Professional Documents
Culture Documents
ADVANCED LEVEL
STUDY TEXT
Page 1
CONTENT
Page 2
Audit under taxation laws
Other special audit assignments
Forensic accounting
Page 3
CONTENT
Page 4
TOPIC 1
ASSURANCE AND NON-ASSURANCE
ASSURANCE AND NON-ASSURANCE CONCEPT
Auditing the independent examination of and expression of opinion on, the financial statements
of an enterprise by an appointed auditor in pursuance of that appointment and in compliance with
any relevant statutory obligation
Auditor—“Auditor” is used to refer to the person or persons conducting the audit, usually the
engagement partner or other members of the engagement team, or, as applicable, the firm. Where
an ISA expressly intends that a requirement or responsibility be fulfilled by the engagement
partner, the term “engagement partner” rather than “auditor” is used. “Engagement partner” and
“firm” are to be read as referring to their public sector equivalents where relevant.
Audit This is the independent investigation into the quality of published accounting information.
Auditing the independent examination of and expression of opinion on, the financial statements
of an enterprise by an appointed auditor in pursuance of that appointment and in compliance with
any relevant statutory obligation
There are five elements that must all be present in order to qualify the engagement as an
assurance engagement. (TSECA)
Page 5
Appropriate Subject Matter
The subject matter and the subject matter information of an assurance engagement can take many
forms, such as:
Suitable Criteria
Page 6
Reliability – allows reasonably consistent evaluation or measurement of the subject
matter including where relevant, presentation and disclosure, when used in similar
circumstances by similarly qualified practitioners
Neutrality – free from bias
Understandability – contribute to conclusions that are clear, comprehensive, and not
subject to significantly different interpretations
1. As to level of assurance:
a) Reasonable Assurance
The objective is a reduction in assurance engagement risk to an acceptably low level as the basis
for a positive form of expression of a practitioner’s conclusion. (e.g., audit of historical financial
statements)
b) Limited Assurance
The objective is a reduction in assurance engagement risk to a level that is acceptable in the
circumstances of the engagement, but where the risk is greater that for a reasonable assurance
engagement, as the basis for a negative form of expression of the practitioner’s conclusion. (e.g.,
review of historical financial statements
2. As to structure of engagement:
a) Assertion-based
The evaluation or measurement of the subject matter is performed by the responsible party, and
the subject matter information is in the form of assertion to the intended users.
b) Direct Reporting
The practitioner either directly performs the evaluation or measurement of the subject matter, or
obtains a representation from the responsible party that has performed the evaluation or
measurement that is not available to intended users. The subject matter information is provided
to the intended users in the assurance report.
Page 7
1. Potential bias in providing information
2. Remoteness between a user and the organization
3. Complexity of the transactions, information, or processing systems
4. Investors need to manage their risk and thereby minimize financial surprises as
consequences to investors, and others, of relying on inaccurate information can be quite
significant.
The assurance
Type of
Objective Evidence gathering procedures engagement
engagement
report
Sufficient appropriate evidence is
obtained as part of a systematic
A reduction in assurance assurance engagement process that
engagement risk to an includes:
Description of
acceptably low level in the the assurance
circumstances of the obtaining an understanding engagement
Reasonable assurance engagement, as of the assurance engagement
assurance the basis for a positive circumstances circumstances,
and a positive
engagement form of expression of the assessing risks
form of
auditor’s conclusion. responding to assessed risks
expression of the
Reasonable assurance performing further evidence
conclusion.
means a high but not gathering procedures, and
absolute level of assurance. evaluating the evidence
obtained.
Page 8
than for a reasonable circumstances; but evidence expression of the
assurance engagement, as gathering procedures are conclusion.
the basis for a negative deliberately limited in comparison
form of expression of the with a reasonable assurance
auditor’s conclusion. engagement.
NON-ASSURANCE ENGAGEMENTS
1. Agreed-upon procedures
2. Compilations engagements
3. Preparation of Income tax returns where no conclusion conveying assurance is expressed
4. Management advisory services and Consulting
5. Engagement that includes rendering of professional opinions not intended to be an
assurance report
Auditor—“Auditor” is used to refer to the person or persons conducting the audit, usually the
engagement partner or other members of the engagement team, or, as applicable, the firm. Where
an ISA expressly intends that a requirement or responsibility be fulfilled by the engagement
partner, the term “engagement partner” rather than “auditor” is used.
Practitioner:
The person who performs the engagement. It is broader than the term “auditor” which relates
only to practitioners performing audit or review engagements with respect to historical financial
information
Page 9
Responsible Party:
The person responsible for the subject matter in direct reporting engagement or subject matter
information (the assertion), and may be the subject matter in an assertion-based engagement. The
responsible party may or may not be the party who engages the practitioner or the engaging
party.
Intended Users:
For whom the assurance report is prepared. The responsible party can be one of the intended
users, but not the only one.
Suitable Criteria:
Professional Skepticism:
An attitude that includes a questioning mind, being alert to conditions which may indicate
possible misstatement due to error or fraud, and a critical assessment of evidence.
Non-assurance Engagements
Reviews
The objective of a review of financial statements is to enable an auditor to state whether, on the
basis of procedures which do not provide all the evidence that would be required in an audit,
anything has come to the auditor’s attention that causes the auditor to believe that the
financial statements are not prepared, in all material respects, in accordance with an identified
financial reporting framework. A similar objective applies to the review of financial or other
Agreed-upon Procedures
Page 10
conclusions from the report by the auditor. The report is restricted to those parties that have
agreed to the procedures to be performed since others, unaware of the reasons for the procedures,
may misinterpret the results.
Compilations
The objective of compilations is to collect, summarize and classify financial information i.e.
using accounting rather than auditing expertise into understandable form e.g. financial
statements
ASSURANCE REPORTS
The need quicker and better information for decision making in increasingly competitive
business environment.
The complexity of systems and the anonymity of the internet present potential barriers to
growth.
The need for independent assurance that decisions are made based on reliable information.
Page 11
The practitioner provides a written report containing a conclusion that conveys the assurance
obtained about the subject matter information. He or she also considers othe reporting
responsibilities including communicating with those charged with governance.
Page 12
TOPIC 2
AUDIT FRAMEWORK AND REGULATIONS
OBJECTIVES AND PRINCIPLES
Auditing the independent examination of and expression of opinion on, the financial statements
of an enterprise by an appointed auditor in pursuance of that appointment and in compliance with
any relevant statutory obligation
Auditor—“Auditor” is used to refer to the person or persons conducting the audit, usually the
engagement partner or other members of the engagement team, or, as applicable, the firm. Where
an ISA expressly intends that a requirement or responsibility be fulfilled by the engagement
partner, the term “engagement partner” rather than “auditor” is used.
Page 13
Errors are those mistakes which are committed due to carelessness or negligence or lack of
knowledge or without having vested interest. Errors may be committed without or with any
vested interest. So, they are to be checked carefully. Errors are of various types. Some of them
are:
* Errors of principle
* Errors of omission
* Errors of commission
* Compensating errors
The broad regulations that govern the Accounting profession in Kenya are set out in the
Accountants Act, Chapter 531 of the Laws of Kenya.
The act establishes various bodies to regulate the profession in Kenya. These are detailed below
with their major respective functions summarised.
Page 14
• Make rules with respect to examinations;
Functions:
• Register accountants who are effectively graduates of IAS / IFRSNEB examinations or hold
qualifications recognised by RAB (Section 23 & 24).
• Promote research into the subjects of accountancy and finance and related
matters, publication of books, periodicals, journals and articles;
4. Disciplinary Committee
Page 15
c) The member be reprimanded with publication of the reprimand in the Gazette;
d) Registration be cancelled;
The organisation adopted by most of the large firms in Kenya involves a pyramid structure
that is usually made up as follows:
Partner
Manager
Accountant in Charge
The preface to the International Standards on Quality Control, Auditing, Assurance and Related
Services (International Standards or IAASB’s Standards) is issued to facilitate understanding of
the objectives and operating procedures of the International Auditing and Assurance Standards
Board (IAASB) and the scope and authority of the pronouncements it issues, as set forth in the
IAASB’s Interim Terms of Reference.
The mission of the International Federation of Accountants (IFAC), as set out in its constitution,
is “the worldwide development and enhancement of an accountancy profession with harmonized
standards, able to provide services of consistently high quality in the public interest.”
Page 16
In pursuing this mission, the IFAC Board has established the IAASB to develop and issue, under
its own authority, high quality standards on auditing, assurance and related services engagements
(IAASB’s Engagement Standards, as defined in paragraph 14),
related Practice Statements and quality control standards for use around the world.
The IAASB’s pronouncements govern audit, assurance and related services engagements that are
conducted in accordance with International Standards.
They do not override the local laws or regulations that govern the audit of historical financial
statements or assurance engagements on other information in a particular country required to be
followed in accordance with that country’s national standards. In the event that local laws or
regulations differ from, or conflict with, the IAASB’s Standards on a particular subject, an
engagement conducted in accordance with local laws or regulations will not automatically comply
with them. A professional accountant should not represent compliance with the IAASB’s
Engagement Standards unless the professional accountant has complied fully with all of those
relevant to the engagement.
The IAASB is committed to the goal of developing a set of International Standards generally
accepted worldwide. To further this goal, the IAASB works cooperatively with national standard
setters, and takes a lead role in joint projects with them, to promote convergence between national
and international standards and achieve acceptance of IAASB’s Standards.
The IAASB is a Board established by IFAC. The members of the IAASB are appointed by the
IFAC Board to serve on the IAASB.
IAASB members act in the common interest of the public at large and the worldwide accountancy
profession. This could result in their taking a position on a matter that is not in
accordance with current practice in their country or firm or not in accordance with the position
taken by those who put them forward for membership of the IAASB. Each IAASB member has
the right to appoint one technical advisor who may participate in the discussions at IAASB
meetings.
IAASB meetings to discuss the development and to approve the issuance of International
Standards, Practice Statements or other papers are open to the public. Agenda papers, including
minutes of the meetings of the IAASB, are published on the IAASB’s website.
Page 17
International Standards on Auditing (ISAs) are to be applied in the audit of historical financial
information.
ISAs, ISREs, ISAEs and ISRSs are collectively referred to as the IAASB’s Engagement
Standards.
International Standards on Quality Control (ISQCs) are to be applied for all services falling
under the IAASB’s Engagement Standards.
The IAASB’s Standards contain basic principles and essential procedures (identified in bold type
lettering) together with related guidance in the form of explanatory and other material, including
appendices. The basic principles and essential procedures are to be understood and applied in the
context of the explanatory and other material that provide guidance for their application. It is
therefore necessary to consider the whole text of a Standard to understand and apply the basic
principles and essential procedures.
The nature of the IAASB’s Standards requires professional accountants to exercise professional
judgment in applying them. In exceptional circumstances, a professional accountant may judge it
necessary to depart from a basic principle or essential procedure of an Engagement Standard to
achieve more effectively the objective of the engagement. When such a situation arises, the
professional accountant should be prepared to justify the departure.
Any limitation of the applicability of a specific International Standard is made clear in the standard.
AUDITORS LIABILITY
Where the auditor’s legal liability falls. We need therefore to refer to decided cased in other
countries. But even in those countries there are in fact very few decided cases against auditors. In
those countries, the vast majority of actions against auditors are settled out of court. This saves
what could otherwise be very expensive court costs. It is also significant to note that this saves
Page 18
dragging the professional firm's name through the courts and most likely through the
newspapers. Firms are of course anxious to avoid such bad publicity.
It is however generally known that the auditor's liability falls under three specific headings:
(c) Civil and criminal liability under statute law and we will deal with each in turn:
To his clients: The auditor is under duty to report to the members in general meetings on all
accounts examined by him and laid before them. His contract is therefore with the company as a
whole and not with individual shareholders. The auditor can therefore be accused of negligence
if:
(a) he fails to detect fraud or error which he should reasonably have detected;
(b) if he fails to comply with generally accepted auditing standards and practices.
However, it is also generally held that for an auditor to suffer actual financial loss, the following
conditions must be met.
iii. the loss must be as a direct consequence of his reliance on the auditor's report and the
auditors negligence.
Therefore if the auditor fails to detect a fraud which is immaterial to the accounts and unless there
are suspicious circumstances which he had noticed or should reasonably have noticed, it is unlikely
that he will be held negligent.
Even if the fraud was material to the accounts, he may still escape liability if detection could not
reasonably have been achieved using normal audit procedures. It must be admitted however this
is a very dubious area of law.
The auditor has no duty to individual shareholders. A shareholder who makes an investment
decision by relying on the auditor's report and suffers loss cannot claim under the law of
contract. Only if the company as a whole has suffered, can the whole body of shareholders claim
from the auditor.
Page 19
In a number of cases it appears that claims have arisen as a result of some misunderstanding as to
the degree of responsibility which the accountant was expected to take in giving advice or
expressing an opinion. It is therefore important, to distinguish between disputes arising from
misunderstanding regarding the duties assumed, and negligence in carrying out agreed terms
For a long time liability to third parties existed only in respect to physical injury. Liability for
financial loss is a recent development. Examples of occasions when an accountant may run the
risk of insuring a liability to third parties may include the following:
(a)Preparing financial statements or reports for a client when it is known or ought to be known that
they are intended to be shown to and relied upon by a third party even if the identity of the third
party is not disclosed.
Again, it must be shown that the accountant was negligent, third parties suffered a financial loss,
the financial loss occurred as a result of the accountant's negligence and that the accountant knew
the purpose for which his report or accounts were to be used.
Civil liability: Section 206 of the Companies Act provides that officers of the company and for
these purposes auditors are considered as officers, may be liable for financial damages in respect
of the civil offences of misfeasance and breach of trust. This section which is only relevant to
winding up refers to a situation where officers have misused their position of authority for the
purposes of personal gain.
Criminal liability: Section 46 of the Companies Act states that an auditor shall be criminally
liable if he wilfully makes a materially false statement in any report, certificate, financial statement
etc. Wilfully implies fraudulently and can be difficult to prove. Whereby, it is held that where
an officer of a body corporate with intent to deceive members or creditors, publishes or concurs in
publishing a written statement of account which to his knowledge is or may be misleading, false
or deceptive in a material particular he shall on conviction be liable to imprisonment for a term not
exceeding 7 years.
Page 20
• The auditor with illegal acts by client or client's staff;
• Questionable payments;
ILLEGAL ACTS
Auditors may uncover criminal offences committed by a client or an employee of the client. This
puts them in a difficult position, but the auditor should act carefully and correctly and if necessary,
take legal advice. The auditor must not commit a criminal offence himself. It is felt that he would
have committed a criminal offence if:
(c) If he agrees with a client to conceal or destroy evidence or mislead the police with
false statements;
(d) If he knows that his client has committed an arrest able offence and tries to impede
his arrest and prosecution. Impede does not include refusing to answer questions or refusing to
produce documents without the client's consent;
(e) If he knows that his client has committed an offence and agreed to accept
consideration to withhold information;
(f) If he knows that the client has committed treason and fails to report the offence to the
proper authority.
When an auditor discovers unlawful acts, usually he is not expected to disclose to the police or
other authorities unless:
ii. That disclosure is compelled by process of law for example, a court order;
iv. The circumstances are such that the auditor has a public duty to disclose, for
example, when the client has committed a serious crime or his act treasonable
Page 21
TOPIC 3
PROFESSIONAL AND ETHICAL
CONSIDERATIONS
Requirements
The auditor shall comply with relevant ethical requirements, including those pertaining to
independence, relating to financial statement audit engagements.
(a) Integrity;
Page 22
(b) Objectivity;
Part B of the IESBA Code illustrates how the conceptual framework is to be applied in specific
situations.
Fundamental Principles
The IESBA Code of Ethics requires accountants to adhere to five fundamental principles:
Page 23
Compliance with the fundamental principles may potentially be threatened by a broad range of
circumstances. Many threats fall into the following categories:
a. Self-interest threats, which may occur as a result of the financial or other interests of a
professional accountant or of an immediate or close family" member;
b. Self-review threats, which may occur when a previous judgment needs to be re-valuated
by the professional accountant responsible for that judgment;
c. Advocacy threats, which may occur when a professional accountant promotes a position
or opinion to the point that subsequent objectivity may be compromised;
d. Familiarity threats, which may occur when, because of a close relationship, a professional
accountant becomes too sympathetic to the interests of others; and
e. Intimidation threats, which may occur when a professional accountant may be deterred
from acting objectively by threats, actual or perceived.
Safeguards that may eliminate or reduce such threats to an acceptable level fall into two broad
categories:
Safeguards created by the profession, legislation or regulation include, but are not restricted to:
Educational, training and experience requirements for entry into the profession.
Continuing professional development requirements.
Corporate governance regulations.
Professional standards.
Professional or regulatory monitoring and disciplinary procedures.
Externally review by a legally empowered third party of the reports, returns,
communications or information produced by a professional accountant.
Certain safeguards may increase the likelihood of identifying or deterring unethical behavior.
Such safeguards, which may be created by the accounting profession, legislation, regulation or
an employing organization, include, but are not restricted to:
The nature of the safeguards to be applied will vary depending on the circumstances. In
exercising professional judgment, a professional accountant should consider what a reasonable
and informed third party, having knowledge of all relevant information, including the
significance of the threat and the safeguards applied, would conclude to be unacceptable.
Page 24
ADVERTISING, PUBLICITY, OBTAINING PROFESSIONAL WORK AND FEES AND
MONEY LAUNDERING.
ADVERTISING
PUBLICITY
This is communication to the public of facts which are not designed for deliberate promotion.
Acceptable publicity includes
AUDIT FEES
General basis on which fees are computed should be set out in the letter of engagement.
Members can charge whatever they consider appropriate. The following factors should be
considered;
A firm may obtain assurance engagement for a fee level that is significantly lower than that charged
by the predecessor firm or quoted by another firm. This creates a self interest threat that will not
be reduced to an acceptable level unless the firm can demonstrate that appropriate time and
qualified staff are assigned to the task and that all applicable assurance standards, guidelines and
quality control procedures are complied with
Page 25
Contingency fee means that no fee is charged unless a specified finding or result is obtained.
Fess should not be charged on a %’ contingency or similar basis except where it is generally
accepted
Fee quotations - If a fee quotation is not economical, there maybe a self-interest threat. The firm
must be able to demonstrate that appropriate time and qualified staff are assigned to the task and
that all applicable assurance standards guidelines and quality control procedures are being
complied with
Variations between the notes should be explained e.g. reasons for extra work.
If a client pays a smaller amount, it must be stated, in writing. That is accepted as part
payment and not full discharge of the amount owed.
Both parties to a fee dispute may make a written application to ha an arbitrator appointed.
A particular lien maybe exercised over certain books and papers which have been worked
on.
MONEY LAUNDERING
Money laundering is the process by which funds derived from criminal activity (“dirty money”)
are given the appearance of having been legitimately obtained, through a series of transactions in
which the funds are cleaned. Its purpose is to provide a legitimate cover for the source of the
money.
Money laundering is a global phenomenon that affects all countries to varying degrees. By its
very nature, it is a hidden activity and involves various actor and is a white collar crime.
It is important for auditors conducting forensic audit to understand what money laundering
entails, the International and domestic legal and institutional framework to combat money
laundering.
FORENSIC INVESTIGATION IN ML
Crime investigation mainly involves forensic auditing of accounts and documents, examination
of bank statements and various records and statements filed by the companies or Govt. Agencies.
} Forensic auditing is a technique to legally determine whether accounting transactions are in
Page 26
consonance with various accounting, auditing and legal requirements and eventually determine
whether any crime has taken place.
PROFESSIONAL SKEPTICISM
The auditor shall plan and perform an audit with professional skepticism recognizing that
circumstances may exist that cause the financial statements to be materially misstated.
Maintaining professional skepticism throughout the audit is necessary if the auditor is, for
example, to reduce the risks of:
Page 27
Using inappropriate assumptions in determining the nature, timing and extent of the audit
procedures and evaluating the results thereof.
Professional skepticism is necessary to the critical assessment of audit evidence. This
includes questioning contradictory audit evidence and the reliability of documents and
responses to inquiries and other information obtained from management and those
charged with governance. It also includes consideration of the sufficiency and
appropriateness of audit evidence obtained in the light of the circumstances, for example,
in the case where fraud risk factors exist and a single document, of a nature that is
susceptible to fraud, is the sole supporting evidence for a material financial statement
amount.
The auditor may accept records and documents as genuine unless the auditor hasreason to
believe the contrary. Nevertheless, the auditor is required to consider thereliability of
information to be used as audit evidence. In cases of doubt about thereliability of
information or indications of possible fraud (for example, if conditionsidentified during
the audit cause the auditor to believe that a document may not beauthentic or that terms in
a document may have been falsified), the ISAs requirethat the auditor investigate further
and determine what modifications or additions toaudit procedures are necessary to
resolve the matter.
The auditor cannot be expected to disregard past experience of the honesty andintegrity
of the entity’s management and those charged with governance.Nevertheless, a belief that
management and those charged with governance arehonest and have integrity does not
relieve the auditor of the need to maintainprofessional skepticism or allow the auditor to
be satisfied with less thanpersuasive audit evidence when obtaining reasonable assurance.
Professional Judgment
The auditor shall exercise professional judgment in planning and performing an audit of financial
statements.
Page 28
TOPIC 4
MANAGEMENT OF AUDIT PRACTICE
CLIENT ACCEPTANCE AND RETENTION
The audit acceptance and planning process can be compared to a road map which gives
directions and guidance for the audit team to follow throughout the audit in order to help it reach
the correct final conclusion, i.e. whether the financial statements give a true and fair view of the
position of the company at the end of the accounting period.
The issues and activities that an auditor must consider prior to commencement of the fieldwork of
an audit are of vital importance. These are referred to as the audit acceptance and planning stages.
Identification of these various stages will assist the auditor to recognise key areas of risk and
concerns, which in turn will help the auditor make decisions such as:
The process of audit acceptance, planning and subsequent undertaking and completion of the
audit can be broadly distilled into four phases, namely;
Page 29
Phase 1: Acceptance of the audit
Phase 2: Planning the audit
Phase 3: Documenting audit plan and strategy, performing the audit and gathering audit
evidence
Phase 4: Completing the audit and issuing an audit opinion on the financial statements.
Phase 3, documenting the plan and strategy of the audit, the gathering of audit evidence
via the performance of the audit process will vary from audit to audit. The methods for
gathering the evidence are dependent on the nature of the entity’s business, the internal
controls and the transactions and balances included within the financial statements.
Phase 2 is critical to the success of Phases 3 and 4. This is because if not adequately planned or
an inappropriate strategy is adopted the approach to performing the audit and gathering evidence
may not be suitable, resulting in sufficient evidence not being obtained by the audit team, and an
incorrect audit opinion being issued
Audit firms should only accept a new client or continue an existing client relationship where it;
Audit firms should establish policies and procedures for the acceptance and continuance of client
relationships and specific engagements.
These should be designed to provide the firm with reasonable assurance that it will only
undertake or continue relationships and engagements where the three principles listed above are
met.
The key point is that an audit firm does not want to engage with a client who brings with it
unacceptable levels of risk; thus it is essential that a thorough assessment is made of the
prospective engagement prior to the firm becoming engaged with the client.
Issues to be considered in relation to integrity, competency and ethics that the auditor may have
cause to address, are various. A sample of such issues are outlined below: Integrity of the Client:
Client Reputation
Nature of Client Operations
Page 30
Attitudes of Key Players (Aggressive Standards Interpretation / internal controls / Low
audit fees / limiting scope of work)
Money Laundering
Outgoing auditors (reason).
Ethical Considerations:
Where issues arise out of any of the above considerations, the firm must conduct appropriate
consultations with the client or third parties. Should the firm then decide to engage with the
client. It must ensure that a record of the resolution of the issues involved is documented clearly
in the audit file.
In the event that no such issues are raised in regards to the client the firm may issue the
engagement letter.
The final decision as to whether to engage with a new client or continue engaging with an
existing client is the responsibility of the audit engagement leader:
“The engagement partner should be satisfied that appropriate procedures regarding the
acceptance and continuance of client relationships and audit engagements have been
followed, and shall determine that conclusions reached in this regard are appropriate” ISA
220 – Quality Control for Audits of Financial Statements Paragraph 12
The auditor and the client should agree terms of the engagement and the terms should be
recorded in writing.
The issuing of an engagement letter is in the interest of both the firm and the client, as it helps
avoid any misunderstandings with respect to the engagement.
Page 31
The client and the auditor should agree on all terms of the engagement and the signing of the
engagement letter is the recognition of this agreement.
A new engagement letter may not be required each year of a continuing engagement. However,
each year the auditor should consider whether circumstances require the terms of the engagement
to be revised and whether there is a need to remind the client of the existing terms of the
engagement. Alternatively, the client may request a change to the terms of the engagement.
“..the auditor should plan an audit so that the engagement will be performed in an effective
manner and reduce audit risk to an acceptably low level”
The auditor may approach the process by identifying two main areas of planning namely;
This part of the procedure is performed in conjunction with all members / levels of the audit
team and with their experience and competencies in mind
Audit Strategy
There must be consideration of a number of key factors in order to ensure the detailed plan is the
most efficient approach and hence assists in guiding the detailed audit plan. Some key factors
include:
Page 32
The concept of risk, and the assessment of risk of material misstatement and developing
responses to risks at financial statement and assertion levels.
Adequate audit planning should benefit an audit of financial statements in a number of facets,
some of which are listed below:
The auditor must develop an understanding of internal control function within the entity (see ISA
315) by considering the following factors:
Page 33
Performance materiality – lower than materiality for financial statements as a whole.
Relativity to financial statements.
Overall Materiality level for financial statements as a whole – v – materiality for
particular classes of transactions.
Possible existence of undetected and material misstatements.
Calculating materiality – identify Financial Statement critical balance (i.e. profit / net
assets / revenues etc)
Updating Materiality
Sample Question
You are planning the audit of Lonco Ltd (Lonco) for the year ended 31 December 20X5. The
company manufactures and sells products made from imported timber.
In recent years, the company has expanded into the manufacture of quality childrens’ garden
swings and jungle gyms which are sold with a 10-year guarantee. Most sales are to domestic
customers, but the company also has a small export market which has grown steadily over the last
few years.
At your planning meeting with the finance director, the following matters were discussed:
Operating activities
During the year, the company’s revenue increased by 20% and the gross and operating margins
increased by 5% and 2% respectively. Inventory and trade receivable balances are significantly
higher than the previous year as a result of this increased activity.
Online ordering on the company’s website began in recent years. Internet orders have grown
steadily but still only represent a small percentage of the total of company sales however the
company continues to invest significant sums in the website to maintain its speed and ease of use
for customers.
Payroll
Following the successful implementation of a new computer system two years ago, payroll
processing, which had been outsourced for many years, was brought back in house from 1 March
2013. Management were unhappy with the service provided by the external payroll company,
and cancelled the contract. Additional staff has been recruited to process the payroll.
Managing director
Page 34
The MD has announced his intention to sell his 100% shareholding in Lonco in order to
concentrate on his other business interests. Negotiations are underway with a potential buyer for
his shares.
Annual financial audits are required for all publicly held firms. Many private firms, especially
those that receive funding from investors, must also undergo a yearly audit. Depending on the
size and complexity of a company, financial audits may take place over several months and cost
a considerable amount of money. An audit tender process begins with a solicitation of bids.
Audit firms provide audit tender offers, submitted according to instructions detailed in the audit
services tender letter or request.
The soliciting firm sends an audit services tender letter to firms asking bids. Conditions are
stipulated in the document include the limit of only one tender per tenderer, the review and
approval process timeline, eligibility and selection criteria. The letter also discusses site visits
and related tender expenses.
Preparing Tenders
An audit firm prepares a tender document, which must adhere to certain conditions and contain
certain components as requested by the potential hiring firm. Each process may have its own
requirements, but generally, tenderers should include a draft contract. This contract should
include general conditions and address any special conditions. It should provide an explanation
of proposed terms and include a model of the financial bid for the audit project work.
Submitting Tenders
Audit firms must adhere to a formal tender submission process. The tender must be sealed and
delivered as specified by the potential client. A submission time and a date will be identified in
the invitation letter. Tenderers may submit variants of their proposals, but they must package and
seal them separately, marking them clearly as variants. Tenders received after the stated deadline
are usually not considered. If a tenderer wishes to alter or withdraw its tender, it must provide a
written explanation, delivered in the same way as the original tender.
Evaluating Offers
Page 35
When the soliciting firm receives tenders, the evaluation process usually remains confidential
until the audit work is awarded. If the soliciting firm is a public entity, the tender offers might be
opened during a public meeting, resulting in a posted summary of the tender details. This could
include tenderers' names, prices, proposal variants and any other information considered
relevant. While the soliciting firm evaluates the offers, it may ask tenderers to provide
clarification on certain points or issues. The tenders will be reviewed on criteria such as
compliance with administrative, eligibility and technical requirements. Tenderers that meet the
technical requirements may be asked to submit additional technical documentation or samples.
Finally, tenders will undergo a financial evaluation where the soliciting firm evaluates the best
financial offer.
Upon selection of a qualified tender, the award will be stated in writing and delivered to the
winning firm. Unsuccessful bidding firms are also notified, usually with details on the winning
bidder, such as proposed price and name of the firm. The notice will also outline why the
unsuccessful bidder was rejected and note the deadline for filing an appeal.
APPOINTMENT OF AUDITORS
- Every company shall at each annual general meeting appoint an auditor or auditors to hold
office from the conclusion of that, until the conclusion of the next, annual general meeting.
- At any annual general meeting a retiring auditor, however appointed, shall be deemed to be
reappointed without any resolution being passed unless –
Page 36
- Subject as hereinafter provided, the first auditors of a company may be appointed by the
directors at any time before the first annual general meeting, and auditors so appointed shall
hold office until the conclusion of that meeting:
Provided that–
i) the company may at a general meeting remove any such auditors and appoint in their place
any other persons who have been nominated for appointment by any member of the
company and of whose nomination notice has been given to the members of the company
not less than fourteen days before the date of the meeting; and
ii) if the directors fail to exercise their powers under this subsection, the company in general
meeting may appoint the first auditors, and thereupon the said powers of the directors shall
cease.
The directors may fill any casual vacancy in the office of auditor, but while any such vacancy
continues the surviving or continuing auditor or auditors, if any, may act.
Remuneration
The remuneration of the auditors of a company–
i) In the case of an auditor appointed by the directors or by the registrar remuneration may be
fixed by the directors or by the registrar as the case may be;
ii) Subject to note (i) above, shall be fixed by the company in general meeting or in such manner
as the company in general meeting may determine.
Any sums paid by the company in respect of the auditors’ expenses shall be deemed to be
included in the expression “remuneration”.
