Unit 4 Understanding Internal Control

Introduction to Auditing Page 1 of 60
“Not intended for publication. For classroom instruction purposes only”.

Unit IV – Understanding the Internal Control Environment
“Internal control as the process designed and effected by those charged with
governance, management, and other personnel to provide reasonable
assurance about the achievement of the entity's objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations
and compliance with applicable laws and regulations. “
Learning Outcomes
At the end of the unit, you will be able
 Describe the importance of internal control and to well equipped with knowledge
on how fraud can be prevented, detected and reduced if not fully eliminated in an
enterprise.
 Familia
Pretest
Thank you for answering the test. Please

see the back content for the answer key or you may
view it in the google class.
The next section is the content of this unit. It

contains vital information. Please read the content.
Content
AUDITOR'S RESPONSIBILITY
The fair presentation of the financial statements in accordance with the applicable financial
reporting framework is the responsibility of the client’s management. The auditor's
responsibility is to design the audit to provide reasonable assurance of detecting material
misstatements in the financial statements. These misstatements may emanate from
 Error,
 Fraud; or
 Noncompliance with Laws and Regulations

ERROR FRAUD
It refers to unintentional misstatements in Fraud refers to intentional act by one or
the financial statements, including the more individuals among management,
omission of an amount or a disclosure, those charged with governance,
such as: employees, or third parties, involving the
 Mathematical or clerical mistakes in use of deception to obtain an unjust or
the underlying records and illegal advantage. Although fraud is a
accounting data, broad legal concept, the auditor is
 Incorrect accounting estimates primarily concerned with fraudulent acts
arising from oversight or that cause material misstatements in the
misinterpretation of facts; or financial statements
 Mistakes in the application of
accounting policies.
Types of Fraud
There are two types of fraud that are relevant to financial statement audit- misstatements
resulting from fraudulent financial reporting and misstatements resulting from
misappropriation of assets.
Fraudulent financial reporting involves intentional misstatements or omissions of amounts
or disclosures in the financial statements to deceive financial statement users. This type
of fraud is also known as management fraud because it usually involves members of
management or those charged with governance. This may involve
 Manipulation, falsification or alteration of records or documents
 Misrepresentation in or intentional omission of the effects of transactions from
records or documents,
 Recording of transactions without substance, or
 Intentional misapplication of accounting policies
Misappropriation of assets involves theft of an entity's assets committed by the entity's
employees. This is also called employee fraud because it is often perpetrated by
employees in relatively small and immaterial amounts. This may include:
 Embezzling receipts
 Stealing entity's assets such as cash, marketable securities, and inventory; or
 Lapping of accounts receivable
Employee fraud is often accompanied by false or misleading records or documents in

order to conceal the fact that the assets are missing.
Fraud involves motivation to commit the act and perceived opportunity to do so. For
example, an employee might be motivated to steal company's assets because this
employee lives beyond his means. AIso, a member of management may be forced to
manipulate financial statements in order to meet an overly optimistic projection.
A perceived opportunity to commit fraud may exist when an individual believes that he can
get away with it. This is usually the case when there is no proper segregation of duties

among employees or when management believes that internal control can be easily
circumvented.
The primary factor that distinguishes fraud from error is whether the underlying cause of
misstatement in the financial statements is intentional or unintentional. Although the
auditor may be able to identify opportunities for fraud to be perpetrated, it is often difficult,
if not impossible, for the auditor to determine intent, particularly in matters involving
management judgment, such as accounting estimates and the appropriate application of
accounting principles. Consequently, the auditor's responsibility for the detection of fraud
and error is essentially the same.
Responsibility of Management and Those Charged with Governance
The responsibility for the prevention and detection of fraud and error rests with both
management and those charged with the governance of the entity. In this regard, PSA
240 requires
 Management to establish a control environment and to implement internal control
policies and procedures designed to ensure, among others, the detection and
prevention of fraud and error.
 Individuals charged with governance of an entity to ensure the integrity of an

entity's accounting and financial reporting systems and that appropriate controls
are in place.
Auditor's Responsibility
Although annual audits of financial statements may act as deterrent to fraud and error, the
auditor is not and cannot be held responsible for the prevention of fraud and error. The
auditor's responsibility is to design the audit to provide reasonable assurance that the
financial statements are free from material misstatements whether caused by error or
fraud.
Planning Phase
1. When planning an audit, the auditor should make inquiries of management about the
possibility of misstatements due to fraud and error. Such inquiries may include
 Management's assessment of risks due to fraud,
 Controls established to address the risks, or
 Any material error or fraud that has affected the entity or suspected fraud that
the entity is investigating
The auditor's inquiries of management may provide useful information concerning the risk
of material misstatements in the financial statements resulting from employee fraud.
However, such inquiries are unlikely to provide useful information regarding the risk of
material misstatements in the financial statements resulting from management fraud.
Accordingly, the auditor should also inquire of those individuals in charge of governance

to seek their views on the adequacy of accounting and internal control systems in place,
the risk of fraud and error, and the integrity of management.
2. The auditor should assess the risk that fraud or error may cause the financial
statements to contain material misstatements. In this regard, PSA 240 requires the
auditor to specifically assess the risk of material misstatements due to fraud both at
the financial statement level and assertions level.
The fact that fraud is usually concealed can make it very difficult to detect it.
Nevertheless, using the auditor knowledge of the business, the auditor may identify
events or conditions that provide an opportunity, a motive or a means to commit fraud,
or indicate that fraud may already have occurred. Such events or conditions are
referred to as "fraud risk factors".
Fraud risk factors do not necessarily indicate the existence of fraud, however, they
often have been present in circumstances where frauds have occurred. Examples of
fraud risk factors taken from PSA 240 are set out at the end of this topic.
Judgments about the increased risk of material misstatements due to fraud may
influence the auditor's response and professional judgments in the following ways:
 The auditor may approach the audit with a heightened level of professional
skepticism;
 The audit team may be selected in ways that ensure that the knowledge, skill,
and ability of personnel assigned significant responsibilities are commensurate
with the auditor s assessment or risk, or
 The auditor may design more effective audit procedures or may increase the
extent of the procedures to be performed.
Testing Phase
3. During the course of the audit, the auditor may encounter circumstances that may
indicate the possibility of fraud or error. For example, there are discrepancies found in
the accounting records, conflicting or missing documents, or lack of cooperation from
management. In these circumstances the auditor should perform procedures
necessary to determine whether material misstatements exist.
4. When material misstatement in the financial statements are identified, the auditor
should consider whether such a misstatement resulted from a fraud or an error This is
important because errors will only result to an adjustment of financial statements but
fraud may have other implications on an audit If the auditor believes that the
misstatement is, or may be the result of fraud, but the effect on the financial statements
is not material, the auditor should:
 Report the matter to the appropriate level of management at least one level
above those involved, and

 Be satisfied that, given the position of the likely perpetrator, the fraud has no
other implications tor other aspects of the audit or that those implications have
been adequately considered.
However, it the auditor detects a material fraud or has been unable to evaluate whether
the effect on financial statement is material or immaterial, the auditor should:
 Consider implication for other aspects of the audit particularly the reliability of
management representations
 Discuss the matter and the approach to further investigation with an

appropriate level that is at least one level above those involved, and
 Attempt to obtain evidence to determine whether a material fraud in fact exists

and, if so, their effect, and
 Suggest that the client consult with legal counsel about questions of law
Completion Phase
5. The auditor should obtain a written representation from the client's management that:
 the management acknowledges its responsibility for the implementation and

operations of accounting and internal control systems that are designed to
prevent and detect fraud and error;
 it believes the effects of those uncorrected financial statement misstatements

aggregated by the auditor during the audit are immaterial, both individually and
in the aggregate, to the financial statements taken as a whole. A summary of
such items should be included in or attached to the written representation;
 it has disclosed to the auditor all significant facts relating to any frauds or
suspected frauds known to management that may have affected the entity; and
 it has disclosed to the auditor the results of its assessment of the risk that the
financial statements may be materially misstated as a result of fraud:
Reporting Phase
6. When the auditor believes that material error or fraud exists, the auditor should request
the management to revise the financial statements. Otherwise, the auditor will express
a qualified or adverse opinion.
7. If the auditor is unable to evaluate the effect of fraud on the financial statements
because of a limitation on the scope of the auditor's examination, the auditor should
either qualify or disclaim opinion on the financial statements.

Because of the inherent limitations of an audit there is an unavoidable risk that material
misstatements in the financial statements resulting from fraud and error may not be
detected. Therefore, the subsequent discovery of material misstatement in the financial
statements resulting from fraud or error does not, in and of itself, indicate that the auditor
has failed to adhere to the basic principles and essential procedures of an audit.
The risk of not detecting a material misstatement resulting from fraud is higher than the
risk of not detecting misstatements resulting from error. This is because fraud may involve
sophisticated and carefully organized schemes designed to conceal it, such as forgery,
deliberate failure to record transactions, or intentional misrepresentation being made to
the auditor. Hence, audit procedures that are effective for detecting material errors may
be ineffective for detecting material fraud, especially those concealed through collusion.
Furthermore, the risk of the auditor not detecting a material misstatement resulting from
management fraud is greater than for employee fraud. This is because members of
management are often in a position that assumes their integrity and enables them to
override the formally established control procedures. Certain levels of management may
be in a position to override control procedures designed to prevent similar frauds by other
employees, for example, by directing subordinates to record transactions incorrectly or to
conceal them. Given its position o authority within an entity, management has the ability
to either direct some employees to do something or solicit their help to assist management
in carrying out a fraud, with or without the employee’s knowledge.
NONCOMPLJANCE WITH LAWS AND REGULATIONS
Noncompliance refers to acts of omission or commission by the entity being audited, either
intentional or unintentional, which are contrary to the prevailing laws or regulations. Such
acts include transactions entered into by, or in the name of, the entity or on its behalf by
its management or employees. Common examples include
 Tax evasion,
 Violation of environmental protection laws, and
 Inside trading of securities.
Noncompliance with laws and regulations may result in fines, litigations or other
consequences for the entity that may have a material effect on the financial statements.
Responsibility of Management
It is the responsibility of management, with the oversight of those charged with
governance, to ensure that the entity's operations are conducted in accordance with laws
and regulations. The responsibility for the prevention and detection of noncompliance
rests with the entity's management.
An audit cannot be expected to detect noncompliance with all laws and regulations.
Nevertheless, the auditor should recognize that noncompliance by the entity with laws and
regulations may materially affect the financial statements.
Planning Phase

1. In order to plan the audit, the auditor should obtain a general understanding of the
legal and regulatory framework applicable to the entity and the industry and how the
entity is complying with that framework. To obtain the general understanding of laws
and regulations, the auditor would ordinarily:
 Use the existing knowledge of the entity’s industry and business,

 Inquire of management concerning the entity’s policies and procedures
regarding compliance with laws and regulations
 Inquire of management as to the laws or regulations that may be expected to
have a fundamental effect on the operations of the entity;
 Discuss with management the policies or procedures adopted tor identifying,
evaluating and accounting for litigation claims and assessments, and
 Discuss the legal and regulatory framework with auditors of subsidiaries in
other countries (for example, if the subsidiary is required to adhere to the
securities regulations of the parent company
2. After obtaining a general understanding, the auditor should design procedures to help
identify instances of noncompliance with laws and regulations such as:
 Reading minutes of meetings;

 Inquiring of management as to whether the entity is in compliance with such
laws and regulation; or
 Inspecting correspondence with the relevant licensing or regulatory authorities.
3. The auditor should also design audit procedures to obtain sufficient appropriate audit
evidence about compliance with those laws and regulations generally recognized by
the auditor to have an effect on the determination of material amounts and disclosures
in financial statements.
Testing Phase
4. When the auditor becomes aware of information concerning a possible instance of
noncompliance, the auditor should obtain an understanding of the nature of the act
and the circumstances in which it has occurred, and sufficient other information to
evaluate the possible effect on the financial statements. When evaluating the possible
effect on the financial statements, the auditor considers:
 The potential financial consequences, such as fines, penalties, damages,

threat of expropriation of assets, enforced discontinuation of operations and
litigation;
 Whether the potential financial consequences require disclosure; and
 Whether the potential financial consequences are so serious as to call into
question the fair presentation given by the financial statements.
5. When the auditor believes there may be noncompliance, the auditor should document
the findings, discuss them with management, and consider the implication on other
aspects of the audit.
Completion Phase

6. The auditor should obtain written representations that management has disclosed to
the auditor all known actual or possible noncompliance with laws and regulations that
could materially affect the financial statements.
Reporting Phase
7. When the auditor believes that there is noncompliance with laws and regulations that
materially affects the financial statements, the auditor should request the management
to revise the financial statements. Otherwise, the auditor will have to express either
qualitied or adverse opinion.
8. If a scope limitation has precluded the auditor from obtaining sufficient appropriate
evidence to evaluate the effect of noncompliance with laws and regulations, the auditor
should express a qualified opinion or a disclaimer of opinion.
An audit is subject to the unavoidable risk that some material misstatements in the
financial statements will not be detected, even though the audit is properly planned and
performed in accordance with PSAs. This risk is higher with regard to material
misstatements resulting from noncompliance with laws and regulations because:
 Noncompliance may involve conduct designed to conceal it, such as collusion,
forgery, deliberate failure to record transactions, senior management override of
controls or intentional misrepresentations being made to the auditor
 There are many laws and regulations relating principally to the operating aspects
of the entity that typically do not have a material effect on the financial statements
and are not captured by the accounting and internal control systems.
Auditors are primarily concerned with noncompliance that may cause the financial
statements to contain material misstatements. Accordingly, the auditor should design the
audit to provide reasonable assurance that noncompliance that has a material and direct
effect on the financial statements are detected.
Auditors do not normally design audit procedures to detect noncompliance that will not
directly affect the fair presentation of the financial statements unless the results of other
procedures that were applied cause the auditor to suspect that a material indirect effect
noncompliance may have occurred.
Ordinarily, the further removed non-compliance is from the financial statements, the less
likely the auditor is to become aware of it or to recognize the non-compliance.
The fraud risk factors identified below are examples of such factors typically faced by
auditors in a broad range of situations. The fraud risk factors listed below are only
examples; not all of these factors are likely to be present in all audits, nor is the list
necessarily complete. The auditor exercises professional judgment when considering
fraud risk factors individually or in combination and whether there are specific controls that
mitigate the risk.
Fraud Risk Factors Relating to Misstatements Resulting from Fraudulent Financial
Reporting

Fraud risk factors that relate to misstatements resulting from fraudulent financial reporting
may be grouped in the following three categories:
a. Management's Characteristics and Influence over the Control Environment.
b. Industry Conditions.
c. Operating Characteristics and Financial Stability.

