Professional Documents
Culture Documents
ACFrOgCfiEAVH2XWvqneUqyBMBYXuqXWJ4RV3AGOOYSSXoo6ydpwA54dWRg37I Z5rkJOaG5iWXSH - OoeDB4cgxs8V6M5qqgodnX5OFiHciwysoNcoOH rlc8jjlWFM PDF
ACFrOgCfiEAVH2XWvqneUqyBMBYXuqXWJ4RV3AGOOYSSXoo6ydpwA54dWRg37I Z5rkJOaG5iWXSH - OoeDB4cgxs8V6M5qqgodnX5OFiHciwysoNcoOH rlc8jjlWFM PDF
Contents
Assurance ............................................................................................................................... 2
DEFINITION: ........................................................................................................................ 2
LEVEL OF ASSURANCE:........................................................................................................ 3
Introduction to an External Audit .......................................................................................... 4
WHAT IS AN AUDIT? ........................................................................................................... 4
AN AUDIT PROCESS CAN BE OUTLINED AS FOLLOWS: ....................................................... 5
PROS AND CONS OF AN EXTERNAL AUDIT: ........................................................................ 5
Fundamental Principles .......................................................................................................... 6
DEFINITION: ........................................................................................................................ 6
Ethical Risks ............................................................................................................................ 8
THREATS TO OBJECTIVITY AND INDEPENDENCE: ............................................................... 8
BREAKING CONFIDENTIALITY: ............................................................................................ 9
Corporate Governance ......................................................................................................... 10
DEFINITION AND PRINCIPLES: .......................................................................................... 10
BOARD OF DIRECTORS: ..................................................................................................... 10
COMMITTEES: ................................................................................................................... 11
AUDITOR’S REPORT: ......................................................................................................... 12
Internal Auditors .................................................................................................................. 13
THE ROLE OF INTERNAL AUDITORS .................................................................................. 13
DIFFERENCES BETWEEN EXTERNAL AND INTERNAL AUDITORS....................................... 14
RELIANCE ON INTERNAL AUDITORS' WORK ..................................................................... 15
OUTSOURCING.................................................................................................................. 15
1
Assurance
DEFINITION:
A practitioner evaluates a subject matter, that is the responsibility of another party, against
a criteria, to express a conclusion, to the user of the subject, where:
1) The three parties involved, the practitioner, the responsible party and the user
(auditor, the management and the shareholders);
2
LEVEL OF ASSURANCE:
IAASB introduces guidance designed for better understanding of two levels of assurance:
Notes:
3
Introduction to an External Audit
WHAT IS AN AUDIT?
Objective of external auditor: to review the financial statements and form an independent
opinion. The auditor must communicate whether financial statements are true and fair and
properly prepared.
Role of the auditor: to identify any material misstatements so that they can be corrected by
the management before the accounts are published.
Material misstatements are errors within the financial statements that, if not corrected,
could influence the decisions made based on the information given.
1) Factual;
3) Clear;
4) Unbiased;
Properly prepared means that financial statements are prepared in accordance with the
applicable reporting framework.
EXPECTATION GAP:
Misconception Fact
Auditors test transactions on a sample
Auditors test all transactions and balances.
basis
It is auditor’s responsibility to report on
whether financial statements are free
Auditors should detect all fraud and error.
from material misstatements whether
caused by fraud or error.
This is the responsibility of directors, not
Auditors prepare financial statements
the auditors
4
AN AUDIT PROCESS CAN BE OUTLINED AS FOLLOWS:
1) Acceptance. The auditors must consider before they begin the audit work whether they
want to accept new client or continue with existing one;
2) Engagement. Ensure that agreement between the auditor and the client is in place;
3) The plan. Auditors must carefully plan the audit and identify any risks and other issues
that need to be managed;
4) Assess controls and systems. Auditors must review the systems and control procedures
in order to identify whether controls are strong or poor;
6) Completion and review. Audit manager will review the evidence collected and work
completed to ensure it is enough to form an opinion;
7) Audit report. Audit partner will review the audit work and the financial statements and
form an independent audit opinion.
Pros Cons
5
The relationship between International Standards on Auditing and National Standards
The International Standards of auditing are set by the International Audit and Assurance Standards
Board (IAASB). The structures and processes that support the operations of the IAASB are facilitated by
the International Federation of Accountants (IFAC). IFAC is a worldwide organisation for the
accountancy profession dedicated to serving the public interest by strengthening the profession.
However, IFAC is not responsible for enforcing these standards. It is up to individual countries to
implement the standards if they deem them appropriate. Countries also have the choice to set their
own National Standards of implementation or may modify the ISAs’ to suit their needs.
National Regulatory bodies will be charged with enforcing the implementation of auditing standards,
enforcing quality control of audits and inspecting audit files. Countries may do this by allowing the
accountancy profession to implement the above or setting up an independent authority to do it.
Fundamental Principles
DEFINITION:
O - Objectivity
P - Professional behavior
I - Integrity
C - Confidentiality
Professional competence and due care means that the auditor should ensure that:
6
Integrity means that the auditor should be:
7
Ethical Risks
THREATS TO OBJECTIVITY AND INDEPENDENCE:
Objectivity is one of fundamental principles given in the ethical code. An auditor should
remain objective, which means that they should not allow bias and not be influenced by
others.
1) Self interest - arises when the auditor has personal interest in the client, which
could affect the audit;
2) Self review - arises when the auditor has to review work that they previously
performed;
3) Familiarity - arises when the auditor is too sympathetic or trusting of the client
because of a close relationship with them;
4) Advocacy - arises when the auditor is asked to promote or represent their client
in some way;
Note: if auditors identify any of these threats, they need to put safeguards in place to
reduce the threat to an acceptable level.
Conflicts of interest:
A conflict of interest arises when the audit firm has the opportunity to audit two connected
clients. The main issue with a conflict of interest is confidentiality as there is a risk of
sensitive information being leaked.
1) Discuss with both clients whether they are happy to continue with the same
audit firm;
8
Note: If the audit firm cannot guarantee safeguards are strong enough, they should not
continue with both audits.
BREAKING CONFIDENTIALITY:
Keeping client information confidential is it is one of the fundamental principles from the
ethical code. Confidentiality should be broken when:
9
Corporate Governance
DEFINITION AND PRINCIPLES:
Aim - to allow companies to operate in the shareholders interests and help protect their
investment from poor management decisions.
1) Leadership - that the board of directors are collectively responsible for the
success of the organisation and decisions are made fairly. Non executive
directors who are part time and not involved in the day to day activities should
assist with decisions made;
3) Accountability - the board of directors should ensure risks are identified and
that strategies are formed while communicating openly with the auditors;
4) Remuneration - directors pay should be fair and still be able to attract the right
individuals to the role. Pay should not be set by one individual and no one
should set their own pay;
BOARD OF DIRECTORS:
In order for these principles to be implemented, the company must organise the board of
directors so that responsibilities are shared and decisions are made fairly. Heading up the
board of directors should be:
The next tier of management would consist of executive and non-executive directors and
there should be an equal board mix of these two types of directors.
10
COMMITTEES:
Executive and non-executive directors would then form committees who take on
responsibilities for the company. The committees are:
1) The audit committee - responsible for financial reporting and system control matters
and should be comprised of at least 3 non-executive directors. This committee should
ensure that:
2) The risk committee - responsible for assessing the risks associated with the company
and recommending the best approach to reduce these risks. This committee is also
made up of non-executive directors, whose role is to identify risks, prioritise them and
then assess whether the risk:
Business risks must be reviewed and reported to the board regularly to ensure they are
identified in a timely manner.
3) The remuneration committee - set pay for the board of directors. It is made up of non-
executive directors to ensure that:
11
4) The nomination committee - responsible for appointing directors to the board. The
board is made up of non-executive directors which ensures that the best person is
appointed for the role and reduces the risk of bias in decisions being made on
recruitment.
AUDITOR’S REPORT:
12
The provisions of international codes of corporate governance (such as OECD) that are most relevant
to auditors
- To improve the legal, institutional and regulatory framework for corporate governance.
- To provide guidance and suggestions for stock exchanges, investors, corporations and other
parties that have a role in the process of developing good corporate governance.