Provisions as to resolution relating to appointment and removal of auditors
- Special notice shall be required for a resolution at a company’s annual general meeting
appointing as auditor a person other than a retiring auditor or providing expressly that a retiring
auditor shall not be reappointed.
- On receipt of notice of such an intended resolution as aforesaid, the company shall forthwith
send a copy thereof to the retiring auditor (if any).
- Where notice is given of such an intended resolution as aforesaid and the retiring auditor
makes with respect to the intended resolution representations in writing to the company (not
exceeding a reasonable length) and requests their notification to members of the company,
the company shall, unless the representations are received by it too late for it to do so–
Page 37
- and if a copy of the representations is not sent as aforesaid because received too late or
because of the company’s default, the auditor may (without prejudice to his right to be heard
orally) require that the representations shall be read out at the meeting:
- Provided that copies of the representations need not be sent out and the representations need
not be read out at the meeting if, on the application either of the company or of any other
person who claims to be aggrieved, the court is satisfied that the rights conferred by this
section are being abused to secure needless publicity for defamatory matter; and the court
may order the company’s costs on an application under this section to be paid in whole or in
part by the auditor, notwithstanding that he is not a party to the application.
Provided that note (ii) above shall not apply in the case of a private company.
- References in this subsection to an officer or servant shall be construed as not including
references to an auditor.
- A person shall also not be qualified for appointment as auditor of a company if he is,
disqualified for appointment as auditor of any other body corporate which is that company’s
subsidiary or holding company or a subsidiary of that company’s holding company, or would
be so disqualified if the body corporate were a company.
- If any person who is not qualified so to act is appointed as auditor of a company such person
and the company and every officer in default shall each be liable to a fine not exceeding four
thousand shillings.
Auditors’ report and right of access to books and to attend and be heard at general
meetings
- The auditors shall make a report to the members on the accounts examined by them, and on
every balance sheet, every profit and loss account and all group accounts laid before the
company in general meeting during their tenure of office.
- The auditors’ report shall be read before the company in general meeting and shall be open to
inspection by any member.
Page 38
- Every auditor of a company shall have a right of access at all times to the books and accounts
and vouchers of the company, and shall be entitled to require from the officers of the company
such information and explanation as he thinks necessary for the performance of the duties of
the auditors.
- The auditors of a company shall be entitled to attend any general meeting of the company
and to receive all notices of and other communications relating to any general meeting which
any member of the company is entitled to receive and to be heard at any general meeting
which they attend on any part of the business of the meeting which concerns them as
auditors.
PLANNING AN AUDIT
International Standard on Auditing (ISA) 300, Planning an Audit of Financial Statements
Introduction
ISA 300 requires the auditor to plan the audit so that the engagement is performed in an effective
manner. Planning also helps the firm perform the engagement efficiently. Planning involves
establishing and documenting the overall audit strategy for the engagement and developing
and documenting an audit plan, in order to reduce audit risk to an acceptably low level.
Planning is not a discrete phase of an audit, but a continual process that often begins shortly after
the completion of the previous audit and continues until the completion of the current audit
engagement.
Planning should in any case start before the accounting year-end to take into account year end
procedures which need to be carried out e.g. attendance at the annual inventory count or
circularisation of receivables. The nature and extent of planning will vary according to the size
and complexity of the entity, previous experience with the entity and changes in circumstances
that occur during the engagement.
Page 39
Initial engagements
In case of initial engagements, while the planning elements remain the same as for recurring
engagements, the auditor may need to expand the planning activities as the auditor does not
necessarily have the previous experience with the entity that is considered when planning recurring
engagements.
Once the overall audit strategy has been established the auditor can commence the development
of a more detailed audit plan to address the various matters identified in the strategy. Although the
auditor establishes the overall audit strategy before developing the audit plan, the two activities
are not necessarily sequential processes but closely inter-related since changes in one may result
in changes to the other.
In case of audits of smaller entities where the audit is conducted by a very small audit team, the
development of an audit strategy need not be a complex process and a brief memorandum prepared
at the completion of the previous audit, based on a review of the working papers and highlighting
the issues identified, updated and changed in the current period based on discussions with the
management, can serve as the basis for planning the current audit engagement.
Helping the auditor to devote appropriate attention to important areas of the audit.
Helping the auditor identify and resolve potential problems on a timely basis.
Page 40
Helping the auditor properly organize and manage the audit engagement so that it is
performed in an effective and efficient manner.
Assisting in the selection of engagement team members with appropriate levels of
capabilities and competence to respond to anticipated risks, and the proper assignment of
work to them.
Facilitating the direction and supervision of engagement team members and the review of
their work.
Assisting, where applicable, in coordination of work done by auditors of components and
experts
The objective of the auditor is to plan the audit so that it will be performed in an effective
manner.
Time Budgeting
Time budgets are an essential tool for monitoring the progress of an engagement, in determining
actual performance against the budget and to assist in future planning of audits.
When conducting the audit, the engagement team should aim to keep within the budget in so far
as is possible, but should never compromise the standard of his audit work, to keep within budget.
If it appears that there will be significant discrepancies between the budgeted time and the actual
time, the senior / manager should inform the manager/ partner as soon as possible, particularly
where additional time arises due to the client's shortcomings.
Time summaries should be prepared for all engagements and the total time spent should be
compared with the budgeted time and reasons given for significant variances. A record should be
Page 41
kept of work which the engagement team have had to complete as a result of client shortcomings,
as a basis for additional charges if necessary.
Requirements
Involvement of Key Engagement Team Members
- The engagement partner and other key members of the engagement team shall be involved
in planning the audit, including planning and participating in the discussion among
engagement team members.
- The involvement of the engagement partner and other key members of the engagement
team in planning the audit draws on their experience and insight, thereby enhancing the
effectiveness and efficiency of the planning process
- Performing the preliminary engagement activities at the beginning of the current audit
engagement assists the auditor in identifying and evaluating events or circumstances that
may adversely affect the auditor’s ability to plan and perform the audit engagement.
- Performing these preliminary engagement activities enables the auditor to plan an audit
engagement for which, for example:
The auditor maintains the necessary independence and ability to perform the engagement.
There are no issues with management integrity that may affect the auditor’s willingness to
continue the engagement.
There is no misunderstanding with the client as to the terms of the engagement.
Page 42
engagements, such initial procedures often occur shortly after (or in connection with) the
completion of the previous audit.
i) Audit plan
ii) Audit programme.
The audit planwill often be prepared by the manager, although preparation of parts or all of it may
be delegated to the senior. In case of high risk audits the partner may also be involved in preparing
the plan, particularly in the areas of materiality, risk assessment and approach to assessed risk and
sample sizes. The plan together with the tailored audit programmes setting out the nature, timing
and extent of the audit procedures to be adopted during the engagement should be completed and
approved by the partner prior to commencement of the engagement. In case of a sole
proprietorships or small audit firms, the partner may be actively involved in developing the audit
plan and programmes.
Page 43
The audit programme will often be drafted by the senior and reviewed by the manager and
approved by the engagement partner. However, the extent of the manager’s role will depend on
the senior’s previous experience and knowledge of the entity.
In preparing the audit programme, consideration should be given to the specific assessment of risk
and the level of assurance to be provided by substantive procedures.
The use of unedited programmes does not constitute adequate planning as it could expose the
auditor to risks not covered in detail by the programme or result in the auditor carrying out
unnecessary tests thereby resulting in inefficiencies.
Planning Activities
- The auditor shall establish an overall audit strategy that sets the scope, timing and direction
of the audit, and that guides the development of the audit plan.
- In establishing the overall audit strategy, the auditor shall:
Page 44
How such resources are managed, directed and supervised, such as when team briefing and
debriefing meetings are expected to be held, how engagement partner and manager reviews
are expected to take place (for example, on-site or off-site), and whether to complete
engagement quality control reviews.
The development and documentation of the overall audit strategy sets the scope, timing and
direction of the audit, and guides the development of the more detailed audit plan. It also helps to
ascertain the nature, timing and extent of the resources necessary to perform the engagement. In
developing the audit strategy, the engagement team may consider the experience gained on other
engagements performed for the entity.
The key components of an audit strategy include:
Page 45
- Obtain the latest financial information to help in setting materiality levels and in performing
preliminary analytical review work.
- Agree a timetable (including inventory counts and visits) and any specific deadlines.
- Agree schedules requirements and on any other accounting work to be produced by the client. -
Find out the actions taken on the points raised in last year's management letter.
- Agree settlement of any outstanding fees.
- Identify any specific areas of concern to the client and their impact on the audit scope.
Once the overall audit strategy has been established, an audit plan can be developed to address the
various matters identified in the overall audit strategy, taking into account the need to achieve the
audit objectives through the efficient use of the auditor’s resources.
The establishment of the overall audit strategy and the detailed audit plan are not necessarily
discrete or sequential processes, but are closely inter-related since changes in one may result in
consequential changes to the other.
Establishing the overall audit strategy for the audit of a small entity need not be a complex or time-
consuming exercise; it varies according to the size of the entity, the complexity of the audit, and
the size of the engagement team. For example, a brief memorandum prepared at the completion of
the previous audit, based on a review of the working papers and highlighting issues identified in the
audit just completed, updated in the current period based on discussions with the owner-manager,
can serve as the documented audit strategy for the current audit engagement if it covers the matters.
The auditor shall develop an audit plan that shall include a description of:
a) The nature, timing and extent of planned risk assessment procedures, as determined under
ISA 315.
b) The nature, timing and extent of planned further audit procedures at the assertion level, as
determined under ISA 330.
c) Other planned audit procedures that are required to be carried out so that the engagement
complies with ISAs.
- The audit plan is more detailed than the overall audit strategy in that it includes the nature,
timing and extent of audit procedures to be performed by engagement team members.
Page 46
Planning for these audit procedures takes place over the course of the audit as the audit plan
for the engagement develops. For example, planning of the auditor’s risk assessment
procedures occurs early in the audit process. However, planning the nature, timing and extent
of specific further audit procedures depends on the outcome of those risk assessment
procedures. In addition, the auditor may begin the execution of further audit procedures for
some classes of transactions, account balances and disclosures before planning all remaining
further audit procedures.
- The auditor shall update and change the overall audit strategy and the audit plan as necessary
during the course of the audit.
Page 47
- Forming an objective view on the appropriateness of the judgments made in the course of the
audit can present practical problems when the same individual also performs the entire audit.
If particularly complex or unusual issues are involved, and the audit is performed by a sole
practitioner, it may be desirable to consult with other suitably-experienced auditors or the
auditor’s professional body.
Documentation
The auditor shall include in the audit documentation:
a) The overall audit strategy;
b) The audit plan; and
c) Any significant changes made during the audit engagement to the overall audit strategy or
the audit plan, and the reasons for such changes.
The documentation of the overall audit strategy is a record of the key decisions considered
necessary to properly plan the audit and to communicate significant matters to the engagement
team. For example, the auditor may summarize the overall audit strategy in the form of a
memorandum that contains key decisions regarding the overall scope, timing and conduct of the
audit.
The documentation of the audit plan is a record of the planned nature, timing and extent of risk
assessment procedures and further audit procedures at the assertion level in response to the
assessed risks. It also serves as a record of the proper planning of the audit procedures that can
be reviewed and approved prior to their performance. The auditor may use standard audit
programs or audit completion checklists, tailored as needed to reflect the particular engagement
circumstances.
A record of the significant changes to the overall audit strategy and the audit plan, and resulting
changes to the planned nature, timing and extent of audit procedures, explains why the
significant changes were made, and the overall strategy and audit plan finally adopted for the
audit. It also reflects the appropriate response to the significant changes occurring during the
audit.
Page 48
The auditor shall undertake the following activities prior to starting an initial audit:
a) Performing procedures regarding the acceptance of the client relationship and the specific
audit engagement; and
b) Communicating with the predecessor auditor, where there has been a change of auditors, in
compliance with relevant ethical requirements.
The purpose and objective of planning the audit are the same whether the audit is an initial or
recurring engagement. However, for an initial audit, the auditor may need to expand the planning
activities because the auditor does not ordinarily have the previous experience with the entity
that is considered when planning recurring engagements. For an initial audit engagement,
additional matters the auditor may consider in establishing the overall audit strategy and audit
plan include the following:
Unless prohibited by law or regulation, arrangements to be made with the predecessor
auditor, for example, to review the predecessor auditor’s working papers.
Any major issues (including the application of accounting principles or of auditing and
reporting standards) discussed with management in connection with the initial selection as
auditor, the communication of these matters to those charged with governance and how these
matters affect the overall audit strategy and audit plan.
The audit procedures necessary to obtain sufficient appropriate audit evidence regarding
opening balances.
Other procedures required by the firm’s system of quality control for initial audit
engagements (for example, the firm’s system of quality control may require the involvement
of another partner or senior individual to review the overall audit strategy prior to
commencing significant audit procedures or to review reports prior to their issuance).
Page 49
The nature of the control relationships between a parent and its components that determine
how the group is to be consolidated.
The extent to which components are audited by other auditors.
The nature of the business segments to be audited, including the need for specialized
knowledge.
The reporting currency to be used, including any need for currency translation for the
financial information audited.
The need for a statutory audit of standalone financial statements in addition to an audit for
consolidation purposes.
The availability of the work of internal auditors and the extent of the auditor’s potential
reliance on such work.
The entity’s use of service organizations and how the auditor may obtain evidence
concerning the design or operation of controls performed by them.
The expected use of audit evidence obtained in previous audits, for example, audit evidence
related to risk assessment procedures and tests of controls.
The effect of information technology on the audit procedures, including the availability of
data and the expected use of computer-assisted audit techniques.
The coordination of the expected coverage and timing of the audit work with any reviews of
interim financial information and the effect on the audit of the information obtained during
such reviews.
The availability of client personnel and data.
Page 50
Whether there are any other expected communications with third parties, including any
statutory or contractual reporting responsibilities arising from the audit.
Page 51
Nature, Timing and Extent of Resources
The selection of the engagement team (including, where necessary, the engagement quality
control reviewer) and the assignment of audit work to the team members, including the
assignment of appropriately experienced team members to areas where there may be higher
risks of material misstatement.
Engagement budgeting, including considering the appropriate amount of time to set aside for
areas where there may be higher risks of material misstatement.
As the assessed risk of material misstatement increases, one would ordinarily increase the extent
and timeliness of direction and supervision of the engagement team and perform a more detailed
review of their work.
Any changes to the audit strategy and plan needs to be documented giving reasons for significant
changes and the auditor’s response to the events, conditions or results of audit procedures that
resulted in such changes. The changes need to be discussed and approved by the partner.
In case of smaller entities where the audit is carried out entirely by the engagement partner, the
partner needs to ensure that the audit has been conducted in accordance with ISA’s. In such cases
the partner needs to ensure that he takes an objective view on the appropriateness of the judgements
Page 52
made in the course of the audit, and where desirable, on complex or unusual issues, the partner
undertakes appropriate consultations.
Objective
The objective of the auditor is to identify and assess the risks of material misstatement, whether
due to fraud or error, at the financial statement and assertion levels, through understanding the
entity and its environment, including the entity’s internal control, thereby providing a basis for
designing and implementing responses to the assessed risks of material misstatement.
Risk assessment procedures are performed at the planning stage of an audit to obtain an
understanding of the entity being audited and to identify any areas of concern which could result
in material misstatements in the financial statements. They allow the auditor to assess the nature,
timing and extent of audit procedures to be performed.
ISA 315 Risk Assessments and Internal Controls states that the auditor should obtain an
understanding of the accounting and internal control systems sufficiently to plan the audit and
develop an effective audit approach. The auditor should use professional judgment to assess
audit risk and to design audit procedures to ensure it is reduced to an acceptably low level.
Sources of audit evidence that can be used as part of risk assessment procedures.
- Inquiries of management
- Prior year financial statement
- Current year management accounts and budgets
- Analytical procedures
- Observation and inspection
Definitions
For purposes of the ISAs, the following terms have the meanings attributed below:
a) Assertions – Representations by management, explicit or otherwise, that are embodied in the
financial statements, as used by the auditor to consider the different types of potential
misstatements that may occur.
Page 53
b) Business risk – A risk resulting from significant conditions, events, circumstances, actions
or inactions that could adversely affect an entity’s ability to achieve its objectives and
execute its strategies, or from the setting of inappropriate objectives and strategies.
c) Internal control – The process designed, implemented and maintained by those charged
with governance, management and other personnel to provide reasonable assurance about the
achievement of an entity’s objectives with regard to reliability of financial reporting,
effectiveness and efficiency of operations, and compliance with applicable laws and
regulations. The term “controls” refers to any aspects of one or more of the components of
internal control.
d) Risk assessment procedures – The audit procedures performed to obtain an understanding
of the entity and its environment, including the entity’s internal control, to identify and assess
the risks of material misstatement, whether due to fraud or error, at the financial statement
and assertion levels.
e) Significant risk – An identified and assessed risk of material misstatement that, in the
auditor’s judgment, requires special audit consideration.
Page 54
- The engagement partner and other key engagement team members shall discuss the
susceptibility of the entity’s financial statements to material misstatement, and the
application of the applicable financial reporting framework to the entity’s facts and
circumstances. The engagement partner shall determine which matters are to be
communicated to engagement team members not involved in the discussion.
The Required Understanding of the Entity and Its Environment, Including the Entity’s
Internal Control
Page 55
Components of Internal Control
Control environment
The auditor shall obtain an understanding of the control environment. As part of obtaining this
understanding, the auditor shall evaluate whether:
a) Management, with the oversight of those charged with governance, has created and
maintained a culture of honesty and ethical behavior; and
b) The strengths in the control environment elements collectively provide an appropriate
foundation for the other components of internal control, and whether those other components
are not undermined by deficiencies in the control environment.
The information system, including the related business processes, relevant to financial reporting,
and communication
- The auditor shall obtain an understanding of the information system, including the related
business processes, relevant to financial reporting, including the following areas:
a) The classes of transactions in the entity’s operations that are significant to the financial
statements;
Page 56
b) The procedures, within both information technology (IT) and manual systems, by which
those transactions are initiated, recorded, processed, corrected as necessary, transferred to
the general ledger and reported in the financial statements;
c) The related accounting records, supporting information and specific accounts in the
financial statements that are used to initiate, record, process and report transactions; this
includes the correction of incorrect information and how information is transferred to the
general ledger. The records may be in either manual or electronic form;
d) How the information system captures events and conditions, other than transactions, that
are significant to the financial statements;
e) The financial reporting process used to prepare the entity’s financial statements,
including significant accounting estimates and disclosures; and
f) Controls surrounding journal entries, including non-standard journal entries used to
record non-recurring, unusual transactions or adjustments.
- The auditor shall obtain an understanding of how the entity communicates financial reporting
roles and responsibilities and significant matters relating to financial reporting, including:
(a) Communications between management and those charged with governance; and
(b) External communications, such as those with regulatory authorities.
Monitoring of controls
- The auditor shall obtain an understanding of the major activities that the entity uses to
monitor internal control relevant to financial reporting, including those related to those
control activities relevant to the audit, and how the entity initiates remedial actions to
deficiencies in its controls.
- If the entity has an internal audit function the auditor shall obtain an understanding of the
nature of the internal audit function’s responsibilities, its organizational status, and the
activities performed, or to be performed.
Page 57
- The auditor shall obtain an understanding of the sources of the information used in the
entity’s monitoring activities, and the basis upon which management considers the
information to be sufficiently reliable for the purpose.
Page 58
If the auditor has determined that a significant risk exists, the auditor shall obtain an
understanding of the entity’s controls, including control activities, relevant to that risk.
Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate
Audit Evidence
In respect of some risks, the auditor may judge that it is not possible or practicable to obtain
sufficient appropriate audit evidence only from substantive procedures. Such risks may relate to
the inaccurate or incomplete recording of routine and significant classes of transactions or
account balances, the characteristics of which often permit highly automated processing with
little or no manual intervention. In such cases, the entity’s controls over such risks are relevant to
the audit and the auditor shall obtain an understanding of them.
Documentation
The auditor shall include in the audit documentation:
a) The discussion among the engagement team and the significant decisions reached;
b) Key elements of the understanding obtained regarding each of the aspects of the entity and
its environment specified in and of each of the internal control components; the sources of
information from which the understanding was obtained; and the risk assessment
procedures performed;
c) The identified and assessed risks of material misstatement at the financial statement level
and at the assertion level and
d) The risks identified, and related controls about which the auditor has obtained an
understanding,
Page 59
Determining materiality in accordance with ISA 320;
Considering the appropriateness of the selection and application of accounting policies,
and the adequacy of financial statement disclosures;
Identifying areas where special audit consideration may be necessary, for example,
related party transactions, the appropriateness of management’s use of the going concern
assumption, or considering the business purpose of transactions;
Developing expectations for use when performing analytical procedures;
Responding to the assessed risks of material misstatement, including designing and
performing further audit procedures to obtain sufficient appropriate audit evidence; and
Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the
appropriateness of assumptions and of management’s oral and written representations.
- Information obtained by performing risk assessment procedures and related activities may be
used by the auditor as audit evidence to support assessments of the risks of material
misstatement. In addition, the auditor may obtain audit evidence about classes of
transactions, account balances, or disclosures, and related assertions, and about the operating
effectiveness of controls, even though such procedures were not specifically planned as
substantive procedures or as tests of controls. The auditor also may choose to perform
substantive procedures or tests of controls concurrently with risk assessment procedures
because it is efficient to do so.
- The auditor uses professional judgment to determine the extent of the understanding
required. The auditor’s primary consideration is whether the understanding that has been
obtained is sufficient to meet the objective stated in this ISA. The depth of the overall
understanding that is required by the auditor is less than that possessed by management in
managing the entity.
- The risks to be assessed include both those due to error and those due to fraud, and both are
covered by this ISA. However, the significance of fraud is such that further requirements and
guidance are included in ISA 240 in relation to risk assessment procedures and related
activities to obtain information that is used to identify the risks of material misstatement due
to fraud.
- Although the auditor is required to perform all the risk assessment procedures above in the
course of obtaining the required understanding of the entity, the auditor is not required to
perform all of them for each aspect of that understanding. Other procedures may be
performed where the information to be obtained therefrom may be helpful in identifying risks
of material misstatement.
Examples of such procedures include:
Page 60
Reviewing information obtained from external sources such as trade and economic
journals; reports by analysts, banks, or rating agencies; or regulatory or financial
publications.
Making inquiries of the entity’s external legal counsel or of valuation experts that the entity
has used.
Inquiries of Management, the Internal Audit Function and Others within the Entity
- Much of the information obtained by the auditor’s inquiries is obtained from management
and those responsible for financial reporting. Information may also be obtained by the
auditor through inquiries with the internal audit function, if the entity has such a function
and others within the entity.
- The auditor may also obtain information, or a different perspective in identifying risks of
material misstatement, through inquiries of others within the entity and other employees
with different levels of authority.
For example:
Inquiries directed towards those charged with governance may help the auditor
understand the environment in which the financial statements are prepared. ISA 260
identifies the importance of effective two-way communication in assisting the auditor to
obtain information from those charged with governance in this regard.
Inquiries of employees involved in initiating, processing or recording complex or unusual
transactions may help the auditor to evaluate the appropriateness of the selection and
application of certain accounting policies.
Inquiries directed toward in-house legal counsel may provide information about such
matters as litigation, compliance with laws and regulations, knowledge of fraud or
suspected fraud affecting the entity, warranties, post-sales obligations, arrangements
(such as joint ventures) with business partners and the meaning of contract terms.
Inquiries directed towards marketing or sales personnel may provide information about
changes in the entity’s marketing strategies, sales trends, or contractual arrangements
with its customers.
Inquiries directed to the risk management function (or those performing such roles) may
provide information about operational and regulatory risks that may affect financial
reporting.
Inquiries directed to information systems personnel may provide information about
system changes, system or control failures, or other information system-related risks.
- As obtaining an understanding of the entity and its environment is a continual, dynamic
process, the auditor’s inquiries may occur throughout the audit engagement.
Page 61
ENGAGEMENT RISK
Engagement risk―This is the risk that the practitioner expresses an inappropriate conclusion
when the subject matter information is materially misstated.
- Engagement risk does not refer to or include the practitioner’s business risks such as loss
from litigation, adverse publicity, or other events arising in connection with a subject matter
information reported on.
- In general, engagement risk can be represented by the following components, although not
all of these components will necessarily be present or significant for all assurance
engagements:
(a) Risks that the practitioner does not directly influence, which may consist of:
(i) The susceptibility of the subject matter information to a material misstatement before
consideration of any related controls (inherent risk); and
(ii) The risk that a material misstatement that occurs in the subject matter information
will not be prevented, or detected and corrected, on a timely basis by the appropriate
party(ies)’s internal control (control risk); and
(b) Risks that the practitioner does directly influence, which may consist of:
(i) The risk that the procedures performed by the practitioner will not detect a material
misstatement (detection risk); and
(ii) In the case of a direct engagement, the risks associated with the practitioner’s
measurement or evaluation of the underlying subject matter against the applicable
criteria.
- The degree to which each of these components is relevant to the engagement is affected by
the engagement circumstances, in particular:
i) The nature of the underlying subject matter and the subject matter information. For
example, the concept of control risk may be more useful when the underlying subject
matter relates to the preparation of information about an entity’s performance than when
it relates to information about the effectiveness of a controls or the existence of a physical
condition.
ii) Whether a reasonable assurance or a limited assurance engagement is being performed.
For example, in limited assurance attestation engagements the practitioner may often
decide to obtain evidence by means other than tests of controls, in which case
consideration of control risk may be less relevant than in a reasonable assurance
attestation engagement on the same subject matter information.
Page 62
iii) Whether it is a direct engagement or an attestation engagement. While the concept of
control risk is relevant to attestation engagements, the broader concept of measurement or
evaluation risk is relevant to direct engagements.
iv) The consideration of risks is a matter of professional judgment, rather than a matter
capable of precise measurement.
Reducing engagement risk to zero is very rarely attainable or cost beneficial and, therefore,
reasonable assurance is less than absolute assurance, as a result of factors such as the following:
The use of selective testing.
The inherent limitations of internal control.
The fact that much of the evidence available to the practitioner is persuasive rather than
conclusive.
The use of professional judgment in gathering and evaluating evidence and forming
conclusions based on that evidence.
In some cases, the characteristics of the underlying subject matter when evaluated or
measured against the applicable criteria.
Significant Risks
Identifying Significant Risks
- Significant risks often relate to significant non-routine transactions or judgmental matters.
Non-routine transactions are transactions that are unusual, due to either size or nature, and
that therefore occur infrequently.
- Judgmental matters may include the development of accounting estimates for which there
is significant measurement uncertainty. Routine, noncomplex transactions that are subject
to systematic processing are less likely to give rise to significant risks.
- Risks of material misstatement may be greater for significant non-routine transactions
arising from matters such as the following:
Greater management intervention to specify the accounting treatment.
Greater manual intervention for data collection and processing.
Complex calculations or accounting principles.
The nature of non-routine transactions, which may make it difficult for the entity to
implement effective controls over the risks.
- Risks of material misstatement may be greater for significant judgmental matters that require
the development of accounting estimates, arising from matters such as the following:
Accounting principles for accounting estimates or revenue recognition may be subject
to differing interpretation.
Required judgment may be subjective or complex, or require assumptions about the
effects of future events, for example, judgment about fair value.
Page 63
- ISA 330 describes the consequences for further audit procedures of identifying a risk as
significant.
- Significant risks relating to the risks of material misstatement due to fraud
- ISA 240 provides further requirements and guidance in relation to the identification and
assessment of the risks of material misstatement due to fraud.
Risks for Which Substantive Procedures Alone Do Not Provide Sufficient Appropriate
Audit Evidence
- Risks of material misstatement may relate directly to the recording of routine classes of
transactions or account balances, and the preparation of reliable financial statements. Such
risks may include risks of inaccurate or incomplete processing for routine and significant
classes of transactions such as an entity’s revenue, purchases, and cash receipts or cash
payments.
- Where such routine business transactions are subject to highly automated processing with
little or no manual intervention, it may not be possible to perform only substantive
procedures in relation to the risk. For example, the auditor may consider this to be the case in
circumstances where a significant amount of an entity’s information is initiated, recorded,
processed, or reported only in electronic form such as in an integrated system. In such cases:
Page 64
Audit evidence may be available only in electronic form, and its sufficiency and
appropriateness usually depend on the effectiveness of controls over its accuracy and
completeness.
The potential for improper initiation or alteration of information to occur and not be
detected may be greater if appropriate controls are not operating effectively.
Documentation
- The manner in which the requirements are documented is for the auditor to determine using
professional judgment. For example, in audits of small entities the documentation may be
incorporated in the auditor’s documentation of the overall strategy and audit plan.
- Similarly, for example, the results of the risk assessment may be documented separately, or
may be documented as part of the auditor’s documentation of further procedures.
- The form and extent of the documentation is influenced by the nature, size and complexity of
the entity and its internal control, availability of information from the entity and the audit
methodology and technology used in the course of the audit.
- For entities that have uncomplicated businesses and processes relevant to financial reporting,
the documentation may be simple in form and relatively brief. It is not necessary to document
the entirety of the auditor’s understanding of the entity and matters related to it. Key
elements of understanding documented by the auditor include those on which the auditor
based the assessment of the risks of material misstatement.
- The extent of documentation may also reflect the experience and capabilities of the members
of the audit engagement team. Provided the requirements of ISA 230 are always met, an
audit undertaken by an engagement team comprising less experienced individuals may
require more detailed documentation to assist them to obtain an appropriate understanding of
the entity than one that includes experienced individuals.
Page 65
- For recurring audits, certain documentation may be carried forward, updated as necessary to
reflect changes in the entity’s business or processes.
Control Environment
The control environment encompasses the following elements:
(a) Communication and enforcement of integrity and ethical values.
The effectiveness of controls cannot rise above the integrity and ethical values of the people
who create, administer, and monitor them.
Integrity and ethical behaviorsare the product of the entity’s ethical and behavioral standards,
how they are communicated, and how they are reinforced in practice.
The enforcement of integrity and ethical values includes, for example, management actions
to eliminate or mitigate incentives or temptations that might prompt personnel to engage in
dishonest, illegal, or unethical acts. The communication of entity policies on integrity and
ethical values may include the communication of behavioral standards to personnel through
policy statements and codes of conduct and by example.
(b) Commitment to competence. Competence is the knowledge and skills necessary to
accomplish tasks that define the individual’s job.
(c) Participation by those charged with governance. An entity’s control consciousness is
influenced significantly by those charged with governance. The importance of the
responsibilities of those charged with governance is recognized in codes of practice and other
laws and regulations or guidance produced for the benefit of those charged with governance.