For each of these three categories, examples of fraud risk factors relating to
misstatements arising from fraudulent financial reporting are set out below.
Fraud Risk Factors Relating to Management's Characters and influence over the Control
Environment
These fraud risk factors pertain to management's abilities, pressures, style, and attitude
relating to internal control and the financial reporting process. There is motivation for
management to engage in fraudulent financial reporting. Specific indicators might include
the following
 A significant portion of management's compensation is represented by bonuses,
stock options or other incentives, the value of which is contingent upon the entity
achieving unduly aggressive targets for operating results, financial position or cash
flow.
 There is excessive interest by management in maintaining or increasing the

entity’s stock price or earnings trend through the use of unusually aggressive
accounting practices.
 Management commits to analysts, creditors and other third parties to achieving

what appear to be unduly aggressive or clearly unrealistic forecasts.
 Management has an interest in pursuing inappropriate means to minimize reported

earnings tor tax-motivated reasons.
There is a failure by management to display and communicate an appropriate attitude
regarding internal control and the financial reporting process. Specific indicators might
include the following
 Management does not effectively communicate and support the entity's values or
ethics, or management communicates inappropriate values or ethics.
 Management is dominated by a single person or a small group without

compensating controls such as effective oversight by those charged with
governance.
 Management does not monitor significant controls adequately.
 Management tails to correct known material weaknesses in internal control on a

timely basis.

 Management sets unduly aggressive financial targets and expectations tor

operating personnel.
 Management displays a significant disregard tor regulatory authority.
 Management continues to employ ineffective accounting, information technology

or internal auditing stat.
Non-financial management participates excessively in, or is preoccupied with, the
selection of accounting principles or the determination of significant estimates.
There is à high turnover of management, counsel or board members.
There is a strained relationship between management and the current or predecessor
auditor. Specific indicators might include the following
 Frequent disputes with the current or a predecessor auditor on accounting,
auditing or reporting matters
 Unreasonable demands on the auditor, including unreasonable time constraints

regarding the completion of the audit or the issuance of the auditor’s report.
 Formal or informal restrictions on the auditor that inappropriately limit the auditor’s
access to people or information, or limit auditor's ability to communicate effectively
with those charged with governance
 Domineering management behavior in dealing with the auditors, especially

involving attempts to influence the scope of the auditor work.
There is a history of securities law violations, or claims against the entity or its
management alleging fraud or violations or securities laws. The corporate governance
structure is weak or ineffective, which may be evidenced by, for example:
 A lack of members who are independent of management.
 Little attention being paid to financial reporting matters and to the accounting and
internal control systems by those charged with governance.
Fraud Risk Factors Relating to Industry Conditions
These fraud risk factors involve the economic and regulatory environment in which the
entity operates.
 New accounting, statutory or regulatory requirements that could impair the
financial stability or profitability of the entity
 A high degree of competition or market saturation, accompanied by declining

margins.

 A declining industry with increasing business failures and significant declines in

customer demand.
 Rapid changes in the industry, such as high vulnerability to rapid changing

technology or rapid product obsolescence,
Fraud Risk Factors Relating to Operating Characteristics and Financial Stability
These fraud risk factors pertain to the nature and complexity of the entity and its
transactions, the entity's financial condition, and its profitability.
 Inability to generate cash flows from operations while reporting earnings and
earnings growth.
 Significant pressure to obtain additional capital necessary to stay competitive,
considering the financial position of the entity (including a need for funds to finance
major research and development or capital expenditures).
 Assets, liabilities, revenues or expenses based on significant estimates that
involve unusually subjective judgments or uncertainties, or that are subject to
potential significant change in the near term in a manner that may have a financially
disruptive effect on the entity for example, the ultimate collectability of receivables,
the timing of revenue recognition, the realizability of financial instruments based
on highly- subjective valuation of collateral or difficult-to-assess repayment
sources, or a significant deferral of costs).
 Significant related party transactions which are not in the ordinary course of
business.
 Significant related party transactions which are not audited or are audited by
another firm.
 Significant, unusual or highly complex transactions (especially those close to year-
end) that pose difficult questions concerning substance over form.
 Significant bank accounts or subsidiary or branch operations in tax haven
jurisdictions for which there appears to be no clear business justification.
 An overly complex organizational structure involving numerous or unusual legal
entities, managerial lines or authority or contractual arrangements without
apparent business purpose.
 Difficulty in determining the organization or person (or persons) controlling the
entity.
 Unusually rapid growth or profitability, especially compared with that of other
companies in the same industry.
 Especially high vulnerability to changes in interest rates.
 Unusually high dependence on debt, a marginal ability to meet debt repayment
requirements, or debt covenants that are difficult to maintain.
 Unrealistically aggressive sales or profitability incentive programs.
 A threat of imminent bankruptcy, foreclosure or hostile takeover.
 Adverse consequences on significant pending transactions (such as a business
combination or contract award) if poor financial results a reported.
 A poor or deteriorating financial position when management personally guaranteed
significant debts of the entity.

Fraud Risk Factors Relating to Misstatements Resulting from Misappropriation of

Assets
Fraud risk factors that relate to misstatements resulting from misappropriation of assets
may be grouped in the following two categories.
a. Susceptibility of Assets to Misappropriation.
b. Controls.
For each of these two categories, examples of fraud risk factors relating to misstatements
resulting from misappropriation of assets are set out below. The extent of the auditor's
consideration of the fraud risk factors in category 2 is influenced by the degree to which
fraud risk factors in category 1 are present.
Fraud Risk Factors Relating to Susceptibility of Assets to Misappropriation
These fraud risk tactors pertain to the nature of an entity's assets and the degree to which
they are subject to theft.
 Large amounts of cash on hand or processed.
 Inventory characteristics, such as small size combined with high value and high
demand.
 Easily convertible assets, such as bearer bonds, diamonds or computer chips.
 Fixed asset characteristics, such as small size combined with marketability and
lack of ownership identification.
Frand Risk Factors Relating to Controls
These fraud risk factors involve the lack of controls designed to prevent or detect
misappropriation of assets.
 Lack of appropriate management oversight (for example, inadequate supervision
or inadequate monitoring of remote locations).
 Lack of procedures to screen job applicants for positions where employees have
access to assets susceptible to misappropriation.
 Inadequate record keeping tor assets susceptible to misappropriation
 Lack of an appropriate segregation of duties or independent checks.
 Lack of an appropriate system of authorization and approval of transactions (for
example, in purchasing).
 Poor physical safeguards over cash, investments, inventory or fixed assets.
 Lack of timely and appropriate documentation for transactions (for example, credits
for merchandise returns).
 Lack of mandatory vacations for employees performing key control functions.
CONSIDERATION OF INTERNAL CONTROL
After the auditor has set the desired level of audit risk and assessed the level of inherent
risk, the next step is to assess the level of control risk. Assessing control risk is the process
of evaluating the design and operating effectiveness of an entity's internal control as to
how it prevents or detects material misstatements in the financial statements. The

conclusion reached as a result of assessing control risk is referred to as the assessed

level of control risk.
Nature of Internal Control
When an entity is small, its owner or manager can personally perform, or directly oversee,
all of its functions. However, as the entity grows larger it becomes necessary to delegate
functional responsibilities to employees. Once this occurs, mechanisms need to be
introduced which enable the performance of the employees to be checked, to ensure that
they are fulfilling their responsibilities as intended.
PSA 315 defines internal control as the process designed and effected by those charged
with governance, management, and other personnel to provide reasonable assurance
about the achievement of the entity's objectives with regard to
 reliability of the entity’s financial reporting, (auditor’s primary concern)
 effectiveness and efficiency of its operations and
 its compliance with applicable laws and regulations.
Note: Internal control structure varies with an entity’s size and complexity. Smaller entities
may use less structured means and simpler processes and procedures. An understanding
of internal control assists the auditor in identifying types of potential misstatements and
factors that affect the risk of material misstatements, and in designing the nature, timing,
and extent of audit procedures.
This definition embodies four essential concepts
 Internal control is a process. Internal control is not an end in itself. Instead, it is a
means of achieving the entity’s objectives
 Internal control is effected by those charged with governance, management and

other personnel. Internal control is accomplished by people at every level of
organization, including the management, those charged with governance, and
entity's staff personnel. It is the responsibility of the management to establish a
control environment and maintain policies and procedures to assist in achieving
the entity 's objectives. Those charged with governance, on the other hand, ensure
the integrity of accounting and financial reporting systems through oversight of
management. Staff personnel should also perform their respective functions in
order to accomplish the objectives of the entity.
 Internal control can be expected to provide reasonable assurance of achieving the

entity’s objectives. Internal control can only provide reasonable assurance (not
absolute assurance) that the entity's objectives will be achieved. This is because
there are inherent limitations that may affect the internal control's effectiveness.
These limitations include:
o Management's usual requirement that the cost of an internal control should

not exceed the expected benefits to derived,

o Most internal controls tend to be directed at routine transactions rather than

non-routine transactions.
o The potential for human error due to carelessness, distraction, mistakes of

judgment and the misunderstanding of instructions
o The possibility of circumvention of internal controls through the collusion

among employees,
o The possibility of management overriding the internal control, and
o The possibility that procedures may become inadequate due to changes in

conditions, and compliance with procedures may deteriorate.
 Internal control is designed to help achieve the entity's objectives.
Internal control is geared towards the achievement of the entity's objectives in the
following categories:
a. Operational Objective- Effectiveness and efficiency of operations,

b. Compliance Objective- Compliance with relevant laws and regulations, and
c. Financial Reporting Objective- Reliability of financial reporting
In the audit of financial statements, the auditor is only concerned with those
policies and procedures within the accounting and internal control systems that are
relevant to the financial statement assertions. Therefore, the objective that is most
relevant to the audit is the financial reporting objective.
Operational and compliance objectives may be relevant to the audit only if they
relate to data the auditor evaluates to determine the reliability of some financial
statement assertions. For example, controls pertaining to non-financial data that
the auditor uses in analytical procedures, such as production statistics, or controls
pertaining to detecting non-compliance with laws and regulations that may have a
direct and material effect on the financial statements, such as controls over
compliance with income tax laws and regulations used to determine the income
tax provision, may be relevant to an audit.
Components of internal control
The following are the five components of an effective internal control
 Control environment
 Risk assessment process
 Information system and communication
 Control activities
 Monitoring
Control Environment

The control environment includes the attitudes, awareness, and actions of management
and those charged with governance concerning the entity's internal control and its
importance the entity. The control environment also includes the governance and
management functions and sets the tone of an organization, influencing the control
consciousness or people. It is the foundation for effective internal control providing
discipline and structure. It is the “head and brains” of internal control.
The seven elements of the control environment are:
 Communication and enforcement of integrity and ethical values
 Commitment to competence
 Human resource policies and practices
 Assignment of authority and responsibility
 Management’s philosophy and operating style
 Participation of those charged with governance
 Organizational structure
Risk Assessment
Entity's business objectives cannot be achieved without some risks. Business risk is the
risk that the entity s business objectives will not be attained as a result of internal and
external factors such as technological developments, changes in customers demand and
other economic changes. Business risks are crucial to every organization. Management
should adopt policies and procedures that are designed to identity and analyze the risks
affecting the entity's business and to take the appropriate action to manage these risks.
For audit purposes, the auditor Is concerned only with those risks that are relevant to the
preparation of reliable financial statements. It is the “eyes and senses” of internal control.
Information and Communication Systems
Effective internal control must provide timely information and communication. The
information system relevant to financial reporting objectives, which includes the financial
reporting system, consists of the procedures and records established to initiate, record,
process, and report entity transactions (as well as events and conditions), and to maintain
accountability for the related assets and liabilities. It is the “blood and veins” of internal
control.
An information system encompasses methods and records that:
 Identify and record all valid transactions;
 Describe the transactions in sufficient detail and in a timely manner, in order to
permit proper classification of transactions for financial reporting
 Measure the value of transactions in a manner that permits recording their proper
monetary value in the financial statements
 Determine the time period in which transactions occur to permit recording of
transactions in the proper accounting period, and
 Present properly the transactions and related disclosures in the financial
statements properly.
Communication involves providing an understanding of individual roles and
responsibilities pertaining to internal control over financial reporting. Open communication

channels help ensure that exceptions are reported and acted. Communication can be
made electronically, verbally, and through the actions of management. It can take such
forms as policy manuals, accounting and financial reporting manuals, and memoranda.
Control Activities
Control activities are the policies and procedures that help ensure that management
directives are carried out. It is the “arms and legs” of internal control Examples of control
activities include policies and procedures on
a. Performance Reviews
b. Information Processing
c. Physical Controls; and
d. Segregation of duties
A. Performance reviews. These control activities include reviews and analyses of

actual performance versus budgets, forecasts, and prior period performance;
relating different sets of data to one another, together with analyses of the
relationships and investigative and corrective actions.
B. Information processing. A variety of controls are performed to check accuracy,

completeness, and authorization or transactions. When computer processing is
used in significant accounting applications, internal control procedures can be
classified into wo types: general and application controls.
C. Physical controls. These activities encompass the physical security of assets,

including adequate safeguards such as secured facilities over access to assets
and records, authorization tor access to computer programs and data files, and
periodic counting and comparison with amounts shown on control records.
D. Segregation of duties. Assigning different people, the responsibilities of

authorizing transactions, recording transactions, and maintaining custody of
assets is intended to reduce the opportunities to allow a person to be in a position
to both perpetrate and conceal errors or fraud in the normal course of the person's
duties. Examples of segregation of duties include reporting reviewing and
approving reconciliations, and approval and control of documents.
Monitoring
Monitoring is a process of assessing the quality of internal control performance over time.
It involves assessing the design and operation of controls on a timely basis and taking
necessary corrective actions. Monitoring is done to ensure that controls continue to
operate effectively.
The types of monitoring activities are:
 Ongoing monitoring activities are built into the normal recurring activities of an
entity and include regular management and supervisory activities such as
preparation of monthly bank reconciliation.

