguishing factor between fraud and error lies in whether the
underlying action that results in a misstatement is intentional or unintentional. Referring to the
definition in ISA 240 para. 11(a), fraud must be ‘an intentional act’.
Misstatements due to fraud are often harder for the auditor to find than those arising from
errors. As per ISA 240 para. 6:
… The risk of not detecting a material misstatement resulting from fraud is higher than the risk of
not detecting one resulting from error. This is because fraud may involve sophisticated and carefully
organised schemes designed to conceal it, such as forgery, deliberate failure to record transactions, or
intentional misrepresentation being made to the auditor. Such attempts at concealment may be even
more difficult to detect when accompanied by collusion …
The risk of an auditor not detecting a material misstatement due to fraud is even greater when
the fraud is perpetrated by management rather than other employees. Management often has
the ability to manipulate accounting records and override control procedures designed to
prevent misstatements being made by other employees (ISA 240 para. 7).

CC
ISA 240 para. A4 states that ‘fraudulent financial reporting often involves management override
of controls that otherwise may appear to be operating effectively’. Management override is the
deliberate interference with internal controls by managers in the processing or treatment of
financial information. The risk that management may override existing controls is particularly
relevant when assessing the risk of fraudulent financial reporting.
ISA 240 para. A4 provides examples of techniques used by management to override controls:
• Recording fictitious journal entries, particularly close to the end of an accounting period, to
manipulate operating results or achieve other objectives.
• Inappropriately adjusting assumptions and changing judgments used to estimate account balances.
• Omitting, advancing or delaying recognition in the financial statements of events and transactions
that have occurred during the reporting period.
• Concealing, or not disclosing, facts that could affect the amounts recorded in the financial
statements.
• Engaging in complex transactions that are structured to misrepresent the financial position or
financial performance of the entity.
• Altering records and terms related to significant and unusual transactions.
Fraud risk and the size of an organisation

When assessing fraud risk factors, the auditor needs to consider the size and complexity of an
organisation. For example, in a large organisation the auditor may find factors that mitigate
fraud risk, such as (ISA 240 para. A26):
• Effective oversight by those charged with governance.
• An effective internal audit function.
• The existence and enforcement of a written code of conduct.
Smaller entities may not necessarily have a written code of conduct, an internal audit function,
or even a dedicated audit committee; however, the auditor would consider the tone set by
senior management (or owners) regarding honest and ethical conduct and the degree of
authorisation required for transactions (ISA 240 para. A27).
Consequently, the auditor must maintain professional scepticism throughout the entire audit
process. At all phases of the audit, the auditor must consider the potential for management
override and also recognise that standard procedures for detecting errors may not be effective
in detecting fraud. The requirements of ISA 240 are intended to assist auditors to identify and
assess fraud risks, and design audit procedures to address such risks (ISA 240 para. 8).
The news articles listed in the further reading below highlight how misleading accounting
practices can result in extreme consequences.
The article on Melbourne Storm highlights fraudulent financial reporting, while those on
Leighton and the IRD discuss the consequences of misappropriation of assets. The article on
Sims Metal highlights the consequences of management overriding controls.
Required reading
ISA 200 para. 11(a).
ISA 240 paras 2–3, 6–11, A1–A6, A23, A26–A27 and Appendix 1.

Worked example 6.1: Identifying fraud risk factors


CC
Responsibility in fraud prevention and detection
Learning outcome
2. Identify who has primary responsibility for fraud prevention and detection.
Management and those charged with governance have primary responsibility for not only
detecting, but also preventing, fraud within the entity (ISA 240 para. 4). This includes creating
a culture of integrity and honesty, so that people understand how they are expected to act in
circumstances where potential conflicts of interest or other ethical matters may arise.
Management should lead by example. A weak ethical culture increases the risk that employees
will bypass, override or breach any controls that an entity has in place because employees
perceive that management is doing the same. In other words, a good system of controls is at risk
of failing if the ethical culture is weak.
ISA 240 acknowledges that while an auditor may suspect fraud, the likelihood of an auditor
identifying its occurrence is low. This is generally because fraud is a crime and, although the
auditor may suspect or, in rare cases, identify the occurrence of fraud, they are neither trained
nor responsible for making a legal determination (ISA 240 para. 3) of whether fraud has actually
occurred. Nonetheless, the incidence of corporate fraud is quite high.
The auditor obtains evidence about the ethical culture of an entity, and of management’s
attitude to fraud risk from a variety of sources, including written policies and procedures
regarding conduct, whistleblower protection, the overall control environment and the auditor’s
experience with management.
Oversight of financial reporting

Effective oversight by both an entity’s management and those charged with governance is
critical to sound financial reporting. This means that those charged with governance should
have sufficient understanding of the entity’s operations and risks, and management must have
in place controls over the financial reporting process. A culture of integrity and honesty is
integral to ensuring controls are adhered to. This is discussed in more detail later in this unit.
Required reading


CC
Auditor’s responsibilities with respect to fraud
Learning outcomes
3. Demonstrate the objectives and responsibilities of an auditor with respect to fraud.
4. Identify and assess the risks of material misstatement in financial statements due to fraud.
The auditor is responsible for planning and performing the audit to obtain reasonable assurance
that the financial statements are free from material misstatement relating either to error or
fraud. This means that the auditor needs to understand the risks of fraud when planning and
conducting the audit. However, as noted in ISA 240 para. 5, due to ‘the inherent limitations
of an audit, there is an unavoidable risk that some material misstatements of the financial
statements may not be detected, even though the audit is properly planned and performed’.
The responsibilities of the auditor and the potential effects of the audit’s inherent limitations are
discussed in ISA 240 paras 6–8.
ISA 240 para. 10 lists the objectives of the auditor in relation to fraud in a financial statement
audit, as follows:
(a) To identify and assess the risks of material misstatement of the financial statements due to fraud;
(b) To obtain sufficient appropriate audit evidence regarding the assessed risks of material
misstatement due to fraud, through designing and implementing appropriate responses; and
(c) To respond appropriately to fraud or suspected fraud identified during the audit.
It is therefore important that the auditor consider fraud throughout the three phases of the audit
process.
Phase of the audit Summary of audit procedures

process
Planning The auditor:

•• Identifies how those within the entity might perpetrate fraud based on its
understanding of the entity, discussions with other members of the audit team and
members of the client management team, and obtain an understanding of how
fraud has been committed in other entities
•• Designs specific tests tailored to the client’s accounting environment, to address
where in the client’s financial statements material misstatement due to fraud is
likely to occur
Risk response The auditor executes the tests designed to detect material misstatement
Reporting If a misstatement is detected:

•• The auditor then quantifies the known or likely misstatement and reports it to the
appropriate level of management to request confirmation and correction
•• Where appropriate or legally bound, the auditor may also report a detected or
suspected fraud to external authorities
Required reading
ISA 240 paras 5–8 and 10.

CC
Responsibilities in the planning phase

This section discusses the process in identifying and assessing fraud risk factors in the planning
phase of the audit.
Fraud risk assessment procedures
The audit team discusses the potential for material misstatement in financial statements due
to fraud
One of the specific planning procedures mandated by both ISA 315 and ISA 240 is a team
discussion that places emphasis on how and where the audit client’s financial statements might
be susceptible to material misstatement – in the case of ISA 240, due to fraud (ISA 240 para. 15).
This discussion is a critical part of the audit planning process, as it helps to direct and focus the
audit team’s attention to areas where material misstatement may lie. In addition, there are three
other benefits that arise from this discussion (ISA 240 para. A10):
1. It provides an opportunity for more junior audit team members to gain insights from senior
team members about how and where financial statements may be susceptible to material
fraud.
2. It enables the audit partner to consider the appropriate responses to areas of susceptibility,
and which team members should perform certain audit procedures.
3. It helps the audit partner determine how the results of the audit procedures are to be
communicated among the team, and how to address any allegations of fraud that may arise.
ISA 240 para. A11 provides guidance on matters that could be discussed at this audit team
discussion.
As noted in the IFAC Guide, vol. 2, s. 8.8 (discussion on fraud risk), members of the audit
team may identify a fraud risk factor that relates to one or more of the fraud triangle elements.
However, it is less likely that any one audit team member will identify all three of the drivers
together. It is therefore important for the audit team to continually discuss their findings
throughout the engagement. This process is illustrated in the diagram below.
The audit partner finds

that the owner-manager
has occasionally strayed The audit junior was told by a
close to ethical boundaries puzzled staff member that some
material purchases had been
shipped directly to friends
The audit senior discovers

in talking to the sales manager
that the owner handles certain
clients exclusively

CC
Enquiries of management
Management bears primary responsibility for fraud. Therefore, as part of the planning process,
the auditor will make enquiries of management, specifically in relation to fraud.
ISA 240 para. 17 requires the auditor to make enquiries of management regarding:
•• Management’s assessment of the risk of material misstatement due to fraud, including the
nature and frequency of such assessments.
•• Management’s process for identifying and responding to the risks of fraud, including
specific risks identified, or brought to their attention, or classes of transactions, account
balances, or disclosures for which the risk of fraud is likely to exist.
•• Management’s communication with those charged with governance relating to its processes
for identifying and responding to fraud risks; and
•• Management’s communications to employees regarding its views on business practices and
ethical behaviour.
The regularity and scope of management’s assessments are relevant to the auditor’s
understanding of the entity’s control environment and attitude towards fraud prevention and
detection. While not conclusive evidence, an entity that performs detailed regular assessments
may provide the auditor with more confidence in the appropriateness of management’s attitude
regarding fraud prevention and detection than an entity that performs ad hoc, surface-level
assessment of the risk of material misstatement due to fraud. However, the auditor also needs
to understand that the formality and regularity of assessments will vary depending on the size
and complexity of each entity (ISA 240 para. A12).
Because management is usually in the best position to perpetrate fraud, the auditor may decide
to corroborate management’s responses with other information (ISA 240 para. A17).
Enquiry of others within the entity

As mentioned earlier, fraud can result from management overriding controls. Enquiries
of management are not likely to provide useful insights regarding material misstatements
resulting from management fraud. Therefore, the auditor should consider making enquiries of
others within the entity who may have information about fraud (ISA 240 para. 18), including
(ISA 240 para. A16):
• Operating personnel not directly involved in the financial reporting process.
• Employees with different levels of authority.
• Employees involved in initiating, processing or recording complex or unusual transactions and

those who directly monitor these employees.
• In-house legal counsel.
• The person or persons charged with dealing with allegations of fraud.
Enquiry of the internal auditors

Where an internal audit function exists, its activities should include consideration of risks and
controls in relation to fraud. ISA 240 requires the auditor to specifically enquire with internal
audit whether it has knowledge of any actual, suspected or alleged fraud relating to the entity,
and its views about the risk of fraud within the entity (ISA 240 para.19).

CC
Enquiry of those charged with governance

The role of those charged with governance is to oversee management. It is therefore important
for the auditor to obtain an understanding of how those charged with governance carry out
their oversight function within the entity (ISA 240 para. A19).
Where those charged with governance are separate to management of the entity, the auditor is
required to:
•• Obtain an understanding of how those charged with governance exercise oversight of
management’s processes for identifying and responding to the risk of material misstatement
due to fraud (ISA 240 para. 20).
•• Enquire whether those charged with governance have any knowledge of actual, suspected
or alleged fraud. These queries also serve the purpose of corroborating management’s
responses to the same query (ISA 240 para. 21).
Obtaining an understanding of the oversight exercised by those charged with governance

may give the auditor an insight into the susceptibility of the entity to management fraud.
The auditor’s understanding is obtained by reading board minutes, attending meetings and
making direct enquiries of those charged with governance (ISA 240 para. A20).
Identify fraud risk factors arising from related party relationships and transactions
As related parties are not independent of each other, related party relationships and
transactions may carry higher risks of material misstatement due to fraud than transactions
with unrelated parties. ISA 550 requires the auditor to assess fraud risk factors from related
party relationships and transactions. Details of these procedures are discussed later in this unit.
Perform analytical procedures and evaluate unusual or unexpected relationships identified

Analytical review of the unaudited, interim financial statements or the most recent management
accounts is a quantitative procedure required in the planning phase of the audit.
ISA 240 para. 22 states:
The auditor shall evaluate whether or not unusual or unexpected relationships that have been identified
in performing analytical procedures, including those related to revenue accounts, may indicate risks of
material misstatement due to fraud.
While the analytical procedures are not specified, they generally involve ratio analysis and
benchmarking. Analytical review is usually performed by comparing year-on-year fluctuations
within the entity itself. Where fluctuations are not consistent with the auditor’s understanding
of the entity or of the audit client’s industry, the auditor needs to investigate further by
obtaining explanations of variances from management.
Evaluation of fraud risk factors

On completing the fraud risk assessment procedures discussed above, the auditor needs to
evaluate whether the information obtained indicates that one or more fraud risk factors are present.
The presence of a fraud risk factor does not necessarily mean that fraud has occurred; however,
it may present risks of material misstatement due to fraud.
Identification and assessment of the risks of material misstatement due to fraud

On assessing fraud risks and evaluating fraud risks factors, the auditor needs to assess the risks
of material misstatement arising from these risks.
Under ISA 240 para. 25, the auditor needs to assess the risks of material misstatement at both
the financial statement level and at the assertion level.
ISA 240 para. 27 states that the auditor is required ‘to treat those assessed risks of material
misstatement due to fraud as significant risks and accordingly, to the extent they have not
already done so, the auditor shall obtain an understanding of the entity’s related controls,
including control activities, relevant to the risks’.

CC
Risk of fraud in revenue recognition

Fraudulent financial reporting often involves overstatement of revenue, which is a common
key financial performance indicator with which users of the financial statements are concerned.
Revenue recognition is therefore considered particularly susceptible to fraud.
ISA 240 requires the auditor to presume that there is a risk of fraud in revenue. The auditor
must evaluate the types of revenue, revenue transactions and assertions that give rise to this
fraud risk (ISA 240 para. 26). This means that the auditor will always plan to address fraud risk
within revenue recognition unless the assumption can be rebutted – for example, where there is
a single type of revenue transaction (ISA 240 para. A30).
Required reading
ISA 240 paras 12–27, 47 and A7–A32.
Worked example 6.2: Using CAATs and data tools to identify risks of fraud in management
override of controls
Responsibilities during the risk response phase

ISA 240 Appendix 3 provides examples of circumstances during the audit that may indicate
that fraud exists. These include examples of discrepancies in accounting records, conflicting or
missing evidence and concerns about the relationship between the auditor and management.
The evaluation of such facts and circumstances that arise during the audit are qualitative
in nature and rely heavily on the auditor’s professional judgement. Nonetheless, where the
evaluation leads to the identification and presence of new risks of material misstatement due
to fraud, the auditor must ‘design and perform further audit procedures whose nature, timing,
and extent are based on and are responsive to the assessed risks of material misstatement at the
assertion level’ (ISA 330 para. 6).
The auditor must determine an overall response to address the risk of material misstatement
due to fraud at the financial statement level (ISA 240 para. 28) and at the assertion level
(ISA 240 para. 30).
Responses to fraud risk at the financial statement level

‘Risks of material misstatement at the overall financial statement level refer to the risks of
material misstatement that relate pervasively to the financial statements as a whole and
potentially affect many assertions’ (ISA 200 para. A35).
In deciding how to address assessed fraud risks at the financial statement level, the auditor
will consider how to increase the level of professional scepticism in the overall audit approach.
This could be by selecting more reliable documentation and obtaining additional corroboration
of management explanations (ISA 240 para. A33). The auditor should also consider the general
approach to the audit when addressing fraud at the financial statement level. This will include
(ISA 240 paras 29 and A34–A35):
•• Assigning and supervising staff appropriately, or assigning more experienced staff or
specialists – for example, IT or forensic specialists.
•• Evaluating accounting policies selected by management, particularly those that relate to
subjective measurements and complex transactions, that may be indicative of management’s
attempt to manage earnings.
•• Incorporating unpredictability in the selection of the nature, timing and extent of audit
procedures.

CC
Responses to fraud risk at the assertion level

In presenting the financial statements, management and the directors are making assertions
about the organisation’s position and performance. Having considered the risks of material
misstatement due to fraud at the overall financial statement level, the auditor is required to
undertake further audit work directed at the assessed risks of material misstatement due to
fraud at the assertion level (ISA 240 para. 30).
The key points to note about this requirement are:
•• Further audit procedures are required where there is an assessed risk of fraud
(i.e. procedures over and above what the auditor would normally perform).
•• The procedures need to be responsive to the assessed risk in respect of the particular
assertion.
To help the auditor meet the above requirement, ISA 240 para. A37 suggests changing the
procedures as follows:
•• Changing the nature of audit procedures to obtain more reliable and relevant audit
evidence – for example, by performing more detailed or targeted sample selection through
the use of computer-assisted audit techniques (CAATs), or by obtaining more extensive
corroborative evidence, such as obtaining third-party confirmations of account balances.
•• Modifying the timing of audit procedures – for example, by performing some substantive
procedures at year end, rather than at the interim stage, if better able to address an
identified fraud risk.
•• Changing the extent of the audit procedures – for example, increasing the test sample sizes
for accounts or transactions concerned.
Transactions and balances that require the application of estimates and judgements may present
a particular fraud risk, as management may have the opportunity to manipulate financial
reporting through bias in selecting estimates and assumptions.
ISA 240 Appendix 2 includes examples of responses and changes to audit procedures that
the auditor can make where there are identified fraud risks relating to fraudulent financial
reporting and misappropriation of assets.
Responses to risks related to management override of controls

Journals testing
As discussed above, a common method for fraudulent financial reporting is for management
to override internal controls by posting fraudulent general ledger journals. Therefore, the
auditor is required to perform specific audit procedures in respect of journal entries, as follows
(ISA 240 para. 32(a)):
(i) Make inquiries of individuals involved in the financial reporting process about inappropriate or
unusual activity relating to the processing of journal entries and other adjustments;
(ii) Select journal entries and other adjustments made at the end of a reporting period; and
(iii) Consider the need to test journal entries and other adjustments throughout the period.
Selecting journal entries for testing

The auditor needs to use professional judgement in selecting journals for testing, and in
choosing the appropriate methods of examining the journals selected. The key considerations
include (ISA 240 para. A43):
•• The assessment of the risks of material misstatement due to fraud, to help identify the
specific classes of journal entries for selection.
•• Controls that have been implemented for journals and adjustments that the auditor has
tested.

CC
•• Financial reporting processes and the nature of evidence that can be obtained – that is,
whether the journals are automated or manual, the nature of controls and the audit trail.
•• Characteristics of fraudulent journals or adjustments. CAATs are commonly used by
auditors for testing journal entries. The auditor may use CAATs to select entries that are:
–– made to unrelated, unusual, or seldom used accounts
–– made or requested by those who do not usually post journal entries
–– posted around period end without adequate explanation
–– made in preparing the financial statements, without identifying the relevant general
ledger accounts
–– round numbers.
•• The nature and complexity of the accounts. The auditor may select journals and adjustments
from specific accounts that are complex or unusual, contain significant estimates, have been
misstated in the past, or are not regularly reconciled.
•• Journal entries or other adjustments processed outside the normal course of business.
The auditor may direct journal testing towards accounts that have specific fraud risk factors.
For example:
•• Complex, unbilled revenue accounts based partly on estimates.
•• Significant business combinations.
•• Journals to accounts where a specific fraud risk has been identified – for example, sales.
The auditor is specifically required to select journal entries made at the end of the reporting
period (ISA 240 para. 32(a)(ii)), because this is when fraudulent entries are often made.
However, there is also a requirement to consider the need to test journal entries and other
adjustments made throughout the period (ISA 240 para. 32(a)(iii)).
ISA 240 para. A44 reminds us that perpetrators of fraud can exert extensive efforts to conceal
how the fraud is accomplished, which may involve posting a series of entries across a number
of months throughout the period. Therefore, where the risk of fraud arising from management
override and the use of journal entries is high, the auditor should consider extending the journal
entry testing procedures to journals posted throughout the period.
Accounting estimates review

One of the best ways for management to manipulate the financial statements is through
intentional misstatement of accounting estimates. As per ISA 240 para. A45, this ‘may be
achieved by, for example, understating or overstating all provisions or reserves in the same
fashion so as to be designed either to smooth earnings over two or more accounting periods,
or to achieve a designated earnings level’.
The auditor is required to review accounting estimates for biases and evaluate whether the
circumstances producing any bias represent a risk of material misstatement due to fraud.
In making this review, the auditor must (ISA 240 para. 32(b)):
•• Evaluate whether management’s judgements and estimates (either individually or in
aggregate) indicate a possible bias and, if so, re-evaluate the estimates as a whole.
•• Perform a retrospective review of significant management judgements and assumptions
made in the prior period.
The auditor needs to be aware that individual estimates may not show signs of bias, but when
a number of estimates are examined together, a pattern of bias may emerge. For example,
management may make a downward adjustment in its estimation of a make-good provision
while at the same time making a change in its estimate of doubtful debts that reduces
the balance of doubtful debts. The net impact of the two changes may result in a material
overstatement of the net assets of the company.

CC
Unusual transactions
As part of the procedures to address fraud risk arising from the potential for management
override, the auditor is required to evaluate the business rationale regarding unusual
transactions, or transactions made outside the normal course of business (ISA 240 para. 32(c)).
If a transaction lacks an appropriate business rationale, it may indicate that the transaction was
entered into for the purpose of fraudulent financial reporting or to hide the misappropriation of
assets.
ISA 240 para. A48 provides guidance to assist the auditor in evaluating whether unusual
transactions may have been entered into for fraudulent purposes. Indicators of potential fraud
include:
•• Overly complex transactions – for example, transactions that involve multiple entities.
•• Where those charged with governance have not been made aware of the unusual
transaction.
•• Where management places an emphasis on a particular accounting treatment rather than
on the substance of the transaction.
•• Transactions that involve non-consolidated related parties.
•• Transactions involving previously unidentified related parties.
•• Transactions involving parties that do not have the financial strength to support the
transaction without the assistance of the entity under audit.
Required reading
ISA 240 paras 28–33, 39–47 and A33–A49, and Appendices 2 and 3.
ISA 200 para. A35.
ISA 315 para. A124.
ISA 330 para. 6.
Use of CAATs, data analysis and data assurance tools in response to fraud risk
Introduction
As discussed in an earlier unit, advancements in technology and the exponential growth in
data are transforming the audit, ushering in new audit tools such as CAATs and data assurance
techniques. These tools enable auditors to better identify not only financial reporting risks and
operational business risks but also fraud risks. They also deliver a more relevant audit through
tailoring of the approach. Such tools are effectively changing the core approach to the audit.
Data analysis
In the unit on auditing standards and quality control, you were introduced to the difference
between data analysis and obtaining assurance from data. Before responding directly to the risk
of ‘management override of controls’ under Auditing Standards, data analysis can assist the
auditor by highlighting results that may be indicative of fraudulent activity.
For example, by using a combination of visualisation technology and exploration tools, an
auditor can derive a lot of useful information very quickly from client systems, including
unusual patterns or trends across general ledger accounts, frequency of general ledger postings
by individuals and the timing of postings.
According to the Technical Query Home website (tech.queryhome.com → Tags → Search for:
data visualisation), data visualisation is:
…a general term that describes any effort to help the user understand the significance of data by placing
it in a visual context. Patterns, trends and correlations that might go undetected in text-based data can
be exposed and recognized easier with data visualization software and exploration tools

CC
A high volume of manual journal entries may be a leading indicator that your finance system
and processes are inefficient or overly complex. Other key insights that can be uncovered
include:
•• A high amount of journal postings just below authorisation limits.
•• Analysis of gender pay by grade/function.
•• Someone outside the finance department posting journals.
•• Time wasted by posting entries twice, or reversing them.
In short, a data-driven audit process cannot only provide assurance, but also deliver business-
ready information and feedback that may not have previously been available to the company.
While the use of such tools does not directly respond to the risk of fraud, it may assist the
auditor in assessing the risk of fraud and help shape further audit procedures where an
assessed risk of fraud exists.
CAATs, data assurance and journals testing

As mentioned earlier, a common method for fraudulent financial reporting is for management
to override internal controls by posting fraudulent general ledger journals. In such cases, the
auditor is required to perform specific audit procedures in respect of these journal entries.
CAATs and data assurance techniques allow auditors to more efficiently and accurately carry
out these audit procedures. Ways in which data assurance tools can assist the auditor include:
•• Reconciliation of 100% of general ledger postings from opening trial balance to closing
trial balance, ensuring a complete listing of manual journals is obtained for the audit
(see Worked example 6.2).
•• Able to interrogate, test and analyse every transaction recorded by a company’s systems
selected for audit, presenting the auditor with a much wider set of data from which to
choose.
•• Able to sort, filter and display manual journal postings based on specific criteria, for
example:
–– the dollar value
–– who posted it
–– who authorised it
–– posting date
–– weekend postings
–– inclusion of specific words (e.g. ‘error’ or ‘reversal’) in its description
–– specific GL accounts
–– period end postings
–– round number journals
–– journals outside normal business hours.
Based on the output for a given parameter, the auditor would then have a broad, yet tailored
range of accurate and complete data from which they can direct their journal entry testing.
In addition to responding to the fraud risk, the auditor can also use these outputs to offer
value‑adding insights to the company. Refer to the unit on responding to assessed risk –
substantive testing for further discussion on how CAATs, data analysis and data assurance can
be used from a substantive testing perspective.
Worked example 6.3: Identifying audit procedures in response to assessed fraud risks

CC
Responsibilities during the reporting phase
Evaluation of audit evidence

ISA 240 paras 34–37 require the auditor to specifically evaluate audit evidence from the:
•• Final analytical review.
•• Misstatements found during the audit.
Final analytical review

ISA 520 Analytical Procedures (520) para. 6 requires the auditor to perform analytical procedures
near the end of the audit in order to conclude whether the financial statements are consistent
with the auditor’s understanding of the entity. ISA 240 para. 34 requires the auditor to evaluate
whether these analytical procedures indicate a previously unrecognised risk of material
misstatement due to fraud.
In performing this review, the auditor must be alert to any unusual relationships, especially
those involving year-end revenue and income, for example (ISA 240 para. A50):
•• Uncharacteristically large amounts of income being reported in the last few weeks of the
reporting period.
•• Unusual transactions that result in increased revenues.
•• Income that is inconsistent with trends in cash flows from operations.
Where the auditor identifies any unusual relationships, they must obtain, in the first instance,
an explanation for variances from expectations. Where necessary, the auditor may also need
to obtain further audit evidence to support the amounts presented in the financial statements.
The implications of not being able to obtain sufficient appropriate audit evidence are discussed
below. The use of final analytical procedures is discussed further in the unit reviewing the
financial statements and audit results.
Misstatements found during the audit

ISA 240 para. 35 requires the auditor to evaluate individual misstatements found during the
audit for indications of fraud. Where such indications exist, the auditor must consider the
implications in relation to other aspects of the audit.
ISA 240 para. A51 provides additional guidance by reminding the auditor that an instance
of fraud is unlikely to be an isolated incident. It also indicates that the auditor should be
alert to patterns arising from identified misstatements. For example, if there are ‘numerous
misstatements at a specific location even though the cumulative effect is not material, [it] may
be indicative of a risk of material misstatement due to fraud’.
Where the auditor identifies a misstatement and suspects that it arises from fraud in financial
reporting involving management, the auditor must (ISA 240 para. 36):
•• Re-evaluate the risk assessment of material misstatement due to fraud.
•• Assess whether audit procedures employed throughout the audit were appropriate to
address the risk in light of the new risk(s) identified.
•• Consider the possibility of collusion between employees, management and third parties.

CC
Written representations
Under ISA 240 para. 39, the auditor is required to obtain a written representation from
management and, where appropriate, those charged with governance that they:
•• Acknowledge their responsibility for the design, implementation and maintenance of
controls to prevent and detect fraud.
•• Confirm they have disclosed to the auditor the results of management’s assessment
regarding the risk of material misstatement in the financial statements due to fraud.
•• Confirm they have disclosed to the auditor their knowledge of fraud or suspected fraud
involving either management, employees with significant roles in internal control, or others
where the fraud could have a material impact on the financial statements.
•• Confirm they have disclosed to the auditor any allegations of fraud or suspected fraud
communicated by current or past employees, analysts, regulators or others.
Communicating with regulatory and enforcement authorities

Auditors are generally bound by professional ethical requirements to maintain client
confidentiality. However, despite this general principle, ISA 240 para. 43 recognises that, in the
case of identified or suspected fraud, the auditor may have legal responsibilities (that override
their professional duty of maintaining client confidentiality) to report the fraud to external
parties. For example, in Australia, the Corporations Act 2001 (the Act) s. 311 requires the auditor
of an entity to report a contravention or suspected contravention of the Act’s requirements by
the entity to the Australian Securities and Investments Commission.
The Standard notes there may be circumstances where maintaining client confidentiality may
conflict with the public interest principles of professional conduct. Where there is not a clear
legal obligation to report externally identified fraud, the auditor is guided to consider obtaining
appropriate legal advice (ISA 240 para. A66).
Evaluate the impact on the auditor’s opinion

If the auditor confirms that, or is unable to conclude whether, the financial statements are materially
misstated as a result of fraud the auditor shall evaluate the implications for the audit.
ISA 240 para. A53 refers the auditor to ISA 450 Evaluation of Misstatements Identified during
the Audit and ISA 700 for guidance on the evaluation of misstatements and the effect on the
auditor’s opinion. The requirements of ISA 700 Forming an Opinion and Reporting on Financial
Statements (ISA 700) are discussed in more detail in the unit on forming an opinion and issuing
an auditor’s report. Under ISA 700 para. 11, the auditor must attempt to obtain sufficient
appropriate audit evidence to support the financial statement assertions, in accordance with
ISA 330.
In accordance with ISA 330, the auditor is also required to evaluate whether the initial
assessments of the risks of material misstatement remain appropriate at the end of the audit
(ISA 240 para. A49). This assessment includes risks of material misstatement due to fraud.
Required reading
ISA 240 paras 34–39, 43 and A49–A66.
ISA 520 para. 6.
ISA 700 para. 11.

CC
Continuous responsibilities throughout the audit
Professional scepticism
Professional scepticism, as introduced in the unit on assurance purpose and framework,
is particularly important when assessing the risk of fraud. This is due to the characteristics of
fraud, including the likelihood of concealment and the intentional nature.
ISA 240 para. A7 articulates the meaning of professional scepticism:
Maintaining professional skepticism requires an ongoing questioning of whether the information
and audit evidence obtained suggests that material misstatement due to fraud may exist. It includes
considering the reliability of the information to be used as audit evidence and the controls over
its preparation and maintenance where relevant. Due to the characteristics of fraud, the auditor’s
professional skepticism is particularly important when considering the risks of material misstatement
due to fraud.
Irrespective of an auditor’s prior experience of the honesty and integrity of management or

directors, ISA 240 para. 12 requires the auditor to maintain their professional scepticism.
In particular, changes in circumstances, such as an economic downturn, increased competition
and personal situations may lead to an increased risk of fraud (ISA 240 para. A8).
Maintaining professional scepticism is not intended to mean that the auditor must doubt every
piece of information presented to them. In fact, ISA 240 para. 13 specifically states that unless
there is reason to believe otherwise, the auditor may accept records and documents as genuine.
However, ‘… If conditions identified during the audit cause the auditor to believe that a
document may not be authentic or that terms in a document have been modified … the auditor
shall investigate further’.
In particular, if the auditor receives inconsistent responses to enquiries of management, they
must investigate further (ISA 240 para. 14). This may include confirming with third parties, or
using the work of an expert to assess the authenticity of a document (ISA 240 para. A9).
Communication with management and those charged with governance

ISA 240 paras 40 and A60 require the auditor to communicate matters of fraud ‘on a timely
basis to the appropriate level of management in order to inform those with primary
responsibility for the prevention and detection of fraud of matters relevant to their
responsibilities’ (ISA 240 para. 40). It is important for the matter to be reported to the
appropriate level of management as soon as practicable.
The auditor does not need to be certain that fraud exists, as there only needs to be an indication
of fraud in order to trigger the reporting requirements of ISA 240 para. 40. Therefore, the
engagement partner exercises professional judgement, not only with respect to whom to
report the matter, but also when and how to report the matter. ISA 260 para. A38 provides the
engagement partner with additional guidance on how the matter should be communicated to
management and those charged with governance.
Nonetheless, ISA 240 para. A61 indicates that where the fraud involves senior management,
or results in material misstatement, the auditor should consider whether the communication
should be in writing rather than through oral representation.
ISA 240 para. A60 requires all fraud matters be communicated to the appropriate level of
management, even if the matter is considered to be inconsequential. This is because an apparent
inconsequential incidence of fraud could in fact be material when investigated further by those
within the entity. The appropriate level is usually at least one level above those who appear to
be involved.

CC
Communicating directly with those charged with governance

The auditor should use their professional judgement in deciding whether to report
fraud‑related matters to those charged with governance.
In certain circumstances, ISA 240 requires the auditor to communicate directly to those charged
with governance rather than to management (paras 41 and A62). This is the case where fraud or
suspected fraud involves:
•• Management.
•• Employees with significant roles in internal control.
•• Others, where the fraud results in material misstatement.
In addition, ISA 240 para. 42 mandates the auditor to communicate with those charged with
governance ‘any other matters related to fraud that are, in the auditor’s judgment, relevant
to their responsibilities’. ISA 240 para. A64 includes examples of matters the auditor may
communicate directly to those charged with governance, and broadly covers concerns regarding
management’s performance relevant to fraud and authorisation of transactions outside the
normal course of business.
Communication of fraud matters to members of management or those charged with governance
is a sensitive area and one that is usually handled by the engagement partner or the next most
senior member of the audit team. Any evidence supporting or indicating fraud is thoroughly
reviewed, and careful consideration is given as to how the communication is made.
Documentation
ISA 240 para. 44 requires that the following information be included in the audit documentation
of the auditor’s understanding of the entity and its environment and the assessment of the risks
of material misstatement, as required by ISA 315:
(a) The significant decisions reached during the discussion among the engagement team regarding the
susceptibility of the entity’s financial statements to material misstatement due to fraud; and
(b) The identified and assessed risks of material misstatement due to fraud at the financial statement
level and at the assertion level.
Further, ISA 240 para. 45 requires that the following is included in the audit documentation of
the auditor’s responses to the assessed risks of material misstatement, as required by ISA 330:
(a) The overall responses to the assessed risks of material misstatement due to fraud at the financial
statement level and the nature, timing and extent of audit procedures, and the linkage of those
procedures with the assessed risks of material misstatement due to fraud at the assertion level; and
(b) The results of the audit procedures, including those designed to address the risk of management
override of controls.
The auditor is also required to include in the audit documentation communications about fraud
made to management, those charged with governance, regulators and others (ISA 240 para. 46).
Required reading
ISA 240 paras 12–14, 40–42, 44–46, A7–A9 and A60–A64.
ISA 260 para. A38.

CC
Fraud risk factors arising from related party relationships and

transactions
Learning outcome
5. Identify and assess fraud risk factors arising from related party relationships and transactions.
As mentioned earlier, as part of the planning process, the auditor needs to assess fraud risk
factors arising from related party relationships and transactions.
Related party relationships involve control or significant influence by one party over another.
As related party relationships may present a greater opportunity for collusion, concealment or
manipulation by management, their existence increases the opportunity for fraud and errors.
There is an inherent limitation on the auditor’s ability to detect other undisclosed, related
party transactions because management may be unaware of the existence of all related party
relationships and transactions. Therefore, professional scepticism is particularly important
(ISA 550 Related Party Disclosures (ISA 24) paras 6–7).
Defining related parties and related party transactions

ISA 550 para. 10 defines ‘related parties’ as those that are defined in the applicable financial
reporting framework. In Australia and New Zealand, the definition of related parties is found in
IAS 24 Related Party Disclosures (IAS 24) para. 9.
While the definition of a related party in IAS 24 para. 9 is factual, it is important to note that it is
the substance of the relationships between parties that determines whether they are related, and
not merely the legal form (IAS 24 para. 10). A party that is related to an entity can be either an
individual or another entity.
The following diagram provides examples of where related party relationships do and do
not exist.
A person (or close family member) who has control of the reporting entity
A person (or close family member) who has joint control of the reporting entity
A person (or close family member) who has significant influence over the reporting entity
Key managers of the reporting entity
Key managers of the parent entity
DO EXIST
Parent entities
Subsidiaries
Fellow subsidiaries
Two entities simply because they have a common director/key manager

Two joint venturers simply because they share joint control of a joint venture
Providers of finance
Trade unions
Public utilities
DO NOT Customers
EXIST Suppliers
Franchisors
Distributors

CC
Nature of related party transactions

A related party transaction is ‘a transfer of resources, services or obligations between a
reporting entity and a related party, regardless of whether a price is charged’ (IAS 24 para. 9).
Even though many related party transactions are conducted in a legitimate manner in the
normal course of business, special consideration is given to related party transactions by the
auditor due to the inherent risk associated with related parties generally. Risks of material
misstatement due to related party transactions result from the following:
Type of transaction Explanation
Overly complex •• Related parties may operate through an extensive and complex range of
transactions relationships and structures
Relationships and •• Related party relationships may be concealed, as they present a greater
transactions not identified opportunity for collusion, concealment or manipulation by management
•• The entity’s information systems may be ineffective at identifying or
summarising transactions and outstanding balances between the entity and its
related parties
•• Management may be unaware of the existence of all related party relationships
and transactions
Transactions not •• Related party transactions may not be conducted under normal market terms
conducted in the normal and conditions, such as above or below fair values or even with no exchange of
course of business consideration at all
Related parties fraud risk and the audit

ISA 550 para. 5 recognises that fraud may be more easily perpetrated through related parties.
Examples include:
•• Financial reporting fraud:
–– Recording fictitious sales to unconsolidated related parties.
–– Disposing of unwanted liabilities and poor quality assets from the statement of financial
position to a related party while at the same time recording revenue.
–– Misrepresenting receipts as revenue from related parties (by way of common board
members), when side agreements obligate the reporting entity to repay the money to
the lending related party.
–– Misrepresenting receipts as revenue, where the receipt is actually an injection of capital.
–– Improperly recognising revenue for sales made to secret related party distributors,
where the sales may also be contingent on on-sale by the distributor.
•• Misappropriation of assets:
–– Causing the reporting entity to pay for goods and services not received by raising
fictitious invoices from an unconsolidated related party.
–– Using the reporting entity’s assets as collateral for bank loans made to a related party.
Indicators that fraud may have occurred through the use of related parties include:
•• Transactions that involve non-consolidated related parties, including special purpose
entities that have not been properly reviewed or approved by those charged with
governance of the entity (ISA 240 para. A48).
•• Transactions involving previously unidentified related parties or parties that do not have
the substance or the financial strength to support the transaction without assistance from
the entity under audit (ISA 240 para. A48).
•• Significant related party transactions not in the ordinary course of business or with related
entities not audited, or audited by another firm (ISA 240 Appendix 1).

CC
Override of related party controls

Related party relationships generally involve control or significant influence and may provide
management with increased financial incentive, and opportunity, to perpetrate fraud. Methods
could include:
•• Directing the reporting entity to settle transactions for the benefit of the related party
entities in which the perpetrator has financial interest.
•• Colluding with, or controlling, a related party’s actions to hide large liabilities and/or
recognise fictitious revenue.
•• Creating fictitious terms of trade with the related party in order to misrepresent the
business rationale behind the transactions.
•• Transferring assets to or from management, or others, at amounts that are not commercially
viable.
Maintaining alertness for related party information

As well as identifying and assessing the risks of material misstatement at the planning stage
of the audit, the auditor must also remain alert for other information during the audit that
indicates related party relationships or transactions not previously identified (ISA 550 para. 15).
If the auditor identifies related parties or significant related party transactions that management
has not previously identified or disclosed, then ISA 550 para. 22 sets out the work that the
auditor must undertake. Further, it states that the auditor needs to determine whether the
non‑disclosure appears to be intentional, as this would be indicative of a fraud risk, the
implications of which the auditor needs to evaluate for the audit.
Required reading
ISA 550 paras 2–22 and A9.
ISA 240 paras A5, A48 and Appendix 1.
IAS 24 paras 9–10 and 13–24.
Activity 6.1: Identifying fraud risks

Activity 6.2: Assessing fraud risks


6.1: Audit Risks – Fraud (ISA 240)
Quiz

Readings

Standards.
Required reading
Relevant International Standards on Auditing and International Accounting Standards, and

national equivalents
with International Standards on with Australian Auditing with International Standards on
Auditing Standards Auditing (New Zealand)
•• Paragraphs 11(a) and A35 •• Paragraphs 11(a) and A35 •• Paragraphs 11(a) and A35)
ISA 240 The Auditor’s ASA 240 The Auditor’s ISA (NZ) 240 The Auditor’s
Responsibilities Relating to Responsibilities Relating to Fraud Responsibilities Relating to
Fraud in an Audit of Financial in an Audit of a Financial Report Fraud in an Audit of Financial
Statements Statements
•• Paragraphs 2–47, A1–A66, •• Paragraphs 2–47, A1–A66, •• Paragraphs 2–47, A1–A66,
Appendices 1, 2 and 3 Appendices 1, 2 and 3 Appendices 1, 2 and 3
ISA 260 Communication with ASA 260 Communication with ISA (NZ) 260 Communication with
Those Charged with Governance Those Charged with Governance Those Charged with Governance
•• Paragraph A38 •• Paragraph A38 •• Paragraph A38
•• Paragraph A124 •• Paragraph A124 •• Paragraph A124
ISA 330 The Auditor’s Responses to ASA 330 The Auditor’s Responses ISA (NZ) 330 The Auditor’s
Assessed Risks to Assessed Risks Responses to Assessed Risks
ISA 520 Analytical Procedures ASA 520 Analytical Procedures ISA (NZ) 520 Analytical
Procedures
ISA 550 Related Parties ASA 550 Related Parties ISA (NZ) 550 Related Parties
•• Paragraphs 2–22 and A9 •• Paragraphs 2–22 and A9 •• Paragraphs 2–22 and A9

Relevant International Standards on Auditing and International Accounting Standards, and

national equivalents
ISA 700 Forming an Opinion and ASA 700 Forming an Opinion and ISA (NZ) 700 Forming an Opinion
Reporting on Financial Statements Reporting on a Financial Report and Reporting on Financial
Statements
IAS 24 Related Party Disclosures AASB 124 Related Party NZ IAS 24 Related Party
Disclosures Disclosures
•• Paragraphs 9–10 and 13–24 •• Paragraphs 9–10 and 13–24 •• Paragraphs 9–10 and 13–24

www.ifrs.org www.aasb.gov.au
Further reading

References
The following source was referred to in the preparation of content for this unit:
•• IFAC 2011, Guide to using ISAs in the audits of small- and medium-sized entities, 3rd edn, vols 1
and 2 (IFAC Guide).

ACT
Activity 6.1
Identifying fraud risks
Introduction
An auditor conducting an audit in accordance with the applicable Auditing Standards is
responsible for obtaining reasonable assurance that the financial statements taken as a whole
are free from material misstatement, whether caused by fraud or error. This requires the auditor
to firstly identify any fraud risks.
•• Explain and identify the characteristics of fraud in the context of an audit.
•• Identify and assess the risks of material misstatement in financial statements due to fraud.
•• Identify and assess fraud risk factors arising from related party relationships and
transactions.
At the end of this activity you will be able to identify fraud risk factors relating to an audit of
financial statements, in accordance with ISA 240 The Auditor’s Responsibilities Relating to Fraud in
an Audit of Financial Statements (ISA 240).
Scenario
You are a newly qualified Chartered Accountant working for X&Y Partners Chartered
Accountants (X&Y). You have been assigned to the audit of Zizzling Limited (Zizzling) for the
year ended 30 June 20X3 (FY 20X3) and are in the planning stage of the final audit.
Zizzling is a national fashion retail chain with stores located throughout Australia. The major
shareholders of Zizzling are the Bear siblings, Morgan, Lulu and Amy. The remaining minority
shares are held by independent third parties. Both Amy and Morgan Bear are employees of
Zizzling. Morgan is the chief executive officer (CEO), and is the only Bear sibling on the board.
All of the other board members are independent.
Zizzling specialises in expensive women’s swimwear and summer resort wear. Zizzling designs
its garments in Australia and manufactures them in China from Italian-sourced fabrics. The
only exception is the material for Zizzling’s resort wear, which is purchased at commercial rates
from Cherry Bear, the fourth Bear sibling, through her company Cherry Clothes Pty Ltd (CC).
The details of this arrangement are contained in a note in the financial statements.
Zizzling has been struggling to meet its projected profit forecasts in recent years due to an
influx of both local competitors and foreign imported products, increased competition from
online shopping, the increasingly high local dollar against the US dollar, and constant changes
in consumer trends due to the global financial crisis.
Senior employees are entitled to an annual bonus which can be up to 20% of their base salary
on the achievement of their KPIs. Their bonus entitlement reduces to 5% of their base salary if
profit forecasts are not met.

ACT
You have identified the following matters:
Matter 1
During the interim audit, Zizzling’s chief financial officer (CFO) confided that he suspected
Zizzling was in breach of its bank loan covenants during the course of FY 20X3. This would put
his bonus in jeopardy, as maintaining covenants is one of his KPIs. A refinancing with BigBank
was due to occur on 31 July 20X3. No refinancing documents had been provided by BigBank
as at 30 June 20X3 and Zizzling had not attempted to secure financing from other financial
institutions.
Matter 2
Since X&Y started auditing Zizzling four years ago, Zizzling has been plagued by poor internal
controls over accounts payable operations. In past audits, X&Y has brought this issue to
management’s attention. For example, Jamie Potts, one of the accounts payable clerks, is able
to approve and pay invoices of up to $50,000 per transaction. You have learned he is currently
having trouble paying his mortgage. Despite X&Y drawing these weaknesses to management’s
attention, processes at Zizzling remain unchanged.
Matter 3
Zizzling changed a key supplier of material in January 20X3. A cheaper overseas supplier was
sourced who happened to be an old friend of Lulu Bear’s and was used to save costs. However,
you notice that the number of product returns has significantly increased since March 20X3.
Initial discussions with management confirm the reason for the returns has been customer
complaints over fabric quality. Cost savings have not been as much as expected.
Matter 4
Zizzling owns 80% of its manufacturing operations in China, with the remaining 20% being
owned by a Chinese company, Yi. Morgan Bear’s wife is a clothing designer and has her fashion
line manufactured in Zizzling’s Chinese plant at a reduced rate. To help support his wife’s
business, Morgan has asked for the manufacturing costs incurred by his wife to be written off
as a bad debt. Yi is not aware of this arrangement.
Matter 5
Amy Bear is in charge of purchases, and in October 20X2, she renegotiated Zizzling’s contract
with CC. Amy and CC agreed that Zizzling would pay cash on delivery for all CC materials.
Zizzling’s normal creditor terms are 45-day settlement. No one outside the purchasing
department is aware of the renegotiation.
CC advises Zizzling’s purchasing department of its intended deliveries three days in advance
of any delivery to allow Zizzling time to withdraw cash to settle the deliveries. The value of the
deliveries is material to Zizzling.

ACT
Task
For this activity you are required to identify and explain how each matter is a fraud risk in
relation to the audit of Zizzling.
Present your solution in the following table format:
Matter Fraud risk Explanation

ACT
Activity 6.2
Assessing fraud risks
Introduction
When conducting an audit in accordance with the applicable Auditing Standards, an auditor is
responsible for obtaining reasonable assurance that the financial statements taken as a whole
are free from material misstatement, whether caused by fraud or error. This requires the auditor
to both identify fraud risks and assess their potential impact.
•• Identify and assess the risks of material misstatement in financial statements due to fraud.
•• Identify and assess fraud risk factors arising from related party relationships and
transactions.
At the end of this activity you will be able to assess fraud risk factors relating to an audit
of financial statements and recommend internal controls or procedures that could be
implemented, in accordance with ISA 240 The Auditor’s Responsibilities Relating to Fraud in an
Audit of Financial Statements (ISA 240).
Scenario
This activity follows on from Activity 6.1 ‘Identifying fraud risks’.
You are a newly qualified Chartered Accountant working for X&Y Partners Chartered
Accountants (X&Y). You have been assigned to the audit of Zizzling Limited (Zizzling) for the
year ended 30 June 20X3 (FY 20X3) and are in the planning stage of the final audit.
Zizzling is a national fashion retail chain with stores located throughout Australia. The major
shareholders of Zizzling are the Bear siblings, Morgan, Lulu and Amy. The remaining minority
shares are held by independent third parties. Both Amy and Morgan Bear are employees of
Zizzling. Morgan is the chief executive officer (CEO), and is the only Bear sibling on the board.
All of the other board members are independent.
Zizzling specialises in expensive women’s swimwear and summer resort wear. Zizzling designs
its garments in Australia and manufactures them in China from Italian-sourced fabrics. The
only exception is the material for Zizzling’s resort wear, which is purchased at commercial rates
from Cherry Bear, the fourth Bear sibling, through her company Cherry Clothes Pty Ltd (CC).
The details of this arrangement are contained in a note in the financial statements.
Zizzling has been struggling to meet its projected profit forecasts in recent years due to an
influx of both local competitors and foreign imported products, increased competition from
online shopping, the increasingly high local dollar against the US dollar, and constant changes
in consumer trends due to the global financial crisis.
Senior employees are entitled to an annual bonus, which can be up to 20% of their base salary,
on the achievement of their KP1s. Their bonus entitlement reduces to 5% of their base salary if
profit forecasts are not met.

ACT
You have identified the following matters as audit fraud risks:
Matter 1
During the interim audit, Zizzling’s chief financial officer (CFO) confided that he suspected
Zizzling was in breach of its bank loan covenants during the course of FY 20X3. This would put
his bonus in jeopardy, as maintaining covenants is one of his KPIs. A refinancing with BigBank
was due to occur on 31 July 20X3. No refinancing documents had been provided by BigBank
as at 30 June 20X3 and Zizzling had not attempted to secure financing from other financial
institutions.
Fraud risk
The CFO’s bonus is linked to the achievement of KPIs, which themselves are based
on calculations that are within his control to manipulate, including the maintenance of bank
loan covenants.
Matter 2
Since X&Y started auditing Zizzling four years ago, Zizzling has been plagued by poor internal
controls over accounts payable operations. In past audits, X&Y has brought this issue to
management’s attention. For example, Jamie Potts, one of the accounts payable clerks, is able
to approve and pay invoices of up to $50,000 per transaction. You have learned he is currently
having trouble paying his mortgage. Despite X&Y drawing these weaknesses to management’s
attention, processes at Zizzling remain unchanged.
Fraud risk
There is an inadequate separation of duties: an accounts payable clerk is able to both approve
and pay invoices.
Matter 3
Zizzling changed a key supplier of material in January 20X3. A cheaper overseas supplier was
sourced who happened to be an old friend of Lulu Bear’s and was used to save costs. However,
you notice that the number of product returns has significantly increased since March 20X3.
Initial discussions with management confirm the reason for the returns has been customer
complaints over fabric quality. Cost savings have not been as much as expected.
Fraud risk
The use of inferior materials in the production of swimwear and resort wear is based on
realising cost savings and meeting financial performance targets. However, the savings have not
been as much as expected.
Matter 4
Zizzling owns 80% of its manufacturing operations in China, with the remaining 20% being
owned by a Chinese company, Yi. Morgan Bear’s wife is a clothing designer and has her fashion
line manufactured in Zizzling’s Chinese plant at a reduced rate. To help support his wife’s
business, Morgan has asked for the manufacturing costs incurred by his wife to be written off as
a bad debt. Yi is not aware of this arrangement.
Fraud risk
There is a related party transaction that is not conducted under normal market terms and
conditions.

ACT
Matter 5
Amy Bear is in charge of purchases, and in October 20X2, she renegotiated Zizzling’s contract
with CC. Amy and CC agreed that Zizzling would pay cash on delivery for all CC materials.
Zizzling’s normal creditor terms are 45-day settlement. No one outside the purchasing
department is aware of the renegotiation.
CC advises Zizzling’s purchasing department of its intended deliveries three days in advance
of any delivery to allow Zizzling time to withdraw cash to settle the deliveries. The value of the
deliveries is material to Zizzling.
Fraud risk
The non-arm’s length contract between Zizzling and CC. CC is an entity controlled by a family
member of senior Zizzling management.
Zizzling also holds significant amounts of cash on hand to pay cash on delivery for materials.
Task
For this activity you are required to describe internal controls or processes that you would
recommend Zizzling implement in order to minimise the fraud risk identified for each matter.

CC
Core content
Unit 7: Materiality in planning and
performing an audit
Learning outcomes
1. Define materiality and explain factors that impact its determination.
2. Apply the concept of materiality appropriately in planning an audit and in determining audit
procedures to be performed in an audit.
3. Describe how materiality influences the nature, timing and extent of audit procedures.
4. Explain how revisions to materiality can occur during the course of an audit.
Introduction
In auditing, the concept of materiality recognises that some matters, either individually or in
aggregate, are important to users making economic decisions based on an entity’s financial
statements. This could include decisions that involve investing in, purchasing, doing business
with or lending money to, an entity. When a misstatement or omission of information in the
financial statements is significant enough to change or influence such a decision, a material
misstatement has occurred.
This unit explores how an auditor expresses materiality or materiality levels numerically.
However, materiality when quantified is not black and white; rather, it represents a ‘grey’
area between what is very likely to be material and what is very likely not to be material.
Consequently, the assessment of what is ‘material’ is always a matter of professional judgement.
In practice, it is not realistic for auditors to test, examine or verify every single transaction,
account balance or operational process of an entity to identify all misstatements or omissions.
Applying the concept of materiality appropriately enables the auditor to focus their attention
and effort on the high risk areas of the entity’s financial statements. ISA 320 Materiality in
Planning and Performing an Audit (ISA 320) provides guidance on how auditors should apply the
concept of materiality in planning and performing an audit.
aaa11607_csg

CC
Defining materiality
Learning outcome
1. Define materiality and explain factors that impact its determination.
Materiality relates to a misstatement that could reasonably be expected to influence the

economic decisions of users taken on the basis of the financial statements (ISA 320 para. 2).
Misstatements
A misstatement is any difference between the actual amount, classification, presentation or
disclosure of a reported financial statement item and the required amount, classification,
presentation or disclosure in accordance with the applicable financial reporting framework
(ISA 450 Evaluation of Misstatements Identified during the Audit (ISA 450) para. 4(a)).
Examples – Typical misstatements

These examples illustrate some common types of misstatements:
•• Errors and fraud identified in the preparation of financial statements.
•• Departures from the requirements of the applicable financial reporting framework.
•• Employee or management fraud.
•• Management error.
•• Inaccurate or inappropriate estimates.
•• Inappropriate or incomplete descriptions of accounting policies or note disclosures.
Materiality and misstatements

When a misstatement (or the aggregate of more than one misstatement) is significant enough
to influence the economic decisions of users of the financial statements, the financial statements
are considered to be materially misstated.
The auditor’s assessment of materiality is a matter of professional judgement. The auditor’s
judgement is affected by their perception of the common financial information needs of the
users as a group. The potential effect of misstatements on specific users is not considered.
When assessing misstatements in financial statements, an auditor must consider both the
quantitative and qualitative aspects of the misstatement, including:
•• Size of the misstatement – that is, monetary amount involved (quantitative).
•• Nature of the item (qualitative).
•• Circumstances surrounding its occurrence (qualitative).
In some situations, a misstatement with a value that is well below the materiality level set
(based on size) for the financial statements may be determined as material based on the
nature of the item or the circumstances related to its occurrence. For example, information on
transactions with related parties may be very significant to a person making a decision based on
an entity’s financial statements.

CC
The diagram below illustrates how misstatements relate to materiality:
Extent of misstatements
(Quantitative and qualitative)
Subject matter Reasonable user

information
Misstatements Decision would be

are material changed or influenced
Financial
Statements
Materiality
threshold
Misstatements Decision would not be

are immaterial changed or influenced
Adapted from: Australian audit manual and toolkit 2015 for small and medium sized entities, Exhibit 5.3-2, p. 87.
Required reading

CC
Materiality in planning an audit
Learning outcome
2. Apply the concept of materiality appropriately in planning an audit and in determining audit
procedures to be performed in an audit.
An auditor is required to apply the concept of materiality throughout the audit process (ISA 320
para. 5):
•• In planning the audit.
•• In performing the audit.
•• In evaluating the effect of identified misstatements on the audit.
•• In evaluating the effect of uncorrected misstatements on the financial statements and in
forming the audit opinion.
The diagram below illustrates how materiality is used throughout an audit:

Determining: Determining the nature, timing,
• Materiality for the financial and extent of further audit
statements as a whole procedures
• Performance materiality Revisions to materiality as a
Planning what risk assessment result of a change in
procedures to perform circumstances during the audit
Identifying and assessing the
risks of material misstatement
Reporting
Evaluating the effect of
uncorrected misstatements
Forming the opinion in the
auditor’s report
Adapted from: Australian audit manual and toolkit 2015 for small and medium-sized entities, Exhibit 5.0-1, p. 83.
This unit looks at ISA 320, which specifically deals with how an auditor determines and applies
materiality in the first two phases (risk assessment and risk response) of an audit.
During the audit reporting phase at the conclusion of an audit, overall materiality is applied
to evaluate the effect of any identified misstatements on the financial statements and the
appropriateness of the auditor’s opinion, as discussed in the unit on responding to assessed
risks – evaluating audit evidence.

CC
Levels of materiality
As part of planning the audit, an auditor makes judgements about the size of misstatements
that will be considered material (ISA 320 para. 6). This includes establishing various materiality
levels.
ISA 320 describes four materiality levels, which can be broadly categorised as:
•• Overall materiality.
•• Performance materiality.
•• Specific materiality.
•• Specific performance materiality.
Each materiality level is discussed in further detail in this unit. The definitions of the different
materiality levels and the relationships between them are illustrated in the following diagram:
ISA 320 Materiality in Planning

and Performing an Audit
Materiality set for financial Materiality set for class of

statement level transactions, account balance
and disclosure level
Overall materiality Specific materiality

Materiality for the financial Materiality for particular:
statements as a whole, with • Classes of transactions
reference to the needs of users of • Account balances
financial statements • Disclosures
(para. 10) (paras 10 and A10)
Performance materiality Specific performance materiality

Based on overall materiality but Based on specific materiality but
set at a lower amount. set at a lower amount. To reduce the
To reduce the probability that probability that uncorrected and
uncorrected and undetected undetected misstatements for the
misstatements exceed overall specific class of transactions,
materiality account balance or disclosure
(paras 9 and A12) exceed specific materiality
(paras 9 and A12)
Note: The terms ‘overall materiality’ and ‘specific materiality’ are used here only for the
purpose of this unit. These terms are not used in ISA 320.

CC
Overall materiality
Overall materiality refers to ‘materiality for the financial statements as a whole’ (ISA 320
para. 10). It is the dollar amount that the auditor sets for the financial statements above which
any misstatement (individual or in aggregate) would result in the financial statements being
materially misstated.
The auditor establishes overall materiality based on their understanding of the financial
information needs of the users, as a group, of the financial statements. In doing so, the
auditor assumes that users have a reasonable knowledge of business, economic activities and
accounting, and use reasonable diligence in studying and making reasonable decisions based on
the financial statements (ISA 320 para. 4).
Example – Overall materiality

This example illustrates what overall materiality is.
Assume that the economic decisions of a financial statements user group would be influenced
by a misstatement of $200,000 in the financial statements. This amount would be the overall
materiality set by the auditor. Any individual misstatement or aggregate of individually
immaterial misstatements that exceeds this $200,000 amount would result in the financial
statements being materially misstated.
Determining overall materiality

A numerical threshold (benchmark) is used as a starting point. A percentage is then applied
to the chosen benchmark in the determination of overall materiality. The benchmark and the
percentage to be applied are both based on the auditor’s professional judgement (ISA 320
para. A3).
Selecting an appropriate benchmark

The benchmark selected should be appropriate to the circumstances of the entity. Examples of
potential benchmarks include (ISA 320 para. A4):
•• Profit before tax.
•• Total revenue.
•• Gross profit.
•• Total expenses.
•• Net assets.

CC
When identifying an appropriate benchmark to use, an auditor would determine who are the
likely users of the financial report and would consider matters such as those outlined in the
following table:
Factors to consider when choosing an appropriate benchmark
Factors Considerations
Users’ primary Identify what information in the financial statements items is of the most interest to users
focus
For example:
•• Users interested in evaluating financial performance will focus on profits, revenues
or net assets. Profit before tax from continuing operations is commonly used as a
benchmark for profit-focused entities
•• Users interested in the resources utilised to achieve certain goals will focus on the nature
and extent of revenues and expenditures – for example, not-for-profit entities
Relevant elements Identify what major elements of the financial statements will be of interest to users of the
of financial financial statements (e.g. assets, liabilities, equity, income, and expenses)
statements
Nature of the Consider the nature of the entity, where it fits in the life cycle (i.e. whether growing,
entity mature, declining, etc.), and the industry and economic environment in which the entity
operates
Financing Identify how the entity is financed

If it is financed solely by debt (rather than equity capital), users of the financial statements
may put more emphasis on the pledged assets, cash flows and any claims rather than on
the entity’s earnings
Volatility Determine the volatility of the proposed benchmark

For example, a benchmark based on earnings might normally be an appropriate choice,
but if the entity is operating close to its break-even point each period (e.g. making small
profits or losses) or its results fluctuate widely, this benchmark may not be an appropriate
base for determining materiality
Alternatives Assess whether an alternative benchmark is necessary to address special circumstances

Alternative benchmarks could include: current assets, net working capital, total assets,
total equity, and cash flow from operations
Adapted from: Australian audit manual and toolkit 2015 for small and medium-sized entities, Exhibit 21.2-2, pp. 347–8.
Once an appropriate benchmark is identified, relevant financial data is considered. This might
be, for example, prior period financial results, forecasts for the current period or period to
date results. Circumstances might cause an exceptional variation that may lead the auditor
to conclude that they should use a ‘normalised’ benchmark base. For example, income from
continuing operations could be adjusted for:
•• Unusual or non-recurring revenue/expense items.
•• Items such as management bonuses, which may be based on profits before the bonuses or
simply paid out to reduce any income left in the company.
Selecting an appropriate percentage

The selection of an appropriate percentage to be applied to the nominated benchmark also
requires professional judgement. The percentage applied to a profit-based benchmark would
generally be higher than that applied to a revenue-based benchmark.

CC
Benchmarks and percentages that are commonly used to determine overall materiality
in practice are included in the table below:
Benchmarks and percentages commonly used to determine materiality
Type of entity Possible benchmarks Possible range of

overall materiality
(%)
Publicly listed entities Profit before tax from continuing activities 3–10
Privately owned entities Total revenue 0.5–2

or
Profit before tax 3–10
Not-for-profit entities Income 0.5–2

or
Total expenses 0.5–2
Owner-managed entities Profit before owner remuneration and tax 3–10
Asset/investment-based entities Total assets 0.5–2
Example – Determining overall materiality

This example illustrates how an auditor determines overall materiality.
For a listed for-profit entity, users of its financial statements are likely to be focused on profit.
Therefore, ‘profit from continuing activities’ is likely to be an appropriate benchmark to use.
In deciding the percentage to be applied to this benchmark, the auditor would consider that,
because it is a listed entity, there is a larger volume of users (shareholders), more regulation and
a higher pressure to meet financial expectations. These three factors would tend to drive down
the percentage that the auditor would apply to the chosen benchmark. Therefore, the example
of 5% provided in ISA 320 para. A7 may be a reasonable percentage to use in calculating overall
materiality for this entity.
Required reading
Worked example 7.1: Identifying materiality factors and benchmarks

Activity 7.1: Identifying materiality factors and benchmarks


CC
Performance materiality
Performance materiality is established based on overall materiality but set at a lower amount
(ISA 320 para. 9). The auditor uses this lower level of materiality to determine the nature and
extent of audit procedures to be performed. Using this lower level of materiality instead of
overall materiality when determining the nature and extent of audit procedures means that
more audit procedures are performed. This reduces the probability that the total amount of
uncorrected and undetected misstatements exceeds overall materiality, resulting in the financial
statements being materially misstated. It also increases the chance of detecting misstatements, if
they exist.
Example – Performance materiality

This example illustrates the benefit of applying performance materiality.
Assume that overall materiality for an audit is set at $200,000 and audit procedures are planned
to detect all misstatements in excess of $200,000. It is quite possible that a misstatement of
$130,000, for example, will go undetected. If three misstatements of $160,000, $60,000 and
$50,000 respectively exist (i.e. $270,000 in total), the financial statements would be materially
misstated.
However, if performance materiality is set at $160,000 (80% x $200,000), it is much more likely
that at least the $160,000 error will be detected. Even if only the $160,000 error is identified and
corrected, the remaining misstatement of $110,000 will be less than the overall materiality level
and the financial statements as a whole would not be materially misstated.
Determining performance materiality

As stated above, performance materiality is based on overall materiality but set at a lower
amount. ISA 320 provides no specific guidance on how to calculate performance materiality
(i.e. the extent of this reduced amount). This is left to the auditor’s professional judgement, and
is affected by issues such as the:
•• Auditor’s understanding of the entity.
•• Auditor’s experience in prior year audits.
•• Nature and extent of misstatements identified in prior year audits.
•• Auditor’s expectations in the current year.
•• Risk assessment.
The table below provides some percentages that are commonly used in practice to calculate
performance materiality:
Percentages commonly used to calculate performance materiality
Risk of material misstatement Performance materiality as a

percentage of overall materiality
%
High 50–60
Medium 65–75
Low 80–90
Note: These percentages are only guidelines. In practice, different audit firms would have
different guidance in their audit manuals.
Required reading

CC
The relationship between the risk of material misstatement and performance

materiality
The risk of material misstatement (RMM) consists of inherent risk and control risk (discussed in
the unit on understanding the entity and its environment). Assessing RMM enables the auditor
to identify the account balances, classes of transactions and disclosures in which misstatements
are likely to occur. This would enable the auditor to establish a level of detection risk that
supports their determined audit risk, given the inherent and control risk particular to the audit,
and set performance materiality accordingly.
While assessing RMM enables the identification of problem areas, performance materiality
determines the volume of audit procedures that the auditor will carry out in those areas.
There is an inverse relationship between the acceptable performance materiality level and
RMM: if RMM is reduced, acceptable performance materiality is raised, and vice versa.
RISK OF MATERIAL
PERFORMANCE
MISSTATEMENT PERFORMANCE MATERIALITY
MATERIALITY RISK OF MATERIAL
MISSTATEMENT
Examples – Performance materiality and RMM

These examples illustrate the inverse relationship between performance materiality and RMM.
Example 1 – Low RMM, high performance materiality
Where an entity has a history of unmodified audit opinions, operates in a stable industry and
has strong internal controls, then, excluding other factors, it is likely that the auditor would
assess the entity as having low RMM. This low risk assessment would lead the auditor to set
the performance materiality higher than they would for a similar entity with weaker internal
controls.
Example 2 – High RMM, low performance materiality
If an entity operates in a volatile industry such as the oil and gas exploration industry, has a
history of weak internal controls and requires adjustments to its financial statements each year
as a result of audit findings, it is likely that the auditor would assess the entity as having high
RMM. The auditor would therefore set performance materiality low enough to ensure that audit
risk is reduced to an acceptable level.
Specific materiality
Specific materiality refers to the ‘materiality of particular classes of transactions, account
balances or disclosures’ as described in ISA 320 para. 9. In some audit engagements, there may
be a need to identify misstatements of amounts that are less than overall materiality that would
affect economic decisions of users of the financial statements. Such misstatements could relate
to sensitive areas, such as particular note disclosures regarding senior executives’ remuneration.
The auditor would consider the existence of specific matters, such as the examples provided in
the following table, which indicate a need to establish a specific materiality level for a particular
class of transactions, account balance or disclosure.

CC
Factors impacting on specific materiality
Factors Examples
Laws, regulations, and accounting •• Sensitive financial statements disclosures, such as the
framework requirements remuneration of management and those charged with
governance
•• Related party transactions
•• Non-compliance with loan covenants, contractual agreements,
regulatory provisions and statutory/regulatory reporting
requirements
•• Certain types of expenditure, such as illegal payments or
executives’ expenses
Key industry disclosures •• Reserves and exploration costs for a mining entity
•• Research and development costs for a pharmaceutical entity
Disclosures of significant events and •• Newly acquired businesses or expansion of operations

important changes in operations •• Discontinued operations
•• Unusual events or contingencies (i.e. lawsuits)
•• Introduction of new products and services
Example – Identifying the need for a specific materiality level

This example illustrates how a need for a specific materiality level is identified.
When an auditor becomes aware that the users of an entity’s financial statements are
concerned about travel and entertainment expenses incurred by the entity’s management and
personnel, the auditor may decide to set a specific materiality level for auditing those expenses.
This concept of applying professional judgement is not an exact science, and therefore requires
careful consideration of the facts and circumstances in each case.
Required reading
Specific performance materiality

Specific performance materiality is set in the same way as performance materiality, discussed
above, except that specific performance materiality would be set at a lower amount than specific
materiality. This is to ensure that sufficient audit work is performed to reduce the probability
to an appropriately low level that the amount of uncorrected and undetected misstatements
exceeds the specific materiality set for those particular accounts or disclosures.
Specific performance materiality may also be required in areas that are sensitive due to the
nature of potential misstatements and their occurrence, rather than their monetary size.
Example – Specific performance materiality level

This example illustrates when specific performance materiality levels may be required.
Following on from the previous example, the auditor may decide to set a lower materiality
amount for auditing travel and entertainment expenses to ensure that additional audit work
is performed in order to reduce the probability that the total amount of uncorrected and
undetected misstatements in the expenses would exceed the specific materiality set for travel
and entertainment expenses.

CC
Worked example 7.2: Specific materiality for classes of transactions, account balances or
disclosures
Determining materiality levels in a financial statements audit

The following example shows how the auditor determines materiality levels.
Determine materiality for a listed entity in a stable environment

This example illustrates how materiality levels are determined for a listed entity in a stable
environment.
A listed for-profit entity in the manufacturing industry that has strong internal controls and
a history of unmodified auditor’s reports produces the following key results:
•• Gross revenue = $120 million.
•• Net profit before tax from continuing operations = $20 million.
•• Total assets = $150 million.
•• Net assets = $80 million.
The current economic climate is stable and the entity’s results are comparable with other
competitors in its industry.
The entity comprises four main divisions. Since the last reporting period, the entity has
commenced restructuring one of these divisions and recognised a restructuring provision of
$800,000, to take advantage of synergies within the group.
When determining materiality levels, the auditor would be likely to consider the following
factors:
Materiality for financial statements level
Overall materiality
Given that the entity is a listed for-profit entity, users of its financial statements are likely to be
focused on profit. Therefore, ‘net profit before tax’ appears to be an appropriate benchmark to
use. The stable economic environment and the fact that the company’s results are comparable
to its competitors both support using this benchmark, which is unlikely to be volatile.
Being a listed entity, there is a larger volume of users (shareholders), more regulation and a
higher pressure to meet financial expectations, and the auditor may decide to apply a low
percentage to the chosen benchmark. Using their professional judgement, the auditor may
decide to apply 5% to net profit before tax.
This would result in an overall materiality amount of $1 million (i.e. $20 million × 5% = $1 million).
Given the stable economic environment, its strong internal controls and history of unmodified
auditor’s reports, the entity’s preliminary risk assessment may be quite low. However, the
auditor would still set a performance materiality level at less than the overall materiality level to
increase the chance of detecting misstatements.
Using their professional judgement, the auditor may decide to set performance materiality at
80% of overall materiality. Therefore, the auditor will use performance materiality of $800,000
(i.e. $1 million × 80%) to determine the nature, timing and extent of further audit procedures.

CC
Materiality for a particular account balance

Specific materiality
The auditor may determine that the entity’s restructuring of one of its main divisions is a
significant operational change and, as such, would be a key focus area for users of the financial
statements. Therefore, in addition to overall materiality of $1 million, the auditor may also
determine a specific materiality level for the restructuring provision. Using their professional
judgement, the auditor may decide to set specific materiality at 10% of the restructuring
provision, or $80,000 (i.e. $800,000 × 10%).
There may also be legislative or regulatory requirements regarding specific items in the
financial statements (e.g. related party transactions and remuneration disclosures). If so, the
auditor would determine specific materiality levels with regard to these other items as well.
Specific performance materiality
If the auditor set a specific materiality level for the restructuring provision, they may also set a
specific performance materiality level for this account balance to ensure that additional audit
work is performed to increase the chance of detecting misstatements, which reduces the
probability that the aggregate of uncorrected and undetected misstatements would exceed
the specific materiality set for restructuring provision.
Using their professional judgement, the auditor may decide to set specific performance
materiality at 60% of the specific materiality set for restructuring provision. Therefore, specific
performance materiality would be set at $48,000 (i.e. $80,000 × 60%).
Documenting materiality
As materiality is based on the auditor’s professional judgement, it is important that the auditor
document not only the amounts determined for various levels of materiality, but also the factors
considered in their determination (ISA 320 para. 14).
This will occur:
•• During the planning phase.
•• During the audit if revisions are required to any of the performance levels.
Required reading
ISA 320 para. 14.

CC
Materiality and the nature, timing and extent of audit

procedures
Learning outcome
3. Describe how materiality influences the nature, timing and extent of audit procedures.
In planning an audit, the nature, timing and extent of audit procedures designed by the auditor
are based on the entity’s assessed risk of material misstatement. Determining materiality levels
directly impacts on this process, since the overall materiality level quantifies exactly what
classifies as a ‘material misstatement’ for an audit.
The nature, timing and extent of audit procedures are defined in ISA 330 paras A5–A7 as
follows:
•• Nature refers to a procedure’s purpose (i.e. tests of controls or substantive procedures) and
type (i.e. inspection, observation, analytical procedures, etc.).
•• Timing refers to when a procedure is performed, or the period or the date when audit
evidence applies.
•• Extent refers to the quantity of audit procedures to be performed (i.e. a sample size).
Performance materiality directly affects the extent of audit procedures that the auditor will
carry out in an audit. There is an inverse relationship between performance materiality
and the extent of audit procedures that will be performed: the lower the performance
materiality, the more procedures that will be performed, and vice versa.
Specifically, materiality can be used to:

•• Identify what further audit procedures are necessary.
•• Determine which items in the financial statements to select for testing and whether to use
sampling techniques.
•• Assist with determining sample sizes.
•• Evaluate representative sampling errors by extrapolating across the population for ‘likely’
misstatements.
•• Evaluate the aggregate amount of total errors at the account level up to the financial
statements level.
•• Evaluate the aggregate amount of total errors including the net effect of uncorrected
misstatements in opening retained earnings.
•• Assess results of procedures.
Source: Australian audit manual and toolkit 2014 for small and medium sized entities, Exhibit 21.4-1, p. 352.
Example – Impact of materiality on the extent of audit procedures

This example illustrates the impact of materiality on determining the extent of audit
procedures.
If an auditor determines that there is a high risk of an entity’s assets being incorrectly
capitalised, and that ‘repairs and maintenance expense’ would be an area that users of the
financial statements would focus on, the auditor would most likely set a lower specific
performance materiality for testing ‘repairs and maintenance expense’. This directly increases
the quantity of audit procedures that will need to be performed for repairs and maintenance
expenses.
Required reading
ISA 320 paras 5, 6 and A1.

CC
Revising materiality during an audit
Learning outcome
4. Explain how revisions to materiality can occur during the course of an audit.
It is important to understand that the overall materiality calculated at the planning stage of an
audit may not necessarily remain unchanged throughout the audit. During the course of the
audit, information may come to light that requires the auditor to revise the original overall
materiality level.
For example, overall materiality might be revised when:
•• A change in circumstances occurred during the audit that would impact on the decisions of
users, such as the sale of a part of the business.
•• There is a change in the auditor’s understanding of the entity and its operations, such as
actual financial results being very different from anticipated results.
Similarly, performance materiality may have to be revised at any time during an audit (without
impacting on overall materiality) to reflect revised risk assessments, audit findings and any new
information obtained. Changes in performance materiality will, in turn, result in the nature,
timing and extent of audit procedures being modified. Further, if overall materiality is revised,
a corresponding change is likely to be required to performance materiality.
Required reading
ISA 320 paras 12, 13 and A13.
Worked example 7.3: Revisions to materiality

Activity 7.2: Revising materiality


7.1: Materiality (ISA 320)
Quiz


Readings

Standards.
Required reading
ISA 320 Materiality in Planning and ASA 320 Materiality in Planning and ISA (NZ) 320 Materiality in Planning
Performing an Audit Performing an Audit and Performing an Audit
Further reading
References
Chartered Accountants Australia and New Zealand 2015, Australian audit manual and toolkit 2015
for small and medium sized entities, 5th edn, Thomson Reuters, (Professional) Australia, Exhibit
5.01, p. 83; Exhibit 5.3-2, p. 87; Exhibit 21.2-2, pp. 347–8.


ACT
Activity 7.1
Identifying materiality factors and
benchmarks
Introduction
An auditor is engaged to provide only reasonable or limited assurance, not absolute assurance.
Materiality assists in planning and performing audit work, and in assessing the impact of
identified misstatements in the financial statements.
In setting levels of materiality for an audit, the auditor applies professional judgement, taking
into account their knowledge of the entity and its environment, the needs of users of the
financial statements and the assessed risks.
• Define materiality and explain factors that impact its determination.
• Apply the concept of materiality appropriately in planning an audit and in determining
audit procedures to be performed in an audit.
At the end of this activity, you will be able, in accordance with ISA 320 Materiality in Planning
and Performing an Audit (ISA 320), to:
• Select an appropriate benchmark to use when determining overall materiality in planning
an audit.
•• Identify qualitative or quantitative factors from information about an entity and its
environment that should be considered when determining performance materiality during
planning of an audit.
•• Assess the impact of each qualitative or quantitative factor on the risk of material
misstatement.
Scenario
Hammer and Nail (HN) is a listed entity operating in the hardware store industry, with a
network of large warehouse stores and trade centres. HN caters to both the general public and
commercial customers. Assurance Advantage Chartered Accountants (AA) is HN’s auditor.
AA’s years of experience with HN have shown that its forecasts are generally reliable.

ACT
Further information about HN
1. How it began
Terry Carpenter, a former builder, started HN as a family partnership in 19W6 with his three
brothers. The brothers began by converting a warehouse into a showroom, and used their
networks to source reliable products. For the first 10 years, the company sold exclusively to
commercial customers. However, in response to increasing requests from home owner-builders
and renovators, the brothers decided to expand the entity’s client base and began selling to the
general public in 19X5.
2. Incorporation and listing

HN was incorporated as a private company, at which time Terry was appointed chief executive
officer (CEO) and his three brothers to seats on the board of directors. In 20W0, HN listed on
the Australian Securities Exchange (ASX), with each brother retaining a 10% shareholding.
They appointed an additional five directors to the board, including four independent directors,
all of whom had extensive experience on listed entity boards. On listing, HN adopted robust
corporate governance policies and established an audit committee, a remuneration committee
and an internal audit division. AA was appointed as the auditor, responsible for the audit of
HN’s annual financial statements and review of its interim financial statements.
3. Review of financial results

Since incorporation, profits have increased. The capital injection from listing enabled HN to
launch a successful marketing campaign, and from there the company expanded rapidly,
opening new stores across the country. In early 20W2, HN acquired interests in several local
tool manufacturing entities. Over the past 10 years, it has also sourced a number of reliable and
affordable suppliers from overseas. Currently, HN sources 80% of its products from China and
pays for most purchases in US dollars.
4. Current developments and future plans

HN’s current focus is to penetrate the global market. In an effort to strengthen its position and
build further brand awareness, the company plans to acquire interests in similar businesses
overseas to distribute HN’s current range of products. Since the last reporting date, the
company has acquired shares in two significant US companies to launch its overseas expansion.
Market confidence in HN has grown following news of these expansion plans, and the
company’s share price has increased by 5% in the past six months.
HN’s forecast 30 June 20X3 consolidated statements

The following forecast statements were updated by the HN accounting and finance team as at
30 April 20X3:
HN’s consolidated statement of financial position
Forecast Audited
30 June 20X3 30 June 20X2
$’000 $’000
Assets
Cash and cash equivalents 1,505 1,850
Trade and other receivables 19,651 17,999
Inventories 9,967 12,119
Other investments (including derivatives) 907 1,172

ACT
HN’s consolidated statement of financial position
Forecast Audited
$’000 $’000
Current tax assets − 228
Prepayments 330 1,200
Total current assets 32,360 34,568
Other investments (including derivatives) 3,844 3,525
Investments in equity-accounted investees 4,095 2,608
Deferred tax assets − 1,376
Property, plant and equipment 16,936 15,059
Intangible assets (includes goodwill) 5,826 4,661
Total non-current assets 30,701 27,229
Total assets 63,061 61,797
Liabilities
Bank overdraft 334 282
Trade and other payables, including derivatives 20,009 24,370
Loans and borrowings 4,390 4,386
Current tax payable 762 −
Provisions 660 1,200
Deferred income 178 168
Total current liabilities 26,333 30,406
Loans and borrowings 17,878 19,206
Employee benefits 1,002 846
Deferred income 1,424 1,462
Provisions 810 400
Deferred tax liabilities 2,239 1,567
Total non-current liabilities 23,353 23,481
Total liabilities 49,686 53,887
Net assets 13,375 7,910
Equity
Share capital 8,916 5,273
Reserves 445 263
Retained earnings 3,566 2,109
Total equity attributable to equity holders of HN 12,927 7,645
Non-controlling interest 448 265
Total equity 13,375 7,910

ACT
HN’s consolidated statement of profit or loss and other comprehensive income
Forecast Audited
$’000 $’000
Revenue 100,160 96,636
Cost of sales (55,708) (56,186)
Gross profit 44,452 40,450
Other income 1,095 315
Distribution expenses (17,984) (18,012)
Administrative expenses (17,142) (15,269)
Research and development expenses (1,109) (697)
Other expenses (860) (30)
Results from operating activities 8,452 6,757
Finance income 1,161 480
Finance costs (1,707) (1,646)
Net finance costs (546) (1,166)
Share of profit of equity-accounted investees (net of tax) 467 587
Net profit before tax 8,373 6,178
Income tax expense (2,549) (1,861)
Net profit for the period, after tax 5,824 4,317
Other comprehensive income

Foreign currency translation differences – foreign entities 480 −
Foreign currency translation differences – equity-accounted 21 −
investees
Revaluation of property, plant and equipment 200 –
Effective portion of changes in fair value of cash flow hedges (62) 107
Net change in fair value of cash flow hedges transferred to profit or (31) (11)
loss
Net change in fair value of available for sale financial assets 199 394
Net change in fair value of available for sale financial assets (64) −
transferred to profit or loss
Income tax on other comprehensive income (104) (48)
Other comprehensive income for the period, net of income tax 639 442
Total comprehensive income for the period 6,463 4,759

ACT
Tasks
You are a senior accountant working at AA. You are planning the audit of HN and have been
asked to assist with the determination of materiality levels for the audit.
1. Select an appropriate benchmark to be used for determining the overall materiality in the
planning phase of the audit. Justify your response.
2. Identify three (3) qualitative or quantitative factors that should be considered when
determining performance materiality for the HN audit engagement.
3. For each qualitative or quantitative factor identified above, determine whether it would
increase, decrease or have no effect on the assessed risk of material misstatement. Justify
your answer with reference to the facts of the scenario.
4. For each qualitative or quantitative factor identified above and its subsequent effect on the
assessed risk of material misstatement, outline whether it would increase, decrease or have
no effect on the performance materiality figure you are setting in the planning phase of the
audit.
You may wish to present your answers to Tasks 2 – 4 in the form of a table, as follows:
Task 2: Task 3: Task 4:

Qualitative or quantitative Effect on assessed risk of Effect on performance
factors material misstatement materiality set in the planning
phase of the audit

ACT
Activity 7.2
Revising materiality
Introduction
In planning an audit, the auditor makes judgements about the size of misstatements that will be
considered material. In addition, revision of materiality levels may be necessary if the auditor
becomes aware, as work progresses, of information that would have led to different materiality
levels during audit planning.
•• Define materiality and explain factors that impact its determination.
•• Explain how revisions to materiality can occur during the course of an audit.
At the end of this activity, you will be able to:

•• Determine the impact of any new facts and circumstances that may be discovered during
the audit, on set levels of materiality.
•• Determine when the auditor should set specific materiality levels for account balances,
classes of transactions, or disclosures.
Scenario
This activity follows on from Activity 7.1. It is now August 20X3. You are a senior accountant
working at Assurance Advantage Chartered Accountants (AA), assigned to the Hammer and
Nail (HN) audit engagement. Your manager calculated the following materiality levels using
information gathered during planning, and by applying his professional judgement:
•• Overall materiality at $669,840 (8% of forecast net profit before tax, as of 30 April 20X3).
•• Performance materiality at $535,872 (80% of overall materiality).
During audit planning work, your manager did not deem it necessary to determine specific
materiality for any account balances, classes of transactions or disclosures. Assume that actual
net profit before tax for the 20X3 financial year equals the 30 April 20X3 forecast net profit
before tax.
During the course of the audit, your testing has not uncovered any unusual or unexpected
outcomes, and internal controls appear to be operating effectively. You have, however,
identified three matters resulting from audit procedures and enquiries.
The following three matters have been uncovered as a result of audit procedures and enquiries:
1. New CIO and IT system

The company has appointed a new chief information officer (CIO), Alisha Chenny. Alisha has
over 25 years’ experience in the industry and is planning to purchase and implement a new
information technology (IT) system to integrate HN’s overseas operations with its local ones.
Alisha plans to engage a reputable international consulting group to facilitate the purchase and
implementation, and hopes to have the IT system fully functioning by 31 December 20X3.

ACT
2. Settlement of legal claim

HN’s lawyers have advised that a claim from a former employee, who had commenced
proceedings in March 20X3, was settled in August 20X3 for $1.2 million. Management reveals
that a provision for the claim was not recorded as a liability in the 20X3 forecast consolidated
statement of financial position (shown in Activity 7.1), even though the legal proceedings were
in progress during the 20X3 financial year. As a result, a $1.2 million current liability needs to be
recognised in the 20X3 financial statements. Your investigations into this matter have revealed
that this was a ‘one-off’ incident that does not change the auditor’s overall risk assessment of
the entity.
3. New loan with a debt covenant

In early February 20X3, HN took out a substantial loan from ABC Bank to help fund overseas
expansion. The loan is repayable in five (5) years, and includes a strict debt covenant that the
consolidated entity’s working capital ratio (current assets over current liabilities) must not fall
below 1.10. If the ratio does fall below 1.10, ABC Bank has the right to recall the loan, and HN
will be required to pay it back in full immediately.
During planning work HN’s management informed AA of the new loan, but did not mention
the debt covenant’s requirements as management thought the debt covenant was an operational
matter only and would not interest the auditor.
Tasks
You have been asked to determine whether the materiality levels set during audit planning
for the HN audit need to be revised, as a result of the matters uncovered during audit work
performed in August 20X3.
1. Explain the impact (if any) of each matter uncovered on the overall and performance
materiality levels set for the HN audit during planning. Justify your answer.
You may wish to present your answer in the form of a table:
Audit discovery Impact on overall materiality Justification

and performance materiality
1. New CIO and IT system
2. Settlement of legal claim
3. New loan with a debt covenant
2. As a result of the three matters uncovered during audit work performed, determine
whether the auditor should establish specific materiality levels for any account balances,
classes of transactions, or disclosures. Explain your answer.