1. Corporate Governance: There should be a clear basis for an effective corporate governance
framework which should ensure there is transparency and acceptance of responsibility of all
parties involved.
2. Agency: Management of the company should recognise that they are agents of the shareholders
and should uphold their rights and act in their interest at all times
3. Equitable Treatment: There should be equitable treatment amongst shareholders so that
regardless of whether institutional or minority, they are all treated in a fair and just manner.
4. Shareholder Rights: The Rights of Stakeholders should be recognised, and there should be
cooperation between the organisation and it’s stakeholders.
5. Disclosure: All material matters, such as the financial situation, performance, ownership and
governance of the company, should be disclosed in a timely and accurate manner.
6. Board Duties: The strategic guidance of the company should be ensured by the corporate
governance framework and monitored by the board.
Evaluate corporate governance deficiencies and provide recommendations to allow compliance with
international codes of corporate governance
The below table demonstrates recommendations for “good” corporate governance. In situations where
the below does not exist, it would imply a corporate governance deficiency with regard to the
International Codes of Corporate Governance, as shown.
The Board - The Chairman and Chief - The Chairman and Chief Executive
Executive should be different are the same person.
people to prevent unfettered - There are no or few Non-
power Executive Directors (NEDs)
- Half of the board to be Non- - There is no nomination process.
Executive Directors (NEDs) - Directors don’t submit for re-
- There should be a rigorous election regularly.
and transparent nomination
process.
- Directors should submit for
re-election regularly.
13
DIFFERENCES BETWEEN EXTERNAL AND INTERNAL AUDITORS
2 Scope of details Plan and perform audit Cover many areas looking at the
procedures on control systems, systems and controls used by the
transactions and balances in FS. entity. Amount of work depends
on the management’s
requirements.
7 Whether they are a legal Required by law (there are some Not required by law.
requirement exemptions).
Recommended by corporate
governance to ensure sound
control systems.
14
RELIANCE ON INTERNAL AUDITORS' WORK
A. Scope of work;
B. Technical competence;
D. Independence.
1. Company is large;
OUTSOURCING
Outsourcing: Not all companies will benefit from a full-time internal audit function. In this case
audit firms provide expertise for clients needing an internal audit.
Advantages Disadvantages
Removing employment costs (recruitment Lack of knowledge of the business;
and tax);
Long-term use may become less cost
Audit firms may have more specialised skills;
effective;
Services may not be available immediately;
Increased independence; and
and
Reducing the burden of having a Conflicts of interest may arise if the audit
department to manage. firm carried out the external audit.
15
AA - Audit framework & regulation
Contents
The Acceptance Stage ............................................................................................................ 2
The Engagement Letter .......................................................................................................... 3
TERMINOLOGY USED .......................................................................................................... 3
PURPOSE AND CONTENTS OF THE ENGAGEMENT LETTER ................................................ 3
Audit Risk ................................................................................................................................ 6
TERMINOLOGY USED: ......................................................................................................... 6
AUDIT RISK MODEL: ............................................................................................................ 6
Identifying Audit Risks ............................................................................................................ 8
TERMINOLOGY USED: ......................................................................................................... 8
USING ANALYTICAL PROCEDURES: ..................................................................................... 9
1
The Acceptance Stage
At the acceptance stage the auditor will consider:
1) Client request;
2) Advertising;
3) Tendering.
Note: if preconditions are not met, the auditor should not accept the audit assignment.
2) Other considerations:
Reject if the risks being associated with the client are too high.
Accept and move to the next stage of audit process, the engagement letter.
2
The Engagement Letter
TERMINOLOGY USED
Engagement letter: An agreement that is put in place at the start of the audit process. The
engagement letter is prepared once the acceptance stage is concluded.
2. To explain the audit process and the terms and conditions; and
3
3. Auditor’s responsibilities:
a. The formal written audit report will show the audit opinion; and
b. Any control deficiencies will also be reported in writing in the form of the
management letter or report to management.
4
f. The limitations of the audit; and
4. Not received confirmation that the management accept their responsibilities; and
5
Audit Risk
TERMINOLOGY USED:
Audit risk is the risk of the auditor giving an inappropriate opinion on the financial
statements, i.e. there are material misstatements present in the financial statements.
Misstatement is:
2) the difference between what is in the financial statements and what should be
in the financial statements in accordance with the applicable financial reporting
framework.
Note: Material misstatement not identified by the auditor leads to incorrect decisions made
by users and affects the auditor’s reputation.
In order to calculate audit risk, the auditors use the audit risk model: AR=IR*CR*DR, where:
AR - Audit risk;
IR - Inherent risk - is the risk of a material misstatement in the financial statements due to
the nature of the
client, whether it be the business itself or the industry which they operate within;
CR - Control risk - is the risk of a material misstatement in the financial statements due to
poor client controls;
DR - Detection risk - is the risk of a material misstatement in the financial statements due to
the auditor not
Note: Inherent risk and Control risk cannot be changed, but must be identified to decide
what should be the level of Detection risk.
If Inherent risk and Control risk are high, then Detection risk must be low, meaning that:
6
– Sample sizes should be increased;
– More experienced audit staff should be used.
If Inherent risk and Control risk are low, then Detection risk can be high, meaning that:
If audit risk is assessed correctly, the audit opinion will be appropriate at the end of the
process.
7
Identifying Audit Risks
TERMINOLOGY USED:
Audit risk is the risk of the auditor giving an inappropriate opinion on the financial statements.
For example, stating the financial statements are true and fair when there is a material
misstatement uncorrected.
1) Enquiry;
2) Observation;
3) Inspection.
8
The four main sources of information are:
a) Within the audit firm (previous years workings, discussions with audit partner and
manager);
b) From external sources (companies house, internet and trade press, industry surveys, credit
reference agencies);
Note: Analytical procedures are used on planning stage, substantive testing stage and
completion and review stage of the audit.
The purpose of analytical procedures at the planning stage is to understand the business the
client operates, identify unusual balances, transactions and events, and identify potential
material misstatements.
9
Ratios can be categorised to review the following:
1) Profitability ratios:
Gross profit PBT
Gross profit margin = * 100% Net margin = * 100%
Revenue Revenue
2) Efficiency ratios:
Receivables Payables
Receivable days = * 365 days Payable days = * 365 days
Revenue Purchases
Inventory
Inventory days = * 365 days
Cost of sales
3) Liquidity ratios:
Current assets Current assets - Inventory
Current ratio = Quick ratio =
Current liabilities Current liabilities
4) Return ratios:
Debt Borrowings
Gearing ratio = =
Equity Share capital and reserves
Note: Comparison of current year ratios to previous year, budgets and averages helps to
identify unusual differences which could be the result of a material misstatement.
10
AA - Audit and Assurance
Contents
Laws and Regulations ............................................................................................................. 2
REGULATORY BODY ............................................................................................................ 2
REQUIREMENT OF EXTERNAL AUDIT.................................................................................. 2
THE RIGHTS AND DUTIES OF THE AUDITOR ....................................................................... 3
APPOINTMENT AND REMOVAL OF THE AUDITOR ............................................................. 4
Fraud ...................................................................................................................................... 5
AUDITOR'S RESPONSIBILITIES ............................................................................................. 5
FRAUD ................................................................................................................................. 6
The Planning Process.............................................................................................................. 7
THE PURPOSE OF THE PLAN ............................................................................................... 7
IDENTIFYING AUDIT RISKS .................................................................................................. 7
AUDIT STRATEGY ................................................................................................................ 8
MATERIALITY AND PERFORMANCE MATERIALITY ............................................................. 8
Audit Documentation ........................................................................................................... 10
AUDIT DOCUMENTATION ................................................................................................. 10
CURRENT AUDIT FILE ........................................................................................................ 11
ACCESS TO WORKING PAPERS .......................................................................................... 12
Quality Management (ISA 220 - Revised) ............................................................................ 13
1. The H is for HUMAN RESOURCES: ................................................................................ 13
2. The E is for ETHICAL REQUIREMENTS: .......................................................................... 13
3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS: ....................................... 14
4. The R is for RESPONSIBILITIES OF LEADERSHIP: ........................................................... 14
5. The M is for MONITORING: .......................................................................................... 14
6. Finally, E is for ENGAGEMENT PERFORMANCE: ........................................................... 15
Evaluating quality management deficiencies and providing recommendations to allow
compliance with quality management requirements: ..................................................... 15
1
Laws and Regulations
REGULATORY BODY
External auditors must follow strict guidance to ensure their work is of the correct standard.