Other responsibilities of those charged with governance include oversight of the design and
effective operation of whistle blower procedures and the process for reviewing the
effectiveness of the entity’s internal control.
(d) Management’s philosophy and operating style. Management’s philosophy and operating
style encompass a broad range of characteristics. For example, management’s attitudes and
actions toward financial reporting may manifest themselves through conservative or
aggressive selection from available alternative accounting principles, or conscientiousness
and conservatism with which accounting estimates are developed.
(e) Organizational structure. Establishing a relevant organizational structure includes
considering key areas of authority and responsibility and appropriate lines of reporting. The
appropriateness of an entity’s organizational structure depends, in part, on its size and the
nature of its activities.
(f) Assignment of authority and responsibility. The assignment of authority and responsibility
may include policies relating to appropriate business practices, knowledge and experience of
key personnel, and resources provided for carrying out duties. In addition, it may include
policies and communications directed at ensuring that all personnel understand the entity’s
Page 66
objectives, know how their individual actions interrelate and contribute to those objectives,
and recognize how and for what they will be held accountable.
(g) Human resource policies and practices. Human resource policies and practices often
demonstrate important matters in relation to the control consciousness of an entity. For
example, standards for recruiting the most qualified individuals – with emphasis on
educational background, prior work experience, past accomplishments, and evidence of
integrity and ethical behavior – demonstrate an entity’s commitment to competent and
trustworthy people. Training policies that communicate prospective roles and responsibilities
and include practices such as training schools and seminars illustrate expected levels of
performance and behavior.
Page 67
Rapid growth. Significant and rapid expansion of operations can strain controls and
increase the risk of a breakdown in controls.
New technology. Incorporating new technologies into production processes or
information systems may change the risk associated with internal control.
New business models, products, or activities. Entering into business areas or
transactions with which an entity has little experience may introduce new risks
associated with internal control.
Corporate restructurings. Restructurings may be accompanied by staff reductions
and changes in supervision and segregation of duties that may change the risk
associated with internal control.
Expanded foreign operations. The expansion or acquisition of foreign operations
carries new and often unique risks that may affect internal control, for example,
additional or changed risks from foreign currency transactions.
New accounting pronouncements. Adoption of new accounting principles or
changing accounting principles may affect risks in preparing financial statements.
Page 68
policy manuals, accounting and financial reporting manuals, and memoranda.
Communication also can be made electronically, orally, and through the actions of
management.
Control Activities
Generally, control activities that may be relevant to an audit may be categorized as policies and
procedures that pertain to the following:
Performance reviews. These control activities include reviews and analyses of actual
performance versus budgets, forecasts, and prior period performance; relating different sets
of data – operating or financial – to one another, together with analyses of the relationships
and investigative and corrective actions; comparing internal data with external sources of
information; and review of functional or activity performance.
Information processing. The two broad groupings of information systems control
activities are application controls, which apply to the processing of individual applications,
and general IT controls, which are policies and procedures that relate to many applications
and support the effective functioning of application controls by helping to ensure the
continued proper operation of information systems.
Examples of application controls include checking the arithmetical accuracy of records,
maintaining and reviewing accounts and trial balances, automated controls such as edit
checks of input data and numerical sequence checks, and manual follow-up of exception
reports. Examples of general IT controls are program change controls, controls that restrict
access to programs or data, controls over the implementation of new releases of packaged
software applications, and controls over system software that restrict access to or monitor
the use of system utilities that could change financial data or records without leaving an
audit trail.
Physical controls. Controls that encompass:
- The physical security of assets, including adequate safeguards such as secured facilities
over access to assets and records.
- The authorization for access to computer programs and data files.
- The periodic counting and comparison with amounts shown on control records (for
example, comparing the results of cash, security and inventory counts with accounting
records).
- The extent to which physical controls intended to prevent theft of assets are relevant to
the reliability of financial statement preparation, and therefore the audit, depends on
circumstances such as when assets are highly susceptible to misappropriation.
Segregation of duties. Assigning different people the responsibilities of authorizing
transactions, recording transactions, and maintaining custody of assets. Segregation of
Page 69
duties is intended to reduce the opportunities to allow any person to be in a position to both
perpetrate and conceal errors or fraud in the normal course of the person’s duties.
- Certain control activities may depend on the existence of appropriate higher level policies
established by management or those charged with governance.
- For example, authorization controls may be delegated under established guidelines, such as
investment criteria set by those charged with governance; alternatively, non-routine
transactions such as major acquisitions or divestments may require specific high level
approval, including in some cases that of shareholders.
Monitoring of Controls
- An important management responsibility is to establish and maintain internal control on an
ongoing basis. Management’s monitoring of controls includes considering whether they are
operating as intended and that they are modified as appropriate for changes in conditions.
- Monitoring of controls may include activities such as management’s review of whether bank
reconciliations are being prepared on a timely basis, internal auditors’ evaluation of sales
personnel’s compliance with the entity’s policies on terms of sales contracts, and a legal
department’s oversight of compliance with the entity’s ethical or business practice policies.
Monitoring is done also to ensure that controls continue to operate effectively over time.
- For example, if the timeliness and accuracy of bank reconciliations are not monitored,
personnel are likely to stop preparing them.
- Internal auditors or personnel performing similar functions may contribute to the monitoring
of an entity’s controls through separate evaluations.
- Ordinarily, they regularly provide information about the functioning of internal control,
focusing considerable attention on evaluating the effectiveness of internal control, and
communicate information about strengths and deficiencies in internal control and
recommendations for improving internal control.
- Monitoring activities may include using information from communications from external
parties that may indicate problems or highlight areas in need of improvement. Customers
implicitly corroborate billing data by paying their invoices or complaining about their
charges. In addition, regulators may communicate with the entity concerning matters that
affect the functioning of internal control, for example, communications concerning
examinations by bank regulatory agencies. Also, management may consider communications
relating to internal control from external auditors in performing monitoring activities.
AUDIT RISK
Page 70
Audit risk refers to the risk that the auditors will express an inappropriate audit opinion when the
financial statements are materially misstated.
Audit risk therefore could be defined as the chance of damage to the audit firm as a result of
giving an opinion that is wrong in some particular. Or put another way, it could be explained as
the possibility that financial statements contain material mis-statements which had escaped
detection by both an internal control on which the auditor has relied and on the auditor’s own
substantive tests and other work.
It could be looked at also as: the possibility that the auditor may be required to pay damages to
the client or other persons as a consequence of:
Damage to the audit firm or the auditor may be in the form of monetary damages paid to the
complainant as compensation or simply damage to their reputation with a client or the business
community.
All audits involve an element of risk such that however strong the audit evidence and however
careful the auditor, there is always a possibility of an error or a fraud going undetected. It is
generally known that the auditor who organises his office and staff in a competent manner an
follows auditing standards and guidelines is unlikely to be found negligent and to pay damages
as a consequence of fraud or error not being discovered by him.
Audit risks facing the auditor when material assets are stated at fair values instead of historical
costs include:
Page 71
o Detection risk is the risk that the auditor will not detect a material misstatement that exists
in an assertion that could be material either individually or when aggregated with other
misstatements. Detection risk is a function of the effectiveness of an audit procedure and
its application by the auditor.
When the auditor is faced with the normal audit risk, the audit approach adopted is usually one of
reliance on key controls supported by substantive tests, compliance tests and analytical review.
Page 72
Higher than normal risk
Several audit assignments involve high audit risk and usually in any client there will always be at
least one high risk area. Indications that an audit has an element of higher than normal audit risk
include:
In addition to normal risk and higher than normal risk discussed above, the auditor can also be
exposed by sub-standard work such as:
It is essential that an audit firm should organize itself in such a way that it can minimise the risk
of suffering any damage. We can look at these measures from two points of view. Broad
Page 73
measures taken by the profession as a whole and measures to be taken by the individual auditor
in minimising this audit risk.
This approach requires the auditor to determine what are the very important business risks which
the client faces. This line of approach both helps the client and also enables the auditor to
appreciate and understand his clients business and appreciate all aspects of the business
activities. It is then for the auditor to determine where the risks are likely or unlikely and whether
the risks are likely to produce serious consequences. This enable the audit to be focussed on
those matters where there is a possibility of misstatement. This is the basis of revised auditing
standards.
The big firms have largely adopted this approach within their audit methodology.
The history of auditing shows a gradual change over time as detailed testing of transactions
moved to system audits. The next development was the audit risk model which focuses the audit
and the extent of audit procedures on to the areas of an audit where the auditor was most at risk
of giving an inappropriate opinion.
Page 74
ISA 550establishes requirements and provides guidance on the auditor’s considerations
relevant to related parties.
Examples of matters that the auditor may consider when obtaining an understanding of the nature
of the entity include:
Page 75
o Accounting for fair values.
o Foreign currency assets, liabilities and transactions.
o Accounting for unusual or complex transactions including those in controversial or
emerging areas (for example, accounting for stock-based compensation).
Significant changes in the entity from prior periods may give rise to, or change, risks of material
misstatement.
Page 76
The business risk approach to auditing involves examining the business in it’s entirely and
evaluating the various risks to which it is exposed. The business risks are factors which affect the
company’s ability to meet its goals. The risks may be controllable (to some extent) or
uncontrollable (for example, external factors). It may be possible to trade-off some risks (e.g.
insurance). The auditor is concerned about those risks which may impact upon the financial
statements and therefore needs a full understanding of the business and its risks in order to do
this. The auditor will then plan the audit strategy with these business risks clearly focused in
mind.
Page 77
As should be evident from this summary the business risk approach is a more holistic approach
to the audit. The business risk approach starts at a stage back from the traditional audit risk
model and offers more benefit to auditors and clients alike.
Business Risk results from significant conditions, events, circumstances or actions that could
adversely affect the entity's ability to achieve its objectives and execute its strategies. Even
though such risks are likely to eventually have an impact on an entity's financial statements, not
every business risk will translate directly in a risk of a material misstatement in the financial
statements, which is often referred to as audit risks. There are 3 categories of business risk.
o Financial risk- this is the risk that the firm will not be able to meet its short term maturing
obligations as a when they fall due.
o Operational risk- these are risks arising with regard to operations for instance, the risk that
a major supplier will lay longer be able to supply the company with the key raw materials.
o Compliance risk- Risk that arises from non-compliance with laws and regulations under
which the business operates tor example, environmental issues.
Page 78
Industry developments (a potential related business risk might be, for example, that the
entity does not have the personnel or expertise to deal with the changes in the industry).
New products and services (a potential related business risk might be, for example, that
there is increased product liability).
Expansion of the business (a potential related business risk might be, for example, that
the demand has not been accurately estimated).
New accounting requirements (a potential related business risk might be, for example,
incomplete or improper implementation, or increased costs).
Regulatory requirements (a potential related business risk might be, for example, that
there is increased legal exposure).
Current and prospective financing requirements (a potential related business risk might
be, for example, the loss of financing due to the entity’s inability to meet requirements).
Use of IT (a potential related business risk might be, for example, that systems and
processes are incompatible).
The effects of implementing a strategy, particularly any effects that will lead to new
accounting requirements (a potential related business risk might be, for example,
incomplete or improper implementation).
- A business risk may have an immediate consequence for the risk of material misstatement
for classes of transactions, account balances, and disclosures at the assertion level or the
financial statement level. For example, the business risk arising from a contracting customer
base may increase the risk of material misstatement associated with the valuation of
receivables.
- However, the same risk, particularly in combination with a contracting economy, may also
have a longer-term consequence, which the auditor considers when assessing the
appropriateness of the going concern assumption. Whether a business risk may result in a
risk of material misstatement is, therefore, considered in light of the entity’s circumstances.
- Usually, management identifies business risks and develops approaches to address them.
Such a risk assessment process is part of internal control.
Page 79
1. INSPECTION
a. Documents and records:
While verifying various transactions, the auditor examines the supporting documents and records.
This technique is otherwise called vouching. The purpose of examining the documents and records
is to
How for an auditor can rely on the documents depends on the origin (source) of the documents
and the efficiency of the internal control system in operation.
Documents which have their origin in the hands of the third parties and held by third parties are
more reliable than the documents which have their origin in the organization itself and held by the
organization. One can classify the documents into 4 major categories according to their origin and
availability.
1. Documents which have their origin in the hands of the third party and held by them – Most
reliable evidence.
2. Documents which have their origin in the hands of the third party and held by the organization
– More reliable.
3. Documents which have their origin in the hands of the organization and held by the third party
– Reliable.
4. Documents which have the origin in the hands of the organization and held by the organization
– Reliable only if the internal control is effective.
b. Physical Verification
If an item can be measured in physical term, the same may be verified for quantity and quality (if
possible). By physical examination, the auditor ensures the availability of the item. However, the
ownership of the items cannot be verified through this method.
2. OBSERVATION
Page 80
The auditor observes a particular procedure being carried by the organization. Examples are
observation of the internal control measures that are adopted in transactions involving cash,
procedures followed on receipt or issue of material, etc. The auditor makes his observations to
evaluate the efficiency and effectiveness of the system followed by the organization.
Inquiry: Seeking information from persons belonging to the organization or from outside
organization is called inquiry.
Confirmation: Confirming the information available with the records of the organization or with
the persons mostly from outside the organization through an inquiry is confirmation.
Inquiry and confirmation can take place either orally or in writing. The best example for inquiry
and confirmation is confirming the balances of debtors shown in the accounting records with the
debtors of the organization.
4. COMPUTATION
An auditor makes appropriate calculations and verifies the accuracy of the accounting records. For
example, the auditor computes the depreciation to be charged for the year, by taking into
consideration. the value of the asset (cost), the date of purchase, the rate of depreciation, etc., to
verify the accuracy of the depreciation charged by the organization. The auditor also traces a
particular transaction from the origin to check the book keeping procedure.
5. ANALYTICAL PROCEDURES
The purpose of analysis is to ensure consistency of accounting methods and also to evaluate the
efficiency of the management by comparing the results of several years. The several analytical
procedures are
i. Reconciliation
ii. Ratio Analysis; and
iii. Variance Analysis.
The auditor also applies the analytical procedures to help the management in decision making.
Such analytical techniques are
i. Marginal Costing
ii. Standard costing etc.
The auditor studies the nature of the business and also the prevailing circumstances and selects the
techniques to be applied. While conducting the audit, he may change his technique according to
the changes observed in the circumstances. The suitable audit techniques adopted by the auditor
helps him to carry on the audit efficiently.
Page 81
INTERNAL CONTROL SYSTEMS
The auditors must understand the accounting system and control environment in order to
determine
their audit approach.
Internal control is the process designed and effected by those charged with governance,
management,
and other personnel to provide reasonable assurance about the achievement of the entity's
objectives with regard to reliability of financial reporting, effectiveness and efficiency of
operations and compliance with applicable laws and regulations.
ISA 315 Identifying and assessing the risks of material misstatement through understanding the
entity and its environment deals with the whole area of controls.
In obtaining an understanding of internal control, the auditor must understand the design of the
internal control and the implementation of that control. In the following sub-sections, we look at
each of the elements of internal control in turn.
Control environment
The control environment is the framework within which controls operate. The control
environment is very much determined by the management of a business.
Control environment includes the governance and management functions and the attitudes,
awareness and actions of those charged with governance and management concerning the entity's
internal control and its importance in the entity.
A strong control environment does not, itself, ensure the effectiveness of the overall internal
control system, but can be a positive factor when assessing the risks of material misstatement. A
weak control environment can undermine the effectiveness of controls.
Page 82
Aspects of the control environment (such as management attitudes towards control) will
nevertheless be a significant factor in determining how controls operate. Controls are more likely
to operate well in an environment where they are treated as being important. In addition
consideration of the control environment will mean determining whether certain controls
(internal auditors, budgets) actually exist.
ISA 315 states that auditors shall have an understanding of the control environment. As part of
this
understanding, the auditor shall evaluate whether:
Management has created and maintained a culture of honesty and ethical behavior
The strengths in the control environment provide an appropriate foundation for the other
components of internal control and whether those components are not undermined by
deficiencies in the control environment
The following illustrates the elements of the control environment that may be relevant when
obtaining an understanding of the control environment.
Communication and enforcement of integrity and ethical values - Essential elements which
influence the effectiveness of the design, administration and monitoring of controls
Organisational structure
The framework within which an entity's activities for achieving its objectives are planned,
Page 83
executed, controlled and reviewed
The auditor shall assess whether these elements of the control environment have been
implemented using a combination of inquiries of management and observation and inspection.
ISA 315 says the auditor shall obtain an understanding of whether the entity has a process for:
If the entity has established such a process, the auditor shall obtain an understanding of it. If
there is not a process, the auditor shall discuss with management whether relevant business risks
have been identified and how they have been addressed.
The auditor shall obtain an understanding of the information system relevant to financial
reporting
objectives, including the following areas:
The classes of transactions in the entity's operations that are significant to the financial
statements
Page 84
The procedures, within both IT and manual systems, by which those transactions are
initiated,
recorded, processed, corrected, transferred to the general ledger and reported in the financial
statements
The related accounting records, supporting information, and specific accounts in the financial
statements, in respect of initiating, recording, processing and reporting transactions
How the information system captures events and conditions, other than transactions, that are
significant to the financial statements
The financial reporting process used to prepare the entity's financial statements, including
significant accounting estimates and disclosures
Controls surrounding journal entries, including non-standard journal entries used to record
non-
recurring, unusual transactions or adjustments
The auditor shall obtain an understanding of how the entity communicates financial reporting
roles and responsibilities and significant matters relating to financial reporting.
Control activities
Control activities are those policies and procedures that help ensure that management directives
are carried out.
ISA 315 states that the auditor shall obtain an understanding of control activities relevant to
the audit and how the entity has responded to risks arising from IT.
Control activities include those activities designed to prevent or to detect and correct errors.
Examples
include activities relating to authorisation, performance reviews, information processing,
physical controls and segregation of duties.
Examples of control activities
Checking the arithmetical accuracy of records - for example checking to see if individual
invoices have been added up correctly.
Page 85
Maintaining and reviewing control accounts and trial balances - Control accounts bring
together transactions in individual ledgers. Trial balances bring together unusual transactions for
the organisation as a whole. Preparing these can highlight unusual transactions or accounts.
Comparing the results of cash, security and inventory counts with accounting records - For
example, in a physical count of petty cash, the balance shown in the cash book should be the
same as the amount held.
Comparing internal data with external sources of information - For example, comparing
records of goods dispatched to customers with customers' acknowledgement of goods that have
been received.
Limiting physical access to assets and records - Only authorised personnel should have access
to certain assets (particularly valuable or portable ones)for example, ensuring that the inventory
store is only open when store personnel are there and is otherwise locked
Segregation of duties
Segregation implies a number of people being involved in the accounting process. This makes it
more
difficult for fraudulent transactions to be processed (since a number of people would have to
collude in the fraud), and it is also more difficult for accidental errors to be processed (since the
more people are involved, the more checking there can be). Segregation should take place in
various ways:
a) Segregation of function. The key functions that should be segregated are the carrying out of a
transaction, recording that transaction in the accounting records and maintaining custody of
assets that arise from the transaction.
b) The various steps in carrying out the transaction should also be segregated.
c) The carrying out of various accounting operations should be segregated. For example the
same
staff should not record transactions and carry out the reconciliations at the period-end.
Monitoring of controls
Monitoring of controls is a process to assess the effectiveness of internal control performance
Page 86
over time.
It includes assessing the design and operation of controls on a timely basis and taking necessary
corrective actions modified for changes in conditions.
The auditor shall obtain an understanding of the major activities that the entity uses to monitor
internal control over financial reporting, including those related to those control activities
relevant to the audit, and how the entity initiates corrective actions to deficiencies in its controls.
If the entity has an internal audit function, the auditor shall obtain an understanding of the nature
of its responsibilities and how it fits in the organisational structure, and the activities
performed/to be
performed.
The auditor shall also obtain an understanding of the sources of the information used in the
monitoring activities and the basis on which management considers it reliable.
Auditors can have difficulties not because there is a general lack of controls but because the
evidence available as to their operation and the completeness of the records is insufficient.
Segregation of duties will often appear inadequate in enterprises having a small number of staff.
Similarly, because of the scale of the operation, organisation and management controls are likely
to be
rudimentary at best.
The onus is on the proprietor, by virtue of his day-to-day involvement, to compensate for this
lack. This involvement should encompass physical, authorisation, arithmetical and accounting
controls as well as supervision.
However it is important to stress that in a well run small company there will be a system of
internal
control. In any case, all companies must comply with any relevant legislation concerning the
Page 87
maintenance of a proper accounting system.
Where the manager of a small business is not himself the owner, he may not possess the same
degree of commitment to the running of it as an owner-manager would. In such cases, the
auditors will have to consider the adequacy of controls exercised by the shareholders over the
manager in assessing internal control.
Any internal control system can only provide the directors with reasonable assurance that their
objectives are reached, because of inherent limitations. These include:
These factors demonstrate why auditors cannot obtain all their evidence from tests of the systems
of
internal control. The key factors in the limitations of controls system are human error and
potential for
fraud.
The safeguard of segregation of duties can help deter fraud. However, if employees decide to
perpetrate frauds by collusion, or management commits fraud by overriding systems, the
accounting system will not be able to prevent such frauds.
This is one of the reasons that auditors always need to be alert to the possibility of fraud, the
subject of ISA 240.
The auditors shall assess the adequacy of the systems as a basis for the financial statements and
shall
identify risks of material misstatements to provide a basis for designing and performing further
audit
procedures.
Page 88
Auditors are only concerned with assessing policies and procedures which are relevant to the
financial
statements. Auditors shall:
Assess the adequacy of the accounting system as a basis for preparing the accounts
Identify the types of potential misstatements that could occur in the accounts
Consider factors that affect the risk of misstatements
Design appropriate audit procedures
We have discussed the process of assessing the risks of material misstatement in previously. The
assessment of the controls of an entity will have an impact on that risk assessment.
Risks arising from poor control environments are unlikely to be confined to particular assertions
in the financial statements, and, if severe, may even raise questions about whether the financial
statements are capable of being audited, that is, if control risk is so high that audit risk cannot be
reduced to an
acceptable level.
On the other hand, some control procedures may be closely connected to an assertion in financial
statements, for example, controls over the inventory count are closely connected with the
existence and completeness of inventory in the financial statements.
The evaluation of internal control components the controls, that is by controls testing. This is
most likely to be the case in a system which is highly computerised and which does not require
much manual intervention.
The auditors must keep a record of the client's systems which must be updated each year. This
can be
done through the use of narrative notes, flowcharts, questionnaires or checklists.
There are several techniques for recording the assessment of control risk, that is, the system. One
or more of the following may be used depending on the complexity of the system.
Questionnaires
Checklists
Page 89
Narrative notes
Flowcharts
Whatever method of recording is used, the record will usually be retained on the permanent file
and
updated each year. We will look at the use of questionnaires in a little more detail here. There are
two
types, each with a different purpose.
Internal Control Questionnaires (ICQs) are used to ask whether controls exist which meet
specific control objectives.
Internal Control Evaluation Questionnaires (ICEQs) are used to determine whether there
are controls which prevent or detect specified errors or omissions.
If the auditors believe the system of controls is strong, they may choose to test controls to assess
whether they can rely on the controls having operated effectively.
Confirming understanding
In order to confirm their understanding of the control systems, auditors will often carry out walk-
through tests. This is where they pick up a transaction and follow it through the system to see
whether all the controls they anticipate should be in existence were in operation with regard to
that transaction.
Tests of control
Tests of control are tests performed to obtain audit evidence about the effectiveness of the:
Design of the accounting and internal control systems, i.e. whether they are suitably designed to
prevent, or detect and correct, material misstatement at the assertion level; and
Operation of the internal controls throughout the period.
Tests of control are distinguished from substantive tests which are designed to detect material
misstatements in the financial statements.
a) Inspection of documents supporting controls or events to gain audit evidence that internal
controls
have operated properly, e.g. verifying that a transaction has been authorised
Page 90
b) Inquiries about internal controls which leave no audit trail, e.g. determining who actually
performs each function not merely who is supposed to perform it
c) Reperformance of control procedures, e.g. reconciliation of bank accounts, to ensure they
were
correctly performed by the entity
d) Examination of evidence of management views, e.g. minutes of management meetings
e) Testing of internal controls operating on computerised systems or over the overall IT
functionegaccess controls
f) Observation of controls to consider the manner in which the control is being operated
Auditors should consider:
How controls were applied
The consistency with which they were applied during the period
By whom they were applied
Deviations in the operation of controls (caused by change of staff etc) may increase control
riskandtestsof control may need to be modified to confirm effective operation during and after
any change,
In a continuing engagement, the auditor will be aware of the accounting and internal control
systems through work carried out previously but will need to update the knowledge gained and
considerthe need to obtain further audit evidence of any changes in control.
In particular, if controls testing reveal that controls have not operated effectively throughout the
year,theauditor may have to extend substantive testing,
Page 91
implications of those weaknesses, and possible recommendations to mitigate them.
The internal controls in a computerised environment include both manual procedures and
procedures
designed into computer programs. Such control procedures comprise two types of control,
general
controls and application controls.
General IT controls are policies and procedures that relate to many applications and support the
effective functioning of application controls by helping to ensure the continued proper operation
of information systems. They commonly include controls over data center and network
operations, system software acquisition, change and maintenance, access security, and
application system acquisition, development and maintenance.
Application controls are manual or automated procedures that typically operate at a business
process
level. They can be preventative or detective in nature and are designed to ensure the integrity of
the
accounting records. Accordingly, they relate to procedures used to initiate, record, process and
report
transactions or other financial data.
TEST OF CONTROLS
Selling (authorisation)
Goods outwards (custody)
Accounting (recording)
Page 92
Control objectives
One person is not responsible for taking orders, recording sales and receiving payment.
Recorded sales transactions represent goods shipped.
Goods and services are only supplied to customers with good credit ratings.
Goods and services are provided at authorised prices and on authorised terms.
Customers are encouraged to pay promptly.
Controls
- Segregation of duties
- Sales recorded only with approved sales order form and shipping documentation.
- Accounting for numerical sequences of invoices.
- Monthly customer statements sent out and customer queries and complaints handled
independently.
- Authorisation of credit terms to customers (senior staff authorisation, references/credit
checksfornew customers, regular review of credit limits)
- Authorisation by senior staff required for changes in other customer data such as address etc.
- Orders not accepted unless credit limits reviewed first.
- Authorised price lists and specified terms of trade in place.
Tests of controls
- Observe and evaluate whether proper segregation of duties is operating.
- Test a sample of sales invoices for authorised sales order form and shipping documentation.
- Examine application controls for authorisation.
- Review and test entity's procedures for accounting for numerical sequences of invoices.
- Review entity's procedures for sending out monthly statements and dealing with customer
queries and complaints.
- Review entity's procedures for granting credit to customers.
- Examine a sample of sales orders for evidence of proper credit approval by the appropriate
senior staff member.
- Examine application controls for credit limits.
- Authorised price lists and specified terms of trade in place.
- Review all new customer files to ensure satisfactory credit references have been obtained.
- Compare prices and terms on a sample of sales invoices to the authorised price list and terms
of trade.
- Examine application controls for authorised prices and terms.
Assertion:Completeness
Control objectives
- All revenue relating to goods dispatched is recorded.
- All goods and services sold are correctly invoiced.
Page 93
Controls
- Accounting for numerical sequences of invoices.
- Shipping documentation is matched to sales invoices.
- Sales invoices are reconciled to the daily sales report.
- An open-order file is maintained and reviewed regularly.
Tests of controls
- Review and test entity's procedures for accounting for numerical sequences of invoices.
- Trace a sample of shipping documents to the sales invoices and ledger.
- Review a sample of reconciliations performed.
- Inspect the open- order file for unfilled orders.
Assertion: Accuracy
Control objectives
All sales and adjustments are correctly journalised, summarised and posted to the correct
accounts.
Controls
Sales invoices and matching documents required for all entries.
Tests of controls
Vouch recorded sales to supporting documents.
Assertion: Cut-off
Control objectives
Transactions have been recorded in the correct period.
Controls
- All shipping documentation is forwarded to the invoicing section on a daily basis.
- Daily invoicing of goods shipped.
Tests of controls
- Compare dates on sales invoices with dates of corresponding shipping documentation.
- Compare dates on sales invoices with dates recorded in the sales ledger.
Assertion: Classification
Control objectives
All transactions are properly classified in accounts.
Page 94
Controls
- Chart of accounts in place.
- Codes in place for different types of products or services.
Tests of controls
- Review sales ledger for proper classification.
- Examine a sample of sales invoices for proper classification.
- Test application controls for proper codes.
Control objectives
Recorded purchases represent goods and services received.
Controls
- Authorisation procedures and policies in place for ordering goods and services.
- Segregation of duties.
- Purchase orders raised for each purchase and authorised by appropriate senior personnel.
- Approved purchase order for each receipt of goods.
- Staff receiving goods and check them against the purchase order.
- Stores clerks sign for goods received.
- Purchase orders and GRNs are matched with the supplies’ invoices
Tests of controls
- Inspect policies and procedures and inquire about them.
- Observe and evaluate segregation of duties.
- Examine a sample of purchase orders to ensure they have been appropriately authorised.
- Review the delegated list of authority for purchases.
Page 95
- For a sample of orders, examine the goods received note (GRN) and match it to the order.
- Observe receipt of goods by staff to confirm whether the check is done.
- Inspect a sample to confirm whether stores staff undertake this check.
- Examine supporting documentation for a sample of invoices
Assertion: Completeness
Control objectives
Controls
- Purchase orders and GRNs are matched with the suppliers' invoices.
- Periodic accounting for prenumbered GRNs and purchase orders.
- Independent check of amount recorded in the purchase journal.
Tests of control
- Examine supporting documentation for a sample of invoices.
- Review entity's procedures for accounting for prenumbered documents.
- Examine application controls.
- Examine documentation for evidence of this check.
Assertion: Rights and obligations
Control objectives
Recorded purchases represent the liabilities of the entity.
Controls
Purchase orders and GRNs are matched with the suppliers' invoices.
Tests of control
Examine supporting documentation for a sample of invoices.
Control objectives
Purchase transactions are correctly recorded in the accounting system.
Controls
- Purchase orders and GRNs are matched- with the suppliers' invoices.
- Mathematical accuracy of the supplier's invoice is verified.
Page 96
- Amount posted to general ledger is reconciled to the purchases ledger.
- Chart of accounts in place.
Tests of control
- Examine supporting documentation for documentation for a sample of invoices.
- Recalculate the mathematical accuracy of a sample of suppliers' invoices.
- Review reconciliations for evidence of this check.
- Review purchases journal and general ledger for reasonableness.
Assertion: Cut-off
Control objectives
Purchase transactions are recorded in the correct accounting period.
Controls
- All goods received reports forwarded to accounts payable department daily.
