Assurance engagement
- Key elements: practitioner, intended users, responsible party, subject matter, criteria, evidence,
written report
Level of assurance
- Reasonable assurance
+ Risk: reduce to acceptably low level
+ Opinion: expressed positively (In our opinion, “subject matter” is fairly represented (is true and fair))
+ Scope of work: more evidence, more procedures
+ Examples: audit engagement
- Limited assurance
+ Risk: reduce to acceptable level
+ Opinion: expressed negatively (nothing has come to our attention that …)
+ Scope of work: less evidence, fewer procedures
+ Examples: review engagement, assurance of forecast (prospective financial information)
Benefits of assurance
- Key benefit: Independent, professional verification (enhances credibility/reliability and confidence
of intended users)
- Easier to raise finance (borrowings from bank)
- Identify frauds and errors
- Deficiencies are highlighted to intended users
- Help investors to make informed decisions
Limitation of assurance
- Testing is used
- Inherent limitations of accounting systems
- Evidence is persuasive rather than conclusive (for example, an auditor who wants to confirm land use
rights will inspect the land use right certificate; however, the auditor has neither the responsibility
nor the ability to determine whether that certificate is genuine or forged. The certificate therefore
only persuades the auditor that the entity holds the land use rights; it does not guarantee 100% that
the entity holds them)
- Not all items are tested
- Related to areas which are subjective and require professional judgement
- Rely on information provided by responsible party
- Accounting estimate
Expectation gap (please read study manual and also refer to chapter 4 for expectation gap)
Statutory audit
- Practitioner: auditor
- Intended users: mostly shareholders
- Responsible party: board of directors
- Subject matter: financial statements
- Criteria: law and accounting standards (UK: UK GAAP, IFRS, Vietnam: VAS)
- Evidence and written report
Audit exemption in UK
- Two out of 3 criteria are met:
+ Revenue no more than 10.2m (no more means less than or equal to)
+ Total assets no more than 5.1m (no more means less than or equal to)
+ 50 or fewer employees on average (exactly 50 also counts as meeting the criterion)
Who can be assigned to an audit engagement:
- Individual holding an appropriate qualification (a sole practitioner who holds an audit qualification)
- Firms controlled by qualified persons (audit firms, which are naturally run by people who hold audit
qualifications)
Who cannot be assigned to an audit engagement:
- Officer or employee of the company
- Partner or employee of such a person (the people in the line above)
- Any partner in a partnership in which such a person is a partner (those who co-own a partnership
together with the people above)
- Ineligible by the above for appointment as auditor of any directly connected companies
Auditors in the UK must conduct audits in accordance with International Standards on Auditing (ISAs).
Stages of an audit
- Obtaining the engagement (Acceptance)
- Planning
- Performing procedures (Execute)
- Review and completion (Evaluate)
- Reporting
Objectives of auditor
- Obtain reasonable assurance and express opinion
- Report on the financial statements in accordance with findings
To do so, auditor must:
- Ethical requirement
- Professional skepticism (applying questioning mind): be alert to
+ Evidence that contradicts (is inconsistent when set against other evidence)
+ Question the reliability of documents provided
+ Possible fraud
+ The need for audit procedures in addition to those required.
- Professional judgement (determine appropriate course of actions)
+ Materiality and risk
+ Nature, extent and timing
+ Evaluate evidence, whether sufficient and appropriate
+ Evaluate management’s judgements
+ Drawing conclusion
- Obtain appropriate and sufficient engagement
Chap 2: Process of assurance: obtaining an engagement
Obtaining an engagement
- Advertise for clients within professional guidelines
- Invited to tender
Accepting an engagement
- Ensure professionally qualified
- Ensure existing resource adequate
- Obtain references
- Communicate with present auditors
After accepting an engagement
- Ensure outgoing auditor’s removal or resignation has been properly conducted
- Ensure new auditor’s appointment is valid. Obtain copy of resolution passed at general meeting.