This includes:
– Corporate law specific to where they are based and where the client operates.
The IFAC, International Federation of Accountants, is a global supervisory body.
The IAASB, International Auditing and Assurance Standards Board, is the group that looks
after the external auditor. They have 2 key outputs:
ISAs are published in a book, regularly reviewed and periodically updated by the IAASB.
Each ISA gives the auditor specific guidance on elements of the audit process. For a new ISA
to be developed, there is a lengthy process, which includes:
– Comments from external parties are taken on board and approval from the IAASB is
sought; and
Note: Many countries may have created their own version of auditing standards and choose
not to follow the international ones. This is permitted as the IFAC has no legal standing in
each country.
2
2. In UK law there is an exemption which allows small companies (companies with
revenue not more than £6.5 million) to not appoint external auditors, but they can
still have an external audit if they wish.
– The practitioners (those responsible for the audit and decisions made on it) are
required to be a member of a recognised supervisory body or RSB (ACCA and ICAEW),
and be allowed to be a practitioner by their rules.
– Once a member, they are allowed to form an opinion on financial statements and sign
audit reports.
1. They must be allowed access to all relevant company books and records;
2. They must be given all information and explanations necessary to complete their
audit;
3. They must be allowed to attend any general meetings between the management
and the shareholders, including the AGM;
1. To audit the financial statements and form an independent opinion on them, stating
whether or not they are true and fair;
2. To report on any specific legal requirements relevant to the company being audited;
and
3. To ensure they follow auditing standards and their ethical code while carrying out
the audit.
3
APPOINTMENT AND REMOVAL OF THE AUDITOR
Auditors are generally appointed by the shareholders. However there are some exceptions
to this rule:
− If it is the first year that the audit has been required, or if it is the first year the
company has been set up, the directors are allowed to appoint the auditors initially.
− If neither the directors or shareholders have appointed the auditors, and deadlines
for submission of an audit report have passed, then the government would usually
step in.
There are two main situations where auditors would no longer act for a company:
1. They are no longer able to act for the company and resign as auditors. Auditors issue
a statement of circumstances which gives the reasons for the resignation, and would
then be available to assist with a handover to the next audit firm appointed; or
Notes:
– If auditors feel the decision is unjust, they have the right to send a response to all
parties explaining why they should not be removed.
4
Fraud
AUDITOR'S RESPONSIBILITIES
ISA 240 Auditor’s responsibilities relating to fraud: The auditors have a duty to identify and
communicate any evidence found that fraud is present.
Note: The key difference between fraud and error is whether the misstatement was
intentional or not.
The primary responsibility towards fraud (remains with directors) is to ensure that fraud is
not present in the financial statements and the company as a whole.
– Talk to management to see if they are aware of any instances of fraud; and
– Gather sufficient appropriate evidence from audit procedures designed to assess the
risk of fraud.
5
FRAUD
2. Misappropriation of assets.
A high risk of fraud requires:
2. Ensuring that more experienced audit staff is available for the audit team;
3. Changing audit procedures from what auditors would normally do, as being less
predictable could catch out anyone trying to conceal fraud;
5. Focusing on the transactions posted around the year end, as cut-off errors are often
an intentional way of increasing or reducing balances.
1. Report it to those responsible for the audit team, for example, the audit manager
and audit partner;
2. They should then consider the evidence obtained and report this to the highest level
of management at the client;
3. If the auditor is suspicious that the management are involved, they should seek legal
advice and consider whether they should report externally;
4. Caution should be taken when reporting externally as the auditor has a duty to
maintain confidentiality;
5. If the fraud detected is material to the users of the financial information, then the
auditor would need to modify the audit report to make the shareholders aware of
the issue.
6
RESPONSIBILITY OF INTERNAL AND EXTERNAL AUDITORS FOR PREVENTING
FRAUD
Internal auditors and external auditors both play a crucial role in the prevention and detection of
fraud and error. While their roles may overlap to some extent, there are key differences in their
responsibilities and approach.
Internal auditors are employees of the organization they work for, and their primary responsibility is
to provide independent and objective assurance to management and the board of directors. They
evaluate the effectiveness of internal controls and assess the risk of fraud and error occurring in
the organization's operations. Internal auditors also identify opportunities for improvement in
internal control systems and recommend changes to reduce the risk of fraud and error.
To prevent and detect fraud and error, internal auditors may conduct risk assessments, perform
fraud investigations, and analyze financial data. They may also review contracts, policies, and
procedures to ensure compliance with laws and regulations. Additionally, internal auditors may
provide training and guidance to employees on how to identify and report potential fraud and error.
External auditors, on the other hand, are typically hired by the organization to provide an
independent evaluation of the financial statements. Their primary responsibility is to express an
opinion on the fairness of the financial statements and provide reasonable assurance that they are
free from material misstatement. While external auditors are not responsible for detecting all
instances of fraud and error, they do have a responsibility to identify and report any material
misstatements they become aware of during their audit.
To prevent and detect fraud and error, external auditors may perform various procedures such as
reviewing transactions, testing internal controls, and verifying the accuracy of financial information.
They may also conduct interviews with key personnel and review documents to gain a better
understanding of the organization's operations.
Precisely, internal auditors and external auditors both have a responsibility to prevent and detect
fraud and error in an organization. Internal auditors focus on providing independent assurance and
identifying opportunities for improvement in internal controls, while external auditors focus on
expressing an opinion on the fairness of the financial statements and identifying any material
misstatements. By working together, these two types of auditors can help ensure the integrity of an
organization's operations and financial reporting.
The Planning Process
THE PURPOSE OF THE PLAN
ISA 300: The objective of planning the audit is to ensure it is performed in an effective
manner. There are some key reasons why a plan is important for an audit:
– It will ensure the auditor can give enough attention to more problematic areas;
– It gives auditors time to assess the risks associated with the audit before they start the
audit work;
– They are able to plan appropriate audit procedures in relation to these risks;
– They can select the right level of experience needed on the audit team; and
– They can consider the need for experts and assistance from internal auditors which can
then be planned properly.
The audit plan begins with identifying potential audit risks. An audit risk is the risk of the
auditor providing an inappropriate opinion, for example, reporting that the financial
statements are true and fair when they are not. The auditor must assess risks using the
audit risk model:
AR = IR x CR x DR, where
IR = Inherent risk - the risk of material misstatement due to the nature of the entity;
CR = Control risk - the risk of material misstatement due to poor controls; and
DR = Detection risk - the risk of material misstatement due to the auditor not spotting
errors.
There are two main pieces of work that assist auditors in identifying these risks:
1. Analytical procedures: These are comparisons of financial and non-financial data to help
the auditor understand material changes in the financial statements. With the use of ratios,
auditors can identify changes in balances which may then need to be investigated when
carrying out their audit procedures later on.
2. Understanding the entity and its environment: This is an important procedure because if
the auditor lacks a fundamental understanding of what the client does, there is a real risk
they may make poor decisions and issue an inappropriate opinion.
7
AUDIT STRATEGY
The audit strategy is produced to identify the overall plan for the audit. We can separate the
audit strategy into three components:
1. The scope: specific details relating to the audit for the client (inventory locations,
reporting systems, etc.);
2. The timing: Considers when areas of the audit process should be completed. The
audit may need to include an interim and a final audit; and
3. The overall direction of the audit: The auditor decides what style of procedures are
required and the volume of work needed. The auditor will be able to determine
whether control systems look reliable and decide whether direction will be controls
based (the level of substantive work can be reduced), or procedural (more detailed
audit testing, larger sample sizes, skilled staff and more time needed).
At the planning stage, the auditor must decide what a material misstatement is, which
means that it can influence the users of the financial information. An item can be material
by:
1. Its size: If that is the case, the auditor would request that the client correct this in the
financial statements. If they don’t, the auditor would conclude that the financial statements
are not true and fair. The guidelines on materiality state that an item is material if it is
above:
a. 5-10% of profit;
b. 1/ - 1% of revenue; or
2
2. Its nature: A prime example is directors' transactions which must be transparent to the
users.
