ACFrOgCfiEAVH2XWvqneUqyBMBYXuqXWJ4RV3AGOOYSSXoo6ydpwA54dWRg37I Z5rkJOaG5iWXSH - OoeDB4cgxs8V6M5qqgodnX5OFiHciwysoNcoOH rlc8jjlWFM PDF

AA - Audit framework & regulation
Contents
Assurance ............................................................................................................................... 2
DEFINITION: ........................................................................................................................ 2
LEVEL OF ASSURANCE:........................................................................................................ 3
Introduction to an External Audit .......................................................................................... 4
WHAT IS AN AUDIT? ........................................................................................................... 4
AN AUDIT PROCESS CAN BE OUTLINED AS FOLLOWS: ....................................................... 5
PROS AND CONS OF AN EXTERNAL AUDIT: ........................................................................ 5
Fundamental Principles .......................................................................................................... 6
DEFINITION: ........................................................................................................................ 6
Ethical Risks ............................................................................................................................ 8
THREATS TO OBJECTIVITY AND INDEPENDENCE: ............................................................... 8
BREAKING CONFIDENTIALITY: ............................................................................................ 9
Corporate Governance ......................................................................................................... 10
DEFINITION AND PRINCIPLES: .......................................................................................... 10
BOARD OF DIRECTORS: ..................................................................................................... 10
COMMITTEES: ................................................................................................................... 11
AUDITOR’S REPORT: ......................................................................................................... 12
Internal Auditors .................................................................................................................. 13
THE ROLE OF INTERNAL AUDITORS .................................................................................. 13
DIFFERENCES BETWEEN EXTERNAL AND INTERNAL AUDITORS....................................... 14
RELIANCE ON INTERNAL AUDITORS' WORK ..................................................................... 15
OUTSOURCING.................................................................................................................. 15
1
Assurance
DEFINITION:
A practitioner evaluates a subject matter, that is the responsibility of another party, against
a criteria, to express a conclusion, to the user of the subject, where:
Practitioner = External auditor;
Subject matter = Financial statements;
Responsible party = Client management;
Conclusion = Audit opinion;
Users = Shareholders and other users.
By providing assurance you are:
1) Giving confidence to the users who make decisions;
2) Enhancing the credibility of the information in the financial statements.
ELEMENTS OF ASSURANCE ENGAGEMENT:
There are 5 elements of any assurance engagement:
1) The three parties involved, the practitioner, the responsible party and the user
(auditor, the management and the shareholders);
2) The subject matter (financial statements);
3) A suitable criteria (applicable financial reporting framework);
4) Sufficient appropriate evidence (audit procedures carried out);
5) Written assurance report (audit report).
2
LEVEL OF ASSURANCE:
IAASB introduces guidance designed for better understanding of two levels of assurance:
1) Reasonable assurance. The practitioner must:
 Provide sufficient appropriate evidence in order to form reasonable conclusions;

 Provide high level of assurance;
 Issue positive report or opinion.
2) Limited assurance. Such engagement provides:
 Sufficient appropriate evidence in order to form limited conclusions;

 Moderate level of assurance;
 Negative report or opinion.
Notes:
 When reviewing information regarding future events, it is impossible to give a

positive opinion as we cannot predict future events;
 The term ‘nothing has come to our attention’ is used if there is a negative opinion.
3
Introduction to an External Audit
WHAT IS AN AUDIT?
Objective of external auditor: to review the financial statements and form an independent
opinion. The auditor must communicate whether financial statements are true and fair and
properly prepared.
Role of the auditor: to identify any material misstatements so that they can be corrected by
the management before the accounts are published.
Material misstatements are errors within the financial statements that, if not corrected,
could influence the decisions made based on the information given.
True and fair means that financial statements are:
1) Factual;
2) Agree with the underlying records;
3) Clear;
4) Unbiased;
5) Free from material misstatements.
Properly prepared means that financial statements are prepared in accordance with the
applicable reporting framework.
EXPECTATION GAP:
There is a misconception of the role of external auditor known as expectation gap:
Misconception Fact
 Auditors test transactions on a sample
Auditors test all transactions and balances.
basis
 It is auditor’s responsibility to report on
whether financial statements are free
Auditors should detect all fraud and error.
from material misstatements whether
caused by fraud or error.
This is the responsibility of directors, not
Auditors prepare financial statements
the auditors
4
AN AUDIT PROCESS CAN BE OUTLINED AS FOLLOWS:
1) Acceptance. The auditors must consider before they begin the audit work whether they
want to accept new client or continue with existing one;
2) Engagement. Ensure that agreement between the auditor and the client is in place;
3) The plan. Auditors must carefully plan the audit and identify any risks and other issues
that need to be managed;
4) Assess controls and systems. Auditors must review the systems and control procedures
in order to identify whether controls are strong or poor;
5) Substantive testing. Auditors perform audit procedures on transactions and balances to

identify potential misstatements;
6) Completion and review. Audit manager will review the evidence collected and work
completed to ensure it is enough to form an opinion;
7) Audit report. Audit partner will review the audit work and the financial statements and
form an independent audit opinion.
PROS AND CONS OF AN EXTERNAL AUDIT:
Pros Cons
1) It results in greater detection of fraud and 1) There could be misstatements in

error; transactions not included in audit sampling;
2) It enhances the credibility of financial 2) Estimates are subjective and difficult to

statements; audit;
3) It improves shareholder confidence and 3) Auditors have to rely on evidence
company’s reputation; provided by client management;
4) Improvements to control systems are
4) Auditors have to rely on systems and
made based on prior experience of the
controls.
auditors;
5) It helps to resolve disputes between
management and assist in better decision
making.
5
The relationship between International Standards on Auditing and National Standards
The International Standards of auditing are set by the International Audit and Assurance Standards
Board (IAASB). The structures and processes that support the operations of the IAASB are facilitated by
the International Federation of Accountants (IFAC). IFAC is a worldwide organisation for the
accountancy profession dedicated to serving the public interest by strengthening the profession.
However, IFAC is not responsible for enforcing these standards. It is up to individual countries to
implement the standards if they deem them appropriate. Countries also have the choice to set their
own National Standards of implementation or may modify the ISAs’ to suit their needs.
National Regulatory bodies will be charged with enforcing the implementation of auditing standards,
enforcing quality control of audits and inspecting audit files. Countries may do this by allowing the
accountancy profession to implement the above or setting up an independent authority to do it.
Fundamental Principles
DEFINITION:
Ethics - guidance on how to behave morally and professionally.
IFAC code of ethics is the key regulative document.
Ethic principles must be considered when:
 Accepting new audit client;

 Acting for an existing audit client (not to act for a client if it will affect the judgement
during the assignment).
FUNDAMENTAL PRINCIPLES (OPPIC):
O - Objectivity
P - Professional behavior
P - Professional competence and due care
I - Integrity
C - Confidentiality
Objectivity means that the auditor:
 Must be objective when making the decision;

 Does not allow bias or other factors to influence the decision;
 Is able to make an independent opinion on the financial statements;
 Is not too connected to client to maintain objectivity.
Professional behavior means that the auditor:
 Complies with relevant laws and regulations;

 Acts properly to maintain professional standards;
 Is trusted to give an independent opinion.
Professional competence and due care means that the auditor should ensure that:
 Professional knowledge and skill are maintained;

 All relevant regulations are followed;
 Work is not taken on that they are not technically competent to do;
 Reporting requirements are understood.
6
Integrity means that the auditor should be:
 Straightforward and honest;

 Establishing trust.
Confidentiality means that the auditor must:
 Keep the information confidential;

 Do not pass the information to third parties without the authority;
 Implement strong controls.
7
Ethical Risks
THREATS TO OBJECTIVITY AND INDEPENDENCE:
Objectivity is one of fundamental principles given in the ethical code. An auditor should
remain objective, which means that they should not allow bias and not be influenced by
others.
Types of objectivity threats:
1) Self interest - arises when the auditor has personal interest in the client, which
could affect the audit;
2) Self review - arises when the auditor has to review work that they previously
performed;
3) Familiarity - arises when the auditor is too sympathetic or trusting of the client
because of a close relationship with them;
4) Advocacy - arises when the auditor is asked to promote or represent their client
in some way;
5) Intimidation - arises when clients put pressure on auditors in order to influence

the outcome of the audit.
Note: if auditors identify any of these threats, they need to put safeguards in place to
reduce the threat to an acceptable level.
Conflicts of interest:
A conflict of interest arises when the audit firm has the opportunity to audit two connected
clients. The main issue with a conflict of interest is confidentiality as there is a risk of
sensitive information being leaked.
The safeguards are as follows:
1) Discuss with both clients whether they are happy to continue with the same
audit firm;
2) Separate audit partners heading up the audit teams;
3) Set up separate audit teams and offices if possible;
4) Provide training on the importance of confidentiality to all staff;
5) Sign confidentiality agreements with the audit staff;
8
Note: If the audit firm cannot guarantee safeguards are strong enough, they should not
continue with both audits.
BREAKING CONFIDENTIALITY:
Keeping client information confidential is it is one of the fundamental principles from the
ethical code. Confidentiality should be broken when:
 Client has given permission to disclose information;

 There is a legal duty;
 It may be in the public interest.
9
Corporate Governance
DEFINITION AND PRINCIPLES:
Corporate governance - a set of guidelines that listed companies should follow.
Aim - to allow companies to operate in the shareholders interests and help protect their
investment from poor management decisions.
The UK version of the corporate governance is presented by Corporate governance code.

The code gives us 5 main principles:
1) Leadership - that the board of directors are collectively responsible for the
success of the organisation and decisions are made fairly. Non executive
directors who are part time and not involved in the day to day activities should
assist with decisions made;
2) Effectiveness - the board of directors should have appropriate skills and be

provided with the relevant information on a timely basis to ensure the right
decisions are made;
3) Accountability - the board of directors should ensure risks are identified and
that strategies are formed while communicating openly with the auditors;
4) Remuneration - directors pay should be fair and still be able to attract the right
individuals to the role. Pay should not be set by one individual and no one
should set their own pay;
5) Shareholder relationships - communication should be clear and objectives and

any issues should be dealt with on a timely basis.
BOARD OF DIRECTORS:
In order for these principles to be implemented, the company must organise the board of
directors so that responsibilities are shared and decisions are made fairly. Heading up the
board of directors should be:
a) The Chairman - a non-executive director who leads the board to ensure

strategic decisions are made in the shareholders interests;
b) The Chief executive officer (or CEO).
The next tier of management would consist of executive and non-executive directors and
there should be an equal board mix of these two types of directors.
10
COMMITTEES:
Executive and non-executive directors would then form committees who take on
responsibilities for the company. The committees are:
1) The audit committee - responsible for financial reporting and system control matters
and should be comprised of at least 3 non-executive directors. This committee should
ensure that:
 They increase confidence in the published financial information;

 They liaise and advise the board of directors to ensure they meet their
responsibilities for providing financial information;
 They improve independence of the external auditor as they communicate directly
with them.
Responsibilities of the audit committee include:
 Reviewing the internal controls and recommending changes;

 Communicating with the internal and external auditors;
 Reviewing the reliability of the financial statements;
 Recommending the appointment and removal of external auditors;
 Arranging for a confidential whistleblowing system for employees and potentially
investigate any issues found.
2) The risk committee - responsible for assessing the risks associated with the company
and recommending the best approach to reduce these risks. This committee is also
made up of non-executive directors, whose role is to identify risks, prioritise them and
then assess whether the risk:
 Can be transferred to another party, for example by insurance cover;

 Can be avoided all together;
 Can be reduced by improving controls;
 Can be accepted.
Business risks must be reviewed and reported to the board regularly to ensure they are
identified in a timely manner.
3) The remuneration committee - set pay for the board of directors. It is made up of non-
executive directors to ensure that:
 The executive directors are not paid excessive amounts;