- Procedures in place that require recording of purchases as soon as possible after
goods/services received.
Tests of control
- Compare dates on reports to dates on relevant vouchers.
- Compare dates on vouchers with dates they were recorded in the purchases journal
Introduction
The inventory system can be very important in an audit because of the high value of inventory or
the complexity of its audit. It is closely connected with the sales and purchases systems covered
in the previous sections.
There are three possible approaches to the audit of inventory and the approach chosen depends
on the control in system in place over inventory.
(a) If the entity has a perpetual inventory system in place where inventory is counted
continuously throughout the year, and therefore a year-end count is not undertaken, a
controls-based approach can be taken if control risk has been assessed as low.
Page 97
(b) If an inventory count is to be undertaken near the year-end and adjusted by perpetual
inventory records for the year-end value, this approach also requires control risk to be
assessed as low.
(c) If inventory quantities will be determined by an inventory count at the year-end date, a
substantive approach is taken and no reliance is placed on controls.
Control objectives
- All inventory movements are authorised and recorded.
- Inventory included on the statement of financial position physically exists.
Controls
- Pre-numbered documentation such as GDNs and GRNs in use.
- Reconciliations of inventory records with general ledger.
- Segregation of duties
- Physical safeguards in place to ensure inventory is not stolen.
- Separate responsibilities for maintenance of records and custodianship.
- Inventory counted regularly.
Tests of control
- Review documentation in use.
- Review a sample of reconciliations to confirm they are performed and then reviewed by an
independent person
- Observe and evaluate proper segregation of duties.
- Review security systems in place (e.g. locked warehouses, CCTV etc).
- Review policies and procedures in place; discuss procedures with relevant staff.
- Review procedures for counting inventory.
- Attend inventory count.
Assertion: Completeness
Control objectives
Page 98
- All purchases and sales of inventory have been recorded in the accounting system.
Controls
- Procedures in place to include inventory held at third parties and exclude inventory held on
consignment for third parties.
- Reconciliations of accounting records with physical inventory.
Tests of control
- Review entity's procedures relating to consignment inventory.
- Review reconciliations performed and whether reviewed by independent person.
Assertive: Rights and obligations
Control objectives
Inventory records only include items that belong to the entity.
Controls
Procedures in place to include inventory held at third parties and exclude inventory held on
consignment for third parties.
Tests of control
Review entity's procedures relating to consignment inventory.
Control objectives
- Inventory quantities have been accurately determined.
- Inventory is properly stated at the lower of cost and net realisable value.
Controls
- Periodic or annual comparison of inventory with amounts shown in continuous (perpetual)
inventory records
- Standard costs reviewed by management.
- Review of cost accumulation and variance reports.
- Inventory managers review inventory regularly to identify slow-moving, obsolete and excess
inventory.
Tests of control
- Review and test entity's procedures for taking physical inventory
Page 99
- Review and test entity's procedures for developing standard costs.
- Inspect variance reports produced.
- Discuss with inventory managers how this is done.
- Observe the procedure being performed.
Assertive: Cut off
Control objectives
All purchases and sales of inventory are recorded in the correct accounting period.
Controls
- All dispatch documents processed daily to record the dispatch of finished goods.
- All goods inwards reports processed daily to record the receipt of inventory.
- Reconciliations of inventory records with general ledger.
Tests of control
- Inspect documentation to confirm daily processing.
- Inspect documentation to confirm daily processing.
- Review reconciliations performed.
Assertive: Presentation and disclosure assertions
Control objectives
- Inventory transactions and balances are properly identified and classified in the financial
statements.
- Disclosures relating to classification and valuation are sufficient.
Controls
- Orders for materials and production data forms used to process goods through
manufacturing.
- Approval by Finance
- Director
Tests of control
- Review entity's procedures and documentation used to classify inventory.
- Review entity's working papers for evidence of review.
THE CASH SYSTEM
Controls over cash receipts and payments should prevent fraud or theft.
Page 100
payments.
Assertion: Occurrence
Control Objective
- Only valid cash payments are made.
Controls
- Segregation of duties
- Supplier statements independently reviewed and reconciled to trade payable records.
- Monthly bank reconciliations prepared and reviewed.
- Only authorised staff can make electronic cash payments and issue cheques .
- Electronic cash payments and cheques prepared only after all source documents have been
independently approved.
Test of control
- Observe and evaluate proper segregation of duties.
- Review procedures for reconciling supplier statements.
- Review reconciliations to confirm whether undertaken and reviewed.
- Review delegated list of authority for cash payments.
- Inspect relevant documentation for evidence of approval by senior personnel.
Assertion: Completeness
Control objective
- All cash payments that occurred are recorded
Control
- Segregation of duties
- Supplier statements
- Independently reviewed and reconciled to trade payable records.
- Monthly bank reconciliations prepared and reviewed.
- Review of cash payments by manager before release.
- Daily cash payments reconciled to posting to payable accounts.
- Use of prenumbered cheques.
Test of control
- Observe and evaluate proper segregation of duties.
- Review procedures for reconciling supplier statements.
- Review reconciliations to confirm whether undertaken and independently reviewed.
Page 101
- Inspect sample of listings for evidence of senior review.
- Review a sample of reconciliations for evidence that they have been done.
- Examine evidence of use of prenumbered cheques.
The following table sets out the control objectives, controls and possible tests of control over
cash
Control objectives
- Cash payments recorded correctly in the ledger
- Cash payments posted to correct payable accounts and to the general ledger.
Controls
- Reconciliation of daily payments report to electronic cash payment transfers and cheques
issued.
- Supplier statements reconciled to payable accounts regularly.
- Monthly bank reconciliations of bank statements to ledger account. ,
- Supplier statements reconciled to payable accounts regularly.
- Agreement of monthly cash payments journal to general ledger posting
- Payable accounts reconciled to general ledger control account.
Tests of control
- Review reconciliation.
- Review reconciliations for a sample of accounts.
- Review bank reconciliation for evidence it was done and independently reviewed.
- Review reconciliations for a sample of accounts.
- Review postings from journal to general ledger.
Assertion: Cut-off
Control objectives
Cash payments are recorded in the correct accounting period.
Controls
Reconciliation of electronic funds transfers and cheques issued with postings to cash payments
journal and payable accounts
Tests of control
Review reconciliation and check it is carried out regularly.
Page 102
Assertion: Presentation and disclosure assertions
Control objectives
- Cash payments are charged to the correct accounts.
Controls
- Chart of accounts
- Independent approval and review of general ledger account assignment.
Tests of control
- Review cash payments journal to assess reasonableness of charging of accounts.
- Review assignment of general ledger account.
The following are control objectives, controls and possible tests of controls over cash receipts.
Assertion: Occurrence
Control objectives
All valid cash receipts are received and deposited.
Controls
- Segregation of duties
- Use of electronic cash receipts transfer not received or deposited
- Monthly bank reconciliations performed and independently reviewed.
- Use of cash registers or point-of-sale devices.
- Periodic inspections of cash sales procedures.
- Restrictive endorsement of cheques immediately on receipt.
- Mail opened by two staff members.
- Immediate preparation of cash book or list of mail receipts
- Independent check of agreement of cash/cheques to be deposited at bank with register totals
and receipts listing.
- Independent check of agreement of bank deposit slip with daily cash summary.
Test of control
- Observe and evaluate proper segregation of duties.
- Examine application controls for electronic cash receipts transfer.
- Review monthly bank reconciliations to confirm performed and reviewed.
- Observe cash sales procedures.
Page 103
- Inquire of managers about results of inspections.
- Observe mail opening, including endorsement of cheques.
- Observe mail opening procedures.
- Observe preparation of cash receipts' records.
- Review documentation for evidence of independent check.
Assertion:Completeness
Control objectives
All cash receipts received are recorded
Controls
- Segregation of duties
- Use of electronic cash receipts transfer not received or deposited.
- Monthly bank reconciliations performed and independently reviewed.
- Daily cash receipts listing reconciled with posting to customer accounts.
- Customer statements prepared and sent out on a regular basis.
Tests of Controls
- Observe and evaluate proper segregation of duties.
- Examine application controls for electronic cash receipts transfer.
- Review monthly bank reconciliations to confirm performed and reviewed.
- Review reconciliation.
- Inquire of management about handling of customer statements.
- Examine a sample of customers and note frequency of statements.
Control objectives
- Cash receipts recorded at correct amounts.
- Cash receipts posted to correct receivables accounts and to the general ledger.
Control
- Daily remittance report
- Review reconciliations reconciled to control listing of remittance advices.
- Monthly bank statement performed and reviewed independently
- Daily remittance report reconciled, daily with postings to cash, receipts journal and customer
accounts.
- Monthly customer statements sent out.
Page 104
- Monthly cash receipts journal agreed to general ledger posting
- Receivables ledger reconciled to control account.
Tests of controls
- Review reconciliations for evidence they were performed and independently reviewed.
- Review reconciliations.
- Review entity's procedures for sending out customer statements.
- Review journal and posting to general ledger.
Assertion: Cut-off
Control objectives
Cash receipts are recorded in the correct accounting period.
Control
Bank reconciliation at period-end
Tests of control
Review and test reconciliation
Control objective
Cash receipts are charged to the correct accounts.
Control
Chart of accounts.
Tests of control
- Review cash receipts journal for unusual items.
- Trace cash receipts from listing to cash receipts journal for proper classification.
Page 105
Audit working papers refer to the documents that prepare by or use by auditors as part of their
works. Those documents include the summary of client’s nature of business, business process
flow, audit program, as well as audit testing documents.
Audit working papers are sometime refer to audit documents that they are very import part of
audit works. These documents are the evidence that support auditor to make their conclusion on
the financial statements.
For example, auditor has an engagement with a company to audit the financial statements.
Before signing audit engagement, auditor require to obtain some information about the client, do
the client’s due diligence, and assess whether they should reject or accept the engagement. In this
case if the engagement is ready signed, that mean assessment is already done and accepted.
The documents that auditors use to documents client nature of business, perform client due
diligence, as well as assessment are the example of audit working papers.
Audit working papers also include the words or excel files that auditors used to documents
client’s key internal control over financial reporting, nature of business, as well as audit test’s
working paper. There are many types of audit working papers are listed below.
Example:
Here are the example of audit working papers:
Audit documents on client nature of business
Audit documents of team meeting
Evidence of the planning process including audit programs and any changes thereto
Page 106
Evidence of the auditor’s consideration of the work of internal audit and conclusions reached
Analyses of transactions and balances
Analyses of significant ratios and trends
Identified and assessed risks of material misstatements
A record of the nature, timing, extent and results of audit procedures
Evidence that the work performed was supervised and reviewed
An indication as to who performed the audit procedures and when they were performed
Details of audit procedures applied regarding components whose financial statements are audited
Result of audit testing on depreciation expenses
Result of audit testing on salaries expenses
by another auditor
Page 107
TOPIC 5
AUDIT EVALUATION AND REVIEWS
Accuracy. All of the information contained within the financial statements has been
accurately recorded.
Completeness. All of the information that should be disclosed has been included within the
financial statements and accompanying footnotes, so that readers have a complete picture of
the results and financial position of the entity.
Cut-off. Transactions have been compiled into the correct reporting period.
Existence. The information recorded in the financial statements actually occurred during the
year; fraudulent transactions are most likely to violate this assertion.
Rights and obligations. The entity is entitled to the assets it is reporting, and is reporting
all of its obligations as liabilities.
Page 108
Understandability. The information contained within the financial statements has been
clearly presented, with no intent to obfuscate the results or financial position of the entity.
Valuation. The transactions that are summarized in the financial statements were properly
valued; this is a particular concern when transactions must be either initially or subsequently
recorded at their market value.
If audit procedures result in a conclusion that any of the preceding assertions are not correct,
then the auditors may need to conduct additional audit procedures, or they may not be able
to provide a clean audit opinion at all.
Assertion: Completeness
- Obtain or prepare a summary of tangible non-current assets showing how:
Gross book value
Accumulated depreciation
Net book value reconcile with the opening position.
- Compare non-current assets in the general ledger with the non-current assets register and
obtain explanations for differences.
- For a sample of assets which physically exist agree that they are recorded in the
non-current asset register.
- If a non-current asset register is not kept, obtain a schedule showing the original costs and
present depreciated value of major non-current assets.
- Reconcile the schedule of non-current assets with the general ledger.
Existence
- Confirm that the company physically inspects all items in the non-current asset register each
year.
Page 109
- Inspect assets, concentrating on high value items and additions in-year.
- Confirm that items inspected:
Exist
Are in use
Are in good condition
Have correct serial numbers
- Review records of income-yielding assets.
- Reconcile opening and closing vehicles by numbers as well as amounts.
Valuation
- Verify valuation to valuation certificate.
- Consider reasonableness of valuation, reviewing:
Experience of valuer
Scope of work
Methods and assumptions used
Valuation bases are in line with accounting standards
- Reperform calculation of revaluation surplus.
- Confirm whether valuations of all assets that have been revalued have been updated regularly
(full valuation every five years and an interim valuation in year three generally) by inquiries
of Finance Director and inspection of previous financial statements.
- Inspect draft accounts to check that client has recognised in the statement of comprehensive
income revaluation losses unless there is a credit balance in respect of that asset in equity, in
which case it should be debited to equity to cancel the credit. All revaluation gains should be
credited to equity.
- Review depreciation rates applied in relation to:
Asset lives
Residual values
Replacement policy
Past experience of gains and losses on disposal
Consistency with prior years and accounting policy
Possible obsolescence
- Review non-current assets register to ensure that depreciation has been charged on all assets
with a limited useful life.
- For revalued assets, ensure that the charge for depreciation is based on the revalued amount
by recalculating it for a sample of revalued assets.
- Reperform calculation of depreciation rates to ensure it is correct.
- Compare ratios of depreciation to non-current assets (by category) with:
Page 110
Previous years
Depreciation policy rates
- Scrutinise draft accounts to ensure that depreciation policies and rates are disclosed in the
accounts.
- Review insurance policies in force for all categories of tangible non-current assets and
consider the adequacy of their insured values and check expiry dates.
Additions
These tests are to confirm rights and obligations, valuation and completeness.
- Verify additions by inspection of architects' certificates, solicitors' completion statements,
suppliers' invoices etc.
- Review capitalisation of expenditure by examining for non-current assets additions and items
in relevant expense categories (repairs, motor expenses, sundry expenses) to ensure that:
- Capital/revenue distinction is correctly drawn
- Capitalisation is in line with consistently applied company policy
- Inspect non-current asset accounts for a sample of purchases to ensure they have been
properly allocated.
- Check purchases have been authorised by directors/senior management by reviewing board
minutes.
- Ensure that appropriate claims have been made for grants, and grants received and receivable
have been received, by inspecting claims documentations and bank statements.
Page 111
- Check additions have been recorded by scrutinising the non-current asset register and general
ledger.
Disposal
These tests are to confirm rights and Obligations, completeness, occurrence and accuracy.
- Verify disposals with supporting documentation, checking transfer of title, sales price and
dates of completion and payment.
- Recalculate profit or loss on disposal.
- Check that disposals have been authorised by reviewing boards minutes.
- Consider whether proceeds are reasonable.
- If the asset was used as security, ensure release from security has been correctly made.
Page 112
The key assertions relating to intangible are existence (not so much ‘do they exist?’, but, are they
genuinely assets?) and valuation.
AUDIT PLAN
Goodwill
- Agree the consideration to sales agreement by inspection.
- Consider whether asset valuation is reasonable.
- Agree that the calculation is correct by recalculation.
- Review the impairment review and discuss with management.
- Ensure valuation of goodwill is reasonable/there has been no impairment not adjusted
through discussion with management.
AUDIT OF RECEIVABLES
Receivables are usually audited using a combination of tests of detail and analytical procedures.
The audit of receivables is important as this is likely to be a material area. A combination of
analytical
procedures and tests of detail are used, with sales also being tested in conjunction with trade
receivables.
Page 113
Assertions about account balances at the period-end
- Existence: Recorded receivables exist
- Rights and obligations: The entity controls the rights to receivables and related accounts
- Completeness: All receivables that should have been recorded have been recorded
- Valuation and allocation: Receivables are included in the accounts at the correct amounts
Completeness
- Agree the balance from the individual sales ledger accounts to the aged receivables' listing
and vice versa.
- Match the total of the aged receivables' listing to the sales ledger control account.
- Cast and cross cast the aged trial balance before selecting any samples to test.
- Trace a sample of shipping documentation to sales invoices and into the sales and
receivables' ledger.
- Complete the disclosure checklist to ensure that all the disclosures relevant to receivables
have been made.
- Compare the gross profit percent by product line with the previous year and industry data.
- Compare the level of prepayments to the previous year to ensure the figure is materially
correct and complete.
Existence
- Perform a receivables' circularisation on a sample of year-end trade receivables
- Follow up all balance disagreements and non-replies to the receivables' confirmation,
- Perform alternative procedures for any exceptions and non-replies to the receivables'
confirmation, such as:
Page 114
- Review after-date cash receipts by inspecting bank statements and cash receipts
documentation.
- Examine the customer's account and customer correspondence to assess whether the balance
outstanding represents specific invoices and confirm their validity.
- Examine the underlying documentation (purchase order, dispatch documentation, duplicate
sales invoice etc).
- Inquire from management explanations for invoices remaining unpaid after subsequent ones
have been paid.
- Observe whether the balance on the account is growing and if so, find out why by discussing
with management.
Cut off
- For a sample of sales invoices around the year-end, inspect the dates and compare with the
dates of dispatch and the dates recorded in ledger for application of correct cut-off.
- For sales returns, select a sample of returns documentation around the year-end and trace to
the related credit entries.
- Perform analytical procedures on sales returns, comparing the ratio of sales returns to sales.
Page 115
- Review material after-date invoices, credit notes and adjustments' ensure that they are
recorded correctly in the relevant financial period
Classification
Take a sample of sales invoices and examine for proper classification into revenue accounts
Accuracy
- For a sample of sales invoices, compare the prices and terms to the authorised price list and
terms of trade documentation
- Test whether discounts have been properly applied by recalculating them for a sample of
invoices
- Test the correct calculation of tax on a sample of invoices
Occurrence
For a sample of sales transactions recorded in the ledger, vouch the sales invoice back to
customer orders and dispatch documentation.
Page 116
Objectives of confirmation
Part of ISA 505 External Confirmation states that, when it is reasonable to expect customers to
respond, the auditors should ordinarily plan to obtain direct confirmation of receivables to
individual entries in an account balance.
The verification of trade receivables by direct confirmation is therefore the normal means of
providing audit evidence to satisfy the objective of checking whether customers exist and owe
bona fide amounts to the company (existence and rights and obligations).
Confirmation will produce for the current audit file a written statement from each respondent that
the
amount owed at the date of the confirmation is correct. This is, prima facie, reliable audit
evidence, being from an independent source and in documentary form. The confirmation of
receivables on a test basis should not be regarded as replacing other normal audit tests, such as
the testing in-depth of sales transactions, but the results may influence the scope of such tests.
Timing of confirmation
Ideally the confirmation should take place immediately after the year-end and hence cover the
year-end balances to be included in the balance sheet. However, time constraints may make it
impossible to achieve this ideal.
In these circumstances it may be acceptable to carry out the confirmation prior to the year-end
provided that confirmation is no more than three months before the year-end and internal
controls are strong.
Client's mandate
Confirmation is essentially an act of the client, who alone can authorise third parties to divulge
information to the auditors.
The ISA outlines what the auditors' response should be when management refuses permission for
the
auditors to contact third parties for evidence. Note that this applies to all such external
confirmations, not just trade receivables' circularisations.
If management asks the auditor not to seek the confirmation, the auditor should consider if there
are valid grounds for the request and obtain evidence to support this. If the auditor agrees not to
seek external confirmations, other procedures should be carried out to obtain sufficient
appropriate audit evidence. If the auditor does not accept the validity of management's request
and is prevented from undertaking the confirmations, this may impact on the auditor's report.
Page 117
When confirmation is undertaken the method of requesting information from the customer may
be either positive or negative.
Under the positive method the customer is requested to confirm the accuracy of the balance
shown or state in what respect he is in disagreement.
Under the negative method the customer is requested to reply only if the amount stated is
disputed.
The positive method is generally preferable as it is designed to encourage definite replies from
those
contacted.
The negative method may be used if the client has good internal controls, with a large number of
small accounts. In some circumstances, say where there are a small number of large accounts and
a large number of small accounts, a combination of both methods may be appropriate.
The statements will normally be prepared by the client's staff, from which point the auditors, as a
safeguard against the possibility of fraudulent manipulation, must maintain strict control over the
preparation and dispatch of the statements.
Sample Selection
Auditors will normally only contact a sample of accounts receivable. If this sample is to yield a
meaningful result, it must be based upon a complete list of all accounts receivable. In addition,
when constructing the sample, the following classes of account should receive special attention:
- Old unpaid accounts
- Accounts written off during the period under review
- Accounts with credit balances
- Accounts settled by round sum payments
- Accounts with nil balances
- Accounts which have been paid by the date of the examination
Follow-up procedures
Auditors will have to carry out further work in relation to those receivable who:
- Positive and negative confirmation - Disagree with the balance stated
- Negative confirmation – Do not respond
In the case of disagreements, the customer response should have identified specific amounts
which are
disputed
Page 118
Reasons for disagreement
- There is a dispute between the client and the customer. The reasons for the dispute would
have to be identified, and provision made if appropriate against the debt.
- Cut-off problems exist, because the client records the following year's sales in the current
year or because goods returned by the customer in the current year are not recorded in the
current year. Cut-off testing may have to be extended.
- The customer may have sent the monies before the year-end, but the monies were not
recorded by the client as receipts until after the year-end. Detailed cut-off work may be
required on receipts.
- Monies received may have been posted to the wrong account or a cash-in-transit account.
Auditors should check if there is evidence of other mis-posting. If the monies have been
posted to a cash-in-transit account, auditors should ensure this account has been cleared
promptly.
- Customers who are also suppliers may net-off balances owed and owing. Auditors should
check that this is allowed.
- Teeming and lading, stealing monies and incorrectly posting other receipts so that no
particular customer is seriously in debt is a fraud that can arise in this area. If auditors suspect
teeming and lading has occurred, detailed testing will be required on cash receipts,
particularly on prompt posting of cash receipts.
When the positive confirmation method is used the auditors must follow up by all practicable
means those receivables who fail to respond. Second requests should be sent out in the event of
no reply being received within two or three weeks and if necessary this may be followed by
telephoning the customer, with the client's permission.
After two, or even three, attempts to obtain confirmation, a list of the outstanding items will
normally be passed to a responsible company official, preferably independent of the sales
accounting department, who will arrange for them to be investigated
The receivables' confirmation provides good audit evidence of the existence of receivables, but
not
necessarily of their valuation. Therefore, in a question on the audit of receivables, remember to
include other audit procedures such as analytical procedures.
Page 119
business
processes, and is particularly impacted by the sales and purchases processes. We consider the
substantive audit testing applied to the year-end cash figure.
BANK
Bank balances are usually confirmed directly with the bank in question.
This type of audit evidence is valuable because it comes directly from an independent source
and, therefore, provides greater assurance of reliability than that obtained solely from the client's
own records.
Page 120
The bank letter is mentioned as a source of external third party evidence in ISA 505 External
confirmations, and guidance to auditors is provided in IAPS 1000 Inter-bank confirmation
procedures.
Confirmation requests
The bank confirmation letter can be used to ask a variety of questions, including queries about
outstanding interests, contingent liabilities and guarantees.
The auditors should decide from which bank or banks to request confirmation, having regard to
such
matters as size of balance, volume of activity, degree of reliance on internal control, and
materiality
within the context of the financial statements.
The auditors should determine which of the following approaches is the most appropriate in
seeking
confirmation of balances or other information from the bank:
- Listing balances and other information, and requesting confirmation of their accuracy and
completeness, or
- Requesting details of balances and other information, which can then be compared with the
requesting client's records
In determining which of the above approaches is the most appropriate, the auditors should weigh
the
quality of audit evidence they require in the particular circumstances against the practicality of
obtaining a reply from the confirming bank.
Difficulty may be encountered in obtaining a satisfactory response even where the client
company submits information for confirmation to the confirming bank. It is important that a
response is sought for all confirmation requests. Auditors should not usually request a response
only if the information submitted is incorrect or incomplete.
Page 121
The most commonly requested information is in respect of balances due to or from the client
entity on
current, deposit, loan and other accounts. The request letter should provide the account
description
number and the type of currency for the account.
It may also be advisable to request information about nil balances on accounts, and accounts
which were closed in the 12 months prior to the chosen confirmation date. The client entity may
ask for confirmation not only of the balances on accounts but also, where it may be helpful, other
information, such as the maturity and interest terms on loans and overdrafts, unused facilities,
lines of credit/standby facilities, any offset or other rights or encumbrances, and details of any
collateral given or received.
The client entity and its auditors are likely to request confirmation of contingent liabilities, such
as those arising on guarantees, comfort letter, bills and so on.
Banks often hold securities and other items in safe custody on behalf of customers. A request
letter may thus ask for confirmation of such items held by the bank.
The procedure is simple but important, and outlined below.
a) The banks will require explicit written authority from their client to disclose the information
requested.
b) The auditors' request must refer to the client's letter of authority and the date thereof.
c) Alternatively it may be countersigned by the client or it may be accompanied by a specific
letter of
authority.
d) In the case of joint accounts, letters to authority signed by all parties will be necessary.
e) Such letters of authority may either give permission to the bank to disclose information for a
specific request or grant permission for an indeterminate length of time.
f) The request should reach the branch manager at least one month in advance of the client's
year-
g) The auditors should themselves check that the bank response covers all the information in the
standard and other responses.
Cut-off
Care must be taken to ensure that there is no window dressing, by auditing cut-off carefully.
Window
dressing in this context is usually manifested as an attempt to overstate the liquidity of the
company by:
Page 122
a) Keeping the cash book open to take credit for remittances actually received after the year-
end,
thus enhancing the balance at bank and reducing receivables
b) Recording cheques paid in the period under review which are not actually dispatched until
after the year-end, thus decreasing the balance at bank and reducing liabilities
A combination of (a) and (b) can contrive to present an artificially healthy looking current
ratio.
With the possibility of (a) above in mind, where lodgments have not been cleared by the bank
until the new period, the auditors should examine the paying-in slip to ensure that the amounts
were actually paid into the bank on or before the period-end date.
As regards (b) above, where there appears to be a particularly large number of outstanding
cheques at
the year-end, the auditors should check whether these were cleared within a reasonable time in
the new period. If not, this may indicate that dispatch occurred after the year-end.
Page 123
- Verify the bank balances with reply to standard bank letter and with the bank statements.
- Inspect the cash book and bank statements before and after the year-end for exceptional
entries or
transfers which have a material effect on the balance shown to be in-hand.
- Identify whether any accounts are secured on the assets of the company by discussion with
management.
- Consider whether there is a legal right of set-off of overdrafts against positive bank balances.
- Determine whether the bank accounts are subject to any restrictions by inquiries with
management.
- Review draft accounts to ensure that disclosures for bank are complete and accurate and in
accordance with accounting standards.
Remember that the bank confirmation letter contains the balance held by the client at the bank
per the
bank's records. This must be reconciled to the balance held with the bank per the client's records.
CASH
Cash balances should be verified if they are material or irregularities are suspected.
Cash balances/floats are often individually immaterial but they may require some audit emphasis
because of the opportunities for fraud that could exist where internal control is weak and because
they may be material in total.
However in enterprises such as hotels and retail organisations, the amount of cash-in-hand at the
period- end could be considerable. Cash counts may be important for internal auditors, who have
a role in fraud prevention.
Auditors will be concerned that the cash exists, is complete, and belongs to the company (rights
and
obligations) and is stated at the correct value.
Where the auditors determine that cash balances are potentially material they may conduct a cash
count, ideally at the period-end. Rather like attendance at an inventory count, the conduct of the
count falls into three phases: planning, the count itself, and follow-up procedures.
As part of their planning procedures the auditors will need to determine the locations where cash
is held and which of these locations warrant a count.
Page 124
Planning decisions will need to be recorded on the current audit file including:
- The precise time of the count(s) and location(s)
- The names of the audit staff conducting the counts
- The names of the client staff intending to be present at each location
- Where a location is not visited it may be appropriate to obtain a letter from the client
confirming the balance.
Cash count
The following matters apply to the count itself.
- All cash/petty cash books should be written up to date in ink (or other permanent form) at the
time
of the count.
- All balances must be counted at the same time.
- All negotiable securities must be available and counted at the time the cash balances are
counted.
- At no time should the auditors be left alone with the cash and negotiable securities.
- All cash and securities counted must be recorded on working papers subsequently filed on
the
current audit file. Reconciliations should be prepared where applicable (for example, imprest
petty cash float).
Follow up
- Check certificates of cash-in-hand are obtained as appropriate.
- Verify unbanked cheques/cash receipts have subsequently been paid in and agree to the bank
reconciliation by inspection of the relevant documentation.
- Ensure IOUs and cheques cashed for employees have been reimbursed.
- Check IOUs or cashed cheques outstanding for unreasonable periods of time have been
providedfor.
Page 125
- Verify the balances as counted are reflected in the accounts (subject to any agreed
amendments because of shortages and so on) by inspection of draft accounts.
Bank balances are usually confirmed directly with the bank in question.
The bank confirmation letter can be used to ask a variety of questions, including queries about
outstanding interests, contingent liabilities and guarantees.
Cash balances should be verified if they are material or irregularities are suspected.
We examine the substantive audit of trade payables and accruals, long-term liabilities and
provisions and end with a brief look at capital. Purchases are often tested in conjunction with the
audit of trade payables and so are included in the section on trade payables. The following sets
out the
financial statement assertions to which audit testing is directed.
Page 126
Assertion about presentation and disclosure
- Occurrence and rights and obligations: Occurred and relate to the entity
- Completeness: All disclosures required have been included
- Classification and understandability: Financial information is appropriately presented and
described and disclosures clearly expressed
- Accuracy and valuation: Financial information is disclosed fairly and at appropriate amounts
AUDIT PROCEDURES
As with accounts receivable, accounts payable are likely to be a material figure in the statement
of financial position of most enterprises.
Auditors should however be particularly aware, when conducting their work on the statement of
financial position, of the possibility of understatement of liabilities to improve liquidity and
profit (by understating the corresponding purchases). The primary objective of their work will
therefore be to ascertain whether liabilities existing at the year-end have been completely and
accurately recorded.
As regards trade accounts payable, this primary objective can be subdivided into two detailed
objectives is there a satisfactory cut-off between goods received and invoices received, so that
purchases and trade accounts payable are recognised in the correct year?
Do trade accounts payable represent the bona fide amounts due by the company?