The auditor must also consider and set performance materiality. If any misstatements
identified while performing audit procedures are above performance materiality, they are
recorded and presented in the summary of unadjusted errors. The auditor would then
request the client to adjust these errors in the financial statements.
8
WRITTEN AUDIT PLAN
The audit planning document is a detailed document that proves whether the auditor has
planned the audit properly and includes all information needed to then carry out the rest of
the audit process. The planning document should include the following:
9
Audit Documentation
AUDIT DOCUMENTATION
ISA 230: The auditors must ensure they have written documentation that:
– Proves that the audit was planned and performed in accordance with auditing
standards;
– Helps more senior members of the audit team direct and supervise, as well as review
the work completed;
– Is a sufficient appropriate record of audit work completed to assist in forming the audit
opinion;
For every client, the audit firm will keep files to organise documentation. There will be:
1. Current audit file: Stores all relevant evidence and documentation relating to the current
audit:
b. Files must be retained by the audit firm for a minimum of 5 years; and
c. It enables the auditor to prove what they did (e.g., in case of legal action).
2. Permanent audit file: Stores all client-related documentation that would be useful for
current and future audits (previous years' financial statements, client organisation structure,
key personnel, contact details, etc.).
3. Correspondence: Evidence that proves that communication between the auditor and the
client is effective (may be electronic or physical).
10
CURRENT AUDIT FILE
1. The planning section: Includes all considerations made during the planning stage;
2. Audit performance:
Note: The audit performance section will include all documentation and evidence collected
that relates to the audit procedures carried out on the systems, transactions, balances and
disclosures relating to the financial statements. Without this work the auditor cannot form
an opinion on the financial statements.
For every test carried out, the auditor needs to prepare something called working papers.
The working papers will usually include:
i. Lead schedule: The first document for each balance that will show the total balance,
which will agree with the balance shown in the financial statements;
ii. Backup schedules: Individual schedules for each sub balance which makes up the total
balance in the financial statements;
iii. Audit programmes: Detailed documents which explain the audit procedures carried
out on the balance. Each audit programme must show the following:
11
– Who did the work;
3. Completion: The section where the final review is carried out and post year end audit
procedures are carried out. The key areas of the completion stage are:
The audit file and all of the working papers produced by the audit team belong to the
auditor. Access to the working papers is only permitted if authorisation is given by the
auditor. The reasons for this are:
– The working papers will contain sensitive information about the client;
– If any of the work is lost or stolen, it would need to be recreated in order to form an
opinion; and
12
Quality Management (ISA 220 - Revised)
The topic of Quality Management directly relates to the auditing standard, ISA220 (Revised)
– Quality Management for an Audit of Financial Statements. This auditing standard focuses
on the audit firm’s own quality management procedures.
The standard states that the objective of the auditor is to implement quality management
procedures at the
engagement level that provide the auditor with reasonable assurance that:
(a) The audit complies with professional standards and applicable legal and regulatory
requirements; and
For this to happen, the standard gives a recommended set of policies and procedures that
should be carried out.
To help remember the key policies and procedures from the standard, you could use ‘HEAR
ME’.
The audit firm, and in particular, the engagement partner who is responsible for the client,
should ensure that their audit team is capable.
– They should assess the competence of the team members to ensure that the audit is
performed at an appropriate standard.
– They should ensure that the audit team has sound knowledge of the client being
audited, and therefore understands the entity and its environment.
– However, they must also ensure the technical skills within the audit team are enough to
reach appropriate conclusions.
Quite simply, the audit firm must ensure that they comply with the ACCA code of ethics.
– That they manage any ethical threats, conflicts of interest or other risks appropriately.
13
3. The A is for ACCEPTANCE AND CONTINUANCE OF CLIENTS:
The audit firm must consider whether they should accept every engagement.
– Once they have accepted the client engagement, they must then review every year to
ensure the entity should continue to be their client.
– The key issue is that the audit firm must only accept clients with an acceptable level of
risk.
– The engagement partner must take overall responsibility for the audit team and the
audit process.
– This means they must also ensure the quality management procedures within the audit
firm are of a high standard so as to follow professional standards accordingly.
We have already said that strong policies and procedures should be in place. However, to
ensure these are followed, there must be an element of review from the audit firm. The
standard recommends 2 types of monitoring:
– HOT review
– COLD review
An independent partner within the audit firm undertakes the hot review usually. They
review the audit work and conclusions reached. This is to ensure that the overall conclusion,
i.e. the opinion is appropriate. Hot reviews are usually carried out for listed clients or those
with significant audit risks. A hot review is carried out before the audit report is signed. It is
also known as an EQR or engagement quality review. A senior member of staff at the audit
firm performs a cold review. An external consultant can carry it out. They review the work
carried out for the client and the conclusions reached. The key difference is that the review
takes place after the audit has been completed and the audit report is signed. A sample of
clients is selected across the audit firm to review. This ensures consistency across audit
teams, and identifies if there is a risk of noncompliance of professional standards.
14
6. Finally, E is for ENGAGEMENT PERFORMANCE:
This looks at the overall performance of the audit assignments across the audit firm. This is
made up of 3
elements:
– Direction of audit:
The direction focuses on ensuring everyone is aware of the objectives of the audit,
knowledge of the client
– Supervision of audit:
Supervision is looking to ensure that the audit is reviewed by someone senior who can
ensure the team is
competent and the deadlines are met to provide timely information for the client.
The review is to ensure professional standards have been followed, that there is evidence to
back up conclusions made and that the evidence collected is sufficient and appropriate.
Each of these 6 components is explained in ISA220 to enable audit firms to ensure the
highest quality work is performed. This therefore ensures that an appropriate audit opinion
is formed on the financial statements for every client, which ties back to the obligation to
ensure they follow professional standards and that their reports are appropriate for the
client’s requirements.
Regarding monitoring and remediation, the standard provides following guidance (section
A111. of ISA 220 (revised)):
15
• An auditor’s expert is needed; or
• The nature, timing and extent of direction, supervision and review needs to be enhanced
in an area of the audit where deficiencies have been identified.
If an identified deficiency does not affect the quality of the audit (e.g., if it relates to a
technological resource that the engagement team did not use) then no further action may
be needed.
However, the standard further states that an identified deficiency in the firm’s system of
quality management does not necessarily indicate that an audit engagement was not
performed in accordance with professional standards and applicable legal and regulatory
requirements, or that the auditor’s report was not appropriate in the circumstances.
16
AA – Internal control
Contents
The Auditors Approach to Internal Controls .......................................................................... 2
UNDERSTANDING OF CONTROL: ........................................................................................ 2
OBJECTIVES OF CONTROL SYSTEMS: .................................................................................. 2
LIMITATIONS OF CONTROL SYSTEM: .................................................................................. 2
AUDITOR’S EXPECTATION OF INTERNAL CONTROL SYSTEM:............................................. 2
AUDITOR’S WORK AND APPROACH: .................................................................................. 3
Identifying and Reporting Internal Control Deficiencies ....................................................... 4
HOW THE AUDITOR IDENTIFIES DEFICIENCIES: .................................................................. 4
THE MANAGEMENT REPORT: ............................................................................................. 4
TIMING OF COMMUNICATING DEFICIENCIES: ................................................................... 5
Control Cycles ......................................................................................................................... 6
KEY CONTROL CYCLES ......................................................................................................... 6
SALES CYCLE ........................................................................................................................ 7
PURCHASE CYCLE ................................................................................................................ 8
ASSETS CYCLE ...................................................................................................................... 9
INVENTORY CYCLE .............................................................................................................. 9
PAYROLL CYCLE ................................................................................................................. 11
CASH CYCLE ....................................................................................................................... 12
1
The Auditors Approach to Internal Controls
UNDERSTANDING OF CONTROL:
A control is a procedure put in place to achieve company’s objectives. For any organisation
to run well it needs sound control systems in place.
– Human error;
– Fraudulent collusion;
– Abuse of authority.
