
AUDITING 322

INTRODUCTION

Internal controls
 Internal controls are controls put in place to safeguard the assets of the company, to prevent fraud from
occurring, to ensure compliance with laws and regulations applicable to the entity, to produce reliable
information and to operate the business effectively and efficiently.
 The auditor needs to understand internal controls from the business’s perspective.
 Internal control is a process: a combination of systems, policies and procedures designed, implemented
and maintained to address the risks involved in running a business.
 Internal control is not the sole responsibility of management; everyone is responsible for it.
Limitations to internal controls
1. Cost/benefit – may be more expensive and not worth implementing.
2. Internal controls are directed at routine transactions (everyday transactions) rather than non-routine
transactions (special cases).
3. Human error – due to carelessness, distractions, mistakes or misunderstandings.
4. Internal controls could be dodged through collusion.
5. Management could easily override internal controls.
6. Procedures may become inadequate due to changes and compliance with procedures may deteriorate.
Components of internal control
1. The control environment ISA 315 para 14 A76-A86
2. Risk assessment ISA 315 para 15 A87-A88
Identify and assess risks
- Operational – risk that threatens the entity
- Financial reporting – risk that the accounting system does not record only
transactions which have occurred and are authorised, or does not
record and process them accurately and completely.
- Compliance – risk that entity does not comply with laws and regulations
applicable to the entity.
How to respond to risk
- Control activities
- Information system

3. Information systems ISA 315 para 18-19 A89-A95


- Valid, accurate and complete
- Procedures to deal with transactions –initiating, recording, processing,
correcting and posting to ledgers.

4. Control activities ISA 315 para 20 A96-A105


- Actions and procedures supported by policies: *approval and authorisation *segregation
of duties *isolation of responsibilities *access/custody *comparison
and reconciliation *performance reviews
- Preventive and detective
- General and application

5. Monitoring of controls ISA 315 para 22 A106-A108


Audit evidence
 Audit evidence is absolutely fundamental to the audit function. Auditor has the duty to gather evidence to
support his opinion on whether the assertions of the financial statements are fairly presented.

 Auditor needs to collect sufficient appropriate audit evidence:


- Sufficient evidence (quantity)
- Appropriate evidence (quality)
*Reliability *Relevance

 Influencing factors in determining whether sufficient appropriate evidence has been obtained.
- Assessing inherent and control risk at the client
- Materiality
- Experience gained from previous audits
- Results of audit procedures already conducted
- Source and reliability of information available
- The persuasiveness of the audit evidence

 FINANCIAL STATEMENT ASSERTIONS


Income statement
- Completeness, Occurrence, Cut off, Accuracy, Classification
Balance sheet
- Completeness, Existence, Rights and obligations, Valuation and
allocation, Presentation and disclosure
Same as income statement, excluding CUT OFF
Auditor’s toolbox

 Procedures in carrying out a risk assessment, test of controls and substantive testing.
 Inspection (examining documentation to physical asset)
 Observation (looking at the process being performed by others)
 External confirmation (written)
 Recalculate (checking manually or electronically the math accuracy of documents or records)
 Reperformance (auditor performing the procedure or control of internal controls)
 Analytical procedures (comparing year to year or months)
 Inquiry (seeking information from knowledgeable persons )

 Why perform test of controls?


The auditor who is interested in the fair presentation of balances and totals, could test the accounting system
and related control activities to determine whether they produce reliable balances and totals.
 Why perform substantive testing?
Substantive procedures may be performed on balances and totals themselves or individual transactions making
up a total or balance.
Substantive procedures seek to provide evidence to support financial statement assertions.
- Balances CERVP - Verifying
- Transactions COCAC - Vouching
- Disclosure ROCCA

>>THE AUDIT PROCESS<<


1. Preliminary stage
 The auditor decides whether or not to accept an audit engagement
 Haven’t taken on client yet or haven’t decided to continue with client yet.
 Reasons an audit firm may wish not to enter/ continue relations with a client:
- Management seems unethical or lack integrity
- Firm does not wish to be associated with the industry
- Client does not pay fees
- Reputation of a poor relationship with auditor
- Client does not comply with the appropriate framework
- Firm may not be competent or have enough resources to complete
audit properly
 Compliance with the standard
*Consider integrity of client’s principal owners, determine whether the firm is competent to perform
the engagement and whether it can comply with ethical requirements.
 Procedures for gathering preliminary engagement information:
- Communicate with previous auditor (with permission)
- Inquiry from the firm’s bank, legal counsel, etc. (with permission)
- Discussions with client’s directors, senior financial personnel, audit
committee, etc.
- Background searches on relevant databases (google)
- Review of documentation
 Formalise the engagement letter

2. Planning stage
ISA 300 states that the objective of the audit is to plan the audit so it will be performed in an effective
manner.
The planning of the audit: - Ensures appropriate attention is devoted to important areas of the
audit.
- Problems are identified and resolved on a timely basis.
- A competent audit team
- Appropriate direction and supervision of the audit team
- Work is completed on time
* The audit strategy
Sets the scope, timing and direction of the audit and guides the development of the audit plan.
o Scope:
*The financial reporting standards on which the financial information has been prepared.
*Expected coverage, including numbers and locations of components to be involved.
*Involvement of other auditors?
*The need for specialised knowledge
* The availability of internal audit work and the extent of the auditor’s reliance on it.
* The effect of information technology on the audit procedures, use of CAATS
o Timing:
*The company’s time table for reporting – interim, year end?
* Schedules with management and those charged with governance to discuss the nature, timing and
extent of the audit.
* Communication with other auditors, experts etc. and the timing of reports to be issued as a result of
their work.
* Size, complexity and number of locations of the client.
* Extent and complexity of computerisation of the client – CAATS
o Direction:
*Materiality – lower = more audit work
* The presence of significant risk
* Impact of high risk at FS level means more experienced staff to be placed on the audit.
* Evidence of management’s commitment to design and operation of sound internal controls
*The volume of transactions – Use of CAATS
*Significant business development affecting the entity.

* The audit plan


Audit plan is more detailed than the audit strategy.
Audit plan defines the nature, timing and extent of procedures that will need to be carried out by auditor.
- ISA 315 nature, timing and extent of risk assessment procedures
- ISA 330 nature, timing and extent of further audit procedures
Before the strategy or plan a great deal of information needs to be collected about the client company.

* Understanding the entity and its environment


To do proper risk assessment
How to get information about the client:
- Preliminary activities
- Previous experience with entity
- Inquiries of management and client personnel
- Observation
- Inspection
- Analytical procedures
- Discussion among audit team

* Materiality
It is understood that FS are not 100% accurate, there is a margin of error. This margin must be acceptable to
users otherwise FS are of little or no value. If misstatements are outside the acceptable margin they become
material and are likely to affect user’s decisions.

ISA320 – materiality at planning and performing stage of the audit


- Misstatements are material if they, individually or in aggregate, could be
expected to influence the economic decisions of users on the basis of the FS.
- Judgements about materiality are affected by the size or nature of a
misstatement, or a combination of both.
- A matter will be material if a user of the FS should know about it when making
a decision based on the FS.

ISA 450 – materiality at evaluating stage relating to forming an opinion.

Nature of materiality
- It is subjective
- It is relative (varies from user to user)
- Can be both qualitative (regarded as material when judged against other
factors) and quantitative (exceeds amount which auditor deems
material)

Planning and performance materiality


Planning stage – auditor makes judgement about size of misstatements that will be considered material,
having an idea of the size assists the auditor to:
- Determine nature, timing and extent of risk assessment procedures
- Identify and assess the risk of material misstatements
- Determine the nature, timing and extent of further audit procedures

Planning materiality is basically the guideline for the amount of misstatements the user can live with.

Setting planning materiality:


Materiality is set for the FS as a whole, as well as a lesser amount of materiality set for classes of transactions, acc
balances and disclosure.
Factors which may be considered when quantifying planning materiality:
- Use of benchmarks (PBT, assets etc.)
- Importance of specific information to users
- Key disclosures (correctly disclosed)
- Legal requirements (eg: facts that need to be disclosed in terms of
companies act)

Performing stage – this will be set once auditor starts tests on specific acc balances and classes of
transactions.
NB to remember that something could be material in aggregate and not just individually.
Performance materiality is set lower than planning materiality and thus a larger sample should be tested.
ISA 320 – auditor must determine performance materiality for the purpose of:
- Assessing risk of material misstatements (class of trans or acc bal)
- Determine nature, timing and extent of further audit procedures
Performance materiality takes into account that we test for misstatements which in aggregate might exceed
the planning materiality level.

Planning for qualitative misstatements – essentially deals with disclosure.


Auditor should have a good idea about the disclosure which, if omitted or inadequately presented, could
influence the decision of users, like:
- Improper description of acc policies which could mislead users
- Related party transactions
- Directors’ remuneration
- Other
Performance materiality directly influences the extent (nature and timing too) of further audit procedures, if
performance materiality needs to change it will change the further audit procedures which must be
performed to reduce audit risk to an acceptable level.

Final materiality (Evaluating stage)

ISA 450 – auditor must:


o Evaluate effect of identified misstatements on audit
Auditor monitors how the audit is going in respect of what they expected and what is reflected by the
materiality level and the audit strategy and plan which were put in place; if not going as planned =
revise audit strategy and plan.
o Evaluate the effect of uncorrected misstatements, if any, on FS
These procedures are usually performed on samples of a population; the conclusion, however,
needs to be drawn on the population from which the sample came.
Auditor needs to:
- Analyse and project the errors in the sample over the population
(errors/total sample x population)
- Decide whether to have further tests done by the audit team or to ask the client to check the
population in detail for further errors.
- Discuss with management to have errors corrected. Management may
not correct them because they:
 Disagree that there is a misstatement
 Do not regard it as material
 Have ulterior motives
 Find it too much hassle
 Are unconcerned about getting a qualified report
Final materiality is the guideline against which auditor measures the effect of uncorrected misstatements on
the FS.

* Planning and conducting risk assessment procedures


If auditor does not understand client and his business, he will be unable to identify and assess the risk of
material misstatements.
 Risk at FS level
Risk that could affect FS as a whole and filter down into many assertions
- Integrity of management
- Management’s experience and knowledge
- Unusual pressure on management
- Nature of the entity’s business

 Risk at assertion level


Affect account balances, transactions and disclosure, auditor will seek:
- Information about product company sells
*occurrence relating to class of transactions
- Type of inventory held, locations and controls over them
*existence relating to asset account balance
- Related parties who can assist in finding omissions in disclosure.
*completeness of presentation and disclosure

* Planning further audit procedures based on the risk assessment


This will entail developing a plan which describes the nature, timing and extent of further audit procedures,
both test of controls and substantive testing, which will be conducted to reduce the risk of material
misstatements relating to the assertions remaining undetected.
 General observations relating to nature and extent
- Nature of audit = its purpose (TOC/SP) and = its type
(observation, enquiry, recalculate, a/p, external confirmation
and perform.)

* Auditor’s responsibility relating to fraud


ISA 240: Auditor should
 Identify and assess RMM of FS due to fraud
 Implement appropriate responses
 Respond appropriately to fraud or suspected fraud identified during
audit
Types of fraud
1. Fraudulent financial reporting
2. Misappropriation of assets

Management responsibility: prevent and detect fraud by implementation and monitoring of internal
controls.
Auditor’s responsibility: ISA 240 p12-33
Responses to risk of material misstatement due to fraud: ISA 240 p28-33

3. Responding to assessed risk


Having responded to the risk assessment by planning further audit procedures, the auditor will proceed by
implementing an overall response and carrying out the planned further procedures and other procedures.

 Overall response at FS level


ISA330
- Prof scepticism
- Experienced staff/ experts
- More supervision
- Unpredictability
- General changes to nature, timing and extent

The auditor will respond by conducting extensive procedures on the existence, rights and
valuation of inventory and the occurrence of sales/ existence of debtors.

 Respond to assessed RMM at assertion level (further procedures)


The auditor must respond to risk by getting the nature, timing and extent of tests of controls
and sub testing correct so as to reduce the RMM going undetected to an acceptable level,
and reduce the risk of giving an inappropriate opinion.
AKA – carry out procedures with the intention of reducing audit risk to an acceptable level.
- Inspection
- Observation
- Inquiry
- External confirmation
- Recalculation
- Analytical procedures
- Reperformance
ISA 500/540/520
Remember objective is to gather sufficient appropriate evidence to reduce RMM remaining undetected in
the acc balances, class of transactions and disclosure which makes up FS, to an acceptable level.

Significant risk
Auditor must consider whether:
- Risk of fraud
- Relates to recent significant economic, accounting, other
development
- Complexity of transaction
- The degree of subjectivity
- Whether it involves transactions outside normal course of
business, unusual due to size or nature.
Concept of materiality: see above

SUBSTANTIVE PROCEDURES
 Debtors
 Creditor
 Other income and accruals
 Provisions
 Long term loans
 Inventory
 Investments
Major risk will be overstating the investment account (fictitious investments, overstatement of value).
Client will prepare schedule of investments – listed, unlisted, details of each, cost and fair value, CY movement.
Assertions CERVP
 PPE
Take IAS 16 into account – cost or revaluation model
Assertions for PPE account – CERVP
 Completeness
- Select sample of Fixed (A) and trace to fixed (A) register (asset to
document).
- Review CPJ and creditor’s payment for fixed assets purchased
and confirm that they are recorded as fixed (A).
- Review lease agreement and enquire of senior personnel for
evidence of asset leased but not capitalised.
- Inspect for repairs and similar accounts for material items which
may indicate acquisition of PPE which was erroneously
expensed.
 Existence
- Select sample of assets on fixed (A) register and inspect for
physical asset (Document to asset)
- If asset cannot be physically verified, inspect corroborating
evidence eg: licence expenses
- Inspect CRJ for cash received for disposal of fixed asset, ensure
that item for which cash was received is on disposal list.
 Rights
- Determine change in rights to assets by 1. Enquire of
management 2. Inspect director minutes.
- For additions, inspect purchase documents for title to ensure
they are in client’s name. (registration documents, title deeds,
sales agreements)
- For assets still being paid for, inspect payment records to ensure
client is not behind on payments.
- Where leased assets are being capitalised inspect lease
agreement to ensure risk and rewards of ownership has passed
to client.
- 1. Enquire of management 2. Inspect director’s minutes 3.
Inspect loan agreement to ensure that assets are not held as
security.
 Valuation
- Agree o/b on summary schedule to prior years working paper
and general ledger to ensure amounts agree.
- Reperform all casts and extensions in fixed asset register and
supporting list of additions and disposals.
- Inspect summary of schedules and general ledger to ensure
amounts agree.
- Reperform reconciliation of the fixed asset register to fixed
assets accounts and acc dep in general ledger.

Assertions for movement (additions and disposals) – COCAC *remember depreciation and impairments
 Completeness
 Occurrence
- Select sample of assets from fixed (A) register and trace to
capital budget, minutes, purchase requisition for evidence of
authority.(ADD)
- Inspect physical asset and cross ref description, serial number to
purchase document. (ADD)
- Inspect invoice/ contract to ensure it was made out to client,
signed by client. (ADD)
- Inspect payment records CPJ to ensure payment was made for
asset. (ADD)
- Trace proceeds to bank statements to ensure disposal was
recorded. (DISP)
- Inspect documents used to approve disposal for authorised
signature. (DISP)
 Classification
- Inspect purchase documents and ledger account to ensure that
VAT was not included in cost.
- Trace posting from source in GL to ensure transaction was
recorded in the correct account.
 Accuracy
- Inspect invoice to ensure that cost of asset includes shipping
and installation.
 Cut off
- Inspect dates on all documentation to ensure transaction was
recorded in correct period.
 Intangibles
Assertions related to it will be CERVP. Main focus for auditor will be valuation and existence.
 Completeness
- Enquire of management about R&D projects under way.
- Review minutes to identify expenditure on intangibles and
inspect documents to ensure recorded.
- Obtain written representation about any intangible assets.
 Existence
- If asset has a physical representation, this should be inspected
by auditor.
 Rights
- Inspect letters, patents, registration of trademarks to ensure
they are in client’s name.
 Valuation
- Depending on indefinite or definite useful life inspect
documentation and supporting schedule to ID if intangible was
tested for impairments.
 Presentation
- Inspect disclosure for compliance with the applicable framework, consistency with
evidence gained, clear and understandable wording.
 Bank
 Equity

4. Concluding stage
See completion of the audit discussed later.

>> AUDIT RISK <<


The risk that the auditor will get it wrong is called the audit risk.
THE RISK THAT THE AUDITOR WILL EXPRESS AN INAPPROPRIATE OPINION WHEN THE FINANCIAL
STATEMENTS ARE MATERIALLY MISSTATED.
Limitations of an audit
- Nature of financial reporting – based on judgement
- Nature of audit procedures - info not always 100%
- Time constraints
- Cost /benefits
Components of audit risk
 Inherent risk
In a financial audit, measures the auditor's assessment of the likelihood that there are material
misstatements due to error or fraud in a segment before considering the effectiveness of internal
control.
*Valuation assertion of inventory – diamonds, expert needed?
 Control risk
CR refers to the risk that a misstatement could occur but may not be prevented, or detected and corrected,
by the entity's internal control mechanism. For example, the control risk assessment may be higher in
an entity where separation of duties is not well defined.
* If internal controls don’t work there is a strong possibility that misstatements of which the auditor
may not be aware will occur.
* Limitation of internal control
- Cost/benefit
- Directed at routine transactions rather than non-routine
transactions.
- Potential human error
- Collusion of members
- Management override internal controls
- Procedures become inadequate due to changes in conditions
 Detection risk
The risk that the auditor will conclude that no material errors are present when in fact there are
errors.
-Detection risk relates to the nature, timing and extent of audit procedures put in place to respond
to the risk of material misstatement and reduce audit risk to an acceptable level.
-Detection risk may rise if the auditor selects an inappropriate procedure, misapplies an appropriate
procedure or misinterprets the results of the test.
-the above can be avoided by sound planning, proper assignment of staff on engagement team,
applying professional scepticism and having proper supervision.

The relationship between audit risk, inherent risk, control and detection risk and material
misstatements
AR = IH x CR x DR
The risk of material misstatement is made up of inherent risk and control risk – the risk of material
misstatement will be highest where there is a high level of inherent risk relating to the assertion and the
control is weak.
If inherent risk (built-in risk) and control risk (management’s responsibility) are high, the auditor needs to ensure
that the detection risk is low so as to reduce audit risk, by:
- Having an audit team exercise professional scepticism
- Proper supervision in place
- Review procedures
This means getting the nature, timing and extent of the audit procedures right.
>>detection risk is the only risk controllable by auditor.

>> COMPUTER AUDIT <<


Client’s computer environment will directly affect the audit strategy and plan.
ISA 315 – the auditor is required to gain an understanding of the client’s internal control system, and also of the company’s
IT:

1. Control environment
Management’s attitude to and awareness of the need for controls, because of the major consequences
of poor controls in a computerised system.
2. Company’s risk assessment procedures
About controlling IT risk; IT risks are among the major risks companies face. This internal control component
focuses on the assessment of and response to IT risk facing the company.
3. Information system
ISA 315 p89
4. Control activities
This component has a big influence on whether Fin info system records and processes only transactions
which are authorised and have actually occurred and has done so accurately and completely. Control
activities are a combination of auto and manual controls.
5. Monitoring of controls
Management needs to assess whether the internal control system is meeting its objectives over time:
whether the controls take place and whether they are effective.

General controls
General controls are those which establish an overall framework of control for computer activities,
controls which should be in place before any processing of transactions takes place.
General controls categorised as follows:
o Control environment
ISA 315 pA76/77

o System development and implementation control


Has to do with significant changes relating to computerised systems.
o Access control
Controlling physical access to hardware and software.
- Security policy
*Least privilege, fail safe, defence in depth, logging
- Physical access control
*ID tags to get into building, only IT staff enter data
centre
- Logical access control
*Only authorised ppl, ID tags, passcodes
- Other access considerations
*Firewalls
o Continuity of operations
- Risk assessment
- Physical security
- Disaster recovery
o System software and operating controls

o Documentation

Application controls
o Closely linked to cycles – as an application is a set of procedures and programmes designed to satisfy all
users associated with a specific task. Eg: payroll cycle
o Application controls are controls which are relevant to a specific task within a cycle of the accounting
system.
o An application control therefore is any control within an application which contributes to the accurate
and complete recording and processing of transactions which have actually occurred and have been
authorised. (V, A, C)
o Input, processing and output – application controls relate to each of these stages.
o Controls must be implemented over input, processing and output but also over MASTERFILE.
Masterfile
- Stores standard information and balances
- Names, addresses, balances
THE STRICTER THE CONTROL OVER THE MASTERFILE, THE MORE RELIABLE THE INFO IS.
o Objective of control in computerised accounting environment is generally related to occurrence,
authorisation, accuracy and completeness of data and info stored on pc.
 Occurrence and authorisation are concerned with making sure transactions and data are not
fictitious or fraudulent and have been authorised by management.
 Accuracy is about minimising error by ensuring data and transactions are completely captured,
processed and allocated.
 Completeness is making sure that data and transactions are not omitted or incomplete

o Main focus of application controls is to prevent errors, a good system will have a good detection control.
If errors are detected they must be corrected.
>>Control activities in a computerised system.
ISA 315 in a computerised system:
NB to remember application controls are a combination of manual (user controls) and automated
procedures.

1. Segregation of duties
Computerisation takes employees out of the system and enables control procedures relating to authorising, executing, custody
and recording to be performed by 1 person on his pc. THIS IS DANGEROUS AND INCREASES RISK.
 Seg of duties is achieved by controlling the access employees have to the
system, the applications on it and the functions within each application.
 Achieved by setting up user profiles which detail exactly what each
employee must have access to, and what he can do once he has access
(eg: read only).
2. Isolation of responsibilities
Enhances isolation of resp by programming the pc to produce a log of who did what and when. This must
be properly followed up to be effective.
 Terminal ID, passwords, authorisation control all isolate access as well.
3. Approval and authorisation
System can be programmed NOT to process if certain conditions have not been met.
 Eg: System will not allow purchases from unapproved suppliers who are
not on creditors Masterfile.
 EFT will not process unless maybe 2 passwords have been entered to
authorise the transaction.

These are all very effective for preventing unauthorised transactions.

OVERRIDE of controls above will be logged – logging and following up is a detective control.

4. Custody
If company does not have application controls to prevent and detect invalid actions, assets are under
serious threat.
 Eg: company does not have physical control over the cash in bank but
must control unauthorised removals from bank account.
 Controls over EFT will be extensive, as a cheque can be cancelled but an EFT can’t,
so preventive controls are used, because detective controls over EFT are irrelevant.
 Electronic data protected by: controlling access of system at system
level (unauthorised access to system) and application level (if
authorised, can’t gain access to debtor’s applications), physical control
and disaster recovery controls.
5. Access control
Least privilege.
User must ID himself to system with valid user ID
Must authenticate himself with valid password
He will only be given access to what he is authorised to have access to in terms of his user profile.
6. Comparison and reconciliation
Eg: before authorising payment of wages, the paymaster or accountant could review the reconciliation
and tie it up to other sources of information, like changes in pay rates checked against original authority
for the change.
7. Performance review
Transactions can be tracked on the pc screen as they are being carried out.
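
The control activities listed above (user profiles for segregation of duties, two-person authorisation of an EFT, and a log of who did what and when) can be expressed as follows. This is an added example, not part of the original notes; the user names, applications, function names and payment IDs are constructed, and the rule that incompatible duties are judged per application is an assumption.

```python
from datetime import datetime, timezone

# Duties the notes say should not sit with one person.
INCOMPATIBLE = {"authorise", "execute", "custody", "record"}

# Constructed user profiles: user -> application -> functions granted.
PROFILES = {
    "clerk_a": {"creditors": {"record"}, "eft": {"execute"}},
    "manager_b": {"eft": {"authorise"}, "creditors": {"read"}},
    "manager_c": {"eft": {"authorise"}},
    "admin_d": {"eft": {"execute", "authorise"}, "creditors": {"read"}},
}

LOG = []  # isolation of responsibilities: who did what and when


def log(user, action, outcome):
    """Append one log record; nothing in this sketch edits or deletes records."""
    LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "action": action,
        "outcome": outcome,
    })


def sod_conflicts(profiles):
    """Return (user, application, duties) where one profile combines incompatible duties."""
    found = []
    for user, apps in sorted(profiles.items()):
        for app, functions in sorted(apps.items()):
            clash = sorted(functions & INCOMPATIBLE)
            if len(clash) > 1:
                found.append((user, app, clash))
    return found


def allowed(user, app, function):
    """Least privilege: a user may do only what the user profile lists."""
    return function in PROFILES.get(user, {}).get(app, set())


def release_eft(payment_id, prepared_by, approvers):
    """Preventive control: release only with two different authorisers, neither the preparer."""
    action = f"release_eft:{payment_id}"
    if not allowed(prepared_by, "eft", "execute"):
        log(prepared_by, action, "denied:no_execute_right")
        return False
    valid = {a for a in approvers
             if a != prepared_by and allowed(a, "eft", "authorise")}
    if len(valid) < 2:
        log(prepared_by, action, "denied:needs_two_authorisers")
        return False
    log(prepared_by, action, "released:" + ",".join(sorted(valid)))
    return True


def exceptions_for_review():
    """Detective control: the denied attempts that someone must follow up."""
    return [entry for entry in LOG if entry["outcome"].startswith("denied")]


if __name__ == "__main__":
    print(sod_conflicts(PROFILES))
    release_eft("PAY-1", "clerk_a", ["manager_b", "manager_c"])
    release_eft("PAY-2", "clerk_a", ["manager_b", "manager_b"])
    for entry in LOG:
        print(entry)
```

The profile review flags `admin_d`, who can both execute and authorise an EFT; even so, `release_eft` refuses to count the preparer as one of the two authorisers.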

>>Control techniques and application controls


Batching – technique which assists in controlling an activity which will be carried out on a batch of
transactions, with the intention of making sure all transactions are accurate and no invalid transactions were
added to the batch.

Screen aids and features – all features, procedures and controls built into the application software and
on screen to assist user to capture info accurately and completely, also links user’s access privilege to
screen in front of them.
o Minimum key in info – less errors
o Formatted to look like hardcopy – recognisable
o Extensive use of screen dialogue and prompts – msgs pop up to guide user
o Mandatory fields – cannot continue unless complete
o Shading of field – no access, cannot click on it

Programme controls (input and processing)


* Input programme checks
 EXISTENCE/VALIDITY CHECKS
Validation check – validate data keyed in against Masterfile.
Matching check – input is matched against data already in the database (Masterfile).
Data approval/ authorisation checks – test input against a preset condition (credit limit on debtors
account is 30 days, 120 days would not be approved).
 REASONABLENESS AND LIMIT CHECKS
Limit checks – detect when a field entered does not satisfy a limit which has been set (hours worked can’t be
more than 40 a week).
Reasonableness check – in a reasonable limit compared to other data.
 DEPENDENCY CHECKS
Entry in a field will only be accepted depending on information entered in another field.
 FORMAT CHECKS
Alpha-numeric checks – prevents/detects numbers in alphabet field and vice versa.
Size check – detect if entry doesn’t match field pre-set size limit.
Missing data check/ mandatory checks – detects blanks where no blanks should exist.
Valid character and sign check – letters, digits or signs entered in a field are checked against valid
signs/ characters for that field.
 SEQUENCE CHECKS
Detects gaps or duplicates in sequence of numbers as they were entered.
- Pre-printed
- Pre-numbered
- Logical design
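
The input programme checks above, applied to a batch of timesheet entries, as an added example that is not part of the original notes. The employee Masterfile, field names, employee-number format and the batch itself are constructed; the 40-hour limit is the one used in the notes.

```python
import re
from collections import Counter

# Constructed Masterfile of employee numbers (standing data).
MASTERFILE = {"E1001": "hourly", "E1002": "hourly", "E1003": "salaried"}
MAX_HOURS = 40                          # limit from the notes
EMP_ID_FORMAT = re.compile(r"E\d{4}")   # hypothetical field format
NUMERIC = re.compile(r"\d+(\.\d+)?")    # digits only: no sign, no letters


def check_entry(entry):
    """Return the names of the input checks that one keyed-in entry fails."""
    failed = []
    emp_id = entry.get("emp_id", "").strip()
    hours = entry.get("hours", "").strip()
    overtime = entry.get("overtime", "").strip() or "0"
    auth = entry.get("overtime_auth", "").strip()

    # Missing data / mandatory check
    if not emp_id or not hours:
        failed.append("mandatory")
    # Format checks (alpha-numeric, valid character and sign)
    if emp_id and not EMP_ID_FORMAT.fullmatch(emp_id):
        failed.append("format:emp_id")
    hours_ok = bool(NUMERIC.fullmatch(hours))
    overtime_ok = bool(NUMERIC.fullmatch(overtime))
    if (hours and not hours_ok) or not overtime_ok:
        failed.append("format:numeric")
    # Validation check: employee number must exist on the Masterfile
    if EMP_ID_FORMAT.fullmatch(emp_id) and emp_id not in MASTERFILE:
        failed.append("validation:not_on_masterfile")
    # Limit check
    if hours_ok and float(hours) > MAX_HOURS:
        failed.append("limit:hours")
    # Dependency check: overtime is accepted only if an authorisation is entered
    if overtime_ok and float(overtime) > 0 and not auth:
        failed.append("dependency:overtime_auth")
    return failed


def sequence_check(doc_numbers):
    """Return (gaps, duplicates) in the pre-numbered document sequence."""
    counts = Counter(doc_numbers)
    if not counts:
        return [], []
    gaps = sorted(set(range(min(counts), max(counts) + 1)) - set(counts))
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return gaps, duplicates


def process_batch(batch):
    """Accept clean entries; put everything else on an exception report."""
    accepted, exceptions, seen = [], [], set()
    for entry in batch:
        failed = check_entry(entry)
        if entry["doc_no"] in seen:
            failed.append("sequence:duplicate")
        seen.add(entry["doc_no"])
        if failed:
            exceptions.append((entry["doc_no"], failed))
        else:
            accepted.append(entry["doc_no"])
    gaps, duplicates = sequence_check([e["doc_no"] for e in batch])
    return {"accepted": accepted, "exceptions": exceptions,
            "gaps": gaps, "duplicates": duplicates}


# Constructed batch, values held as keyed in (strings).
BATCH = [
    {"doc_no": 501, "emp_id": "E1001", "hours": "38", "overtime": "", "overtime_auth": ""},
    {"doc_no": 502, "emp_id": "E1002", "hours": "48", "overtime": "", "overtime_auth": ""},
    {"doc_no": 503, "emp_id": "E9999", "hours": "40", "overtime": "", "overtime_auth": ""},
    {"doc_no": 505, "emp_id": "1001E", "hours": "4O", "overtime": "", "overtime_auth": ""},
    {"doc_no": 505, "emp_id": "E1001", "hours": "40", "overtime": "6", "overtime_auth": ""},
    {"doc_no": 506, "emp_id": "", "hours": "40", "overtime": "2", "overtime_auth": "MGR-7"},
]

if __name__ == "__main__":
    report = process_batch(BATCH)
    for doc_no, failed in report["exceptions"]:
        print(doc_no, failed)
    print("gaps:", report["gaps"], "duplicates:", report["duplicates"])
```

Only document 501 is accepted; the rest land on the exception report with the check each one failed, and the sequence check reports the missing document 504 and the duplicated 505.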

* Processing programme checks


Ensuring data is processed accurately and completely. Combination of elements in the system:
Masterfile, transaction info etc. user cannot see processing but pc will be programmed to carry out
checks on itself and report to user on what it has done.
ERRORS WILL BE WRITTEN IN EXCEPTION REPORTS

Programme edit checks:


-Sequence checks
-Arithmetic accuracy check
-Reasonableness tests
-Limit test
-Accuracy test
-Matching

* Output controls
Objective is to ensure that output is accurate and complete and that its distribution is strictly controlled
Eg: confidential output does not go to incorrect person.
Linked to processing controls because if processing was done accurately and completely it’s more likely
that output will be accurate and complete.

Controls over distribution – prevention controls:

• Clear report ID (name, time)
• A distribution matrix (who is to receive output and when – should be aligned with user
profile so people who don’t need to access the report cannot access it)
• Hardcopy should be controlled by a distribution list of who gets it and when, and signed
by the authorised recipient when received.
• Confidential info in sealed envelope, or if emailed should not be mailed to their pc.
• Output which is not required should be shredded

User controls – detective

• Review output for completeness – numerical sequence checks
• Reconciliation of input to output
• Review of output for reasonability – week to week wages reconciliation
• Review and follow up of exception report produced during processing
* Logging and reports
Used as detective and monitoring controls to provide additional assurance that pc processing is valid,
accurate and complete and that pc usage is authorised and productive. Logs must be reviewed and followed
up to be effective.
Types of logs and reports
o Audit trail
o Run to run balancing report
o Override reports
o Exception reports
o Activity report
o Access/ access violation report

>>Masterfile amendments
Needs to be protected from unauthorised changes!
Objective will be that: * only valid, authorised amendments are made to Masterfile. * details of amendments
are captured and processed accurately and completely. * all Masterfile amendments captured are
processed. (Includes detective and preventive controls and, where applicable, correction)
1. RECORD ALL MASTERFILE AMENDMENTS ON A SOURCE DOCUMENT
(1) All amendments were recorded on hardcopy MAFs.
(2) MAFs were pre-printed, sequenced and designed in terms of sound document design principles.
2. AUTHORISE MASTERFILE AMENDMENT FORMS
(1) MAFs should be: *signed by 2 senior personnel and *cross referenced to the supporting documents.
3. ENTER ONLY AUTHORISED MASTERFILE AMENDMENTS ONTO SYSTEM ACCURATELY AND COMPLETELY
(1) Restrict write access to specific members only, use their ID and password.
(2) All amendments automatically logged, sequenced and no write access to logs.
(3) To enhance accuracy and completeness of keying in info and detecting invalid conditions, screen aids
and programme checks will be implemented.
4. REVIEW MASTERFILE AMENDMENTS TO ENSURE THEY OCCURRED, WERE AUTHORISED AND WERE
ACCURATE AND COMPLETELY PROCESSED.
(1) Logs reviewed regularly by senior member
(2) Each logged amendment should be checked to confirm that it is supported by a properly authorised MAF
(3) The details on MAF are correct
(4) MAFs should be sequenced against the log to confirm that all MAFs were entered.
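
The sequence checks described earlier and the review steps in 4 above, applied to an amendment log: the log's own numbering is checked for gaps, and each logged amendment is reconciled to its MAF. This is an added example, not part of the original notes; the record layout, signatory codes and sample data are constructed.

```python
from collections import Counter


def sequence_check(numbers):
    """Return (gaps, duplicates) for a run of sequence numbers."""
    counts = Counter(numbers)
    if not counts:
        return [], []
    gaps = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return gaps, duplicates


def review_amendments(mafs, log):
    """Reconcile the amendment log to the MAFs; return [(ref, finding)]."""
    findings = []

    # The log's own numbering: a gap means an entry is missing from the log.
    log_gaps, log_dups = sequence_check([e["log_seq"] for e in log])
    findings += [(f"log {n}", "log sequence number missing") for n in log_gaps]
    findings += [(f"log {n}", "log sequence number duplicated") for n in log_dups]

    # MAF numbers as entered: a duplicate means a form was keyed in twice.
    _, maf_dups = sequence_check([e["maf_no"] for e in log])
    findings += [(f"MAF {n}", "entered more than once") for n in maf_dups]

    for entry in log:
        ref = f"MAF {entry['maf_no']}"
        maf = mafs.get(entry["maf_no"])
        if maf is None:
            findings.append((ref, "logged amendment has no supporting MAF"))
            continue
        if len(set(maf["signed_by"])) < 2:
            findings.append((ref, "not signed by 2 senior personnel"))
        if not maf["supporting_doc"]:
            findings.append((ref, "no cross-reference to supporting documents"))
        if (entry["field"], entry["new_value"]) != (maf["field"], maf["new_value"]):
            findings.append((ref, "logged details differ from MAF"))

    # Every MAF issued must appear in the log.
    entered = {e["maf_no"] for e in log}
    findings += [(f"MAF {n}", "never entered on system")
                 for n in sorted(set(mafs) - entered)]
    return findings


# Constructed sample data: pre-numbered MAFs and the system's amendment log.
MAFS = {
    201: {"field": "credit_limit", "new_value": "50000",
          "signed_by": ["FM", "CFO"], "supporting_doc": "CA-77"},
    202: {"field": "bank_account", "new_value": "62001234567",
          "signed_by": ["FM"], "supporting_doc": "BL-12"},
    203: {"field": "credit_terms", "new_value": "30",
          "signed_by": ["FM", "CFO"], "supporting_doc": "CA-78"},
    204: {"field": "credit_limit", "new_value": "20000",
          "signed_by": ["FM", "CFO"], "supporting_doc": "CA-79"},
}
LOG = [
    {"log_seq": 1, "maf_no": 201, "field": "credit_limit", "new_value": "50000"},
    {"log_seq": 2, "maf_no": 202, "field": "bank_account", "new_value": "62001234567"},
    {"log_seq": 3, "maf_no": 203, "field": "credit_terms", "new_value": "120"},
    {"log_seq": 5, "maf_no": 299, "field": "bank_account", "new_value": "40009876543"},
]

if __name__ == "__main__":
    for ref, finding in review_amendments(MAFS, LOG):
        print(ref, "-", finding)
```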

CAATS – computer assisted audit techniques


CAATS make it possible to do 100% testing instead of sample testing, thus providing huge benefits for
auditor by significantly reducing risk, providing more reliable evidence (no human error) and increasing audit
efficiencies.
SYSTEM ORIENTATED CAATS (test of controls)
>These CAATS concentrate on the accounting system and related control procedures and are used to
perform test of controls. (Auditing through the pc)
• Test data – auditor creates a set of transactions to be keyed in and processed. Transactions will
include both correct and incorrect data – if processing goes ahead for incorrect data, the control is not
working. Should be run on a copy of the live programme to prevent corrupting client’s data.
• Integrated test facility – extension of test data. An artificial unit is created on the client’s system.
Auditor can feed test transactions through along with normal transactions for processing.
Reduces risk of corrupting client information.
Auditor will have clear knowledge of controls in system, and this can be used by auditor again at any
time in the year; this helps gather evidence that controls worked throughout the year.
• Parallel simulation – running client’s transactions through a trusted system set up by auditor as
well as through client’s system and comparing output and following up on any discrepancies.
• Embedded audit facility – auditor needs to have an audit module inserted into the client’s
application programme. It then identifies transactions that might be of interest to auditor (e.g. all
payments over 500 000). Auditor could appear at any time to follow up on recorded transactions or
exceptions written to file.
DATA ORIENTATED CAATS (substantive testing)
Obtaining evidence to support the assertions relating to balances in the SFP and totals of transactions.
(Auditing with the pc)
• Generalised/ customised audit software – used to interrogate/ manipulate data extracted from
client systems. If general audit software doesn’t suit the need, customised audit software could be
developed.
• System utilities and report writers – utility programmes can be used to manipulate and analyse
data and test whether programs function correctly. Report writing programs enable user to
design and extract various reports, which may be useful for performing substantive tests.
CAATS should be used when:
- Complex system
- Volume of transactions/ output
- Data stored only in electronic form
Shouldn’t be used
- Audit team is not skilled in using CAATs
- Potential loss of independence
- Incompatibility of firm’s hardware and software with client’s hardware and
software.
>> COMPLETION OF THE AUDIT <<

1. The appropriateness and sufficiency of audit evidence


Audit only provides reasonable assurance because:
• Selective testing is used
• Inherent and control limitations
• Evidence is persuasive rather than conclusive
• Use of judgement when gathering, evaluating and concluding
AUDIT EVIDENCE - ISA 500
Obtain audit evidence by performing audit procedures
• Risk assessment procedures
• Test of controls
• Substantive procedures
-Consider the appropriateness (Quality) and sufficiency (Quantity) of the audit evidence (ISA 500.7)
-Is it a reasonable basis to form an opinion?
• Yes: unmodified report, or qualification or adverse
• No: disclaimer of opinion, or qualification
EXTERNAL CONFIRMATION – ISA 505

2. Evaluating audit differences


MATERIALITY – ISA 450/320
-Materiality for FS as a whole
-Materiality as balance, class of transactions, disclosure
-Performance materiality
-Clearly trivial threshold

• Quantitative / Qualitative
• Individual / Aggregate
-Important procedures that could create misstatements
o Related parties –ISA 550/IAS 24
o Contingent liabilities –IAS 37
o Impairments –IAS 36
o Subsequent events – IAS 10

3. Going concern –ISA 570


This means that assets and liabilities are recorded on the assumption that the company will continue in
operational existence for the foreseeable future.
When FS are not prepared on a going concern basis, this should be disclosed together with the basis on
which the FS are prepared as well as reasons why the company is considered not to be a going concern.
It is management’s responsibility to assess the entity’s ability to continue as a going concern.

Auditors interest in the going concern ability of the company:


The going concern assumption:
o The assumption of a going concern in the preparation of the FS directly affects many assertions
Audit risk
o The risk the auditor faces is expressing an unmodified audit opinion where the going concern
concept has been, or may be, applied inappropriately.
o If the FS are based on a going concern basis when it is not a going concern, there will be material
misstatements in the FS which auditor cannot ignore.
Auditor’s objective
o Obtain sufficient appropriate evidence about the appropriateness of management’s use of the
going concern assumption in preparing the FS.
o Conclude, based on evidence, whether a material uncertainty exists that could cast significant
doubt on the entity’s ability to continue as a going concern.
o Determine the implications for the audit report.

When does the auditor consider the appropriateness of the going concern?
o At all stages of the audit.

Audit plan for going concern


Management needs to take into account all available information about the future, +- 12 months from
the balance sheet.
Nature, timing and extent of tests depend primarily on the level of risk which the auditor perceives
exists.
Risk assessment procedures will be conventional:
• Inquire of management and others within the entity.
• Analytical procedures
• Inspection of documentation (management report, cash flow forecasts, budgets)
With regards to further and other procedures:
• Nature: auditor should still enquire as to whether they are aware of anything beyond the 12
months which may cast significant doubt on the entity’s ability to continue as a going concern.
• Extent: varies with the certainty of the company’s ability to continue as a going concern, little
audit work for a sound company, great deal of audit work where material uncertainty exists.
• Timing: financial year end and post balance sheet period as auditor is interested in the most up
to date information.

Obtaining information about going concern


Information about going concern will come from the auditor’s consideration of management’s
assessment of the entity’s ability to continue as a going concern, by analytical review, enquiry and
confirmation, as well as auditors own evidence gathered throughout the audit.
Auditor should:
o Analyse and discuss cash flow, profit and finances with management.
o Analyse and discuss the entity’s last available interim financial information.
o Review terms of debentures and loan agreements to determine if they can be met.
o Read minutes of meetings of shareholders for reference to financial difficulties.
o Enquire of entity’s lawyers regarding claims against the company.
o Confirm existence, legality and enforceability of arrangements to provide or maintain financial
support with related and 3rd parties and assess the financial ability of parties to provide such
funds.
o Consider entity’s position concerning unfilled customer contracts/orders (penalties?)
o Review after year end transactions which either reduce or increase risk relating to entity’s
ability to continue as a going concern.
Mitigating factors and management plans
When there is material uncertainty about the continuance of going concern, directors will attempt to fix
the problem by putting a plan in place:
• Disposal of assets to generate cash flow
• Raising of additional debt or restructuring debt
• Cost cutting
• Increase sales
The auditor will have to consider any plan and whether it is feasible.

Audit conclusion
• If material uncertainty exists that casts significant doubt upon the entity’s ability to continue as a
going concern, the nature and implications of the uncertainty should be clearly disclosed, as
necessary for the presentation of the FS not to be misleading.
• If material uncertainty exists it must be properly disclosed in the FS otherwise the FS do not
fairly present the state of the affairs of the company.
• Disclosure requires * description of condition giving rise to significant doubt and management’s
plans to deal with such conditions * state clearly that there is a material uncertainty.

The auditor’s report

• Unmodified opinion
No doubt exists about the appropriateness of presentation of AFS
• Unmodified opinion – emphasis of matter added
Presentation is appropriate but a material uncertainty exists and it is properly disclosed.
• Qualified opinion or adverse opinion based on disclosure problems
Presentation is appropriate but a material uncertainty exists and it is not properly disclosed or is
inadequately disclosed.
• Adverse opinion – inappropriate basis
Basis is not appropriate regardless of whether it was properly disclosed or not.
• Disclaimer of opinion
Auditor is unable to form an opinion due to multiple significant uncertainties.

4. Subsequent events – ISA 560


When evaluating and concluding, the auditor is obliged to consider whether all material events occurring
after balance sheet date and up to audit report date, which may indicate the need to adjust or disclose
have been identified.

Subsequent events - Events occurring between date of financial statements and date of
auditor’s report.
- Facts that become known to auditor after the date of the auditor’s
report.

Events after the balance sheet date – IAS 10 events after balance sheet date, both favourable and
unfavourable, occurring between balance sheet date and date when the financial statements are
authorised.
ISA 560 splits time after auditor’s report into two: 1) after auditor’s report, before financial statements
issued. 2) After financial statements have been issued to users.

TYPES OF SUBSEQUENT EVENTS


1. Adjusting events
Requires adjustments in the financial statements. Entity shall adjust amount in the FS to reflect
adjusting events after balance sheet date.
2. Non adjusting events
Events that arose after balance sheet date. If material must be disclosed, as non-disclosure could
influence the decisions of users.
3. Dividends
Dividends declared after balance sheet date, shall not be recognised as a liability at the balance
sheet date.
4. Going concern
If management determines after the balance sheet date that it intends to liquidate the company
or FS may not be prepared on the appropriate basis.

Events occurring between date of financial statements and auditors report


Duty of the auditor
*Subsequent events must be identified. *Treatment in FS must be audited to determine if it complies with
IAS 10
For ISA 560, auditor shall request management to provide a written letter of representation that all
events occurring subsequent to FS date which requires adjustment and disclosure, have been adjusted
and disclosed.

IDENTIFYING SUBSEQUENT EVENTS


o Review procedure management put in place to identify events after the balance sheet
date.
o Review minutes of meetings of directors, executives and audit committee held after FS
date.
o Obtain updates from client’s legal representatives on outstanding legal matters.
o Review company’s latest financial information – cash flow forecasts, budgets,
management reports and interim financial statements.
o Inspect the financial records from post balance sheet period.
o Inspect prior year’s working papers to identify types of events which have occurred
before.
o Obtain management rep letter in respect of events after balance sheet date.
o Enquire of management as to:
a. New commitments, borrowing etc.
b. Planned sales, disposals, abandonment of assets
c. Realisation of assets less than balance sheet value
d. Assets destroyed, impaired or appropriated
e. Development in risk areas previously identified
f. Usual accounting adjustments which have been made
g. Events which may affect the appropriateness of accounting policies
adopted at year end
h. Going concern ability of the company
The intention of these enquiries is to gather the latest information about audit issues.

AUDITING THE TREATMENT OF SUBSEQUENT EVENTS


o The auditor should determine whether event is adjusting or non-adjusting (condition existed
at balance sheet date or not).
o Evaluate the evidence supporting the event after balance sheet date (inspect contract where
new commitments have arisen).
o Reperform any casts or calculations applicable to events after balance sheet date
o Where adjustment has to be made, inspect to see if adjustment was made correctly.
o Where disclosure is required, inspect notes for compliance with IAS 10 (nature and estimate of
financial effect).
Facts that become known after auditor’s report but before FS issue date
No duty to perform procedures to identify events after reporting date, but if it becomes known that an event
exists after the audit report, auditor needs to consider whether it affects the FS which have already been
reported on and whether it is material.

• IF THE EFFECT IS MATERIAL


1. Should it be amended? AFS should be revised by adjustments or disclosure, if not =
qualified report.
2. Management’s willingness to amend the FS.
- If management is willing to amend FS, auditor should:
* Carry out audit procedures to confirm appropriateness of amendment.
* Conduct further subsequent event procedures up to date of new audit
report.
* provide management with new audit report on the amended FS
correctly dated.

- If management is NOT willing to amend FS the auditor should:


*Redraft the report expressing a qualified or adverse opinion.
(Only possible if auditor has not yet released report)
*If auditor has released report and client intends to release report with
incorrect FS the auditor must 1. Inform client that FS including the audit
report should NOT be released and 2. Inform client that, if they are, the auditor will
take steps to prevent reliance on the audit report.

Facts that become known after FS has been issued


Auditor should take appropriate action if the event, had it been known at reporting date, would have
resulted in a modified report.
- If management agrees to revise the FS, the auditor should:
* carry out procedures to ensure revision is satisfactory.
* conduct subsequent event procedures up to the revised report date.
* issue a revised report with emphasis of matter paragraph, explaining
the reissue of the report.
* review steps taken by management to notify users that FS have been
revised.
- If management disagrees to all of the above, the auditor should:
*Notify those charged with governance that action will be taken to
prevent reliance on the auditor’s report.

>> The decision as to whether amendments are necessary


Consider the following:
o Reason why directors refuse to revise
o Potential risk users could be exposed to if not revised
o Material and pervasive
o Time elapsed since audit report and sub measurement pronouncement.
o The practicality of communication with users (not cost efficient)
o Any legal advice that auditor may have sought

Actions to prevent further reliance on the audit report


The following measures could be taken:
o Address shareholders at general meeting
o Notify each person who the audit firm knows received the FS
o Make an announcement through public media
o Notify any regulatory agency which may have jurisdiction over audit client- JSE
Confidential, therefore state audit report can no longer be relied upon.

5. The Audit report


The objective is to express an opinion on whether the FS present fairly in all material respects, the
financial position of the company at a specific date and its financial performance and cash flows for a
specific period prior to that date, in accordance with IFRS.

Why the auditor might need to modify the audit opinion.


a) Auditor may need to modify his opinion
The auditor will modify his opinion if
- He is unable to gather sufficient appropriate evidence to support an unmodified opinion.
- There are uncorrected misstatements that are material and affect the fair presentation
- ISA 705 *qualified (except for) *Adverse (do not fairly present…) *Disclaimer of opinion (we do not
express an opinion on fair presentation of FS).
b) There may be information needed to be added to the report for the benefit of users
- Emphasis of matter *Highlight a matter already in the FS.
- Other matters *Add additional information to users.
LIMITATION OF SCOPE
Beyond control – fire
Nature, timing and extent of audit work – not being able to find information being appropriately applied.
Limited by client – client refuses to give auditor the information.
DISAGREEMENT

Arises when at the conclusion of the audit there is a material uncorrected misstatement.

SEE ISA 700, 705, 706


>> Corporate Governance <<
The Companies Act 71 of 2008
If management is about running the business, governance is about seeing that it runs properly.
CG is mainly concerned with what happens at the top (board) level of a business – the board should:
- Give strategic direction to the company
- Control the company

Why do we need CG?


- Because of creative accounting (getting up to nonsense in the FS)
- The very limited role of auditors
- Weak link between executive compensation and company’s
performance
- Market place focuses on short term perspective, which actually harms
general economic performance.

• NB: Sound CG is not a guarantee against failure, but failures are less likely to happen.

INTRODUCTION
5 policy objectives around which act was built, company law should promote the competitiveness and
development of SA economy by:
1. Encouraging entrepreneurship and enterprise development
2. Promoting innovation and investment in SA markets
3. Promoting efficiency of companies and their management
4. Encouraging transparency
5. Making company law compatible
In support of above, specific goals were set:
• Simplicity
• Flexibility
• Corporate efficiency
• Transparency
• Predictable regulations
* 26: Public interest score
Every company needs to calculate public interest score at the end of each financial year. Used to determine
which financial reporting standard the company must comply with, categories to be audited/reviewed and
who must carry out review. See p 3/6
* 27: companies FS may be compiled internally or independently
*28: Independent review
A company which is not required to be audited must have an independent review of its annual financial
statements UNLESS it is a private company in which every shareholder is a director, owner/ manager.
Public interest score more than 100: review must be conducted by a registered auditor or member of professional
body.
*29: reportable irregularities, independent review
Places obligation on the independent reviewer to report a reportable irregularity at an independent review
client.
1. Send written report to commissioner
2. Within 3 days notify board in writing, and send them a copy of the report.
3. In no longer than 20 days discuss RI with board
4. Send second report to commissioner either stating there is no RI, the RI is no longer
continuing or the RI is continuing.
*43: Social and ethics committee
Every STATE OWNED company, LISTED PUBLIC Company, any other company which in the prior 2/5 years
scored a public interest score of 500 points must all appoint a social and ethics committee.
Must be appointed within 12 months of date they first became listed or met 500 points
Committee must comprise of:
- No less than 3 directors
- 1 non-executive director not involved in the prior 3 years
Function is to monitor the company’s activities, relevant legislation, legal requirements or code of best
practice with regards to:
- Social and economic development
- Good corporate citizenship
- The environment, health and public safety
- Consumers relationships
- Labour and employment

ACT: chapter 1-9 see company act 2008