- Submit letter of engagement to directors
Money laundering regulations
- Checking identity of client:
+ Individuals: photograph, name, permanent address, passport, driving license
+ Companies: certificate of incorporation, registered address, list of shareholders and directors
Purpose of engagement letter:
- Define the extent of auditor’s responsibilities
- Written confirmation of acceptance
What must be included in engagement letter (compulsory)
- Objective of audit
- Scope of work
- Auditor’s responsibilities
- Reporting framework
- Management’s responsibilities
- Form of any reports
Other things may be included in engagement letter (optional, not compulsory)
- Form of any other communication
- Test nature and inherent limitations of an audit
- Planning
- Expectation of receiving written confirmation of representation (representation letter)
- Agreement of client to provide information on time
- Basis of calculating fees
- Request client to confirm the terms of engagement
- Arrangement with other auditors and experts
- Arrangement with internal auditors
- Arrangement with predecessor auditor
- Restriction on auditor’s liability
- Further agreement
- Obligations of auditors to other parties (bank, tax authority, etc.)
Chap 3: Process of assurance: planning the assignment
Planning
- Audit strategy: scope, timing and direction of audit, guides to development of audit plan.
- Audit plan: nature, extent and timing to be performed.
Purpose of planning:
- Attention to important areas
- Identify problems and resolve them timely
- Ensure audit is properly organized and managed
- Assign work properly
- Facilitate direction and supervision of team members
- Facilitate review of work
Steps of planning:
- Ethical requirement
- Terms of engagement are understood
- Establishing overall audit strategy
+ Relevant characteristics of engagement, eg. Reporting framework
+ Key dates
+ Materiality, preliminary risk assessment, whether test of controls is used
+ When work is to be carried out
+ Team member available
- Develop audit plan
+ Understanding the entity’s environment: economic factors, industry conditions, characteristics of
client, competence of management
+ Understanding the accounting and internal control systems: accounting policies, effect of new
auditing and accounting standards, auditor’s cumulative knowledge of client
+ Risk and materiality: assessments of risks, setting materiality, possibility of material
misstatements, complex accounting areas
+ Nature, extent and timing: Possible change of emphasis on specific audit areas, effect of IT on
audit.
+ Direction, supervision and review: Number of locations, staffing requirement, need to do inventory
count at client premises
+ Other matters: Going concern, conditions requiring special attention (eg covid-19), terms of
engagement, nature and timing of reports.
Understanding the entity and its environment
- Reason: identify and assess the RoMM (risk of material misstatements), to design and perform
further audit procedures, provide frame of reference for exercising audit judgement
- What to understand?
+ External factors: industry, regulatory, reporting framework, others
+ Internal factors: nature of entity, accounting policies, objectives, strategy of business, business
risks, entity’s financial performance, internal control
- How to understand? Inquiry of management, analytical procedures, observation, inspection, prior period
knowledge, discussion among the team of the susceptibility of the financial statements to material
misstatements
Analytical procedures: analysis of relationships among data (both financial and non-financial)
- Comparison between: comparable information for periods (eg this year vs last year), anticipated
results (actual vs budget), similar industry information (information about other competitors within
same industry)
- Relationships between: financial information and relevant non-financial information (payroll cost vs
number of employees), elements of financial information with predictable pattern (eg rental
expenses)
Possible source of information for analytical procedures:
- Interim financial information, budgets, management accounts, non-financial information, bank and
cash records, VAT returns, board minutes, discussions or correspondence with client at year end.
Key accounting ratios: please remember all formulas on pages 50-51 of the study manual (especially for
performance, short-term liquidity and efficiency; long-term solvency is less likely to come up in the
exam than the other sections).
Materiality (overall materiality - OM): a matter is material if its omission or misstatement could
influence the decision of users.