 Separate evaluations monitoring activities that are performed on a non-routine

basis such as functions performed by internal auditors.
 A combination of the two above.
Internal control for a small business
In small businesses, with very few office employees, it is difficult to have proper
segregation of duties or maintain a separate internal audit department. Consequently,
internal control systems in small businesses tend to be weak compared to the internal
control system of larger entities. These weaknesses, however, can be compensated if the
owner/manager actively participates in the operations of the business.
Consideration of Internal Control
Auditors are not responsible for establishing and maintaining an entity accounting and
internal controls systems: that is the responsibility of the entity's management.
Nevertheless, the auditors should give adequate consideration to these controls because
the condition of the entity's internal control systems can have a significant impact on the
audit. Consideration of the entity's internal control systems involves the following steps:
a. Obtaining understanding of the internal control;
b. Documenting the understanding of accounting and internal control systems;
c. Assessing the level control risk;
d. Performing tests of controls; and.
e. Documenting the assessed level of control risks
A. Understanding Internal Control
The auditor should obtain sufficient understanding of the components of the entity's
internal control relevant to the audit. Obtaining an understanding of internal control
involves
 evaluating the design of a control, and
 determining whether it has been implemented.
Evaluating the design of a control involves considering whether the control, individually or
in combination with other controls, is capable of attentively preventing, or detecting and
correcting material misstatements. Implementation of a control means that the control
exists and that the controls have been placed in operation.
An initial understanding of the design of the entity's internal control systems is ordinarily
obtained by:
 Making inquiries of appropriate individuals;
 Inspecting documents and records; and
 Observing of entity’s activities and operations.
After obtaining sufficient knowledge about the design of the system, the auditor should
determine whether these controls have been implemented. This is accomplished by
performing a "walk through" test. This task involves tracing one or two transactions through
the entire accounting systems, from their initial recording at source to their final destination
as a component of an account balance in the financial statements. Walk-through test also

confirms the auditor’s understanding of how the accounting systems and control
procedures function. It is to be emphasized that the auditor is not required to obtain
knowledge about the operating effectiveness of the internal control when obtaining an
understanding of the entity's internal control system. At this stage of the audit, the auditor
is basically concerned about the design of relevant control policies and procedures and
whether such controls are actually being applied.
The auditor's understanding of internal control should be adequate enough to:
 Identify types of potential misstatements that can occur
 Consider factors that affect the risk of material misstatement and
 Design the nature, timing, and extent audit procedures to be performed.
B. Documenting the auditor's understanding of internal control

Subsequent to obtaining sufficient knowledge about the design and implementation of the
internal control, the auditor is required to document his understanding of accounting and
internal control systems. This documentation need not be in any particular form. The
extent of documentation may vary depending on the size and complexity of the entity and
nature of the entity's internal control systems. Some commonly used forms of
documentation include
 Narrative description of the entity's internal control,
 Flowchart that diagrams the flow of transactions and documents, and
 Internal control questionnaire providing management's responses to questions
about internal control
C. Assessment of Control Risk

Atter obtaining and documenting the auditor's understanding of the accounting and
internal control systems, the auditor should make a preliminary assessment of control risk,
at the assertion level, tor each material account balance or class transactions. The
auditor's preliminary assessment of control risk may be at a high level (100%) or less than
high level.
When the auditor's knowledge of the entity's internal control indicates that internal controls
related to a particular assertion are not effective, the auditor may simply assess control
risk at a high level. Hence, no tests of controls need to be performed and the auditor will
rely primarily on substantive tests. On the other hand, if the auditor believes that controls
appear to be reliable, the auditor should determine whether it is efficient to obtain the
evidence to justify an assessment of control risk at a lower level.
If the auditor concludes that it is more efficient to rely on the entity's internal control
systems, the auditor would plan to assess control risk at less than high level. For this
purpose, the auditor should
 Identify specific internal control policies or procedures that are likely to prevent or
detect and correct material misstatement relevant to financial statement assertion;
and
 Perform tests of control to determine the effectiveness of such policies or
procedures.

D. Performing tests of controls

Irrespective of how effective internal control procedures may appear to be in preventing
material misstatements from occurring n the financial statements, before the auditor can
rely on them to reduce substantive tests, the auditor must test these controls to obtain
evidence that they are working effectively as the preliminary assessment suggests.
Tests of controls are performed to obtain evidence about the effectiveness of the:
 Design of the accounting and internal control systems, or
 Operation of the internal controls throughout the period.
It is important to note that the auditor will only test the operating effectiveness of controls
that are likely to detect or prevent material misstatements. That is, the auditor will only test
those controls that he or she plans to rely upon.
According to PSA, the auditor should obtain audit evidence through tests of control to
support any assessment of control risk at less than high level. The lower the assessment
of control risk, the more support the auditor should obtain that the internal control is
suitably designed and operating effectively. Thus, the greater the reliance the auditor
plans to place on internal control, the more extensive the tests of those controls that need
to be performed.
Nature of tests of control
Tests of controls generally consist of one (or a combination) or the following evidence
gathering techniques- (1) Inquiry, (2) observation, (3) inspection, and (4) reperformance
Inquiry consists of searching for the appropriate information about the effectiveness of
internal control from knowledgeable persons inside or outside the entity.
Observation refers to looking at the process being performed by others. For example, the
auditor may observe the payroll payoff procedures or the performance of internal control
procedures that leave no evidence of performance.
Inspection involves the examination of documents and records to provide evidence of
reliability depending on their nature and source and the effectiveness of internal control
over their processing
Reperformance involves repeating the activity performed by the client to determine
whether proper results were obtained. For example, the auditor may reperform the
procedure by tracing the sales prices to the authorized price list in effect at the date of the
transaction. If no errors are found, the auditor can conclude that the procedure is operating
as intended. For certain controls such as segregation of duties, documentary evidence
(audit trail) may not exist. In this case, the auditor will have to test the effectiveness of the
control procedure by making inquiry of appropriate client personnel and observing the
application of the control procedures.
There is a significant overlap between the procedures used to obtain understanding and
tests of controls. Notice that inquiry of client personnel, observation or procedures and
inspection of documents are also used when obtaining understanding about the entity's

internal control system. In fact, many of the procedures used to understand the design of
internal control may provide evidence about the reliability of the client's accounting and
internal control systems. Consequently, obtaining understanding of the entity's internal
control system and assessing control risks are often done simultaneously
Timing of tests of controls
Auditors usually perform tests of controls during an interim visit in advance of period end.
However, auditors cannot rely on the results of such tests without considering the need to
obtain further evidence relating to the remainder of the period. This evidence may be
obtained by performing tests of control for the remaining period or by reviewing whether
there are changes affecting the entity's internal control system. In determining whether or
not to test the remaining period, the following factors must be considered:
 The results of the interim tests,
 The length of the remaining period, and
 Whether changes have occurred in the accounting and internal control systems
during the remaining period
Extent of tests of control
The auditor cannot possibly examine all transactions related to certain control procedures.
In an audit, the auditor should determine the size of a sample sufficient to support the
assessed level of control risk.
Using the results of tests of control
Based on the results of the tests of control, the auditor should evaluate whether the internal
controls are designed and operating as intended. The conclusion reached as a result of
this evaluation is called the assessed level of control risk. The auditor uses the assessed
level of control risk (together with the assessed level of inherent risk) to determine the
acceptable level of detection risk. There is an inverse relationship between detection risk
and the combined level of inherent and control risks. For example, if the combined
assessed level of inherent and control risk is high, detection risk needs to be low to reduce
audit risk to an acceptably low level. In this regard, the auditor may consider modifying:
 The nature of substantive tests from less effective to more effective procedures,
 The timing of substantive tests by performing them at year- end rather than at
interim; or
 The extent of substantive tests from smaller to larger sample size.
Operating effectiveness vs. implementation
Testing the operating effectiveness of controls is different from obtaining audit evidence
that controls have been implemented. When obtaining audit evidence of implementation
by performing risk assessment procedures, the auditor determines that the relevant
controls exist and that the entity is using them. When performing tests of the operating
effectiveness of controls, the auditor obtains audit evidence that controls operate
effectively. This includes obtaining audit evidence about how controls were applied at
relevant times during the period under audit, the consistency with which they were applied,
and by whom or by what means they were applied.

E. Documenting the assessed level of control risk

After evaluating the results of tests of control and assessing the control risk, the auditor
should document his assessment of control risk. If the control risk is assessed at a high
level, the auditor should document his conclusion that control risk is at a high level.
If control risk is assessed at less than high level, the auditor should document his
conclusion that control risk is less than high and the basis for that assessment. This basis
is actually the results of tests of control. Hence, the auditor cannot assess control risk at
less than high level without performing tests of control.
The following table summarizes the documentation requirements for auditors when
considering internal control:
Control Risk at High Control Risk at Less

level High Level
1. Understanding of Internal Control Required Required
2. Conclusion Required Required
3. Basis for the Conclusion Required Not Required
Communication of Significant Deficiencies in Internal Control

As a result of the auditor s consideration of the accounting and internal control systems,
the auditor may become aware of significant deficiencies in the entity's internal control
systems. In this regard, the auditor is required to report to the appropriate level of
management and those charged with governance, any significant deficiencies in the
internal control systems, which have come to the auditor's attention. This communication
should be in writing and can be done either before or after the auditor's report on the
financial statements is issued. Regardless of the timing of the written communication of
significant deficiencies, the auditor may communicate these orally in the first instance
management and, when appropriate, to those charged with governance assist them in
taking timely remedial action to minimize the risks material misstatement. Doing so,
however, does not relieve the auditor of the responsibility to communicate the
significant deficiencies in writing. It is to be emphasized that auditors are not required
to search for and/or identify internal control deficiencies. The auditors must, however,
communicate significant deficiencies in internal control to the client when they come to
their attention during the course of the audit. These internal control deficiencies, together
with other matters of concern, are ordinarily communicated to the client in a formal report
called management letter.
PERFORMING SUBSTANTIVE TESTS
After considering inherent risk and control risk, the auditor performs substantive tests to
reduce the level of detection risk to an acceptably low level. Substantive tests are audit
procedures designed to substantiate the account balances or to detect material
misstatements in the financial statements. The auditor's substantive procedures may be
either tests of details or substantive analytical procedures. The decision about which audit
procedures to perform, including whether to use substantive analytical procedures, is
based on the auditor's judgment about the expected effectiveness and efficiency of the
available audit procedures to reduce audit risk to an acceptably low level.

Substantive Analytical Procedures

The nature of analytical procedures was discussed in previous topic. It was mentioned
that analytical procedures may be used in the planning, testing, and overall review stages
of the audit. Analytical procedures applied as substantive tests are performed to enable
the auditor to obtain corroborative evidence about a particular assertion. Substantive
analytical procedures involve comparison of financial information with auditor's
expectation to determine the reasonableness of an account reported in a financial
statement.
When analytical procedures identify significant fluctuations, the auditor should conduct
further investigation to determine whether the financial statements are materially
misstated. This investigation ordinarily begins with inquiries of management followed by
corroboration of management’s responses and other audit procedures, based on the
results of these inquiries.
The auditor’s determination of the amount of difference from the expectation that can be
accepted without further investigation is influenced by materiality and the desired level of
assurance, taking account of the possibility that a misstatement, individually or when
aggregated with other misstatements, may cause the financial statements to be materially
misstated.
 Suitability of Substantive Analytical Procedures
The effectiveness of analytical procedures applied as substantive tests is affected by
many factors such as the nature of the assertions, reliability of data used to develop
expectations, precision of expectations, and predictability of the account balances.
Substantive analytical procedures are generally more applicable to large volumes of
transactions that tend to be predictable over time. The application of analytical procedures
is based on the expectation that relationships among data will exist and continue in the
absence of known conditions to the contrary. It is for this reason that auditors should focus
on those accounts that are predictable when using substantive analytical procedures. The
following generalizations may be helpful in assessing the predictability of the accounts
 Income statement accounts are likely to be more predictable compared to
statement of financial position accounts. This is because income statement
accounts involve accumulation of transactions while statement of financial position
accounts represent balances as of a given date that can fluctuate at any given
time.
 Accounts that ate not subject to management discretion such as payroll expense
are generally considered more predictable than those accounts that involve
management discretion like advertising expense or research & development
expense.
 Relationships in a stable environment are more predictable than those in a

dynamic or unstable environment.
Test of details

Test of details involves examining the actual details making up the various account. This
approach may take form of test of details of balances or test of details of transactions.
Test of details of balances involves direct testing of the ending balance of an account,
while test of details of transactions involves testing the transaction which give rise to the
ending balance of an account.
To illustrate the difference between the two, assume that the auditor wants to examine the
existence of the cash account.
Cash
Cash Beginning balance 1,000,000
Cash receipts during the year 12,000,000 Cash disbursements during the year
11,500,00
Ending balance 1,500,000
To substantiate the validity of the cash account, the auditor may directly test the ending
balance of cash (P1,500,000) by counting the cash on hand and testing the bank
reconciliation prepared by the client.
Alternatively, the auditor may obtain evidence about the validity of the cash account
balance by testing the details of the transactions (receipts P12,000,000 and
disbursements of P11,500,000) affecting the account during the year. This approach,
however, will be impractical because of the sheer volume of transactions involving cash
receipts and disbursement and most of these transactions are probably immaterial to the
financial statements taken as a whole.
In general, test of details of balances will be used when account balances are affected by
large volume of relatively immaterial transactions. Examples of accounts of this type
include cash, accounts receivable and inventory.
On the other hand, test of details of transactions is useful if account balances are
comprised of a of transactions representing relatively material amounts. Examples of
these accounts are property and equipment, intangibles, bonds payable, and
stockholder’s equity accounts.
 Effectiveness of Substantive Tests
The potential effectiveness of the auditor's substantive test is affected by its nature, timing,
and extent.
 Nature of substantive test
The nature of substantive test relates to the quality of evidence. The auditor should
determine the appropriate quality of evidence needed to support the desired level of
detection risk. Although the auditor would normally prefer high quality evidence, it is
important to remember that high quality evidence would also Involve high cost.
 Timing of substantive test