 Performance is considered in decisions;
 They are not setting their own pay.
11
4) The nomination committee - responsible for appointing directors to the board. The
board is made up of non-executive directors which ensures that the best person is
appointed for the role and reduces the risk of bias in decisions being made on
recruitment.
AUDITOR’S REPORT:
The following recommendations should be followed by the companies:
 Listed companies should produce much more detailed financial information in

their annual report. It will report on the corporate governance code and
whether they have followed all of the principles;
 The auditors must audit the financial statements, plus they must report and
review the compliance of the corporate governance code;
 The auditors must prepare their audit report and report on whether the
financial statements are true and fair.
 They must also report on any inconsistencies found with the other information
in the annual report, including the directors statement.
12
The provisions of international codes of corporate governance (such as OECD) that are most relevant
to auditors
The International Codes of Corporate Governance are intended:
- To improve the legal, institutional and regulatory framework for corporate governance.
- To provide guidance and suggestions for stock exchanges, investors, corporations and other
parties that have a role in the process of developing good corporate governance.
The six Principles most relevant to the Auditors are:
1. Corporate Governance: There should be a clear basis for an effective corporate governance
framework which should ensure there is transparency and acceptance of responsibility of all
parties involved.
2. Agency: Management of the company should recognise that they are agents of the shareholders
and should uphold their rights and act in their interest at all times
3. Equitable Treatment: There should be equitable treatment amongst shareholders so that
regardless of whether institutional or minority, they are all treated in a fair and just manner.
4. Shareholder Rights: The Rights of Stakeholders should be recognised, and there should be
cooperation between the organisation and it’s stakeholders.
5. Disclosure: All material matters, such as the financial situation, performance, ownership and
governance of the company, should be disclosed in a timely and accurate manner.
6. Board Duties: The strategic guidance of the company should be ensured by the corporate
governance framework and monitored by the board.
Evaluate corporate governance deficiencies and provide recommendations to allow compliance with
international codes of corporate governance
The below table demonstrates recommendations for “good” corporate governance. In situations where
the below does not exist, it would imply a corporate governance deficiency with regard to the
International Codes of Corporate Governance, as shown.
Good Corporate Governance Corporate Governance Deficiency
The Board - The Chairman and Chief - The Chairman and Chief Executive
Executive should be different are the same person.
people to prevent unfettered - There are no or few Non-
power Executive Directors (NEDs)
- Half of the board to be Non- - There is no nomination process.
Executive Directors (NEDs) - Directors don’t submit for re-
- There should be a rigorous election regularly.
and transparent nomination
process.
- Directors should submit for
re-election regularly.
Remuneration - Excessive remuneration - Directors are given excessive

should be avoided. remuneration.
- Remuneration should be - Remuneration is unrelated to the
linked to the performance of performance of the business.
the business. - The directors are responsible for
- The directors should not be setting their own pay.
responsible for setting their - There is no procedure for setting
own pay. directors remuneration.
- There should be a
transparent procedure for
setting directors
remuneration.
Auditor - Directors understand they - Directors aren’t aware they are

Committee are responsible for preparing responsible for preparing financial
financial statements. statements.
- An Audit Committee is in - There is no Audit Committee in
place with at least 3 non- place or it does not comprise of
executive directors. non-executive directors.
- The Audit Committee terms - There is no Audit Committee
of reference are set out in terms of reference in writing and
writing and there is a whistle- there is no whistle-blowing
blowing facility. facility.
- The Audit Committee reviews - The Audit Committee does not
and monitor’s internal review and monitor the internal
control system and is control system or does not take
responsible for the responsibility for the
appointment of an external appointment of an external
auditor. auditor.
Internal Auditors
THE ROLE OF INTERNAL AUDITORS
Internal auditor’s key role: advise and report to management.

Other roles:
 Review of control systems within

the entity; and
1.
Review of control activities  Highlighting any control
deficiencies that may need to be
addressed.
2. Examining the timeliness of  Regular review of systems and
control information ensuring that issues are reported.
 Identifying whether a decision is
3. appropriate for the organisation;
Value for money audits
 3E's (economy, efficiency,
effectiveness).
 Review of the entity and its control
systems;
4.
Identifying business risks  Reporting to management; and
 Recommendations on how to
reduce the risk.
 Expertise to identify non-
compliance with laws and
5. regulations;
Examine compliance
 Reporting to management; and
 Assessing how this can be avoided
in the future.
 Audit committee - a group of non-
6.
Supporting the audit committee executive directors who manage
external and internal auditors.
 Special investigations requested by
7. the entity management, including
Special purpose tasks
mystery shopper reviews, inventory
counts, and asset inspections.
13
DIFFERENCES BETWEEN EXTERNAL AND INTERNAL AUDITORS
Difference External Auditors Internal Auditors
1 Independence External auditors must be Internal auditors are not

independent to form an opinion independent as they are
on the FS. employees and report directly to
directors.
2 Scope of details Plan and perform audit Cover many areas looking at the
procedures on control systems, systems and controls used by the
transactions and balances in FS. entity. Amount of work depends
on the management’s
requirements.
3 Objectives Form an independent opinion on Advise management and improve

whether the FS are true and fair. the control system.
4 Written report at the end of

audit.
5 Reporting To shareholders To directors or the audit
committee
6 Appointment and removal By shareholders by vote, usually By the board of directors or the
at the AGM. audit committee.
7 Whether they are a legal Required by law (there are some Not required by law.
requirement exemptions).
Recommended by corporate
governance to ensure sound
control systems.
14
RELIANCE ON INTERNAL AUDITORS' WORK
Review of control systems External auditors can use

is what the internal some of this work, so that Consider how reliable
auditor carries out. they can then concentrate the internal audit is.
on other areas of the audit.
Considerations in respect of reliability of internal audit:
A. Scope of work;
B. Technical competence;
C. Report quality; and
D. Independence.
Indicators of requiring the internal audit function:
1. Company is large;
2. It has complex systems and regulations that must be followed;
3. It is listed on the stock exchange; and
4. It has been known to have problems.
OUTSOURCING
Outsourcing: Not all companies will benefit from a full-time internal audit function. In this case
audit firms provide expertise for clients needing an internal audit.
Advantages and disadvantages of internal audit outsourcing:
Advantages Disadvantages
 Removing employment costs (recruitment  Lack of knowledge of the business;
and tax);
 Long-term use may become less cost
 Audit firms may have more specialised skills;
effective;
 Services may not be available immediately;
 Increased independence; and
and
 Reducing the burden of having a  Conflicts of interest may arise if the audit
department to manage. firm carried out the external audit.
15
AA - Audit framework & regulation
Contents
The Acceptance Stage ............................................................................................................ 2
The Engagement Letter .......................................................................................................... 3
TERMINOLOGY USED .......................................................................................................... 3
PURPOSE AND CONTENTS OF THE ENGAGEMENT LETTER ................................................ 3
Audit Risk ................................................................................................................................ 6
TERMINOLOGY USED: ......................................................................................................... 6
AUDIT RISK MODEL: ............................................................................................................ 6
Identifying Audit Risks ............................................................................................................ 8
USING ANALYTICAL PROCEDURES: ..................................................................................... 9
1
The Acceptance Stage
At the acceptance stage the auditor will consider:
– Whether to continue to act for an existing client;

– Whether to accept a new engagement.
New audit clients are generally gained by three methods:
1) Client request;
2) Advertising;
3) Tendering.
Considerations as to why auditors may not accept new client:
1) At pre-conditions stage (ISA 210):
– Is the client following an acceptable financial reporting framework (is it

consistent and relevant)?
– Does the client management accept their responsibilities (ensures that controls
are sufficient and provides all relevant information)?
Note: if preconditions are not met, the auditor should not accept the audit assignment.
2) Other considerations:
– Professional clearance. Writing a letter to previous auditor asking about any

professional reasons why auditors should not accept the client (breach of law,
disagreements with management, lack of integrity from management, overdue
fees). Note: permission is required from the client to write such letter;
– -Audit risk considerations - identify any issues that may indicate that audit risk is
high;
- Time needed;
- Skills required;
- The fee.
– Ethical considerations - identify any conflicts of interest with the existing clients
or threats to objectivity; Then a decision is made:
Reject if the risks being associated with the client are too high.
Accept and move to the next stage of audit process, the engagement letter.
2
The Engagement Letter
TERMINOLOGY USED
Engagement letter: An agreement that is put in place at the start of the audit process. The
engagement letter is prepared once the acceptance stage is concluded.
PURPOSE AND CONTENTS OF THE ENGAGEMENT LETTER
Purpose of the engagement letter:
1. To minimize the risk of misunderstandings;
2. To explain the audit process and the terms and conditions; and
3. For accepting the audit process in writing.

ISA 210 requirements:
Contents of the engagement letter (ISA 210):
1. Objective of the audit: Sufficient appropriate evidence to form an independent opinion;
2. Scope of the audit:
a. Plan and perform audit procedures to audit;
b. Statement of financial position;
c. Statement of profit or loss;
d. Statement of changes in equity; and
e. Statement of cash flows.
3
3. Auditor’s responsibilities:
4. Client management responsibilities:
5. Financial reporting framework (for example IFRS);
6. Form and contents of any reports used:
a. The formal written audit report will show the audit opinion; and
b. Any control deficiencies will also be reported in writing in the form of the
management letter or report to management.
7. Other matters that may be included:
a. Confirming the use of experts during the audit engagement;
b. The basis of fees;
c. The reliance of some of the internal auditor's work if appropriate;
d. Acknowledgement of any specific regulations relating to the audit;
e. Provision of additional services;
4
f. The limitations of the audit; and
g. Timings of any communications during the audit.
The importance of the engagement letter being reviewed every year:
1. Information may be out of date;
2. Auditors may provide services not included in the engagement letter;
3. Fee basis may have changed;
4. Not received confirmation that the management accept their responsibilities; and
5. ISA 210 is not being followed.
5
Audit Risk
TERMINOLOGY USED:
Audit risk is the risk of the auditor giving an inappropriate opinion on the financial
statements, i.e. there are material misstatements present in the financial statements.
Misstatement is:
1) a difference between the amount, classification, presentation or disclosure of a

reported financial statement item; and the amount, classification, presentation
or disclosure that is required for the item to be in accordance with the
applicable financial reporting framework (ISA 450);
2) the difference between what is in the financial statements and what should be
in the financial statements in accordance with the applicable financial reporting
framework.
Note: Material misstatement not identified by the auditor leads to incorrect decisions made
by users and affects the auditor’s reputation.
AUDIT RISK MODEL:
In order to calculate audit risk, the auditors use the audit risk model: AR=IR*CR*DR, where:
AR - Audit risk;
IR - Inherent risk - is the risk of a material misstatement in the financial statements due to
the nature of the
client, whether it be the business itself or the industry which they operate within;
CR - Control risk - is the risk of a material misstatement in the financial statements due to
poor client controls;
DR - Detection risk - is the risk of a material misstatement in the financial statements due to
the auditor not
spotting the error.
Note: Inherent risk and Control risk cannot be changed, but must be identified to decide
what should be the level of Detection risk.
If Inherent risk and Control risk are high, then Detection risk must be low, meaning that:
– More audit procedures would be needed;

– More time should be spent on the audit;
6
– Sample sizes should be increased;
– More experienced audit staff should be used.
If Inherent risk and Control risk are low, then Detection risk can be high, meaning that:
– Smaller samples of transactions can be tested;

– Less time will be spent on the audit.
If audit risk is assessed correctly, the audit opinion will be appropriate at the end of the
process.
7
Identifying Audit Risks
TERMINOLOGY USED:
Audit risk is the risk of the auditor giving an inappropriate opinion on the financial statements.
For example, stating the financial statements are true and fair when there is a material
misstatement uncorrected.
Audit risk = Inherent risk * Control risk * Detection risk
ISA 315: Auditors required to perform risk assessment procedures.