CC
Core content
Unit 8: Developing an overall audit plan
Learning outcomes
1. Outline the auditor’s responsibilities with respect to documenting the overall audit plan.
2. Explain how to develop an overall audit plan to ensure an effective and efficient audit.
3. Assess how the nature, timing and extent of tests of controls and substantive procedures
are impacted by factors discovered in the audit planning process.
Introduction
Audit planning is important as it ensures that the audit engagement is performed in an efficient
and effective manner and that audit risk has been reduced to an acceptably low level. A well-
planned audit ensures that:
•• The audit effort is directed to address high-risk areas.
•• Audit procedures performed are relevant in addressing the identified risks.
•• Audit staff is well-informed and knows what is expected of them.
The previous units covered performing risk assessment procedures to identify and assess risks
of material misstatement (RMM) at both the financial statement level and the assertion level.
This unit focuses on examining how the auditor uses this information in developing an audit
strategy and an audit plan.
This unit focuses on the auditor’s requirements under the following International Standards on
Auditing (ISAs):
•• ISA 300 Planning an Audit of Financial Statements (ISA 300).
•• ISA 320 Materiality in Planning and Performing an Audit (ISA 320).
•• ISA 500 Audit Evidence (ISA 500).
•• ISA 520 Analytical Procedures (ISA 520).
aaa11608_csg

CC
Overall audit strategy and audit plan
Learning outcome
1. Outline the auditor’s responsibilities with respect to documenting the overall audit plan.
As a result of pre-engagement activities and audit planning and risk assessment procedures the
auditor establishes an overall audit strategy and develops an audit plan that is tailored to the
entity and to the audit engagement.
Overall audit strategy

The overall audit strategy is a record of the key decisions considered necessary to properly
plan the audit and to communicate significant matters to the engagement team. The purpose of
establishing the audit strategy is to set the scope, timing and direction of the audit engagement
(ISA 300 paras 7 and A16).
In developing the overall audit strategy of an audit engagement, ISA 300 para. 8 requires the
auditor to perform the following:
(a) Identify the characteristics of the engagement that define its scope;
(b) Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature
of the communications required;
(c) Consider the factors that, in the auditor’s professional judgment, are significant in directing the
engagement team’s efforts;
(d) Consider the results of preliminary engagement activities and, where applicable, whether
knowledge gained on other engagements performed by the engagement partner for the entity is
relevant; and
(e) Ascertain the nature, timing and extent of resources necessary to perform the engagement.
Audit plan
The audit plan is a record of all the audit procedures the auditor intends to perform in order to
obtain sufficient appropriate audit evidence in an audit engagement.
It is developed based on the overall audit strategy, and includes a description of (ISA 300
para. 9):
•• The nature, timing and extent of planned risk assessment procedures.
•• The nature, timing and extent of planned further audit procedures.
•• Other planned audit procedures that are required to be carried out so that the engagement
complies with the relevant ISAs.
Required reading
ISA 300 paras 7–9, A12 and A16–A17.

CC
Auditor’s responsibilities in documenting the audit strategy and audit plan

In addition to performing the planning activities, the auditor is required to document the details
and results of these activities. Under ISA 300 para. 12, the auditor is required to document:
•• The overall audit strategy.
•• The audit plan.
•• Significant changes made to the audit strategy or the audit plan during the audit, and the
reasons for such changes.
The auditor usually documents this information in the relevant screens of their audit software
or an ‘audit planning document’.
Benefits of audit planning

As per ISA 300 para. 4, ‘the objective of the auditor is to plan the audit so that it will be
performed in an effective manner’. Having adequate, well-documented planning benefits the
audit in many ways, as it (ISA 300 para. 2):
•• Allows the engagement to be properly organised, staffed and managed.
•• Directs appropriate attention to important areas of the audit.
•• Helps the audit team to identify and resolve potential problems on a timely basis.
•• Allows the auditor to provide sufficient direction and supervision of engagement team
members and to ensure audit file documentation is reviewed on a timely basis.
•• Assists in the coordination of work done by auditors of components and experts.
It is therefore essential for the auditor to plan the audit so that it will be performed in an
effective manner.
Required reading

CC
Developing an overall audit strategy and audit plan
Learning outcome
2. Explain how to develop an overall audit plan to ensure an effective and efficient audit.
This section discusses how the auditor uses the information gathered in the planning phase
of an audit to establish the overall audit strategy and develop the audit plan, which includes
the overall responses and further audit procedures. Using the example of an audit planning
document of a fictitious audit engagement, the section also shows how an auditor documents
these procedures.
The relationship of the planning and risk assessment activities and the documentation of the
audit strategy and audit plan can be shown diagrammatically, as follows:
COVERED IN
DETAIL IN Performing risk assessment procedures
PREVIOUS
UNITS AND • Obtain an understanding of the entity and its environment
REVISITED IN • Obtain an understanding of the entity’s internal controls
THIS UNIT • Determine materiality levels for the audit engagement
• Perform preliminary analytical procedures
• Assess the RMM
Document overall
audit strategy and
audit plan
COVERED IN
THIS UNIT
Developing overall
Determining further
responses
procedures
(financial statement
(assertion level)
level)
The planning and risk assessment activities were discussed in detail in earlier units of the
Audit & Assurance (AAA) module. This unit summarises these activities and, using an overall
example of an audit planning document (in Examples 1–10 below), explains how they are
documented and link to the development of overall responses and further audit procedures.
Obtaining an understanding of the entity and its environment

Understanding the entity allows the auditor to identify possible sources of inherent risks.
As discussed in the unit on understanding the entity and its environment, ISA 315 (Revised)
para. 11 requires the auditor to obtain an understanding of the following factors about the
entity:
•• Industry, regulatory and other external factors, including the financial reporting framework.
•• Nature of the entity.
•• Selection and application of accounting policies.
•• Objectives and strategies, and related business risks.
•• Measurement and review of financial performance.

CC
Example 1 – Documenting the auditor’s understanding of the entity

This example illustrates how the auditor’s understanding of the entity relates to the overall
audit strategy, and how this is documented in the audit planning document.
Jenny is a senior auditor at AA Chartered Accountants (AA). AA has been the auditor of Funky
Furniture (FF), a family-owned furniture manufacturing company, for the past five years. Jenny
has been asked to work on the audit of FF’s 30 June 20X3 financial statements.
Jenny has obtained an understanding of FF by discussing and making enquiries of FF’s
management and other employees, and performing observation and inspection procedures.
Jenny documents her findings in the ‘Identifying risks through understanding the entity’
section of AA’s audit planning document.
Identifying risks through understanding the entity
Objective: To obtain or update our understanding of FF for the purpose of identifying potential
risks.
Requirements Information noted
General FF is a family-owned furniture manufacturing company

information about
the entity
Industry The furniture industry is currently experiencing challenging times due to:
information
•• Declining economy as a result of the recession
•• Increased competition from overseas manufacturers selling at lower prices
•• Some furniture retailers, including a few of FF’s customers, are going out of
business
Regulatory and No specific regulatory requirements

other external
FF prepares financial statements under the International Financial Reporting
factors, including
Standards (IFRS). There have been no changes to the Accounting Standards that
the financial
affect FM this year. FF’s management indicated that there have been no changes to
reporting
FF’s accounting policies since the previous year’s audit
framework
Nature of the Operations

entity FF has three major product lines: beds, dining sets and cupboards
During the year, FF has set up a website where customers, including overseas
customers, can purchase products and pay online by credit card
FF has entered into a contract with Cheap Furniture Retailer (CFR). The terms of the
contract require FF to hold additional inventories
FF’s most significant current assets are inventories and its most significant current
liabilities are accounts payable
Ownership
FF is owned by the Smith family. The shareholding structure is as follows:
•• Sam Smith, the founder, owns 50% of the shares. Sam retired two years ago
•• Mark Smith, the managing director and Sam’s son, owns 10% of the shares
•• Daniel Smith, the head of production and another son of Sam, owns 10% of the
shares
•• 10 other independent persons own 30% of the shares

CC
Nature of the Sales composition

entity (cont.)
Showroom 10%
Internet 15%
SALES
Custom-made 15%
Retailers 60%
Organisational chart
Mark Smith
Managing director
Alan White Joe Talbot Daniel Smith

Head of sales Head of finance and IT Head of production
Finance and IT Production

Sales staff staff staff
Management’s During the financial year, FF:

objectives and
•• Started selling furniture online, which includes trading overseas and thus
strategies and the
exposes the business to foreign exchange fluctuations
related business
risks •• Initiated a bonus scheme – the managing director and all department heads
will be awarded 5% of their base pay as a bonus if FF achieves 10% growth in its
gross revenue
Measurement and FF uses revenue and profit before tax as its main indicators and benchmarks for
review of financial measuring performance
performance
FF conducts monthly financial reviews
Obtaining an understanding of the entity’s internal controls

It is the auditor’s responsibility to gain an understanding of the entity’s internal controls, as this
enables the auditor to then evaluate control risk. As discussed in the unit on understanding the
entity and its environment, ISA 315 (Revised) para. A58 lists the following five components as a
framework for understanding how internal controls may affect the audit:
•• Control environment.
•• Risk assessment process.
•• Information system.
•• Control activities.
•• Monitoring of controls.

CC
Example 2 – Documenting the auditor’s understanding of the entity’s internal controls

This example follows on from Example 1 and illustrates how the auditor’s understanding of the
entity’s internal controls relates to the overall audit strategy, and how it is documented in an
audit planning document.
Having assessed FF’s internal controls, Jenny continues to document her findings in the
‘Assessing internal controls relevant to the audit’ section of AA’s audit planning document:
Assessing internal controls relevant to the audit
Control •• The managing director, Mark Smith, and the management team consistently
environment reinforce the need for complying with safety and ethical standards through daily
(entity-level communication with employees
controls) •• A copy of a written code of conduct is given to each employee when they are hired
•• Employees have been disciplined in the past for improper behaviour
•• Mark ensures that all production staff are trained on the job and instructed on safety
measures when using machinery
•• New employees work with a mentor during their first week on the job to ensure
they have adequate supervision and direction while learning to use the machines
Control •• No formal IT policies and procedures
environment •• Joe Talbot manages all aspects of the entity’s IT needs
(general IT •• IT expenses and capital purchases are part of annual budget (if foreseen)
controls)
•• Joe ensures that computer software is up to date
•• The computer runs weekly backups of the accounting system on an external hard
drive that is kept outside of FF’s premises
•• There is evidence of a firewall and password protection. The system prompts regular
password changes
Entity’s risk Emerging risk factors and how to manage them are discussed monthly at the
assessment shareholder meetings
process FF’s managing director and department heads are aware of FF’s business risks.
(including Management is actively seeking ways to mitigate these risks, such as establishing an
fraud) online sales facility and sustaining business with retailers
Financial Joe Talbot prepares monthly management accounts that compare actual monthly
results results to the budgeted monthly results that were set at the beginning of the year. This
reporting report is then reviewed by the managing director, Mark Smith
Control As a result of the inherent risk assessment, the audit team has identified certain high-
activities risk account balances and processes. The audit team gained an understanding of
(transactional control activities that relate to each of these, as follows:
controls) Accounting and finance – all bank payments must be approved by both Joe Talbot,
head of finance and IT and Mark Smith, managing director
Inventory – inventory counts are conducted at the end of each quarter. This is monitored
by Daniel Smith, head of production. There are no controls in place to identify inventory
that might be obsolete
Sales and receivables – sales staff generate sales orders from the system when
a retailer calls in or emails orders. The price of each product is set and updated by
Alan White, head of sales following monthly discussions with the managing director,
Mark Smith. The price of each product is usually based on costs plus a small margin.
Sales staff monitor the online sales at the end of each day and generate sales orders
accordingly. Alan generates a summary sales report from the point-of-sale system at
the end of each business day for review. Alan also reviews the accounts receivable
ageing report monthly and follows up customers with accounts over 90 days
Purchasing and production – Daniel Smith generates a summary sales report from
the system every morning (showing the previous day’s sales) and organises production.
Daniel also monitors the supply orders to ensure that FM has sufficient supplies to
meet delivery schedules

CC

Monitoring of FF does not have an internal audit function
controls Mark Smith and management are heavily involved in day-to-day operations and
monitor all activities
The accounting system can produce reports that management sometimes uses for
monitoring areas such as sales margins and variances to budget
Overall conclusion: The entity-level controls at FF are effective and can be relied on to reduce
the RMM at the financial statement level
Determining the materiality levels for the engagement

Determining and setting the materiality levels for the audit engagement allows the auditor
to quantify the amount above which it is considered to be significant enough to change or
influence the economic decisions of a user of the financial statements.
The unit on materiality in planning and performing an audit explained the auditor’s
responsibilities in determining ‘overall materiality’ and ‘performance materiality’ when
planning the audit.
Example 3 – Documenting materiality levels

This example follows on from Examples 1 and 2. It illustrates how an auditor determines
materiality levels, and how this is documented in the audit planning document.
In reviewing AA’s audit manual, Jenny noted that the common benchmark and percentages
used in setting overall materiality for a trading company are 3–10% of profit before tax. She also
notes that AA’s usual practice is to set performance materiality at 75% of overall materiality. FF’s
profit before tax for the financial year ending 30 June 20X3 is $2,500,000.
Jenny documents her calculations in the ‘Determining materiality’ section of AA’s audit
planning document:
Determining materiality
Objective: To determine both the overall materiality and the performance materiality required
to reduce to an acceptably low level the probability that the aggregate of uncorrected/
undetected misstatements exceeds overall materiality.
Principal users of financial Factors that would influence the user’s decision‑making
statements
Bank Profitability, compliance with bank covenants and cash flows to repay
loans
Shareholders Profitability, sales growth
Based on the guidance in AA’s audit manual, and on an assessment of the needs of the likely
users of the financial statements, materiality for planning purposes has been set as follows:
•• Overall materiality – 5% of profit before tax = $125,000.
•• Performance materiality – 75% of overall materiality = $93,750.

CC
Performing preliminary analytical procedures

‘Analytical procedures’ is defined as ‘evaluations of financial information through analysis of
plausible relationships among both financial and non-financial data’ (ISA 520 para. 4).
Performing analytical procedures at the planning stage of the audit (commonly known as
preliminary analytical procedures) allows the auditor to identify specific financial statement
items and assertions that are at risk. Preliminary analytical procedures were discussed in an
earlier unit.
Example 4 – Performing preliminary analytical procedures

This example follows on from Examples 1–3 and illustrates how the auditor uses the preliminary
analytical procedures to determine potential risks at the assertion level and how this is
documented in the audit planning document.
When performing her preliminary analytical procedures, Jenny compared the 30 June 20X3
financial information to that of 30 June 20X2, and noted the following significant movements:
•• Revenue increased 8%.
•• Accounts receivable increased 12%.
Note: Only significant movements have been documented in this example.
Jenny then assesses these movements and evaluates whether they agree with her
understanding of FF. She documents her assessments in the ‘Results of preliminary analytical
procedures’ section of AA’s audit planning document:
Results of preliminary analytical procedures
Preliminary analytical procedures have been performed by comparing the 30 June 20X3
financial information to that of 30 June 20X2, and evaluating movements from one year to the
next. Significant movements are as follows:
Significant Assessment Explanation

movements of movement
Revenue Not Revenue is expected to decrease as there is a downturn in the

increased 8% reasonable furniture industry and increased competition from overseas
competitors
There is a risk of fraud as management has an incentive to
manipulate figures to obtain bonus payments by recognising sales
that relate to the next financial period
Accounts Not Some retailers are going out of business due to the industry
receivable reasonable downturn. The recoverability of accounts receivable could be in
increased 12% doubt

CC
Assessing the RMM

Before designing audit procedures, the auditor needs to assess the RMM at both financial
statement and assertion levels.
The unit on understanding the entity and its environment explained the theory of RMM
consisting of inherent and control risks, and explained the relationship between RMM,
detection risk and audit risk, as represented by the audit risk model:
Inherent risk Control risk Detection risk Audit risk
IR × CR × DR = AR
Determined from the auditor’s

understanding of the entity,
including its internal controls
In order to assess both the inherent and control risks, the auditor consolidates all the
information obtained throughout the risk assessment procedures performed – that is, obtaining
an understanding of the entity and its environment, obtaining an understanding of the entity’s
internal controls and performing preliminary analytical procedures.
Example 5 – Assessing the RMM at the financial statement level

This example follows on from Examples 1–4 and illustrates how an auditor assesses the RMM at
the financial statement level.
Jenny uses the information gathered so far to assess the RMM at the financial statement
level. She does this by evaluating both the inherent and control risks. Jenny documents
her assessment in the ‘RMM at the financial statement level’ section of AA’s audit planning
document:
RMM at the financial statement level
Inherent risk Control risk RMM
The following risk factors have been identified at FM appears to have a strong Low
the financial statement level: internal control environment
and effective entity-wide
•• Declining economy as a result of the worldwide
controls
recession
•• Increased competition from overseas Refer to ‘Assessing internal
manufacturers selling at lower prices controls relevant to the audit’
section
•• Some furniture retailers, including a few of FF’s
customers, are going out of business
Refer to ‘Identifying risks through understanding
the entity’ section

CC
The auditor also needs to assess the RMM at the assertion level in order to design appropriate
audit procedures. Assessing the RMM at the assertion level was discussed in the unit on
analysing audit risks, financial statement assertions and initial audit engagements.
Example 6 – Assessing the RMM at the assertion level

This example follows on from Examples 1–5 and illustrates how the auditor assesses the RMM
at the assertion level.
Jenny now evaluates both the inherent and control risks associated with each assertion of
financial statement items to assess the RMM.
Note: This example only includes the assessment of four material accounts and the key
assertions at risk.
Jenny documents the results of her assessment in the ‘RMM at the assertion level’ section of
AAA’s audit planning document:
RMM at the assertion level
Ratings: High (H), Moderate (M), Low (L).
Account Assertion Inherent Control RMM Explanation

balance risk risk
Revenue Occurrence H H H There is a 8% increase in revenue compared

to the previous year despite a downturn
Cut-off H H H in the industry. This does not appear to be
reasonable. There is a risk that fictitious
sales have been recorded and that internal
controls may not be effective in preventing
or detecting fictitious sales
There is a risk of fraud as management has
an incentive to manipulate sales to obtain
bonus payments by recognising sales that
relate to the next financial period
Accounts Existence H H H The 12% increase in accounts receivable

receivable does not appear reasonable when taken
Valuation and H H H in conjunction with 8% increase in sales in
allocation an industry in decline. There is a risk that
controls may not be effective in preventing
or detecting transactions with fictitious
customers and in ensuring appropriate
impairment is recognised on amounts that
may not be recoverable
Some retailers are going out of business
due to the downturn in the industry. The
recoverability of accounts receivable could
be in doubt. There are controls in place
over ‘valuation and allocation’ of accounts
receivable that are expected to be effective
Inventory Valuation and L H M FF does not have controls in place to

allocation identify inventory that might be obsolete
Accounts Completeness L L L There is an expectation that controls around

payable accounts payable are effective

CC
Establishing the overall audit strategy

After performing the required preliminary engagement activities, developing an understanding
of the engagement and the entity, and having assessed its risks by performing the risk
assessment procedures described above, the auditor can establish the overall audit strategy.
The purpose of establishing the audit strategy is to set the scope, timing and direction of the
audit engagement (ISA 300 para. 7). An earlier section of this unit discussed that the auditor
needs to perform the five activities outlined in ISA 300 para. 8 when establishing the overall
audit strategy. The Appendix to ISA 300 provides examples of factors relating to these activities
that the auditor could consider, summarised as follows:
ISA 300 para. 8 requirement Example considerations provided by Appendix to ISA 300
Engagement characteristics, •• The financial reporting framework to be used (e.g. IFRS)

including scope •• Additional reports required such as stand-alone financial and industry-
specific requirements (e.g. those that are required in the financial services
industry or the insurance industry)
•• Any need for specialised knowledge or expertise to address complex,
specific and high-risk audit areas
•• Evidence required from service organisations
•• The use of evidence obtained in previous audits (such as risk assessment
procedures and tests of controls)
•• The effect of information technology on audit procedures (availability of
data and use of computer-assisted audit techniques (CAATs))
•• The need to introduce some unpredictability in performing audit
procedures (ISA 300 para. A3)
•• The availability of client personnel and data
Reporting objectives •• The entity’s timetable for reporting

•• The timing of meetings with management and those charged with
governance to discuss:
–– The nature, timing and extent of the audit work
–– The dates to perform required procedures such as inventory counts and
sending external confirmations
–– Status of audit work throughout the engagement
–– The auditor’s report and other communications such as management
letters
•• The timing of meetings/communications among engagement team
members to discuss:
–– Entity risk factors (business and fraud)
–– The nature, timing and extent of work to be performed
–– The review of work performed
–– Other communications with third parties

CC
ISA 300 para. 8 requirement Example considerations provided by Appendix to ISA 300
Significant factors •• Materiality (overall, individual financial statement areas and performance
materiality)
•• Preliminary assessment of risk at the overall financial statement level and
the impact on the audit
•• Preliminary identification of:
–– Significant and material classes of transactions, account balances at
period end and disclosures
–– Areas where there may be a higher risk of material misstatement
•• How engagement team members are reminded to maintain a questioning
mind and to exercise professional scepticism in gathering and evaluating
audit evidence
•• Relevant results of previous audits, including identified control deficiencies
and action taken by management to address them
•• Discussions with personnel who provided other services to the entity
•• Evidence of management’s attitude towards internal controls and the
importance attached to internal controls generally throughout the entity
•• Volume of transactions, which may determine whether it is more efficient
for the auditor to rely on internal controls
Result of preliminary •• Significant business developments affecting the entity, including changes
engagement activities and in information technology and business processes, changes in key
knowledge gained on other management personnel, and acquisitions and mergers
engagements •• Significant industry developments, such as changes in industry regulations
and new reporting requirements
•• Significant changes in the financial reporting framework, such as changes
in Accounting Standards
•• Other significant relevant developments, such as changes in the legal
environment affecting the entity (e.g. the introduction of a new tax)
Nature, timing and extent of •• The selection of the engagement team (including, where necessary, the
resources necessary engagement quality control reviewer)
•• The assignment of audit work (assign appropriately experienced team
members to areas where the RMM is perceived to be higher)
•• Engagement budgeting, including considering the appropriate amount of
time set aside for areas of higher risk of material misstatement
Adapted from: IFAC Guide, vol. 2, Exhibit 5.2-2, pp. 48 and 49.
The following example illustrates how the auditor uses the individual planning risk assessment
activities and pulls them together to establish the overall audit strategy.

CC
Example 7 – Establishing the overall audit strategy

This example follows on from Examples 1–6 and illustrates how an auditor establishes the
overall audit strategy.
Jenny is now in a position to establish the overall audit strategy. She documents this in the
‘Overall audit strategy’ section of AA’s audit planning document:
Requirement Overall audit strategy Reference
Engagement The scope of this engagement is to audit the financial statements of Engagement
characteristics, FF prepared in accordance with IFRS letter
including
scope
Reporting As per discussions with the managing director, Mark Smith, the Engagement
objectives board of directors wants to finalise the financial statements on letter
30 September 20X3. AA’s audit team should aim to complete all audit
work by 20 September 20X3
The following needs to be discussed at the audit team planning
meeting to be held on 15 March 20X3:
•• Organising audit staff to attend the year-end inventory counts
•• The scope and timing of interim audit
Significant Based on guidance in AA’s audit manual, materiality for planning ‘Determining
factors – purposes has been set at the following levels: materiality’
materiality section of this
•• Overall materiality – 5% of profit before tax = $125,000
document
•• Performance materiality – 75% of overall materiality = $93,750
Significant RMM at the financial statement level: Low ‘RMM at the
factors – financial
assessment statement level’
of risk at the section of this
financial document
statement
level
Result of Changes in industry ‘Identifying
preliminary risks through
The furniture industry is currently experiencing challenging times
engagement understanding
due to:
activities and the entity’
knowledge •• Declining economy as a result of the worldwide recession section of this
gained •• Increased competition from overseas manufacturers selling at document
on other lower prices
engagements
•• Some furniture retailers, including a few of FF’s customers, are
going out of business
Changes in operations
During the year FF has:
•• Started selling furniture online, which includes trading overseas
and thus exposes the business to foreign exchange fluctuations
•• Initiated a bonus scheme – the managing director and all
department heads will be awarded 5% of their base pay as a
bonus if FF achieves 10% growth in its gross revenue
•• Entered into a contract with Cheap Furniture Retailer (CFR). The
terms of the contract require FF to hold additional inventories
Nature, timing Aim to use the same audit staff as for the prior year audit
and extent
of resources
necessary

CC
Required reading
ISA 300 paras 7–8, A1, A3–A4, A8–A11, A16 and Appendix.
Developing the audit plan

After establishing the overall audit strategy, the auditor develops a detailed audit plan
for the audit engagement. The purpose of the audit plan is to document all intended audit
procedures designed to obtain sufficient appropriate audit evidence to address risks of material
misstatement both at the financial statement level and assertion level.
Developing overall responses

The auditor develops overall responses to address the risks at the financial statement level.
These are risks such as going concern, a deficient control environment and/or fraud that may
affect many assertions.
Auditor’s responses to address these financial level risks may include determining:
•• The extent to which the audit team needs to be reminded about the use of professional
scepticism.
•• Which staff to assign to specific tasks, including those with special skills.
•• Whether to use component auditors or experts.
•• The extent of supervision that may be required throughout the audit.
•• The need for incorporating some elements of unpredictability in the selection of further
audit procedures to be performed.
Example 8 – Determining overall responses to the assessed RMM at the financial statement level
This example follows on from Examples 1–7 and illustrates how the auditor determines audit
procedures to address the assessed RMM at the financial statement level.
Now that Jenny has determined the RMM at the financial statement level, she proceeds to
document her overall responses to address these risks. ‘Overall response’ refers to procedures
that address the broader design and management of the entire audit engagement (as distinct
from further audit procedures, which relate to specific assertions). She documents her findings
in the ‘Overall responses’ section of AA’s audit planning document:
Overall responses
Summary of the Comments

assessed risks
Key factors in The following risk factors have been identified at the financial statement level:
assessing risk
•• Declining economy as a result of the worldwide recession
•• Increased competition from overseas manufacturers selling at lower prices
•• Some furniture retailers, including a few of FF’s customers, are going out of
business
FM appears to have a strong internal control environment and effective entity-wide
controls. RMM at the financial statement level has been assessed as low
Potential for fraud Management bonuses are based on financial results
Controls over Minimal anti-fraud controls. However, all non-routine journal entries have to be
fraud approved (by signature) and supported by appropriate documentation

CC
Overall response Audit procedures

to risk
Addressing fraud The audit team has been reminded to remain alert for instances of management
override of controls or manipulation, specifically the use of related parties and when
reviewing the reasonableness of estimates and assumptions used (e.g. provision for
doubtful debts). The audit team will also use CAATs to perform journal entry testing.
Composition of The majority of the audit team has worked on last year’s engagement, and is familiar
audit team with the industry and FF’s operations
Given the team’s experience and the nature of the identified fraud risks, no
specialists are required in the audit
The audit team has been briefed on the potential impact of related parties and the
need for professional scepticism at the planning meeting
Developing responses at the assertion level

In order to achieve an efficient and effective audit, the auditor must design audit procedures
that address the assessed RMM at the assertion level.
The auditor considers the nature, timing and extent of audit procedures and evaluates the
sufficiency and appropriateness of audit evidence.
The following diagram illustrates how the auditor’s response to risks fits in with the audit risk
model introduced earlier:
Tests of control used to Substantive procedures used

When responding to risks by designing further audit procedures, the auditor needs to
determine the audit approach – that is, whether to perform tests of control together with
substantive procedures, or substantive procedures alone.
Nature, timing and extent of audit procedures
To ensure sufficient appropriate audit evidence is obtained, the auditor needs to consider the
nature, timing and extent of audit procedures. ISA 330 paras A5–A7 state that:
A5. The nature of an audit procedure refers to its purpose (that is, test of controls or substantive
procedure) and its type (that is, inspection, observation, inquiry, confirmation, recalculation,
reperformance, or analytical procedure). The nature of the audit procedures is of most importance
in responding to the assessed risks.
A6. Timing of an audit procedure refers to when it is performed, or the period or date to which the
audit evidence applies.
A7. Extent of an audit procedure refers to the quantity to be performed, for example, a sample size or
the number of observations of a control activity.
Required reading
ISA 330 paras 5-7, A4–A15 and A19.

CC
Types of audit procedures
There are two main types of audit procedures that auditors use to obtain audit evidence – tests
of controls and substantive procedures. These are illustrated in the following diagram:
Audit procedures
(see unit on responding to assessed (see unit on responding to assessed

risks – controls testing) risks – substantive testing)
Tests of details
procedures
A brief summary of the types of audit procedures and guidance on when to use them is
provided below:
Type of Description and guidance on when to use this procedure ISA

audit reference
procedure
Test of Test of controls is an audit procedure designed to obtain evidence relating to the ISA 330
controls operating effectiveness of controls designed and implemented by management to paras 4(b)
prevent, or detect and correct, material misstatements at the assertion level and 8
Tests of controls assess whether a transaction has gone through a process
designed to reduce the chance of material misstatement occurring in the financial
statements
Use when:
•• The auditor expects that controls are operating effectively
•• Substantive procedures alone cannot provide sufficient appropriate audit
evidence
Substantive Substantive procedures (i.e. either tests of details or substantive analytical ISA 330
procedures procedures (SAPs), or both) must be performed for all material classes of paras 18
transactions, accounts balances and disclosures and 21
Substantive procedures must be specifically designed in response to a significant
risk at the assertion level
Tests of Use when direct evidence of the items that comprise amounts in the financial ISA 330
details statements is required para. 21
If only substantive procedures are used to respond to a significant risk, those
procedures must include tests of details

CC
Type of Description and guidance on when to use this procedure ISA

audit reference
procedure
Substantive Provide evidence by analysing relationships between: ISA 520
analytical paras 4,
•• financial data, and
procedures A6
(SAPs) •• financial and non-financial data and A12
to support tests of details that address the same assertions
Where controls are strong, SAPs are often used in combination with tests of controls
SAPs can be a more efficient way of achieving the required assurance in auditing
accounts with high volumes of transactions that would require a large number of
samples if using tests of details only
The more predictable the outcome of the procedure, the more assurance can be
obtained from a SAP
SAPs rely on the data they use; therefore, poor controls over the data will reduce
the reliance that can be placed on SAPs
Required reading
ISA 330 paras 4–12, 18 and 20–23.
ISA 520 paras 4–5, A4, A6, A12–A13 and A16.
The following example illustrates the difference between a test of controls and a substantive test
of details:
Example – Difference between a test of controls and a test of details
Class of Applicable Example audit procedure Type of audit

transaction assertion procedure
at risk
Purchases Accuracy Select a sample of purchase transactions during the Test of

financial year and check that suppliers’ invoices have been controls
matched to purchase orders and goods received notes by
the accounts clerk, and signed as evidence of this review
This test of controls is providing evidence that the control
over purchases process in operating effectively. The
purpose of the control is to ensure that only valid and
accurate purchase invoices will be processed for payment
Purchases Accuracy Select a sample of purchase transactions during the Test of details
financial year in the general ledger, and agree the
amounts of purchases to suppliers’ invoices
This test of details is providing evidence that amounts
recorded in the financial statements are appropriate

CC
Developing an audit approach

As discussed above, when responding to risks by designing further audit procedures, the
auditor needs to determine the audit approach – that is, whether to perform tests of controls
together with substantive procedures or substantive procedures alone. This determination is a
matter of professional judgement and depends on the assessed RMM. In addition, ISA 330 sets
out some rules and guidance in determining the audit approach.
For some audits, the substantive procedures are reduced by the auditor by testing controls
in order to place reliance on them. This can be called a ‘controls-based approach’, ‘combined
approach’ or ‘mixed approach’.
However, note that substantive procedures are required to be performed for each material class
of transactions, account balance and disclosure (ISA 330 para. 18), even when tests of controls
have been performed.
If the auditor decides not to perform tests of controls – either because controls do not exist or
because controls are not likely to be effective – the auditor will perform substantive procedures
only. This is called a ‘substantive approach’.
The following diagram summarises some of the considerations in developing the appropriate
audit approach for an account balance or class of transactions:
Would substantive tests alone

NO provide sufficient appropriate audit YES
evidence at the assertion level?
Tests of controls Would it be more

efficient to obtain the
YES audit evidence through
tests of controls (such as
Substantive procedures reducing the extent of
NO
substantive procedures)?
Adapted from: IFAC Guide, vol. 2, p. 116.
Example 9 – Determining the nature, timing and extent of audit procedures

This example follows on from Examples 1–8 and illustrates how the auditor determines audit
procedures to address the assessed RMM at the assertion level.
Now that Jenny has determined the level of RMM of each financial statement assertion, she
can design audit procedures to address these risks. For those assertions that she has classified
as having a high RMM, the audit team will need to perform more audit procedures to obtain
sufficient appropriate audit evidence.
Note: This example illustrates some possible procedures for the four material accounts
identified in Example 6.
Jenny documents possible procedures in the ‘Further audit procedures’ section of AA’s audit
planning document:

CC
Further audit procedures
Account Assertion RMM Nature, timing and extent of audit procedures

balance
Revenue Occurrence H Tests of controls to be performed:
Cut-off H •• Select a sample of invoices from the sales ledger and determine
that the invoice was agreed to the customer order and shipping
document by the person approving the invoice. Test some
samples at interim and the remaining samples at year end
Substantive proceedures to be performed at year end
•• Select a sample of sales invoices before and after year end and
agree to related delivery note, ensuring sale was recorded in the
correct period
Accounts Existence H Tests of controls – same procedure as for revenue

receivable
Valuation and H Substantive proceedures to be performed at year end:
allocation •• Send external confirmation requests to customers with large
amounts owing at 30 June 20X3. Follow up any differences
•• Obtain receivables ledger and select a sample of items for
testing. Vouch cash receipts subsequent to period end to bank
statements and agree the receipts to customer invoices
Inventory Valuation and M Substantive procedures only to be perfomed at year end

allocation
•• Attend the stocktake and note any damaged stock – if
damaged, ensure they are written down to net relisable value
•• Enquire as to the method for determining the value of stock on
hand, especially finished goods
•• Select a sample of items for testing. Ensuring the value of
selected items is less than or equal to sale prices achieved on
sales made subsequent to year end
Accounts Completeness L Substantive procedures only to be performed at year end:

payable
•• Select a sample of unpaid invoices at year end and a sample of
invoices paid subsequent to year end
•• Vouch to relevant documentation, such as corresponding
invoices and goods received notes
•• Check whether transactions related to the financial year under
audit have been correctly recognised at the reporting date

CC
In addition to performing procedures focused on the account balance and class of transaction
assertions, the auditor must evaluate whether the overall presentation of the financial
statements is in accordance with the reporting framework (ISA 330 para. 24).
Required reading
ISA 330 paras 18, 21, 24, A42–A44 and A53.
Sufficient appropriate audit evidence

In designing audit procedures, the auditor must consider if they have obtained sufficient
appropriate audit evidence required in line with the assessed detection risk, in order to reduce
audit risk to an acceptably low level.
•• Sufficiency – ‘the measure of the quantity of audit evidence’ (ISA 500 para. 5(e)).
•• Appropriateness – ‘the measure of the quality of audit evidence; that is, its relevance and its
reliability in providing support for the conclusions on which the auditor’s opinion is based’
(ISA 500 para. 5(b)).
Sufficient appropriate audit evidence is further discussed in the unit on responding to assessed
risks – evaluating audit evidence.
Required reading
ISA 500 paras 4–9, A1–A10, A27 and A31.

CC
Updating the overall audit strategy and audit plan
Learning outcome
3. Assess how the nature, timing and extent of tests of controls and substantive procedures are
impacted by factors discovered in the audit planning process.
ISA 300 para. 10 requires the auditor to ‘update and change the overall audit strategy and the
audit plan as necessary during the course of the audit’. This section discusses how additional
information obtained during the audit process impacts the overall audit strategy and audit plan.
Revising the risk assessment

As discussed in the earlier units, the initial risk assessment is completed at the planning stage
of the audit, before most audit procedures are performed. However, risk assessment is a
continuous activity throughout the audit. As the auditor obtains new information and audit
evidence during the audit, the initial risk assessment may change. The auditor may discover
unidentified risks or information that leads to the identified risks being reassessed. In these
instances, the audit planning and audit responses should be amended appropriately (ISA 315
(Revised) paras 31 and A143).
The following diagram illustrates how risk assessment continues throughout the audit process:
Planning – initial Finalising the

Pre-engagement Response to risk
risk assessment audit
RISK ASSESSMENT CONTINUES THROUGHOUT THE AUDIT PROCESS
REASSESS RISKS FOR NEW INFORMATION
Examples – Matters that would cause the auditor to reassess risks during an audit
Matter Reassessment of risk
The number of errors The auditor may then determine that the controls cannot be relied on and
when testing controls therefore:
may be higher than
•• Increase the assessment of control risk
expected
•• Plan additional substantive audit procedures
While attending a stock The auditor would:

count, the auditor
•• Increase the assessment of risk in respect of inventory being
may discover material
appropriately valued
obsolete inventory that
management had not •• Perform additional audit procedures in respect of inventory carrying
identified values
The auditor may discover The auditor would:

material liabilities that
•• Increase the assessment of risk associated with unrecorded liabilities
have not been recorded,
due to a weakness in •• Plan additional audit procedures designed to address the weakness
management’s process identified
for identifying accrued
expenses

CC
Impact of new information on the overall audit strategy and audit plan
On reassessing the RMM at the financial statement and assertion levels, the auditor needs to
determine whether audit procedures determined in the audit plan require amendment; that
is, determine the impact of the new information on the nature, timing and extent of tests of
control and substantive procedures. These would depend on the circumstances in each instance,
including the auditor’s knowledge of other risks relating to the entity being audited. The
auditor could extend audit procedures that have already been planned, if these are suitable, or
might plan different, additional procedures to specifically address the risk.
The following example illustrates how the audit plan may be impacted as a result of new
information obtained during the audit process.
Example – Revising the risk assessment: unrecorded liabilities

To test for unrecorded liabilities, the auditor reviews payments of $10,000 or more made in the
two weeks immediately after balance date. This audit procedure identifies material unrecorded
liabilities as at balance date. On this basis, the auditor decides to extend the audit procedures
to review payments of $5,000 or more for the month immediately after balance date.
The important point to note is that the auditor must reassess the RMM when appropriate
during the audit, and amend the audit planning and audit responses accordingly.
Required reading
ISA 315 paras 4(b), 30–31, A30, A32, A37, A38, A118–A121, A127–A128, A140–A143 and
Appendix 2.

CC
Example 10 – How new information impacts on the risk assessment

This example follows on from Examples 1– 9 and illustrates how additional information
obtained during the audit process impacts on the risk assessment of the audit.
It is now 30 July 20X3 and Jenny and the audit team are conducting audit procedures as per
the audit planning document. While reviewing the board of directors’ meeting minutes, Jenny
notes the following:
FF has failed to comply with the debt covenant requirements in May 20X3. On 10 June 20X3, FF received
a warning notice from the bank stating that, in addition to the current ratio, FF also needs to comply
with a new covenant requirement. The new covenant requires FF to sustain a cash ratio of at least 1 at
the end of each month (cash ratio = cash and cash equivalents ÷ current liabilities).
From her understanding of the business, Jenny notes that this loan is crucial to FF’s ability to
continue its operations, and that FF does not have sufficient cash flow to repay the bank loan
as at 30 June 20X3 in the event that the bank were to call the loan. She also notes that ‘cash and
cash equivalents’ has been assessed as having a low RMM in AA’s audit planning document.
Impact on the assessed RMM at the financial statement level
The fact that FF would not be able to continue business in the event the bank calls the loan
and that it does not have the cash flow to repay the bank loan indicate going concern risks. This
impacts the RMM at the financial statement level, which has been reassessed as high.
Impact on the assessed RMM at the assertion level
In order to comply with the new covenant requirement, FF needs to have at least the same
amount of cash and cash equivalents as its current liabilities at the end of each month.
Management could manipulate its operating cash flow figure by reclassifying amounts that
don’t meet the definition of cash as ‘cash’ – for example, by claiming amounts that it does
not have control over (such as trust accounts) as its own. Alternatively, management could
understate current liabilities by not accounting for them at month end.
This increases the inherent risk of ‘cash and cash equivalents’ and current liabilities as there is
pressure from management to meet the increased covenant requirements. Jenny has revised
the RMM of ‘cash and cash equivalents’ and current liabilities as follows:
Ratings: High (H), Moderate (M), Low (L).

balance area risk risk
Cash and cash Existence H H H There is risk of fraud as there is

equivalents pressure to overstate cash
Rights and M M M
obligations
Completeness L L L
Valuation and H H H
allocation
Current Existence L L L There is risk of fraud as there is

liabilities pressure to understate current
Rights and M M M liabilities
obligations
Completeness H H H
Valuation and M M M
allocation
Note: Only the amended section of the ‘Overall audit strategy’ has been included in this example.
Jenny now needs to design appropriate audit procedures to address the new RMM assessment.
She updates the ‘Overall audit strategy’ section of AA’s audit planning document (shown in
underline) to reflect the changes in the RMM at the financial statement level:

CC
Requirement Overall audit strategy
Assessment Inherent risk

of significant Inherent risk at the financial statement level has been assessed as high since FF:
factors noted
in preliminary •• Has going concern risk (does not have ability to continue business if the bank
engagement loan is called, and does not have sufficient funds to repay the loan)
activities and •• Is exposed to foreign exchange fluctuations
knowledge
•• Faces pressure from increased competition
gained on other
engagements Also, there is pressure to manipulate financial information to:
•• Meet new debt covenant requirements
•• Obtain bonus payments (this also indicates fraud risk arising from management)
Control risk
FF appears to have a strong internal control environment and therefore has a low
control risk
RMM at the financial statement level

RMM at the financial statement level has been assessed as high since FF has going
concern risks:
Jenny then updates the ‘Further audit procedures’ section of AA’s audit planning document to
reflect the changes in the RMM at the assertion level.
The audit team needs to assess management’s use of the going concern assumption, including
consideration of any mitigating factors, and to evaluate whether there is significant doubt
about FF’s ability to continue as a going concern
Further audit procedures

Rating: High (H), Moderate (M), Low (L).

balance area
Cash and cash Existence H Substantive proceedures to be performed at year end:

equivalents
Rights and M •• Obtain external confirmations from all banks used by FF
obligations during the year
•• On receipt of the confirmations, vouch the confirmed
Completeness L
balances to FF’s bank reconciliations
Valuation and H Note any encumbrances or limitations over cash that might
allocation result in FF not being able to establish control over balances,
or that might prevent FF from being liquidated
Current Existence L Substantive proceedures to be performed at year end:

liabilities
•• Confirm the amounts and terms of significant liabilities
Rights and M – specifically checking allocation between current and
obligations non-current liabilities
Completeness H
Valuation and M
allocation

CC
Required reading
ISA 300 paras 10, 12, A2, A13 and A18.
Worked example 8.1: Evaluating the impact on the audit plan of information obtained
during audit planning
Worked example 8.2: Developing the audit plan for accounts receivable
Activity 8.1: Outlining the nature and timing of audit procedures

Activity 8.2: Updating the audit strategy and audit plan


8.1: Audit risk model and audit plan
8.2: Preliminary assessment of control risk (CR)
8.3: Control risk and impact on audit plan
Quiz

Readings

Standards.
Required reading
ISA 300 Planning an Audit of ASA 300 Planning an Audit of a ISA (NZ) 300 Planning an Audit of
Financial Statements Financial Report Financial Statements
•• Paragraphs 11, 32, A58 and •• Paragraphs 11, 32, A58 and •• Paragraphs 11, 32, A58 and
A144–A147 A144–A147 A144–A147
ISA 320 Materiality in Planning ASA 320 Materiality in Planning ISA (NZ) 320 Materiality in
and Performing an Audit and Performing an Audit Planning and Performing an Audit
•• Paragraphs 10–11 •• Paragraphs 10–11 •• Paragraphs 10–11
ISA 330 The Auditor’s Responses to ASA 330 The Auditor’s Responses ISA (NZ) 330 The Auditor’s
Assessed Risks to Assessed Risks Responses to Assessed Risks
•• Paragraphs 4–12, 18, 20–24, •• Paragraphs 4–12, 18, 20–24, •• Paragraphs 4–12, 18, 20–24,
A1–A15, A19, A42–A44 and A1–A15, A19, A42–A44 and A1–A15, A19, A42–A44 and
A53 A53 A53
ISA 500 Audit Evidence ASA 500 Audit Evidence ISA (NZ) 500 Audit Evidence
•• Paragraphs 4–9, A1–A10, A27 •• Paragraphs 4–9, A1–A10, A27 •• Paragraphs 4–9, A1–A10, A27
and A31 and A31 and A31
ISA 520 Analytical Procedures ASA 520 Analytical Procedures ISA (NZ) 520 Analytical
Procedures
•• Paragraphs 4–5, A1–A2, A4, •• Paragraphs 4–5, A1–A2, A4, •• Paragraphs 4–5, A1–A2, A4,
A6, A12–A13 and A16 A6, A12–A13 and A16 A6, A12–A13 and A16

Further reading
References
Ideas for this unit were sourced from the following reference:
•• IFAC 2011, Guide to using ISAs in the audits of small- and medium-sized entities, 3rd edn,
vols 1 and 2 (IFAC Guide), Exhibit 5.2-2 on pp. 48 and 49.

ACT
Activity 8.1
Outlining the nature and timing of audit
procedures
Introduction
During the audit planning process, the auditor must identify and assess risks of material
misstatement and their potential impact on the financial statements. The information obtained
during this risk assessment is used to establish an overall audit strategy and develop an audit
plan.
•• Explain how to develop an overall audit plan to ensure an effective and efficient audit.
•• Assess how the nature, timing and extent of tests of controls and substantive procedures are
At the end of this activity, you will be able to design appropriate audit procedures, in
accordance with:
Scenario
You are a senior auditor at Crank & Turn Chartered Accountants (CT). One of CT’s major clients
is Triple Y, a wholesaler of electronic consumer goods and a listed company.
Triple Y has a financial year end of 31 December. All procedures regarding ethics and auditor
independence for the 31 December 20X3 audit were completed in September 20X3, and an
engagement letter has been issued and signed by all parties.
It is now October 20X3, and the audit manager has already established the overall audit
strategy. You are performing the interim audit, including audit planning activities, at Triple Y’s
office.
During the visit, you obtain the following information:
•• Triple Y performs regular cyclical inventory stocktakes. You attend one of these stocktakes
and, during your inspection of the warehouse, note that Triple Y’s inventory includes a large
number of notebook computers from a well-known brand. Having recently purchased the
same notebook, you are aware that the model held by Triple Y was superseded by a more
recent model some time ago.
•• When you raise this issue with management, you are informed that there are no controls in
place to identify superseded models or their impact on potential sales values.

ACT
•• Triple Y uses a high number of casual employees in the warehouse and for administration,
particularly during peak seasonal periods. Demand for casual staff varies considerably and
can be unpredictable. Casual staff are paid on an hourly basis.
•• Controls over payroll in general are reasonably strong. In addition, you have identified
specific weekly controls over the authorisation of casual employees’ hours worked.
CT’s audit manual provides guidance on sample sizes for tests of controls:
Sample sizes for tests of controls
Control operates Suggested minimum

number of samples
Daily 40
Weekly 10
Monthly 2–4
Quarterly 2
Yearly 1
Task
For this activity, for both inventory and payroll expenses, you are required to:
•• Identify the key assertion at risk.
•• Assess the risk of material misstatement.
•• Outline the nature and timing of audit procedures to obtain sufficient appropriate audit
evidence.
•• Outline the extent of any tests of controls.
You are not required to determine the extent of any substantive procedures, as appropriate
sample sizes can only be finalised at year end.

ACT
Activity 8.2
Updating the audit strategy and audit plan
Introduction
Audit planning is a continual and iterative process. As an audit progresses, additional
information may come to light that impacts on the nature, timing and extent of the audit
procedures. The auditor has a responsibility to update and change the overall audit strategy
and the audit plan as necessary throughout the course of the audit.
•• Assess how the nature, timing and extent of tests of controls and substantive procedures are
At the end of this activity, you will be able to design appropriate audit procedures in response
to additional information obtained during the audit process, in accordance with:
Scenario
You are a senior auditor at AAA Chartered Accountants (AAA), an Australian professional
accounting firm that has affiliate offices in every major country around the world. One
of AAA’s major clients is Pretty Clothing (PC), an Australian company that specialises in
manufacturing and distributing general apparel.
PC has a financial year end of 31 December. All procedures regarding ethics and auditor
independence for the 31 December 20X3 audit were completed in September 20X3, and an
engagement letter has been issued and signed by all parties.
It is now October 20X3, and you are performing the interim audit at PC’s office in accordance
with the initial overall audit strategy and the audit plan developed by the audit manager.
While performing your preliminary analytical procedures, you noted that the property, plant
and equipment (PPE) balance as at 30 September 20X3 was $2 million, which is an increase
of $500,000 (rounded) compared to the PPE balance at 31 December 20X2. When you query
PC’s financial controller, Frank, about the significant increase in PPE, he informs you that
PC purchased land in rural China on 30 July 20X3, with a view to building a factory that
will manufacture goods at a cheaper cost. He also mentions that PC has not yet commenced
construction of the factory. It only intends to begin construction in two years’ time, as it
currently does not have the required cash flow for the construction.
When you ask for evidence of the acquisition of the land in China, Frank shows you a document
written in Chinese, which neither you nor any of the audit team members can understand.
Frank tells you that this is the only evidence PC has of the acquisition of the land. He also

ACT
adds that the purchase was settled in American dollars (USD) for an amount equivalent to
$500,000 Australian dollars (AUD). The purchase price is the value that PC intends to recognise
in the 31 December 20X3 financial statements, as its management believes this price is a
good indication of the land’s fair value. In future years, on the completion of the factory’s
construction, PC will engage a property valuer to obtain independent valuations of the land and
factory.
In a recent newspaper article, you also noted that the Chinese Government has tightened its
monetary policy, which has adversely impacted on the property market in China.
You review the risk of material misstatement (RMM) assessment and planned audit procedures
for PPE, as well as the overall audit strategy that was completed by the audit manager prior to
AAA finding out about PC’s acquisition of the land. The relevant extracts of the audit planning
document are tabled as follows:
Requirement Overall audit strategy Reference
Engagement The scope of this financial statements audit engagement Engagement

characteristics, is consistent with that of the previous audits – that is, to letter
including scope comply with the applicable ISAs in conducting an audit of
the financial statements, which are prepared in accordance
with International Financial Reporting Standards (IFRS).
There have been no changes in IFRS that affect PC this year
Reporting objectives As discussed with Frank, the board of directors wants to Engagement
finalise the financial statements on 20 March 20X4. AAA’s letter
audit team should aim to complete all audit work by
10 March 20X4
The following needs to be discussed at the team planning
meeting to be held on 25 October 20X3:
•• Organising audit staff to attend the year-end inventory
counts
Materiality Based on the guidance in AAA’s audit manual, materiality ‘Determining

for planning purposes has been set at the following levels: materiality’
section of the
•• Overall materiality – 5% of profit before tax =
audit planning
$100,000
document
•• Performance materiality – 75% of overall materiality
= $75,000
Assessment of Inherent risk: Low ‘RMM at the

significant factors financial
•• PC’s transactions are limited to Australia
noted in preliminary statement level’
engagement activities •• The clothing industry is booming section of the
and knowledge •• PC has continued to make profits audit planning
gained on other Control risk: Low document
engagements
•• PC has very strong internal controls, including
pervasive entity level and general IT controls
RMM at the financial statement level: Low
Overall audit approach: Mix of tests of controls (TOCs)
and substantive procedures
Nature, timing and •• Aim to use the same audit staff as per the prior year
extent of resources audit
necessary •• Audit team will commence TOCs and some substantive
testing procedures in the October 20X3 interim audit

ACT
Audit plan – extract

Rating: High (H), Low (L), Moderate (M)

balance risk risk
Property, Existence L L L PC’s PPE consists of its premises, which

plant and includes its factory, machinery and computers
equipment Rights and L L L
(PPE) obligations Factory
Completeness L L L PC recognises its factory using the revaluation
model (i.e. the carrying value is adjusted
Valuation and H L M each balance date to its fair value). PC’s
allocation management obtains an independent
valuation from a registered property
valuer, every year. AAA has evaluated the
competence, capabilities and objectivity
of this valuer and has determined that the
valuations provided will comply with the
fair value measurement requirements of the
Accounting Standards and can be relied on
The valuer also inspects the property for
indications of impairment and provides
details to PC annually
Machinery and computers

Machinery and computers are recognised
using the cost model (i.e. cost less
accumulated depreciation and impairment).
These assets are depreciated based on their
useful lives
AAA has performed procedures in previous
audits and noted that the useful lives used in
depreciation calculations are reasonable
PC’s accountants calculate depreciation on a
monthly basis

ACT
Nature, timing and extent of audit procedures

Rating: High (H), Low (L), Moderate (M)

balance
Property, Existence L Nature: Perform substantive procedures only

plant and
Rights and L Timing: Procedures to be performed at interim audit:
equipment
(PPE) obligations •• Evaluate the competence, capabilities and objectivity of the
Completeness L valuer
•• Obtain the instructions PC issued to the valuer and check that
Valuation and M they are adequate to ensure an appropriate valuation
allocation
•• Inspect PPE for evidence of existence and possible indicators
of impairment
Timing: Procedures to be performed at year end:
•• Test of details (TOD): Obtain the 20X3 independent valuation
of the factory, and check that the recommended value has
been correctly reflected in the financial statements
•• TOD: Obtain PC’s PPE register and reperform depreciation
calculations
Extent: Audit team needs to determine the appropriate sample
sizes at year end, based on the guidance in AAA’s audit manual
Task
For this activity, you are required to update the audit strategy and the audit plan. Outline the
required update to the overall audit strategy, RMM at the assertion level, and the nature and
timing of additional audit procedures to obtain sufficient appropriate audit evidence relating to
PC’s PPE.

CC
Core content
Unit 9: Responding to assessed risks –
controls testing
Learning outcomes
1. Design, perform and evaluate the results of controls testing.
2. Design, implement and evaluate tests of controls, using computer-assisted audit
techniques (CAATs).
3. Apply audit sampling during controls testing in order to provide a reasonable basis for the
auditor to draw conclusions.
4. Explain the importance of evaluating controls and continually evaluating the results of
testing work throughout an audit.
Introduction
Understanding an entity’s internal controls allows the auditor to assess where material
misstatements are likely to occur. This makes consideration of controls an important part of the
audit, and forms part of the risk assessment phase. The unit on understanding the entity and its
environment discussed an entity’s system of internal controls and its importance to the auditor.
In the risk response phase, the auditor performs audit procedures to provide reasonable
assurance that the financial statements are not materially misstated. These procedures include
tests of control and substantive tests. This unit considers tests of controls.
aaa11609_csg

CC
The following diagram illustrates the steps in the risk assessment process and how the auditor
designs procedures to respond to the identified risks (and includes the relevant International
Standards on Auditing (ISAs) that cover the two phases):

ISA 315 ISA 330
Reassess risk of material misstatement where deviations

from expected results are identified
This unit focuses on testing controls, and covers the following:

•• What tests of controls are.
•• How to evaluate the design and implementation of controls.
•• How to perform tests of operating effectiveness of controls, including using CAATs.
•• How to determine the extent of controls testing.
•• How to evaluate the results of tests of controls.
The ISAs discussed in this unit are:
•• ISA 230 Audit documentation (ISA 230).
•• ISA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and
Management.
•• ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement Through
•• ISA 530 Audit Sampling (ISA 530).

CC
Controls testing
Learning outcome
1. Design, perform and evaluate the results of controls testing.
2. Design, implement and evaluate tests of controls, using computer-assisted audit techniques
(CAATs).
What are tests of controls?

Internal controls work by preventing, or detecting and correcting, errors. When designing
controls, an entity’s management considers the possible risks and ‘what could go wrong’.
Management then designs and implements controls to prevent, or detect and correct the possible
errors.
The auditor relates the risks they have identified in the risk assessment phase to ‘what could
go wrong’, and identifies the relevant controls that management has put in place to prevent or
detect and correct errors. (This was considered in the unit on understanding the entity and its
environment.) The auditor then designs audit procedures to test the operating effectiveness of
controls that are designed and implemented effectively.
The following diagram illustrates controls designed to either prevent or detect and correct
errors that the auditor can test:
Controls
Prevent errors Detect errors
Correct errors
Examples – Controls
The following examples illustrate controls that either detect and correct or prevent errors:
•• A bank reconciliation is performed monthly and checked and approved by a manager
(detect and correct).
•• All purchase orders of $10,000 or more must be approved by two senior managers
(prevent).
•• The computer system restricts access to the general ledger journals function to specific
staff members (prevent).
Types of controls
As discussed in the unit on understanding the entity and its environment, controls can operate
on an entity-wide level or they can be specific to a particular process where they relate to
the initiation, processing or recording of a particular transaction. The focus of this unit is on
the transactional controls. These controls can be manual or automated. The different types of
controls are often interrelated. That is:
•• Manual controls often rely on automated controls – for example, a review of payroll
exception reports is reliant on automated controls (both general and application controls) to
process payroll data and generate the exception reports.

CC
•• IT application controls (ITACs) rely on general IT controls (GITCs) – for example, if GITCs
fail to prevent unauthorised programming changes, the application controls could be
changed or disabled.
Manual controls
Manual controls operate over the manual elements of the accounting system. Manual controls
may be independent of IT, use information produced by IT, or be limited to monitoring the
effective functioning of IT and automated controls. Manual controls often involve handling
exceptions.
Examples of manual controls include:
•• A signature providing evidence of the authorisation of purchase orders.
•• Review of payroll exception reports.
•• Preparation of monthly bank reconciliations.
IT application controls (ITACs)

ITACs are automated controls that are designed to ensure complete and accurate processing
of data. ITACs relate to particular software applications used at the business process level.
Auditors are concerned with ITACs that relate to the initiation, recording, processing and
reporting of transactions. When operating effectively, these controls provide audit evidence to
support the assertions relating to classes of transactions, account balances, and assertions about
presentation and disclosure (ISA 315 (Revised) para. A124).
Examples − Types of ITACs

The following examples illustrate types of ITACs.
Type of ITAC Description Examples
System access System permissions are Only authorised payroll staff have access to the
controls configured to prevent payroll system. Only the payroll manager has the
unauthorised access to ability to change pay rates
data or a particular system
Assigning different staff members the ability to
authorise and process transactions (segregation of
duties)
Exception reports Reports are automatically Reports showing rejected sales transactions
generated to show
Reports showing unbalanced journal entries
transactions that fall
outside a set of parameters Note: Follow up of an exception report is a manual
control that relies on an automated control (the
report)
Interface/conversion Ensure transactions are Sales information is transferred daily from electronic
controls transferred from one point of sale (EPOS) to financial accounting
system to another timely application
and accurately
System Include input, edit and Pre-set unit sales prices are automatically applied to
configuration validation controls sales invoices
controls
Only valid customer references can be entered
when creating sales invoices
Automated three-way match control for purchases
that includes automated comparison of the supplier
invoice, purchase order and goods received note
Required reading
ISA 315 (Revised) paras A105 and A124.

CC
Control design and implementation

ISA 315 (Revised) paras 12 and 13 require the auditor to obtain an understanding of controls
that are relevant to the audit, evaluate their design, and determine whether they have been
implemented.
The following diagram summarises the differences between control design, control
implementation and tests of controls, as well as the auditor’s responsibilities to perform
procedures:
Control design Control implementation Test of controls
Performed as part of risk Performed as part of risk Performed as part of risk

assessment phase assessment phase response phase
of the audit of the audit of the audit
Have controls been Did the controls operate

Are the designed controls
designed that will mitigate effectively over a specified
actually in operation?
the inherent risks? period of time?
Mandatory Mandatory Optional –

professional judgement
Walk-through tests
ISA 315 (Revised) para. A74 recommends that the following procedures be performed to assess
the design and implementation of controls:
•• Make enquiries of entity personnel (note, however, that enquiry alone is not sufficient).
•• Observe or reperform the application of specific controls.
•• Inspect documents and reports.
•• Trace one or two transactions through the information system that is relevant to financial
reporting.
Together, the above procedures are often referred to as a ‘walk-through test’, as the auditor
follows, step by step, the design and operation of a control.
The walk-through test determines that a control:
•• Is effective in the prevention, or detection and correction, of material misstatements.
•• Has been implemented at a given point in time.
Required reading
ISA 315 (Revised) paras 12−13 and A74.
Worked example 9.1: Performing a walk-through


CC
Indirect controls
Before testing controls, the auditor must consider whether the controls to be tested are
dependent on the effective operation of other controls − that is, indirect controls. If so, it
may be necessary to obtain evidence of the operating effectiveness of those indirect controls.
(e.g. GITCs). GITCs were discussed in the unit on understanding the entity and its environment.
Required reading
ISA 330 paras 10 and A30−A31.
Designing tests of controls

A test of controls focuses on whether a transaction has gone through a process that is designed
to reduce the chance of material misstatement occurring in the financial statements. When
testing the operating effectiveness of a control, the auditor is seeking sufficient appropriate
audit evidence that the control has operated effectively throughout the period.
The auditor only designs and performs tests of controls:
•• when they have an expectation that the controls are operating effectively and can be relied
on, or
•• when substantive procedures alone cannot provide the evidence required at the assertion
level (ISA 330 para. 8).
Having effective controls in place that are tested by the auditor will reduce control risk. Lower
control risk means a lower risk of material misstatement and, consequently, a reduction in the
required reliance on substantive procedures.
Required reading
ISA 330 para 8.
Nature of controls
Typically, a test of controls includes the selection of a representative sample of transactions or
supporting documentation to:
•• Observe the operation of an internal control procedure being performed.
•• Inspect evidence that the control procedure was performed.
•• Enquire of relevant personnel about how and when the control procedure was performed.
•• Reperform the control procedure (e.g. within an IT system).
As the types of audit procedures used to obtain an understanding of controls are also used
to test their operating effectiveness, the auditor may decide it is efficient and effective to
test the operating effectiveness of controls at the same time as evaluating their design and
implementation.
Enquiry alone is not sufficient to test the operating effectiveness of controls − the auditor must
perform other procedures in conjunction with enquiry. Enquiry performed together with either
reperformance or inspection provides greater assurance than enquiry together with observation.
This is because observations are only relevant at the point in time at which they occur. Another
reason why observation provides less assurance than reperformance or inspection is because
when a person performing a control activity knows they are being observed, they are less likely
to bypass certain activities or cut corners.

CC
The design of a test of controls is further influenced by the nature of the control being
tested. If the control (e.g. a reconciliation) produces documentary evidence of its operating
effectiveness, the auditor is likely to choose enquiry combined with inspection of the
documentation to gather evidence that supports the effective operation of the control. However,
documentary evidence of a control’s operating effectiveness may not always exist, which can
often be the case with automated controls. In these situations, evidence of a control’s operating
effectiveness may be obtained through a combination of enquiry and observation, or the use of
CAATs. Where controls are automated within an entity’s IT finance application, it is generally
appropriate to run a CAAT to test the operating effectiveness of IT application controls.
For example, if exception reports are automatically generated by the finance application, it may
be appropriate to use a CAAT to reperform transactions that should appear on the exception
report through the finance application (in a test environment using an up-to-date version of the
client’s software).
CAATs can also provide an effective and efficient way to perform tests of controls when the
auditor decides to increase the extent of tests of controls (ISA 330 para. A16).
Examples − Automated controls that do not generally provide documentary evidence of their operation
The following examples illustrate automated controls that do not necessarily produce
documentary evidence of their operation:
•• Authorisation controls whereby the finance application only allows transactions to be
entered or authorised by particular users – for example, where accounts payable/receivable
staff are not able to approve purchase orders.
•• Input controls that are designed to ensure the completeness and accuracy of transactions
being entered – for example, a field sign test that only allows positive numbers to be
entered in a quantity field in a sales order.
•• Validity tests – for example, where the finance system automatically checks that a vendor’s
name entered on a new purchase order also exists in the approved vendor master file.
•• Duplicate tests – for example, when entering a new sales transaction with an existing
customer, the system checks the data file associated with that customer to ensure the
customer’s purchase order number is not already recorded in the customer’s transaction
history.
There are various CAATs that can be performed on an entity’s finance IT application, or the data
contained in that application. The table below identifies typical methods that are used as part of
audit procedures performed using CAATs, and that could form part of a test of controls:
A CAAT could be used to:
Match data across files (i.e. trace transactions through the accounting system)
Reperform automated controls
Test authorisation controls (e.g. only accounts payable staff have access to accounts payable finance
module)
Identify missing and duplicate records
Select sample transactions from electronic files that match predetermined parameters or criteria
Sort transactions with specific characteristics
Recalculate the total monetary amount of records in a file (e.g. inventory)
Stratify, summarise and age information (e.g. accounts receivable ageing report)
Select, extract and evaluate a statistical sample

CC
Examples of tests of controls using CAATs

The following three examples illustrate how CAATs can be used to test controls relating to
assertions over information recorded in an entity’s IT finance application.
Example 1 – CAATs: Duplicate invoices

Most finance applications will not allow the use of individual numbers more than once in
a sequence of numbers. The existence of duplicate invoice numbers in an entity’s financial
records could indicate that there are control issues in the application.
From the auditor’s perspective:
•• Duplicate invoices could indicate that revenue has been overstated.
•• The assertion at risk is occurrence of revenue.
To test controls over the occurrence of revenue, the auditor may:
•• Obtain a list of all sales transactions from the sales ledger for the period under audit. Use
a CAAT to identify whether there are any duplicate invoice numbers in the list, which
indicates that revenue related to these duplicate invoices has been recorded more than
once.
Example 2 – CAATs: Missing invoices

Most finance applications allocate numbers to individual transactions in sequential order.
A missing invoice number could indicate that there are control issues in the application.
•• Missing invoices could indicate that revenue is understated.
•• The assertion at risk is completeness of revenue.
To test controls over the completeness of revenue, the auditor may:
•• Obtain a list of all sales transactions from the sales ledger for the period under audit. Use a
CAAT to identify whether there are any invoice numbers missing in the list, which indicates
that revenue related to these missing invoices has not been recorded.
Example 3 – CAATs: Duplicate bank accounts

When entering bank account details for a new employee or vendor, a strong IT application
control may check that the bank account number does not already exist in the vendor or
employee master files. If a duplicate bank account number shows up, an exception report may
be generated. A specific investigation into the validity of the duplicate bank account number
may be required (note that there are valid reasons why a duplicate bank account may be
recorded, e.g. a husband and wife working for the same company).
•• Duplicate bank account numbers are an indicator that fraud may exist (especially where the
duplicated numbers relate to both an employee and a vendor, or to apparently unrelated
staff members).
•• The assertion at risk is occurrence of expenses.
To test for controls over the occurrence assertion relating to expenses, the auditor may, in a test
environment using an up-to-date version of the entity’s IT finance application:
•• Use a CAAT to create fictitious employees and vendors with identical bank account
numbers to those of the employees and vendors that already exist, and then generate
an exception report. The auditor would be looking to obtain evidence that the exception
report includes all duplicate account numbers for the fictitious employees and vendors
created by the CAAT.

CC
•• In this situation, the control is a combination of an ITAC (creation of exception report) and
a manual control (appropriate investigation arising from the exception report). To test
the effective operation of both these controls, the auditor may use a CAAT to compare
the bank account numbers both in and between the employee and vendor master files.
For duplicates created throughout the year, the auditor may select a sample and obtain
documentary evidence that indicates whether the control is operating effectively (e.g.
obtain copies of duly authorised exception reports that contain annotations as to the
validity of the duplicate bank accounts).
Required reading
ISA 330 paras A16, A24 and A27.
Required reading
ISA 330 paras 10, A21, A26−27.

CC
Tests of controls and assertions

Fundamental to the concept of controls testing is the auditor’s expectation that the controls are
operating effectively at the assertion level (ISA 330 para. 8(a)).
The auditor is interested in controls that help the entity produce financial information that is
free from material misstatement. A primary objective of all entities is financial security. It is
therefore within an entity’s interests to design and implement controls to help ensure that:
•• transactions recorded are valid, complete, accurate, recorded in the correct period, and
classified appropriately
•• account balances recorded exist, are complete, belong to the entity, and are recorded at the
appropriate value.
As discussed in previous units, these objectives regarding transactions and account balances are
assertions (refer to ISA 315 (Revised) para. A124).
Auditors design tests of controls to gain reasonable assurance that the controls designed and
implemented by management are effective in addressing specific assertions.
Examples − Tests of controls to address specific risks and assertions

The following table provides examples of controls that may be implemented to address specific
risks over assertions, and the types of tests of controls that an auditor would undertake to
obtain reasonable assurance that each control is operating effectively:
Examples of how controls address specific risks and assertions, and tests of controls to provide
reasonable assurance of each control’s effectiveness
Risk Account Assertion(s) Control Test of control
Unauthorised Sales Occurrence – Goods are shipped Select a sample of sales

sales are transactions that only if there is an transactions from the
shipped have been recorded authorised sales sales ledger and agree
have occurred and invoice for all goods to shipping documents
pertain to the entity shipped and authorised sales
invoices
Credit notes Accounts Existence and Supplier statements Select a sample of

are not payable completeness – are reconciled supplier balances
recorded in transactions have monthly to the recorded at the
the correct been recorded in the supplier’s account end of each month
period correct period balance recorded in throughout the audit
the accounts payable period and inspect the
ledger documentation that
provides evidence that
the reconciliations have
been performed
Fixed assets Property, Existence – assets A periodic count Attend fixed asset
are overstated Plant and recorded exist of fixed assets count to observe the
or understated Equipment is performed, count procedure and
Completeness – all
with subsequent obtain evidence of
assets that exist have
reconciliation to the reconciliation of the
been recorded
fixed asset register asset count sheets to the
fixed asset register
Required reading
ISA 315 (Revised) para. A124.
ISA 330 para. 8.

CC
Timing of tests of controls

The auditor is required to test controls for the particular time, or throughout the period, for
which the auditor intends to rely on the controls. For example, if the control activity is only
performed once a year (e.g. an inventory count), the auditor would observe the operation of that
control. However, if the control is performed many times throughout the period, the auditor
would generally need to obtain evidence of its effective operation at various times throughout
the year.
If the auditor performs tests of controls during an interim period, they must evaluate whether
there have been significant changes in operational effectiveness since the interim period, and
determine whether further evidence needs to be obtained for the remaining period until year end.
Reliance on prior period controls

The auditor may also be able to use audit evidence relating to the operating effectiveness of
controls from previous years. When doing so, the auditor must obtain evidence as to whether
significant changes in the operation of those controls have occurred since the last audit. If
there have been significant changes that affect the relevance of the previously obtained audit
evidence, the auditor must test those controls again in the current year. Irrespective of any
change in the operation of the controls, the auditor must test the operating effectiveness of the
controls at least once every third audit. The auditor must also perform some tests of controls in
the current year. However, if the auditor plans to rely on controls for an assertion over risk that
they have determined is significant, the auditor must test those controls in the current year.
Example – Test of controls where a significant risk of material misstatement has been identified
The following example illustrates a test of controls where a significant risk of material
misstatement has been identified.
The auditor has determined that it is a significant risk that goods are sold to customers who
cannot or will not pay.
The specific assertion at risk is the valuation and allocation of trade receivables. However,
management has designed and implemented a control to mitigate this risk: credit is authorised
before a credit sale is approved.
If the auditor decided to rely on this control and tested the operating effectiveness of this
control during the previous year’s audit, the control still must be tested during the current
year’s audit because the auditor intends to rely on it to mitigate a significant risk.
Required reading

CC
Documentation
Under ISA 330, the auditor must document their responses to assessed risks of material
misstatements at the financial statement level. This must include the nature, timing and extent
of further audit procedures performed; the linking of those procedures with the assessed risks
at the assertion level; and the results of the audit procedures.
Below is a list of items that would normally be documented regarding controls testing.
It enables another experienced auditor to understand and replicate the work done, and reach
the same conclusions simply by following the documented information:
•• The relevant control activities, their purpose and associated assertions.
•• The period covered by the test of controls.
•• The population(s), subject to the control activities tested.
•• The size of the sample tested, including the judgements applied or procedures performed
in determining the sample size.
•• The method used in selecting samples.
•• A description of the test of controls performed.
•• The results, including the evidence obtained and result of investigations into any deviations.
•• Conclusions arising from the test of controls.
•• Names of personnel who performed the test of controls and when it was completed.
•• Names of personnel who reviewed the audit work relating to the test of controls, the extent
of that review and when it was completed.
Required reading
ISA 230 paras 8−9.
ISA 330 para. 28.
Activity 9.1: Identifying risks, controls and appropriate tests of controls

Worked example 9.2: Designing tests of controls

Worked example 9.3: Designing tests of controls using CAATs


CC
Audit sampling
Learning outcome
3. Apply audit sampling during controls testing in order to provide a reasonable basis for the
Selecting items for testing

ISA 500 requires that the auditor determines effective means for selecting items to meet the
purpose of the audit procedure. In most cases, it will not be practical to select all items within
a population. As a result, the auditor will need to determine the most appropriate method
by which to select items. The different selection methods with supporting explanations are
summarised in the table below:
Methods of selecting items for controls testing
Method Explanation
Select all items in a This is appropriate when:

population
•• The population constitutes a small number of large-value items
•• There is a significant risk, and other means do not provide sufficient
appropriate audit evidence
•• CAATs can be used in a larger population to electronically test a repetitive
calculation or other process
Select specific items in a This is appropriate for:

population
•• High-value or key items that could individually result in a material
misstatement
•• All items over a specified value
•• Any unusual or sensitive items, or financial statement disclosures
•• Any items that are highly susceptible to misstatement
•• Items that will provide information about matters such as the nature of the
entity and transactions, and internal control
•• Items to test the operation of certain control activities
Select a sample of items This is appropriate for reaching a conclusion about an entire set of data
from a population (audit (population) by selecting and examining a representative sample of items in the
sampling) population
Sampling enables the auditor to obtain and evaluate audit evidence about
specified characteristics. The determination of the sample size may be made
using either statistical or non-statistical methods
Adapted from: IFAC Guide, Exhibit 17.1, vol. 2, pp 222−3.
When choosing the most appropriate way to select items for testing, it is important to consider
the type of conclusion that the auditor intends to draw. When all items within the population
are tested, or audit sampling is applied, the auditor may be able to draw conclusions about the
entire population.
When specific items within a population are selected (e.g. high-value or key items), the results
of the test cannot be applied to the entire population. This is because when selecting items
judgementally, the population is divided into items that meet certain criteria and items that do
not. As a result, items that meet the criteria do not provide evidence regarding those items that
do not.
Required reading
ISA 500 paras 10 and A52−A55.

CC
What is audit sampling?

Audit sampling allows the auditor to test a subset of the population that can be considered
representative of the entire population, allowing the auditor to draw conclusions that can then
be applied to the entire population.
Audit sampling is defined by ISA 530 para. 5(a) as:
… the application of audit procedures to less than 100% of items within a population of audit relevance
such that all sampling units have a chance of selection in order to provide the auditor with a reasonable
basis on which to draw conclusions about the entire population.
ISA 530 establishes the requirements and provides guidance for situations where the auditor
uses audit sampling in performing audit procedures (the third testing method in the table
above).
This unit discusses how the auditor applies audit sampling during tests of controls. The
application of audit sampling for tests of details is discussed in the unit on responding to
assessed risks – substantive testing.
Required reading
ISA 530 paras 1−5.
Why does the auditor use sampling?

Audit sampling is used to select items for testing ‘to provide a reasonable basis for the auditor
to draw conclusions about the population from which the sample is selected’ (ISA 530 para. 4).
The use of audit sampling is a matter of professional judgement, and the Auditing Standards do
not specify where sampling is more appropriate to use than other methods of selecting items
for testing in obtaining audit evidence. When testing the operating effectiveness of a control,
for example, the auditor is seeking sufficient appropriate audit evidence that the control has
operated effectively throughout the period. For this reason, selecting specific items generally
will not be appropriate, as the results of the test will not allow the auditor to draw a conclusion
on operating effectiveness regarding the entire population, which, in this case, is the population
of transactions to which the control is expected to have been applied.
When a control operates infrequently − for example, annually − it may be practical to test the
entire population. In most cases, the auditor will not require this level of audit evidence and
will apply audit sampling.
Sampling is appropriate when the auditor is able to obtain and evaluate evidence about a
particular characteristic of the items selected, and is forming a conclusion about the population
from which the sample is drawn.
Procedures that lend themselves to audit sampling include:
•• Inspection of documentary evidence.
•• Confirmations.
•• Physical sighting of tangible assets.
•• Recalculations.

CC
Sampling risk
Whenever the auditor intends to draw a conclusion about a population by testing less than the
entire population, sampling risk is created. Sampling risk is the risk that the conclusion reached
on the operating effectiveness of internal controls implemented by management by testing a
sample is not the same as the conclusion that the auditor would reach if the entire population
was tested (ISA 530 para. 5(c)).
The auditor could conclude that the controls are less effective than they actually are. This would
create audit inefficiency as unnecessary additional audit procedures would then need to be
performed.
Alternatively, the auditor may conclude that the controls are more effective than they
actually are across the entire population. This reduces the effectiveness of the audit and could
potentially lead to an inappropriate audit opinion being issued. This second form of sampling
risk is of much more concern to the auditor, who, as a result, is required to determine a sample
size sufficient to reduce the sampling risk to an acceptably low level (ISA 530 para. 7). The
factors that the auditor considers in determining the sample size are considered below.
Designing an audit sample

When designing the audit sample, the auditor:
•• Considers the purpose of the audit procedure and the characteristics of the population from
which the sample is drawn.
•• Determines the sample size that is sufficient to reduce sampling risk to an acceptably low
level.
•• Selects sample items in such a way that each sampling item in the population (e.g. all sales
transactions) has a chance of selection.
When designing the test of controls, it is important that the auditor considers the nature of
the audit evidence that they are seeking, and, in the context of the specific test, what would
constitute an error or deviation.
Tolerable rate of deviation

A tolerable rate of deviation is the highest deviation rate the auditor could accept and still
conclude that the design and operation of an internal control is effective. It is important that
the auditor establishes what the deviation would be in terms of the specific test that is being
performed.
Understanding what is a deviation, as well as establishing an expectation of the rate of
deviation, allows the auditor to design the sample and set the sample size. The expected rate of
deviation is the auditor’s best estimate of the population deviation rate. This rate of deviation is
normally based on previous experience with the client.
It is important to note that when choosing audit sampling as an appropriate method of
testing, the auditor assumes that the expected rate of deviation in the population is below the
tolerable rate of deviation. If the expected rate of deviation was greater than the tolerable rate
of deviation, the auditor would expect the test to fail, and would not test the controls. This is
because the sample is used to confirm the auditor’s expectations regarding the population and
provide evidence that would allow the auditor to rely on the control.
As a result, the expected rate of deviation that the auditor would find acceptable to be able to
conclude that the control was operating effectively is known as the tolerable rate of deviation.
The auditor may assess the tolerable rate of deviation based on the assessment of audit risk
associated with the specific control being tested.

CC
Example – Setting a tolerable rate of deviation

The following example illustrates the setting of a tolerable rate of deviation.
The auditor sets a tolerable rate of deviation at 5% in testing that payments were appropriately
authorised. A rate of deviation of 5% means that 5% of payments were not appropriately
authorised. The auditor defines a deviation as being one of the following events:
•• The payment was not authorised.
•• The payment was not appropriately authorised − for example, company policy requires two
authorisations, but only one was provided.
•• The payment was authorised for a certain amount, while a different amount was paid.
Required reading
ISA 530 paras 5, 6, 8, A4, A7, A9 and A12.
Determining the sample size

ISA 530 requires that the size of the sample is sufficient to reduce sampling risk to an acceptably
low level, and that each item in the population has a chance of selection.
Sample size is a function of sampling risk. That is, the level of sampling risk that the auditor is
willing to accept directly impacts on the sample size – the lower the risk the auditor is willing to
accept, the higher the sample size will need to be.
ISA 530 allows the auditor to determine the sample size through the application of a statistically
based formula or professional judgement. A statistically based formula will use probability
distributions, the tolerable rate of deviation and the expected rate of deviation to statistically
determine an appropriate sample size, and then allow a statistical evaluation of the sample.
Irrespective of which method is adopted, ISA 530 Appendix 2 contains a list of the factors that
have a direct influence on sample size when performing tests of controls. The table below
discusses some of these factors:
Factors influencing sample size – tests of controls
Factor Effect on Explanation

sample size
An increase in the extent Increase The greater the reliance the auditor places on the operating
to which the auditor’s risk effectiveness of controls, the greater the extent of the auditor’s
assessment takes into tests of controls and, therefore, the sample size
account relevant controls
An increased sample size provides greater evidence by lowering
the sampling risk, as the auditor is using a larger subset of the
population in order to draw a conclusion over the population
An increase in the Increase The higher the expected rate of deviation in the population,
expected rate of deviation the larger the sample size needs to be, so that the auditor is
of the population to be in a position to make a reasonable estimate of the actual rate
tested of deviation. This is because as the expected rate of deviation
increases and approaches the tolerable rate of deviation, the
auditor cannot tolerate the same levels of sampling risk
Factors relevant to the auditor’s consideration of the expected rate
of deviation include the auditor’s understanding of the business,
changes in personnel or internal control, and the results of audit
procedures applied in previous periods as well as other audit
procedures

CC
Factors influencing sample size – tests of controls
Factor Effect on Explanation

sample size
An increase in the desired Increase The larger the sample size, the greater the level of assurance the
level of assurance that the auditor receives that results of the sample are, in fact, indicative of
actual rate of deviation the population. This means that if the auditor desires an increased
in the population is not level of assurance, the sample size will need to be increased
more than the tolerable
rate of deviation
An increase in the Decrease Assuming there is no change to the auditor’s expected rate of
tolerable rate of deviation deviation in the population, where the auditor is willing to tolerate
a higher rate of deviation, less evidence is required from the sample
in order to reach a conclusion
By contrast, the lower the tolerable rate of deviation, the larger the
sample size needs to be
An increase in the number Negligible For large populations, the actual size of the population has little,
of items in the population effect if any, effect on sample size. For small populations, however, audit
sampling may not be as efficient as alternative means of obtaining
sufficient appropriate audit evidence
Adapted from: ISA 530 Appendix 2.
ISA 530 does not prescribe the sampling items or units to be drawn from a population regarding
tests of controls. The actual sample sizes used should always be based on professional
judgement. When testing a control that operates on less than a daily basis, the IFAC Guide
provides the following guideline:
Control operates Suggested minimum sample Coverage percentage of test
Weekly 10 19%
Monthly 2–4 25%
Quarterly 2 50%
Yearly 1 100%
Source: IFAC Guide, Exhibit 17.5-6, vol. 2, p. 240.
Example – Sample size for tests of controls performed less than daily
This example illustrates the application of IFAC’s sampling guideline.
Bank reconciliations are an important control over cash balances in terms of the valuation and
allocation assertion, and the completeness assertion in respect of transactions affecting cash
balances. The frequency of performing bank reconciliations varies from entity to entity – for a
medium-sized entity, it would be common for bank reconciliations to be performed weekly.
You are auditing a medium-sized entity with three trading bank accounts, one term deposit
account and one surplus cash account. The trading accounts reconciliations are performed
weekly, the term deposit account is reconciled quarterly and the surplus cash account is
reconciled monthly.
Applying the approach recommended by IFAC Guide, you would draw the following samples:
•• 10 copies of the reconciliations performed for each of the trading accounts (i.e. 30 sample
items in total).
•• Between two and four copies of the reconciliations for the surplus cash account.
•• Two copies of the reconciliations performed on the term deposit account.
Required reading
ISA 530 paras 7–8, A10–A11 and Appendix 2.

CC
Selecting an audit sample

Once the sample size has been determined, the individual sample items then need to be
selected.
Sampling approaches
An audit sample can be selected using one of the following two approaches to audit sampling
(ISA 530 para. A4):
•• Statistical sampling.
•• Non-statistical sampling (often referred to as judgemental sampling).
Statistical sampling is defined in ISA 530 para. 5(g) as:

… [a]n approach to sampling that has the following characteristics:
(i) Random selection of the sample items; and
(ii) The use of probability theory to evaluate sample results, including measurement of sampling risk.
Non-statistical sampling is a sampling approach that does not have the characteristics of
statistical sampling.
For example, a statistical sample is commonly obtained using audit sampling software, through
which the auditor determines an estimate of the level of deviation in the population as well as
the tolerable rate of deviation. The audit software will use the characteristics of the population
to determine the appropriate sample size, and also select the sample using random selection
(discussed below). Once the auditor has performed the testing, and identified the level of
deviation in the sample, audit software can then be used to apply those sample results to the
population, producing an expected (but unknown) level of deviation in the population and,
based on probability distributions, determine how high the error rate in the population may be.
This helps the auditor to control the level of sampling risk in the population.
A non-statistical sample may be selected haphazardly, rather than randomly, even if the sample
is then evaluated statistically, or the sample size is determined judgementally. For example, a
sample size of 10 items is determined using audit software, and judgmentally increased by two
items by the auditor, as the sample size is below that recommended by the audit firm’s internal
guidance. In relation to a non-statistical sample, the assessment of sampling risk will require
professional judgement.
The choice between statistical and non-statistical sampling is driven by the auditor’s
professional judgement based on the purpose of the audit procedure and the characteristics of
the population from which the sample is taken (ISA 530 paras 6 and A9).
Since the purpose of audit sampling is to provide a reasonable basis on which the auditor can
draw conclusions about the population from which the sample is selected, it is important that
the auditor selects ‘items for the sample in such a way that each sampling unit in the population
has a chance of selection’ (ISA 530 para. 8). To avoid bias, the auditor selects a representative
sample by choosing items that have characteristics typical of the population (ISA 530 para. A12).
Audit sampling, therefore, requires the auditor to exercise professional judgement in designing
and performing the sampling procedure, and evaluating the results of the sample. Judgement
is particularly important when choosing items using a non-statistical sampling method. When
applying statistical sampling, the use of professional judgement is limited in terms of sample
selection, as items are selected in such a way that each sampling unit has a known probability of
being selected (ISA 530 para. A12).