Substantive tests may be performed at interim dates or at year end. Interim procedures
are generally considered less ettective due to incremental audit risk involved when
auditing interim balances. Thus, the higher the risk of material misstatement, the more

likely it is that auditor may decide to perform substantive tests closer to year-end.
Pertorming audit procedures at interim dates assists the auditor in identifying
significant matters at an early stage of the audit, and Consequently resolving them
with the help of management or developing an effective audit approach to address
such matters. Additionally, performing interim procedures allows the auditor to spread
the work throughout the year thereby minimizing the load during the peak period.
 Extent of substantive test

The extent of substantive test relates to the amount of evidence needed to satisfy a
particular objective. The extent of substantive tests is based on the auditor's judgment
after considering the materiality, the assessed risk, and the degree of assurance the
auditor plans to obtain. In particular, the auditor ordinarily increases the extent of
substantive procedures as the risk of material misstatement increases.
Relationship between Substantive Test and Test of Control
It is essential to understand the nature of substantive tests and test of control in order to
appreciate the relationship between the two tests. Test of control provides evidence that
indicates a misstatement is likely to occur. Substantive test, on the other hand, provides
evidence about the existence of misstatement in an account.
For example, if the results of tests of control indicate that the internal control procedures
are not functioning effectively, the auditor will assume that material misstatements are
likely to occur. The auditor will then perform extensive substantive tests to confirm whether
material misstatements actually do exist. In expressing an opinion on the financial
statements, the auditor relies on the results of tests of control and substantive tests. If
tests of controls indicate that the internal control is effective in preventing and detecting
and correcting material misstatements that may occur, the auditor may perform less
substantive tests. Conversely, if the internal control is not reliable, the auditor will have to
compensate the weakness in internal control by performing more extensive substantive
tests. Thus, the result of tests of control is a major factor in determining the nature, timing,
a extent of the auditor's substantive tests.
When auditing financial statements, the auditor may design a test of controls to be
performed concurrently with a test of details on the same transaction. Although the
purpose of a test of controls is different the purpose or a test of details of transaction, both
may be accomplished concurrently by performing a test of controls and a test of details on
the same transactions, also known as a dual-purpose test. For example, auditor may
design an audit procedure to examine an invoice to test whether it has been properly
approved while at the same time the same providing substantive audit evidence about the
validity of a transactions.
AUDIT EVIDENCE
The auditor should obtain sufficient appropriate evidence to be able to draw reasonable
conclusions on which to base the audit opinion. Evidence refers to the information
obtained by the auditor in arriving at the conclusions on which the audit opinion is based.
Audit evidence consists of underlying accounting data and corroborating information.

 Underlying accounting data refers to the accounting records underlying the

financial statements. These include books of accounts, related accounting
manuals, worksheet supporting cost allocations and reconciliations prepared by
the client personnel.
 Corroborating information refers to the documents and other information

supporting the entity's accounting data obtained from client and other sources.
This includes documents such as invoices, bank statements, purchase orders,
contracts, checks and other information obtained or developed by the auditor
through confirmation, recalculation, observation and reconciliation.
Accounting data alone cannot be considered sufficient evidence to support an opinion on
the financial statements. Accordingly, the auditor must obtain corroborative information,
besides the accounting data, in order to support the auditor's report.
 Qualities of evidence
Audit evidence is typically obtained as a result of performing tests of control and
substantive tests. In cases where controls cannot be relied upon, evidence may be
obtained entirely from substantive tests. When obtaining audit evidence from either tests
of control or substantive tests, the auditor should consider the sufficiency and
appropriateness of audit evidence obtained.
When performing tests of control, audit evidence must support the assessed level of
control risk. When performing substantive tests, audit evidence must support the
acceptable level of detection risk. At the conclusion of the audit, the auditor should
evaluate whether the sufficiency and appropriateness or evidence from substantive tests
a test of control supports the financial statement assertions.
 Sufficiency refers to the amount of evidence that the auditors should accumulate.
Because of the cost/ benefit consideration auditors do not examine normally all
evidence available. The auditors use their professional judgment to determine the
amount of evidence needed to support the opinion expressed on the financial
statements. The following factors may be considered in evaluating the sufficiency of
evidence
 The competence of evidence
The amount of evidence that is sufficient in a given situation varies inversely with
the competence of evidence. Thus, the more competent the evidence is, the less
amount of evidence will be needed to support the auditor's opinion.
 The materiality of the item being examined.
The more material the financial statement amount being examined is, the more
evidence will be needed to support its validity. Conversely, if the account is not
material to the financial statements, the auditor does not have to perform any
procedure related to that account.

 The risk involved in a particular account.
As the risk of misstatement in a particular account increase the more evidence will
be needed.
 Appropriateness is the measure of the quality of audit evidence and its relevance to
a particular assertion and its reliability.
Relevance relates the timeliness of evidence and its ability to satisfy the audit
objective. Reliability relates to the objectivity evidence and is influenced by its source
and by its nature.
While reliability of audit evidence is dependent on individual circumstance, the following
generalizations may help the auditor in assessing the reliability of audit evidence:
 Audit evidence obtained from independent sources outside the entity (for example,
confirmation received from a third party) is more reliable than that generated
internally;
 Audit evidence generated internally is more reliable when the related accounting
and internal control systems are effective
 Audit evidence obtained directly by the auditor is more reliable than that obtained
indirectly; and
 Audit evidence in the form of documents and written representations is more
reliable than oral representations.
 Cost/benefit consideration when obtaining evidence

An auditor works within economic limits. The auditor's opinion to be economically useful
must be formed within a reasonable period of time and based on evidence obtained at a
reasonable cost. As a guiding rule, there should be a rational relationship between the
cost of obtaining evidence and the usefulness of the information obtained. Determining
the appropriate type of evidence that should be obtained is a matter of professional
judgment.
Audit evidence does not have to be conclusive to be useful. Ordinarily, auditor finds it
necessary to rely on audit evidence that is persuasive rather than conclusive in nature,
and will often seek audit evidence from different sources or of a different nature to support
the same assertion.
AUDIT DOCUMENTATION/ WORKING PAPERS
The sufficient appropriate evidence required by the professionals’ standards must be
clearly documented in the auditor’s working papers. Working papers are records kept by
the auditor that documents the procedures applied, information obtained and conclusions
reached PSA 230 requires the auditor to document matters that are important to support
an opinion on financial statements, and evidence that the audit was conducted in
accordance with PSA.
Functions of the working papers
Working papers are prepared primarily to:

 Support the auditor's opinion on financial statements,

 Support the auditor's representation as to compliance with PSA, and
 Assist the auditor in the planning, performance, review and supervision of the
engagement.
Secondarily, working papers also assist the auditor in:
 planning future audits;
 providing information useful in rendering other services (MAS or tax consultancy);
and
 providing adequate defense in case of litigation.
Form, Content and Extent of Audit Documentation
It is neither necessary nor practicable to document every matter the auditor considers
during the audit. In deciding on the form, content and extent of audit documentation, the
auditor should consider what would enable an experienced auditor, having no previous
connection with the audit, to understand:
a. The nature, timing, and extent of the audit procedures performed to comply with
PSAs and applicable legal and regulatory requirements:
b. The results of the audit procedures and the audit evidence obtained; and
c. Significant matters arising during the audit and the conclusions reached thereon.
The form, content and extent of audit documentation depend on factors such as:
 The nature of the audit procedures to be performed
 The identified risks of material misstatement,
 The extent of judgment required in performing the work and evaluating the results:
 The significance of the audit evidence obtained;
 The nature and extent of exceptions identified
 The need to document a conclusion or the basis for a conclusion not readily
determinable from the documentation of the work performed or audit evidence
obtained; and
 The audit methodology and tools used.
Although audit documentation depends upon the auditor's judgment, the following
important items would normally require audit documentation:
 Discussions of significant matters with management and others in a timely manner
 In exceptional circumstances, when the auditor judges it necessary to depart from
a basic principle or an essential procedure that is relevant in the circumstances of
the audit, the auditor should document how the alternative audit procedures
performed achieve the objective of the audit, and, unless otherwise clear, the
reasons for the departure.
 In documenting the nature, timing and extent of audit procedures performed, the
auditor should record:
a. Who performed the audit work and the date such work completed; and
b. Who reviewed the audit work performed and the date and extent of such
review

Classification of working papers

In a continuing engagement, working papers are typically classified into permanent file or
current working paper file
Permanent file contains information of continuing significance to the auditor in performing
recurring audits. This file would most likely include:
o copies of the articles of incorporation and by'-laws;
o major contracts
o engagement letters;
o organizational charts;
o analyses of long-term accounts such as plant assets, long-term liabilities and
stockholders' accounts; and
o internal control analyses.
Current file contains evidence gathered and conclusions reached relevant to the audit of
a particular year. This file would normally include
o a copy of the financial statements;
o audit program,
o working trial balance,
o lead schedules;
o detailed schedules; and
o correspondence with other parties such as lawyers, customers banks, and
management.
Ownership of working papers
Working papers are the property of the auditor and the client has no right to the working
papers prepared by the auditor. Working papers may sometimes serve as a reference
source for the client (at the discretion of the auditor) but they should not be considered as
part or as a substitute for the client's records.
Confidentiality of working papers
Although the working papers are the personal property of the auditor, these working
papers cannot be shown to third parties without the client's permission. The Code of Ethics
for Professional Accountants requires the CPA to respect the confidentiality of information
obtained during the course of performing professional services. However, in some
instances the duty of confidentiality is overridden by the statute of law. For example, the
auditor can disclose confidential information to third parties even without the client’s
consent under the following circumstances:
a. When disclosure is required by law or when the working papers are subpoenaed
by a court, or
b. When there is a professional right to disclose information such as when the auditor
uses the working papers to defend himself when sued by the client for negligence.
Retention of working papers

Working papers should be retained by the auditor for a period of time sufficient to meet
the needs of his practice and to satisfy any pertinent legal requirements of record retention.
Guidelines for the preparation of working papers
Working papers should be properly organized to facilitate their review. The following
techniques may be used by the auditor when preparing working papers.
 Heading
Each working paper must be properly identified with such information as the name
or the client, type of working paper, a description of its content, and the date or
period covered by the examination.
 Indexing
Indexing refers to the use of lettering or numbering system (for example "A" for
Cash lead schedule), Each working paper must be indexed to aid in cross-
referencing essential information.
 Cross-indexing/ cross referencing

Cross-referencing is important to provide a trail useful to supervisors in reviewing
the working papers. to
 Tick marks
Working papers must include symbols that describe the audit procedures
performed.
ATTENDANCE AT PHYSICAL INVENTORY COUNT
If inventory is material to the financial statements, the auditor is required under PSA 501
to attend at physical inventory counting, and to test the accuracy of the entity's final
inventory records. Attendance at physical inventory counting involves:
 Inspecting the inventory to ascertain its existence and evaluate is condition, and
 performing test counts;
Inspecting inventory when attending physical inventory counting assists the auditor in
ascertaining the existence of the inventory, and identifying obsolete, damaged or aging
inventory. Performing test counts by tracing items selected to and from inventory records
to the physical inventory provides audit evidence about the completeness and validity of
the inventory.
Physical Count Conducted Before or After Year end
In some instances, the physical inventory count is conducted at the date other than the
date of the financial statements. When this occurs, the auditor should perform additional
audit procedures to obtain audit evidence about whether changes in inventory during the
intervening periods are properly recorded. These procedures would normally involve
testing the effectiveness of the design, implementation and maintenance of controls
designed to ensure that all inventory transactions are captured and recorded accurately
Attendance at Physical Count is Impracticable

There may be cases when attendance at physical inventory count may be impracticable.
This may be due to factors such as the nature and location of the inventory, for example,
where inventory is held in a location that may' pose threats to the safety of the auditor. If
attendance at physical inventory counting is impracticable, the auditor should perform
alternative audit procedure to obtain sufficient appropriate audit evidence regarding the
existence and condition of inventory. For example, inspection of documentation of the
subsequent sale of specific inventory items purchased prior to the physical inventory
counting, may provide sufficient appropriate audit evidence about the existence and
condition of inventory.
Failure to obtain sufficient appropriate evidence about the existence and condition of the
inventory will cause the auditor to express either a qualified or a disclaimer of opinion in
the auditor's report in accordance with PSA 705.
Inventory held by a third party
If inventory is under the custody and control of a third party and the auditor believes it is
material to the financial statements, the auditor should obtain sufficient appropriate audit
evidence regarding the existence and condition of that inventory by obtaining confirmation
from the third party and/or inspecting documentation regarding inventory held by third
parties, such as, delivery receipts or receiving reports.
AUDITING ACCOUNTING ESTIMATES
As defined by PSA 540, accounting estimate means an approximation of the amounts of
an item in the absence or a precise means of measurement. Accounting estimates are
often made in conditions of uncertainty regarding the outcome of events that have
occurred or are likely to occur and involve the use of judgment. Examples include:
 Allowance for credit losses;
 Warranty obligation,
 Inventory obsolescence,
 Depreciation and amortization,
 Loss contingencies,
 Percentage of completion income on construction contracts, and
 Fair value of securities that are not publicly traded.
The auditor must be specifically careful in considering accounts that are affected by
accounting estimates because the risk of material misstatement is greater when
accounting estimates are involved.
Management is responsible for making accounting estimates included in the financial
statements. The auditor's responsibility is to obtain sufficient appropriate evidence as to
whether
 Accounting estimate is properly accounted for and disclosed and
 Accounting estimate is reasonable in the circumstances