ISA 200: Auditors must apply ‘professional scepticism’ during the audit
Professional scepticism is an attitude that includes a questioning mind, being alert to

conditions which may indicate possible misstatement due to error or fraud, and a critical
assessment of audit evidence.
Risk assessment includes two main pieces of work:
1) Understanding the entity and its environment
2) Using analytical procedures.
UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT:
The process of understanding includes the following:
– Understanding the industry and other external factors;

– Laws and regulations affecting the entity;
– Organisational structure;
– Accounting policies that company follows;
– Client business plan and risks;
– Financial performance;
– Internal controls.
Three main methods of gathering information about the client are:
1) Enquiry;
2) Observation;
3) Inspection.
8
The four main sources of information are:
a) Within the audit firm (previous years workings, discussions with audit partner and
manager);
b) From external sources (companies house, internet and trade press, industry surveys, credit
reference agencies);
c) From the client (discussions with management, observation of procedures, website,

brochures);
d) From the individual auditor.
USING ANALYTICAL PROCEDURES:
Analytical procedures are defined as:
1) Evaluations of financial information through analysis of plausible relationships among both

financial and non-financial data (ISA 520).
2) Comparing financial and non-financial data to understand changes.
Note: Analytical procedures are used on planning stage, substantive testing stage and
completion and review stage of the audit.
The purpose of analytical procedures at the planning stage is to understand the business the
client operates, identify unusual balances, transactions and events, and identify potential
material misstatements.
9
Ratios can be categorised to review the following:
1) Profitability ratios:
Gross profit PBT
Gross profit margin = * 100% Net margin = * 100%
Revenue Revenue
2) Efficiency ratios:
Receivables Payables
Receivable days = * 365 days Payable days = * 365 days
Revenue Purchases
Inventory
Inventory days = * 365 days
Cost of sales
3) Liquidity ratios:
Current assets Current assets - Inventory
Current ratio = Quick ratio =
Current liabilities Current liabilities
4) Return ratios:
Debt Borrowings
Gearing ratio = =
Equity Share capital and reserves
Equity Share capital and reserves
Note: Comparison of current year ratios to previous year, budgets and averages helps to
identify unusual differences which could be the result of a material misstatement.
10
AA - Audit and Assurance
Contents
Laws and Regulations ............................................................................................................. 2
REGULATORY BODY ............................................................................................................ 2
REQUIREMENT OF EXTERNAL AUDIT.................................................................................. 2
THE RIGHTS AND DUTIES OF THE AUDITOR ....................................................................... 3
APPOINTMENT AND REMOVAL OF THE AUDITOR ............................................................. 4
Fraud ...................................................................................................................................... 5
AUDITOR'S RESPONSIBILITIES ............................................................................................. 5
FRAUD ................................................................................................................................. 6
The Planning Process.............................................................................................................. 7
THE PURPOSE OF THE PLAN ............................................................................................... 7
IDENTIFYING AUDIT RISKS .................................................................................................. 7
AUDIT STRATEGY ................................................................................................................ 8
MATERIALITY AND PERFORMANCE MATERIALITY ............................................................. 8
Audit Documentation ........................................................................................................... 10
AUDIT DOCUMENTATION ................................................................................................. 10
CURRENT AUDIT FILE ........................................................................................................ 11
ACCESS TO WORKING PAPERS .......................................................................................... 12
Quality Management (ISA 220 - Revised) ............................................................................ 13
1. The H is for HUMAN RESOURCES: ................................................................................ 13
2. The E is for ETHICAL REQUIREMENTS: .......................................................................... 13
3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS: ....................................... 14
4. The R is for RESPONSIBILITIES OF LEADERSHIP: ........................................................... 14
5. The M is for MONITORING: .......................................................................................... 14
6. Finally, E is for ENGAGEMENT PERFORMANCE: ........................................................... 15
Evaluating quality management deficiencies and providing recommendations to allow
compliance with quality management requirements: ..................................................... 15
1
Laws and Regulations
REGULATORY BODY
External auditors must follow strict guidance to ensure their work is of the correct standard.
This includes:
– The code of ethics which is guidance on behaviour of the auditor;
– Auditing standards that must be followed; and
– Corporate law specific to where they are based and where the client operates.
The IFAC, International Federation of Accountants, is a global supervisory body.
The IAASB, International Auditing and Assurance Standards Board, is the group that looks
after the external auditor. They have 2 key outputs:
1. The development of international standards on auditing, or ISAs (currently 36); and
2. International standard on quality control, or ISQC (only 1).
ISAs are published in a book, regularly reviewed and periodically updated by the IAASB.
Each ISA gives the auditor specific guidance on elements of the audit process. For a new ISA
to be developed, there is a lengthy process, which includes:
– A debate within the IAASB on the issue;
– An issue of an exposure draft, which is a draft of the standard;
– Comments from external parties are taken on board and approval from the IAASB is
sought; and
– The new or adapted ISA is published.
Note: Many countries may have created their own version of auditing standards and choose
not to follow the international ones. This is permitted as the IFAC has no legal standing in
each country.
REQUIREMENT OF EXTERNAL AUDIT
Who needs an audit?
1. Registered companies are required to have an external audit.
2
2. In UK law there is an exemption which allows small companies (companies with
revenue not more than £6.5 million) to not appoint external auditors, but they can
still have an external audit if they wish.
Who is allowed to form an independent opinion?
– The practitioners (those responsible for the audit and decisions made on it) are
required to be a member of a recognised supervisory body or RSB (ACCA and ICAEW),
and be allowed to be a practitioner by their rules.
– Once a member, they are allowed to form an opinion on financial statements and sign
audit reports.
THE RIGHTS AND DUTIES OF THE AUDITOR
The key rights of an auditor are:
1. They must be allowed access to all relevant company books and records;
2. They must be given all information and explanations necessary to complete their
audit;
3. They must be allowed to attend any general meetings between the management
and the shareholders, including the AGM;
4. They are allowed to be heard at such meetings; and
5. They must be given copies of any written resolutions of the company.
The auditor's duties are:
1. To audit the financial statements and form an independent opinion on them, stating
whether or not they are true and fair;
2. To report on any specific legal requirements relevant to the company being audited;
and
3. To ensure they follow auditing standards and their ethical code while carrying out
the audit.
3
APPOINTMENT AND REMOVAL OF THE AUDITOR
Auditors are generally appointed by the shareholders. However there are some exceptions
to this rule:
− If it is the first year that the audit has been required, or if it is the first year the
company has been set up, the directors are allowed to appoint the auditors initially.
− If neither the directors or shareholders have appointed the auditors, and deadlines
for submission of an audit report have passed, then the government would usually
step in.
There are two main situations where auditors would no longer act for a company:
1. They are no longer able to act for the company and resign as auditors. Auditors issue
a statement of circumstances which gives the reasons for the resignation, and would
then be available to assist with a handover to the next audit firm appointed; or
2. They are sacked or removed.
Notes:
– The shareholders are responsible for removing the auditors;
– Notice is given to both the directors and auditors;
– If auditors feel the decision is unjust, they have the right to send a response to all
parties explaining why they should not be removed.
4
Fraud
AUDITOR'S RESPONSIBILITIES
ISA 240 Auditor’s responsibilities relating to fraud: The auditors have a duty to identify and
communicate any evidence found that fraud is present.
Auditor’s responsibility: To obtain reasonable assurance that the financial statements as a

whole are free from material misstatements, whether they arise from fraud or error.
Note: The key difference between fraud and error is whether the misstatement was
intentional or not.
The primary responsibility towards fraud (remains with directors) is to ensure that fraud is
not present in the financial statements and the company as a whole.
The secondary responsibility towards fraud (auditor’s responsibility) is to identify

misstatements during the audit process and assess whether they are as a result of fraud or
error.
In order to maintain responsibility, the auditor must:
– Maintain professional scepticism throughout the audit process;
– Assess any audit risks that could lead to fraud;
– Generally assess the risk of material misstatements for the entity;
– Review how management react and manage fraud;
– Talk to management to see if they are aware of any instances of fraud; and
– Gather sufficient appropriate evidence from audit procedures designed to assess the
risk of fraud.
5
FRAUD
Fraud is criminal activity. There are two types of fraud:
1. Fraudulent financial reporting; and
2. Misappropriation of assets.
A high risk of fraud requires:
1. Planning of appropriate procedures to ensure auditors are in the best position to

detect fraud;
2. Ensuring that more experienced audit staff is available for the audit team;
3. Changing audit procedures from what auditors would normally do, as being less
predictable could catch out anyone trying to conceal fraud;
4. Focusing on balances containing estimates from management as this would be a

popular area to manipulate figures; and
5. Focusing on the transactions posted around the year end, as cut-off errors are often
an intentional way of increasing or reducing balances.
If fraud is found by the auditor, the following steps must be followed:
1. Report it to those responsible for the audit team, for example, the audit manager
and audit partner;
2. They should then consider the evidence obtained and report this to the highest level
of management at the client;
3. If the auditor is suspicious that the management are involved, they should seek legal
advice and consider whether they should report externally;
4. Caution should be taken when reporting externally as the auditor has a duty to
maintain confidentiality;
5. If the fraud detected is material to the users of the financial information, then the
auditor would need to modify the audit report to make the shareholders aware of
the issue.
6
RESPONSIBILITY OF INTERNAL AND EXTERNAL AUDITORS FOR PREVENTING
FRAUD
Internal auditors and external auditors both play a crucial role in the prevention and detection of
fraud and error. While their roles may overlap to some extent, there are key differences in their
responsibilities and approach.
Internal auditors are employees of the organization they work for, and their primary responsibility is
to provide independent and objective assurance to management and the board of directors. They
evaluate the effectiveness of internal controls and assess the risk of fraud and error occurring in
the organization's operations. Internal auditors also identify opportunities for improvement in
internal control systems and recommend changes to reduce the risk of fraud and error.
To prevent and detect fraud and error, internal auditors may conduct risk assessments, perform
fraud investigations, and analyze financial data. They may also review contracts, policies, and
procedures to ensure compliance with laws and regulations. Additionally, internal auditors may
provide training and guidance to employees on how to identify and report potential fraud and error.
External auditors, on the other hand, are typically hired by the organization to provide an
independent evaluation of the financial statements. Their primary responsibility is to express an
opinion on the fairness of the financial statements and provide reasonable assurance that they are
free from material misstatement. While external auditors are not responsible for detecting all
instances of fraud and error, they do have a responsibility to identify and report any material
misstatements they become aware of during their audit.
To prevent and detect fraud and error, external auditors may perform various procedures such as
reviewing transactions, testing internal controls, and verifying the accuracy of financial information.
They may also conduct interviews with key personnel and review documents to gain a better
understanding of the organization's operations.
Precisely, internal auditors and external auditors both have a responsibility to prevent and detect
fraud and error in an organization. Internal auditors focus on providing independent assurance and
identifying opportunities for improvement in internal controls, while external auditors focus on
expressing an opinion on the fairness of the financial statements and identifying any material
misstatements. By working together, these two types of auditors can help ensure the integrity of an
organization's operations and financial reporting.
The Planning Process
THE PURPOSE OF THE PLAN
ISA 300: The objective of planning the audit is to ensure it is performed in an effective
manner. There are some key reasons why a plan is important for an audit:
– It will ensure the auditor can give enough attention to more problematic areas;
– It gives auditors time to assess the risks associated with the audit before they start the
audit work;
– They are able to plan appropriate audit procedures in relation to these risks;
– They can select the right level of experience needed on the audit team; and
– They can consider the need for experts and assistance from internal auditors which can
then be planned properly.
IDENTIFYING AUDIT RISKS
The audit plan begins with identifying potential audit risks. An audit risk is the risk of the
auditor providing an inappropriate opinion, for example, reporting that the financial
statements are true and fair when they are not. The auditor must assess risks using the
audit risk model:
AR = IR x CR x DR, where
IR = Inherent risk - the risk of material misstatement due to the nature of the entity;
CR = Control risk - the risk of material misstatement due to poor controls; and
DR = Detection risk - the risk of material misstatement due to the auditor not spotting
errors.
There are two main pieces of work that assist auditors in identifying these risks:
1. Analytical procedures: These are comparisons of financial and non-financial data to help
the auditor understand material changes in the financial statements. With the use of ratios,
auditors can identify changes in balances which may then need to be investigated when
carrying out their audit procedures later on.
2. Understanding the entity and its environment: This is an important procedure because if
the auditor lacks a fundamental understanding of what the client does, there is a real risk
they may make poor decisions and issue an inappropriate opinion.
7
AUDIT STRATEGY
The audit strategy is produced to identify the overall plan for the audit. We can separate the
audit strategy into three components:
1. The scope: specific details relating to the audit for the client (inventory locations,
reporting systems, etc.);
2. The timing: Considers when areas of the audit process should be completed. The
audit may need to include an interim and a final audit; and
3. The overall direction of the audit: The auditor decides what style of procedures are
required and the volume of work needed. The auditor will be able to determine
whether control systems look reliable and decide whether direction will be controls
based (the level of substantive work can be reduced), or procedural (more detailed
audit testing, larger sample sizes, skilled staff and more time needed).
MATERIALITY AND PERFORMANCE MATERIALITY
At the planning stage, the auditor must decide what a material misstatement is, which
means that it can influence the users of the financial information. An item can be material
by:
1. Its size: If that is the case, the auditor would request that the client correct this in the
financial statements. If they don’t, the auditor would conclude that the financial statements
are not true and fair. The guidelines on materiality state that an item is material if it is
above:
a. 5-10% of profit;
b. 1/ - 1% of revenue; or
2
c. 1-2% of total assets.
2. Its nature: A prime example is directors' transactions which must be transparent to the
users.
The auditor must also consider and set performance materiality. If any misstatements
identified while performing audit procedures are above performance materiality, they are
recorded and presented in the summary of unadjusted errors. The auditor would then
request the client to adjust these errors in the financial statements.
8
WRITTEN AUDIT PLAN
The audit planning document is a detailed document that proves whether the auditor has
planned the audit properly and includes all information needed to then carry out the rest of
the audit process. The planning document should include the following:
– Assessment of materiality and performance materiality;
– Details from the analytical review performed at the planning stage;
– Key audit risks;
– Background information regarding the client in understanding the entity;
– Any specific laws and regulations;
– Staff booked for the audit team and budgets set;
– The overall audit strategy; and
– Deadlines set to ensure the audit process is completed on time.
9
Audit Documentation
AUDIT DOCUMENTATION
ISA 230: The auditors must ensure they have written documentation that:
– Proves that the audit was planned and performed in accordance with auditing
standards;
– Helps the audit team plan and perform the audit;
– Helps more senior members of the audit team direct and supervise, as well as review
the work completed;
– Is a sufficient appropriate record of audit work completed to assist in forming the audit
opinion;
– Assists future audits; and
– Enables the audit team to prove they did the work.
For every client, the audit firm will keep files to organise documentation. There will be:
1. Current audit file: Stores all relevant evidence and documentation relating to the current
audit:
a. It should be completed in a timely manner;
b. Files must be retained by the audit firm for a minimum of 5 years; and
c. It enables the auditor to prove what they did (e.g., in case of legal action).
2. Permanent audit file: Stores all client-related documentation that would be useful for
current and future audits (previous years' financial statements, client organisation structure,
key personnel, contact details, etc.).
3. Correspondence: Evidence that proves that communication between the auditor and the
client is effective (may be electronic or physical).
10
CURRENT AUDIT FILE
The current audit file has three main sections:
1. The planning section: Includes all considerations made during the planning stage;
– Assessment of materiality and performance materiality;
– Details from the analytical review performed at the planning stage;
– Key audit risks;
– Background information regarding the client in understanding the entity;
– Any specific laws and regulations;
– Staff booked for the audit team and budgets set;
– The overall audit strategy; and
– Deadlines set to ensure the audit process is completed on time.
2. Audit performance:
Note: The audit performance section will include all documentation and evidence collected
that relates to the audit procedures carried out on the systems, transactions, balances and
disclosures relating to the financial statements. Without this work the auditor cannot form
an opinion on the financial statements.
For every test carried out, the auditor needs to prepare something called working papers.
The working papers will usually include:
i. Lead schedule: The first document for each balance that will show the total balance,
which will agree with the balance shown in the financial statements;
ii. Backup schedules: Individual schedules for each sub balance which makes up the total
balance in the financial statements;
iii. Audit programmes: Detailed documents which explain the audit procedures carried
out on the balance. Each audit programme must show the following:
– Objective of the test;
– Description of the audit work;
– How the sample was chosen to test;
– Outcome or conclusion from the work;
11
– Who did the work;
– Date it was completed; and
– Who reviewed the work at the completion stage.
3. Completion: The section where the final review is carried out and post year end audit
procedures are carried out. The key areas of the completion stage are:
– Final analytical procedures;