ISA 315: Auditors must understand the client’s internal controls. In particular:
To give a benchmark of what is a good control system, ISA 315 provides 5 components of an
internal control system:
– Control activities - all individual procedures and policies of the system (authorisation,
performance review, accounting reconciliations, segregation of duties, IT controls,
physical controls);
– Risk assessment procedures - procedures to identify and manage business risks;
– Information systems - organised system for collection, organisation, storage and
communication of financial information;
– Monitoring of controls - role of internal auditor;
– Environment - overall control environment of the entity.
2
AUDITOR’S WORK AND APPROACH:
The aim of the auditor is to assess whether internal control would ensure material
misstatements are identified and corrected. Poor control system increases the risk of
material misstatements.
1) Identify and understand the control system. Methods used: enquiry, inspection,
observation.
3) Assess the system. Identify whether it is strong or weak through enquiry, inspection,
observation sending questionnaires (ICQ’s or ICEQ’s).
5) Gather evidence for a strong control system in a form of control tests or control
procedures.
6) Decide how much further audit work is needed to form the audit opinion.
3
The factors to be taken into account when assessing the need for an internal audit
When assessing the need for an internal audit, the audit committee should consider:
- Internal Controls: IA could determine where control systems are needed and recommend/
monitor the implementation of these.
- Audit Fee: IA may decrease the audit fee where external auditors can place reliance on the work
of internal audit
- Assistance to Financial Accountant: IA could support the financial accountant in compliance
with financial reporting standards, as well as recommending control systems
- Corporate Governance: IA could recommend policies for good corporate governance
- Accounting Systems: IA could audit the accounting systems to ensure they are operating
correctly.
- Computer Systems: IA could review the effectiveness of controls specifically around the
computer systems, for example reviewing the backup and disaster recovery arrangements and
ensuring compliance with regulations.
- Value For Money (VMF) Audits: IA could offer VFM audit services, such as reviewing the
potential upgrade of systems.
Where no internal audit function exists, the reasons behind its absence should be explained in the
annual report. The factors that may be considered against establishing of internal audit department
include:
- No Statutory Requirements: Given it is not a statutory requirement, the directors may deem IA
as an unnecessary use of resources.
- Non-complex Systems: The directors may deem the systems in place non-complex and, as such,
not deem review needed.
- Potential Cost: The cost associated with establishing and maintaining IA may be deemed too
high.
- Internal Resistance to Review: Management and
staff may feel challenged by IA review, and it
may affect morale.
The elements of best practice in the structure and operations of internal audit
- Scope & Reporting: The scope of IA work should be determined by the Audit Committee, and IA
should report their findings to the Audit Committee (or Board if no Audit Committee exists).
- Competence & Resources: The IA function will need to be professionally competent, sufficiently
resourced and well-organised in order to carry out its function effectively. In particular, the head
of the internal audit should be sufficiently experienced and professionally qualified.
- Independence: IA will need to maintain the independence of internal audit from management,
and care must be taken to keep it objective and independent. They should report to an
independent committee (i.e. the Audit Committee), maintain good regard with other
departments, and have a ‘whistle-blowing’ function to report serious misconduct when found.
Alongside this, controls should be established to avoid self-review by internal auditors, and staff
should be regularly rotated into different work areas.
The scope of internal audit and the limitations of the internal audit function
- Reporting: The IA function may be reporting information back to the individual who prepared
that information (e.g. Finance Director). A safeguard for this is to also report relevant
information to the Audit Committee.
- Scope: The scope of IA may be decided by executives who intentionally focus on certain areas
and avoid others. A safeguard for this is to have the scope decided by the Chief Internal Auditor
or the Audit Committee.
- Self-Review Threat: IA may find themselves reviewing their own work. A safeguard for this is to
ensure IA is removed from the setting and management of controls.
- Familiarity Threat: IF members of the IA function have been there for too long, they risk
becoming over-familiar with areas and losing their professional scepticism. A safeguard for this
is to rotate roles and members within the IA function.
The nature and purpose of internal audit assignments, including value for money, IT, financial,
regulatory compliance, fraud investigations and customer experience
The main function of internal audit in the area of IT will be to assess the controls in place. The internal
audit function of an organisation may have an IT specialist in the team who will support this. Other
functions will be to ensure that the systems in place represent value for money and also to ensure
effective controls over the awarding of IT contracts.
The internal audit function may also conduct assignments to assess the handling of fraud or customer
complaints independently from management. Again their role is to monitor that the controls in place
are being appropriately followed and are aligned with relevant legislation, and they should report
significant matters to the Audit Committee.
Discuss the nature and purpose of operational internal audit assignments
Operational audit assignments should identify the possible risks involved in that operation, the
procedures in place to mitigate the risks and whether those procedures are being followed.
- Marketing: Is the company getting value for money from its advertising? Were the objectives of
the campaigns achieved?
- Procurement: Are the systems in place for control of purchasing operating effectively? What
procedures are in place to reduce procedure risk?
- Treasury: Are there procedures in place to manage currency risk, interest rate risk, and inflation
impacts?
- Human Resources: Are policies in place to ensure the appropriate hiring, management and
layoff of employees?
Describe the format and content of internal audit review reports and make appropriate
recommendations to management and those charged with governance
Internal audit reports will usually be issued to the Audit Committee or those charged with governance.
The Internal Audit Review Report should be set out clearly and concisely, be fair and consistent, and
highlight findings, making recommendations as appropriate. IA should be engaged in ongoing
discussions with management as they conduct their assignment, and as such, any issues that arise
should be well communicated and not included as unexpected findings in the report.
The format and content of the report should include the following:
- Cover: Setting out the subject, recipient, date, and any relevant rating required.
- Executive Summary: Summarize the key points of the report concisely.
- Key findings and recommendations: Giving an overview of the main problems discovered, any
breaches in procedures and any ineffective controls.
- Detailed findings and agreed actions: Setting out the key findings and the timing and
responsibilities for corrective action.
- Assessment grading or rating: Internal audit may undertake a rating system for grading the
systems under review, in which case this should be provided.
Identifying and Reporting Internal Control Deficiencies
HOW THE AUDITOR IDENTIFIES DEFICIENCIES:
4) Auditor identifies if there are any issues with the way the system operates;
5) Using their skills auditors may notice control activities that are missing.
All this gives the auditor opportunity to find deficiencies within the system.
Note: For every control deficiency found the auditor has an obligation to provide
recommendation about how the entity could improve that control.
– Report is not a comprehensive list of all deficiencies, it contains only those found by the
auditor;
– Information is solely for the use of the company;
– Nothing within the report should be disclosed to a third party without written auditor’s
permission;
– No responsibility is assumed to any other parties.
4
TIMING OF COMMUNICATING DEFICIENCIES:
5
Computer systems controls, including general IT controls and information processing controls.
General IT controls to ensure that the information system can run properly. Examples of these
controls include:
Information processing controls apply to the processing of transactions. Examples of these controls
include:
● Existence checks
● Authorisation checks
● Sequence checks
● Arithmetic checks
● Batch total checks
Control Cycles
KEY CONTROL CYCLES
Control cycles are systems linked to financial statements that have an impact on whether
the financial statements are true and fair. They are:
– Sales; _ Inventory;
– Assets; _ Cash;
6
SALES CYCLE
7
PURCHASE CYCLE
8
ASSETS CYCLE
The control system for assets would work in the same way as the purchase system.
However, there would be some additional controls required:
– Use of the asset register. This spreadsheet will record date, cost, depreciation, carrying
value, location and disposal date, and proceeds in relation to the assets. It must be
updated, reviewed regularly and compared to the accounting system to ensure there
are no errors.
INVENTORY CYCLE
– Increased security measures such as CCTV, alarm systems, and security guards;
9
– Practical packaging of inventory items;
– Special offers potentially to shift items that are not selling faster.
1. The count instructions: They should be clear and easy to follow. They should be
given out before the count and the staff should be briefed so they fully understand
what they are to do.
2. The count sheets: They should be sequentially numbered. Spare sheets for inventory
found not on them, should also be pre-numbered so sheets cannot go missing. The
count sheets should be signed out and divided between the teams.
– Count staff should inspect inventory for evidence of damage which could affect the
valuation and flag this on the count sheets or inform the count supervisor;
– Areas can be marked once counted to also reduce the risk of mistakes; and
– At the end of the count, the sheets should all be signed back in and the sequence
checked to ensure no inventory sheets are missing.