Determining whether accounting estimates are properly accounted for and disclosed
requires knowledge of the client's business application of applicable financial reporting
framework.
When evaluating reasonableness, the auditor concentrates on assumptions or factors that
are:
 Significant to the estimate
 Sensitive to variation
 Apparent deviations from historical patterns
 Subjective and susceptible to bias or misstatement
The auditor should obtain an understanding of the procedures and methods, including the
accounting and internal control systems, used by management in making the accounting
estimates. The auditor can obtain satisfaction about the reasonableness of the accounting
estimates through:
1. Review and test the process used by management to develop the estimate. This will
often involve:
 evaluating data and management assumptions,
 testing of calculations;
 comparing prior periods estimates with actual results; and
 considering management approval procedures.
2. Make an independent estimate
The auditor may make or obtain an independent estimate and compare it with the
accounting estimate prepared by management.
3. Review subsequent events which confirm the estimate made.
Transactions and events which occur after period end, but prior to completion of the
audit, may provide sufficient appropriate evidence regarding an accounting estimate
made by management.
The auditor should also gain an understanding of how management develops its fair value
measurements and disclosures including the qualifications of the persons involved, the
significant assumptions made, and relevant market information used to develop the
estimates. The auditor must obtain evidence that the methods used for estimating fair
values are in accordance with the applicable financial reporting framework and that any
risks associated with the use of estimates that could result in misstatement, have been
reduced to an acceptable level.
RELATED PARTIES
The term related party refers to persons or entities that may have dealings with one
another in which one party has the ability' to exercise significant influence or control over
the other party in making financial and operating decisions. Related party includes:
 Any person or other entity that has control or significant influence directly or
indirectly through one or more intermediaries, over the reporting entity,

 Another entity over which the reporting entity has control or significant, influence,
directly or indirectly through one or more intermediaries, and
 Another entity that is under common control with the reporting entity through
having
o Common controlling ownership;
o Owners who are close family members; or
o Common key management.
While the existence of related parties and transactions between such parties are
considered ordinary features of business, the auditor needs to be aware of them because:
 Most financial reporting frameworks require disclosure in the financial statements
of certain related party relationship transactions,
 A related party transaction may be motivated by other than ordinary business
considerations such as profit sharing or even fraud, and
 The nature of related party relationships and transactions may, in some
circumstances, give rise to higher risks of material misstate of the financial
statements than transactions with unrelated parties
Management's responsibility
Management is responsible for the identification and disclosure of related parties and
transactions with such parties. This responsibility requires management to implement
adequate accounting and internal control systems to ensure that transactions with related
parties are appropriately identified in the accounting records and disclose in the financial
statements.
Auditor's responsibility
The auditor needs to obtain an understanding of the entity's related party relationships
and transactions sufficient to be able to assess the risk of material misstatement and
conclude whether the financial statements are fairly presented.
Related party transactions may cause the financial statements to contain material
misstatements if the economic reality of such transactions is not appropriately reflected in
the financial statements. For instance, fair presentation may not be achieved if the sale of
a property by the entity to a controlling shareholder at a price above or below fair market
value has been accounted for as a transaction involving a profit or loss for the entity when
it may constitute contribution or return of capital or the payment of a dividend. The auditor
initially obtains information about related party relationship and transactions by making
inquiry from management regarding:
 The identity of the entity's related parties, including changes from the prior period,
 The nature of the relationships between the entity and these related parties, and
 Whether the entity entered into any transactions with these related parties during
the period and, if so, the type and purpose of the transactions.
During the audit, the auditor should remain alert, when inspecting records or documents,
for arrangements or other information that may indicate the existence of related party
relationships or transactions. Examples or conditions in which related party transactions
are likely would include:

 Transactions which have abnormal terms of trade, such as unusual prices, interest
rates, guarantees and repayment terms;
 Transactions which lack an apparent logical business reason for related party
unusual their occurrence,
 Transactions in which substance differs from form;
 Transactions not processed in an unbiased manner,
 High volume or significant transactions with certain customers or suppliers as
compared with others; and
 Unrecorded transactions such as the receipt or provision of management services
at no charge.
When related party transactions are identified, the auditor should obtain sufficient
appropriate evidence that these are properly accounted for and disclosed in the financial
statements. If the auditor identifies significant transactions outside the entity's normal
course of business, the auditor should:
 Obtain understanding of the business rationale as well as the terms or the
transactions, to evaluate whether the transactions have been properly accounted
for and disclosed; and
 Obtain audit evidence that the transactions have been appropriately authorized
and approved;
A business rationale of a significant related party transaction that is not consistent with the
entity's normal course of business or those transaction that have unusual terms may
represent a fraud risk factor. In addition, obtaining evidence that the related party
transactions have been properly authorized and approved is important to ensure that
these have been duly considered at the appropriate levels within the entity and that their
terms and conditions have been appropriately reflected in the financial statements. The
absence of such authorization and approval indicates risk of material misstatement in the
financial statements.
Written Representation
The auditor should obtain a written representation from management concerning the
completeness of information provided regarding the identification of related parties and
the adequacy of related party disclosures in the financial statements.
USING THE WORK OF AN EXPERT
The auditor's education and experience enable the auditor to be knowledgeable about
business matters in general. However, the auditor is not expected to have the expertise
required to practice other profession or occupation. During the audit, the auditor may need
to obtain audit evidence in the form of reports, opinions, valuations, and statements of an
expert. An expert is a person or firm possessing special skill, knowledge and experience
in a particular field other than accounting and auditing. Common examples of an expert's
work include:
 Valuation of precious stones, works of arts, real estate, and other specialized
assets;
 Determination of amounts using specialized techniques like actuarial
computations; and

 Interpretation of technical requirements, regulations, or contracts such as legal

documents or legal title to property
PSA 620 identifies two kinds of experts, namely:
Auditor's Expert
An individual or organization possessing expertise in a field other whose work in that field
is used by the than acc0unting or aua auditor to assist the auditor in obtaining sufficient
appropriate audit evidence. An auditor s expert may be ether an auditor's internal expert
(who is a partner or start, including temporary staff, of the auditor's firm or a network firm),
or an auditor’s external expert.
Management's Expert
An individual or organization possessing expertise in a field other than accounting or
auditing, whose work in that field is used by the entity to assist the entity in preparing the
financial statements
 Determining the need for an Auditor's Expert Not all engagements would require the
help ot an expert. Usually, the auditor will be able to obtain sufficient appropriate
cvIdence about an account balance or transaction class even without the help ot an
expert. In some instances however, the auditor cannot Obtain satistaction about an
2ssertion without seeking the assistance ot an cxpert. When determining the need to
use the work ot an expert, the auditor would constder Whether management has used
a managenment's expert in preparing the financ1al statements The nature and
significance of the matter, Including its complexITy, The riIsks of material
misstatement in the matter, and The expected nature of procedures to respond to
identified risks, including the auditor's knowledge of and experience with the work of
experts in relation to such matters; and the availability o alternative sources of audit
evidence.
 Evaluating the Auditor's Expert
After concluding that the help of the auditor's expert is needed to assist the auditor in
obtaining sufficient appropriate evidence, the auditor must:
1. Assess the competence and objectivity of the expert.
The following factors must be considered when assessing competence of the expert
 Professional certification or licensing by, or membership, in appropriate

professional body; and
 Experience and reputation in the field in which the auditor is seeking audit
evidence.
The evaluation of expert's objectivity shall include inquiry regarding interests and
relationships that may create a threat to the expert s objectivity.
2. Understand the field of the expertise of auditor's expert.

This understanding should enable the auditor to determine the nature, scope and
objectives of that expert's work; and evaluate the adequacy of that work for the
auditor's purposes.
3. Establish the terms of the agreement with the expert.
The auditor and the expert should agree on matters such as the nature, scope, and
objectives of the expert's work; their duties and responsibilities; timing of completion;
and the need for the auditor's expert to observe confidentiality requirements. If
appropriate, such agreement must be in writing.
4. Evaluate the results of the work of the expert.
The auditor should assess the appropriateness of the expert's work as audit evidence
regarding the financial statement assertion being considered. This would require
consideration of the expert's source or data, assumptions and methods, and the
results of expert's work in light of the auditor's knowledge of the client's business and
the results of other audit procedures Ordinarily, the auditor's expert work should
enable the auditor to satisfy the auditor's objectives. If the auditor determines that the
work of the auditor's expert is not adequate for the auditor's purpose, the auditor
should agree with the expert on the nature and extent of additional work to be
performed, or the auditor may perform further audit procedures appropriate in the
circumstances.
Evaluating Management's Expert

The preparation of an entity’s financial statements may require expertise in a field other
than accounting or auditing, such as actuarial calculations, valuations, or engineering
data. The entity may employ or engage experts in these fields to obtain the needed
expertise relevant to the preparation of the financial statements. Failure to do so may
increase the risks of material misstatements in the financial statements. Similar to
evaluation of the auditor’s expert work in the preceding section, auditor is required to
perform certain steps to evaluate the management's expert work. In this regard, PSA 500
requires the auditor to:
1. Evaluate the competence, capabilities and objectivity of that expert, The competence,
capabilities and objectivity of a management’s expert, and any controls within the entity
over that expert’s work, are important factors in relation to the reliability of any
information produced by a management’s expert. Accordingly, steps should be
undertaken to assess the qualifications and objectivity of the expert whether engaged
or employed by the management.
2. Obtain an understanding expert's field. An understanding of expert’s relevant field

enables the auditor to determine the nature, scope and objectives of the experts work
and evaluate the adequacy of the work as audit evidence. Reading the engagement
letter between the management and the expert making inquiries from the expert and

management are procedures that may be performed by the auditor to obtain this
information
3. Evaluate the appropriateness of that expert's work as audit evidence for the relevant
assertion. Evaluating the appropriateness of the management's experts work as audit
evidence involves considering the relevance expert's findings as well as the reliability
of the report. The work of the expert should be able to support the assertion in the
financial statements. Moreover, the methods and assumptions used must be
appropriate in light of the auditor's overall understanding of the entity and other
evidence obtained.
Effect of the Reliance on Expert's Work on the Audit Report
The auditor has sole responsibility for the audit opinion expressed, and that responsibility
is not reduced by the auditor's use of the work of an expert. Thus, the auditor should not
refer to the work of an expert in an auditor's report containing an unmodified opinion When
an auditor’s report contains a modified opinion, the auditor can make reference to the
expert's work if the auditor believes that such reference is necessary in order for the
readers to understand the reason for expressing a modified opinion. When this happens,
the auditor should clearly indicate in the report that such reference does not reduce the
auditor's responsibility for that opinion.
CONSIDERING THE WORK OF INTERNAL AUDITORS
Internal audit is a function of an entity that performs assurance and consulting activities
designed to evaluate and improve the effectiveness of the entity's governance, risk
management and internal control processes. The external auditor should obtain sufficient
understanding of the internal audit function to assist in planning the audit and developing
an effective audit approach. An effective internal audit function will often affect the nature
timing and extent of the external auditor 's procedures.
Considering the work of internal auditor involves two important phases:
 Making a preliminary assessment of internal auditing; and
 Evaluating and testing the work of internal auditing

Preliminary Assessment of the Internal Audit Function
When planning the audit, the external auditor should make a preliminary assessment of
the internal audit function when it appears that it is relevant to the external audit of the
financial statements in specific audit areas. For this purpose, the external auditor consider
the internal auditor’s:
Competence
Competence refers to the attainment and maintenance of knowledge and skills at the level
required to enable assigned tasks to be performed diligently and in accordance with
applicable professional standards. In evaluating the competence of the internal audit
function, the external auditor may consider the professional qualifications and experience
of the entity's internal auditors. In addition, entity's policy on hiring, training and

professional development of its employees may also contribute to the auditor's

assessment of the competence of the internal audit function.
Objectivity
Objectivity refers to the ability to perform those tasks without allowing bias, conflict of
interest or undue influence of others to override professional judgments. In evaluating the
internal auditor’s objectivity, the external auditor may consider the organizational level to
which the internal auditors report results of their work. In general, internal auditor’s
objectivity is strengthened when it reports to the "audit committee” of the board of
directors.
Due professional care
Due professional care is achieved when the internal audit function has a systematic and
disciplined approach to planning, performing, supervising, reviewing and documenting the
internal audit activities. For this purpose, the external auditor may evaluate whether
internal auditors have documented internal audit procedures or program and documented
quality control policies and procedures.
Evaluating and Testing the Work of Internal Auditors
If based on the foregoing assessment, the external auditor decides to use the work of the
internal auditor, the external auditor will have to evaluate and test the internal auditor's
work to confirm its adequacy for the external auditor's purposes. This evaluation may
include considering whether the work is performed by competent persons sufficient
appropriate evidence is obtained; appropriate conclusions are reached; and exceptions
are properly resolved. For this purpose, PSA 620 requires the external auditor to:
 read the reports of the internal audit function relating to the work of the function
that the external auditor plans to use to obtain an understanding of the nature and
extent of audit procedures it performed and the related findings, and
 perform sufficient audit procedures to determine the adequacy of the internal audit
work for purposes of the audit.
The nature and extent of the external auditor’s audit procedures shall be responsive to the
external auditor’s evaluation of the amount of judgment involved, the risk of material
misstatements, and the auditor's assessment of the competence and objectivity of the
internal audit function.
Aside from using the work performed by the internal auditors, the external auditor may
also request the assistance of the internal auditors in performing routine or mechanical
audit procedures. This is an acceptable practice provided the external auditor supervises
and reviews the work performed by the internal auditors.
It is important to remember that all judgement relating to the audit of financial statements
are those of the external auditor. The auditor’s responsibility for audit opinion is not
reduced by any use made of internal auditing. Accordingly, the auditor’s report on financial
statements should not include ant reference to the work performed by internal auditor.
AUDIT SAMPLING