– Disclosure checklist for accounting standards;
– Summary of unadjusted errors;
– Record of adjustments made since the trial balance was produced;
– The subsequent event review;
– The going concern review;
– Written representations;
– Draft financial statements; and
– Draft management letter or report to those charged with governance.
ACCESS TO WORKING PAPERS
The audit file and all of the working papers produced by the audit team belong to the
auditor. Access to the working papers is only permitted if authorisation is given by the
auditor. The reasons for this are:
– The working papers will contain sensitive information about the client;
– If any of the work is lost or stolen, it would need to be recreated in order to form an
opinion; and
– There is a risk of evidence being tampered with.
12
Quality Management (ISA 220 - Revised)
The topic of Quality Management directly relates to the auditing standard, ISA220 (Revised)
– Quality Management for an Audit of Financial Statements. This auditing standard focuses
on the audit firm’s own quality management procedures.
Overall objective and importance of quality management:
The standard states that the objective of the auditor is to implement quality management
procedures at the
engagement level that provide the auditor with reasonable assurance that:
(a) The audit complies with professional standards and applicable legal and regulatory
requirements; and
(b) The auditor’s report issued is appropriate in the circumstances.
For this to happen, the standard gives a recommended set of policies and procedures that
should be carried out.
To help remember the key policies and procedures from the standard, you could use ‘HEAR
ME’.
1. The H is for HUMAN RESOURCES:
The audit firm, and in particular, the engagement partner who is responsible for the client,
should ensure that their audit team is capable.
– They should assess the competence of the team members to ensure that the audit is
performed at an appropriate standard.
– They should ensure that the audit team has sound knowledge of the client being
audited, and therefore understands the entity and its environment.
– However, they must also ensure the technical skills within the audit team are enough to
reach appropriate conclusions.
2. The E is for ETHICAL REQUIREMENTS:
Quite simply, the audit firm must ensure that they comply with the ACCA code of ethics.
– They must ensure the fundamental principles are followed, and;
– That they manage any ethical threats, conflicts of interest or other risks appropriately.
13
3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS:
The audit firm must consider whether they should accept every engagement.
– Once they have accepted the client engagement, they must then review every year to
ensure the entity should continue to be their client.
– The key issue is that the audit firm must only accept clients with an acceptable level of
risk.
4. The R is for RESPONSIBILITIES OF LEADERSHIP:
– The engagement partner must take overall responsibility for the audit team and the
audit process.
– This means they must also ensure the quality management procedures within the audit
firm are of a high standard so as to follow professional standards accordingly.
5. The M is for MONITORING:
We have already said that strong policies and procedures should be in place. However, to
ensure these are followed, there must be an element of review from the audit firm. The
standard recommends 2 types of monitoring:
– HOT review
– COLD review
An independent partner within the audit firm undertakes the hot review usually. They
review the audit work and conclusions reached. This is to ensure that the overall conclusion,
i.e. the opinion is appropriate. Hot reviews are usually carried out for listed clients or those
with significant audit risks. A hot review is carried out before the audit report is signed. It is
also known as an EQR or engagement quality review. A senior member of staff at the audit
firm performs a cold review. An external consultant can carry it out. They review the work
carried out for the client and the conclusions reached. The key difference is that the review
takes place after the audit has been completed and the audit report is signed. A sample of
clients is selected across the audit firm to review. This ensures consistency across audit
teams, and identifies if there is a risk of noncompliance of professional standards.
14
6. Finally, E is for ENGAGEMENT PERFORMANCE:
This looks at the overall performance of the audit assignments across the audit firm. This is
made up of 3
elements:
– Direction of audit:
The direction focuses on ensuring everyone is aware of the objectives of the audit,
knowledge of the client
business, the risks and any problems that may arise.
– Supervision of audit:
Supervision is looking to ensure that the audit is reviewed by someone senior who can
ensure the team is
competent and the deadlines are met to provide timely information for the client.
– Review of the audit:
The review is to ensure professional standards have been followed, that there is evidence to
back up conclusions made and that the evidence collected is sufficient and appropriate.
Each of these 6 components is explained in ISA220 to enable audit firms to ensure the
highest quality work is performed. This therefore ensures that an appropriate audit opinion
is formed on the financial statements for every client, which ties back to the obligation to
ensure they follow professional standards and that their reports are appropriate for the
client’s requirements.
Evaluating quality management deficiencies and providing recommendations

to allow compliance with quality management requirements:
Regarding monitoring and remediation, the standard provides following guidance (section
A111. of ISA 220 (revised)):
In considering information communicated by the firm through its monitoring and

remediation process and how it may affect the audit engagement, the engagement partner
may consider the remedial actions designed and implemented by the firm to address
identified deficiencies and, to the extent relevant to the nature and circumstances of the
engagement, communicate accordingly to the engagement team. The engagement partner
may also determine whether additional remedial actions are needed at the engagement
level. For example, the engagement partner may determine that:
15
• An auditor’s expert is needed; or
• The nature, timing and extent of direction, supervision and review needs to be enhanced
in an area of the audit where deficiencies have been identified.
If an identified deficiency does not affect the quality of the audit (e.g., if it relates to a
technological resource that the engagement team did not use) then no further action may
be needed.
However, the standard further states that an identified deficiency in the firm’s system of
quality management does not necessarily indicate that an audit engagement was not
performed in accordance with professional standards and applicable legal and regulatory
requirements, or that the auditor’s report was not appropriate in the circumstances.
16
AA – Internal control
Contents
The Auditors Approach to Internal Controls .......................................................................... 2
UNDERSTANDING OF CONTROL: ........................................................................................ 2
OBJECTIVES OF CONTROL SYSTEMS: .................................................................................. 2
LIMITATIONS OF CONTROL SYSTEM: .................................................................................. 2
AUDITOR’S EXPECTATION OF INTERNAL CONTROL SYSTEM:............................................. 2
AUDITOR’S WORK AND APPROACH: .................................................................................. 3
Identifying and Reporting Internal Control Deficiencies ....................................................... 4
HOW THE AUDITOR IDENTIFIES DEFICIENCIES: .................................................................. 4
THE MANAGEMENT REPORT: ............................................................................................. 4
TIMING OF COMMUNICATING DEFICIENCIES: ................................................................... 5
Control Cycles ......................................................................................................................... 6
KEY CONTROL CYCLES ......................................................................................................... 6
SALES CYCLE ........................................................................................................................ 7
PURCHASE CYCLE ................................................................................................................ 8
ASSETS CYCLE ...................................................................................................................... 9
INVENTORY CYCLE .............................................................................................................. 9
PAYROLL CYCLE ................................................................................................................. 11
CASH CYCLE ....................................................................................................................... 12
1
The Auditors Approach to Internal Controls
UNDERSTANDING OF CONTROL:
A control is a procedure put in place to achieve company’s objectives. For any organisation
to run well it needs sound control systems in place.
OBJECTIVES OF CONTROL SYSTEMS:
– To ensure accurate accounting records;

– To safeguard assets held by the organisation;
– To prevent and detect fraud;
– To ensure an efficient working environment.
LIMITATIONS OF CONTROL SYSTEM:
– Human error;
– Fraudulent collusion;
– Abuse of authority.
AUDITOR’S EXPECTATION OF INTERNAL CONTROL SYSTEM:
ISA 315: Auditors must understand the client’s internal controls. In particular:
– To assess whether control system is strong or weak;

– Develop an understanding of what is expected from control system;
To give a benchmark of what is a good control system, ISA 315 provides 5 components of an
internal control system:
– Control activities - all individual procedures and policies of the system (authorisation,
performance review, accounting reconciliations, segregation of duties, IT controls,
physical controls);
– Risk assessment procedures - procedures to identify and manage business risks;
– Information systems - organised system for collection, organisation, storage and
communication of financial information;
– Monitoring of controls - role of internal auditor;
– Environment - overall control environment of the entity.
2
AUDITOR’S WORK AND APPROACH:
The aim of the auditor is to assess whether internal control would ensure material
misstatements are identified and corrected. Poor control system increases the risk of
material misstatements.
Step by step approach of control systems review:
1) Identify and understand the control system. Methods used: enquiry, inspection,
observation.
2) Document the system. Methods used: detailed notes, flowcharts.
3) Assess the system. Identify whether it is strong or weak through enquiry, inspection,
observation sending questionnaires (ICQ’s or ICEQ’s).
4) Report any issues identified and provide recommendations.
5) Gather evidence for a strong control system in a form of control tests or control
procedures.
6) Decide how much further audit work is needed to form the audit opinion.
7) Perform substantive procedures.
3
The factors to be taken into account when assessing the need for an internal audit
When assessing the need for an internal audit, the audit committee should consider:
- The scale, diversity and complexity of the business.