Before we ascertain how the auditors design and conduct their tests with these objectives in
mind, we need to establish the importance of the list of balances.
The following table sets out audit procedures to test trade accounts payables and accruals.
Page 127
Perform a confirmation of accounts payables for a sample
Complete the disclosure checklist to ensure that all the disclosures relevant to liabilities have
been made.
Compare the current year balances for trade accounts payables and accruals to the previous
year.
Compare the amounts owed to a sample of individual suppliers in the trade accounts payables
listing to amounts owed to these suppliers in the previous year.
Compare the payables' turnover and payables' days to the previous year and industry data.
Existence
Vouch selected amounts from the trade accounts payables listing and accruals listing to
supporting documentation such as purchase orders and suppliers' invoices.
Obtain selected suppliers' statements and reconcile these to the relevant suppliers' accounts.
Perform a confirmation of accounts payables for a sample.
Perform analytical procedures comparing current year balances to the previous year to
confirm reasonableness, and also calculating payables' turnover and comparing to the
previous year.
Cut-off
For a sample of vouchers, compare the dates with the dates they were recorded in the ledger
for application of correct cut-off.
Page 128
Test transactions around the year-end to determine whether amounts have been recognised in
the correct financial period.
Perform analytical procedures on purchase returns, comparing the purchase returns as a % of
sales or cost of sales to the previous year.
Accuracy
Recalculate the mathematical accuracy of a sample of suppliers' invoices to confirm the amounts
are correct.
Occurrence
For a sample of vouchers, inspect supporting documentation such as authorised purchase orders.
Where the entity has strong controls in place to ensure that all liabilities are recorded, the
confirmation will focus on large balances.
Where the auditor is concerned about the presence of unrecorded liabilities, regular suppliers
with smallor zero balances on their accounts and a sample of other accounts will be confirmed as
well as large balances.
Auditors use a positive confirmation referred to as a blank or zero-balance confirmation. This
confirmation does not state the balance owed but requires the supplier to declare the amount
Page 129
owed at the year-end and to provide a detailed statement of the account. When the confirmation
is received back, the amount must be reconciled with the entity's records.
The selection and sending out of accounts payables' confirmations should be controlled using the
same procedures as for the receivables' confirmation that we discussed previously.
Having said this, auditors do still need to be cautious when using them as they may have been
tampered with by the entity. The auditor should not rely on photocopies or faxed statements. If
there is any doubt, the auditor should request a copy directly from the supplier or confirm the
balance with the supplier (see above).
When selecting accounts for testing, the auditor should consider the volume of business during
the year, not the balance outstanding at the year-end, because the risk is understatement of
balances. Most
differences between balances on suppliers' statements and the year-end accounts payables' listing
are
likely to be due to goods and cash-in-transit and disputed amounts, however all differences need
to be
investigated thoroughly.
We are concerned here with non-current liabilities comprising debentures, loan inventory and
other loans repayable at a date more than one year after the year-end.
Accuracy: whether interest payable has been calculated correctly and included in the correct
accounting period
Page 130
Classification and understandability: whether long-term loans and interest have been correctly
disclosed in the financial statements
The major complication for the auditors is that debenture and loan agreements frequently contain
conditions with which the company must comply, including restrictions on the company's total
borrowings and adherence with specific borrowing ratios.
Page 131
The accounting treatments for provisions and contingenciesare complex and involve judgement
and this can make them difficult to audit.
Accounting issues
Key terms
A provision is a liability of uncertain timing or amount.
A liability is a present obligation of the entity arising from past events, the settlement of which is
expected to result in an outflow from the entity of resources embodying economic benefits.
An obligating event is an event that creates a legal or constructive obligation that results in an
entity having no realistic alternative to settling that obligation.
A contingent asset is a possible asset that arises from past events and whose existence will be
confirmed only by the occurrence or non-occurrence of one or more uncertain future events not
wholly within the control of the entity.
Page 132
Under IAS 37 Provisions, contingent liabilities and contingent assets, an entity should not
recognise a
contingent asset or a contingent liability. However if it becomes probable that an outflow of
future
economic benefits will be required for a previous contingent liability, a provision should be
recognised.
A contingent asset should not be accounted for unless its realisation is virtually certain; if an
inflow of
economic benefits has become probable, the asset should be disclosed.
Examples of the principal types of contingencies disclosed by companies are:
- Guarantees (for group companies, of staff pension schemes, of completion of contracts)
- Discounted bills of exchange
- Uncalled liabilities on shares or loan inventory
- Lawsuits or claims pending
- Options to purchase assets
Page 133
The ISA discusses the form the letter to the entity's lawyer should take. 'The letter, which should
be
prepared by management and sent by the auditor, should request the lawyer to communicate
directly with the auditor.
If it is thought unlikely that the lawyer will respond to a general enquiry, the letter should specify
the
following.
(a) A list of litigation and claims
(b) Management's assessment of the outcome of the litigation or claim and its estimate
of the
financial implications, including costs involved
(c) A request that the lawyer confirms the reasonableness of management's assessments
and
provides the auditor with further information if the list is considered by the lawyer
to be incomplete or incorrect
The auditors must consider these matters up to the date of their report and so a further, updating
letter
may be necessary.
A meeting between the auditors and the lawyer may be required, for example where a complex
matter
arises, or where there is a disagreement between management and the lawyer. Such meetings
should take place only with the permission of management, and preferably with a management
representative present.
If management refuses to give the auditor permission to communicate with the lawyers; this may
have an impact on the audit opinion.
AUDIT OF PROVISIONS
The following audit plan can be used in the audit of provisions.
Page 134
- Review of correspondence relating to the item
- Discussion with the directors. Have they created a valid expectation in other parties that they
will discharge the obligation?
- Determine for each material provision whether it is probable that a transfer of economic
benefits will be required to settle the obligation by:
- Checking whether any payments have been made in the post year-end period in respect of the
item by reviewing after-date cash
- Review of correspondence with solicitors, banks, customers, insurance company and
suppliers
both pre and post year-end
- Sending a letter to the solicitor to obtain his views (where relevant)
- Discussing the position of similar past provisions with the directors. Were these provisions
eventually settled?
- Considering the likelihood of reimbursement
- Recalculate all provisions made.
- Compare the amount provided with any post year-end payments and with any amount paid in
the past for similar items.
- In the event that it is not possible to estimate the amount of the provision, check that a
contingent
liability is disclosed in the accounts.
- Consider the nature of the client's business. Would you expect to see any other provisions eg
warranties? Consider the adequacy of disclosure of provisions, contingent assets and
contingent liabilities in accordance with IAS 37.
Page 135
Agree the authorised share capital with the statutory documents governing the company's
constitution.
Agree changes to authorised share capital with properly authorised resolutions.
Issue of Shares
Verify any issue of share capital or other changes during the year with general and board
minutes.
Ensure issue or change is within the terms of the constitution, and directors possess appropriate
authority to issue shares.
Confirm that cash or other consideration has been received or receivable{s) is included as cal/ed-
up share capital not paid.
Transfer of shares
Verify transfers of shares by reference to:
- Correspondence
- Completed and stamped transfer forms
- Cancelled share certificates
- Minutes of directors' meeting
Review the balances on shareholders' accounts in the register of members and the total list with
the amount of issued share capital in the general ledger.
Dividends
- Agree dividends paid and proposed to authority in minute books and check calculation with
total share capital issued to ascertain whether there are any outstanding or unclaimed
dividends.
- Agree dividend payments with documentary evidence (say, the returned dividend warrants).
- Check that dividends do not contravene the distribution provisions of the legislation.
- Check that imputed tax has been accounted for to the taxation authorities and correctly
treated in the accounts.
Reserves
- Agree movements on reserves to supporting authority
- Ensure that movements on reserves do not contravene the legislation and the company’s
constitution
- Confirm that the company can distinguish distributable reserves from those that are non-
distributable
- Ensure appropriate disclosures of movements on reserves are made in the company’s
accounts by inspection of the financial statements.
Page 136
Summary
The largest figure in current liabilities will normally be trade accounts payable which are
generally
audited by comparison of suppliers' statements with purchase ledger accounts.
Non-current liabilities are usually authorised by the board and should be well documented.
The accounting treatments for provisions and contingencies are complex and involve judgement
and this can make them difficult to audit.
The main concern with share capital and reserves is that the company has complied with the law
AUDIT OF INVENTORY
Inventory
If inventory is material to the financial statements, the auditor shall obtain sufficient appropriate
audit evidence regarding the existence and condition of inventory by:
a) Attendance at physical inventory counting, unless impracticable, to:
i) Evaluate management’s instructions and procedures for recording and controlling the
results of the entity’s physical inventory counting;
ii) Observe the performance of management’s count procedures;
iii) Inspect the inventory; and
iv) Perform test counts; and
b) Performing audit procedures over the entity’s final inventory records to determine whether
they accurately reflect actual inventory count results.
c) If physical inventory counting is conducted at a date other than the date of the financial
statements, the auditor shall, perform audit procedures to obtain audit evidence about
whether changes in inventory between the count date and the date of the financial statements
are properly recorded.
d) If the auditor is unable to attend physical inventory counting due to unforeseen
circumstances, the auditor shall make or observe some physical counts on an alternative date,
and perform audit procedures on intervening transactions.
e) If attendance at physical inventory counting is impracticable, the auditor shall perform
alternative audit procedures to obtain sufficient appropriate audit evidence regarding the
existence and condition of inventory. If it is not possible to do so, the auditor shall modify
the opinion in the auditor’s report in accordance with ISA 705.
f) If inventory under the custody and control of a third party is material to the financial
statements, the auditor shall obtain sufficient appropriate audit evidence regarding the
existence and condition of that inventory by performing one or both of the following:
(a) Request confirmation from the third party as to the quantities and condition of inventory
held on behalf of the entity.
(b) Perform inspection or other audit procedures appropriate in the circumstances.
Page 137
Attendance at Physical Inventory Counting
- Management ordinarily establishes procedures under which inventory is physically counted
at least once a year to serve as a basis for the preparation of the financial statements and, if
applicable, to ascertain the reliability of the entity’s perpetual inventory system.
- Attendance at physical inventory counting involves:
Inspecting the inventory to ascertain its existence and evaluate its condition, and
performing test counts;
Observing compliance with management’s instructions and the performance of
procedures for recording and controlling the results of the physical inventory count; and
Obtaining audit evidence as to the reliability of management’s count procedures.
These procedures may serve as test of controls or substantive procedures depending on the
auditor’s risk assessment, planned approach and the specific procedures carried out.
Page 138
The procedures used to estimate physical quantities, where applicable, such as may be
needed in estimating the physical quantity of a coal pile.
Control over the movement of inventory between areas and the shipping and receipt of
inventory before and after the cutoff date.
In addition to recording the auditor’s test counts, obtaining copies of management’s completed
physical inventory count records assists the auditor in performing subsequent audit procedures to
determine whether the entity’s final inventory records accurately reflect actual inventory count
results.
Physical Inventory Counting Conducted Other than at the Date of the Financial Statements
- For practical reasons, the physical inventory counting may be conducted at a date, or dates,
other than the date of the financial statements. This may be done irrespective of whether
management determines inventory quantities by an annual physical inventory counting or
maintains a perpetual inventory system. In either case, the effectiveness of the design,
implementation and maintenance of controls over changes in inventory determines whether
the conduct of physical inventory counting at a date, or dates, other than the date of the
financial statements is appropriate for audit purposes. ISA 330 establishes requirements and
provides guidance on substantive procedures performed at an interim date.
- Where a perpetual inventory system is maintained, management may perform physical
counts or other tests to ascertain the reliability of inventory quantity information included in
Page 139
the entity’s perpetual inventory records. In some cases, management or the auditor may
identify differences between the perpetual inventory records and actual physical inventory
quantities on hand; this may indicate that the controls over changes in inventory are not
operating effectively.
- Relevant matters for consideration when designing audit procedures to obtain audit evidence
about whether changes in inventory amounts between the count date, or dates, and the final
inventory records are properly recorded include:
Confirmation
ISA 505 establishes requirements and provides guidance for performing external confirmation
procedures.
Page 140
Depending on the circumstances, for example, where information is obtained that raises doubt
about the integrity and objectivity of the third party, the auditor may consider it appropriate to
perform other audit procedures instead of, or in addition to, confirmation with the third party.
Examples of other audit procedures include:
Attending, or arranging for another auditor to attend, the third party’s physical counting of
inventory, if practicable.
Obtaining another auditor’s report, or a service auditor’s report, on the adequacy of the third
party’s internal control for ensuring that inventory is properly counted and adequately
safeguarded.
Inspecting documentation regarding inventory held by third parties, for example, warehouse
receipts.
Requesting confirmation from other parties when inventory has been pledged as collateral.
SUBSEQUENT EVENTS
A subsequent event is an event that occurs after a reporting period, but before the financial
statements for that period have been issued or are available to be issued. Depending on the
situation, such events may or may not require disclosure in an organization's financial
statements.
Generally accepted accounting principles state that the financial statements should include
the effects of all subsequent events that provide additional information about conditions in
existence as of the balance sheet date. This rule requires that all entities evaluate subsequent
events through the date when financial statements are available to be issued, while a public
company should continue to do so through the date when the financial statements are
Page 141
actually filed with the Securities and Exchange Commission. Examples of situations calling
for the adjustment of financial statements are:
Lawsuit. If events take place before the balance sheet date that trigger a lawsuit, and lawsuit
settlement is a subsequent event, consider adjusting the amount of any contingent
loss already recognized to match the amount of the actual settlement.
Bad debt. If a company issues invoices to a customer before the balance sheet date, and the
customer goes bankrupt as a subsequent event, consider adjusting the allowance for doubtful
accounts to match the amount of receivables that will likely not be collected.
If there are subsequent events that provide new information about conditions that did not
exist as of the balance sheet date, and for which the information arose before the financial
statements were available to be issued or were issued, these events should not be recognized
in the financial statements. Examples of situations that do not trigger an adjustment to the
financial statements if they occur after the balance sheet date but before financial statements
are issued or are available to be issued are:
A business combination
Changes in the value of assets due to changes in exchange rates
Destruction of company assets
Entering into a significant guarantee or commitment
Sale of equity
Settlement of a lawsuit where the events causing the lawsuit arose after the balance sheet
date
A company should disclose the date through which there has been an evaluation of
subsequent events, as well as either the date when the financial statements were issued or
when they were available to be issued.
Page 142
There may be situations where the non-reporting of a subsequent event would result in
misleading financial statements. If so, disclose the nature of the event and an estimate of its
financial effect.
If a business reissues its financial statements, disclose the dates through which it has
evaluated subsequent events, both for the previously issued and revised financial statements.
The recognition of subsequent events in financial statements can be quite subjective in many
instances. Given the amount of time required to revise financial statements at the last
minute, it is worthwhile to strongly consider whether the circumstances of a subsequent
event can be construed as not requiring the revision of financial statements.
There is a danger in inconsistently applying the subsequent event rules, so that similar
events do not always result in the same treatment of the financial statements. Consequently,
it is best to adopt internal rules regarding which events will always lead to the revision of
financial statements; these rules will likely require continual updating, as the business
encounters new subsequent events that had not previously been incorporated into it s rules.
ISA 560 (redrafted) outlines the auditor’s responsibility in relation to subsequent events. For the
purposes of ISA 560, subsequent events are those events that occur between the reporting date
and the date of approval of the financial statements and signing of the auditors’ report.
In summary, the auditor should perform audit procedures designed to obtain sufficient
appropriate audit evidence that all events up to the date of the auditors’ report that may require
adjustment of, or disclosure in, the financial statements have been identified.
It is widely understood that an audit of an entity’s financial statements often takes place
sometime after the reporting date and during the intervening period, facts could arise that may
affect the financial statements. There is also a relevant International Accounting Standard which
deals with such events, IAS 10 ‘Events after the Reporting Period’.
Page 143
The audit procedures to be adopted by the auditor where subsequent events are concerned may
give rise to an adjustment to, or the inclusion of a note in, the financial statements. The auditor
will adopt relevant procedures depending on the risk assessment of the client.
GOING CONCERN
Introduction
IAS 1 Presentation of Financial Statements recognizes the going concern assumption as one of the
fundamental assumptions that underlie the periodic financial statements of enterprises.
The meaning of going concern can be said to be that the financial statements assume that the
enterprise will continue in operational existence for the foreseeable future, or put another way the
financial statements assume no intention or necessity to liquidate or curtail significantly the scale
of operation or put more simply that the enterprise can meet its financial obligations as they fall
due.
Page 144
Concern
- Some financial reporting frameworks contain an explicit requirement for management to
make a specific assessment of the entity’s ability to continue as a going concern, and
standards regarding matters to be considered and disclosures to be made in connection with
going concern.
- For example, International Accounting Standard (IAS) 1 requires management to make an
assessment of an entity’s ability to continue as a going concern. The detailed requirements
regarding management’s responsibility to assess the entity’s ability to continue as a going
concern and related financial statement disclosures may also be set out in law or regulation.
- In other financial reporting frameworks, there may be no explicit requirement for
management to make a specific assessment of the entity’s ability to continue as a going
concern. Nevertheless, since the going concern assumption is a fundamental principle in the
preparation of financial statements, the preparation of the financial statements requires
management to assess the entity’s ability to continue as a going concern even if the financial
reporting framework does not include an explicit requirement to do so.
- Management’s assessment of the entity’s ability to continue as a going concern involves
making a judgment, at a particular point in time, about inherently uncertain future outcomes
of events or conditions. The following factors are relevant to that judgment:
The degree of uncertainty associated with the outcome of an event or condition increases
significantly the further into the future an event or condition or the outcome occurs. For
that reason, most financial reporting frameworks that require an explicit management
assessment specify the period for which management is required to take into account all
available information.
The size and complexity of the entity, the nature and condition of its business and the
degree to which it is affected by external factors affect the judgment regarding the
outcome of events or conditions.
Any judgment about the future is based on information available at the time at which the
judgment is made. Subsequent events may result in outcomes that are inconsistent with
judgments that were reasonable at the time they were made.
Page 145
explicit requirement for management to make a specific assessment of the entity’s ability to
continue as a going concern.
- However, as described in ISA 200, the potential effects of inherent limitations on the
auditor’s ability to detect material misstatements are greater for future events or conditions
that may cause an entity to cease to continue as a going concern. The auditor cannot predict
such future events or conditions.
- Accordingly, the absence of any reference to going concern uncertainty in an auditor’s report
cannot be viewed as a guarantee as to the entity’s ability to continue as a going concern.
Objectives
The objectives of the auditor are:
a) To obtain sufficient appropriate audit evidence regarding the appropriateness of
management’s use of the going concern assumption in the preparation of the financial
statements;
b) To conclude, based on the audit evidence obtained, whether a material uncertainty exists
related to events or conditions that may cast significant doubt on the entity’s ability to
continue as a going concern; and
c) To determine the implications for the auditor’s report.
Page 146
Evaluating Management’s Assessment
- The auditor shall evaluate management’s assessment of the entity’s ability to continue as
a going concern. In evaluating management’s assessment of the entity’s ability to
continue as a going concern, the auditor shall cover the same period as that used by
management to make its assessment as required by the applicable financial reporting
framework, or by law or regulation if it specifies a longer period.
- If management’s assessment of the entity’s ability to continue as a going concern covers
less than twelve months from the date of the financial statements as defined in ISA 560,
the auditor shall request management to extend its assessment period to at least twelve
months from that date.
- In evaluating management’s assessment, the auditor shall consider whether
management’s assessment includes all relevant information of which the auditor is aware
as a result of the audit.
Page 147
(d) Considering whether any additional facts or information have become available since the
date on which management made its assessment.
(e) Requesting written representations from management and, where appropriate, those charged
with governance, regarding their plans for future action and the feasibility of these plans.
(a) Adequately describe the principal events or conditions that may cast significant doubt on
the entity’s ability to continue as a going concern and management’s plans to deal with
these events or conditions; and
(b) Disclose clearly that there is a material uncertainty related to events or conditions that
may cast significant doubt on the entity’s ability to continue as a going concern and,
therefore, that it may be unable to realize its assets and discharge its liabilities in the
normal course of business.
- If adequate disclosure is made in the financial statements, the auditor shall express an
unmodified opinion and include an Emphasis in the auditor’s report to:
(a) Highlight the existence of a material uncertainty relating to the event or condition that
may cast significant doubt on the entity’s ability to continue as a going concern; and
(b) Draw attention to the note in the financial statements that discloses the matters
- If adequate disclosure is not made in the financial statements, the auditor shall express a
qualified opinion or adverse opinion, as appropriate, in accordance with ISA 705
Page 148
The auditor shall state in the auditor’s report that there is a material uncertainty that may cast
significant doubt about the entity’s ability to continue as a going concern.
If the financial statements have been prepared on a going concern basis but, in the auditor’s
judgment, management’s use of the going concern assumption in the financial statements is
inappropriate, the auditor shall express an adverse opinion.
Page 149
- Events or conditions that may cast significant doubt on an entity’s ability to continue as a
going concern in the public sector may include situations where the public sector entity lacks
funding for its continued existence or when policy decisions are made that affect the services
provided by the public sector entity.
If management refuses to provide a representation then this constitutes a limitation in scope and
consideration should be given to expressing a qualified opinion or a disclaimer of opinion.
Page 150
2. The specific requirements for written representations of other ISAs do not limit the
application of this ISA. Written Representations as Audit Evidence
3. Audit evidence is all the information used by the auditor in arriving at the conclusions on
which the audit opinion is based. Written representations are necessary information that the
auditor requires in connection with the audit of the entity’s financial statements.
4. Accordingly, similar to responses to inquiries, written representations are audit evidence.
5. Although written representations provide necessary audit evidence, they do not provide
sufficient appropriate audit evidence on their own about any of the matters with which they
deal. Furthermore, the fact that management has provided reliable written representations
does not affect the nature or extent of other audit evidence that the auditor obtains about the
fulfillment of management’s responsibilities, or about specific assertions.
Where representations relate to matters that are material to the financial statements, the
engagement team should:
- Seek corroborative audit evidence from sources inside or outside the entity;
- Evaluate the reasonableness of management representations and consistency with other audit
evidence; and
- Consider whether the individuals making the representations are knowledgeable on those
particular matters.
Where other audit evidence could reasonably be expected to be available, management
representations cannot be substituted for that audit evidence. For example, a representation by
management as to the cost of an asset is not a substitute for the audit evidence of such cost that an
engagement team would ordinarily expect to obtain.
Page 151
Where audit evidence is reasonably expected to be available, relating to a matter that is material
to the financial statements, and the engagement team is unable to obtain such evidence,
consideration should be given to modifying the auditor’s report with a limitation of scope
paragraph. This will be the case even if management representation on that particular matter has
been received.
Where management representations are contradicted by other audit evidence, the engagement team
should investigate the circumstances and, if need be, reconsider the reliability of other
representations made by management.
Documentation
In Audit Evidence, documentary evidence is more reliable than oral evidence. Thus, management’s
representations should be obtained in a written form. This also reduces the possibility of
misunderstandings between the engagement team and management.
The basic elements of the management representation letter are:
- It should be addressed to the auditor.
- It is dated the same date as the auditor’s report.
- It is normally signed by members of management who have responsibility for the entity and
its financial aspects (normally the directors), based on the best of their knowledge and belief.
The management letter will normally be a natural by-product of the audit, and the auditor should
incorporate the need to issue the letter in the planning of the audit. The letter should be sent as
soon as possible after completion of the audit procedures giving rise to the need to comment.
Where audit work is carried out in more than one stage it may be appropriate to issue a letter at
the interim audit stage as well as the final audit stage.
Page 152
It is important that the management letter is sent and responded to on a timely basis (at the audit
completion stage) in order to have impact, be effective and acted upon by the client. It is
important to discuss all the points in the letter with management before the letter is issued. Any
significant matters should be brought to management’s attention immediately first verbally
followed up in writing. It is essential that the contents of the letter are considered by the
management. A copy of the letter with replies should be kept on the file. Significant matters
should be followed up after the client’s response by way of discussion or the performance of
system tests. Normally, it is usual for the auditor to review points made in previous years at the
first subsequent audit visit.
When a group of companies is involved, the management of the holding company may want to
be informed of significant points arising in the reports of the management of the subsidiaries.
The auditor must obtain permission from the management of the subsidiary before releasing such
information.
Any report made to management should be regarded as confidential communication. The auditor
should therefore not normally reveal the contents of the report to any third party without the prior
written consent of the management of the company.
In practice, the auditor has little control over what happens to the report once it has been
dispatched.
Occasionally, management may provide third parties e.g. their bankers, with copies of the report.
The auditor can use a disclaimer of liability against foreseen liability to third parties but this may
not give full protection from liability where the auditor knows or ought to know that a report to
management may be passed to a third party who would rely on it.
The Directors
Zawadi Ltd.
Nairobi.
Page 153
Morovia
15th May 20x8
Dear Sirs
ZawadiLtd.
This report has been prepared for the sole use of the directors of Upper plc. None of its contents
may be disclosed to third parties without our written consent. Swift and Co assumes no liability
to any other persons.
The matters detailed in this report reflect matters coning to our attention during the course of our
audit. They are not intended to be a comprehensive statement of all weaknesses that may exist or
of all improvements that could be made. We set out below those matters which we consider to be
of fundamental importance. Other matters of lesser significance, but which nevertheless require
your attention, are dealt with in note form.
Page 154
iii) Our audit work was made considerably more difficult by the absence of care in filing
supporting documentation which was therefore difficult to trace. The proper maintenance
of records is not only a requirement of the (national laws/IASs but is also necessary for the
efficient running of your business.
To reduce the time spent on the audit, and thus the cost to you, all supporting documentation
should agree with the financial statements and statutory disclosure information would be
assembled prior to our examination.
Yours faithfully
Swift & Co
Appendix
Zawadi Ltd. – year ended 31 December 2007
Weaknesses:
Lack of control exercised over computer processing.
Implications
The completeness, accuracy and validity of the accounting records may be undermined.
Recommendations:
(i) Authorization of input especially journals not arising from books of prime entry.
(ii) Batch controls using registers over all input in terms of value and number of
documents/transactions processed.
Page 155
(iii) Use of hash totals
(iv) Management control over master file amendments
(v) Reconciliation to control accounts
(vi) Clear audit trial for the correction and resubmission of nay rejected
(vii) All financial information processed at one location
(viii) A back up system should be available if the bureau is unable to process the input.
(b) Payroll
Weaknesses
No evidence of approval
Implications
Unauthorized changes may occur
Recommendations
Management should evidence their approval of the payroll, changes in rates of pay and the
employment of new staff.
(c) Inventory
Weaknesses
• Lack of physical and financial control over times of inventory
• Cut off errors were discovered for widgets dispatched prior to the year end but not invoiced
• Overhead allocation in valuation of widgets lacked support
Implications
• Inventory could be misappropriated
• The year-end inventory figure could be misstated
Recommendations
(i) A simple system of perpetual inventory should be implemented at each location.
This should be used to check for the dispatch and receipt of inventory and would provide good
overall control to enable a comparison of:
- Expected use to actual by comparison with orders, and
- Book inventory to actual after regular inventory checks
(ii) Improvements should be made to the system of control to facilitate a review of the
dispatches at the year end to ensure that a proper cutoff is achieved.
Page 156
(iii) The valuation of widgets depends on the estimated throughout during the year.
It is important that the number of widgets produced is properly recorded and that
consideration is given to normal production levels to allow compliance with accounting
standards.
Recommendations
(i) A register should be introduced to record all assets at cost together with associated
depreciation
(ii) In previous year’s capital additions, notably the improvements to the leasehold premises
have been written off. Also, assets scrapped have not been written off. The effect of this
cancels out and therefore we have not proposed an adjustment to opening figures. A
capitalization should be laid down and adhered to.
(iii) A register would enable the identification of fully depreciated assets and allow them to be
excluded from the deprecation calculations.
Weaknesses
• Lack of proper allocation of costs
• Lack of supporting documents
• Lack of control over cheque books
• Unauthorized charges
• Poor control over unrecorded liabilities
Implications
• Purchases in the accounts may be misstated
• Payables may be understated if unrecorded liabilities are not controlled
Page 157
Recommendations
i) All charges incurred should be allocated to the relevant cost centres to promote
accountability of these centers.
ii) Proper supporting documents for all payments must be retained and property filed for easy
retrieval.
iii) Control over payments would be improved if only one cheque book was in use at any one
time.
iv) Documents supporting charges should be authorized by an appropriate level of
management
v) A purchases journal should be introduced. Payments should be marked off. This would
provide control over unpaid invoices and a means for regular control account
reconciliation.
GROUP AUDITS
Group audits are audits of financial statements that include the financial information of more
than one component.
Group audit: The audit of group financial statements.
Group financial statements: Group financial statements are financial statements that
include the financial information of more than one component. “Group financial
statements” also refers to combined financial statements aggregating the financial
information of components that are under common control.
Component: A component is an entity or business activity for which group or
component management prepares financial information that is required to be included in
the group financial statements. A component may include, but is not limited to,
subsidiaries, geographical locations, divisions, investments, products or services,
functions, processes, or component units of state or local governments.
ISA 600 (revised and redrafted), special considerations – audits of group financial
statements (including the work of component auditors)
Definitions
The group auditor is responsible for providing the audit opinion on the group financial
statements. Components of the group financial statements can include subsidiaries, associates,
joint ventures, and branches. The components may be audited by the group auditor, but may
Page 158
instead be audited by a different firm of auditors known as the ‘component auditors’, also known
as the ‘other auditor’. The term component auditor is introduced by the revised and redrafted ISA
600. This article focuses on the objectives and responsibilities of the group auditor.
Objectives
The objective of the group auditor is twofold. First, the group auditor should establish that it is
appropriate to act as group auditor. Second, the group auditor should gather sufficient and
appropriate evidence in order to reach an opinion on the consolidated financial statements. This
article focuses on the second of these two objectives.
It is useful to consider the process by which the group financial statements are produced before
considering the group auditor’s objectives in relation to evidence. This three-stage process is
summarised
Page 159
to be taken, or any further work which needs to be carried out, in order to ensure that the
financial statements are free from material misstatement. Such actions could include:
a review of the component auditor’s overall audit strategy
performing a risk assessment at the company level
participating in closing meetings with the component auditor and the management of the
company
a review of relevant parts of the component auditor’s audit working papers.
Where a company is material to the group financial statements, the group auditor should carry
out further actions, including:
discussing with the component auditor, and/or the management of the company, the business
activities that are significant to the group
discussing with the component auditor the susceptibility of the company’s financial statements to
material error or deliberate misstatement
reviewing the component auditor’s documentation of identified significant risks, and the
conclusions reached on these risks.