The professional standards require the auditor to obtain sufficient appropriate evidence to
De able to draw reasonable conclusions on which to base the audit opinion. In forming the
opinion on the financial statements, the auditor does not normally examine all evidence
available. Auditors usually draw conclusions about the account balance or transaction
class by examining only a sample of evidence.
PSA 530 defines audit sampling as,
“The application of audit procedures to less than 100% of the items within an
account balance or class of transactions such that all sampling units have a
chance of selection.”
Audit sampling is performed on the assumption that the sample selected for testing is
representative of the population. Thus, an inference or conclusion can be drawn about the
characteristics of the population based on the sample results.
NOTE: Not all testing procedures performed by auditors involve audit sampling. For
example, the auditor may decide that it would be more appropriate to examine the entire
population (100% examination) of items that make up an account balance since the
population constitutes a small number of large value items.
Likewise, the auditor may decide to apply audit procedures only to those items which have
particular significance (selective testing) (e.g. all items Over a certain amount). Regardless
of the approach used, the auditor needs to be satisfied that sufficient appropriate evidence
is obtained to meet the objectives of the test.
Risks in Sampling
When performing audit procedures, the auditor is faced with uncertainty of not detecting
material errors in an account balance or class of transactions. This uncertainty arises
because of sampling and non-sampling risks.
 Sampling risk
Sampling risk refers to the possibility that the auditor’s conclusion, based on a
sample, may be different from the conclusion reached if the entire population
were subjected to the same audit procedures.
NOTE: This exists because the sample selected for testing may not be truly representative
of a population.
There are two types of sampling risk that could adversely affect the audit. The alpha risk
and the beta risk.
a. Alpha Risk is the risk the auditor will conclude:
 in the case of tests of control, that internal control is not reliable when in
fact it is effective and can be relied upon (risk of under reliance); or

 in the case of substantive test, that material misstatement exists in an

account balance or transaction class when in fact such misstatement does
not exist (risk of incorrect rejection).
This type of sampling risk results in an auditor performing audit procedures

more than what is necessary, thus affecting aua efficiency
b. Beta Risk is the risk the auditor will conclude,
 in the case of tests of control, that internal control is reliable when in fact it
is not effective and cannot be relied upon (risk of overreliance); or
 in the case of substantive test, that material misstatement does not exist
when in fact material misstatement does exist (risk of incorrect acceptance)
This type of sampling risk results in an auditor performing audit procedures

less than what is necessary, thereby affecting the auditor' s ability to detect
material misstatements in the financial statements. Hence, beta risk affects
the audit effectiveness.
 Non-sampling risk
Refers to the risk that the auditor may draw incorrect conclusions about the
account balance or class or transactions because of human errors such as,
application or inappropriate audit procedures, failure to recognize errors in the
sample tested, and misinterpretation of evidence obtained. This includes all
aspects of audit risk that are not due to sampling.
Controlling the Risks

The only way to eliminate sampling risk is to examine the entire population. Doing this,
however, would not be feasible because of time and cost constraints. Accordingly, auditors
do not normally attempt to eliminate sampling risk. Instead, auditors control sampling risk
by
a. Increasing the sample size; and
b. Using an appropriate sample selection method.
By increasing the sample size and carefully selecting the sample, the sample becomes
more representative of the population, thus, decreasing the sampling risk.
Non-sampling risk, on the other hand, is something that cannot be eliminated even if the
auditor examines the entire population. This risk, however, can be minimized by
a. Proper planning and
b. Adequate direction, review, and supervision of the audit team.
General Approaches to Audit Sampling

There are two sampling approaches that can be used by the auditor. gather sufficient
appropriate evidence, the statistical and non-statistical sampling
 Statistical Sampling is a sampling approach that
 Uses random based selection of sample, and
 Uses statistics (law of probability) to measure sampling risk and evaluate
sample results.
 Non-statistical sampling, in contrast, is a sampling approach that purely uses auditor's
judgment in estimating sampling risks, determining sample size, and evaluating
sample results.
Both statistical and non-statistical sampling methods are acceptable. Both approaches will
require the use of auditor's judgment in designing and selecting the sample, in performing
audit procedures and in evaluating the results. Most of all, both approaches cannot assure
that the sample will be representative of the population. The only difference between the
two methods is that statistical sampling allows auditor to measure or quantify the sampling
risks by using mathematical formula. Thus, statistical sampling helps the auditor to
 Design an efficient sample,
 Measure the sufficiency of evidence obtained; and
 Objectively evaluate the sample results.
However, these benefits cannot be obtained without additional costs training audit staff,
designing sampling plans, and selecting items examination.
Audit Sampling Plans
Audit sampling may be used when performing tests of controls or substantive tests. When
statistical sampling is used, the auditor may use either attribute or variable sampling plan.
 Attribute sampling
This is a sampling plan used to estimate the frequency of occurrence of a certain
characteristic in a population (occurrence rate). It is generally used when performing tests
of controls to estimate the rate of deviations from prescribed internal control policies or
procedures.
 Variable sampling
This is a sampling plan used to estimate a numerical measurement of a population such
as peso value. It is generally used in performing substantive tests to estimate the amount
of misstatements in the financial statements
Basic Steps in Audit Sampling
Audit procedures carried out by means of sampling techniques require consideration of at
least the following basic steps.
1. Define the objective of the test. The audit objective largely determines the audit
procedures to be applied. Hence, before deciding on the nature of the audit procedure
to be performed, the auditor must define the specific objective of the test. For example.
when auditing accounts receivable, the auditor’s objective could be to determine
whether accounts receivable balances exist as of the financial statement date.

2. Determine the audit procedure to be performed. After defining the audit objective, the
next step is to determine the specific audit procedure that will be performed to satisfy
the objective. This step also involves defining the population and the characteristics to
be tested. Using the existence of accounts receivable as an objective, the audit
procedure may involve sending out confirmation letters to customers. The population
would be the customer’s account balances as of the balance sheet dale and the
characteristic to be tested would be the monetary amount of misstatement in an
account balance.
3. Determine the sample size. Once the auditor has decided to apply a certain audit
procedure to sample of items in a population, the auditor must decide how many
sampling units to include in the sample. The auditor may decide to examine only 100
out of the total 5,000 customers’ accounts in order to draw a conclusion whether the
total accounts receivable are actually existing as of the balance sheet date.
 When statistical sampling is used, the auditor determines the sample size
using statistically based formula.
 With non-statistical sampling, the sample size is determined by relying
primarily on the auditor's professional judgment.
4. Select the sample. Another problem the auditor faces after determining the sample
size is the method of selecting the sample from the total population. A sample selection
technique must be designed in such a way that all items in the population will have an
opportunity to be selected. Statistical sampling requires that sample items be selected
at random, so that each sampling unit has a chance of being selected. In selecting the
customers to whom confirmation letters will be sent, the auditor may use a computer
software that produces random numbers that match with the customer numbering
system.
5. Apply the procedures. After the sample items have been selected, the auditor applies
the planned audit procedure to the sample. The auditor sends out confirmation letters
to the customers selected to determine the validity of the recorded account balances.
6. Evaluate the sample results. Once audit procedures have been performed on all
sample items, the sample results must be evaluated to determine whether sufficient
evidence has been obtained to satisfy the objective. The auditor will have to
summarize customers’ confirmation replies and decide whether the account balance
is material misstated or whether additional audit procedures need to be performed.
It is to be emphasized that steps (1) defining the objective of the test (2) determining audit
procedures, (5) applying the procedures and (6) evaluation of results will be performed
regardless of whether the auditor uses audit sampling or not. Hence, the only difference
between audit sampling and 100% examination is that audit sampling involves:
a. Determination of sample size (Step 3);
b. Selection of sample (Step 4); and
c. Projection of errors in evaluating the sample results (Step 6).

The remaining sections of this chapter focus primarily on these three sampling-related
steps when performing tests of control and substantive tests.
Sampling for Tests of Controls
Audit sampling for tests of control is generally appropriate when application of the control
leaves evidence of performance. For those controls that leave no documentary evidence
of performance, non-sampling procedures, such as inquiries and observation, would be
more appropriate.
 Determination of sample size
There are three factors affecting the determination of sample size tests of controls.
These are the
 Acceptable sampling risk;

 Tolerable deviation rate, and
 Expected deviation rate
 Acceptable sampling risk
Sampling risk is inherent in an audit sampling application. A sample drawn can

only be expected to be representative of the population. The size of the sample is
affected by the level or sampling risk the auditor is willing to accept. There is an
inverse relationship between the acceptable sampling risk and sample size. The
smaller the sampling risk the auditor is willing to accept, the larger the sample size
would be (and vice versa).
 Tolerable deviation rate
Tolerable deviation rate is the maximum rate of deviations the auditor is willing to
accept, without modifying the planned degree of reliance on the internal control.
The tolerable deviation rate is inversely related to the sample size. Therefore, a
decrease in the tolerable deviation rate will cause the sample size to increase.
Establishing tolerable deviation rate and the acceptable sampling risks requires
professional judgment and involves consideration of:
 The importance of the control, and

 The degree of reliance to be placed on such control.
If the control is important in providing reliable financial statements, the auditor

would most likely decrease the acceptable level of sampling risk and the tolerable
deviation rate to obtain more evidence that such control is working effectively.
In addition, if the auditor wants to place more reliance on the control (lower
assessment of control risk), the auditor should justify that assessment by accepting
a smaller rate of deviation and a lower level of sampling risk

 Expected deviation rate
Expected deviation rate is the rate of deviation rate the auditor expects to find in
the population before testing begins. The auditor can develop this expectation
based on the prior year’s results or by examining few items in the population (pilot
sample).
The expected deviation rate has a direct effect on the sample size; the larger the
expected population deviation rate, the larger the sample size would be. It is
important to remember that the expected population deviation rate should not
exceed the tolerable deviation rate. If prior to testing, the auditor anticipates that
the actual population deviation rate is higher than the tolerable deviation rate, the
auditor generally omits testing of that control procedures and either seeks to obtain
assurance by testing other relevant internal control policies and procedures, or
assess control risk at a high level.
Sample size Acceptable Tolerable Expected

Sampling Risk Deviation Rate Deviation Rate
Small High High Low
Large Low Low High
 Sample selection method
The auditor should select items for the sample with the expectation that all sampling
units in the population have a chance of selection. PSA 550 has identified three
principal methods of selecting sample namely, (a) random number selection, (b)
systematic selection, and (c) haphazard selection.
 Random number selection
Under this method, the auditor selects the sample by matching random numbers,
generated by a random number table or a computer software generator, with the
population numbering system such as document number. An advantage of this
selection technique is that it gives each item in the population an equal opportunity
to be selected.
 Systematic selection
Another method of selecting sample that is easier to use, compared to random

number selection, is the system selection. This method involves determining a
constant sampling interval and then selects the sample based on the size of that
interval.
To illustrate the use of systematic selection, assume that the auditor wants to
examine a sample of 100 invoices from the population of 20,000 invoices. The first
step would be to compute the “sampling interval" by dividing the population size
by the sample size. Hence, the sampling interval would be:
20,000/100= 200

After determining the sampling interval, the auditor randomly selects the starting
point from the first 200 invoices. Assuming, for example, the 25th invoice happens
to be the first item drawn by the auditor, the auditor then selects the succeeding
items by taking the 225th (25th +200), 425th (225th + 200); 625th (425th +200);
825th (625th + 200); and so on.
When using systematic selection, the auditor should determine that the population
is not structured in such manner that the sampling interval corresponds with a
particular pattern in the population. An advantage of this type of selection is that it
is easy to use. Furthermore, in systematic selection, the population items do not
have to be pre-numbered in order for the auditor to use this technique.
 Haphazard selection
When using this method, the sample is selected without following an organized or
structured technique. Haphazard selection is useful for non-statistical sampling,
but it is not used for statistical sampling because the auditor cannot measure the
probability an item being selected when using this method.
In selecting the sample and applying the appropriate audit procedures, the audit
may encounter the following situations
 Voided documents. The auditor may occasionally select a voided or

cancelled document in a sample. If the document has been properly
voided, such document should be replaced by another sample item.
 Missing documents. If the auditor encounters missing document and he is
unable to determine whether the control has been properly performed, such
item should be treated as a deviation for the purpose of evaluating sample
results.
 Evaluation of results
When evaluating sample results, both the qualitative and the quantitative factors of
deviations should be considered. Here are some general guidelines that may be used
when evaluating sample results for tests of controls.
1. Determine the sample deviation rate
The sample deviation rate is computed by dividing the number of deviations found in
the sample by the sample size. For example, if the auditor found 4 deviations out of
the 200 sample items, the sample deviation rate is 4/200= 2%. This sample deviation
rate represents the auditor’s best estimate of the deviation rate in the population.
2. Compare the sample deviation rate with the tolerable deviation rate and draw an
overall conclusion about the population. The next step is to compare the sample

deviation rate with tolerable deviation rate. This comparison may result to the following
situations.
 The sample deviation rate exceeds the tolerable deviation rate. This means that the
sample results do not support the auditor's planned degree of reliance on internal
control. Hence, control risk will be assessed at a high level and more extensive
substantive tests should be performed.
 The sample deviation rate is less than the tolerable deviation rate. If the sample
deviation rate is less than the tolerable rate, the auditor should consider the allowance
for sampling risk- that is, the possibility that these sample results could have occurred
even if the actual population deviation rate is higher than the tolerable rate.
Hence, before making a conclusion, the auditor should determine how close the
sample deviation rate is to the tolerable deviation rate. As the sample deviation rate
approaches the tolerable deviation rate, the allowance for sampling risk decreases.
a. If the sample deviation rate is considerably lower than the tolerable deviation rate
(tor example, 2% as against tolerable rate of 10%), there is a low risk that the
actual population deviation rate will exceed the tolerable deviation rate. In this
case, the auditor can safely assume that the sample results supported the planned
degree of reliance on internal control.
b. However, it the sample deviation rate is barely lower than the tolerable deviation
rate (for example,8% as compared to tolerable rate of 10%), there is a high
possibility that the actual deviation rate will exceed the tolerable rate.
 When using non-statistical sampling, the auditor will most likely conclude
that the sample results do not justify the auditor's preliminary assessment
of control risk. Accordingly, control risk should be assessed at a high level.
 When statistical sampling is used, the auditor determines the maximum
population deviation rate as the sum of the sample deviation rate and the
allowance for sampling risk. with the help of sampling table or statistical
formula. The auditor then compares the maximum population deviation rate
with the tolerable rate to evaluate the sample results. As long as the
maximum deviation rate does not exceed the tolerable rate, the auditor can
safely rely on the control. However, it the maximum deviation rate exceeds
the tolerable rate, the auditor can conclude that the sample results do not
support the auditor's preliminary assessment of control risk and therefore
the scope of substantive tests should be increased.
 Other Sampling Applications for Tests of Controls
 Sequential Sampling
Sequential sampling can be used as an alternative form of testing controls when an
auditor expects very few deviations with the population.