10
PAYROLL CYCLE
Supervision of employees.
Regular checks on
2. Calculations The software is up-to- calculations, taking
are made by the date and checked for System is not updated. samples
system updates.
and making recalculations.
11
CASH CYCLE
Payments are for Payments are made for Cash book and petty
business purposes only. personal purposes. cash book are reviewed
regularly.
4. Transaction is
recorded
12
AA - Audit evidence
Contents
The Financial Statement Assertions ....................................................................................... 2
TERMINOLOGY USED: ......................................................................................................... 2
ASSERTIONS: ....................................................................................................................... 2
Gathering Evidence ................................................................................................................ 4
AUDIT PROCEDURES: .......................................................................................................... 4
CRAVE COCA: ...................................................................................................................... 4
QUALITY OF EVIDENCE: .......................................................................................................... 5
METHODS OF GATHERING EVIDENCE: ................................................................................... 6
REVIEW THE RESULTS OF AUDIT PROCEDURES:................................................................. 7
Computer Assisted Audit Techniques (CAAT's) ...................................................................... 8
TEST DATA: ......................................................................................................................... 8
AUDIT SOFTWARE:.............................................................................................................. 9
Data Analytics in Audit ......................................................................................................... 10
What is Data Analytics? .................................................................................................... 10
Data Analytics and Audit .................................................................................................. 10
Benefits of Data Analytics ................................................................................................. 10
Challenges in Data Analytics ............................................................................................. 11
Relying on the Work of Others ............................................................................................. 13
KEY CONSIDERATIONS ...................................................................................................... 13
AUDITOR'S OWN EXPERT.................................................................................................. 14
EXTERNAL EXPERT - INTERNAL AUDIT .............................................................................. 14
EXTERNAL EXPERT - SERVICE ORGANISATION.................................................................. 15
Smaller Entities and Not-for-Profit Organisations ............................................................... 16
AUDIT OF SMALLER ENTITIES ........................................................................................... 16
AUDIT OF NOT-FOR-PROFIT ORGANISATIONS ................................................................. 17
1
The Financial Statement Assertions
TERMINOLOGY USED:
Financial statement assertions represent the key objectives of the substantive audit
procedures. If a substantive procedure does not address an assertion, it does not assist the
auditor in forming an audit opinion.
Overall objective of the external auditor is to decide whether the financial statements are
true and fair and properly prepared.
Financial statement assertions are given to assist the auditor in planning audit procedures to
decide whether the balance is free from material misstatement.
ASSERTIONS:
C - Completeness C - Cut-off
A - Allocation
C - Classification and understandability
V - Valuation
E - Existence A - Accuracy
Completeness ensures that all transaction and events recorded are present in the financial
statements. Rights and obligations ensures that ownership and responsibility of assets and
liabilities are reviewed. Accuracy ensures that all transactions, balances and other items
have been accurately recorded.
Valuation and allocation ensures that items in the statement of financial position are
presented correctly and at the correct values.
Existence ensures that items in the statement of financial position actually exist.
Presentation ensures all transactions events and disclosures are clearly described, relevant,
understandable
Classification and understandability ensures that transactions are in the correct accounts
and items have been disclosed correctly.
2
Cut-off ensures that transactions are recorded in the correct financial period.
Note: CRAVE assertions are mainly used to test assets, liabilities and equity. POCC assertions
are mainly used to test income and expenses. The assertions which cover the whole
financial statements and can therefore be
COMPLETENESS
ACCURACY
PRESENTATION
CLASSIFICATION
3
Gathering Evidence
AUDIT PROCEDURES:
- Controls procedures - procedures which identify whether the controls systems being
reviewed actually work;
Note: Substantive testing is carried out after controls have been assessed.
CRAVE COCA:
C - Completeness C - Cut-off
A
- Allocation and valuation C - Classification and understandability
V
E - Existence A - Accuracy
4
The problems associated with the audit and review of accounting estimates
Accounting estimates are of particular concern to the auditor as, by their nature, there may not be any
physical evidence to support them, and they are prone to inaccuracy. They are also subjective and,
therefore, prone to management bias. If the directors wished to manipulate the accounts in any way,
accounting estimates are an easy way for them to do this. The auditor must take care when auditing
estimates to ensure this has not been the case.
In accordance with ISA 540 Auditing Accounting Estimates, auditors need to obtain an understanding of:
- How management identifies those transactions, events and conditions that give rise to the need
for estimates; and
- How management actually makes the estimates, including the control procedures in place to
minimise the risk of misstatement.
- The degree of uncertainty associated with an accounting estimate and if the uncertainty gives
rise to significant risks.
In response to this assessment, the auditors may perform the following further procedures:
- Review of the outcome of the estimates made in the prior period (or their subsequent re-
estimation)
- Consider events after the reporting date that provide additional evidence about estimates made
at the year-end
- Test the basis and data upon which management made the estimate (e.g. review mathematical
methods)
- Test the operating effectiveness of controls over how estimates are made
- Develop an independent estimate to use as a point of comparison
- Consider whether specialist skills/knowledge are
required (e.g. lawyer)
QUALITY OF EVIDENCE:
ISA 500 main requirement - Sufficient appropriate audit evidence
2) Materiality of balance/item;
1) Control procedures - evidence should identify whether the control system operates
effectively;
2) Substantive procedures:
- Evidence should help to conclude whether the FS are true and fair.
- Independent;
- Written;
- In original form.
5
METHODS OF GATHERING EVIDENCE:
ISA 500 methods:
Sampling (ISA 530 definition) - the application of audit procedures to less than 100% of
items within a population of audit relevance such that all sampling units have a chance of
selection in order to provide the auditor with a reasonable basis on which to draw
conclusions about the entire population.
Sampling risk - risk of not selecting transaction that contain a material misstatement.
Sampling considerations:
2) Sample size should be sufficient to reduce sampling risk to the acceptable level;
Sampling methods:
1) Statistical sampling - auditor has not influenced the selection the transaction
(random selection, probability theory);
6
Commonly used methods:
7
The results of statistical sampling, including consideration of whether additional testing is required
Tolerable misstatement looks at individually immaterial misstatements added together. The smaller the
tolerable misstatement or rate of deviation, the greater the required sample size. The higher the
expected misstatement or rate of deviation, the greater the required sample size.
Furthermore, the auditor should investigate the nature and cause of all material misstatements/
deviations and evaluate their effect.
Computer Assisted Audit Techniques (CAAT's)
TEST DATA:
Test data is where the auditor will access the client’s computer controls. They will perform
audit tests on the system by entering dummy data into the system and monitoring how it
progresses through the control cycle. This method of testing will allow the auditor to see if
the control functions of the computer system perform properly.
The auditor has access to the The auditor can enter dummy data in a
Definition computer systems during the batch after working hours.
operating hours of the client.
8
AUDIT SOFTWARE:
Audit software - software assisting at substantive testing stage where the auditor is
performing audit procedures that help to detect potential material misstatements.
1. Analytical procedures:
Calculate ratios;
Compare to previous year’s results, budgets and industry averages;
Investigate unusual results with client;
3. Checking calculations:
Note: Auditor must be able to import all client transactions and balances onto the audit
software.
It can save time due to automatic Bespoke system can be very expensive;
procedure being carried out by software;
Risk of data corruption when carrying out the
It can save on labour costs for audit process;
assignment;
Risk of data leak;
It reduces the risk of human error.
Confidentiality is a concern;
9
Data Analytics in Audit
Data analytics is the process of examining the available data in order to draw meaningful
conclusions. It enables the businesses to identify new opportunities, to harness costs
savings and to enable faster decision making, by drawing data from multiple sources to
inform decisions or draw conclusions. The data is often both internal and external and is
often aided by specialised software.
Data analytics for audit involves discovering and analysing patterns, deviations and
inconsistencies, and extracting other useful information in the data related to the subject
matter of an audit. This can be done through analysis, modelling and visualisation for the
purpose of planning and performing the audit. The process can reduce the risk of error in
the audit as well as offering value to the client, as they often use visual methods such as
graphs to present data, helping to identify trends and correlations.