CC
Sample selection methods

As mentioned above, when the auditor applies sampling techniques, items must be selected
in such a manner that each sampling unit within a population has a chance of being selected
(ISA 530 para. 8). ISA 530 para. A13 provides the following three primary methods of sample
selection:
•• Random selection – a statistical sampling selection method using one of a variety of
randomisation techniques. In practice, this is done using a computerised random number
generator, random number tables, or audit software.
•• Systematic selection – a statistical sampling method that divides the number of items
in the population by the sample size to calculate a sampling interval, and then uses this
sampling interval to select items (sampling units). A random starting point is determined to
select the first item. When using systematic selection, the auditor should consider whether
patterns exist within the population that may unintentionally cause the sample to be biased.
For example, the calculated sampling interval may result in selection of items posted at a
similar time each month. Therefore, the auditor will commonly apply some form of random
selection to the population before applying systematic selection.
Example – Systematic selection

The following example illustrates systematic selection.
The population of sales invoices is 2,400 items. The sample size has been determined as 40
items. The sampling interval is calculated as:
2,400 ÷ 40 = Every 60th item in the population
The auditor needs to determine a starting point for selecting the first item within the first
60 items. A random number generator gives the auditor with a starting point of 25.
The auditor selects the following items in the population for the audit sample:
25th, 85th, 145th, 205th, 265th, 325th, 385th, 445th … 2,365th.
•• Haphazard selection – a non-statistical sampling method that does not use a structured
technique to select items. Although the auditor should avoid bias, there is a risk of
unconscious bias when using haphazard selection. For example, the auditor’s selection may
be unconsciously biased towards selecting higher value items, or easily located items. This
method can, however, be useful when the population is not stored in a systematic manner.
ISA 530 Appendix 4 describes these and other methods of selecting samples.
Required reading
ISA 530 paras 8 and A12–A13, and Appendix 4.

CC
Testing the sample

Each item selected as part of the sample should be tested in accordance with the designed audit
procedure. However, where the designed audit procedure is not applicable to a selected item,
the auditor must select a replacement item for testing. This does not mean that sample items are
readily interchangeable. The reason for exchanging a selected sample item must be valid.
Example - Selecting a replacement item for testing

The following example illustrates a situation where it is appropriate to select a replacement
item for testing
A purchase order has been selected for tracing through a controls process to ensure it was
matched to a supplier invoice before payment, but due to a supplier’s inability to deliver the
goods or service the purchase order was not completed.
If the auditor is not able to perform the audit procedure as designed, the auditor may be able
to perform alternative substantive procedures. If alternative procedures cannot be performed,
the auditor must treat that item as a deviation. Going back to the example above of tracing
a purchase order through a controls process, if the purchase order was not able to be traced
to an invoice, and alternative procedures could not be performed, the auditor would record a
deviation.
Required reading

CC
Evaluating the results of controls testing
Learning outcome
4. Explain the importance of evaluating controls and continually evaluating the results of testing
work throughout an audit.
When evaluating the results of tests of controls, the auditor must determine whether the
tests performed provide a reasonable basis for reliance on those controls. The auditor must
investigate the nature and cause of any deviations found, and evaluate their effect on the test
or other areas of the audit. Considering the consequences of a control deviation requires the
auditor to use professional judgement.
When evaluating the results of a sample relating to testing controls, it is important to note that
materiality does not apply. For each sampling unit selected, the control has operated effectively
or it has not. However, this does not mean that the detection of a control breakdown or deviation
automatically results in the control being ineffective.
Where no deviation from the designed control has occurred, the auditor can conclude that the
control is operating effectively.
On the other hand, where the testing discovers a deviation, the control has not operated
effectively for the item sampled. Similarly, if an auditor is unable to apply the designed
procedure to the selected item (or a replacement item) and is unable to perform an alternative
procedure, this would be a deviation.
ISA 330 para. A41 recognises that deviations in controls can occur due to a variety of factors,
such as changes in key personnel, significant seasonal fluctuations in volume of transactions
and human error.
ISA 530 para. 13 recognises that only rarely is a deviation from a prescribed control in audit
sampling considered an anomaly. In these cases, the auditor may conclude that the sampling
unit is not representative of the population, and, therefore, exclude the result of that sampling
unit from the overall assessment of the effectiveness of the control. However, in order to
conclude that the sampling unit is an anomaly, the auditor must perform additional procedures
to obtain a high degree of certainty that the sampling unit is not representative of the
population. Where the auditor concludes that a deviation is an anomaly, they would normally
extend the sample by selecting a replacement item (ISA 530 para. 10).
The process for evaluating deviations is summarised below:
Step Action by the auditor
1. Identify deviations Place each sample item into one of two classifications: ‘deviation’
or ‘no deviation’
2. Consider the nature and cause Carefully consider the nature and cause of each deviation. For
of each deviation example, is there an indication of management override of
controls or possible fraud or was the problem simply a result of
the person responsible being on vacation?
3. Consider sampling risk If deviations have been found, consider if reliance on control
effectiveness should be reduced, the sample size extended or
alternative procedures performed
Adapted from: IFAC Guide, vol. 2, Exhibit 17.6-1.

CC
Where a statistical sample has been tested, the auditor may also perform a statistical evaluation
of the sample to quantify both the sampling risk and projected population deviation rate. It is
important to note that the auditor also uses professional judgement when evaluating the sample
results, even when a statistical evaluation has been obtained, and will assess and respond to the
nature and cause of the deviations identified as part of the overall evaluation of the test.
When deviations are detected, is it often more effective to perform alternative substantive
procedures instead. However, in some circumstances (especially where the volume of
transactions in the particular population is high), it may be more efficient to extend the sample
or select an alternative control to test.
Regardless of the deviation rate, for deviations detected in controls that the auditor intends to
rely on, ISA 330 para. 17 requires the auditor to understand why the deviation(s) occurred, and
then to decide whether:
•• the evidence obtained supports reliance on the controls,
•• additional tests of controls are required, or
•• a substantive approach is required to address the potential risks of misstatement.
Required reading
ISA 330 para. 17.
ISA 530 paras 9–13, 15, A14, A15 and A23.
Re-evaluation of controls after substantive procedures

If an auditor has relied on controls relative to a particular assertion, account balance or
disclosure, and a misstatement is subsequently detected through performing substantive
procedures, the auditor must assess whether the misstatement indicates that the control is not
operating effectively.
ISA 330 para. A40 provides further guidance: ‘A material misstatement detected by the auditor’s
procedures is a strong indicator of the existence of a significant deficiency in internal control’.
Example – Impact of a material misstatement detected through substantive testing

This example illustrates the application of ISA 330 para. A40.
In responding to the risks stage of the audit of BlueWave Limited for the financial year ended
30 June 20X3, the auditor tested the entity’s controls to ensure that all expenses and accounts
payable were complete. The results of the controls testing did not detect any deviations,
and the auditor planned the level of substantive testing based on a reliance on controls over
completeness of recognised expenses and accounts payable.
At year end, the auditor received a number of accounts payable confirmations that indicated
a material understatement of accounts payable.
In these circumstances, the auditor would need to reassess the reliance on the controls over
accounts payable. In accordance with ISA 315 (Revised) and ISA 330, they would also need to
address the risks of material misstatement by changing the nature, and increasing the extent,
of substantive testing.
Required reading
ISA 330 para 16 and A40..

CC
Communicating deficiencies in internal control

When evaluating and testing controls, the auditor may discover control deficiencies.
A deficiency in internal control exists when:
•• a control is designed, implemented or operated in such a way that it is unable to prevent, or
detect and correct, misstatements in the financial statements on a timely basis, or
•• a control necessary to prevent, or detect and correct, misstatements in the financial
statements on a timely basis is missing.
ISA 265 requires the auditor to ‘communicate in writing significant deficiencies in internal
control identified during the audit to those charged with governance on a timely basis’
(ISA 265 para. 9).
The auditor is also required to communicate to management significant deficiencies and other
deficiciencies in internal control that have been identified during the audit. The auditor uses
professional judgement to determine which other deficiencies in internal control should be
communicated to management. Communicating deficiencies in internal control is discussed in
detail in the unit on reviewing the financial statements and audit results.
Required reading
ISA 265 paras 9–10 and A5-A7.
Activity 9.2: Evaluating results of tests of controls

Activity 9.3: Evaluating the sufficiency and appropriateness of tests of controls

Worked example 9.4: Perform and evaluate tests of controls


9.1: Testing controls
9.2: Types of controls and testing controls
9.3: Selecting items for testing
Quiz


Readings

Standards.
Required reading
ISA 265 Communicating ASA 265 Communicating ISA (NZ) 265 Communicating
Deficiencies in Internal Control to Deficiencies in Internal Control to Deficiencies in Internal Control to
Those Charged with Governance Those Charged with Governance Those Charged with Governance
and Management and Management and Management
• Paragraphs 9–10 and A5- • Paragraphs 9–10 and A5- • Paragraphs 9–10 and A5-
A7. A7. A7.
•• Paragraphs 11–24, 31, A60–A66, •• Paragraphs 11–24, 31, A60–A66, •• Paragraphs 11–24, 31, A60–A66,
A73–A75, A103–A105, A124 and A73–A75, A103–A105, A124 and A73–A75, A103–A105, A124 and
A143 A143 A143
•• Paragraphs 3, 4(b), 8–17, 25–28, •• Paragraphs 3, 4(b), 8–17, 25–28, •• Paragraphs 3, 4(b), 8–17, 25–28,
A16, A20–A27, A31–A32, A40–A41 A16, A20–A27, A31–A32, A40– A16, A20–A27, A31–A32, A40–A41
and A60–A62 A41 and A60–A62 and A60–A62
•• Paragraphs 1 0 , A52–A55 •• Paragraphs 1 0 , A52–A55 •• Paragraphs 1 0 , A52–A55
ISA 530 Audit Sampling ASA 530 Audit Sampling ISA (NZ) 530 Audit Sampling
•• Paragraphs 1–13, 15, A4, A7, •• Paragraphs 1–13, 15, A4, A7, •• Paragraphs 1–13, 15, A4, A7,
A9–A15 and A23 A9–A15 and A23 A9–A15 and A23
•• Appendices 2 and 4 •• Appendices 2 and 4 •• Appendices 2 and 4
www.ifrs.org www.aasb.gov.au www.xrb.govt.nz

Further reading
There is no further reading for this unit
References
IFAC 2011, Guide to using ISAs in the audits of small and medium-sized entities, 3rd edn
(IFAC Guide), vols 1 and 2, Exhibit 10.5-4, p. 138; Exhibit 17.1, pp 222-3; Exhibit 17.5-6, p. 240.
for small and medium sized entities, Thomson Reuters, Australia.

ACT
Activity 9.1
Identifying risks, controls and appropriate
tests of controls
Introduction
Auditors are interested in the controls that an entity’s management designs and implements
to prevent or detect material misstatements in the financial statements. Where the auditor
plans to adopt a controls-based approach to the audit, they must identify the risks of material
misstatements and related controls that are relevant to the audit client. Once identified, the
auditor must then design appropriate tests of controls to obtain evidence as to the effective
operation of the client’s controls.
•• Design, perform and evaluate the results of controls testing.
At the end of this activity, you will be able to identify risks and related controls, and design tests
of controls, in accordance with ISA 315 (Revised) Identifying and Assessing the Risks of Material
Misstatement through Understanding the Entity and Its Environment (ISA 315 Revised) and ISA 330
The Auditor’s Responses to Assessed Risks (ISA 330).
Scenario
You are a senior auditor working for Eastern Partners. One of your clients is SunToy Limited
(SunToy), a listed company that has been operating for a number of years as a producer of
Australian-themed toys. SunToy’s clients are local and international wholesalers. SunToy’s
audit partner, Charles Yondi, has assigned you the task of understanding both the revenue and
employee benefits cycles during the 30 June 20X3 audit.
In reading through the previous year’s audit work papers, which are relevant to understanding
the business, you identify the following information about SunToy.
Revenue cycle
SunToy’s customers only accept liability for goods they order from SunToy when the goods
are physically delivered to their warehouses. For some international customers, shipments of
SunToy’s products to their warehouses can take up to six weeks to be delivered.
The transaction flow for revenue and cost of goods sold (COGS) recognition is as follows:
1. On receipt of a customer order, goods are dispatched from SunToy’s warehouse to the
customer via various shipping companies. Shipments are accompanied by sequentially
numbered delivery dockets. The delivery dockets are duplicated, with one form being
retained by the warehouse manager and the other going to the customer along with the
goods dispatched. At the time of dispatch, the accounting department is sent a dispatch
notice (also sequentially numbered) that identifies the goods shipped, the sale price per unit
and the associated delivery docket number. Based on this dispatch notice, the accounting
department credits the finished goods account and debits the goods in transit account.

ACT
2. When goods arrive at a customer’s warehouse, its receiving clerk signs the delivery docket.
The shipping company sends this customer-signed copy of the delivery docket back to
SunToy’s accounting department.
3. Once the signed delivery docket is received, SunToy’s accounting department raises an
invoice and sends it to the customer. The transactions processed in the finance system at this
point are:
Recognition of cost of sale
Account description Dr Cr
$ $
COGS XX
Goods in transit XX
Recognition of sale
Account description Dr Cr
$ $
Accounts receivable XX
Sales XX
SunToy’s dispatch notice, the signed delivery docket returned by the customer and a copy of
SunToy’s customer invoice are filed alphabetically by customer name in SunToy’s manual filing
system.
Bernie Tonka, SunToy’s financial controller, maintains that all dispatch notices are processed by
the accounting department within 24 hours of receipt. They are filed numerically in an ‘invoice
pending’ file. This file is checked once a week for all notices that are older than six weeks, which
are then investigated by contacting both the shipping company and customer to check if the
relevant shipments have arrived. Pending an outcome of this investigation, the dispatch notices
and accompanying notes of inquiry are either retained in the ‘invoice pending’ file, or removed
and used to support shrinkage expenses (i.e. if goods in transit are lost and their delivery cannot
be confirmed by either the customer or the shipping company, the relevant goods are then
written off to shrinkage expense).
Employee benefits cycle

Due to the seasonal nature of the toy industry, SunToy’s manufacturing staff is predominantly
made up of casual and part-time workers. Manufacturing wage expense is a major expense
item, especially in the lead-up to Christmas when an additional 40 staff are employed.
To keep track of casual and part-time wages, SunToy’s production manager prepares a weekly
roster, which includes the following details:
•• Employee name.
•• Position of employment (e.g. assembler, finisher, packager ).
•• Hourly rate.
•• Days and hours rostered for the week.
•• Any additional amounts paid (e.g. meal allowance, shift penalties).
Each employee’s immediate supervisor is required to sign a hard copy of the roster on a daily
basis as evidence that the rostered hours were worked. Any adjustments (e.g. additional
or reduced hours worked) are noted daily on the roster and recorded in detail on a payroll
adjustment form (PAF) that must be signed by both the supervisor and employee. The hard
copy of the roster plus any PAFs are forwarded to the payroll officer each Friday and used as
the basis for the employee’s casual and part-time wages for that week.

ACT
Charles Yondi has decided that it is appropriate to test controls over the relevant transactions
for both the revenue and employee benefits cycles. The planned audit approach is to rely on
controls over the revenue and employee benefits cycles regarding the assertions identified.
Tasks
For this activity, in relation to the revenue and employer benefits cycles, you are required to:
1. Identify and explain key accounts at risk of material misstatement.
2. Identify key assertions at risk of material misstatement for each key account.
3. Identify a related control that SunToy has in place to address each assertion at risk.
4. Design a test of control to test the control activity identified above.

ACT
Activity 9.2
Evaluating results of tests of controls
Introduction
When an auditor plans to rely on identified controls that are appropriately designed and
implemented to address assessed risks, the auditor must obtain sufficient appropriate audit
evidence regarding the effective operation of those controls. Often the volume of transactions is
so high that it is more efficient to test the controls using computer-assisted audit techniques.
•• Design, perform and evaluate the results of controls testing.
•• Design, implement and evaluate tests of controls, using computer-assisted audit techniques
(CAATs).
•• Apply audit sampling during controls testing in order to provide a reasonable basis for the
At the end of this activity, you will be able to evaluate the sufficiency and appropriateness
of audit evidence documented, as well as the effects of deviations from control activities, in
accordance with ISA 330 The Auditor’s Responses to Assessed Risks (ISA 330) and ISA 530 Audit
Sampling (ISA 530).
Scenario
You are a senior auditor working for Green Tick, an accounting firm, on the audit of BlueWave
Limited (BlueWave), for the financial year ended 30 June 20X3 (FY 20X3). You are reviewing
documentation prepared by a junior auditor, Vincent Bower, relating to tests of controls work
that was performed on BlueWave’s purchasing system.
The following work paper, developed by Vincent, is the subject of your review.
Purchasing system controls testing work paper

File Document Ref: WP059
Date: 12 April 20X3
Prepared by Vincent Bower
Background
A material amount of BlueWave’s supplies arrives in its Sydney warehouse both two weeks
before and two weeks after the 30 June year end.
When goods from suppliers are delivered to BlueWave’s Sydney warehouse, a goods received
note (GRN) is completed and signed by the warehouse foreman. The GRN includes details about
the type of goods received and date they were received. The warehouse foreman then sends
a signed copy of the GRN and associated supplier’s invoice to BlueWave’s accounts payable
department. An accounts payable clerk matches each GRN to the purchase order that was
raised when the goods were originally ordered.

ACT
The clerk then enters the GRN details (GRN number and date, quantities received etc.) into
BlueWave’s purchasing system, which creates a transaction to update both the inventory
and accounts payable records. The date the GRN is entered into the system by the accounts
department is the posting date for the transaction. At the end of each work day, the clerk
checks with the warehouse to confirm the range of GRNs that have been created that day, and
that they have all been recorded in the purchasing system on the same day as the goods have
been physically received.
Mick Ghatas, BlueWave’s financial controller, provided evidence by way of copies of supplier
contracts indicating that BlueWave becomes liable for goods ordered on receipt of the goods,
not on the date the invoices are received.
Key control to be tested in the purchasing process
The control to be tested is the check to ensure the GRN date and date of entry into the
purchasing system is the same for every transaction on a given day. The performance of this
control can be assessed electronically by comparing the GRN date in the system with the
posting date of the accounting entry. This control is to ensure the completeness of the accounts
payable balance as well as the cut-off of purchases. The sample of GRNs is to be tested around
year end using CAATs due to the higher level of transactions at this time and to give extra
comfort over the year-end balance.
Design and implementation of control
Design assessment
The date that the GRN is entered into the purchasing system by the accounts payable
department is the posting date for the transaction. Based on information received from Mick
Ghatas, the GRN date, being the date goods are received, is the date that BlueWave becomes
liable for the goods received. Therefore, entering the GRN on the date of receipt and creating
a transaction in both inventory and accounts payable ensures transactions are recorded in the
correct period.
Implementation assessment
One GRN, recorded in the purchasing system, was selected and compared to the transaction
recorded in the accounts payable subsidiary ledger, as follows:
GRN number GRN date Accounts Transaction Amount Do the

recorded recorded payable (AP) date transaction
in payment in payment transaction date and GRN
system system number tested $ date match?
GRNX3249 31 March 20X3 AP09169 31 March 20X3 12,560.00 Yes
Conclusion
Control appears to be appropriately designed and implemented. VB 12.04.X3
Tests of controls performed
Date: 15 August 20X3
Prepared by Vincent Bower
Audit work steps performed:
1. With the assistance of Green Tick’s IT audit team, the firm’s generalised audit software
program was used to run a CAAT on a copy of BlueWave’s purchasing system software,
including the transaction data recorded throughout the period under audit. The CAAT was
designed to produce an exception report where recorded GRN and transaction dates do
not match.
2. From a population of 300 GRN transactions raised between 1 July 20X2 and 15 August 20X3,
60 transactions on either side of the 30 June 20X3 year end were selected. A tolerable
deviation rate of 5% was established.

ACT
Results
Five deviations were identified:
GRN number GRN date Accounts Transaction Amount Do the

recorded recorded payable (AP) date transaction date
in payment in payment transaction and GRN date
system system number tested $ match?
GRNX3050 1 July 20X3 AP08975 1 August 20X3 5,254.10 No
GRNX3075 25 July 20X3 AP09000 27 July 20X3 1,203.55 No
GRNX3078 29 July 20X3 AP09003 2 August 20X3 2,013.15 Ref. Note A
GRNX3355 27 June 20X3 AP09350 1 July 20X3 15,055.15 Ref. Note A
GRNX3357 29 June 20X3 AP09352 2 July 20X3 30,459.78 No
Note A: BlueWave’s purchasing manager, Simon Shade, advised that these GRNs had been
cancelled and replaced, so they are not valid deviations.
Conclusion
Three valid deviations were noted from a sample of 60. The deviation rate is 5% and the
tolerable deviation rate is 5%; therefore, this is acceptable.
The controls around GRN transactions are reliable. VB 15.08.20X3
Task
For this activity, as Vincent’s senior auditor, you must evaluate the evidence he has obtained to
assess if the tests of controls performed are sufficient and appropriate, as well as the effects of
deviations from control activities. You will need to raise appropriate review notes on the work
performed and highlight any deficiencies in the documentation provided, with reference to the
appropriate requirements under the Standards. Discussion points to explain your review notes
must also be documented.

ACT
Activity 9.3
Evaluating the sufficiency and
appropriateness of tests of controls
Introduction
An entity designs and implements internal controls in order to help it achieve its business
and operational objectives. Such controls often relate to operations, financial reporting, or
compliance with laws and regulations. Auditors are primarily interested in those controls that
prevent and detect and correct material misstatements in the financial statements.
When auditors perform tests of controls, they are seeking to obtain reasonable assurance over
the operating effectiveness of controls to be able to draw the conclusion that they are able to rely
on the controls tested. A conclusion that enables reliance on particular controls for a relevant
assertion allows the auditor to perform less substantive procedures relating to that assertion.
Reducing the amount of substantive testing promotes an efficient and effective audit.
•• Explain the importance of evaluating controls and continually evaluating the results of
testing work throughout an audit.
At the end of this activity, you will be able to evaluate the sufficiency and appropriateness of
control activities identified and tested, in accordance with ISA 315 (Revised) Identifying and
Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment
(ISA 315 (Revised)), ISA 330 The Auditor’s Responses to Assessed Risks (ISA 330) and ISA 500 Audit
Evidence (ISA 500).
Scenario
You are a senior auditor working for the accounting firm Granger & Beatty Australia. As a result
of another senior auditor, Betty Jones, breaking her leg on a weekend skiing trip, you have been
reassigned to work on the audit engagement of a custom book printer, ABKO Pty Ltd (ABKO),
for the financial year ended 30 June 20X3.
Your manager, Diego Dante, has asked you to finish the audit work related to ABKO’s revenue
cycle, which Betty had started. It is 15 July 20X3, and the audit team (including you) has just
arrived at the client’s offices to complete audit testing for the financial year ended 30 June 20X3.
You begin by reviewing the work Betty has already done to determine what is outstanding.
ABKO has four types of clients: small publishers, self-publishers, educational institutions
and traditional publishing houses (collectively described as ‘publishers’). You note that at the
interim audit visit during April 20X3, Betty identified and documented ABKO’s sales process:
•• Publishers email their book files to ABKO in PDF format. ABKO stores the books on its
servers, ready for each new print run that the publishers order.
•• ABKO sets up a username and password for new publishers when they send their first
book order through the printer’s online ordering system. In order to activate its account,
a publisher must log in to ordering system and reset the password. At initial login, the
publisher must specify its billing and shipping addresses and accept ABKO’s terms of trade,
which includes ABKO’s right to perform a credit check through a credit rating agency.

ACT
•• Publishers use the online ordering system to order print runs. The ordering system requires
the publisher to specify quantity, book size, paperback or hardcover format, and paper type
and colour.
•• The online ordering system is integrated with the accounting system. The accounting
system automatically stops orders being made by any publishers who have exceeded their
credit terms and limits.
•• ABKO has set the following credit limits based on their customer profiles:
– Small publishers $10,000
– Self-publishers $10,000
– Educational institutions $100,000
– Publishing houses $200,000
•• When printing is finished, the accounts receivable department issues an invoice and the
books are shipped to the publisher’s nominated delivery address.
•• All sales are payable 30 days from the date of the invoice.
Based on this information, Betty identified and documented the following control activities,
tests of controls, and results of tests of controls:
Revenue cycle control activities Tests of controls Results
1. New publishers must log in to In a test environment (copy of the Performed test on 16/04/20X3.
ABKO’s online ordering system accounting system), create four Observed that dummy publisher
and complete mandatory dummy publisher accounts (one for accounts were added to the
detail fields for invoicing. They each credit limit profile) by filling customer master file within the
must also reset their password out the required fields to create a accounting system. Credit limits
and accept the terms of trade, new customer were established in accordance
including the fact that a credit with profiles of each customer
Leave mandatory fields blank in
check may be carried out on group, but not activated for usage
some of the dummy publisher
them by ABKO on acceptance of by customers
online application forms
the terms of trade
Where mandatory fields were left
Accounts are not activated until blank, the online system did not let
credit checks are completed the application proceed
Conclusion: Control appears to be
operating as expected
BJ 18.04.20X3
2. For new publishers, ABKO Test 1: Using the customer creation For each month from July 20X2 to
performs a credit check through date field in the customer master April 20X3, the audit team:
a credit rating agency and sets file, select one customer added
•• Selected one publisher added
the appropriate credit limit for each month and trace it to the
to the customer master file
credit report received from the
and traced it to a credit report
credit rating agency
received from Credit 2 U credit
Test 2: Using the sample selected agency
for Test 1, assess whether the credit •• Assessed the credit limit applied
limits were appropriately applied based on the profile of the
customer
Conclusion: No exceptions noted.
Control appears to be operating as
expected
BJ 18.04.20X3

ACT
Revenue cycle control activities Tests of controls Results
3. The online ordering system is In a copy of ABKO’s accounting ABKO’s chief financial officer
integrated with the accounting system’s testing environment: has requested that the tests be
system. The accounting system performed only once, due to the
•• Test 1 – select a number of
automatically stops orders made disruption caused by audit staff to
customers with a predetermined
by any publishers who have the IT staff in establishing the test
credit limit. Process a dummy
exceeded their credit terms and environment. In addition, she has
order for an amount that will
limits requested that the tests of controls
result in credit limits being
be performed only during July
exceeded. Observe whether
20X3, as this is traditionally the
the transaction is permitted to
quietest time of the year for ABKO
continue
•• Test 2 – select a customer who BJ 31.04.20X3
has exceeded their payment
terms (i.e. whose balance is
overdue). Process a dummy
order for any amount. Observe
whether the transaction is
permitted to continue
Tasks
1. Identify what remains outstanding in relation to the tests of controls documented.
2. Assuming no further deviations in controls are detected, evaluate whether the control
activities can be relied on.
3. For each of the control activities, identify the key assertions relating to revenue transactions
and associated account balances at period end that have been addressed through tests of
controls. Justify your response.
4. Identify the assertions relating to revenue transactions and associated account balances
at period end that have not been addressed by the controls activities and testing noted in
Betty’s documentation. Justify your response.


CC
Core content
Unit 10: Responding to assessed risks
– substantive testing
Learning outcomes
1. Apply audit sampling during substantive testing in order to provide a reasonable basis for
the auditor to draw conclusions.
2. Design, perform and evaluate the results of substantive testing.
3. Design, implement and evaluate substantive testing using computer-assisted audit
techniques (CAATs).
Introduction
In the risk response phase, the auditor performs audit procedures to provide reasonable
assurance that the financial statements are not materially misstated. Substantive procedures, as
addressed in ISA 330 The Auditors Responses to Assessed Risks (ISA 330), are part of the auditor’s
response to risk. They provide direct evidence about amounts in the financial statements by
testing the underlying data.
The following diagram illustrates the stages of the audit that relate to risk assessment and
responses to assessed risks, and identifies the Standards that apply to those stages:

ISA 315 ISA 330
Reassess risk of material misstatement where deviations

As discussed in previous units,
fromthere are results
expected two categories of audit procedures that auditors use in
are identified
responding to risk:
•• Tests of controls.
•• Substantive procedures, which comprise:
–– substantive analytical procedures (SAPs), and
–– tests of details.
aaa11610_csg

CC
These are illustrated in the following diagram:
Audit procedures
(see unit on responding to

assessed risks − controls testing)
Tests of details
procedures
This unit focuses on substantive procedures and considers the requirements of the following
International Standards on Auditing (ISAs) that relate to substantive testing:
•• ISA 501 Audit Evidence – Specific Considerations for Selected Items (ISA 501).
•• ISA 505 External Confirmations (ISA 505).
•• ISA 530 Audit Sampling (ISA 530).
This unit covers how to apply audit sampling during substantive testing and how to design,
perform and evaluate substantive procedures, including how to use Computer-assisted audit
techniques (CAATs) in performing those substantive procedures.

CC
Substantive procedures and audit sampling
Learning outcome
1. Apply audit sampling during substantive testing in order to provide a reasonable basis for the
Selecting items for testing

As discussed in the unit on responding to assessed risks – controls testing, ISA 500 requires
the auditor to determine effective means for selecting items to meet the purpose of the audit
procedure. In most cases, it will not be practical to select all items within a population. Similar
to selecting items for controls testing, the auditor can use different methods for selecting a
sample to test when designing tests of details. This unit focuses on selecting items using audit
sampling, but it is important to note that instead of audit sampling, auditors commonly use the
following two alternative approaches (ISA 500 paras 10 and A52–A56):
•• Testing 100% of items – CAATs can be used to test 100% of items. Alternatively, this
approach can be used when there is a relatively small number of high-value items. Auditors
may also examine all items in an account balance or class of transactions for which inherent
risk and control risk have been assessed as high.
•• Testing specific items – Auditors may select specific items based on certain characteristics
(e.g. those with high values), or unusual items, or those where, as indicated by previous
experience, misstatements are more likely. CAATs can be used to extract and filter data to
the auditor’s specifications. However, this is not audit sampling, which means the results
cannot be projected to the entire population.
Example – Identifying data that meets specific criteria

The auditor of Purple identified a risk that Purple’s inventories may be obsolete. Using a CAAT,
all inventory lines that have a total value of $5,000 or more, where sales have not been recorded
in the previous six months, are identified and extracted from Purple’s financial records.
Example – Alternative to audit sampling: Testing specific items

Mauve’s list of prepaid expenses is below:
Item Prepaid expenses $
1. Building insurance 10,000
2. Workers’ compensation insurance 26,000
3. Advertising 110,000
4. Office rent 65,000
5. Motor vehicle insurance 14,000
6. Equipment rental 10,000
7. Sundry expenses 9,000
Total 244,000
Mauve’s auditor, Goodadds Chartered Accountants (Goodadds), has determined Mauve’s

performance materiality to be $50,000.
By performing tests of details on Items 2, 3 and 4, Goodadds has tested $201,000 of the prepaid
expenses population. The untested Items (1 and 5–7) total $43,000, which is less than Mauve’s
performance materiality. Therefore, Goodadds concludes that no further testing will be necessary.

CC
When is audit sampling used for substantive procedures?

To understand when audit sampling is likely to be effective and efficient for substantive
procedures, consider the definition of ‘audit sampling’ in ISA 530 para. 5(a):
… the application of audit procedures to less than 100% of items within a population of audit relevance
such that all sampling units have a chance of selection in order to provide the auditor with a reasonable
basis on which to draw conclusions about the entire population.
Sampling involves applying audit procedures to a sample of items from the defined population.
Therefore, sampling is applicable to tests of details, which examine the items that comprise
amounts in the financial statements.
Sampling is not suitable for substantive analytical procedures (SAPs) because these procedures
do not directly examine items that comprise amounts in the financial statements.
Many of the basic concepts relating to audit sampling were discussed in the unit on responding
to assessed risks – controls testing. Most of these concepts are the same when applied to audit
sampling for tests of details. The main differences relate to how the results of audit sampling
are evaluated:
•• When evaluating sampling results for tests of details, the auditor projects misstatements in
the sample to the population to give a best estimate of the misstatement in the population
(ISA 530 para. 14).
•• When evaluating sampling results for tests of controls, the auditor compares deviations
in the sample to a tolerable rate of deviation, and can obtain a best estimate of the rate of
deviation in the population (ISA 530 para. 5(j)).
This section will examine audit sampling through the following phases in a test of details:
Design Determine Select Test Evaluate the

the test the sample the the results of
of details size sample sample the sample
Audit sampling terminology

ISA 530 para. 5 defines the key terms that apply in audit sampling. Some of the key terms are:
•• Population – the entire set of data the auditor is examining (para. 5(b)).
•• Sampling unit – individual items in the population (para. 5(f)).
Example – Audit sampling terminology

The auditor of Blue uses audit sampling when performing a test of details in respect of the sales
transaction stream. The population is the total number of sales transactions during the financial
period. The sampling unit is each individual sale.
Required reading
ISA 530 paras 1–5, 14 and A1–A3.
ISA 500 paras 10 and A52–56

CC
Examples of audit sampling

Audit sampling is commonly used for tests of details where there is a large number of items that
comprise an account balance. Therefore, the following account balances and transaction streams
(and related assertions) are commonly sampled for audit testing:
•• Accounts receivable balances (existence, and valuation and allocation).
•• Sales transactions (occurrence, and accuracy).
•• Purchases and expenses transactions (occurrence, accuracy, and classification).
•• Inventories (existence, and valuation and allocation).
•• Plant and equipment (existence, and valuation and allocation).
It is often the occurrence and existence assertions that are tested, as applicable. This is because
audit sampling is often applied to a population of recorded items, which are then verified
against evidence to confirm that the transactions occurred during the period, or that the account
balances existed at period end. This concept will be discussed further below.
Determining the sample size

To understand how sample sizes are determined, the following terms that were introduced in
the unit on responding to assessed risks – controls testing are recapped:
•• Sampling risk – the risk that, by testing only a sample of items, the auditor’s conclusion
will be incorrect. For a test of details, this would be concluding there is no material
misstatement, when in fact there is (ISA 530 para. 5(c)).
•• Tolerable misstatement – the amount that the auditor is prepared to accept
as a misstatement in a population, and which is related to performance materiality
(ISA 530 para. 5(i)).
Different auditing firms use different sample sizes and sampling methodology.
However, sample size, when performing tests of detail, is impacted by factors set out in
ISA 530 Appendix 3. These factors are summarised in the following table:
Factors influencing sample size for tests of details – ISA 530 Appendix 3
Factor Effect on Comments

sample size
Increased risk of material Increase RMM has two components:

misstatement (RMM)
•• Inherent risk
•• Control risk
For example, if the auditor does not perform tests of controls,
the auditor’s risk assessment cannot be reduced for the
effective operation of controls. Therefore, to reduce audit risk
to an acceptably low level, the auditor needs a low detection
risk and will rely more on substantive procedures
Increased use of other Decrease If the auditor performs other substantive procedures on the
substantive procedures same amounts and assertions, this reduces the sample size.
The other substantive procedures could be SAPs
Increase in desired level of Increase The larger the sample size, the more assurance there is that
assurance that misstatement in the results of the sample are indicative of the misstatement
the population is not more than in the population. Increased sample sizes will result in
tolerable misstatement increasingly precise results
Increase in tolerable Decrease If the auditor accepts a high tolerable misstatement,

misstatement the sample size can be smaller

CC
Factors influencing sample size for tests of details – ISA 530 Appendix 3
Factor Effect on Comments

sample size
Increase in expected Increase If the auditor expects a greater misstatement, then the
misstatement sample size must be increased, to provide more results on
which to base the auditor’s estimate of the misstatement
Stratification of the population Decrease Auditors often stratify (i.e. divide) populations into
subpopulations with different characteristics (e.g. monetary
size), and then sample each subpopulation separately. Doing
this will reduce the overall sample size
Number of items in the Negligible This makes sampling an efficient tool when examining large
population effect populations
Adapted from: ISA 530 Appendix 3.
Required reading
ISA 530 paras 5(c), 5(i), 6–7, A1–A11, Appendix 1 and Appendix 3.
Selecting the sample

Having determined the size of the sample, the next step is to physically select the sample of
items or sampling units that are to be drawn and tested from the total population. This selection
must be done in such a way that each item in the population has a chance of being selected
(ISA 530 para. 8). In other words, the selection method must not be biased.
In the unit on responding to assessed risk – controls testing, the following three primary
methods of sample selection were discussed, and are also appropriate for tests of details
(described in more detail in ISA 530 Appendix 4):
•• Systematic selection (where the number of items (sampling units) in the population is
divided by the sample size to give a sampling interval).
•• Random selection (applied using random number generators).
•• Haphazard selection (the sample is selected without structure but avoiding bias).
In addition, another method, monetary unit sampling, is often used when designing tests of
details:
•• Monetary unit sampling (MUS) – this method replaces the number of items in the
population and sample with their monetary values. MUS is used to increase the chances of
high-value items being selected for testing, as the individual monetary units (i.e. individual
dollars) are selected, meaning that higher value items have more individual monetary units
available for selection. Therefore, MUS is commonly used when testing for overstatement.
Example – Using CAATs to select a sample

The accounting software of the entity being audited allows reports to be exported to Excel. The
auditor uses this feature to export all accounts receivable balances to a spreadsheet. Using this
spreadsheet, the auditor is able to select a sample of balances for testing using monetary unit
sampling.

CC
Unacceptable methods of selection

Block selection is where a block of sequential items is selected – for example, all sales invoices
in May. Block selection does not allow conclusions to be drawn about the entire population
from testing the items selected. This does not mean that selecting a ‘block’ of items is never
appropriate; for example, when testing the cut-off assertion, an auditor may examine a block of
sales transactions immediately before and after period end.
Required reading
ISA 530 paras 8, A12–A13 and Appendix 4.
Testing the sample

The auditor performs the designed audit procedure on each item selected in the sample.
It is quite common for the auditor to encounter difficulties in testing individual items in a
sample; for example, differences between value observed for audit testing and book value. It is
important for the auditor to clearly define what constitutes a difference, and to ensure these are
dealt with in accordance with ISA 530, because the results of testing the sample are used to form
a view on the entire population.
When items are not applicable to the audit procedure

Some items in a sample may not be applicable to the audit procedure – for example, a cancelled
cheque. In this case, a replacement item is selected for testing. However, the auditor must also
obtain evidence that the cheque is cancelled and that there is no misstatement (ISA 530 paras 10
and A14).
When the audit procedure cannot be performed

Sometimes an auditor is unable to perform the designed audit procedure on a particular item –
for example, where documentation has been lost, or an external party does not respond to the
auditor’s request for information.
The next step is to identify a suitable alternative procedure. However, the auditor needs to use
their professional judgement to ensure that the alternative procedure will provide an acceptable
level of assurance. If an alternative procedure cannot be performed, the item is treated as a
misstatement (ISA 530 para. 11).
Example – Alternative procedure for audit sampling

The auditor writes to a sample of customers requesting written confirmation of their
accounts receivable balances. One customer does not respond despite several follow-up
communications from the auditor.
As a suitable alternative procedure, the auditor instead verifies the sales invoices comprising
that customer’s balance against external shipping documents, bank receipts after the financial
period end, customer remittance advices and sales invoices.
Required reading

CC
Evaluating the results of testing a sample

As mentioned above, it is when evaluating the results of testing an audit sample that a key
difference arises between tests of details and tests of controls:
•• The results of a sample for a test of controls are compared to the tolerable rate of deviation
and may be used to calculate the expected rate of deviation in the population.
Whereas:
•• The results of a sample for a test of details are projected to the population in order to
calculate a monetary misstatement amount (where applicable).
When assessing the results of testing a sample, the objectives are to evaluate:
•• The results of the sample (ISA 530 para.15(a)).
•• Whether the sample provides a reasonable basis for concluding on the population
(ISA 530 para. 15(b)).
Evaluating the results of a sample

For a test of details, the auditor must investigate all misstatements in the sample. This
will identify any additional necessary audit procedures and further audit evidence that is
needed. The investigation will also identify the rare circumstances when a misstatement
can be demonstrated to be an anomaly – that is, the misstatement is a one-off event (ISA 530
paras 12–13).
Having identified all the misstatements in the sample tested, the next step in the evaluation
is to project the sample results to the population. This is done to obtain a best estimate of
the misstatement in the population (ISA 530 paras 14 and A18), which is what the auditor is
interested in.
This projection excludes any anomalies, because, as stated above, these are ‘one-off’ events;
however, in practice, true anomalies are rare.
A common method of projection is to take the ratio of the population value to the sample value,
and apply this ratio to the value of misstatements in the sample as follows:
Misstatements in Population Sample Projected

the sample × value ÷ value = misstatement
$ $ $ $
Example – Projecting the results of a sample to the population

From an inventory population of $500,000 comprising 600 inventory lines, the auditor selects
a sample of 25 lines for testing, which have a total value of $100,000. One item is found to be
misstated to the value of $5,000. The projected misstatement is calculated as:
$5,000 × $500,000 ÷ $100,000 = $25,000

CC
Determining whether the sample provides a reasonable basis for concluding on the
population
If the projected misstatement, and any misstatements from anomalies, exceeds the auditor’s
tolerable misstatement, the sample does not provide a reasonable basis for conclusions about
the population (ISA 530 para. A22). In this event, the auditor needs to:
•• request that management investigates the identified misstatements and makes any
necessary adjustments, or
•• obtain evidence using other audit procedures.
Required reading
ISA 530 paras 12–15, A17–A19 and A21–A23.
Documentation of audit sampling

Documentation of audit sampling is governed by the general requirements of ISA 230 Audit
Documentation (ISA 230), as well as ISA 330 and ISA 450 Evaluation of Misstatements Identified
during the Audit (ISA 450).
In documenting the nature, timing and extent of substantive audit procedures that have been
performed and the results of those audit procedures, the documentation should demonstrate
how a sample has been determined and selected, and how the results of testing that sample
have been evaluated.
Required reading
ISA 230 para. 9.
ISA 450 para. 15.
Worked example 10.1: Evaluating the results of audit sampling for a test of details

CC
When audit sampling is not used

Audit sampling may not always be appropriate. For example, when the completeness assertion
is being examined, substantive procedures will often be used to find out whether items have not
been recorded. This means that the auditor may not start their examination with a list of items
from which to select a sample – that is, there is sometimes no clear population as such. When
the auditor is testing for completeness, the auditor is looking for items that are not included in
the population, but should be. Therefore, sampling of the population has no chance of selecting
such items.
In other circumstances, a relatively small number of items means that selecting specific items
or testing 100% of items may be more efficient than sampling. Therefore, audit sampling is
generally not used for:
•• Accounts payable – testing for completeness by searching for unrecorded liabilities
(see example below).
•• Cash at bank (obtaining written confirmation of balances from the bank).
•• Accounts receivable (review of aged balances for evidence of impairment).
•• Goodwill (review of cash flow forecasts used to test impairment).
•• Discussions with management to identify material events subsequent to the balance date.
Example – Testing the completeness assertion of accounts payable

This example illustrates when audit sampling is not used.
Purple’s auditor, Quickadd Chartered Accountants, has identified a risk that Purple’s accounts
payable liabilities may be understated at period end (completeness assertion). The following
test of details has been designed to respond to this risk:
Review the bank statements and the cash journal after the period end and
select all payments of $50,000 or more. Obtain supporting documentation in
respect of these payments. Where the payments relate to liabilities that existed
at the period end, ensure that the transaction was recorded as a liability in
accounts payable or accrued liabilities.
It may be possible to obtain a reciprocal population (e.g. a population of payments after year
end, when testing for completeness of the accounts payable balance); however, it is important
to note that sampling is generally less effective when testing completeness, and professional
judgement is required to plan test and interpret results.
Required reading
ISA 530 para. 5(a).

CC
Substantive testing
Learning outcome
2. Design, perform and evaluate the results of substantive testing.
3. Design, implement and evaluate substantive testing using computer-assisted audit
techniques (CAATs).
This section covers how to design substantive procedures that address the residual risk after
any tests of controls have been performed. The following diagram illustrates how the auditor’s
response to risks fits in with the audit risk model, which was introduced in the unit on
understanding the entity and its environment:
Tests of controls used to Substantive procedures used

When to use substantive procedures

The quantity and quality of audit evidence that is required from substantive procedures
depends on the auditor’s risk assessment and whether tests of controls are performed.
However, some audits predominantly use only substantive procedures.
As discussed in the unit on developing an overall audit plan, the mix and number of tests of
details and SAPs the auditor performs is a matter of professional judgement. However, ISA 330
does contain some rules for when the auditor needs to perform substantive procedures:
•• Substantive procedures (i.e. either tests of details or SAPs, or both) must be performed for
all material classes of transactions, accounts balances and disclosures (ISA 330 para. 18).
•• The auditor must consider whether external confirmations are used as an audit procedure
(ISA 330 para. 19).
•• Substantive procedures must include procedures relating to financial statement closing
process, such as agreeing or reconciling the financial statements with underlying accounting
records and examining material journal entries and other adjustments made during the
preparation of financial statements (ISA 330 para. 20).
•• Substantive procedures must be specifically designed in response to a significant risk at the
assertion level (ISA 330 para. 21).
•• If only substantive procedures are used to respond to a significant risk, they must include
tests of details (ISA 330 para. 21).
Required reading
ISA 330 paras 1–5, 18–21, A1–A3, A42–A43 and A52–A53.

CC
Nature, timing and extent of substantive procedures

The objective in responding to assessed risks is to ‘design and perform procedures whose
nature, timing and extent are based on and are responsive to the assessed risks …’ (ISA 330
para. 6). The nature of an audit procedure refers to its purpose (i.e. test of controls or
substantive procedure) and its type (i.e. inspection, observation, inquiry, confirmation,
recalculation, reperformance or analytical procedure). The nature of the audit procedure is the
most important factor in responding to the assessed risks.
The following diagram illustrates what nature, timing and extent mean for any audit procedure,
including substantive procedures:
Purpose: Type:
TODs or Inspection
SAPs Nature Observation
Inquiry
Confirmation
Recalculation
Reperformance
Analytical procedures
Procedure
Timing Extent
When the Period the Quantity

procedure is evidence e.g. sample size
performed applies to
Each of these elements is important in meeting the auditor’s overall objective to ‘obtain
sufficient appropriate audit evidence’. For example, the auditor can obtain more assurance
by either increasing the sample size for a particular test of details, or by changing the type of
procedure in order to obtain more reliable or appropriate audit evidence.
Required reading
ISA 330 paras A4–A8 and A59.
ISA 500 paras A14–A25.
Substantive analytical procedures (SAPs)

Analytical procedures are used to evaluate amounts in the financial statements by:
•• analysing relationships among financial and non-financial information, and
•• investigating unexpected variances in these relationships.
Analytical procedures are used at three stages of the audit:

•• Planning stage – as a risk assessment procedure (i.e. identify and assess risks).
•• Response to assessed risk stage – as a substantive procedure.
•• Final stage – to assist in forming an overall conclusion.

CC
This unit discusses SAPs that are used at the response to assessed risk stage of the audit, to
obtain audit evidence. When using SAPs as a substantive procedure, the auditor develops an
expectation of the recorded amounts or ratios, evaluates the reliability of the data from which
the expectation is developed and determines an acceptable difference. This is different to SAPs
used as planning and final analytical procedures.
Example – Substantive analytical procedure

The auditor develops an expectation of the gross profit percentage, using prior financial
periods’ reported figures and known industry trends. This expectation is compared to the
calculated gross profit percentage for the financial period being audited.
When to use SAPs

Because SAPs do not provide the type of direct evidence on individual items that tests of details
provide, they are generally considered to provide less assurance than tests of details.
As a consequence, SAPs are often used:
•• As the only substantive procedures, where the risks of material misstatement are assessed
as low and tests of controls have been successfully performed.
•• To support tests of details that address the same financial statements’ account and assertion.
Despite the generalisation that SAPs provide less assurance than tests of details, there are
circumstances when they can be particularly effective, as well as efficient. For example, when
conducting an audit on a property company that manages multiple properties, it may be
possible to perform a SAP with a high degree of accuracy because the number of properties and
rentals may be highly predictable.
SAPs are most suited to:
•• Large volumes of transactions that are predictable over time (ISA 520 para. A6).
•• Analyses that can be performed with a high degree of accuracy (ISA 520 para. A7).
It is also possible to design more effective SAPs by basing them on more disaggregated data –
for example, by analysing revenue by month, division, and product group.
Example – SAPs and tests of details that address the same assertion
To address the risk that the accounts receivable balance is overstated (existence assertion), the
auditor of Brown Co. plans the following substantive procedures:
SAP:
Calculate debtor days and compare to expectations developed from terms of trade, industry
averages, prior years’ reported amounts, and Brown Co.’s forecasts.
Test of details:
Verify a sample of customer balances by tracing to sales invoices prior to period end and
external shipping documents and cash receipts subsequent to the period end.

CC
Designing, performing and evaluating SAPs

The following diagram illustrates the steps involved in designing, performing and evaluating a
SAP:
Design SAP Evaluate Determine Evaluate

Develop an Perform
to address reliability what variance results
expectation the SAP
assertions of data is acceptable of SAP
These steps are discussed in detail below:
1. Design SAP to address assertions

The auditor needs to determine the suitability of particular SAP for given assertions, taking
into account of the assessed risks of material misstatement and tests of detail, if any, for these
assertions. Where assertions are associated with significant risks, it may not be effective to
perform SAPs due to potential complexity of the issues.
SAPs are often suitable for assertions associated with classes of transactions (accounts in the
statement of profit and loss), for example:
•• Revenue (occurrence and accuracy).
•• Payroll expense (completeness and accuracy).
•• Depreciation expense (completeness and accuracy).
2. Evaluate reliability of data

The reliability of SAPs depends on the reliability of the data used to conduct the analysis
(ISA 520 para. 5(b)). Reliability, in turn, is influenced by the source and nature of the data
(ISA 520 para. A12).
The auditor needs to consider the reliability of data (internal and external) from which the
expectation of recorded amounts or ratios is developed. This will require tests of the accuracy,
existence and completeness of underlying information, such as tests of controls or performing
other specific audit procedures, including the use of CAATs.
For example:
•• If the auditor has successfully performed tests of controls over data preparation, this
increases its reliability.
•• Data from independent (external) sources is generally more reliable than internally
produced data.
Required reading
ISA 520 paras 1–5(b), A1–A10 and A11–A14.
ISA 330 para. A44.
3. Develop an expectation and determine acceptable variance

It is important that a realistic expectation of ratios or recorded amounts is developed based
on all relevant information. This expectation should be precise enough for the auditor to
determine what would be an acceptable or unacceptable variance when the SAP is performed.
A common fault with poorly designed SAPs is that the auditor’s expectation of their results is
not adequately developed.
In developing an expectation, the auditor needs to identify whether there are plausible
relationships which they could use to develop an expectation of the recorded amounts. In
establishing meaningful relationships between information, the auditor considers the following:

CC
Questions to address
Establishing meaningful Are the relationships developed from a stable environment?

relationships between
Reliable and precise expectations may not be possible in a dynamic or unstable
information
environment
Are the relationships considered at a detailed level?

Disaggregation of amounts can provide more reliable and precise expectations
than an aggregated level
Are there offsetting factors or complexity among highly summarised components

that could obscure a material misstatement?
Do the relationships involve items subject to management discretion?

If so, they may provide less reliable or less precise expectations
Adapted from: Australian audit manual and toolkit 2015 for small and medium sized entities, pp. 133–134
When designing a SAP, it is necessary that the auditor determines the size of variances from
expectations that they are willing to accept. This is influenced by materiality and the level of
assurance planned (ISA 520 para. A16). The auditor also needs to consider how precise the SAP
is expected to be.
Required reading
ISA 520 paras 5(c) and A15.
4. Perform the SAP and evaluate its results

All variances over the auditor’s acceptable limit must be investigated by (ISA 520 para. 7):
•• Discussing the variance with management.
•• Obtaining evidence to confirm management’s explanations.
•• Performing other procedures if necessary.
Required reading
ISA 520 paras 5(d), 7, A16 and A20–A21.
Example – Performing substantive analytical procedures

James, an audit senior with Quickadds Chartered Accountants, proposes the following SAP for
overhead expenses to his manager, Mary:
•• Compare office rental and sales commission expenses to the previous financial year.
Mary explains to James that he needs to develop realistic expectations for each of these
expenses, rather than simply comparing them to the previous financial year. This is because
the actual expenses are dependent on more than just the previous financial year’s reported
expenses.
She suggests the following:
•• Office rental – develop an expectation of the office rental expense using the rental
contracts from the current and previous years, any changes in floor space, any expected
rental increases under those contracts, management’s forecasts, and the previous financial
year’s rental expense. Compare this expectation to the recorded rental expense for the
current financial year. Follow up any unexpected variances with management and obtain
supporting documentation.
•• Sales commission – develop an expectation of the sales commission expense using the
sales commission agreements, recorded sales, management’s forecasts, and the previous
financial year’s sales commission expense. Compare this expectation to the recorded sales
commission expense for the current financial year. Follow up any unexpected variances
with management and obtain supporting documentation.

CC
Worked Example 10.2: Designing substantive procedures

Activity 10.1: Designing substantive analytical procedures

Tests of details
Tests of details involve obtaining direct evidence on items that comprise amounts in the
financial statements. Often the auditor will perform tests of details on sample of items as
discussed above in the section on audit sampling.
The assurance provided by a test of details therefore depends on the:
•• Relevance and reliability of the audit evidence obtained.
•• Quantity of audit evidence obtained.
Designing tests of details

In determining the type of procedure (test of details or SAP) for the account or disclosure being
tested, and designing that procedure, the auditor considers the following factors:
•• Risk of material misstatement.
•• Relevant assertion.
•• Sufficient appropriate audit evidence.
These factors are relevant when designing any type of audit procedure – test of controls or
substantive procedure.
Many audit firms use audit software or audit program templates that include lists of most
common audit procedures. When using these lists of audit procedures, it is important to
customise the procedure to address the specific risk and explain the evidence obtained,
including source documentation required and details checked.

The design of a substantive procedure should take into account the reasons underlying the risk
assessment. The assessed risk affects both the types of audit procedures and their combination.
ISA 330 includes the following rules:
• Substantive procedures must be specifically designed in response to a significant risk at the
assertion level.
• If only substantive procedures are used to respond to a significant risk, they must include
tests of details.
Example – Impact of reasons underlying the risk

The auditor of Purple has identified a risk that Purple’s inventory may be overstated (valuation
and allocation assertion). This is due to the release of a new line of products by a major
competitor that may cause some of Purple’s products to be obsolete.
The auditor designs an audit procedure to compare the recorded inventory unit carrying values
to evidence of their net realisable values. The procedure is performed on all those inventory
lines that correspond to the competitor’s new product lines.

CC
As the assessed risk increases, so does the quality and quantity of evidence that is required. For
example, the auditor may place more emphasis on obtaining third party evidence which is more
reliable, or by obtaining corroborative evidence from a number of independent sources.
Example – Procedures responsive to a significant risk

The auditor of Purple has identified that Purple’s management is under pressure to meet
earnings expectations. There is a risk that management is inflating sales by improperly
recognising sales revenue by having in place sales agreements with terms that allow invoicing
before goods have been shipped. Therefore, the auditor is designing external confirmation
procedures that not only confirm the outstanding amounts, but also confirm the details of sales
agreements, including dates, any rights of return and delivery terms. In addition, they inquire
legal personnel about any changes in sales agreements and delivery terms.
Required reading
ISA 330 paras 6–7 A9–A19 and A44–A47.
ISA 500 paras 4, 6, A1–A3, A6 , A12–A13 and A27.
Relevant assertion
When determining the relevant assertion, the auditor considers the risk, that is, which aspect
of the account ‘could go wrong’ and therefore which assertion is the most at risk of being
misstated.
The substantive procedure needs to be designed to address the assertion being examined
(ISA 330 para. 6). This means obtaining audit evidence that is relevant, or linked, to that
assertion (ISA 500 para. A27). This can often relate to the ‘direction’ of the procedure, or starting
point for the procedure.
When testing the existence or occurrence assertions, the auditor is interested in whether
items that are recorded in the financial statements actually did occur during the period or do
exist at period end (i.e. risk of overstatement). Therefore, a test of details will select a sample
of recorded items and then seek to obtain evidence to verify them.
Example – Testing existence assertion of accounts receivable

This example illustrates how the auditor designs a test of detail to address existence assertion.
receivable balance may be overstated at period end (existence assertion). The following test of
details has been designed to respond to this risk:
Obtain accounts receivable subledger and select a sample of items for
confirmation to ensure the receivable existed at period end. Request
positive confirmation of the balance from the selected customers. Where the
confirmed amount is different to the recorded amount, vouch to supporting
documentation.
In this example, the starting point of the procedure is the amount recorded in the financial
records (the accounts receivable balance in the accounts receivable subledger) and the auditor
is obtaining evidence from supporting documents to verify the existence of the amount.

CC
When testing the completeness assertion, the auditor is concerned with whether transactions
or balances that should have been recorded have been missed (i.e. risk of understatement).
Therefore, a test of details will start by examining evidence of items that should be recorded,
and then investigate whether these items are included in the relevant account balance.
Example – Testing the completeness assertion of accounts payable

Going back to the example discussed in the previous section on audit sampling, this example
now considers how an auditor designs a test of details to address the completeness assertion.
payable liabilities may be understated at period end (completeness assertion). The following
test of details has been designed to respond to this risk:
Review the bank statements and the cash journal after the period end and
select all payments of $50,000 or more. Obtain supporting documentation in
respect of these payments. Where the payments relate to liabilities that existed
at the period end, ensure that the transaction was recorded as a liability in
accounts payable or accrued liabilities.
In this example, the starting point of the procedure is the items outside financial records (i.e.
the auditor is starting with the supporting documentation to obtain evidence that all amounts
that should have been recorded, have been recorded).

Deciding what is sufficient appropriate audit evidence requires the auditor to exercise
The auditor will often obtain evidence on a particular account balance and assertion from the
use of several audit procedures. However, the higher the residual risks of material misstatement
after performing tests of controls, the higher the quality and quantity of evidence from
substantive testing required.
The characteristics of sufficient appropriate audit evidence can be summarised as follows:
Sufficiency Appropriateness
Quantity of audit Relevance of audit Reliability of audit

evidence evidence evidence
(ISA 500 para. 5(e)) (ISA 500 para. 5(b)) (ISA 500 para. 5(b))
Connection between Influenced by source

the audit procedure of evidence and its
and the assertion nature
being considered (ISA 500 para. A31)
(ISA 500 para. A27)
As the auditor’s objective is to obtain ‘sufficient appropriate audit evidence’, a practical

consideration is what evidence is available. There is often a cost-versus-benefit balance to
obtaining more reliable evidence. However, the cost of performing a procedure alone is not a
reason to omit the procedure.
Some procedures, such as confirmation, will often provide more reliable evidence than, say,
inquiry. The relevance and reliability of audit procedures will be discussed in detail on the unit
on evaluating audit evidence.

CC
Required reading
ISA 500 paras 1–5, 7–10 and A1–A56.
Activity 10.2: Designing tests of details

Timing of substantive procedures

The timing of substantive procedures has two aspects (ISA 330 para. A6):
•• The time at which the procedure is performed.
•• The period to which the audit evidence applies.
Time at which the procedure is performed

The timing of substantive procedures may be affected by practical considerations, such as
when reports are available, or the date that stocktakes take place. The auditor may also want to
perform procedures before the end of the financial period so as to spread the workload.
Period to which the audit evidence applies

Performing procedures on the period-end balances provides the most direct evidence of
amounts in the statement of financial position. Sometimes audit procedures are conducted on
balances at a date earlier than the period end for reasons of efficiency. In such cases, additional
procedures need to be performed on the period between that date and the period end (ISA 330
para. 22).
When audit risk has been assessed as high, it is better to perform substantive procedures on the
period-end balances (ISA 330 para. A11).
Required reading
ISA 330 paras 22–23, A6, A11–A14 and A54–A58.
Extent of substantive procedures

The extent of a substantive procedure relates to the number of times that a particular procedure
is to be performed – for example, the sample size (ISA 330 para. A7). The extent of a procedure
generally increases as the risk of material misstatement increases (ISA 330 para. A15).
The options available to auditors when deciding how many items to test were discussed in the
section on audit sampling above.
Combining substantive procedures

The objective of audit procedures includes obtaining sufficient audit evidence, which is directly
related to the extent of the audit procedure. However, sufficient evidence can also be obtained
by performing multiple procedures that address the same risk. In fact, if the auditor uses
different procedures to obtain different evidence regarding the same risk, the corroborating
evidence can provide useful assurance.
Example – Multiple procedures that address the same risk

The audit senior, Lee, notes from the board minutes, that Purple is involved in a legal claim with
an estimated liability of $100,000. Management provides Lee with the calculation of the basis
for the estimate, including their assumptions.
Lee reviews the reasonableness of management’s assumptions, and checks the calculations. He
also reviews correspondence from Yellow’s solicitors that confirms the estimate is reasonable.

CC
Required reading
ISA 330 paras A7 and A15.
ISA 500 para. A8.
External confirmations
ISA 330 para. 19 requires the auditor to ‘consider whether external confirmation procedures
are to be performed as substantive audit procedures’. The requirements for how to perform
external confirmations are contained in ISA 505, which is discussed later in the unit on
responding to assessed risk – using the work of others, external confirmations and written
representations. However, for the purposes of this unit, it is important to understand when
external confirmations can be used by the auditor in designing substantive procedures.
Since they come from external parties, external confirmations can provide highly reliable
evidence. The nature of external confirmations means that the evidence is particularly relevant
for testing the existence and occurrence assertions. Confirmations are commonly used to
confirm (ISA 330 para. A48):
•• Bank balances.
•• Trade receivables.
•• Borrowings.
•• Property ownership.
•• Inventories held by third parties.
•• Investments.
Required reading
ISA 505 paras 1–6, 12–14 and A18–A22.
Specified procedures for selected items

Some areas of an audit are considered sufficiently unique that the auditor is required to perform
specific procedures on these items. The specific procedures are contained in separate Standards,
which must be applied in addition to the other Standards that apply to substantive testing.
Some of these areas and the specific requirements are considered here:
•• Inventory.
•• Litigation and claims.
•• Segment reporting.

CC
There are a number of differences between the international, Australian and New Zealand
Standards that cover these areas, listed in the following table:
International, Australian and New Zealand Standards that apply to specified substantive procedures
on selected items
International and New Zealand Standards
International Standards on Auditing (ISAs) and International Standards on Auditing (New Zealand) (ISAs (NZ))
cover all specific considerations for inventory, segment reporting, and litigation and claims, in a single
respective Standard, ISA 501 Audit Evidence – Specific Considerations for Selected Items
Australian Standards
However, in Australia, litigation and claims is covered by a separate Standard. The relevant Standards are:
•• ASA 501 Audit Evidence – Specific Considerations for Inventory and Segment Information (ASA 501).
•• ASA 502 Audit Evidence – Specific Considerations for Litigation and Claims (ASA 502).
ASA 502 contains some additional Australian-specific requirements and guidance, including a requirement to
make enquiries of management regarding litigation and claims that arise after the initial external enquiry
Here we will briefly discuss the requirements relating to inventories and litigation and claims.
Inventory
The main requirement in ISA 501 is that, if inventory is material to the financial statements, the
auditor must attend a physical inventory count. ISA 501 para. 4(a) requires this attendance, at a
minimum, to include:
•• Evaluating management’s stocktake instructions.
•• Observing inventory counts.
•• Inspecting inventory.
•• Performing test counts.
The final inventory records must then be tested to ensure they reflect the counts
(ISA 501 para. 4(b)).
ISA 501 also contains requirements that apply when the auditor does not attend the physical
inventory count. If this non-attendance is due to unforeseen circumstances, the auditor
must organise an alternative time to observe or make counts (ISA 501 para. 6). In the rare
circumstances where it is not practical for the auditor to attend a count at any time, alternative
procedures are required (ISA 501 para. 7).
Litigation and claims

There is a mandatory requirement to perform the following procedures to identify whether an
entity is involved in litigation and claims (ISA 501 para. 9):
•• Enquiries of management, including in-house legal counsel.
•• Reviewing minutes of meetings of those charged with governance.
•• Reviewing correspondence between the entity and external legal counsel.
•• Reviewing legal expense accounts.
External legal communication

If a risk of material misstatement is assessed at the planning stage, or if information arises
during the audit to indicate the entity’s involvement in litigation or claims, the auditor must
communicate with the entity’s external legal advisors. This is done through an enquiry letter,
sent by management, but with responses directed to the auditor (ISA 501 para. 10). In many
audits, these types of letters are sent as a matter of course.

CC
Required reading

Performing and evaluating substantive procedures

Having designed substantive procedures, the auditor now performs the procedures. In practice,
substantive procedures can be performed at different stages of the audit. For example:
•• At the planning stage, when the auditor may inspect significant contracts that impact on the
•• During an interim audit, which is often performed before the period end. This can
be particularly efficient when testing classes of transactions that have been recorded to that
point in time.
•• At the final audit stage, which generally occurs sometime after the end of the financial
period. This allows management time to ‘close the books’.
It is important to remember that evidence obtained from substantive procedures at any stage of
an audit may require the auditor to revise the initial risk assessment or materiality.
Evaluating the results of audit procedures requires the auditor to determine whether sufficient
appropriate audit evidence has been obtained. This is discussed in the unit on responding to
assessed risks – evaluating audit evidence.
Activity 10.3: Evaluating the impact of the results of tests of controls on substantive
procedures
Worked example 10.3: Using computer-assisted audit techniques (CAATs) to perform tests
of details

10.1: Substantive procedures – SAPs and Tests of detail
10.2: Substantive testing approach for common account balances and related transactions
(including consideration of key assertions)
Quiz

Readings

Standards.
Required reading
ISA 330 The Auditor’s Responses ASA 330 The Auditor’s Responses ISA (NZ) 330 The Auditor’s Responses
to Assessed Risks to Assessed Risks to Assessed Risks
•• Paragraphs 1–7, 18–24, A1–A19 •• Paragraphs 1–7, 18–24, A1–A19 •• Paragraphs 1–7, 18–24, A1–A19
and A42–A59 and A42–A59 and A42–A59
ISA 501 Audit Evidence – Specific ASA 501 Audit Evidence – Specific ISA (NZ) 501 Audit Evidence –
Considerations for Selected Items Considerations for Inventory and Specific Considerations for Selected
Segment Information Items
ASA 502 Audit Evidence – Specific

Considerations for Litigation and
Claims
ISA 505 External Confirmations ASA 505 External Confirmations ISA (NZ) 505 External Confirmations
•• Paragraphs 1–6, 12–14 and •• Paragraphs 1–6, 12–14 and •• Paragraphs 1–6, 12–14 and
A18–A22 A18–A22 A18–A22
ISA 520 Analytical Procedures ASA 520 Analytical Procedures ISA (NZ) 520 Analytical Procedures
•• Paragraphs 1–5, 7, A1–A10, •• Paragraphs 1–5, 7, A1–A10, •• Paragraphs 1–5, 7, A1–A10,
A12–A16 and A20–A21 A12–A16 and A20–A21 A12–A16 and A20–A21
ISA 530 Audit Sampling ASA 530 Audit Sampling ISA (NZ) 530 Audit Sampling
•• Paragraphs 1–15, A1–A19, •• Paragraphs 1–15, A1–A19, •• Paragraphs 1–15, A1–A19,
A21–A23 and Appendices 1, 3–4 A21–A23 and Appendices 1, 3–4 A21–A23 and Appendices 1, 3–4
ISA 450 Evaluation of Misstatements ASA 450 Evaluation of Misstatements ISA (NZ) 450 Evaluation of
Identified During the Audit Identified during the Audit Misstatements Identified During the
Audit

Further reading

References
for small and medium sized entities, 5th edn, Thomson Reuters (Professional) Australia Limited
(Australian audit manual and toolkit 2015).

ACT
Activity 10.1
Designing substantive analytical procedures
Introduction
Substantive analytical procedures (SAPs) are types of substantive procedure that use plausible
relationships between financial and non-financial data to obtain audit evidence. Chartered
Accountants performing audits should be able to design SAPs that are appropriate to the
assessed risks of material misstatement and understand how they are used as part of an audit
strategy.
This activity links to the following learning outcome:
•• Design, perform and evaluate the results of substantive testing.
At the end of this activity, you will be able to respond to assessed risks of material
misstatement, in accordance with:
Scenario
Levart Pty Ltd (Levart) is an Australian travel agency that specialises in package holidays
abroad for families and couples. Accurate Auditors Australia (AAA) has been the external
auditor of Levart for a number of years and was appointed auditor for the 30 June 20X5 year
end. Christopher Briggs (Chris) is the audit senior in charge of the upcoming Levart audit and
Daniel Footer (Dan) is the audit manager.
With the diminishing value of the Australian dollar, lavish and expensive holidays abroad are
becoming less popular for Australians, with domestic travel becoming the norm. In recent years,
Levart has had relatively static operating costs, with payroll costs continuing to be the largest
expense item in the profit and loss.
In prior audit engagements, AAA performed SAPs over Levart’s payroll costs. With minimal
employee turnover, static salaries and wage increments for the Consumer Price Index only,
setting a reliable expectation was straightforward for Chris and Dan. Also, there has been no
history of material misstatements as a result of this procedure. Tests of controls have also been
performed across the payroll process with no exceptions or issues arising.
Reflective of the continuing downturn in the Australian dollar and the subsequent decrease in
demand for holidays abroad, the 20X5 financial year has been challenging for Levart and has
resulted in significant changes in its headcount and overall payroll expense.
During the 20X5 audit, Chris held a meeting with Levart’s payroll manager to gain an
understanding of the headcount and payroll expense changes, and took the following notes:
1. Levart continues to operate seven outlets – its headquarters in Sydney and six outlets
nationwide.
2. Levart employs no part-time workers.

ACT
3. No bonus payments were paid during the year.
4. A number of employees were made redundant from 1 January 20X5 across Levart’s outlets.
5. Consumer Price Index increases of 3% were incorporated in all salaries at Levart at the
beginning of the 20X5 financial year.
6. Salaries are paid monthly to all Levart employees.
7. Redundancy costs are disclosed separately on the face of the profit and loss and do not form
part of the payroll expense.
Following on from this meeting, Chris obtained the following information from the payroll clerk:
No. of employees on payroll records Average salary

at 30 June 20X4
1 July 20X4 30 June 20X5 ($)
Sydney HQ 14 11 120,000
Sydney West 7 6 80,000
Melbourne 10 8 75,000
Adelaide 8 7 72,500
Perth 9 7 78,500
Canberra 6 6 76,000
Brisbane 8 6 78,500
Total 62 51
In determining the size of the variance that is acceptable, Chris took into consideration
materiality, the level of planned assurance (ISA 520 para. A16) and how precise the SAP was.
Taking this into account, and due to a history of no misstatements and effective controls across
the payroll process, Chris proposed an acceptable variance at performance materiality of
$325,000. This variance was approved by the audit partner.
In the draft financial statements and trial balance for Levart, total payroll costs for 20X5 was
$4,843,093.
Task
Dan has asked Chris to design and perform SAPs for the audit of payroll costs, and to document
his workings and conclusions.

ACT
Activity 10.2
Designing tests of details
Introduction
A key feature of an audit is the design of substantive procedures that are responsive to the risks
of material misstatements. Many audit firms use audit software or audit program templates
that include common audit procedures. Chartered Accountants performing audits must use
their professional judgement when selecting and customising procedures to design substantive
procedures suitable for the assessed risks and assertions to obtain sufficient appropriate audit
evidence.
At the end of this activity, you will be able to design tests of details that are appropriate to the
assessed risks of material misstatement in accordance with:
Scenario
You are an audit senior working for Redtik Chartered Accountants (Redtik). Redtik is the
auditor of Darper Electronics (DE), a listed company that operates and owns 160 electronics
stores across Australia and New Zealand. Each store is designed and operated to a standardised
format, with some minor variations.
You are assigned to the team performing the audit of DE for the year ending 30 June 20X3.
The audit team has determined the following in respect of store refurbishments.
Store refurbishments
Stores undergo periodic refurbishments under a program approved annually by the board
of directors. It can be difficult to distinguish between capital improvements and maintenance
expenditure, and, in previous audits, Redtik has found instances where maintenance expenses
have been incorrectly capitalised against an existing asset.
Redtik has also noted instances where existing plant and equipment has not been appropriately
written off when new refurbishments occurred that replaced those existing items.
Based on the matters above, Redtik has identified the following risks of material misstatement:
Table of assessed risks
Account balance and key Risk of material misstatement

assertions
Plant and equipment – Valuation There is a risk that store maintenance costs are incorrectly capitalised
and allocation against an existing asset
Plant and equipment – Existence There is a risk that plant and equipment is not appropriately written off
when replaced by refurbishments

ACT
Redtik has obtained from DE schedules of plant and equipment incorporating additions,
disposals, accumulated depreciation and amortisation.
Redtick uses audit software that includes the below procedures for property, plant and
equipment (PPE):
Substantive proceedures for PPE
EDIT SAVE CANCEL

Obtain schedules of property, plant and equipment incorporating additions, disposals, and
refinancing for the period, accumulated depreciation, and amortisation where applicable.
Review the asset register and register of charges.
Vouch sample of material additions and disposals to appropriate source documentation.
Inspect material items of property, plant and equipment and other non-current assets.
Review repairs accounts to determine whether any item should be reclassified as property,
plant and equipment.
Test calculations of additions/disposals and depreciation/amortisation. Trace depreciation/

amortisation to profit and loss statement and the tax working papers.
Check movements and depreciation to the minute book or other appropriate sources,
confirming transactions are authorised and reasonable.
Determine whether the depreciation rates used are appropriate and consistent with prior
periods.
Enquire whether any items have been scrapped or destroyed and confirm appropriate records
have been kept.
Determine whether all assets are adequately insured.
Search land titles and record any mortgage details.
Confirm that the carrying values of assets are, in respect of corporate entities, in accordance
with the applicable Accounting Standards. Review the bases of valuation and discuss current
realisation expectations with the client. Consider the effects of IFRS on carrying values,
particularly IAS 16 Property, Plant and Equipment and IAS 36 Impairment of Assets.
Assess the impact of any impairment indicators that may indicate impairment.
Cross reference additions, disposals and revaluations to the tax working papers where
relevant.
Sight the registration certificates of motor vehicles.
Confirm that property, plant and equipment are grouped appropriately in the financial
statements, and that additions, disposals and other movements during the period are
disclosed in accordance with the requirements of applicable Accounting Standards.
Review ledger accounts, note unusual items, and agree to property, plant and equipment
schedules.
Review the accounting for deferred expenses for compliance with IFRS.
Task
For this activity, you are required to design tests of details to address the specific risks identified
in the table of assessed risks.

ACT
Activity 10.3
Evaluating the impact of the results of tests
of controls on substantive procedures
Introduction
The auditor’s assessment of the risks of material misstatement affects the nature, timing and
extent of substantive procedures. Where the auditor’s assessment of risk includes an expectation
that controls are operating effectively, the results of tests of controls will affect substantive
procedures.
At the end of this activity, you will be able to evaluate the impact of the results of tests
of controls on substantive procedures, in accordance with:
•• ISA 530 Auditing Sampling (ISA 530).
Scenario
AquaFun is a listed company that operates three theme parks on the Australian east coast.
White & Barrie Chartered Accountants (WB) has been AquaFun’s auditor for the past three
years. You are an audit senior at WB assigned to the audit of AquaFun for the year ending
30 June 20X3. WB’s audit manager assigned to the AquaFun audit is James Green.
WB has obtained the following information from the audit planning, including reviews of audit
working papers for previous financial years.
Theme parks are a highly seasonal business, with the busiest months being December to March.
During these busy times, AquaFun employs casual staff to assist at all three theme parks.
All parks close during August as this is the quietest period of the year. In total, there are 107
full‑time staff (paid fortnightly), 38 part-time staff (paid fortnightly) and 42 casual employees
(paid on the Friday of their allocated working week) across the three theme parks.
Full-time staff are paid an annual salary and are not entitled to overtime, but are entitled to
four weeks’ annual leave with 17% leave loading paid when they take that leave. AquaFun’s
policy is that all full-time staff must take their four weeks’ leave during the August shutdown
period. Leave outside August can only be taken with the written approval of the CEO. During
the shutdown period, it is company policy to employ only part-time employees to perform
the various necessary tasks to ensure that the park can reopen in time for the start of school
holidays in September.
Part-time staff are paid on an hourly basis, and are entitled to overtime and accumulated annual
leave (without leave loading) on a pro rata basis. All part-time staff rates are set out in their
individual employment agreements with AquaFun.

ACT
Casual staff are paid on an hourly basis and receive no leave entitlements. Rates are as per the
relevant statutory award rate. Casual staff positions are mostly filled by school and university
students.
As part of the audit planning process, WB evaluated the design of control activities around
payroll and assessed that they were capable of effectively preventing, detecting and correcting
material misstatements (i.e. controls exist and AquaFun was using these controls).
These control activities include controls over the following risks:
1. Part-time staff are paid at incorrect rates (accuracy assertion).
2. Casual staff are incorrectly paid during the August shutdown period (occurrence assertion).
3. Full-time staff are incorrectly paid holiday leave loading outside the August shutdown
period (occurrence assertion).
As a result of this evaluation, WB intended to rely on the operating effectiveness of controls
around payroll by performing relevant tests of controls, supported by substantive analytical
procedures (SAPs) and tests of details.
WB established a tolerable deviation rate for testing controls over each risk and noted the
following exceptions from the tests of controls:
Controls Sample Tolerable Exceptions

over risk size deviation rate
%
1. 40 5 One instance of part-time staff paid an incorrect hourly rate
2. 85 5 Seven instances of payment for casual staff reflected in August

payroll transactions
3. 50 5 Eight instances of full-time staff paid holiday leave loading in

January and February
Task
For this activity, you are required to respond to James’s request to evaluate how the results of
the tests of controls will impact on the nature, timing and extent of substantive procedures.
He also asks you to design a test of details to obtain reasonable assurance in respect of each
assessed risk of material misstatement listed above. He suggests you present your findings in
the following table, and tells you to assume that the sample sizes for the tests of controls will
not be increased.
Risk Impact on substantive procedures Test of details
Nature Timing Extent
1.

CC
Core content
Unit 11: Responding to assessed risks
– evaluating audit evidence
Learning outcomes
1. Apply the auditor’s requirements if there is inconsistency in, or doubts over, the reliability
of audit evidence.
2. Determine whether sufficient appropriate audit evidence has been obtained on which to
base conclusions and auditor’s reports.
3. Evaluate the effect of identified misstatements on the audit, and of uncorrected
misstatements on the financial statements.
Introduction
Up to this point in the Audit & Assurance (AAA) module, units have examined the audit process,
from the pre-engagement stage through to designing further audit procedures that respond to
risks the auditor has identified and assessed. This unit discusses how the auditor evaluates the
audit evidence obtained from audit procedures.
The following diagram is an illustrative summary of the audit process stages covered so far in
the module:
Pre-engagement activities
Understanding the entity
Identifying the risks
Assessing the risks
Responding to the risks Evaluating audit evidence

aaa11611_csg

CC
Many reviews by audit regulators have highlighted the need for auditors to maintain a
heightened level of professional scepticism, particularly in areas that involve significant
estimation or judgement by management. Professional scepticism, together with evaluating
audit evidence and responding to misstatements, will be discussed in this unit.
The following International Standards on Auditing (ISAs) are covered in this unit:
•• ISA 230 Audit Documentation (ISA 230).
•• ISA 450 Evaluation of Misstatements Identified during the Audit (ISA 450).

CC
Evaluating audit evidence
Learning outcomes
1. Apply the auditor’s requirements if there is inconsistency in, or doubts over, the reliability of
audit evidence.
2. Determine whether sufficient appropriate audit evidence has been obtained on which to base
conclusions and auditor’s reports.
Having responded to assessed risks by performing further audit procedures, the auditor needs
to evaluate the results of audit procedures. The audit evidence comprises the results of audit
procedures. Under ISA 200 para. 17, the auditor is required to obtain reasonable assurance,
by obtaining ‘sufficient appropriate audit evidence to reduce audit risk to an acceptably low
level’. This enables the auditor to ‘draw reasonable conclusions on which to base the auditor’s
opinion’.
The requirement to evaluate audit evidence is contained in ISA 330 and what constitutes
sufficient, appropriate audit evidence is explained in ISA 500. It is important to apply the
following key auditing concepts when evaluating audit evidence:
•• Professional scepticism, which must be applied to critically evaluate the audit evidence.
•• Professional judgement, which must be exercised to recognise that only reasonable, not
absolute, assurance is provided, and that audit evidence is often persuasive rather than
conclusive.
The importance of professional scepticism and professional judgement have been discussed
throughout the audit and assurance module.

The following diagram illustrates what, sufficient appropriate, audit evidence means and the
source of these terms’ definitions in ISA 500:
Sufficiency Appropriateness
Quantity of audit Relevance of audit Reliability of audit

evidence evidence evidence
(ISA 500 para. 5(e)) (ISA 500 para. 5(b)) (ISA 500 para. 5(b))
Connection between Influenced by source

the audit procedure of evidence and its
and the assertion nature
being considered (ISA 500 para. A31)
(ISA 500 para. A27)
Sufficiency, relevance and reliability of audit evidence is further explained in the table below.
Relevance and reliability are considered together, because appropriate evidence must be both
relevant and reliable. For example, discussions with management may provide evidence that is
highly relevant to the matter being examined, but oral evidence is not particularly reliable.
On the other hand, obtaining highly reliable evidence, such as confirmation of the existence of
investments from external parties, will not provide evidence that is relevant to examining the
valuations of those investments.

CC
Characteristic Explanation Reference

of audit
evidence
Sufficiency Sufficiency relates to the quantity of audit evidence ISA 500
para. 5(e)
It is affected by the assessed risk of material misstatement and the quality
of audit evidence
Relevance Relevance deals with the logical connection between the audit procedure and ISA 500
the assertion under consideration para. A27
This means that the auditor needs to evaluate whether the evidence meets the
objective of the audit procedure in each case
Reliability The reliability of information is influenced by its source, nature and the ISA 500
circumstances under which it is obtained para. A31
Example – relevance and reliability of audit evidence

Evidence of the recorded accounts receivable balances in the form of written confirmations
from customers is:
•• Relevant to the objective of testing the existence assertion for accounts receivable.
•• Not relevant to the objective of testing whether the accounts receivable balances are
recoverable (valuation and allocation assertion).
Consider the general statements below about the reliability of audit evidence:
General statements about the reliability of audit evidence (ISA 500 para. A31)
Generalisation Example
Reliability is increased when evidence is Confirmation of bank balances obtained directly from the bank
obtained from independent external sources
Reliability is increased when controls over the Effective controls relating to the preparation of aged accounts
preparation of evidence are effective receivable reports, which the auditor then uses when
examining the recoverability of accounts receivable balances
Evidence obtained directly by the auditor Physical inspection of an item of plant and equipment is more
is more reliable than evidence obtained reliable than an enquiry regarding the item’s condition or
indirectly or by inference existence
Documentary evidence is more reliable than Approved and signed minutes of a meeting are more reliable
oral evidence than an oral representation of the matters discussed at that
meeting
Original documents are more reliable than Written confirmations of accounts receivable balances from
photocopies or facsimiles customers that are received by facsimile present a risk that the
confirmation has been altered or not sent by the correct party
Note: Care needs to be taken in making generalisations about the reliability of different types of audit evidence because
specific circumstances can greatly affect reliability.

CC
Audit procedures and reliability

Consider the relationship between the common types of audit procedures that are used to
obtain audit evidence (ISA 500 paras A10–A25) and the reliability of that evidence:
•• Inspection – inspecting documents, records or assets. Reliability of documents and
records depends on the source and nature of the evidence. For example, a direct written
confirmation of a bank balance from the bank is more reliable than a bank reconciliation
prepared by an accounts clerk.
•• Observation – for example, observing the operation of a control or observing the inventory
stocktake. The reliability of this evidence is increased as the auditor obtains the evidence
directly.
•• External confirmation – obtaining written confirmations from external parties has a
high level of reliability, assuming those parties have been assessed as reliable. Auditors
commonly obtain external confirmations from banks, legal counsel, customers and lenders.
•• Recalculation – checking the calculations in documents and records. As the auditor is
recalculating, the reliability is increased.
•• Reperformance – executing procedures or controls originally performed as part of the
internal control of the entity being audited increases the reliability of the evidence.
•• Analytical procedures – evaluating financial information by analysing plausible
relationships among financial and non-financial data. The reliability of the evidence
is impacted by the effectiveness of the controls over the preparation of the underlying
information.
•• Enquiry – making enquiries of management and external parties, which can provide
corroborating evidence or evidence of matters that the auditor was not previously aware of.
While obtained directly by the auditor, enquiry is not as reliable as documentary evidence.
The auditor cannot rely on enquiry alone to provide sufficient, appropriate audit evidence.
Information produced by the entity used for audit purposes

In order for the auditor to obtain reliable audit evidence, information produced by the entity
needs to be sufficiently complete and accurate – for example, reports generated by the entity’s
systems, such as sales exception reports and aged receivables reports. If underlying data
collated in the report is inaccurate, the report will not be accurate and therefore evidence
obtained by the auditor cannot be relied on.
The auditor relies on the information produced by the entity when testing controls, or they
may use it as a basis for substantive testing. Evidence about the accuracy and completeness
of information produced by the entity can be obtained when performing the actual audit
procedure, or it can be obtained by testing controls over the preparation and maintenance of the
information.
Example
This example illustrates how an auditor may test the completeness and accuracy of a system-
generated aged receivables report
An auditor has identified management’s review of aged receivables report as one of the
controls they intend to rely on. To test the completeness of data included in the aged
receivables report, the auditor agrees the total of the amounts in the report to the trial balance.
To test the accuracy of the report, the auditor recalculates the totals in each of the categories to
ensure the amounts in the report add up correctly.

CC
Relationship between risk and audit evidence

As the risk of material misstatement increases, the auditor needs to obtain more, and better
quality, audit evidence:
Risk of
material
misstatement
Quantity and quality of audit evidence
Again, professional judgement is needed to determine the required balance between quality
and quantity. By increasing the quality of evidence, the auditor will often be able to reduce
the quantity. However, if the quality is poor, increasing the quantity will not necessarily
compensate for this (ISA 500 para. A4).
Required reading
ISA 500 paras 5–7, A1–A33 and A49–51.
Process of evaluating audit evidence

The requirements for evaluating the sufficiency and appropriateness of audit evidence are
contained in ISA 330 paras 25–27.
Risk assessment – a continuous process

Previous units have discussed how risk assessment is a process that continues throughout the
audit. When evaluating the results of audit procedures and audit evidence obtained, the auditor
must also consider whether the findings change the initial risk assessment at the assertion level
(ISA 330 para. 25).
Examples – Audit evidence changing the initial risk assessment

These examples illustrate how audit evidence can change the initial risk assessment for an
audit.
Example 1 – Substantive analytical procedure (SAP) identifies increased risk
The auditor performs a substantive analytical procedure (SAP) regarding revenue. The SAP
analyses revenue by month and compares this to both the previous financial year’s revenue
by month and budgeted revenue by month. The results of the SAP indicate a significant and
unexpected increase in revenue in the last month of the financial year being audited, which
management cannot adequately explain.
Therefore, the auditor increases the inherent risk that revenue has been recorded in the wrong
financial year (i.e. cut-off assertion). As a consequence, the level of tests of details (TODs) for
revenue cut-off is increased.
Example 2 – Tests of controls increase control risk
The auditor plans to perform tests of controls (TOCs) and SAPs in respect of payroll. The results
of the tests of controls indicate that deviations exceed the tolerable deviation rate set by the
auditor. The auditor subsequently concludes that controls are not operating effectively, and
therefore increases the assessment of control risk, and plans TODs. SAPs will no longer be
performed.