Under this method, the auditor does not use fixed sample size. It is sometimes called
stop-or-go sampling because after testing the sample, the auditor makes a decision of
whether to stop or to go on with the sampling plan.
For example, if no deviations are found in the sample, the auditor may conclude that
the internal control procedure is reliable and therefore may stop the sampling plan.
Also, if the auditor observes many deviations, the auditor may terminate the sampling
plan and conclude that the planned degree of reliance on internal control is not
justified. On the other hand, if one or two deviations are found, the auditor may decide
to go on with the examination of another set of samples in an attempt to obtain more
evidence to support the planned assessed level of control risk.
 Discovery Sampling
This form of attribute sampling is most appropriate when no deviations are expected
in the population and therefore even one deviation would cause concern. This is
normally used when the auditor suspects that an irregularity might have been
committed. Under this method, the auditor determines a sample size sufficient to
discover at least one deviation to confirm whether an irregularity has occurred.
Sampling for Substantive Tests
Substantive tests are concerned with the amounts reported in the financial statements and
are of two types: substantive analytical procedures and tests of details. Substantive
Analytical procedures are performed by comparing the financial statements with the
auditor's expectations and these procedures do not involve sampling. Audit sampling is
used when performing tests of details to estimate the amount or misstatements in the
 Determination of sample size
When determining sample size tor substantive tests, the following factors must be
considered:
 Acceptable sampling risk
 Tolerable misstatement
 Expected misstatement
 Variation in the population
 Acceptable sampling risk
When determining the acceptable level of sampling risk for substantive test, the
auditor should consider the components of audit risk- inherent, control, and detection
risks. For practical purposes, the auditor uses the acceptable level of detection risk
as the acceptable sampling after giving adequate consideration to the risk that
analytical procedures may tail to detect material misstatement in account balance.
NOTE: There is an inverse relationship between the acceptable sampling risk and
the sample size: the lower the risk the auditor accepts, the larger the sample size
must be.

 Tolerable misstatement
Tolerable misstatement is the maximum amount of misstatement that the auditor will
permit in the population and still be willing to conclude that the account balance is
fairly stated. This is determined in the planning stage of the audit and it is related to
the auditor's preliminary estimate of materiality. There is an inverse relationship
between the tolerable misstatement and the sample size. A smaller measure of
tolerable misstatement will cause the sample size to increase.
 Expected misstatement
Expected misstatement is the amount of misstatement that auditor believes to exist

in the population. Like the expected deviation rate in tests of controls, the expected
amount of the misstatements may be determined based on the results of prior year's
substantive tests or pilot sample. As the expected misstatement draws near the
tolerable misstatement, the auditor needs more precise information from the sample.
There is a direct relationship between the expected misstatement and the sample
size. An increase in the amount of misstatement that the auditor expects to be present
in the population will cause the sample size to increase.
 Variation in the population
In most cases, the peso amount included in the population tends to vary significantly.
For example, an accounts receivable balance may be composed of more than 2,000
customers with individual account balances ranging from P10 to more than
P1,000,000. When using statistical sampling, this variability is measured by the
standard deviation. When a population consists of highly variable recorded amounts,
it is difficult to select a representative sample. Consequently, a larger sample size is
required as the degree of variability within the population increases. The auditor can
estimate the variation based on the prior year’s tests results or a pilot sample.
 Sample selection method

When selecting a sample tor substantive tests, the auditor may use any one of the samples
selection methods mentioned earlier. In addition to those methods, the auditor may also
use the following when performing substantive tests:
 Stratified sampling
Stratification is the process of dividing a population into sub- populations, each of

which is a group of sampling units which have similar characteristics. When
performing substantive tests, the auditor may stratify the population into meaningful
groups in order to decrease the effect of variance within the population.
When selecting a stratified sample, the sample size should be determined for each
stratum and selected from that stratum. For example, the customers’ accounts may
be stratified as follows:

Stratum Account balances No. of Sample size

customers
1 More than P1,000,000 40 100%% examination
2 P100,000 to P1,000,000 170 50 customers
2 Below P100,000 2040 100 customers
Stratification is useful to the auditor when performing substantive tests because
 It decreases the effect of variance in the population and as a result, decreases

the sample size, and
 It allows the auditor to give more emphasis to those items with higher
monetary value.
 Value weighted selection
Like the other sample selection methods, value weighted selection also allows each
item in the population to have an opportunity to be selected. However, the probability
of an item to be selected, in this method of selection, is directly proportional to the
monetary value of such item. This is the reason why this type of sampling is
sometimes called probability proportional to size sampling.
For example, if the auditor plans to select one customer from a total accounts
receivable balance of P1,000,000, a customer account balance of PI00,000 will have
a 10% (P100,000/ P1,000,000) probability of being selected.
The value weighted selection technique treats each peso, rather than each customer,
as one sampling unit. This is why it is sometimes called monetary unit sampling.
Value weighted selection is similar to stratified sampling in the sense that large
monetary values are given greater representation in the sample. These techniques
would be most appropriate when the auditor anticipates overstatement errors
because the greater the overstatement in an account, the greater the probability that
the account will be selected and the overstatements detected.
 Evaluating the results

Evaluating Sample results for substantive tests will involve the following steps:
1. Project the misstatements to the population. After performing the audit procedures to
the sample, the auditor may have identified misstatements in the sample selected. It
is important to note that such misstatements are valid only in so far as the sample
selected is concerned. Hence, the auditor should project these misstatements to the
population, to determine whether the account balance is materially misstated.
Projecting misstatements can be accomplished using:
a. Ratio estimation, or
b. Difference estimation

To illustrate, assume that the auditor sent out confirmation requests to verity the validity
or the accounts receivable. The following data are given
In terms of Value In terms of number Amount of misstatements

of customers found
Population P10,000,000 200 ?
Size P 1,000,000 24 P48,000
Using ratio estimation approach the projected misstatements is determined as follows

P 48,000 x (P10,000,000 ÷ P 1,000,000) = P 480,000
Under the difference estimation, the projected misstatements will be: P48,000 x (200
customers ÷ 24 customers) = P400.000
NOTE: Both methods basically follow the same formula:
Projected misstatement = Amount of misstatements (Population Size ÷Sample size)
The only difference between the two methods is that ratio estimation uses the book value
of the population size and sample size to project the misstatement, while difference
estimation uses the number of customers to project the misstatements to the population.
Hence, the use of ratio estimation is appropriate when the amount of misstatements found
is approximately proportional to the client's book amount.
2. Compare the projected misstatements with the tolerable misstatements and draw an
overall conclusion.
After projecting the sample misstatements to the population, the auditor will have to
compare the projected misstatement with the tolerable misstatement. If the projected
misstatement is greater than the tolerable misstatement, the auditor will conclude that
there is unacceptable risk that the account balance is materially misstated. In this case,
the auditor may:
 Examine additional sample;
 Perform suitable alternative procedures, or
 Request the client to adjust the account balance.
However, if the projected misstatement is less than the tolerable misstatement, the
auditor should consider the allowance for sampling risk. The auditor should
recognize that sampling risk increases as the projected misstatement approaches
the tolerable misstatement.
In some instances, the auditor may encounter anomalous errors. These are errors
or misstatements that arise from an isolated event that has not recurred other than
specifically identifiable occasions and are therefore not representative or errors in
the population. Such errors should be excluded when projecting sample errors to
the population. However, the effect of such errors must be considered, together
with projected errors, in order to determine the combined effect of the errors on the
account balance or transaction class.

A summary of the essential audit sampling steps is presented below
Tests of controls Substantive tests

Define the objective of the Specify the control Specify the purpose of the
test procedures to be tested. test and its relationship to
the financial statement
assertions.
Determine the procedures Determine the appropriate Determine the appropriate
to be performed audit procedures to be audit procedures to be
performed to satisfy the performed to satisfy the
objective. objective.
Define the population and Define the population and
the conditions that its characteristics
constitute a deviation.
Determine the sample size Consider the effect of the Consider the effects of the
following factors in following factors in
determining the sample determining the sample
size: size:
 Acceptable sampling  Acceptable sampling
risk (Inverse) risk (Inverse)
 Tolerable deviation rate  Tolerable misstatement
(Inverse) (Inverse)
 Expected population  Expected misstatement
deviation rate (Direct) and population variation
(Direct)
Select the sample Use any one of the Use any one of the
following techniques: following techniques and
 Random number stratify the population,
selection when appropriate:
 Systematic selection  Random number
 Haphazard selection selection
(applies only to non-  Systematic selection
statistical sampling)  Haphazard selection
(applies only to non-
statistical sampling)
 Value weighted
selection.
Apply the audit procedures Apply the audit procedures Apply the audit procedures
to the sample items. to the sample items.
Evaluate the sample results Decide whether the result Decide whether to accept
supported the planned account balance as fairly
degree of reliance stated or to require further
actions.
COMPLETING THE AUDIT and POST AUDIT RESPONSIBILITIES

After the fieldwork is almost complete, a series of procedures are generally carried out to
complete the audit. These procedures include:
 Identifying subsequent events that may affect the financial statements under audit;
 Identifying litigation and claims;

 Obtaining written management representation, and

 Performing wrap-up procedures.
Subsequent Events are those events or transactions that occur subsequent to the financial
statement date that may affect the financial statements and the auditor's report.
NOTE: For audit purposes, the auditor is only concerned with those events that occur
subsequent to the financial statement date, but before the date of the auditor's report.
Subsequent events may be classified as cither requiring adjustment or disclosure n the
 Requiring Adjustment- those that provide further evidence of conditions that
existed at the financial statement date such
o Settlement of litigation in excess of the recorded liability; or
o Loss on uncollectible receivables as a result of customer's deteriorating
financial condition.
 Requiring Disclosure- those that are indicative of conditions that arose after the
financial statement date. For example:
o Issuance of stocks or bonds after the financial state
o Loss on inventory due to fire that occurred in the subsequent period, or
o Loss on uncollectible receivable because of a major casualty suffered by
that customer after the financial statement
Procedures to identify subsequent events
According to PSA 560, "The auditor should perform procedures designed to obtain
sufficient appropriate evidence that all events up to the date of the auditor's report that
may require adjustment of, or disclosure in, the financial statements have been identified."
These procedures would ordinarily include:
1. Inquiring of management as to the occurrence of subsequent events,
2. Reviewing procedures management has established to ensure that subsequent
events are identified,
3. Reading the minutes of board of directors and stockholder’s meetings after the
financial statement date;
4. Reading the latest available subsequent interim financial statements as well as
management reports such as budgets and forecasts; and
5. Inquiring of the entity's lawyers concerning litigation, claims, and assessments.
If, as a result or applying the above procedures, the identifies subsequent events that
auditor require adjustment of, or disclosure in, the financial statements, the auditor should
determine whether such event is appropriately reflected in the financial statements. In
addition, the auditor should request management to provide a written representation that
all subsequent events requiring adjustment or disclosure have been adjusted or disclosed
in the financial statements in accordance with the applicable financial reporting framework.
Subsequent Events Occurring After the Auditor's Report Date but Before the
Financial Statements are Issued
The auditor does not have any responsibility to perform procedures to identify subsequent
events occurring after the date of the auditor's report. During this period, it is the

responsibility of the management to inform the auditor of events that may affect the
financial statements. lf the auditor becomes aware of an event occurring after the date of
the report but before the issuance of the financial statements, the auditor should take the
necessary actions to ascertain whether such event has been properly accounted for and
disclosed in the financial statements.
Failure on the part of the client to make appropriate amendments to the financial
statements, where the auditor believes they need to be amended, will cause the auditor
to issue either qualified or adverse opinion.
In the event that the auditor's report has been released to the entity, the auditor would
notify those persons ultimately responsible for the overall direction of an entity not to issue
the financial statements. If the financial statements are subsequently released, the auditor
needs to take action to prevent reliance on auditor's report.
Effect of Subsequent Events on the Date of the Auditor’s Report
Generally, the auditor’s report should be dated completion of the essential audit
procedures. The auditor's report is important because it is the date when the auditor's
responsibility for subsequent events ends This date informs the readers of the financial
statements that the auditor has considered the effect of subsequent events that occurred
up to the date of the report.
A question regarding the dating or the report arises when subsequent events occur after
the date of the auditor s report, but before the issuance of the financial statements. It is to
be emphasized that the auditor is not responsible to perform audit procedures to identity
subsequent events after the date of the auditor's report. During the period from the date
of the auditor's report, to the date the financial statements are issued, the responsibility to
inform the auditor of facts which may affect the financial statements rests with
management.
If a material subsequent event requiring adjustment to the financial statements occurs
after the date of the auditor s report but before the issuance of the financial statements,
the financial statements should be adjusted and the auditor's report should bear the
original date of the report. The fact that the current event required adjustment of the
financial statement simply means that the condition already existed as of the financial
statement date and did not actually subsequent period. s
On the other hand, subsequent event requiring disclosure occurs during this period, the
auditor should consider the adequacy of disclosure and should date the report either:
 As of the date of the subsequent event
 Dual date the report.
When the auditor decides to date the report as of the date of the subsequent event, the
auditor's responsibility for the subsequent events is extended up to subsequent event
date: Consequently, the auditor will also have to extend the subsequent event review
procedures to identity other subsequent events which may have transpired from the
original audit report date up to the new audit report date.
If the auditor does not want to extend the subsequent event review procedures anymore,
the auditor may dual date the report. When dual dating the report, the auditor's

responsibility for subsequent events, occurring after the original date of the report, is
limited only to the specific event referred to in the note. The following is an illustration of a
dual dater report: "February 14. 20X2, except as to Note Y, which is as of March 5, 20X2."
As An alternative to dual dating, the auditor is also permitted, under PSA 560, to issue a
report that includes an Emphasis of Matter paragraph or Other Matter paragraph stating
that the auditor's procedures on subsequent events, occurring after the original report
date, are restricted solely to the specific event referred to in the relevant note to the
Litigation and Claims
Litigation and claims involving the entity may have a material effect on the financial
statements. It is the managements responsibility to adopt policies and procedures that will
identify, evaluate, and account for litigation and claims as a basis for the preparation of
financial statements in conformity with applicable financial reporting framework.
PSA 501 requires the auditor to carry out procedures in order to become aware of litigation
and claims involving the entity which may have a material effect on the financial
statements. Some of the effective audit procedures that can be performed to litigation and
claims include:
 Inquiry of management
 Reading minutes of meetings and correspondence with lawyers; and
 Reviewing legal expense account
In addition, the auditor should request management to provide written representations that
all known actual or possible litigation and claims have been disclosed to the auditor and
that the effects have been properly accounted for and disclosed in accordance with the
applicable financial reporting framework.
 Letter of Inquiry
The entity 's management is the primary source of information about litigation and claims.
The auditor corroborates the information obtained from management by sending a letter
of audit inquiry to external legal counsel with whom the client has consulted concerning
those matters. Direct communication with the entity's legal counsel assists the auditor in
obtaining sufficient appropriate audit evidence as to whether potentially material litigation
and claims are known and whether management's estimates of the financial implications
are reasonable.
In certain circumstances, the auditor may deem it necessary to meet with the entity's
external legal counsel to discuss the likely outcome of the litigation or claims. This may be
the case where:
 The auditor determines that the matter is a significant risk,
 The matter is complex; or
 There is disagreement between management and the entity's external legal
counsel.
Ordinarily, such meetings require management's permission and are held with a
representative of management in attendance.