For auditors, the main driver of using data analytics is to improve audit quality. It allows
auditors to more effectively audit the large amounts of data held and processed in IT
systems in larger clients, and by doing so they can better understand the client’s
information and better identify the risks.
Data analytics tools have the power to turn all the data into an understandable presentation
for both the auditors and clients. Large firms often have the resources to create their own
data analytics platforms, whereas smaller firms may opt to acquire an off the shelf package.
Larger firms may also generate audit programmes tailored to client-specific risks or to
provide data directly into computerised audit procedures, allowing them to more efficiently
arrive at the result.
– Data analytics enable increased business understanding as you gain a more thorough
analysis of a client’s data.
– It gives auditors a better focus on risk. This increased understanding, aids the
identification of risks associated with a client, enabling testing to be better directed at
those areas.
– It results in increased consistency across group audits where all auditors are using the
same technology
10
– and process, enabling the group auditor to direct specific tools for use in component
audits and to execute testing across the group.
– There’s increased efficiency through the use of computer programmes to perform very
fast processing of large volumes of data and provide analysis to auditors, saving time
and focus for judgemental and risk areas.
– Data can be more easily manipulated by the auditor as part of audit testing, for example
performing sensitivity analysis on management assumptions.
– There is increased fraud detection through the ability to interrogate all data and to test
segregation of duties,
– The information obtained through data analytics can be shared with the client, adding
value to the audit and providing a real benefit to management in that they are provided
with useful information perhaps from a different perspective.
– There is a lack of consistency or a widely accepted standard across firms and even
within a firm often. Moreover, there is currently no specific regulation or guidance
which covers all the uses of data analytics within an audit, which can make quality
control guidelines difficult.
– Storing client data gives rise to the risk of breach of confidentiality and data protection.
This data could be misused or illegal access obtained if the firm’s data security is weak
or hacked, which may result in serious legal and reputational consequences.
– The completeness and integrity of the extracted client data may not be guaranteed.
Specialists are often required to perform the extraction and there may be limitations to
the data extraction where either the firm does not have the appropriate tools or
understanding of the client data to ensure that all data is collected.
– There may be compatibility issues with the client systems which may render standard
tests ineffective if data is not available in the expected formats.
– The audit staff may not be competent to understand the exact nature of the data and
output to draw appropriate conclusions. In this case training may need to be provided
which can be expensive.
11
– Another issue arises relating to data storage and accessibility for the duration of the
required retention period for audit evidence. The data obtained must be held for
several years in a form which can be retested. As large volumes will be required firms
may need to invest in hardware to support such storage or outsource data storage
which compounds the risk of lost data or privacy issues.
– There can be an expectation gap among stakeholders who think that because the
auditor is testing 100% of transactions in a specific area, the client’s data must be 100%
correct, which may not be the case.
12
Relying on the Work of Others
KEY CONSIDERATIONS
13
Form the audit opinion
According to ISA 620 the auditor should determine whether the work of the expert is
adequate for the auditor’s purposes.
14
Audit requirements:
Work adequacy
Independence considerations: Quality of report:
considerations:
1. Assessment of 1. Evidence collected is
1. Internal auditors are employees –
technical competence; fundamental in forming an
independence is unlikely;
and independent opinion;
2. Ideally - written evidence;
2. Audit committee is formed of non- if no such evidence is
2. Review of qualifications
executive directors = Independence available, auditor
and experience.
from board is improved; and may still need some further
work to be done.
3. Less independence the expert has from
the entity = Less reliance can
be placed on their work.
Service organisation - outsourced function used by client (for example payroll function).
Audit considerations:
3. Consider visit.
Advantages Disadvantages
1. Increased expertise and skills; 1. Obtaining information on a timely basis may be difficult;
2. Increased independence from
2. May not be allowed to perform audit work; and
directors.
3. Not being able to obtain sufficient appropriate evidence.
15
The extent to which refers to the work of others can be made in the independent auditor's report
The auditor should make no reference to the use of the work of others in the audit report. It is the
auditors' opinion in the report - the work of others is simply one piece of evidence that may be used, if
sufficient and reliable, in forming that opinion.
Smaller Entities and Not-for-Profit Organisations
AUDIT OF SMALLER ENTITIES
Smaller entities may not require a statutory audit in some countries. The reasons for not
requiring a statutory audit are:
– With fewer resources, the systems may be more straightforward, and not require expert
advice from the auditor.
Note: If a smaller entity requires an external audit, the auditors would ensure that they have an
experienced audit team.
2. With direct control, the management will have a full understanding and
responsibility for the organisation, and can assist the auditor effectively; and
3. Having one staff member responsible for an entire control system can increase
the risk of fraud; and
4. There is limited amount of written evidence the auditor can obtain from the
client.
16
Summary:
– There may be elements of the audit that are far more straightforward than dealing with a
larger organisation; and
– There will possibly be less substantive testing. However, careful planning is still needed to
assess the risks and review the control systems and any limitations.
Not-for-profit organisations include charities and public sector entities. It is even more
important that specialised audit staff are involved in the audit process for this kind of entity.
Auditing not-for-profit organisations comes with its own audit risks and some of these are:
– There may be a lack of segregation of duties and simple systems may not be documented.
This could increase the risk of fraud and error;
– Entities may not have the expertise or time to make good strategic decisions;
– Volunteers are used to keep costs down. They may lack skills and make mistakes, but also,
they may not stay long and then not be available to assist the auditor with explanations;
– Entities may have very complex regulations to follow. This increases the risk of disclosure
notes being inadequate; and
– Any sudden change in circumstances could affect the entity in the short term. The audit
approach for this type of entity should include:
1. Careful planning;
17
2. A specialised audit team;
4. Analytical procedures.
Note: If there are any issues gathering the evidence needed to form an audit opinion, as always,
the auditor may need to modify their audit report.
18
AA - Audit and Assurance
Contents
Audit of Specific Balances - Intro and Non-current Assets .................................................... 2
GENERAL PRINCIPLES OF AUDIT PROCEDURES .................................................................. 2
SUBSTANTIVE AUDIT PROCEDURES .................................................................................... 3
NON-CURRENT ASSETS ....................................................................................................... 3
Audit of Specific Balances - Current Assets ............................................................................ 6
BANK ................................................................................................................................... 6
ACCOUNTS RECEIVABLE...................................................................................................... 7
Audit of Specific Balances Liabilities ...................................................................................... 9
ACCRUALS ........................................................................................................................... 9
PROVISIONS ........................................................................................................................ 9
OTHER LIABILITIES ............................................................................................................ 10
TRADE PAYABLES .............................................................................................................. 10
Audit of Specific Balances - P&L, Directors, and Equity ....................................................... 12
THE STATEMENT OF PROFIT AND LOSS ............................................................................ 12
DIRECTORS' EMOLUMENTS .............................................................................................. 13
EQUITY .............................................................................................................................. 14
1
Audit of Specific Balances - Intro and Non-current Assets
GENERAL PRINCIPLES OF AUDIT PROCEDURES
Substantive audit procedures are procedures that identify if material misstatements are
present within the financial statements. They test the transactions, balances and disclosures
for these misstatements. The steps to performing a substantive test are:
1. Identify the item to test and set the objectives of the test;
5. Record the test, method, results and other evidence as working papers; and
The objective of a substantive test must be at least one of these financial statement
assertions:
C Completeness C Cut-off
2
SUBSTANTIVE AUDIT PROCEDURES
Procedures that can be performed for any balance can be remembered using the mnemonic
TOAD:
– Trial balance: To agree the balance in the financial statements to the trial balance;
– Opening balance: To agree the opening balance to last year's closing balance and
investigate any differences with the client;
– Add up and recalculate: All balances need to be checked for accuracy; and
– Disclosure check: To review any specific accounting standards relating to the area of the
financial statements and ensure they have been followed when preparing the financial
statements.
NON-CURRENT ASSETS
In order to ensure non-current assets are audited effectively, the auditor will need to
review:
– The financial statements, including the statement of financial position and the non-
current asset note;
– The asset register, which includes all details relating to the assets held by the company;
and
– The trial balance and ledger accounts forming the non-current asset balance.
The key assertions to be verified for non-current assets are:
– Completeness (C);
– Existence (E).