CC
Conclude whether sufficient appropriate audit evidence has been obtained

The auditor considers all relevant audit evidence in concluding whether sufficient appropriate
audit evidence has been obtained (ISA 330 para. 26). Audit evidence obtained from different
sources that is consistent increases the overall reliability of the evidence.
If the auditor concludes that sufficient appropriate audit evidence has not been obtained, then
actions must be taken to obtain further audit evidence. Where this is not possible, the auditor
will issue either a qualified opinion or a disclaimer of opinion (ISA 330 para. 27). Audit opinions
are discussed in the unit on forming an opinion and issuing an auditor’s report.
The following diagram illustrates what the auditor considers when evaluating the sufficiency
and appropriateness of audit evidence, in accordance with ISA 330 paras 25–27:
Reassess risk at the Design response to

assertion level assessed risks
Perform further
NO audit procedures
Do risk assessments Has sufficient appropriate audit

remain appropriate? evidence been obtained?
YES NO
YES
Continue through
audit process Attempt to obtain further
audit evidence
If unable to obtain further audit

evidence, express a qualified
opinion or disclaim an opinion
Form the audit opinion
Required reading

CC
Documenting the response to risk

Documentation was discussed in the unit on Auditing Standards and quality control. That unit
identified the benchmark requirement in ISA 230 para. 8 to ‘prepare documentation that is
sufficient to enable an experienced auditor, having no previous connection with the audit, to
understand’:
•• The nature, timing and extent of audit procedures.
•• The results of audit procedures.
•• Significant matters arising from audit procedures.
ISA 330 expands on the ISA 230 requirements as they relate to documentation specific to the
auditor’s responses to assessed risks. This documentation must include (ISA 330 para. 28):
(a) The overall responses to address the assessed risks of material misstatement at the financial
statement level, and the nature, timing and extent of the further audit procedures performed;
(b) The linkage of those procedures with the assessed risks at the assertion level; and
(c) The results of the audit procedures, including the conclusions where these are not otherwise clear.
The auditor is also required to document that the financial statements reconcile to the
underlying records (ISA 330 para. 30).
To ensure that these requirements are met, auditors will often include standard items in their
working papers, such as:
•• Headings – for example, client, financial period and working paper subject.
•• Objectives and results of audit procedures, including references to assertions.
•• Conclusions for each audit procedure.
•• Names and initials of preparers and reviewers.
•• Dates of completion and reviews.
•• Working paper references.
•• Cross-references to other working papers.
In order to ‘enable an experienced auditor, having no previous connection with the audit, to
understand’ the matters above (ISA 230 para. 8), it is important that the documentation includes
sufficient details of the audit procedures performed. Typically, audit working papers include
details of the individual items tested, and the audit evidence obtained.
Required reading
Professional scepticism, introduced earlier in the AAA module in the unit on assurance purpose
and framework, is applicable to all phases of an audit. It is particularly important when
evaluating audit evidence.
ISA 200 para. 13(l) defines professional scepticism as:
… an attitude that includes a questioning mind, being alert to conditions which may indicate possible
misstatement due to error or fraud, and a critical assessment of audit evidence.
Professional scepticism is essentially an attitude or mindset that the auditor applies in

exercising professional judgement. It is linked to the ethical principles of objectivity and
independence. The definition includes ‘a critical assessment of audit evidence’, which means
that an auditor must specifically exercise professional judgement in determining whether
sufficient appropriate audit evidence has been obtained.

CC
Applying professional scepticism

The application of professional scepticism is important, because the ISAs are principles-based
and therefore require an auditor to exercise professional judgement in applying them in an
audit.
ISA 200 para. 15 requires the auditor to:
… plan and perform an audit with professional skepticism recognizing that circumstances may exist
that cause the financial statements to be materially misstated.
Practising professional scepticism

The auditor should be alert to matters that might indicate the existence of material
misstatements. This includes considering all available evidence, and not only the evidence that
supports management’s assertions. For example, the auditor should:
•• Be alert to audit evidence that might contradict other audit evidence obtained, and, where
there is contradictory evidence, perform further procedures (ISA 200 para. A18).
•• Be prepared to question whether documents are genuine. This does not mean questioning
documents in every instance, but it does mean considering the reliability of those
documents that the auditor has cause to believe may not be genuine, and investigating
further in such instances (ISA 200 para. A21).
•• Critically assess the audit evidence. This includes not always accepting the most readily
available audit evidence.
•• Challenge management’s assumptions and judgements.
•• Remain alert to conditions that could indicate risk of fraud.
Applying professional scepticism requires the auditor to take an objective view when
evaluating audit evidence, and not assume that the evidence will support, or contradict,
management’s assertions.
Example – Professional scepticism in practice

A member of the sales staff tells the auditor that they think a side agreement may have been
made with a customer which varies the terms of trade established in the main contract. Based
on this conversation, the auditor is concerned that such a contract could impact on reported
revenue. When the auditor asks the entity’s financial controller about the side agreement, the
financial controller says they are not aware of any such agreement.
The auditor decides to ask management for permission to write to the customer to enquire
about the existence of side contracts between the customer and the entity.

CC
Documenting professional scepticism

Although professional scepticism relates to the auditor’s mindset, this does not mean it cannot
be documented. The auditor should document how professional scepticism has been applied,
as part of the documentation of the item being examined. For example, documentation should
include:
•• Discussions of significant matters – with management, those charged with governance,
third parties, and within the audit team.
•• All sources of evidence, including evidence that contradicts the auditor’s conclusions and
how the inconsistency was addressed.
•• The rationale for the auditor’s conclusions, based on the evidence available.
•• Alternatives considered by the auditor and the reasons for these not being adopted.
Areas of focus for professional scepticism

As discussed earlier, professional scepticism is applicable to all phases of an audit. It is
particularly important when addressing areas of an audit that are complex or involve a high
level of management judgement. These areas often contain a large number of variables or
alternatives, requiring the auditor to exercise a considerable amount of professional judgement.
These areas are frequently the focus of corporate regulators, and include the following:
•• Fair value assessments and impairment testing are particular risk areas in the current
economic environment, with increased uncertainty regarding asset values. Models of future
cash flows contain many assumptions, such as discount rates, growth rates and forecast
cash flows. The auditor needs to critically assess and test these assumptions.
•• Going concern requires an auditor to exercise a considerable amount of professional
judgement when evaluating management’s future plans. The auditor needs to obtain
sufficient appropriate audit evidence to demonstrate that going concern has been
adequately considered.
•• Related parties are an important disclosure in the financial statements, and there is an
elevated risk that an entity will use transactions with related parties to manipulate its
financial results. The auditor needs to be alert to undisclosed related party transactions,
and should question the business rationale of related party transactions that are outside the
normal course of business.
•• Accounting estimates, by their nature, are subjective. The auditor needs to challenge
management’s assumptions and judgements to identify possible management bias.
Required reading
ISA 200 paras 13(l), 15, 17, A18–A22 and A28–A52.


CC
Inconsistency in, or doubts over, the reliability of audit evidence

As discussed above, the auditor evaluates the reliability of audit evidence, being one of the
elements of appropriateness. ISA 500 contains specific requirements where:
•• Audit evidence from one source is inconsistent with the audit evidence from another.
•• The auditor has doubts about the reliability of information that is to be used as audit
evidence.
Responding to inconsistencies in audit evidence

In circumstances where the audit evidence is inconsistent or there are doubts over its reliability,
in accordance with ISA 500 para. 11, the auditor is required to:
1. Resolve the matter by modifying the audit procedures or by performing additional
procedures.
2. Consider whether there is any impact on other aspects of the audit.
As regards requirement (1), the auditor should follow up the initial audit procedures with
modified or additional procedures to determine the reasons for the inconsistency and which
evidence is correct.
Example – Inconsistency in audit evidence: performing additional procedures

The auditor of Blue compares the recorded accounts payable balances to suppliers’ statements
in order to test the valuation and allocation assertion. The recorded balance for the supplier
Red is $250,000; however, the statement from Red shows a balance of $350,000.
The auditor identifies two invoices on Red’s statement that are not recorded in Blue’s accounts
payable ledger. On further examination of the ledger, the auditor notes that these invoices
were marked as paid by a single cheque for $100,000 on the last day of the financial year. The
auditor inspects the bank statements and discovers that the cheque was cleared five working
days after year end. The cheque was also included on the list of outstanding cheques on Blue’s
bank reconciliation at year end. The auditor obtains Red’s statement for the subsequent month,
and notes that the two invoices have been marked as paid.
The auditor concludes that the recorded balance of $250,000 for Red is correct.
As regards requirement (2), the auditor needs to consider whether concerns about the reliability
of audit evidence will affect other areas of the audit. As the reliability of evidence is linked to
its source, concerns about its reliability will lead the auditor to consider whether other evidence
from the same source needs to be re-evaluated.
Example – Consider the impact of unreliable audit evidence

The auditor of Brown asks Brown’s financial controller whether there have been any potentially
significant events that have occurred after the balance date. The financial controller responds
that there have been none. However, the minutes of a meeting at which the financial controller
was present state that a major customer went into administration after year end while owing a
material amount to Brown.
As well as investigating the inconsistency between the financial controller’s response and the
minutes of the meeting (by obtaining further evidence relating to the customer’s ability to
pay the amount owing to Brown), the auditor will also consider whether the reliability of other
representations made by the financial controller need to be re-evaluated.

CC
Documenting inconsistencies in audit evidence

The auditor must document how an inconsistency between information received and the audit
conclusion on a significant matter was addressed (ISA 230 para. 11). This provides evidence of
the auditor’s exercise of professional scepticism and professional judgement.
Required reading
ISA 230 para. 11.
Worked example 11.1: Determining if sufficient appropriate audit evidence has been
obtained
Activity 11.1: Professional scepticism

Activity 11.2: Determining whether sufficient appropriate audit evidence has been obtained

CC
Evaluating misstatements
Learning outcome
3. Evaluate the effect of identified misstatements on the audit, and of uncorrected
A key element of the overall objective of auditing financial statements is to ‘obtain reasonable
assurance about whether the financial statements as a whole are free from material
misstatement’ (ISA 200 para. 11(a)).
Therefore, an important part of evaluating the results of audit procedures and audit
evidence is the identification and evaluation of misstatements. Where the auditor discovers
misstatements and these are not subsequently corrected, the auditor will need to consider these
uncorrected misstatements when forming the audit opinion. Misstatements can also have other
implications for the audit as discussed later in this section. The relevant Standard for evaluating
misstatements is ISA 450.
Definition of ‘misstatement’
‘Misstatement’ is defined in ISA 450 para. 4 as:
… a difference between the amount, classification, presentation, or disclosure of a reported financial
statement item and the amount, classification, presentation, or disclosure that is required for the item to
be in accordance with the applicable financial reporting framework. Misstatements can arise from error
or fraud.
It is important to understand that misstatements do not just arise when an amount is recorded
inaccurately. Misstatements can also relate to:
•• Omitted amounts or disclosures.
•• Incorrect estimates, or estimates that are based on unreasonable assumptions.
•• Treatments that do not follow the accounting policy or Accounting Standard.
•• Judgements made by management on how amounts are presented in the financial
statements.
Examples – Misstatements
Example 1 – Amount recorded in the wrong period
The amount invoiced for a service performed at the start of the 20X4 financial year is recorded
as revenue close to the end of the 20X3 financial year.
Example 2 – Incorrect estimates
The depreciation of items of plant and equipment is based on excessive estimates of each
asset’s useful life.
Example 3 – Treatment that does not follow the Accounting Standard
Research costs are treated as an intangible asset instead of being recognised as an expense, in
contravention of International Accounting Standard IAS 38 Intangible Assets.
Required reading
ISA 200 para. 11(a).

CC
Audit objectives
Where the auditor identifies misstatements, they must consider the potential impact of these
on the audit. If management does not correct any identified misstatements, the auditor will
also need to evaluate the effect of the uncorrected misstatements on the financial statements
(ISA 450 para. 3).
The following diagram illustrates the decisions the auditor needs to make:
Identify misstatements
Impact on the Impact on the

conduct of audit financial statements
Do the audit strategy and Did management correct

audit plan need to be the misstatements?
revised?
NO YES
Evaluate whether Financial

uncorrected statements
misstatements adjusted by
are material management
Required reading
Accumulation of misstatements
Auditors track (i.e. document) all misstatements identified throughout the audit process, with
the exception of those that are ‘clearly trivial’ (ISA 450 para. 5). The auditor generally sets an
amount for what constitutes a ‘clearly trivial’ misstatement. Misstatements below this amount
are not recorded.
This record of accumulated misstatements in a single document facilitates both the auditor’s
communications with management and evaluation of the impact of the misstatements on the
The record of accumulated misstatements is known by a number of common names, including
‘summary of misstatements’, ‘potential audit journal entries’ and ‘potential audit adjustments’.
The following is an example:

Example of summary of misstatements working paper
Description of misstatement W/P Dr Cr Profit or Current Non-current Current Non-current Equity Corrected
ref. loss assets assets liabilities liabilities Yes/No
$ $ Dr/(Cr) $ Dr/(Cr) $ Dr/(Cr) $ Dr/(Cr) $ Dr/(Cr) $ Dr/(Cr) $ Dr/(Cr) $
1. Dr Administration expenses R20 125,000 125,000
Unit 11 – Core content

Cr Accounts payable/accruals 125,000 (125,000)
Suppliers’ invoices not recorded, found in search

for unrecorded liabilities
Chartered Accountants Program
2. Dr Amortisation expense G30 65,000 65,000

Cr Intangibles – accumulated amortisation 65,000 (65,000)
Amortisation of intangibles based on excessive

useful life
3. Dr Cost of sales H50 142,000 142,000

Cr Inventories 142,000 (142,000)
Projected misstatement for inventories

costing test
4. Dr Employee benefits provision L10 56,000 56,000

Cr Annual leave expense 56,000 (56,000)
Overstatement of annual leave provision due to

spreadsheet error
5. Dr Borrowings – non-current S30 250,000 250,000

Cr Borrowings – current 250,000 (250,000)
Misclassification of loan between current and

non-current liabilities
Total misstatements 638,000 638,000 276,000 (142,000) (65,000) (319,000) 250,000 –
Draft financial statements 1,225,000 3,535,000 4,550,000 (2,650,000) (1,750,000) (3,685,000)

CC
Page 11-15
Audit & Assurance
CC
It is important for the auditor to record all misstatements because, ultimately, all uncorrected
misstatements must be evaluated, both individually and in aggregate.
Types of misstatements
ISA 450 suggests that it may be useful to consider misstatements in the following categories,
for the purposes of both evaluating their impact and communicating them to management
(ISA 450 para. A3):
•• Factual misstatements – misstatements about which there is no doubt.
•• Judgemental misstatements – misstatements that arise from subjective decisions made by
management regarding accounting estimates that the auditor considers unreasonable, or the
selection or application of accounting policies that the auditor considers inappropriate.
•• Projected misstatements – the auditor’s best estimate of misstatements in given populations
based on the projection of misstatements from audit samples.
Required reading
Potential impact of misstatements on an audit

As indicated in the diagram under ‘Audit objectives’ above, the auditor’s first objective is
to evaluate the effect of misstatements on the conduct of the audit (ISA 450 para. 3(a)). In
accordance with ISA 450 para. 6, the auditor needs to consider whether the overall audit
strategy or audit plan will need to be revised where:
•• The nature or circumstances of a misstatement indicate that other misstatements may exist.
•• The aggregated misstatements are approaching the level of materiality determined by the
auditor.
Examples – Impact of misstatements on an audit

Example 1 – Breakdown in controls
The auditor planned to rely on controls over changes to employee pay rates. However, during
substantive testing, the auditor identifies a misstatement resulting from the use of incorrect
pay rates following the rate change. On further investigation, it is found that the controls the
auditor was planning to rely on broke down over a three-month period during the financial
year being audited, due to changes in the human resources department.
The auditor decides that the controls for the three-month period cannot be relied on, and that
additional substantive procedures should be performed for that period.
Example 2 – Estimate based on incorrect data
Greenmach has estimated its warranty provision using its historical record of sales and claims
for each product that it sells. Greenmach’s auditor performs a test of details (TOD) on the
warranty provision, which includes verifying historical sales and claims for a sample of products.
The auditor discovers a number of misstatements, which are due to Greenmach drawing the
data for the estimate from the wrong reports.
The auditor asks Greenmach’s management to check the sales and claims reports that were
used for each product’s warranty claims provision. The auditor also increases the sample of
products lines covered by the TOD.

CC
Evaluating the effect of misstatements on the audit is also required by the following Standards:
•• ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements
(ISA 240), requires the auditor to evaluate whether each misstatement is indicative of fraud
(ISA 240 para. 35).
Understanding the Entity and Its Environment (ISA 315 (Revised)), requires the
auditor to revise the initial risk assessment as additional audit evidence is obtained
(ISA 315 (Revised) para. 31). For example, frequent misstatements may cause the auditor
to revise the assessed level of risk.
Required reading
ISA 450 paras 3(a), 6–7 and A4–A6.
ISA 240 para. 35.
ISA 315 para. 31.
Communicating misstatements
Misstatements are communicated on two levels, and at two different points in an audit:
1. To management during the audit. Misstatements that are identified by the auditor should
be communicated to the appropriate level of management on a timely basis during the
audit, unless prohibited by law or regulation (ISA 450 para. 8). Timely communication
of misstatements provides management with the opportunity to consider whether the
issues are actually misstatements, and to conduct its own investigations and obtain further
evidence.
2. To those charged with governance during the final stage of the audit. The auditor will
also communicate with those charged with governance (typically, the board of directors)
towards the conclusion of the audit. This communication contains the uncorrected
misstatements – that is, those misstatements that have not been corrected by management
during the audit – and also indicates the effect these uncorrected misstatements may have
on the auditor’s opinion (ISA 450 para. 12).
In both these communications, the auditor must request that the uncorrected misstatements are
corrected in the financial statements.
Required reading

CC
Evaluating the effect of misstatements on the financial statements

Referring again to the diagram under ‘Audit objectives’ above, the auditor needs to consider
the effect of uncorrected misstatements on the financial statements. This requires evaluating
whether the uncorrected misstatements are material to the financial statements. Before doing
this, the auditor must reassess materiality.
Reassessing materiality before evaluating uncorrected misstatements

Before evaluating any uncorrected misstatements, the auditor should reassess materiality levels
for the financial statements as a whole, as materiality is often based on estimated financial
results at the planning stage, before actual results are known (ISA 450 paras 10 and A11–A12).
Evaluating the effect on the financial statements – individually and in aggregate

The auditor is required to determine whether uncorrected misstatements are material
individually and in aggregate. Under ISA 450 para. 11(a), this evaluation should consider both
the:
•• Size of a misstatement.
•• Nature of a misstatement.
Size of a misstatement
In evaluating the size of misstatements, the auditor considers the impact on each class of
transaction, account balance and disclosure, as well as on the financial statements as a whole
(ISA 450 para. 11(a)). This is because misstatements may be material to one item, but not
to another. For example, a misstatement that is not material to the profit before tax may be
material to the disclosure of key management personnel remuneration.
The auditor will use the record of accumulated misstatements to assist with this evaluation.
Refer to the example of a summary misstatements working paper under ‘Accumulation of
misstatements’, above, and see how each misstatement and the aggregate misstatements in the
example have been allocated between the statement of profit or loss, and between the main
components of the statement of financial position. In practice, the auditor will also consider
the impact of misstatements on the amounts and disclosures that make up each of these
components.
Using this approach enables the auditor to consider the effect of misstatements on multiple
elements of the financial statements.
Nature of a misstatement
The auditor should also consider the nature of the uncorrected misstatements and the particular
circumstances of their occurrence (ISA 450 para. 11(a)). In some instances, misstatements can
be material to the financial statements, even if the amount of the misstatement is less than the
amount that has been set for materiality.
This means the auditor will consider matters such as whether a misstatement affects key
financial ratios, contractual covenants or other amounts that users of the financial statements
are likely to focus on. ISA 450 para. A16 lists a number of circumstances that the auditor would
consider when evaluating whether misstatements are material.
Required reading

CC
Misstatements from prior financial periods

Misstatements identified in one financial period can sometimes affect the following financial
period. Where misstatements in prior periods were not corrected, the auditor must bring these
into the consideration of the current financial period’s misstatements (ISA 450 para. 11(b)).
Example – Previous period misstatements that affect the current financial period
The auditor of Big Toys identified a misstatement in the financial year ended 30 June 20X2. Big
Toys had not recorded an accrued liability for occupancy expenses. The journal required to
correct the misstatement, which was not posted, was:
Dr Cr
$ $
Occupancy expenses 100,000
Accrued liabilities 100,000
Without recognising this adjustment, both the profit for the 30 June 20X2 financial year and net
assets as at 30 June 20X2 were overstated by $100,000.
The auditor is now completing Big Toys’ audit for the year ended 30 June 20X3. As Big Toys
would have incorrectly recognised the occupancy expense in 30 June 20X3 financial year
instead of 30 June 20X2, occupancy expense in 20X3 is overstated by $100,000. As the profit for
the 30 June 20X2 financial year was overstated, the opening retained earnings for the 30 June
20X3 financial year is also overstated by $100,000.
The following journal would be required to correct the effect of the above misstatement on the
30 June 20X3 financial statements:
Dr Cr
$ $
Retained earnings 100,000
Occupancy expenses 100,000
Required reading
ISA 450 paras 11(b) and A18.

CC
Documentation
As set out in ISA 450 para. 15, the auditor must document:
•• The amount set for ‘clearly trivial’ misstatements.
•• All misstatements found during the audit and whether they have been corrected.
•• The auditor’s conclusion, and the basis for that conclusion, as to whether uncorrected
misstatements are material individually or in aggregate.
Considering misstatements involves the auditor interacting with the entity’s management and
those charged with governance. Therefore, in accordance with ISA 450 para. 14, the auditor is
required to:
… request a written representation from management and, where appropriate, those charged with
governance whether they believe the effects of uncorrected misstatements are immaterial, individually
and in aggregate, to the financial statements as a whole.
A summary of the uncorrected misstatements must be attached to or included in this written

representation (ISA 450 para. 14).
Required reading
Worked example 11.2: Determining whether sufficient appropriate audit evidence has been
obtained and identifying misstatements
Worked example 11.3: Evaluating the impact of uncorrected misstatements

Activity 11.3: Evaluating the impact of uncorrected misstatements


11.1: Evaluating audit evidence (ISA 500)
11.2: Evaluating misstatements (ISA 450)
Quiz

Readings

All references to Auditing and Assurance Standards in the learning elements in the Audit and
Assurance module are to International Standards, except where they relate to jurisdiction-
specific content.
The table below provides a summary of the readings from the International Pronouncements
together with the equivalent Australian and New Zealand Pronouncements.
In the exam, candidates can refer to the International Standards or the Australian or New
Zealand Standards.
Required reading
with International Standards on with Australian Auditing Standards with International Standards on
Auditing Auditing (New Zealand)
•• Paragraphs 11(a), 13(j)–13(l), 15, •• Paragraphs 11(a), 13(j)–13(l), 15, •• Paragraphs 11(a), 13(j)–13(l), 15,
17, A18–A22 and A28–A52 17, A18–A22 and A28–A52 17, A18–A22 and A28–A52
•• Paragraphs 8–11 and A2–A17 Paragraphs 8–11 and A2–A17 •• Paragraphs 8–11 and A2–A17
ISA 240 The Auditor’s Responsibilities ASA 240 The Auditor’s ISA (NZ) 240 The Auditor’s
Relating to Fraud in an Audit of Responsibilities Relating to Fraud in Responsibilities Relating to Fraud in
Financial Statements an Audit of a Financial Report an Audit of Financial Statements
Material Misstatement Through through Understanding the Entity Material Misstatement Through
ISA 450 Evaluation of Misstatements ASA 450 Evaluation of ISA (NZ) 450 Evaluation of
Identified During the Audit Misstatements Identified during the Misstatements Identified During the
Audit Audit
•• Paragraphs 4–7, 11, A1–A33 and •• Paragraphs 4–7, 11, A1–A33 and •• Paragraphs 4–7, 11, A1–A33 and
A57 A57 A57

Further reading


ACT
Activity 11.1
Introduction
The quality of an audit is important in maintaining market confidence in financial statements.
Professional scepticism is a state of mind that is critical to the performance of quality audits.
This activity will assist candidates to understand the concept of professional scepticism.
•• Apply the auditor’s requirements if there is inconsistency in, or doubts over, the reliability
of audit evidence.
•• Determine whether sufficient appropriate audit evidence has been obtained on which to
At the end of this activity, you will be able to understand how professional scepticism is
addressed in the International Standards on Auditing (ISAs), and the importance of professional
scepticism in particular circumstances.
Scenario
You are an audit junior at Smith & Smith Chartered Accountants. Your audit manager, Jenny
Chexem, wants to discuss the importance of professional scepticism when performing an audit.
She suggests that you consider this in the context of the audit procedures you would perform
when obtaining evidence to support the key assumptions around cash flows, growth rates and
discount rates that management would use in a discount cash flow model, supporting the fair
value of an asset.
Task
Outline how you would provide evidence that professional scepticism has been appropriately
exercised whilst performing audit procedures on a discounted cash flow forecast to measure the
fair value of an asset.

ACT
Activity 11.2
Determining whether sufficient appropriate
audit evidence has been obtained
Introduction
Understanding what constitutes sufficient appropriate audit evidence and using professional
judgement to evaluate audit evidence are both critical to performing audits. Chartered
Accountants should be able to determine whether audit evidence is sufficient and appropriate
to particular circumstances.
•• Apply the auditor’s requirements if there is inconsistency in, or doubts over, the reliability
of audit evidence.
At the end of this activity, you will be able to determine whether sufficient appropriate audit
evidence has been obtained in particular scenarios, whether further evidence is required, and
identify the impact of audit findings on the initial risk assessment, in accordance with ISA 330
The Auditor’s Responses to Assessed Risks (ISA 330) and ISA 500 Audit Evidence (ISA 500).
Scenario
Louiseton Enterprises (LE) is a large private company that designs and builds exhibition display
stands. Tingle & Tangle Chartered Accountants (T&T) has been LE’s auditor for the past three
years. You are an audit senior assigned to the audit of LE’s financial statements for the year
ended 30 June 20X3. The manager assigned to the LE audit is Gaye Blazit. As the audit senior,
one of your responsibilities is to review the working papers of an audit junior, Susan Shoman.
It is September 20X3 and T&T’s audit team is at LE’s offices undertaking the final audit. You
have obtained the following information from discussions with Susan and from reviewing the
audit working papers prepared by her.

ACT
Matter 1 – Accounts receivable

To test accounts receivable for the existence assertion, Susan selected a sample of accounts
receivable balances to agree to LE’s cash journal subsequent to the year end.
When you review Susan’s working paper, you note that she has listed each customer balance
from her sample, next to which she has recorded the receipts for that customer since the year
end. The following is an extract from the audit working papers showing the first three balances
in Susan’s sample:
Customer ref. Balance Receipts after year end Auditor’s comments

$ $
A145 225,000 110,000 Agreed to cash journal 15.07.X3

50,000 Agreed to cash journal 16.08.X3
D239 140,000 40,000 Agreed to cash journal 12.07.X3
H191 340,000 210,000 Agreed to cash journal 25.07.X3

Discussing this procedure, Susan tells you that she examined the cash journal for the months
of July to September 20X3 and noted any receipts from customers in her sample. She expected
accounts to have been settled by September, because LE’s terms of trade are 60 days from
the invoice date. She then listed the receipts in date order until the total receipts equalled or
exceeded the balance at 30 June 20X3. Susan was unable to fully test some of the balances
because they had not all been settled in full at the time she completed the test. She did no
further work.
Matter 2 – Accounts payable

To test the valuation and allocation of accounts payable, Susan selected a sample of balances
and compared these to suppliers’ statements. When you review Susan’s working paper, you
find that all of the balances selected agree to the suppliers’ statements with the exception of the
following:
Supplier Balance Supplier’s Difference Auditor’s comments

ref. statement
$ $ $
A169 135,000 190,000 55,000 Discussed with LE’s financial controller. Cheque for
$55,000 was sent on 30.06.X3, and was not recorded by
supplier until 05.07.X3
C112 255,000 295,000 40,000 Discussed with LE’s financial controller. Supplier used
the wrong price on a June delivery of goods and has
agreed that LE will be credited for the difference

ACT
Tasks
Task 1
Gaye asks you to review the audit procedures performed by Susan and evaluate whether
sufficient appropriate audit evidence has been obtained. Where it has not, you have been asked
to identify what further audit evidence should be obtained.
Task 2
Gaye also requests that you determine whether the results of these audit procedures will
increase the risk of material misstatement (RMM), assuming the further audit evidence obtained
confirms the evidence in the working papers to date. Where the RMM is increased, you should
identify the key assertions at risk and outline the impact on the audit, including additional
audit procedures (or increases in extent).

ACT
Activity 11.3
Evaluating the impact of uncorrected
misstatements
Introduction
Where misstatements identified during the audit are not corrected, the auditor must determine
whether these uncorrected misstatements are material to the financial statements. Chartered
Accountants working on audits will be involved in evaluating misstatements as part of forming
the audit opinion.
•• Evaluate the effect of identified misstatements on the audit, and of uncorrected
At the end of this activity, you will be able to determine whether uncorrected misstatements are
material, individually or in aggregate, in accordance with ISA 450 Evaluation of Misstatements
Identified during the Audit (ISA 450).
Scenario
You are an audit senior at Bean and Sons Chartered Accountants (Bean) currently working on
the audit of Lanvale Fashion (LF) for the year ended 30 June 20X3.
LF is a listed company involved in the manufacture and sale of licensed fashion goods in
Australia and New Zealand. LF has outsourced its manufacturing to suppliers in China. When
LF’s suppliers load the manufactured goods on the ship, the risks and rewards related to the
goods transfer to LF. The suppliers ship the fashion goods from the port of Shangdong to LF’s
warehouse and distribution centre in Sydney. Shipping times are typically six weeks. Once the
goods are received in Sydney, inspected by LF’s quality control department and checked into the
warehousing stock control system, approval is given to accounts payable to pay the supplier’s
invoice in full, provided the quantities and quality are as per the invoice and the purchase order.
LF orders its inventory for each season on the basis that the stock needs to be in its distribution
warehouse two weeks prior to going on sale at its 250 retail stores. As a fashion company, LF’s
inventory is seasonal, manufacturing for two seasons a year – summer and winter. Stock for
each season is refreshed with new styles twice a season.
Matter 1
On 30 June 20X3, you attended the stocktake of LF at its Sydney distribution centre. During the
stocktake, you observed that there were 4,400 items of stock with an ageing in excess of 365 days
and carried at a cost of $204,540. In addition, there were a further 940 items of stock with an
ageing of 180 to 364 days at a cost of $68,000. The warehouse manager confirmed that stock in
excess of 365 days is unlikely to be sold and stock in excess of 180 days will be sold at half of its
cost price. Bean has performed audit procedures to check LF’s management’s assessment of the
net realisable value of these slow-moving items and agrees with the warehouse manager’s view.
However, in the year-end financial statements, management has not written down the aged
stock to its net realisable value.

ACT
Matter 2
On 1 January 20X3, an office insurance premium of $248,082 was paid for the 12 months ending
31 December 20X3. You note that this full amount still appears in prepayments at 30 June 20X3
and therefore represents a misstatement.
Matter 3
Your testing of depreciation expense for the financial year shows that the depreciation expense
relating to plant and equipment is understated by $195,000.
Further audit procedures have confirmed that the above matters are the misstatements arising
and did not identify any additional misstatements.
LF’s management has not changed the financial statements to reflect the above matters. Selected
line items from LF’s statement of profit or loss and statement of financial position are shown
below:
Selected line items from statement of profit or loss $
Revenue from sale of goods 155,457,451
Cost of sales 112,374,790
Depreciation expense 4,453,867
Lease and occupancy costs 22,453,980
Administrative expenses 10,873,905
Net profit before tax 5,300,909
Selected line items from statement of financial position $
Cash 2,658,567
Inventory 11,000,000
Trade receivables 8,212,000
Prepayments 7,000,940
Total current assets 32,528,507
Plant and equipment – cost 25,240,000
Plant and equipment – accumulated depreciation 17,309,600
Plant and equipment – carrying amount 7,930,400
Total non-current assets 8,715,800
Total assets 41,244,307
Trade payables 23,780,600
Interest-bearing liabilities 2,250,000
Accrued expenses 1,876,005
Total current liabilities 27,906,605
Interest-bearing liabilities 5,000,000
Total non-current liabilities 5,865,000
Total liabilities 33,771,605
Net assets 7,472,702

ACT
Task
For this activity, you are required to determine whether the misstatements are material,
individually or in aggregate, from a quantitative perspective by completing a summary of
misstatements (SOM) for the year ended 30 June 20X3.
In completing the above task, you are required to comply with Bean’s audit manual guidelines
in relation to evaluating whether misstatements are material from a quantitative perspective, as
follows:
Threshold Evaluation of materiality
< 5% of relevant amount Generally not material, subject to

qualitative considerations
5–10% Evaluation based on professional

judgement
> 10% of relevant amount Generally material, subject to qualitative

considerations
Note: Ignore tax considerations for this task.



CC
Core content
Unit 12: Responding to assessed risk – using
the work of others, external confirmations
and written representations
Learning outcomes
1. Demonstrate an understanding of the auditor’s use of external confirmation procedures to
obtain relevant and reliable audit evidence.
2. Demonstrate an understanding of the purpose of written representations and the
objectives of an auditor in obtaining written representations from management.
3. Explain the special considerations that apply to group audits, in particular those that
involve component auditors.
4. Demonstrate the steps involved in determining whether and to what extent an external
auditor can use the work of internal auditors.
5. Explain the auditor’s responsibilities relating to using the work of an expert.
Introduction
The first part of this unit describes two important sources of audit evidence:
•• External confirmations, which are generally considered to be reliable audit evidence, being
obtained from independent sources outside the entity.
•• Written representations, which are particularly important when considered in conjunction
with other audit evidence. Management is required to provide written representations as
part of every audit engagement.
The second part of this unit describes the audit procedures to be carried out when using the
work of others, namely another auditor, an internal auditor or an expert. Regardless of whether
the work of these other auditors or experts is used or not, the principal auditor retains sole
responsibility for the auditor’s opinion expressed.
This unit addresses the requirements of the following International Standards on Auditing
(ISAs):
•• ISA 505 External Confirmations (ISA 505).
•• ISA 580 Written Representations (ISA 580).
aaa11612_csg

CC
•• ISA 600 Special Considerations – Audits of Group Financial Statements (Including the Work of
Component Auditors) (ISA 600).
•• ISA 610 (Revised 2013) Using the Work of Internal Auditors (ISA 610 (Revised)).
•• ISA 620 Using the Work of an Auditor’s Expert (ISA 620).
Learning outcome
1. Demonstrate an understanding of the auditor’s use of external confirmation procedures to
An effective audit plan is based on an appropriate mix of tests of controls and substantive
procedures that collectively reduce audit risk to an acceptably low level. There are a number of
substantive audit procedures that can be undertaken to address audit risk at the assertion level.
This section addresses the use of external confirmations as a substantive procedure to obtain
relevant and reliable audit evidence, as described in ISA 505.
The reliability of audit evidence is influenced by both its source and its nature. Under
ISA 505 para. 2, audit evidence is considered to be more reliable when it is:
•• Obtained from independent sources outside the entity.
•• Obtained directly by the auditor, rather than indirectly.
•• In documentary form, whether paper, electronic or other medium.
Accordingly, external confirmations, being ‘audit evidence obtained as a direct written response
to the auditor from a third party (the confirming party), in paper form, or by electronic or other
medium’ (ISA 505 para. 6(a)), may be more reliable than evidence that is generated internally by
the entity.
External confirmation requests

There are two alternative methods of requesting an external confirmation:
•• Positive confirmation request.
•• Negative confirmation request.
Positive confirmation request

A positive confirmation request refers to a request where the confirming party responds directly
to the auditor, either (ISA 505 para. 6(b)):
•• indicating whether they agree or disagree with the information requested, or
•• providing the requested information.
An example of a positive confirmation is a bank confirmation request, where the auditor asks
the bank to confirm the audited entity’s account balances that are held by the bank at year end.
The auditor may also request confirmation of other information, such as securities and leases
held, accounts opened and/or closed during the year, lists of authorised signatories, as well as
unused limits/facilities and breaches of those facilities.

CC
Negative confirmation request

A negative confirmation request refers to a ‘request where the confirming party responds
directly to the auditor only if the confirming party disagrees with the information provided in
the request’ (ISA 505 para. 6(c)).
Negative confirmations provide less persuasive audit evidence than positive confirmations
(ISA 505 para. 15). This is because the intended confirming party only needs to respond if they
disagree with the information provided in the request. There may also be other reasons why no
response is received to a negative confirmation request. For example, the intended confirming
party may not have received the negative confirmation request, or the intended confirming
party may not be able or willing to respond to the auditor.
Accordingly, under ISA 505 para. 15, an auditor can use a negative confirmation request as the
sole substantive procedure to address an assessed risk of material misstatement at the assertion
level, if all of the following specific circumstances are present:
(a) The auditor has assessed the risk of material misstatement as low and has obtained sufficient
appropriate audit evidence regarding the operating effectiveness of controls relevant to the
assertion;
(b) The population of items subject to negative confirmation procedures comprises a large number of
small, homogeneous account balances, transactions or conditions;
(c) A very low exception rate is expected; and
(d) The auditor is not aware of circumstances or conditions that would cause recipients of negative
confirmation requests to disregard such requests.
Required reading
ISA 505 paras 1–6, 15 and A23.
External confirmation procedures

In practice, external confirmations are often used to provide audit evidence of the existence of
an asset or the completeness of a liability balance. They can also provide evidence of whether
an amount has been accurately recorded in the accounting records (accuracy assertion) and in
the appropriate period (cut-off assertion). They tend to provide less evidence for valuation and
allocation assertion of assets, such as recoverability of accounts receivable.
Under ISA 505 para. 7, the auditor needs to maintain control over the external confirmation
process, which includes:
(a) Determining the information to be confirmed or requested;
(b) Selecting the appropriate confirming party;
(c) Designing the confirmation requests, including determining that requests are properly addressed
and contain return information for responses to be sent directly to the auditor; and
(d) Sending the requests, including follow-up requests when applicable, to the confirming party.
External confirmation procedures are commonly used to provide relevant audit evidence of:
•• Bank balances and other information relevant to banking relationships.
•• Accounts payable and receivable balances and terms.
•• Inventories held by third parties or on consignment.
•• Property title deeds held by the entity’s lawyers or financiers for safe custody or as security.
•• Investments held for safekeeping by third parties.
•• Amounts owed to lenders, including the relevant terms of repayment and any restrictive
covenants.

CC
Australia-specific
The AUASB has issued a Guidance Statement, GS 016 ‘Bank Confirmation Requests’ (GS 016),
which provides guidance to ‘auditors on the enquiry and confirmation methods for obtaining
audit evidence regarding an entity’s bank accounts and transactions’.
Major Australian banks, such as Westpac and National Australia Bank, are using the online
audit confirmation service Confirmation.com to provide customers and their auditors with an
efficient and secure solution for obtaining audit confirmations. Confirmation.com is the world’s
leading provider of online audit confirmations and is widely used by the international banking
and audit industry. More information can be found on the Confirmation.com website at www.
confirmation.com.

Please check the Further reading and resources sections in myLearning for up-to-date
videos and further reading material.
Example – External confirmation procedures

This example illustrates how an auditor can obtain evidence of a number of different account
balances using external confirmation procedures.
An extract of the financial information for an entity being audited at year end is as follows:
Account Dr (Cr)
$
Cash at bank 87,000
Accounts receivable 345,000
Inventories 317,000
Land 66,000
Buildings (net of depreciation) 350,000
Plant and equipment (net of depreciation) 325,000
Accounts payable (210,000)
Borrowings (350,000)
Sales (3,130,000)
Cost of sales 2,300,000
General and administration expenses 622,000
Interest expense 35,000
At year end, the entity has no inventories consigned either in or out.

When reviewing the entity’s financial information as part of planning the audit engagement,
the auditor would consider the following:
•• The accounts that require confirmation.
•• The assertion(s) that the confirmation addresses.
•• The recipient of the request (the confirming party).
•• The information that needs to be confirmed.

CC
Account Assertion(s) Confirming Information to be confirmed

party
Accounts Existence Individual Balance owed at year end by the debtor

receivable debtors
Accounts Completeness, Individual Balance owed at year end

payable valuation and creditors
allocation
Cash at bank Existence, All banks and Account balances at year end (including current
completeness, other financial accounts, interest-bearing deposits, foreign
valuation and institutions currency accounts and money market deposits)
allocation used by the
Accounts opened and closed by the entity
entity
during the period
Authorised signatories to the accounts
Used and unused facilities
Borrowings Completeness, All banks and •• Information about everyday banking

valuation and other financial activities, such as:
allocation institutions –– Account balances at year end for overdraft
used by the accounts, bank loans and term loans
Interest expense Completeness, entity
accuracy –– Interest rates and terms of liabilities
–– Items held as security for the entity’s
liabilities to banks/financial institutions
–– Unused limits and facilities
•• Information about treasury operations, such
as:
–– Forward rate agreements
–– Foreign currency contracts
–– Interest rate swaps
–– Options
•• Information on any other contractual
arrangements
In this example, the auditor would not send out external confirmation requests for information
on the following:
Account Reason for not requesting external confirmation
Inventories There is no inventory consignment as at year end – that is, all inventory is
held by the entity. Therefore, there is no external party that can confirm the
inventory balances
Land The key assertions at risk for land, buildings, and plant and equipment
would be existence and valuation and allocation. For significant balances
Buildings generally the entity obtains an independent valuation, and the auditor
Plant and equipment will evaluate this valuation. The auditor could engage an expert valuer to
provide an independent valuation of these assets, but would not request
external confirmation
Sales These classes of transactions are recognised in accordance with the

Accounting Standards. There is no external party that can confirm the total
Costs of sales balance of these transactions
General and
administration expenses

CC
Assessing the results of external confirmation procedures

The procedures that an auditor should follow in relation to obtaining external confirmations
under ISA 505 are summarised in the following table:
External confirmation procedures
External confirmation Procedure

requirement
Maintain control over This includes:

confirmation process •• Considering information to be confirmed or requested
•• Selecting appropriate confirming party
•• Evaluating reasons for any refusal by management to allow sending of
confirmations. This includes consideration of the implications on assessed risks,
the possibility of fraud and what further audit procedures will now be required
•• Designing the confirmation requests
•• Determining that requests are promptly addressed and contain return
information for responses to be sent directly to the auditor
•• Sending the requests, including follow-up requests, when applicable to the
confirming party
Are responses reliable? If factors give rise to doubts about the reliability of a response:
•• Obtain further audit evidence to resolve or confirm these doubts
•• Consider fraud and other issues that impact on assessed risks; and
•• Investigate exceptions to determine if these are indicative of misstatements
When no response is Perform alternative audit procedures (if possible) to obtain relevant and reliable
received audit evidence
Evaluate overall results Did the external confirmation procedures provide the relevant and reliable
audit evidence required? If the confirming party disagrees with the balance
then alternative audit procedures will be required to determine what the correct
balance is
Adapted from: Australian audit manual and toolkit 2015 for small and medium sized entities, Exhibit 8.3–2, pp. 130–1.
If the auditor determines that a positive confirmation request is necessary to obtain sufficient
appropriate audit evidence, and alternative audit procedures will not provide the required
audit evidence, the auditor needs to determine the implications this will have for the audit and
the auditor’s opinion if this confirmation is not received (ISA 505 para. 13).
Required reading
ISA 505 paras 7–14, 16, A1–A22 and A24–A25.
When management refuses to allow the auditor to send an external confirmation

request
If management refuses to allow the auditor to send an external confirmation request, the
auditor must:
•• Inquire as to management’s reasons for this refusal, and seek audit evidence as to their
validity and reasonableness (ISA 505 para. 8(a)).
•• Evaluate what implications management’s refusal will have on the assessed risks of material
misstatement and the possibility of fraud, as well as on the nature, timing and extent of
other audit procedures (ISA 505 para. 8(b)).
•• Perform alternative audit procedures that are ‘designed to obtain relevant and reliable audit
evidence’ (ISA 505 para. 8(c)).
•• Determine the implications of management’s refusal on the audit and the auditor’s opinion
under ISA 705 Modifications to the Opinion in the Independent Auditor’s Report (ISA 705)
(ISA 505 para. 9).

CC
If the auditor concludes that management’s refusal is unreasonable, or they cannot obtain
relevant and reliable audit evidence from other audit procedures, the auditor must
communicate this to those charged with governance, pursuant to ISA 260 Communication with
Those Charged with Governance (ISA 505 para. 9).
Required reading
Worked example 12.1: Using external confirmations as audit evidence

Activity 12.1: Obtaining audit evidence using external confirmations

Learning outcome
2. Demonstrate an understanding of the purpose of written representations and the objectives
of an auditor in obtaining written representations from management.
Management and the auditor agree on the terms of the audit engagement prior to the
commencement of an audit. These terms include management’s responsibilities, as set out in
ISA 210 Agreeing the Terms of Audit Engagements (ISA 210). One of these responsibilities is to
provide written representations to the auditor in respect of the audit.
A written representation is a ‘written statement by management provided to the auditor to
confirm certain matters or to support other audit evidence’ (ISA 580 para. 7). The written
representation usually takes the form of a letter addressed to the auditor (ISA 580 para. 15).
This section addresses the auditor’s responsibility to obtain such written representations from
management as audit evidence. It should be noted that while written representations provide
‘necessary audit evidence’, they ‘do not provide sufficient appropriate audit evidence on their
own’ (ISA 580 para. 4). They should therefore be considered in combination with other evidence
obtained.
The auditor requests written confirmations from management which state that management
‘believe that they have fulfilled their responsibility for the preparation of the financial
statements and for the completeness of the information provided to the auditor’ and ‘to support
other audit evidence’ (when considered necessary by the auditor or as required by other ISAs)
(ISA 580 paras 6(a) and (b)).
The auditor must ‘respond appropriately’ to written representations that are provided by
management, or when management does not provide the requested written representations
(ISA 580 para. 6(c)).
Written representations as audit evidence

The auditor requests written representations from those who are responsible for the preparation
of the financial statements, which is usually management.
During the course of an audit, management will make verbal representations to the auditor,
and these can also be used as audit evidence to support other audit procedures. At the end of
the engagement, these verbal representations, along with those that are specifically required
(outlined below) should be included in a written representation letter from management that is
addressed to the auditor (ISA 580 para. 15).

CC
The written representation letter should be obtained ‘as near as practicable to, but not after,
the date of the auditor’s report on the financial statements’. It should cover all the financial
statements and period(s) that are referred to in the auditor’s report (ISA 580 para. 14).
Written management representations are audit evidence, but cannot be used as:
•• A substitute for performing other audit procedures.
•• The sole source of evidence on significant audit matters.
An example of a management representation letter is included in ISA 580 Appendix 2.
Required reading
ISA 580 paras 1–9, 14–15, A1–A6, A15–A21 and Appendix 2.
Types of written representations

This section covers the different types of written representations, being:
•• Written representations regarding management’s responsibilities under ISA 580.
•• Other written representations under ISA 580, including those that are required:
–– under ISAs other than ISA 580, and
–– to support other audit evidence.
Written representations regarding management’s responsibilities

Management has defined responsibilities with regard to the preparation of the financial
statements and the audit. The auditor therefore requests management to confirm that it has
fulfilled those requirements, by providing written representations confirming that:
•• Management ‘has fulfilled its responsibility for the preparation of the financial statements,
in accordance with the applicable financial reporting framework’ (ISA 580 para. 10).
•• Management ‘has provided the auditor with all relevant information and access as agreed in
the terms of the audit engagement’ (ISA 580 para. 11(a)).
•• ‘All transactions have been recorded and are reflected in the financial statements’
(ISA 580 para. 11(b)).
In Australia, the Corporations Act 2001 (Cth) (Corporations Act) requires management to provide
all requested information, explanations and assistance to auditors for the purpose of financial
statements audit (Corporations Act s. 312).
The auditor must ask those in management who are responsible for the preparation and
presentation of the financial statements and have knowledge of the matters involved, to provide
written representations (ISA 580 para. 9). Usually, this will be the entity’s chief executive
officer and the chief financial officer, or others with an equivalent level of responsibility
(ISA 580 para. A2), such as the owner-manager.
In New Zealand, the auditor must request written representations from those charged with
governance with appropriate responsibilities for the financial statements and knowledge of the
matters concerned (ISA (NZ) 580 para 9.1).
Required reading
ISA 580 paras 9–12, A2, A7–A9, A14 and A22.
Other written representations

In addition to the representations that are required regarding management’s responsibilities
(outlined above), the auditor also has obligations under other Auditing Standards that require
them to request written representations. The auditor may also deem it necessary to obtain

CC
written representations to support ‘other audit evidence’ that is pertinent to the financial
statements, or to specific assertion(s) in the financial statements (ISA 580 para. 13).
These other written representations include those required:
•• under ISAs other than ISA 580, and
•• to support other audit evidence.
Written representations required under other ISAs

ISA 580 Appendix 1 contains a list of ISAs that have requirements for the auditor to request
subject-matter specific written representations, as follows:
ISA 580 Appendix 1 – Written representation requirements under other ISAs
ISA Specific
paragraphs
ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements 39
ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements 16
ISA 450 Evaluation of Misstatements Identified during the Audit 14
ISA 501 Audit Evidence – Specific Considerations for Selected Items 12
ISA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related 22
Disclosures
ISA 550 Related Parties 26
ISA 560 Subsequent Events 9
ISA 570 Going Concern 16(e)
ISA 710 Comparative Information — Corresponding Figures and Comparative Financial 9

Statements
Written representations to support other audit evidence

ISA 580 paras A10–A13 provide examples of written representations that management may
need to provide to support other audit evidence about:
•• Application and selection of accounting policies.
•• Recognition, measurement and disclosure of other matters relevant under the applicable
financial reporting framework.
•• Communication to the auditor of all deficiencies in internal control of which management is

aware to the auditor.
•• Communication to the auditor of all the entity’s reasons for choosing a particular course of
action.
•• Management’s plans or intentions in relation to specific matters regarding the financial
statements.
Required reading
ISA 580 paras 13, A10–A13, A22 and Appendix 1.
Responding to written representations

One of the auditor’s objectives is to respond appropriately to written representations that are
provided by management, or when management does not provide the written representations
requested by the auditor.

CC
The following table outlines the appropriate responses required of the auditor in respect of
management’s written representations:
Responses to management’s written representations
Status of Procedure ISA 580

written reference
representation
Management Evaluate the integrity of the written representations by: Paras 16, 18 and
provides the 20(a)
•• Considering whether the person making the representation is
requested
expected to be objective and knowledgeable on the subject matter
written
representations •• Assessing whether the representation is reasonable in light of the
auditor’s understanding of the entity and its environment, and other
evidence obtained
•• Considering whether further audit procedures are required to
corroborate the representations (e.g. to corroborate management’s
intent and consider sources of evidence, such as minutes of directors’
meetings, minutes of investment committees, legal documents or
internal correspondence and emails)
•• In the event that the auditor determines that management is
incompetent or lacking integrity or ethical values, the auditor should:
–– Determine the effect that such concerns may have on the reliability
of representations (oral or written) and audit evidence in general
–– Disclaim an opinion on the financial statements where they
conclude that ‘there is sufficient doubt about the integrity of
management’ to show that the required written representations
cannot be relied on
Management •• Perform additional audit procedures to attempt to resolve the matter Para. 17
representations •• If the matter remains unresolved, reconsider the assessment of the
are inconsistent competence, integrity, ethical values or diligence of management,
or contradict or of management’s commitment to or enforcement of these,
other audit and determine the effect that this may have on the reliability of
evidence representations (oral or written) and the audit evidence in general
obtained
•• Determine whether there is reason to doubt management’s integrity.
If so, discuss the matter with those charged with governance and
consider the impact on the risk assessment as well as the need for
further audit procedures
•• Consider whether continued reliance on any other management
representations is appropriate
Requested •• Discuss the matter with management Paras 19

representations •• Re-evaluate the integrity of management, and evaluate the effect that and 20(b)
not provided this may have on the reliability of the representations (oral or written)
and on the audit evidence in general
•• Take appropriate actions, including determining the possible effect on
the opinion in the auditor’s report, in accordance with ISA 705
•• Disclaim an opinion on the financial statements
Adapted from: Australian audit manual and toolkit 2015 for small and medium sized entities, pp. 588–93.
Required reading
Worked example 12.2: Obtaining written representations as audit evidence

Activity 12.2: Requesting written representations from management


CC
Group audits
Learning outcome
3. Explain the special considerations that apply to group audits, in particular those that involve
component auditors.
In engagements where the audited entity comprises of one or more divisions, branches or
subsidiaries (components), the group engagement team may need the audit work to be
undertaken by several different auditors. ISA 600 provides requirements for when an auditor
decides to use the work of another auditor in the audit of group financial statements.
Group auditor’s responsibilities

The auditor who is responsible for signing the auditor’s report on the group financial
statements is the group engagement partner. When the initial client acceptance and continuance
decisions are made, the group engagement audit team (group auditor) considers their firm’s
capacity to undertake the audit and determines what proportion of the work on the group’s
financial statements they will need to assign to other auditors (component auditors).
When assigning work to a component auditor, the group engagement partner remains
‘responsible for the direction, supervision and performance of the group audit engagement’
(ISA 600 para. 11). The group engagement partner must be satisfied that the component
auditor(s) is/are independent and competent, and that their work provides satisfactory evidence
to support the group engagement partner’s opinion on the group financial statements.
The group auditor also needs to obtain sufficient appropriate audit evidence for the
consolidation process to allow them to express an opinion on the group’s financial statements.
Required reading
Understanding the group and its components

Auditing a group can be a large undertaking; however, the group auditor needs to design an
audit plan that will identify and assess the risks of material misstatement regardless of the
group’s size or complexity. Part of managing this is to identify components of the group that are
‘significant’.
A component is considered to be a significant component if it is:
•• of ‘individual financial significance to the group’, or
•• ‘likely to include significant risks of material misstatement’ for the group ‘due to its specific
nature or circumstances’ (ISA 600 para. 9(m)).
Group audit procedures for significant components will differ from those used for components
that are not identified as significant.
Materiality and procedures involving components

The group auditor will develop a strategy and plan for the group audit (ISA 600 paras 15–16),
which will reflect their understanding of the group and its environment (ISA 600 para. 17).

CC
Materiality
Materiality in a group audit will be set for the whole group and for particular classes of
transactions, account balances or disclosures – just as it would in any audit of financial
statements. In addition, the group auditor will set ‘component materiality’, which is the
materiality level that component auditors will use in performing an audit or review of the
component’s financial information for the purposes of a group audit (this may be a different
figure to the one they might use when performing an audit under local reporting requirements).
The component materiality will be less than the materiality set for the group. The group auditor
will also advise the materiality level above which misstatements could not be regarded to be
clearly trivial (ISA 600 para. 21).
Procedures
The auditor is required to design procedures to address the risks of material misstatement
identified in the financial statements. In a group engagement, it is the group auditor who
determines the work that will be performed by the component auditors.
For a significant component, under ISA 600 para. 27 this could involve:
•• An audit of the financial information of the component using component materiality.
•• An audit of specified account balances at period end, classes of transactions or disclosures.
•• Specified audit procedures.
This differs from audit work that may need to be performed to meet any statutory or reporting
obligations of the component.
When an audit of the financial information of a component is performed, the group auditor
would be involved in the risk assessment to understand its potential implications for the group
financial statements (ISA 600 para. 30).
For components that are not significant, the group engagement team should perform, at a
minimum, analytical procedures at a group level, although it may still be necessary to perform
further procedures depending on the requirements for evidence on which to base the group
audit opinion (ISA 600 paras 28 and 29).
When significant risks of material misstatement are identified in a component, it is the group
auditor who determines the appropriateness of further audit procedures (ISA 600 para. 31).
Both the group auditor and the component auditor shall perform procedures to identify
subsequent events that might require adjustment of, or disclosure in, the group financial
statements (ISA 600 paras 38 and 39).
Using component auditors

Under ISA 600 para. 19, as the group auditor relies on the work performed by the component
auditors, they need to gain an understanding of the component auditors by considering:
(a) Whether the component auditor understands and will comply with the ethical requirements that
are relevant to the group audit and, in particular, is independent.
(b) The component auditor’s professional competence.
(c) Whether the group engagement team will be able to be involved in the work of the component
auditor to the extent necessary to obtain sufficient appropriate audit evidence.
(d) Whether the component auditor operates in a regulatory environment that actively oversees
auditors.
If the group auditor has any concerns about the component auditor’s ethics, competence or
independence, they shall not request the component auditor to perform work (ISA 600 para. 20).

CC
In order to rely on a component auditor’s work, the group auditor should review the main
conclusions drawn in the component auditor’s working papers and discuss the significant
matters they have identified. The group auditor’s review should focus on areas relative to the
significant risks of material misstatement in the group financial statements.
If the group auditor is concerned that a component auditor has not been able to gather sufficient
appropriate audit evidence, the group auditor shall determine what additional procedures are
to be performed and whether they shall be performed by the component auditor or the group
engagement team (ISA 600 para. 43).
It is the group engagement partner’s responsibility to evaluate the effect on the group audit
opinion of any uncorrected misstatements, and of any instances in which sufficient appropriate
audit evidence has not been obtained (ISA 600 para. 45).
The group engagement team is required to document its interactions with the component
auditors. Information that should be documented includes the analysis of whether a component
is significant, the type of work required on the component financial information and written
communications about the group engagement team’s involvement (ISA 600 para. 50).
Communicating with component auditors

Communication between the group auditor and component auditor is crucial in the audit of
group financial statements. The group auditor must communicate their requirements, which
are outlined in ISA 600 para. 40. Likewise, the component auditor is required to communicate
to the group auditor on all matters concerning the components relevant to the group audit
(as specified in ISA 600 para. 41), including:
•• Whether the component auditor has complied with the requirements of the group audit.
•• Whether the component auditor has complied with the ethical requirements that are
relevant to the group audit.
•• The identification of the financial information the component auditor is reporting on.
•• Instances of non-compliance with laws and regulations that could give rise to a material
misstatement in the group financial statements.
•• A list of uncorrected misstatements of the relevant component.
•• Indicators of possible management bias.
•• The identification and description of deficiencies in internal controls.
•• The component auditor’s overall findings, including:
–– any other significant matters that should be communicated to those charged with
governance
–– other matters relevant to the group audit, and
–– their conclusions or opinion.
Required reading

CC
Consolidation process
The auditor is required to identify and assess risks of material misstatement. In order to achieve
this in a group audit, the auditor must consider the consolidation process in addition to the
audit of each component.
In this regard, the auditor is required to understand, and consider the impact on the audit
procedures of, the following:
•• The consolidation process, including group management’s instructions issued to the
components (ISA 600 para. 17(b)).
•• Group-wide controls and their impact on the audit plan (ISA 600 paras 17(a) and 32).
•• Whether all components have been included in the consolidation process (ISA 600 para. 33).
•• Consolidation adjustments and reclassifications (ISA 600 para. 34).
•• The consistency of accounting policies across the group (ISA 600 para. 35).
•• The impact of a component that has a different reporting period end to the group
(ISA 600 para. 37).
Required reading
ISA 600 paras 17, 32–37 and A56.
Communication with group management

The group auditor is required to communicate any identified deficiencies in internal control
and fraud at a group level to those charged with governance or to group management.
Additionally, the group auditor needs to consider whether those deficiencies in internal
controls of components identified by component auditors should be brought to their attention
(ISA 600 para. 46).
In addition, as part of a group audit, the group auditor needs to ensure that those charged with
governance are provided with an overview of the work that will be performed by component
auditors as well as an understanding of the group auditor’s involvement in that work
(ISA 600 para. 49).
Required reading
Activity 12.3: Using the work of component auditors in audits of group financial statements

CC
Using the work of internal auditors
Learning outcome
4. Demonstrate the steps involved in determining whether and to what extent an external
In larger entities, an internal audit department is often established to monitor the effectiveness
of various aspects of their operations. Some of the work performed by this internal audit
function may be relevant to an entity’s external auditor. This may mean that the external
auditor could modify the nature and timing of their own audit procedures, or reduce the extent
of the audit procedures that they plan to perform, and instead rely on the work of the internal
audit function. ISA 610 (Revised) outlines when it is permissible to utilise the work of internal
auditors and, if so, to what extent.
Even when using the work of internal audit, the external auditor remains solely responsible for
the audit opinion that is expressed in the auditor’s report on the financial statements.
Required reading
ISA 610 (Revised) paras 1–14 and A1–A4.
Assessing whether and to what extent an external auditor can use the work of
internal audit
Before any specific review of detailed work performed by internal audit, the external auditor
has to determine ‘whether the work of the internal audit function can be used, and if so, in
which areas and to what extent’ (ISA 610 (Revised) para. 13(a)).
Evaluating the internal audit function

The first step for the external auditor in determining whether they can use the work of internal
audit is to evaluate the internal audit function using the basis outlined in ISA 610 (Revised)
para. 15:
Evaluating the work of internal audit function under ISA 610 (Revised)
Evaluation basis Factors to consider
Objectivity of the •• The status of the internal audit function within the entity, and the effect this status
internal audit function has on the ability of the internal auditors to be free from bias, conflict of interest or
undue influence of others
(ISA 610 (Revised)
para. A7) •• Whether the internal audit function reports to those charged with governance or
an officer with appropriate authority, or to management, and whether it has direct
access to those charged with governance
•• Whether internal audit is free of any conflicting responsibilities
•• Whether those charged with governance have oversight of employment decisions
that are related to the internal audit function
•• Whether management or those charged with governance place any constraints or
restrictions on the internal audit function
•• Whether the internal auditors are members of relevant professional bodies that
oblige them to comply with relevant professional standards relating to objectivity
Technical competence •• Whether the internal audit function is adequately resourced

of the internal auditors •• Whether the entity has established policies for hiring and training internal auditors
(ISA 610 (Revised) •• Whether the internal auditors have adequate technical training and proficiency as
para. A8) internal auditors
•• Whether the internal auditors possess the required skills to perform work in
relation to the entity’s financial statements
•• Whether the internal auditors are members of relevant professional bodies that
oblige them to comply with continuing professional development requirements

CC
Evaluating the work of internal audit function under ISA 610 (Revised)
Evaluation basis Factors to consider
Use of a systematic •• Whether there are documented procedures which address risk assessments, work
and disciplined programs, documentation and reporting, which are appropriate to the size and
approach (including circumstances of the entity
quality control) •• Whether there are appropriate quality control policies and procedures
(ISA 610 (Revised)
para. A11)
The auditor should not use the work of the internal audit function if it has concerns about any
of these factors.
Required reading
Worked example 12.3: Using the work of internal auditors

Determining the nature and extent of the work that can be used
After assessing the internal audit function, the external auditor then needs to assess the
nature and scope of the work it performs and consider how that relates to the audit plan. As
the external and internal audit functions work to different objectives, the work performed by
internal audit may not provide the evidence that is required by the external auditor.
The external auditor is required to make all significant judgements during the audit
engagement, and would need to adjust their level of reliance on the work of internal audit if:
•• there is an increased risk of material misstatement at the assertion level
•• a significant judgement is involved in planning or performing audit procedures, or in
evaluating the evidence obtained, or
•• there is the potential for either the objectivity or competency of the internal audit team to be
compromised (ISA 610 (Revised) para. 18).
ISA 610 para. A16 provides examples of work performed by the internal audit function that
could be used by the external auditor. These include:
•• Testing the operating effectiveness of the entity’s controls.
•• Conducting substantive procedures that involve the application of limited judgement.
•• Observing inventory counts.
•• Tracing transactions that are relevant to the entity’s financial reporting through its
information system.
•• Testing the entity’s compliance with statutory and regulatory requirements.
Required reading

CC
Using the work of internal audit

When an external auditor determines that they will use specific work performed by internal
audit, they need to determine whether that work is adequate for the purposes of the audit
engagement.
ISA 610 (Revised) paras 21–25 outline the specific procedures the external auditor should
undertake, including:
•• Discussing the planned use of the work with those responsible for both the internal and
external audit functions (ISA 610 (Revised) para. 21).
•• Reading the reports completed by the internal audit function to confirm the external
auditor’s understanding of the work of the internal audit function performed and to review
its findings (ISA 610 (Revised) para. 22).
•• Evaluating whether the work of the internal audit function was properly planned,
performed, supervised, reviewed and documented; that sufficient evidence was obtained,
and the conclusions drawn were appropriate (ISA 610 (Revised) para. 23).
•• Reperforming some of the testing work carried out by the internal audit function
(ISA 610 (Revised) para. 24). This could involve reperforming some of the same sample
items selected by internal audit, or selecting a smaller sample of similar items and
reperforming the same procedures (ISA 610 (Revised) para. A30).
The level of work the external auditor would perform requires professional judgement and
should reflect the assessed risk of material misstatement, and their assessment of the objectivity
and competency of the internal audit function.
The diagram below summarises the key requirements of ISA 610 (Revised), and illustrates the
audit procedures required by the external auditor in considering using the work of internal
audit.
Is the work of internal audit Determine the effect on the nature,

adequate for financial YES timing or extent of audit procedures
statements audit purpose? in using the work of internal audit
NO
Stop Perform audit procedures on the

work performed by internal audit
and evaluate its adequacy for the
financial statements audit
Document conclusions reached
Adapted from: Australian audit manual and toolkit 2015 for small and medium sized entities, Exhibit 13.8–1, p. 224.
Required reading
ISA 610 (Revised) paras 21–25, 36 and A24–A30.
Activity 12.4: Assessing the adequacy of internal audit work for use in the financial
statements audit

CC
Direct assistance
In some jurisdictions where it is not prohibited by law or regulation, an external auditor may
obtain ‘direct assistance from internal auditors’. Direct assistance is defined as ‘the use of
internal auditors to perform audit procedures under the direction, supervision and review of
the external auditor’ (ISA 610 para. 14(b)). ISA 610 paras 27–35 and 37 provide specific guidance
on the use of internal auditors to provide direct assistance.
Note that the Australian Auditing Standards prohibit the use of internal auditors to provide
direct assistance in an audit or review of financial statements. The New Zealand Auditing
Standards allow the use of internal auditors to provide direct assistance in line with the
international Standard.
Required reading
ISA 610 paras 14(b) and 26.


CC
Using the work of an expert
Learning outcome
5. Explain the auditor’s responsibilities relating to using the work of an expert.
For certain engagements, an auditor may require expertise outside of accounting or auditing,
in order to obtain sufficient appropriate audit evidence. This may involve using the work of an
auditor’s expert, who would provide audit evidence in the form of reports, opinions, valuations
and/or statements.
It is important to note that even when the work of an expert is used, the auditor retains sole
responsibility for the audit opinion expressed.
ISA 620 outlines the process the auditor must follow when considering using the work of an
expert as audit evidence.
Implications of using the work of an expert on the audit process

The decision to engage an expert in order to obtain audit evidence related to an area outside the
auditor’s own area of expertise is not a simple one – there are a number of steps that an auditor
must take before they can rely on the work of an expert.
The diagram below summarises the key requirements of ISA 620, and illustrates how using the
work of an expert is considered throughout the audit process:
Is an expert needed to obtain audit Evaluate adequacy of work performed by

evidence? If yes: the expert including findings, conclusions,
• What procedures will be required? assumptions used, and sources of data
• Is the expert selected competent, Determine if any further audit work
capable and objective? required
Can we understand the nature of work
performed by the expert?
Agree on terms of engagement with the
expert
Reporting
Do not make reference to work of an

expert unless auditor’s report has been
modified or required by law or regulation
If insufficient appropriate audit evidence
was obtained, modify the auditor’s report
Examples of areas in which the auditor may need to consider using the work of an expert
include:
•• Valuations of assets, such as land and buildings, plant and machinery, works of art, precious
stones, inventory and complex financial instruments.
•• Determination of quantities or the physical condition of assets, such as stockpiles of stored
minerals, underground mineral and petroleum reserves, and the remaining useful life of
different pieces of plant and machinery.

CC
•• Determination of amounts using specialised techniques or methods, such as actuarial
valuation.
•• Analysis of complex or unusual tax compliance issues.
•• Measurement of work completed, and to be completed, on contracts in progress.
•• Specialised inventory counters.
•• Legal opinions concerning interpretations of agreements, statutes and regulations.
Required reading
Engaging an expert
Audit considerations regarding engaging an auditor’s expert are summarised in the flow chart
and table below:
Is an expert needed to
YES
obtain audit evidence?
NO What audit procedures are

required? (Nature/timing/extent)
Is the chosen expert competent,

capable and objective? YES
NO
Does the auditor understand
the expert’s field of expertise? YES
NO
Agree on the terms
of the engagement
NO
Plan alternative audit procedures appropriate to the circumstances
Audit considerations and procedures relating to engaging an expert
Consideration Audit procedures
Is an expert needed The auditor should consider the need for an expert in relation to:
to obtain audit
•• Obtaining an understanding of the entity, including its internal control(s)
evidence?
•• Identifying/assessing the risks of material misstatement
(ISA 620 paras 7 and
•• Determining/implementing overall responses to assessed risks at the financial
A4–A9)
statement level
•• Designing/performing further audit procedures to respond to assessed risks at the
assertion level
•• Evaluating the sufficiency/appropriateness of audit evidence obtained in order to
form an opinion

CC
Audit considerations and procedures relating to engaging an expert
Consideration Audit procedures
What audit The auditor should consider:

procedures are
•• The nature of the matter and the risks of material misstatement
required?
•• The significance of the expert’s work in the context of the audit
•• Previous work (if any) performed by the expert
A10–A13)
•• Whether the expert is subject to the auditor’s quality control policies and
procedures
Is the chosen expert The auditor should consider the following issues in relation to the expert:
competent, capable,
•• Competence, which relates to the nature and level of expertise of the auditor’s
and objective?
expert
(ISA 620 paras 9 and •• Capability, which relates to the ability of the auditor’s expert to exercise that
A14–A20) competence in the circumstances of the engagement (e.g. the expert’s geographic
location, and the availability of time and resources)
•• Objectivity, which relates to the possible effect that bias, conflict of interest, or the
influence of others may have on the professional or business judgement of the
auditor’s expert
Other factors to consider include:
•• The auditor’s personal experience with previous work by the expert
•• Discussions with the expert
•• Discussions with others that are familiar with the expert’s work
•• Knowledge of the expert’s qualifications, membership of a professional body or
industry association, licence to practice, or other forms of external recognition of
the expert
•• Published papers or books by the expert
•• The audit firm’s quality control policies and procedures
Does the auditor The auditor must consider whether they have sufficient understanding of the expert’s
understand the field of work to:
expert’s field of
•• Plan the audit
expertise?
•• Review the results of work performed
A21–A22)
Agree on the terms of In establishing the terms of the engagement, the auditor must consider factors such
the engagement as:
(ISA 620 paras 11 and •• Access of the expert to sensitive or confidential entity information
A23–A31) •• The respective roles or responsibilities of the auditor and the auditor’s expert
•• Any multi-jurisdictional legal or regulatory requirements
•• The complexity of the work involved
•• The expert’s previous experience(s) with the entity
•• The extent of the expert’s work, and its significance in the context of the audit
The written agreement should address the:
•• Nature, scope, and objectives of the expert’s work
•• Respective roles and responsibilities
•• Nature, timing, and extent of communication, including the report format
•• Need for confidentiality
•• Appendix to ISA 620, which sets out matters that the auditor may consider for
inclusion in any written agreement with an auditor’s external expert
Adapted from: Australian audit manual and toolkit 2015 for small and medium sized entities, Exhibit 13.9–4, pp. 232–4.
Required reading

CC
Evaluating the adequacy of the work performed by an expert

Once the auditor has decided to use the work of an expert, they are required to evaluate
whether that work is adequate for the purposes of the audit – that is, does it provide the auditor
with sufficient appropriate audit evidence?
The auditor should consider the following factors when evaluating the adequacy of an expert’s
work:
•• The expert’s findings and whether they are consistent with other audit evidence.
•• The methods and assumptions used.
•• The source data used, and whether it is accurate.
If the results of the expert’s work are unsatisfactory or inconsistent with other audit evidence,
the auditor can resolve the matter through one or more of the following courses of action, as
appropriate:
•• Having discussions with the entity and the expert.
•• Performing additional audit procedures.
•• Engaging another expert.
•• Modifying the auditor’s report.
Required reading
Reporting considerations
ISA 620 para. 14 specifies that an auditor’s report containing an unmodified opinion should not
refer to the work of an expert.
However, if the auditor decides to issue a modified auditor’s opinion, it may be appropriate to
refer to, or describe the work of, the expert in order to explain the nature of the modification.
In these circumstances, the auditor would obtain the permission of the expert before making
such a reference. If permission is refused and the auditor believes a reference is necessary, the
auditor may need to seek legal advice (ISA 620 paras 15 and A42).
Required reading
Activity 12.5: Using the work of an expert


12.1: External confirmations (ISA 505)
12.2: Written representations (ISA 580)
12.3: Group audits (ISA 600)
12.4: Using the work of others (ISA 600)
Quiz

Readings

Standards.
Required reading
International Australia* New Zealand
ISA 505 External Confirmations ASA 505 External Confirmations ISA (NZ) 505 External Confirmations
ISA 580 Written Representations ASA 580 Written Representations ISA (NZ) 580 Written Representations
ISA 600 Special Considerations— ASA 600 Special Considerations— ISA (NZ) 600 Special Considerations –
Audits of Group Financial Audits of a Group Financial Report Audits of Group Financial Statements
Statements (Including the Work of (Including the Work of Component (Including the Work of Component
Component Auditors) Auditors) Auditors)
ISA 610 (Revised 2013) Using the ASA 610 Using the Work of ISA (NZ) 610 (revised 2013) Using the
Work of Internal Auditors Internal Auditors Work of Internal Auditors
•• Paragraphs 1–26, 36 and •• Paragraphs 1–26, 36 and •• Paragraphs 1–26, 36 and A1–A30
A1–A30 A1–A30
ISA 620 Using the Work of an ASA 620 Using the Work of an ISA (NZ) 620 Using the Work of an
Auditor’s Expert Auditor’s Expert Auditor’s Expert
•• www.ifac.org •• www.auasb.gov.au •• www.xrb.govt.nz
* Excluding paragraphs starting with ‘Aus’ prefix.

Further reading

References
The following sources were referred to in the preparation of content for this unit:
•• Chartered Accountants Australia and New Zealand 2015, Australian audit manual and
toolkit 2015 for small and medium sized entities, (5th Edition) Thomson Reuters (Professional)
Australia.
•• GS 016 ‘Bank Confirmation Requests’.
•• Corporations Act 2001 (Cth).

ACT
Activity 12.1
Obtaining audit evidence using external
confirmations
Introduction
The role of the auditor includes obtaining sufficient appropriate audit evidence in order to draw
conclusions on which to base their auditor’s opinion. External confirmations generally provide
evidence which is more reliable than internally generated evidence, as they are obtained from
independent sources directly by the auditor.
•• D
emonstrate an understanding of the auditor’s use of external confirmation procedures to
At the end of this activity, you will be able to design confirmation requests, assess the
results of external confirmation procedures, evaluate the evidence obtained and respond to
management’s refusal to send requests, in accordance with ISA 505 External Confirmations
(ISA 505).
Scenario
You are an audit senior at Anston & West (A&W), currently working on the 30 June 20X3
financial statements audit of Kanon Bros Limited (Kanon), an abattoir. As one of the largest
cattle abattoirs in the country, Kanon supplies meat to both the major supermarket chains as
well as a large number of butcher shops.
Kanon buys the majority of the cattle it requires and sends them directly to the abattoir for
slaughter. However, it also maintains its own livestock for breeding. The livestock is held on
two third-party owned and managed breeding farms, where the calves are grass-fed for a
period of 45–60 days before being transferred to the abattoir.
Trading conditions for Kanon have been challenging, with weather conditions such as drought
and flood impacting on the price of beef. Purchasing cattle has become very expensive and this
cost is being reflected in the retail selling price of beef products. As a result, consumers have
been substituting beef with other, more affordable meat products. Kanon management receives
bonuses based on the achievement of sales and profit targets for the year.
Your audit manager, Chuck Danson, has provided you with the audit plan which indicates that
accounts receivable and inventory – livestock are material balances. A&W plans to use external
confirmation procedures to obtain audit evidence for both these accounts.

ACT
You have discussed the confirmation process for the two account balances with Kanon’s
financial controller, Tim Kang. Tim has indicated that:
•• For accounts receivable – it would be a ‘waste of time’ sending confirmation requests to
the major supermarkets as they will not respond, but he is happy to organise confirmation
requests to be sent out to a number of butcher shops. He has warned you that not all of the
butcher shop owners will respond, and that for those who do, some confirmations will not
match Kanon’s records. Tim believes that this is because they are small business owners
who do not have the resources to maintain up-to-date accounting records.
•• For inventory – livestock – he does not want to send a confirmation request to one of the
property owners as they are under significant pressure due to a drought affecting their
property. Tim has already arranged for a confirmation from the other property, and he has
provided a copy of the confirmation to you.
Tasks
1. Determine whether sending external confirmation requests provides sufficient appropriate
audit evidence that the accounts receivable and inventory – livestock balances are not
materially misstated at 30 June 20X3.
2. For the account receivable – external confirmation requests, outline the information that
should be included.
3. Discuss how you would respond to Tim’s comments on the livestock confirmations.
4. Describe any other audit procedures you believe will be required for accounts receivable.

ACT
Activity 12.2
Requesting written representations from
management
Introduction
Auditors are required to request written representations from management as part of their
gathering of audit evidence. The written representations from management may cover many
aspects of the preparation of the financial statements, internal control or specific assertions. This
activity deals with the requirements of these written representations.
•• Demonstrate an understanding of the purpose of written representations and the objectives
of an auditor in obtaining written representations from management.
At the end of this activity, you will be able to outline the written representations that the auditor
should request from management or those charged with governance, in accordance with
ISA 580 Written Representations (ISA 580).
Scenario
You are an audit senior at Beecham Accountants (Beecham) and currently finalising the audit
for the year ended 30 June 20X3 of TWB Limited (TWB), a manufacturer and distributor of
bathroom and kitchen fittings. Under instructions from your audit manager, you requested
from TWB’s management a written representation that it has fulfilled its responsibilities in
regard to preparing the financial statements and that it has provided Beecham with access to
information as was agreed in the terms of the engagement.
TWB’s chief financial officer (CFO), Toby Smith, drafted a representation letter which includes
the following details:
Management has fulfilled its responsibilities, as set out in the terms of the audit engagement
letter dated 28 February 20X3, for the preparation of the financial statements in accordance
with International Financial Reporting Standards. In particular, the financial statements are
fairly presented in accordance therewith.
All transactions have been recorded in the accounting records and are reflected in the
We have disclosed to you all information in relation to fraud or suspected fraud that we are
aware of and that affects the entity and involves:
•• Management;
•• Employees who have significant roles in internal control; or
•• Others where the fraud could have a material effect on the financial statements.
Toby joined TWB part-way through the period to which the financial statements relate and has
indicated that he can only make representations for the period subsequent to his appointment.
He is the only member of TWB’s management who is required to sign the representation letter,
and will only provide the letter to you once you have provided the auditor’s report for the year
ended 30 June 20X3.

ACT
Task
For this activity, you are required to review Toby Smith’s proposed inclusions in the draft
management representation letter.
Outline any amendments to the letter and other factors that need to be addressed under
guidance from ISA 580. Cite references to support your answer.

ACT
Activity 12.3
Using the work of component auditors in
audits of group financial statements
Introduction
Many entities prepare financial statements on a group, rather than an individual, basis
(e.g. a head company with one or more subsidiaries and/or associates). The group auditor
(or group audit engagement team) is responsible for obtaining sufficient appropriate audit
evidence regarding the components (e.g. the subsidiaries) of the group financial statements
as well as the consolidation process. They will often use component auditors to do this,
particularly if the components are in different geographical locations. The use of component
auditors requires the group auditor to communicate clearly with the component auditors about
the timing and scope of their work, as well as their findings.
•• Explain the special considerations that apply to group audits, in particular those that
involve component auditors.
At the end of this activity, you will be able to outline the key requirements of the group audit
engagement team in respect of a group financial statements audit, in accordance with ISA 600
Special Considerations – Audits of Group Financial Statements (Including the Work of Component
Auditors) (ISA 600).
Scenario
You are a senior auditor at The Audit Group (TAG), an Australian professional accounting
firm with affiliate offices across the world. TAG is the group auditor of Multi Software Limited
(MSL), a multinational software development company.
MSL’s main operation and head office is in Australia, and TAG has been the group auditor of
the MSL group for the past three years. The MSL group consists of MSL’s Australian operation
and all of its overseas operations. MSL has operations in Singapore, the United Kingdom (UK)
and Hong Kong. TAG engages its affiliate offices overseas to assist in auditing MSL’s
international operations.
MSL’s Singapore operation has been growing rapidly, and this is the first year that the
Singapore operation has been considered material for the MSL group audit. Local audit
procedures performed by TAG’s Singapore affiliate office last year (for the purpose of Singapore
local statutory reporting and filing), noted that revenue recognition was incorrect. This was a
significant matter to the Singapore operation, and MSL’s Singapore management processed the
audit adjustments proposed by last year’s audit team.
Sally, an audit partner at TAG, is the group engagement partner responsible for the direction,
supervision and performance of the 30 June 20X3 MSL group financial statements audit
engagement. She has determined that MSL’s Singapore and UK operations are significant to
the MSL group audit and has engaged TAG’s Singapore and UK affiliate offices as component
auditors to audit these operations. MSL’s Hong Kong operation is a small office and not
material to the group.

ACT
Sally’s team needs to draft group audit instructions for all audit teams undertaking work on the
MSL group audit. You have been assigned to this year’s MSL group financial statements audit
team.
Tasks
1. Discuss the key responsibilities of the group audit engagement team.
2. Outline information that TAG would request from the component auditors for the MSL
group financial statements audit.
3. Outline the audit approach that should be taken to address the revenue recognition issue in
MSL’s Singapore operation.
4. Summarise the audit approach for MSL’s Hong Kong operation.

ACT
Activity 12.4
Assessing the adequacy of internal audit
work for use in the financial statements audit
Introduction
Where an entity has an internal audit function, the external auditor may seek to use the work of
internal auditors to modify the nature and timing, or reduce the extent of the audit procedures
performed directly by the external auditor. However, the external auditor remains solely
responsible for the auditor’s opinion expressed in the financial statements.
•• Demonstrate the steps involved in determining whether and to what extent an external
At the end of this activity, you will be able to identify when and to what extent the external
auditor can use the work of internal auditors and what procedures are necessary to obtain
sufficient appropriate evidence that the work of the internal audit function is adequate for the
purposes of the financial statements audit, in accordance with ISA 610 (Revised 2013) Using the
Work of Internal Auditors (ISA 610 (Revised)).
Scenario
You are the audit senior at OneAcc Chartered Accountants (OneAcc). You are currently working
on the 31 December 20X3 financial statements audit of Reed Books Limited (Reed Books), a
large book publisher and the local subsidiary of a US publishing house.
Reed Books has been one of OneAcc’s audit clients for a number of years and is considered to
have strong internal controls, and an effective internal audit function.
OneAcc expects to use the work of Reed Books’ internal audit team to reduce the extent of audit
procedures to be performed directly by them. OneAcc has assessed the status, policies and
procedures, competency and approach of Reed Books’ internal audit team and has determined
that their work can be relied on.
OneAcc would like to use the following work performed by Reed Books’ internal audit
function:
1. Tests of control procedures for purchases and payments

The internal audit team has an audit program that has seen them perform the following tests of
control procedures:
•• Selecting a sample of payment request forms to ensure that they are authorised by
a member of management with the appropriate level of authority to approve purchases for
the dollar amount requested.
•• Selecting a sample of payments and checking that those payments are supported
by an appropriately authorised requisition form, that the invoice matches the payment
authorisation request, that those payments have been correctly recorded in the general
ledger and that the payment of the invoice has been approved by two bank signatories.

ACT
2. Substantive procedures on provision for legal claims

The internal audit team, based on their knowledge of the business and past legal claims history,
has reviewed the provision for legal claims to ensure that all known and likely claims have been
included and the provision is sufficient to cover expected payments.
Task
For this activity, you are required to assess whether work performed by Reed Books’ internal
auditors is adequate for the purpose of the 31 December 20X3 financial statements audit. If so,
outline the procedures OneAcc should perform, if any.

ACT
Activity 12.5
Using the work of an expert
Introduction
Expressing an opinion on a financial statements audit it is solely the auditor’s responsibility.
There are circumstances during an audit where the auditor may use the conclusions of an
expert in a particular field as appropriate audit evidence; however, the use of an expert does not
diminish the auditor’s responsibility for the opinion expressed.
•• Explain the auditor’s responsibilities relating to using the work of an expert.
At the end of this activity, you will be able to determine when to use the work of an expert and
to assess whether their work is adequate for the financial statements audit, in accordance with
ISA 620 Using the Work of an Auditor’s Expert (ISA 620).
Scenario
Colstone Limited (Colstone) buys uncut coloured gemstones from miners, then cuts and
polishes them and on-sells them to jewellery manufacturers. Colstone is considered a market
leader, renowned particularly for the quality of its rubies.
You are a senior accountant at ABC Chartered Accountants (ABC), a professional accounting
firm. You are working on the 30 June 20X3 financial statements audit of Colstone. ABC has been
Colstone’s auditor for the past two years.
Inventory as at 30 June 20X3 has been identified as a material account balance. It comprises both
cut and uncut gemstones, with rubies being 75% of the inventory balance. The value of a ruby is
primarily determined by its colour – the more intense the red, the higher the price. Cut, clarity
and carats (size) also impact on the price. When viewing Colstone’s inventories, you note that
uncut gemstones look very much like ordinary rocks.
Colstone’s managing director, Paul, advises you that the inventory account balance in the
30 June 20X3 financial statements was determined by Colstone’s employees, who are registered
gemstone valuers.
Paul then provides you with the contact details of an expert gemstone valuer who could be
engaged to report on the value of Colstone’s inventories, and with whom he has a long-standing
relationship. The expert is a registered valuer with many years experience, qualifications in
gemology, and certificates in grading and valuations. He also has access to laboratory testing
equipment if required.
Task
For this activity, you are required to determine whether to engage an expert gemstone valuer
for the 30 June 20X3 financial statements audit.
If an expert is engaged, outline how you would assess their competency, capability and
objectivity. Specifically address whether the expert would be the one recommended by Paul in
your response.