Performance materiality (PM): amount set by the auditor, less than materiality, so that the aggregate of PM and
uncorrected and undetected misstatements would not exceed materiality (OM).
Materiality is considered throughout the audit when:
- Identifying and assessing the risks of material misstatement (Planning stage)
- Determining the nature, timing and extent of further audit procedures (Execute stage)
- Evaluating identified misstatements (Evaluate stage).
Materiality will help auditors to decide:
- How and what items to examine (items larger than materiality need to be tested)
- Use sampling techniques (if materiality is small, test all rather than sampling)
- Level of misstatement that is likely to lead to an unmodified opinion (misstatements which are higher than
PM will lead to a modified opinion)
Benchmark for overall materiality:
- Profit before tax (PBT) 5-10%
- Revenue 0.5-1%
- Total assets 1-2%
Benchmark for performance materiality:
- Calculated as a percentage of overall materiality. The percentage requires professional judgement to
provide a margin of safety.
- The lower the PM, the more work needs to be done and the lower the detection risk.
Audit risk: risk that auditor expresses inappropriate audit opinion
- Audit risk = RoMM + Detection risk
- RoMM = Inherent risk + Control risk
Inherent risk: risk which is inherent to a type of business
Control risk: risk that internal control is not properly designed or not effective
Detection risk: risk that auditor cannot detect material misstatements.
Audit risk is pre-determined, hence, must be fixed to an acceptable level. This means if the RoMM is
high, detection risk must be lower to compensate, which will result in lower PM and more work to do.
And vice versa.
Steps to identify and assess risk:
- Identify risks
- Assess identified risk and what could go wrong?
- Consider the impact
- Consider the likelihood
Significant risk:
- Risk of fraud
- Significant economic, accounting and other development
- Complexity of transaction
- Related party transactions
- Degree of subjectivity
- Unusual transaction
Unusual transactions are higher risk because they have more:
- Management intervention
- Manual intervention
- Complex accounting principles and calculations
- Control procedures may not be followed
Related party transactions:
- Materiality in nature
- Need fully disclose in financial statements
- Inherently risky because auditor may not be aware that a party is related.
Fraud and error:
- Fraud: intentional
- Error: unintentional
Types of fraud:
- Misappropriation of assets
- Fraudulent financial reporting
Fraud is higher risk because:
- Fraud may involve complex transactions to conceal
- Fraud may relate to collusion
- Management fraud is harder to detect because they can manipulate accounting records and override
controls.
Responsibility of auditor relating to fraud:
- Identify and assess RoMM due to fraud
- Obtain evidence regarding these risks
- Respond appropriately to actual and suspected fraud identified
Expectation gap
- Statement of financial position provides a fair valuation of entity
- Amounts in FS are stated precisely
- Audited FS guarantee the entity will continue to exist
- All items are tested
- Auditor will cover all errors
- Auditor will detect all fraud
- Auditor provides absolute assurance.
Other report (please read the study manual for this part; it is quite similar to an audit report, with only some
elements different because it applies to other types of assurance engagement).
Chap 4: Process of assurance: evidence and reporting
There are 2 types of test: tests of controls and substantive procedures
Tests of controls: procedures designed to evaluate effectiveness of internal control system.
Substantive procedures: procedures designed to detect material misstatements at assertion level.
There are two types of substantive procedures: tests of details and substantive analytical procedures (SAP).
Evidence obtained needs to be sufficient (enough in quantity) and appropriate (enough in quality).
Quantity of evidence to be obtained depends on the level of risk and is also affected by the quality of evidence.
Quality of evidence:
- External source is more reliable than internal source
- Obtained directly by auditors is more reliable than obtained indirectly
- Evidence is more reliable when related control systems operate effectively
- Documentary evidence is more reliable than oral evidence
- Original documents are more reliable than photocopies or facsimiles (fax)
Assertions:
- Account balances (balance sheet items) and related disclosure:
+ Existence (eg: do the assets recorded in the books actually exist?)