- The resources available to carry out an internal audit.
- The level of internal controls within the organisation.
Some of the reasons to have an Internal Audit function include:
- Internal Controls: IA could determine where control systems are needed and recommend/
monitor the implementation of these.
- Audit Fee: IA may decrease the audit fee where external auditors can place reliance on the work
of internal audit
- Assistance to Financial Accountant: IA could support the financial accountant in compliance
with financial reporting standards, as well as recommending control systems
- Corporate Governance: IA could recommend policies for good corporate governance
- Accounting Systems: IA could audit the accounting systems to ensure they are operating
correctly.
- Computer Systems: IA could review the effectiveness of controls specifically around the
computer systems, for example reviewing the backup and disaster recovery arrangements and
ensuring compliance with regulations.
- Value For Money (VMF) Audits: IA could offer VFM audit services, such as reviewing the
potential upgrade of systems.
Where no internal audit function exists, the reasons behind its absence should be explained in the
annual report. The factors that may be considered against establishing of internal audit department
include:
- No Statutory Requirements: Given it is not a statutory requirement, the directors may deem IA
as an unnecessary use of resources.
- Non-complex Systems: The directors may deem the systems in place non-complex and, as such,
not deem review needed.
- Potential Cost: The cost associated with establishing and maintaining IA may be deemed too
high.
- Internal Resistance to Review: Management and
staff may feel challenged by IA review, and it
may affect morale.
The elements of best practice in the structure and operations of internal audit
Elements of Best Practice in IA:
- Scope & Reporting: The scope of IA work should be determined by the Audit Committee, and IA
should report their findings to the Audit Committee (or Board if no Audit Committee exists).
- Competence & Resources: The IA function will need to be professionally competent, sufficiently
resourced and well-organised in order to carry out its function effectively. In particular, the head
of the internal audit should be sufficiently experienced and professionally qualified.
- Independence: IA will need to maintain the independence of internal audit from management,
and care must be taken to keep it objective and independent. They should report to an
independent committee (i.e. the Audit Committee), maintain good regard with other
departments, and have a ‘whistle-blowing’ function to report serious misconduct when found.
Alongside this, controls should be established to avoid self-review by internal auditors, and staff
should be regularly rotated into different work areas.
The scope of internal audit and the limitations of the internal audit function
The scope of the IA function is as follows:
- Reporting on and monitoring the effectiveness of internal controls.

- Assisting with the implementation of required accounting standards.
- Liaising with the external auditor to reduce the time and expense of the external audit.
- Ensuring compliance with OECD Principles.
Some limitations of the IA function (as well as potential safeguards) include:
- Reporting: The IA function may be reporting information back to the individual who prepared
that information (e.g. Finance Director). A safeguard for this is to also report relevant
information to the Audit Committee.
- Scope: The scope of IA may be decided by executives who intentionally focus on certain areas
and avoid others. A safeguard for this is to have the scope decided by the Chief Internal Auditor
or the Audit Committee.
- Self-Review Threat: IA may find themselves reviewing their own work. A safeguard for this is to
ensure IA is removed from the setting and management of controls.
- Familiarity Threat: IF members of the IA function have been there for too long, they risk
becoming over-familiar with areas and losing their professional scepticism. A safeguard for this
is to rotate roles and members within the IA function.
The nature and purpose of internal audit assignments, including value for money, IT, financial,
regulatory compliance, fraud investigations and customer experience
(VFM, Financial and Regulatory are Included)
The main function of internal audit in the area of IT will be to assess the controls in place. The internal
audit function of an organisation may have an IT specialist in the team who will support this. Other
functions will be to ensure that the systems in place represent value for money and also to ensure
effective controls over the awarding of IT contracts.
The internal audit function may also conduct assignments to assess the handling of fraud or customer
complaints independently from management. Again their role is to monitor that the controls in place
are being appropriately followed and are aligned with relevant legislation, and they should report
significant matters to the Audit Committee.
Discuss the nature and purpose of operational internal audit assignments
Operational audit assignments should identify the possible risks involved in that operation, the
procedures in place to mitigate the risks and whether those procedures are being followed.
Some examples of operations and the areas looked at by IA include:
- Marketing: Is the company getting value for money from its advertising? Were the objectives of
the campaigns achieved?
- Procurement: Are the systems in place for control of purchasing operating effectively? What
procedures are in place to reduce procedure risk?
- Treasury: Are there procedures in place to manage currency risk, interest rate risk, and inflation
impacts?
- Human Resources: Are policies in place to ensure the appropriate hiring, management and
layoff of employees?
Describe the format and content of internal audit review reports and make appropriate
recommendations to management and those charged with governance
Internal audit reports will usually be issued to the Audit Committee or those charged with governance.
The Internal Audit Review Report should be set out clearly and concisely, be fair and consistent, and
highlight findings, making recommendations as appropriate. IA should be engaged in ongoing
discussions with management as they conduct their assignment, and as such, any issues that arise
should be well communicated and not included as unexpected findings in the report.
The format and content of the report should include the following:
- Cover: Setting out the subject, recipient, date, and any relevant rating required.
- Executive Summary: Summarize the key points of the report concisely.
- Key findings and recommendations: Giving an overview of the main problems discovered, any
breaches in procedures and any ineffective controls.
- Detailed findings and agreed actions: Setting out the key findings and the timing and
responsibilities for corrective action.
- Assessment grading or rating: Internal audit may undertake a rating system for grading the
systems under review, in which case this should be provided.
Identifying and Reporting Internal Control Deficiencies
HOW THE AUDITOR IDENTIFIES DEFICIENCIES:
1) Each system must be reviewed and understood by the auditor;
2) Then the system is documented for evidence;
3) It is decided whether the system can cause material misstatements;
4) Auditor identifies if there are any issues with the way the system operates;
5) Using their skills auditors may notice control activities that are missing.
All this gives the auditor opportunity to find deficiencies within the system.
Note: For every control deficiency found the auditor has an obligation to provide
recommendation about how the entity could improve that control.
THE MANAGEMENT REPORT:
Report to those charged with governance = Management letter = Management report.
ISA 265: Significant deficiencies should be communicated in writing to the entity’s

management.
The management report is addressed to the directors and:
– Contains all deficiencies found during the audit;

– Explains the impact of deficiencies;
– Provides recommendations.
Specific information in management report:
– Report is not a comprehensive list of all deficiencies, it contains only those found by the
auditor;
– Information is solely for the use of the company;
– Nothing within the report should be disclosed to a third party without written auditor’s
permission;
– No responsibility is assumed to any other parties.
4
TIMING OF COMMUNICATING DEFICIENCIES:
Management report is usually communicated at the end of the audit.
5
Computer systems controls, including general IT controls and information processing controls.
A good IT system should have both application and general IT controls.
General IT controls to ensure that the information system can run properly. Examples of these
controls include:
● Software system acquisition controls

● Software change and maintenance controls
● Security (password etc.) controls
● Backup controls
Information processing controls apply to the processing of transactions. Examples of these controls
include:
● Existence checks
● Authorisation checks
● Sequence checks
● Arithmetic checks
● Batch total checks
Control Cycles
KEY CONTROL CYCLES
Control cycles are systems linked to financial statements that have an impact on whether
the financial statements are true and fair. They are:
– Sales; _ Inventory;
– Purchases; _ Payroll; and
– Assets; _ Cash;
6
SALES CYCLE
Stage # Control objective Example of risk Controls put in place

An order is taken for a
All orders are customer who has Access to customer
processed. exceeded their credit accounts where
1. Order is received limit.
Orders are accepted for The order is not credit limits can be
customers who can pay. recorded properly. reviewed.
Goods dispatched are The goods sent out are Original order must be
on time for agreed to the dispatch
2. Goods are
note and goods. This
dispatched to the right customer. the wrong quantity.
check must be signed.
All goods are sent out.
A customer was not Sequentially numbered
All goods have been invoiced for copy of dispatch note is
3. Invoice is invoiced for. sent to accountants and
prepared and sent the right product. reviewed by them.
The amounts are
correct.
Sales are not recorded
Include all invoices on accurately Invoices are
the system. or recorded in the sequentially numbered.
4. Transaction is
recorded wrong period.
Regular check of the
The amounts are
system for missing
correct.
invoices.
Perform credit control
procedures: analyse
Cash is received on a The cash is not paid on
timely basis. time. overdue debts, chase
5. Cash is received customers for
payments.
Cash is recorded
correctly in the correct
account.
7
PURCHASE CYCLE

Requisitions must be sent
The requisition note may
by email to the
Ensure goods are not be received by
purchasing
1. Requisition requested and are for
department who must
business purposes. the purchasing
respond when they make
department.
the order.
A supplier is not reliable
Ensure suppliers are
and delivers late, Select a supplier from an
checked for reliability,
leading to a delay in authorised supplier list.
2. Order is quality and price.
production.
placed
Ensure orders are made
considering disruptions
to production.
Goods should be
Ensure only goods Goods received have not
inspected and agreed to
ordered are received and been ordered by the
3. Goods are the delivery note and
accepted. company.
received purchase order.
Ensure goods are
received on time.
Invoice is matched with
Ensure invoices received The invoice is not for the corresponding
are for goods received. goods ordered. purchase order and
4. Invoice is requisition note.
received Goods received are for
business purposes.
Amounts and products
are correct.
Ensure all invoices are Invoice may be missed,
recorded accurately thus, purchases and Allocate sequential
payables may be number to each invoice.
5. Invoice is and in the correct period.
understated.
recorded
Check the system
regularly for missing
invoices.
Ensure payments are
The payment is not made Review the aged
made on time for the
6. Payment is and the supplier payables list regularly for
correct
sent
amounts, for goods may no longer grant older debts and ensure
ordered and received. credit. they are paid on time.
8
ASSETS CYCLE
The control system for assets would work in the same way as the purchase system.
However, there would be some additional controls required:
– Authorisation of costs by a senior level of management; and
– Use of the asset register. This spreadsheet will record date, cost, depreciation, carrying
value, location and disposal date, and proceeds in relation to the assets. It must be
updated, reviewed regularly and compared to the accounting system to ensure there
are no errors.
INVENTORY CYCLE
Key objective: To keep inventory safe and maintain its value.

The risks are:
– Goods could be stolen;
– Goods could be damaged;
– Goods may become obsolete.
Storage controls are:
– Increased security measures such as CCTV, alarm systems, and security guards;
– Restricted access to the warehouse;
– Swipe card access or fingerprint recognition at entry points;
9
– Practical packaging of inventory items;
– Shelving for organised storage;
– Training for handling of items;
– First in first out system for items being dispatched;
– Not to hold excessive amounts of inventory;
– Regular monitoring of aged inventory list for old, slow-moving items;
– Special offers potentially to shift items that are not selling faster.
Controls over monitoring of inventory count should also be implemented. Important

elements of the inventory count are:
– The people counting - they should be objective (i.e., no warehouse staff);
– The admin or paperwork;
– The count itself; and
– The end process of the count.