CC
Core content
Unit 13: Subsequent events and going
concern
Learning outcomes
1. Apply the ‘Events after the Reporting Period’ Accounting Standard in relation to subsequent
events audit requirements.
2. Discuss and explain the auditor’s responsibilities relating to subsequent events.
3. Explain the going concern assumption.
4. Demonstrate the auditor’s responsibilities relating to management’s use of the going
concern assumption.
5. Determine the implications for the auditor’s report in the context of going concern
considerations.
Introduction
The auditor’s responsibilities with respect to the audit of an entity’s financial statements
extend beyond the period that the financial statements relate to. Accordingly, the auditor has
an obligation to perform procedures to ensure that all material subsequent events have been
identified and appropriately reflected within the financial statements before the auditor’s report
is signed.
Additionally, the auditor has responsibility, until the date the auditor’s report is signed, to
determine whether a material uncertainty exists in relation to events or conditions that may cast
significant doubt on an entity’s ability to continue as a going concern.
With reference to International Accounting Standards (IAS) and International Standards on
Auditing (ISAs), this unit discusses the:
•• Recognition and disclosure requirements of subsequent events under IAS 10 Events after the
Reporting Period (IAS 10).
•• Auditor’s responsibilities relating to subsequent events under ISA 560 Subsequent Events
(ISA 560).
•• Going concern requirements under IAS 1 Presentation of Financial Statements (IAS 1).
•• Auditor’s responsibilities relating to going concern under ISA 570 Going Concern (ISA 570).
aaa11613_csg

CC
Events after the reporting period
Learning outcome
1. Apply the ‘Events after the Reporting Period’ Accounting Standard in relation to subsequent
Timing of events
Inevitably, there is a ‘gap’ between the end of the accounting (reporting) period and completion
of the financial statements. Events that occur during this period may need to be reflected in the
financial statements for the period just ended.
IAS 10 provides guidance as to when such events should be reflected in the financial statements
and how to treat them. IAS 10 applies to events that occur after the reporting date and before
the date the financial statements are authorised for issue (IAS 10 para. 3).
Accounting for events after the reporting period

There are two types of events that occur after the reporting period. These events are classified as
either:
•• Adjusting events.
OR
•• Non-adjusting events.
Accounting for these types of events is summarised in the following diagram:
Events occurring
after reporting date
Provides evidence of Indicative of conditions that

conditions that existed at arose after reporting date
end of reporting period
‘Adjusting events’ ‘Non-adjusting events’
Adjust financial Disclose nature of financial

statements for period effect of material
just ended non-adjusting events

CC
The difference between an ‘adjusting event’ and a ‘non-adjusting event’ is key to applying
IAS 10, and is discussed below.
Adjusting events
An adjusting event confirms the existence of a condition that existed at the end of the reporting
period, or provides more evidence about such a condition (IAS 10 para. 3(a)). Therefore, the
amounts recognised in the financial statements are adjusted to reflect adjusting events after the
reporting period (IAS 10 para. 8).
Common examples of adjusting events are:
•• Legal disputes and court cases that are settled after the reporting date, but which confirm
the existence of a present obligation (‘a condition’) at the reporting date.
•• Information received after the end of the reporting period that indicates an asset was
impaired at the reporting date – for example, an entity finds out that a customer with a
trade receivables balance at the reporting date went bankrupt after the reporting date
usually confirms that a loss existed at the end of the reporting period.
•• Bonuses or profit shares that were determined after the reporting date, but for which a legal
or constructive obligation existed at the reporting date.
Non-adjusting events
Non-adjusting events are indicative of conditions that arose after the end of the reporting period
and therefore do not relate to a condition that existed at the reporting date (IAS 10 para. 3(b)).
The amounts recognised in the financial statements are therefore not adjusted to reflect these
events (IAS 10 para. 10).
However, material non-adjusting events could influence users of the financial statements.
Therefore, as stated in IAS 10 para. 21, the following relevant information should be disclosed:
(a) Nature of the event.
(b) Estimate of the financial effect, or a statement that such an estimate cannot be made.
Common examples of non-adjusting events are:

•• An abnormally large decline in the fair value of investments.
•• A major business combination.
•• Announcement of a major restructure.
Examples – Adjusting and non-adjusting events

These examples illustrate adjusting and non-adjusting events.
In these examples, assume that the financial reporting period ended at 30 June 20X3 and the
financial statements are due to be issued on 31 August 20X3.
Example 1
At 30 June 20X3, Company A is owed $1,000 by Company B from the sale of goods supplied in
March 20X3. On 12 August 20X3, Company A receives a letter from Company B’s administrators,
which indicates that Company B is likely to enter liquidation and Company A is unlikely to
receive payment for the amount it is owed.
This is an adjusting event. The condition that existed at 30 June 20X3 was that the trade
receivables balance for Company B was probably already impaired.

CC
Example 2
Company X has an investment of shares in a listed company. The fair value of the shares at 30
June 20X3, based on the listed market price at that time, was $2,500. By 30 August 20X3, the
listed market price of the shares fell significantly and the fair value of the investment is $1,700.
This is a non-adjusting event. The shares trade publicly, so the fall in value is assumed to relate
to circumstances that have arisen after the reporting date. This event would only require
disclosure if it is considered to be material.
Example 3
Company Z received a complaint from one of its customers regarding the performance of a
contract on 2 October 20X2, together with a claim for damages of $1,500,000. As at 30 June
20X3, Company Z had received legal advice that indicated it had a strong defence against this
claim, and estimated that it would cost $500,000 in damages and $100,000 in legal fees to settle
the matter out of court.
On 29 August 20X3, a court rules against Company Z and orders damages of $1,200,000 be paid
to the customer, plus costs of $300,000. Company Z’s own legal costs are $400,000.
This is an adjusting event. Company Z had a present obligation at 30 June 20X3, by way of the
contract with the customer. The court ruling provided information regarding the amount of the
obligation. Therefore, the liability to be recognised at 30 June 20X3 is $1,900,000.
Required reading
IAS 10 paras 3, 8, 10 and 12.
Disclosures
The disclosure requirements of IAS 10 are detailed in paras 17–22.
Required reading
IAS 10 paras 17–22.
Worked example 13.1: Accounting for events after the reporting date
Directors’ responsibilities relating to subsequent events

The directors of an entity have a responsibility to ensure that the financial statements comply
with IAS 10, and that events after the reporting period have been considered in preparing
those financial statements. This responsibility is normally delegated to management.
The auditor confirms that the requirements of IAS 10 have been addressed by requesting
written representations from management to this effect, as part of its audit evidence. Such
representations usually state that all events occurring subsequent to the date of the financial
statements and up to the date that the financial statements are finalised have been considered
and, where required by IAS, adjusted or disclosed in the subsequent events note in the financial
statements (ISA 560 para. 9).
Having established an understanding of subsequent events and management‘s responsibility in
accounting for them, the auditor’s responsibility in this regard is now discussed.

CC
Auditor’s responsibilities relating to subsequent events
Learning outcome
2. Discuss and explain the auditor’s responsibilities relating to subsequent events.
ISA 560 requirements

ISA 560 outlines the responsibilities of the auditor in respect of subsequent events in an audit.
The objectives of the auditor vary depending on the timing of the subsequent event and the date
of the auditor’s report:
•• For events occurring between the date of the financial statements and the date of the
auditor’s report, the auditor is required to obtain ‘sufficient appropriate audit evidence’ as
to whether those events are appropriately adjusted or disclosed in the financial statements
‘in accordance with the applicable financial reporting framework’ (ISA 560 para. 4(a)).
•• When facts ‘become known to the auditor after the date of the auditor’s report, that, had
they been known to the auditor at that date, may have caused the auditor to amend the
auditor’s report’, the auditor must respond appropriately (ISA 560 para. 4(b)).
The timeline below demonstrates the auditor’s objectives regarding subsequent events
at various points after the date of the auditor’s report:
Directors’ declaration Distribution of

Reporting date: and auditor’s report signed: financial statements:
30 June 20X3 1 September 20X3 15 September 20X3
Time period 1 Time period 2 Time period 3
Obtain evidence about subsequent events
Respond to new facts that become known
Note: In this example, the financial statements have been approved on the same date that the
auditor’s report has been issued. Most audit firms sign the auditor’s report on the same date
that the financial statements are authorised by the entity’s directors.

CC
The table below outlines the auditor’s responsibilities at various points along this timeline:
Auditor’s responsibilities regarding subsequent events in different time periods
Time period ISA 560 Audit procedures and potential impact on the auditor’s report
in which requirements
subsequent
event occurs/
facts become
known to
auditor
Time period 1 The auditor Examples of procedures that can be performed during this period are
Between the must perform provided in ISA 560 paras 7 and A8, including:
reporting date procedures
•• Obtaining an understanding of procedures that management has in
and the date the designed to place to identify subsequent events
auditor’s report is obtain sufficient •• Asking management about the occurrence of any subsequent events
signed appropriate
audit evidence •• Reading minutes of directors’ or management meetings held after
that all events the reporting date (if any)
during this •• Reading the latest available interim financial statements
time period (e.g. management accounts)
that require
•• Reading the latest budgets, cash flow forecasts and management
adjustment of,
reports for periods after the reporting date
or disclosures
in, the financial •• Making enquiries of the entity’s legal counsel concerning any
statements have litigation or claims
been identified When the auditor becomes aware of any subsequent events that
(ISA 560 para. 6) materially impact on the financial statements, they need to consider
whether these have been appropriately reflected (i.e. properly
accounted for, adjusted or adequately disclosed) in the financial
statements (ISA 560 para. 8)
Where management does not amend the financial statements, the
auditor would issue a modified auditor’s opinion

CC
subsequent
event occurs/
facts become
known to
auditor
Time period 2 The auditor has As per ISA 560 para. 10:
After the date no obligation
[If ] … a fact becomes known to the auditor that, had it been
of the auditor’s to perform
any audit known to the auditor at the date of the auditor’s report, may have
report but before caused the auditor to amend the auditor’s report, the auditor shall:
the date that procedures
the financial regarding (a) Discuss the matter with management and, where
statements are the financial appropriate, those charged with governance;
issued statements
after the date (b) Determine whether the financial statements need
of the auditor’s amendment and, if so,
report (ISA 560
para. 10). It is (c) Enquire how management intends to address the matter in
management’s the financial statements
responsibility to When the financial statements are amended by management
identify these as a result of such events, the auditor shall carry out the audit
subsequent procedures that are necessary to obtain sufficient appropriate
events and audit evidence (ISA 560 para. 11(a)). Audit procedures in relation to
inform the subsequent events should be extended up to the revised date of the
auditor (ISA 560 auditor’s report (ISA 560 para. 11(b))
para. A11)
If facts become Impact on the auditor’s report
known to the Under ISA 560 para. 13(b), if the auditor’s report has been provided
auditor in this to the entity, the auditor shall notify management not to issue the
time period then financial statements to third parties before all ‘necessary amendments’
the auditor’s have been made
requirements
If the entity fails to amend the financial statements and makes them
are outlined in
available to third parties, the auditor has to take appropriate action to
ISA 560 para. 10
seek to ‘prevent reliance on the auditor’s report’. This course of action
by the auditor depends on the auditor’s legal rights and obligations
in the relevant jurisdiction – in such circumstances, the auditor would
normally seek legal advice (ISA 560 para. A16)

CC
subsequent
event occurs/
facts become
known to
auditor
Time period 3 The auditor has Similar to time period 2:

After the no obligation
[if ] … a fact becomes known to the auditor that, had it been
financial to perform
any audit known to the auditor at the date of the auditor’s report, may have
statements have caused the auditor to amend the auditor’s report, the auditor shall:
been issued procedures
regarding (a) Discuss the matter with management and, where
the financial appropriate, those charged with governance;
statements
(b) Determine whether the financial statements need
after the date
amendment; and,
of the auditor’s
report (ISA 560 if so,
para. 14) (c) Inquire how management intends to address the matter in
If facts become the financial statements
known to When the auditor determines that the financial statements need
the auditor amendment as a result of events occurring after the financial
in this time statements are issued, the auditor should request management recall
period, then the financial statements for revision, if they have not already done so
the auditor’s
If management amends the financial statements, the auditor would
requirements
then carry out audit procedures that are necessary in the circumstances
are outlined in
of the amendment to obtain sufficient appropriate audit evidence with
ISA 560 para. 14
regard to the subsequent event
Audit procedures in relation to subsequent events should be extended
up to the revised date of the auditor’s report (ISA 560 para. 15)
Impact on the auditor’s report

If management makes the necessary amendment to the financial
statements, the auditor should amend the auditor’s report or issue a
new auditor’s report to include an Emphasis of Matter (EOM) paragraph
or Other Matter (OM) paragraph that makes specific reference to a
note in the financial statements that discusses the reason for the
amendment of the previously issued financial statements and to the
auditor’s report provided by the auditor earlier (ISA 560 para. 16)
If management does not amend the financial statements, the auditor
takes appropriate action to ‘seek to prevent reliance on the auditor’s
report’ (ISA 560 para. 17)
Required reading
Activity 13.1: Understanding the auditor’s responsibilites relating to subsequent events


CC
Going concern
Learning outcome
3. Explain the going concern assumption.
Going concern assumption

There is an underlying assumption in the preparation of financial statements that they are
prepared on the going concern basis. This means that an entity will continue in business for
the foreseeable future and that the entity has neither the need nor the intention to liquidate or
curtail materially the scale of its operations.
It is important to understand that the going concern assumption is an assumption about the
future – that is, that the entity will be able to continue in business for a period that is at least,
but is not limited to, 12 months from the end of the reporting period (IAS 1 para. 26 and ISA 570
para. 13).
When using the going concern assumption, assets and liabilities are recorded on the basis that
the entity will be able to realise its assets and discharge its liabilities in the normal course of
business (ISA 570 para. 2).
If the entity intended, or needed, to curtail or liquidate its operations, the financial statements
may need to be prepared on a different basis. This basis would need to be disclosed and it may
impact on the recognition and measurement of assets and liabilities in the financial statements
(IAS 1 para. 25, ISA 570 para. 2).
Management’s responsibilities relating to the going concern assumption

When preparing financial statements, management is responsible for assessing an entity’s
ability to continue as a going concern and hence whether the going concern assumption is
appropriate (IAS 1 para. 25.)
In addition, there may be local regulatory requirements related to this. For example, in Australia
entities that prepare financial statements under the Corporations Act 2001 (Cth) (Corporations
Act) also need to make an explicit declaration that the entity will be able to comply with its
financial obligations as and when they fall due (s. 295(4)(c) Corporations Act). New Zealand’s
Companies Act 1993 has a similar requirement that a company satisfies the solvency test
immediately after certain types of transactions occur.
Required reading
ISA 570 paras 2 and 13.


CC
Auditor’s responsibilities relating to management’s use of the

going concern assumption
Learning outcome
4. Demonstrate the auditor’s responsibilities relating to management’s use of the going concern
assumption.
ISA 570 outlines the auditor’s responsibilities relating to management’s use of the going concern
assumption, which includes:
•• Obtaining sufficient appropriate audit evidence regarding the appropriateness of
management’s use of the going concern assumption (ISA 570 para. 9(a)).
•• Concluding, based on the audit evidence obtained, whether a material uncertainty exists
that may cast significant doubt on the entity’s ability to continue as a going concern
(ISA 570 para. 9(b)).
•• Determining the implications for the auditor’s report (ISA 570 para. 9(c)).
An auditor needs to assess the entity’s ability to continue as a going concern throughout the
three phases of the audit process (risk assessment, risk response and reporting). The procedures
the auditor should undertake in the risk assessment and risk evaluation phases are discussed
below. The auditor’s responsibilities in the reporting phase are discussed in the next section of
this unit.
Required reading
ISA 570 paras 1, 6 and 9.

CC
Assessing the going concern assumption during the risk assessment phase
When performing risk assessment procedures (as discussed in the unit on analysing audit risks,
financial statement assertions and initial audit engagements), the auditor should consider the
entity’s ability to continue as a going concern. The procedures undertaken by the auditor will
vary depending on whether management has already performed a preliminary assessment of
the appropriateness of the going concern assumption, as outlined in the diagram below (see
ISA 570 para. 10):
Any events that may Has management Identify any

cast significant doubt performed a preliminary events/conditions and
on entity’s ability to ASK assessment of the entity’s YES obtain management’s
continue as a going ability to continue as a action plans in
concern? going concern? response
NO
Discuss existence of any Evaluate

events/conditions with management’s plan of
management and obtain action and/or
their response supporting
documentation
Remain alert throughout audit for evidence of Conclude if a material

events/conditions that may cast significant doubt on uncertainty exists or if
entity’s ability to continue as a going concern the use of the going
concern assumption is
inappropriate
Source: Australian audit manual and toolkit 2015 for small and medium sized entities, Exhibit 12.2-1, p. 183.
Note: The auditor’s obligation to assess the going concern assumption is not limited to the risk
assessment phase. The auditors have an obligation throughout the audit to remain vigilant to
the possibility of conditions or events that could ‘cast significant doubt on the entity’s ability to
continue as a going concern’ (ISA 570 para. 11).
Required reading


CC
Indicators of going concern problems

Going concern problems can occur as a result of a particular event or can emerge over a period
of time due to a combination of internal and external factors. It is important for the auditor to
assess events or conditions that may cast doubt on an entity’s ability to continue operating.
ISA 570 para. A2 provides examples of events or conditions that, separately or together, may
cast significant doubt about the going concern assumption. This list is not all‑inclusive, nor does
the existence of one or more of these events always signify that a material uncertainty exists.
The examples are indicators that further evaluation and procedures need to be conducted.
Indicators of going concern problems
Types of indicators ISA 570 para. A2 examples
Financial indicators •• Net liability or net current liability position

•• Fixed-term borrowings approaching maturity without realistic prospects of renewal
or repayment; or excessive reliance on short-term borrowings to finance long-term
assets
•• Indications of withdrawal of financial support by creditors
•• Negative operating cash flows indicated by historical or prospective financial
statements
•• Adverse key financial ratios
•• Substantial operating losses or significant deterioration in the value of assets used to
generate cash flows
•• Arrears or discontinuance of dividends
•• Inability to pay creditors on due dates
•• Inability to comply with the terms of loan agreements
•• Change from credit to cash-on-delivery transactions with suppliers
•• Inability to obtain financing for essential new product development or other essential
investments
Operating indicators •• Management intends to liquidate the entity or to cease operations

•• Loss of key management without replacement
•• Loss of a major market, key customer(s), franchise, licence, or principal supplier(s)
•• Labour difficulties
•• Shortages of important supplies
•• Emergence of a highly successful competitor
Other indicators •• Non-compliance with capital or other statutory requirements

•• Pending legal or regulatory proceedings against the entity that may, if successful,
result in claims that the entity is unlikely to be able to satisfy
•• Changes in law or regulation or government policy expected to adversely affect the
entity
•• Uninsured or underinsured catastrophes when they occur
Required reading
Assessing the going concern assumption during the risk response phase
If events/conditions that ‘cast significant doubt’ over the entity’s ability to continue as a going
concern have been identified during the audit, the auditor must obtain sufficient appropriate
audit evidence to determine whether or not a material uncertainty does exist (ISA 570 para. 16).
Events or conditions that may cast doubt on the going concern assumption can often
be mitigated by other factors. For example, the effect of an entity being unable to make its
normal debt repayments may be counterbalanced by management’s plan to maintain adequate
cash flows by disposing of assets, obtaining additional capital or rescheduling loan repayments.

CC
When the auditor identifies going concern events/conditions, the next steps are to:
•• Ask management about its assessment of the entity’s ability to continue as a going concern
(ISA 570 para. 16(a)).
•• Evaluate management’s plans for ‘future actions’ relating to the going concern assessment
and assess ‘whether the outcome of these plans is likely to improve the situation’ and the
plans are ‘feasible in the circumstances’ (mitigating factors) (ISA 570 para. 16(b)).
Additional audit procedures to perform when going concern is in doubt

Where a cash flow forecast is used in management’s assessment of going concern, the auditor
must evaluate the reliability of the data and the level of support for assumptions that underlie
the forecast (ISA 570 para. 16(c)).
The auditor should also consider any additional facts or information that have become available
since management made its assessment, and obtain written representations from management
regarding their plans for action in response, as well as the feasibility of these plans (ISA 570
paras 16(d) and (e)).
When evaluating management’s plans – including assessing any mitigating factors – relating
to the going concern assessment, the auditor should consider the audit evidence they would
require to determine whether or not a material uncertainty regarding the going concern
assumption exists. Examples of additional audit procedures that may be relevant are outlined in
ISA 570 para. A15.
These procedures include:
• Analyzing and discussing cash flow, profit and other relevant forecasts with management.
• Analyzing and discussing the entity’s latest available interim financial statements.
• Reading the terms of debentures and loan agreements and determining whether any have been
breached.
• Reading minutes of the meetings of shareholders, those charged with governance and relevant
committees for reference to financing difficulties.
• Inquiring of the entity’s legal counsel regarding the existence of litigation and claims and the
reasonableness of management’s assessments of their outcome and the estimate of their financial
implications.
• Confirming the existence, legality and enforceability of arrangements to provide or maintain

financial support with related and third parties and assessing the financial ability of such parties to
provide additional funds.
• Confirming the existence, terms and adequacy of borrowing facilities.
• Determining the adequacy of support for any planned disposals of assets.
Required reading
Worked example 13.2: Assessing the going concern assumption


CC
Impact of going concern uncertainty on the auditor’s report
Learning outcome
5. Determine the implications for the auditor’s report in the context of going concern
considerations.
Based on the audit evidence obtained in the risk assessment and risk response phases, the
auditor should consider whether:
•• In the auditor’s judgement, a material uncertainty exists ‘that may cast significant doubt on
the entity’s ability to continue as a going concern’ (ISA 570 para. 17).
•• Management’s use of the going concern assumption is appropriate.
•• The financial statements fully describe any going concern events/conditions and disclose
any material uncertainty.
The auditor must consider not just whether management’s use of the going concern assumption
is appropriate but also whether a material uncertainty regarding the entity’s ability to continue
as a going concern exists and has been appropriately disclosed to the users of the financial
statements.
A material uncertainty exists when non-disclosure of the:
•• magnitude of an event or condition’s potential impact, and the
•• likelihood of the event or condition occurring
will lead to financial statements being misleading or impair their fair presentation (ISA 570
para. 17).
If the auditor concludes that management’s use of the going concern assumption is appropriate
and no material uncertainty exists, they would then express an unmodified opinion. However,
if a material uncertainty exists, the appropriateness and adequacy of its disclosure in the
financial statements has implications for the auditor’s report (ISA 570 paras 19 and 20).
The following table illustrates the implications for the auditor’s report of the auditor’s
assessment of management’s use of the going concern assumption and material uncertainty:
Impact of going concern and material uncertainty on the auditor’s report
Management’s use Material Adequate and Implication for the auditor’s

of going concern uncertainty exists appropriate report
assumption disclosure of material
uncertainty
Appropriate No Not required Unmodified audit opinion
Appropriate Yes Yes Unmodified audit opinion –

include an EOM paragraph in
the auditor’s report to highlight
the existence of a material
uncertainty and draw attention to
the note disclosure
(ISA 570 para. 19)
Appropriate Yes No Qualified or adverse audit opinion

(ISA 570 para. 20)
Inappropriate – – Adverse audit opinion

(ISA 570 para. 21)

CC
The following diagram shows the relationship between going concern considerations and types
of audit opinions and other implications on the auditor’s report:
Does the risk assessment identify Do the results of other

any events or conditions that may audit procedures
cast significant doubt on the support the risk Unmodified
NO YES
entity’s ability to continue as a assessment? opinion
going concern? (ISA 570 paras 10
(ISA 570 para. 10) and 11)
YES NO
Qualified or
Disclaimer of
Can the auditor obtain, through Is the lack of sufficient Opinion (Limitation
additional audit procedures appropriate audit YES of Scope)
(including considerations of evidence due to
(ISA 570 para. A27)
mitigating factors), sufficient management
appropriate audit evidence to NO unwilling to make, or
determine whether a material extend, their going Refer ISA 705 to
uncertainty exists? concern assessment? determine
NO
(ISA 570 para. 16) (ISA 570 para. 22) implications
(ISA 705 para. 13)
YES
Do additional procedures confirm

the existence of a material Unmodified
uncertainty? NO
opinion
(ISA 570 para. 16)
YES
Is management’s use of the Has management Adverse opinion

going concern assumption prepared the financial (going concern basis
appropriate? NO YES inappropriate)
report on a going
(ISA 570 para. 18) concern basis? (ISA 570 para. 21)
NO
Unmodified opinion
with Emphasis of
Matter paragraph
Is there adequate YES
disclosure in the (ISA 570 para. A26)
YES financial statements
of the alternative Refer ISA 705
NO
basis? to determine
implications
Unmodified opinion
with Emphasis of
Matter paragraph
Is there adequate disclosure of YES (ISA 570 para. 19)
the material uncertainty in the
financial statements?
(ISA 570 para. 18) NO Qualified or Adverse
opinion (inadequate
disclosure)
(ISA 570 para. 20)
Adapted from: ASA 570 Appendix 1.

CC
Required reading
ISA 570 paras 17–22, A19–A20 and A25–A27.

Worked example 13.3: Assessing material uncertainty in relation to going concern and audit
reports
Activity 13.2: Assessing going concern and its impact on the auditor’s report

13.1: Subsequent events (ISA 560)
13.2: Going concern (ISA 570)
Quiz

Readings

Standards.
Required reading
Relevant International Accounting Standards, Auditing Standards and national equivalents
IAS 10 Events after the Reporting AASB 110 Events after the Reporting NZ IAS 10 Events after the Reporting
Period Period Period
•• Paragraphs 3, 8, 10, 12 and •• Paragraphs 3, 8, 10, 12 and •• Paragraphs 3, 8, 10, 12 and
17–22 17–22 17–22
ISA 560 Subsequent Events ASA 560 Subsequent Events ISA (NZ) 560 Subsequent Events
ISA 570 Going Concern ASA 570 Going Concern ISA (NZ) 570 Going Concern
•• Paragraphs 1–2, 6, 9–22, A2–A6, •• Paragraphs 1–2, 6, 9–22, A2–A6, •• Paragraphs 1–2, 6, 9–22, A2–A6,
IAS 1 Presentation of Financial AASB 101 Presentation of Financial NZ IAS 1 Presentation of Financial
Statements Statements Statements

Further reading

References
for small and medium sized entities, 5th edn, Thomson Reuters (Professional) Australia Limited,
Sydney.


ACT
Activity 13.1
Understanding auditor’s responsibilities
relating to subsequent events
Introduction
This activity demonstrates the process that an auditor would follow in assessing subsequent
events and whether the financial statements need amendment as a result of those events.
•• Apply the ‘Events after the Reporting Period’ Accounting Standard in relation to subsequent
•• Discuss and explain the auditor’s responsibilities relating to subsequent events.
At the end of this activity, you will be able to identify subsequent events and determine the
impact of those events on the financial statements, in accordance with IAS 10 Events after the
Reporting Period (IAS 10) and ISA 560 Subsequent Events (ISA 560).
Scenario
You are the audit senior at AMPT, the external auditor of Nirvana Mining (Nirvana), an entity
involved in iron ore supply. Nirvana enters into ongoing contracts to purchase iron ore with
mineral dealers ensuring a sufficient supply of materials to sustain production. The cost of
these contracts is recognised at the point of shipment and is based on the percentage of mineral
content in the ore. For example, a 60% mineral content will cost $600 per kilogram, and 70% will
cost $700 per kilogram.
Nirvana has a 30 June 20X3 reporting date. You are aware of the following independent and
material events that have occurred in relation to Nirvana:
Event Description
1 On 10 June 20X3, Nirvana entered into a contract with Rough Diamond, a mineral dealer. The
minerals were shipped on 28 June 20X3. At the time of the shipment, the mineral content of the ore
was estimated to be 70%, and the liability calculated accordingly
However, when the shipment was received on 15 July 20X3, the mineral content was found to be
80%, resulting in the liability being understated
2 On 17 July 20X3, a plant owned by Nirvana was damaged by fire, resulting in a 20% cut to its
production for the next three months until the damaged plant can be replaced
3 On 28 July 20X3, Nirvana received notice that one of its customers was taking legal action in relation
to a warranty claim involving the quality of goods purchased in May 20X3. Nirvana informed AMPT of
significant problems with the goods on 26 June 20X3, when AMPT was undertaking some initial audit
procedures in respect of the 30 June 20X3 audit
4 On 7 August 20X3, Nirvana informed you that the government had imposed a tax on all iron ore
transactions. The tax is effective from 1 September 20X3

ACT
Other important dates

The financial statements were authorised for issue on 30 July 20X3 when the directors’
declaration and the auditor’s report were signed. Financial statements were released to
shareholders on 15 August 20X3.
Tasks
•• Assess how each of the four events would impact Nirvana’s 30 June 20X3 financial
statements, if at all.
•• Outline the auditor’s role in communicating any amendments required in the financial
statements.
•• Design appropriate audit procedures for each event which would provide you with
sufficient appropriate audit evidence to ensure that any required amendments to Nirvana’s
financial statements are in accordance with the financial reporting framework.

ACT
Activity 13.2
Assessing going concern assumption and its
impact on the auditor’s report
Introduction
As part of the audit process, under ISA 570 Going Concern (ISA 570) the auditor needs to obtain
sufficient appropriate audit evidence regarding the appropriateness of management’s use of the
going concern assumption in the preparation and presentation of the financial statements, and
to conclude whether there is a material uncertainty about the entity’s ability to continue as a
going concern.
•• Demonstrate the auditor’s responsibilities relating to management’s use of the going
concern assumption.
•• Determine the implications for the auditor’s report in the context of going concern
considerations.
At the end of this activity, you will be able to assess management’s use of the going concern
assumption in the preparation of the financial statements and understand its impact on the
audit opinion, in accordance with ISA 570.
Scenario
You are a senior accountant at ABC Accounting (ABC) and are currently working on the 30 June
20X3 audits of two different clients, Frenetic and Stonecraft. Consider each of the following
independent and material situations that have occurred within the two businesses.
Frenetic
Frenetic is an events management company that has incurred significant losses over the past
four years. As at 30 June 20X3, the company’s financial statements showed a net current liability
position. ABC is very concerned about the financial position of Frenetic; however, Frenetic’s
directors have provided ABC with updated forecasts and projections showing a return to
profitability and a positive net asset position in the year to 30 June 20X4.
ABC is not convinced that the forecasted positive financial position is achievable, and believes
that Frenetic’s future viability is dependent on the continued financial support of its parent
company. At the date of signing the auditor’s report, the parent company has provided Frenetic
with a written guarantee of its continued financial support, and this has been disclosed by the
directors of Frenetic in a note to the 30 June 20X3 financial statements.

ACT
Stonecraft
Stonecraft is an importer of high-quality natural stone, which is used to manufacture custom-
made stone benchtops for use in domestic kitchens and bathrooms. Over the past 12 months,
Stonecraft has been experiencing a gradual decline in profitability.
Your investigations after the year end reveal the existence of a key local competitor that
is substantially underpricing Stonecraft in order to gain a larger market share. Further
investigations reveal that, on 1 July 20X3, the government passed legislation imposing severely
restrictive import quotas on the amount of natural stone allowed into the country. As a result,
Stonecraft’s current inventories of natural stone are insufficient to cover existing orders.
Stonecraft’s management believes that the depressed economy is the sole reason for the current
poor results, and that the quality of its products will be sufficient to maintain demand in the
future. The directors of Stonecraft have not adequately disclosed their difficulties described
above in the 30 June 20X3 financial statements, and have prepared the financial statements on a
going concern basis. ABC believes that Stonecraft will have to liquidate the business within the
next financial year.
Tasks
1. Discuss whether there are conditions that may cast significant doubt on Frenetic and
Stonecraft’s ability to continue as a going concern.
2. Identify any mitigating factors.
3. Assess the use of the going concern assumption by the management of both Frenetic and
Stonecraft and determine the implications for the auditor’s report for the 30 June 20X3
financial statements, if any.

CC
Core content
Unit 14: Reviewing the financial statements
and audit results
Learning outcomes
1. Demonstrate the use of final analytical procedures in the audit of financial statements.
2. Explain and demonstrate how an auditor obtains an understanding of related party
relationships and transactions.
3. Demonstrate how to obtain sufficient appropriate audit evidence about comparative
information included in the financial statements.
4. Explain the auditor’s responsibilities in relation to other information in documents
containing audited financial statements.
5. Describe and apply the steps involved in communicating appropriately to those charged
with governance and management.
Introduction
The final stage of the audit process is the reporting stage, where the auditor evaluates the
evidence obtained and prepares the auditor’s report. This unit discusses the responsibilities
of the auditor in the final stages of gathering and evaluating evidence, prior to preparing the
auditor’s report. Some of these responsibilities were discussed in the previous units of the Audit
& Assurance module, including the unit on appropriateness of the going concern assumption.
This unit focuses on some of the other specific responsibilities of the auditor in the final stage of
the audit process, as outlined in the following Auditing Standards:
• ISA 710 Comparative Information – Corresponding Figures and Comparative Financial Statements

(ISA 710).
•• ISA 720 The Auditor’s Responsibilities Relating to Other Information in Documents Containing
Audited Financial Statements (ISA 720).
This unit also discusses the following Accounting Standards:

•• IAS 1 Presentation of Financial Statements (IAS 1).
•• IAS 24 Related Party disclosures (IAS 24).
aaa11614_csg

CC
The unit concludes with a discussion regarding the auditor’s responsibilities in communicating
the results of audit procedures, including any deficiencies in internal controls and
misstatements identified.
Final analytical procedures
Learning outcome
1. Demonstrate the use of final analytical procedures in the audit of financial statements.
At the final stage of an audit, before the auditor’s report is issued, the auditor needs to review
the financial statements in order to ensure they are consistent with the auditor’s understanding
of the entity. Using analytical procedures to do this is an efficient way to identify any
inconsistencies when forming the overall conclusion.
Objectives of final analytical procedures

Undertaking analytical procedures in the final stages of the audit assists the auditor ‘when
forming an overall conclusion as to whether the financial statements are consistent with the
auditor’s understanding of the entity’ (ISA 520 para. 6).
As per ISA 520 paras A17–A19, final analytical procedures are intended to:
•• Identify a previously unrecognised risk of material misstatement.
•• Corroborate conclusions formed during the audit on individual components or elements of
•• Assist in arriving at a reasonable conclusion on which to base the auditor’s opinion.
Performing final analytical procedures

The analytical procedures performed at the final stage of the audit are similar to those used
for risk assessment and substantive procedures in the earlier stages of the audit process, as
discussed in the unit on responding to assessed risks – substantive testing. These procedures
commonly include:
•• Comparing recorded amounts to expectations developed as a result of undertaking the
audit.
•• Calculating ratios and assessing whether they are in line with the auditor’s understanding
of the entity.
In performing these procedures, the auditor assesses if any fluctuation or variation

to expectations is of a significant amount that would require the auditor to undertake further
investigations (ISA 520 para. 7).
Investigating the results of final analytical procedures

The conclusions drawn from final analytical procedures are intended to corroborate conclusions
formed during the audit. If, in performing these procedures, new risks or unexpected
relationships between data are identified, the auditor needs to investigate any significant
differences. As per ISA 520 para. A16, the ‘auditor’s determination of the amount of difference
from the expectation that can be accepted without further investigation is influenced by
materiality ...’
Under ISA 520 para. 7, the investigation of such differences will require:
(a) Inquiring of management and obtaining appropriate audit evidence relevant to management’s
responses; and
(b) Performing other audit procedures as necessary in the circumstances. (Ref: Para. A20–A21)

CC
Required reading
ISA 520.
Worked example 14.1: Using final analytical procedures

Related party relationships
Learning outcome
2. Explain and demonstrate how an auditor obtains an understanding of related party
Related party relationships, by nature, are not independent relationships. This means that
there is potentially more risk of material misstatement in related party transactions than in
transactions involving unrelated parties. Accordingly, the International Accounting Standards
Board (IASB) has issued specific requirements for related party transactions, which are
contained in IAS 24.
Throughout the audit process, the auditor has a responsibility to consider related party
relationships, as well as transactions between related parties. ISA 550 addresses these
responsibilities at the various stages of the audit process.
In the risk assessment phase of the audit process (as discussed in the unit on analysing audit
risks – fraud), the auditor is required to undertake procedures to understand the entity’s related
party relationships and transactions when evaluating fraud risk factors, as fraud is more easily
committed through related parties. Additionally, during the risk response and reporting phases,
the auditor is required to identify related parties or significant related party transactions that
management has not previously identified or disclosed to the auditor (ISA 550 para. 21).
This unit focuses on the auditor’s specific responsibility for identifying, assessing and
responding to the risks of material misstatement arising from an entity’s failure to properly
account for or disclose related party relationships, transactions or balances in accordance with
the accounting framework (ISA 550 para. 3).
Identifying related party relationships and transactions

ISA 550 refers the definition of ‘related party’ to that defined in the ‘applicable financial
reporting framework’ (ISA 550 para. 10(b)(i)). IAS 24 para. 9 defines a ‘related party’ as:
… a person or entity that is related to the entity that is preparing its financial statements (in this
Standard referred to as the ‘reporting entity’).
(a) A person or a close member of that person’s family is related to a reporting entity if that person:
(i) has control or joint control of the reporting entity;
(ii) has significant influence over the reporting entity; or
(iii) is a member of the key management personnel of the reporting entity or of a parent of the
reporting entity.
(b) An entity is related to a reporting entity if any of the following conditions applies:
(i) The entity and the reporting entity are members of the same group (which means that each
parent, subsidiary and fellow subsidiary is related to the others).
(ii) One entity is an associate or joint venture of the other entity (or an associate or joint venture of
a member of a group of which the other entity is a member).

CC
(iii) Both entities are joint ventures of the same third party.
(iv) One entity is a joint venture of a third entity and the other entity is an associate of the third
entity.
(v) The entity is a post-employment benefit plan for the benefit of employees of either the
reporting entity or an entity related to the reporting entity. If the reporting entity is itself such
a plan, the sponsoring employers are also related to the reporting entity.
(vi) The entity is controlled or jointly controlled by a person identified in (a).
(vii) A person identified in (a)(i) has significant influence over the entity or is a member of the key
management personnel of the entity (or of a parent of the entity).
The following are other definitions in IAS 24 para. 9 that are needed to identify related parties:
Close members of the family of a person are those family members who may be expected to influence,
or be influenced by, that person in their dealings with the entity and include:
(a) that person’s children and spouse or domestic partner;
(b) children of that person’s spouse or domestic partner; and
(c) dependants of that person or that person’s spouse or domestic partner.
and
Key management personnel are those persons having authority and responsibility for planning,
directing and controlling the activities of the entity, directly or indirectly, including any director
(whether executive or otherwise) of that entity.
IAS 24 para. 9 defines a ‘related party transaction’ as:

… a transfer of resources, services or obligations between a reporting entity and a related party,
regardless of whether a price is charged.
It is important to note that it is the substance of the relationships between parties that
determines whether they are related, and not merely the legal form (IAS 24 para. 10). A party
that is related to an entity can be either an individual or another entity.
Throughout the audit, the auditor must remain alert for related party information.
Required reading
ISA 550 paras 2–10 and 20–21.
Responding to previously unidentified or undisclosed related parties

or transactions
As discussed in the earlier unit on analysing audit risks – fraud, the engagement team has an
obligation to identify an entity’s related parties, including changes from prior periods, and
to identity any related party transactions. If the auditor subsequently confirms that there are
related parties or significant related party transactions that have not previously been identified
or disclosed to them, then the auditor is required to determine whether the underlying
circumstances confirm the existence of those relationships or transactions (ISA 550 para. 21).
ISA 550 para. 22 requires the auditor to:
1. Promptly communicate this to other members of the audit team (ISA 550 para. 22(a))
to enable them to determine if this impacts on the results of, and conclusions drawn from,
the procedures performed, and whether risks need to be reassessed (ISA 550 para. A35).
2. Request management to provide a list of all transactions with the newly identified related
party (ISA 550 para. 22(b)(i)).
3. Enquire as to why the related party relationship or transaction was not disclosed (ISA 550
para. 22(b)(ii)).

CC
4. Perform substantive audit procedures, as appropriate, on the newly identified related
parties and transactions (ISA 550 para. 22(c)). This may include (ISA 550 para. A36):
•• Making enquiries regarding the nature of the relationship with the related party.
•• Reviewing accounting records for transactions with the related party.
•• Verifying the terms and conditions of the related party transactions.
5. Assess the risk that there may be further unidentified or undisclosed related parties or
transactions, and perform additional audit procedures as necessary (ISA 550 para. 22(d)).
6. Consider the possibility that the non-disclosure was intentional and evaluate any
implications for the audit (ISA 550 para. 22(e)).
Required reading
Related party transactions outside the normal course of business

The auditor has a responsibility to specifically consider related party transactions outside the
entity’s normal course of business, to evaluate the business rationale of the transactions, and to
determine whether they have been appropriately authorised and approved, accounted for and
disclosed in the financial statements (ISA 550 para. 23).
Required reading
Evaluating the accounting for and disclosure of related party relationships and
transactions
The auditor’s obligations regarding the presentation of related party relationships and
transactions in the financial statements are set out in ISA 550 paras 24–28. These obligations
include:
•• Where management discloses a particular related party transaction as an ‘arm’s length’
transaction, the auditor is required to obtain evidence to assess that assertion (ISA 550
para. 24).
•• When forming an opinion on the financial statements, the auditor must assess whether:
–– The identified related party relationships and transactions have been properly
accounted for and disclosed in accordance with the requirements of IAS 24.
–– The related party relationships and transactions prevent the financial statements from
‘achieving fair presentation’ or cause them to be misleading (ISA 550 para. 25).
In making this assessment, the auditor evaluates whether a misstatement is material. In the case
of related parties, the auditor must consider both the size and the nature of the misstatement,
and the particular circumstances of its occurrence, due to the interest in, and specific
requirements that can relate to, the related party transactions.
A written representation from management and, where appropriate, those charged
with governance, stating that they have disclosed and accounted for all the related party
relationships and transactions, as required by IAS 24, is also required as part of finalising the
audit (ISA 550 para. 26).
The auditor has the responsibility to communicate to those charged with governance any
significant matter in connection with related parties that have arisen over the course of the audit
(ISA 550 para. 27).

CC
Required reading
Worked example 14.2: Identify related party relationships and transactions

Activity 14.1: Responding to risks of material misstatement associated with related party
relationships and transactions

CC
Comparative information
Learning outcome
3. Demonstrate how to obtain sufficient appropriate audit evidence about comparative
information included in the financial statements.
The provision of comparative information relating to one or more prior periods is a common
financial reporting requirement, although the nature of the comparative information presented
in an entity’s financial statements depends on the requirements of the applicable financial
reporting framework. The main requirement to include comparative information in a set of
financial statements is included in IAS 1, which states:
Except when IFRSs permit or require otherwise, an entity shall present comparative information in
respect of the preceding period for all amounts reported in the current period’s financial statements. An
entity shall include comparative information for narrative and descriptive information if it is relevant to
understanding the current period’s financial statements. (IAS 1 para. 38)
An entity shall present, as a minimum, two statements of financial position, two statements of profit
or loss and other comprehensive income, two separate statements of profit or loss (if presented), two
statements of cash flows and two statements of changes in equity, and related notes. (IAS 1 para. 38A)
An entity shall present a third statement of financial position as at the beginning of the preceding
period in addition to the minimum comparative financial statements required in paragraph 38A if:
(a) it applies an accounting policy retrospectively, makes a retrospective restatement of items in its
financial statements or reclassifies items in its financial statements; and
(b) the retrospective application, retrospective restatement or the reclassification has a material effect
on the information in the statement of financial position at the beginning of the preceding period.
(IAS 1 para. 40A)
Requirements requiring the restatement of comparatives in specific circumstances are

included in IAS 8 Accounting Policies, Changes in Accounting Estimates and Errors (IAS 8). These
requirements deal with changes in accounting policies and the correction of material errors:
•• Accounting policies – as discussed in IAS 8 paras 19, 22 and 23, generally a change
in accounting policy is applied retrospectively. The opening balance of each affected
component for the earliest prior period presented and the other comparative amounts
disclosed are presented as if the new accounting policy had always been applied
(IAS 8 para. 22).
•• Errors – as discussed in IAS 8 paras 42–43, an entity shall correct material prior period
errors retrospectively in the first set of financial statements after their discovery by restating
the comparative amounts for the prior period(s) presented.
ISA 710 outlines the auditor’s responsibilities, in accordance with the relevant laws, regulations
and the terms of the engagement, in relation to comparative information in an audit of financial
statements.
Even when the auditor is not appointed for the corresponding period, they still have
responsibilities relating to that corresponding period, in addition to the requirements and
guidance in ISA 510 Initial Audit Engagements – Opening Balances (ISA 510). These responsibilities
were discussed in the earlier unit on analysing audit risks, financial statement assertions and
initial audit engagements.
Audit procedures relating to comparative information

During the opinion formulation and reporting stage of the audit, the auditor is required to
‘obtain sufficient appropriate audit evidence about whether the comparative information
included in the financial statements has been presented … in accordance with the requirements
for comparative information in the applicable financial reporting framework’ (ISA 710 para. 5).
In Australia and New Zealand, prior period financial information is included in the financial
statements in accordance with the financial reporting framework.

CC
The audit procedures relating to comparative information are summarised as follows:
Task/situation Procedures
Obtain necessary Evaluate whether:

audit evidence
•• The comparative information agrees with the amounts and other disclosures
presented in the prior period financial statements (ISA 710 para. 7(a))
•• The accounting policies reflected in the comparative information are consistent
with those applied in the current period, or, if there have been changes in
accounting policies, whether those changes have been properly accounted for,
presented and disclosed (ISA 710 para. 7(b))
When the auditor •• Perform ‘additional audit procedures as are necessary in the circumstances … to
becomes aware determine whether a material misstatement exists’ (ISA 710 para. 8)
of a potential •• Where the prior period financial statements are amended, confirm that the
misstatement in comparative information agrees with the amended financial statements (ISA 710
the comparative para. 8)
information during the
current audit
Obtain written Request written representations for all periods referred to in the auditor’s opinion.
representations This would include ‘specific written representation regarding any restatement made
to correct a material misstatement’ in the prior period financial statements (ISA 710
para. 9)
Approaches to comparative information – corresponding figures and

comparative financial statements
There are two broad approaches regarding comparative information – corresponding figures
and comparative financial statements:
Approach Explanation
Corresponding Amounts and other disclosures for the prior period are included as an integral part of the
figures current period’s financial statements, and are intended to be read only in relation to the
current period (ISA 710 para. 6(b))
The auditor’s opinion refers only to the current period, except in the circumstances described
in ISA 710 paras 11, 12 and 14 (ISA 710 para. 10)
As stated in ISA 710 para. A2:
The auditor’s opinion does not refer to the corresponding figures because the
auditor’s opinion is on the current period financial statements as a whole, including
the corresponding figures.
Comparative Amounts and other disclosures for the prior period are included for comparison with the
financial financial statements of the current period but, if audited, are referred to separately in the
statements auditor’s opinion. The level of information included in the comparative financial statements is
comparable with that of the current period (ISA 710 para. 6(c))
The auditor’s opinion refers to each period for which financial statements are presented
(ISA 710 para. 15)
As prior period financial information is not generally referred to in an auditor’s report

on financial statements in Australia and New Zealand, comparative information is generally
treated as ‘corresponding figures’ in Australia and New Zealand. This approach will be the
focus of this unit.

CC
Corresponding figures
As the prior period amounts and other disclosures for the prior period are included as an
integral part of the current period financial statements, the auditor’s opinion refers to the
current period only, except in the specific circumstances noted below (ISA 710 para. 10):
Situation Implication for the auditor’s opinion on the current

period’s financial statements
The prior period auditor’s report includes a qualified Modify the auditor’s opinion on the current period’s
opinion, a disclaimer of opinion or an adverse opinion, financial statements (ISA 710 para. 11)
and the matter that gave rise to the modification is
unresolved
The auditor identifies a material misstatement Express a qualified or adverse opinion on the
in the prior period financial statements on which an current period financial statements regarding the
unmodified auditor’s opinion has been issued, and corresponding figures (ISA 710 para. 12)
the corresponding figures have not been properly
restated, or appropriate disclosures have not yet been
made
Prior period financial statements are not audited In an Other Matter (OM) paragraph in the auditor’s
report, state that the corresponding figures are
unaudited
Obtain ‘sufficient appropriate audit evidence that
the opening balances do not contain misstatements
that materially affect the current period’s financial
statements’, in accordance with ISA 510 (ISA 710
para. 14)
Where the prior period figures were audited by another firm, and the auditor is not prohibited
by law or regulation from referring to the predecessor’s auditor’s report and decides to make
such a reference, the auditor would state the following in an OM paragraph in the auditor’s
report (ISA 710 paras 13 and A7):
•• That the financial statements of the prior period were audited by the predecessor auditor.
•• The type of opinion expressed by the predecessor auditor and, if the opinion was modified,
the reasons it was modified.
•• The date of that auditor’s report.
Required reading
IAS 1 paras 38-40D.
IAS 8 paras 19–23 and 42–44.

Worked example 14.3: Determining if comparative information has been appropriately

presented

CC
The auditor’s responsibilities relating to other information in

documents containing audited financial statements
Learning outcome
4. Explain the auditor’s responsibilities in relation to other information in documents containing
audited financial statements.
When an entity publishes additional information within documents containing the audited
financial statements (e.g. narrative reports from directors or analysts, or charts, graphs and
tables included in an annual report to shareholders), this places additional responsibilities on
the auditor of those financial statements. Generally, unless there is a specific requirement in an
audit engagement, the audit opinion does not cover such other information and the auditor has
no specific responsibility for determining whether it is fairly stated (ISA 720 para. 1). However,
the auditor does have an obligation to read the other information in order to identify any
information that would undermine the credibility of the financial statements and the auditor’s
report. ISA 720 outlines how the auditor should respond in such circumstances.
‘Other information’ in audited financial statements

‘Other information’ is defined in ISA 720 para. 5 as financial and non-financial information
(other than the financial statements) included in documents that contain the audited financial
statements and the auditor’s report thereon.
Australian considerations
In Australia, s. 295 Corporations Act 2001 (Cth) (Corporations Act) states that audited financial
statements (report) should include:
•• Financial statements for the year.
•• Notes to the financial statements (including notes required by Accounting Standards and
other information necessary to give a true and fair view).
•• The directors’ declaration about the statements and notes.
New Zealand considerations

In New Zealand, the contents of audited financial statements of a reporting entity is defined
by the Financial Reporting Act 1993 and the Financial Markets Conduct Act 2013, depending on
which Act the entity reports under. Both Acts require financial statements that comply with
Generally Accepted Accounting Practice. This includes:
•• A statement of financial position.
•• A statement of financial performance.
•• A statement of cash flows.
•• Other notes and information related to the above.
Other information may include information required by law, regulation or custom (ISA 720
para. 5(a)). Examples include:
•• Annual reports.
•• Prospectuses.
•• Financial summaries or highlights.
•• Financial ratios.
•• Names of officers and directors.

CC
The definition of ‘other information’ in the context of ISA 720, which the auditor is required to
read, does not include press releases, information contained in analyst briefings or information
contained on an entity’s website (ISA 720 paras A3–A4).
Required reading
ISA 720 paras 1–5(a), 6–7 and A1–A5.
Changes to the auditor’s responsibilities relating to other information

The IAASB has revised the auditor’s responsibilities for reporting on the financial and non-
financial information contained in financial reports, other than the audited financial statements,
through the release of ISA 720 (Revised) The Auditor’s Responsibilities Relating to Other Information
(ISA 720 (Revised)). The objective of the revised Standard is to ensure that it appropriately
reflects the context of current financial reporting environment, and that it continues to enhance
the credibility of financial statements.
ISA 720 (Revised) specifies and clarifies the auditor’s responsibilities relating to other financial
or non-financial information included in the entity’s annual report (other than financial
statements and the related auditor’s report). The Standard is applicable for audits of financial
statements for periods ending on or after 15 December 2016.
A summary of the changes highlighting key aspects of the ISA 720 (Revised) was outlined in an
April 2015 edition of the IAASB’s publication At a Glance.

Inconsistencies
One of the purposes of the requirement for the auditor to read the other information is so that
they can identify any material inconsistencies with the audited financial statements (ISA 720
para. 6).
An ‘inconsistency’ is where the other information contradicts the information contained in
the audited financial statements. A material inconsistency may raise concerns about the audit
conclusions drawn and, potentially, the basis on which the audit opinion is formed (ISA 720
para. 5(b)).
An example may be a graph that appears in an annual report that indicates increasing revenue,
whereas the figures presented in the audited financial statements show a decline in revenue.
Where a material inconsistency is identified, the auditor first needs to determine whether it is
the financial statements or the other information that requires revision (ISA 720 para. 8).
Required reading
ISA 720 paras 5(b), 8–13 and A6–A9.

CC
Misstatements of fact
When the auditor’s review of other information identifies information that is incorrectly stated
or presented, and such information is not included in the audited financial statements, this is
regarded as a ‘misstatement of fact’. Under ISA 720 para. 5(c), ‘[a] material misstatement of fact
may undermine the credibility of the document containing the audited financial statements’.
An example may be a comment in an annual report of a mining entity indicating that a
particular mine site has been assessed by engineers as being a viable drill site, when in fact no
such assessment has been made.
When the auditor identifies an apparent material misstatement of fact, they should discuss this
with management and, based on these discussions, then determine an appropriate course of
action, which may include discussing the matter with those charged with governance (ISA 720
paras 14–16).

Activity 14.2: Responding to inconsistencies in other information in documents containing

the auditor’s report

CC
Communicating appropriately to those charged with

governance
Learning outcome
5. Describe and apply the steps involved in communicating appropriately to those charged with
governance and management.
As part of the audit process, the auditor has an obligation to communicate their findings
to those charged with governance. This communication can assist management to fulfil its
obligations, assist those charged with governance to fulfil their oversight obligations, and allow
the opportunity for the financial statements to be adjusted prior to being finalised.
Communication between the auditor and the entity occurs throughout the audit process –
when assessing risks, performing procedures and gathering evidence, and when finalising the
auditor’s report. This section of the unit focuses on the communication between the auditor
and their audit client during the reporting period. As discussed in the unit on pre-engagement
activities, ISA 260 Communication with Those Charged with Governance (ISA 260) provides the
overarching framework for this communication.
The auditor’s obligations for communicating related party matters arising during the audit
have already been discussed earlier in the unit. This section discusses the auditor’s obligations
to communicate the following with either management, or those charged with governance,
or both:
•• Deficiencies in internal control identified during the audit, under ISA 265 Communicating
Deficiencies in Internal Control to Those Charged with Governance and Management (ISA 265).
•• Misstatements identified during the audit in accordance with ISA 450 Evaluation
of Misstatements Identified during the Audit (ISA 450).
Deficiencies in internal control

Internal control deficiencies could be identified throughout the audit process. In the planning
stage, the auditor is required to obtain an understanding of internal control relevant to
identifying and assessing the risks of material misstatement. In the risk response phase, the
auditor may evaluate the effectiveness of the entity’s internal controls, as discussed in the unit
on responding to assessed risks – controls testing.
In performing the audit, the auditor is required to determine whether, on the basis of the
procedures they have performed, they identified any deficiencies in internal controls (ISA 265
para. 7). As per ISA 265 para. 6(a), a deficiency in internal control can arise in two ways:
1. The design, implementation or operation of a control is such that it does not prevent, or
detect and correct, misstatements in the financial statements on a timely basis.
2. A control that would prevent, or detect and correct, misstatements in the financial
statements on a timely basis is not in place.
A deficiency in internal control is considered ‘significant’ when it, or a number of deficiencies
considered together, is of sufficient importance to warrant the attention of those charged with
governance (ISA 265 para. 6(b)).
The significance of a deficiency (or a combination of deficiencies) in internal control depends
not only on whether a misstatement has actually occurred, but also on the likelihood that
a misstatement could occur and the potential magnitude of the misstatement. Significant
deficiencies may therefore exist even though the auditor has not identified misstatements
during the audit.
The categorisation of control deficiencies as significant has communication implications.

CC
Communicating deficiencies in internal control

Any deficiencies identified throughout the audit process must be accumulated for subsequent
reporting to management, or, in some instances, those charged with governance. ISA 265
provides the auditor with guidance as to which identified deficiencies must be communicated,
to whom and in what manner.
The auditor is not restricted as to which control deficiencies can be communicated to those
charged with governance; however, they are required to communicate significant internal
control deficiencies in writing on a timely basis (ISA 265 para. 9).
The auditor is also required to communicate to an appropriate level of management on a timely
basis (ISA 265 para. 9):
(a) In writing, significant deficiencies in internal control that the auditor has communicated or
intends to communicate to those charged with governance, unless it would be inappropriate to
communicate directly to management in the circumstances; and (Ref: Para. A14, A20–A21)
(b) Other deficiencies in internal control identified during the audit that have not been communicated
to management by other parties and that, in the auditor’s professional judgment, are of sufficient
importance to merit management’s attention. (Ref: Para. A22–A26) (ISA 265 para. 10).
Significant internal control deficiencies must be communicated in writing to both management

and those charged with governance on a timely basis (ISA 265 para. 11). As such, it may be
appropriate for the auditor to report to those charged with governance during the course of the
audit because of the relative significance of the deficiency. Other items may be communicated
on or around the release date of the auditor’s report.
The flow chart below highlights the auditor’s requirements in communicating internal control
deficiencies identified throughout the audit process:
Control deficiency identified – is it significant?

(ISA 265 paras 7 and 8)
YES NO
Communicate in writing to those charged Communicate to management

with governance and management (ISA 265 para. 10(b))
(ISA 265 paras 9 and 10(a))
Content of written communications

ISA 265 para. 11 details what the auditor is required to communicate regarding significant
deficiencies in internal control, including:
•• A description of the deficiencies.
•• An explanation of their potential effects.
•• Sufficient information to enable management and those charged with governance
to understand the context of the communication. In particular, the auditor must highlight
that the control deficiencies were identified as part of the audit on the financial statements,
not as part of procedures designed to express an opinion on internal controls.
Required reading
ISA 265.

CC
Activity 14.3: Communicating internal control deficiencies

Communicating identified misstatements

The auditor is responsible for evaluating the effect of identified misstatements on the audit and
uncorrected misstatements on the financial statements. Under ISA 450 para. 5, the auditor is
required to ‘accumulate misstatements identified during the audit, other than those which are
clearly trivial’.
By communicating with management on a timely basis the accumulated misstatements,
management has the opportunity to correct those misstatements prior to the financial
statements and the auditor’s report being finalised.
Consideration of identified misstatements as the audit progresses

While the audit progresses, the auditor is required to determine whether identification of
misstatements requires the overall audit strategy and audit plan to be revised. The revision is
required when (ISA 450 para. 6):
•• the nature and circumstances of identified misstatements indicate that other misstatements
may exist that, when they are put together with the misstatements accumulated during the
audit, could be material; or
•• the aggregate of misstatements accumulated during the audit approaches materiality.
Correction of misstatements
Communicating all misstatements identified during the audit in a timely manner to the
appropriate level of management (ISA 450 para. 8) allows management to determine whether
it agrees with the auditor’s assessment and to correct the financial statements as deemed to be
appropriate (ISA 450 para. A7).
Management may refuse to correct some or all of the misstatements communicated. In such
cases, it is important for the auditor to understand management’s reasons for not making the
correction so that the auditor can take this into account when forming their overall evaluation of
whether the financial statements are free from material misstatement (ISA 450 para. 9).
Communicating the effect of uncorrected misstatements

The auditor is required to communicate with those charged with governance misstatements
that remain uncorrected following communication with management, and to request that they
be corrected (ISA 450 para. 12). They must also identify the effect these might have on the
audit opinion in the auditor’s report. Similarly, the auditor must also communicate the effect of
uncorrected misstatements relating to prior periods (ISA 450 para. 13).
The auditor is also required to request a written representation from management or those
charged with governance stating whether they believe the effects of uncorrected misstatements
are immaterial, individually and in aggregate, to the financial statements as a whole (ISA 450
para. 14).

CC

14.1: Analytical Procedures (ISA 520)
14.2: Related Parties (ISA 550)
14.3: Correcting Figures (ISA 710)
14.4: Other information in documents containing audited financial statements (ISA 720)
14.5: Communicating with those charged with governance
Quiz

Readings

Standards.
Required reading
Relevant International Standards on Auditing and International Accounting Standards and national
equivalents
ISA 520 Analytical Procedures ASA 520 Analytical Procedures ISA (NZ) 520 Analytical Procedures
ISA 550 Related Parties ASA 550 Related Parties ISA (NZ) 550 Related Parties
•• Paragraphs 2–10, 20–27 and •• Paragraphs 2–10, 20–27 and •• Paragraphs 2–10, 20–27 and
A35–A50 A35–A50 A35–A50
ISA 710 Comparative Information ASA 710 Comparative Information ISA (NZ) 710 Comparative
— Corresponding Figures and — Corresponding Figures and Information — Corresponding
Comparative Financial Statements Comparative Financial Reports Figures and Comparative Financial
Statements
ISA 720 The Auditor’s Responsibilities ASA 720 The Auditor’s ISA (NZ) 720 The Auditor’s
Relating to Other Information in Responsibilities Relating to Responsibilities Relating to
Documents Containing Audited Other Information in Documents Other Information in Documents
Financial Statements Containing an Audited Financial Containing Audited Financial
Report Statements
ISA 265 Communicating Deficiencies ASA 265 Communicating ISA (NZ) 265 Communicating
in Internal Control to Those Charged Deficiencies in Internal Control to Deficiencies in Internal Control to
with Governance and Management Those Charged with Governance and Those Charged with Governance and
Management Management
ISA 450 Evaluation of Misstatements ASA 450 Evaluation of ASA 450 Evaluation of
Identified during the Audit Misstatements Identified during the Misstatements Identified during the
Audit Audit
IAS 1 Presentation of Financial AASB 101 Presentation of Financial NZ IAS 1 Presentation of Financial
Statements Statements Statements
•• Paragraphs 38–40D •• Paragraphs 38–40D •• Paragraphs 38–40D
IAS 8 Accounting Policies, Changes in AASB 108 Accounting Policies, NZ IAS 8 Accounting Policies,
Accounting Estimates and Errors Changes in Accounting Estimates Changes in Accounting Estimates
and Errors and Errors
•• Paragraphs 19–23 and 42–44 •• Paragraphs 19–23 and 42–44 •• Paragraphs 19–23 and 42–44

Relevant International Standards on Auditing and International Accounting Standards and national
equivalents
IAS 24 Related Party Disclosures AASB 124 Related Party Disclosures NZ IAS 24 Related Party Disclosures

Further reading

References
IFAC 2011, Guide to using ISAs in the audits of small- and medium-sized entities, 3rd edn, vol. 2,
accessed 11 April 2015, www.ifac.org → Publications & Resources → ISA guide.

ACT
Activity 14.1
Responding to risks of material misstatement
associated with related party relationships
and transactions
Introduction
The auditor has a responsibility to obtain an understanding of an entity’s related party
relationships and transactions in order to conclude whether they have been presented
appropriately in the financial statements. In the risk response and reporting phase of the audit,
the auditor develops audit procedures to obtain sufficient appropriate evidence regarding
related party relationships and transactions.
•• Explain and demonstrate how an auditor obtains an understanding of related party
At the end of this activity, you will be able to identify related party relationships and
transactions, and the appropriate audit procedures required under ISA 550 Related Parties
(ISA 550).
Scenario
You are an audit senior at Wilburys Chartered Accountants (Wilburys). You are auditing the
30 June 20X3 financial statements of ABKO Engineering Limited (ABKO).  From your review of
the audit work performed thus far, you have noted that:
•• The minutes of directors’ meetings state that ABKO has entered into a contract with Gese
Limited (Gese) for management consulting services during the year. Gese is owned and
controlled by Greg, a director of ABKO. Greg has signed a ‘conflict of interest declaration’
stating that all transactions with Gese are on standard commercial terms.
•• Greg is not involved in the management or day-to-day operations of Gese.
•• Gese was not included in the list of related parties that ABKO’s management provided at
the planning stage of the audit.
•• Expenses incurred for management consulting services have been recognised in ABKO’s
30 June 20X3 financial statements; however, the fact that this transaction is with Gese, an
entity that is controlled by an ABKO director, has not been disclosed.
Task
For this activity, you are required to plan the audit work required under ISA 550.

ACT
Activity 14.2
Responding to inconsistencies in other
information in documents containing the
auditor’s report
Introduction
Some entities will publish an annual report or attach additional information to their audited
financial statements. In these instances, the auditor has a responsibility to read the other
information to assess whether the information could undermine the credibility of the financial
statements and the auditor’s report.
•• Explain the auditor’s responsibilities in relation to other information in documents
containing audited financial statements.
At the end of this activity, you will be able to determine the appropriate response when an
inconsistency is identified between the audited financial statements and other information
attached to the audited financial statements, in accordance with ISA 720 The Auditor’s
Responsibilities Relating to Other Information in Documents Containing Audited Financial Statements
(ISA 720).
Scenario
You are the senior auditor on the 30 June 20X3 financial statements audit of Chamarel Limited
(Chamarel). Chamarel is a company listed on a local stock exchange that specialises in the
manufacture and distribution of confectionery products. The audit has been substantially
completed, and the audit manager has asked you to review the final printers’ proof of
Chamarel’s annual report, prior to it being finalised and the issuing of the auditor’s report.
The annual report includes the following sections:
•• Chairman’s report.
•• CEO’s report.
•• Financial highlights.
•• Review of operations.
•• Outlook.
•• Board of directors.
•• Corporate governance statement.
•• Directors’ report.
•• Financial statements (including the auditor’s report).
•• Sustainability report.

ACT
You have read the annual report and have noted the following:
1. Directors’ information
The directors’ report included in the annual report lists the directors of Chamarel during the
year as being:
•• Pierre Martin (chairman).
•• Amel Dubois (managing director).
•• Gigi L’Amoroso.
•• Lara Leroy.
•• Henri Moreau (appointed June 20X2).
The financial statements contain a disclosure note regarding the directors of Chamarel;
however, Lara Leroy is not disclosed in that note to the financial statements. The audit
working papers confirm that Lara Leroy was not a director at any point during the year
ended 30 June 20X3.
The shareholders’ meeting minutes show that the directors’ information is an area that
shareholders continue to query.
2. Proportion of revenue invested in R&D activities
The financial highlights section of the annual report includes a graph that shows research
and development (R&D) expenditure as a percentage of revenue for each of the past five
years, including the most recent year ended 30 June 20X3.
The graph indicates that Chamarel spent 10% of revenue on R&D in the year ended 30 June
20X3; however, the financial statements show that this was only 1%. A review of the audit
files confirms that 1% of revenue was spent on R&D.
R&D has been identified as a material account balance.
In your initial discussion with Chamarel’s management regarding these matters, it has indicated
that it would be reluctant to make any amendments, given the costs involved in revising the
annual report at this late stage.
Task
For this activity, you are required to outline the appropriate response for each of the two
anomalies between the annual report and the financial statements.

ACT
Activity 14.3
Communicating internal control deficiencies
Introduction
The auditor has an obligation to communicate certain matters to management and those
charged with governance, including internal control deficiencies warranting their respective
attention and identified as part of the audit process. While this requires the auditor’s
professional judgement, ISA 265 Communicating Deficiencies in Internal Control to Those Charged
with Governance and Management (ISA 265) provides the auditor with guidance as to which
identified deficiencies must be communicated, to whom and in what manner.
•• Describe and apply the steps involved in communicating appropriately to those charged
with governance and management.
At the end of this activity, you will be able to identify control deficiencies that must be reported
to management and those that must be reported to those charged with governance, the form the
communication should take and the content of the communication.
Scenario
You are an audit senior at BJ Dove Accountants (BJ Dove), and have been part of the
engagement team on the audit of Smithfield Confectionery Limited (Smithfield). Smithfield,
a manufacturer and wholesaler of liquorice and chocolate products, has been an audit client
of BJ Dove for three years.
You are currently completing the audit of the 30 June 20X3 financial statements and your audit
manager asked you to collate a list of the internal control deficiencies identified during the
audit.
You reviewed the audit files and noted the following internal control deficiencies:
1. Lack of review of balance sheet reconciliations
As part of internal controls testing, a sample of balance sheet reconciliations was selected
to verify that the reconciliations had been completed by the finance staff and then reviewed
and approved by Smithfield’s financial controller. Of the initial four months selected, one
month had two reconciliations that had no evidence of a review by the financial controller.
This was over the period that there was a personnel change in the role of financial
controller. Further samples were selected and there was evidence of review by the financial
controller.
2. Lack of segregation of duties in accounts payable
As part of the review of accounts payable controls, it was noted that the creation of a vendor
file does not require authorisation within the system. This means that an accounts payable
clerk can create a new vendor, enter bank account details, and input invoices for payment.

ACT
3. Lack of approval in payroll
While testing the payroll function, it was identified that when employees’ weekly
timesheets are entered into the payroll system, there is no check in place to ensure that the
hours entered match those recorded on the timesheet. As a result, a number of employees
were overpaid during the period. The overpayments were identified as part of the audit
procedures.
4. Weak access controls in IT system
The IT system used by Smithfield requires users to log on with a unique ID and password.
However, the system does not require users to change their passwords on a regular basis,
and, as a result, most users had never changed their passwords since being granted access
to the system. This was noted in last year’s audit of the 20X2 financial statements and was
communicated to Smithfield. No changes to the password requirements were made in the
20X3 year.
Task
For this activity, you are required to prepare a communication plan for the control deficiencies
identified. This plan should specify which control deficiencies need to be communicated
to Smithfield, to whom they should be communicated (management or those charged
with governance), the form of the communication (written or oral) and the content of the
communication.
Assume that there is no local legislative requirement to express an opinion on the effectiveness
of the internal control in conjunction with the audit of the financial statements.


CC
Core content
Unit 15: Forming an opinion and issuing an
auditor’s report
Learning outcomes
1. Identify and explain the auditor’s responsibility to form an opinion and provide an auditor’s
report.
2. Describe and explain the different types of auditor’s reports that an auditor may issue.
3. Identify and justify the choice of the appropriate auditor’s report for an entity based on the
results of audit work conducted for that entity.
Introduction
All the audit work has been completed and the auditor now needs to determine the appropriate
content for the auditor’s report, including the auditor’s opinion.
For users of financial statements, the auditor’s report is the most important part of the audit.
It is the only part of the audit they see and is used to gauge the reliability of the financial
statements. The consequences of the auditor issuing an inappropriate auditor’s report can be
significant.
This unit focuses on the following:
•• Forming an opinion on the financial statements that have been audited.
•• Issuing an auditor’s report (containing the auditor’s opinion) on the financial statements.
Reports on review engagements, other assurance engagements and agreed-upon procedures

engagements are addressed in later units.
aaa11615_csg

CC
Audit frameworks and reporting – the relevant Standards
Learning outcome
1. Identify and explain the auditor’s responsibility to form an opinion and provide an auditor’s
report.
Applicable Auditing Standards

This unit concentrates on:
•• ISA 700 Forming an Opinion and Reporting on Financial Statements (ISA 700).
•• ISA 705 Modifications to the Opinion in the Independent Auditor’s Report (ISA 705).
•• ISA 706 Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s
Report (ISA 706).
These Standards set out the form and content to be followed when preparing auditor’s reports
– for example, the title, headings and wording of information that should be included. By doing
this, the International Standards on Auditing (ISAs) seek to:
•• Promote consistency in the auditor’s report, and therefore credibility in the global
marketplace, by making more readily identifiable those audits that have been conducted in
accordance with globally recognised Standards.
•• Help the user’s understanding and ability to identify unusual circumstances that are
pointed out in the auditor’s report (ISA 700 para. 4).
ISA 700, ISA 705 and ISA 706 all provide additional guidance, and include examples of auditor’s
reports for general purpose financial statement audits.
Auditor’s responsibility to report

The auditor has an overriding obligation to:
•• Form an opinion based on an evaluation of the conclusions drawn from the audit evidence
obtained.
•• Express the opinion in a written auditor’s report.
Fair presentation or compliance frameworks

Under either a general or special purpose framework, the financial statements can be prepared
with a financial reporting framework that is either a fair presentation framework or a
compliance framework.
The wording to be used in the ‘Opinion’ section of the auditor’s report differs when either a fair
presentation or a compliance framework is used to prepare financial statements.
The ‘Opinion’ section is covered by ISA 700 paras 34–37.
ISAs also prescribe standard wording for auditor’s reports; this will be covered in the ‘Standard
components of an auditor’s report’ section below.
Fair presentation framework

A fair presentation framework adds an element of judgement to the role of both the preparer of
the financial statements and the auditor. This element is absent in a compliance framework.
Under a fair presentation framework, the financial statements purport to ‘present fairly’ (or, in
the case of entities subject to the Australian Corporations Act 2001 (Cth) (the Corporations Act)

CC
or the New Zealand Financial Reporting Act 1993, give ‘a true and fair view’ of) the financial
position and financial performance of the entity. Note that the revision of legislation in New
Zealand has taken out the legislative requirement for a ‘true and fair’ view in legislation.
Instead, the requirement within Accounting Standards (e.g. IAS 1 Presentation of Financial
Statements (IAS 1)) will apply.
Fair presentation frameworks permit disclosures in addition to those specified or, in rare
circumstances, departures from the framework to achieve a ‘fair presentation’.
Under this kind of framework, management may decide to include additional information
beyond that which is required by the relevant Accounting Standards, so that the financial
statements more fairly present the entity’s financial position and performance. The auditor
will need to conclude whether the picture presented by the financial information as a whole
(including the additional information) is consistent with their knowledge of the entity’s
business, and is a fair presentation.
When expressing an unmodified opinion on financial statements prepared in accordance with a
fair presentation framework, that opinion must use one of two phrases (unless law or regulation
requires otherwise):
(a) ‘The financial statements present fairly, in all material respects, ... in accordance with [the
applicable financial reporting framework]’; or
(b) ‘The financial statements give a true and fair view of ... in accordance with [the applicable financial
reporting framework]’(ISA 700 para. 35).
Australian and New Zealand legal requirements
Australia-specific
In Australia, the Corporations Act (ss 295(3)(c) and 297) and the Australian Accounting
Standards both require financial reports to be prepared based on a fair presentation framework
(AASB 101 Presentation of Financial Statements para. 15). It is therefore likely that most, if
not all, financial statements you will review in your work will be based on a fair presentation
framework.
In New Zealand, the Financial Reporting Act 1993 (ss 11 and 14) requires that the financial
statements of a reporting entity or group give a ‘true and fair view’. Similarly, state sector
bodies and local authorities are required to prepare statements that ‘fairly reflect’ their financial
position and financial and non-financial performance. Under the Financial Markets Conduct
Act 2013 (FMCA) the legislative requirement for a true and fair view has been removed from
legislation. Instead, the requirement is that financial statements are prepared under generally
accepted accounting practice (GAAP) which means that the requirements within Accounting
Standards (e.g. IAS 1) will apply. IAS 1 requires that financial statements shall present fairly the
financial position, financial performance and cash flows of an entity.
Compliance framework
Under a compliance framework, the auditor forms an opinion as to whether the financial
statements are prepared in accordance with the framework. Compliance frameworks are
more common where, for example, an auditor might need to express an opinion on whether
the financial statements have been prepared in accordance with a specific accounting method
stipulated.
A compliance framework does not provide scope for additional disclosures or departures from
the requirements of the framework.
When expressing an unmodified opinion on financial statements prepared in accordance with
a compliance framework, alternative wording is required so that the auditor’s opinion shall
be that the ‘financial statements are prepared, in all material respects, in accordance with [the
applicable financial reporting framework]’ (ISA 700 para. 36).

CC
Applicable laws and regulations

Sometimes, local laws or regulations prescribe the layout or wording of the auditor’s report in
a form that is significantly different from the requirements of the relevant ISAs. Therefore, it is
important that the auditor determines which jurisdiction governs the audit being performed,
and whether any applicable laws or regulations prescribe a standard format for the auditor’s
report that differs from the requirements of the ISAs.
As per ISA 700 para. A42, where the auditor is required to change the wording of the auditor’s
report for local laws, their report may still refer to ISAs if:
•• The differences between the local laws and regulations and the ISAs only relate to minor
differences between the layout and wording of the auditor’s report.
•• The auditor’s report still contains each of the elements identified in ISA 700 paras 43(a)–(i).
Other reporting requirements

In particular countries, an auditor will have other reporting requirements to fulfil as a result
of regulatory requirements. For example, in Australia the Corporations Act sets out certain
additional reporting requirements, as does the Companies Act 1993 in New Zealand.
Required reading
International
ISA 700 paras 1–10, 34–37, 43(a)–(i) and A42.
Australia
AASB 101 para. 15.
Corporations Act ss 295(3)(c) and 297.
New Zealand
NZ IAS 1 Presentation of Financial Statements paras 5 and 7.

Alternatives to reporting
In general, an auditor is required to provide a written report containing their conclusions
on an audit. However, under certain circumstances, the ISAs provide for the withdrawal of
the auditor from the engagement where this is possible under local jurisdictional laws or
regulations (ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in
Accordance with International Standards on Auditing (ISA 200) para. 12).
Required reading
ISA 200 para. 12.

CC
Financial statements prepared in accordance with more than one framework

Under certain circumstances or in some jurisdictions, financial statements are prepared in
accordance with more than one framework, and therefore both are applicable; for example,
where financial statements not only comply with Australian or New Zealand Accounting
Standards (the national framework), but also with IFRS.
Where financial statements are prepared under two reporting frameworks, ISA 700 para. A8
states that the financial statements need to comply with each of the frameworks individually in
order to be regarded as having been prepared in accordance with both frameworks. In practice,
simultaneous compliance is likely when a jurisdiction has adopted the other framework as
its national framework, or has eliminated all barriers to compliance with it, as is the case in
Australia and New Zealand regarding IFRS.
Required reading
Accounting frameworks
The financial reporting framework applied in preparing the financial statements both prescribes
the presentation of the financial statements and provides the auditor with the appropriate
criteria to use.
The auditor shall form an opinion on whether the financial statements are prepared, in all material
respects, in accordance with the applicable financial reporting framework.
Financial reporting frameworks are classified as:

•• General purpose.
•• Special purpose.
General purpose financial reporting framework

ISA 700 para. 7(b) states that a general purpose financial framework is one that is:
… designed to meet the common financial information needs of a wide range of users …
Special purpose financial reporting framework

ISA 800 Special Considerations – Audits of Financial Statements Prepared in Accordance with Special
Purpose Frameworks (ISA 800) para. 6(b) states that a special purpose financial framework is one
that is:
… designed to meet the financial information needs of specific users …
Reporting for special purpose financial statements is discussed in the unit on other assurance
engagements and agreed-upon procedures engagements.
Overview of auditor’s reporting

Before concluding on which type of auditor’s report is appropriate to issue, the auditor needs to
consider the appropriate form of the auditor’s report. This is determined by:
•• The applicable financial reporting framework.
•• Applicable laws and/or regulations.
•• Applicable Auditing Standards.

CC
The diagram below provides a visual representation of the questions that need to be considered
when determining the type of auditor’s reporting required, and therefore the applicable
Auditing Standards:
Standard components of an auditor’s report

Irrespective of the type of auditor’s report (unmodified or modified), it should contain the
following sections providing the relevant information, as set out in ISA 700:
•• Title.
•• Addressee(s).
•• Introductory Paragraph.
•• Management’s Responsibility for the Financial Statements.
•• Auditor’s Responsibility.
•• Auditor’s Opinion.
•• Report on Other Legal and Regulatory Requirements.
•• Signature of the Auditor.
•• Date of the Auditor’s Report.
•• Auditor’s Address.
These sections, together with the information required in each, are set out in the following table:
Auditor’s report – required sections under ISA 700
Component Description
Title The title of the auditor’s report must clearly indicate that it is the report of an
independent auditor
(ISA 700 para. 21)
Addressee(s) The auditor’s report shall be addressed as required by the circumstances of the audit
engagement. Most commonly, for general purpose financial statements, this is the
(ISA 700 para. 22)
shareholders. However, it may also be the directors, the members, or even a funding
body

CC
Introductory Paragraph The introductory paragraph of an auditor’s report:

(ISA 700 para. 23) •• Identifies the entity whose financial statements have been audited
•• States that the financial statements have been audited
•• Identifies the title of each statement comprising those financial statements
•• Refers to the summary of significant accounting policies and other explanatory
information
•• Specifies the date or period covered by each financial statement
As noted in ISA 700 para. A19, the complete set of financial statements is defined by
the applicable financial reporting framework, and may vary between jurisdictions
Management’s This section of the auditor’s report describes management’s responsibility for the
Responsibility for the preparation of the financial statements. This includes management responsibility
Financial Statements for preparing the financial statements in accordance with the applicable financial
reporting framework, and for such internal control as management determines
(ISA 700 paras 24–27)
is necessary to enable the preparation of financial statements that are free from
material misstatement (whether due to fraud or error)
Specific wording may be required in the description above for financial statements
prepared in accordance with a fair presentation framework
Note: This section need not refer to management, but may use terms appropriate in
the context of the particular jurisdiction responsible for the preparation of financial
statements (e.g. ‘the committee’ or ‘the trustees’)
Auditor’s Responsibility The auditor’s report must include a section with the heading ‘Auditor’s responsibility’,
stating that it is the responsibility of the auditor to express an opinion on the
(ISA 700 paras 28–33)
financial statements based on the audit
It must also state that the audit was conducted in accordance with ISAs (or local
equivalents); that those Standards require the auditor to comply with ethical
requirements; that the auditor plan and perform the audit to obtain reasonable
assurance about whether the financial statements are free from material
misstatement, and whether the auditor believes that the audit evidence obtained is
sufficient and appropriate to provide a basis for the auditor’s opinion
This section also provides a description of the audit, and includes statements that:
•• An audit involves performing procedures to obtain evidence about the amounts
and disclosures in the financial statements
•• The procedures selected depend on the auditor’s judgement
•• While internal control may have been considered in selecting those procedures,
the auditor is not expressing an opinion on the effectiveness of the entity’s
internal control (this statement is omitted if the auditor does have the
responsibility to express an opinion on the effectiveness of internal control)
•• The audit also includes an evaluation of the appropriateness of the accounting
policies used, the reasonableness of accounting estimates made by management,
and the overall presentation of the financial statements
Specific wording may be required in the description above for financial statements
prepared in accordance with a fair presentation framework
Auditor’s Opinion The auditor’s report must include an ‘Opinion’ section, containing the Opinion
paragraph
(ISA 700 paras 34–37)
When expressing an unmodified opinion on financial statements that have been
prepared in accordance with a fair presentation framework, the report must use one
of two specific phrases (unless law or regulation requires otherwise) stated in ISA 700
para. 35
When expressing an opinion on financial statements prepared in accordance with a
compliance framework, alternative wording is required
If the applicable reporting framework is not an IFRS (or local equivalent) framework,
the opinion must identify the original jurisdiction of the framework

CC
Other Reporting Where an auditor addresses other reporting responsibilities in addition to the
Responsibilities financial statements, those other responsibilities are addressed in a separate section
of the report subtitled ‘Report on Other Legal and Regulatory Requirements’ (or
(ISA 700 paras 38–39)
otherwise, as appropriate to the content)
If such a section is added, the requirements of paras 24–37 discussed above are
contained in a section subtitled ‘Report on the Financial Statements’, which should be
included before ‘Report on Other Legal and Regulatory Requirements’
Signature of the Auditor The auditor’s report must be signed (certain jurisdictions may have requirements
relating to the auditor’s signature)
(ISA 700 para. 40)
Date of the Auditor’s The auditor’s report must be dated no earlier than the date on which the auditor has
Report obtained sufficient appropriate evidence on which to base their opinion. This must
include evidence that those with recognised authority have asserted they have taken
(ISA 700 para. 41)
responsibility for the financial statements
Other requirements may exist in certain jurisdictions
Auditor’s Address The auditor’s address must state the location in the jurisdiction where the auditor
practises
(ISA 700 para. 42)
This is generally understood not to be an exact address, but the name of the city
where the auditor’s primary office is located (e.g. Auckland, Sydney, Wellington or
Perth)
In practice, most audit firms insist on signing the auditor’s report on the same date that the
financial statements are authorised by the entity’s directors. This is due to additional audit
procedures that may be required should the auditor sign the auditor’s report at a later date.
Auditor’s opinion versus auditor’s report

There is often confusion surrounding the meaning and purpose of the auditor’s report and the
auditor’s opinion. Historically, there has been a tendency to use the terms interchangeably;
however, this is not correct. The difference in the terms is explained below.
Auditor’s opinion
An auditor forms an auditor’s opinion on financial statements following completion and
evaluation of audit work. As seen in the table above, the auditor’s opinion is a component of the
auditor’s report.
Auditor’s report
An auditor issues an auditor’s report on financial statements that have been audited. The
auditor’s report contains a number of components, as outlined in the table above, including the
auditor’s opinion.
Required reading
ISA 700 paras 7(b), 10, 20–47 and A13–A44.
ISA 800 para. 6(b).

CC
Additional components of an auditor’s report

In addition to the components of an auditor’s report required by ISA 700 identified in the table
above, other components may be required depending on the circumstances and findings of the
audit. That is, other Standards, such as ISA 705 and ISA 706, may require particular elements to
be included in some circumstances, such as when the auditor forms a modified opinion.
These elements will be discussed in detail later in the unit. However, a summary of them is
presented in the following table:
Auditor’s report – additional auditor’s report sections under ISA 705 and ISA 706
Basis for Modification When an auditor modifies their opinion on the financial statements, the
auditor’s report must include a paragraph that provides a description of the
(ISA 705 para. 16)
matter giving rise to the modification
The paragraph must be placed immediately before the section containing the
Opinion paragraph and be titled as appropriate for the type of modification; for
example, ‘Basis for Qualified Opinion’
Details of matters to be included in the paragraph and the impact on the
Opinion paragraph will be covered in more detail later in this unit
Emphasis of Matter If an auditor considers it necessary to include an Emphasis of Matter paragraph

paragraph in the auditor’s report, the auditor shall:
(ISA 706 para. 7) •• Include it immediately after the section containing the Opinion paragraph
•• Use the heading ‘Emphasis of Matter’ or other appropriate heading
•• Include a clear reference to the matter being emphasised, and where the
relevant disclosures can be found in the financial statements
•• Indicate that the auditor’s opinion is not modified in respect of the matter
emphasised
Other Matter paragraph If an auditor considers it necessary to include an Other Matter paragraph,
it must be included immediately after the section containing the Opinion
(ISA 706 para. 8)
paragraph and any Emphasis of Matter paragraph, or elsewhere if the content is
relevant to the Other Reporting Responsibilities section
Required reading
ISA 705 para. 16.

CC
Auditor’s opinions
Learning outcomes
Types of auditor’s opinions

The auditor expresses their assurance on an entity’s financial statements in an auditor’s report.
For ease of interpretation by users, the report follows a standard format, and conveys the
auditor’s opinion as to whether the financial statements fairly present the entity’s financial
position and financial performance.
The previous section discussed the Auditing Standards that must be taken into account
when working out the type of auditor’s opinion to express in the financial statements. How
the auditor determines the type of opinion they express on audited financial statements is a
multi-step process. To understand this, a clear explanation of all the different types of possible
auditor’s opinions is required.
The following diagram illustrates the types of auditor’s opinions that an auditor can form on
financial statements:
Types of auditor’s
opinions
Unmodified opinion Modified opinion

ISA 700 ISA 705
Qualified Adverse Disclaimer

opinion opinion of opinion
Unmodified opinions
An auditor expresses an unmodified opinion when they conclude that the financial statements
are prepared, in all material respects, in accordance with the applicable financial reporting
framework (ISA 700 para. 16).
In other words, where an auditor concludes that the financial statements fairly present the
entity’s financial position and results of operations, they can then issue an unmodified opinion
on the financial statements using the standard format described in ISA 700.