+ Rights and obligations (eg: assets stored in our warehouse on behalf of a third party; the assets exist,
but we have no rights over them).
+ Completeness (eg: are the assets that actually exist fully recorded in the books?)
+ Accuracy (valuation, allocation) (eg: are depreciation of fixed assets, the allowance for doubtful
receivables, … calculated correctly?)
+ Classification
+ Presentation
- Class of transactions, events (income statement items) and related disclosure
+ Occurrence (similar to existence for assets, but for transactions)
+ Completeness (similar to completeness for assets, but for transactions)
+ Accuracy (similar to accuracy for assets, but for transactions, eg: are exchange differences
calculated correctly, …)
+ Cut-off (eg: revenue of the next period is deliberately moved into this period to inflate revenue and
hit the sales target, so that the director earns a bonus, …)
+ Classification
+ Presentation
Tests of controls are used only when the auditor has determined that the client’s internal controls can be relied on
Substantive procedures must always be carried out on material items
Auditor must also carry out the following substantive procedures:
- Agreeing the FS to the underlying accounting records
- Examining material journal entries
- Examining other adjustment in preparing FS.
Data analytics may help auditors to test 100% of items but cannot fully replace the auditor in areas that require
professional judgement.
Content of auditor’s report:
- Explicit opinions (opinions that must always be stated)
+ State of company’s affairs
+ Company’s profit or loss
+ Financial reporting framework
+ Requirement of Companies Act 2006
+ Information in strategic report and directors’ report is consistent with financial statements
- Implicit opinions (included only by exception, i.e. stated only when an exception arises and the requirement is not met)
+ Adequate accounting records
+ Returns adequate for the audit
+ Financial statements are in agreement with accounting records and returns
+ All information and explanations have been received by auditors
+ Details of directors’ benefits are disclosed
+ Particulars of loans and other transactions with directors
- Basic element:
+ Title
+ Addressee
+ Basis for opinion
+ Going concern (if there is an issue with the entity’s ability to continue as a going concern)
+ Key audit matters (areas with high risk (always), areas of significant auditor and management
judgement (always), significant transactions or events (depends on circumstances))
+ Other information
+ Responsibilities of management
+ Responsibilities of auditors
+ Opinion on other matters
+ Matters to be reported by exception
+ Name of engagement partner
+ Signature of engagement partner
+ Address of auditor
+ Date of report
Chap 5: Introduction to internal control
Internal control
- Process designed, implemented and maintained to mitigate risks to the business and ensure that the
business operates effectively and efficiently
Reasons for internal controls:
- Minimizing business risks
- Ensure business runs effectively and efficiently
- Compliance with law and regulations
Limitations of internal controls
- Human element
- Collusion
- Unusual transactions
Components of internal controls
- Control environment
- Control activities
- Information system
- Risk assessment
- Monitoring of controls
Control environment:
- Definition: governance and management functions, and the awareness, attitudes and actions of those
charged with governance and of management concerning internal controls and their importance.