There are 2 key pieces of paperwork to be made:
1. The count instructions: They should be clear and easy to follow. They should be
given out before the count and the staff should be briefed so they fully understand
what they are to do.
2. The count sheets: They should be sequentially numbered. Spare sheets for inventory
found not on them, should also be pre-numbered so sheets cannot go missing. The
count sheets should be signed out and divided between the teams.
Additional controls over inventory count:
– Count staff should inspect inventory for evidence of damage which could affect the
valuation and flag this on the count sheets or inform the count supervisor;
– Areas can be marked once counted to also reduce the risk of mistakes; and
– At the end of the count, the sheets should all be signed back in and the sequence
checked to ensure no inventory sheets are missing.
10
PAYROLL CYCLE
Ensure that data is kept Including fraudulent

secure and only working hours, as CCTV over the clock card
authorised access is information is opened area as a deterrent.
1. Fixed and
allowed. to manipulation.
variable data is
recorded Risk of unauthorised Authorisation of overtime
access. from a senior official.
Supervision of employees.
Regular checks on
2. Calculations The software is up-to- calculations, taking
are made by the date and checked for System is not updated. samples
system updates.
and making recalculations.
Ensure that data is kept

secure and only Risk of unauthorised
Secure password access.
authorised access is access.
allowed.
3. Outputs from
Access only by those
system are
authorised.
created
Sending payslips straight to
employees' homes.
Payroll report is reviewed

by manager.
Payments are correct,

made on time and to Payment is missing or Payment sheets are
4. Payments are not made on time reviewed by manager.
valid employees.
made
Deadlines for submissions
are identified.
11
CASH CYCLE
1. Payment is Cash is kept to a Cash is stolen. Use imprest system for

requested minimum. petty cash.
Payments can only be Unauthorised All payments must be

made with proper payments are made. authorised.
authorisation.
Payments are for Payments are made for Cash book and petty
business purposes only. personal purposes. cash book are reviewed
regularly.
2. Payment is Cash is protected from Cash is kept in safe.

authorised theft.
3. Payment is Cash is banked Implement procedures

made regularly. to avoid theft.
4. Transaction is
recorded
12
AA - Audit evidence
Contents
The Financial Statement Assertions ....................................................................................... 2
ASSERTIONS: ....................................................................................................................... 2
Gathering Evidence ................................................................................................................ 4
AUDIT PROCEDURES: .......................................................................................................... 4
CRAVE COCA: ...................................................................................................................... 4
QUALITY OF EVIDENCE: .......................................................................................................... 5
METHODS OF GATHERING EVIDENCE: ................................................................................... 6
REVIEW THE RESULTS OF AUDIT PROCEDURES:................................................................. 7
Computer Assisted Audit Techniques (CAAT's) ...................................................................... 8
TEST DATA: ......................................................................................................................... 8
AUDIT SOFTWARE:.............................................................................................................. 9
Data Analytics in Audit ......................................................................................................... 10
What is Data Analytics? .................................................................................................... 10
Data Analytics and Audit .................................................................................................. 10
Benefits of Data Analytics ................................................................................................. 10
Challenges in Data Analytics ............................................................................................. 11
Relying on the Work of Others ............................................................................................. 13
KEY CONSIDERATIONS ...................................................................................................... 13
AUDITOR'S OWN EXPERT.................................................................................................. 14
EXTERNAL EXPERT - INTERNAL AUDIT .............................................................................. 14
EXTERNAL EXPERT - SERVICE ORGANISATION.................................................................. 15
Smaller Entities and Not-for-Profit Organisations ............................................................... 16
AUDIT OF SMALLER ENTITIES ........................................................................................... 16
AUDIT OF NOT-FOR-PROFIT ORGANISATIONS ................................................................. 17
1
The Financial Statement Assertions
TERMINOLOGY USED:
Financial statement assertions represent the key objectives of the substantive audit
procedures. If a substantive procedure does not address an assertion, it does not assist the
auditor in forming an audit opinion.
Overall objective of the external auditor is to decide whether the financial statements are
true and fair and properly prepared.
Financial statement assertions are given to assist the auditor in planning audit procedures to
decide whether the balance is free from material misstatement.
ASSERTIONS:
C - Completeness C - Cut-off
R - Rights and obligations O - Occurrence
A - Allocation
C - Classification and understandability
V - Valuation
E - Existence A - Accuracy
Completeness ensures that all transaction and events recorded are present in the financial
statements. Rights and obligations ensures that ownership and responsibility of assets and
liabilities are reviewed. Accuracy ensures that all transactions, balances and other items
have been accurately recorded.
Valuation and allocation ensures that items in the statement of financial position are
presented correctly and at the correct values.
Existence ensures that items in the statement of financial position actually exist.
Presentation ensures all transactions events and disclosures are clearly described, relevant,
understandable
and applicable to the financial reporting framework.
Occurrence ensures that transactions and events actually happened.
Classification and understandability ensures that transactions are in the correct accounts
and items have been disclosed correctly.
2
Cut-off ensures that transactions are recorded in the correct financial period.
Note: CRAVE assertions are mainly used to test assets, liabilities and equity. POCC assertions
are mainly used to test income and expenses. The assertions which cover the whole
financial statements and can therefore be
used to test all balances and transactions are
COMPLETENESS
ACCURACY
PRESENTATION
CLASSIFICATION
3
Gathering Evidence
AUDIT PROCEDURES:
- Controls procedures - procedures which identify whether the controls systems being
reviewed actually work;
- Substantive procedures - procedures which identify material misstatements present

in financial statements.
Control procedures include:
1) Assessing the internal control systems which relate to financial statements;
2) Identification whether the control system is strong or weak;
3) Testing by the auditor to gather evidence to back up a conclusion.
Note: Substantive testing is carried out after controls have been assessed.
Reliable controls ⟹ Lower risk of material misstatement
Financial statements assertions (e.g. objective of substantive procedures) -
CRAVE COCA:
C - Completeness C - Cut-off
R - Rights and obligations O - Occurrence
A
- Allocation and valuation C - Classification and understandability
V
E - Existence A - Accuracy
Note: Every procedure must cover at least one assertion.
4
The problems associated with the audit and review of accounting estimates
Accounting estimates are of particular concern to the auditor as, by their nature, there may not be any
physical evidence to support them, and they are prone to inaccuracy. They are also subjective and,
therefore, prone to management bias. If the directors wished to manipulate the accounts in any way,
accounting estimates are an easy way for them to do this. The auditor must take care when auditing
estimates to ensure this has not been the case.
Common accounting estimates include:
- Provisions and contingent liabilities

- Inventory valuations
- Fixed asset valuations where revaluations have occurred
- Depreciation method and useful life
- Irrecoverable debts and allowances
In accordance with ISA 540 Auditing Accounting Estimates, auditors need to obtain an understanding of:
- How management identifies those transactions, events and conditions that give rise to the need
for estimates; and
- How management actually makes the estimates, including the control procedures in place to
minimise the risk of misstatement.
- The degree of uncertainty associated with an accounting estimate and if the uncertainty gives
rise to significant risks.
In response to this assessment, the auditors may perform the following further procedures:
- Review of the outcome of the estimates made in the prior period (or their subsequent re-
estimation)
- Consider events after the reporting date that provide additional evidence about estimates made
at the year-end
- Test the basis and data upon which management made the estimate (e.g. review mathematical
methods)
- Test the operating effectiveness of controls over how estimates are made
- Develop an independent estimate to use as a point of comparison
- Consider whether specialist skills/knowledge are
required (e.g. lawyer)
QUALITY OF EVIDENCE:
ISA 500 main requirement - Sufficient appropriate audit evidence
Sufficient = enough evidence.
Points for consideration when deciding if the evidence is sufficient:
1) Risk of material misstatement;
2) Materiality of balance/item;
3) Reliability of control systems;
4) Conclusions of control test performed previously;
5) Size of sample being tested;
6) Reliability of evidence that can be collected.
Appropriate = relevant + reliable evidence
Relevant evidence in:
1) Control procedures - evidence should identify whether the control system operates
effectively;
2) Substantive procedures:
- Evidence must achieve at least one of the FS assertions;
- Evidence should help to conclude whether the FS are true and fair.
Reliable evidence should be (ideally):
- Independent;
- Obtained directly by the auditor;
- From strong control system;
- Written;
- In original form.
Less characteristics ⟹ More evidence to obtain
5
METHODS OF GATHERING EVIDENCE:
ISA 500 methods:
1) Analytical procedures - comparison of data in FS;
2) Enquiry - talking to client staff and management;
3) Inspection - inspecting documentation that confirms balances and transactions;
4) Observation - observing processes at the client to understand and review reliability;
5) Recalculation - recalculating transactions and balances for accuracy;
6) Confirmation - written confirmation of balances and transactions;
7) Reperformance - carrying out the procedure the client has performed.
Note: Most appropriate method should be selected.
Sampling (ISA 530 definition) - the application of audit procedures to less than 100% of
items within a population of audit relevance such that all sampling units have a chance of
selection in order to provide the auditor with a reasonable basis on which to draw
conclusions about the entire population.
Sampling risk - risk of not selecting transaction that contain a material misstatement.
Sampling considerations:
1) Sampling requires auditor judgement and skills;
2) Sample size should be sufficient to reduce sampling risk to the acceptable level;
3) Sample chosen should represent the whole population of transactions.
Sampling methods:
1) Statistical sampling - auditor has not influenced the selection the transaction
(random selection, probability theory);
2) Non-statistical sampling (any other method).
6
Commonly used methods:
- Random number tables;
- Systematic selection (for example every 10th transaction);
- Block selection (e.g. cut-off test);
- Monetary unit selection (largest items);
- Haphazard methods (no bias!).
REVIEW THE RESULTS OF AUDIT PROCEDURES:
Identified misstatements are material?
1) Yes ⟹ Misstatements are misleading to users ⟹ Amend FS;
2) No ⟹ Smaller errors could accumulate in material misstatement ⟹ Record on the

spreadsheet and review it at the end of the audit.
7
The results of statistical sampling, including consideration of whether additional testing is required
Tolerable misstatement looks at individually immaterial misstatements added together. The smaller the
tolerable misstatement or rate of deviation, the greater the required sample size. The higher the
expected misstatement or rate of deviation, the greater the required sample size.
Furthermore, the auditor should investigate the nature and cause of all material misstatements/
deviations and evaluate their effect.
Computer Assisted Audit Techniques (CAAT's)
Two main areas where CAATs are widely used:
1) Controls - using test data;

2) Substantive testing - using audit software.
TEST DATA:
Test data is where the auditor will access the client’s computer controls. They will perform
audit tests on the system by entering dummy data into the system and monitoring how it
progresses through the control cycle. This method of testing will allow the auditor to see if
the control functions of the computer system perform properly.
There are several ways of data testing:
Narrative Live data tests Dead data tests
The auditor has access to the The auditor can enter dummy data in a
Definition computer systems during the batch after working hours.
operating hours of the client.
Demand has impact on Easier to reverse;

efficiency of the controls;
Remove the risk of material misstatement;
Detect that system does not
Advantages Enabling test of the system by taking copy to
cope when there are multiple
install on own computer;
users, all posting onto and
reviewing the data on the Effective way of testing controls;
system;
Dummy entries may be Auditor cannot assess whether the system

Disadvantages
forgotten and not reversed; would have problems when busy;
8
AUDIT SOFTWARE:
Audit software - software assisting at substantive testing stage where the auditor is
performing audit procedures that help to detect potential material misstatements.
Audit procedures which may be performed using audit software:
1. Analytical procedures:
 Calculate ratios;
 Compare to previous year’s results, budgets and industry averages;
 Investigate unusual results with client;
2. Selecting samples using systematic method;
3. Checking calculations:
4. Adding-up transactions to agree balances in the system;
 Recalculating other transactions (for example VAT);

 Reduces risk of human error;
 Exceptions reporting:
5. Highlighting unusual trends;
 Detect balances that look unusual;

 Balances and transactions detected by the system can be investigated for potential
material misstatement;
Note: Auditor must be able to import all client transactions and balances onto the audit
software.
Benefits of audit software: Drawbacks of audit software:
It can save time due to automatic Bespoke system can be very expensive;
procedure being carried out by software;
Risk of data corruption when carrying out the
It can save on labour costs for audit process;
assignment;
Risk of data leak;
It reduces the risk of human error.
Confidentiality is a concern;
Strong security controls are required.
9
Data Analytics in Audit
What is Data Analytics?
Data analytics is the process of examining the available data in order to draw meaningful
conclusions. It enables the businesses to identify new opportunities, to harness costs
savings and to enable faster decision making, by drawing data from multiple sources to
inform decisions or draw conclusions. The data is often both internal and external and is
often aided by specialised software.
Data Analytics and Audit
Data analytics for audit involves discovering and analysing patterns, deviations and
inconsistencies, and extracting other useful information in the data related to the subject
matter of an audit. This can be done through analysis, modelling and visualisation for the
purpose of planning and performing the audit. The process can reduce the risk of error in
the audit as well as offering value to the client, as they often use visual methods such as
graphs to present data, helping to identify trends and correlations.
For auditors, the main driver of using data analytics is to improve audit quality. It allows
auditors to more effectively audit the large amounts of data held and processed in IT
systems in larger clients, and by doing so they can better understand the client’s
information and better identify the risks.
Data analytics tools have the power to turn all the data into an understandable presentation
for both the auditors and clients. Large firms often have the resources to create their own
data analytics platforms, whereas smaller firms may opt to acquire an off the shelf package.
Larger firms may also generate audit programmes tailored to client-specific risks or to
provide data directly into computerised audit procedures, allowing them to more efficiently
arrive at the result.
Benefits of Data Analytics
– Data analytics enable increased business understanding as you gain a more thorough
analysis of a client’s data.
– It gives auditors a better focus on risk. This increased understanding, aids the
identification of risks associated with a client, enabling testing to be better directed at
those areas.
– It results in increased consistency across group audits where all auditors are using the
same technology
10
– and process, enabling the group auditor to direct specific tools for use in component
audits and to execute testing across the group.
– There’s increased efficiency through the use of computer programmes to perform very
fast processing of large volumes of data and provide analysis to auditors, saving time
and focus for judgemental and risk areas.
– Data can be more easily manipulated by the auditor as part of audit testing, for example
performing sensitivity analysis on management assumptions.
– There is increased fraud detection through the ability to interrogate all data and to test
segregation of duties,
– The information obtained through data analytics can be shared with the client, adding
value to the audit and providing a real benefit to management in that they are provided
with useful information perhaps from a different perspective.
Challenges in Data Analytics
– There is a lack of consistency or a widely accepted standard across firms and even
within a firm often. Moreover, there is currently no specific regulation or guidance
which covers all the uses of data analytics within an audit, which can make quality
control guidelines difficult.
– Storing client data gives rise to the risk of breach of confidentiality and data protection.
This data could be misused or illegal access obtained if the firm’s data security is weak
or hacked, which may result in serious legal and reputational consequences.
– The completeness and integrity of the extracted client data may not be guaranteed.
Specialists are often required to perform the extraction and there may be limitations to
the data extraction where either the firm does not have the appropriate tools or
understanding of the client data to ensure that all data is collected.
– There may be compatibility issues with the client systems which may render standard
tests ineffective if data is not available in the expected formats.
– The audit staff may not be competent to understand the exact nature of the data and
output to draw appropriate conclusions. In this case training may need to be provided
which can be expensive.
– There could be insufficient or inappropriate evidence retained on file due to failure to