It may be the case that, having performed the actions outlined above, the group auditor concludes
that further audit work is required on the financial statements of a company, or that a
memorandum of audit issues arising from the audit of the company is needed. For example, the
group auditor may consider that an element of the financial statements of the company could be
materially misstated, and that further audit evidence is necessary.
The group auditor should determine the nature of the work necessary, and whether the work
should be carried out by the group auditor or the component auditor.
Having taken the actions outlined above, the group auditor should now have obtained sufficient
evidence to show that the individual company financial statements are free from material
misstatement, and are a sound basis for the preparation of the consolidated financial statements.
Page 160
ensure that audit risk is minimised. The types of audit procedures that could be performed
include:
checking that figures taken into the consolidation have been accurately extracted from the
financial statements of the components
evaluating the classifications of the components of the group – for example, whether the
components have been correctly identified and treated as subsidiaries, associates, or joint
ventures
reviewing the disclosures necessary in the group financial statements, such as related party
transactions and minority interests
investigating the treatment of any components which have a different financial year end from
that of the rest of the group
gathering evidence appropriate to the specific consolidation adjustments made necessary by
financial reporting standards, including, for example:
– the calculation of goodwill and its impairment review
– cancellation of inter-company balances and transactions
– provision for unrealised profits as a result of inter-company transactions
– fair value adjustments needed for assets and liabilities held by the component
– re-translation of financial statements of components denominated in a foreign currency.
Some of the evidence required to meet the above objectives will be gathered by the component
auditor, and it is the group auditor’s responsibility to communicate to the component auditor the
evidence that they are expected to gather. This communication ideally occurs at the audit
planning stage.
The group auditor must have a sound knowledge of the relevant financial reporting standards,
which include:
IFRS 3, Business Combinations
IAS 28, Investments in Associates
IAS 31, Interests in Joint Ventures
IAS 32, Financial Instruments: Presentation
IAS 39, Financial Instruments: Recognition and Measurement.
Candidates are advised that, for the purposes of study for Paper P7, they must be very familiar
with the above financial reporting standards. Particularly important are the accounting
regulations relating to subsidiaries regarding goodwill, inter-company transactions, and fair value
adjustments, as well as the financial reporting implications on the acquisition and disposal of a
Page 161
subsidiary. Candidates must also be aware of the principles of accounting for associates, joint
ventures, and foreign subsidiaries.
It is also important to remember that the parent company’s individual financial statements will
contain balances and transactions pertinent to the components of the group. The parent
company’s statement of financial position (balance sheet) will carry the investments as non-
current assets, and the statement of comprehensive income is likely to contain dividend receipts
and other group transactions. The auditor expressing an opinion on the parent company’s
individual financial statements must gather sufficient appropriate evidence regarding these items,
paying particular attention to the carrying value of the investments. Candidates are reminded that
IFRS 3 contains detailed guidance on the treatment of group investments, particularly on the
calculation of the cost of investment.
Joint auditing
A joint audit is when two audit firms are appointed to jointly provide an audit opinion on a set of
financial statements. This is becoming increasingly common, especially in group audits, where a
component may be audited by both the group auditor and another auditor. The main benefit of
this type of arrangement is that when a new component is acquired by the group, for example the
acquisition of a new subsidiary, it is advantageous to keep the subsidiary’s existing audit firm,
which will have built up considerable knowledge and experience of the business of the
component. However, the group auditor will also need to build up knowledge of the new
subsidiary’s business, and also become familiar with the audit methods and procedures used by
the other auditor. One way for this to happen is for the group auditor to be appointed, along with
the other auditor, to jointly provide the audit opinion on the individual financial statements of the
subsidiary. The two firms will work together to plan the audit, gather evidence, review the work
done, and to finally provide the opinion.
Other benefits from a joint audit may include better availability of resources and the provision of
a higher quality audit, as there will be access to staff from both firms of auditors. The inclusion
of members of staff from the group audit firm within the audit team of the subsidiary should also
improve the efficiency of the audit of the consolidation process.
Page 162
However, it may be difficult for the two firms to work together if they use different audit
methods and it may take time to develop a ‘joint audit’ approach. There will also be cost
implications for the client, as it will presumably be more expensive to use two firms of auditors
to provide an audit opinion instead of one.
Joint auditing has been the subject of some debate within the profession in recent times. This is
largely because it is seen as a way for small and medium-sized audit firms to continue to be
involved in the audit of their client once the client has been acquired by another company. Prior
to the emergence of the joint audit, it would have been most likely for the existing auditor
(especially if a small or medium-sized audit firm) to be replaced by the group auditor (likely to
be a larger audit firm) as the provider of the audit opinion on the individual financial statements.
As more and more companies become acquisition targets, it can be seen that if this practice were
to continue, the small and medium-sized audit firms would continue to lose audit clients to the
larger audit firms, and would be left with few clients to provide a source of income. Therefore, in
the interests of maintaining revenue streams for small and medium-sized audit firms, and in the
interests of competition in the audit profession, joint auditing is an important current issue, and
will continue to be debated for the foreseeable future.
Conclusion
Group audits raise a variety of issues. The group structure can be complex and the existence of
numerous components within the group means that there may be several firms of auditors
involved. The group auditor must ensure that the group audit is carefully planned and that
communications with other auditors are made early in the audit process. The group auditor needs
to gather two types of evidence. Evidence regarding individual components of the group may be
gathered using a joint audit arrangement, though this is not without disadvantages. Evidence on
the consolidation process must be thorough, and planned with regard to numerous complex
financial reporting standards.
ANALYTICAL REVIEW
If sales increase by 20% during the review period, then accounts receivable should increase by a
similar amount. If the proportional change in receivables is greater than the increase in sales, this
Page 163
could be caused by several issues, such as a reduced collections effort or extending credit to
lower-quality customers. In both cases, a larger reserve for bad debts is indicated.
If 10% of the inventory has been declared obsolete in the past three years, then the obsolescence
charge for the current year should be about the same. If the actual amount of this charge is lower
than 10%, one might suspect that there is unidentified obsolete inventory still in stock.
If there has been a change in an expense account of greater than 25% and more than $5,000 in
the past year, investigate the reason for the change.
Analytical reviews can be quite useful for spotlighting general areas in which financial
statements are incorrect or where transactions have been mis-classified. Once the analysis
identifies areas of concern, the auditor must conduct a further investigation in order to pinpoint
the source of the underlying problem.
ANALYTICAL TESTS
It is a procedure evaluating data relationships to derive substantive audit evidence. It identifies
areas requiring additional audit attention. For example, auditors would compare actual financial
statement figures against their professional expectations and the firm's experience. Discrepancies
are noted and investigated. A comparison may also be made between figures of competing firms
and industry norms. Further, financial information can be compared to nonfinancial information,
where appropriate.
An example is the relationship between sales and number of employees. Analytical tests can be
conducted in measures other than dollars, if desired, such as in physical quantities and ratio
percentages.
To assist the auditor in planning the nature, timing and extend of other audit procedures
As substantive procedures when their use can be more effective or efficient than tests of
details in reducing detection risk for specific financial statement assertion
As an overall review of the financial statements in the final review stage of the audit
BANK AUDITING
Bank auditing is the procedure of reviewing the services and procedures adopted by banks and
other financial institutions. It is a routine procedure that all financial services entities must
Page 164
undergo in order to ensure that they are in compliance with industry standards and jurisdictional
regulations.
Banks are central to the nation’s financial system because, by receiving deposits and distributing
loans, they circulate money. This makes stable and efficient banks essential to the economy.
Bank auditors, therefore, evaluate financial information for accuracy and perform procedures
that determine if management controls are effective. The public can rely on the banking system
because of these audit activities
Key Areas
Auditors define your bank’s key areas depending on factors such as the services it offers,
systems it runs and the risk of fraud or misstatement these systems pose. They examine all the
earning streams, including interest income, and the recording mechanisms. They also audit all
expense streams, including interest, human resources and regulatory expenses and their
recording mechanisms. Items that have an element of human judgment, such as provision for bad
debts or asset capitalization, also attract the auditors’ attention. Other significant areas include
key assets and liabilities, such as government grants, tax assets or loans.
Test of Details
Test of details is a substantive audit procedure that auditors carry out when they think that the
risk of misstatement at the assertion level is substantial. While auditing your bank, auditors
usually assume loans are risky. This is because the more loans the bank issues, the more interest
it earns. Therefore, as a test of detail, auditors send out confirmation letters to customers who
borrowed from your bank. These borrowers respond to the letters, confirming their balances and
interest due. Recalculations and physical inspection are among the other tests of details that
auditors use. These tests are evidence that the information is legitimate.
Substantive Analytics
While auditing your bank’s financial statements, auditors apply a second type of substantive
procedure, the substantive analytics. While performing this analysis they try to find existing
plausible relationships among financial data. For example, if your bank’s lending is increasing,
auditors expect to find a corresponding increase in interest income. If they don’t find this
increase in interest, they look for and try to identify, calculate and corroborate reasonable factors
contributing to this situation.
Test of Controls
Usually, when risk of material misstatement isn’t high, auditors rely on a test of controls and
substantive analytics for their opinion. Tests of controls are procedures that auditors perform to
determine how effectively management or system controls function. Their goal is to find
significant control weaknesses if they exist. For example, auditors check whether your bank’s
Page 165
system correctly calculates interest and principal. They also check to see if appropriate bank
employees with applicable authorization approve them.
INSURANCE AUDIT
Insurance Companies
Authoritative documents include:
The Insurance Act
The Companies Act
IFRS 4 Insurance Contracts
The main legislation governing insurance companies and their conduct is the Insurance Act
Insurance companies like banks are also subject to special exempting provisions in the
Companies Act and in the Insurance Act. Unlike banks, not only do they take advantage of
the special provision but are in fact required by the Commissioner to take advantage of the
provisions. The auditor therefore, in practice gives two audit reports for an insurance company
and is also required to sign various reports that are submitted to the Commissioner of
Insurance. The insurance company prepares statutory accounts which are audited in the
normal way and a true and fair view report given and these are submitted to the members in
the normal way and adopted and dividends paid on their strength. The Commissioner then
requires accounts to be prepared in accordance with insurance regulations taking advantage of
creating secret reserves. These are also audited and reported on accordingly by the auditor but
not in true and fair view terms but rather by simply stating compliance with the insurance act.
(a) Ascertainment of debtors and creditors. Insurance companies do not maintain their
personal ledgers in such a way as to produce directly a separate list of debtors and creditors.
Their ledgers instead reflect the section of the market from which the business originates e.g.
broker, reinsurer, direct policy holder etc, hence it is quite possible that both debtor and creditor
Page 166
balances will exist in one ledger sometimes for the same person. The legal position with regard
to right of set off between debit and credit balances with the same person is not clear. From a
professional point of view the auditor must ensure therefore that the company adopts a
consistence approach in establishing the separate amounts of debtors and creditors.
(b) Unearned premiums: This represents the appropriate portion of a premium received during
the year under review but is applicable to later accounting periods. Once again, a consistent
approach should be adopted and the accounts should declare the basis selected by the insurance
company under the heading of accounting policies. The most common basis adopted for
annual premiums is the 24th basis.
(c) Expired risks: This represents the carry forward of provisions to the next accounting period
in circumstances where it appears that insurance business undertaken in the period under
review is unprofitable. This makes it similar to the provision on long term contracts in the
construction industry. The audit difficulty is that a considerable element of adjustment enters
the computation of such risks, the issue is for the auditor to form an opinion on the need for
such a provision and if one exists whether the sum provided is adequate.
(d) Outstanding claims: We can classify these claims in the following three categories:
i. Those which have been notified and agreed but are still outstanding at the balance
sheet date
ii. Those which have been notified before, but not yet agreed at the balance sheet date
and
iii. Those which have arisen but have not yet been notified to the company by the
balance sheet date.
A good deal of estimation is needed with regard to category (ii) and (iii) above. The audit
procedures therefore would invariably include, review of the claims files in order to appraise
the company's estimates. We must also compare the average cost of outstanding claims for
each class of business with current experience and finally the auditor should examine statistical
elements comparing past estimates with actual results.
Co-operative Societies
An audit in this case is carried out as a normal audit except you should note that the auditor is
appointed by the Commissioner of Co-operatives and although he reports to the members the
accounts must be registered with the Commissioner. Of special note is that he is required to carry
out special investigations on the bad debts provision to determine its adequacy and on the good debts
he has to confirm their recoverability.
Building Societies
Page 167
Building Societies are organisations which exist to offer a savings and investment medium to
the public and to lend to individuals money to enable them buy their own houses taking as
security the deeds of the houses. They are not limited companies but are run by a board of
directors elected by the investors and permanent staff. There are strong similarities in the
legislation covering building societies and that covering companies.
It shall be the duty of the auditors of a building society to carry out such investigations as will enable
them to form an opinion as to the following matter.
Examination of deeds
Page 168
• Ensure that the mortgage is in the name shown in the advance records;
• That there is a document of title to the property under mortgage and that the society's
lawyers have been satisfied as to the borrower's title;
• The amount of the advance as stated in the mortgage deed is not less than that shown on the
advance records;
• The mortgage deed is stamped, properly signed, witnessed and is prima facie in order;
• The property is adequately insured, the premium is paid up to date and the society's interest
as mortgage is endorsed in the insurance policy.
o There should be proper custody of unused share and deposit pass book, receipt forms
and share certificates;
o There should be proper instructions to the staff as to the making of entries in the pass
books and the issue of receipts;
o Withdrawal terms, notice and specimen signatures;
o Authorization of withdrawals by the ledger department or against the pass books;
o Records of deaths, marriages, powers of attorney and transmission of shares and
deposits;
o The comparison of the balance shown in the pass book with that shown in the ledger.
Cash
Possibility of error and misappropriation always accompany the handling of cash. Building societies
transactions to a large extent are in cash. This however does not involve audit considerations which
differ in principle from those encountered in any other business. So there should be surprise cash
counts and any discrepancies should be investigated in detail.
Window Dressing
Auditors should examine transactions which have the effect of showing as at the balance sheet date
a state of affairs particularly the society's liquidity which is materially better than it was during the
year and shortly after. Of particular attention are:
1. Large deposits received shortly before the year end and repaid shortly after;
2. Large mortgage repayments received shortly before the year end and re-advanced on the
same property shortly after;
3. Unusual delay until after the year end in making payments in accordance with
applications received for withdrawals of shares or deposits;
4. An abnormal year end accumulation of commitments for advances followed by the
making of the advances shortly after the year end;
Page 169
5. The significance of items in the bank reconciliation statements.
Not only does the auditor report to the members on the financial statements, he is also supposed
to give a report to the registrar of societies to accompany the annual return.
3. Investments: Many charities have investments and these are verified in the normal way
of verifying in investments.
The audit report is usually qualified on grounds that it is not possible because of the nature of the
society to verify whether all the income receivable in the form of donations has been fully accounted
for.
Page 170
(f) All cash payments should be made out of cash drawn from the bank, unless any donor
objects the annual report should contain a full list of donors. The annual report and the
accounts should be as detailed as possible.
Pension Funds
Pension funds are set up by companies or other organizations:
i. Examining the trust deed that set up the fund and ensuring that its provisions have
been correctly carried out;
ii. Verifying that there is proper control over the transactions of the fund;
iii. Verifying the portfolio of investments. All changes should be authorised by
trustee minutes and all income must be received;
iv. Verify that the funds are sufficient to meet its future commitments. These are
usually determined actuarially, preferably annually. Many schemes incorporate
an undertaking by the sponsor to make good any deficiency.
Advocates
The statutory provision regulating the handling of client's monies are covered in the advocate's
act.
Purpose of the rules:
• To require a lawyer to keep client's money separate from his own money;
• To ensure that a lawyer keeps adequate records of his transactions so that his books show
money received and paid and balance held on account of each client;
• To ensure that one client's money is clearly distinguished from that of other clients and from
any other money passing through the lawyer's accounts.
Page 171
1. Ascertain from the lawyer particulars of all bank accounts kept or operated by the lawyer
in connection with his practice.
2. Examine the book keeping system in every office of the lawyer to see that the system
complies with the following requirements:
1. To extend his enquiries beyond the information contained in the relevant documents as
supplemented by such information and explanations as he may obtain from the lawyer.
2. To enquire into stocks shares other securities or documents of title held by the lawyer
on behalf of clients.
3. To consider whether the books of accounts of the lawyer were properly written up in
accordance with the rules at any other time than at which his examination took place.
Page 172
TOPIC 6
AUDIT RELATED ASSURANCE SERVICES
DUE DILIGENCE
Due diligence is an investigation or audit of a potential investment or product to confirm all
facts, such as reviewing all financial records, plus anything else deemed material. It refers to the
care a reasonable person should take before entering into an agreement or a
financial transaction with another party. Due diligence can also refer to the investigation a seller
does of a buyer; items that may be considered are whether the buyer has adequate resources to
complete the purchase, as well as other elements that would affect the acquired entity or the
seller after the sale has been completed.
Conducting a due diligence audit lets you know in advance if a business is worth an investment
of your time and money. Reviewing the financial and corporate documents gives you a complete
picture of the company, and you can hire a professional business appraiser to help you with this
task. You have a set deadline to get out of the contract if your due diligence finds something
materially wrong with the business. Because the seller is providing you with private corporate
and financial information, be prepared to sign a nondisclosure or confidentiality agreement
before receiving the documents.
The seller should provide you with audited financial statements and copies of bank statements
for the business checking, savings and investment accounts for the past three years. Ask for
copies of credit and loan agreements, notes payable and any liens that have been filed against the
company. You’ll also want copies of vendor and supplier contracts, the accounts receivable, an
accounts receivable aging spreadsheet and accounts written off as uncollectable. Get copies of all
income tax records for the past seven years to be sure there are no outstanding taxes or ongoing
IRS collection activities.
Visit the Business Location
Page 173
What looks good on paper may not be so impressive when seen in person. Plan to make at least
one trip to inspect the business premises. Look at the overall condition of the building inside and
out. Bring along a list of the fixed assets and equipment, inventory and supplies, office furniture
and fixtures the business owns. Verify that what’s on the list is physically there, functioning and
in good condition. Be sure to get copies of current business licenses and operating permits.
Employee wages and benefits are a substantial business expense. Along with monthly payroll
information, you’ll want to know about employer-sponsored retirement plans, health insurance
benefits and employee vacation and leave policies. Determine if there are any employee
agreements or contracts in force. The employee handbook should be current and in compliance
with federal and state employment laws. Verify the identity of key employees along with their
payment and benefit package. If key employees have left the company, ensure that they signed a
noncompete agreement or nondisclosure agreement.
Products, Services and Competitors
If sales or services are the lifeblood of the business, you’ll want to know how many products or
services the business provides along with how the selling price is determined. You need to know
how the products and services stack up against the competitors. Ask the seller how he sets his
products or services apart from his competitors to attract and retain customers. Compare the
financial ratios against industry norms to get an idea of how the business stacks up. If the
business is involved in an environmentally sensitive industry such as dry cleaning or gasoline
sales, be sure any regulatory concerns or issues are resolved.
AUDIT COMMITTEES
An audit committee is one of the major operating committees of a company's board of
directors that is in charge of overseeing financial reporting and disclosure.
The main objectives usually associated with audit committees include;
i. Increasing public confidence in the creditability and objectivity of published
financial information including unaudited interim statements
Page 174
ii. Assisting directors (particularly non executive directors) in meeting their
responsibilities in respect of financial reporting
iii. Strengthening the independent position of a company’s external auditor by
providing an additional channel of communication.
A particular role is to assist in the communication process between the board and the auditors
throughout the medium of the non-executive directors and it provides a useful way of assisting
the latter in the discharge of their duties.
• The audit function may become more independent as there will be a quasi-independent
body between the board and the auditors. It may paradoxically improve communications
between auditor and board;
• Improvement in the quality of the accounting and auditing functions. A continuous review
of the functions of financial management and internal and external audit will inevitably
result in higher status to the practitioners and superior performance.
Page 175
• There are not enough non-executive directors;
• Audit committees would take too much time and cost too much;
• Audit committees would be least effective in companies which need them most (e.g.
companies dominated by ambitious and unscrupulous entrepreneurs).
• The production of financial statements may be delayed.
Corporate governance is the system by which organisations are directed and controlled. It
encompasses the relationship between the board of directors, shareholders and other
stakeholders, and the effects on corporate strategy and performance. Corporate governance is
important because it looks at how these decision makers act, how they can or should be
monitored, and how they can be held to account for their decisions and actions.
The published audited financial statements and related information are therefore of key
importance. They will usually be the main information set to which shareholders and other
stakeholders have access and this is why having credible financial statements supported by the
auditor’s opinion is crucial.
Page 176
Every company should be headed by an effective board which is collectively responsible for the
long-term success of the company, and should lead and control the company’s operations.
There should be a clear division of responsibilities at the head of the company, which will ensure
a balance of power and authority, such that no one individual has unfettered powers of decision.
Non-executive directors should constructively challenge and help develop proposals on strategy.
The board should include a balance of executive and non-executive directors such that no
individual or small group of individuals can dominate the board’s decision taking.
Effectiveness
The board and its committees should have the appropriate balance of skills, experience,
independence and knowledge of the company to enable them to discharge their respective duties
and responsibilities effectively.
There should be a formal, rigorous and transparent procedure for the appointment of new
directors to the board. All directors should receive induction on joining the board and should
regularly update and refresh their skills and knowledge.
All directors should be submitted for re-election at regular intervals, subject to continued
satisfactory performance.
Accountability
The board should present a balanced and understandable assessment of the company’s position
and prospects. For UK companies, this is also required by the Companies Act 2006, which
requires that the directors disclose a business review as part of the directors’ report to be
included in the financial statements.
The board should maintain sound risk management and internal control systems. The board
should establish formal and transparent arrangements for considering how they should apply the
corporate reporting and risk management and internal control principles and for maintaining an
appropriate relationship with the company’s auditor.
Remuneration
Levels of remuneration should be sufficient to attract, retain and motivate directors of the quality
required to run the company successfully, but a company should avoid paying more than is
necessary for this purpose. A significant proportion of executive directors’ remuneration should
be structured so as to link rewards to corporate and individual performance.
Page 177
Relations with shareholders
There should be a dialogue with shareholders based on the mutual understanding of objectives.
The board as a whole has responsibility for ensuring that a satisfactory dialogue with
shareholders takes place. The board should use the Annual General Meeting to communicate
with investors and to encourage their participation.
The role of audit committees
The audit committee is such an important part of corporate governance that it is the subject of its
own guidance document in the UK, the Financial Reporting Council’s Guidance on Audit
Committees. The audit committee should be made up of at least three independent non-executive
directors, one of whom should have recent and relevant financial experience. The committee has
many roles, including several that are specifically related to the external auditor, which are
discussed below.
Page 178
Finally, the audit committee plays a part in fraud prevention and detection in that whistleblowing
arrangements should be made so that staff of the company may raise concerns about possible
improprieties in respect of financial reporting matters.
Internal audit has two key roles to play in relation to organisational risk management:
- Ensuring the company's risk management system operates effectively
- Ensuring that strategies implemented in respect of business risks operate effectively
Internal audit may assist in the development of systems. However, its key role will be in
monitoring the overall process and in providing assurance that the systems which the
departments have designed meet objectives and operate effectively.
It is important that the internal audit department retains its objectivity towards these aspects of its
role,
which is another reason why internal audit would generally not be involved in the assessment of
risks and the design of the system.
Page 179
Although the presence of an internal audit department within an organisation is indicative of
good internal control, by its very nature, there are some limitations of the internal audit function.
Internal auditors are employed by the organisation and this can impair their independence and
objectivity and ability to report fraud/error to senior management because of perceived threats to
their continued employment within the company.
To ensure transparency, best practice indicates that the internal audit function should have a dual
reporting relationship, i.e. report both to management and those charged with governance (the
audit committee). If this reporting structure is not in place, management may be able to unduly
influence the internal audit plan, scope, and whether issues are reported appropriately.
This results in a serious conflict, limits the scope and compromises the effectiveness of the
internal audit function.
Internal auditors are not required to be professionally qualified (as accountants are) and so there
may be limitations in their knowledge and technical expertise
2. Dynamic business
Due to changes in technology a number of companies have become so dynamic such that their
controls are updated on a continuous basis and this calls for constant feed back on those controls
that necessitate updating. This meant that, to cope with these demands companies had to
improvise and use expert advice, which was available from the Internal Auditor.
4. Competition
Under perfect competition companies can only survive if they are operationally efficient and this
calls for stronger controls and cost effectiveness.
Page 180
5. Evolution of IT
Of late many companies have computerised their operations and controls. There is need therefore
for continuous review of the operation of controls over these computerized systems.
This International Standard on Auditing (ISA) deals with the external auditor’s responsibilities if
using the work of the internal audit function in obtaining audit evidence.
Relationship between the Internal Audit Function and the External Auditor
The objectives of the internal audit function are determined by management and, where
applicable, those charged with governance. While the objectives of the internal audit function
and the external auditor are different, some of the ways in which the internal audit function and
the external auditor achieve their respective objectives may be similar.
Irrespective of the degree of autonomy and objectivity of the internal audit function, such
function is not independent of the entity as is required of the external auditor when expressing an
opinion on financial statements. The external auditor has sole responsibility for the audit opinion
expressed, and that responsibility is not reduced by the external auditor’s use of the work of the
internal auditors.
Page 181
c) Adequate audit evidence has been obtained to enable the internal auditors to draw
reasonable conclusions;
d) Conclusions reached are appropriate in the circumstances and any reports prepared by the
internal auditors are consistent with the results of the work performed; and
e) Any exceptions or unusual matters disclosed by the internal auditors are properly
resolved.
Documentation
If the external auditor uses specific work of the internal auditors, the external auditor shall
include in the audit documentation the conclusions reached regarding the evaluation of the
adequacy of the work of the internal auditors, and the audit procedures performed by the external
auditor on that work.
Scope of this ISA {International Standard on Auditing (ISA) 610 (Revised), Using the Work of
Internal Auditors}
- The entity’s internal audit function is likely to be relevant to the audit if the nature of the
internal audit function’s responsibilities and activities are related to the entity’s financial
reporting, and the auditor expects to use the work of the internal auditors to modify the
nature or timing, or reduce the extent, of audit procedures to be performed.
- Carrying out procedures in accordance with this ISA may cause the external auditor to re-
evaluate the external auditor’s assessment of the risks of material misstatement.
Consequently, this may affect the external auditor’s determination of the relevance of the
internal audit function to the audit.
- Similarly, the external auditor may decide not to otherwise use the work of the internal
auditors to affect the nature, timing or extent of the external auditor’s procedures. In such
circumstances, the external auditor’s further application of this ISA may not be necessary.
Page 182
operating information, and to make specific inquiry into individual items, including
detailed testing of transactions, balances and procedures.
Review of operating activities. The internal audit function may be assigned to review the
economy, efficiency and effectiveness of operating activities, including non-financial
activities of an entity.
Review of compliance with laws and regulations. The internal audit function may be
assigned to review compliance with laws, regulations and other external requirements,
and with management policies and directives and other internal requirements.
Risk management. The internal audit function may assist the organization by identifying
and evaluating significant exposures to risk and contributing to the improvement of risk
management and control systems.
Governance. The internal audit function may assess the governance process in its
accomplishment of objectives on ethics and values, performance management and
accountability, communicating risk and control information to appropriate areas of the
organization and effectiveness of communication among those charged with governance,
external and internal auditors, and management.
Determining Whether and to What Extent to Use the Work of the Internal Auditors
Whether the Work of the Internal Auditors is likely to be Adequate for Purposes of the
Audit
Factors that may affect the external auditor’s determination of whether the work of the internal
auditors is likely to be adequate for the purposes of the audit include:
Objectivity
The status of the internal audit function within the entity and the effect such status has on the
ability of the internal auditors to be objective.
Whether the internal audit function reports to those charged with governance or an officer
with appropriate authority, and whether the internal auditors have direct access to those
charged with governance.
Whether the internal auditors are free of any conflicting responsibilities.
Whether those charged with governance oversee employment decisions related to the internal
audit function.
Whether there are any constraints or restrictions placed on the internal audit function by
management or those charged with governance.
Whether, and to what extent, management acts on the recommendations of the internal audit
function, and how such action is evidenced.
Technical competence
Page 183
Whether the internal auditors are members of relevant professional bodies.
Whether the internal auditors have adequate technical training and proficiency as internal
auditors.
Whether there are established policies for hiring and training internal auditors.
Communication
Communication between the external auditor and the internal auditors may be most effective
when the internal auditors are free to communicate openly with the external auditors, and:
Meetings are held at appropriate intervals throughout the period;
The external auditor is advised of and has access to relevant internal audit reports and is
informed of any significant matters that come to the attention of the internal auditors when
such matters may affect the work of the external auditor; and
The external auditor informs the internal auditors of any significant matters that may affect
the internal audit function.
Planned Effect of the Work of the Internal Auditors on the Nature, Timing or Extent of the
External Auditor’s Procedures
Where the work of the internal auditors is to be a factor in determining the nature, timing or
extent of the external auditor’s procedures, it may be useful to agree in advance the following
matters with the internal auditors:
The timing of such work;
The extent of audit coverage;
Materiality for the financial statements as a whole (and, if applicable, materiality level or
levels for particular classes of transactions, account balances or disclosures), and
performance materiality;
Proposed methods of item selection;
Documentation of the work performed; and
Review and reporting procedures.
The nature, timing and extent of the audit procedures performed on specific work of the internal
auditors will depend on the external auditor’s assessment of the risk of material misstatement,
Page 184
the evaluation of the internal audit function, and the evaluation of the specific work of the
internal auditors. Such audit procedures may include:
Examination of items already examined by the internal auditors;
Examination of other similar items; and
Observation of procedures performed by the internal auditors.
This ISA, therefore, defines the conditions that are necessary for the external auditor to be able to
use the work of internal auditors. It also defines the necessary work effort to obtain sufficient
appropriate evidence that the work of the internal audit function is adequate for the purposes of
the audit. The requirements are designed to provide a framework for the external auditor’s
judgments regarding the use of the work of the internal audit function to prevent over or undue
use of such work.
Objectives
The objectives of the external auditor, where the entity has an internal audit function and the
external auditor expects to use the work of the function to modify the nature or timing, or reduce
the extent, of audit procedures to be performed directly by the external auditor are:
a) To determine whether the work of the internal audit function can be used, and if so, in which
areas and to what extent; and having made that determination:
b) If using the work of the internal audit function, to determine whether that work is adequate
for purposes of the audit.
Determining Whether, in Which Areas, and to What Extent the Work of the Internal Audit
Function Can Be Used
Page 185
b) The level of competence of the internal audit function; and
c) Whether the internal audit function applies a systematic and disciplined approach, including
quality control.