The auditor needs to ensure that each balance has been audited, therefore auditing:
b. Adding up the non-current asset note to ensure the auditor agrees with the
closing balance shown; and
3
c. Agreeing the closing balance for non-current assets in the note, to the
balance shown on the statement of financial position.
b. Adding up the additions in the asset register to ensure they agree with the
total in the financial statements (C); and
c. For additions in the year, trace to invoice, to agree amounts recorded and
whether the invoice is in the company name (R&O).
a. Obtain a list of all disposals of assets made in the year and agree them to the
asset register to ensure they have now been removed (E and A);
c. Review the profit or loss on disposal and agree with what has been recorded
in the statement of profit and loss (E and A).
c. Inspecting the budgets for capital expenditure to see if plans for disposals
and new assets mean the depreciation methods are appropriate (V and A).
a. Inspect the valuer's report and agree the amount concluded by them with
what has been recorded in the financial statements (V); and
b. Review the methods used by the valuer described in their report and ensure
they agree with what is required by the accounting standards for revaluations
(V).
Notes:
– The key for an auditor is to gather as much sufficient appropriate evidence as possible.
4
– The more written, detailed, independent evidence auditors can collect, the better.
– Each audit procedure must verify at least one of the financial statement assertions.
5
Audit of Specific Balances - Current Assets
BANK
The bank is an asset presented in the financial statements. It is shown under the heading
"Current Assets" in the statement of financial position.
– Existence (E).
The evidence that the auditor would obtain can be referred to as the three B’s:
1. The bank statement: This will show all movements in the bank balance
during the period that can be agreed with the movements in the cash book (E
and V);
2. The bank report: This is written confirmation from the bank sent directly to
the auditor, which confirms all the bank balances held by the client for the
year end and any balances of liabilities held by them. The auditor should also
agree the bank accounts to the trial balance (E, V and C); and
3. The bank reconciliation: This will show the differences between what the
cash book states as the balance and what the bank states as the balance.
Auditors should also ensure that balances agree to the bank statement, bank
report and cash book.
Unpresented cheques are any payments that have not yet been cleared by the bank. The
auditor would usually:
– Agree the amounts on the bank reconciliation to the cheque stubs and cash book;
– Ensure none of the payments are missing or belong in the following period; and
– Inspect the bank statements after the year end to ensure the payments have now
cleared. Then any uncleared receipts would be audited. Auditors would need to:
– Agree that all uncleared receipts on the bank reconciliation are in the cash book;
– Ensure there are no missing receipts from the cash book; and
– Inspect the bank statements after the year end to ensure the receipts have now
cleared.
6
ACCOUNTS RECEIVABLE
Accounts receivable balance is actually made up of two balances in the ledger, the trade
receivables, and any provision for bad debts. There are three important tests auditors
should carry out on this balance:
2. Cash received after the year end: The auditor will select a sample of receivable
customer balances and then agree these balances to receipts in the post year end
bank statements (E);
3. Cut-off: The auditor should review invoices just before and after the year end, and
inspect their goods dispatch notes, reviewing the delivery date to ensure they are in
the correct period.
The next step is then to audit the provision for bad debts. The key assertion to verify is
valuation. Examples of procedures include:
– Comparing the provision to the previous year and investigating any differences;
– Calculating the receivables days ratio and comparing it to the previous year;
– Reviewing the aged receivables list and investigating old balances to see if they should
be included in the provision or written off;
– Post year end event review to see if the customer has paid.
7
INVENTORY
_ The auditor should trace the cost used in valuation to the source
document such as the purchase invoice.
8
Audit of Specific Balances Liabilities
Key concern: The client may have understated the balance to make the business look
healthier and more liquid than it is.
ACCRUALS
Accruals balance is based on costs that may not have been invoiced in the year but belong
to the current year. The following procedures should be performed:
– Obtain a breakdown of the accruals balance and ensure it adds up and agrees with the
accruals balance in the financial statements;
– Compare accruals balance to last year and investigate any differences; and
– Review invoices dated after the year end to identify if the costs belong to the current
year;
PROVISIONS
Provisions could arise from events such as potential compensation payments from court
cases. The client needs to ensure they have followed the rules of IAS 37:
– If there is a remote chance of the client suffering an outflow of resources, then there
should be nothing included in the financial statements;
– If there is a possible chance of the client suffering an outflow of resources, then there
should be a disclosure note called a contingent liability note explaining the possible
event, but still, no provision;
There are three criteria that must be met for a provision to be allowed:
In order to be satisfied that all criteria mentioned above are met, the auditor must perform
the following procedures:
9
– They must inspect correspondence, for example, from the company lawyer, and also
discuss the event with them;
– They can inspect any other external evidence, such as press reports, if they relate to a
court case; and
– They must then obtain evidence on the estimate of costs and ensure it is from a reliable
source. This must not be an estimate from the client management.
OTHER LIABILITIES
– Sales tax;
– Employee tax;
– Payroll; and
– Bank overdrafts.
– Agree each of these balances to the bank statement as the payment should be shown
after the year end (except for bank overdraft, as there may be timing differences); and
– The bank reconciliation will play a part in verifying the bank overdraft balance, along
with the bank report.
TRADE PAYABLES
Trade payables is the total balance of all outstanding balances owed to trade suppliers.
Audit procedures will include:
1. Cut-off testing: The procedure would be to identify the invoices posted just before
and after the year end,
compare them to the goods received note, review the delivery date, and ensure the invoice
is posted in the correct period;
2. Reconciling supplier statements: The auditor should select a sample of suppliers and
reconcile the supplier statement sent at the year end to the ledger (timing differences
are acceptable);
10
3. Post year end invoice review: Inspecting purchase invoices since year end and
reviewing the details will be required to ensure that there were no invoices that
should have been included in the current year;
– Comparing the balance to the previous year and investigating any significant
differences;
– Calculating the payable days ratio and comparing to the previous year;
– Identifying the trade payables balance for each month and comparing the level of
payables to the expected trend of the company; and
– Inspecting the aged payable analysis, in particular, identifying the old and slow
moving balances and investigating these with the client.
11
Audit of Specific Balances - P&L, Directors, and Equity
THE STATEMENT OF PROFIT AND LOSS
Remember: Much of the transactions in the P&L have already been tested via the
corresponding debit or credit balance in the SFP.
The key assertions for the statement of profit and loss balances are:
– Cut-off (C/O);
– Occurrence (O);
– Completeness (CO);
– Accuracy (A).
– For a sample of employee balances, recalculate the deductions, such as tax, and
investigate any differences;
– Agree the net pay as per the payroll records to the bank statements and cash book; and
– Agree total wages and salaries from the payroll system to the trial balance and financial
statements.
Analytical procedures:
– Proof in total of the wages and salaries balance (estimate the balance from
management information such as average wages and the percentage pay rise) and
compare it to the actual balance.
– Comparing the current year's balance to the previous year's will also identify
potential misstatements if significantly different.
– For a sample of invoices, to recalculate the sales tax and discounts for accuracy;
– Agree a sample of customer orders to the dispatch notes and invoices to ensure they
were recorded; and
– Inspecting credit notes issued shortly after the year end and supporting documentation
for evidence that they were related to actual sales and not created to overstate
12
revenue.
– Analytical procedures:
– Inspecting purchase orders and agreeing these to the goods received notes and invoices
recorded;
– Agreeing the balance on the ledger to the trial balance and financial statements.
Analytical procedures:
– Calculate operating profit margin to compare to the previous year, investigating any
significant differences; and
DIRECTORS' EMOLUMENTS
Remember: the auditor regards any director's transactions as material by nature. The key
assertion is accuracy. An example of audit procedures would be:
– Obtain the detailed list of directors' transactions which shows the split between wages,
bonuses, pensions etc., and check it to ensure all the totals are correct;
– Obtain a written representation from the directors that they have included all directors'
remuneration to the auditor.
13
EQUITY
The financial statements will include the statement of changes in equity (SOCIE) which will
show the movement in equity section from the beginning of the year. The equity section will
include the following balances:
1. Share capital: To verify this balance, the auditor will need to:
c. Inspect the cash book for evidence of money coming in from a share issue.
a. Inspect board minutes to ensure the amount and that the date declared was
before the year end; and
b. Inspect the bank statement to agree the amounts paid and that they were
before the year end also.
14