CC
Modified opinions
As per ISA 705 para. 6, an auditor expresses a modified opinion when:
•• The auditor determines, on the basis of the sufficient appropriate audit evidence gathered
and analysed during the audit, that there are material misstatements in the financial
statements.
•• The auditor is unable to obtain sufficient appropriate audit evidence to conclude that the
financial statements are free from material misstatement.
Types of modified opinions

There are three types of modified opinions (outlined in ISA 705 paras 7–10) that may be
expressed by an auditor:
1. A qualified opinion, resulting from either a material but not pervasive misstatement in
the financial statements, or an inability to obtain sufficient appropriate audit evidence
regarding a matter(s) which has the potential to result in a material but not pervasive
misstatement in the financial statements.
2. An adverse opinion, resulting from either the financial statements not being presented
fairly in accordance with the applicable financial reporting framework (fair presentation
framework), or the financial statements not being prepared in all material respects in
accordance with the applicable framework (compliance framework). The impact on the
financial statements is material and pervasive.
3. A disclaimer of opinion, resulting from an auditor not being able to obtain sufficient
appropriate audit evidence to provide a basis for an auditor’s opinion. The possible effect
on the financial statements is both material and pervasive.
The following table summarises the circumstances under which a modified opinion is issued:
ISA 705 para. A1 – Types of modified opinions
Nature of the matter giving rise to the Auditor’s judgement about the pervasiveness of the effects or
modification possible effects on the financial statements
Material but not pervasive Material and pervasive
Financial statements are materially Qualified opinion Adverse opinion

misstated
Inability to obtain sufficient appropriate Qualified opinion Disclaimer of opinion

audit evidence
Financial statements are materially misstated

Material misstatement refers to the amount of a misstatement, or to a difference between
the classification, presentation or disclosure of a reported item in the financial statements
and the classification, presentation or disclosure that is required for the item in accordance
with the applicable financial reporting framework. For example, if a material current liability
is presented as a non-current liability, this is likely to impact on the users of the financial
statements.
Material misstatement could result from:
•• The selection of an inappropriate accounting policy.
•• The incorrect application of a selected accounting policy.
•• Inappropriate or inadequate disclosures in the financial statements.

CC
Inability to obtain sufficient appropriate audit evidence

The auditor’s inability to obtain sufficient appropriate audit evidence (also referred to as
‘a limitation on the scope of the audit’) can result from:
(a) Circumstances beyond the control of the entity.
(b) Circumstances relating to the nature or timing of the auditor’s work.
(c) Limitations imposed by management (ISA 705 para. A8).
An inability to obtain sufficient appropriate audit evidence could either have a possible
‘material but not pervasive’ effect on the financial statements, or a possible ‘material and
pervasive’ effect. The fact that the effect on the financial statements is uncertain (a possible
effect), increases the degree of judgement to be applied by the auditor regarding their
determination as to whether the material impact is either ‘only’ material, or material and
pervasive.
Generally, a misstatement or possible misstatement that is undetected due to inability to
obtain sufficient appropriate audit evidence is considered to be ‘material’ if it could reasonably
be expected to influence the economic decisions of users of the financial statements whose
decisions are affected by the size or the nature of the misstatement.
The term ‘pervasive’ is referred to in ISA 705 para. 5(a) and is used to describe the effects on the
financial statements that:
(i) Are not confined to specific elements, accounts or items of the financial statements;
(ii) If so confined, represent or could represent a substantial proportion of the financial statements; or
(iii) In relation to disclosures, are fundamental to users’ understanding of the financial statements.
The example auditor’s reports set out in the ISA 705 Appendix show the key differences
between the three modified audit opinions. They can be summarised as follows:
Summary of Opinion paragraph wording for different types of modified opinions
Type of modified opinion Opinion paragraph in the auditor’s report
Qualified opinion resulting from material In our opinion, except for the effects of the matter described in the
misstatement Basis for Qualified Opinion paragraph, the financial statements
present fairly, in all material respects (or give a true and fair
(ISA 705 Appendix Illustration 1,
view of ) … in accordance with International Financial Reporting
ISA 705 para. 23)
Standards
Qualified opinion resulting from the In our opinion, except for the possible effects of the matter
inability to obtain sufficient appropriate described in the Basis for Qualified Opinion paragraph, the
audit evidence financial statements present fairly, in all material respects, (or
give a true and fair view of ) … in accordance with International
Financial Reporting Standards
ISA 705 para. 23)
Adverse opinion In our opinion, because of the significance of the matter discussed
in the Basis for Adverse Opinion paragraph, the consolidated
financial statements do not present fairly (or do not give a true
ISA 705 para. 24)
and fair view of ) … in accordance with International Financial
Reporting Standards
Disclaimer of opinion Because of the significance of the matters described in the Basis for
Disclaimer of Opinion paragraph, we have not been able to obtain
(ISA 705 Appendix Illustrations 4 and 5,
sufficient appropriate audit evidence to provide a basis for an
ISA 705 para. 25)
audit opinion. Accordingly, we do not express an opinion on the
financial statements

CC
Required reading
ISA 705 paras 1–15, 22–28, A1–A16, A21–A25 and Appendix.
Basis for Modification paragraphs

When the auditor determines that a modified auditor’s opinion is to be issued, a Basis for
Modification paragraph is included in the auditor’s report and the standard opinion wording is
modified (ISA 705 paras 16–27).
The Appendix to ISA 705 includes examples of circumstances that may result in modifications
to auditor’s opinions, and the wording that an auditor may use to describe the basis for the
modification.
The Basis for Modification paragraph provides a description of the matter giving rise to
the modification. It is positioned immediately before the section containing the Opinion
paragraph in the auditor’s report. The wording of the paragraph depends on the reason for the
modification. ISA 705 paras 16–21 outline the basis for modification paragraphs for all three
types of modified opinions.
The required inclusions are summarised in the following table:
Reason for the modification Basis for Modification paragraph includes
Material misstatement that relates A description and quantification of the material misstatement. If it is
to specific amounts or quantitative not practicable to do so, the auditor must state this
disclosures in the financial statements
Material misstatement that relates An explanation of how the narrative disclosure is misstated
to a narrative (i.e. non-numeric)
disclosure
Material misstatement that relates A description of the nature of the omitted information, after the
to the non-disclosure of information auditor has discussed this with those charged with governance.
that is required to be disclosed Unless prohibited by law or regulation, or impracticable to do so (if
the disclosures are not readily available to the auditor or if they are too
voluminous in relation to the auditor’s report), the auditor includes the
omitted disclosure, but only if sufficient appropriate audit evidence
about the omitted disclosure has been obtained
Inability to obtain sufficient A reason for the inability to obtain sufficient appropriate audit
appropriate audit evidence evidence
Adverse or disclaimer opinions and individual misstatements

There may be instances where the auditor expresses an adverse opinion or disclaims an opinion
(disclaimer of opinion) while also identifying material misstatements or a lack of sufficient
appropriate evidence regarding individual balances. Where these individual matters would
have led to a modified opinion on their own, they must also be included in the Basis for
Modification paragraph (ISA 705 para. 21).
Required reading
ISA 705 paras 5(a), 16–21, A8 and A17–A20.
Activity 15.1: Determining the appropriate auditor’s opinion


CC
Additional paragraphs in the auditor’s report
Learning outcomes
An auditor can include an additional paragraph(s) in an unmodified or a modified auditor’s

report. These paragraphs can take one of two forms:
•• An Emphasis of Matter paragraph.
•• An Other Matter paragraph.
Emphasis of Matter and Other Matter paragraphs, and the matters they relate to, are not
‘modified’ auditor’s opinions. They are used by the auditor to draw users’ attention to
particular matters, but do not affect whether the auditor’s opinion is unmodified or modified.
Emphasis of Matter (EOM) paragraph

An Emphasis of Matter paragraph highlights a matter that is appropriately presented or
disclosed in the financial statements, which, in the auditor’s judgement, is of such importance
that it is fundamental to users’ understanding of the financial statements (ISA 706 para. 5(a)).
A matter can only be included in an Emphasis of Matter paragraph if the auditor has obtained
sufficient audit evidence that it is not materially misstated in the financial statements. This
paragraph can be added to, but cannot replace a qualified or adverse opinion, or a disclaimer of
opinion (ISA 706 para. A3). ISA 706 para. A1 provides examples of circumstances in which the
auditor may consider it necessary to include this type of additional paragraph.
Certain other ISAs may also require the addition of an Emphasis of Matter paragraph to the
auditor’s report. These ISAs are listed in Appendix 1 to ISA 706. Two that commonly use these
paragraphs are ISA 570 Going Concern and ISA 800 Special Considerations – Audits of Financial
Statements Prepared in Accordance with Special Purpose Frameworks.
The Emphasis of Matter paragraph is included immediately after the section containing the
Opinion paragraph. It must:
•• Use the heading ‘Emphasis of Matter’ or other appropriate heading.
•• Include a clear description of the matter being emphasised.
•• Include the location in the financial statements where the matter is fully disclosed.
•• Indicate that the auditor’s opinion is not modified in respect of the matter emphasised
(ISA 706 para. 7).
Other Matter (OM) paragraph

An Other Matter paragraph is a paragraph included in the auditor’s report that refers
to a matter other than those presented or disclosed in the financial statements, which, in
the auditor’s judgement, is relevant to users’ understanding of the audit, the auditor’s
responsibilities or the auditor’s report (ISA 706 para. 5(b)).
Examples of when the auditor may include an Other Matter paragraph include the following:
•• Where ‘the auditor is unable to withdraw from an engagement even though the possible
effect of an inability to obtain sufficient appropriate audit evidence due to a limitation on
the scope of the audit imposed by management is pervasive’, the auditor may consider

CC
it necessary to include such a paragraph to explain their inability to withdraw from the
engagement (ISA 706 para. A5).
•• Where the entity has prepared two sets of financial statements, each in accordance with
an appropriate financial reporting framework, and the auditor issues an auditor’s report
on each of these financial statements, the auditor may include an Other Matter paragraph
referring to this fact (ISA 706 para. A8).
•• Where there is a restriction on the distribution or use of the auditor’s report. This could be
the case if financial statements are prepared for specific purposes (but still in accordance
with a general purpose framework ‘because the intended users have determined that
such general purpose financial statements meet their financial information needs’). The
auditor may consider it necessary to include a paragraph to state that the auditor’s report
‘is intended solely for the intended users, and should not be distributed to or used by other
parties’ (ISA 706 para. A9).
It is important to note that (as per ISA 706 para. A10) in an Other Matter paragraph the auditor
is not allowed to include:
•• Information that the auditor is prohibited from providing by law, regulation or other
professional Standards – for example, ethical Standards relating to confidentiality of
information.
•• Information that management is required to provide.
The Other Matter paragraph should have the heading ‘Other Matter’ or another appropriate
heading. It should be placed immediately after the Opinion paragraph or any Emphasis of
Matter paragraph, or elsewhere in the report if the content of the Other Matter paragraph is
relevant to the ‘Other Reporting Responsibilities’ section (ISA 706 para. 8).
For example, if it is a matter relating to ‘Other Reporting Responsibilities’ addressed in
the auditor’s report, the paragraph should be included in the ‘Report on Other Legal and
Regulatory Requirements’ section. If it is a matter relating to an auditor’s responsibilities or an
auditor’s report, the paragraph should be included in the ‘Other Matter’ section that follows
the ‘Report on the Financial Statements’ and the ‘Report on Other Legal and Regulatory
Requirements’ (ISA 706 para. A11).
Required reading
ISA 706.
Example – Additional paragraphs

In the following examples illustrate where an additional paragraph would be required. Assume
the auditor agrees with the relevant matters.
Scenario Additional paragraph
The financial statements contain a note describing Emphasis of Matter: Drawing users’ attention to
a material uncertainty that relates to the entity’s the material uncertainty that relates to the going
ability to continue as a going concern concern assumption
The financial statements contain a note describing Emphasis of Matter: Drawing users’ attention
an uncertainty regarding the future outcome of to the uncertainty regarding the exceptional
exceptional litigation that is fundamental to users’ litigation
understanding of the financial statements
The entity was not audited in the previous financial Other Matter: Drawing users’ attention to the
period fact that the corresponding figures in the
financial statements are unaudited

CC
The following flow chart may provide assistance in determining whether an additional
paragraph to the auditor’s report is required, and the type of additional paragraph (whether
Emphasis of Matter or Other Matter), if any, under International Standards on Auditing.
Are there any matters to which it is necessary to draw users’ attention

other than those already impacting on the auditor’s opinion?
YES NO
Is the matter presented or disclosed in the

financial statements?
If a matter is
presented or YES NO
disclosed in the
but not appropriately
(i.e. is not in Is the matter Is the matter relevant to
accordance with appropriately presented users’ understanding of
NO
relevant Accounting or disclosed in the the audit, the auditor’s
Standards), it should financial statements? responsibilities or the
be dealt with in the auditor’s report?
auditor’s opinion, not
in an additional
paragraph to the YES
auditor’s report
NO YES
Is the matter of such importance
that it is fundamental to users’
understanding of the financial
statements?
YES NO
Add an Emphasis of Matter Add an Other Matter

paragraph to the auditor’s No additional paragraph is paragraph to the auditor’s
report, whether the opinion required in the auditor’s report, whether the opinion
is modified or unmodified report is modified or unmodified
(ISA 706) (ISA 706)

CC
Worked example 15.1: Determining the impact of misstatements on the auditor’s report
Activity 15.2: Audit reporting – misstatements and inconsistencies between the financial
statements and documents containing the financial statements
Considerations in forming an auditor’s opinion

To be able to form the opinion required by ISA 700 para. 10, the auditor needs to consider
whether they have obtained reasonable assurance on whether the financial statements as a
whole are free from material misstatement, whether due to fraud or error.
To do this, the auditor needs to consider the following (ISA 700 paras 11–15):
•• Has sufficient appropriate audit evidence been obtained, as defined in ISA 330 The Auditor’s
Responses to Assessed Risks (ISA 330) para. 26? (Refer to the unit on responding to assessed
risks – evaluating audit evidence.)
•• Were the uncorrected misstatements identified during the audit material, individually or
in aggregate, as discussed in ISA 450 Evaluation of Misstatements Identified during the Audit
(ISA 450) para. 11? (Refer to the units on responding to assessed risks – evaluating audit
evidence and reviewing the financial statement and audit results.)
•• Do the financial statements appropriately reflect the requirements of the applicable financial
reporting framework, and is the framework adequately referred to?
•• Was there any (possible) bias in management’s judgement? (As discussed in ISA 540
Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related
Disclosures (ISA 540) para. 21 and ISA 260 Communication with Those Charged with Governance
(ISA 260) Appendix 2.)
•• If the financial statements have been prepared in accordance with a fair presentation
framework, do they achieve a fair presentation of underlying transactions and events?
•• Do the financial statements adequately disclose significant accounting policies and are these
consistent with the framework according to which they have been prepared?
•• Are the accounting estimates made by management reasonable?
•• Is the information presented relevant, reliable, comparable and understandable?
•• Have adequate disclosures been made to enable the intended users to understand the effect
of material transactions and events on the information conveyed in the financial statements?
•• Is the terminology used in the financial statements, including the title of each financial
statement, appropriate?
Required reading
ISA 260 Appendix 2.
ISA 330 para. 26.
ISA 450 para. 11.
ISA 540 para. 21.
ISA 700 paras 10–15, A1–A4, A45–A51 and Appendix.

CC
New and revised auditor reporting Standards

The IAASB has issued new and revised auditor reporting Standards, which will be effective for
audits of financial statements for periods ending on or after 15 December 2016. The changes will
also be reflected in the national standards issued by the AUASB in Australia and XRB in New
Zealand.
Enhanced auditor reporting was viewed by the IAASB as critical to the value of financial
statement audit and continued relevance of the auditing profession. The implementation of the
new and revised Standards will represent a significant change in practice.
The new and revised auditor reporting Standards include:
•• ISA 700 (Revised) Forming an Opinion and Reporting on Financial Statements.
•• ISA 701 (New) Communicating Key Audit Matters in the Independent Auditor’s report.
•• ISA 705 (Revised) Modifications to the Opinion in the Independent Auditor’s Report.
•• ISA 706 (Revised) Emphasis of Matter Paragraphs and Other Matter Paragraphs in the
Independent Auditor’s Report.
The IAASB is also making conforming amendments to other ISAs.

Expected benefits resulting from the new and revised auditor reporting Standards include:
•• Increased transparency and informational value of the auditor’s reports. This would give
the users of the auditor’s reports more insight into the audit.
•• Enhanced communication between the auditor and the investors, and the auditor and those
•• Increased attention by management and those charged with governance to the disclosures
in the financial statements to which the auditor’s report refers.
•• Increased focus of the auditor on matters to be reported. This could indirectly result in an
increase in the exercise of professional scepticism.
The new and revised auditor reporting Standards include a number of key enhancements
that are relevant to all entities. The content of the auditor’s report is reordered, with the audit
opinion now required to go first. The description of the responsibilities of management and
the auditor have been revised, and enhanced auditor reporting on going concern is being
introduced.
A key enhancement is the inclusion of a new section to communicate ‘key audit matters’.
This section will be mandatory for listed entities and voluntary for other entities. Key audit
matters are areas that the auditor views as most significant, and will be required to include an
explanation of how they were addressed in the audit.
In a January 2015 edition of its publication At a Glance, the IAASB summarises the changes to
the Standards, highlighting key aspects of the new and revised Standards.
The Standards can be early adopted. Downer EDI and its auditor, KPMG, was the first of the
ASX-listed companies to report under the new and revised auditor reporting Standards.
Required reading
IAASB 2015, At a Glance: New and revised auditor reporting standards and related conforming
amendments, 15 January, accessed 2 December 2015, www.ifac.org → About IFAC → Publications
and Resources, search for ‘At a glance’.


CC
Activity 15.3: Determining auditor’s reporting implications – subsequent events and going
concern
Activity 15.4: Issuing an auditor’s report when financial statements are not in accordance
with the applicable financial reporting framework

15.1: Express an appropriate opinion
15.2: Types of modified opinions (ISA 705)
Quiz


Readings

All references to Auditing and Assurance Standards in the learning elements in the Audit and
Assurance module are to International Standards, except where they relate to jurisdiction-
specific content.
The table below provides a summary of the readings from the International Pronouncements
together with the equivalent Australian and New Zealand Pronouncements.
In the exam, candidates can refer to the International Standards or the Australian or New
Zealand Standards.
Required reading
Relevant International Standards on Auditing and national equivalents and other relevant national
pronouncements
with International Standards on with Australian Auditing Standards with International Standards on
Auditing Auditing (New Zealand)
ISA 260 Communication with Those ASA 260 Communication with Those ISA (NZ) 260 Communication
Charged with Governance Charged with Governance with Those Charged with Governance
ISA 450 Evaluation of Misstatements ASA 450 Evaluation of ISA (NZ) 450 Evaluation of
Identified during the Audit Misstatements Identified during the Misstatements Identified during the
Audit Audit
ISA 540 Auditing Accounting ASA 540 Auditing Accounting ISA (NZ) 540 Auditing Accounting
Estimates, Including Fair Value Estimates, Including Fair Value Estimates, Including Fair Value
Accounting Estimates, and Related Accounting Estimates, and Related Accounting Estimates, and Related
Disclosures Disclosures Disclosures
ISA 700 Forming an Opinion and ASA 700 Forming an Opinion and ISA (NZ) 700 Forming an Opinion
Reporting on Financial Statements Reporting on a Financial Report and Reporting on Financial
Statements
ISA 705 Modifications to the Opinion ASA 705 Modifications to the ISA (NZ) 705 Modifications to the
in the Independent Auditor’s Report Opinion in the Independent Auditor’s Opinion in the Independent Auditor’s
Report Report

Relevant International Standards on Auditing and national equivalents and other relevant national
pronouncements
ISA 706 Emphasis of Matter ASA 706 Emphasis of Matter ISA (NZ) 706 Emphasis of Matter
Paragraphs and Other Matter Paragraphs and Other Matter Paragraphs and Other Matter
Paragraphs in the Independent Paragraphs in the Independent Paragraphs in the Independent
Auditor’s Report Auditor’s Report Auditor’s Report
ISA 800 Special Considerations ASA 800 Special Considerations – ISA (NZ) 800 Special Considerations
– Audits of Financial Statements Audits of Financial Reports Prepared – Audits of Financial Statements
Prepared in Accordance with Special in Accordance with Special Purpose Prepared in Accordance with Special
Purpose Frameworks Frameworks Purpose Frameworks
•• Paragraph 6(b) •• Paragraph 6(b) •• Paragraph 6(b)
Corporations Act 2001 (Cth) NZ IAS 1 Presentation of Financial

Statements
•• Sections 295(3)(c) and 297
•• Paragraphs 5 and 7
AASB 101 Presentation of Financial

Statements
•• Paragraph 15
www.ifac.org www.auasb.gov.au www.legislation.govt.nz

www.aasb.gov.au
www.austlii.edu.au
Further reading


ACT
Activity 15.1
Determining the appropriate auditor’s
opinion
Introduction
The auditor’s report is issued as the final step in the audit process. The auditor’s opinion is a
major component of the auditor’s report. A number of different types of auditor’s opinions can
be included in the auditor’s report, and the auditor needs to ensure that the correct opinion is
included, based on the results of the audit work performed.
•• Identify and justify the choice of the appropriate auditor’s report for an entity based on the
At the end of this activity, you will be able to determine the appropriate opinion to be included
in an auditor’s report.
Scenario
You are a senior auditor working for BLT Chartered Accountants (BLT), a firm of 10 partners.
Reece Kingston, your manager, has developed a training module on determining the
appropriate auditor’s opinion for auditors undertaking the Chartered Accountants Program.
He has developed four fictitious but realistic case studies for the candidates to use.
The case studies are:
1. Glenwood Limited (Glenwood)

You are the auditor of Glenwood for the year ended 31 December 20X8. Glenwood is a New
Zealand entity with a loan outstanding of $2,574,000, classified in its financial statements as a
non-current liability. On closer examination of the loan documentation, you see that the loan is
repayable on 30 November 20X9. Total liabilities of the company are $4,000,000, and Glenwood
made a profit of $152,780 for the year ended 31 December 20X8.
2. Oz Clothing Company Limited (Oz)

Oz is a distributor of middle-of-the-range fashion lines. The business has suffered as a result
of low consumer spending and increased competition in the last few years. You are the auditor
of Oz and have commenced work on the current year audit. Discussions with Oz personnel
reveal that the inventory stocktake was performed a few days ago at the warehouse without
prior notice. No documentation or feedback from that stocktake, except for a $70,000 stock
adjustment in the books, is able to be relayed to the auditors. You have discussed the issue with
senior management, and they are aware that audit evidence is missing regarding the $1,000,000
inventory balance held in the Oz warehouse. No alternative methods to validate the inventory
balance are available to the auditors at this time. Total assets of Oz are $3,800,000.

ACT
3. TuffLuck Limited (TuffLuck)

The audit of TuffLuck has proved extremely difficult, as the client did not maintain appropriate
financial records during the year. The financial records were not updated for the first 10 months
of the year as TuffLuck was without an accountant during this period. An accountant was
employed in May 20X3, and tried to reconstruct records from the details of receipts and
payments available. They were unable to reconcile the bank account, and the auditor is
not satisfied that all transactions that occurred during the year are reflected in the financial
statements. The operating loss recorded by TuffLuck in the current year is $22,190.
4. Dosory Limited (Dosory)

Dosory is a major management consulting firm in Melbourne and the audit for 30 June 20X3
is now complete. You have noticed some disturbing trends, with a 200% increase in revenue
and a slight decrease in expenses since last year despite the economy being relatively flat
year‑on-year. You have also noticed that management consulting projects are being accounted
for differently compared to last year, and include a much more aggressive revenue recognition
policy in place. You and the audit partner have spoken to senior management about the
inappropriateness of the accounting treatment; however, they have refused to change the
accounting treatment or make any disclosures relating to these accounting policy changes in
their financial statements. You estimate that if the accounting policy were to be changed to
comply with the appropriate financial reporting framework, a downward (debit) adjustment of
$450,000 would be required on the current profit of $600,000 for the year.
Note: All the entities prepare general purpose financial statements. Unless otherwise stated,
sufficient appropriate audit evidence has been obtained and the financial statements have been
prepared in accordance with the applicable financial reporting framework.
Task
For this activity, you are required to determine the most appropriate auditor’s opinion to be
included in the auditor’s report for each case study, and to justify your decisions.

ACT
Activity 15.2
Audit reporting – misstatements and
inconsistencies between the financial
statements and documents containing the
Introduction
The auditor’s report can include a description of matters relating to the auditor’s opinion or
other matters that, in the opinion of the auditor, should be brought to the attention of users of
•• Describe and explain the different types of auditor’s reports that an auditor may issue.
This activity demonstrates how to determine the appropriate form of auditor’s opinion where
financial statements contain material misstatements. It also demonstrates the impact on the
auditor’s report of inconsistencies between the financial statements and documents that contain
those financial statements, in accordance with:
Report (ISA 706).
Scenario
You are an audit senior with Hope & Tait Chartered Accountants (HT). Fluffit is a listed food
manufacturer specialising in bottled condiments, bake-at-home cakes and sandwich spreads.
HT has been the auditor of Fluffit for the last five years. You are a member of the HT team
performing the audit of Fluffit for the year ended 30 June 20X3.
The audit team is currently finalising the audit working papers in preparation for the audit
partner’s review. The audit manager has been reviewing the audit working papers and your
responsibility has been to ensure the working papers are complete, that you have reviewed the
work of junior auditors, and that sufficient appropriate audit evidence has been obtained for all
material amounts and disclosures.

ACT
You conclude that sufficient appropriate audit evidence has been obtained for all material
amounts and disclosures. However, you note the following:
Inventory
You attended the inventory stocktake on 30 June 20X3. During your attendance you inspected
the shelf life of stock items and noticed that some items had ‘best before’ dates that were
either past the date or had only a few weeks to go. When you raised the matter, management
responded that products can legally be sold after the ‘best before’ dates so long as the product is
not damaged, deteriorated or perished.
During the audit, you find that Fluffit’s customers will not accept goods with ‘best before’ dates
that expire within three months, and that such items have minimal sales value. Your audit work
has evaluated that inventory with a carrying value of $400,000 falls into this category, which
is material to Fluffit’s financial statements. Management has declined to adjust the financial
statements on the basis that the products are not legally expired.
Financial statements
Fluffit is required to prepare its financial statements in accordance with International Financial
Reporting Standards (IFRS). You have reviewed the draft financial statements and concluded
they have been materially prepared in accordance with IFRS, with the exception of the item
discussed above.
Annual report
HT has been provided with a draft of all other documents that will go into Fluffit’s annual
report, along with the audited financial statements. One of these documents, the chief
executive officer’s (CEO’s) report, contains a summary of financial performance together with
commentary. You have reviewed all the other documents, including the CEO’s report, and have
discovered that a chart presenting revenue and cost of sales is inconsistent with the revenue
and cost of sales amounts reported in the audited financial statements. The CEO’s commentary
discusses this chart, and presents a view that is inconsistent with Fluffit’s actual performance.
The audit manager has evaluated the inconsistencies as material and has concluded that the
CEO’s report should be amended. He has discussed this with the CEO, who responded that
the chart reflects adjustments to ‘normalise’ the results and is not the concern of the auditors;
therefore, Fluffit would decline to adjust inventory balance in the financial statements or the
CEO’s report.
Legislation requires HT to provide a written auditor’s report and does not permit withdrawal
from the audit.
Task
For this activity, the audit manager has asked you to assist her in preparing a memorandum of
significant audit issues for the audit partner to review. One section of the memorandum will
consider the audit reporting implications. For this activity you are required to:
•• Determine the appropriate auditor’s opinion.
•• Determine whether an Emphasis of Matter (EOM) or Other Matter (OM) paragraph
is required.

ACT
Activity 15.3
Determining auditor’s reporting implications
– subsequent events and going concern
Introduction
This activity demonstrates how events occurring subsequent to the reporting date can impact
the auditor’s opinion and the impact on the auditor’s report of uncertainties regarding going
concern, in accordance with:
•• ISA 560 Subsequent Events (ISA 560).
•• ISA 570 Going Concern (ISA 570).
Report (ISA 706).
In order to complete this activity, you will also need to understand the basic principles of
International Accounting Standard IAS 10 Events after the Reporting Period (IAS 10).
Scenario
You are an audit senior working at AAA Chartered Accountants (AAA). BookBooks (BB) is
a listed company. BB is a book wholesaler distributing books to customers in Australia and
New Zealand. You are part of the audit team performing the audit of BB for the year ended
30 June 20X3. BB is required to prepare general purpose financial statements in accordance with
International Financial Reporting Standards (IFRS).
It is 20 August 20X3 and you are working with the audit manager, Christine O’Malley, finalising
the audit. Aside from the matters discussed below, no other matters have been identified as a
result of the audit work.
1. Customer bankruptcy
On 20 July 20X3, BB received a letter from the administrators of a major customer. The letter
indicated that the customer was likely to go into liquidation and, as a result, BB is unlikely to
receive anything significant out of an amount of $1 million owed by the customer at 30 June
20X3.

ACT
2. Going concern
BB’s business has experienced poor trading conditions in recent years, which has put pressure
on the company’s cash flows. The company has a $20 million line of credit facility that is due
for renewal in early December 20X3, which it is hoping to increase to help meet working
capital requirements. There is some doubt whether the existing lender will renew or increase
the facility, and negotiations are in their early stages. If the negotiations are unsuccessful, the
directors believe there could be other lenders, but they have not yet identified a specific source
of alternative funds.
Management has prepared an assessment of the company’s ability to continue as a going
concern, including profit and cash flow forecasts for the period to October 20X4. Management’s
assessment indicates that the company would be unlikely to be able to continue trading beyond
January 20X4 if the company is not able to renegotiate the loan or find alternative funding. The
directors have therefore concluded that there is significant uncertainty regarding BB’s ability to
continue as a going concern.
3. BB’s financial statements

BB’s financial statements present a loss before tax of $6,241,000. BB’s directors have not adjusted
the accounts receivable balance of $4,542,000 in the 20X3 financial statements for the effects of
the customer bankruptcy, as they believe the effect should be recorded in the 20X4 financial
year.
The financial statements have been prepared on a going concern basis and the notes to the
financial statements include a prominent disclosure of the material uncertainties in respect of
the going concern assumption.
4. AAA’s audit
AAA has reviewed management’s assessment of going concern, obtaining sufficient appropriate
evidence in respect of the profit and cash flow forecasts and the underlying assumptions. AAA
agrees with the directors’ assessment of a material uncertainty regarding going concern and
with the related disclosures in the financial statements.
AAA has obtained sufficient appropriate audit evidence in respect of all other material
transaction streams, account balances and financial statements disclosures, and has concluded
that the financial statements have otherwise been appropriately prepared in accordance with
IFRS.
Task
For this activity, Christine has asked you to determine the impact of the customer bankruptcy
and the material uncertainty regarding the going concern assumption on the auditor’s report on
BB’s 30 June 20X3 financial statements.

ACT
Activity 15.4
Issuing an auditor’s report when financial
statements are not in accordance with the
applicable financial reporting framework
Introduction
The auditor’s report provides information about the auditor’s responsibilities, management’s
responsibilities, the scope of the auditor’s work, and the auditor’s opinion on the financial
statements. It can also include a description of matters that give rise to any modifications of the
auditor’s opinion, and any other matters that, in the auditor’s opinion, should be drawn to the
attention of users of the financial statements.
At the end of this activity, you will be able to understand how the auditor forms an auditor’s
opinion, and the impact on the auditor’s report of financial statements not prepared in
accordance with the applicable financial reporting framework, in accordance with the following
Auditing Standards:
Report (ISA 706).
Scenario
You are an audit senior working at Goodadds Chartered Accountants (Goodadds). Goodadds is
the auditor of Grafle, a listed company that manufactures components for specialist agricultural
machinery, and reports its consolidated financial statements under International Financial
Reporting Standards (IFRS). In March 20X3, Grafle acquired 100% of an agriculture machinery
manufacturer, Farmers’ Tools, to which it supplies a large portion of its products.
It is 20 September 20X3, and you are part of the Goodadds team finalising the audit of Grafle for
the year ended 30 June 20X3. During the audit you discovered the following:
•• The new Farmers’ Tools subsidiary has not been consolidated but has instead been
accounted for at cost in the financial statements of Grafle.
•• If the Farmers’ Tools subsidiary was to be consolidated under IFRS then it would have a
material effect on a number of the elements in the financial statements of Grafle.
Goodadds has obtained sufficient appropriate audit evidence and is satisfied that the financial
statements have been prepared in all material respects in accordance with IFRS, and present a
true and fair view, with the exception of the non-consolidation of Farmers’ Tools.

ACT
Task
For this activity, you are required to determine the impact of the non-consolidation of Farmers’
Tools on the auditor’s report on Grafle’s 30 June 20X3 financial statements.

CC
Core content
Unit 16: Review engagements
Learning outcomes
1. Identify the key differences between an audit and a review engagement.
2. Determine which Standards apply and the assurance practitioner’s responsibilities with
respect to various types of review engagements.
Introduction
There are many different types of assurance engagements that a Chartered Accountant may
be asked to undertake. The primary focus of the Audit & Assurance (AAA) module up to this
point has been on the audit of general purpose financial statements (GPFSs) that are completed
in accordance with the International Standards on Auditing (ISAs). This unit focuses on:
•• review engagements, and
•• how to distinguish between a limited assurance engagement (a review) and a reasonable
assurance engagement (an audit).
As well as addressing the difference between review and audit engagements, this unit
covers the:
•• Concept of assurance as it applies to different types of engagements.
•• Process of identifying specific engagements and the applicable Standards.
•• Assurance practitioner’s key responsibilities with regard to review engagements where
the subject matter is historical financial information.
The Standards covered in this unit include the following:

•• ISRE 2400 (Revised) Engagements to Review Historical Financial Statements (ISRE 2400
(Revised)).
•• ISRE 2410 Review of Interim Financial Information Performed by the Independent Auditor of
the Entity (ISRE 2410).
aaa11616_csg

CC
Overview of review engagements
Learning outcome
1. Identify the key differences between an audit and a review engagement.
What is a review engagement?

Audit and review engagements were introduced in the unit on assurance purpose and
framework. The term ‘audit’ denotes an engagement in which the auditor provides reasonable
assurance on the subject matter of the engagement. Reasonable assurance is the highest level of
assurance that an assurance practitioner can provide.
In contrast, a review engagement is an engagement in which a limited level of assurance is
provided. As indicated by the definition, limited assurance is a lower level of assurance than
reasonable assurance. Nonetheless, a review engagement is still an evidence-based engagement.
There are a number of reasons why an entity may elect to have a review engagement performed
instead of an audit. These include:
•• Law or regulation may only require, as a minimum, the provision of limited assurance
(e.g. in Australia and New Zealand, on the half-yearly financial statements of listed entities).
•• For non-listed entities, users of the financial statements may be satisfied with receiving
limited assurance over the financial statements, on the basis of cost versus benefit.
•• Potential investors or financial institutions may require a review to support a financing
proposal.
•• Government agencies may require a review to support an application for a government
grant.
•• Small subsidiaries of larger groups audited may be reviewed instead of audited.
Key differences between audit and review engagements

There are two primary distinctions between audit and review engagements. These distinctions
are based on the:
•• Level of assurance provided.
•• Nature and extent of procedures performed.
Key differences between an audit and a review engagements are summarised in the table below:
Consideration Audit Review
Level of assurance Reasonable Limited
Independence Required Required
Materiality Financial statements as a whole Financial statements as a whole

Engagement quality control review Listed entities and as required by As required by assurance firm
assurance firm policy policy
Obtaining an understanding of the Sufficient to identify and assess the Sufficient to identify areas in the
entity risk of material misstatement at financial statements where material
the financial statement level and misstatements are likely to arise
assertion levels

CC
Consideration Audit Review
Required procedures Plan and perform sufficient Address all material items in the
procedures to reduce the risk financial statements, including
of material misstatement in disclosures. Focus on financial
the financial statements to an statement areas where material
appropriately low level misstatements are likely to arise
Procedures performed: Procedures performed:

•• Risk assessment procedures •• Inquiry
•• Tests of controls (when planned •• Analytical procedures
reliance)
•• Substantive procedures
Evidence obtained Sufficient appropriate evidence to Sufficient appropriate evidence as

be able to draw conclusions on the the basis for a conclusion on the
financial statements financial statements as a whole
Uncorrected misstatements Accumulate, evaluate and request Evaluate and request correction by
correction by management management
Report Auditor’s opinion that contains Review conclusion that contains

positive assurance negative assurance
The extent of work performed in a review engagement is usually considerably less than that
performed in an audit. If a matter comes to the assurance practitioner’s attention that causes
them to believe that the financial information may be materially misstated, they may extend
the procedures employed in order to draw the appropriate conclusions on the financial
information.
Key differences in evidence-gathering procedures and assurance report conclusions can be
found in the International Framework for Assurance Engagements (International Framework)
paras 77–78 and 85 for reasonable assurance engagements (audits), and paras 79–80 and 86 for
limited assurance engagements (reviews).
Activity 16.1: Determining the difference between review and audit engagements within
the International Framework
Required reading
International Framework paras 2–21, 77–80 and 85–86.
ISRE 2400 (Revised ) Appendix 2.

CC
Identifying the appropriate review engagement Standards to

apply
Learning outcome
Where limited assurance is required, the practitioner will apply the International Standards on
Review Engagements (ISREs).
Having concluded that the ISREs apply, the assurance practitioner must then choose the correct
Standard from the ISRE suite of Standards to apply to the particular engagement.
In a review engagement on historical financial information, the key driver that determines
which Standard should be applied is whether the assurance provider is also the auditor of the
entity’s annual financial statements:
•• If the assurance practitioner is the auditor of the entity’s annual financial statements, the
assurance practitioner must apply ISRE 2410.
•• If the assurance practitioner is not the auditor of the entity’s annual financial statements, the
assurance practitioner must apply ISRE 2400 (Revised).

CC
Determining the relevant international Standard

The following diagram represents a decision tree that the practitioner can use to determine the
relevant Standards that apply to a review engagement in the international context:
Will the engagement International Standards

provide a level of NO on Related Services
assurance? (ISRSs)
YES
Is the focus of the International Standards on

subject matter historical NO Assurance Engagements
financial information? (ISAEs)
YES
International Standards
Is the engagement
AUDIT on Auditing
an audit or review?
(ISAs)
REVIEW
International Standards on
Review Engagements
(ISREs)
Assurance practitioner
Auditor of the entity who is not the auditor
of the entity
ISRE 2410 ISRE 2400
Required reading
ISRE 2400 (Revised) paras 1–2.
ISRE 2410 paras 1–3a.

CC
Australia-specific
Determining whether international or Australian Standards apply
A practitioner in Australia would apply the IAASB’s framework of ISAs, ISREs and ISAEs when
undertaking an engagement for an entity that operates under this international framework –
for example, when the parent entity of a group is based overseas.
If the entity is an Australian company based in Australia, then engagements are normally
performed under the Australian framework (i.e. Australian Auditing and Assurance Standards:
Australian Auditing Standards (ASAs), Australian Standards on Review Engagements (ASREs)
and Australian Standards on Assurance Engagements (ASAEs)).
The Australian Standards for review engagements (ASREs 2400, 2405, 2410 and 2415) are
broadly aligned to the international Standards for review engagements . The international
Standards have been adopted, with modifications, in Australia. These modifications have
arisen primarily as a result of inconsistencies between the Australian legislation regarding the
assurance practitioner’s responsibilities and the requirements of the international Standards.
The Australian and international Standards for review engagements are similar in that the
driver that determines which review Standard applies is whether the assurance practitioner is
the auditor of the entity’s annual financial statements
ASRE 2405 Review of Historical Financial Information Other than a Financial Report
ASRE 2400 and ASRE 2410 are restricted to historical financial information that comprises
financial statements. This restriction has not been placed on their international equivalent
Standards. To deal with this restriction, an additional Standard, ASRE 2405, has been developed
for Australia.
Note: ASRE 2405 is closely aligned to the review principles of ISRE 2400 (Revised) but is not
directly comparable to it.
ASRE 2415 Review of a Financial Report: Company Limited by Guarantee or an Entity Reporting under the
ACNC Act or Other Applicable Legislation or Regulation
An additional Australian-specific review Standard, ASRE 2415, has been developed as a result of
legislative changes regarding companies limited by guarantee and entities required to report
under the Australian Charities and Not-for-Profits Commission Act 2012 (Cth) (ACNC Act) .
Required reading
ASRE 2400 para. 1.
ASRE 2405 para. 1.
ASRE 2410 para. 1.
ASRE 2415 para. 1.

CC
Determining the relevant Australian Standard for a review engagement

Once it is determined that an engagement is a review of historical financial information, the
following decision tree can be used to determine the applicable national Standards:
ASRE Standards review engagements
Assurance practitioner
Auditor of the entity who is not the auditor
of the entity
Subject matter − Subject matter − Subject matter − Entity is limited by Entity is limited by
financial report other historical financial report guarantee and guarantee and
financial meets exemption meets exemption
information criteria of criteria of
Corporations Act or Corporations Act or
required to report required to report
under
underthe
theACNC
ACNCAct.
Act under the ACNC Act
ASRE 2405 ASRE 2415 ASRE 2415

ASRE 2410 No equivalent ASRE 2400 No equivalent No equivalent
ISRE ISRE ISRE
Other differences between the Australian and international Standards that apply to review
engagements are also discussed in this unit.
Determining the applicable Standards in New Zealand
XRB Au1 Application of Auditing and Assurance Standards (XRB Au1) sets out the applicable
Standards to be applied by assurance practitioners when conducting different types of
engagements in New Zealand. There are two Standards applicable to review engagements:
•• Review of Historical Financial Statements Performed by an Assurance Practitioner Who is Not
the Auditor of the Entity (ISRE (NZ) 2400).
•• Review of Financial Statements Performed by the Independent Auditor of the Entity
(NZ SRE 2410).
The ‘Conformity to International and Australian Standards on Review Engagements’ section of

NZ SRE 2410 sets out the differences between the New Zealand and international Standards on
review engagements, and summarises the additional mandatory requirements that apply to a
review of historical financial information in New Zealand.

CC
Required reading
XRB Au1.
ISRE (NZ) 2400 paras 1–3 and 14.
NZ SRE 2410 paras 1–5.
Assurance practitioner’s responsibilities with respect to review

engagements
Learning outcome
International review engagement Standards (ISREs)

The discussion and diagrams presented up to this point in the unit have focused on determining
which review Standards apply under particular circumstances. This section focuses on the
assurance practitioner’s responsibilities under the respective Standards.
It should be noted that each ISRE is intended to be a stand-alone Standard. This means
that a practitioner should be able to apply each review Standard in isolation from other
pronouncements (except where specifically directed to another pronouncement within the
text of the ISRE). This differs from the ISAs, which are intended to be applied to an audit
engagement as a suite of Standards.
Note that although ISRE 2400 (Revised) and ISRE 2410 contain many of the same requirements
and guidance paragraphs, there are a number of differences between these two Standards. It is
for this reason that the remainder of this unit focuses on describing and applying the principles
that are discussed in the respective Standards.
ISRE 2400 (Revised) Engagements to Review Historical Financial Statements

The purpose of ISRE 2400 (Revised) is to establish mandatory requirements and provide
explanatory guidance on:
•• The assurance practitioner’s professional responsibilities when undertaking an engagement
to review financial statements.
•• The form and content of the assurance practitioner’s review report.
The application of ISRE 2400 (Revised) is directed towards the review of financial statements
that comprise historical financial information, by an assurance practitioner who is not the
auditor of the entity. ISRE 2400 (Revised)’s requirements and guidance effectively cover similar
requirements in ISA 200–ISA 706 that are applicable to audits of financial statements, and
are designed to ensure that the assurance practitioner – who initially lacks the same level of
knowledge of the entity as that possessed by the auditor of the entity – undertakes procedures
to ensure they have a knowledge of the entity and its operations that is sufficient to meet the
objectives of the review engagement.
The objective of the practitioner in a review of financial statements (ISRE 2400 (Revised)
para. 14(a)) is to:
… obtain limited assurance, primarily by performing inquiry and analytical procedures, about
whether the financial statements as a whole are free from material misstatement, thereby enabling the
practitioner to express a conclusion on whether anything has come to the practitioner’s attention that
causes the practitioner to believe the financial statements are not prepared, in all material respects, in
accordance with an applicable financial reporting framework.

CC
A review of financial statements differs significantly from an audit of financial statements,
which is conducted in accordance with Auditing Standards.
Key difference between a review and an audit of financial statements

As discussed earlier in this unit, the key differences between a review and an audit of financial
statements is the level of assurance and the nature and extent of procedures performed.
ISRE 2400 (Revised) deals with the following aspects of a review engagement:
•• Compliance with the International Ethics Standards Board for Accountants (IESBA) Code of
Ethics for Professional Accountants (ISRE 2400 (Revised) para. 21).
•• Exercising professional scepticism and professional judgement (ISRE 2400 (Revised)
paras 22–23).
•• Engagement level quality control (ISRE 2400 (Revised) paras 24–28).
•• Agreeing the terms of review engagement (ISRE 2400 (Revised) paras 29–41).
•• Communication with management and those charged with governance
(ISRE 2400 (Revised) para. 42).
•• Conducting review procedures (ISRE 2400 (Revised) paras 43–68).
•• Conclusions and reporting (ISRE 2400 (Revised) paras 69–92).
•• Documentation (ISRE 2400 (Revised) paras 93–96).
The discussion below centres on the following two key aspects of those identified above:
•• Conducting review procedures.

•• Conclusions and reporting.
Conducting review procedures

Understanding the entity and its environment, including internal control
ISRE 2400 (Revised) para. 45 provides a basis on which the assurance practitioner can plan an
engagement that is effective in assessing and addressing areas in the financial statements where
material misstatements are likely to arise.
In order for a practitioner to assess these areas of risk in the financial statements, it is necessary
for the practitioner to obtain, or update, their understanding of the entity and the business,
including:
•• Industry, regulatory and other external factors.
•• The applicable financial reporting framework.
•• Nature of the entity.
•• The entity’s accounting systems and accounting records.
•• The entity’s selection and application of accounting policies.
Designing and performing review procedures

In designing and performing review procedures, the practitioner applies the same materiality
considerations that are applicable to an audit engagement. The guidance on materiality is stated
in ISRE 2400 (Revised) paras 43–44 and A70–A74.
ISRE 2400 (Revised) para. 47 requires the practitioner to design and perform enquiry and
analytical procedures:
(a) To address all material items in the financial statements, including disclosures; and
(b) To focus on addressing areas in the financial statements where material misstatements are likely to
arise.

CC
The auditor’s responsibilities with regard to enquiry, analytical and other review procedures
are as follows:
•• Enquiries
ISRE 2400 (Revised) para. 48 requires the practitioner to make enquiries of management and
others within the entity, to obtain specific information, including:
–– How management makes significant accounting estimates.
–– Related parties and related party transactions.
–– Significant, unusual or complex transactions, events or matters that have affected or
may affect the entity’s financial statements.
–– Significant changes in business activities, or to terms of contract that materially affect
the entity’s financial statements, including finance and debt contracts or covenants.
–– Significant journal entries or adjustments and significant transactions occurring or
recognised near the end of the reporting period.
–– Existence of any actual, suspected or alleged fraud or illegal acts affecting the entity and
non-compliance with the provisions of laws and regulations.
–– Whether management has identified and addressed subsequent events.
–– The basis of management’s assessment of the entity’s ability to continue as a going
concern and whether there are events or conditions that appear to cast doubt on the
entity’s ability to continue as a going concern.
–– Material commitments, contractual obligations or contingencies.
–– Material non-monetary transactions.
•• Analytical procedures
ISRE 2400 (Revised) para. 49 requires the practitioner to consider whether the data from the
entity’s accounting system is adequate for the purpose of analytical procedures.
Performing analytical procedures can assist the practitioner to:
–– Identify areas where material misstatements are likely to arise in the financial
statements.
–– Identify inconsistencies or variances from expected trends, values or norms in the
–– Corroborate evidence in relation to other enquiry or analytical procedures already
performed (ISRE 2400 (Revised) para. A89).
•• Other review procedures

While the nature, extent and timing of procedures performed is dependent on the
practitioner exercising their professional judgement, ISRE 2400 (Revised) provides clear
guidance on procedures to address specific circumstances in a review engagement,
including related party relationships and transactions, fraud and non-compliance with
laws or regulations, going concern, subsequent events, obtaining written representations
from management and evaluating evidence obtained from procedures performed. These
procedures are described in detail in ISRE 2400 (Revised) paras 50–68.
Note that the procedures outlined in ISRE 2400 (Revised) are review procedures. If, during
the course of the practitioner’s work, there is cause to believe that the financial statements
may be materially misstated, the practitioner should undertake additional procedures
(ISRE 2400 (Revised) para. 8).

CC
Conclusions and reporting

When preparing a report on a review of financial statements, the assurance practitioner should
ensure it contains the basic elements of the practitioner’s report for a review engagement as set
out in ISRE 2400 (Revised) para. 86. An unmodified review report shall contain a clear statement
that the report provides limited assurance and that an audit opinion is not expressed.
Unmodified conclusion
An unmodified conclusion is expressed when the practitioner states in the practitioner’s report
(under the heading ‘Conclusion’) that (ISRE 2400 (Revised) para. 74):
(a) “Based on our review, nothing has come to our attention that causes us to believe that the financial
statements do not present fairly, in all material respects (or do not give a true and fair view), … in
accordance with the applicable financial reporting framework,” (for financial statements prepared
using a fair presentation framework); or
(b) “Based on our review, nothing has come to our attention that causes us to believe that the financial
statements are not prepared, in all material respects, in accordance with the applicable financial
reporting framework,” (for financial statements prepared using a compliance framework).
Modified conclusion
If, based on the review procedures performed, the practitioner believes the financial statements
are materially misstated, or is unable to obtain sufficient appropriate evidence in relation to one
or more items in the financial statements that are material to the financial statements as a whole,
the practitioner would express a modified conclusion (ISRE 2400 (Revised) para. 75).
There are three types of modified conclusion:
•• Qualified conclusion.
•• Adverse conclusion.
•• Disclaimer of conclusion.
The following table summarises the circumstances under which a modified conclusion is issued:
ISRE 2400 (Revised) paras 77 and 81
Nature of the matter giving rise Practitioner’s judgement about the pervasiveness of the effects
to the modification or possible effects on the financial statements
Material but not pervasive Material and pervasive
Financial statements are materially Qualified conclusion Adverse conclusion

misstated
Inability to obtain sufficient appropriate Qualified conclusion Disclaimer of conclusion

audit evidence
To recap, ISRE 2400 (Revised) applies to a review of historical information that is not conducted
by the entity’s auditor. Further, ISRE 2400 (Revised) assumes that an assurance practitioner who
is not the entity’s auditor initially does not have the same level of knowledge of the entity as the
auditor.

CC
A summary of the key aspects of ISRE 2400 is tabled below:
ISRE 2400 (Revised) Key aspects
Topic Summary
Level of assurance Limited
Engagement •• Assurance practitioner is not the auditor of the entity

acceptance •• Subject matter is historical financial information
considerations
Special reporting Key elements of performing a review engagement include:

considerations
•• Relevant ethical requirements
•• Exercising professional scepticism and judgement
•• Materiality
•• Designing and performing enquiry and analytical procedures
Required reading
ISRE 2400 (Revised) paras 1–23, 30, 36–37, 42–96 and A89.
ISRE 2410 Review of Interim Financial Information Performed by the Independent Auditor
of the Entity
ISRE 2410 was originally introduced to provide a Standard for the performance of a review
of an entity’s interim financial information by an auditor who is also the auditor of the entity.
Interim financial information is financial information that is prepared in accordance with an
applicable financial reporting framework for a period that is shorter than the entity’s financial
year. Examples of interim financial information include half‑yearly financial statements that
are prepared by a publicly listed entity for lodgement with its respective stock exchange, such
as the Australian Securities Exchange (ASX) in Australia, or the New Zealand Exchange (NZX)
in New Zealand.
ISRE 2410 was subsequently amended to include the review of historical financial information
other than interim financial information of an audit client. Such a review is within the scope of
ISRE 2400 (Revised), which is applicable to an assurance practitioner who is not the auditor of
the entity. This means that ISRE 2410 can be applied to the review of financial information for
a financial year as well as a period shorter than a financial year, and includes a single financial
statement (or specific components of a financial statement), other information derived from
financial records, condensed financial statements and a complete set of financial statements
(ISRE 2410 para. 3a).
When conducting a review under ISRE 2410, the assurance practitioner does not provide
reasonable assurance that the historical financial information is free from material misstatement
as they would if conducting an audit of the GPFSs. A review in the context of ISRE 2410 is
similar to that of ISRE 2400 (Revised) (discussed earlier), and consists of making enquiries,
primarily of the persons responsible for financial and accounting matters at an entity, and
applying analytical and other review procedures.
Objective of a review engagement

Under ISRE 2410 para. 7, the objective of a review of interim financial information is to enable
the auditor to:
… express a conclusion whether, on the basis of the review, anything has come to the auditor’s attention
that causes the auditor to believe that the interim financial information is not prepared, in all material
respects, in accordance with [an] applicable financial reporting framework.

CC
The auditor does not provide ‘an opinion whether the financial information gives a true and
fair view’ or is fairly presented (ISRE 2410 para. 8), because the extent of procedures in a review
engagement does not facilitate the provision of such opinion.
Conducting review procedures

Through the performance of an audit of an entity’s annual financial statements, the auditor
obtains an understanding of the entity and its environment, including its internal control. When
the auditor is engaged to review the entity’s interim financial information, their understanding
of the entity is updated through enquiries made in the course of the review, and assists them to
focus on what enquiries to make, and which analytical and other review procedures to apply.
Understanding the entity and its environment, including internal control

As described in ISRE 2410 paras 12–18, the enquiry and analytical procedures carried out in the
course of a review of interim financial information should provide the auditor with an updated
understanding of the entity and its environment. These procedures may include:
•• Reading documentation of the previous year’s audit and interim reviews.
•• Consideration of significant risks and management override controls that were identified in
the previous year’s audit.
•• Reading the most recent annual report.
•• Consideration of materiality as it relates to interim financial information.
•• Considering the nature of any corrected material misstatements and unidentified
uncorrected immaterial misstatements in prior periods.
•• Assessing deficiencies in internal controls.
•• Considering the results of any internal audit performed.
•• Enquiring of management about:
–– The effect of changes to the entity’s business activities.
–– Changes in internal controls.
–– The preparation of interim financial information and reliability of underlying
accounting records.
Designing and performing review procedures

Under ISRE 2410 para. 19:
The auditor should make inquiries, primarily of persons responsible for financial and accounting
matters, and perform analytical and other review procedures to enable the auditor to conclude whether,
on the basis of the procedures performed, anything has come to the auditor’s attention that causes
the auditor to believe that the interim financial information is not prepared, in all material respects, in
accordance with the applicable financial reporting framework.
As the auditor is conducting a review, the auditor would not normally test the control
environment. However, the auditor may perform audit procedures on significant or
unusual transactions that have occurred during the period, such as business combinations,
restructurings or significant revenue transactions (ISRE 2410 para. 29).

When issuing a report on a review of historical financial information, the auditor should ensure
that the report contains the basic elements set out in ISRE 2410 paras 43(a)–(m). An unmodified
review report shall contain a clear written expression of limited assurance.

CC
ISRE 2410 also requires the auditor to include a statement:
•• ‘that the review was conducted in accordance with [ISRE 2410]’ and ‘that such a review
consists of making inquiries, primarily of persons responsible for financial and accounting
matters, and applying analytical and other review procedures’ (ISRE 2410 para. 43(g)), and
•• ‘that a review is substantially less in scope than an audit conducted in accordance with
[ISAs] and consequently does not enable the auditor to obtain assurance that the auditor
would become aware of all significant matters that might be identified in an audit and
accordingly no audit opinion is expressed’ (ISRE 2410 para. 43(h)).
If the auditor believes the historical financial statements are materially misstated, they can
express either a qualified conclusion or an adverse conclusion.
A summary of the key aspects of ISRE 2410 is tabled below:
ISRE 2410 – Key aspects
Topic Summary
Engagement •• Review is performed by the auditor of the entity

acceptance •• Subject matter is historical financial information
considerations
Special reporting Follows the set format of the auditor’s conclusion in ISRE 2410 to comply with the
considerations Standard
Required reading
ISRE 2410 paras 1–9, 12–33, 36–64 and Appendix 2.
Worked example 16.1: The assurance practitioner’s responsibilities in the review of financial
statements
Worked example 16.2: Reviewing engagements – documentation and reporting

Worked example 16.3: Reviewing other historical financial information

Activity 16.2: Reviewing financial statements


CC
Australia-specific
Australian review engagement Standards
The Australian suite of review engagements Standards comprises ASRE 2405, ASRE 2400,
ASRE 2410, and ASRE 2415.
ASRE 2400 and ASRE 2410 are broadly consistent with their equivalent ISREs. However, there
are some significant differences between the Australian and international Standards, notably:
•• the application of ASRE 2400 and ASRE 2410 is limited to a full set of financial statements
only, thus resulting in the need for ASRE 2405, for which there is no international
equivalent, and which applies to individual elements of historical financial information.
The ‘Conformity with International Standards on Review Engagements’ section of both ASRE
2400 and ASRE 2410 summarises the additional mandatory requirements, which apply to a
review of a financial report comprising historical financial information.
Required reading
ASRE 2400 paras Aus0.1, 1–3, Aus 3.1 and 14.
ASRE 2410 paras 1–4.
ASRE 2405 Review of Historical Financial Information Other than a Financial Report
Often an assurance practitioner is requested to review historical financial information other
than a financial report. ASRE 2405 was developed by the AUASB to review:
•• Specific components, elements, accounts or items of a financial report, for example:
–– Single financial statement, such as a statement of financial performance or statement
of financial position.
–– Single item, such as accounts receivable and inventory.
–– Asset grouping for impairment or valuation purposes.
•• Other information derived from financial records, for example:
–– Pension scheme’s schedule of externally managed assets and income.
–– Schedule of net tangible assets.
–– Property disbursements schedule for leased property.
–– Schedule of profit participation or employee bonuses.
•• Financial statements prepared in accordance with a financial reporting framework that is
not designed to achieve fair presentation – for example, condensed financial statements
or an entity’s internal management accounts.
The following discussion addresses the key elements of ASRE 2405.
Objective of a review
The practitioner’s objectives in a review of historical financial information other than a
complete set of financial statements are set out in ASRE 2405 para. 16. For an engagement
performed under ASRE 2405, the practitioner is required ‘to express a conclusion whether …
anything has come to [their] attention that causes [them] to believe that the historical financial
information … is not prepared, or prepared fairly, in all material respects’, in accordance with
the applicable reporting criteria.
Planning a review
Under ASRE 2405 para. 25, the practitioner needs to ‘plan the review so that an effective
engagement will be performed’. This will require the practitioner to obtain knowledge,
or update their knowledge, of the business, including its organisation, accounting systems,
operating characteristics and the nature of its assets, liabilities, revenues and expenses.
(See ASRE 2405 paras 25–27.)

CC
Procedures and evidence

Under ASRE 2405 para. 29, the assurance practitioner ‘shall apply judgement in determining
the specific nature, timing and extent of review procedures’, taking into account materiality
and the possible effect of misstatements.
The assurance practitioner needs to maintain professional scepticism during the review
in recognising that circumstances may exist that cause the historical financial information
to be materially misstated (See ASRE 2405 paras 29–37).
When issuing a report on a review of historical financial information other than a complete
set of financial statements, the assurance practitioner should ensure that the assurance report
contains the basic elements set out in ASRE 2405 paras 61(a)–(h).
An unmodified review report shall contain a clear written expression of limited assurance.
An unmodified conclusion is expressed when the practitioner states that (ASRE 2405
para. 62(a))
“on the basis of the review, nothing has come to the assurance practitioner’s attention that causes the
assurance practitioner to believe that the historical financial information is not prepared, or presented fairly,
in all material respects, in accordance with the applicable criteria” (limited assurance).
If the practitioner believes the historical financial information is materially misstated, they can
express either a qualified conclusion or an adverse conclusion.
How ASRE 2405 conforms with the International Standards on Review Engagements (ISREs)
In drafting ASRE 2405, the AUASB noted that ISRE 2400 (Revised) is applied to engagements
to review other historical financial information, and adapted as necessary in the circumstances.
In addition to ASRE 2400 and ASRE 2410, however, the AUASB decided that the nature of other
historical financial information warranted a separate Standard (i.e. ASRE 2405) to deal more
comprehensively with reviews of other historical financial information.
Therefore, ASRE 2405 is not intended to replicate ISRE 2400 (Revised), but is intended to conform
(with some exceptions) to ISRE 2400 (Revised) to the extent that it addresses reviews of historical
financial information other than a complete set of financial statements (ASRE 2405 para. 67).
The following table summarises the key aspects of ASRE 2405:
ASRE 2405 – Key aspects

Topic Summary

Engagement •• Is not a review of a complete set of financial statements
acceptance •• Applies to specific elements of a financial report or other information
considerations
•• ISRE 2400 (Revised) still applies to engagements, and is adapted as necessary
Special reporting Mandatory elements of the practitioner’s report on the review include:
considerations
•• Identification of the historical financial information reviewed
•• Statement of responsibility of those charged with governance
•• Statement of responsibilities of the assurance practitioner
•• Statement on the purpose of preparation and intended users of the report,
and any restrictions on relying on the report
•• Description of the nature of the review
•• Conclusion of limited assurance
Required reading
ASRE 2405 paras 3, 5, 16, 19–20, 24–27, 29–38, 58–64, 67 and Appendix 4.

CC
ASRE 2415 Review of a Financial Report: Company Limited by Guarantee or an Entity Reporting under the
ACNC Act or Other Applicable Legislation or Regulation
The Corporations Act 2001 (Cth) (Corporations Act) was amended in June 2010 to enable certain
companies to have their financial report for a financial year reviewed instead of audited. The
primary reason for the amendments was to reduce costs for companies limited by guarantee,
and certain not-for-profit entities.
Another key legislative change was that the review need not be undertaken by a registered
company auditor; however, the reviewer must hold a practising certificate.
As a result of the changes to the Corporations Act, a number of state governments also
amended their Incorporated Association Acts to allow an incorporated association to be
reviewed by an independent assurance provider, thus removing the obligation for such
associations to be audited.
To give effect to the legislative amendments and provide guidance to practitioners, the AUASB
issued ASRE 2415, which clarifies the appropriate review Standards that practitioners should
apply in particular situations.
ASRE 2415 para. 9 states:
When a company limited by guarantee, or an entity reporting under the ACNC Act, or an entity reporting
under other applicable legislation or regulation, elects to have its financial report reviewed instead of
audited, an auditor who has conducted an audit of the previous financial report of the company or entity in
accordance with the Australian Auditing Standards, shall, in the first financial reporting period under revised
legislation, conduct the review in accordance with ASRE 2410 Review of a Financial Report Performed by the
Independent Auditor of the Entity…
When a company limited by guarantee or an entity reporting under the Australian Charities
and Not-for-Profits Commission Act 2012 (Cth), or an entity reporting under other applicable
legislation or regulation, elects to have its financial statements reviewed instead of audited,
and the review is conducted by a practitioner who was not the auditor of the previous financial
statements, the practitioner must apply ASRE 2400 (ASRE 2415 para. 10).
The following table summarises the key aspects of ASRE 2415:
ASRE 2415 – Key aspects
Topic Summary
Engagement Entity must satisfy the Corporations Act and conditions of an incorporated
acceptance association to be eligible for a review
considerations
The reviewer must hold a practising certificate
Special application If the practitioner was the auditor of the previous period financial statements,
considerations they must apply ASRE 2410 to the current engagement
If the practitioner was not the auditor of the previous period financial
statements, they must apply ASRE 2400 to the current engagement
Required reading
ASRE 2415 paras 9–10.

CC

16.1: Common review engagements
Quiz

Readings

Standards.
Required reading
Relevant International Assurance pronouncements and national equivalents and guidance
International Framework for Framework for Assurance EG Au 1 – Overview of Auditing and

Assurance Engagements Engagements Assurance Standards issued by the
External Reporting Board
•• Paragraphs 2–16, 59 and the •• Paragraphs 2–16, 59 and the •• Paragraphs 1–2, 15–22, 80 and
Appendix Appendix the Appendix
ISRE 2400 (Revised) Engagements ASRE 2400 Review of a Financial ISRE (NZ) 2400 Review of Historical
to Review Historical Financial Report Performed by an Assurance Financial Statements Performed by
Statements Practitioner Who is Not the Auditor an Assurance Practitioner Who is Not
of the Entity the Auditor of the Entity
•• Paragraphs 1–23, 30, 36–37, •• Paragraphs AUS 0.1, 1–3, •• Paragraphs 1–23, 30, 36–37,
42–96, A89 and Appendix 2 AUS 3.1, 4–23, 30, 36–37, 42–96, 42–96, A89 and Appendix 2
A89 and Appendix 2
ISRE 2410 Review of Interim ASRE 2410 Review of a Financial NZ SRE 2410 Review of Financial
Financial Information Performed by Report Performed by the Statements Performed by the
the Independent Auditor of the Entity Independent Auditor of the Entity Independent Auditor of the Entity
•• Paragraphs 1–9, 12–33, 36–64 •• Paragraphs 1–10, 13–22, 25–44, •• Paragraphs 1–11, 14–23, 26–45,
and Appendix 2 A4, A11, A20 and Appendix 2 A4, A11, A20 and Appendix 2
ASRE 2405 Review of Historical

Financial Information Other than
a Financial Report
•• Paragraphs 1, 3, 5, 16, 19–20,
24–27, 29–38, 58–64, 67 and
Appendix 4
ASRE 2415 Review of a Financial

Report: Company Limited by
Guarantee or an Entity Reporting
under the ACNC Act or other
Applicable Legislation or Regulation
•• Paragraphs 1 and 9–10
XRB Standard Au1 Application of

Auditing and Assurance Standards

www.nzica.com

Further reading
There is no further reading for this unit.

ACT
Activity 16.1
Determining the difference between
review and audit engagements within the
International Framework
Introduction
Assurance practitioners are requested to perform different services for clients for a variety
of reasons. When considering client requests, practitioners must consider the wishes of the
client with reference to the International Framework for Assurance Engagements (International
Framework).
•• Identify the key differences between an audit and a review engagement.
At the end of this activity, you will be able to distinguish between review and audit
engagements, in accordance with the International Framework.
Scenario
You are a senior auditor working for Finch Dawson and Associates (FDA), a national accounting
firm. One of your largest clients, Magic Mick’s Electronics Limited (MME), has recently
embarked on a growth by acquisition program.
In 20X3, the board of MME decided to investigate the purchase of two separate entities:
•• Precision Chips Inc., a silicon chip manufacturer based in the United States (US).
•• New Technology Inc., an electronic research and development company, also based in
the US.
The directors of MME are anxious to ensure that they pay the lowest possible price for their
investment in these companies, and have asked FDA to help them conduct a ‘due diligence’
investigation of the entities.
MME intends to keep the entities running as separate concerns, it is therefore looking for some
assurance that the entities’ financial statements as at 31 March 20X3 have been prepared, in all
material respects, in accordance with the applicable financial reporting framework.
The engagement partner, Matt Graham, has agreed with MME’s board to perform a review
of the financial statements of Precision Chips Inc. and New Technology Inc. for the period
ending 31 March 20X3.
Matt has told you that this is an important engagement, which will involve flying the team to
the US to perform the two review engagements. The team members who are available to travel
to the US have only worked on audit engagements before; however, they are familiar with US
generally accepted accounting principles (US GAAP), due to their work with other clients who
are subsidiaries of US parent entities.
Matt has advised that these engagements are to be performed applying the International
Standards on Review Engagements (ISREs).

ACT
Task
For this activity, you are required, for the purposes of the initial team briefing, to summarise the
key differences between a review engagement and an audit.
Explain how this applies to the two review engagements that FDA is to perform for MME.

ACT
Activity 16.2
Reviewing financial statements
Introduction
Companies are required to prepare half-yearly financial statements for a variety of reasons.
Depending on jurisdictional legislation, or requirements of the users, half-yearly financial
statements may be reviewed by the auditor of the entity’s full-year financial statements.
•• Determine which Standards apply and the assurance practitioner’s responsibilities with
At the end of this activity, you will be able to determine the assurance practitioner’s
responsibilities with respect to review engagements, in accordance with the following relevant
Standards:

ISRE 2410 Review of Interim ASRE 2410 Review of a Financial •• NZ SRE 2410 Review of Financial
Financial Information Performed by Report Performed by the Statements Performed by the
the Independent Auditor of the Entity Independent Auditor of the Entity Independent Auditor of the Entity
(ISRE 2410) (ASRE 2410) (NZ SRE 2410)
Scenario
You are a senior accountant working for AAA Chartered Accountants (AAA), a successful
national accounting firm.
One of your clients is AquaFun, a privately owned business that operates one of the country’s
largest theme parks, Wild Water World (WWW). AquaFun engaged AAA for the first time for
the audit of its financial statements for the year ended 30 June 20X3. AAA completed the audit
in August 20X3.
It is now December 20X3, and AquaFun’s bank has requested that AquaFun supply its interim
general purpose financial statements for the six months ended 31 December 20X3, accompanied
by an assurance report from its auditor (i.e. AAA). The bank has requested that this information
be provided by the end of January 20X4.
AquaFun’s chief financial officer (CFO) is concerned about the cost of AAA providing assurance
on the 31 December 20X3 financial statements, and about the short time frame in which
AquaFun must attend to the bank’s request. The CFO has suggested to AAA that it won’t need
to perform any procedures on the comparative data, since it audited the financial report for the
year ended 30 June 20X3. He has also requested a discounted fee on the same grounds.
Task
For this activity, you are required to outline how AAA should respond to the concerns
of AquaFun’s CFO, as well as his suggestion regarding procedures relative to providing
assurance on the financial statements.


CC
Core content
Unit 17: Other assurance engagements and
agreed-upon procedures engagements
Learning outcomes
1. Determine which Standards apply to other assurance engagements.
2. Identify and explain the assurance practitioner’s responsibilities with respect to other
3. Outline the principles of an agreed-upon procedures engagement.
Introduction
There are many different types of other assurance engagements that a Chartered Accountant
may be asked to undertake. These engagements were briefly outlined in the unit on assurance
purpose and framework. The primary focus of the Audit & Assurance (AAA) module up to
this point has been on the most common engagements – that is, the audit of general purpose
financial statements (GPFS), which are completed under International Standards on Auditing
(ISAs), and review engagements, which were discussed in the previous unit.
In this unit, the scope of engagements is broadened to encompass other types of assurance
engagements that may be performed under ISAs or applicable national Standards, as well as
engagements that do not provide any level of assurance.
This unit addresses:
•• The concept of assurance as it applies to different types of engagements.
•• The process of identifying specific engagements and the Standards that apply to them.
•• An assurance practitioner’s key responsibilities with regard to different engagements.
The discussion will focus broadly on what an assurance practitioner can and cannot do under
the Standards covered in this unit.
aaa11617_csg

CC
Other assurance engagements
Learning outcomes
1. Determine which Standards apply to other assurance engagements.
2. Identify and explain the assurance practitioner’s responsibilities with respect to other
In the unit on assurance purpose and framework, the elements and objectives of an assurance
engagement were introduced. This unit expands on the material covered in earlier units by
specifically identifying the Standards that apply to other assurance engagements and outlining
the assurance practitioner’s responsibilities under each Standard.
Types of assurance engagements

The identification of the type of assurance engagement a client might request and the applicable
guidance is determined by both the level of assurance provided and subject matter of the
engagement.
Levels of assurance
According to the International Framework for Assurance Engagements (International Framework),
and as discussed in previous units, practitioners can provide two levels of assurance. These are:
•• Reasonable assurance.
•• Limited assurance.
The difference between a reasonable assurance engagement and limited assurance engagement
is reflected in the nature of the work that is performed, level of engagement risk, and type of
conclusion each engagement provides. Put simply, limited assurance conveys less confidence
than reasonable assurance. It is not possible for the auditor to provide absolute assurance.
Further, outside of the International Framework, pronouncements issued by the International
Auditing and Assurance Standards Board (IAASB) also include engagements of an audit nature
that do not provide any assurance.
These engagements are referred to as related services. An example of this type of engagement
is an agreed-upon procedures engagement, where an assurance practitioner performs selected
procedures as agreed with the client and then issues a report of factual findings outlining the
results of the work performed. Agreed-upon procedures engagements are discussed in the final
section of this unit.

CC
Determining which Standards to apply to an engagement

To determine which assurance Standards apply to an engagement, an understanding of the key
decision points that can be used for each engagement is required. These decision points are:
1. What level of assurance is being requested?
This depends on whether the engagement is an audit, a review, or one for which no
assurance is required.
2. Is the subject matter of the engagement historical financial information?
Historical financial information is information expressed in financial terms that is derived
primarily from an entity’s accounting system, about economic events occurring in past time
periods, or about economic conditions or circumstances at points in time in the past.
3. What is the specific subject matter of the engagement?
Identify the subject matter of the engagement so that you can refer to any specific Standards
relevant to the particular subject.
4. Am I the auditor of the financial statements of the entity?
An audit of summary financial statements (SFS) may only be performed by the auditor of
the financial statements from which the summary was derived.

CC
In addition to international Standards, the following flow chart includes Australian and New
Zealand Standards that are discussed in this unit:
Determining the relevant Standard
1 This is an agreed-upon procedures (factual

Will the engagement provide findings) engagement to which
a level of assurance? NO
ISRS 4400 applies
(ASRS 4400/APS-1 and APG-1)
YES
2 ISAE 3000** (Revised) applies to 1

Is the subject matter historical Reasonable
NO assurance engagements other assurance
financial information?
than the audit or review of EITHER
YES historical financial information
Limited
(ASAE 3000 (Revised)/ assurance
ISREs apply – 1 ISAE (NZ) 3000 (Revised))
refer to the unit Is the engagement
1
REVIEW an audit or review? Reasonable
on review
engagements
3 ASAE 3100/SAE 3100 assurance
AUDIT applies in Australia/NZ EITHER
to compliance Limited
engagements assurance
ISAs 200–720 apply to audits of a complete

No equivalent ISAE 1
Reasonable
set of financial statements or other historical assurance
financial information as appropriate ASAE 3500 applies in
EITHER
(ASAs 100–720/ISAs (NZ) 200–720) Australia to
performance Limited
assurance
engagements
3 ISA 800 applies to audits of No equivalent Not specified. The
financial statements prepared ISAE/ISAE (NZ) Auditor-General
under a special purpose reports findings,
AG-5 applies to public
framework recommendations and,
sector entities in New
(ASA 800/ISA (NZ) 800) where appropriate,
Zealand
conclusions
ISA 805 applies to audits of single 1
financial statements and specific Moderate assurance
elements, accounts or items of a ISAE 3400* applies to that is based on
financial statement the examination of assumptions
(ASA 805/ISA (NZ) 805) prospective financial
No assurance on the
4 information
achievement of
results
Am I the auditor ISA 810 applies to
ASAE 3150/SAE 3150
of the financial
statements of YES
audits of summary
applies in Australia/NZ 1
financial statements Reasonable
to engagements assurance
the entity? (ASA 810/ISA (NZ) 810)
on controls
EITHER
NO No equivalent ISAE
Limited
assurance
ISAE 3402 applies
Cannot perform
specifically to
an audit of the
assurance reports on
summary
controls at a service
financial
organisation Reasonable
statements assurance
(ASAE 3402/
ISAE (NZ) 3402)
Key ISAE 3420 applies to

1 What level of assurance is being requested? reporting on the Reasonable
compilation of pro assurance
2 Is the subject matter of the engagement
forma financial
historical financial information? information included
3 What is the specific subject matter of the in a prospectus 1
Reasonable
engagement? ISAE (NZ) 3420 assurance
4 Am I the auditor of the financial statements ASAE 3420 EITHER
of the entity? Limited
assurance
* No national equivalent in Australia or New Zealand.
However, Australia has ASAE 3450, which has a much
broader scope than ISAE 3400. Refer ASAE 3450 para. 8
for types of assurance
** Where inconsistencies are identified, the requirements of
ISAE 3000 (Revised) take precedence

CC
Audits of historical financial information not presented in GPFS

Up to this point, the AAA module has covered one broad subject: the audit or review of
historical financial information that is presented in GPFS prepared in accordance with a
financial reporting framework that is designed to meet the common financial information needs
of a wide range of users.
Audits of historical financial information not presented in GPFS are illustrated in the diagram
below:
Audits of historical financial information

not presented in GPFSs (under ISAs or
national equivalents)
Special purpose financial statements
Single financial statements or

components of financial statements
Summary financial statements
Audits of financial statements prepared in accordance with special purpose

frameworks (SPFS)
Special purpose financial statements (SPFS) are similar to GPFS in that they comprise a
complete set of financial statements, including notes. The key difference is that SPFS have been
prepared to meet the needs of a specific group of users. This means that SPFS are prepared in
accordance with reporting frameworks that are designed to meet the needs of their specified
users only (e.g. a financial report prepared on a tax basis for lodgement with the taxation
authority, or a financial report prepared on a cash basis for specific users). Frameworks may
vary between different SPFS.
Providing assurance on SPFS is probably the most common form of assurance engagement
other than the audit of GPFS.
Australia-specific
Example – Special purpose financial statements

This example illustrates the types of subject matter that may be included in SPFS.
XYL Limited (XYL) is a privately held Australian company that has no users of financial
statements who require GPFS. However, due to its size, XYL must lodge financial statements
with the Australian Securities and Investments Commission (ASIC).
XYL chooses to prepare SPFS to lodge with ASIC. The preparation of the SPFS is based on the
measurement and recognition requirements of the Accounting Standards. However, with
regard to disclosures, XYL decides to provide only those that are required by a small number of
Accounting Standards.
XYL’s financial statements therefore provide limited or no information about topics that are
not considered material to users of its financial statements – for example, information on the
company’s inventories, financial instruments, related parties or employee benefits – but still
present the primary financial statements and any notes that are considered to be material.

CC
Example – Special purpose financial statements

This example illustrates the types of subject matter that may be included in SPFS.
XYL Foundation (XYL) is a New Zealand charitable trust founded by a wealthy philanthropist
that provides grant funding to entities that assist the needy. XYL has no users of financial
statements who require GPFS. However, its trustees publish annual results and have the
financial statements audited as part of demonstrating sound governance.
The preparation of the SPFS is generally based on the measurement and recognition
requirements of the Accounting Standards. However, XYL does not consolidate the results of
a subsidiary company as this information is not considered useful to the trustees or any other
parties. It also does not revalue its investment properties.
XYL’s SPFS, therefore, do not comply with generally accepted accounting principles (GAAP).
The trustees consider that this departure from GAAP is appropriate insofar as the required
treatment in respect of the above provides limited or no information that is material to users
of its financial statements. However, the SPFS still present the primary financial statements and
any notes that are considered to be material to the readers.
Relevant assurance Standards

The following Standards apply to audits of special purpose financial statements (SPFS)
engagements:
•• Generally, all ISAs (ISAs 200–720) that are discussed in earlier units of the AAA module, as
SPFS engagements still involve the audit of a complete set of financial statements.
•• Specifically, ISA 800 Special Considerations – Audits of Financial Statements Prepared in
Accordance with Special Purpose Frameworks (ISA 800).
ISA 800 addresses specific additional requirements that the auditor needs to fulfil for audits
of SPFS. However, all of the concepts covered in earlier units, such forming an opinion and
issuing an auditor’s report, also apply to an engagement under ISA 800, even though they were
discussed in the context of GPFS.
Australia-specific
In Australia, compliance with ASA 800 Special Considerations – Audits of Financial Reports
Prepared in Accordance with Special Purpose Frameworks (ASA 800) enables compliance with
ISA 800. However, please note that ASA 800 contains additional requirements that outline the
applicable framework for ‘non-reporting’ entities under the Corporations Act 2001 (Cth).

CC
The audit engagements for GPFS and SPFS are similar in many ways. However, additional
responsibilities apply to auditors performing audits of SPFS engagements, which are outlined in
the table below:
Auditor’s responsibilities – special purpose financial statements
Topic Summary
Level of assurance Reasonable
Engagement Before accepting an engagement under ISA 800, para. 8 of the Standard requires the
acceptance auditor to determine the acceptability of the special purpose framework that has been
considerations applied to the preparation of the SPFS
This includes obtaining an understanding of the:
•• Purpose for which the financial statements have been prepared
•• Intended users and their information needs
•• Steps taken by management to determine that the framework is acceptable
Certain frameworks, such as those established by a regulator, are presumed to be

acceptable, unless there is an indication to the contrary
Special reporting The auditor’s report on the SPFS must always include an Emphasis of Matter (EOM)
considerations paragraph alerting users that the financial statements have been prepared in
accordance with a special purpose framework and that, as a result, the SPFS may not
be suitable for another purpose (ISA 800 para. 14)
Required reading
ISA 800 paras 6–14, A5–A6 and A14 –A15.
Audits of single financial statements or components of financial statements

These engagements relate to the audit of only part of a set of financial statements. A single
financial statement or component (i.e. elements, accounts or items) of financial statements
may be prepared specifically for an engagement, or extracted from a complete set of financial
statements.
An example of a single financial statement is a statement of financial position (or balance sheet)
with notes that are applicable only to that statement, or it may comprise specific elements of
a financial statement – for example, only accounts receivable and payable, inventory or other
account balance(s) – with their related notes.
Example – Component of a financial statement

This example illustrates a component of a financial statement.
XYZ Limited (XYZ) applies for a new bank loan. Before providing the loan, the bank requires XYZ
to provide an audited schedule of its net tangible assets and related notes in order to assess
XYZ’s credit risk.

CC

The following Standards apply to the audits of single financial statements or components of
financial statements:
•• Generally, all ISAs (ISAs 200–720) that are discussed in earlier units of the AAA module,
as such engagements still involve the audit of single financial statements or components of
•• Specifically, ISA 805 Special Considerations – Audits of Single Financial Statements and Specific
Elements, Accounts or Items of a Financial Statement (ISA 805).
For auditors who perform audits of single financial statements or components of financial
statements, the key responsibilities outlined in the table below apply:
Auditor’s responsibilities – single financial statements or components of financial statements
Topic Summary
Engagement Before accepting an engagement under ISA 805, para. 8 of the Standard requires the
acceptance auditor to consider whether the financial reporting framework applied will provide
considerations adequate disclosure to enable the intended users to understand the information
conveyed, and the effect of material transactions and events on that information
In addition, while ISA 805 does not preclude an auditor who did not audit the entity’s
financial statements from conducting the audit of a single financial statement
or component of the financial statements, the auditor must determine whether
conducting the audit in accordance with Auditing Standards is practicable
Special reporting ISA 805 contains specific requirements that relate to the impact on the opinion
considerations for this type of engagement if the auditor’s report on the complete set of financial
statements is modified or the report includes an Emphasis of Matter (EOM) or Other
Matters (OM) paragraph (ISA 805 paras 14–17)
For instance, if an adverse opinion or disclaimer of opinion is formed on the complete
set of financial statements, it is not permitted to express an unmodified opinion on a
single financial statement forming part of those complete financial statements
Required reading
Engagements to report on summary financial statements (SFS)

Summary financial statements (SFS) are those statements derived (i.e. summarised) from
audited financial statements. SFS contain less detail than the financial statements, but still
provide a structured representation that is consistent with the financial statements.
This could mean presenting:
•• the main financial statements without the related notes
•• summarised versions of the main financial statements by combining line items in the
financial statements, or
•• a combination of both.

CC

The following Standards apply to audits of SFS engagements:
•• Generally, all ISAs (ISAs 200–720) that are discussed in earlier units of the AAA module.
•• Specifically, ISA 810 Engagements to Report on Summary Financial Statements (ISA 810).
Because SFS are derived from complete financial statements that have been audited, only the
auditors of those financial statements may undertake this type of engagement (ISA 810 para. 5).
This impacts on the auditor’s responsibilities in undertaking SFS, as outlined in the table below:
Auditor’s responsibilities – summary financial statements
Topic Summary
Engagement acceptance An engagement to audit SFS under ISA 810 may only be accepted where the
considerations auditor is also engaged to perform the audit of the financial statements (in
accordance with ISAs) from which the SFS are derived (ISA 810 para. 5)
In addition, the auditor must:
•• Determine whether the applied criteria are acceptable
•• Obtain management’s agreement that it acknowledges and understands its
responsibilities, and agree on the form of opinion to be expressed
Specific engagement ISA 810 para. 8 outlines a list of procedures that the auditor must perform in
procedures or issues addition to any other procedures they consider necessary (details of which are
outside the scope of this unit)
Special reporting The report on the SFS may be dated later than the report on the audited
considerations financial statements. Where this is the case, the auditor’s report must state that
the SFS (and audited financial statements, if applicable) do not reflect events
subsequent to the date of the audited financial statements
In addition, ISA 810 para. 14(c) also requires that the auditor’s report include an
introductory paragraph disclosing information that is specific to the SFS or the
audit to which they relate
If the SFS are not consistent with, or not a fair summary of, the audited financial
statements, the auditor will express an adverse opinion ( ISA 810 para. 19)
Required reading
ISA 810 paras 4–8, 12–19, A1 and A4–A5.
Assurance engagements other than audits or reviews of historical financial

information
The International Standards on Assurance Engagements (ISAEs) apply to assurance
engagements where the subject matter is not based on historical financial information.
Examples of non-financial information subject to assurance include:
• Non-financial performance or conditions (e.g. environmental performance, corporate social
responsibility reports or key performance indicators (KPIs)).
• Physical characteristics (e.g. the existence of mineral reserves or production capacity).
• Systems and processes (e.g. internal controls or outsourced activities).
• Behaviour (e.g. corporate governance, human resources practices, or compliance with laws
and regulations or labour policies).

CC
Elements of an assurance engagement

An assurance engagement contains five elements, as outlined in the International Framework
para. 26 and discussed in the unit on assurance purpose and framework. These elements are:
•• The three-party relationship involving an assurance practitioner, a responsible party and
intended users.
•• Appropriate underlying subject matter.
•• Suitable criteria.
•• Sufficient appropriate evidence.
•• Written assurance report.
Overarching Standard – ISAE 3000 (Revised)

ISAE 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial
information (ISAE 3000 (Revised)) is the overarching Standard that establishes a framework for,
and is applicable to, assurance engagements other than audits or reviews of historical financial
information, in addition to any specific Standards that apply to certain subject matter.
These engagements may be performed on a wide range of subject matter, some of which may
require specialised knowledge and skills beyond those ordinarily possessed by assurance
practitioners. An appropriate underlying subject matter is identifiable and can be subject to
procedures for gathering sufficient appropriate evidence to support a conclusion.
Criteria are the benchmarks that are used to evaluate or measure the subject matter. The criteria
can be selected in a variety ways. Criteria may be embodied in law or regulation, issued by
external authorised bodies or specifically designed for the purpose of preparing the subject
matter information in the particular circumstances of the engagement. An example of criteria
defined by an external organisation is the COSO Framework for internal controls.
The International Framework para. 44 and ISAE 3000 (Revised) para. A45 note that suitable
criteria for subject matters exhibit the following characteristics:
(a) Relevance: Relevant criteria result in subject matter information that assists decision-making by the
intended users.
(b) Completeness: Criteria are complete when subject matter information prepared in accordance
with them does not omit relevant factors that could reasonably be expected to affect decisions of
the intended users made on the basis of that subject matter information. Complete criteria include,
where relevant, benchmarks for presentation and disclosure.
(c) Reliability: Reliable criteria allow reasonably consistent measurement or evaluation of the
underlying subject matter including, where relevant, presentation and disclosure, when used in
similar circumstances by different practitioners.
(d) Neutrality: Neutral criteria result in subject matter information that is free from bias as appropriate
in the engagement circumstances.
(e) Understandability: Understandable criteria result in subject matter information that can be
understood by the intended users.
ISAE 3000 (Revised) discusses, in general, a number of concepts for an assurance practitioner
to consider or follow when applying specific ISAEs to a given engagement. These concepts
include:
•• Ethical requirements.
•• Engagement acceptance and continuance.
•• Quality control.
•• Application of professional scepticism, professional judgement and assurance skills and
techniques.
•• Planning.
•• Performing the engagement.