The external auditor shall not use the work of the internal audit function if the external auditor
determines that:
a) The function’s organizational status and relevant policies and procedures do not adequately
support the objectivity of internal auditors;
b) The function lacks sufficient competence; or
c) The function does not apply a systematic and disciplined approach, including quality control.
As a basis for determining the areas and the extent to which the work of the internal audit
function can be used, the external auditor shall consider the nature and scope of the work that has
been performed, or is planned to be performed, by the internal audit function and its relevance to
the external auditor’s overall audit strategy and audit plan.
The external auditor shall make all significant judgments in the audit engagement and, to prevent
undue use of the work of the internal audit function, shall plan to use less of the work of the
function and perform more of the work directly:
(a) The more judgment is involved in:
i) Planning and performing relevant audit procedures; and
ii) Evaluating the audit evidence gathered;
(b) The higher the assessed risk of material misstatement at the assertion level, with special
consideration given to risks identified as significant;
(c) The less the internal audit function’s organizational status and relevant policies and
procedures adequately support the objectivity of the internal auditors; and
(d) The lower the levels of competence of the internal audit function.
- The external auditor shall also evaluate whether, in aggregate, using the work of the internal
audit function to the extent planned would still result in the external auditor being sufficiently
involved in the audit, given the external auditor’s sole responsibility for the audit opinion
expressed.
- The external auditor shall, in communicating with those charged with governance an
overview of the planned scope and timing of the audit communicate how the external auditor
has planned to use the work of the internal audit function.
- If the external auditor plans to use the work of the internal audit function, the external auditor
shall discuss the planned use of its work with the function as a basis for coordinating their
respective activities.
Page 186
- The external auditor shall read the reports of the internal audit function relating to the work
of the function that the external auditor plans to use to obtain an understanding of the nature
and extent of audit procedures it performed and the related findings.
- The external auditor shall perform sufficient audit procedures on the body of work of the
internal audit function as a whole that the external auditor plans to use to determine its
adequacy for purposes of the audit, including evaluating whether:
a) The work of the function had been properly planned, performed, supervised, reviewed
and documented;
b) Sufficient appropriate evidence had been obtained to enable the function to draw
reasonable conclusions; and
c) Conclusions reached are appropriate in the circumstances and the reports prepared by the
function are consistent with the results of the work performed.
- The nature and extent of the external auditor’s audit procedures shall be responsive to the
external auditor’s evaluation of:
- The external auditor shall also evaluate whether the external auditor’s conclusions
regarding the internal audit function and the determination of the nature and extent of use
of the work of the function for purposes of the audit
Documentation
If the external auditor uses the work of the internal audit function, the external auditor shall
include in the audit documentation:
(a) The evaluation of:
i) Whether the function’s organizational status and relevant policies and procedures
adequately support the objectivity of the internal auditors;
ii) The level of competence of the function; and
iii) Whether the function applies a systematic and disciplined approach, including quality
control;
(b) The nature and extent of the work used and the basis for that decision; and
(c) The audit procedures performed by the external auditor to evaluate the adequacy of the work
used.
Page 187
The objectives and scope of internal audit functions typically include assurance and consulting
activities designed to evaluate and improve the effectiveness of the entity’s governance
processes, risk management and internal control such as the following:
With the current trend in technological changes auditors need to be updated in system use to
make their work easier. This means that the auditor has to device new means of carrying out an
audit in a computerized environment. He also needs to understand how the controls work in such
a system.
KEY TERMS
Transaction Files: Are the equivalent of journals such as the sales journal or the purchases
journal or the cashbook.
Programs are the instructions telling the computer how each type of transaction is to be
processed.
Test data are designed to test the performance of the clients programs.
Exam Context
As the world embraces the emerging technological changes, so does the audit profession.
Page 188
Bearing this in mind, questions bordering on the application of information technology will be
common in the exam. The questions that are likely to appear are the ones that deal with the
impact Information technology has had on audit.
Introduction
In the business environment today and in today’s world, there has been an irreversible push for
companies to automate their systems and their way of doing business so as to be competitive.
The push for companies to embrace the new technological changes has come with new
challenges for the audit environment. Unlike before where most systems were manual and the
procedures carried out by the auditor’s were tailor made for them, most company systems today
are automated. This means that the auditor has to device new means of carrying out an audit in a
computerized environment. He also needs to understand how the controls work in such a system.
In the chapter below, all this is covered so that the student can be able to understand and
appreciate the challenges and the gains in auditing in a computerized environment.
i) Input devices. These include keyboards, optical readers, and bar code scanners.
ii) Processing devices. These are the computers themselves. i.e. CPU
iii) Storages devices include hard disk, diskettes and magnetic tapes.
iv) Output devices. These include the visual display unit (VDU) and printers.
The computer software consists of programs and operating systems.
Programs are the instructions telling the computer how each type of transaction is to
beprocessed. These instructions include routines of checking and controlling data, matching data
with master files and performing mathematical operations on data. E.g. for sales transactions,
matching routines will enable the computer to identify the right sales price from the sales master
Page 189
file and the right customer from debtors master file. Mathematical routines will include
calculating the total debtor’s amount and updating customer’s balance in the debtors’ master file.
Operating system relates to a series of related programs to provide instructions as to what files
are required to be on-line, what output devices are required to be ready and what additional file
need to be created for further processing. E.g. with a batch of sales transactions, the sales price
file and debtor’s file need to be on-line. The printer must be loaded with blank invoice forms and
the totals must be retained for posting to the sales and debtors control accounts in the general
ledger master file.
An operating system will provide details of further processing runs within the system. So, for
example, in sales these will include updating the general ledger, processing cash receipts and
credit notes to the debtor’s file, printing out monthly statements and printing out analysis of due
accounts for credit control purposes.
In a batch processing system, the operating system may consist of a set of instructions provided
to the operator but increasingly the operating system is part of the computer software such
thatwith real time system, the computer identifies source of an incoming signal and
automaticallyprocesses that transaction using the appropriate programs and the right file.
COMPUTER FILES
These are equivalent of books and records in a manual system and are described as either
transaction files or master files.
a) Transaction files.
These are equivalent of journal such as sales journal, the purchases journal or the cash book.
They contain details of individual transactions, but unlike books, a transaction file is not a
cumulative record. A separate file is set up for each batch. Thus in real time systems, a
transaction file is not necessary, but good systems will always create a transaction file for control
purposes to provide a security back up, incase of errors or computer malfunctions during
processing data to master file.
b) Master files.
These contain what is referred as standing data. They may be the equivalent of ledgers but may
also contain semi permanent data needed to process transactions. E.g. a debtor’s master file the
equivalent of debtor’s ledger but will also include data that in a manual system may be kept
separately such as invoicing address, discount terms and credit limits, even non accounting data
as cumulative sales to specific customers.
Page 190
When master files are updated by processing them against a transaction file, the entire contents
of the file are usually re-written in a separate location so that after processing, the two files can
be compared and the difference agreed to the total of the transaction file. Any errors in updating
the master file will thus be detected and the process repeated. In practice, the old copy of the
master file and transaction file will be retained until the master file is updated again. This is the
grandfather-father-son approach. If the current master file is corrupted or lost due to machine or
operator error, previous versions provide back up from which the master file can be re-created.
Master files holding semi permanent data would in the case of debtor’s system include current
sales price list and in the case of personnel department, a personnel file giving details of wage
rates, authorized deductions and cumulative record of amounts paid to date for purpose of
providing tax certificates.
A special class of transactions includes those of amending standing data held in master files such
as sales price or wage rate. These transactions require special consideration because an error in
such data held in a master file will cause errors in all transactions processed against the master
file. E.g. an item priced erroneously in sales price list will mean all sales will be charged to
customers at the wrong price.
Traditional batch processing has the advantage that the data can be subjected to checks for
validity, accuracy and completeness before it is processed. But for organizations that need
information on strict time scale, this type of processing is unacceptable. This has led to the
development of on-line and real time systems and the number is growing particularly in airline
offices, banks and other financial institutions. The auditor’s duties do not change but his audit
techniques must change.
The key features of these systems are that they are based on the use of a remote terminal which is
just a VDU and a keyboard. These terminals will be scattered within the user department and
have access to the central computer store. The problem for the auditor arises from the fact that
master files held in the central computer store may be read and updated by the remote terminals
without an adequate audit trail. Necessary precautions have to be made therefore to ensure that
these terminals are used in a controlled way by authorized personnel only.
- Hardware constraints e.g. necessitating the use of a key of magnetic strip badge or card to
engage a terminal or placing the terminal in allocation to which access is carefully restricted
and which is constantly monitored by closed circuit television surveillance systems.
Page 191
- The allocation of identification numbers to authorized terminal operators. With or without
the use of passwords, these are checked by the main frame computer against stored records of
authorized numbers or passwords.
- Using operator characteristics such as voice, fingerprints and hand geometry (finger length
ratios) as a means of identification by the mainframe computer.
- Restricting the access to particular programs or master files in the mainframe computer to
designated terminals.
- In top security systems, the authority to allocate authorities such as determination of
passwords and nominating selected terminals should be restricted to senior personnel other
than intended users.
- A special file maybe maintained in the central processor which records every occasion on
which access is made by particular terminals and operators to the central programs and files.
This log will be printed out on regular basis or on request by personnel with appropriate
authority.
What differentiate on-line system from real time system is that the on-line system has a buffer
store where input data is held by the central processor before accessing the master files. This
enables input from the remote terminals to be checked by a special scanning program before
processing commences.
With real systems however, action at the terminal causes an immediate response in the central
processor where the terminal is on-line. Security against unauthorized access and input is even
more important in real time systems because the effect of the input is that it instantaneously
updates the file held in the central processor and any edit checks on the input are likely to be
under the control of the terminal operators themselves. In view of these control problems, most
real time systems incorporate additional controls over the scrutiny of the master file.
In planning the audit, the auditor should consider how the presence of computerized information
systems may affect client’s accounting and internal control system and the conduct of the audit.
This is because computerized information systems have unique features compared to manual
systems and require inbuilt adequate controls to ensure that the accounting system can be relied
upon for complete and accurate accounting records. These features include;
Page 192
duties such that persons involved in writing of programs may also be involved in processing
transactions. This increases risk of manipulation of operating programs and data. Programs
ad data are held together increasing the potential for unauthorized access and alteration.
- Computerized information systems are designed to limit paperwork. This result in less visible
evidence to support transactions processed which ultimately leads to loss of the audit trail.
- Ease of access of data and computer programs. Where there are no proper controls over
access to computers at remote terminals, there is increased danger of unauthorized access and
alteration of data and programs.
- Use of programmed controls. In a computerized environment, controls are programmed
together with data processing instructions e.g. protection of data against unauthorized access
may be by way of using passwords and user profiles that grant different levels of access to
the system. Use of programmed controls implies that the auditor must adopt an audit
approach to test effectiveness of those controls.
- System generated transactions. Many systems are capable of generating transactions
automatically without manual intervention e.g. calculation of interest from customer’s
accounts may be done and charged to income automatically. If the system set up is interfered
with, this could affect the accuracy and integrity of transactions generated.
- Data and programs are stored in portable magnetic disks and tapes which are vulnerable to
theft and intentional or accidental alteration.
SYSTEMS AUDIT APPROACH
Page 193
1. General controls.
These relate to the environment within which the computer based systems are developed,
maintained and operated aimed at providing reasonable assurance that the overall objectives of
internal controls are achieved e.g. completeness, accuracy and validity of financial information
The objective of the general controls is to ensure the proper development and implementation of
applications and the integrity of program files and information. These controls could either be
manual or programmed and are classified into;
The organization should set up a steering committee composed of senior management and high
level representatives of system users who should the development and implementation of the
new system.
Management should approve specifications of the new system after the steering committee has
assessed the user needs. Before the new system is commissioned for use, appropriate testing
should be carried out to ensure that both the hardware and the application programs are operating
effectively. The testing will provide assurance that the new system is reliable.
Page 194
The information technology manager, user department and the appropriate management level
should give appropriate approval of new system before being placed under operation and after
reviewing completeness of system documentation and results of its testing.
General IT controls that relate to some or all applications are usually interdependent controls, i.e.
their
operation is often essential to the effectiveness of application controls. As application controls
may be
useless when general controls are ineffective, it will be more efficient to review the design of
general IT controls first, before reviewing the application controls.
Program changes refer to modifications made to existing programs. Changes in the computer
system should be subject to strict controls e.g. a written request for an application program
changes should be met by user department and authorized by designated manager or committee.
Once changes have been made, appropriate testing should be carried out to ensure that the
modified system is reliable.
The system documentation should then be amended to reflect the changes and appropriate
approval obtained for the modified system to start running.
Page 195
- Back-up copies of programs being taken and stored in other locations
Control copies of programs being preserved and regularly compared with actual programs
- Stricter controls over certain programs (utility programs) by use of read-only memory
System documentation
This involves putting together information that supports and explains computer applications. The
documentation provides details of capability of the system and how it is operated.
System documentation is important in conducting user training and also enables the management
to effectively review the system by considering whether appropriate controls have been put in
place during system development.
Parallel running
Before switching to the new system, the whole system should be tested by running it alongside
the old system for a specified period. This is important because it provides user with the
opportunity to familiarize themselves with the new system before it is fully implemented and
ensures that the new system is reliable and data is correctly carried forward from the old to the
new system.
b) Access controls.
The success of computerized information systems is largely dependent on the accuracy, validity
and credibility of the data processed by the system. Access controls to computer hardware,
software and data files is therefore vital.
Access controls provide assurance that only authorized individuals use the system and that the
usage is for authorized purposes only.
Access may be restricted to specified persons, files, functions or computer devices. This can be
achieved using both physical and programmed controls. Examples of access controls include;
- Physical restriction of access to computer facilities to specified persons only e.g. file servers
should be maintained in a secure location where access is granted to only specified persons.
- Controls over computers stored in the user department could be improved by making sure
that vital data on programs are not left running when the computer is left unattended.
- Passwords should be used by all staff when accessing computer facilities.
- Passwords should be changed regularly and access to password data held in a computer
system should be subject to stringent controls. This will ensure that some users do not gain
access to other people’s passwords.
Page 196
- In granting user rights within the system, there should be appropriate segregation of duties to
ensure that rights granted are not excessive. e.g. a user should not have right to post data and
also make amendments on the same data.
- When designing the user rights, sensitive data and programs should only be accessible to few
individuals. In other cases, some files should be designed as ‘read only’ to avoid
unauthorized amendments.
- Programs and data that do not need to be online should be stored in secure locations.
- A system’s access log to record all attempts to log in the system should be maintained.
This would record name of user, data accessed or entered, time of log in and mode of access.
- When transmitting data over communication lines, it should be encrypted to make it difficult
for persons with access to communication lines from being able to modify the contents.
- There should be automatic log off i.e. the disconnection of active data terminal to prevent
viewing of sensitive data on unattended terminals.
Controls to ensure continuity of operation
- Storing extra copies of programs and data files off-site
- Protection of equipment against fire and other hazards
- Back-up power sources
- Disaster recovery procedures e.g. availability of back-up computer facilities.
- Maintenance agreements and insurance
The auditors will wish to test some or all of the above general IT controls, having considered
how they affect the computer applications significant to the audit.
The recovery plan should create back up or duplicate copies of important data files and programs
which should be stored off site.
The recovery plan should also be tested on regular basis to ensure that it indeed works. Other
issues that should be addressed include:
- Undertaking protection measures against natural disasters such as setting up computer rooms
in areas protected from floods and fitted with smoke or fire detectors.
- There should be standby equipment to revert to incase of computer breakdown.
There should be adequate virus detection. Procedures for dealing with virus infection are.
Page 197
- Establishing a formal security policy which requires only clean and certified copies of
software are installed and checking data introduced from external sources for viruses.
- The company can also install antivirus software.
- Clean back up should be maintained and there should be adequate segregation of duties such
that people with powers and knowledge in making amendments to the application programs
should not have the responsibility for initiation and processing transactions and even making
amendments to existing data.
Controls to prevent wrong programs or files being used
- Operation controls over programs
- Libraries of programs
- Proper job scheduling
Application control
The purpose of application controls is to establish specific control procedures over the
accounting
applications in order to provide reasonable assurance that all transactions are authorised and
recorded,
and are processed completely, accurately and on a timely basis. Application controls include the
following.
Application controls are therefore important in providing assurance that all transaction are
recorded on timely basis and that only valid transactions are captured by the system. Application
controls are divided into;
1. Input controls.
2. Processing controls.
3. Output controls
4. Controls over master files and standby data
However, some of the controls management implement would cut across the four categories
mentioned above. E.g. some edit checks could provide comfort over the completeness and
accuracy of the input data by the way the data is processed and output information obtained and
also provide protection over standby data.
Input controls.
Page 198
Most errors in data processed by computerized information systems can be traced to errors made
when the data was being input into the system. Controls over input fulfill the following
objectives.
- Completeness of input. This ensures that all transactions that took place have been processed.
- Accuracy. This ensures that the recorded transactions have been captured accurately.
- Validity. This ensures that only valid or genuine transactions appropriately authorized have
been
- Recorded. It also ensures credibility and reliability of recorded transactions.
Control over input: completeness
- Manual or programmed agreement of control totals
- Document counts
- One-to-one checking of processed output to source documents
- Programmed matching of input to an expected input control file
- Procedures over resubmission of rejected controls
Programmes to check data fields (for example value, reference number, date) on input
transactions for plausibility:
Authorised
Input by authorised personnel
Page 199
- Similar controls to input must be in place when input is completed example, batch
reconciliations.
- Screen warnings can prevent people logging out before processing; complete
- Controls over master files and standing data
To achieve the above objectives the most common types of input controls that management can
implement are called edit controls and examples include:
Field checks - These controls check that all data fields required to process the transactions have
been filled with correct information. The controls also ensure accuracy of processed data and its
completeness because transactions cannot be properly processed if necessary data is missing.
Valid character checks-These check that data fields are filled with data of the correct type. E.g.
that amounts column is filled with numerical variables. This also ensures correctness of input
data.
Reasonableness or limit checks - These verify that data falls within predetermined reasonable
limits. E.g. if the authorized discount is 10%, the system would seek to verify that no customer is
awarded discounts beyond this limit without approved authorization. These controls ensure
accuracy and validity of the input data.
Master file checks - These verify that the codes used in processing transactions match with
those from master files. E.g. that customer identification code keyed in matches with what is on
sales master file.
These controls ensure that data is processed against correct master file.
Document count - This agrees number of input records if what is expected as per batch control.
Sign checks-These ensure that data has been keyed in with correct arithmetic sign. E.g. a
positive sign for debit entry and a negative sign for credit entry. The objective is to check
validity and accuracy of the processed data.
Zero balance checks - These verify that for every transaction process, debit entries equal
creditentries and any mismatches found are reported through an exception report. This control
ensuresaccuracy of input data.
Generation of exception reports to capture transactions that have been rejected for failing various
control checks.
Page 200
Measures to ensure that the reasons behind rejected transactions are investigated and corrective
action taken.
There may be need for manual controls to for instance, a check to reveal that all purchase orders
have been appropriately authorized before a transaction is submitted for processing.
Processing controls
These controls seek to ensure that transactions are processed by the right programs and against
the correct master files. They also seek to ensure that data is not lost, duplicated or altered during
processing and that errors are identified ad corrected.
Some of the controls in input could help in meeting the above objectives of processing controls.
Physical file identification procedures -This is in form of labels which are physically attached
to files or diskettes to ensure right files are used during processing of transactions.
Sequence tests over pre-numbered documents-This ensures that all transactions are being
processed. Comparing the contents in files before and after processing a transaction to ensure
that the expected processing results have been achieved.
Zero balance checks that add up debits and credits of the transactions posted to ensure that the
result is zero as an indication that double entry has been completed.
An audit trail should be created through use of input and output control logs and maintenance of
transaction listing. This trail will facilitate an attempt to trace a transaction as a way of verifying
that it has been correctly processed.
Output controls.
Page 201
- Noting distribution of all output information to verify that this information is accessible
toand is distributed to the list of authorized users only.
- Error listing or exception reports should be generated on a daily basis and reviewed byan
independent person to ensure that the transactions summarized in these reports
areinvestigated and where appropriate resubmitted for processing.
If, in addition to manual controls exercised by the user, the controls to be tested use information
produced by the computer or are contained within computer programs, such controls may be
tested by examining the system's output using either manual procedures or computers. Such
output may be in the form of magnetic media, microfilm or printouts. Alternatively, the auditor
may test the control by performing it with the use of computers.
Others include
- Similar controls to input must be in place when input is completed, for example, batch
reconciliations.
- Screen warnings can prevent people logging out before processing is complete
- Cyclical reviews of all master files and standing data
- Record counts (number of documents processed) and hash totals (for example, the total of all
the payroll numbers) used when master files are used to ensure no deletions
- Controls over the deletion of accounts that have no current balance
- Controls over input, processing, data files and output may be carried out by IT personnel,
users of the system, a separate control group and may be programmed into application
software. The auditors may wish to test the following application controls.
Cyclical reviews of all master files and standing data
Standing data refers to the data that is required during processing of the transactions but which
does not vary or change with every transaction. E.g. customer details such as name and address
do not change with every transaction although they are required in processing every transaction
with the customer.
Controls over master files and standing data are aimed at ensuring completeness, accuracy and
credibility of the information maintained. These controls include;
- Restrictive access to standing data and ensuring that only few individuals have the user rights
within the system to make adjustments to the standing data.
- Before any changes are made to the standing data, appropriate authorization should be
obtained. E.g. before any changes are made on selling prices in the master file, appropriate
authorization should be obtained from the responsible officials.
Page 202
- Once amendments have been made on standing data, a print out should be obtained from the
system such that an independent person can verify that the correct amendments have been
made.
- Where necessary, the organization should print out all the standing data and an independent
check be carried out to verify that this data is accurate and complete.
- An exception report should be generated on a regular basis providing details of any
unauthorized amendments made on standing data.
- One-to-one checking
- Record counts (number of documents processed) and hash totals (for example, the total of all
the payroll numbers) used when mast; files are used to ensure no deletions
- Controls over the deletion of accounts that have no current balance
- Controls over input, processing, data files and output may be carried out by IT personnel
users of the system, a separate control group and may be programmed into application
software. The auditors may wish to test the following application controls.
Testing the internal controls in a computerized environment
The auditor tests the internal controls when he wishes to place reliance on the controls to
determine whether the accounting records are reliable.
A computerized information system may differ from a manual system by having both manual
and programmed controls. The manual controls are tested in exactly the same way as in a manual
system. The programmed controlled in the following ways:
- By examination of exception reports and rejection reports. But there is no assurance that the
items on the exception reports were the only exceptions or that they actually met the
parameters set by the management. The auditor must seek for ways to test the performance of
the programs by auditing.
- Use of CAATs (computer assisted audit techniques). Test data is mainly applied intesting
computerized information systems.
Programmed control procedures
In the case of certain computer systems, the auditor may find that it is not possible or, in some
cases, not practical to test controls by examining only user controls or the system's output. The
auditor may
consider performing tests of control by using computers, reprocessing transaction data or, in
unusual situations, examining the coding of the application program.
As we have already noted, general IT controls may have a pervasive effect on the processing of
transactions in application systems. If these general controls are not effective, there may be a risk
that
Page 203
misstatements occur and go undetected in the application systems. Although weaknesses in
general IT
controls may preclude testing certain IT application controls, it is possible that manual
procedures
exercised by users may provide effective control at the application levelfocus
The examiner expects you to be comfortable with a computerised scenario so it's important that
you
understand the use of IT controls within an organisation.
Summary
The auditors must understand the accounting system and control environment in order to
determine their audit approach.
The auditors shall assess the adequacy of the systems as a basis for the financial statements
and shall identify risks of material misstatements to provide a basis for designing and
performing further audit procedures.
The auditors must keep a record of the client's systems which must be updated each year.
This can be done through the use of narrative notes, flowcharts, questionnaires or checklists.
If the auditors believe the system of controls is strong, they may choose to test controls to
assess whether they can rely on the controls having operated effectively.
There are special considerations for auditors when a system is computerised. IT controls
comprise
general and application controls.
Page 204
- Reconciliations. These will include reconciliations for computer listings with
creditor’sstatements, bank statements, actual stock and personnel records.
- Comparison with other evidence such as results of debtor’s circularization, attendanceat
stock take and physical inspection of fixed asset.
- If manual controls exercised by the user of the application system are capable of providing
reasonable assurance that the system's output is complete, accurate and authorised, the
auditors may decide to limit tests of control to these manual controls.
Uses of computer audit programs.
Computer audit programs sometimes generalized audit software. These programs are also
calledinquiry or interrogation programs. Computer audit programs are computer programs used
by the auditor to;
- Read magnetic files and to extract specified information from the files.
- To carry out audit work on the contents of the files.
- In the selection of representative or randomly chosen transactions or items for audittests.
- The scrutiny of files and selection of exceptional items for testing
- Comparison of two files and printing out the difference e.g. payrolls at two selecteddates.
- Preparing exception reports e.g. overdue debts.
- Stratification of data such as stock items or debtors with a view to examine only thematerial
items.
- Carrying out detailed tests and calculations
- Verifying data such as stock or fixed assets at the interim stage and then comparingthe
examined file with the end file so that only changed items need to be examined atthe final
audit.
The Control file
When auditing computerized information systems, it will be found that much reliance is placed
within the system upon standard forms and documentation in general, as well as upon strict
adherence to procedures laid down. This is no surprise, of course, since the ultimate constraining
factor in the system is the computers own capability and all users are competitors for its time. It
is therefore important that an audit control file be built as part of working papers and the auditor
must that he is on the distribution list for notifications of all new procedures, documents and
system changes in general.
- Copies of all the forms which source documents might take and details of the checksthat
have been carried out to ensure their accuracy.
- Details of physical controls over source documents as well as of the nature of anycontrol
totals of numbers, quantities or values including the names of persons keepingthese controls.
Page 205
- Full description of how the source documents are to be converted into input media andthe
checking of control procedures.
- A detailed account of the clerical, procedural and systems development controlscontained in
the system. e.g. separation of programs from operators and separation ofcontrols over assets
from records relating to the assets.
- The arrangements for retaining source documents and input media for suitable periods.
- This is of great importance as they may be required for reconstructing stored files inevent of
error or mishap.
- A detailed flow diagram of what takes place during each routine processing run.
- Details of all tapes and discs in use including their layout, labeling, storage and
retentionarrangements.
- Copies of all the forms which output documents might take and details of their sortingand
checking.
- The auditor’s comments on the effectiveness of the controls.
Internal controls over computer processing include both manual procedures and procedures built
into the computer programs.
- The use of computers does not affect the auditor’s primary responsibility of reporting onthe
accounts but the way in which the auditor carries out his substantive and
complianceprocedures to arrive, at his opinion will be considerably different.
- The objectives of application controls which may be manual or programmed are toensure the
completeness and accuracy of the accounting records and the validity of theentries made
therein resulting from both manual and programmed processing.
- There are basically two techniques available to the auditor for auditing through thecomputer.
These are a use of test data and the use of computer audit programs.
- Substantive testing of computer records is possible and necessary. The extent dependson the
degree of reliance the auditor has placed on the internal controls
When auditing Electronic data processing systems, it will be found that much reliance is placed
within the system upon standard forms and documentation in general, as well as upon strict
adherence to procedures laid down. This is no surprise, of course, since the ultimate constraining
factor in the system is the computer’s own capability, and all users are competitors for its time. It
is therefore important that an audit control file be built up as part of the working papers, and the
auditor should ensure that he is on the distribution list for notifications of all new procedures,
documents and systems changes in general. The following should be included in the audit control
file.
(a) Copies of all the forms which source documents might take, and details of the checks that
have been carried out to ensure their accuracy.
Page 206
(b) Details of physical control over source documents, as well as of the nature of any control
totals of numbers, quantities or values, including the names of the persons keeping these
controls.
(c) Full description of how the source documents are to be converted into input media, and the
checking and control procedures.
(d) A detailed account of the clerical, procedural and systems development controls contained in
the system (e.g. separation of programmers from operators; separation of control of assets
from records relating thereto).
(e) The arrangements for retaining source documents and input media for suitable periods.
(f) This is of great importance, as they may be required for reconstructing stored files in the
event of error or mishap.
(g) A detailed flow diagram of what takes place during each routine processing run.
(h) Details of all tapes and discs in use, including their layout, labelling, storage andretention
arrangements.
(i) Copies of all the forms which output documents might take, and details of their subsequent
sorting and checking.
(j) The auditor’s own comments on the effectiveness of the controls
This means examining evidence for all items in the financial statements without getting
immersed in the details of the computerized information system. The benefits of this approach
Page 207
are that it saves time and its justification is that computers are 100% accurate in processing
transactions and therefore material processing errors simply do not occur.
The draw back of this approach is that once an application is programmed to process an item
incorrectly, then it processes exactly as programmed indefinitely. However, major frauds and
error or system failures should be picked up in the assets and liabilities verification e.g. if
processing of sales is incorrect, verification of debtors can uncover the error. Also an analysis of
gross profit margins will help discover any errors in sales. This approach is suitable for small
businesses but largely unsuitable for large scale entities.
When it is possible to relate on a one to one basis, the original input to the final output or to put it
another way, where the audit trail is always preserved than the presence of the computer has
minimal effect on the auditor’s work, and in that case it is possible to ignore what goes on in the
computer and concentrate audit tests on the completeness, accuracy, validity on the input and the
output, without paying any due concern to how that output has been processed. Where there is
super abundance of documentation and the output is as detailed and complete as in any manual
system and where the trail from beginning to end is complete so that all documents can be
identified and vouched and totally cross referenced, then the execution of normal audit tests on
records which are computer produced but which are nevertheless as complete as above then this
type of auditing is called auditing around the machine. In this case, the machine is viewed as
simply an instrument through which conventional records are produced. This approach is much
criticised because:
i) Doing so accurately;
Page 208
ii) Printing all the exception which exists;
iii) Are authorised programs as opposed to dummy programs specially created for a fraudulent
purpose or out of date programs accidentally taken from the library and;
iv) That they contain programs control parameters which do in fact meet the company’s genuine
internal control requirements.
So although it may be reasonable for management to have faith in their systems and programs,
such faith on the part of the auditor would be completely misplaced and may reflect very
adversely on his duty of care. This is the first situation on the loss of audit trail.
The other situation where loss of audit trail is noted where the computer generates, totals,
analyses and balances without printing out details. It therefore becomes necessary for the auditor
to find a way to audit through the computer rather than around it. But before we go on to that, the
loss of audit train can be overcome as follows:
a) We can have special print outs for auditors, remember the need to be consulted at the design
stage.
b) Inclusive audit facility: This means putting in the programs special audit instructions that
enable the computer to carry out some audit tests and produce print outs specially for the
auditor.
c) Clerical recreation: Given unlimited time and man power, maintain the possibility to recreate
manually the audit trail. This would obviously be a very tedious exercise.
d) Total testing and comparison: It is possible to compare results with other data, budgets,
previous periods and industry averages.
e) Alternative tests: We can perform stock takes, debtors’ circularisation and examination of the
condition of fixed assets.
f) We can use test packs to verify program performance.