 Effect on the Auditor's Report

Refusal by the management to give the auditor permission to communicate with the
entity's lawyer or the lawyer's refusal to reply to the auditor's letter of inquiry, would be
considered a scope limitation that would result to either qualified or disclaimer of opinion
on the financial statements.
Written Management Representation
PSA 580 requires an auditor to obtain sufficient appropriate audit evidence that the entity's
management:
 Has acknowledged that it has fulfilled its responsibility for the preparation and
presentation of fair financial statements, and
 Has approved the financial statements.
Such evidence is acquired by obtaining a written representation from management. The
auditor shall request written representations from management with appropriate
responsibilities for the financial statement and knowledge of the maters concerned.
Written representations are normally requested from the entity's chief executive officer
and chief financial officer, or other equivalent persons in entities that do not use such titles.
 Written Representations as Audit Evidence
Written representations are an important source of audit evidence. If management
modifies or does not provide requested written representations, it may alert the auditor
other issue affecting the financial statements. Further, a request for written to rather than
oral, representations may prompt management consider the matter more rigorously,
thereby enhancing the quality of evidence.
Although written representations provide necessary evidence, they do not provide
sufficient appropriate audit evidence on their own about any of the matters with which they
deal. Furthermore, the fact that management has provided reliable written representations
does not affect the nature or the extent of other audit evidence that the auditor obtains
about the fulfilment of management's responsibilities, or about specific assertions.
Management written representations complement the audit evidence the auditor
accumulates, but they do not substitute for the performance of audit procedures designed
to obtain necessary evidence for the expression of an opinion.
 Form and Content of Written Representations
The written representations shall be in the form of representation letter from management.
This letter sha include:
 A representation that management has fulfilled its responsibility for the preparation
and presentation of financial statements as set out in the terms of the engagement
 A representation that the financial statements are prepared and presented in
accordance with the applicable financial reporting framework,
 A representation that management has provided the auditor with all relevant
information agreed in the terms of the engagement, and that all transactions have
been recorded and reflected in the financial statements;

 A representation that describes managements responsibilities as described in the

terms of the engagement, and
 Other representations required by other PSAs.
 Basic Elements of a Written Management Representation
 The written representation should be addressed to the auditor;

 The date of the written representations shall be as near as practicable to, but not
after, the date of the auditor’s report, and
 The written representation should be signed by the appropriate level of
management who has the primary responsibility for the financial statements.
Ordinarily, written representation is signed by the chief executive officer and the
chief financial officer or their equivalent because they are usually the ones
responsible for the preparation and fair presentation of the financial statements.
 Management's Refusal to provide Written Representations

Written representations are an important source of audit evidence. If management
modifies the requested written presentations, it may alert the auditor to the possibility that
one or more significant issues may exist. When management does not provide written
representations or the auditor concludes that there is sufficient doubt about the integrity
of management, the auditor should consider these as scope limitation that would warrant
a disclaimer of opinion
Wrap-up Procedures
Wrap-up procedures are those procedures done at the end of the audit that generally
cannot be performed before the other audit work is complete. These include:
 Final analytical procedures;
 Evaluation of the entity's ability to continue as a going concern and
 Evaluating audit findings and obtaining client’s approval for the proposed adjusting
entries.
 Final Analytical Procedures

Analytical procedures are required to be performed in the planning and overall review
stages of the audit. The auditor should apply analytical procedures at or near the end of
the audit when forming an overall conclusion as to whether the financial statements as a
whole are consistent with the auditor's knowledge of business. Analytical procedures
applied in the completion phase of the audit should focus on
 Assessing the validity of the conclusions reached and evaluating the overall
financial statement presentation, and
 Identifying unusual fluctuations that were not previously identified.
The conclusions drawn from the results of analytical procedures performed in final review
stage of the audit are intended corroborate conclusions formed during the audit of
individual components or elements of the financial statements. This assists the auditor to
draw reasonable conclusions on which to base auditor’s opinion. Additionally, the results

of such analytical procedures may identify a previously unrecognized risk of material

misstatement. In such circumstances, the auditor should consider the need to perform
further audit procedures accordingly.
 Evaluation of the entity's ability to continue as a going concern
The going concern assumption is a fundamental principle in the preparation of the financial
statements. An entity's continuance as a going concern is assumed in the preparation of
financial statements in the absence of information to the contrary.
 Management's responsibility
IAS 1 contains an explicit requirement for management to make a specific assessment of
the entity's ability to continue as a going concern. This assessment should take into
account all available information for the foreseeable future, which should be at least, but
is not limited to, twelve months from the financial statement date.
 Auditor's responsibility
The auditor's responsibility is to consider the appropriateness of management use of the
going concern assumption in the preparation of the financial statements. For this purpose:
1. The auditor should consider whether there are events or conditions which may cast
significant doubt on the entity's ability to continue as a going concern
2. In addition, the auditor should evaluate management's assessment of the entity's
ability to continue as a going concern.
Examples of conditions or events that may cast significant doubt about the going concern
assumption include:
 Non-compliance with the terms of loan agreements or other statutory
requirements,
 Pending major legal or regulatory proceedings
 Changes in legislation or government policy expected to adversely affect the entity.
 Net liability or net current liability:
 Substantial operating losses:
 Inability to pay creditors on due dates: and
 Loss of major market, franchise, license or principal supplier.
When evaluating the entity’s going concern assumption, the auditor should remember that
the conditions and events that may indicate significant doubt about entity’s continued
existence can be mitigated by other factors.
For example, the effect of an entity’s not being able to make its normal debt repayments
may be mitigated by managements plans to maintain adequate cash flows by alternative
means such
a. Disposal of assets
b. Rescheduling of loan repayments: or
c. Obtaining additional capital.
Effect on the auditor's report

After the auditor has carried out the necessary audit procedure obtained the required
information, and considered the effects of the management plans, the auditor should
determine whether the questions raised regarding going concern hare been satisfactory
resolved.
If the use of the going concern assumption is appropriate and no material uncertainties
exist, the auditor may issue an unmodified opinion on the financial statements. If there is
a material uncertainty about the entity's ability to continue as a going concern, the auditor's
report will depend on whether this going concern uncertainty is adequately disclosed. If
the going concern uncertainty is adequately disclosed, the auditor should issue an
unmodified opinion with a separate section "Material Uncertainty Related to Going
Concern." This section should draw the readers to the disclosure that discusses the going
concern uncertainty.
If the auditor believes that the going concern uncertainty is not adequately disclosed, the
auditor should express either qualified opinion or adverse opinion. lf the going concern
assumption is not appropriate, the financial statements should be prepared using another
appropriate basis. Otherwise, the auditor should express an adverse opinion.
 Evaluating audit findings and preparing a list of potential adjusting entries.
After evaluating the evidence obtained, the auditor should decide whether to accept the
financial statements as fairly stated or to request management to revise the statements.
Material misstatements discovered during the audit must be corrected by mending
appropriate adjusting entries. If management accepts all the adjusting entries proposed
by the auditor, an unmodified report is issued on the financial statements. On the other
hand, if management refuses to correct the financial statements for these material
misstatements, the auditor should issue a qualified adverse opinion.
Post Audit Responsibilities: Events after the Financial Statements are Issued
Ordinarily, the auditor does not have any responsibility to perform additional procedures
atter the financial statements are issued. However, when the auditor becomes aware that
the report issued in connection with the financial statements may be inappropriate, the
auditor must take steps to prevent future reliance on such report.
 Subsequent discovery of facts
The auditor has no obligation to make any inquiry regarding previously issued financial
statements unless the auditor becomes aware of a material fact,
 which existed at the date of the auditor's report; and
 which, if known at that date, may have caused the auditor to modify the report.
This is dangerous because users may be relying on misleading financial statements.
When the auditor becomes aware of this type of information, the auditor should:
a. Discuss the matter with the appropriate level of management and consider whether
the financial statements need revision, and
b. Advise management to take the necessary steps to ensure that users of the previously
issued financial statements are informed of the situation.

If the management makes the appropriate revisions and disclosure to the users of the
financial statements, the auditor should issue a new auditor's report that includes an
emphasis of a matter paragraph to highlight the reason for the revision of the previously
issued financial statements.
In the event that management refuses to revise the financial statements or to inform the
users about the newly discovered information, the auditor should notify those persons
ultimately responsible for the direction of the entity about the management’s refusal and
about his intent to prevent users from relying on the auditor's report.
 Subsequent discovery of omitted procedures
Auditors are not required to review the working papers once the audit report is issued.
However, CPA firm's internal inspection program may disclose the omission of auditing
procedures considered necessary at the time of the audit. In this situation, the auditor
should follow these guidelines:
1. Assess the importance of the omitted procedure
An omitted procedure is considered important if such omission impairs the auditor's

ability to support the previously issued opinion on the financial statements. Evaluating
the impact of an omitted procedure would depend on the type of substantive evidence
it would have produced; and whether there were other procedures performed that
provide the same type of evidence as the procedure omitted.
The results of other audit procedures, performed during the audit, may compensate
for or make the omitted procedure less important. In determining whether there were
other procedures applied that could compensate for the omitted procedure, the auditor
may
 Review the working papers,

 Discuss the circumstances with the engagement personnel: and
 Reevaluate the scope of the audit.
2. Undertake to apply the omitted procedures or the corresponding alternative

procedures.
If the auditor determines that the omission of the procedures is important because it
impairs the auditor's ability to support the previously issued opinion, and the auditor
believes that there are persons currently relying, or likely to rely on the report, the
auditor should promptly apply the omitted procedures or the corresponding alternative
procedures.
The result of applying the omitted procedure may indicate, whether or not, material
misstatements exist. If, after applying the omitted procedures, the auditor determines
that the financial statements are materially misstated and that the auditor's opinion
was inappropriate, the auditor should discuss the matter with the management and, if
necessary, should take steps to prevent future reliance on the report.


Unit 4 Understanding Internal Control

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Unit 4 Understanding Internal Control

Uploaded by

Copyright:

Available Formats

Introduction to Auditing Page 1 of 60

“Not intended for publication. For classroom instruction purposes only”.

Unit IV – Understanding the Internal Control Environment

At the end of the unit, you will be able

Thank you for answering the test. Please

The next section is the content of this unit. It

“Not intended for publication. For classroom instruction purposes only”.

Employee fraud is often accompanied by false or misleading records or documents in

“Not intended for publication. For classroom instruction purposes only”.

 Individuals charged with governance of an entity to ensure the integrity of an

 Management's assessment of risks due to fraud,

 Controls established to address the risks, or

“Not intended for publication. For classroom instruction purposes only”.

“Not intended for publication. For classroom instruction purposes only”.

 Discuss the matter and the approach to further investigation with an

 Attempt to obtain evidence to determine whether a material fraud in fact exists

 the management acknowledges its responsibility for the implementation and

 it believes the effects of those uncorrected financial statement misstatements

“Not intended for publication. For classroom instruction purposes only”.

“Not intended for publication. For classroom instruction purposes only”.

 Use the existing knowledge of the entity’s industry and business,

 Reading minutes of meetings;

 The potential financial consequences, such as fines, penalties, damages,

“Not intended for publication. For classroom instruction purposes only”.

“Not intended for publication. For classroom instruction purposes only”.

c. Operating Characteristics and Financial Stability.

 There is excessive interest by management in maintaining or increasing the

 Management commits to analysts, creditors and other third parties to achieving

 Management has an interest in pursuing inappropriate means to minimize reported

 Management is dominated by a single person or a small group without

 Management does not monitor significant controls adequately.

 Management tails to correct known material weaknesses in internal control on a

“Not intended for publication. For classroom instruction purposes only”.

 Management sets unduly aggressive financial targets and expectations tor

 Management displays a significant disregard tor regulatory authority.

 Management continues to employ ineffective accounting, information technology

 Unreasonable demands on the auditor, including unreasonable time constraints

 Domineering management behavior in dealing with the auditors, especially

 A high degree of competition or market saturation, accompanied by declining

“Not intended for publication. For classroom instruction purposes only”.

 A declining industry with increasing business failures and significant declines in

 Rapid changes in the industry, such as high vulnerability to rapid changing

“Not intended for publication. For classroom instruction purposes only”.

Fraud Risk Factors Relating to Misstatements Resulting from Misappropriation of

“Not intended for publication. For classroom instruction purposes only”.

conclusion reached as a result of assessing control risk is referred to as the assessed

 Internal control is effected by those charged with governance, management and

 Internal control can be expected to provide reasonable assurance of achieving the

o Management's usual requirement that the cost of an internal control should

“Not intended for publication. For classroom instruction purposes only”.

o Most internal controls tend to be directed at routine transactions rather than

o The potential for human error due to carelessness, distraction, mistakes of

o The possibility of circumvention of internal controls through the collusion

o The possibility of management overriding the internal control, and

o The possibility that procedures may become inadequate due to changes in

 Internal control is designed to help achieve the entity's objectives.

a. Operational Objective- Effectiveness and efficiency of operations,

“Not intended for publication. For classroom instruction purposes only”.

“Not intended for publication. For classroom instruction purposes only”.

A. Performance reviews. These control activities include reviews and analyses of

B. Information processing. A variety of controls are performed to check accuracy,

C. Physical controls. These activities encompass the physical security of assets,

D. Segregation of duties. Assigning different people, the responsibilities of