CC
•• Forming the assurance conclusion and preparing the assurance report.
•• Documentation.
The most important of these concepts are outlined in the table below:
Practitioner’s responsibilities – assurance engagements other than audits or reviews of historical

financial information
Topic Summary
Level of assurance Reasonable or limited
Engagement ISAE 3000 (Revised) para. 22 details a number of considerations that the practitioner needs
acceptance to consider before accepting an engagement. These include:
considerations
•• Meeting the ethical and independence requirements
•• Being satisfied that the persons performing the engagement collectively have the
appropriate competence and capabilities
•• Having an agreement on the basis on which the engagement is to be performed.
This includes establishing that preconditions for the engagement have been met and
the practitioner and the engaging party have agreed the terms of engagement and
reporting responsibilities. Preconditions for the engagement are listed in ISAE 3000
(Revised) para. 24 .
Planning The practitioner plans an assurance engagement so that it will performed in an effective
considerations manner, including setting the scope, timing and direction of the engagement, and
determining the nature, timing and extent of planned procedures
The practitioner sets materiality for planning and performing the engagement, and
to evaluate whether the subject matter is free from material misstatement (ISAE 3000
para. 44)
Engagement The practitioner obtains an understanding of the subject matter, identifies risks and
performance responds to those risks. The nature of procedures depends on the level of assurance
considerations provided
ISAE 3000 paras 46L–49L provide specific guidance for limited assurance engagements,
whereas paras 46R–48R include guidance for reasonable assurance engagements
Special reporting The output of an assurance engagement is a written report available to third parties
considerations
ISAE 3000 (Revised) para. 69 identifies basic elements to be included in the assurance
report. These include:
•• A title and an addressee
•• Level of assurance provided
•• Identification or description of the subject matter information
•• Identification of the applicable criteria
•• A statement that the engagement was performed under ISAE 3000 or a subject matter-
specific ISAE
•• A statement of compliance with ethical and quality control requirements
•• Summary of work performed
•• The practitioner’s conclusion (the form of which depends on the level of assurance
being provided)
Required reading
ISAE 3000 (Revised) paras 1–6, 12, 14, 20–22, 24, 32–33, 37–51, 64–77, A40 and A45.

CC
Prospective financial information

Prospective financial information differs from historical financial information in that it is not
based on events that have already taken place. While this may seem obvious, the fact that this
information is prepared based on assumptions about the future and possible future actions
means that it is, by nature, highly subjective information. This has implications for the work
that an assurance practitioner can perform on prospective financial information.
Under ISAE 3400 The Examination of Prospective Financial Information (ISAE 3400) para. 3, there
are two types of prospective financial information:
•• A forecast – prospective financial information that is prepared based on assumptions about
future events and actions that are expected, at the date the information is prepared, to take
place (ISAE 3400 para. 4). These assumptions are referred to as ‘best estimate assumptions’
and generally only cover a limited period – for example, 12 months ahead.
•• A projection – prospective information that is prepared on the basis of either hypothetical
assumptions about future events and actions that, at the date the information is prepared,
are not necessarily expected to take place (i.e. a ‘what if’ scenario), or are based on a
mixture of best-estimate and hypothetical assumptions (ISAE 3400 para. 5).
Prospective financial information takes many forms, but is commonly seen in documents such
as prospectuses, cash flow forecasts and information provided to stock exchanges by listed
entities, such as revenue or profit forecasts.
The following example illustrates prospective financial information in the form of a graph,
presenting XYZ Limited (XYZ)’s past and future annual revenue, which might be included in its
prospectus:
Annual
Historical Prospective
revenue
financial information financial information
$’000
Projection of XYZ’s revenue

prepared under a ‘what if’
scenario where XYZ expands its
5,000 operations to another country
Information derived
4,000 from XYZ’s past
economic events
3,000
XYZ’s reasonable estimate of

20X4’s annual revenue based on
current economic conditions
and management plans for the
next 12 months as at the date of
preparation
Forecast Projection
20X0 20X1 20X2 20X3 20X4 20X5 20X6 20X7 20X8 20X9
Year

CC

In some cases, an entity may wish (or be asked) to have assurance provided on prospective
financial information. ISAE 3400 includes the requirements and provides guidance for such
engagements.
As discussed earlier, prospective financial information is based on assumptions about the
future. These assumptions may be highly subjective, and have implications for the assurance
practitioner’s responsibilities and whether the practitioner can provide any level of assurance,
as outlined in the table below:
Practitioner’s responsibilities – prospective financial information
Topic Summary
Level of assurance •• Provides moderate* assurance that the financial information is properly based on
the assumptions and:
– When based on best estimate assumptions, that the assumptions are not
unreasonable
– When based on hypothetical assumptions, that the assumptions are consistent
with the purpose of the information
•• No opinion is expressed on whether the results shown in the prospective financial
information will be achieved
* Moderate assurance as referred to in this Standard has the same meaning as limited assurance in
the Auditing Standards
Engagement While the Standards detail a number of items that the practitioner would consider
acceptance before accepting an engagement, the overriding principle, in both the international
considerations and national Standards, is that an engagement should not be accepted ‘when the
assumptions are clearly unrealistic or the practitioner believes that the prospective
financial information will be inappropriate for its intended use’ (ISAE 3400 para. 11)
Specific engagement At a high level, the type of procedures that would be conducted include:
procedures or issues
•• Obtaining a sufficient level of knowledge of the business to evaluate the
assumptions, including knowledge obtained in any previous engagements
•• Assessing the extent to which reliance on the entity’s historical financial information
is justified
•• Considering the period of time covered by the prospective financial information
•• Assessing management’s competence with regard to the preparation of prospective
financial information, and the extent to which the information is affected by
management’s judgement
•• Considering the adequacy and reliability of the underlying data
Special reporting In an assurance engagement on prospective financial information, the assurance

considerations practitioner is expressing an opinion on whether the prospective financial information
is ‘properly prepared on the basis of the assumptions and is prepared in accordance
with the relevant financial reporting framework’ (ISAE 3400 para. 27(h))
The auditor’s report on an examination of prospective financial information contains
many of the same elements as a normal auditor's report, but includes appropriate
caveats concerning the achievability of results indicated by the prospective information
(ISAE 3400 para. 27)
Required reading
ISAE 3400 paras 1–5, 8–9, 11, 13–17 and 26–29.

CC
Australia-specific
In Australia, ASAE 3450 Assurance Engagements involving Corporate Fundraisings and/or
Prospective Financial Information (ASAE 3450) deals with engagements that involve corporate
fundraisings and/or prospective financial information.
Despite apparent similarities in the topic titles in ASAE 3450 and ISAE 3400, ASAE 3450 is much
broader in scope than ISAE 3400. It also contains mandatory requirements for the assurance
practitioner that ISAE 3400 does not. Accordingly, ASAE 3450 states that there is no equivalent
ISAE issued by the IAASB.
Some of the significant differences between the two Standards are noted below:
•• Scope – ASAE 3450 deals with engagements that involve corporate fundraisings and/or
prospective financial information. ASAE 3450 includes engagements involving historical
financial information, pro forma historical financial information, projection and pro forma
forecast, as well as engagements that involve prospective financial information. ISAE 3400,
however, only deals with engagements involving prospective financial information.
•• Level of assurance – under ASAE 3450 para. 8, an assurance practitioner can provide the
following types of assurance on the different types of financial information:
–– Historical financial information – limited or reasonable assurance.
–– Pro forma historical financial information – limited or reasonable assurance.
–– Prospective financial information assumptions – limited assurance.
–– Prospective financial information basis of preparation – limited or reasonable
assurance.
–– Prospective financial information (overall) – limited assurance.
•• Examples of an assurance practitioner’s report – examples of an assurance practitioner’s
report on an examination of prospective financial information, or extracts of such reports,
can be found in ASAE 3450 Appendix 3.
Required reading
ASAE 3450 paras 1, 3, 5–9, 12–16, 49, 95, 104, 106, 118, 127, 136 and A85.

New Zealand does not have a national equivalent of ISAE 3400.
Assurance engagements on prospective financial information are conducted in accordance
with ISAE (NZ) 3000 (Revised).
Worked example 17.1: Accepting or performing engagements on other financial

information

CC
Compliance engagements
Many entities have obligations to comply with externally or internally imposed requirements
that relate to their operations. A compliance engagement reports on whether an entity has met
those requirements.
These obligations are often regulatory or legal – for example, the obligations of certain entities
under corporations regulations, or charities under fundraising legislation. Alternatively,
compliance engagements may be completed on internally imposed requirements – for example,
when a company board requests an engagement to ascertain whether management has
complied with policies that the board has set, such as a risk management framework.
Therefore, the subject matter of a compliance engagement may be quite broad. The subject
matter must be identifiable and can be subject to procedures for gathering sufficient appropriate
evidence. There is no specific International Standard on Assurance Engagements (ISAE) on
compliance engagements, therefore ISAE 3000 (Revised), if applying international Standards, is
the most appropriate.
Australia and New Zealand-specific

In Australia, compliance engagements are performed under ASAE 3100 Compliance
Engagements. In New Zealand, the equivalent standard is SAE 3100 Compliance Engagements.
In performing a compliance engagement, an assurance practitioner forms a conclusion on
whether the entity has met its specified compliance requirements. The practitioner’s key
responsibilities in a compliance engagement are outlined in the table below:
Practitioner’s responsibilities – compliance engagements
Topic Summary
Specific The relevant Standards provide guidance on what may be appropriate subject
engagement matter and suitable criteria used in a compliance engagement (which include
procedures or internally and externally imposed criteria). Where criteria are prescribed by
issues legislation or regulation, they are deemed suitable if they meet the definition
(including examples) under ASAE 3100 paras 11(m) and 38/SAE 3100 paras A3 and A9
If any compliance breach is identified, the assurance practitioner, under ASAE 3100
paras 49–50/SAE 3100 paras A43–A44, must:
•• Assess whether the breach is material in the context of the criteria used
•• Consider any materiality specified in the terms of engagement
•• Consider relevant legislative, regulatory or other requirements that may apply
•• Consider the interests of intended users
Special reporting ASAE 3100 para. 80/SAE 3100 para. 58 identifies the basic elements of the
considerations compliance report, many of which are consistent with other assurance reports
Key elements that are specific to compliance reports include the:
•• Identification and description of the requirements
•• Identification of the suitable criteria
•• Level of assurance being provided under ASAE 3100
•• Summary of the work performed
•• Assurance practitioner’s conclusion (the form of which depends on the level of
assurance being provided)
In addition to the compliance report, ASAE 3100 para. 68/SAE 3100 para. 48 requires
the assurance practitioner ‘as soon as practicable’ to inform the responsible party of
any ‘material deficiencies and/or compliance breaches’

CC
Australia-specific
Example – Compliance engagement

This example illustrates a compliance engagement in Australia.
Australian-registered superannuation entities must provide certain reports to the relevant
regulator, and have them audited. In addition to forming an opinion on the financial
statements, the auditor must also form an opinion as to whether the entity has complied with
the requirements of particular sections of the Superannuation Industry (Supervision) Act 1993
(Cth). This second opinion is an example of a compliance engagement.
Required reading
ASAE 3100 paras 1–12, 17–19, 33, 36–38, 49–50, 64, 68 and 80.
This example illustrates a compliance engagement in New Zealand.
Example – Compliance engagement

This example illustrates a compliance engagement.
In New Zealand, registered private training establishments must provide the New Zealand
Qualifications Authority (NZQA) with an annual Chartered Accountant’s attestation that
includes a limited or reasonable assurance report on the financial statements, as well as a
separate audit opinion that provides assurance on whether the entity has complied with its
student fee protection requirements.
Alternatively, compliance engagements may be completed on internally imposed requirements
– for example, when a company’s board requests that an engagement be conducted to
determine whether management has complied with policies that the board has set, such as a
risk management framework.
Required reading
SAE 3100 paras 1–14, 17–18, 26–28, 47–49, 58, A7–A9, A43–A44 and A53.
Activity 17.1: Identifying the assurance practitioner's responsibilities in a compliance

engagement

CC
Performance engagements
In a performance engagement, an assurance practitioner reports on or more of the economy,
efficiency and effectiveness of the activities or a particular entity against identifiable criteria.
There is no specific ISAE on compliance engagements, therefore ISAE 3000 (Revised), if
applying international Standards, is the most appropriate.
Examples – performance engagements

These examples illustrate a performance engagement:
•• An assessment of an entity’s inventory purchasing history to determine whether the
quality, quantity and timing of purchases were appropriate and at the lowest cost
(economy).
•• An assessment of the average fixed and variable costs required to deliver a particular
service to customers (efficiency).
•• An assessment of a particular corporate program, such as a customer retention program, to
ascertain whether it has met its objectives (effectiveness).
Performance engagements are common in the public sector and will be discussed in more detail
in the following unit on internal audit and public sector auditing.
Australia-specific
Relevant assurance Standard

In Australia, ASAE 3500 applies to performance engagements.
In general terms, the assurance practitioner’s key responsibilities for performance engagements
are outlined in the table below:
Practitioner’s responsibilities – performance engagements
Topic Summary
Specific engagement The two key requirements for practitioners in a performance engagement are
procedures or issues the:
•• Need for the assurance practitioner to assess the appropriateness of the
activity
•• Suitability of the criteria being used to evaluate or measure the activity
Evaluation of any deficiencies or variations identified may require the exercise
of significant professional judgement
Special reporting ASAE 3500 para. 83 identifies the basic key elements of the assurance report,
considerations many of which are consistent with other assurance reports.
Key elements specific to performance engagements include the:
•• Identification and description of the activity (including whether the
economy, efficiency or effectiveness of the activity is the subject matter of
the engagement)
•• Identification of the suitable criteria
•• Level of assurance being provided under ASAE 3500
•• Summary of the work undertaken
•• Assurance practitioner’s conclusion (the form of which will depend on the
level of assurance being provided)

CC
Required reading
ASAE 3500 paras 1–10, 12, 15, 17–18, 28, 36–37, 40, 44–48 and 83.
There is no international Standard or ISAE (NZ) that relates to performance engagements in
the private sector. The concepts of ISAE (NZ) 3000 would prevail. Performance engagements
performed in the public sector by the Auditor-General are performed under AG-5 Performance
audits, other auditing services and other work carried out by or on behalf of the Auditor-General.
Assurance engagements on controls

The impact of internal controls on the audit of GPFS, where the auditor needs to gain an
understanding of internal controls that are relevant to the audit, was discussed earlier in the
unit on understanding the entity and its environment. However, the auditor does not form or
express an opinion on those internal controls to users of the GPFS.
An assurance practitioner may be engaged to report on internal controls at an entity, and
usually in a separate engagement from the audit of GPFS. In such an engagement, the controls
that will be considered will depend on the particular engagement, and may be broader or
narrower than those that are relevant to an audit of GPFS.
Examples – Reporting on the effectiveness of control procedures

These examples illustrate reporting on the effectiveness of control procedures:
•• Reports on the effectiveness of control procedures at a service organisation
(e.g. outsourced payroll, IT or custodian services) for use by its customers and their auditors.
•• Reports on the effectiveness of internal controls in particular areas of an entity – such as the
controls placed over cash or the authorisation of purchases – which have been requested
by the entity’s board or senior management.

For engagements that involve reporting on controls at organisations other than service
organisations, ISAE 3000 (Revised) is the relevant Standard. The relevant national Standard in
Australia is ASAE 3150 Assurance Engagements on Controls (ASAE 3150). The relevant Standard
in New Zealand is SAE 3150 Assurance Engagements on Controls (SAE 3150).
ISAE 3402 Assurance Reports on Controls at a Service Organization (ISAE 3402) is relevant to
engagements involving reporting on control procedures at a service organisation. Note that
ISAE 3402 is different from ISA 402 Audit Considerations Relating to an Entity Using a Service
Organization (ISA 402), which was discussed in the unit on understanding the entity and its
environment. ISA 402 specifies the audit procedures that an auditor (the user auditor, as
defined in ISAE 3402 para. 9(r )) needs to undertake in an audit of financial statements where
the entity uses a service organisation as part of its business processes. ISAE 3402 is applied
when an assurance practitioner (the service auditor, as defined in ISAE 3402 para. 9(l)) is
engaged by a service organisation to report on its control procedures.

CC
Key responsibilities of the service auditor in an engagement reporting on control procedures at
a service organisation are outlined in the table below:
Practitioner’s responsibilities – ISAE 3405 reporting on effectiveness of control procedures at a service

organisation
Topic Summary
Level of Reasonable
assurance
Specific The engagement may also cover one or both of the following aspects (ISAE 3402 para. 8):
engagement
•• Evaluating whether the service organisation’s description of its system ‘fairly presents the
procedures or
system as designed and implemented throughout the specified period’, and evaluating
issues
the design effectiveness of the control procedures
•• Testing the operating effectiveness of the control procedures
Where the engagement covers operating effectiveness over a period of time, the tests
need to be performed over a period of time that is sufficient to determine whether the
procedures were operating effectively throughout the given period
Special reporting Under ISAE 3402, two types of reports can be issued (ISAE 3402 paras 9(j) and 9(k)):
considerations
•• Type 1 report – a report about whether the service organisation’s description of its
system ‘fairly presents the system as designed and implemented’ at the specified date,
and the suitability of the design at the specified date
•• Type 2 report – a report about whether the service organisation’s description of
its system ‘fairly presents the system as designed and implemented throughout
the specified period’, and the suitability of the design and the system’s operating
effectiveness throughout the specified period
Note that these are the same Type 1 and Type 2 reports referred to in ISA 402, and which
were discussed in the unit on understanding the entity and its environment
ISAE 3402 paras 53–54 outlines the required elements of a report on the effectiveness of
control procedures, which include:
•• Identification of the service organisation’s description of its system and the assertion by
the service organisation regarding its system
•• Identification of those parts of the service organisation’s description of its system, if any,
that are not covered by the practitioner’s opinion
•• Identification of the criteria and the party specifying the control objectives
•• A statement of the limitations of the controls and, in the case of Type 2 reports, of the
risk of projecting into future periods any evaluation of the operating effectiveness of the
controls
Required reading
ISAE 3402 paras 1–5, 8–9, 15, 23–24 and 53–56.
Australia and New Zealand-specific

In Australia, ASAE 3150 Assurance Engagements on Controls applies to assurance engagements
on controls except those to which ASAE 3402 (discussed above) applies. The New Zealand
equivalent to ASAE 3150 is SAE 3150 Assurance Engagements on Controls.

CC
A practitioner’s key responsibilities when reporting on the effectiveness of control procedures

are outlined in the table below:
Assurance practitioner’s responsibilities – ASAE 3150 / SAE 3150 assurance engagements on
controls
Topic Summary
Level of Reasonable or limited

assurance
Specific In performing engagements over entity’s controls, the assurance practitioner first
engagement concludes whether the controls are suitably designed. In order to evaluate the design
procedures or of controls, the control objectives need to be developed or identified. If applicable,
issues the practitioner may report on fair presentation of the description of the system,
implementation of the controls as designed and/or that controls are operating as
designed
Assurance engagements on controls may include, for example:
• Compliance with requirements agreed with customers, for controls to

achieve identified control objectives at an entity; for example, controls
over privacy and security of data
• Compliance with regulatory requirements such as Australian Prudential
Regulation Authority (APRA) reporting requirements, for limited
assurance on controls over compliance, data reliability and other
specified matters
• Voluntary engagements initiated by the entity on its own controls over
services, activities or functions it provides
In performing an assurance engagement on controls, the nature of procedures to
be performed to obtain sufficient appropriate evidence depends on the level of
assurance provided. ASAE 3150/SAE 3150 includes guidance on the procedures
required, at a minimum, in a reasonable and limited assurance engagement.
These procedures are summarised in the table below:
Scope of engagement Limited assurnce Additional procedures

minimum procedures to obtain reasonable
assurance
Design •• Enquiries of •• Understanding of

management and control environment
others •• Consider other
•• Examination of design components of control
specifications and
documentation
Description •• Enquiries •• Inspection of records

and documentation
Implementation •• Enquiries •• Inspection of records

•• Observation and documentation
Operating Effectiveness •• Discussion with entity •• Re-performance or

personnel examination of the
•• Observation of the application of controls
system in operation on a test basis
•• Walk-throughs
OR
•• Examination of the
results of exception
reporting monitoring
or other management
controls
Source: CA ANZ, Perspective series: Controls Assurance clarified

CC
Assurance practitioner’s responsibilities – ASAE 3150 / SAE 3150 assurance engagements on

controls
Topic Summary
Special The assurance practitioner forms a conclusion and prepares the assurance report in
reporting accordance with ASAE 3000. In addition, ASAE 3150 para. 89 includes a number of
considerations elements that must be included in the assurance report
Required reading
ASAE 3150 / SAE 3150 paras 1–9 ,15, 18–25, 37, 39, 45–61, 63, 84, 88–89.
Reporting on the compilation of pro forma financial information included in a

prospectus
An entity seeking to access capital markets commonly includes pro forma financial information
in its prospectus as a key element to enable investors and others to better assess investment
opportunities presented by the entity.
Pro forma financial information included in an entity’s prospectus illustrates the impact of a
significant event or transaction on the entity’s unadjusted financial information, as if the event
had occurred or the transaction had been undertaken at an earlier date selected for purposes of
the illustration. This impact is illustrated by applying pro forma adjustments to the unadjusted
financial information. The resulting pro forma financial information does not, however,
represent the entity’s actual financial position, financial performance, or cash flows.
Relevant assurance Standard

Engagements to provide assurance over the process of compilation of pro forma financial
information included in a prospectus are conducted under ISAE 3420 Assurance Engagements to
Report on the Compilation of Pro Forma Financial Information Included in a Prospectus (ISAE 3420).
ISAE 3420 includes the requirements relative to, and provides comprehensive guidance on, the
nature and extent of a practitioner’s work when they are engaged to report on the process of
compilation of pro forma financial information. Among other things, it establishes minimum
benchmarks for suitable criteria for the compilation of such information. It also covers related
engagement acceptance and reporting considerations.
Australia-specific
In Australia, ASAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma
Historical Financial Information Included in a Prospectus or other Document (ASAE 3420) was
reissued and is operative for reporting periods commencing on or after 1 January 2015.
Early adoption of this Standard is permitted only in conjunction with the early adoption of
ASAE 3000 (Revised).
For a practitioner in Australia conducting such an engagement, ASAE 3420 enables compliance
with ISAE 3420 to the extent that the engagement is conducted as a reasonable assurance
engagement.
It is important to note when ASAE 3420 or ASAE 3450 applies. ASAE 3420 applies when an
assurance practitioner’s sole responsibility is to report on whether the pro forma financial
information has been compiled, ‘in all material respects, by the responsible party on the basis of
the applicable criteria’ (ASAE 3420 para. 2). ASAE 3450, however, deals with the responsibilities
of an assurance practitioner undertaking an engagement to report on the preparation of
financial information related to corporate fundraising, or, in the case of prospective financial
information, prepared for another purpose

CC
A practitioner’s key responsibilities when reporting on the process of compilation of pro forma
financial information included in a prospectus under ISAE 3420 are outlined in the table below:
Practitioner’s responsibilities – reporting on the compilation of pro forma financial information included
in a prospectus
Topic Summary
Engagement acceptance To accept an engagement to report on the compilation of pro forma financial
considerations information that is included in a prospectus, the practitioner, among other
things, must (ISAE 3420 para. 13):
•• Determine that the practitioner has the appropriate capabilities and
competence within the team to perform the engagement
•• Determine the suitability of the applicable criteria being used, and that it is
unlikely that the pro forma financial information will be misleading for its
intended purpose.
•• Consider ‘whether or not the relevant law or regulation permits the use of, or
reference in the practitioner’s report to, the modified audit opinion or review
conclusion, or the report’ that contains the EOM paragraph, with respect to
the source from which the unadjusted financial information is extracted
•• Obtain the agreement of the responsible party that it acknowledges and
understands its responsibility in respect of specified matters (ISAE 3420
para. 13(g))
Specific engagement ISAE 3420 contains a number of specific procedures that must be performed
procedures or issues depending on the scope of the engagement (details of which are outside the
scope of this unit)
Special reporting The assurance report must include, among others, the following main elements:
considerations
•• A title that clearly indicates the report is an independent assurance report
(ISAE 3420 para. 35(a))
•• Introductory paragraphs that identify (ISAE 3420 para. 35(c)):
(i) The pro forma financial information;
(ii) The source from which the unadjusted financial information has
been extracted, and whether or not an audit or review report on
such a source has been published;
(iii) The period covered by, or the date of, the pro forma financial
information; and
(iv) A reference to the applicable criteria on the basis of which the
responsible party has performed the compilation of the pro forma
financial information, and the source of the criteria;
•• An EOM paragraph, if required (ISAE 3420 para. 34)
Required reading
ISAE 3420 paras 1–7, 10–15, 17–22 and 29–35.

CC
Engagements to provide assurance over GHG statements
A greenhouse gas (GHG) statement quantifies an entity’s GHG emissions for a period along
with providing explanatory material. Entities may prepare a GHG statement voluntarily, or,
more often, to comply with a regulatory regime.
Engagements to provide assurance over GHG statements are conducted under ISAE 3410
Assurance Engagements on Greenhouse Gas Statements (ISAE 3410). The equivalent national
Standards are ASAE 3410 in Australia and ISAE (NZ) 3410 in New Zealand. These Standards
are outside the scope of AAA module.
Activity 17.2: Identifying other assurance engagements

Activity 17.3: Accepting other assurance engagements

Activity 17.4: Identifying the most appropriate assurance engagement and performing the
engagement

CC
Agreed-upon procedures engagements
Learning outcome
3. Outline the principles of an agreed-upon procedures engagement.
In some circumstances, an entity may not necessarily require a report that provides assurance
on a given subject matter but still want a third party to carry out certain procedures on the
subject matter. In such a case, the entity can request an agreed-upon procedures engagement.
Level of assurance
In an agreed-upon procedures engagement, an assurance practitioner carries out procedures of
an audit nature as agreed with the engaging party, but does not provide or imply a conclusion
or assurance.
Instead, the practitioner completes only those procedures that are outlined in the engagement
letter, and reports only the factual findings of those procedures. Users of the engagement report
must then assess the procedures and findings for themselves and draw their own conclusions.
Types of agreed-upon procedures engagements

Because the distinguishing feature of an agreed-upon procedures engagement is that no
assurance is provided, the range of possible subject matters is extremely broad, provided that
the procedures involved are of an audit nature. Agreed-upon procedures engagements may
cover many of the subject matters of other assurance engagements discussed earlier in this unit,
provided that no assurance is required (e.g. compliance type engagements where no assurance
is provided). Other common agreed-upon procedures engagements include turnover lease
agreements, leave provisions or loan securitisations.

ISRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial Information
(ISRS 4400) applies only to historical financial information, although it can be used to provide
guidance in relation to other areas.

CC
The practitioner’s responsibilities in an agreed-upon procedures engagement are outlined in the
table below:
Practitioner’s responsibilities – agreed-upon procedures engagements
Topic Summary
Specific engagement In performing the engagement, the practitioner must carry out only those
procedures or issues procedures agreed on, and use the results to provide a report of factual findings
Special reporting The report on the agreed-upon procedures engagement describes both the
considerations purpose and agreed-upon procedures of the engagement ‘in sufficient detail
to enable the user to understand the nature and extent of the work performed’
(ISRS 4400 para. 17)
ISRS 4400 para. 18 outlines the elements that a report should contain to achieve
this. The most significant of these elements are:
•• A statement that the procedures performed were those agreed upon with’
the engaging party
•• Identification of the purpose for which the agreed-upon procedures were
performed’
•• A list ‘of the specific procedures that were performed’
•• A description of the practitioner’s factual findings, including sufficient details
of any errors and exceptions that they found
•• A statement that the procedures performed ‘do not constitute either an audit
or a review, and, as such, no assurance is expressed’
Example of report of factual ISRS 4400 Appendix 2

findings
Required reading
ISRS 4400 paras 2, 4–6 and 15–18.

Australia-specific
In Australia, compliance with ASRS 4400 Agreed-Upon Procedures Engagements to Report Factual
Findings (ASRS 4400) enables compliance with ISRS 4400.
Comparing ISRS 4400 to ASRS 4400

ASRS 4400 differs from ISRS 4400 in that it:
•• Applies also to non-financial information.
•• Outlines detailed engagement acceptance requirements that may prevent acceptance of
engagements that would otherwise be permitted under ISRS 4400.
•• Limits the procedures that may be performed – for example, the assurance practitioner
may not:
–– Extend planning past the procedures agreed on in the terms of the engagement.
–– Perform a risk assessment.
–– Apply materiality to design procedures.
–– Evaluate the findings, or provide a conclusion or opinion.

CC
Engagement acceptance considerations

As noted above, ASRS 4400 includes specific requirements for acceptance of an agreed-upon
procedures engagement. Conditions for non-acceptance under ASRS 4400 include, but are not
limited to:
•• Agreed-upon procedures that are unlikely to meet the needs of intended users, or users are
likely to construe the outcome as providing assurance.
•• Where the circumstances of the engagement indicate that it will be necessary for the
auditor to:
–– Determine the sufficiency of the procedures.
–– Perform a risk assessment.
–– Evaluate the findings.
–– Reach a conclusion or form an opinion.
Required reading
ASRS 4400 paras 4–6, 11, 21, 23, 28–30 and A15.
In New Zealand, the following NZICA statement and guideline apply in relation to agreed-upon
procedures engagements:
•• APS-1 Statement of Agreed-Upon Procedures Engagement Standards (APS-1).
•• APG-1 Guideline on Performance of an Agreed-Upon Procedures Engagement (APG-1).
Comparing APS-1 and APG-1 to ISRS 4400

APS-1 and APG-1 differ from ISRS 4400 in that they:
•• Apply also to non-financial information.
•• Are more general and less prescriptive.
Further, APG-1 is a guideline and, therefore, not enforceable. However, best practice would
require a practitioner to apply the guidance where appropriate.
Required reading
APS-1 paras 4–8 and 8.1–8.3.
APG-1 paras 1–3, 5, 8 and 11.

CC
Difference between agreed-upon procedures engagements and assurance

engagements
ISRS 4400 and New Zealand’s APS-1 and APG-1 do not provide a summary of the key
differences between the two types of engagements.
Australian Standard ASRS 4400 Appendix 1 ‘Differentiating Factors between Agreed-Upon
Procedures Engagements and Assurance Engagements’, which is reproduced in the table below,
provides a summary of the key differences between the two types of engagements:
ASRS 4400 Appendix 1
Differentiating factor Agreed-upon procedures Assurance engagement

engagement
Nature, timing and extent of Engaging party Assurance practitioner

procedures the responsibility of:
Nature, timing and extent of Terms of the engagement Engagement plan

procedures determined in:
Changes to the nature, timing Terms of the engagement Engagement plan

and extent of procedures are
documented in:
Extent of assurance practitioner’s Professional judgement may be Professional judgement exercised

professional judgement exercised exercised in assisting the engaging in selecting procedures
in selecting procedures: party to identify procedures
when agreeing the terms of the
engagement, but only professional
competence is exercised when
conducting the agreed-upon
procedures
Sufficiency and appropriateness of Intended user Assurance practitioner

evidence assessed by:
Form and content of report: Factual findings, no conclusion or Conclusion providing assurance
assurance provided
Reporting of procedures Details of the exact nature, timing Summary of work performed
performed: and extent of all procedures
performed are reported
Reporting of findings: Details of exact findings resulting No detail of findings, unless a

from each procedure performed, modified report is to be issued
including errors and exceptions when the basis for modification
identified, even if rectified is provided or if a management
letter is provided in addition to the
assurance report
Required reading
ASRS 4400 Appendix 1.
Worked example 17.2: Assessing an agreed-upon procedures engagement


CC
Other services
Assurance practitioners can apply assurance skills and techniques to wide range of services.
These can include engagements or services that are not of an audit nature – such as advisory,
accounting or taxation services.
Some of these other services are discussed below.
Due diligence engagements

Due diligence engagements are performed to investigate financial results or operational
activities or an organisation that is, for example, a target for acquisition. In performing a
financial due diligence engagement, the assurance practitioner uses their assurance skills in
reviewing documentation, conducting discussions with senior management and analysing both
historical and forecast financial information.
The scope of work performed is determined by agreement with the practitioner and the client.
The applicable Standard depends on the agreed scope and may include ISRE 2400 Engagements
to Review Historical Financial Statements or ISAE 3000 (Revised). If the scope of the engagement
includes only agreed-upon procedures, the relevant standard is ISRS 4400.
Consulting or advisory engagments

Consulting or advisory engagements typically relate to the design and development of new
methods, approaches and strategies, and may include the implementation of new systems
and processes. Consulting and advisory services do not provide assurance are they are not
not within the scope of the IAASB pronouncements, even when completed by an assurance
practitioner.
In a consulting or advisory engagement, the practitioner applies their professional skills and
knowledge in a consulting process. Consulting engagements involve some combination of
activities related to:
• Setting objectives and defining problems or opportunities.
• Fact-finding, evaluation of alternatives and development of recommendations.
• Communication of results.
• Implementation and follow-up.

17.1: Other assurance engagements and agree-upon procedures engagements
17.2: Other assurance engagements: Audits of historical financial information not presented
in GPFS
17.3: Other assurance engagements – common engagements
17.4: Agreed-upon procedures engagements
Quiz

Readings

Standards.
Required reading
Relevant International Standards on Auditing and assurance pronouncements and national equivalents
and guidance
ISA 800 Special Considerations ASA 800 Special Considerations – ISA (NZ) 800 Special Considerations
– Audits of Financial Statements Audits of Financial Reports Prepared – Audits of Financial Statements
Prepared in Accordance with Special in Accordance with Special Purpose Prepared in Accordance with Special
Purpose Frameworks Frameworks Purpose Frameworks
•• Paragraphs 6–14, A5–A6 and •• Paragraphs 6–14, A5–A6 and •• Paragraphs 6–14, A5–A6 and
A14–A15 A14–A15 A14–A15
ISA 805 Special Considerations – ASA 805 Special Considerations – ISA (NZ) 805 Special
Audits of Single Financial Statements Audits of Single Financial Statements Considerations – Audits of Single
and Specific Elements, Accounts or and Specific Elements, Accounts or Financial Statements and Specific
Items of a Financial Statement Items of a Financial Statement Elements, Accounts or Items of a
Financial Statement
ISA 810 Engagements to Report on ASA 810 Engagements to Report on ISA (NZ) 810 Engagements to Report
Summary Financial Statements Summary Financial Statement on Summary Financial Statements
•• Paragraphs 4–8, 12–19, A1 and •• Paragraphs 4–8, 12–19, A1 and •• Paragraphs 4–8, 12–19, A1 and
A4–A5 A4–A5 A4–A5
ISAE 3000 (Revised) Assurance ASAE 3000 (Revised) Assurance ISAE (NZ) 3000 (Revised) Assurance
Engagements Other than Audits Engagements Other than Audits Engagements Other than Audits
or Reviews of Historical Financial or Reviews of Historical Financial or Reviews of Historical Financial
Information Information Information
•• Paragraphs 1–6,12, 20–22, 24, •• Paragraphs 1–6, 12, 20–22, 24, •• Paragraphs 1–6, 12, 20–22, 24,
32–33, 37–51, 64–77 and A45 32–33, 37–39, 64–77 and A45 32–33, 37–39, 64–77 and A45
N/A - refer to ISAE 3000 (Revised) ASAE 3100 Compliance SAE 3100 Compliance Engagements
Engagements
•• Paragraphs 1–12, 17–19, 33, •• Paragraphs 1–14, 17–18, 26–28,
36–38, 49–50, 64, 68 and 80 47–49, 58, A7–A9, A43–A44
and A53
N/A - refer to ISAE 3000 (Revised) ASAE 3150 Assurance engagements SAE 3150 Assurance engagements
on Controls on Controls
•• Paragraphs 1–9 ,15, 18-25, 37, •• Paragraphs 1–9 ,15, 18-25, 37,
39, 45-61, 63, 84 and 88–89 39, 45-61, 63, 84 and 88–89

Relevant International Standards on Auditing and assurance pronouncements and national equivalents
and guidance
ISAE 3400 The Examination of ASAE 3450 Assurance Engagements N/A
Prospective Financial Information involving Corporate Fundraisings
and/or Prospective Financial
Information
•• Paragraphs 1, 3, 5–9, 12–16,
•• Paragraphs 1–5, 8–9, 11, 13–17
49, 95, 104, 106, 118, 127, 136
and 28–29
and A85
ISAE 3402 Assurance Reports on ASAE 3402 Assurance Reports on ISAE (NZ) 3402 Assurance Reports on
Controls at a Service Organization Controls at a Service Organisation Controls at a Service Organisation
•• Paragraphs 1–5, 8–9, 15, 23–24 •• Paragraphs 1–5, 8–9, 15, 23–24 •• Paragraphs 1–5, 8–9, 15, 23–24
and 53–56 and 53–56 and 53–56
ISAE 3410 Assurance Engagements ASAE 3410 Assurance Engagements ISAE (NZ) 3410 Assurance
on Greenhouse Gas Statements on Greenhouse Gas Statements Engagements on Greenhouse Gas
Statements
•• Paragraphs 1–5, 9, 13, 15–17, •• Paragraphs 1–5, 9, 13, 15–17, •• Paragraphs 1–5, 9, 13, 15–17,
72–77 and A18 72–77 and A18 72–77 and A18
ISAE 3420 Assurance Engagements ASAE 3420 Assurance Engagements ISAE (NZ) 3420 Assurance
to Report on the Compilation of To Report on the Compilation of Engagements to Report on the
Pro Forma Financial Information Pro Forma Historical Financial Compilation of Pro Forma Financial
Included in a Prospectus Information included in a Prospectus Information Included in a Prospectus
or other Document
•• Paragraphs 1–7, 10–15, 17–22 •• Paragraphs 1–7, 10–15, 17–22 •• Paragraphs 1–7, 10–15, 17–22
and 29–35 and 29–35 and 29–35
N/A ASAE 3500 Performance AG-5 Performance audits, other

Engagements auditing services and other work
carried out by or on behalf of the
Auditor-General
•• Paragraphs 1–10, 12, 15, 17–18, •• Paragraphs 1, 4, 7–9, 12–15, 18,
28, 36–37, 40, 44–48 and 83 20–23, 25 and 27
ISRS 4400 Engagements to Perform ASRS 4400 Agreed-Upon Procedures APS-1 Statement of Agreed-Upon
Agreed-Upon Procedures Regarding Engagements to Report Factual Procedures Engagement Standards
Financial Information Findings
•• Paragraphs 2, 4–6 and 15–18 •• Paragraphs 4–6, 11, 21, 23, •• Paragraphs 4–8 and 8.1–8.3
28–30, A15 and Appendix 1
APG-1 Guideline on Performance
of an Agreed-Upon Procedures
Engagement
•• Paragraphs 1–3, 5, 8 and 11

www.oag.govt.nz
Further reading


ACT
Activity 17.1
Identifying the assurance practitioner’s
responsibilities in a compliance engagement
Introduction
Chartered Accountants may be asked to undertake a wide variety of other assurance
engagements. Some of these engagements may involve circumstances that are not permitted
under International Standards on Auditing and Assurance, and it is therefore vital that
Chartered Accountants understand their responsibilities in relation to accepting, performing
and reporting on these engagements.
•• Identify and explain the assurance practitioner’s responsibilities with respect to other
At the end of this activity, you will be able to determine the impact on a compliance
engagement of any exceptions the auditor identifies, in accordance with the following relevant
Standards:

ISAE 3000 (Revised) Assurance ASAE 3100 Compliance SAE 3100 Compliance Engagements
Engagements Other than Audits Engagements
or Reviews of Historical Financial
Information
Scenario
You are a senior accountant at a successful accounting firm, ABC Chartered Accountants (ABC),
which has a wide range of clients.
During the 20X2 year, ABC succeeded in obtaining a new audit client, OnCare Health Group
(OnCare), a listed entity. OnCare wholly owns Cancer Care Limited (Cancer Care), a private
oncology clinic specialising in the treatment of cancer.
In addition to providing treatment, Cancer Care also operates nursing home facilities for
terminally ill cancer patients. On entry to a Cancer Care nursing home, all patients pay a $900
deposit that is used to meet the incidental costs incurred during their stay. Under nursing
homes legislation, Cancer Care must maintain a separate trust account for these monies.
Specifically:
•• All funds received from patients must be banked in a separate bank account that is tied to
the trust account.
•• The balance of the bank account must equal the balance of the trust account at all times.
Each financial year, Cancer Care must provide a statement to the Department of Ageing
confirming that it has adhered to the provisions of the legislation regarding the trust account.
Cancer Care requested ABC to provide reasonable assurance on its statement to the Department
of Ageing. During its compliance testing, ABC’s engagement team identified several exceptions

ACT
to Cancer Care’s adherence to the provisions of the legislation and informed those charged with
governance at Cancer Care of its findings.
One member of the ABC engagement team has suggested that it may be easier if ABC provides
limited assurance instead of reasonable assurance as a way of dealing with the exceptions.
Task
•• Determine any implications for the engagement of the exceptions identified.
Outline any implications of the proposed changes to the level of assurance provided.

ACT
Activity 17.2
Identifying other assurance engagements
Introduction
Appropriate identification of the type and limitations of an engagement that an assurance
practitioner is being asked to undertake is an important step in ensuring compliance with the
relevant International Standards on Auditing (ISAs) and/or local Standards.
•• Determine which Standards apply to other assurance engagements.
At the end of this activity, you will be able to identify the type of engagement and the applicable
Standards, and determine the level of assurance that can be provided.
Scenario
Power Limited (Power) is a large coal-fired electricity generator. You are a manager at
Assurance Advantage (AA), Power’s external auditor.
Power is required to prepare, and have audited, general purpose financial statements (GPFS).
The company is currently in the process of renewing its electricity generation licence with the
energy regulator (the regulator).
Included in the proposed new licence are four conditions relating to information to be provided
to the regulator each year.
The licence conditions are as follows:
Regulator licence conditions
Condition Details
1 Provide a schedule of electricity derivative assets and liabilities as at each reporting date. The
schedule must be certified as correct by Power’s external auditor
2 Provide high level of assurance on a list of the entity’s electricity generation infrastructure assets,
a description of each asset, the replacement value of each asset, and the remaining life of the
asset as at each reporting date
3 Provide a review report on the operating effectiveness of controls in the electricity trading unit
of Power for each financial year
4 Provide audited financial statements prepared in accordance with International Financial

Reporting Standards (IFRS) amended by the regulator’s financial instruments recognition and
measurement policy
Power does not want to agree to the proposed licensing conditions before finding out whether
AA can provide the reports or opinions requested.

ACT
Tasks
For this activity, you are required to treat each licence condition as a separate engagement and:
1. With reference to Auditing and Assurance Standards, identify the appropriate type of
assurance engagement that AA should undertake for each licence condition. Justify your
response with reference to the scenario.
2. Determine the level of assurance that AA will provide for each engagement. Where this
differs from the level of assurance requested by the client (implicitly or explicitly), outline
the course of action that AA should take.

ACT
Activity 17.3
Accepting other assurance engagements
Introduction
Chartered Accountants may be asked to undertake a wide variety of other assurance
engagements. Some of these engagements may involve circumstances that are not permitted
under International Standards on Auditing (ISAs), and it is therefore vital that Chartered
Accountants understand their responsibilities relating to accepting or performing these
engagements.
At the end of this activity, you will be able to determine whether an other assurance
engagement can be accepted or performed based on the assurance practitioner’s responsibilities
in the context of the proposed engagement.
Scenario
This activity is based on the scenario from Activity 17.2 on Power Limited (Power), a large coal-
fired electricity generator.
You are a manager at Assurance Advantage (AA), a mid-tier Chartered Accounting firm and
Power’s external auditor.
Power is required to prepare, and have audited, general purpose financial statements (GPFS).
Power is currently in the process of renewing its electricity generation licence with the energy
regulator (the regulator).
Included in the proposed new licence are four conditions relating to the provision of
information to the regulator each year. Following the feedback you provided to Power,
Condition 1 in the proposed licence has been amended:
Regulator conditions
Licence Details
conditions
1 Provide a schedule of electricity derivative assets and liabilities at each reporting date. The
schedule must be audited by Power’s external auditor
2 Provide assurance on a list of the entity’s electricity generation infrastructure assets; a

description of each asset; the replacement value of each asset; and the remaining life of the asset
at each reporting date. The list must be audited by the entity’s external auditor, and include an
opinion regarding whether the list is, in all material respects, true and fair
3 Provide a review report on the operational effectiveness of controls in the electricity trading unit
of Power for each financial year
4 Provide audited financial statements prepared in accordance with International Accounting

Standards, and amended by the regulator’s financial instruments recognition and measurement
policy

ACT
Power does not want to agree to the proposed licensing conditions before finding out whether
AA can provide the reports or opinions requested.
Power’s chief financial officer (CFO) suggests that because AA looks at the electricity trading
unit’s controls as part of its audit of the GPFS, it will not need to perform any further
procedures in order to issue its review report on the operating effectiveness of internal controls.
A junior auditor, Ben, has prepared an engagement letter, which includes a draft of the
auditor’s report to be issued on the financial statements prepared for condition 4 of the licence
requirements. The example auditor’s report assumes that there were no material misstatements
identified during the audit. Ben has therefore included AA’s standard auditor’s report, based
on ISA 700 Forming an Opinion and Reporting on Financial Statements (ISA 700) in the engagement
letter; however, he is not sure he has drafted the report correctly.
Tasks
For this activity, for each engagement associated with a licence condition, you are required to:
• Identify whether AA can undertake the engagement under the current circumstances, and
justify your answer.
• Where AA cannot undertake the engagement, determine what actions would enable AA to
undertake the engagement.
With regard to licence condition 4, describe any issues that may arise with Ben’s draft report.

ACT
Activity 17.4
Identifying the most appropriate assurance
engagement and performing the
engagement
Introduction
As a Chartered Accountant, it is important to be able to identify the most appropriate
engagement and the relevant Standard under which the engagement should be performed, and
to be able to explain the practitioner’s responsibilities in respect to performing the engagement.
•• Determine which Standards apply to other assurance engagements.
At the end of this activity, you will be able to identify the most appropriate assurance
engagement to be performed, the Standard that applies to a particular engagement, and explain
the assurance practitioner’s responsibilities in respect to performing the engagement.
Scenario
AltiAir Limited (AltiAir) is a large, unlisted public company operating a trans-Tasman airline
based in Sydney, Australia. Its licence to operate as an airline was issued by the Civil Aviation
Safety Authority (CASA). Baritone Chartered Accountants (Baritone) is AltiAir’s auditor for its
general purpose financial statements (GPFS).
Increased competition in the airline industry, together with increasing operating costs, has put
considerable pressure on AltiAir’s financial viability. The company generated total revenue of
$460 million in the year end 30 June 20X3, but made a loss of $20 million.
Consider the two situations below:
Situation 1
AltiAir’s licence requires it to submit to CASA a summarised list of in-flight incidents each
quarter (every three months). CASA defines an in-flight incident as ‘anything that did, or could
have if the incident was not prevented, caused injury or death to a passenger or crew member
during an aircraft’s flight’.
The list must include the following details of each incident: date, time, flight number, category
of incident, number of passengers involved and number of crew members involved. The
summarised list must be certified by an independent assurance practitioner to ensure it is
accurate and complete. The licence specifically states the assurance engagement must be
performed in accordance with Auditing and Assurance Standards.
AltiAir has requested Baritone perform these engagements, and the company is preparing for
the assurance engagement for the quarter ending 30 September 20X4.

ACT
Situation 2
AltiAir’s loan agreement with its bank requires it to submit the following abbreviated financial
information to the bank one month after the general purpose financial report has been audited:
1. Abbreviated statement of profit or loss and other comprehensive income.
2. Abbreviated statement of financial position.
3. Abbreviated statement of cash flows.
4. Summary of significant accounting policies.
The bank requires assurance that the abbreviated financial information is consistent with
AltiAir’s GPFS.
Following the audit of AltiAir’s 30 June 20X4 GPFS, Baritone issued an unmodified auditor’s
report.
Two weeks after Baritone issued its auditor’s report on AltiAir’s 30 June 20X4 GPFS, two of
AltiAir’s aircraft crashed near Brisbane Airport. AltiAir’s management confirms that the two
aircraft have to be written off, which will significantly impact on the company’s ability to
generate revenue.
Baritone concluded that AltiAir’s abbreviated financial information was materially consistent
with its general purpose financial statements.
Task
For this activity, for each of the two situations, you are required to:
1. With reference to Auditing and Assurance Standards, identify the type of assurance
engagement and the level of assurance provided. Justify your answer.
2. With regard to Situation 1 only:
•• Design one relevant and practical control that AltiAir should have implemented to
ensure all in-flight incidents were reported and included in the list submitted to CASA.
•• Design one (1) relevant and practical substantive test that Baritone could perform to test
that the list submitted to CASA was accurate and complete.
3. With regard to Situation 2 only:
•• Explain Baritone’s obligations to consider the events following the aircraft crash when
undertaking the engagement. Justify your response.
•• Identify the appropriate opinion Baritone should express.

CC
Core content
Unit 18: Internal audit and public sector
auditing
Learning outcomes
1. Compare and contrast the role of internal audit and external audit.
2. Explain the features of the public sector accountability environment and how it differs from
the private sector.
3. Discuss the role and the importance of non-financial reporting in the public sector.
4. Apply the appropriate assurance process to public sector engagements.
Introduction
During the course of their career, a Chartered Accountant may choose to work in an internal
audit role or on a public sector audit engagement, either directly for an Auditor-General or
through an outsourced public sector engagement.
This unit will:
•• Explore the role of internal audit in organisations.
•• Examine the ways in which the internal audit function can contribute to good corporate
governance.
•• Compare internal audit’s role to that of external audit.
This unit also considers the public sector accountability environment, and the key differences
between the public and private sectors. Concepts that have been covered in the earlier units of
Audit & Assurance (AAA) module are explored in the context of applying the assurance process
to public sector engagements.
aaa11618_csg

CC
Role of internal audit
Learning outcome
1. Compare and contrast the role of internal audit and external audit.
Internal audit plays a crucial role in many organisations. The Institute of Internal Auditors (IIA)
defines the internal audit activity (or function) as:
…[An] independent, objective assurance and consulting activity designed to add value and improve
an organization’s operations. The internal audit activity helps an organization accomplish its objectives
by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk
management, control, and governance processes.
The objective of the internal audit function is to provide assurance to those charged with
governance that the following processes are operating effectively and as intended:
•• Corporate governance process.
•• Risk management process.
•• Internal controls.
Ethical considerations
While the IESBA Code applies to external auditors, the IIA’s Code of Ethics (IIA Code) is
specifically designed to promote an ethical culture in the profession of internal auditing.
Both the IESBA Code and IIA Code share common fundamental principles such as integrity,
objectivity, confidentiality, professional competence and due care. The key distinction between
them is that the IESBA Code extensively explores the concept of independence for assurance
engagements.
The concept of independence for internal auditors is different from that for external auditors,
as internal auditors are usually employed directly by the organisation. Many of the safeguards
and specific independence requirements explored in the unit on pre-engagement activities are
not logical when applied to the internal audit function. While the IIA Code is not mandatory
for internal auditors who are not members of the IIA, those who are members of Chartered
Accountants Australia and New Zealand are required to comply with the relevant ethical
Standards.
The IIA’s International Standards for the Professional Practice of Internal Auditing (IIA Standards)
provide guidance to internal auditors on maintaining their independence. A key element of
independence for internal auditors is an appropriate reporting line. The IIA Standards (s. 1100)
state:
… To achieve the degree of independence necessary to effectively carry out the responsibilities of the
internal audit activity, the chief audit executive has direct and unrestricted access to senior management
and the board. This can be achieved through a dual-reporting relationship …
This dual reporting line usually takes the form of a:

•• reporting line to the board (functional reporting line), often through a subcommittee (i.e. the
chair of the audit and risk committee), and
•• reporting line to a member of senior management (i.e. the chief executive officer (CEO))
(administrative reporting line).
The functional reporting line to the board is the ultimate source of independence and authority,
while the administrative reporting line to management helps internal audit’s day-to-day
operations. Regardless of the reporting lines, the internal auditors are accountable to the board
of directors.

CC
Having an appropriate functional reporting line to the board enhances the independence of the
internal audit function and should be ingrained in the organisation’s internal audit charter.
Required reading
IESBA Code paras 300.1–300.15.

Internal audit charter

The internal audit charter (the charter) is a board-approved document that defines the internal
audit team’s purpose, authority and responsibilities. The charter is a requirement of internal
audits under s. 1000 of the IIA Standards.

Relationship between corporate governance and internal audit

Good corporate governance requires boards to ensure that an effective system of controls exists
across an organisation and that senior management governs and manages the organisation
properly.
There is growing pressure on the boards of organisations to improve corporate governance.
This has had a considerable effect on the role and expectations of internal audit. Boards are
increasingly forced to rely on their subcommittees (particularly the audit and risk committee),
which, in turn, rely heavily on internal audit. Hence, such subcommittees often have an
important relationship with the internal audit function in an organisation.
Australia-specific
The Australian Securities Exchange (ASX)’s Corporate Governance Principles and
Recommendations (ASX principles) defines corporate governance as ‘the framework of rules,
relationships, systems and processes within and by which authority is exercised and controlled
in corporations’ (3rd edn, p. 3).
Corporate governance influences how a company sets and achieves its goals, monitors and
assesses risk and optimises performance. Good governance encourages companies to create
value, provide accountability and provide control systems that are appropriate for the level of
risk involved.
While the ASX principles directly apply to listed corporations, they are widely seen as best
practice for all entities.


CC
The Financial Markets Authority (FMA)’s Corporate Governance in New Zealand – Principles and
Guidelines (the Principles) (revised and published in December 2014) sets out nine principles for
establishing and maintaining high standards of corporate governance.
Corporate governance influences how a company sets and achieves goals, monitors and
assesses risk, and optimises performance. Good governance encourages companies to create
value, provide accountability, and establish control systems that are appropriate for the level of
risk involved.
The Principles apply most directly to FMA-reporting entities. However, they are written in a
way that allows them to be applied across a range of organisations, and the FMA encourages
all entities to look at reporting in accordance with the Principles. Listed entities are required,
pursuant to the New Zealand Exchange (NZX)’s NZAX Listing Rules (Listing Rules) s. 10.5.5(i),
to state how their corporate governance processes differ materially from the NZX’s Corporate
Governance Best Practice Code.

The IIA Standards s. 2110 states that an organisation’s internal audit function ‘must assess and
make appropriate recommendations for improving the governance process’ by achieving the
following objectives:
• Promoting appropriate ethics and values within the organization;
• Promoting effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of and communicating information among the board, external and
internal auditors, and management.
Regardless of its precise roles and objectives, internal audit plays an important role in the
corporate governance framework of an entity.

Risk management in relation to internal audit

The risk assessment process differs between internal audit and external audit.
In the external audit process, the external auditor examines what risk assessment processes are
already in place. ISA 315 (Revised) Identifying and Assessing the Risks of Material Misstatement
through Understanding the Entity and Its Environment (ISA 315) states that the external auditor
only needs to understand the risk assessment process to the extent that it is relevant to financial
reporting objectives. External audit examines risks by performing risk assessment procedures
to provide a basis for the identification and assessment of risks of material misstatement at the
financial statement and assertion levels.
The focus of internal audit is on how risk impacts the organisation’s ability to achieve its
objectives. It is part of internal audit’s role to assess whether the risk assessment process is
sufficiently robust and up to date to deal with the circumstances currently facing the entity, and
to recommend improvements where necessary.

CC
The IIA Standards s. 2120 states that the internal audit function must evaluate the effectiveness
of risk management processes and contribute to their improvement. In doing so, the function
must examine whether:
• Organizational objectives support and align with the organization’s mission;
• Significant risks are identified and assessed;
• Appropriate risk responses are selected that align risks with the organization’s risk appetite; and
• Relevant risk information is … communicated … across the organization …

Internal controls
As discussed in earlier units, ISA 315 para. 4(c) defines internal control as:
… the process designed, implemented and maintained by those charged with governance, management
and other personnel to provide reasonable assurance about the achievement of an entity’s objectives
with regard to reliability of financial reporting, effectiveness and efficiency of operations, and
compliance with applicable laws and regulations.
The process of establishing internal controls starts with those charged with governance and
typically follows the sequence outlined below:
1. Those charged with governance (generally the board of directors) establish the criteria
for the design of the internal controls that they consider appropriate both to manage the
risks facing the organisation and to ensure compliance with regulatory and legislative
requirements.
2. Those charged with governance employ a senior management team to run the organisation
and establish internal control systems. Senior management does not directly manage the
internal controls, but rather oversees them.
3. Operational management runs the organisation. Operational management:
•• Undertakes day-to-day supervision of the risk control framework
•• Monitor operations, including the results of key performance indicators (KPIs).
•• Ensure adherence to policies about structure, segregation of duties, and roles.
•• Utilise specialised resources in relation to the risk management framework
(e.g. compliance, tax and HR training).
4. Those charged with governance establish the internal audit function by developing
an internal audit charter that formally establishes the position of internal audit in the
organisation’s governance framework. The charter outlines internal audit’s role,
responsibilities, authority, the standards it must adhere to, and to whom it is accountable.
5. The internal audit function performs audit procedures that assess the design and
effectiveness of the organisation’s internal controls, and provides assurance to the board of
directors that the entity is complying with established internal controls.
External audit plays a somewhat limited role in auditing the design, implementation and
maintenance of internal controls. ISA 315 para. 12 states that the external auditor only needs
to understand the internal controls that are relevant to the audit, since the focus of external
audit is on how internal controls affect the reliability of financial reporting. The other aspects
of an organisation that are affected by internal controls (i.e. the effectiveness and efficiency
of operations, and compliance with applicable laws and regulation) are examined only in the
context of how these aspects impact on the reliability of financial reporting.

CC
Internal audit’s focus is much broader than external audit. IIA Standards para. 2120.A1 states
that the internal audit function:
… must evaluate risk exposures relating to the organization’s governance, operations, and information
systems regarding the:
• Achievement of the organization’s strategic objectives;
• Reliability and integrity of financial and operational information;
• Effectiveness and efficiency of operations and programs;
• Safeguarding of assets; and
• Compliance with laws, regulations, policies, procedures, and contracts.

Annual internal audit plan

Like many other business units in an organisation, the internal audit function develops a plan
of work for its operations. This internal audit plan may be annual or cyclical depending on the
methodology employed; however, annual plans are the most common. An annual plan sets
out a strategy for the forthcoming year for the internal audit function to meet its obligations,
and translates the outcomes of the risk assessment process into a program of audit and other
assurance activities (e.g. workshops and investigations). This program focuses on areas and
issues that include:
•• Areas identified as high-risk.
•• Areas that management has requested internal audit to review.
•• Issues identified in previous work programs which require follow-up or further
examination.

CC
External audit versus internal audit

The table below provides a comparison between the key aspects of external audit and internal
audit:
External audit versus internal audit – comparison of key aspects
Key aspect External audit Internal audit
Primary objective The purpose of external audit is According to the definition of ‘internal audit
to enhance the degree of confidence activity’ provided by the Glossary in the IIA
in the financial statements. This is Standards, the objective of the internal audit
achieved by the expression of an function is to provide:
opinion by the auditor on whether
… independent,objective assurance and
the financial statements have been
consulting services designed to add value
prepared, in all material respects,
and improve an organization’s operations.
in accordance with the applicable
The internal audit activity helps an
financial reporting framework.
organization accomplish its objectives
In the case of most general purpose
by bringing a systematic, disciplined
reporting frameworks, that opinion
approach to evaluate and improve
is on whether the financial statements
the effectiveness of governance, risk
are presented fairly, in all material
management and control processes
respects, or give a true and fair view in
accordance with the framework
Applicable International Auditing and Assurance IIA Standards

professional Standards Standards Board (IAASB) Standards,
including International Standards
on Auditing (ISAs)
Reporting line Independent auditor’s report to the Audit reports, including conclusions, findings
organisation’s members/owners and recommendations, are issued to those
charged with governance (chair of the board,
Reporting of other matters (not
or chair of the audit and risk committee)
leading to a modification to the
independent auditor’s report) directly
to those charged with governance
Australia: Breaches of the
(Corporations Act) reported to the
Australian Securities and Investments
Commission (ASIC)
Reporting format Independent auditor’s report is issued Reports vary in format and content
in the form of a written report which depending on the nature of the engagement
contains elements specified in ISA 700 and the needs of the business (see IIA
Forming an Opinion and Reporting on Standards para. 2410.C1)
Financial Statements or uses a layout
Reports are tabled at board meetings, or at
and wording required by law or
audit and risk committee meetings
regulations of a specific jurisdiction
Reports are communicated to senior
management for information, and to allow
the implementation of agreed actions
Skills and Appropriate competence in the Knowledge of business processes, comprising

competencies of application of financial reporting and both:
auditor Auditing Standards
•• financial, IT and operational, and
•• risk management processes

CC
External audit versus internal audit – comparison of key aspects
Key aspect External audit Internal audit
Terms of audit Agreed upfront with management or Contained in the internal audit charter and in
engagement those charged with governance and the annual audit plan, which is determined by
recorded in an engagement letter the board of directors
or other suitable form of written
agreement, in accordance with
ISA 210 Agreeing the Terms of Audit
Engagements (ISA 210)
Scope of audit Agreed on by the external auditor and The scope of an internal audit engagement
engagement those charged with governance can cover both financial and operational
areas
Normally limited to performing
procedures to obtain audit evidence The head of internal audit determines the
on the amounts and disclosures in the scope of individual audits, ensuring these are
financial statements consistent with the board-approved internal
audit plan and internal audit charter
Australia: The minimum scope of an
external audit is set out in Australian
Auditing Standards and, where
applicable, the requirements of the
Corporations Act
New Zealand: The minimum scope
of an external audit is set out in New
Zealand Auditing Standards and as
required by the Financial Markets
Conduct Act 2013 (s. 461F) or Financial
Reporting Act 1993 (FRA93)
Audit evidence and According to: According to IIA Standards, which require
documentation work papers documenting relevant
•• ISA 230 Audit Documentation
information to support the engagement’s
•• ISA 500 Audit Evidence conclusions and results
Employment and The organisation engages and Internal audit staffing depends on which
remuneration of remunerates an external audit firm, resource model the entity uses:
auditor which employs the members of the
•• In-house – internal audit staff is employed
audit team
and remunerated by the organisation
Members of the external audit team •• Outsourced staff of a professional services
are not employees of the organisation firm – professional services fees are paid to
an external firm, which then remunerates
the internal audit staff
•• Combination of in-house/outsourced
internal audit staff and staff of a
professional services firm – all in-house
internal audit staff is employed and
remunerated by the organisation, while
outsourced staff is remunerated by
the external professional services firm.
The organisation pays the external
professional services firm
Worked example 18.1: Internal audit planning considerations

[Available online at myLearning]

CC
Public sector accountability environment
Learning outcome
2. Explain the features of the public sector accountability environment and how it differs from
the private sector.
There are many differences between auditing in the private sector and auditing in the public
sector. One factor that differentiates planning, performing and reporting on audits in the
public sector is that Auditors-General act as a constitutional safeguard by giving assurance to
parliament and taxpayers that public sector resources are being appropriately managed and
accounted for in accordance with applicable laws. The breadth and scope of the public sector
audit can be wider relative to a private sector audit.
The size and complexity of the government sector means that the application of certain standard
audit procedures needs to be reviewed when planning an audit or assurance engagement. Take,
for example, the consideration of an appropriate materiality level for an audit engagement.
Applying the concept of materiality to the audit of some government entities might suggest
that misstatements of less than several billion dollars would be considered immaterial. Clearly,
such a misstatement would be regarded as material to the general public. Qualitative factors,
including the public’s interest in the figures, would influence the auditor’s determination of
materiality for the audit of the whole of the government.
To obtain more information about the government finances in Australia and New Zealand,
navigate to www.budget.com.au (Australia) and www.treasury.govt.nz (New Zealand).
Accountability environment
Parliament and the executive government:
•• provide authority for the acquisition and use of public financial resources
•• set the overall policy direction, and
•• are responsible for overseeing management’s administration of those resources.
There is a greater separation of owners and managers in the public sector than in the
private sector. The ‘owners’ are the taxpayers or people in the government’s jurisdiction, as
represented by parliament, and the ‘managers’ are the ministers and public servants. To oversee
accountability in the administration of resources, most parliaments have established standing
committees to monitor what are referred to as the ‘public accounts’.
Government functions are administered through various entities. These include government
departments, government businesses and public trading enterprises, statutory bodies and
companies. In addition, some public bodies established by parliament operate independently
and are not subject to close ministerial control. These bodies may include educational
institutions (e.g. universities), public bodies that manage financial resources of the public
(e.g. government insurance offices), and bodies that operate as agents (e.g. tourism marketing
board). In the absence of an explicit provision to the contrary, such bodies are still considered to
be accountable to the relevant parliament.
Role of Auditors-General
In the public sector, Auditors-General undertake the audit activity. Under the Westminster
system of government, the parliament appoints Auditors-General to monitor the accountability
of their respective government. The role of Auditors-General is vitally important, as they are in
a position to question how the government administers public finances.

CC
Auditors-General cannot generally question the merits of government policy, which is regarded
as the collective will of the people. Enacting government policy is the province of government.
An Auditor-General questioning government policy would be equivalent to a private sector
auditor questioning a company’s business strategies or whether it is appropriate for a business
to have a goal of making a profit.
Auditors-General can, however, conduct audits to identify inefficiency, waste, ineffectiveness, lack
of financial prudence or non-compliance with policies and directives in public sector agencies.
The reports of Auditors-General are tabled in parliament. Once tabled, these reports are public
documents and may be subject to parliamentary or media scrutiny.
Auditors-General are supported by audit offices in carrying out audit engagements and
fulfilling their reporting obligations to parliament. These audit offices employ professional staff
that includes Chartered Accountants.
A public sector audit office is very similar to a private sector accounting practice except that it
does not have a profit motive. Its operations are often like those of the assurance division of a
large accounting firm.
Auditors-General are able to contract private sector auditors to perform some of the
audit‑related services on public sector audit engagements that Auditors-General are required
to provide. In such cases, the responsibility to form an opinion and report on the results of the
audit usually still rests with the Auditor‑General.
An Auditor-General’s mandate is determined by the enabling legislation under which they
operate. The following table lists the relevant legislation by jurisdiction:
Legislation determining the powers of the Auditors-General (Australia and NZ)
Jurisdiction Legislation
New Zealand Public Audit Act 2001
Australia
Federal Auditor-General Act 1997
Tasmania Audit Act 2008
Queensland Auditor-General Act 2009
South Australia Public Finance and Audit Act 1987
Western Australia Auditor General Act 2006
Victoria Constitution Act 1975

Audit Act 1994
New South Wales Public Finance and Audit Act 1983
Northern Territory Audit Act 1901
Australian Capital Territory Auditor-General Act 1996

CC
Australia-specific
Government entities exist for a different purpose, and each of the different types of entities may
have a slightly different governance structure. However, under the government’s accounting
policies and governance rules, the management of each entity is required to report under the
applicable Australian Accounting Standards.
Local government reporting and audit requirements vary across Australia pursuant to the
different legislation in each jurisdiction. In some jurisdictions, local government is audited
by the state or territory Auditor-General. In others, the Auditor-General has no role in
local government audits. In others still, private sector auditors conduct the audits of local
government entities while the Auditor-General has an oversight role.
In a number of Australian jurisdictions, the Auditor-General can be requested by various
parties – such as the Legislative Assembly, the Treasurer or another minister – to conduct audits
on specific topics or to undertake audit-related activities. The nature of these audits or activities
will vary according to the request and the legislation operating in that jurisdiction.
In addition, Auditors-General often have the authority to provide other audit services
to government agencies; for example, providing auditor’s reports for the dispersal of
Commonwealth Government grants (for state or territory agencies), or oversight of lottery draws.
The Auditor-General audits all public sector entities (termed ‘public entities’) in New Zealand,
which total approximately 4,000. This includes state-owned enterprises (SOEs), government
ministries and departments, hospitals and schools.
Each of these public entities exists for a different purpose and each of the different types
of government entities has a slightly different governance structure. However, under the
government’s accounting policies and governance rules, the governing body of each entity
is required to report under the applicable New Zealand Financial Reporting Standards.
In New Zealand, in addition to auditing the financial statements and other information that
public entities require to be audited, the Auditor-General has further extensive powers. These
powers include the Auditor-General’s prerogative to examine:
• The efficiency and effectiveness of a public entity’s activities.
• Whether a public entity is complying with its statutory obligations.
• That waste is not occurring as a consequence of an action or inaction by a public entity.
• Whether a public entity has exercised appropriate probity and financial prudence.
‘Probity’ is defined in the NZ Auditor-General’s Auditing Standards ‘Glossary of terms’ and which
means:
... Parliament’s and the public’s expectations of an appropriate standard of behaviour.
The Auditor-General also has the authority to conduct enquiries on any matter concerning
a public entity’s use of its resources. The Auditor-General can, with the agreement of a public
entity, also carry out any other work that is reasonable for an auditor to perform.
Overseeing the Local Authorities (Members’ Interests) Act 1968 also falls to the Auditor‑General.
This requires the Auditor-General to oversee local government members to ensure their
judgement is not influenced by their own personal, financial or beneficial interests when
making decisions.

CC
Ethical considerations – independence of the Auditor-General
Australia-specific
Auditors-General must adhere to the professional requirements regarding independence
and, as such, in Australia they are bound by APES 110. However, APES 110 provides that in the
event of a conflict between APES 110 and Auditor-General legislation, the legislation takes
precedence. In addition, some public sector audit engagements are performed under the
Corporations Act. Therefore, for Auditors-General, these engagements must adhere to the
independence requirements of that Act.
As it is for auditors in the private sector, Auditors-General can be subject to the threats
to independence outlined in APES 110. The independence of Auditors-General is often
strengthened by legislation.
The independence of Auditors-General can be protected in the following ways:
•• The Auditor-General may be appointed for a fixed term, which enables them to report
adverse findings without fear of having their position terminated.
•• The Auditor-General may be prohibited from working in the public service of their
jurisdiction after the expiry of their fixed-term appointment. This eliminates any perception
of their being ‘looked after’ (i.e. being offered a favourable appointment by the government
after serving their term as Auditor-General).
•• The Auditor-General may only be removed by a resolution of Parliament, and not just
by the executive government (i.e. both the government and the opposition must agree
to remove the Auditor-General). If the Auditor-General could be removed solely by the
government of the day, this would make it difficult for the Audit-General to report without
fear or favour.
•• Legislation may be enacted that provides that the Auditor-General is the auditor of public
sector agencies and that limits the provision of non-audit services. This ensures that the
Auditor-General and their offices are not compromised in their role by the possibility
of losing clients or income. By narrowly defining the functions of the Auditor-General,
the legislation will help to restrict conflicts of interest that may arise from the provision
of non‑audit services.
•• A parliamentary committee, rather than the executive government, may appoint the
Auditor-General. This reduces the potential for conflicts of interest by ensuring that the
Auditor-General is not selected on party-political grounds.
•• The Auditor-General’s independence may be set out in legislation. Defining the
independence of the Auditor-General will create clear barriers to them performing actions
that may compromise their independence.
•• Subject to any particular requirements of their legislation, Auditors-General have complete
discretion in the performance or exercise of their functions or powers (for example, see s. 8
Auditor-General Act 1997 (Cth)).
•• The Auditor-General may be nominated an ‘Officer of the Parliament’, a title that denotes
that the Auditor-General’s role is to serve Parliament rather than the government of the day
(i.e. broadly, to serve the people).
•• Funding for the Auditor-General and their audit office may be automatically appropriated.
By having an automatic and guaranteed source of funding for the Auditor-General’s
activities, there is no incentive for the Auditor-General or their office to shape their findings
in certain ways in order to receive funding.
In the private sector, when threats to an auditor’s independence are so great that no safeguard
could reduce them to an acceptable level, the auditor must decline the audit engagement.
In contrast, an Auditor-General’s independence and the requirement to audit government
entities is established and protected by legislation.

CC
The Auditor-General has elected to adhere to the professional requirements on independence.
As such, they are bound by PES 1 Code of Ethics for Assurance Practitioners (Revised), and by the
Auditor-General’s own AG PES 1 (Revised) Code of Ethics for Assurance Practitioners.
As in the private sector, the Auditor-General can be subject to threats to independence.
The independence of the office is protected in the following ways:
•• The Auditor-General is appointed for a fixed term, which enables them to report adverse
findings without fear of having their position terminated.
•• The Auditor-General reports directly to the House of Representatives (and has the power
to report to anyone else). The power to report directly and to anyone strengthens the
Auditor‑General’s independence.
•• The Auditor-General is not entitled to be a Member of Parliament or a member of a local
authority. In addition, they must not take up any other government office unless the
Speaker of the New Zealand Parliament authorises the appointment in writing. This
mitigates the risk that the Auditor-General is subject to conflicts of interest.
•• The Auditor-General is prohibited from working in the public service after the expiry of
their fixed-term appointment. This eliminates any perception of their being ‘looked after’
(i.e. being offered a favourable appointment by the government after serving their term
as Auditor‑General).

CC
Government reporting
Learning outcome
3. Discuss the role and the importance of non-financial reporting in the public sector.
The aim of government as a whole is not to make a profit, even though it can control profit-
making entities. Its aim is broader and less clearly defined. Nonetheless, the government raises
revenue through taxes which it uses to provide services for the good of the community, such as
health, education, roads and other infrastructure.
Government reporting often supplements traditional financial statements with other
information, such as key performance indicators (KPIs) and service performance
outcomes. For example, when a government department is given $800 million to provide
financial assistance to local government councils in areas affected by a natural disaster, the
public is more concerned that all eligible local government councils received financial assistance
– not whether the entire $800 million was spent.
Due to the public sector accountability environment, governments often report, and auditors
are often required to provide assurance, on a broad range of matters in addition to the general
purpose financial statements (GPFS), such as KPIs. In addition, an Auditor‑General can carry
out discretionary work on:
•• Compliance with legislation, regulations, policies or contracts.
•• Internal controls.
•• Budgets and appropriations.
•• Reporting on the efficiency and effectiveness of a government agency’s performance
(by conducting performance audits).
The types of engagements listed above are generally performed as assurance engagements
separate to the audit of agencies’ financial statements. The nature and extent of these additional
engagements will depend on the Auditor-General’s specific legislative mandate. These
additional engagements are often not performed by the Auditor-General, but instead by private
audit firms engaged by the agencies.
The nature and extent of the additional information required in a public sector entity’s GPFS
depends on the jurisdiction and, often, on the type of public sector entity it is.

CC
Public sector assurance engagements
Learning outcome
4. Apply the appropriate assurance process to public sector engagements.
As for assurance engagements that are conducted in the private sector, the fundamental
processes for public sector assurance engagements are:
•• Agree on the terms of the engagement.
•• Plan the engagement.
•• Conduct planned engagement procedures.
•• Based on evidence obtained from the engagement procedures, reassess the planning
assumptions, and, if necessary, perform additional procedures.
•• Communicate with those charged with governance.
•• Form a conclusion or opinion.
•• Prepare a report.
These processes have been discussed in detail in previous units in the AAA module. However,
there are additional considerations that apply to an Auditor-General in executing these
processes, which are discussed in this section.
Note: In most jurisdictions, the Auditor-General is permitted by legislation to outsource
some of their engagements to private sector assurance providers. Nonetheless, when this
occurs, the Auditor-General usually retains the responsibility for issuing the auditor’s report.
Therefore, in this section, the auditor of a public sector entity (or agency) is referred to as the
Auditor‑General.
Agree on the terms of the engagement
Australia-specific
Each Auditor-General in Australia operates under different jurisdictional legislation, which
outlines their powers and responsibilities, and the scope of their audit engagements.
For example, the Commonwealth Auditor‑General’s functions and powers are largely set out
in Part 4 Auditor-General Act 1997 (Cth).
In New Zealand, the Auditor-General’s powers and responsibilities are mandated by the Public
Audit Act 2001 (PAA). Section 14 PAA states that the Auditor-General is the ‘auditor of every
public entity’ in New Zealand.
The PAA grants wide powers to the Auditor-General to conduct audits other than those
of financial statements, and other information that public entities require to be audited.
For example, the Auditor-General is empowered to conduct performance audits (s.16 PAA),
auditing work that is appropriate and reasonable for an auditor to perform, as well as enquiries,
either at the request of a public entity or on the Auditor-General’s own initiative, into any
matter involving the use of a public entity’s resources (ss 17 and 18 PAA).
Auditor-General’s Auditing Standard 5 Performance Audits, Other Auditing Services and Other
Work Carried Out by or on behalf of the Auditor-General (AG-5), Auditor-General’s Auditing
Standard 6 Inquiries Carried Out by or on behalf of the Auditor-General (AG-6) and other relevant
assurance engagement Standards apply to all engagements (other than annual audit of
financial statements) for the terms of the engagement. The Auditor-General must also ensure
that engagement terms are within the mandate of the relevant legislation.

CC

Planning a public sector engagement

The planning of a public sector financial statements audit engagement must take into account
the planning principles covered in earlier units. The Auditor-General must always consider the
scope of the engagement and obtain an understanding of the entity’s environment, just as an
auditor would in a private sector audit.
However, planning and obtaining an understanding of the public sector entity’s environment
must also take into account many additional considerations by comparison to the private sector.
For example, a private sector auditor conducting an audit on behalf of the Auditor-General
will need to be aware of the relevant legislative provisions in respect of the Auditor-General’s
responsibilities that are specific to the particular engagement. They must also be aware of
specific legislation pertaining to the entity that is subject to the audit. For example, legislation
may restrict an entity’s ability to sell its land holdings, restrict the types of investments it can
hold, or restrict the level of borrowings it can take on. Specific legislation may also detail the
delegated authority that entities can exercise without the need for ministerial approval.
Public sector engagements are concerned with the appropriate use of public resources.
For example, misuse of public resources is a special consideration when auditing public
entities. This requires auditors to understand the expectations and standards required for the
use of public resources and the additional processes/mechanisms put in place to address this
risk. For example, the audit team should consider requirements for tendering of major
contracts, approval and review of entertainment and travel expenses, use of corporate credit
cards, recruitment and selection of employees and the rules around the disposal of assets.
Where significant risks are identified, the auditor should perform additional procedures to
address these risks.
Performing a public sector engagement

The performance of a public sector audit is also similar to that of a private sector audit.
The Auditor-General’s objective is still to obtain reasonable assurance as to whether the
financial statements are free from material misstatement. Accordingly, Auditors-General obtain
sufficient appropriate audit evidence using tests of controls and substantive procedures, which
were discussed in earlier units.
Auditors-General prepare an independent auditor’s report and a management letter (which
may be referred to by different names depending on the jurisdiction). A management
letter will generally report significant findings from the audit, including difficulties
encountered during the audit, weaknesses identified in internal control, and opportunities
for business improvements. Auditors-General also communicate with those charged with
governance of the entity (e.g. secretary of the department, the board, the director-general or
chief executive officer, or the shareholding minister).
In addition to the independent auditor’s report and management letter, Auditors-General may
prepare:
• A statutory report, which is a report to the relevant treasurer, minister and those charged
with governance on major findings arising from the audit.
• A report to parliament that summarises the results of the financial audits performed
during the year. The report generally sets out the significant findings of the audits and any
other matters that, in their opinion, should be brought to the attention of parliament. The
content of the report varies greatly between jurisdictions due to differences in the enabling
legislation for each Auditor-General.

CC
Public sector audit reports – special consideration

It is common for legislation to contain specific reporting and assurance requirements for
public sector engagements. These legislative provisions often prescribe the form and content of
assurance reports. For example, as part of the audit of an entity’s annual financial statements,
the legislation may require the auditor to certify that an agency’s controls were operating
effectively throughout the entire period.
The use of the term ‘certify’ within legislation creates a conflict for some Auditors-General
between their obligations under the legislation and their ability to comply with Assurance
Standards. Providing certification may be misunderstood by the users of Auditor-Generals’
reports, in that certification can be likened to absolute assurance in the eyes of some
users. However, an auditor cannot provide absolute assurance under the Assurance Standards.
In circumstances where legislation prescribes wording that is significantly different from the
wording (or terminology) required by the Auditing Standards, ISA 210 para. 21 requires the
auditor to evaluate:
(a) whether users might misunderstand the assurance obtained ... and, if so,
(b) whether additional explanation in the auditor’s report can mitigate possible misunderstanding.
If the auditor concludes that additional explanation in the auditor’s report cannot prevent
possible misunderstanding, the auditor shall not accept the audit engagement unless required
by law or regulation to do so. However, the option to decline an audit engagement is generally
not available to Auditors-General.
An option to resolve the conflict between legislative requirements and the abilities of the
Auditor-General under Assurance Standards may be for the Auditor-General to discuss
alternative reporting (which complies with the IAASB’s International Framework for
Assurance Engagements) with the administrator of the legislation. The administrator may
have the legislative power to alter the form and content of the reporting and assurance
requirements. Should this not be an option, the Auditor-General will then be unable to include
any reference within the assurance report to the engagement having been conducted in
accordance with ISAs.
Required reading
ISA 210 para. 21.
Worked example 18.2: Planning public sector engagements


CC
Additional audit or assurance requirements for public sector entities

It is common for public sector entities to have to satisfy additional audit or assurance
requirements beyond that of the audit of their financial statements. These obligations are
generally prescribed in legislation.
Additional audit or assurance Reason Relevant Auditing or Assurance

requirement Standard(s)
Note: Refer to note below for the full

titles of these Standards
Report on the appropriateness Public sector entities often measure International

of the entity’s KPIs, and its actual (and publicise) their success ISAE 3000 (Revised)
results against these KPIs through the use of KPIs. A report
Australia
that specifically reviews these
ASAE 3500
KPIs provides stakeholders with
assurance that the KPIs are New Zealand
appropriate for the entity, and that AG-4 (Revised)
the results reported against the AG-5
KPIs are accurate
Report on the design, As is common in the private International

implementation, and operating sector, a strong internal control ISAE 3000 (Revised)
effectiveness of the entity’s internal system underpins effective
Australia
controls financial management. A report
ASAE 3150
that specifically reviews internal
controls provides stakeholders with New Zealand
assurance that goes far beyond SAE 3150
the traditional audit report on the
Report on the reasonableness The budget underpins responsible International

of the entity’s budget, and the fiscal management. Public sector ISAE 3400
assumptions underpinning the entities need to ensure that
Australia
budget they have sufficient funds to
ASAE 3450
cover their expenditure. A report
that specifically reviews the New Zealand
robustness of the budget provides ISAE (NZ) 3000 (Revised)
stakeholders with assurance that AG-5
the entity has conducted effective
planning and management of its
finances
Report on the acquittal of Public sector entities often receive International

government funding provided for a government funding (from the Depending on the form and
specific purpose state or federal governments) for a content of the acquittal:
specific purpose. The government ISA 800
needs to satisfy itself that the ISA 805
funding has been appropriately ISA 810
spent and only for the specified ISRE 2400, or
purpose. A report on the acquittal ISRS 4400
of government funding provides
Australia
stakeholders with assurance
ASA 800
that the public sector entity has
ASA 805
appropriately spent the funding
ASA 810
ASRE 2400
ASRE 2405, or
ASRS 4400
New Zealand
AG-2
AG-4 (Revised)

CC


Report on compliance with key Public sector entities face a large International
legislation/central government number of requirements that ISAE 3000 (Revised)
pronouncements direct the way they undertake their
Australia
activities. These can be financial
ASAE 3100
and non-financial in nature.
For example, entities may only be New Zealand
permitted to borrow funds from SAE 3100
a certain financing corporation. AG-5
A report on whether an entity AG ISA (250)
has complied with particular key
legislation or central government
pronouncements provides
stakeholders with assurance that
government-wide requirements are
being met
Report on the summary of major Public sector entities are International

contracts responsible for delivering ISAE 3000 (Revised)
significant infrastructure and
Australia
services to the public, and
ASAE 3000 (Revised)
sometimes engage the private
sector to help achieve them. New Zealand
Underpinning these arrangements ISAE (NZ) 3000 (Revised)
are complex contracts that are AG-5
generally not available for public
scrutiny due to their commercially
sensitive content that would be
prejudicial to the private sector
partners should the details
be released. Reports summarising
the main elements of these
contracts provide stakeholders with
sufficient information to scrutinise
public sector arrangements
Report on the economy, efficiency Public sector entities are International

or effectiveness of an entity, or of responsible for the delivery of ISAE 3000 (Revised)
an activity within an entity goods and services. A report on the
Australia
performance of an entity, or on an
ASAE 3500
activity within an entity, provides
stakeholders with assurance New Zealand
that the entity is undertaking its AG-5
activities economically, efficiently
and effectively

CC


Additional information in the Some public sector entities are Australia

public sector entity’s GPFSs: required to include additional No specific Auditing or Assurance
information in their GPFSs. This Standard. Additional information
•• Appropriations
additional information may be a: audited within the context of the
•• Administered items normal audit of GPFSs
•• legislative requirement
•• Variations between budget and
•• requirement mandated by a New Zealand
actual financial information
central agency (e.g. Treasury), or AG-2
•• Program/service group AG-4 (Revised)
statements/statements •• requirement contained within
of service performance a specific Accounting Standard
(e.g. in Australia, AASB 1052; in
New Zealand, PBE IPSAS 22)
This additional information
provides stakeholders with
assurance over particular additional
information they would not
normally receive through the
application of non-public sector
specific Accounting Standards
Note: The abbreviated Standards referred to in the table above that have not been previously mentioned in this unit’s
core content are listed below:
International
•• ISA 800 Special Considerations – Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks
(ISA 800).
•• ISA 805 Special Considerations – Audits of Single Financial Statements and Specific Elements, Accounts or Items of a
Financial Statement (ISA 805).
•• ISA 810 Engagements to Report on Summary Financial Statements (ISA 810).
•• ISRE 2400 Engagements to Review Historical Financial Statements (ISRE 2400).
•• ISAE 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ISAE 3000
(Revised)).
•• ISAE 3420 Assurance Engagements to Report on the Compilation of Pro Forma Financial Information Included
in a Prospectus (ISAE 3420).
•• ISRS 4400 Engagements to Perform Agreed-Upon Procedures Regarding Financial Information (ISRS 4400).
Australia
•• ASA 800 Special Considerations – Audits of Financial Reports Prepared in Accordance with Special Purpose Frameworks
(ASA 800).
•• ASA 805 Special Considerations – Audits of Single Financial Statements and Specific Elements, Accounts or Items of a
Financial Statement (ASA 805).
•• ASA 810 Engagements to Report on Summary Financial Statements (ASA 810).
•• ASAE 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial Information
(ASAE 3000).
•• ASAE 3100 Compliance Engagements (ASAE 3100).
•• ASAE 3150 Assurance Engagements on Controls (ASAE 3150).
•• ASAE 3450 Assurance Engagements involving Corporate Fundraisings and/or Prospective Financial Information
(ASAE 3450).
•• ASAE 3500 Performance Engagements (ASAE 3500).
•• ASRS 4400 Agreed-Upon Procedures Engagements to Report Factual Findings (ASRS 4400).
•• ASRE 2400 Review of a Financial Report Performed by an Assurance Practitioner Who is Not the Auditor of the Entity
(ASRE 2400).
•• ASRE 2405 Review of Historical Financial Information Other than a Financial Report (ASRE 2405).