understand or
– document the procedures and inputs fully.
11
– Another issue arises relating to data storage and accessibility for the duration of the
required retention period for audit evidence. The data obtained must be held for
several years in a form which can be retested. As large volumes will be required firms
may need to invest in hardware to support such storage or outsource data storage
which compounds the risk of lost data or privacy issues.
– There can be an expectation gap among stakeholders who think that because the
auditor is testing 100% of transactions in a specific area, the client’s data must be 100%
correct, which may not be the case.
12
Relying on the Work of Others
KEY CONSIDERATIONS
Aim: To obtain sufficient and appropriate audit evidence.

Reasons to rely on the work of others:
1. Lack of technical knowledge.
2. This is the most efficient way of obtaining evidence.
Examples of work of others which may be relied upon:
Own Expert Client's Expert
1. Using a property valuer to verify 1. Client lawyers' documentation;

property figures; 2. Relying on internal auditor’s work; and
2. Bringing in an inventory expert; 3. Service organisations used by client.
3. Experts to assist with progress values;
and
4. Legal advice on legal cases.
Steps in relying on the work of others:
Decide if experts are needed
Plan work required of them
Reduce disruption to the audit
13
Form the audit opinion
AUDITOR'S OWN EXPERT
Assessment of competence and independence:
According to ISA 620 the auditor should determine whether the work of the expert is
adequate for the auditor’s purposes.
How to ensure that work is adequate:
1. Review qualifications, experience, memberships; and
2. Review any business or personal connections. Key tips:
1. Communicate to the client before audit work; and
2. Include in engagement letter.
EXTERNAL EXPERT - INTERNAL AUDIT
Importance and responsibilities of internal auditor:
1. Fundamental to control systems;
2. Carries out control procedures;
3. Identifies deficiencies and implements changes.
Auditor can rely on: Auditor should consider:

1 Control test; 1 Scope of work;
2 Risk assessment; and 2 Level of detail;
3 Special investigations 3 Reasonability of assurance;
(fraud). and
4 Further work (if necessary).
14
Audit requirements:
Work adequacy
Independence considerations: Quality of report:
considerations:
1. Assessment of 1. Evidence collected is
1. Internal auditors are employees –
technical competence; fundamental in forming an
independence is unlikely;
and independent opinion;
2. Ideally - written evidence;
2. Audit committee is formed of non- if no such evidence is
2. Review of qualifications
executive directors = Independence available, auditor
and experience.
from board is improved; and may still need some further
work to be done.
3. Less independence the expert has from
the entity = Less reliance can
be placed on their work.
EXTERNAL EXPERT - SERVICE ORGANISATION
Service organisation - outsourced function used by client (for example payroll function).
Audit considerations:
1. Understand organisations and assess risk;
2. Decide testing level and assess procedures; and
3. Consider visit.
Advantages Disadvantages
1. Increased expertise and skills; 1. Obtaining information on a timely basis may be difficult;
2. Increased independence from
2. May not be allowed to perform audit work; and
directors.
3. Not being able to obtain sufficient appropriate evidence.
15
The extent to which refers to the work of others can be made in the independent auditor's report
The auditor should make no reference to the use of the work of others in the audit report. It is the
auditors' opinion in the report - the work of others is simply one piece of evidence that may be used, if
sufficient and reliable, in forming that opinion.
Smaller Entities and Not-for-Profit Organisations
AUDIT OF SMALLER ENTITIES
Smaller entities may not require a statutory audit in some countries. The reasons for not
requiring a statutory audit are:
– The shareholders are often the directors of the entity;
– Companies may have only a few members of staff;
– Audits are expensive; and
– With fewer resources, the systems may be more straightforward, and not require expert
advice from the auditor.
Note: If a smaller entity requires an external audit, the auditors would ensure that they have an
experienced audit team.
The advantages of such an audit are:
1. It can be a relatively low risk audit;
2. With direct control, the management will have a full understanding and
responsibility for the organisation, and can assist the auditor effectively; and
3. The systems will often be straightforward and easier to understand.

The disadvantages of such an audit are:
1. Shareholders are in a position to manipulate the figures in the financial

statement or hide personal expenses;
2. There is an increased risk of human error which needs to be identified and

addressed by the auditor;
3. Having one staff member responsible for an entire control system can increase
the risk of fraud; and
4. There is limited amount of written evidence the auditor can obtain from the
client.
16
Summary:
– There may be elements of the audit that are far more straightforward than dealing with a
larger organisation; and
– There will possibly be less substantive testing. However, careful planning is still needed to
assess the risks and review the control systems and any limitations.
AUDIT OF NOT-FOR-PROFIT ORGANISATIONS
Not-for-profit organisations include charities and public sector entities. It is even more
important that specialised audit staff are involved in the audit process for this kind of entity.
The key differences we would see with a not-for-profit organisation are:
– They are not driven by profits;
– They will not have shareholders;
– There will be no dividend payments; and
– A charity would prepare a statement of financial activities which is formatted differently to

a statement of profit and loss.
Auditing not-for-profit organisations comes with its own audit risks and some of these are:
– There may be a lack of segregation of duties and simple systems may not be documented.
This could increase the risk of fraud and error;
– Entities may not have the expertise or time to make good strategic decisions;
– Volunteers are used to keep costs down. They may lack skills and make mistakes, but also,
they may not stay long and then not be available to assist the auditor with explanations;
– Income may depend on external factors (government grants and donations);
– Entities may have very complex regulations to follow. This increases the risk of disclosure
notes being inadequate; and
– Any sudden change in circumstances could affect the entity in the short term. The audit
approach for this type of entity should include:
1. Careful planning;
17
2. A specialised audit team;
3. Pure substantive testing if controls are not deemed effective; and
4. Analytical procedures.
Note: If there are any issues gathering the evidence needed to form an audit opinion, as always,
the auditor may need to modify their audit report.
18
AA - Audit and Assurance
Contents
Audit of Specific Balances - Intro and Non-current Assets .................................................... 2
GENERAL PRINCIPLES OF AUDIT PROCEDURES .................................................................. 2
SUBSTANTIVE AUDIT PROCEDURES .................................................................................... 3
NON-CURRENT ASSETS ....................................................................................................... 3
Audit of Specific Balances - Current Assets ............................................................................ 6
BANK ................................................................................................................................... 6
ACCOUNTS RECEIVABLE...................................................................................................... 7
Audit of Specific Balances Liabilities ...................................................................................... 9
ACCRUALS ........................................................................................................................... 9
PROVISIONS ........................................................................................................................ 9
OTHER LIABILITIES ............................................................................................................ 10
TRADE PAYABLES .............................................................................................................. 10
Audit of Specific Balances - P&L, Directors, and Equity ....................................................... 12
THE STATEMENT OF PROFIT AND LOSS ............................................................................ 12
DIRECTORS' EMOLUMENTS .............................................................................................. 13
EQUITY .............................................................................................................................. 14
1
Audit of Specific Balances - Intro and Non-current Assets
GENERAL PRINCIPLES OF AUDIT PROCEDURES
Substantive audit procedures are procedures that identify if material misstatements are
present within the financial statements. They test the transactions, balances and disclosures
for these misstatements. The steps to performing a substantive test are:
1. Identify the item to test and set the objectives of the test;
2. Consider the quality of evidence required. It must be sufficient and

appropriate;
3. Design the test and ensure it meets the objective;
4. Select the sample of transactions to perform the test on;
5. Record the test, method, results and other evidence as working papers; and
6. Consider the conclusion of the test.
The objective of a substantive test must be at least one of these financial statement
assertions:
C  Completeness C  Cut-off
R  Rights and obligations O  Occurrence

A C  Classification and
V  Allocation and valuation understandability
E  Existence A  Accuracy
2
SUBSTANTIVE AUDIT PROCEDURES
Procedures that can be performed for any balance can be remembered using the mnemonic
TOAD:
– Trial balance: To agree the balance in the financial statements to the trial balance;
– Opening balance: To agree the opening balance to last year's closing balance and
investigate any differences with the client;
– Add up and recalculate: All balances need to be checked for accuracy; and
– Disclosure check: To review any specific accounting standards relating to the area of the
financial statements and ensure they have been followed when preparing the financial
statements.
NON-CURRENT ASSETS
In order to ensure non-current assets are audited effectively, the auditor will need to
review:
– The financial statements, including the statement of financial position and the non-
current asset note;
– The asset register, which includes all details relating to the assets held by the company;
and
– The trial balance and ledger accounts forming the non-current asset balance.
The key assertions to be verified for non-current assets are:
– Completeness (C);
– Rights and obligations (R&O);
– Valuation (V); and
– Existence (E).
The auditor needs to ensure that each balance has been audited, therefore auditing:
1. Opening and closing balances: Procedures include:
a. Agreeing the opening balance to last year's financial statement;
b. Adding up the non-current asset note to ensure the auditor agrees with the
closing balance shown; and
3
c. Agreeing the closing balance for non-current assets in the note, to the
balance shown on the statement of financial position.
2. New assets purchased or additions: Procedures include:
a. Agreeing the additions balance in the financial statements to the asset

register (C);
b. Adding up the additions in the asset register to ensure they agree with the
total in the financial statements (C); and
c. For additions in the year, trace to invoice, to agree amounts recorded and
whether the invoice is in the company name (R&O).
3. Disposals of assets in the year: The auditor should:
a. Obtain a list of all disposals of assets made in the year and agree them to the
asset register to ensure they have now been removed (E and A);
b. Agree disposals to documentation, for example, sales receipts and bank

statements to prove they were disposed of (E and A); and
c. Review the profit or loss on disposal and agree with what has been recorded
in the statement of profit and loss (E and A).
4. Depreciation: Must be audited by:
a. Recalculating the depreciation charge for a sample of assets (V and A);
b. Reviewing the accounting policies to see if the treatment being used is