AUDITING THROUGH THE COMPUTER
There are two basic techniques available to the auditor for auditing through the computer. These
are use of test data and use of computer audit programs which are also called CAATs (computer
assisted audit techniques).
i) Test data
These are designed to test the performance of client’s programs. What it involves is for the
auditor either using dummy data or live data for processing to manually work out the expected
result using the logic of the program. This is then run on the computer using the program and the
results are compared. A satisfactory outcome gives the auditor a degree of assurance that if that
program is used continuously throughout the year, then it will perform as required. This
technique of test data falls under compliance testing.
Page 209
(a) Live testing has the following disadvantages:
i) If the data is included with normal data, separate test data totals cannot be obtained. This can
sometimes be resolved by the use of dummy branches or separate codes to report the
program’s effects on the test data.
ii) Side effects can occur. It has been known for an auditor’s dummy product to be included in a
catalogue.
iii) Client’s files and totals are corrupted although this is unlikely to be material.
iv) If the auditor is testing procedures such as debt follow up, then the testing has to be over a
fairly long period of time. This can be difficult to organise.
(b) Dead testing has the following disadvantages:
i) Difficulties will be encountered in simulating a whole system or even a part of it.
ii) A more detailed knowledge of the system is required than with the use of live files.
iii) There is often uncertainty as to whether operational programs are really being used for the
test.
iv) The time span problem is still difficult but more capable of resolution than with live testing.
Computer audit programsThese consist of computer programs used by an auditor to read
magnetic files and to extract specified information from the files. They are also used to carry out
audit work in the contents of the file. These programs are sometimes called enquiry or
interrogation programs. They can be written by an audit firm themselves or they can be found
from software houses. They have the advantage that unskilled staff can easily be taught to use
them.
Advantages
1. Examination of data is more rapid;
2. Examination of data is more accurate
3. The only practical method of examining large amounts of data;
4. Gives the auditor practical acquaintance with live files;
Page 210
5. Provides new opportunities to the auditor;
6. Overcomes in some cases a loss of audit trail;
7. Relatively cheap to use once set up costs have been incurred
Disadvantages
1. Can be expensive to set up or acquire.
2. Some technical knowledge is required.
3. A variety of programming languages is used in business. Standard computer audit programs
may not be compatible.
4. Detailed knowledge of systems and programs is required. Some auditors would dispute the
need for this detailed knowledge to be gained.
5. Difficulty in obtaining computer time especially for testing.
There can be no doubt that standard computer audit program packages will be in general use in
the near future. Use of audit software raises the visibility of the auditor in the eyes of the
company. It makes the audit more credible. Deficiencies in the system are often discovered and
can be reported to management. This also makes the audit more credible. Packages are not
however usually available for small machines.
Applications of auditing procedures using the computer as an audit tool (also known as CAATs).
In the most general terms, CAATTs can refer to any computer program utilized to improve the
audit process. Generally, however, it is used to refer to any data extraction and analysis software.
This would include programs such as spreadsheets (e.g. Excel), databases (e.g. Access),
statistical analysis (e.g. SAS), business intelligence (e.g. Crystal Reports and Business Objects),
etc.
There are, however, companies that have developed dedicated specialized data analytic software
specifically for auditors.
Computer-assisted audit techniques (CAATs) are the applications of auditing procedures using
the computer as an audit tool.
CAATs are the use of computers for audit work. The two most commonly used CAATs are audit
software and test data.
Page 211
The overall objectives and scope of an audit do not change when an audit is conducted in a
computerisedenvironment. However, the application of auditing procedures may require auditors
to consider techniques that use the computer as an audit tool. These uses of the computer for
audit work are known as computer-assisted audit techniques (CAATs).
Circumstances when the use of CAATS when performing audit procedures would be
necessary
i) When the company has recently installed a new computer system
ii) when software has been changed in the past year
iii) When standard software allows the company to change the programs or add procedures
iv) When there is a significant loss of audit trail in the computer system
v) When the auditor has identified weaknesses in the company accounting software
CAATs may be used in performing various auditing procedures, including the following.
- Tests of details of transactions and balances
- Analytical review procedures
- Tests of computer information system controls
The major steps to be undertaken by the auditors in the application of a CAAT are as follows.
- Set the objective of the CAAT application
- Determine the content and accessibility of the entity's files
Define the transaction types to be tested
- Define the procedures to be performed on the data
Define the output requirements
- Identify the audit and computer personnel who may participate in the design and application
of the CAAT
- Refine the estimates of costs and benefits
- Ensure that the use of the CAAT is properly controlled and documented
Page 212
- Arrange the administrative activities, including the necessary skills and computer facilities
- Execute the CAAT application
- Evaluate the results
There are two particularly common types of CAAT, audit software and test data.
Use of computers on audits is common practice. The examiner expects you to consider the
computer
aspects of auditing as a matter of course. Therefore in answering questions on obtaining
evidence,
remember to include reference to CAATs if they seem relevant.
AUDIT SOFTWARE
Audit software consists of computer programs used by the auditors, as part of their auditing
procedures, to process data of audit significance from the entity's accounting system. It may
consist of generalised audit software or custom audit software, Audit software is used for
substantive procedures.
Generalised audit software allows auditors to perform tests on computer files and databases, such
as reading and extracting data from a client's systems for further testing; selecting data that meets
certain
criteria, performing arithmetic calculations on data, facilitating audit sampling and producing
documents and reports.
Custom Audit software is written by auditors for specific tasks when generalised audit software
cannot be used
The following provides some examples of the use of audit software in the course of an audit.
Page 213
- Prepare documents and reports e.g. produce receivables' confirmation letters and monthly
statements
TEST DATA
Test data techniques are used in conducting audit procedures by entering data (eg a sample of
transactions) into an entity's computer system, and comparing the results obtained with pre-
determined results. Test data is used for tests of controls.
Examples include:
(a) Test data used to test specific controls in computer programs such as on-line password and
data
access controls.
(b) Test transactions selected from previously processed transactions or created by the auditors
to test
specific processing characteristics of an entity's computer system. Such transactions are
generally processed separately from the entity's normal processing, Test data can for example
be
used to check the controls that prevent the processing of invalid data by entering data with
say a
non-existent customer code or worth an unreasonable amount, or a transaction which may if
processed break customer credit limits.
(c) Test transactions used in an integrated test facility. This is where a 'dummy' unit (e.g. a
department
or employee) is established, and to which test transactions are posted during the normal
processing cycle.
A significant problem with test data is that any resulting corruption of data files has to be
corrected. This is difficult with modern real-time systems, which often have built-in (and highly
desirable) controls to ensure that data entered cannot be easily removed without leaving a mark.
Other problems with test data are that it only tests the operation of the system at a single point of
time,
and auditors are only testing controls in the programs being run and controls which they know
about. The problems involved mean that test data is being used less as a CAAT.
Page 214
Auditors of public sector entities often have additional responsibilities with regard to internal
control and compliance with applicable laws and regulations. Inquiries of appropriate individuals
in the internal audit function can assist the auditors in identifying the risk of material
noncompliance with applicable laws and regulations and the risk of deficiencies in internal
control over financial reporting.
Analytical Procedures
- Analytical procedures performed as risk assessment procedures may identify aspects of the
entity of which the auditor was unaware and may assist in assessing the risks of material
misstatement in order to provide a basis for designing and implementing responses to the
assessed risks. Analytical procedures performed as risk assessment procedures may include
both financial and non-financial information, for example, the relationship between sales and
square footage of selling space or volume of goods sold.
- Analytical procedures may help identify the existence of unusual transactions or events, and
amounts, ratios, and trends that might indicate matters that have audit implications. Unusual
or unexpected relationships that are identified may assist the auditor in identifying risks of
material misstatement, especially risks of material misstatement due to fraud.
- However, when such analytical procedures use data aggregated at a high level (which may be
the situation with analytical procedures performed as risk assessment procedures), the results
of those analytical procedures only provide a broad initial indication about whether a
material misstatement may exist. Accordingly, in such cases, consideration of other
information that has been gathered when identifying the risks of material misstatement
together with the results of such analytical procedures may assist the auditor in understanding
and evaluating the results of the analytical procedures.
Page 215
TOPIC 7
FORENSIC ACCOUNTING
FORENSIC ACCOUNTING
Forensic accounting is defined as "the application of investigative and analytical skills for the
purpose of resolving financial issues in a manner that meets standards required by courts of law.
Forensic accountants apply special skills in accounting, auditing, finance, quantitative methods,
certain areas of the law, research and investigative skills to collect, analyze and evaluate
evidential matter and to interpret and communicate findings."[4]
Forensic accounting is the term used to describe the type of engagement. It is the whole process
of carrying out a forensic investigation, including preparing an expert’s report or witness
statement, and potentially acting as an expert witness in legal proceedings.
Forensic investigation is a part of a forensic accounting engagement. Forensic investigation is the
process of gathering evidence so that the expert’s report or witness statement can be prepared. It
includes forensic auditing, but incorporates a much broader range of investigative techniques,
such as interviewing witnesses and suspects, imaging or recovering computer files including
emails, physical searches of premises etc.
Forensic auditing is the application of traditional auditing procedures and techniques in order to
gather evidence as part of the forensic investigation.
APPLICATION
The major applications of forensic accounting include fraud investigations, negligence cases and
insurance claims.
An insurance claim would require determination of how much the client should claim from the
insurer.
STEP 1
Page 216
The first step would be a detailed review of the insurance policy to determine ‘coverage’, ie what
is insured and any clauses that might restrict the amount that can be claimed or invalidate the
claim.
STEP 1
The second step would be to gather evidence to quantify the loss, ie the amount to be claimed.
Insurance claims might include claims following misappropriation of assets, ie theft of goods or
money. In such cases, the forensic accountant will review inventory or cash records and details
of sales and purchases to reconcile the amounts held and determine the value of the goods or
cash stolen. They will also test the reliability of the information held by counting a sample of
inventory or cash currently held in comparison with the client’s records. The forensic accountant
will not assume that there has been a theft; they will consider other possibilities such as an error
in the data held.
Insurance claims may however, be much more complicated than this, such as in the case of
business interruptions arising as a result of fire or flood. In these types of engagements the
forensic accountant will review prospective financial information in comparison with reported
outturn to evaluate the loss of profit arising as a result of the business interruption. The forensic
accountant will not assume that there has been any loss of profit due to the business interruption;
they will consider other possibilities such as a straightforward loss of market share to a
competitor.
FORENSIC ENGAGEMENTS
Forensic engagements often require the forensic accountant to quantify a loss. One such
engagement is in professional negligence claims, ie when another accountant has breached their
duty of care to a client or third party resulting in a loss for that client. In these types of
engagement, the forensic accountant would also provide an opinion on whether the duty of care
owed has been breached, ie whether the audit or other accountancy service was performed in
accordance with current standards in practice, legislation and techniques. In relation to an audit,
this would require consideration of whether the International Standards on Auditing were
followed.
Financial forensic engagements may fall into several categories. For example:
Page 217
Computer forensics/e-discovery.
Page 218
Forensic accounting engagements are agreed-upon procedures engagements, not assurance
engagements. The forensic accountant will not provide an assurance opinion – that is the role of
the auditor when reviewing the amount of loss included in the financial statements.
This will normally involve determining an appropriate value or quantifying a loss as discussed
above; this is quite distinct from an assurance engagement in which the engagement team would
review an amount determined by the client.
As an agreed-upon procedures engagement, the forensic accountant will normally prepare a
report for the client that sets out their findings, based on the scope agreed in the engagement
letter. This report may be addressed to management, often in the case of a fraud, or to the insurer.
It may be that a witness statement/report for submission to the court/arbitrator is required in
addition to or instead of a report to the client.
However, planning the investigation is likely to be similar to planning an audit or any other
assurance engagement.
Planning will commence with a meeting with the client in which the engagement team will
develop an understanding of the issue/events (the fraud, theft etc) and actions taken by the client
since it occurred.
A key part of planning is to confirm exactly what format the output is required in, and exactly
what matters are required to be covered within it.
At this stage any key documentation will be obtained and scrutinised – for example, the
insurance policy, the partnership agreement, the evidence that led to the discovery of the fraud,
etc.
The team will agree with the client, what access to other information or personnel will be
required and this will be arranged.
Based on the above, the team will design procedures that enable them to meet the requirements
of the client, as agreed. This may or may not include test of controls, depending on the
circumstances. There would be no need to tests control when valuing a business for a
matrimonial dispute. However, testing controls will be key to determining how a fraud took
place.
Page 219
Forensic engagements will include a detailed and wholesale review of all documentation and
electronic evidence available. The opinion given by the expert accountant must be reasoned, and
backed up by evidence. Their opinion cannot be objective if only based on what they are told;
they must corroborate that information.
To be awarded marks in the exam, your procedures cannot be vague. They must be specific
enough that the engagement team could actually follow your instructions.
For example, it would not be sufficient to write 'interview the suspect'. You must suggest
questions that should be asked of the suspect in interview, depending on the circumstances in the
scenario. For example, the suspect could be asked to explain their job role and what access that
gives them to systems, cash, inventory etc.
This also applies when recommending enquires of or discussions with management – it must be
clear in your answer what it is the engagement team should ask of them, eg have they informed
the police, has the suspect been suspended, have they informed the insurer etc.
Equally it is not sufficient to suggest the use of computer assisted auditing techniques (CAATs).
You must specify how the CAATs could be used. For example, data matching bank accounts
used for paying suppliers with bank accounts for paying employees, exception reports
identifying employees who are not taking holiday, etc.
In order to design appropriate procedures you must identify the type of forensic accounting
engagement, and the specific type of fraud, insurance or negligence claim. For example,
quantifying the theft of goods will be very different from quantifying a loss from payroll or
‘ghost employee’ fraud or loss of profits following a business interruption (as discussed above).
The potential forensic accounting expert witness should keep the following in mind the
following requirements:
Page 220
In many trials, including those involving fraud, there may be forensic accounting expert
witnesses brought by both sides of the case. Representing the actual “innocent” party in the case
is not a guarantee that the expert witness for the opposition cannot hurt your case. The next part
of this series will delve further into the skills and background a forensic accounting expert
witness may bring to the table.
The various forms of evidence that can be used during a criminal trial are
Documentary evidence
In order for a document to be admissible during criminal proceedings, the following conditions
must be met
Real evidence
Real evidence is an object which, upon proper identification, becomes, of itself, evidence.
If the evidence is properly identified and relevant and if there is no other rule of evidence that
excludes it as evidence, it will be included as an exhibit that will be duly labelled and numbered
and available for the court to inspect.
Electronic Evidence
It is stated that a data message that was made by a person during the ordinary course of their
business, or a certified copy thereof, is admissible as evidence
Difference between the audit report and a forensic accounting expert report
A forensic accounting report differs considerably from an audit report. The audit report contains
audit opinions that are issued under International Financial Reporting Standards (IFRS), while
the forensic accounting report is not constrained by the required language of a governing
Page 221
standard and forensic reports differ from one investigation to another, and one firm to another,
depending on the client‘s needs.
The following table illustrates the difference between auditing and a forensic accounting
investigation
AUDIT FORENSIC
ACCOUNTING
INVESTIGATION
Page 222
FUNDAMENTAL ETHICAL PRINCIPLES
The range of ethical and professional issues will be similar to any other type of engagement.
However, the importance of ethics is arguably much greater in relation to forensic
accountancy. Often both ‘sides’ will bring an expert witness to the hearing where they do not
agree. The decision maker must decide which evidence they ‘prefer’ – the credibility of the
witness is often the primary factor on which they can base that decision and the credibility of an
accountant is reliant on their compliance with the fundamental ethical principles.
In the exam, you will also need to note whether the client requesting the forensic accounting
service is an audit client, if so, this will present an additional and particularly important threat to
objectivity; a self-review threat. The investigation is likely to involve the quantification of an
amount, which will then be reviewed as part of the financial statements audit. The significance
of the threat will be affected by the materiality of the amount and the subjectivity involved in
quantifying it, eg if for loss of profits following business interruption this will be more subjective
than quantification of the value of stolen inventory.
Remember that the decision to prosecute is a matter for the client. Often, clients do not want to
prosecute for fear of damaging their reputation. The forensic accountant can provide the client
with an analysis of all of the facts, but must not make the decision to prosecute (a management
threat to objectivity). The forensic accountant has a duty of confidentiality, unless it is in the
public interest to do so, they must not disclose the fraud to any third party including the police,
without client permission.
Page 223
TOPIC 8
AUDIT CLEARANCE AND REPORTING
PURPOSES OF THE AUDITOR’S REPORT
The requirements of Companies Act regarding auditors report
The Companies Act cap 486 requires that the auditor of a limited liability company to report to the
members whether the financial statements laid before the AGM show true and fair view of the state of
affairs of the company and comply with the requirements of the companies act. The audit report is
therefore the means by which the auditor reports his opinions as to whether the financial statements show
a true and fair view of the state of affairs. The report is addressed to shareholders.
Section 162(1) of the Companies Act stipulates the statements that should be expressly stated in the
auditor’s report. These are;
- Whether the auditor has obtained all the information and explanation which to the bestof his
knowledge and belief were necessary for audit proposes.
- Whether in his opinion, proper books of accounts have been kept by the company, sofar as it appears
from the examination of those books and proper returns adequate forthe purposes of the audit from
branches not visited by him.
- Whether the company’s balance sheet and profit and loss accounts dealt by the reportare in agreement
with the books of the accounts and returns.
- Whether in his opinion and to the best of his information and according to the explanationsgiven to
him, the financial statements give the information required by the CompaniesAct in the manner so
required and give at rue and fair view.
- In the case of the balance sheet, of the state of affairs of the company as at the end ofthe accounting
period.
- In the case of the profit and loss account, of the state of profit or loss of the companyin the financial
year.
- In the case of a holding company submitting group financial statements whether in hisopinion, the
group financial statements have been prepared in accordance with theprovisions of the Companies
Act so as to give a true and fair view of the state of affairsand profit or loss of the company.
Once the auditor has gathered sufficient appropriate audit evidence on which to base his opinion, he is
expected to put his findings on the true and fairness of the financial statements in a report.
a) Examining, on a test basis, evidence to support the financial statement amounts and disclosures;
b) Assessing the accounting principles used in the preparation of the financial statements;
Page 224
c) Assessing the significant estimates made by management in the preparation of the financial
statements; and
d) Evaluating the overall financial statement presentation.
This report is referred to as the auditor’s report. The report is primarily meant for the Shareholders but
can be of benefit to other users of the financial statements as well for example the banks. The wording
and the format of the report is guided by law.
International Standard on Auditing (ISA) 700, Forming an Opinion and Reportingon Financial
Statements
For purposes of the ISAs, the following terms have the meanings attributedbelow:
a) General purpose financial statements – Financial statements prepared in accordance with a general
purpose framework.
b) General purpose framework – A financial reporting framework designed to meet the common
financial information needs of a wide range of users. The financial reporting framework may be a fair
presentation framework or a compliance framework.
The term “fair presentation framework” is used to refer to a financialreporting framework that requires
compliance with the requirementsof the framework and:
i) Acknowledges explicitly or implicitly that, to achieve fair presentation of the financial statements, it
may be necessary for management to provide disclosures beyond those specifically required by the
framework; or
ii) Acknowledges explicitly that it may be necessary for management to depart from a requirement of the
framework to achieve fair presentation of the financial statements. Such departures are expected to be
necessary only in extremely rare circumstances.
iii) The term “compliance framework” is used to refer to a financial reporting framework that requires
compliance with the requirements of the framework, but does not contain the acknowledgements in
(i) or (ii) above.
c) Unmodified opinion – The opinion expressed by the auditor when the auditor concludes that the
financial statements are prepared, in all material respects, in accordance with the applicable financial
reporting framework.
Reference to “financial statements” in this ISA means “a complete set of generalpurpose financial
statements, including the related notes.” The related notesordinarily comprise a summary of significant
accounting policies and otherexplanatory information. The requirements of the applicable financial
reportingframework determine the form and content of the financial statements, and whatconstitutes a
complete set of financial statements.
Page 225
(b) To express clearly that opinion through a written report that also describes the basis for that
opinion.
Page 226
i) Appropriate report title
Auditing standards require that the report be titled and that the title includes the word ‘independent’
e.g. independent auditors report’. The requirement that the title includes the word independent is
intended to convey to users that the audit was unbiased in all aspects.The title should indicate that the
report is by an independent auditor to confirm all the relevant ethical standards have been met
ii) Address
The auditor’s report shall be addressed as required by the circumstances of the engagement. The
report is usually addressed to the company, its stockholders or the board of directors. For practical
reasons, it limits the users of auditor’s report.
iii) Introductory paragraph
The first paragraph has three purposes, fist, it makes a statement that the practice did an audit.
Secondly, it lists all the financial statements that were audited including the balance sheet dates and
accounting periods for the income statement and cash flow statement. The wording of the financial
statements in the report should be identical to those used by management on the financial statements.
Thirdly, the introductory paragraph states that the statements are the responsibility of management
and that the auditor’s responsibility is to express an opinion on the statements based on the audit.
v) Opinion paragraph
This final paragraph states the auditors conclusions based on the results of the audit. This part of the
report is so important that often the audit report is simply called the auditor’s opinion.
The opinion paragraph is stated as an opinion rather than a statement of absolute fact or a guarantee.
Page 227
vii) Name of audit firm
The firm’s name is used because the entire firm has the legal responsibility to ensure that the quality
of audit meets professional standards.
Page 228
phrase that the auditor’s consideration of internal control is not for the purpose of expressing an
opinion on the effectiveness of internal control; and
- An audit also includes evaluating the appropriateness of the accounting policies used and the
reasonableness of accounting estimates made by management, as well as the overall presentation of
the financial statements.
- Where the financial statements are prepared in accordance with a fair presentation framework, the
description of the audit in the auditor’s report shall refer to “the entity’s preparation and fair
presentation of the financial statements” or “the entity’s preparation of financial statements that give a
true and fair view,” as appropriate in the circumstances.
- The auditor’s report shall state whether the auditor believes that the audit evidence the auditor has
obtained is sufficient and appropriate to provide a basis for the auditor’s opinion.
x) Auditor’s Opinion
(a) Whether users might misunderstand the assurance obtained from the audit of the financial
statements and, if so,
(b) Whether additional explanation in the auditor’s report can mitigate possible misunderstanding.
If the auditor concludes that additional explanation in the auditor’s report cannot mitigate possible
misunderstanding, ISA 210 requires the auditor not to accept the audit engagement, unless required by
law or regulation to do so. In accordance with ISA 210, an audit conducted in accordance with such law
or regulation does not comply with ISAs. Accordingly, the auditor does not include any reference in the
auditor’s report to the audit having been conducted in accordance with International Standards on
Auditing.
“Present fairly, in all material respects” or “give a true and fair view”
- Whether the phrase “present fairly, in all material respects,” or the phrase “give a true and fair view”
is used in any particular jurisdiction is determined by the law or regulation governing the audit of
financial statements in that jurisdiction, or by generally accepted practice in that jurisdiction. Where
law or regulation requires the use of different wording, this does not affect the requirement for the
auditor to evaluate the fair presentation of financial statements prepared in accordance with a fair
presentation framework.
Page 229
and fair view of the information that the financial statements are designed to present, for example, in the
case of many general purpose frameworks, the financial position of the entity as at the end of the period
and the entity’s financial performance and cash flows for the period then ended.
Description of the applicable financial reporting framework and how it may affect the auditor’s
opinion
- The identification of the applicable financial reporting framework in the auditor’s opinion is intended
to advise users of the auditor’s report of the context in which the auditor’s opinion is expressed. The
applicable financial reporting framework is identified in such terms as:
“… in accordance with International Financial Reporting Standards” or
“… in accordance with accounting principles generally accepted in Jurisdiction X …”
- When the applicable financial reporting framework encompasses financial reporting standards and
legal or regulatory requirements, the framework is identified in such terms as “… in accordance with
International Financial Reporting Standards and the requirements of Jurisdiction X Corporations
Act.” ISA 210 deals with circumstances where there are conflicts between the financial reporting
standards and the legislative or regulatory requirements.
- The financial statements may be prepared in accordance with two financial reporting frameworks,
which are therefore both applicable financial reporting frameworks. Accordingly, each framework is
considered separately when forming the auditor’s opinion on the financial statements, and the
auditor’s opinion refers to both frameworks as follows:
a) If the financial statements comply with each of the frameworks individually, two opinions are
expressed: that is, that the financial statements are prepared in accordance with one of the
applicable financial reporting frameworks (for example, the national framework) and an opinion
that the financial statements are prepared in accordance with the other applicable financial
reporting framework (for example, International Financial Reporting Standards). These opinions
may be expressed separately or in a single sentence (for example, the financial statements are
presented fairly, in all material respects, in accordance with accounting principles generally
accepted in Jurisdiction X and with International Financial Reporting Standards).
b) If the financial statements comply with one of the frameworks but fail to comply with the other
framework, an unmodified opinion can be given that the financial statements are prepared in
accordance with the one framework (for example, the national framework) but a modified opinion
given with regard to the other framework (for example, International Financial Reporting
Standards) in accordance with ISA 705.
- The financial statements may represent compliance with the applicable financial reporting framework
and, in addition, disclose the extent of compliance with another financial reporting framework.
- Such supplementary information is covered by the auditor’s opinion as it cannot be clearly
differentiated from the financial statements.
a) If the disclosure as to the compliance with the other framework is misleading, a modified opinion
is expressed in accordance with ISA 705.
Page 230
b) If the disclosure is not misleading, but the auditor judges it to be of such importance that it is
fundamental to the users’ understanding of the financial statements, an Emphasis of Matter
paragraph is added in accordance with ISA 706, drawing attention to the disclosure.
a) A title;
b) An addressee, as required by the circumstances of the engagement;
c) An introductory paragraph that identifies the financial statements audited;
d) A description of the responsibility of management (or other appropriate term, ) for the preparation of
the financial statements;
e) A description of the auditor’s responsibility to express an opinion on the financial statements and the
scope of the audit, that includes:
A reference to International Standards on Auditing and the law or regulation; and
A description of an audit in accordance with those standards;
f) An opinion paragraph containing an expression of opinion on the financial statements and a reference
to the applicable financial reporting framework used to prepare the financial statements (including
identifying the jurisdiction of origin of the financial reporting framework that is not International
Financial Reporting Standards or International Public Sector Accounting Standards
g) The auditor’s signature;
h) The date of the auditor’s report; and
i) The auditor’s address.
Page 231
Auditor’s Report for Audits Conducted in Accordance with Both Auditing Standards of a Specific
Jurisdiction and International Standards on Auditing
- An auditor may be required to conduct an audit in accordance with the auditing standards of a specific
jurisdiction (the “national auditing standards”), but may additionally have complied with the ISAs in
the conduct of the audit. If this is the case, the auditor’s report may refer to International Standards on
Auditing in addition to the national auditing standards, but the auditor shall do so only if:
a) There is no conflict between the requirements in the national auditing standards and those in ISAs
that would lead the auditor (i) to form a different opinion, or (ii) not to include an Emphasis of
Matter paragraph that, in the particular circumstances, is required by ISAs; and
b) The auditor’s report includes, at a minimum, each of the elements set out in above when the
auditor uses the layout or wording specified by the national auditing standards. Reference to law
or regulation shall be read as reference to the national auditing standards. The auditor’s report
shall thereby identify such national auditing standards.
- When the auditor’s report refers to both the national auditing standards and International Standards on
Auditing, the auditor’s report shall identify the jurisdiction of origin of the national auditing
standards.
The financial reporting framework is determined by IFRS’s, with due regard to local legislation. To advise
the reader of the context in which the auditor’s opinion is expressed, the auditor’s opinion indicates the
framework upon which the financial statements are based. This designation helps the user to better
understand which financial reporting framework was used in preparing the financial statements.
The following are the various types of audit opinions that the auditor can issue:
i) Unqualified opinion.
ii) Modified opinions:
Emphasis of matter.
Qualified opinion.
Disclaimer of opinion.
Adverse opinion.
These are covered in detail below.
a) Unqualified Opinion
Page 232
An unqualified opinion should be expressed when the auditor concludes that the financial statements give
a true and fair view in accordance with IFRS and the Kenyan Companies Act. An unqualified opinion also
indicates implicitly that any changes in accounting principles or in the method of their application, and the
effects thereof, have been properly determined and disclosed in the financial statements.
b) Modified Reports
Matters That Do Not Affect the Auditor’s Opinion
In certain circumstances, an auditor’s report may be modified by adding an emphasis of matter paragraph
to highlight a matter affecting the financial statements, which is included in a note to the financial statements
that more extensively discusses the matter. The emphasis of matter paragraph does not affect the auditor’s
opinion and is normally included after the auditor’s opinion paragraph. The emphasis of matter paragraph
would ordinarily refer to the fact that the auditor’s opinion is not qualified in this respect.
The engagement partner would normally consider including an emphasis of matter paragraph in the
auditor’s report in the following circumstances:
i) When there is a going concern problem; or
ii) When there is a significant uncertainty (other than a going concern problem), the resolution of which
is dependent upon future events and which may affect the financial statements; or
iii) When there is a material inconsistency in other information in documents containing financial
statements (e.g. a directors’ report), and the directors refuse to make an appropriate amendment.
Page 233
Whenever the auditor expresses an opinion that is other than unqualified, a clear description of all the
substantive reasons should be included in the report and, unless impracticable, a quantification of the
possible effect(s) on the financial statements. This information is normally set out in a separate paragraph
preceding the opinion or disclaimer of opinion and may include a reference to a note to the financial
statements that more extensively discusses the matter.
The following is an illustration of the relevant paragraphs when an adverse opinion is to be expressed:
Page 234
Limitation on Scope
A limitation in the scope of the auditor’s work can arise in the following circumstances:
i) When the limitation in scope is imposed by the entity (for example, as a result of the terms of
engagement).
ii) When the limitation on scope is imposed by circumstances (for example, the timing of the auditor’s
appointment is such that the auditor is unable to observe the counting of inventories or when the entity’s
accounting records are inadequate and the auditor is unable to carry out reasonable alternative
procedures to obtain sufficient appropriate audit evidence to support an unqualified opinion).
When there is a limitation on the scope of the auditor’s work that requires expression of a qualified opinion
or a disclaimer of opinion, the auditor’s report should describe the limitation and indicate the possible
adjustments to the financial statements that might have been determined to be necessary had the limitation
not existed.
Page 235