CC
New Zealand
•• AG-2 The Appropriation Audit and the Controller Function (AG-2).
•• AG-4 (Revised) The Audit of Service Performance Reports.
•• AG ISA (NZ) 250 The Auditor-General’s Statement on Consideration of Laws and Regulations (AG ISA (NZ) 250).
•• ISAE (NZ) 3000 (Revised) Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ISAE (NZ)
3000).
•• SAE 3100 Compliance Engagements (SAE 3100).
•• SAE 3150 Assurance Engagements on Controls (SAE 3150)
While some of the Standards identified in the right-hand column above have been introduced
in the unit on other assurance engagements and agreed-upon procedures, the discussion that
follows examines the application of these Standards in the context of public sector engagements.
ISAE 3000 (Revised) Assurance Engagements other than Audits or Reviews of

As discussed in the unit on other assurance engagements and agreed-upon procedures
engagements, ISAE 3000 (Revised) is the overarching International Standard on Assurance
Engagements (ISAE) that applies to assurance engagements where the focus of the subject
matter is other than audits or reviews of historical financial information.
ISAE 3000 provides guidance on the key stages of an assurance engagement, including:
•• ethical requirements and quality control
•• engagement acceptance
•• planning
•• using the work of an expert
•• obtaining evidence
•• documentation, and
•• preparing the assurance report.
While these stages are still relevant to public sector engagements, how each step is performed is
likely to vary.
ISAE 3000 (Revised) also addresses the requirements of an assurance engagement to assess the:
• Appropriateness of the subject matter.
• Suitability of the criteria to evaluate or measure the subject matter.
Required reading
ISAE 3000 paras 1–4.
Compliance engagements in the public sector

In contrast to considering relevant laws and regulations for the purposes of conducting an
audit of financial statements, the Auditors-General may also be required to report on an entity’s
compliance with specified laws, regulations or other requirements. Compliance engagements
are frequently performed in the public sector. Auditors-General may conduct compliance
engagements as an additional component of their financial statements audit or as a separate
engagement.
The objective of a compliance engagement is to enable the assurance practitioner to express
a conclusion on whether an entity has complied, in all material respects, with certain
requirements. The assurance practitioner assesses aspects of the entity (i.e. the subject matter of

CC
the engagement) against suitable criteria. The subject matter of a compliance engagement must
be identifiable, and can be subject to procedures for gathering sufficient appropriate evidence.
The purpose of ASAE 3100 Compliance Engagements (ASAE 3100) in Australia, and SAE 3100
Compliance Engagements (ASAE 3100) in New Zealand is to establish mandatory requirements
and provide explanatory guidance for performing and reporting on compliance engagements
other than audits or reviews of historical financial information. There is no corresponding ISAE.
In the public sector, compliance engagements involve commonly assessing subject matter for
compliance with:
•• Procurement guidelines mandated by a central agency.
•• Recruitment guidelines mandated by a central agency.
•• Asset management planning guidelines mandated by a central agency.
Determining whether an entity has complied, in all material respects, with certain requirements
is a matter of professional judgement. Determining whether instances of non-compliance are
material requires considering qualitative factors (i.e. the nature of non-compliance) and, to a
lesser extent, quantitative factors. ASAE 3100 para. 50/SAE 3100 para. A43 suggests this would
include considering:
(a) the size, complexity and nature of the entity’s activities;
(b) the nature of the breach – one off or systemic;
(c) evidence of a robust compliance system and related controls to detect, rectify and report
compliance breaches;
(d) commonly accepted practice within the relevant industry;
(e) regulatory, legislative or contractual requirements;
(f) the impact on the decisions of the intended users and stakeholders of the entity; and
(g) the specific terms of the compliance engagement.
Australia-specific
As noted above, the applicable Standard in Australia is ASAE 3100.
Required reading
ASAE 3100 paras 1–4, 19, 28, 31, 33–34, 36–38, 40–42, 49–60, 64–80 and 85.
As noted above, the applicable Standard in New Zealand is SAE 3100.
In determining whether an entity has complied, in all material respects, with certain
requirements, the Auditor-General may also apply their own Standards to add to the scope
of a compliance audit. For example, where a party is the subject of proposed criticism in the
compliance engagement report, under AG-5 paras 22–23, the Auditor-General will provide that
party with the opportunity to review the material and provide comment to ensure the report is
accurate and balanced.
Required reading
SAE 3100 paras 1–3, 14–20, 23–24, 29–31, 37, 45, 47–57, 61, A4–A9, A30–A35, A40–A41 and
A43–A53.
AG-5 paras 22–23.

CC
Worked example 18.3: Compliance engagement procedures

Activity 18.1: Assessing results of compliance engagements

Performance engagements in the public sector

Performance engagements are a crucial accountability mechanism in the public sector because
of the important role that service delivery plays. An audit of a public sector entity’s financial
statements will provide information on what the entity has spent its funds on, but it does
not provide information on how effectively the agency has used those funds to achieve its
objectives. Performance engagements help provide this additional assurance, which is not
provided through traditional financial statement audits.
Performance engagements in the public sector cover a diverse range of topics. However, a
common theme is the examination of how well (in terms of efficiency and effectiveness) public
sector entities manage their responsibilities and deliver goods and services to the public.
Performance engagements generally assess an entity’s performance against the following
performance-based assertions:
• Economy – minimising cost.
• Efficiency – maximising the ratio of outputs to inputs.
• Effectiveness – the extent to which intended outcomes were achieved.
In Australia, performance engagements are performed under ASAE 3500 Performance
Engagements (ASAE 3500). In New Zealand, performance audits performed by the Auditor-
General are performed under AG-5. There is no corresponding ISAE.
Australia-specific
In Australia, performance engagements are performed under ASAE 3500, with reference (and
as an adjunct Standard) to the overarching Standard, ASAE 3000, discussed above. The purpose
of ASAE 3500 is to establish mandatory requirements and provide explanatory guidance for
undertaking and reporting on performance engagements.
Under ASAE 3500 para. 17(h), performance audits (or reviews) involve assessing the ‘economy,
efficiency or effectiveness’ of ‘all or part of the activities of an entity or entities’. According to
ASAE 3500 para. 17(h), performance (audit or review) engagements are directed to assess:
(i) the adequacy of an internal control structure or specific internal controls, in particular those intended to
safeguard assets and to ensure due regard for economy, efficiency or effectiveness;
(ii) the extent to which resources have been managed economically or efficiently; and
(iii) the extent to which activities have been effective.
Performance engagements usually address a range of activities, which include (ASAE 3500

para. 15):
• Systems for planning, budgeting, authorisation, control and evaluation of resource allocation.
• Systems established and maintained to ensure compliance with an entity’s mandate as expressed in
policies or legislation.
• Appropriateness of resource management.

CC
• Measures aimed at deriving economies of scale, such as centralised resource acquisition, sharing
common resources across a number of business units.
• Measures aimed at improving economy, efficiency or effectiveness.
• Appropriateness of the assignment of responsibilities, and accountability.
• Measures to monitor outcomes against predetermined objectives and performance benchmarks.
Assertions and performance engagements

ASAE 3500 paras 12 and 18 identify and define the relevant performance-based assertions
as follows:
•• Economy – ‘the acquisition of the appropriate quality and quantity of resources at the
appropriate times and at the lowest cost’.
•• Efficiency – ‘the use of resources such that output is optimised for any given set
of resource inputs, or input is minimised for any given quantity and quality of output’.
•• Effectiveness – ‘the achievement of the objectives or other intended effects of activities
at a program or entity level’.
These assertions are considered separately during a performance audit, in accordance with
ASAE 3500. Auditors-General may consider these assertions in a separate performance
engagement or in the context of their audit of the financial report.
Subject matter of performance engagements
In order to undertake a performance engagement, the auditor is required to assess the
appropriateness of the subject matter, as well as the suitability of the criteria to evaluate
or measure the subject matter. In effect, the auditor is establishing an appropriate benchmark
against which to assess the entity’s performance.
According to ASAE 3500, an appropriate subject matter demonstrates the following
characteristics (ASAE 3500 para. 40):
(a) being identifiable, and its performance capable of consistent assessment against identified criteria; and
(b) ensuring the information about it is capable of being subjected to procedures for gathering sufficient
appropriate evidence to support a reasonable assurance or limited assurance conclusion, as appropriate.
Suitable criteria
According to ASAE 3500 para. 17(d), suitable criteria in relation to a performance engagement
demonstrate the following characteristics:
(i) relevance: relevant criteria contribute to conclusions that assist decision-making by the intended users.
(ii) completeness: criteria are sufficiently complete when relevant factors that could affect the conclusions in
the context of the performance engagement circumstances are not omitted.
(iii) reliability: reliable criteria allow reasonably consistent evaluation or measurement of the activity.
(iv) neutrality: neutral criteria contribute to conclusions that are free from bias.
(v) understandability: understandable criteria contribute to conclusions that are clear, comprehensive, and
not subject to significantly different interpretations.
Depending on the subject matter, the criteria will range from the general to the very
specific. General criteria are broad statements of acceptable and reasonable performance.
Specific criteria are derived from general criteria and are more closely related to an entity’s
enabling legislation or mandate, objectives, programs, systems and controls.
Examples of general criteria could include the following:
•• Has the agency introduced practical programs that are effective in contributing to the
government’s environment protection policy?
•• Has the agency introduced policies that are effective in contributing to the government’s
carbon footprint reduction plan?

CC
Examples of specific criteria could include the following:

•• Was the agency’s road safety advertising campaign effective in reducing the number of
deaths from motor vehicle accidents?
•• Is the agency’s vulnerable persons program efficiently and effectively reducing the number
of people on the public housing waiting list?
•• Is the agency’s procurement software economical in managing prescription drug inventory
within the public hospital network?
Suitable criteria for evaluating performance can be derived from the following sources:
•• Regulatory bodies, legislation or policy statements.
•• Standards of good practice developed by professions, associations or other recognised
authorities.
•• Statistics or practices that have been developed within the entity, or among similar entities.
•• Criteria that have been identified in similar circumstances.
There are certain circumstances in which criteria will need to be specifically developed by the
auditor. In developing these criteria, the auditor needs to:
•• Consider whether specifically developed criteria may result in an assurance report that
would be misleading to the intended users of that report.
•• Attempt to have the intended users of the report or the engaging party (e.g. the Premier’s
Department) acknowledge that specifically developed criteria are suitable for the intended
users’ purposes.
•• Consider how the absence of such an acknowledgement may affect how the suitability
of the identified criteria is assessed as well as the information that is provided about the
criteria in the assurance report.
Specific performance audits
As identified earlier, performance engagements focus on three assertions: efficiency, economy,
and effectiveness. ASAE 3500 acknowledges the possibility for broader application of the
assertions in the public sector, and therefore the Standard should not be seen as limiting an
agency’s existing legislative arrangements or customs. For example, Auditors‑General may
consider more specific aspects of these three assertions, such as:
•• Waste (i.e. the misuse of resources).
•• Financial prudence (i.e. being careful with money).
•• Probity (i.e. the high standard of ethical behaviour that is expected of the staff,
management and governing bodies of public sector entities).
•• Propriety (e.g. the appropriateness of granting a contract to a particular non-government
entity).

CC
The following table lists examples of subject matter that are assessed by Auditors-General
through performance engagements:
Examples of subject matter assessed by Auditors-General through performance engagements

Subject matter Performance assessed
Transport of dangerous goods How well agencies undertake their licensing and
regulatory functions to ensure the safe transport
of dangerous goods
Improving road safety among young The effectiveness of the agency’s driver licence testing
drivers and regulation (i.e. licensing practices) in ensuring young
people drive safely
Managing IT services contracts Whether agencies effectively manage IT services contracts
after they have been awarded
Administration of the National The effectiveness of the agency’s implementation and
Greenhouse and Energy Reporting administration of NGERS
Scheme (NGERS)
Administration of grant reporting Agencies’ implementation of the enhanced grants
obligations administration (reporting) requirements, and their
effectiveness
Services provided by visiting medical That the services provided by visiting medical officers
officers and staff specialists and staff specialists in the public health system are well
managed and deliver the agreed services
Managing contaminated sites How well contaminated and potentially contaminated
sites are managed, particularly where a sensitive use of the
land is involved
Management of road bridges Whether agencies effectively manage road bridges to
deliver an accessible, efficient and safe road network
Tourism Tasmania: Is it effective? The effectiveness of the organisation with respect
to promotions and advertisements, website and
implementation of planned strategies and initiatives
designed to drive benefits for Tasmania from domestic and
international tourism
Children in out-of-home care Assessed the effectiveness and efficiency of out‑of‑home
care as an element of child protection
Required reading
ASAE 3500 paras 1–10, 12, 15–19, 23, 27–28, 32, 36–38, 40–48, 53–54, 61–63, 66–71, 74–76,
79–83 and 89–91.

CC
While the Auditor-General will be mindful of Auditing Standards that are applicable to other
audit practitioners, it is important to remember that such Standards – for example, those issued
by the External Reporting Board (XRB) – do not always take full account of the requirements of
public entity audits. These requirements will often be established by legislation, and frequently
relate to the performance of a public entity in carrying out its statutory function.
Performance audit engagements performed by the Auditor-General are performed under
AG-5. Performance audit engagements (whether audits or reviews) may involve assessing the
efficiency or effectiveness of all or a part of the activities of an entity or entities (AG-5 para. 6).
The Auditor-General’s power to undertake performance audits is derived from the PAA (s. 16 –
see the definition of ‘performance audit’ in the Auditor-General’s Auditing Standards ‘Glossary
of terms’ p. 3-103 and the scope of AG-5 para. 1). In conducting a performance audit or other
engagement pursuant to AG-5, the Auditor-General may have regard to the ‘effectiveness and
efficiency’ (AG-5 para. 6) of the entity that is the subject of the engagement.
‘Effectiveness’ and ‘efficiency’ are defined in the Auditor-General’s Auditing Standards ‘Glossary
of terms’ p. 3-102:
Effectiveness ‘means the extent to which objectives are achieved, and relates to the actual
effect of an activity against the intended effect’.
Efficiency ‘means that minimum resources are used to achieve a given quantity and quality
of output, or a maximum output is gained with a given quantity and quality of resources
and relates to resources being used to produce outputs or objectives’.
It is important to note that effectiveness and efficiency in the context of a public sector
performance audit are not audit assertions as commonly used in financial audits, but reflect
the Auditor-General’s audit mandates, on which the Auditor-General will measure the
performance of an activity or entity.
The Auditor-General may also undertake performance audits regarding compliance with:
•• Statutory obligations.
•• Use of public resources.
•• Probity (i.e. the high standard of ethical behaviour that is expected of staff, management
and governing bodies of public sector entities).
•• Financial prudence (i.e. being careful with money).
The Auditor-General may consider the effectiveness and efficiency audit mandates in a separate
performance audit engagement, or in the context of their audit of the relevant public entity’s
financial report.
The Office of the Auditor-General, like all organisations, does not have unlimited resources.
Accordingly, the Auditor-General is required to determine which activities or entities will be
subject to performance audits. AG-5 para. 12 sets out these criteria. The decision on which
performance audits will be carried out is made through the process for developing the Auditor-
General’s work program required under the PAA. The proposed performance audits are set
out in the Auditor-General’s annual audit plan; however, the Auditor-General may choose to
undertake performance audits that arise on an unplanned basis.
AG-5, like other Auditing Standards, requires the Auditor-General to:
•• Formulate the work.
•• Undertake appropriate planning.
•• Obtain relevant evidence.
•• Keep sufficient documentation as evidence that the engagement was conducted
in accordance with the appropriate Standards and thus support the findings,
recommendations and, if appropriate, the conclusions reached by the Auditor-General.

CC
When reporting their findings, recommendations and conclusions, the Auditor-General may, if
appropriate, include criticism of the Department and members of its staff. Pursuant to AG‑5, it is
necessary for the Auditor-General to provide the parties subject to the criticism with sufficient
information for them to comment on the factual accuracy, completeness, fairness and balance
of the findings, recommendations and, if appropriate, the Auditor-General’s conclusions. The
Auditor-General must consider any response from the parties and determine what, if any,
modifications to the report are necessary.
Required reading
AG-5.
Worked example 18.4: Performance engagements

Activity 18.2: Performance engagement criteria


18.1: Internal auditors
18.2: Public sector assurance engagements
Quiz

Readings

Standards.
Required reading
Relevant International Auditing and Assurance pronouncements and national equivalents and guidance
Code of Ethics for Professional APES 110 Code of Ethics for NZICA Code of Ethics
Accountants (IESBA Code) (2015) Professional Accountants
•• Paragraphs 300.1– 300.15 •• Paragraphs 300.1–300.15 •• Paragraphs 300.1–300.15
ISA 210 Agreeing the Terms of ASA 210 Agreeing the Terms of ISA (NZ) 210 Agreeing the Terms of Audit
Audit Engagements Audit Engagements Engagements
and Assessing the Risks of the Risks of Material Misstatement and Assessing the Risks of Material
Material Misstatement through through Understanding the Entity Misstatement through Understanding the
Understanding the Entity and Its and Its Environment Entity and Its Environment
Environment
•• Paragraphs 4(c) and 12 •• Paragraphs 4(c) and 12 •• Paragraphs 4(c) and 12
ISAE 3000 (Revised) Assurance ASAE 3000 Assurance ISAE (NZ) 3000 Assurance Engagements
Engagements Other than Audits Engagements Other than Audits Other than Audits or Reviews of Historical
or Reviews of Historical Financial or Reviews of Historical Financial Financial Information
Information Information
•• Paragraphs 1-8, 10-12, 14, •• Paragraphs 1–9, 12–26, 28–30, •• Paragraphs 1–4, 6–12, 14–15, 18–19,
20-22, 24, 31-33, 37-51, 64-77 33–37, 40, 43, 56–57, 64–65, 22, 33, 38, 41–42, 45–46, 49 and
and A45 68–70, 73–75, 78 and 82–84 51–52
N/A – ISAE 3000 (Revised) ASAE 3100 Compliance SAE 3100 Compliance Engagements
applies Engagements
•• Paragraphs 1–4, 19, 28, 31, •• Paragraphs 1–3, 14–20, 23–24, 29–31,
33–34, 36–38, 40–42, 49–60, 37, 45, 47–57, 61, A4–A9, A30–A35,
64–80 and 85 A40–A41 and A43–A53
N/A – ISAE 3000 (Revised) ASAE 3500 Performance AG-5 Auditor-General’s Auditing
applies Engagements Standard 5 Performance Audits, Other
Auditing Services and Other Work Carried
Paragraphs 1–10, 12, 15–19, 23, Out by or on behalf of the Auditor-General
27–28, 32, 36–38, 40–48, 53–54,
61–63, 66–71, 74–76, 79–83 and
89–91
N/A N/A AG-4 (Revised) Auditor-General’s
Auditing Standard 4 The Audit of Service
Performance Reports
•• Paragraph 4

Relevant International Auditing and Assurance pronouncements and national equivalents and guidance
N/A N/A Public Audit Act 2001
•• Sections 5, 14, 16–18, 20–22,
Schedule 3 Item 4
www.oag.govt.nz
Further reading


ACT
Activity 18.1
Assessing results of compliance engagements
Introduction
Compliance engagements can be performed in both the private and public sectors. However,
these types of engagements are regularly performed by auditors in the public sector. Some
Auditors-General build in a compliance engagement with their audit of annual financial
statements.
•• Apply the appropriate assurance process to public sector engagements.
At the end of this activity, you will be able to evaluate the results of a compliance engagement,
in accordance with:

ISAE 3000 (Revised) Assurance ASAE 3100 Compliance SAE 3100 Compliance Engagements
Engagements Other than Audits Engagements
or Reviews of Historical Financial
Information
Scenario
You are an audit manager working for the Auditor-General. You have taken over from another
audit manager who is on long service leave. The engagement you are currently completing
is an investigation into whether the Department of Information (DI) is complying with the
government-wide recruitment policy established by the Department of Human Capital.
The following is an extract of key requirements of the policy:
Recruitment policy extract
Policy Requirement
paragraph
reference
12 The head of a government agency must advertise all vacancies on the government recruitment
website and in at least one major newspaper, as determined by the department head for that
agency
14 A selection committee shall be established to assess the merit of all applicants for appointment
to a vacant position
18 Appointments to vacant positions are to be made by the department head for that agency
The department head is not required to appoint the applicant recommended by the selection
committee; however, they may only fill the vacant position from the pool of applicants

ACT
Recruitment policy extract
Policy Requirement
paragraph
reference
74 For appointments made by the department head through exercise of the para. 18 exemption:
•• The department head must provide a written report to the selection committee prior to the
applicant’s appointment
•• The written report must outline the reasons for the department head’s decision to appoint
an applicant not recommended by the selection committee
•• The department head must receive acknowledgement from the selection committee
members prior to making the appointment
The engagement team has already completed the field testing work regarding the DI’s
compliance with the recruitment policy.
From a sample of 15 appointments made throughout the period, the audit engagement team
found only one very senior appointment where the DI had failed to advertise the position in a
major newspaper, but had advertised the position on the government recruitment website. All
other aspects of the recruitment policy had been complied with for all 15 appointments selected.
Task
For this activity, you are required to outline what work is required to complete the
DI compliance engagement and assess the impact of any compliance breaches.

ACT
Activity 18.2
Performance engagement criteria
Introduction
Planning is the key to a well-organised performance engagement. Part of the planning process
is to clearly identify the subject matter and the suitable criteria by which the subject matter is
evaluated.
•• Apply the appropriate assurance process to public sector engagements.
At the end of this activity, you will be able to evaluate the suitability of criteria, identify relevant
assertions, and determine appropriate engagement procedures in a performance engagement,
in accordance with:

ISAE 3000 (Revised) Assurance ASAE 3500 Performance AG-5 Performance Audits, Other
Engagements Other than Audits Engagements Auditing Services and Other Work
or Reviews of Historical Financial Carried Out by or on behalf of the
Information Auditor-General
Scenario
You are an audit manager working for the Auditor-General. The role of the Department of
Industrial Development (DID) is to distribute government grants to eligible businesses. All
agricultural and manufacturing businesses that donate products to the country’s prisons,
hospitals and orphanages free of charge are eligible to apply for government grants, as the
government wants to support these businesses so that they can continue to support the
underprivileged.
Not all applicants will be allocated grants due to limited government funding. Grants will
be allocated based on applicants’ support of the underprivileged. The government has
budgeted $10 million to DID’s grant program for the 30 June 20X3 financial year. Your team is
undertaking an audit engagement on DID’s performance for the year ended 30 June 20X3.
During planning for the engagement, the audit team sets the following questions to assess
DID’s performance:
1. Is the grant program aligned to government priorities?
2. Are grants allocated appropriately?
3. Have grants achieved results?
The audit team then formulates the following performance engagement criteria:
1. Alignment of grant program to government priorities
1.1 Is the grant program aligned to the government’s core business?
1.2 Has DID developed reasonable guidelines and criteria for the grant program?

ACT
2. Appropriate allocation of grants
2.1 Are grants allocated based on the support of the underprivileged regardless of political
and regional characteristics?
2.2 Has DID considered the applicant’s forecast output available for donation in granting
funds?
3. Achievement of results
3.1 Does DID ensure funds are used for good purposes?
3.2 Does DID evaluate its grant program?
The Auditor-General is interested in your team’s work and would like to know the results.
Task
•• Assess the suitability of the six audit criteria against the relevant Assurance Standard.
•• Identify and explain which performance-based assertion each of the six audit criteria is
aimed at testing.
•• Design appropriate assurance procedures to test the relevant assertion for audit criteria
2.1 and 2.2.

CC
Core content
Unit 19: Case study, and current and future
trends
Learning outcomes
1. Apply the ethical requirements and the audit process to a financial statements audit
engagement.
2. Describe current and future trends that are relevant and important to the practice of
auditing and assurance in all jurisdictions.
3. Explain where to go to keep up to date with assurance Standards and guidance, and
regulatory requirements.
Introduction
All earlier units of the Audit & Assurance (AAA) module have addressed the obligations that an
auditor has under the Auditing and Assurance Standards, and what the auditor is required to
do to meet those obligations. Completion of this unit requires an integrated knowledge of many
of the concepts covered so far in the AAA module. Therefore, completion of all previous units is
recommended before attempting to work through the unit.
This unit also looks at some contemporary audit and assurance issues and explains where to
find current assurance Standards and guidance, and regulatory requirements.
Standards referred to in this unit

The following International Standards on Auditing (ISAs) are referred to in this unit:
•• ISA 580 Written Representations (ISA 580).
•• ISA 710 Comparative Information – Corresponding Figures and Comparative Financial Statements
(ISA 710).
aaa11619_csg

CC
Auditor’s objective
Learning outcome
1. Apply the ethical requirements and the audit process to a financial statements audit
engagement.
The auditor’s ultimate objective in an audit of financial statements is to obtain reasonable

assurance as to ‘whether the financial statements as a whole are free from material
misstatement’, enabling the auditor to express an opinion on ‘whether the financial statements
are prepared, in all material aspects, in accordance with an applicable financial reporting
framework’ (ISA 200 para. 11).
To obtain reasonable assurance, the auditor needs to ‘obtain sufficient appropriate audit
evidence to reduce audit risk to an acceptably low level’ (ISA 200 para. 17).
This section looks at how the auditor works through the audit process to obtain sufficient
appropriate audit evidence, using the Monty Travel Limited (MT) case study provided
specifically for this unit. Following the audit process stage by stage, Activities 19.1–19.7 build
on the MT case study progressively. Therefore, the activities in this unit must be worked
through in the order in which they are presented.
The audit process can be summarised in four stages:
•• Stage 1 – Prior to the audit.
•• Stage 2 – Planning the audit.
•• Stage 3 – Responding to assessed risk – undertaking the audit.
•• Stage 4 – Finalising the audit.
As well as these stage-specific activities, continuous audit activities must also be performed
throughout the audit process. These include addressing going concern, documenting audit
evidence, and reviewing and revising the audit plan, strategy and materiality levels.

CC
The diagram below provides an overview of these stages:
AUDIT PROCESS

Overall framework Assurance purpose and framework
Auditing Standards and quality control
AUDITS OF FINANCIAL STATEMENTS

Prior to the audit
• Consider engagement
independence and ethical Pre-engagement activities
considerations
• Direction, supervision and
performance of the audit Planning the audit
• Assess continuing Understanding the entity and its environment
relationship with client Analysing audit risks, financial statement assertions and initial audit
• Communicate with those engagements
charged with governance Analysing audit risks – fraud
and management Materiality in planning and performing an audit
• Consult with appropriate Developing an overall audit plan
persons on difficult or
contentious matters
• Document work
Responding to assessed risk – undertaking the audit
performed, findings and
conclusions in appropriate Responding to assessed risks – controls testing
working papers Responding to assessed risks – substantive testing
• Revisit planning Responding to assessed risks – evaluating audit evidence
assumptions Responding to assessed risks – using the work of others, external
• Consider going concern confirmations and written representations
and fraud Subsequent events and going concern

Stage 1 – Prior to the audit

The first stage of the audit process involves determining whether the auditor can accept an
audit engagement. There are specific activities and processes the auditor must undertake
prior to accepting an engagement, which are collectively known as pre-engagement activities.
The unit on pre-engagement activities discusses these requirements in detail.
A key activity the auditor must undertake before accepting the engagement is to identify and
evaluate threats to independence.
Activity 19.1: Identifying and evaluating threats to independence


CC
Stage 2 – Planning the audit

Once the terms of the audit engagement have been agreed, the auditor can start planning the
engagement. Planning and risk assessment are addressed in a number of units in the AAA
module. The planning stage of an audit also includes establishing the overall audit strategy
and developing the audit plan. Audit strategy and audit plan are discussed in the unit on
developing an overall audit plan.
Planning and risk assessment activities are summarised in the following diagram:
Performing risk assessment procedures

• Obtain an understanding of the entity and its environment
• Obtain an understanding of the entity’s internal controls
• Determine materiality levels for the audit engagement
• Perform preliminary analytical procedures
• Assess the risks of material misstatement (RMM)
Document in overall
audit strategy and
audit plan
Developing overall Determining further

responses (financial procedures (assertion
statement level) level)
As the aim of the auditor is to obtain sufficient appropriate audit evidence to reduce audit risk
to an acceptably low level (in order to obtain reasonable assurance on the RMM in the financial
statements), the auditor must design audit procedures in accordance with the risk assessment.
The first step in the planning stage is, therefore, performing risk assessment procedures.
Risk assessment procedures

As outlined in the above diagram, risk assessment procedures begin with obtaining an
understanding of the entity and its environment, including its internal controls; this is discussed
in the unit on understanding the entity and its environment.
Applying professional scepticism in obtaining an understanding of the entity allows the auditor
to identify business risks impacting on the entity, such as fraud risk and going concern issues,
as well as possible sources of inherent risk to the financial statements assertions. Understanding
the entity’s internal controls allows the auditor to evaluate the design and implementation of
those controls in order to assess control risk.
Fraud risk
As the auditor’s main objective is to express an opinion about whether the financial statements
are free from material misstatement, whether due to fraud or error, the auditor must therefore
consider fraud risk in their audit planning.
In particular, the auditor needs to assess whether there are any indicators of fraud risk arising
from related party relationships and transactions, due to the inherent risk associated with
related parties.
Audit requirements regarding fraud risk are discussed in the unit on analysing audit risks –
fraud.

CC
Activity 19.2: Identifying risks

Determining materiality levels for the engagement

Determining materiality levels allows the auditor to quantify the amount above which it is
considered to be significant enough to change or influence the economic decisions of users of
the entity’s financial statements. The concept of materiality requires the auditor to exercise
During the course of the audit, information may come to light that requires the auditor to revise
the initial materiality levels set during the planning stage. Where risk is increased, the auditor
would lower the level of materiality.
Materiality is discussed in detail in the unit on materiality in planning and performing an audit.
Performing preliminary analytical procedures

Having obtained an understanding of the audit client, its environment and internal controls,
the auditor applies their professional judgement in developing a number of expectations about
plausible relationships among the various sources of information.
Continuing the planning and risk assessment process, the auditor then performs preliminary
analytical procedures to assess whether the financial statements are consistent with their
expectations. This allows the auditor to identify specific financial statement items that are not
in line with expectations, as well as possible fraud risks. The use of preliminary analytical
procedures is discussed in detail in the unit on developing an overall audit plan.
Performing the risk assessment procedures allows the auditor to identify the sources of RMM in
the entity’s financial statements.
Assessing the RMM

On identifying the sources of RMM in the financial statements, the auditor needs to assess these
risks at both the financial statement and assertion levels. That is, the auditor needs to apply
their professional judgement to analysing the impact of the identified sources of RMM on the
financial statements as a whole, and also on individual items in the financial statements. This is
discussed in detail in the unit on analysing audit risks, financial statement assertions and initial
audit engagements.
Analysing risks and assessing the RMM enables the auditor to direct effort and resources to
where they are most needed – that is, to areas where the RMM is assessed to be highest.
Developing overall responses

The auditor exercises their professional judgement in developing ‘overall responses’ to address
the assessed RMM at the financial statement level – for example, assigning more experienced
staff to areas where the RMM is assessed as high, or determining whether component auditors
or experts are required to assist in obtaining sufficient appropriate audit evidence.
Determining further audit procedures

In the last step of the planning and risk assessment stage, the auditor needs to determine
‘further audit procedures’ to address the RMM at the assertion level. This entails determining
the audit approach – that is, whether to predominantly perform tests of controls or substantive
procedures, or a mixture of both. The auditor must also consider the quality and quantity of
audit evidence required that is consistent with the assessed RMM, in order to reduce audit risk
to an acceptably low level.
Overall responses and further audit procedures are discussed in detail in the unit on developing
an overall audit plan.

CC
Stage 3 – Responding to assessed risks – undertaking the audit

This third stage of the audit process is the evidence-gathering stage. This process involves
performing the tests of controls and substantive procedures in accordance with the overall audit
strategy and audit plan.
Tests of controls
The purpose of tests of controls is to obtain evidence relating to the operating effectiveness
of the internal controls designed and implemented by management to prevent, or detect and
correct, material misstatements at the assertion level (ISA 330 para. 4(b)).
Tests of controls are discussed in detail in the unit on responding to assessed risks – controls
testing.
Activity 19.3: Designing tests of controls

Substantive procedures
The purpose of substantive procedures is to detect material misstatements in financial statement
items (i.e. at the assertion level – ISA 330 para. 4(a)). Substantive procedures include tests of
details and substantive analytical procedures (SAPs). Substantive procedures are discussed in
detail in the unit on responding to assessed risks – substantive testing.
Note that an audit cannot be completed solely by performing tests of controls. Substantive
procedures are required to be performed ‘for each material class of transactions, account
balance [at period end], and disclosure’ (ISA 330 para. 18). ISA 330 and ISA 520 both include
specific guidance on when to use substantive procedures.
Evaluating audit evidence
Having responded to assessed risks by performing further audit procedures, the auditor
needs to evaluate the results of those audit procedures – that is, to evaluate the audit evidence,
and in doing so, exercise their professional judgement to determine the sufficiency and
appropriateness of the audit evidence.
Where the auditor determines that sufficient appropriate audit evidence has not been obtained
by performing the audit procedures originally designed in the audit plan, they are required to
design additional procedures to ensure sufficient appropriate audit evidence is obtained, and
update the audit plan accordingly.
Evaluating the effect of misstatements on the financial statements

At the conclusion of an audit, overall materiality is applied to evaluate the:
•• Effect of any identified misstatements on the financial statements.
•• Appropriateness of the auditor’s opinion.
This is discussed in the unit on responding to assessed risks – evaluating audit evidence.
Activity 19.4: Evaluating audit evidence and determining further audit procedures
Using the work of others, external confirmations and written representations

Throughout the audit process, the auditor needs to identify ways to achieve an effective and
efficient audit and to assess whether sufficient appropriate audit evidence has been obtained.
This includes determining whether work performed by others outside of the engagement audit
team can be used as audit evidence, and whether audit evidence can be obtained directly from
independent sources.

CC
It is important to note, when using the work of others, that the auditor (being the engagement
partner) retains sole responsibility for the audit opinion expressed.
Using the work of others, external confirmations and written representations are all discussed
in detail in the unit on responding to assessed risk – using the work of others, external
confirmations and written representations.
Using the work of others

In some audit engagements, the engagement audit team may use the work of component
auditors, where the audited entity comprises branches or subsidiaries in various locations. The
work of the audit client’s internal auditors may potentially be used to modify the nature, timing
and extent of audit procedures to achieve an efficient and effective audit. Additionally, the
reports, valuations or opinions of an expert may provide audit evidence.
The ISAs set out specific audit procedures the engagement audit team needs to perform in
order to determine whether work performed by other auditors or experts can be relied on and is
appropriate for the financial statements audit.
Activity 19.5: Using the work of internal auditors

In performing audit procedures and evaluating the results, it is important that the auditor
considers the reliability of audit evidence that has been obtained.
Audit evidence is considered to be more reliable when it is obtained:
•• From independent sources outside the entity that is being audited.
•• Directly by the auditor.
•• In documentary form.
In light of this, auditors often send external confirmation requests to obtain audit evidence.
External confirmations are considered more reliable than evidence that is provided by the entity
itself.
The entity’s management has a responsibility to provide written representations to the auditor
in respect of the audit. Specifically, management needs to provide a written statement to the
auditor that management and ‘those charged with governance … believe that they have fulfilled
their responsibility for the preparation of the financial statements and for the completeness
of the information provided to the auditor’, as well as provide other statements considered
‘necessary by the auditor or as required by other ISAs’ to ‘support other audit evidence’
(ISA 580 paras 6(a) and (b)).
It is important to note that although written representations provide ‘necessary audit evidence’,
they ‘do not provide sufficient appropriate audit evidence on their own’ (ISA 580 para. 4). They
should, therefore, always be considered in combination with the other evidence obtained.
Subsequent events and going concern

Stage 3 of the audit process also includes assessing the effect of subsequent events. The auditor
has an obligation to perform procedures to ensure that all subsequent events material to the
financial statements have been identified and are appropriately reflected in the financial
statements, before the auditor’s report is signed.

CC
Additionally, the auditor has a responsibility to assess the issue of going concern throughout
the audit process, and, based on their professional judgement, to:
•• Evaluate whether management’s use of the going concern assumption is appropriate.
•• Conclude whether a material uncertainty exists in relation to the entity’s ability to continue
as a going concern.
This topic is discussed in detail in the unit on subsequent events and going concern.
Activity 19.6: Assessing subsequent events

Continuous audit activities

In addition to the specific activities required to be performed at each stage of the audit process,
auditors must also perform other ongoing activities throughout the process – these activities are
referred to as continuous audit activities, and include:
•• Documenting audit evidence.
•• Reviewing and revising the audit plan, overall strategy and materiality levels of the audit.
Documenting audit evidence

The auditor is required to document the audit evidence gathered to support the conclusions
formed, and to communicate with those charged with governance throughout the audit process.
Updating audit strategy and audit plan

Moreover, as ‘planning is not a discrete phase of an audit, but rather a continual and iterative
process’ (ISA 300 para. A2), the auditor is required to ‘update and change the overall audit
strategy and the audit plan as necessary during the course of the audit’ (ISA 300 para. 10).
This may include revising materiality levels and the nature, timing and extent of audit
procedures to obtain sufficient appropriate audit evidence. This is covered in more detail in the
unit on materiality in planning and performing an audit.
Stage 4 – Finalising the audit

In the final stage of an audit and before the auditor’s report is issued, the auditor is required to:
•• Review the financial statements and audit results.
•• Form an opinion and issue the auditor’s report.

In reviewing the financial statements, the auditor needs to:
•• Perform final analytical procedures.
•• Confirm that related party relationships have been properly identified and dealt with in the
•• Obtain evidence that comparative information has been properly presented in the financial
statements.
•• Review any additional information included in documents containing the audited financial
statements.
These topics are discussed in more detail in the unit on reviewing the financial statements and
audit results.

CC
Final analytical procedures

As the auditor’s ultimate objective is to obtain reasonable assurance as to ‘whether the financial
statements as a whole are free from material misstatement’, thus enabling the auditor to express
an opinion on whether the financial statements have been prepared, ‘in all material respects,
in accordance with an applicable financial reporting framework’ (ISA 200 para. 11), the auditor
needs to review the financial statements at the final stage of the audit process.
The purpose of this review is to ensure that the financial statements are consistent with the
audit results and the auditor’s understanding of the entity prior to issuing the auditor’s opinion.
ISA 520 para. 6 requires the auditor to ‘design and perform analytical procedures near the end
of the audit’ to identify any inconsistencies when forming the overall conclusion.
Related party relationships

The auditor also need to confirm that related party relationships and transactions have been
appropriately identified, accounted for and disclosed in the financial statements, in accordance
with ISA 550.
Comparative information and other information in documents containing audited financial

statements
In an audit of financial statements, ISA 710 para. 5 requires the auditor:
… to obtain sufficient appropriate audit evidence about whether the comparative information included
in the financial statements has been presented … in accordance with the requirements for comparative
information in the applicable financial reporting framework.
Additionally, when an entity publishes additional information in documents containing the

audited financial statements (e.g. narrative reports from directors included in an annual report
to shareholders), the auditor has an obligation to read this ‘other information’ in order to
identify any information that would undermine the credibility of the financial statements and
the auditor’s report (ISA 720 para. 6).

The final step of Stage 4 (and the audit process) is to form an opinion on the audited financial
statements (i.e. the audit opinion) and issue the auditor’s report (containing the auditor’s
opinion) on those financial statements.
To form an opinion, the auditor needs to consider whether they have obtained reasonable
assurance on ‘whether the financial statements as a whole are free from material misstatement’,
whether due to fraud or error, ‘in all material respects, in accordance with an applicable
financial reporting framework’ (ISA 200 para. 11), and decide whether any modifications are
required to the auditor’s opinion.

CC
Contemporary audit and assurance issues
Learning outcomes
2. Describe current and future trends that are relevant and important to the practice of auditing
and assurance in all jurisdictions.
3. Explain where to go to keep up to date with assurance Standards and guidance, and
regulatory requirements.
International developments
A number of important developments have occurred at an international level. The most
prominent current development, which will be effective for audits of financial statements for
periods ending on or after 15 December 2016, is the implementation of new and revised ISAs
relating to auditor reporting. These developments are discussed in the unit on forming an
opinion and issuing an auditor’s report. The implementation of these Standards will represent a
significant change in practice.
Other current developments that will also be effective for periods ending on or after
15 December 2016 relate to the work of the International Auditing and Assurance Standards
Board (IAASB), and affect the following audit areas:
•• The auditor’s responsibilities relating to other information. These developments are
discussed in the unit on reviewing the financial statements and audit results.
•• Going concern. ISA 570 (Revised) Going Concern will include revisions to the work that
auditors will be required to perform in this regard, with greater emphasis being placed
on going concern disclosures. There will also be changes in how auditors report on going
concern issues. The reporting changes are discussed in the unit on forming an opinion and
issuing an auditor’s report.
•• Communications. ISA 260 (Revised) Communication with Those Charged with Governance will
include guidance on the communication of matters to be included in the auditor’s report,
which is currently located in other Auditing Standards. The revised Standard will also
include guidance relating to communicating key audit matters under the new Auditing
Standard ISA 701 Communicating Key Audit Matters in the Independent Auditor’s Report.
Data analytics in audit

The use of Big Data and data analytics is rapidly transforming the way audits are conducted
and has been discussed in previous units. The Big 4 and other audit firms have projects around
transforming their audits through the use of technology.
Data analytics is also informing the work of the IAASB. The IAASB has formed a working
group to monitor the various applications of data analytics and how to respond to these
developments. It is monitoring the impact of data analytics on risk assessment, testing
approaches, analytical procedures and other evidence. The IAASB’s focus is on information
and data areas that are relevant to the audit. It is also considering where changes to Auditing
Standards may be helpful to acknowledge the use of data analytics.


CC
Information on the scope and intent of all the IASB’s current and future projects can be found
on its website (www.ifac.org → Independent Standard-setting Boards → IAASB® Auditing &
Assurance → Projects).
Many contemporary auditing and assurance developments are linked to developments in
reporting on financial and other information. Some of these are discussed below.
Disclosures
In July 2015, the IAASB issued a final pronouncement Addressing Disclosures in the Audit
of Financial Statements – Revised ISAs and Related Conforming Amendments. The focus of the
disclosure project was to ‘enhance the requirements in various ISAs to drive changes in the
auditor’s approach’ to disclosures (Basis for Conclusions, Addressing Disclosures in the Audit of
Financial Statement and Related Conforming Amendments, July 2015 para. 12(b)).
One of these changes in approach will include the integration of assertions for presentation and
disclosure with assertions relating to account balances, classes of transactions and events. The
change has been made to encourage auditors to address the related disclosures at the same time
that they are performing other audit procedures.
The IAABS’s disclosure project was part of a wider project that looked at the complexity
of financial reports and initiatives for the purpose of reducing and simplifying disclosures.
Current discussions on the topic suggest that there is scope for entities to improve the clarity of
financial reports under existing disclosure requirements by highlighting key information, re-
ordering content into logical sections and removing unnecessary disclosures.

Sustainability reporting
The Global Reporting Initiative (GRI) is an independent international organisation that
promotes the use of sustainability reporting as a way for entities to become more sustainable
and contribute to sustainable development. Sustainability issues include issues such as climate
change, human rights and corruption.
The GRI framework includes reporting guidelines, sector guidance and other resources.
The GRI is supportive of integrated reporting as it is an important and necessary innovation of
corporate reporting.
Assurance practitioners can be engaged to provide assurance over sustainability reporting.
Fundamental assurance skills and knowledge are applicable to the broader sets of information
that are presented in sustainability reports. ISAE 3000 Assurance Engagements Other Than Audits
or Reviews of Historical Financial Information (ISAE 3000) is the relevant Standard for this type of
work.


CC
Integrated reporting
The International Integrated Reporting Council (IIRC) is a ‘global coalition of regulators,
investors, companies, standard setters, the accounting profession and [non-government
organisations]’ (see www.integratedreporting.org).
While many companies prepare traditional financial reports and separate sustainability
reports, integrated reports attempt to serve as the reporting ‘centrepiece’ of integrated thinking
within an organisation. They extend the traditional view of capital beyond financial capital, to
incorporate manufactured capital, human capital, social and relationship capital, intellectual
capital and natural capital.
An integrated approach argues that the interrelationships between all forms of capital act to
create short-, medium- and long-term value, and that examining the integrated whole and
embedding this practice in an entity’s decision-making processes is key to understanding the
entity’s value creation over time.
Assurance practitioners have a role in strengthening the credibility of integrated reports.

Australian and New Zealand developments
Australia and New Zealand-specific developments in Auditing and Assurance Standards

As discussed in the unit on assurance purpose and framework, the Auditing and Assurance
Standards Board (AUASB) issues the local Standards in Australia, and the New Zealand Auditing
and Assurance Standards Board (NZAuASB) issues the local Standards in New Zealand. The
Standards issued by both the AUASB and NZAuASB include those that are based on the
international Standards, and those that are specific to Australia and New Zealand. Many
changes to auditing and assurance are directed from the international level.
However, there are also local developments and Standards that are developed for the purpose
of public interest in Australia or New Zealand. A recent example of a national standard that was
developed in Australia and New Zealand is ASAE/SAE 3150 Assurance Engagements on Controls.
Another example includes ASAE 3610 Assurance Engagements on General Purpose Water
Accounting Reports, which was made for Australian public interest purposes.
Further information about the current work program and thought leadership on topical and
emerging issues in auditing and assurance can be found on the local standard-setters websites
at www.auasb.gov.au and www.xrb.govt.nz.
Chartered Accountants Australia and New Zealand (CA ANZ)

The Chartered Accountants Australia and New Zealand (CA ANZ) website provides guidance as
well as a platform for auditors to provide input on CA ANZ’s responses to audit and assurance-
related issues. It has a specific technical area that is dedicated to audit and assurance issues,
which keeps members updated on changing audit requirements and local and international
auditing and assurance developments.
The resources provided include:
•• Thought leadership informational material.
•• CA ANZ submissions on auditing matters.
•• A weekly newsletter, Accounting & Assurance News Today (ANT), which addresses both
financial reporting and audit and assurance issues.

CC
•• Resource materials on assurance-related issues.

•• A blog maintained by CA ANZ’s head of audit, which discusses current topical audit-related
issues.
•• Acuity magazine, which provides informed independent analysis, commentary and news
on contemporary issues from the leaders in business.
To access these resources, go to: www.charteredaccountantsanz.com.
Australia-specific
Australian Securities and Investments Commission (ASIC)

As discussed in the unit on assurance purpose and framework, ASIC is responsible for
administering the requirements of the Corporations Act 2001 (Cth) as it relates to auditor
independence and audit quality. ASIC’s audit oversight activities are intended to help maintain
and raise the standard of conduct in the auditing profession.
The outcomes of ASIC’s most recent round of audit inspections were published in June 2014,
and are found in ASIC media release 14-140MR ‘ASIC’s audit inspection findings for 2012–13’. In
these inspections, ASIC reported that in 20% of the total 454 key audit areas reviewed, across
107 audit files, auditors ‘did not have a sufficient basis to support their opinion on the financial
statements’ (i.e. auditors did not obtain reasonable assurance). In this regard, ASIC identified
three areas in which improvement is required:
•• the sufficiency and appropriateness of audit evidence obtained by the auditor
•• the level of professional scepticism exercised by auditors, and
•• ensuring appropriate reliance on the work of experts and other auditors.


CC
Oversight of audit and assurance providers is undertaken by the Financial Markets Authority
(FMA). The FMA has responsibility for the oversight of engagements involving the audit of
financial statements. Its audit oversight activities are intended to help maintain and raise the
standard of conduct in the auditing profession. Information on the FMA’s regulatory work and
guidance on auditor requirements can be found on the FMA’s website (www.fma.govt.nz).
The latest FMA Audit Quality Review Report for the 12 months ended June 2014 can be found
on the FMA website. The report confirms that the majority of the profession in New Zealand
is meeting minimum compliance standards. The report highlights the following key areas
needing attention by audit firms:
•• Monitoring of audit quality.
•• Auditor independence.
•• Professional scepticism.
•• Going concern statements.
•• Use of management or audit experts.
•• Auditing of revenue.
•• Audit sampling.
•• Analytical procedures.
•• Level of audit evidence for audit opinion.


Readings

Standards.
Required reading
There are no required readings for this unit.
All Accounting and Auditing and Assurance Standards and guidance, and regulatory
requirements referred to in this unit are discussed in detail in Units 1–18.
Further reading



CS
[At the end of this case study, there are several activities]
Case study
Monty Travel Limited (MT)
Background
Monty Travel Limited (MT), a travel company, was established in 20W2 by Monty Swanson and
his wife, Millie. MT has been listed on the Australian Securities Exchange (ASX) since 20W8.
Marshall Barney Chartered Accountants (MBCA) is conducting the audit of MT’s 31 December
20X3 financial statements. MBCA has been MT’s auditor for the past five years.
Key personnel at MBCA working on the MT audit are:
•• Daniel Jones, audit partner in charge.
•• Sheena Soames, audit manager – she has been the manager of the MT audit engagements
for the past three years.
MT’s draft accounts for the year ended 31 December 20X3 are at the end of this case study.
Overall materiality has been calculated at 1% of revenue from operations, or $651,450.
Note: All monetary sums are denominated in Australian dollars (AUD) unless otherwise stated.
Company information
Branches
MT’s head office and management are located in Perth, Western Australia, and it has branches
throughout Australia, New Zealand and Asia. MT owns the head office premises and a number
of the company’s original branch offices, but the majority of branch offices are leased.
Directors
The directors of MT are:
•• Monty Swanson – chief executive officer (CEO).
•• Lily Swanson, Monty’s daughter – chief financial officer (CFO) and a Chartered Accountant
(CA).
•• Three other executive directors.
•• Millie Swanson – non-executive director.
These directors make up the current MT board of directors (the board), and have travel industry
experience. The CEO and CFO enjoy a substantial sales-related bonus provided they also meet
their specific objectives within the business.
Packaged holidays
Initially, MT provided packaged holidays in Australia and New Zealand. It carried on this
business for many years, but has recently expanded into packaged holidays in Asia and Europe.
MT offers three categories of holiday products: ‘Family’, ‘Explorer’ and ‘Couples’ holiday
packages.
Unit 19 – Case study Page 19-17

CS
Family packages
Family packages are packaged holidays that are attractive to families. These provide either all-
inclusive hotel accommodation (including some meals and drinks) or self-catered apartments
(no meals provided).
Explorer packages
Explorer packages are aimed at people aged between 18 and 30, and are relatively cheap
adventure holidays centred on activities such as sailing, trekking, climbing and cycling.
Couples packages
Couples packages are expensive luxury holidays, which are mainly attractive to honeymooners
and older couples. These prestige products are often customised holidays, and include only the
more upmarket hotel chains and resorts.
MT only sells its own packaged products and does not act as an agent for any other travel
companies. It uses instead the services of other travel industry providers, such as airlines and
hotels, which it pays directly on behalf of its customers. All packaged holidays offered by MT
include accommodation, flights and transfers between airports and hotels.
Marketing
MT procures business through brochures made available at its branches or online through its
website. Both sources include the prices of MT’s holiday packages. Prices are generally not
negotiable, and discounts are not routinely offered. MT does occasionally run last-minute
promotions of discounted packages, particularly in the family packages category, but this is
unusual.
Development of online booking facility

MT enjoyed steady growth until a few years ago, when its market share began to be eroded by
competitors offering online booking facilities. In recent years, there has been a dramatic increase
in the number of customers choosing to book holidays directly through the internet – many of
them believe the speed and convenience of booking holidays online far outweighs the benefits
of visiting a branch to discuss options with a holiday advisor.
Monty Swanson used to be of the opinion that the friendly and direct personal service offered
by the company through its branch network was a significant differentiating factor between
MT and its competitors. However, he was forced to concede that MT needed to establish its own
online booking facility, and five years ago, the MT website was launched.
The large software system investment required to develop the website involved significant
external funding. Although MT’s bank provided the finance, the loan requires MT to maintain,
at all times, a:
•• Current ratio of at least 1 (i.e. current ratio = current assets/current liabilities).
•• Gross profit margin ratio of at least 0.15 (i.e. gross profit margin ratio = gross profit/sales
revenue).
Despite MT’s investment in the online facility, Monty has found that customers prefer to
tailor their own holidays online by booking flights, transfers and accommodation directly
themselves, and bypassing travel agents completely. This trend has had a negative impact on
the performance of all three MT product ranges on offer, but especially on the Explorer range.
The target customer for this range prefers to travel unconstrained by a packaged offering.
Page 19-18 Case study – Unit 19

CS
Quality and safety

As stated above, MT’s holiday packages include accommodation, flights, and transfers between
airports and hotels. Based on the forecast demand for holidays, MT reserves blocks of rooms
with suppliers, which are usually operators with whom MT has had a long association.
However, due to MT’s expansion into overseas travel, particularly into Asia, several of the hotel
chains used for the coming season will be new. Although each hotel is responsible for the health
and safety of its guests, MT endeavours to monitor the quality and safety of hotels using an
on‑site representative.
Last year, one of MT’s guests was seriously injured when they fell from a balcony at a hotel
in Thailand. There have also been several incidents of illness in Asia, which were suspected
to be food poisoning. Although this was not proved, MT paid compensation to the affected
customers.
Booking procedures
Customers pay a deposit at the time of booking, and are issued with a booking reference
number. They are required to make the final payment eight weeks before the holiday’s
commencement. MT’s cash management is vital due to the seasonal nature of the holidays.
Holiday sales are transacted in AUD, but some hotels require payment in their local currency,
while airlines request payment in US dollars (USD).
Revenue recognition
MT’s revenue recognition policy is that revenue and direct expenses that relate to sold holidays
are recognised in the statement of profit or loss on customers’ departure. Payments received
from customers in advance of departure are recorded as deferred income. Amounts disclosed
as revenue are net of returns, trade allowances and rebates. This revenue policy is in accordance
with IAS 18 Revenue.
ERP system
In order to improve the quality of management information, MT implemented a new enterprise
resource planning (ERP) system in September 20X3, which fully integrates MT’s financial and
operational data. Implementation of this system was carried out by external consultants, and
although it was the first time they had installed such a large system, the project was completed
very quickly but on time.
The new ERP system is made up of separate components, which deal with:
•• General ledger.
•• Accounts receivable.
•• Accounts payable.
•• Purchasing.
•• Payroll.
•• Property, plant and equipment (PPE) register.
•• Management reporting.
These components are fully integrated, so that data only needs to be inputted once and all
relevant components are updated simultaneously. All MT’s branches use the ERP system and
are linked to the head office servers in real time. Bookings made over the internet are also
updated in real time.

CS
Purchasing process
MT’s purchasing department is managed by Vince Chow. Although he is not a director of
the company, he is eligible for profit-related bonus payments. Apart from overseeing the
purchasing department, Vince is also responsible for MT’s negotiations with hotels, including
sourcing new hotels. He takes great pride in this area of responsibility, and insists on
undertaking all negotiations personally.
Details of new suppliers of any type of purchase made by MT must be entered into MT’s
approved supplier list before transactions can be processed. All purchases over $2,000 must
be made through the purchasing department. Local branch managers have the authority to
make purchases below this amount to cover sundry expenses and refunds. Invoices received
are matched to purchase orders, and then sent to the relevant branch or head office manager
for approval. Invoices from hotels and airlines are approved for payment by Vince due to the
amounts involved.
Vince has been with MT since its early days and is a well-respected employee. Monty trusts
Vince and considers him part of the family – as such, Vince’s work is not reviewed by anyone
and he is only required to report to Monty. Monty does not require regular reports from Vince
outside of these discussions.
Internal audit
During 20X1, it was decided that an in-house internal audit department should be established
at MT. Lily Swanson contacted a respected ex-colleague of hers, Joe James, an audit partner
at Murphy Rochester (MR), the international accountancy firm where she trained, to see if
he would be interested in taking up the role of MT’s head of internal audit. He accepted the
position, and also brought over two of the brightest young members of his audit team at MR.
These appointments were all approved at an MT board meeting.
MT’s internal audit department was thus established in August 20X1, and comprises:
•• Joe James – head of internal audit and a CA, previously an assurance partner at an
international accountancy firm.
•• Emma White – an auditor and recently qualified CA with three years’ audit experience.
•• Sam Alexander – an auditor and currently undertaking the Chartered Accountants Program.
Joe reports directly to the board and on a daily basis to Lily Swanson, the CFO.
The internal audit department has unrestricted access to all parts of MT’s business and to all its
employees. It does not perform managerial or operational duties outside of its internal audit
function; however, Lily reserves the right to instruct Joe to undertake assignments that require
immediate attention.
The internal audit department is responsible for documenting all MT’s systems, and making
recommendations to the board on the adequacy of the company’s internal controls or any
improvements that could be made to these controls. Joe is authorised to discuss internal audit
matters arising at any time with Monty and the board of directors.
Joe has set up audit manuals, which include policies and procedures for objectivity and quality
controls, and work programs. Joe is responsible for planning and supervising the internal audit
department, and for reviewing Emma’s and Sam’s work. All work performed by the internal
auditors is documented. Joe conducts quarterly training to ensure Emma and Sam have the
required level of competence to perform their roles. This includes training on MT’s financial
reporting framework.
The introduction of the internal audit department initially met with some resistance from some
members of management at MT, who complained that their time would be wasted by having to

CS
deal with the internal audit team. Following these complaints, Lily issued a general instruction
to all branch and head office managers to cooperate fully with the internal audit team.
In addition to its regular activities, the internal audit team were recently asked by Lily to
undertake an audit of MT’s internet sales activity, given that this is a relatively new activity
for the business. While no significant issues were noted from this exercise, Joe did make some
recommendations in his report to the board, which were accepted and implemented.
Control environment for the accounts payable process

As previously stated, MT maintains an approved supplier list, and all purchases over $2,000
must be made through the purchasing department. These purchases are made using a purchase
requisition raised by the relevant branch or department and authorised by the departmental
manager. Purchasing staff must then select a supplier from the approved supplier list when
raising an order based on the requisition. Each purchase made through the purchasing
department is allocated a unique computer-generated order number. Local branch managers
are authorised to make purchases below $2,000 to cover sundry expenses and refunds.
For hotel room bookings, MT’s sales department produces a ‘forecast rooms’ requirement for
the following season, which the purchasing department will then source from hotels on MT’s
approved supplier list. A block of rooms is reserved at each hotel, and a 10% deposit paid
based on the number of rooms reserved. The deposit payments are recorded as prepayments
in the general ledger. When a reserved room is subsequently occupied by an MT customer, the
relevant hotel raises an invoice for the full amount of the room less the 10% deposit already
received.
When invoices are received by the finance department from any supplier:
1. The department’s staff will check that they have a corresponding purchase order (PO)
number. Any invoices that do not have a corresponding PO number are returned to the
relevant supplier immediately with a standard note explaining why the invoice has been
rejected. (All approved suppliers are aware of the requirement of a PO number.)
2. Invoice details are checked against the PO details, and the invoice initialled as evidence that
the checking has taken place.
3. Invoices are then logged as ‘awaiting authorisation’ in the system, and sent out to the
relevant manager to be approved for payment.
4. Goods received notes are held locally at branches, thus the finance department relies on
branch managers to confirm that goods or services have been received before signing the
relevant invoice.
5. Once the accounts payable department receives a returned authorised invoice, the invoice
is coded according to the relevant general ledger accounts. It is then transferred from the
‘awaiting authorisation’ file to the purchase ledger and paid automatically, in accordance
with MT’s pre-set credit terms. The payment is transferred electronically to the supplier’s
bank account (details of which are in the supplier’s file).
If an invoice relates to hotel accommodation:
1. As well as confirming that the PO number matches the correct hotel, finance staff will use
the booking reference number on the invoice to find the customer booking details on the
booking system, in order to confirm that the invoice details correspond with the details of the
holiday sold. Further, finance staff will also check that the daily rate charged on the invoice is
consistent with the registered room rate for the hotel on the approved supplier list.
2. A finance staff member then signs the invoice as evidence that these checks have been
completed, and the invoice is passed on to Vince Chow to authorise its payment.
3. Once authorised, these invoices are processed in the same way as general invoices,
described above.

CS
Supplier statements are reconciled each month and reviewed by Vince to ensure the processed
invoices have been paid. Lily Swanson checks that the weekly payments listing agrees with
the bank statements, and reviews any unusual payments on the listing. She also reviews the
purchase ledger control account for unusual items.
At the year end, an accruals list of invoices and credit notes received after year end that relate to
transactions that occurred before year end is prepared by Lily. This ensures that purchases are
recognised in the correct accounting period and that there are no unrecorded liabilities.
The finance department is required to retain and reconcile all supplier statements for the
purposes of the year-end audit.
Payroll process
All head office staff are paid salaries. Branch employees earn a basic salary plus commission on
holiday sales, and are also paid for any approved overtime. Commission often accounts for up
to 40% of branch employees’ remuneration.
Recruitment process
1. When a branch manager needs to recruit staff, they must first obtain written authorisation
from the human resources (HR) manager, Jilly Wong, at head office to do so.
2. Once the branch manager has recruited locally, they send the employee’s contract, personal
details and photo identification to the HR department at head office, along with a copy of
their authorisation to recruit.
3. Gurpreet Singh, the HR supervisor, then accesses the payroll system and adds the new
employee details to the employee data file (which is password-protected and can only be
accessed by HR staff.) The payroll system allocates the new employee a unique employee
number. Hardcopy documentation of the employee’s details is then filed in the HR
department.
4. Each month, the system generates a ‘New employees’ report for Jilly, who confirms the
employee’s details are consistent with those in the employee’s file.
Pay run process

Each month, MT’s branch managers send a completed ‘Summary of timesheet and commission’
form (the form) to the payroll department. This summary details each employee’s hours
worked (with overtime separately identified), any sick leave or holiday taken, unpaid absences,
commission due on sales, and any other relevant adjustments. This data forms the basis of MT’s
monthly pay run.
The payroll staff input the data from the form into the payroll system. Like the employee data
file, the payroll software is password-protected. Once the payroll data for a particular branch
has been inputted by a payroll employee, it is checked for accuracy by a different payroll
employee. In addition to this manual check, the computer itself will reject any data input
that does not correspond with a valid employee number. MT’s monthly pay run cannot be
performed until such issues are resolved.
Once all data from the form has been entered into the payroll system, both the payroll employee
inputting the data and the payroll employee checking the data’s accuracy sign the form, thus
acknowledging that the data has been inputted and checked. Lu Li, the payroll manager, checks
that all ‘Summary of timesheet and commission’ forms have been signed by the two payroll
employees, and then instructs the system to import these details into the payment system,
ready for the CFO’s review and approval. Only Lu and Lily have access to the password that is
required to import payroll details into the payment system.

CS
The payment system provides the following computer-generated information:
•• Payslips for each employee.
•• A payroll summary, which analyses each employee’s payments. Payments are broken down
into gross pay, net pay, commission and overtime, and deductions.
•• An exception report recording the number of employees on the payroll files for which no
pay was calculated.
•• An exception report recording which employees have been paid for more than 170 hours in
the month.
•• An electronic funds transfer report recording the transfer of net pay amounts into
employees’ bank accounts.
Lu checks the reported exceptions to ascertain if the payroll record needs to be corrected.
Lily reviews the payroll summary, agrees the total amount provided in the electronic funds
transfer report to that of the payment system, and signs her authorisation for the payment to
proceed. Once the electronic funds transfer has been processed by the bank, Lily checks that the
electronic funds transfer report’s total is the same as that on the bank statement.
Employment termination process

When an MT employee leaves the company, the branch or head office manager will inform HR
of the employee’s leaving date using a numbered ‘Leavers’ form. The HR supervisor, Gurpreet,
informs the payroll department of the employee leaving by email. Gurpreet then accesses the
payroll system and adds the employee’s leaving date to their record in the employee data file.
The payroll system automatically deletes the employee, which takes effect as of the leaving
date. The employee receives their final pay for the period up until their leaving date through the
normal monthly payroll. Each month, the computer generates a list of leavers that receive their
final pay in that month, which Gurpreet reviews and signs. A member of the HR team then
notes each leaver’s ‘Leavers form’ reference number against their corresponding entry in the
Leavers report.

CS
Monty Travel Limited – key personnel
BOARD OF DIRECTORS
Executive Executive CEO Executive Non-executive

director director Monty Swanson director director
Millie Swanson
CFO
Lily Swanson
Purchasing
manager
Vince Chow
Internal audit HR manager Payroll

manager Jilly Wong manager
Joe James Lu Li
Auditor HR
Emma supervisor
White Gurpreet Singh
Auditor
Sam
Alexander

CS
Financial information
Statement of profit or loss
31.12.20X3 31.12.20X2 31.12.20X1

(Unaudited)
$ $ $
Revenue from operations 65,145,000 83,615,000 105,272,000
Cost of providing tourism services (45,153,000) (63,886,000) (84,955,000)
Gross profit 19,992,000 19,729,000 20,317,000
Personnel expenses (12,024,000) (12,019,000) (12,221,000)
Depreciation (309,125) (279,375) (245,625)
Advertising and marketing expenses (2,531,000) (2,561,000) (2,536,000)
Rent and building maintenance expense (1,583,000) (1,530,000) (1,555,000)
Information technology and telecommunications (1,132,230) (1,198,560) (1,171,225)
Legal and consultancy fees (811,000) (518,000) (564,000)
Audit expense (63,000) (65,000) (62,750)
Insurance (460,000) (455,000) (450,000)
Training expenses (260,000) (225,000) (250,000)
Net foreign exchange gains 313,000 301,000 358,000
Other operating expenses (22,000) (27,000) (25,000)
Profit from operations 1,109,645 1,152,065 1,594,400
Finance income 42,000 68,000 55,000
Net income before interest and tax 1,151,645 1,220,065 1,649,400
Finance cost (450,000) (355,000) (369,000)
Profit before tax 701,645 865,065 1,280,400
Income tax (210,494) (259,520) (384,120)
Profit after tax 491,151 605,545 896,280

CS
Statement of financial position
Notes 31.12.20X3 31.12.20X2 31.12.20X1

(Unaudited)
$ $ $
Current assets
Cash and cash equivalents 1,701,000 1,850,000 1,785,000
Trade and other receivables 1 12,468,166 16,440,143 24,191,302
Inventories 31,950 33,075 32,750
Total current assets 14,201,116 18,323,218 26,009,052
Non-current assets
Property, plant and equipment 2 5,948,500 5,664,625 5,632,000
Total non-current assets 5,948,500 5,664,625 5,632,000
Total assets 20,149,616 23,987,843 31,641,052
Current liabilities
Trade payables 7,221,373 8,589,751 13,775,500
Revenue received in advance 1,225,000 3,086,000 5,112,500
Interest-bearing liabilities 700,000 675,000 565,750
Accruals and other payables 500,000 525,000 555,755
Total current liabilities 9,646,373 12,875,751 20,009,505
Interest-bearing liabilities 4,300,000 4,400,000 4,500,000
Total non-current liabilities 4,300,000 4,400,000 4,500,000
Total liabilities 13,946,373 17,275,751 24,509,505
Net assets 6,203,243 6,712,092 7,131,547
Equity
Contributed equity 3,500,000 3,500,000 3,500,000
Retained earnings 3 2,703,243 3,212,092 3,631,547
Total equity 6,203,243 6,712,092 7,131,547

CS
Notes to the financial statements
Note 31.12.20X3 31.12.20X2 31.12.20X1

(Unaudited)
$ $ $
1 Trade and other receivables
Trade debtors 1,403,166 2,300,143 3,811,302
Deposits and prepayments 11,065,000 14,140,000 20,380,000
12,468,166 16,440,143 24,191,302
2 Property, plant and equipment
Land and buildings 3,250,000 3,250,000 3,250,000
Accumulated depreciation (705,000) (612,000) (525,000)
2,545,000 2,638,000 2,725,000
Leasehold improvements 2,030,000 2,030,000 1,955,000
Office equipment 2,105,000 1,512,000 1,275,000
Accumulated depreciation (731,500) (515,375) (323,000)
3,403,500 3,026,625 2,907,000
5,948,500 5,664,625 5,632,000
3 Retained earnings
Retained earnings at start of the period 3,212,092 3,631,547 3,535,267
Profit after tax 491,151 605,545 896,280
Interim dividend paid (500,000 ) (525,000 ) (400,000 )
Final dividend paid (500,000 ) (500,000 ) (400,000 )
Retained earnings at end of the period 2,703,243 3,212,092 3,631,547


ACT
[All activities are related to the case study. Solutions to activities are available online.
Please access myLearning to view]
Case study – Activity 19.1

Identifying and evaluating threats
to independence
Introduction
In deciding whether to accept or continue an engagement, the auditor needs to identify and
evaluate threats to independence and ensure that the audit team is able to comply with relevant
ethical requirements.
•• Apply the ethical requirements and the audit process to a financial statements audit
engagement.
auditor independence (from the unit on pre-engagement activities).
At the end of this activity, you will be able to apply the International Ethics Standards Board
for Accountants Code of Ethics for Professional Accountants (IESBA Code) to identify and evaluate
threats to independence, and identify relevant safeguards to eliminate or reduce the identified
threats.
Scenario
You are a senior auditor at Marshall Barney Chartered Accountants (MBCA). You have been
assigned to work on MT’s 31 December 20X3 financial statements audit engagement.
Sheena Soames, the audit manager, has informed you that she intends to allocate six other
auditors to work on this engagement, including Bradley Spades, a first-year auditor, and Ruth
Rivers, another senior auditor who has been involved in the two previous audits of MT. Ruth
will be taking the lead role in this year’s audit team on site.
When talking to Bradley, he tells you that he is quite excited at the prospect of working on the
audit engagement as he has inherited some shares in MT. He is looking forward to seeing ‘behind
the scenes’ of a company he part owns.
Ruth is a good friend of yours, as you have worked on many audit engagements together. She
has confided to you that she is concerned about potential independence issues if she takes
the lead role in the audit engagement. This is due to her brother’s impending wedding to Lily
Swanson, the CFO of MT, to which she has been invited. The news came as a surprise to her as
she is close to her brother but didn’t know that he was in a relationship with Lily; however, it
appears that, after a whirlwind romance, they are set to marry.

ACT
Task
For this activity, you are required to identify and explain, in accordance with the IESBA Code:
•• key threats to independence
•• key fundamental principles that could be compromised, and
•• the most appropriate safeguard to eliminate the threats to independence, or reduce them to
an acceptable level.
with regard to the MT audit engagement, in relation to the new information you have obtained
about Bradley and Ruth.

ACT

Identifying risks
Introduction
The auditor must identify and assess the risks of material misstatement, whether due to fraud
or error, at both the financial statement level and the assertion level.
engagement.
•• Discuss and demonstrate the auditor’s responsibility to gain a thorough understanding

of the entity and its environment (from the unit on understanding the entity and its
environment).
material misstatement in financial statement (from the unit on understanding the entity and
its environment).
financial statement level and at the assertion level (from the unit on analysing audit risks,
financial statement assertions and initial audit engagements).
•• Explain and identify the characteristics of fraud in the context of an audit (from the unit on
analysing audit risks – fraud).
•• Explain the going concern assumption (from the unit on subsequent events and going
concern).
At the end of this activity, you will be able to identify risk factors and explain how they impact
on the financial statements, in accordance with ISA 315 (Revised) Identifying and Assessing the
Risks of Material Misstatement through Understanding the Entity and Its Environment (ISA 315) and
ISA 570 Going Concern (ISA 570). You will also be able to identify and explain fraud risk factors
specifically, in accordance with ISA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit
of Financial Statements (ISA 240).
Scenario
It is January 20X4 and the MT audit is at the planning stage. Sheena, the audit manager, has
asked you to identify the key risks to which MT is exposed.

ACT
Tasks
•• Identify key risk factors to which MT is exposed.
•• For financial statement level risks, explain the impact on the financial statements.
•• For assertion level risks, identify the key accounts and assertions at risk of material
misstatement whether due to fraud or error.

ACT

Evaluating controls and designing tests of
controls
Introduction
Testing the operating effectiveness of controls can reduce the amount of substantive testing
required, which leads to an efficient and effective audit.
engagement.
•• Design, perform and evaluate the results of controls testing (from the unit on responding to
assessed risks – controls testing).
•• Design, implement and evaluate tests of controls, using computer-assisted audit techniques
(CAATs) – (from the unit on responding to assessed risks – controls testing).
At the end of this activity, you will be able to identify risks and controls and design tests of
controls to test the operating effectiveness of internal controls, in accordance with ISA 315
(Revised) Identifying and Assessing the Risks of Material Misstatement through Understanding
the Entity and Its Environment (ISA 315) and ISA 330 The Auditor’s Responses to Assessed Risks
(ISA 330).
Scenario
You are a senior auditor at Marshall Barney Chartered Accountants (MBCA), and have been
When performing risk assessment procedures, you obtain an understanding of MT’s internal
controls around its payroll process designed to prevent or detect and correct material
misstatements regarding the occurrence and accuracy of payroll expenses and the existence,
completeness, and valuation and allocation of payroll liabilities.
Having evaluated the design and implementation of identified controls, you have an
expectation that they have been effectively designed and implemented, and you are now
planning to test the operating effectiveness of these controls. Your team has also tested the
IT general controls and have concluded they are effective.
MBCA’s audit manual provides the following guidelines on selecting sample sizes for tests of
controls:
Manual control frequency Suggested

minimum sample
Daily 25
Weekly 10
Monthly 2–4
Quarterly 2
Yearly – automated control 1

ACT
MBCA’s audit software includes the following tests of controls for payroll:
EDIT SAVE CANCEL

Select a sample of new starters from the new employees reports throughout the year. Trace
the employees to their employee file and ensure the file contains appropriate supporting
documentation. Inspect the report for evidence of review.
Input dummy employees without a valid number to ensure the pay run cannot be processed.
Select exception reports for payroll. Inspect for evidence of review. Through discussion with
the reviewer, determine that appropriate actions are taken by the reviewer with respect of the
exceptions.
Attempt to access the payroll employee data file and the payroll software to confirm access to
systems is appropriately restricted.
For a sample of pay runs, extract pay rates from the employee data file and have the system
recalculate the gross pay and confirm it matches the figure in the pay run.
Select a sample of time sheets. Inspect for appropriate authorisation.
Select a sample of electronic funds transfer reports and the corresponding bank statements.
Inspect the electronic funds transfer reports for evidence of authorisation.
Select a sample of employee leavers reports. Inspect for appropriate authorisation.
Tasks
1. Identify and explain the risks and relevant controls in MT’s payroll process, including
internal controls in the recruitment, pay run and employee termination processes.
2. Categorise the identified internal controls into manual controls and IT application controls
(ITAC).
3. From the list of possible tests of controls suggested by MBCA’s audit software, select tests of
controls that appropriately address the risks you have identified.
4. Customise the tests to MT’s circumstances in sufficient detail to enable a junior auditor to
perform them.

ACT

Evaluating audit evidence and determining
further audit procedures
Introduction
The auditor needs to analyse the results of the audit procedures performed and determine the
impact of the nature, timing and extent of further audit procedures required in order to obtain
sufficient appropriate audit evidence.
engagement.
•• Apply audit sampling during controls testing in order to provide a reasonable basis for
the auditor to draw conclusions (from the unit on responding to assessed risks – controls
testing).
•• Explain the importance of evaluating controls and continually evaluating the results of
testing work throughout an audit (from the unit on responding to assessed risks – controls
testing).
•• Design, perform and evaluate the results of substantive testing (from the unit on responding
to assessed risks – substantive testing).
base conclusions and auditor’s reports (from the unit on responding to assessed risks –
evaluating audit evidence).
At the end of this activity, you will be able to evaluate audit evidence and determine the nature,
timing and extent of further audit procedures required in order to obtain sufficient appropriate
audit evidence, in accordance with:
•• ISA 450 Evaluation of Misstatements Identified during the Audit (ISA 450).
Scenario
You are a senior auditor at Marshall Barney Chartered Accountants (MBCA) and have been
assigned to work on MT’s 31 December 20X3 financial statements audit engagement. Sheena
Soames is the audit manager.
Based on the information gathered by the audit team in the planning stage of the audit, Sheena
intends to adopt a combined audit approach. Her expectation is that all controls at MT are
operating effectively and, therefore, she intends to place a high reliance on these internal
controls. In accordance with MBCA’s audit manual, she has set the tolerable rate of deviation at
5% for her controls testing.

ACT
As per the audit plan that Sheena prepared, the audit team performed the following two tests
for the existence, completeness, and valuation and allocation of trade payables:
Test 1:
Test of controls – Valuation and allocation, completeness, and existence of trade payables
Procedures (steps) Results
Select a random sample of 25 Of the 25 invoices selected, 23 were tested without deviation. The following
invoices exceptions were noted:
Match each invoice to a
Invoice Result Comments
purchase order
number and
Confirm that each invoice has amount
been initialled as evidence
that the invoice details Inv124663 The invoice had not The client had no explanation
have been confirmed to the been initialled as for this. However, the financial
$63.97
purchase order by the finance evidence that the accountant commented that since
department invoice details had the amount was small, he did not
been checked against think it mattered
Check that each purchase the purchase order
order agrees to a related
purchase requisition and Inv128242 There was evidence This was discussed with the
delivery docket and confirm that the invoice agreed financial accountant. The invoice
$2,503.56
that the delivery docket was to the purchase order related to emergency plumbing
authorised by the appropriate and was authorised by work in one of the branches
departmental manager as the branch manager; following a flood. The financial
confirmation that the goods or however, the branch accountant was able to show
service have been received manager does not an email sent to him from the
have authority to branch manager the day after the
Ensure that the supplier’s approve for amounts emergency apologising for not
name on the purchase order is over $2,000 following the normal procedures
on the approved supplier list and explaining the circumstances
Test 2:
Test of details – Existence, completeness, and valuation and allocation of trade payables
Procedures (steps) Results
Select cash payments All selected subsequent cash payments were agreed to the trade payable balances
subsequent to 31.12.X3 where appropriate, except for the following:
greater than $2,000
and determine: Supplier Cash Trade Reason for difference
payment payable
Whether the payment
$ $
refers to a good
received or service
performed prior to 1. Cross 10,076.49 8,852.98 Goods delivered but uninvoiced
year end and therefore Stationery at year end
correctly recorded
as a trade payable at 2. Hooper 25,368.55 20,459.55 Services performed 14.12.X3 –
31.12.X3. Hotels invoice awaiting authorisation at
year end
3. Bounty 15,950.00 12,950.00 Goods delivered but uninvoiced

Hotels at year end
4. Paradise 12,966.00 12,696.00 Transposition error in posting

Plaza one invoice amount. This is a one-
off error.

ACT
Tasks
For this activity, you are required to evaluate the results of the two tests.

ACT

Using the work of internal auditors
Introduction
The external auditor may seek to use the work of an audit client’s internal auditors to modify
the nature and timing, or reduce the extent of, the audit procedures. However, the external
auditor needs to evaluate whether the work of internal auditors is adequate for the financial
statements audit.
engagement.
•• Demonstrate the steps involved in determining whether and to what extent an external
auditor can use the work of internal auditors (from the unit on responding to assessed risk –
using the work of others, external confirmations and written representations).
At the end of this activity, you will be able to evaluate whether the work of internal auditors can
be relied on by external auditors for the purpose of a financial statements audit, in accordance
with ISA 610 (Revised 2013) Using the Work of Internal Auditors (ISA 610).
Scenario
MT’s CEO, Monty Swanson, has recently emailed the audit partner, Daniel Jones, to express his
concern at the level of the audit fee quoted by MBCA for the 31 December 20X3 audit. His email
said:
Now our internal audit department is properly established, I assume that you will be able to rely on the
work the department does for your own purposes, so I expect that your fee for this year can be reduced
accordingly.
Task
For this activity, you are required to assess MT’s internal audit department and determine
whether its work can be relied on.

ACT

Assessing subsequent events
Introduction
The identification and, where applicable, recognition and disclosure of subsequent events form
part of the auditor’s assessment of whether the financial statements are materially misstated.
•• Apply the ethical requirements and the audit process to a financial statement audit
engagement.
•• Apply the ‘Events after the Reporting Period’ Accounting Standard in relation to subsequent
events audit requirements (from the unit on subsequent events and going concern).
At the end of this activity, you will be able to identify the impact of subsequent events
on financial statements, in accordance with ISA 560 Subsequent Events (ISA 560) and
IAS 10 Events after the Reporting Period (IAS 10).
Scenario
You are a senior auditor at Marshall Barney Chartered Accountants (MBCA) and have been
assigned to work on MT’s 31 December 20X3 financial statements audit engagement. Sheena
Soames is the audit manager.
The auditor’s report is due to be signed on 19 March 20X4. On 9 March 20X4, while finalising
the audit, the following additional information came to Sheena’s attention through the
application of audit procedures under ISA 560:
1. Hurricane Hubert closes Private Paradise

As part of its Couples holiday business, MT introduced to its 20X2 portfolio a new resort
called Private Paradise, located on a Pacific island. The resort offers all-inclusive, five-star
accommodation featuring over-water bungalows set on stilts. Private Paradise is one of MT’s
most exclusive and expensive destinations, and has proven very popular with honeymooners.
It contributed $2 million to turnover in 20X3, and advanced bookings for 20X4 were received
before the 20X3 year end.
As at 31 December 20X3, $1.2 million has been recorded in MT’s deferred income in respect of
deposits received from customers for holidays at Private Paradise in 20X4. MT has also made
advance payments of $2 million to the resort for the 20X4 bookings.
On 28 February 20X4, Hurricane Hubert unexpectedly hit the island, causing significant
damage to the resort. The owners were forced to close the resort as it was uninhabitable. MT
cancelled all bookings and refunded all deposits received to their customers.
Monty Swanson, MT’s CEO, informed Sheena that he has spoken to the owner of the resort, Bart
Biaggio, who confirmed that the advance payments MT made to the resort will be refunded.

ACT
2. Appreciation of the pound sterling

Within the ‘Explorer’ portfolio, MT offers a British adventure holiday in the Scottish Highlands,
known as ‘Bravehearts’. This holiday features all-inclusive accommodation in a Scottish castle,
with planned activities such as wilderness walking, sea kayaking, sailing, mountain biking and
canoeing. As at 31 December 20X3, there was £350,000 in trade payables relating to Bravehearts.
The turnover from the Bravehearts holidays for 20X3 was $1.1 million. Turnover was accounted
for during the year at the pound sterling spot rate at the time of the transaction. The trade
payable balance was retranslated at 31 December 20X3 using the year-end pound sterling
exchange rate of £0.60:$1, resulting in a translated amount of $583,333.
On 1 March 20X4, after a public announcement of a discovery of significant oil reserves in
the North Sea, the pound sterling suddenly rose to £0.4:$1, and remains at this level. At this
exchange rate, the trade payable balance translates to $875,000. The difference in translation
value of the £350,000 trade payables between the 31 December 20X3 and 1 March 20X4 exchange
rates is $291,667.
For each of the above events, Sheena has no concerns other than those described, and going
concern is not an issue.
Task
For this activity, you are required to identify and explain the impact, if any, of each event on
MT’s 31 December 20X3 financial statements, in accordance with ISA 560 and IAS 10.

Aaa116 CSG Au

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aaa116 CSG Au

Uploaded by

Copyright:

Available Formats

Audit & Assurance

Candidate Study Guide

Jason Dale FCA

Unit 1: Assurance purpose and framework

Unit 2: Auditing Standards and quality control

Unit 3: Pre-engagement activities

Unit 4: Understanding the entity and its environment

Unit 6: Analysing audit risks – fraud

Unit 7: Materiality in planning and performing an audit

Unit 8: Developing an overall audit plan

Unit 9: Responding to assessed risks – controls testing

Unit 11: Responding to assessed risks – evaluating audit evidence

Unit 13: Subsequent events and going concern

Unit 14: Reviewing the financial statements and audit results

Unit 15: Forming an opinion and issuing an auditor’s report

Unit 16: Review engagements

Unit 17: Other assurance engagements and agreed-upon procedures engagements

Unit 18: Internal audit and public sector auditing

Unit 19: Case study, and current and future trends

How the material is constructed

The following learning material is presented in the online environment (myLearning):

Introduction Page iii

Audit & Assurance overview

OVERALL FRAMEWORK, AUDIT PROCESS AND ETHICS

Understanding auditing and assurance

AUDITS OF GENERAL PURPOSE FINANCIAL STATEMENTS

ASSURANCE ENGAGEMENTS OTHER THAN AUDITS OF

Assessment Contribution Details

Exam 80% Four (4) compulsory multi-part written questions based on

Auditing, Assurance and Ethics Standards

Unit 1 – Core content Page 1-1

Audit and assurance

International framework for assurance engagements

Understanding the international regulatory regime

International regulatory bodies and their responsibilities

Page 1-2 Core content – Unit 1

Sets international Standards for: Sets international Standards for:

Unit 1 – Core content Page 1-3

ASIC ASX APESB

Corporations Act (2001) FRC Issues: Issues:

Page 1-4 Core content – Unit 1

Framework for assurance engagements

Five elements of an assurance engagement

• An appropriate underlying subject matter;

• Sufficient appropriate evidence; and

• A written assurance report in the form appropriate to a reasonable assurance engagement or a

Unit 1 – Core content Page 1-5

Attestation and direct engagements

Page 1-6 Core content – Unit 1

None − no opinion or Negative conclusion Positive opinion

Degree of confidence expressed to users

Unit 1 – Core content Page 1-7

Reasonable assurance Practitioner issues a Requires relatively

Limited assurance Practitioner issues a Requires relatively

Example – Identifying the appropriate level of assurance for a given engagement

Page 1-8 Core content – Unit 1

Other aspects of assurance engagements

International Framework – other aspects of assurance engagements

Key principle Requirement

Materiality An assurance practitioner applies the concept of materiality in order to

Unit 1 – Core content Page 1-9

Worked example 1.1: Identifying elements of an assurance engagement

Activity 1.1: Identifying assurance engagements

• A written assurance report in the form appropriate to a reasonable assurance engagement or a