The audit committee is an important aspect of the control environment:
- Comprises non-executive directors
- Responsibility of audit committees:
+ Review integrity of FSs and formal announcements relating to company’s performance
+ Review internal financial controls and company’s risk management system
+ Monitor and review effectiveness of company’s internal audit
+ Make recommendations to the board in relation to the external auditor
+ Monitor the independence of the external auditor
+ Implement policy on provision of non-audit services by the external auditor
- Key issue for audit committees:
+ Financial statements, information system
+ Supervising the identification of risks and monitoring of controls
Risk assessment process
- Identify relevant business risks. Business risks are risks that could affect an entity’s ability to achieve
its objectives and strategies, or that arise from setting the wrong objectives and strategies (remember the
primary objective of a profit-oriented organization is maximizing profit and shareholders’ wealth)
- Estimate significance (impact)
- Assess the likelihood
- Decide actions
Information system
- Process to initiate, record, process and report entity transactions and maintain accountability for
assets, liabilities and equity
- Auditor will be interested in
+ Classes of transactions that are significant to financial statements
+ Procedures by which transactions are initiated, recorded, processed, corrected and reported
+ Related accounting records and supporting information
+ How information system captures events other than transactions, but significant to the FSs
+ Process of preparing FSs
Types of control activities
- Authorisation
+ Approval of transactions/documents
- Performance review
+ Actual vs budget
+ Relating different sets of data
+ Internal data vs external data
+ Review of functional and activity performance
- Information processing
+ Controls to check accuracy, completeness and authorization of transactions. Include: general
controls, application controls
- Physical controls
+ Physical security
+ Authorization for access
+ Periodic counting
- Segregation of duties
+ Assigning to different individuals the responsibilities of: authorising transactions, recording
transactions, custody of assets
Application controls: controls that relate to the business process level
- Control over input: completeness
+ Manual or programmed agreement of control totals
+ Document counts
+ One-for-one checking of processed output to source documents
+ Matching input to an expected input control file
+ Procedures over resubmission of rejected data
- Control over input: accuracy
+ Check data field
+ Scrutiny of output and reconcile to source
+ Agreement of control totals
- Control over input: authorization
+ Ensure information input was authorized and input by authorized personnel
- Control over processing
+ Similar controls to input must be completed when input is completed
+ Screen warning
- Controls over master files and standing data
+ Checking master files to source documents
+ Cyclical review of all master files and standing data
+ Record counts
+ Controls over the deletion of accounts that have no current balance (closed items)
General controls: controls that relate to many applications
- Development of computer applications:
+ Standards over system design, programming and documentation
+ Full testing procedures
+ Approval by computer users and management
+ Segregation of duties for design and testing
+ Installation procedures
+ Training staff
- Prevention or detection of unauthorized changes to programs
+ Segregation of duties: between people who authorize access and people who make changes to programs
+ Full records of changes
+ Password protection
+ Restricted access to central computer
+ Maintenance of program logs
+ Virus checks
+ Back-up copies
+ Control copies of program
+ Stricter controls by use of read only memory
- Testing and documentation of program changes
+ Complete testing procedures
+ Documentation standards
+ Approval of changes
+ Training staff
- Controls to prevent wrong programs or files being used
+ Operation controls
+ Libraries of programs
+ Proper job scheduling
- Controls to prevent unauthorized amendments to data files
+ Set password
- Controls to ensure continuity of operation
+ Storing extra copies of programs and data files
+ Protection of equipment
+ Back-up power sources
+ Emergency procedures
+ Disaster recovery procedures
+ Maintenance agreements, insurance
Cyber security risks:
- Human threats
- Fraud
- Deliberate sabotage
- Viruses and other corruptions
- Malware
- DoS attack
ICAEW’s suggestions for organizations to combat cyber risk
- Communication is a key barrier to common understanding and discussion
- Organisational structures need to define responsibility and accountability for cyber security.
- Board-level accountability for cyber risks needs to be determined
- Non-executive directors and audit committees also need to play a part
Monitoring of controls
- Often taken by internal audit
- For smaller entities which do not have internal audit, the company may make use of external audit
Source of information about controls:
- Manual or SOP (standard operating procedures) of control activities
- Copies of internal control policies
- Enquiry of company’s staff
- Last year’s audit working papers (do note that the client’s control system may change this year)
Recording of controls
- Narrative notes: good for simple things, background information
- Questionnaires and checklists: good as a memory aid and to cover all bases
- Diagrams: good when things are more complex.
+ Flowcharts: recording systems
+ Organisational chart, family tree: recording relationships, reporting lines
Walk through procedures
- Tracing a few transactions through the financial reporting system
- Confirm that the auditor has correctly understood how the controls are supposed to operate.
- Not test of controls