consistent with prior years’ (V and A); and
c. Inspecting the budgets for capital expenditure to see if plans for disposals
and new assets mean the depreciation methods are appropriate (V and A).
5. Revaluations: Procedures would be:
a. Inspect the valuer's report and agree the amount concluded by them with
what has been recorded in the financial statements (V); and
b. Review the methods used by the valuer described in their report and ensure
they agree with what is required by the accounting standards for revaluations
(V).
Notes:
– The key for an auditor is to gather as much sufficient appropriate evidence as possible.
4
– The more written, detailed, independent evidence auditors can collect, the better.
– Each audit procedure must verify at least one of the financial statement assertions.
5
Audit of Specific Balances - Current Assets
BANK
The bank is an asset presented in the financial statements. It is shown under the heading
"Current Assets" in the statement of financial position.
The key assertions that should be verified are:
– Valuation (V); and
– Existence (E).
The evidence that the auditor would obtain can be referred to as the three B’s:
1. The bank statement: This will show all movements in the bank balance
during the period that can be agreed with the movements in the cash book (E
and V);
2. The bank report: This is written confirmation from the bank sent directly to
the auditor, which confirms all the bank balances held by the client for the
year end and any balances of liabilities held by them. The auditor should also
agree the bank accounts to the trial balance (E, V and C); and
3. The bank reconciliation: This will show the differences between what the
cash book states as the balance and what the bank states as the balance.
Auditors should also ensure that balances agree to the bank statement, bank
report and cash book.
Unpresented cheques are any payments that have not yet been cleared by the bank. The
auditor would usually:
– Agree the amounts on the bank reconciliation to the cheque stubs and cash book;
– Ensure none of the payments are missing or belong in the following period; and
– Inspect the bank statements after the year end to ensure the payments have now
cleared. Then any uncleared receipts would be audited. Auditors would need to:
– Agree that all uncleared receipts on the bank reconciliation are in the cash book;
– Ensure there are no missing receipts from the cash book; and
– Inspect the bank statements after the year end to ensure the receipts have now
cleared.
6
ACCOUNTS RECEIVABLE
Accounts receivable balance is actually made up of two balances in the ledger, the trade
receivables, and any provision for bad debts. There are three important tests auditors
should carry out on this balance:
1. Circularisation: It is writing to a sample of trade receivable customers requesting

that they confirm the balance they owe from their records. If the response does not
agree with the ledger, the auditor will then need to complete a reconciliation
between the client and customer balance to identify if the difference is due to
timings issues, or due to a misstatement;
2. Cash received after the year end: The auditor will select a sample of receivable
customer balances and then agree these balances to receipts in the post year end
bank statements (E);
3. Cut-off: The auditor should review invoices just before and after the year end, and
inspect their goods dispatch notes, reviewing the delivery date to ensure they are in
the correct period.
The next step is then to audit the provision for bad debts. The key assertion to verify is
valuation. Examples of procedures include:
– Comparing the provision to the previous year and investigating any differences;
– Calculating the receivables days ratio and comparing it to the previous year;
– Reviewing the aged receivables list and investigating old balances to see if they should
be included in the provision or written off;
– Enquiry with management about any specific provisions; and
– Post year end event review to see if the customer has paid.
7
INVENTORY
Key assertion Procedures
According to IAS 2, inventory should be valued at the lower of cost and

net realisable value.
_ The auditor must review sales around the year end;
Valuation _ Sales prices of items should be compared to the calculations for

net realisable value to ensure the selling price looks reasonable;
and
_ The auditor should trace the cost used in valuation to the source
document such as the purchase invoice.
_ This assertion can be verified by attending the inventory count.

This also enables the auditor to review the control procedures
Existence and
carried out by the client.
completeness
Using samples for counting, the auditor verifies the existence and
completeness of counting records.
_ Inspection of ownership documentation should be carried out; as

well as review of the purchase invoices; and
Rights and obligations
_ Inspection of any inventory stored at third party warehouses and
review of respective agreements.
8
Audit of Specific Balances Liabilities
Key concern: The client may have understated the balance to make the business look
healthier and more liquid than it is.
Key assertions: Completeness, rights and obligations, valuation.
ACCRUALS
Accruals balance is based on costs that may not have been invoiced in the year but belong
to the current year. The following procedures should be performed:
– Obtain a breakdown of the accruals balance and ensure it adds up and agrees with the
accruals balance in the financial statements;
– Compare accruals balance to last year and investigate any differences; and
– Review invoices dated after the year end to identify if the costs belong to the current
year;
PROVISIONS
Provisions could arise from events such as potential compensation payments from court
cases. The client needs to ensure they have followed the rules of IAS 37:
– If there is a remote chance of the client suffering an outflow of resources, then there
should be nothing included in the financial statements;
– If there is a possible chance of the client suffering an outflow of resources, then there
should be a disclosure note called a contingent liability note explaining the possible
event, but still, no provision;
– If there is a probable outflow of resources, then a provision may be included in the

financial statements and a disclosure note explaining the balance.
There are three criteria that must be met for a provision to be allowed:
1. There must be a present obligation due to a past event;
2. There must be a probable outflow of resources; and
3. There must be a reliable estimate.
In order to be satisfied that all criteria mentioned above are met, the auditor must perform
the following procedures:
9
– They must inspect correspondence, for example, from the company lawyer, and also
discuss the event with them;
– They can inspect any other external evidence, such as press reports, if they relate to a
court case; and
– They must then obtain evidence on the estimate of costs and ensure it is from a reliable
source. This must not be an estimate from the client management.
OTHER LIABILITIES
Other liability balances include:
– Sales tax;
– Employee tax;
– Payroll; and
– Bank overdrafts.
The following procedures may be performed to verify these balances:
– Agree each of these balances to the bank statement as the payment should be shown
after the year end (except for bank overdraft, as there may be timing differences); and
– The bank reconciliation will play a part in verifying the bank overdraft balance, along
with the bank report.
TRADE PAYABLES
Trade payables is the total balance of all outstanding balances owed to trade suppliers.
Audit procedures will include:
1. Cut-off testing: The procedure would be to identify the invoices posted just before
and after the year end,
compare them to the goods received note, review the delivery date, and ensure the invoice
is posted in the correct period;
2. Reconciling supplier statements: The auditor should select a sample of suppliers and
reconcile the supplier statement sent at the year end to the ledger (timing differences
are acceptable);
10
3. Post year end invoice review: Inspecting purchase invoices since year end and
reviewing the details will be required to ensure that there were no invoices that
should have been included in the current year;
4. Analytical procedures: These include:
– Comparing the balance to the previous year and investigating any significant
differences;
– Calculating the payable days ratio and comparing to the previous year;
– Identifying the trade payables balance for each month and comparing the level of
payables to the expected trend of the company; and
– Inspecting the aged payable analysis, in particular, identifying the old and slow
moving balances and investigating these with the client.
11
Audit of Specific Balances - P&L, Directors, and Equity
THE STATEMENT OF PROFIT AND LOSS
Remember: Much of the transactions in the P&L have already been tested via the
corresponding debit or credit balance in the SFP.
The key assertions for the statement of profit and loss balances are:
– Cut-off (C/O);
– Occurrence (O);
– Completeness (CO);
– Classification (C); and
– Accuracy (A).
For the payroll balance, a few specific audit procedures include:
– For a sample of employee balances, recalculate the deductions, such as tax, and
investigate any differences;
– Agree the net pay as per the payroll records to the bank statements and cash book; and
– Agree total wages and salaries from the payroll system to the trial balance and financial
statements.
Analytical procedures:
– Proof in total of the wages and salaries balance (estimate the balance from
management information such as average wages and the percentage pay rise) and
compare it to the actual balance.
– Comparing the current year's balance to the previous year's will also identify
potential misstatements if significantly different.
The revenue balance substantive tests include:
– For a sample of invoices, to recalculate the sales tax and discounts for accuracy;
– Agree a sample of customer orders to the dispatch notes and invoices to ensure they
were recorded; and
– Inspecting credit notes issued shortly after the year end and supporting documentation
for evidence that they were related to actual sales and not created to overstate
12
revenue.
– Analytical procedures:
– Comparing the revenue balance to the previous year;
– Calculating and comparing gross profit margins to previous years; and
– Comparing the balance to budgeted figures.

The purchase and other expense balance procedures include:
– Inspecting purchase orders and agreeing these to the goods received notes and invoices
recorded;
– Recalculating sales tax and discounts on a sample of invoices; and
– Agreeing the balance on the ledger to the trial balance and financial statements.
Analytical procedures:
– Calculate operating profit margin to compare to the previous year, investigating any
significant differences; and
– Comparing each expense account to budget to identify anything to investigate further.
DIRECTORS' EMOLUMENTS
Remember: the auditor regards any director's transactions as material by nature. The key
assertion is accuracy. An example of audit procedures would be:
– Obtain the detailed list of directors' transactions which shows the split between wages,
bonuses, pensions etc., and check it to ensure all the totals are correct;
– Inspect payroll records and agree the balances to the list;
– Inspect bank statements and agree amounts actually paid; and
– Obtain a written representation from the directors that they have included all directors'
remuneration to the auditor.
13
EQUITY
The financial statements will include the statement of changes in equity (SOCIE) which will
show the movement in equity section from the beginning of the year. The equity section will
include the following balances:
1. Share capital: To verify this balance, the auditor will need to:
a. Inspect share certificates or other official documentation and agree to

disclosures made in the financial statements;
b. Inspect board minutes for evidence of a share issue; and
c. Inspect the cash book for evidence of money coming in from a share issue.
2. Dividends: This will require the auditor to:
a. Inspect board minutes to ensure the amount and that the date declared was
before the year end; and
b. Inspect the bank statement to agree the amounts paid and that they were
before the year end also.
3. Other reserves: To audit this balance, the auditor must ensure:
a. The opening balance agrees to last year;
b. The movements in reserves add up to the closing balance; and
c. Any movements agree with supporting documentation, for example, a

valuation report.
14

ACFrOgCfiEAVH2XWvqneUqyBMBYXuqXWJ4RV3AGOOYSSXoo6ydpwA54dWRg37I Z5rkJOaG5iWXSH - OoeDB4cgxs8V6M5qqgodnX5OFiHciwysoNcoOH rlc8jjlWFM PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ACFrOgCfiEAVH2XWvqneUqyBMBYXuqXWJ4RV3AGOOYSSXoo6ydpwA54dWRg37I Z5rkJOaG5iWXSH - OoeDB4cgxs8V6M5qqgodnX5OFiHciwysoNcoOH rlc8jjlWFM PDF

Uploaded by

Copyright:

Available Formats

AA - Audit framework & regulation

Practitioner = External auditor;

Subject matter = Financial statements;

Responsible party = Client management;

Conclusion = Audit opinion;

Users = Shareholders and other users.

By providing assurance you are:

1) Giving confidence to the users who make decisions;

2) Enhancing the credibility of the information in the financial statements.

ELEMENTS OF ASSURANCE ENGAGEMENT:

There are 5 elements of any assurance engagement:

2) The subject matter (financial statements);

3) A suitable criteria (applicable financial reporting framework);

4) Sufficient appropriate evidence (audit procedures carried out);

5) Written assurance report (audit report).

1) Reasonable assurance. The practitioner must:

 Provide sufficient appropriate evidence in order to form reasonable conclusions;

2) Limited assurance. Such engagement provides:

 Sufficient appropriate evidence in order to form limited conclusions;

 When reviewing information regarding future events, it is impossible to give a

True and fair means that financial statements are:

2) Agree with the underlying records;

5) Free from material misstatements.

There is a misconception of the role of external auditor known as expectation gap:

5) Substantive testing. Auditors perform audit procedures on transactions and balances to

PROS AND CONS OF AN EXTERNAL AUDIT:

1) It results in greater detection of fraud and 1) There could be misstatements in

2) It enhances the credibility of financial 2) Estimates are subjective and difficult to

Ethics - guidance on how to behave morally and professionally.

IFAC code of ethics is the key regulative document.

Ethic principles must be considered when:

 Accepting new audit client;

FUNDAMENTAL PRINCIPLES (OPPIC):

P - Professional competence and due care

Objectivity means that the auditor:

 Must be objective when making the decision;

Professional behavior means that the auditor:

 Complies with relevant laws and regulations;

 Professional knowledge and skill are maintained;

 Straightforward and honest;

Confidentiality means that the auditor must:

 Keep the information confidential;

Types of objectivity threats:

5) Intimidation - arises when clients put pressure on auditors in order to influence

The safeguards are as follows:

2) Separate audit partners heading up the audit teams;

3) Set up separate audit teams and offices if possible;

4) Provide training on the importance of confidentiality to all staff;

5) Sign confidentiality agreements with the audit staff;

 Client has given permission to disclose information;

Corporate governance - a set of guidelines that listed companies should follow.

The UK version of the corporate governance is presented by Corporate governance code.

2) Effectiveness - the board of directors should have appropriate skills and be

5) Shareholder relationships - communication should be clear and objectives and

a) The Chairman - a non-executive director who leads the board to ensure

b) The Chief executive officer (or CEO).

 They increase confidence in the published financial information;

Responsibilities of the audit committee include:

 Reviewing the internal controls and recommending changes;

 Can be transferred to another party, for example by insurance cover;

 The executive directors are not paid excessive amounts;

The following recommendations should be followed by the companies:

 Listed companies should produce much more detailed financial information in